[SecurityRatty] tag: residents

Busch alerts N.H. residents: Stolen laptop had personal data

Fri, 01 Aug 2008 20:00:00 +0000

About 2,250 New Hampshire residents have been notified that their personal information was stored on a laptop computer taken by thieves that burgled an Anheuser-Busch Co. office in Missouri in June.

Metro Round-Up: Cablevision Update; Springfield (Mich.)

Fri, 01 Aug 2008 10:49:43 +0000

Cablevision says it's already spent $20m towards its plan to build out Wi-Fi across its operating territory: The cable firm has $300m budgeted to put Wi-Fi in place for its higher-tier subscribers at no cost across Long Islands and parts of New Jersey and Connecticut, as well as New York City and Westchester County. Cablevision thinks their network will be good enough to replace cell phones across their coverage, which ties in with the quadruple play many cable operators are aiming for: data, voice, video, and mobile.

Springfield, Mich., puts in its first antennas for a city-wide network: The network is being built with a $750,000 grant from a state development corporation to extend access and improve the business climate. Access will cost $10 per month for residents after an initial free period while the service powers up.

Anheuser-Busch alerts N.H. residents that stolen laptop contained personal data

Fri, 01 Aug 2008 09:00:00 +0000

Anheuser-Busch has informed New Hampshire Attorney General Kelly Ayotte that a company laptop stolen in Missouri contained personal data on up about 2,250 residents of the state.

Wee-Fi: Research on Digital Divide; NYC May Opt for Fiber for Housing Projects

Tue, 29 Jul 2008 10:40:02 +0000

Participate in a research survey on the role of wireless to shrink the digital divide: Gwen Shaffer, a Temple University (Phila.) doctoral student, is looking for responses from many kinds of stakeholders in building networks that have a purpose, at least in part, to extend Wi-Fi access. She notes that this could include community networks, non-profits, and for-profit firms like Fon. Personal information will not be collected, and she's looking to conduct in-depth interviews with some participants.

New York City considers plan to bring fiber to public housing residents: Wireless networks are definitely out in the recommendations of a private consultant to the city's Broadband Advisory Committee, ComputerWorld reports. They may opt to use $4m in a fund from Verizon and a potential $8m from the two incumbent cable operators.

Most sensitive data on government laptops unencrypted

Mon, 28 Jul 2008 20:00:00 +0000

Only 30 percent of sensitive information stored on U.S. government laptops and mobile devices, including the personal information of U.S. residents, was encrypted a year ago, despite a series of data breaches at government agencies in recent years, according to an auditor's report.

Lompoc's Comeback

Tue, 15 Jul 2008 06:57:35 +0000

I've been citing Lompoc, Calif., as a poster child of what can go wrong in municipal Wi-Fi for a few years: But I apparently have to change my tune. Lompoc, near Santa Barbara, had unreasonable expectations, if you read their first and second RFPs. The first provider built a network that Lompoc found unacceptable and they bid it out for a second network to be built (some of these details are murky and some under dispute).

What's been clear is that after spending more than $3m, the city couldn't acquire more than a few hundred regular subscribers, about 10 percent of the point they'd need to pay expenses and pay down capital outlay. But it turns out that the backend was as important as their network deployment, IDG News Service reports.

The latest city network administrator brought in Aptilo Networks for backend authentication and session processing, opened the network to 15-minute free trials, and started accepted ad hoc payment. The new network guru also let outsourced contracts expire and brought customer support and other services back in house to reduce expenses and improve the feedback loop. He discovered their existing authentication system was licensed for 500 users, so that might have explained their failure to grow, too.

The city now has 1,000 regular users at all levels, from pay-as-you-go to monthly household subscriptions. They've revised breakeven down to 2,000 subscribers, and say they are breakeven for expenses.

The other problem Lompoc had, by the way, is that the cable and telephone companies didn't sit still. I exaggerate, but when Lomopoc was planning its network, it had very poor coverage for its 42,000 residents for DSL and cable modem service. When the Wi-Fi network was announced, the incumbents started pulling copper, coax, and fiber, and dramatically improved network coverage. The $3m wasn't entirely ill spent so far: it was a kind of reverse incentive to the private companies to get their act together.

Colorado Division of Motor Vehicles cited in audit report

Fri, 11 Jul 2008 05:18:07 +0000

Technorati Tag: Security Breach

Date Reported:
7/9/08

Organization:
State of Colorado

Contractor/Consultant/Branch:
Department of Revenue
Division of Motor Vehicles

Victims:
Residents

Number Affected:
~3,400,000

Types of Data:
"names, addresses, dates of birth and Social Security numbers"

Breach Description:
"The Division of Motor Vehicles put 3.4 million Coloradans at risk of identity theft due to flaws in the way driver's-license information is handled, lawmakers learned Tuesday at an interim transportation committee hearing."

Reference URL:
The Denver Post
Report of The State Auditor, Driver's License and Identification (ID) Card Security

Report Credit:
Jessica Fender, The Denver Post - Brought to the attention of The Breach Blog by an informed reader.

Response:
From the online source cited above:

The Division of Motor Vehicles put 3.4 million Coloradans at risk of identity theft due to flaws in the way driver's-license information is handled, lawmakers learned Tuesday at an interim transportation committee hearing.

The DMV regularly sends large batches of personal information over the Internet without encryption and has failed to properly limit access to its database, according to a recent audit.
[Evan] The audit report is here.

At one point, 33 former DMV employees could access names, addresses, dates of birth and Social Security numbers — some workers more than a year after their departure

Revenue Department leaders who oversee the division say they are working to hire internal watchdogs and build up their technological defenses.
[Evan] This is putting the cart before the horse. After reading some of the audit results it is clear to me that there is no information security strategy, no effective information security management, and no formal information security program. These administrative issues need to be addressed well before "technological defenses" should be. Addressing "technological defenses" first is often times wasteful and disjointed.

But the state, facing a budget shortfall, will have no additional money in the foreseeable future for new computer systems.
[Evan] Then get creative! No or little money is a poor excuse for not doing the right thing. Many times, we find that an organization actually saves money through effective information security management. Fix the administrative issues and formalize the information security program first. I don't know much about the Colorado state government, but I do know that other state governments are wasteful and disorganized. Information security, when aligned with organizational goals and objectives (not IT) can help organize and cut waste.

Cyber security alone is a $1.5 million problem that will be tough to solve, said Roxy Huber, Revenue Department executive director.
[Evan] I wonder where the $1.5 million dollar figure comes from. We can secure a heckuva lot of infrastructure (and information) with that kind of money. I get a kick out of "Cyber security".

"To tell you that I'm going to have the tools to do what I need to do, I don't know where they're going to come from," Huber said. "But we will continue to do the best with the tools that we have."
[Evan] Where do I start with this comment? The first tool to use is the one between your ears.

Colorado ranks eighth in the nation in identity-theft complaints per person and first in the nation when it comes to general fraud reports.
[Evan] This should tell you something! It is even more troubling if your own state government contributes to the problem.

On average, those frauds cost victims $4,041 each for a total of $41.3 million in 2007

Auditors said the DMV's method for handling sensitive information was "fragmented, disorganized and poorly planned,"
[Evan] Yeah, ya think?

No one person is responsible for security
[Evan] Or is it no one is responsible for security?

High turnover - 60 percent of entry-level workers leave during their first year - and low, $26,280-a-year starting salaries make fraud more attractive and management more difficult, DMV officials said.
[Evan] This is another problem that contributes significantly to the risk.

While employees have been caught issuing hundreds of fraudulent licenses, there are no known instances of identity theft or information security breaches, said Department of Revenue spokesman Mark Couch.
[Evan] Come on. Not that we know of anyway. Don't you think that the risk is much higher if a person has already demonstrated that he/she is willing to step over the line?

"It's not like we have a completely defenseless system," Couch said. The audit "says that we need to take more steps."
[Evan] Not completely defenseless, but like protecting a bicycle with a rope.

"Without the appropriate resources, there's no way we can hold you accountable for doing some of the things you're expected to do," said Sen. Nancy Spence, R-Centennial.
[Evan] This kind of talk does not help the cause and does little to serve constituents. I am not close to this issue, but so many of the things I have read about this breach point to mismanagement more than a lack of appropriate resources.

Some problems already have been fixed.

The 33 former employees with database access immediately had their passwords deactivated once auditors identified them, and the DMV now compiles monthly lists of departed workers to prevent future lapses

The division has a long-standing policy of redacting the last four digits of Social Security numbers before they're transmitted, and the division plans to encrypt all transmitted information by June 2009.
[Evan] What? A year? This exposure is now public knowledge and will continue for a year?

Commentary:
Due to the fact that I was a little more critical in my comments above, I should express that these are my opinions and beliefs based on my experiences and knowledge. Take the comments for what they are worth.

There seems like there is a lot of work that needs to be done at the Colorado Department of Revenue and Division of Motor Vehicles. The work must start at the top. Somebody needs to step up and fill the role as the "person responsible for security".

Past Breaches:
State of Colorado:
April, 2008 - CollegeInvest external hard drive goes missing

Employee fraud at Wells Fargo Home Mortgage affects some customers

Tue, 08 Jul 2008 08:58:12 +0000

Technorati Tag: Security Breach

Date Reported:
5/16/08

Organization:
Wells Fargo & Company

Contractor/Consultant/Branch:
Wells Fargo Home Mortgage

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"names, addresses, dates of birth, loan numbers, Personal Identification Numbers (PIN), current bank account numbers and last five digits of their Social Security numbers"

Breach Description:
"We have learned that a former Wells Fargo employee working in our reverse mortgage servicing department inappropriately used another customer's account information. We have taken appropriate action against this individual."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

Pursuant to the information compromise notification requirements of the State of New Hampshire, Wells Fargo hereby notifies you that we have give notice to approximately 24 residents of the state of New Hampshire of a potential compromise of their Social Security numbers and mortgage loan account numbers.

We have learned that a former Wells Fargo employee working in our reverse mortgage servicing department inappropriately used another customer's account information.
[Evan] Employee fraud is one of the most difficult breaches to prevent (and sometimes to detect). Most controls are largely administrative in nature such as background checks, segregation of duties, job rotation, policy and procedure, etc. Sometimes even the best controls won't do much to prevent an attack from the enemy within.

We have taken appropriate action against this individual.
[Evan] I wonder what this means.

We have no information indicating your information was compromised.

However, the former employee, in the course of their employment, had access to information that may have included your name, address, date of birth, loan number, Personal Identification Number (PIN), current bank account number and last five digits of your Social Security number.
[Evan] The fact that only the last five digits of the Social Security numbers were accessible is a good indication that Wells Fargo identified the risk involved with a person in the former employee's position accessing confidential information. Limiting Social Security number exposure also limits the extent and impact of the breach.

We started mailing consumer notices on May 13, 2008.

Wells Fargo Home Mortgage takes information security very seriously and wants to assure you that we are taking precautionary measures to reduce the potential risk associated with this incident.

Wells Fargo Home Mortgage, to ensure everything is done to protect you, will be providing you with a new PIN to access the line of credit on your reverse mortgage loan.
[Evan] Not just "to protect you". Remember that Wells Fargo is in business to make money and I am pretty sure that the things they do are to that end.

As a precaution, Wells Fargo has partnered with a company called Intersections, Inc. to provide you with a free one-year subscription to IDENTITY GUARD CREDITPROTECTX3.
[Evan] Cool! "CREDITPROTECTX3" sounds super strong and effective!

Wells Fargo Home Mortgage values and appreciates the trust you have placed in us by allowing us to serve you.

We sincerely apologize for this situation.

If we can be of further assistance, please do not hesitate to call us at (800) 472-3209 between the hours of 8:00 am and 8:00 pm eastern time, Monday through Friday.

Commentary:
I think that breaches like this are more common than some people would like to admit. Banks have the one thing that everyone wants!

Past Breaches:
Unknown

Houghton Mifflin Harcourt server breach leads to notification

Tue, 08 Jul 2008 08:22:09 +0000

Technorati Tag: Security Breach

Date Reported:
7/1/08

Organization:
Houghton Mifflin Harcourt ("HMH")

Contractor/Consultant/Branch:
None

Victims:
"individuals affiliated with Harcourt Trade"

Number Affected:
194

Types of Data:
Social Security numbers

Breach Description:
"Houghton Mifflin Harcourt (HMH), a publishing company based in Boston, will begin notifying individuals whose information may have been compromised by a worldwide Internet-based attack that affected one of its websites."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

Houghton Mifflin Harcourt (HMH), a publishing company based in Boston, will begin notifying individuals whose information may have been compromised by a worldwide Internet-based attack that affected one of its websites.
[Evan] A "worldwide Internet-based attack" sounds impressive. In order for an attack to be successful, a vulnerability must be exploited. I wonder what the vulnerability was.

On April 25, 2008, HMH's Information Security group learned of a worldwide Internet-based attack that affected one of its non-e-commerce websites.

Within minutes, HMH took steps to secure the affected databases.

HMH has reported this matter to the U.S. Secret Service and state law enforcement, who are actively investigating the incident.
[Evan] I question how "actively" the U.S. Secret Service is investigating this incident. The incident doesn't seem to be significant enough. Sad but usually true. The Secret Service has to prioritize just like everyone else.

As part of its internal investigation, which is still ongoing, HMH retained digital forensics experts to collect and analyze data from the relevant computer systems.
[Evan] The attack was detected on April 25th (not necessarily originated on this date), and the notification went out to the New Hampshire State Attorney General on June 1st. This is a long forensic investigation! I also noticed that this statement mentions "computer systems". Does this mean that more than one server was compromised?

They have determined that social security numbers of approximately 194 individuals affiliated with Harcourt Trade, 2 of whom are New Hampshire residents, were in a company database on the affected computer server, and may have been compromised as a result.
[Evan] I don't like the "may have been" portion of this statement. My definition of compromise probably differs though.

HMH has no evidence to date to suggest that the data has been misused.

Although we do not know whether any of your information has been misused, we are committed to doing what we can to make sure support is available to you

Since learning of the incident, HHM [sic] has:

Reported this matter to the U.S. Secret Service and state law enforcement;
Cooperated with law enforcement, which is actively investigating the incident;
Conducted a thorough investigation of the incident, including an assessment of whether or not the theft created any prospective data security risk;
Identified the sensitive personal information about individuals stored on the affected server; and
Made arrangements to notify affected individuals about the incident in accordance with state laws, offer premium credit monitoring, ID theft insurance, and ID theft resolution services, and provide additional information about prevention and detection of ID theft including information about credit alerts and credit freezes.

HMH is continuing to work with information security professionals to review current policies and procedures to identify steps that can be taken to better protect against incidents of this kind.

We apologize and deeply regret that this happened.

I have asked our editors to reach out directly to everyone affected by this matter and I hope they will be or already have been able to answer your questions.
[Evan] This is a nice touch. The letter to the affected persons was signed by Gary Gentel, President or Houghton Mifflin Harcourt Publishing Company, Trade and Reference Division.

Commentary:
There aren't many publicly available details available other than those outlined in the breach notification, so we are left to speculate. Why was a server that contained a database of Social Security numbers available to this "worldwide Internet-based attack"?

Past Breaches:
Unknown

Service Canada employee loses flash drive

Sat, 28 Jun 2008 19:18:19 +0000

Technorati Tag: Security Breach

Date Reported:
6/27/08

Organization:
Government of Canada

Contractor/Consultant/Branch:
Service Canada

Victims:
Canadian Residents

Number Affected:
More than 1,500

Types of Data:
Name and Social Insurance Number

Breach Description:
"Service Canada recently sent a letter to 1500 individuals that where affected by a recent incident. It seems that a USB key, containing the names and social security number of 1500 canadians was lost."

Reference URL:
NowPublic
Radio-Canada (French)
Radio-Canada (Google English translation)

Report Credit:
Radio-Canada, via an email from an informed Breach Blog reader

Response:
From the online sources cited above:

An Employee Service Canada has lost in March, a USB stick containing personal information on more than 1,500 Canadians.
[Evan] This statement was translated from french. An employee of Service Canada lost a flash drive with confidential personal information belonging to more than 1,500 Canadians stored on it. Service Canada is responsible for the security of some very sensitive personal information belonging to thousands (maybe millions) of Canadians. As such, the people that are permitted to access (assuming that role-based access control is enforced at Service Canada) confidential information must be properly trained and made constantly aware of the risks involved with creating, accessing, storing, destroying, and transferring this information. Was this employee aware of the risk of using a flash drive to store this information? If so, then there should be consequences for his/her actions. If not, then Service Canada really needs some help. Training and awareness is only a part of an effective information security program, but it is a very important one. Are flash drives permitted for use at Service Canada? They probably shouldn't be.

The agency sent a letter to the persons concerned to advise them of the situation and asking them to check their bank accounts, their credit file and expenditure on their card.

Among the information contained in the key, were found including the names of persons and their number of social insurance.

One of the victims wanted to know why Canada Service data contained on the key, a minidisk drive, were not protected. "They said they did not want to invest to secure customer data," said Queen Fraser.
[Evan] Obviously, this is an unacceptable response and probably one that wasn't authorized.

There are a few problems with this statement of course... First and foremost, Service Canada employees need training in Security incident management and, in particular, in the important aspect of security incident communications.
[Evan] Among many other things, I'm sure.

Second, this means that they are either not aware of Governement of Canada security policies or Privacy policies as published by Treasury Bord [sic] Secretariat, or they do not care.

The government agency has opened an investigation and added that no identity theft had been reported.

It did not specify whether measures have been taken to avoid another incident.
[Evan] We can only imagine what the current state of information security is at Service Canada. It may be worse than some of us think, and it may be better than others of us think. In my opinion, Service Canada owes a thorough explanation to the victims of this breach and owes detailed assurances to Canadian citizens.

As anyone with some knowledge of IT security practices can tell you, USB keys should not be used to carry delicate, protected or private information.
[Evan] In general, I agree.

If it must be done then, at a minimum, a threat and risk assessment must be done and proper encryption of the data must be used.
[Evan] I absolutely agree. Risk management is critical.

However, mosts organisations that deal with data that is sensitive, protected under privacy laws, such as PIPEDA, commercial trade secrets or of national interest (such as National Defence secrets) AND are serious about IT security would disable floppy disk drives and USB ports on most computers.
[Evan] Most "organisations" should, but unfortunately most do not.

Commentary:
I would like to think that this is an isolated incident at Service Canada, but I don't think that it actually is. I would like to see the Privacy Commissioner of Canada investigate and audit the security program and practices at Service Canada. We'll see if this happens. I don't expect things to change until the people responsible are held responsible.

How does the Canadian government expect the private sector to provide adequate security measures for the protection of personal information if it does not follow best practices and the law itself?

Past Breaches:
Government of Canada:
November, 2007 - Service Canada stolen laptop affects more than 1,600
December, 2007 - Passport Canada web site suffers serious breach
June, 2008 - Canadian farmer personal information on stolen CCGA laptop
Service Canada:
November, 2007 - Service Canada stolen laptop affects more than 1,600