Sunday, June 15, 2008

PogoWasRight spent a couple of days at this conference, which explains the number of breach reports in today's blog. Looks (from the outlines) interesting, but the full papers are password protected!

http://www.pogowasright.org/article.php?story=20080614173321738

First Annual Privacy Law Scholars Conference

Saturday, June 14 2008 @ 05:33 PM EDT Contributed by: PrivacyNews News Section: Other Privacy News

Now that I've gotten news caught up, let me spend a minute talking about why the gap in coverage.

This past week, over 130 people met at the George Washington University Law School to attend the first annual Privacy Law Scholars Conference. The program, hosted by the Berkeley Center for Law & Technology and the GW Law School Intellectual Property Law Program, was organized by Dan Solove and Chris Hoofnagle.



Perspective on a third party breach...

http://www.pogowasright.org/article.php?story=20080614133711441

Stolen R. E. Moulton laptop held personal info on up to 19,000; over 2 months later, those affected still not notified

Saturday, June 14 2008 @ 01:56 PM EDT Contributed by: PrivacyNews News Section: Breaches

A burglary at R. E. Moulton's Texas regional office on March 7th resulted in the theft of a laptop computer containing names and Social Security numbers of up to 19,000 individuals, according to a report filed by the medical stop-loss insurance vendor with the New Hampshire Dept. of Justice.

R.E. Moulton is a OneAmerica Financial Partners company, and according to the report filed by Susan Caito, OneAmerica's Privacy Manager, the company had the data on the laptop because they receive requests for quotes on stop-loss insurance from either the individuals' employers or third parties. Neither the report to NH nor planned notification letter to those affected indicate whether there was any protection on the laptop at all.

In what will undoubtedly upset at least some of those affected, although those requesting the theft occurred March 7, the individuals themselves had still not been notified by R. E. Moulton as of May 23rd because the company does not have anyone's addresses [Interesting twist Bob] and only first notified the employers and third parties on May 5 -- almost two months after the theft. Caito reported that "we hope to start sending letters to the affected individuals in June."



Nothing new. Just another manager with no idea what his people are doing...

http://www.pogowasright.org/article.php?story=20080615074010412

CT: SSNs Posted On State Web Sites

Sunday, June 15 2008 @ 07:40 AM EDT Contributed by: PrivacyNews News Section: Breaches

For more than three years, the state Department of Administrative Services posted the Social Security numbers of individual contractors on a state Web site in violation of state law, exposing the state to lawsuits and monetary loss, according to a recently released state audit.

The audit also uncovered that the Social Security numbers of prospective nursing employees were accessible on an agency Web site for 19 months until a complaint was lodged. [So the auditors didn't find this one, they acted on a complaint... Bob]

Source - HartfordBusiness.com



Is this just a clever way to slip breach notification in under the radar? Note that the bank didn't notice the hackers...

http://www.pogowasright.org/article.php?story=20080614125814444

Fraudsters target area bank customers' information

Saturday, June 14 2008 @ 01:35 PM EDT Contributed by: PrivacyNews News Section: Breaches

High-tech thieves out to steal and misuse personal banking information have targeted area customers of 1st Source Bank and Grabill Bank within the last month.

In the case of 1st Source, hackers sought the information from the bank and caused a security breach, which will result in the reissue of debit cards.

In the case of Grabill Bank, thieves tried to trick personal information out of customers by impersonating bank officials.

Source - Business Weekly

[From the article:

At 1st Source, companies hired by the bank to track its computer systems [Not sure what “track” means in this context Bob] found a security breach in mid-May, said Larry Bauer, marketing vice president. The hackers appeared to be after personal bank account and Social Security numbers.



Interesting story? Shipping laptops from the hotel rather than carrying them through airport security?

http://www.pogowasright.org/article.php?story=20080614135602383

United Transportation Union Insurance Association laptops with personal info missing

Saturday, June 14 2008 @ 01:56 PM EDT Contributed by: PrivacyNews News Section: Breaches

On June 9, the United Transportation Union Insurance Association reported that during shipment of their laptops to their offices via UPS, two laptops that may have contained personal information including names and Social Security numbers went missing.

The report filed by Stu Collins, Director of Finance, did not indicate whether there was any security protection on the laptops, and those being notified were not offered any free credit monitoring services. Collins notes that the UTUIA had notified UPS and was working with the "hotel involved (Westin San Francisco)."



How many breaches does it take to establish a “reputation for carelessness?”

http://www.pogowasright.org/article.php?story=20080614140758732

Bearing Point reports a second stolen laptop

Saturday, June 14 2008 @ 02:07 PM EDT Contributed by: PrivacyNews News Section: Breaches

On June 6, Bearing Point reported that an employee's home was burglarized in Atlanta on May 14th, and a laptop containing names and Social Security numbers of independent contractors was stolen.

This was the second incident in as many months for Bearing Point. In the first incident, a laptop was stolen from an employee's vehicle.

As in the first theft, the data on the stolen laptop were reportedly secured by two passwords and two forms of authentication, and the data were not in a single file or spreadsheet.

The company intended to notify those affected on or before June 6, and offered them a year of free credit monitoring.



You can't keep a breach quiet. Your employees will rat you out (or the victims, or the state AGs, or someone). You better have a plan in place. Law Students: “How to plan for the inevitable ‘Privacy Breach Notification’” might make an interesting paper.

http://www.pogowasright.org/article.php?story=20080614145456827

More details emerge on stolen AT&T laptop

Saturday, June 14 2008 @ 02:54 PM EDT Contributed by: PrivacyNews News Section: Breaches

When an irate employee contacted PogoWasRight.org to report that a laptop containing personal information on AT&T management personnel had been stolen, PogoWasRight.org reported the theft and revealed the email and documentation provided to employees. An AT&T spokesperson, however, declined to provide any additional details such as the location of the theft or how many individuals were affected.

In its report [pdf] to the Maryland Attorney General's office, however, AT&T necessarily revealed some of the missing details. We now know that the laptop containing unencrypted names, Social Security numbers, and bonus payment or salary information on many employees was stolen from an employee's vehicle in San Antonio and that 886 employees in Maryland were affected.

AT&T did not reveal the total number affected in its report.


Related. More detail than the “minimum required” makes them seem like they actually care!

"The secret of acting is sincerity. If you can fake that, you've got it made." George Burns

http://www.pogowasright.org/article.php?story=20080614152828807

Altman Weil: SQL virus attack compromised customer credit card info

Saturday, June 14 2008 @ 03:28 PM EDT Contributed by: PrivacyNews News Section: Breaches

Altman Weil, Inc., a legal consulting firm, notified the Maryland Attorney General's Office on May 27th that the web host for their online store had informed them that their server had been infected by the SQL virus and customer credit card information may have been accessed.

The incident appears to be related to the massive surge in attacks reported a few weeks ago in Techworld and other security publications.

In her letter on behalf of Altman Weil, Pamela Woldow outlined all of the steps the company took after being notified of the problem. It makes for interesting reading for those interested in breach responses. What the company did not do, however, was offer affected customers free credit monitoring. Perhaps it's not quite the standard just yet, after all.


Too little information in your report can also have an impact. Quest will be getting a call from me, since my wife is a “client.” No doubt they will get a few (dozen? Hundred? Thousand?) more from clients who hear about the breach but don't have enough information to be sure they are not included.

http://www.phiprivacy.net/?p=472

Jun-14-2008

Quest Diagnostics laptop stolen

Quest Diagnostics has notified the Maryland Attorney General’s office that an employee’s password-protected laptop containing names, addresses, and Social Security numbers was stolen on May 1. The notification letter did not indicate the total number of individuals with data on the laptop, whether the data belonged to patients or employees, or whether the laptop was stolen from a vehicle, home, or other location. From the wording of the letter, however, it would appear to be patient data.

Quest is offering those affected free credit monitoring for one year.



Related (More for the cost figures in the article)

http://www.pogowasright.org/article.php?story=20080614171002256

Official: Dickson schools payroll data on stolen laptop

Saturday, June 14 2008 @ 05:10 PM EDT Contributed by: PrivacyNews News Section: Breaches

A laptop computer containing the Social Security numbers and payroll information of all the employees of the Dickson County school system has been stolen, and authorities are warning school officials to watch their bank accounts.

The theft occurred sometime between Friday afternoon and Monday morning, said Johnny Chandler, the county's new schools director.

Source - Tennessean.com Related - WSMV.com Props, The Breach Blog

[From the article:

A similar laptop theft sparked a huge controversy in Davidson County earlier this year. A laptop stolen during a break-in at the Metro Election Commission's offices last year contained the names, addresses and Social Security numbers of 337,000 registered voters.

Metro Police later got the Election Commission's laptop back and determined the information on it had not been accessed, but the whole episode cost Metro more than $800,000, including the cost of paying for credit protection for every voter who wanted it.



More on the cost of a single incident

http://www.pogowasright.org/article.php?story=200806150803128

OH: A year later, victims of state blunder still wary

Sunday, June 15 2008 @ 08:03 AM EDT Contributed by: PrivacyNews News Section: Breaches

Mark Niquette describes what changes have been made since a backup tape left in an intern's car last year was stolen. Some of the changes and costs incurred include:

  • Spending nearly $934,000 on SafeBoot software to encrypt sensitive data for more than 70,000 state laptops, personal computers and other data devices. The encryption process is expected to be completed by the end of this month.

  • Spending an $850,000 for Computrace service to track state laptops and other computers and to have the ability to delete sensitive information remotely.

  • Hiring a CISO for the state.

  • Reviewing and revamping policies and procedures.

  • Paying nearly $2.2 million to provide one year of free identity-theft monitoring for anyone affected.

Source - Columbus Dispatch



The flip side of an employee-reported breach is giving your laid-off employees the information required to commit identity theft.

http://www.pogowasright.org/article.php?story=20080614170556585

UK: Glaxo workers fear identity thefts after personal details revealed

Saturday, June 14 2008 @ 05:05 PM EDT Contributed by: PrivacyNews News Section: Breaches

GLAXO workers fear they will fall victim to fraudsters after their personal details were sent to all staff at the Ulverston site.

The emails contained information such as names, dates of birth, addresses, pensions, National Insurance numbers and, in some cases, redundancy [layoff Bob] payouts, of more than 500 employees.

A reliable source, who wishes to remain anonymous, says GSK staff from across south and west Cumbria are up in arms.

They fear the information has been sent out to all 110,000 employees in the UK and US.

Source - North-West Evening Mail Related - Fleetwood Weekly News Props, The Breach Blog

[From the article:

They fear the information has been sent out to all 110,000 employees in the UK and US. And some feel they could become victims of identity theft by cash-strapped workers facing redundancy.



Tools for Ubiquitous Surveillance (Something for the Hacking Club?)

http://digg.com/hardware/Not_Just_for_the_Military_Anymore_A_Look_at_DIY_UAV_s

Not Just for the Military Anymore, A Look at DIY UAV's

pbs.org — The unmanned, aerial vehicle (UAV) has been used by the Military for years but now the technology underlying the sophisticated unmanned aircraft is now so easily available and inexpensive that one of Silicon Valley's most influential figures is encouraging hobbyists to build and fly their own.

[Video: http://www.pbs.org/kcet/wiredscience/video/163-diy_uavs.html



I suspect this will become increasingly common – but it is the wrong approach. (Imagine a Columbine or Virginia Tech with all the phones locked away) Better to teach students some cell phone manners.

http://www.pogowasright.org/article.php?story=20080614162105635

Board passes cell phone policy

Saturday, June 14 2008 @ 04:21 PM EDT Contributed by: PrivacyNews News Section: Minors & Students

Students have no expectation of privacy [The school will wiretap? More likely, strip search Bob] if they use electronic devices such as cellular phones on school property under a new policy approved Thursday by United Local’s board of education.

The new policy states students must leave cell phones in their lockers during school hours.

“Students using electronic devices on school property and who are in violation of school policy by doing so do not hold any legitimate expectation of privacy with regard to the contents of their device,” [Oh. They strip search the phone! Bob] the policy states.

Source - SalemNews.net Props, Flying Hamster

[From the article:

Young said Thursday that according to established case law, schools only have to have “reasonable suspicion” to search the contents of an electronic device, not the more strict “probable cause,” which is required by law enforcement to search private property. The same principle applies to items stored inside lockers, he said.



What we need is a few gifted teachers – they could have figured a way to use gifted students to make the budget go farther... Statistical truth: Half the world is below average.

http://query.nytimes.com/gst/fullpage.html?res=9901E4D6173FF931A35750C0A9629C8B63

Schools, Facing Tight Budgets, Leave Gifted Programs Behind

By DIANA JEAN SCHEMO Published: March 2, 2004

... Struggling with shrinking revenues and new federal mandates that focus on improving the test scores of the lowest-achieving pupils, Mountain Grove and many other school districts across the country have turned to cutting programs for their most promising students.



Fighting for Network Neutrality (and consumers who paid for “unlimited Internet”)

http://tech.slashdot.org/article.pl?sid=08/06/14/1849234&from=rss

Google To Develop ISP Throttling Detector

Posted by timothy on Saturday June 14, @03:03PM from the if-choking-please-call-for-help dept. The Internet Google

bigwophh writes

"Google has been very vocal on its stance for net neutrality. Now, Richard Whitt — Senior Policy Director for Google — announces that Google will take an even more active role in the debate by arming consumers with the tools to determine first-hand if their broadband connections are being monkeyed with by their ISPs."



Dilbert explains IT layoffs

http://dilbert.com/strips/comic/2008-06-15/
