Posts Tagged ‘Data breach’

SAFE Data Act to hold corporations accountable

Wednesday, July 20th, 2011

Rep. Mary Bono Mack (R-Calif.) has introduced legislation to protect American consumers from data theft. The legislation is in response to concerns over recent cyber attacks and data breaches.

The Secure and Fortify Electronic Data Act (HR 2577) will require reasonable security policies and procedures to protect personal information, as well as nationwide notice in the event of a security breach.

The announcement of the SAFE Data Act comes on the heels of data breaches at Sony, Epsilon and Citigroup.

“In recent years, sophisticated and carefully orchestrated cyber attacks, designed to obtain personal information about consumers, have become one of the fastest growing criminal enterprises here in the United States and across the world. Today, Americans need new safeguards to prevent identity theft, and the SAFE Data Act will help accomplish this goal,” said Bono Mack. “My legislation is crafted around a guiding principle: Consumers should be promptly informed when their personal information has been jeopardized. The time has come for Congress to take decisive action. We need a uniform national standard for data security and data breach notification, and we need it now.”

The act will not, however, do anything to prevent or deter online crime. A key feature of the act requires notification to the FTC and consumers within 48 hours of the time that a breach has been secured and the scope of the breach has been assessed. If passed, the act would give the FTC the authority to levy civil penalties if entities fail to respond in a timely and responsible manner.

What to do if your business is affected by a data breach

Monday, May 9th, 2011

The news of data breaches causes ripples of panic among consumers – and the threat of a possible data breach has business owners sitting up and taking notice as well. At any given moment, an employee may be accessing confidential information, either by accident or dishonestly. This presents a unique challenge for businesses today.

Fortunately, through some simple management procedures, your human resources department can help prevent leaks from happening. These procedures will help protect employee and customer information from being exposed to unauthorized parties.

First of all, be aware of where critical employee and customer information is located and who has access to this data. Develop acceptable use policies for all employees that clearly outline appropriate use of this information. You should include procedures as to what will take place should a violation occur. Be sure to consistently enforce these policies and procedures.

You should regularly review and revise these policies to make sure all changes and additions have been addressed, and that the procedures stay current with changing laws.

Make sure your company has an internal incident plan, and the appropriate resources in house to handle any incidents of employee or customer data loss or unauthorized access by an employee or outsider.

The worst thing your company can do is to compromise any investigation of a breach. Don’t turn on a suspect employee’s computer to “look around.” This may destroy potential evidence.

Don’t make the mistake of assuming your IT department will figure things out. Your IT guys are not forensic specialists. A professionally trained computer forensics expert should be retained for this purpose.

Be sure to report the breach as soon as possible, to both the public and, most importantly, those who may be potentially affected. Not doing so puts your customers at risk, and can potentially be suicide for your business. Be proactive and transparent.

Data breach leaked info already on Black Market, reports NYT

Wednesday, May 4th, 2011

Spear phishing is now apparently the concern for Sony Online Entertainment users, following a data breach that has affected some 77 million users.

Users of games like EverQuest, which is found on the network, could face the exposure of their credit card numbers, despite the fact that Sony said its credit card data is encrypted.

The New York Times has reported that researchers have already spotted credit card numbers associated with the breach listed for sale on the Black Market.

Phishing is a common identity theft scam, which involves criminals sending out e-mails or letters, or even telephoning a potential victim, claiming to be a legitimate source, seeking personal information. It is common for these scammers to claim that “verification” of the victim’s personal information is needed, in the hopes that the victim will just hand over things like credit card or Social Security card numbers.

If you receive such a request, according to Sony, ignore it. Sony officials said the company never sends out e-mails or letters requesting such information, nor does it call customers.

The incident is being investigated by the FBI. Should you be affected by this breach, check your bank and credit card statements carefully, and review your credit report, looking for unauthorized charges.

Be sure you also change your passwords, and if you do receive an e-mail that appears to be from Sony, don’t click on any links it may contain. The links could contain malware, which criminals can use to steal your private information.

Data breaches becoming more common; still frequently not reported

Wednesday, November 10th, 2010

Since the data breach by ChoicePoint six years ago, regulators, businesses and consumers have increased their awareness and reaction to organizations that mishandle sensitive consumer data.

In early 2005, California was the only state that had a breach notification law. ChoicePoint allowed information on approximately 150,000 consumers to be accessed fraudulently. When ChoicePoint only notified California victims of the breach, a precursor to identity theft, both victims and regulators reacted.

Since 2005, 46 states and three territories have enacted data breach laws. Only Alabama, Kentucky, New Mexico and South Dakota are left. Each state law is different, making compliance difficult for any organization that has a security breach in which the victims reside in multiple states.

Since the ChoicePoint incident, over a half-billion profiles have been compromised in 2,500 reported incidents. Some Americans have been victimized by security breaches multiple times, for example, by their schools, local, state or federal government, a retailer, financial institution or their favorite charity. Some organizations have suffered numerous breaches.

Of the 2,500 reported breaches, one third of the reporting organizations could not quantify how much information was accessed, lost, stolen or improperly disposed.

The most frightening statistics are a bit more general. Most organizations haven’t inventoried the consumer information they possess, and they don’t have a method in place to detect a breach. Others report that their employees don’t report breaches because they fear retribution by consumers and regulators.

It pays for consumers to take action to protect themselves with a service such as LifeLock.

LifeLock is the only proactive identity protection service on the market today. As a LifeLock customer, you will be notified the moment any threat to your personal information, whether credit related or not, is detected. This, in effect, stops identity theft in its tracks, and makes any information a thief could acquire during a data breach useless.

Call LifeLock today. Receive 30 days free and get a 10 percent discount on enrollment with the LifeLock Promo Code “Defense.”

Broward data breach puts close to 24,000 at risk

Wednesday, August 11th, 2010

Nearly 24,000 Broward College summer school students are at risk for identity theft after a data breach at the Florida college leaked the students’ personal information during a computer upgrade.

The leak was not announced until recently, and college officials say the information was on the Web, unprotected, for five days in late May and early June.

The College Center for Library Automation, which provides library services and electronic resources to Florida’s community colleges, apologized Aug. 10 for the breach, which also affected five other schools.

The affected parties will receive a letter from the center, which will contain instructions on what to do to protect their credit and minimize the risk for identity theft.

Statewide, about 126,000 community college students, faculty and staff were affected by the breach. There is no evidence to date that the information has been used by criminals.

According to identity theft statistics, about 11.1 million Americans – one out of every 20 adults – became victims of identity theft last year, with the cost to victims estimated at $54 billion.

To take a proactive stance to protect your personal information and your good credit, contact LifeLock today. With LifeLock Identity Alert™, you can rest assured that LifeLock will monitor for credit and non-credit related identity threats. You’ll be notified immediately via e-mail, postal mail or telephone of any potential compromises.

And should you fall victim to identity theft while under LifeLock’s watchful eye, LifeLock will spend up to $1 million to make it right. In addition, LifeLock’s member representatives are available 24 hours a day, seven days a week to assist you and answer all your questions.

Data Breach

Thursday, May 6th, 2010

Data breaches reported from 12 medical facilities last month

A dozen medical data breaches were added to the Privacy Rights Clearinghouse list last month – and that doesn’t even include Affinity Health Plan’s leaving personal information of more than 400,000 people on their digital copier when the lease was up.

  • Our Lady of Peace (Louisville, KY)
    Someone lost or stole a flash drive containing personal information of nearly 25,000 of the psychiatric hospital’s patients. Some of the records are from as far back as 2002.
  • St. Jude Heritage Medical Group (Orange, CA)
    Five computers storing the information of 20,000 patients were stolen during a break-in. In this case, the info included names, birth dates and Social Security numbers; some patients’ health information was also on the computers.
  • The Medical Center (Bowling Green, KY)
    Someone stole a hard drive that contained the info of women who had bone density testing at the mammography suite between 1997 and 2009.
  • Hutcheson Medical Center and a plastic surgery center (Chattanooga, TN)
    Thousands of patient files dating back to 1998 were sent to the Dupont Recycling Center. Information within the files included personally identifying info. Patients who underwent plastic surgery will be mortified to know their photos were also up for grabs. (This data breach actually occurred May 2009, but just made the list April 2010.)
  • DRC Physical Therapy Plus (Monticello, NY)
    Thousands of patients’ records were unceremoniously dumped when the business folded. Police impounded a dump truck loaded with boxes of files and removed another 12 boxes of patient records from the bucket of a front-end loader.
  • (more…)

Data Breach

Friday, April 16th, 2010

Data breach at Countrywide Financial leads to class action lawsuit

When it was discovered that Rene Rebollo came into the office every Sunday for two years and stole a total of roughly two million files, Countrywide’s management said they were unaware he was downloading customer information to sell it; they just thought Rene Rebollo, 36, was an especially hard working employee. Now, a class action lawsuit asks whether Rebollo was working on his own, or whether he was just the fall guy tasked with selling off the stolen information to raise money for the failing Countrywide Home Loan.

The plaintiffs are asking for a $20 million settlement and additional punitive damages because of the elevated identity theft risk they face and the invasion of their privacy. (more…)

Identity theft protection

Friday, March 5th, 2010

Consumer education key to cybercrime war

Is it better to try to chase down cybercriminals, or educate computer users? That’s the ongoing debate among security experts.

On one hand, there have been some huge victories recently in the battle against the bad guys. This week, three men were arrested in connection with creating a “botnet” that infected an estimated 13 million computers from 190 countries and stole personal and financial information.

In 2008, the alleged mastermind of the largest cybercrimes in history was arrested. Albert Gonzalez is responsible for the greatest data breaches in history, including Heartland Payment Systems, TJX, Hannaford Brothers, 7-Eleven, Citibank and Dave and Buster’s, according to his indictments.

Gonzalez also supervised an online forum in which more than 160 million credit cards, birth certificates, Social Security cards, PIN numbers and computer login information were exchanged.

So, the good guys must be winning the war, right? Probably not. (more…)

Data breach

Friday, February 5th, 2010

Data breaches in hotel industry higher than any other sector in 2009, according to Trustwave report

Which is most worrisome: (A) that hackers hit the hotel industry in 38% of data breaches last year; (B) that it took the hotels an average of five months to notice a data breach; (C) that the hackers often got into the data by using software glitches that had patches available 10 years ago; or, (D) all of the above?

A new report from security firm Trustwave indicates that the hotel industry was targeted for data breaches more than any other last year primarily because they were such an easy target and the takings were so rich. The hackers gained access to potentially millions of credit card account details from hotels that did little to protect the data, and never reported the resulting identity theft risk to officials or customers. (Picture a frisky young pit bull gleefully trotting after a fat, blind, three-legged cat while the cat’s owner sleeps in a hammock nearby.) (more…)

Data breach

Friday, January 15th, 2010

Health Net data breach prompts attorney general’s “historic lawsuit”

Connecticut Attorney General Richard Blumenthal said last November that he was “outraged and appalled” upon learning of Health Net’s massive data breach and their keeping it hush-hush for six months. He acted on those feelings this week by filing suit against the insurer and its new owners, United Health Group and Oxford Health Plans.

The data breach occurred May 2009 when a hard drive containing the information of 1.5 million customers went missing. Records were for the period 2002 through 2009. Roughly 446,000 of the members are from Connecticut.

Blumenthal’s lawsuit asserts Health Net gave its employees inadequate supervision and training on appropriate maintenance, use and disclosure of protected health information.

The company explained the six-month lag time between their awareness of the breach and their notifying state officials by saying the time was necessary to complete a “detailed forensic review.” Kroll, a computer forensic consulting firm hired to complete the investigation, determined the information wasn’t encrypted or protected in any way from access or viewing. (more…)