Wednesday, June 11, 2008

Sound familiar? You send your backup tapes off for safekeeping and the tapes don't even make it to the vendor's office. (Seems somewhat casual to have an employee pick up the tapes in his personal vehicle.)

http://www.pogowasright.org/article.php?story=20080610132042741

U of U Hospital billing records stolen; data from 2.2m patients at risk (update 1)

Tuesday, June 10 2008 @ 01:20 PM EDT Contributed by: PrivacyNews News Section: Breaches

Billing records have been stolen from a business that does work for the University of Utah Hospitals and Clinics. The records, reportedly containing data from 2.2 million patients, were stolen from an outside vendor of University of Utah Hospitals and Clinics, according to a news release from the university.

Source - Salt Lake Tribune

Update 1:

[...]

A metal box containing the backup tapes, which contained billing records for approximately 2.2 million patients and guarantors, was stolen on Monday, June 2, from a car belonging to a driver who worked for an independent storage company contracted by the health-care system. The driver violated the protocols his company had established to ensure secure data transportation.

... The billing records included patient names, related demographic information and diagnostic codes. None of the records contained credit card information. Records for a subset of 1.3 million patients also contained Social Security numbers.

The company contracted by the university to transport and store the tapes, Perpetual Storage Inc., said this is the first and only such incident in its 40-year history. It also said that the employee who left the tapes in his car had been with the company for nearly 18 years.

Nevertheless, the University of Utah Hospitals & Clinics has suspended deliveries of backup tapes to Perpetual Storage pending the review of all procedures and protocols for transporting and storing backup data.

Source - Business Wire



Interesting because it seems to be part of a Network Neutrality protest.

http://www.pogowasright.org/article.php?story=20080611052414289

Security breach at Belgacom exposed

Wednesday, June 11 2008 @ 05:24 AM EDT Contributed by: PrivacyNews News Section: Breaches

Belgacom, the largest Belgian ISP, admitted today that 2,000 of its ADSL accounts were compromised earlier this year.

The company discovered details of its subscribers posted on a webpage by hackers who weren’t happy with download limits on broadband internet connections.

... Belgacom didn't communicate the security breach to its users at large, apparently to avoid panic.

Source - The Register

[From the article:

"We sent postal letters [They used 'snail mail' rather than email – rather casual, wasn't it? Bob] to small groups of users since April and asked them to change passwords as a matter of precaution," Belgacom spokesperson Jan Margot told The Register. "The site was closed down immediately, and we haven't seen any abuse since then." [Translation: “We burned down the bank, and it hasn't been robbed since.” Bob]


Belgacom insists it is a minor issue. "We have 1 million ADSL users, it wasn't a big threat." [Do you know how many users were compromised? Will the hackers release 2,000 a day? Bob]



Last week HSBC was “featured” in two breach articles on the same day. Never thought that would happen again.

http://www.pogowasright.org/article.php?story=20080611052800723

HSBC customer data loss probed (update)

Wednesday, June 11 2008 @ 05:28 AM EDT Contributed by: PrivacyNews News Section: Breaches

The Monetary Authority is studying HSBC's report on the loss of a computer server containing customer data, and supervisory action may be taken if the bank has breached personal data protection guidelines, Secretary for Constitutional & Mainland Affairs Stephen Lam says.

The authority received HSBC's notification on May 2 concerning the loss of a computer server containing customer data on April 26. It ordered the bank to inform affected customers, boost personal data protection and submit an incident report.

Source - news.gov.hk



What does this mean? Perhaps it shows that crooks do try new and innovative ways to steal your money...

http://www.pogowasright.org/article.php?story=20080611053258228

Speaking of HSBC.... (Hannaford update)

Wednesday, June 11 2008 @ 05:32 AM EDT Contributed by: PrivacyNews News Section: Breaches

HSBC Card and Retail Services and HSBC Bank Nevada notified [pdf] the NH Dept. of Justice in April that they had discovered "irregular activity" on one of their Forget Login Password pages. When they investigated, they found it was due to the use of a script employed by unauthorized third parties.

Of particular interest, HSBC reports that "the accounts involved in this security incident had a 95 percent match rate with the accounts compromised by the third party Hannaford Brothers breach..."

HSBC did not indicate the total number of accounts affected.



“Don't ask, don't tell” is not a viable security management technique... “We didn't notice it for THREE YEARS!?!?”

http://www.pogowasright.org/article.php?story=20080610132334750

Thousands of UF students’ private records breached online

Tuesday, June 10 2008 @ 01:23 PM EDT Contributed by: PrivacyNews News Section: Breaches

The private records of 11,300 current and former University of Florida students — including names, addresses and Social Security numbers — were inadvertently made publicly accessible online.

The information was posted online between 2003 and 2005, but remained online because of an error until it was discovered during a recent routine audit, according to a UF news release.

Source - Jacksonville.com



This could be the outline of a great presentation for the White Hat club...

http://www.insidecrm.com/features/50-ways-take-control-data061008/

50 Ways to Take Back Control of Your Personal Data

Use these tips to avoid identity theft, financial loss and other crimes.

By Inside CRM Editors on June 10, 2008



Interesting statistics?

http://www.pogowasright.org/article.php?story=20080611051336761

CONSUMER PARTICIPATION: A Powerful Weapon in the Fight Against Identity Theft

Wednesday, June 11 2008 @ 05:13 AM EDT Contributed by: PrivacyNews News Section: Breaches

Debix has released a study on how consumer participation in Debix Identity Protection Network can reduce the risk of ID theft. From the report:

Background: This is the largest identity theft study ever published with 259,761 consumers participating. The majority of these consumers were recent victims of data breaches in which their name, address, Social Security number, and date of birth were compromised.

This study is not based on survey questions asked to a random sampling of consumers, but rather on the electronic audit trail of live consumer transactions processed by the Debix Network over a 90-day period. Debix analyzed 30,618 Instant Authorization™ requests processed between 10/1/2007 and 12/31/2007. Instant Authorizations are secure electronic authorization requests sent from institutions to consumers via phone.

Some of their key findings:

  • Out of the 30,618 authorization requests for new lines of credit, consumers stopped 380 reported attempts of identity theft.

  • The rate of new credit account fraud that occurred when consumers participated in the decision was 0.00%, which means there were no successful attacks. This compares to an expected fraud rate of 1.05% when banks open accounts without consumer participation (source: Javelin 2007).

  • Consumers reported four incidents of identity theft that occurred when the consumer was not invited to participate in the decision. Per the above assumption, this number is likely understated, as consumers may not discover the fraudulent account for many months or even years.

Report (requires free reg.)



Ignore Ignorance. Never listen to what the politicians claim a law is about – you have to actually read the words and think about it (something the politicians don't bother doing).

http://www.bespacific.com/mt/archives/018553.html

June 10, 2008

Working Paper: Do Data Breach Disclosure Laws Reduce Identity Theft?

Do Data Breach Disclosure Laws Reduce Identity Theft? Sasha Romanosky, Rahul Telang, Alessandro Acquisti, Heinz School of Public Policy and Management, Carnegie Mellon University

  • "Identity theft resulted in corporate and consumer losses of $56 billion dollars in 2005, with about 30% of known identity thefts caused by corporate data breaches. Many US states have responded by adopting data breach disclosure laws that require firms to notify consumers if their personal information has been lost or stolen. While the laws are expected to reduce losses, their full effects have yet to be empirically measured. We use a panel from the US Federal Trade Commission with state and time fixed-effects regression to estimate the impact of data breach disclosure laws on identity theft over the years 2002 to 2006. We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult. However, we appreciate that these laws may have other benefits such as reducing a victim’s average losses [That is the true benefit Bob] and improving a firm’s security and operational practices."



http://www.technewsworld.com/rsstory/63357.html

The Storm Worm's Elaborate Con Game

By Jack M. Germain TechNewsWorld 06/11/08 4:00 AM PT

Security researchers at Cisco's IronPort say they've pieced together the complex con operation behind the Storm Worm, a persistent Web threat. The botnet's purpose, they say, was essentially to act as a virtual dealer of prescription -- and often bogus -- medication, sometimes enlisting work-from-home employees who thought they were doing legitimate tasks.

... IronPort announced its discovery of an online criminal ecosystem [A new term of art? Bob] comprised of illegal pharmaceutical supply chain businesses that recruit botnets to send spam promoting their Web sites. By converting spam into high-value pharmaceutical purchases, these supply chain enterprises allow the monetization of spamming botnets, providing an enormous profit motivation for botnet attacks and continuous innovation. [See, it's all economics Bob]



This has some potential.

http://www.killerstartups.com/Social-Networking/capzles-com-rich-online-timelines/

Capzles.com - Rich Online Timelines

So what’s the latest in social networking? The trend seems to be capturing niche audiences and markets catering to everything from nanobots to crowdsourcing movies. One of the latest of these is called Capzles, which offers users the ability to create their own online time capsules and share them with the world. You can store pictures, videos, documents, music along with any other media file. Capzles offers a slick, entirely Flash-based interface that’s reminiscent of Apple’s Cover Flow. Files are organized in chronological order and you can scroll back and forth in time as you prefer. Find a file that piques your interest, and click on it for more information. You can rate each moment or file with up to five stars, add it to your Favorites, flag it or send it to a friend. And it’s absolutely free to use.

http://capzles.com/
