Sunday, January 04, 2009

Adding a second country to the complications of a Data Breach.

http://www.databreaches.net/?p=105

Stolen CreditTek laptop contained data on 68,857 DJO patients

January 3rd, 2009 by admin

When a Creditek, LLC employee went on vacation to the Bahamas, he took his work laptop with him. The laptop, which contained personal and medical information on 68,857 patients of orthopedic products supplier DJO, LLC, was stolen from the home in which the employee was staying.

According to a notification sent to New Hampshire’s Attorney General on December 12th, Creditek is a Pennsylvania firm that provides billing services for DJO. The laptop, which was stolen on November 14th:

… contained numerous files including some of our billing data regarding certain DJO patients such as: names, addresses, social security numbers, dates of birth, gender, dates of services rendered by DJO, diagnostic codes (and, in some cases, a brief description of the diagnosis), summary charges (reflecting the total retail value of services rendered), patient balances, insurance ID numbers, current payors, and, if the payor was an insurance company, the insurance plan identification numbers.

There was no mention in the notification as to whether there was any security on the laptop, and no copy of any notification letter to individuals was enclosed with the report. Affected patients are from across the U.S. and Puerto Rico.



Update: We heard of this one before?

http://www.databreaches.net/?p=226

Wyndham Hotel Group hacked

January 3rd, 2009 by admin

If you stayed at a Wyndham hotel, check your mail, because you may be getting a letter from the chain telling you of a hack that occurred months ago.

In a letter to the New Hampshire Attorney General dated December 23, Wyndham Hotels and Resorts updated a notification sent to states' attorneys general back in early October about a breach involving their data center in Phoenix. The date of the breach and date of discovery were not indicated in the follow-up letter, and the original notification to states' attorneys general is not currently available online.

In a letter to affected individuals, the chain writes:

As a result of unauthorized access to Wyndham systems, Wyndham has determined that your credit or debit card number, expiration date and possibly your name were compromised. Wyndham has taken numerous steps to protect your information since the discovery of this incident. In addition to terminating the unauthorized access, we revalidated our information security infrastructure to confirm that we maintain industry standard protections for customer data. In addition, we promptly notified law enforcement and each of the major payment card networks (American Express, Visa, MasterCard, and Discover). We also provided each of the payment card companies with the actual credit and debit card numbers that had been involved in the incident so that the payment card companies could take such action as they deemed appropriate to monitor the cards. We also notified the affected managed and franchised hotels so that they could take the appropriate action to ensure that their systems are properly investigated and secured.

In their notification to the states, Wyndham notes that “due to the nature of the breach, the names and addresses of the consumers were not readily available. Consequently, Wyndham contracted with a third party, Equifax, to provide a matching service for all current credit card numbers which we believe may have been compromised.”

Notification to those affected began on December 15, but because the matching process was not completed as of December 23, the company anticipated that it would still be sending out notifications “early in 2009.”

Wyndham did not indicate in its notification which hotels were affected or how many customers were affected. In its response to an inquiry, a spokesperson reported:

We are taking every step to ensure our guests’ information is protected and at the same time give them notice to watch their accounts. This affected a small number of guests at a small number of hotels.

Claiming confidentiality, the spokesperson declined to answer any further questions. A reliable source informs us that Wyndham has also tried to prevent its breach disclosure from being made publicly available on the web in at least one state’s breach list.

The chain is offering those affected one year of Equifax Credit Watch 3-in-1 Alerts and:

In addition, for a limited time we are offering a Preferred Customer Rate discount program for our customers who may have been impacted by this incident. You will receive a 20% discount on the room rate for any hotel stays with a Wyndham brand hotel when you make your reservations on or before March 31, 2009.



Is it possible to request that breach notices not be put online? Wyndham tried (see article above) but Merrill has more clout?

http://www.databreaches.net/?p=212

Five recent Merrill Lynch security breaches you probably didn’t know about

January 3rd, 2009 by admin

As if the financial sector wasn’t in enough of a tailspin recently, Merrill Lynch reported at least five security breaches during the last quarter of 2008. Reports filed by the firm with several states' attorneys general reveal that:

  • On September 3, the company reported a lost laptop containing personally identifiable information to New York State. That report is not currently available online.

  • On September 15, the company reported a stolen laptop to New York State. That report is also not currently available online.

  • On September 18, the company reported a stolen laptop to Maryland that contained names, addresses, dates of birth, and social security numbers. The report is not available online, and Merrill Lynch has not responded to two inquiries as to whether this was the same laptop reported to NYS or a separate incident.

  • On October 9, the company notified Maryland that an external hard drive was lost or stolen during transport to a facility. Information on the drive included clients’ names, social security numbers or tax ID numbers, dates of birth, addresses, phone numbers, email addresses, passport numbers, [foreign nationals? Bob] drivers license numbers, Merrill Lynch account numbers, loan information, insurance policy information, other financial account information, and online user credentials.

  • On December 16, the company notified New Hampshire of a stolen laptop containing personal information. The laptop, which was stolen from the firm’s Tacoma office on November 26, contained client information including name, Social Security number, address, telephone number and email address.

  • On December 29, the company notified New Hampshire that another laptop was stolen, this one from the home of a third-party contractor’s employee. The theft occurred early in December, and the laptop contained names and social security numbers of “a population of current and former Merrill Lynch Financial Advisors and some applicants for employment.” The laptop did not contain any additional personal or financial information, nor any client data.

The number of employees or clients affected by these breaches was not revealed, and Merrill Lynch has not responded to several requests for additional information.

Past Known Breaches

In 2007, Merrill Lynch reported two data losses to New Hampshire: a laptop stolen from a New York office that contained client information, and a storage device theft affecting 33,000 employees that was reported in the media. Two incidents reported to New York in 2006 were not reported in the media. One involved a laptop stolen from a third-party tax preparer that contained information on 300 individuals. The other involved a laptop stolen from an employee’s vehicle that contained client account data on 10,500 New York residents and 2,800 North Carolina residents; the total number of clients affected was not reported. Other breaches may have been reported to New York for 2007, but complete 2007 data from NYS have not yet been obtained.



Things go better with Coke? (PBG is in New York, so I suspect this could be a nation-wide breach)

http://www.databreaches.net/?p=131

Pepsi employee data on missing storage device

January 3rd, 2009 by admin

On December 23rd, Pepsi Bottling Group notified the New Hampshire Attorney General that:

During the week of December 8, the payroll department of The Pepsi Bottling Group (PBG) reported that it could not account for a portable data storage device, which contained unencrypted personal information, including the names and social security numbers of PBG employees in the US. Upon receiving the report of the missing device, the PBG security department conducted a thorough search for the device, but concluded it was lost.

Although the total number of affected employees was not provided in the report, 198 New Hampshire residents were affected. Information on the device also included the employees’ identification number and state of residence.

In an F.A.Q. sent to those affected, Pepsi indicated that a member of PBG’s payroll department had downloaded unencrypted personal information onto a portable data storage device in connection with an audit of payroll information. The F.A.Q. also indicated that although some of the files on the device were password protected, the employee information was in one or more files that were not password protected.

PBG has not responded to inquiries as to whether the situation violated any of its security policies.



The rise of the hacker as a tool of asymmetric cyber war? How do you counter attacks originating in cyber-cafes around the world?

http://news.cnet.com/8301-10787_3-10130633-60.html?part=rss&subj=news&tag=2547-1_3-0-5

Israeli news site down, blames cyber attack

Posted by Charles Cooper January 3, 2009 6:41 PM PST

First real war, now a cyber war? The Jerusalem-based Debkafile said it was temporarily put out of action Saturday evening by a cyber attack.

It's not clear whether this was a denial of service attack. Debka, which specializes in military and political analysis, sent out a note to subscribers that both its English and Hebrew sites had been under attack "since 19:00 local time." It did not get more specific and the site's publishers were not immediately available for comment.

The announcement took place in the shadow of the week-long conflict between Israel and Hamas. Earlier today, the Israel Defense Force sent its troops into Gaza in a move to smother missile fire.



Hey! It's free! (If you've been using a free service to interact with customers, you have some scrambling to do...)

http://tech.slashdot.org/article.pl?sid=09%2F01%2F03%2F203255&from=rss

Protection From Online Eviction?

Posted by kdawson on Saturday January 03, @05:01PM from the our-data-our-selves dept.

AOL has been shutting down its free Web services, in some cases with little or no notice to users, and they are not the only ones. This blog post on the coming "datapocalypse" makes the case that those who host Web content should be required to provide notice and access to data for a year, and be held strictly accountable the way landlords are before they can evict a tenant. Some commenters on the post argue that you get what you pay for with free Web services, and that users should be backing up their data anyway. What do you think, should there be required notice and access before online hosts take user data offline for good?



Does the contract make any guarantee that service quality will remain constant? (Sometimes you act like an evil monopoly even when you aren't, technically.) Comments make it seem most readers now expect this type of behavior from providers...

http://mobile.slashdot.org/article.pl?sid=09%2F01%2F03%2F1818206&from=rss

AT&T 3G Upgrades Degrade 2G Signal Strength

Posted by kdawson on Saturday January 03, @03:44PM from the cellphone-walks-into-a-bar dept.

Timothy R. Butler writes

"Much to the chagrin of owners of various 2G cell phones on AT&T Mobility's network, including the highly visible (and originally highly expensive) first-generation iPhone, we have discovered that AT&T has been quietly adjusting its network in ways that degrade 2G network performance as it has sought to build out its next-generation 3G network. Many of the phones affected, including BlackBerry devices, are still well within their two-year contract period."



Interesting idea. Not your normal search – looks at twits, blogs, etc. I found out that "privacy law in a nutshell" is available for the Kindle!

http://www.killerstartups.com/Web20/whostalking-com-see-who-s-saying-what

WhosTalking.com – See Who’s Saying What

http://www.whostalkin.com

Have you ever wanted to know what people are saying about you or your startup? If so, then you probably tried Twitter Search, Google, and other things of that nature. But, is there a tool that lets you quickly search through all that web chatter? Yes there is, and it’s called WhosTalkin.com. With this site, you’ll be able to keep track of what people are saying about any topic you can think of. The site uses 60 of the internet’s most popular sources of information to help you find that chatter about your startup you were looking for. I was impressed by how well thought out the site’s UI is. It’s easy to sort through all the information, as the menus slide up and down in order to reveal what information you’re looking for.

The selection of sources is top-notch, and should allow you to find everything people are saying about any topic, be it you, your startup, or even your favorite trumpet player.



Simple strategy: 1) attract really smart students. 2) exploit them.

http://yro.slashdot.org/article.pl?sid=09%2F01%2F03%2F2327255&from=rss

Universities Patenting More Student Ideas

Posted by kdawson on Sunday January 04, @04:23AM from the thanks-for-the-research dept.

theodp writes

"Working as a NASA intern, grad student Erez Lieberman had a eureka moment, resulting in an algorithm that detects whether a person is standing correctly or is off balance. Unfortunately, MIT liked it so much they decided to patent it. Seeking permission to use his own idea for his iShoe startup, which develops products like insoles to address the problems of seniors, Lieberman was told no problem — as long as he promised a hefty royalty and forked over a $75,000 upfront payment. Whether or not students are aware of it, the NYTimes reports that most universities own inventions created by students that were developed using a 'significant' amount of schools resources. Colleges and universities once obtained fewer than 250 patents a year, but that was before the Bayh-Dole Act gave them ownership of inventions developed through federally financed research. Now they acquire about 3,000 a year, and in 2006 licensing fees and equity in spinoff companies totaled at least $45B — research powerhouses like Stanford and NYU pocketed $61M and $157M, respectively."



This has potential. For my website students!

http://www.killerstartups.com/Video-Music-Photo/mashface-com-put-your-face-anywhere

MashFace.com – Put Your Face Anywhere

http://www.mashface.com

It’s a well known fact: people like to put their face on others’ bodies. Whether it be a body builder, Amy Winehouse, or a dog, it’s funny to see your face on someone else’s body. If that is something that draws your attention (and I assume it does, you’re only human) then you have to check out MashFace.com. With the site, you’ll be able to quickly put your face on any type of body you can think of. All you have to do is follow the simple 4 step process to get your pictures “mashed”. The site takes advantage of your computer’s video camera, allowing you to record mouth and eye movement. This adds a whole new level of depth to any “mashed” face you create.
