[SecurityRatty] tag: senstive

Waukesha County job applicant data exposed in mailing

Tue, 15 Jul 2008 04:07:06 +0000

Technorati Tag: Security Breach

Date Reported:
7/13/08

Organization:
Waukesha County, Wisconsin

Contractor/Consultant/Branch:
Crivello Carlson, S.C.

Victims:
Job applicants from the year 2006

Number Affected:
"more than 130"

Types of Data:
Job applications including, names, addresses, job and education history, salary, and Social Security numbers

Breach Description:
"More than 130 people who applied for a job with Waukesha County in 2006 had their Social Security numbers, employment and salary information, addresses and phone numbers and other personal information released to one of the women who applied for the job. "

Reference URL:
Milwaukee Journal Sentinel
New Richmond News

Report Credit:
Raquel Rutledge, Milwaukee Journal Sentinel

Response:
From the online sources cited above:

Taunya Thomas was horrified when she got a call from a stranger who knew almost everything about her.

The woman on the phone told Thomas she knew her Social Security number, where she lived and worked, how much money she made and where she went to high school and college. She rattled them off, not missing a single digit or fact.

She promised she wasn't going to use the information.
[Evan] Yeah. The government body that exposed the information made the promise that "your Social Security number will remain confidential". So much for promises.

She was calling, she said, because she wanted Thomas and others to know where she had gotten it.

She hadn't stolen it.

Waukesha County sent it to her in the mail, along with the same personal information for more than 130 other people who had all applied for a job with the county in 2006.
[Evan] What's with Wisconsin and mailing confidential information (in error)? This is the third mailing error reported on The Breach Blog coming out of Wisconsin this year.

The woman on the phone, Bernadine Matthews, too had applied for the position as an economic support specialist.

This is Matthews displayed holding the applications. Source: Milwaukee Journal Sentinel

When she didn't get it, she filed a complaint with the Equal Employment Opportunity Commission.

As part of the complaint and the investigation, the EEOC requested copies of all the applications.

The law firm representing the county, Crivello Carlson, sent the applications to Matthews.
[Evan] Really? Any second thoughts about the fact that this may put innocent people at risk?

Waukesha County tried to reclaim the documents sent to Matthews, threatening to get a search warrant and send a lawyer to her house, Matthews said.

When Matthews refused, they insisted she bring the documents to the law firm so they could white-out the private information in the applications.

Again, Matthews refused.
[Evan] At what point does Matthews cross a line. The confidential information on those job applications does NOT belong to her. In my opinion, she has no right to maintain possession of the information. For Matthews to knowingly maintain information that does not belong to her almost seems criminal to me.

The applications would be critical to her discrimination suit, she thought.
[Evan] So risk the disclosure of senstive information belonging to 130 people for your own benefit? If not criminal, it is certainly selfish.

She quickly hired an attorney, copied the documents and sent a set back to the county. She keeps her copies in an oversize safe-deposit box at her bank, she said.
[Evan] Who authorized her to make copies? The data owners (victims) certainly did not.

"I'm not going to be like the county," Matthews said. "I'm going to protect the privacy of the information in this box. Obviously they didn't give a darn about the applicants' privacy."

The Waukesha County employment application specifically states it will protect Social Security numbers.

"Your Social Security Number will remain confidential and will not be copied or released but is required for applicant tracking purposes," the application reads.

Ray Pollen, an attorney with Crivello Carlson, at first said it was no mistake that Matthews received the uncensored applications.
[Evan] So Mr. Pollen sent the information on purpose. Did he stop to think that there might be a problem here? Did it occur to anyone that they should redact the most sensitive information such as Social Security numbers, or names?

He said it was required under federal law that all parties in an EEOC discrimination complaint receive copies of information requested by the agency investigating. He couldn't point to the specific provision.
[Evan] Does a specific provision exist? I cannot think of a single purpose that a Social Security number would serve in this case.

Several days later, Pollen said the EEOC had no such requirement.

"The EEOC is silent on the issue," he said.

Instead it's the state's Equal Rights Division that requires all parties be copied on information requested by the division but even that provision doesn't mandate that attachments - such as the applications - be included. And, Matthew's case was not filed with the state.

"We followed the state's protocol," Pollen said.

P.I. asked: So anyone who applies for a job with Waukesha County could have their private information disclosed to a non-governmental third-party?

Pollen answered: "We responded to a federal agency's request for information. . . . In my opinion there was no violation of any law or procedure."
[Evan] Let's give Mr. Pollen the benefit of the doubt. Let's say that there was no violation of any law or procedure here. There certainly seems to be a violation of trust, a violation of good judgment, and a violation of privacy. The "if the law don't state it, then I must be able to do it" mentality is one of the reasons we have so many laws. Maybe if we used a little more common sense.

Taunya Thomas called the release of her information to a stranger shocking. She said at a minimum the county should have notified her that her information had been compromised.

"I'm devastated that it's that easy for my information to be disclosed," she said. "For someone to call me and tell me where I worked, where I went to school, recite my Social Security number verbatim to me, that's scary."

Commentary:
This is a very frustrating breach to read about. It is frustrating when someone knowingly discloses confidential information and then tries to justify it. Equally frustrating is when a person that has no right to the information refuses to part with it. In the middle of all of this are 130 innocent people.

I do not claim to know half as much about the law as Mr. Pollen does. His actions may be well within his legal rights for all I know.

Past Breaches:
Unknown

A coward exposes personal information on 40% of Chileans

Fri, 16 May 2008 09:56:50 +0000

Technorati Tag: Security Breach

Date Reported:
5/10/08

Organization:
Chilean Government

Contractor/Consultant/Branch:
None

Victims:
Chilean residents

Number Affected:
~6,000,000

Types of Data:
"names, addresses, telephone numbers and taxpayer identification numbers"

Breach Description:
"An anonymous hacker has posted personal data about 6 million Chilean residents on the Internet, highlighting wider privacy problems in the country. The data was posted early Saturday morning on Fayerwayer.com, a popular Chilean technology blog."

Reference URL:
Fayerwayer.com Alert
ABC News
The Tech Herald
International Herald Tribune
vnunet.com

Report Credit:
JI Stark, Fayerwayer.com

Response:
From the online sources cited above:

ORIGINAL POST TEXT GOOGLE TRANSLATED
Something really horrible has just come to our comments. Moments after writing about the purchase of Inquisitor by Yahoo, an anonymous comment left three links to download two files that contain databases in CSV of public and private institutions where there is sensitive information of millions of Chileans, like RUN - Role purely national identification number Chilean -, socio-economic data, electoral, educational, addresses, and telephone numbers individuals, among others.

We urge that these files if they see us please not download or disseminated by any electronic means.

It is extremely dangerous what can happen - and what can happen to you, as the only disseminate is an offence punishable by law - in the case that such senstive data failling to the hands unscrupulous. It seriously.

Update 02:46 AM (GMT -4): The team of FireWire is doing everything in its power at this time to cooperate and ensure that this situation is resolved as soon as possible.

Update 03:25 AM (GMT -4): The topics in our forums with links to the files were deleted. The FireWire forums require registration, so that data - although most likely false, including IP's mask - will be put in the hands of the authorities.

Update 04:45 PM (GMT -4): The Cybercrime Brigade of the Investigative Police of Chile already contacted us, told us about the progress of the investigation that is already under way and we extend all cooperation that is within our grasp.

END OF ORIGINAL POST TEXT

A hacker has obtained the personal details of around six million Chileans from government and military servers and posted them on a technology blog.
[Evan] "Anonymous Coward" posted the information in the comments of the purchase of Inquisitor by Yahoo posting on www.fayerwayer.com. href="http://www.fayerwayer.com.%3C/span%3E%3Cbr%3E%3Cbr%3EThe">

The hacker, who calls himself "Anonymous Coward," posted three compressed files of data that included names, addresses, telephone numbers and taxpayer identification numbers for Chilean residents, said Leo Prieto, Fayerwayer.com's director.

The data was taken early Friday from servers at the Education Ministry, the electoral service and the military

it was first reported to police early Saturday by Leo Prieto, the administrator of a local technology-oriented Internet site who discovered links to the information online.

Among the data was a list of students who receive preferential public transportation rates, including one of President Michelle Bachelet's two daughters

Despite the information's prompt removal from the Internet, some people may have downloaded it "and it may still be around on the Internet,"

over the following days the files started popping up on other sites including Google's Blogger
[Evan] You can't un-disclose confidential information. Once the confidentiality of information has been compromised, it is always going to be compromised.

Reports claim that the hacker performed the stunt to highlight poor levels of data protection in Chile.
[Evan] What idiot would pull such a stunt and claim such a ridiculous justification?

In a note accompanying the files, Anonymous Coward said he posted the databases to draw attention to the poor data protection measures in the country
[Evan] This is the worst way to draw attention to poor data protection. What "Anonymous Coward" did was create 6,000,000+ enemies and put his/her very well being at risk. He/she caused an extraordinary amount of harm to almost 40% of Chile's population and made a complete ass out of him/herself.

El Mercurio reported that it had access to some of the data, including a file in which the hacker said he intended "to demonstrate how poorly protected the data in Chile is, and how nobody works to protect it."

The files include tips on what to do with the data and how best to access it.

"Chile may be on the other side of the world, but the scale of this data breach should not be ignored," said Graham Cluley, senior technology consultant at security firm Sophos.

"No matter how moral or ethical the motive, this prank was irresponsible and has left almost 40 per cent of Chile's population at risk of identity theft."

Cluley added that all organisations around the world should see this as a wake-up call and ensure that all personal and sensitive information is stored securely.
[Evan] You would think that the 94,000,000 credit card numbers stolen from TJX, or the 26,500,000 Social Security numbers on the stolen Veterans Affairs laptop, or the 25,000,000 personal records lost on CDs from HM Customs and Revenue would wake organizations up. There is still this illogical thought in organizations that "this will never happen to us". It DOES and IT WILL. I'm not even going to get into information security personnel that lack skill and have business leaders fooled into thinking that they are doing the right thing(s).

"Whether or not the loss results in a fine is almost irrelevant; the consequences of falling victim to such an attack can mean irreversible damage to reputation and customer confidence."
[Evan] I couldn't agree with Mr. Cluley any more. This is a guy that "gets it".

Commentary:
Unbelievable. The evil in some people. So let's say that "Anonymous Coward" is caught (I think chances are better that 50/50). Now what? How do you punish someone whose actions put 6,000,000 people at risk of losing their identities. These people will live with some level of fear for a very long time. Punishment will be severe, but how severe is enough? This will be an interesting story to follow.

Let's not lose sight of another issue with this breach. What is the Chilean government doing to protect confidential information and what does it intend to do in response to this breach? Obviously the government needs to secure information better, but how will they respond to 40% of their residents being exposed to fraud and all that comes with it? I don't know what can be done short of re-assigning government issued identifiers to Chilean residents. This breach (or series of breaches) could be very costly to residents, the Chilean economy and the government.

Past Breaches:
Unknown

First Magnus Financial customer data found in dumpster

Thu, 21 Feb 2008 10:56:43 +0000

Technorati Tag: Security Breach

Date Reported:
2/15/08

Organization:
First Magnus Financial Corporation

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Loan and financial documents containing names, addresses, phone numbers, Social Security numbers, credit card numbers, financial account information, etc.

Breach Description:
Stacked boxes containing thousands of sensitive loan and financial documents were discovered in an dumpster outside a Ft. Lauderdale, Florida branch of the now bankrupt First Magnus Financial Corporation. The documents contain sensitive personal information belonging to customers.

Reference URL:
CBS Channel 4 News online story

Report Credit:
Carey Codd, CBS Channel 4

Response:
From the online source cited above:

Outside a University of Phoenix Building in Ft. Lauderdale, files and paperwork belonging to the defunct First Magnus Financial at 550 West Cypress Creek Road were just lying inside stacked boxes inside an industrial garbage container, available for anyone to peek at.

The paperwork contains some of the most sensitive information a consumer could posses: Social Security numbers, credit card information, addresses, properties, etc.

Shortly after CBS4 News cameras arrived on Friday, employees of the building removed the boxes and took them indoors, all while police officers from Ft. Lauderdale arrived and roped off access to the dumpster and started an investigation.
[Evan] The Ft. Lauderdale Police Department treats the location of this breach as a crime scene, which it obviously is. Common sense, right? Not so much in some police departments. I have read credible reports of police refusing to even come to the scene and taking reports over the telephone. Kudos to the Ft. Lauderdale Police Department.

"We were told that we just could get rid of this stuff no matter how, that this was going to end up in the landfill, it's going to be drenched down here inside the container, and no one's going to have access to it," said Mike Shank.
[Evan] This is lazy, reckless, and overall bad business (assuming that this statement is accurate).

The building management is supposedly waiting for officials with First Magnus to come and properly dispose of the sensitive documents.
[Evan] I wouldn't hold my breath. First Magnus is bankrupt and has not paid employees after the company folded on August 16, 2007. Who from First Magnus is left to come and get the documents?

Commentary:
Bankruptcy stinks. It stinks for creditors, customers and employees. This bankruptcy stinks a little more for customers because of poor common sense and judgment. Thankfully, someone reported the poorly discarded documents in the dumpster and reported it before (it appears) they fell into the hands of the nefarious. I wonder where the documents are now and who has access to them, supposing they still exist.

Not only did First Magnus have a business responsibility for the protection of senstive information (which ceases with the business), but they also have a moral responsibility (which does not cease).

Past Breaches:
Unknown

Unknown IP addresses access Lexmark personnel data

Fri, 15 Feb 2008 12:32:04 +0000

Technorati Tag: Security Breach

Date Reported:
2/15/08

Organization:
Lexmark International

Contractor/Consultant/Branch:
None

Victims:
"current and former employees"

Number Affected:
"some"*

*As of December 31, 2006, of the approximately 14,900 employees worldwide, 3,900 are located in the U.S. and the remaining 11,000 are located in Europe, Canada, Latin America, Asia Pacific, the Middle East and Africa.

Types of Data:
Names, addresses, and Social Security numbers

Breach Description:
Lexmark employees have been notified by the company that some of their senstive personal information was inadvertently posted on a company-owned file transfer site.

Reference URL:
WKYT Channel 27 News story
Lexington Herald-Leader News story

Report Credit:
Scott Sloan, Lexington Herald-Leader

Response:
From the online sources cited above:

Lexmark International told employees this week that information that would identify them personally was inadvertently posted on a company file transfer site.
[Evan] It is not stated whether or not the site was publicly available. I assume that it was, much like ftp://ftp.lexmark.com.

In a letter to employees, Lexmark officials say files containing personal information from some current and former workers were accessed by two unknown parties, last month. Those files contained names, addresses and social security numbers.

It's uncertain whether anyone with malicious intent accessed the files.

The company will not say publicly what type of data was posted, but it did tell affected employees, said spokeswoman Barbara Leary. Lexmark also won't say publicly how many employees were affected.

Affected employees are being offered free credit-monitoring insurance and identity-theft insurance for a year.

The incident occurred Jan. 29 when the data were posted to a site used to exchange information with third-party companies.

"It wasn't a breach of systems," Leary said. "It was human error."
[Evan] A breach is a breach much like a pig is a pig, even if one is wearing a dress.

Within six hours, the release had been discovered and the files were removed, she said.

"We know that there were a couple of unknown IP addresses that accessed the data," Leary said. "We don't know if they downloaded it."

The company waited to disclose the incident to investigate exactly what had happened, the nature of the data released and to discover who was affected, she said.

there's no evidence that the information has been misused

Commentary:
On the one hand, we are all human and all humans make mistakes. On the other hand, I question how this all happened and what kind of training did the culprit receive in the proper handling of confidential information.

According to the report, Lexmark detected the breach within six hours, which helped significantly in reducing the amount of risk. It would be interesting to know the "unknown IP addresses".

Past Breaches:
Unknown

Stockport Primary Care Trust flash drive goes missing

Mon, 21 Jan 2008 06:44:46 +0000

Technorati Tag: Security Breach

Date Reported:
1/18/08

Organization:
Stockport Primary Care Trust NHS

Contractor/Consultant/Branch:
None

Victims:
Patients

Number Affected:
4,000

Types of Data:
"NHS number, Specific Stockport PCT identification number, First and second name, Date of Birth, Sex, Condition (if condition was chronic obstructive pulmonary disease, asthma, heart failure, coronary heart disease, diabetes or epilepsy), GP code and practice code and GP Name"

Breach Description:
A staff member working for the Stockport Primary Care Trust lost a flash drive sometime between parking her car and arriving at her desk in December, 2007. The flash drive was on a lanyard around her neck when it was lost and it contained senstive personal information belonging to patients of the trust.

Reference URL:
Stockport Primary Care Trust NHS Press Release dated 1/18/08
Manchester Evening News Story
ComputerWeekly News Story

Report Credit:
Amanda Crook, Manchester Evening News
brought to the attention of The Breach Blog by an informed reader.

Response:
From the online sources cited above:

In early December 2007 a member of staff of Stockport PCT lost a USB drive containing limited information on approximately 4000 patients. This happened between parking the car and arriving at her desk. The drive was on a clip on a lanyard around the neck and somehow came free and was lost.

Health bosses decided not to tell patients about the loss because they believe the data could not be used in an identity fraud.
[Evan] Whether or not the information could be directly used for identity fraud should be irrelevant to the decision to notify patients. This is personal information that belongs to the patients, not Stockport PCT.

The USB drive (memory stick) included a file which contained the following details:

NHS number, Specific Stockport PCT identification number, First and second name, Date of Birth, Sex, Condition (if condition was chronic obstructive pulmonary disease, asthma, heart failure, coronary heart disease, diabetes or epilepsy), GP code and practice code and GP Name

Immediate steps were taken to search for the drive by retracing the path of the staff member but the drive has not been found.

The loss was an accident rather than any systematic failing in management and governance.
[Evan] I strongly disagree with this statement made by Stockport PCT. This IS a failure of information security management and governance! The storage of sensitive information on portable media without additional controls such as encryption must be prohibited. This is accomplished through policy, training and awareness, standards and procedures, and technical controls. The fact that this statement is made by Stockport PCT demonstrates a fundamental mis-understanding on information security roles and responsibilities.

Indeed the security of the information had been considered and the data was being carried personally to avoid being sent by e-mail.
[Evan] So the sensitivity of the information was taken into account, and still not secured adequately. There are FREE programs and utilities available to encrypt files, folders and entire drives. It would have added an additional 15 minutes to download the program, install it, and use it. I'm guessing that the aftermath has taken considerably longer in terms of time spent in response. Some flash drives even come with encryption built-in!

The PCT has taken further steps to emphasise to staff the importance of vigilance in carrying/sending personalised data.

The loss of the data has had no adverse impact on the services provided by Stockport PCT and GPs. The data loss was reported centrally at the time of the loss and again on the recent NHS wide audit of data losses.

‘I want to apologise personally for any inconvenience and distress this may have caused patients. Clearly the recent events concerning loss of personal data have raised the awareness and importance of this matter. I want to assure patients that I believe there is no possibility of any “identity theft” as a result of this loss, and let you know that steps have been taken to ensure this never happens again.’, Richard Popplewell, Chief Executive
[Evan] I do give credit to Mr. Popplewell for issuing a statement. I have said this before, but I will say it again. When a Chief Executive speaks on information security matters, it shows that they recognize that the information security "buck" stops with them.

An information line has been set up to deal with patient enquiries and concerns. The number is 0161 426 5678. You can contact the information line between 10am and 2m on Saturday 19th January and 9am and 5pm between 21st and 25th of January. After this date please call 0161 426 5014 (this will be an answerphone and somebody will call you back).

Commentary:
Does the UK have an equivalent to the U.S. HIPAA? I am not well-versed in UK data security laws, so I don't know.

Using flash drives without additional controls to carry confidential information is very risky business.

Past Breaches:
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Medical information found in the road
December, 2007 - Laptop stolen from Royal Bolton Hospital NHS
September, 2007 - Dudley Group of Hospitals NHS hard drives for sale on eBay