Last Updated: Nov 17th, 2008 - 12:30:30
ID Theft Alerts
Express Extortion?
A New "Script" in the ID Theft Game
In what is an astonishingly brazen move, a hacker or sophisticated hacker group sent an extortion letter to Express Scripts, one of the largest pharmacy benefits management companies in North America, threatening to expose millions of the company's patients' information, including names, social security numbers, addresses, birthdates and even some prescription information, if they were not paid.
Express Scripts handles the pharmacy benefit plans for many major corporations, insurance carriers and more, so the volume of information that may (or may not) be available to be posted could be staggering.
Nov 17, 2008, 12:00
ID Theft Alerts
A California Paradox
A California Paradox...
Well, new quarter, new articles, same old happenings it seems.
California is a state with one of the (supposedly) most stringent data breach laws in the country. One would think, then, that the result would be a lower rate of ID thefts, breaches, etc. One would be wrong. Very wrong. In a report published by the FTC, one location in California is the "ID Theft Capital" of the country. Yes, that's right: one place in the land of the harshest penalties for breaches is the worst place to whip out your credit card, ID, checkbook or other identifying generator of personal information. The California paradox.
Oct 28, 2008, 15:00
ID Theft Alerts
Computers with feet....A Quick Reality Check on Breach Prevention!
Computers with Feet...
So, after a long hiatus and a little R and R time, I'm back. And it would be nice to say that "all's quiet on the western front" but, no, quiet is not how I'd describe it. Rather than go into minute detail on each and every one of the breaches (UMass, Central Connecticut State, University of Colorado), ID problems (Chrysler Financial) and stolen computer equipment (like at Staten Island University Hospital or, bigger still, CollegeInvest's missing drive), I thought I'd begin writing about HOW some of this could be prevented.
May 7, 2008, 11:47
ID Theft Alerts
More than Groceries....
Went for Groceries, Got Taken for a Ride.
Following last year's TJ MAXX fiasco, where millions of credit card numbers were stolen by hackers, one would have thought that those who accept credit cards (read: every major retailer!) would have completed a security audit and ensured that they would not be the NEXT "TJ MAXX". And everyone knows what we mean by that. Unfortunately, one would be wrong. VERY WRONG, as it turns out. Delhaize SA, owner of the Hannaford and Sweetbay grocery stores in the Northeast and South respectively, announced a "breach" that occurred DURING credit card processing, impacting potentially millions of customers. WBZ Boston announced the number as 4 million affected customers, but Delhaize has not released "solid" numbers.
Mar 18, 2008, 11:44
ID Theft Alerts
Hackers Hit Harvard
Hackers Hit Harvard Hard. University Administrators Need to Go Back to Class
And learn the latest anti-hacking and personal information security techniques. I've been down for the count for a few days, and lots has happened! I'll be updating the blog as soon as possible, but wanted to get this "hot off the presses" information out.
Mar 13, 2008, 10:26
ID Theft Alerts
Systematic....Problem?
Quick Update:
This one is worthy of an update, and I'll continue to add to it as the breadth of this little "oops" continues to become clear. The City of Torrance, CA has now identified its school district employees as being among the "affected". I'll tell them to head straight to the bottom sentence, the one that includes "make a huge stink." Since "discovery" continues (ok, quick tangent here: why can't they even say WHAT was on those hard drives? Isn't there a backup somewhere that can be looked at and a list of affected parties notified?), we will update this story as more comes out.
Seems Like a Systematic Problem...
Ok, so that pun is even worse than a few of the others I've used... but I suspect you'll agree with me that it fits after you read this one!
Systematic Automation is a benefits automation/plan manager for a large number of public employees, including many school districts, public utilities and more, many in California. THREE, yes, you read that right, 3, separate sets of employees are now being warned that in a "smash and grab" burglary, a hard drive (and three monitors, but those don't have information on them!) containing the personal information of the employees of the Clovis Unified School District, Modesto School District and the LA Department of Water and Power was "stolen". The drive contained the name, address, social security number, health insurance information, salary information and more on current employees as well as those who retired between January of 2006 and now. In LA, the district is paying for a year's worth of credit monitoring and insurance; information from the other districts will be updated as we learn more. There has been no comment from Systematic Automation, but we here at the blog might make a teeny suggestion: Beef up that security.
On the plus side, the districts tell us that the information sent to Systematic Automation is "encrypted"; on the not-so-plus side, Systematic Automation has not indicated whether, in "automating" the process, setting up accounts and otherwise "managing" this, they KEPT the information in encrypted form. Based on certain districts' fear and reactions, we are inclined to believe that the answer is no.
Ok, call me a skeptic, but any time lately I hear about a "burglary" from a firm that it would not be too hard to figure out has all kinds of neat information on people (like, say, names, addresses and social security numbers!) I get a little suspicious. Seems a little too convenient that the "smash and grab" didn't "grab" more, or "grab" from other locations. Unfortunately, these sorts of "plan management" firms OUGHT to know that they are just big fat targets, and take extra precautions. Now maybe I'm just overly negative on the state of humankind, but with the number of people out there willing to pay BIG BUCKS for just this sort of juicy information, doesn't it at least raise a few eyebrows when there's a "loss"? Beyond my skepticism, how do you "smash and grab" an office? I mean, isn't most stuff locked up, and shouldn't hard drives be especially locked? And back to my skeptical side, who would have taken just hard drives but someone who thought something good was on them? I mean, nobody follows Britney Spears's sister around hoping for a picture of Britney; they go after the girl herself. Same goes here. You're a random thief, you grab whatever you can get. You're someone on a mission, well, you're a little more particular.
Ok, so if you're all waiting for my rant, I'm only going to say it once. LOCK things up people! This information is VALUABLE (not to mention personal) and like Pandora's box, once it's out, it's pretty darn hard to put away. So the goal would be to keep it PERSONAL. It's not that hard, and certainly should be written into ANY contract.
The LA Water Department Union, who opposed the "outsourcing" of the work in the first place, wants penalties on Systematic Automation - and, given that the information was at headquarters for years without problems (locked and encrypted!), wants the outsourcing contract terminated. Hard to disagree with that position isn't it?
If you are one of the affected or possibly affected, contact your plan administrator or local Human Resources coordinator. Watch your bills, credit reports, etc. and make a huge stink if something shows up that shouldn't. Accidents can happen to anyone; negligence demands action.
So there....until next time.
Feb 21, 2008, 13:32
ID Theft Alerts
Personal Information and File Sharing Sites; The Lexmark Saga
Personal Information and File Sharing Sites...Bad Combination
WAVE TV in Louisville, KY, obtained a letter sent to current and former Lexmark employees (one hasn't worked there in more than 10 years!!!) stating that their personal information was "inadvertently" placed on a file sharing site, which was subsequently accessed by two IP addresses and as-yet unidentified "owners". The information apparently contained names, addresses and social security numbers, although in the typical cagey way of PR folk, the Lexmark spokesperson "declined" to elaborate on exactly what information was "inadvertently" shared. Well, heck, I'm thinking that most of those affected would have "declined" that honor if given the choice.
The news channel reports that Lexmark has identified two IP addresses as having "accessed" the information, although until the ISP provides the names etc. of those parties (can you say "subpoena"?) it is impossible to know why it was accessed and what, if anything, was utilized. (I mean, it could be a "whoo hoo, look what Bill made last year" scenario, or it could be far more sinister, and some of these people could suddenly be buying minks in Minsk.) Lexmark is offering the "affected" a year of credit monitoring and ID theft insurance.
Ok, let's pick this carcass some. First problem, and it's the biggie. How does this sort of information "inadvertently" end up on a file sharing network? I mean, did some former (and highly disgruntled) employee "inadvertently" do this to get even with the boss/management team that canned him/her? How could this happen? Obviously the information in question should (and I say should because Lexmark isn't sharing which group owned the information) have been "owned" and managed by HR/Personnel. Since when does Personnel have access to file sharing sites external to the company? (Let's lock that little gate right now, shall we?) In most companies, file sharing sites are a no-no. A BIG no-no. In the TV report, there was no indication that this was a "policy violation", but it sure should have been.
Next big question: Why is Lexmark still holding onto personal information of employees who departed the company MORE than a decade ago? Last we here at the blog checked, the LONGEST that sort of information needed to be held was ten years, and in most cases it is only seven. Strikes me that perhaps Lexmark needs a Data Retention Plan. One that includes a whole section on "automatic destruction", where they toss, in a secure way, data that is no longer legally required to be saved. The "number of affected" probably would be a lot less if anyone who hadn't crossed Lexmark's threshold in seven years or more had been removed from the system. This is easy-to-do stuff, guys, and certainly your HR department should be taking care of it. Them or your compliance office...
Our advice to the "affected": Get to the bottom of this. Find out who did it and why. Make the company find out who "accessed" the information (get those corporate lawyers into court and get subpoenas to find out who did what when) so that you can determine whether the "one year" of both insurance and credit monitoring is ANYWHERE near sufficient. Until you know the whos and whys, there's no way to tell. Be loud if you have to, but don't let it slide. Oh, and if you haven't worked there in years, find out why they haven't removed your "personal information" (or personnel information!) from the system yet. Can't lose what you don't have. Why did they still have it?
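What an "automatic destruction" step in a retention plan looks like in practice, as an added example (this is not Lexmark's code, and the seven-year retention period, the record layout and the sample employees are all assumptions made for illustration): records of former employees are purged once their separation date is older than the retention period, current employees are never touched, and the audit log the purge writes shows only the last four digits of the social security number so the cleanup does not create a fresh copy of the very data being removed.

```python
"""Added example: retention-driven purge of former-employee records.
Constructed sample data; not Lexmark's code or policy."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumption: records expire seven years after separation. The page says
# most cases need seven years and the longest is ten, so keep this as one
# configurable policy value rather than scattering numbers through the code.
RETENTION_YEARS = 7


@dataclass(frozen=True)
class EmployeeRecord:
    name: str
    ssn: str                          # digits only, e.g. "123456789"
    separation_date: Optional[date]   # None means still employed


def mask_ssn(ssn: str) -> str:
    """Return a display form showing only the last four digits.
    The full value is never written to the audit log."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must have exactly nine digits")
    return "***-**-" + digits[-4:]


def _add_years(d: date, years: int) -> date:
    """Advance d by whole years; Feb 29 rolls back to Feb 28 when the
    target year is not a leap year (date.replace would raise otherwise)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def is_past_retention(rec: EmployeeRecord, today: date,
                      years: int = RETENTION_YEARS) -> bool:
    """True once the retention clock has run out. Current employees
    (no separation date) never expire."""
    if rec.separation_date is None:
        return False
    return today >= _add_years(rec.separation_date, years)


def purge_expired(records: List[EmployeeRecord], today: date,
                  years: int = RETENTION_YEARS
                  ) -> Tuple[List[EmployeeRecord], List[str]]:
    """Split records into (kept, audit_log). The audit line for each purged
    record carries the masked SSN only."""
    kept: List[EmployeeRecord] = []
    audit: List[str] = []
    for rec in records:
        if is_past_retention(rec, today, years):
            audit.append(
                f"purged {rec.name} ({mask_ssn(rec.ssn)}), "
                f"separated {rec.separation_date.isoformat()}")
        else:
            kept.append(rec)
    return kept, audit


# Constructed sample data: fictitious names and SSNs.
SAMPLE = [
    EmployeeRecord("Current Employee", "123456789", None),
    EmployeeRecord("Left Three Years Ago", "987654321", date(2005, 2, 18)),
    EmployeeRecord("Left Eleven Years Ago", "555443333", date(1997, 2, 18)),
    EmployeeRecord("Leap Day Leaver", "111223333", date(2000, 2, 29)),
]

if __name__ == "__main__":
    kept_records, audit_log = purge_expired(SAMPLE, date(2008, 2, 18))
    print(f"{len(kept_records)} records kept, {len(audit_log)} purged")
    for line in audit_log:
        print(line)
```

Run against the sample with today set to the date of this post, the two employees who left more than seven years ago are purged (including the one whose separation fell on a leap day), the recent leaver and the current employee stay, and the log never contains a full SSN. The same `is_past_retention` check can be scheduled to run on the HR system nightly; the point is that the decision is made by policy, not by whoever happens to remember.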
The WAVE channel 3 report is here.
Feb 18, 2008, 11:39
ID Theft Alerts
Lifeblood Laptops in LaLa Land
The Laptop is their Lifeblood...
Ok, that pun is terrible. But what's worse is this morning's report from Lifeblood, the "bloodmobile" unit of MidSouth Regional Blood Center, that two of its laptops are presumed missing, along with the personal information of 320,000 donors. Ok, you got me, what exactly does "presumed" mean? Does it mean "we know it's stolen but this sounds better"? Or does it mean "we're really disorganized and it could be here somewhere... someone might be using them for bookends"? Neither scenario is particularly attractive.
According to the Lifeblood letter that its customers will be receiving, the "dual password protected" laptops (oh goody, the thief will have to complete TWO steps to get the information!) are "presumed" stolen. Both were used in the "mobile blood collection" units, and they contained donor information, including names, race, gender, DOB, addresses, social security numbers (in some cases, although those "cases" are a mystery!) and other "personally identifying information."
Lifeblood is recommending that affected donors put a "fraud alert" on their credit report.
If you are an "affected donor" I would recommend that you demand some credit monitoring, as well as some additional protection, and make a stink if you have to. (Hint: Local media loves to talk about companies behaving badly!) Then watch for any information and *should* something happen, make an EVEN BIGGER stink. But that's just me. Wink. Wink.
Lifeblood has also announced that it has implemented several new technologies to "protect donor information going forward", including adding tracking devices to laptops, adding software that prevents display and download of entire social security numbers, as well as automatic disk "washing" software. Cold comfort to the 320,000 impacted donors. Also akin, as my grandfather would say, to "closing the barn door after the horse gets out." I can only hope that someone else might learn from this pain, but so far it seems not to be the case.
Now I'll stand on my soapbox! Laptops are light, easy to conceal and easier to hock. And if hocking isn't in the cards, steal the right laptop and they can be extremely lucrative on the black market. So, ENCRYPT everything. (Remember, for $200 you can PGP everything!) LOCK THEM UP. TIE THEM DOWN. TRACK THEIR WHEREABOUTS. We put microchips in our dogs, but we let laptops wander. We take our cellphones but leave our laptops in cars... Let's fix this. Make it harder for the next "lightfingers Louie" to get his hands on it.
As an aside, I'm becoming a fan of that "blow up the laptop" software I hear about, that renders a laptop useless (i.e., blows up everything on it), although I've little experience with it.
I'll keep you all updated on this one.
Feb 14, 2008, 12:07
ID Theft Alerts
One Thief. 37,000 Accounts. Pass the Aspirin!
One Employee, 37000 Accounts, Lots of Headaches.
Tenet Healthcare, which operates hospitals nationwide, is advising customers who "may have been affected" by mail, after one of its employees was caught (red-handed, so to speak) attempting to use the personal information of a Tenet customer that he "spirited" out of the building he worked in, at a Costco in Arlington, TX.
It seems one Terrence Brooks (who Tenet says "passed a background check") worked for the billing center of Tenet, located in Frisco, Texas. He would also seem to have been the type to "borrow things from work, they'll never know". Only he didn't borrow a few notebooks or a stapler; he copped the personal information of people, including names, addresses, socials... When caught, he was attempting to open a charge account in someone else's name. He was promptly arrested when a "savvy" employee called the police.
The "Island Packet" of Hilton Head Island, SC, lists Hilton Head Hospital and Coastal Carolina Medical Center as two hospitals where there may be victims. Tenet claims that only roughly 90 people are affected, although there is no explanation for where that number came from. Mr. Brooks had access to 37,000 accounts, which Tenet says is "less than 1% of its customers" (I'm sure that makes those 37,000 feel *really* good.)
I have so many questions I'm not sure where to start. First, I guess, is WHY does ONE yahoo have access to 37,000 accounts? Or, more importantly, why does that same yahoo have access to SO MUCH personal information. Shouldn't it be limited? How did he get the information out of the building? What sort of monitoring procedures are there? And suppose this particular yahoo had been a few IQ points higher, and rather than risk being caught red-handed, simply sold the information to a shadowy information broker who sold it worldwide? I get a headache thinking about everything that's wrong here. {sigh}
I couldn't find anything on Tenet's website about it, but the Island Packet article is here.
Tenet is paying for credit monitoring for the "affected".
Oh, and the background check: maybe it should have been more detailed. When apprehended, Mr. Brooks was arrested... on outstanding warrants.
Feb 13, 2008, 13:27
ID Theft Alerts
Another Repeat Offender!
Another Repeat Offender!
Let me start by saying that this blog is MOST definitely not a place you want to appear more than once. So why is it that we seem to be attracting what I am lovingly referring to as "repeat offenders"? One set of "boo boos" wasn't enough to rewrite the security policy and, more importantly, enforce it? {Sigh}...
So, without further ado, behind curtain no. 1, let us introduce our latest contestant in the "repeat offender contest", or the next case in point that stupidity does, indeed, run rampant. Drum roll, please. Salesforce.com
Just last month, CRM giant Salesforce.com was discussed in our column, with regard to teaching employees how NOT to respond to "phishing" expeditions. Now it seems it's time to take the whole group back again and talk some more about SECURITY, and we don't mean the guys in the little uniforms at the front desk. This one might get their attention: they themselves are the affected group, Salesforce current and former employees. Thousands of them.
This month's tale of woe begins with one employee and an "unencrypted, portable storage device" that just happened to contain the personal information (names, addresses, socials) of fellow Salesforce.com employees. It seems the "unencrypted portable storage device" was taken home from work. The sorry tale continues as the "unencrypted, portable storage device" is then stolen from said employee's car. (No, I don't know if anything else was stolen.) Now the tale ends here, with Salesforce.com appearing as a "repeat winner" in the "bad with personal information" category. {Sigh. Again}
Now, when I was a kid there were magazines in the dentist's office that always had some variation of the "What's wrong with this picture" theme. You know the ones I mean; they'd show two pictures, and in one everything was perfect and in the other a bird was on its head and the guy was missing his shirt? So let's play the same game here with this latest Salesforce.com scenario. "What's wrong with this picture?" Hmm. Where shall we start? My personal favorite is "unencrypted portable storage device". Why are those words in the same sentence with "personal information"? Salesforce.com (presumably) does not post a list of everyone who works there, along with their social and salary, on a bulletin board for the rest of the company to see, so WHY would it allow that same information to be placed on said "unencrypted portable storage device" where it *could* get lost, stolen, or damaged? Oh, and for those of you who know me well, yeah, the unencrypted part really IRKS me too. PGP can be had for under $200. Seems to me that Salesforce.com could afford that, right? But I digress again.
On to more of what's wrong with this picture. Said "unencrypted portable storage device" and a car. Unless the car was being used to run over, and ergo *destroy*, said "unencrypted portable storage device", they should never have been in the same place, let alone left alone together where prying eyes and light fingers could get to them. Apparently "planning ahead" isn't a job requirement there.
I could add more to these "oddservations" (to borrow a term coined here in Austin by my favorite comment columnist John Kelso, who defines it as an "observation" only screwier.) but why bother? Repeat offender status ought to be enough. Or not. I'll let you know next month if they show up again. Or maybe we can hope for improvement. Much like my friends in Las Vegas hope the scientists are wrong about Lake Mead - hoping for the best, planning for the worst. {Sigh}.
Salesforce.com is asking former employees to contact HR.
Feb 12, 2008, 15:15