Less than half the size of the VA laptop theft, but proof that the lesson was not learned...
Missing: Laptop with 8.6million medical records
By Dissent, June 14, 2011
Mike Sullivan reports on a huge data breach in the UK:
A laptop holding the medical records of eight MILLION patients has gone missing.
The computer vanished from an NHS building in the biggest-ever security breach of its kind.
It went missing three weeks ago but has only just been reported to police.
The unencrypted laptop contains sensitive details of 8.63 million people plus records of 18 million hospital visits, operations and procedures.
The data does not include names but patients could be identified from postcodes and details such as gender, age and ethnic origin.
The computer was one of 20 lost from a store room at London Health Programmes, a medical research organisation based at the NHS North Central London health authority.
Eight have been recovered but a search is still being carried out for the other 12.
Though the loss was reported as a theft it is not yet clear if the laptops, said to be worth £10,000 each, were stolen, mislaid or dumped. [Where were the recovered laptops found? Bob]
The records include details of cancer, HIV, mental illness and abortions.
A source said: “This laptop would be a devastating tool in the hands of a blackmailer.”
Police were said to be “dismayed” that the loss – which is also being probed by the Information Commissioner – was not reported earlier.
Sourcee: The Sun
So what will the ICO do with this one? The fact that they’re not sure what happened to the laptop is troubling, as is the issue of why the data were not encrypted (I assume they’re not or that would have been mentioned).
Update: The ICO issued this statement:
“Any allegation that sensitive personal information has been compromised is concerning and we will now make enquiries to establish the full facts of this alleged data breach.”
[From the article:
Releasing the withheld information could “tip off” the thief to the significance of the information on the computer, he said.
South Carolina Press Association Executive Director Bill Rogers called that logic “bogus.”
“How is that going to compromise anything other than embarrass the hospital a little bit?” he asked. “It’s nothing that the criminal doesn’t already know.
… Rogers said that under the state Freedom of Information Act, withholding victims’ names from incident reports is acceptable only in cases involving sex crimes or when the victim is a juvenile.
Discovered at the end of March. Every patient is probably (at least) concerned, why not release more information? Indications are the laptop was not encrypted.
Spartanburg hospital, police keeping quiet on details of stolen laptop investigation
By Dissent, June 14, 2011
Stephen Largen provides an update on a breach mentioned previously on this blog:
Spartanburg Regional Healthcare System and the Spartanburg County Sheriff’s Office are keeping many of the details of an ongoing investigation into a stolen laptop computer secret from the public.
The laptop was reported stolen from an SRHS employee’s vehicle in late March and compromised the personal and medical billing information of an undisclosed number of patients.
SRHS waited until May 27 to inform affected patients of the breach.
SRHS has refused to disclose how many patients had information on the stolen computer, and numerous callers to the Herald-Journal have expressed frustration with the lack of information released by the health care system.
Read more on GoUpstate.com,
I still do not see this incident on HHS’s breach tool, so either they have delayed reporting or the incident affected less than 500 people. I guess we’ll have to wait to see but since they already notified patients, I would think that they should have been able to notify HHS without compromising any investigation into the theft.
For additional links to media coverage on this breach, see the reference links in the entry in DataLossDB.org.
Is this the answer we will see for companies which don't implement encryption?
http://news.cnet.com/8301-30685_3-20071239-264/chrome-encrypts-gmail-whether-you-want-it-or-not/
Chrome encrypts Gmail whether you want it or not
This is fast becoming the 'crime of choice.' Apparently it is quite simple to execute and conversion (getting your hands on cash) is easy and relatively risk free.
http://www.databreaches.net/?p=18890
Update: Cleveland debit card spree getting bigger as more than 1 dozen banks, credit unions affected
June 14, 2011 by admin
More on a breach reported previously on this blog, from Teresa Dixon Murray of the Plain Dealer, who has been all over this breach for the past few weeks:
The local debit card fraud breach that was discovered last month is much wider than first realized, striking just about every major bank in the area and some of the biggest credit unions across Northeast Ohio.
At least eight banks — Key, Dollar Bank, Fifth Third, PNC, Huntington, Charter One, Ohio Savings and FirstMerit — are now known to be affected by the breach, a Plain Dealer review of dozens of police reports show.
And more than half a dozen credit unions — including Century Federal Credit Union, whose members include the Cleveland Clinic and Cavs/Quicken Loans — were also hit.
[...]
Coniglio said his credit union has tallied about 200 customers whose accounts were hit.
[...]
North Olmsted Police Department logged about 20 reports of debit card abuse in the last few weeks. Middleburg Heights has some three dozen reports.
No one knows, or is saying, exactly how widespread the breach is. Most of the large banks contacted would not or could not specify how many debit fraud complaints they’ve had related to this case. However, Charter One did say it had at least 50 fraud complaints connected to one west side restaurant, which was originally thought to be the source of the breach.
Read more on Cleveland Plain Dealer.
Defining CyberWar
http://online.wsj.com/article/SB10001424052702304259304576373391101828876.html
China's Cyberassault on America
If we discovered Chinese explosives laid throughout our national electrical system, we'd consider it an act of war. China's digital bombs pose as grave a threat.
“It's so simple, even a caveman can do it!” So imagine how simple it is for an App to do it... Another indication that users consider security to be an annoyance rather than a benefit?
The Most Common iPhone Passcodes
"The problem of poor passwords is not confined to computer use, and that fact was illustrated by an app developer who has added code to capture user passcodes to one of its applications. 'Because Big Brother's [the app in question] passcode setup screen and lock screen are nearly identical to those of the actual iPhone passcode lock, I figured that the collected information would closely correlate with actual iPhone passcodes,' says Daniel Amitay. It turns out that of the 204,508 recorded passcodes, 15% were one of the most common ten."
Moving credit card processes into the Cloud. Should be a useful perspective...
PCI council publishes additional virtualization guidance
… The additional guidance published on Tuesday examines the different classes of virtualization seen in payment environments and explains them. These classes include virtualized operating systems, as well as hardware, platforms, and networks. The system components that constitute these virtual systems, and PCI DSS scoping information for each one, are also addressed.
Moreover, practical methods and concepts for deployment, including suggestions for controls, recommendations for mixed-mode and cloud-based environments, and risk assessment are covered as well.
The supplement also includes an appendix that provides examples of virtualization implications for specific PCI DSS requirements and suggested best practices for addressing them.
Interesting in that we are starting to see the rules for “crowdsourced surveillance” There are more cameras than employees to monitor them, so this type of business has potential – if the rules don't kill it.
http://www.pogowasright.org/?p=23394
CCTV website rapped on privacy
June 14, 2011 by Dissent
From Wire News Services:
A website set up to allow the public to report crime seen via CCTV footage has been forced to make significant changes to the way it operates.
Internet Eyes offers rewards of up to £1000 for crimes such as shoplifting seen via live CCTV footage streamed to the homes of members.
The Information Commissioner’s Office (ICO) demanded changes after footage from the service was found on YouTube.
Images transferred over the internet must now be encrypted. The firm must also carry out checks on registered viewers and audit which viewers are watching which clips.
By July the firm must also ensure that no viewer can access footage from cameras located within a 30 mile radius of the viewer’s location.
Read more on Herald de Paris.
Speaking of surveillance...
http://news.cnet.com/8301-31921_3-20070742-281/exclusive-googles-web-mapping-can-track-your-phone/
Exclusive: Google's Web mapping can track your phone
… Android phones with location services enabled regularly beam the unique hardware IDs of nearby Wi-Fi devices back to Google, a similar practice followed by Microsoft, Apple, and Skyhook Wireless as part of each company's effort to map the street addresses of access points and routers around the globe. That benefits users by helping their mobile devices determine locations faster then they could with GPS alone.
Only Google and Skyhook Wireless, however, make their location databases linking hardware IDs to street addresses publicly available on the Internet, which raises novel privacy concerns when the IDs they're tracking are mobile. If someone knows your hardware ID, he may be able to find a physical address that the companies associate with you--even if you never intended it to become public.
This will be huge! (If it upheld on appeal)
http://www.databreaches.net/?p=18885
Judge: Comerica must pay company hit in phishing attack
June 14, 2011 by admin
David Ashenfelter reports on a ruling in a case with potentially huge implications, EMI v. Comerica (past coverage):
Comerica bank must reimburse a Sterling Heights sheet metal company $561,000 it lost in an Internet phishing attack, a federal judge has ruled in what may be the first such case nationally to be tried to a verdict.
U.S. District Judge Patrick Duggan said the bank should have detected and stopped the fraudulent activity against Experi-Metal shortly after it began in January 2009.
The company’s lawyer, Richard Tomlinson of Troy, said he was elated by Monday’s ruling.
Read more on Detroit Free Press.
[From the article:
The 2009 attack occurred after Experi-Metal’s controller unwittingly typed in the company’s password to its bank accounts in response to what he thought was a request from Comerica.
In the hours that followed, an unknown Internet fraudster initiated 97 wire transfers totaling $1.9 million from Experi-Metal’s accounts to destinations overseas. The theft was discovered by another bank which alerted Comerica, which recovered all but $561,000.
This is hugely confusing. Perhaps some wise and kindly law professor will explain the logic to me?
http://www.wired.com/threatlevel/2011/06/student-online-speech/
Schools May Punish Students for Off-Campus, Online Speech
Global Cooling! Global Cooling! (Sorry, I can't help finding these stories...)
Big Drop In Solar Activity Could Cool Earth
"Scientists say the Sun, which roils with flares and electromagnetic energy every 11 years or so, could go into virtual hibernation after the current cycle of high activity, reducing temperatures on Earth. As the current sunspot cycle, Cycle 24, begins to ramp up toward maximum, scientists from the National Solar Observatory and the Air Force Research Laboratory independently found that the Sun's interior, visible surface, and corona indicate the next 11-year solar sunspot cycle, Cycle 25, will be greatly reduced or may not happen at all."
A useful list... and I love lists.
http://www.makeuseof.com/tag/top-10-howto-youtube-video-channels/
The Top 10 Best How-To YouTube Video Channels
No comments:
Post a Comment