Breach Reports

This section of Nymity's Threat Tracker is dedicated to providing Privacy Officers with a convenient way to review Breach Reports.   This section is updated at the beginning of each month.

Index of Resources - 2008:

PIPEDA

Wayward Bank Statement Concerns Woman - Braden Husdal, Saskatchewan News Network

Business Activity: Use of Third-Parties

Impact

Outsourcer sends a bank statement to the wrong person; person who received the statement files a complaint with Information and Privacy Commissioner.  (03/28/2008)

Relevance

Background Facts:

  • a woman opened her bank statement from TCU Financial Group ("TCU") and found an additional bank statement which:
    • was addressed to another individual; and
    • included the other individual's cheques.

Relevance to Business Activity:

  • use of third-parties considerations:
    • TCU:
      • outsources statements to Credit Union Payment Service ("Credit Union") which:
        • processes them in an automated environment.
      • is unaware of how the statement mix-up occurred;
      • is investigating the situation.
    • neither party has been able to contact the other individual;
    • the woman who received both bank statements:
      • refuses to hand over the individual's statements to TCU because she thinks proof of the mix-up might disappear;
      • has decided to file a complaint with the Information and Privacy Commissioner even though there has been no breach of her own personal information.
    • the Credit Union will be apologizing to any members affected by the error.

http://www.canada.com/saskatoonstarphoenix/news/business/story.html?id=9c0a1b89-01aa-4927-bd08-24ff50260cb2

Customer Notification Starts in TJX Hack - Associated Press

Business Activity: Breach Response

Impact

Class action lawsuit results in additional costs for TJX.  (03/03/2008)

Relevance

Background Facts:

  • a federal court in Boston, handling a class action consumer lawsuit against TJX, orders the company to commence customer notification.

Relevance to Business Activity:

  • breach response considerations:
    • breach notification notices are going out to millions of customers who may have had credit card information compromised in a data breach at stores such as T.J. Maxx and Marshalls;
    • these notices contain information about eligibility for compensation, such as:
      • vouchers and credit monitoring to be provided under a proposed settlement with TJX Cos.
    • the court-ordered mailings and newspaper and magazine notices began last Friday in the United States, Canada and Puerto Rico:
      • the court hopes to reach people who made purchases, or returned items, during a breach believed to have begun in mid-2005 but went undetected until December 2006.
    • those consumers who will benefit include those who believe:
      • their personal financial data was stolen or put at risk; and
      • they were harmed.
    • they can object to the terms, or send in a claim form to ask:
      • for benefits if they're eligible; or
      • to be excluded from the settlement if they provide notice by June 24. 
    • a toll-free phone number and a Web site have been set up for consumer information;
    • TJX also would provide:
      • three years of credit monitoring; and
      • identity theft insurance to certain customers who:
        • returned merchandise without a receipt and were sent letters notifying them that their driver's license or other identification information may have been compromised.
    • TJX has also proposed a three-day "Customer Appreciation" sale - opposed by several state attorneys general.

http://www.forbes.com/feeds/ap/2008/02/29/ap4717120.html

Debit Hackers make 'Huge' Haul - Jonathan Jenkins, Sun Media

Business Activity: Safeguarding Data

Impact

Thieves are targeting large retailers' debit card terminals to obtain customers' PIN numbers and other sensitive account information. (02/19/2008)

Relevance

Background Facts:

  • an elusive gang of thieves is stealing customers' banking information by manipulating retail debit card terminals in and around Toronto.

Relevance to Business Activity:

  • safeguarding data considerations:
    • thieves are going into large retailers such as supermarkets at late hours and stealing point-of-sale debit terminals, sometimes replacing them with dummy terminals:
      • overnight, the terminal is compromised so it can record all of a customer's bank information, including the password or PIN number;
      • thieves will then go back into the store and replace the dummy terminal with the compromised unit;
      • the unit will be left in place for weeks until the thieves retrieve it and download the information.
    • banking information gleaned from the cards can be used to:
      • steal straight from a victim's bank account; or
      • spin off into fake credit cards and other frauds.
    • once a unit has been compromised there is little that customers using the terminal can do to protect themselves. 

http://cnews.canoe.ca/CNEWS/Crime/2008/02/15/4849041-sun.html

Privacy Commissioner Looking into Bell Data Breach - Paul Waldie, Globe and Mail

Business Activity: Breach Response/Safeguarding Data

Impact

Bell Canada recovers stolen data; Privacy Commissioner could potentially conduct investigation of data breach. (02/14/2008)

Relevance

Background Facts:

  • 3.4 million customers of Bell Canada from Ontario and Quebec had their personal information stolen.

Relevance to Business Activities:

  • safeguarding data considerations:
    • a person, who was not a Bell employee or connected to the company suppliers, stole customer information;
    • stolen information included:
      • names;
      • addresses;
      • a list of Bell services the customer subscribed to; and
      • phone numbers including:
        • 17,000 unlisted numbers.
    • no financial or account information was stolen.

  • breach response considerations:
    • after receiving a tip about the theft, Bell contacted Montreal police and worked with them on the investigation;
    • weeks later, following the arrest and recovery of the data, Bell:
      • began notifying those customers who had an unlisted phone number about the breach; and
        • on request will give them a new unlisted number.
      • notified the Privacy Commissioner about the breach.
    • Bell is investigating the situation but does not currently know:
      • how the theft occurred; and
      • when the information was stolen.
    • Privacy Commissioner:
      • wants to know why Bell waited weeks to report the incident to them;
      • is going to review what happened; and
      • is deciding whether it should be opened as an incident and monitored or whether it warrants an investigation.

http://www.reportonbusiness.com/servlet/story/RTGAM.20080213.wbell0213/BNStory/Business/home

http://www.cbc.ca/canada/story/2008/02/12/bell.html

Notice of Possible Unauthorized Access to Personal Information of New Hampshire Residents

Business Activity: Breach Response

Impact

Canadian company experiences breach of servers in Toronto affecting one New Hampshire resident; requires notification of New Hampshire Attorney General.  (02/11/2008)

Relevance

Background Facts:

  • Canadian Standards Association (CSA) became aware of a security breach involving its Learning Centre online store:
    • the server was located in Toronto, Canada.
  • there may have been unauthorized access to customer personal information including:
    • names;
    • addresses;
    • credit card account numbers and expiration dates:
      • credit card numbers on the site were encrypted but the intruder may have had access to the encryption key.
  • along with Canadian customers, one New Hampshire resident was affected.

Relevance to Business Activity:

  • breach response considerations:
    • written notification was sent to the Attorney General of New Hampshire containing:
      • information about the breach including:
        • types of information that may have been accessed; and
        • the fact that one New Hampshire resident was affected.
      • steps CSA is taking to address the situation include:
        • contacting appropriate law enforcement authorities, regulators and/or data protection commissioners;
        • sending a letter to all customers who may be affected:
          • informing them of the breach;
          • suggesting customers:
            • contact their credit card company, notify them of the breach and request they monitor suspicious changes in the future;
            • close the account and open a new one;
            • check credit cards for unauthorized transactions and report them to the credit card company; and
            • review loan and other financial statements upon receipt and report any suspicious activity.
          • providing information on preventing and detecting credit card fraud, including website links to:
            • the Privacy Commissioner of Canada;
            • US Federal Trade Commission; and
            • major credit reporting agencies.
        • taking the affected CSA websites off-line and reconstructing the sites;
        • engaging a computer forensics specialist to determine the extent of the breach and its implications;
        • planning short and long term initiatives to improve security of the website.

http://doj.nh.gov/consumer/pdf/CSAGroup2.pdf

Gym Heist Raises Identity Theft Fears: Computers Stolen from Toronto Fitness Centre had Personal, Financial Info of 4,500 Members - Paola Loriggio - thestar.com

Business Activity: Breach Response/Customer Service

Impact

Organization ceases collection of Social Insurance Numbers after breach occurs - organization unaware of why SIN was being collected. (01/31/2008)

Relevance

Background Facts:

  • two computers were stolen from Fun 2B Fit, a Toronto gym which is owned and operated by the University Health Network;
  • personal information contained on the computers included:
    • names, addresses and telephone numbers, and in some cases:
      • bank account;
      • credit card; and
      • social insurance numbers.

Relevance to Business Activity:

  • customer service considerations:
    • bank account and credit card information are collected to facilitate automatic payment of monthly membership fees;
    • a spokesperson for the gym could not provide a reason why customers' SIN was collected;
    • some members only provided an employee number to the gym as they are employees of the University Health Network and monthly fees are deducted from their pay cheque.
  • breach response considerations:
    • the gym had addresses for 2,300 members:
      • a letter was sent to these members describing the threat; and
      • contacted financial institutions and credit card companies on behalf of these members.
    • the gym was unable to contact nearly half of the affected members as the gym did not have personal contact information on file;
    • Social Insurance Numbers will no longer be collected.

http://www.thestar.com/article/299034

Centocor:  Security Breach Over Stolen Computers - Ed Silverman - Pharmalot.com

Business Activity: Breach Response

Impact

An example of a breach notification letter sent to affected individuals. (01/30/2008)

Relevance

Background Facts:

  • an undetermined number of computers have gone missing from the headquarters of Centocor, a division of Johnson & Johnson;
  • the laptops contained personal information of 114 speakers and consultants retained by Centocor, including:
    • name and city/state; and
    • social security/tax identification numbers.

Relevance to Business Activity:

  • breach response considerations:
    • as the computer contained information of one resident of New Hampshire, Centocor advised that state's Attorney General of the breach;
    • the letter to the Attorney General:
      • provided a brief description of the incident;
      • stated that one year of credit-monitoring services had been provided to affected individuals;
      • indicated there was no evidence that individuals' information had been misused;
      • included a sample notification letter that was sent to affected individuals.
    • the notification letter to affected individuals included:
      • a description of the nature of the incident:
        • how Centocor became aware that the computers were missing:
          • Centocor was notified by its IT vendor that they could not locate the computers.
        • that an investigation had been launched:
          • the investigation indicated that the computers had been removed by a former, contracted employee of the vendor.
        • that the local law enforcement agency had been notified;
        • what personal information was contained on the computers; and
        • that there was no evidence that information had been misused and that the risk of misuse is low.
      • credit monitoring will be provided at no cost to the individual, which includes:
        • a full year of free credit monitoring;
        • an initial 3-bureau Credit Report;
        • $25,000 Identity Theft Insurance; and
        • access to fraud resolution representatives.
      • a 1-800 number for individuals to contact Centocor;
      • recommended steps individuals can take to protect against identity theft and fraud, e.g.:
        • review financial account statements and verify all recent transactions;
        • immediately notify bank, credit and debit card companies if suspicious of fraudulent use or questionable charges;
        • report any suspected criminal or illegal activity to law enforcement; and
        • review credit reports for unusual activity, and consider adding a "Fraud Alert" to their credit file.

http://doj.nh.gov/consumer/pdf/Centicor.pdf

EDS to Pay for Identity Theft Coverage After Errant Mailing - Scott Bauer, Associated Press

Business Activity: Breach Response / Safeguarding Data / Use of Third-Parties

Impact

This is an example of a breach resulting in liability for a third-party service provider.  (01/16/2008)

Relevance

Background Facts:

  • Electronic Data Systems Corp. ("EDS") printed Social Security numbers on the address labels of brochures sent to Medicaid and other insurance participants;
  • EDS was providing processing services to the Wisconsin Department of Health and Family Services ("the Department");
  • 260,000 Wisconsin residents were affected. 

Relevance to Business Activities:

  • breach response considerations related to the use of third-parties:
    • EDS described the mistake as human error;
    • the Department asked EDS to:
      • explain how the breach occurred;
      • inform the affected individuals of the error; and
      • provide each affected individual with a year of credit-monitoring services.
    • the Department also asked EDS to explain why there were problems early on with the company's customer service line:
      • callers reported long waits and busy signals;
      • the concerns have been addressed with additional staff and phone lines.
    • the coverage and new mailings will cost EDS at least $1 million;
    • the Department has asked the state's attorney general's office to investigate a possible lawsuit against EDS, claiming the error violated:
      • the EDS contract with the state; and
      • state and federal privacy laws.
    • EDS will cooperate fully with an investigation from the attorney general.

  • safeguarding data considerations:
    • the Department was preparing to move away from using Social Security numbers as identifiers for Medicaid:
      • the use of an identification number other than a Social Security number is a growing trend among government agencies and businesses because of increased concern and risk of identity theft.

http://www.chron.com/disp/story.mpl/ap/tx/5448101.html

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=310692&source=rss_topic84

Sears put Customers' Buying Histories on the Web - Robert McMillan - ComputerWorld

Business Activity: On-line Marketing / Safeguarding Data

Impact

The use of online tracking software criticized by privacy advocates; insufficient notice provided to customers enrolling in the program. (01/09/2008)

Relevance

Background Facts:

  • Sears Holding Corp is being severely criticized by privacy advocates for:
    • making customers' purchase history publicly available on its Managemyhome.com website; and
    • using spyware to track on-line activities of customers who sign up for its MY SHC Community program.

Relevance to Business Activities:

  • safeguarding data considerations:
    • the Managemyhome portal allows Sears shoppers to download product manuals, find product information and get home renovation ideas;
    • the site has a feature called "Find your products" that lets users look up past purchases:
      • users enter name, phone number and address to access purchase history;
      • users could enter the above information of others, such as friends or family, and view that individual's past purchases.
    • this feature violated Sears' own online privacy policy, which does not allow the company to share users' purchase history with others;
    • purchase information may be very useful for potential scammers or burglars;
    • Sears has subsequently turned off this feature until it implements a validation process to prevent access by unauthorized individuals.

  • on-line marketing considerations:
    • Sears implemented its new Sears Holding SHC Community program to solicit input and feedback from its customers:
      • offers $10.00 and a chance to win one of several sweepstakes as an incentive to join. 
    • signing up for the SHC Community program resulted in the user downloading a software program that tracks every:
      • site the user goes to;
      • search conducted by the user;
      • on-line purchase made by the user on that computer; and
      • every product looked at but not purchased.
    • the tracking is not limited to Sears sites or products but includes all sites visited on the computer on which the software has been installed;
    • the tracked information is sent to comScore, an internet measurement firm;
    • Sears discloses that it is installing tracking software:
      • disclosure is included in the email inviting users to join the SHC Community;
      • some analysts are of the opinion that the disclosure is not sufficient:
        • FTC requires that software makers and distributors provide clear, prominent, unavoidable notice of the key terms;
        • notice is included in the email invitation but is found midway through a paragraph and without any heading;
        • there is no mention of any downloaded software on the first signup page;
        • the privacy policy and licence agreement describe the application on the 10th page of text;
        • the download process offers no abort function.  

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9055498&source=rss_topic84  Re:  Managemyhome

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9054738&source=rss_topic84  Re:  SHC Community

Wendy's International Inc.'s Response to Compromise of Personal Information

Business Activity: Breach Response

Impact

Breach results in written notification to Regulator. (01/08/2008)

Relevance

Background Facts:

  • a laptop containing personal information of Wendy's International Inc. employees affecting 1,092 individuals including 3 in New Hampshire was stolen;
  • the information included:
    • name;
    • email address;
    • social security number;
    • employee identification number; and
    • salary information.

Relevance to Business Activities:

  • safeguarding data considerations:
    • on December 1, 2007 a car burglary at an employee's residence resulted in the theft of a company-issued laptop;
    • to access the data, the following is required:
      • the employee's log-in; and
      • password for traditional access methods.
    • the information was in a subfolder with an uninformative title.

  • breach response considerations:
    • written notification sent to the Attorney General of the Department of Justice regarding the incident;
    • IT Department began working with the employee whose laptop was stolen to determine what information might have been stored on the laptop:
      • they were able to compile the type of data stored on the laptop and the employees affected.

http://doj.nh.gov/consumer/pdf/wendys.pdf

Deloitte partner, principal confidential information on stolen laptop - Dan Kaplan - SC Magazine

Business Activity: Breach Response / Safeguarding Data

Impact

Unencrypted laptop containing personal information of Deloitte employees stolen from a third-party contractor.  (12/18/2007)

Relevance

Background Facts:

  • a laptop containing personal information of an undisclosed number of Deloitte & Touche partners, principals and other employees was stolen from a third party contractor:
    • information included confidential data such as names, Social Security numbers, birth dates, and other personnel information, such as hire and termination dates.

Relevance to Business Activities:

  • safeguarding data considerations:
    • the laptop was password protected but not encrypted;
    • Deloitte has an ongoing program that identifies vendors who access confidential information of employees to confirm that they have implemented appropriate safeguards;
    • Deloitte is a noted security expert providing seminars, white papers, service lines:
      • this breach creates reputational risk for Deloitte.

  • breach response activities:
    • a letter was sent to affected parties that:
      • notified parties that a laptop was stolen;
      • included offer of one year of free credit-monitoring;
      • advised affected parties to notify their banks to be on the lookout for suspicious account activity.
    • Deloitte has ceased working with the third party contractor until it "can demonstrate that it has implemented appropriate data security protections".

http://www.scmagazineus.com/Deloitte-partner-principal-confidential-information-on-stolen-laptop/article/99945/

GE Money Reported that its Vendor, Iron Mountain, Lost a Backup Tape Containing Active Account Numbers and Social Security Numbers

Business Activity: Breach Response / Use of Third-Parties

Impact

Breach related to a third party storage vendor results in written notification to a State Attorney General's Office. (01/16/2008)

Relevance

Background Facts:

  • GE Money reported a breach caused by a lost backup tape containing personal information of New Hampshire residents:
    • 1,851 instances were active account numbers;
    • in 20 cases Social Security Numbers (SSN) were included.

Relevance to Business Activities:

  • breach response considerations related to the use of third-parties:
    • GE Money:
      • informed the New Hampshire Attorney General's Office that Iron Mountain, their third-party storage vendor, was unable to locate the back-up tape:
        • the back-up tape was one from a set of 9 that was delivered to Iron Mountain last year;
        • it was checked into their secure facility and never checked out;
        • Iron Mountain and GE Money searched their premises and the tape was not found.  
      • restored the contents of the tape and have nearly completed a search for any sensitive consumer information;
      • notified individuals via first class mail of the nature of the incident;
      • provided suggestions to customers on steps they can take to protect themselves (appropriate to the nature of the information on the tape); 
      • offered customers whose SSN was included, a free year's credit monitoring service; and
      • instituted enhanced internal monitoring of the accounts for individuals whose account number was included.

http://doj.nh.gov/consumer/pdf/ge.pdf

© 2003 - 2008 NYMITY