Wednesday, March 31, 2010

Local
http://www.databreaches.net/?p=10911
Letters tip off patients
March 30, 2010 by admin
Pierrette J. Shields reports:
Boulder Community Hospital officials are investigating anonymous letters sent to patients of a Lafayette clinic along with medical records that the sender claims were pulled from the trash.
A Longmont woman told the Times-Call she received the anonymous letter Monday with a page from her son’s medical records that included private medical information and her Social Security number.
Mary Iannotti, a spokeswoman for Boulder Community Hospital, said Monday afternoon that four patients of the Family Medical Associates clinic in Lafayette, which is affiliated with BCH, fielded four calls from patients who reported receiving the anonymous letters.
[...]
The woman said the record had handwritten notes on it as though it had been used as scrap paper and that the information included notes about other patients, including a DUI notation and that a family had suffered from swine flu.
The letter urges the recipient to report the incident as a potential federal violation of laws that require medical records to be kept private.
A post office box listed as the return address belongs to the Boulder Community Hospital Foundation.
Iannotti said the foundation is not involved.
Read more in the Longmont Times-Call.


Heartland data is still on the market…
http://www.databreaches.net/?p=10907
MidFlorida Credit Union Issuing New Cards
March 30, 2010 by admin
Kyle Kennedy reports that new fraud reports have emerged related to the Heartland Payment Systems breach disclosed in January 2009 and that a credit union is now replacing additional cards:
Some MidFlorida Credit Union members are getting new debit cards because of a fraud risk.
Kathy Britt, chief operations officer for Lakeland-based MidFlorida, said the firm is issuing 12,000 new debit cards after recent fraud attempts stemming from a previous data breach at Heartland Payment Systems.
[...]
MidFlorida issued new cards to about 5,000 of its members last year and is now sending out 12,000 new cards following recent fraud attempts on cards involved in the Heartland breach, Britt said.
The credit union has about 80,000 debit card holders.
Read more in The Ledger.


Is forced disclosure better for your corporate reputation?
http://www.databreaches.net/?p=10891
Outed by judge, Wet Seal reveals 2008 breach
March 30, 2010 by admin
After being outed by a Massachusetts judge who felt that the retailer should have disclosed the incident in 2008, Wet Seal subsequently issued a statement acknowledging that they had a security breach that involved the hacking ring led by Albert Gonzalez.
According to Wet Seal’s statement:
In May 2008, we became aware that a criminal group obtained unauthorized access to our information systems in an attempt to steal credit and debit card data of our customers. Through an investigation led by an independent, third-party computer forensics firm, and corroborated by members of the U.S. Secret Service and U.S. Department of Justice who led the government’s prosecution of Mr. Gonzalez, we found no evidence to indicate that any customer credit or debit card data or other personally identifiable information was taken. In working with the major credit card processing agencies, we also have identified no instances of credit card fraud to suggest that any such data was taken.
Not revealed in their statement is whether Wet Seal discovered the breach themselves or were informed by federal investigators. And while the retailer pats itself on the back for responding promptly once they found out, it seems that they simply lucked out, as the indictment of Gonzalez in the New Jersey case indicated that:
In or about January 2008, Company B was the victim of a SQL Injection Attack that resulted in the placement of malware on its network.
In or about January 2008, over an internet messaging service, GONZALEZ sent P.T. a SQL Injection String that was used to penetrate Company B’s computer network (the “Company B SQL String”). The Company B SQL String was programmed to direct data to Hacking Platforms, including the ESTHOST Server and the Ukranian Server.
[...]
On or about April 22, 2008, GONZALEZ modified a file on the Ukranian Server that contained computer log data stolen from Company B’s computer network.
[...]
Between in or after March 2007 and in or about May 2008, GONZALEZ participated in a discussion over an internet messaging service in which one of the participants stated “core still hasn’t downloaded that [Company B] sh-t.”
From the above, it seems that at any point between January 2008 and May 2008, Gonzalez and his fellow hackers could have downloaded Wet Seal customer data and it is only a matter of Wet Seal’s good fortune that the hackers hadn’t gotten around to it before Wet Seal found out about the breach and secured their server.
Why Wet Seal felt that they were entitled to victim status and that their reputation and privacy should be respected escapes me, as it seems evident that their customers were lucky but still entitled to know that the retailer’s system had been breached. Maybe not entitled by law, but entitled.


Always the first question.
http://news.cnet.com/8301-13505_3-10471583-16.html?part=rss&subj=news&tag=2547-1_3-0-20
When will cloud computing start raining cash?
by Matt Asay March 30, 2010 8:24 AM PDT


May not be a useful precedent; after all, this is strange, even for New Jersey!
http://www.bespacific.com/mt/archives/023889.html
March 30, 2010
New Jersey Supreme Court Rules in Favor of Employee Email Privacy
EPIC: "The New Jersey Supreme Court ruled in favor of a female employee whose employer read emails that she sent while using Yahoo Mail on a company-owned laptop. The employee, Marina Stengart, had exchanged emails with her attorney regarding a possible discrimination lawsuit against the employer. The employer then pulled the emails off of the laptop's hard drive and used them to prepare a defense to the discrimination suit. The New Jersey Supreme Court found that 'Under the circumstances, Stengart could reasonably expect that e-mail communications with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them.' The Supreme Court of the United States is set to consider employee privacy in City of Ontario v. Quon, in which EPIC submitted a 'friend of the court brief.'"


Die SCO, die! (The end of the “case that would not die?”)
http://linux.slashdot.org/article.pl?sid=10/03/30/1951242
Novell Wins vs. SCO
Posted by CmdrTaco on Tuesday March 30, @04:20PM
Aim Here writes
"According to Novell's website, and the Salt Lake Tribune, the jury in the SCO v. Novell trial has returned a verdict: Novell owns the Unix copyrights. This also means that SCO's case against IBM must surely collapse too, and likely the now bankrupt SCO group itself. It's taken 7 years, but the US court system has eventually done the right thing ..."
No doubt this is the last we will ever hear of any of this.


I love lists. I love free stuff. I really like lists of free stuff.
http://www.pcmag.com/article2/0,2817,2361876,00.asp
The Best Free Software of 2010
03.30.10
Get what you DON'T pay for: Here are 196 programs that cost nothing but will make your computing life richer—all while keeping your wallet fat.
