
Making Paperless Possible
Tracking the Fast Changing eSignatures and Biometrics Industry
                                                by Orion Systems, Inc.

ID Theft Alerts Last Updated: Sep 15th, 2009 - 14:20:36


ID Theft Alerts
A Good Night's Sleep Might Cost You...
And we KNOW it's going to cost Radisson! The hotel announced recently that guests who stayed at Radisson Hotels and Resorts between October 2008 and May 2009 "may have been among" records that were compromised. Not much more info was provided, but... you can bet that Radisson execs aren't sleeping well!
Sep 15, 2009, 14:16

ID Theft Alerts

Why Don't We Make it EASY!!!

You've probably noted that I've not said a lot about laptop/USB stick and/or paper record thefts recently -- mostly because repeating myself makes me crazy.  I wish I could say it was because everyone had gotten smarter about where they put identifying info, and how secure they kept everything. Fat chance.  If anything, the crooks are getting smarter about finding people who do dumb things!  What dumb things you ask?   Well let's see:

Irving, Texas School District (ISD): Paper records containing information on teachers in the district (there are more than 3400) were tossed in a dumpster. Unshredded. Unblacked out. Just tossed. 64 so far have been identified as having been on the reports. Many have had fake charges on their credit cards. So what, the school district was too cheap to spring for a shredder????

Apr 29, 2009, 13:28

ID Theft Alerts
Sharing Music, Movies, My Medical Info??
Sharing Music, Movies, MEDICAL INFO?

A doctor walks into his office and says to a meeting of his patients, I have some good news and some bad news.  "Because my staff uses P2P networks on their laptops, your medical information, up to and including private diagnosis, insurance information and social security numbers, can be accessed on those P2P networks." 

A patient raises his hand and says, "Ok Doc, now give us the good news." 

The Doctor says "That was it. The bad news is, the government is mandating that everyone have digitized medical records so..."

All right, maybe it won't be that bad, and certainly eliminating the countless reams of paper that most doctors' offices, hospitals and other patient care facilities generate is a good thing. IF IT'S DONE RIGHT.


Apr 7, 2009, 10:21

ID Theft Alerts
Express Extortion?
A New "Script" in the ID Theft Game

In what is an astonishingly brazen move, a hacker or sophisticated hacker group sent an extortion letter to Express Scripts, one of the largest pharmacy benefits management companies in North America, threatening to expose millions of the company's patients' information, including: names, social security numbers, addresses, birthdates and even some prescription information, if they were not paid.

Express Scripts handles the pharmacy benefit plans for many major corporations, insurance carriers and more, so the volume of information that may (or may not) be available to be posted could be staggering.


Nov 17, 2008, 12:00

ID Theft Alerts
A California Paradox
A California Paradox...

Well, new quarter, new articles, same old happenings it seems. 

California is a state with one of the (supposedly) most stringent data breach laws in the country. One would think, then, that the result would be a lower rate of ID thefts, breaches etc. One would be wrong. Very wrong. In a report published by the FTC, one location in California is the "ID Theft Capital" of the country. Yes, that's right - one place in the land of the harshest penalties for breaches is the worst place to whip out your credit card, ID, checkbook or other identifying generator of personal information. The California paradox.

Oct 28, 2008, 15:00

ID Theft Alerts
Computers with feet....A Quick Reality Check on Breach Prevention!
Computers with Feet...

So, after a long hiatus, and a little R and R time, I'm back. And it would be nice to say that "all's quiet on the western front" but, no, quiet is not how I'd describe it. Rather than go into minute detail on each and every one of the breaches (UMass, Central Connecticut State, University of Colorado), ID problems (Chrysler Financial) and stolen computer equipment (like at Staten Island University Hospital or, bigger still, CollegeInvest's missing drive), I thought I'd begin writing about HOW some of this could be prevented.




May 7, 2008, 11:47

ID Theft Alerts
More than Groceries....
Went for Groceries, Got Taken for a Ride.

Following last year's TJ MAXX fiasco, where millions of credit card numbers were stolen by hackers, one would have thought that those who accept credit cards (read: every major retailer!) would have completed a security audit and ensured that they would not be the NEXT "TJ MAXX". And everyone knows what we mean by that. Unfortunately, one would be wrong. VERY WRONG, as it turns out. Delhaize SA, owner of Hannaford and Sweetbay grocery stores in the Northeast and South respectively, announced a "breach" that occurred DURING credit card processing, impacting potentially millions of customers. WBZ Boston announced the number as 4 million affected customers, but Delhaize has not released "solid" numbers.


Mar 18, 2008, 11:44

ID Theft Alerts
Hackers Hit Harvard
Hackers Hit Harvard Hard..University Administrators Need to go Back to Class

And learn the latest anti-hacking and personal information security techniques. I've been down for the count for a few days... and lots has happened! I'll be updating the blog as soon as possible, but wanted to get this "hot off the presses" information out.




Mar 13, 2008, 10:26

ID Theft Alerts
Systematic....Problem?
Quick Update:

This one is worthy of an update, and I'll continue to add to it as the breadth of this little "oops" continues to become clear. The City of Torrance, CA has now ID'd its school district employees as being among the "affected". I'll tell them to head straight to the bottom sentence, the one that includes "make a huge stink..." Since "discovery" continues (ok, quick tangent here: why can't they even say WHAT was on those hard drives? Isn't there a backup somewhere that can be looked at and a list of affected parties notified?) we will update this story as more comes out.


Seems Like a Systematic Problem...


Ok, so that pun is even worse than a few of the others I've used... but I suspect you'll agree with me that it fits after you read this one!

Systematic Automation is a benefits automation/plan manager for a large number of public employees, including many school districts, public utilities and more, many in California. THREE, yes, you read that right, 3 separate sets of employees are now being warned that in a "smash and grab" burglary, a hard drive (and three monitors, but those don't have information on them!) containing the personal information of the employees of the Clovis Unified School District, Modesto School District and the LA Department of Water and Power was "stolen". The drive contained the names, addresses, social security numbers, health insurance information, salary information and more on current employees as well as those who retired between January of 2006 and now. In LA, the district is paying for a year's worth of credit information and insurance; information from the other districts will be updated as we learn more. There has been no comment from Systematic Automation, but we here at the blog might make a teeny suggestion: Beef up that security.

On the plus side, the districts tell us that the information sent to Systematic Automation is "encrypted". On the not-so-plus side, Systematic Automation has not indicated whether, in "automating" the process, setting up accounts and otherwise "managing" this, they KEPT the information in encrypted form. Based on certain districts' fear and reactions, we are inclined to believe that the answer is no.

Ok, call me a skeptic, but any time lately I hear about a "burglary" from a firm that it would not be too hard to figure out has all kinds of neat information on people (like say, names, addresses and social security numbers!) I get a little suspicious. Seems a little too convenient that the "smash and grab" didn't "grab" more, or "grab" from other locations. Unfortunately, these sorts of "plan management" firms OUGHT to know that they are just big fat targets, and take extra precautions. Now maybe I'm just overly negative on the state of humankind, but with the number of people out there willing to pay BIG BUCKS for just this sort of juicy information - doesn't it at least raise a few eyebrows when there's a "loss"? Beyond my skepticism, how do you "smash and grab" an office? I mean - isn't most stuff locked up, and shouldn't hard drives be especially locked? And back to my skeptical side, who would have taken just hard drives but someone who thought something good was on them? I mean, nobody follows Britney Spears' sister around hoping for a picture of Britney - they go after the girl herself. Same goes here. You're a random thief - you grab whatever you can get. You're someone on a mission - well, you're a little more particular.

Ok, so if you're all waiting for my rant, I'm only going to say it once. LOCK things up people!  This information is VALUABLE (not to mention personal) and like Pandora's box, once it's out, it's pretty darn hard to put away.  So the goal would be to keep it PERSONAL.  It's not that hard, and certainly should be written into ANY contract.

The LA Water Department Union, who opposed the "outsourcing" of the work in the first place, wants penalties on Systematic Automation - and, given that the information was at headquarters for years without problems (locked and encrypted!), wants the outsourcing contract terminated.  Hard to disagree with that position isn't it?

If you are one of the affected or possibly affected, contact your plan administrator or local Human Resource coordinator. Watch your bills, credit reports etc. and make a huge stink if something shows up that shouldn't. Accidents can happen to anyone, negligence demands action.

So there....until next time.
 

Feb 21, 2008, 13:32

ID Theft Alerts
Personal Information and File Sharing Sites; The Lexmark Saga
Personal Information and File Sharing Sites...Bad Combination

WAVE TV in Louisville, KY, obtained a letter sent to current and former Lexmark employees (one hasn't worked there in more than 10 years!!!) informing them that their personal information was "inadvertently" placed on a file sharing site that was subsequently accessed by two IP addresses and as-yet unidentified "owners". The information apparently contained names, addresses and social security numbers, although in the typical cagey way of PR folk, the Lexmark spokesperson "declined" to elaborate on exactly what information was "inadvertently" shared. Well, heck, I'm thinking that most of those affected would have "declined" that honor if given the choice.

The news channel reports that Lexmark has identified two IP addresses as having "accessed" the information, although until the ISP provides the names etc. of those parties (can you say, "subpoena?") it is impossible to know why it was accessed and what, if anything, was utilized.  (I mean it could be a "whoo hoo, look what Bill made last year" scenario or it could be far more sinister, and some of these people could suddenly be buying minks in Minsk.)  Lexmark is offering the "affected" a year of credit monitoring and ID theft insurance. 

Ok, let's pick this carcass some. First problem, and it's the biggie. How does this sort of information "inadvertently" end up on a file sharing network? I mean, did some former (and highly disgruntled) employee "inadvertently" do this to get even with the boss/management team that canned him/her? How could this happen? Obviously the information in question should (and I say should because Lexmark isn't sharing which group owned the information) have been "owned" and managed by HR/Personnel. Since when does personnel have access to file sharing sites external to the company? (Let's lock that little gate right now, shall we?) In most companies, file sharing sites are a no-no. A BIG no-no. In the TV report, there was no indication that this was a "policy violation" but it sure should have been.

Next big question: Why is Lexmark still holding onto personal information of employees who departed the company MORE than a decade ago? Last we here at the blog checked, the LONGEST that sort of information needed to be held was ten years, and in most cases, it is only seven. Strikes me that perhaps Lexmark needs a Data Retention Plan. One that includes a whole section on "automatic destruction" - where they toss, in a secure way, data that is no longer legally required to be saved. The "number of affected" probably would be a lot less if any that hadn't crossed Lexmark's threshold in seven years or more had been removed from the system. This is easy-to-do stuff, guys -- and certainly your HR department should be taking care of it. Them or your compliance office...

Our advice to the "affected": Get to the bottom of this. Find out who did it and why. Make the company find out who "accessed" the information (get those corporate lawyers into court and get subpoenas to find out who did what when) so that you can determine whether the "one year" of both insurance and credit monitoring is ANYWHERE near sufficient. Until you know the who's and why's, there's no way to tell. Be loud if you have to, but don't let it slide. Oh, and if you haven't worked there in years, find out why they haven't removed your "personal information" (or personnel information!) from the system yet. Can't lose what you don't have. Why did they still have it?

The WAVE channel 3 report is here.

Feb 18, 2008, 11:39

