Thursday, May 01, 2008

It seems to have been a bad week for the citizens of Maryland (or perhaps these reports are a new source of breach disclosure...) ...and I left a bunch out.


This could mean they were hacked, or that they left a terminal logged on in a public space...

http://www.npr.org/templates/story/story.php?storyId=90060908

Gerdau Ameristeel discovers files accessed

Wednesday, April 30 2008 @ 05:31 PM EDT Contributed by: PrivacyNews News Section: Breaches

On April 11, Gerdau Ameristeel notified the Maryland AG's office that during a security check, it had discovered that some files had been accessed without authorization by a third party. Those files contained names, addresses, and Social Security numbers on some employees and their family members.

The notification letter did not indicate the total number of individuals affected, nor indicate whether the unauthorized access was related to any outside intruder or employee conduct.


This is the shortest notification letter (e-mail actually) I've seen. They do point the AG to the letter they plan to send to the victims....

http://www.pogowasright.org/article.php?story=20080430173852778

Columbia Capital laptop stolen during break-in had personal information

Wednesday, April 30 2008 @ 05:38 PM EDT Contributed by: PrivacyNews News Section: Breaches

On April 18, Proskauer Rose, LLP notified [pdf] the Maryland AG that during a break-in at Columbia Capital, LLC property on April 11, a laptop containing a backup of Columbia Capital's limited partners database was stolen.

Information stored on the password-protected laptop included names, addresses, Social Security numbers, banking information, and information on accounts with Columbia Capital.

The total number of individuals affected was not disclosed.


“We don't need no stinking encryption!” (Apparently that is a clause in most outsourcing contracts...) Also note, this is another “third party” with a large number of clients impacted by the theft of the laptop.

http://www.pogowasright.org/article.php?story=20080430174604475

Sterling Commerce employee data on stolen USinternetworking laptop

Wednesday, April 30 2008 @ 05:46 PM EDT Contributed by: PrivacyNews News Section: Breaches

Sterling Commerce, an AT&T company, notified the Maryland AG on April 17 that its employee data was also on the laptop stolen from an employee of business partner USinternetworking, making them the fifth organization to report being affected.

According to the letter by Michael A. Meyer, Senior Vice-President, the stolen laptop contained unencrypted data on "several thousand" Sterling Commerce (America) employees and their dependents, including name, address, date of birth, Social Security number, and premiums and coverage.


How did they keep these breaches under the radar? Perhaps a single point of notice (and a law that covers the entire country) would make this easier for us bloggers?

http://www.pogowasright.org/article.php?story=20080430183346896

Even MORE breaches we never learned about...

Wednesday, April 30 2008 @ 06:33 PM EDT Contributed by: PrivacyNews News Section: Breaches

Let's try batch mode 'em for a while....

  • On January 18, SavaSeniorCare Administrative Services, LLC reported that the firm that handles their 401K plans for employees, Windham Brannon, P.C., was burgled on December 31, and computers containing unencrypted personal information on employees and former employees who were residents of Maryland were stolen. The computer was recovered on January 7, and forensic investigation determined that the computer was reformatted within a few hours of the theft, making it impossible to determine whether files had been accessed. Several files reportedly were not overwritten, however, and those did not appear to have been accessed after the theft. [When you reformat a disk, the entire disk is overwritten. Probably an ignorant PR guy (or reporter) but this could be interpreted as “a big lie” Bob]

  • Also on January 18, Mariner Health Care reported that 2,199 of its employees and former employees also had data on the computer stolen from Windham Brannon, P.C.

  • GE Aviation Systems reported that a laptop stolen from an employee's car on December 21, 2007 contained personal information, including SSN, on an unspecified number of employees.

  • Invitrogen learned in December 2007 that a laptop containing current and former employees' names, addresses, and Social Security numbers was stolen from an employee's home. At the time of the theft, the password-protected laptop was secured in a large locked safe; the thieves stole the safe. [Where there's a will there's a way! Bob] Over 1,000 Maryland residents had data on the laptop; total number affected was not disclosed.

  • Non-profit SYDA Foundation reports that the Siddha Yoga web site, operated for SYDA by Merchandizer Software, was hacked on Jan. 4th and customer details acquired. Neither SYDA nor MerchaniZer discovered the problem themselves. SYDA received an email [“from a person” Bob] notifying them of the hack and containing detailed proof of same: names, addresses, credit card numbers, expiration dates, security codes, and passwords for accounts.

  • Bob Davidson Ford Lincoln Mercury, Inc. reports that it sent its payroll processor, ADP, a tape with employee financial info to prepare W-2's. The tape was sent via UPS, but when the package arrived, it was torn and empty.

  • 3M Company reports that an employee's laptop was stolen from his parked car. The laptop contained unencrypted personal info on 1500 individuals, including Social Security numbers.

  • Administrative Systems, Inc. also notified Maryland about the theft of a computer from its office in December. A list of affected clients is appended to their notification. Maryland's web site indicates that over 14,000 Maryland residents were affected by the incident. A number of companies were affected by this theft.

  • Walnut Street Securities reports that an employee of Pershing, LLC, which provides account services at WSS branches, misdirected a report containing client account information. The report was erroneously sent to a manager of another WSS branch.

  • The Central Licensing Bureau in Arkansas also had an "oops!" moment. It sent a report containing personal information on 41 individual agents to 27 agencies. Each agency should have received reports on only its own agents.



There was plenty of time to copy the entire hard drive, but I think this is a case where it was improbable any data was stolen. Nice to know they are choosing to err on the side of caution.

http://www.pogowasright.org/article.php?story=20080430175317446

Education Management Corporation laptop with personal employee info stolen; recovered within hours (updated)

Wednesday, April 30 2008 @ 05:53 PM EDT Contributed by: PrivacyNews News Section: Breaches

On March 3, the Education Management Corporation reports [pdf] that 764 current and former employees had personal information -- including Social Security numbers -- on an employee's password-protected laptop that was stolen from the Art Institute of Philadelphia on February 7.

The thief was apprehended 2 1/2 hours later, with the laptop still in his possession.

That wasn't EMC's only security incident, however. According to a second notification letter dated March 13, EMC inadvertently sent the personal information, including SSN, of a dozen Art Institute of Washington students and volunteers to others due to an email blunder.



How is it that no one notices?

http://www.pogowasright.org/article.php?story=20080430131231227

Los Gatos police investigating ID theft from ATM machine

Wednesday, April 30 2008 @ 01:12 PM EDT Contributed by: PrivacyNews News Section: Breaches

Police in Los Gatos say about two dozen people have been victimized in a new spin on ATM thefts.

Investigators say at least 25 people have had their debit card and personal identification numbers stolen while shopping at Lunardi's Supermarket.

Source - InsideBayArea.com

[From the article:]

A police spokesman says thieves were able to get the debit card and PIN numbers by switching out an ATM card reader at the store.



Now certain we've seen this one before...

http://www.silive.com/news/advance/index.ssf?/base/news/1209644107324690.xml&coll=1

88,000 patients at risk after computer theft

Desktop and backup hard drive were stolen 4 months ago from SIUH office in Rosebank

Thursday, May 01, 2008 By GLENN NYBACK STATEN ISLAND ADVANCE

STATEN ISLAND, N.Y. -- Computer equipment stolen from an administrative office in Rosebank in December contained personal information about 88,000 patients who have been treated at Staten Island University Hospital.

After four months with no arrests, hospital administrators are just now beginning the process of sending letters to patients whose names, Social Security and health insurance numbers were contained in computer files on a desktop computer and a backup hard drive stolen Dec. 29 from one of the hospital's finance offices at 1 Edgewater Plaza.



SunGard continues to grow... Possibly every college in America?

http://www.pogowasright.org/article.php?story=20080501064351618

Laptop containing VT personal information stolen (Sungard update)

Thursday, May 01 2008 @ 06:43 AM EDT Contributed by: PrivacyNews News Section: Breaches

New identity theft fears for an unknown number of Virginia Tech students, faculty, and staff.

The school says a laptop computer that belongs to an outside company has been stolen. Virginia Tech Director of News & Information Mark Owczarski tells us that laptop contains personal information belonging to people who were at Virginia Tech in 2000. Owczarski said he did not know whether the affected people were employees or students. [Suggesting that SunGard couldn't tell them? Bob]

The laptop belongs to a company called SunGard Higher Education. According to a SunGard news release, the company says the laptop was stolen from an employee on March 13, 2008.

Source - WSLS



Will Interpol have to eat these words?

http://www.infoworld.com/article/08/04/30/Interpol-Olympics-cyberattack-not-major-threat_1.html?source=rss&url=http://www.infoworld.com/article/08/04/30/Interpol-Olympics-cyberattack-not-major-threat_1.html

Interpol: Olympics cyberattack not a major threat

Executive Director for Police Services at global police organization downplays threat of cyberattack at Beijing games, concentrates on protecting physical security of visitors

By Robert McMillan, IDG News Service April 30, 2008



Should we buy laptops from China? Are those counterfeit Cisco servers more than mere knockoffs?

http://it.slashdot.org/article.pl?sid=08/05/01/1233244&from=rss

DARPA Sponsors a Hunt For Malware In Microchips

Posted by timothy on Thursday May 01, @09:23AM from the double-barreled-microscope-loaded-for-vermin dept.

Phurge links to an IEEE Spectrum story on an interesting DARPA project with some scary implications about just what it is we don't know about what chips are doing under the surface. It's a difficult problem to find invasive or otherwise malicious capabilities built into a CPU; this project's goal is to see whether vendors can find such hardware-level spyware in chips like those used in military hardware. Phurge excerpts:

"Recognizing this enormous vulnerability, the DOD recently launched its most ambitious program yet to verify the integrity of the electronics that will underpin future additions to its arsenal. ... In January, the Trust program started its prequalifying rounds by sending to three contractors four identical versions of a chip that contained unspecified malicious circuitry. The teams have until the end of this month to ferret out as many of the devious insertions as they can."



Hee, hee, hee..

http://yro.slashdot.org/article.pl?sid=08/04/30/1348203&from=rss

Wikipedia Blocks Suspicious Edits From DoJ

Posted by CmdrTaco on Wednesday April 30, @10:00AM from the watching-the-watchers dept. Censorship United States

kylehase writes

"The release of Wikiscanner last year brought much attention to white-washing of controversial pages on the community-generated encyclopedia. Apparently Wikipedia is very serious in fighting such behavior as they've temporarily blocked the US Department of Justice from editing pages for suspicious edits."



My kind of Justice: “Now that we got 'em down, let's kick 'em!” TJX has demonstrated that they are virtually immune from lawsuits, what's left?

http://www.pogowasright.org/article.php?story=20080430074013189

EPIC Urges Commission to Impose Civil Penalties in Data Breach Settlements

Wednesday, April 30 2008 @ 07:40 AM EDT Contributed by: PrivacyNews News Section: Breaches

Today, EPIC filed comments with the Federal Trade Commission urging the FTC to include civil penalties in settlements with TJX, Reed Elsevier, and Seisint. The FTC recently concluded investigations of the companies' weak security policies, and reached preliminary settlements that would impose security and audit responsibilities, but no financial penalties.

Source - EPIC Comments [pdf]



“We have the technology, why not use it?”

http://www.pogowasright.org/article.php?story=2008043016262012

Wiretaps Up by 20 Percent in 2007

Wednesday, April 30 2008 @ 04:26 PM EDT Contributed by: PrivacyNews News Section: Surveillance

According to the 2007 Wiretap report, federal and state courts issued 2,208 orders for the interception of wire, oral or electronic communications in 2007, compared to 1,839 in 2006. (Press release.) As in 2006, no applications for wiretap authorizations were denied by either state or federal courts. The total number of authorized wiretaps has grown in each of the five past calendar years, beginning in 2003. The 2007 Wiretap Report does not include interceptions regulated by the Foreign Intelligence Surveillance Act of 1978 or interceptions initiated by the President outside the exclusive authority of the federal wiretap law and the FISA. See EPIC Wiretapping page.

Source - EPIC.org

[From the report:]

In 2007, no instances were reported of encryption encountered during any federal or state wiretap.



http://www.pogowasright.org/article.php?story=20080501063630298

Changing privacy expectations? (commentary)

Thursday, May 01 2008 @ 06:36 AM EDT Contributed by: PrivacyNews News Section: Other Privacy News

As Miriam Simun from our Digital Natives team is off this morning to present our research findings on digital natives and their attitudes towards privacy at the Harvard CRCS Privacy and Security seminar series, news comes from Italy that the Agenzia delle Entrate – the department of revenue - has made available online for all to see citizens’ annual incomes, searchable by anyone with an Internet connection. After a few hours the site was up it got clogged with requests, while protests started to come in for the breach of tax payers’ privacy. The Garante della Privacy intervened later in the day to stop the data from being released online.

What’s interesting about this story is that one might expect general outrage at the revenue department’s initiative to make such highly personal data public. But a quick look at two online opinion polls published by two of the major national newspapers shows that the outrage is not as widespread as it might be believed.

Source - Corinna di Gennaro blog

[From the article:]

At the time of writing this, sixty four percent of the readers who replied to the poll answered that they saw nothing wrong with the initiative – while 34 percent of respondents replied that making data available online was too much (La Repubblica). A poll by another newspaper, il Corriere della Sera – shows slightly different results, with 52 percent of respondents agreeing with the initiative to make the data available online.



I'm sure this will spread to the Great Lakes, St. Lawrence Seaway, and Cherry Creek Reservoir...

http://www.npr.org/templates/story/story.php?storyId=90060908

Citizenship Checks on Wash. Ferries Stir Controversy

by Martin Kaste

Morning Edition, April 30, 2008 · The U.S. Border Patrol has started regularly checking the citizenship of passengers on certain ferries inside Washington state. Such nationality checks are common in the Southwest, but along the Canadian border, they're still relatively new — and to many people, the checkpoints have come as a shock.

A ferry from Friday Harbor on San Juan Island to Anacortes, a town on the coast, follows a domestic route — it never leaves U.S. waters. Yet, when it arrives in Anacortes, there's a chance that passengers will be greeted by the Border Patrol.

... Washington state's San Juans are a cluster of picture-postcard islands known for small farms, bed-and-breakfasts and whale-watching. They also happen to be close enough to Canada that an illegal immigrant or a smuggler might kayak across and then take a domestic ferry to the U.S. mainland.

... It certainly bugs some people. William Ginsig, who lives on Orcas Island, encountered the checkpoint for the first time a couple of weeks ago.

"When we got there, there was this big guy, came over to the car. I rolled down the window, and he says, 'Oh, you're American, go ahead.' The hysterical part about all this is, my wife is a French citizen," Ginsig says.

... Upset islanders even called Seattle immigration lawyer Matt Adams, director of the Northwest Immigrant Rights Project, to give them a mini legal seminar.

"They can ask you where you're from; they can ask you to show your papers or to show your driver's license or to show your birth certificate — but you don't have to provide that information," Adams says. [So what good does it do them to ask? Bob]

Because these checkpoints are not on the border, people have a greater right to privacy, Adams says.

... "It's a visceral thing," says Howie Rosenfeld, chairman of the county council. "It just seems like we're not the free and brave country that we were. We seem to be sinking into some sort of a fear-based society."



Are we too paranoid for our own good? My guess is they thought she had Leprosy or some other biblical disease and therefore was a tool of the devil.

http://www.phiprivacy.net/?p=330

Apr-30-2008

Fight or flight; Woman ordered to open medical files in order to fly home

Jordan Press writes in The Kingston Whig-Standard:

A Kingston woman who had to hand over personal medical records to get on an Air Canada flight home was expected to finally arrive some time last night.

Patricia Whiteside-Bell stood in line ready to head through the metal detectors at the airport in Fort McMurray, Alta., Saturday night, when she felt she was about to collapse.

Whiteside-Bell has narcolepsy, a condition that causes people to seem like they have suddenly fallen asleep. In her case, the condition causes her to collapse.

She went to the emergency room that night, but when she tried to board a flight the next day, she was denied passage. The airline required her to present the report from her trip to the emergency room. She was told neither a note from the emergency room doctor who saw her after her episode nor a note from her physician in Kingston was sufficient.

Full story - The Kingston Whig-Standard



Because the UK does not have enough cameras...

http://www.timesonline.co.uk/tol/news/uk/article3846958.ece

April 30, 2008

Lollicams - the latest weapon in the battle against bad drivers

Nico Hines

Lollipop ladies have been handed a new weapon to tackle abusive or speeding drivers outside schools.

Patrolmen and women are to be given high-tech lollipops with video cameras capable of recording the bad behaviour of the drivers they encounter.

[Okay, I didn't know what they were talking about either. (Wish they'd speak English!) Lollipops are those Stop signs crossing guards use at intersections near schools... There's a picture in the article. Bob]



Perhaps one day software will replace lawyers...

http://www.killerstartups.com/Web-App-Tools/Vlotechcom---Virtual-Law-Office-Solution/

Vlotech.com - Virtual Law Office Solution

State bar associations across the country have published articles about the need for attorneys to offer unbundled legal services in order to offer more affordable and accessible legal services to the public. For those not familiar with the term, unbundled legal services refer to providing legal documents or advice to clients but leaving the filling and execution of the document to the client. Virtual Law Office is a portal that allows attorneys to provide these services and thereby increase their online business while at the same time offering a more affordable legal experience to clients. The software can be used as a stand alone platform for all law office needs or it can be easily integrated with existing infrastructure.

http://www.vlotech.com/



“We were right about Global Warming, but we're going to have Global Cooling for a while first. Give us more research money so we can explain it better.”

http://www.telegraph.co.uk/earth/main.jhtml?xml=/earth/2008/04/30/eaclimate130.xml

Global warming may 'stop', scientists predict

By Charles Clover, Environment Editor Last Updated: 6:01pm BST 30/04/2008

Global warming will stop until at least 2015 because of natural variations in the climate, scientists have said.
