Nissan Investigation Concerning
Customer Information
Overview
Nissan Motor Co Ltd announced that there might have been
a leak of personal information from its customer database,
potentially affecting up to 5.38 million individuals. From
the data investigations, Nissan has concluded that the most
likely timing for the leak to have occurred was between May
2003 and February 2004. A third-party research company
conducted the investigations (12/21/2006).
Relevance
Highlights:
- Nissan has been unable to match the database with one
that exists in the company;
- the investigation has, however, identified certain matching
items that could only have been sourced from within the
company;
- certain internal data may have been sourced from an old
customer database;
- letters have been sent to all potentially affected customers
clarifying the situation and apologizing for the inconvenience;
- Nissan security measures are as follows:
  - in January 2006 the entire customer database was replaced
    with one based on a higher level of security;
  - 2007 plans for additional security measures include
    the implementation of physical security systems including
    camera monitoring of secure areas, database monitoring
    and organizational changes.
http://www.forbes.com/markets/feeds/afx/2006/12/21/afx3276888.html
http://www.autospectator.com/modules/news/article.php?storyid=7208
Boeing Loses another Laptop
Holding Employee Info
Overview
A laptop, containing personal data of 382,000 current and
former employees, was stolen from the car of a Boeing employee
in the U.S. The theft is the third time that Boeing's employee
data has been stolen. The computer contained names, social
security numbers, home addresses and telephone numbers. (12/14/2006)
Relevance
- the company admitted that the laptop should not have been
removed from its offices;
- the laptop was unencrypted;
- the laptop requires a password to access;
- the employee has since been fired;
- the company is looking for ways to phase out the use of
Social Security Numbers to identify employees;
- the company also began looking into the automatic encryption
of any sensitive personal or company information downloaded
onto laptop computers;
- the company is in the process of notifying everyone affected
by the security breach;
- all employees and retirees whose information was exposed
will be provided credit monitoring.
http://news.zdnet.co.uk/security/0,1000000189,39285190,00.htm
(News article)
http://www.eweek.com/article2/0,1895,2073119,00.asp
(News article)
Vermont Officials Blast Contractor
for Security Lapse
Overview
A contractor, working for the state of Vermont, accidentally
posted the Social Security Numbers of hundreds of health care
providers on the state's Web site earlier this year. (12/12/2006)
Relevance
- as part of its contract, the contractor obtained a list
of health care providers from the state's current health
care administrator, which it subsequently posted on the
state’s web site;
- the information remained on the web site for about a month
before being removed;
- the state is sending a letter to the affected health care
providers informing them of the privacy breach;
- a second letter will be sent out informing affected individuals
of the state's decision to pay for one year's worth of credit-monitoring
services;
- in a letter to the contractor, the state expressed “deep
dissatisfaction that an expert consultant could overlook
the inclusion of Social Security numbers in a document that
was to be publicly posted and disseminated to potential
bidders. We did not expect to encounter this kind of problem
as a result of your work”;
- the contractor is cooperating with the state in resolving
these matters.
http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005940&intsrc=hm_list
UCLA Data Breach Leaves 800,000
at Risk
Overview
In one of the largest known security breaches at a University,
the database at the University of California, Los Angeles
has been broken into, exposing the private information of
about 800,000 people. The attacks on the UCLA database began
in October 2005 and ended Nov. 21 of this year, when computer
security technicians noticed suspicious database queries.
(12/12/2006)
Relevance
- the database contained names, home addresses, SSNs
and birth dates;
- it is known that the hacker sought and retrieved some
Social Security numbers;
- the university:
  - advised the FBI, who have commenced an investigation;
  - mailed a letter to all affected individuals;
  - set up a web site and an Identity Alert Hotline for
    those who think they may have been affected by the breach;
  - suggests that recipients contact credit reporting
    agencies and take steps to minimize the risk of potential
    identity theft.
http://news.zdnet.com/2100-1009_22-6143003.html?tag=nl.e589
(News article)
http://www.cbsnews.com/stories/2006/12/12/tech/main2249716.shtml
(News article)
http://www.identityalert.ucla.edu/index.htm
(UCLA website for affected individuals)
Retail Breach Forces Banks to
Cancel Credit Cards
Overview
The wide effect that retail security breaches can have was
highlighted when several financial institutions recently canceled
thousands of credit and debit cards in Michigan because of
fraud concerns related to an apparent data compromise at a
convenience store chain. The problems appear to have resulted
from a security breach at Wesco, a Muskegon-based gas station
and convenience store chain with 51 locations in Michigan.
(11/20/2006)
Relevance
- the Wesco website notice revealed the commencement
of an investigation into the possibility of credit card
fraud associated with credit card transactions at the
retail location and that an investigation has been launched
by the US Secret Service;
- MasterCard and Visa USA Inc. confirmed that they were
investigating a data breach in the Muskegon area;
- four out of five data compromises involve security
breaches at point-of-sale systems;
- an analyst at Gartner Inc. stated that:
  - POS systems at convenience and grocery stores,
    as well as gas stations, can be especially vulnerable
    because of a lack of IT security awareness and
    resources;
  - much of the exposure results from merchants
    connecting their POS terminals to IP-based networks:
    such systems store magnetic stripe data from cards
    and have default passwords that can be easily
    hacked;
- Fifth Third Bancorp said it was reissuing credit cards
to a "limited number of customers" as a precautionary
measure, Community Shores Bank Corp. and Family Financial
Credit Union replaced some of their cards after seeing
evidence of fraudulent transactions;
- Community Shores Bank asked about 550 customers to
destroy their debit and credit cards after it noticed
several of its cards being used to conduct fraudulent
transactions.
computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=274392&taxonomyId=17&intsrc=kc_top
Starbucks Data Missing
Overview
Starbucks recently reported the theft of four “retired”
laptop computers, two of which contained the names, addresses
and Social Security numbers of 60,000 current and former employees.
Most of the affected employees worked in the United States
and a few in Canada. Of the 60,000 people affected, the company
still employs 10,000. The disappearance, first noticed on
Sept. 6th, was reported to the public on Nov. 4th. (11/04/2006)
Relevance
- the lost information dated from before December 2003,
prior to the time the company indicated that it had changed
its personal information storage procedures and strengthened
its privacy requirements;
- potentially affected employees are being notified
by letter;
- a toll-free number has been established to answer
questions;
- a website has also been created to provide additional
information;
- Starbucks is also offering free credit monitoring
from Equifax for affected persons;
- Starbucks waited two months to disclose the problem
until the completion of a thorough internal investigation
to try to locate the computers.
seattlepi.nwsource.com/business/291114_starbucks04.html
www.consumeraffairs.com/news04/2006/11/starbucks_data.html
Fraud Alert: Winners
Customers Warned
Overview
Canadian customers of HomeSense and Winners are being warned
of a potential security breach after computers at several
locations of U.S. based discount chain TJX Co. were broken
into. According to Framingham, Mass.-based TJX, several of
the computers that handle customer interactions and store
information at HomeSense and Winners (and its other stores
in the USA, UK and Ireland), including credit card numbers,
were tampered with. The exposed data covers 2003 and the period
from mid-May through December 2006. While the investigation
is in its early stages the number of accounts exposed could
exceed 40 million. (11/04/2006)
Relevance
Highlights:
- the tampering was discovered by an outside consultant
who advised TJX that the network could be compromised;
- TJX says it hired General Dynamics Corp. and IBM Corp.
to monitor and evaluate the intrusion and identify the affected
information- the companies have helped to secure and upgrade
the system;
- law enforcement (US and Canada) was contacted immediately
and at their request the breach was kept confidential for
a period of time;
- TJX is conducting a full investigation into the intrusion-
a limited number of credit card holders have been specifically
identified;
- major credit card companies, including American Express,
Discover, MasterCard and VISA and TJX payment processors
have been notified;
- 28 banks in Massachusetts have been alerted by the credit
card companies that some of their customers have had personal
information that may have been exposed;
- the banks are either monitoring customer accounts or reissuing
customer debit cards- there is now evidence of fraud in
the US;
- helplines have been established for customers in the USA,
Canada, the UK and Ireland; and
- information is also available at the TJX website and an
“Important Customer Alert” included on the Winners/
HomeSense websites.
Litigation:
- A class action lawsuit has been launched against Winners
and HomeSense in various provinces seeking compensation
on behalf of Canadians who may have been affected by this
incident.
Complaint:
- Canadian Internet Policy and Public Interest Clinic (“CIPPIC”)
filed a formal complaint with the federal Privacy Commissioner
on January 24 “requesting a formal investigation into
the widely-reported security breach suffered by the Winners
group of companies, and affecting consumers who shop at
any Winners or HomeSense store in Canada”:
- CIPPIC’s position is that Winners/HomeSense
has violated PIPEDA provisions related to collection,
use, retention and disclosure, consent and safeguards.
- the Commissioner is being requested to investigate not
only the incident but the general data practices of Winners/HomeSense
that led to the incident;
- highlights of the particular issues that the Commissioner
is being requested to address include:
  - the specific information collected from customers;
  - how the information is collected;
  - the involvement of third-parties such as financial
    institutions in the collection;
  - mechanisms used to obtain customer consent to the
    collection, retention, use and disclosure of their personal
    information and the validity of the consent;
  - records retention and destruction policy and procedures;
  - sharing of the information: for what purposes and
    under what conditions; and
  - security measures applied to the database to prevent
    security breaches.
http://www.canada.com/vancouversun/news/story.html?id=37f4475f-845d-4de9-83d1-b782f328e2e8&k=43942
http://news.com.com/T.J.+Maxx+parent+says+customer+data+stolen/2100-1029_3-6151017.html
http://news.bostonherald.com/localRegional/view.bg?articleid=177792
http://www.merchantlaw.com/winners.html
Litigation Information
http://www.cippic.ca/en/news/documents/winners2007jan23.pdf
CIPPIC complaint
GE Laptop with 50,000 Employee
Names and Data Stolen From Hotel
Overview
A laptop belonging to an employee of General Electric, and
containing personal information about more than 50,000 current
and former employees of GE, was stolen from a locked hotel
room. (10/27/2006)
Relevance
Highlights:
- the information was not encrypted and was protected
by password only;
- the employee was authorized to have the data and was
using it for a specific project;
- there was no sign that the data has been used improperly;
- affected employees were notified and offered free
one-year identity theft monitoring and credit checks;
- disciplinary actions are being considered;
- GE is assessing its procedures to safeguard personal
information.
www.internetnews.com/security/article.php/3634601
news.com.com/GE+laptop+theft+exposes+data+on+thousands/2100-1029_3-6120181.html
Privacy Office Probes
Science Centre Theft
Overview
The Ontario Science Centre (a Crown Agency) is apologizing
to its members after a laptop containing information about
some of them was stolen from its offices. The laptop contained
information about Science Centre programs and included some
registration data. The laptop is password protected and a
Science Centre spokesperson called the theft an “isolated
incident”. (10/26/2006)
Relevance
- stolen data includes names, addresses and credit card
numbers;
- the Centre reported the theft to the Ontario Privacy
Commissioner as required which allows staff to help
the affected agency take steps to deal with the theft
of personal information;
- the Privacy Commissioner confirmed that the Centre
has since taken all appropriate steps to protect its
members which include:
  - sending letters to members whose names have
    been in the computer warning them to “take
    appropriate steps” to secure their personal
    and credit-card information;
  - indicating to members in the notification letter
    an intention to review the Centre’s security
    procedures to prevent a recurrence; and
  - notifying the police.
www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=1161856749703&call_pageid=968256289824&col=968342212737
U.S. Department of Veteran Affairs
Reports New Data Loss
Overview
In response to a data loss, the U.S. Department of Veterans
Affairs has awarded a contract to a third party (Identity
Force) to provide identity theft protection services for more
than 5,700 citizens. The contract is the result of an incident
in which a backup data tape was reported missing. (10/11/2006)
Relevance
- The third party will provide the following services
to each affected citizen:
  - online and toll-free access for individuals
    to enroll in the Credit Monitoring Services program;
  - automatic daily monitoring of Equifax, Experian
    and TransUnion credit bureau reports;
  - alerts of any key changes to credit reports;
  - on-demand personal access to credit reports
    and scores;
  - dedicated fraud resolution representatives available
    to counsel and assist victims of identity theft;
  - a $20,000 identity theft insurance policy.
- As a result of a number of breaches, the Veteran Affairs
department:
  - established an information security program
    setting standards for accessing information systems;
  - requires officials to report compliance failures
    or policy violations immediately;
  - is conducting annual cyber security and privacy
    awareness training for all employees.
www.fcw.com/article96431-10-11-06-Web
Cabinet Filled with Census
Files Sold at Auction
Overview
Personal files of approximately 75 census workers turned
up in a filing cabinet at an auction. The files included the
workers’ names, Social Insurance Numbers and earnings.
Statistics Canada acknowledged it erred, and the agency intends
to apologize to every person listed in the files. The Federal
Privacy Commissioner is investigating the breach. (10/05/2006)
Relevance
- the auction house receives truckloads of used government
furniture, and on occasion some contain files;
- the auction house attempts to check the furniture
when it arrives but does not always have time;
- the Statistics Canada Director for the region said
the agency has detailed written instructions in place
to check each piece of furniture before sending it to
auction;
- the Director assumed total responsibility for the
incident stating that “at the end of the day the
buck stops here”;
- the Assistant Federal Privacy Commissioner said the
privacy office is always concerned when personal information
leaks out and indicated they were looking into this
incident.
www.canada.com/edmontonjournal/news/cityplus/story.html?id=4197a8e2-8dfa-4ea5-b22a-23bdf1859d42&k=40186
B.C. Facility Loses Public’s
Personal Data
Overview
Computer tapes containing private health care records of
250,000 British Columbians were discovered missing from the
government’s main data centre in Victoria. The discovery
was made when a confidential forensic audit revealed that
three missing tapes contain social insurance numbers, names
and addresses of individuals who had received income assistance
from 1991, 1993 and 1998. An additional sixteen tapes include
the names of patients, their birth dates, prescription records,
diagnoses etc. It was revealed that the government contracted
Telus to provide storage security. (09/12/2006)
Relevance
- the loss of the records was never reported publicly
and the audit report recommended that the public not
be notified consistent with government policy that does
not require notification of a possible disclosure of
personal information;
- the auditors suggest notification “where an
actual disclosure of personal information is known to
have occurred”;
- the report also stated that in this instance government
notification would be impractical given the number of
affected individuals;
- the government decided not to make the data public
as it was confident that there had not been a breach
of security;
- the report warns that some of the data is sensitive
enough to be used for “purposes of identity theft”;
- since the discovery the province has worked with Telus
to improve security and record-keeping at the site;
- Telus conducted its own review and strengthened
its data security and revealed that it has implemented,
or is in the process of implementing, every recommendation
made by the auditors;
- the information and privacy commissioner’s office
was notified and expressed satisfaction with the mitigation
steps the government is planning to take.
www.canada.com/victoriatimescolonist/news/story.html?id=e1b03e3e-d043-4e64-9a09-415a24636751&k=71796
Wells Fargo Discloses another
Data Breach
Overview
Wells Fargo has suffered another security breach when the
personal information of an undisclosed number of employees,
contained in a computer and a hard disk, was stolen from the
trunk of a locked vehicle belonging to an employee of an audit
company retained by the bank. (09/11/2006)
Relevance
- loss by auditors;
- Wells Fargo notified affected employees of the breach;
- there was no evidence that the compromised data had been
misused;
- the bank indicated that all vendors and service providers
are required to “take strict measures and follow specific
guidelines” for protecting sensitive data;
- in this case, the audit company failed to comply with
specified policies and therefore Wells Fargo terminated
its services.
www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002944&intsrc=article_more_side
Chase Discards Tapes
with Data on 2.6M Circuit Customers
Overview
Chase (the second largest U.S. credit card issuer) has acknowledged
that it accidentally discarded five computer tapes containing
the personal information of 2.6 million current and former
Circuit City credit card account holders. The tapes containing
names, phone numbers and account numbers, were dumped when
mistakenly identified as trash by Chase personnel. Chase reported
no misuse of the credit card information and stated the belief
that the information was destroyed in a trash compactor and
buried in a landfill. (09/08/2006)
Relevance
- the tapes were discarded in July but the incident
was made public after Chase had completed its review
of the incident;
- the incident was discovered through a security systems
audit after which law enforcement was contacted;
- the tapes were accidentally discarded because of human
error when specific procedures were not followed;
- affected accounts were monitored for suspicious activity;
- Chase notified the affected customers of the breach
and offered one free year of credit monitoring for those
whose social security numbers were on the tapes;
- Chase advised that to prevent a recurrence security
procedures are being strengthened and there will be
a review of all data storage and protection processes;
and
- employee training procedures are being reviewed.
www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003108
AT&T Sues Brokers over
Customer Data, New Laws Prompt Firms to Go After Phone Record
Fraud
Overview
AT&T Corp. is suing 25 brokers it alleges practiced ‘pretexting’
by posing as their customers and fraudulently gaining access
to 2,500 phone records. The suit seeks to stop the stealing
of customer data and the award of monetary damages. (08/24/2006)
Relevance
- AT&T is taking steps to force internet providers
to identify those responsible to protect their customers;
- companies are finally taking action to address the
invasion of their customers’ privacy in light of new
laws requiring security breach disclosures;
- privacy advocates recommend that companies train their
employees on how to detect pretexting which is an illegal
tool frequently used to gain unauthorized access to
records;
- AT&T notified affected customers of the breach.
www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/08/24/BUGDDKNUNS1.DTL
User Privacy Violation
Ends 3 Careers at America Online
Overview
A recent America Online (AOL) privacy breach involved the
intentional release of 19 million searches performed by 658,000
users from March-May, 2006. AOL made the data available as
part of a program to assist academic researchers and released
it to its public research website. Despite a substitution
of numeric IDs for subscribers’ user names the search
queries contained Social Security Numbers and medical conditions
that could be traced to individuals. Once this was discovered
the data was quickly circulated by webloggers. The AOL CEO
stated that the incident occurred because “some employees
did not exercise good judgment or review their proposal with
our privacy team”. At least two privacy groups- Electronic
Frontier Foundation and World Privacy Forum- have asked the
FTC to investigate. (08/22/2006)
Relevance
The privacy breach response was as follows:
- the removal of the information from the AOL website
once senior executives became aware of it;
- the firing of 2 employees and the resignation of the
Chief Technology Officer; and
- plans made to prevent a recurrence:
  - create a task force led by senior executives
    to review privacy and data retention policies;
  - place additional limits on employees’ access
    to data regardless of whether they are linked
    to additional accounts;
  - evaluate technologies designed to flag sensitive
    information; and
  - improve employee education and awareness on
    privacy.
www.macworld.com/news/2006/08/07/aol/index.php
Doctors Angry After Laptop
Stolen With 8,000 Personal Financial Files
Overview
8,000 clients of MD Management, a subsidiary of the Canadian
Medical Association, received a letter from the company warning
that a laptop containing their names, addresses, ages and
detailed financial and professional information was stolen
from the locked car of an employee broken into in a parking
lot. (07/25/2006)
Relevance
- loss by a financial services company;
- their employee had downloaded extensive information
on the laptop the day it was stolen;
- the company hired a private investigator to track
down the laptop;
- the company contacted Equifax and TransUnion, as a
precaution, to keep the information from being used
for fraudulent purposes; and
- the company conducted a review of the company’s
policies on what information may be downloaded in what
circumstances and by which employees.
www.cbc.ca/cp/health/060725/x072524.html
Equifax Says Laptop
with Employee Data Was Stolen
Overview
Equifax Inc., one of the three major US credit-reporting bureaus,
reported the May 29 theft of a laptop computer, containing
nearly all of its US employees’ names and Social Security
numbers, from an employee traveling on a commuter train in
Britain. (06/20/2006)
Relevance
- employee not complying with company policy- authorized
to have access to the data but not permitted to store
it on his laptop;
- affected employees notified of theft on June 7 and
encouraged to put fraud alerts on their credit files;
and
- Equifax also providing employees free credit monitoring.
www.eweek.com/article2/0,1895,1979296,00.asp
Laptop Stolen From D.C.
Home
Overview
ING US Financial Services reports that a laptop containing personal
information, including Social Security numbers, of 13,000
city workers and retirees was stolen from the Washington home
of one of its employees. The laptop was not protected by password
or encryption. (06/18/2006)
Relevance
- ING mailing a letter to all affected account holders
to alert them to the risk of identity theft;
- company to establish and pay for a year of credit
monitoring and identity fraud protection;
- ING explained its 5 day delay in alerting the District
by advising that it took several days to ascertain the
contents of the laptop;
- the employee involved did not breach company procedures
by taking home the laptop with sensitive data; and
- the incident resulted in ING analyzing whether any
of its remaining 5,000 laptops in circulation across
the US lacked adequate protection and stated that laptops
without encryption software would be fixed.
www.usatoday.com/news/nation/2006-06-18-data-theft_x.htm
AIG: Personal Data on 970,000
Lost In Burglary
Overview
A major US insurance company, AIG, announces the theft of
a computer containing the names, Social Security numbers and
tens of thousands of medical records from its Midwest office.
The lost records were submitted to AIG by hundreds of insurance
brokers shopping for rates for excess medical coverage on
behalf of a large number of employers. The lost computer
was password protected. (06/18/2006)
Relevance
- AIG to mail notifications to affected persons by June
23;
- break-in occurred on March 31 and AIG justified the
2 ½ month delay in disclosing the breach by stating
there was no evidence of any misuse and they were unwilling
to publicize that the computer contained sensitive information.
Reason for breach notification not provided; and
- policy changed as personal information submitted by
brokers is not required by AIG to obtain rate quote
and brokers are now required to submit only aggregated
data on employees’ medical claims history.
www.usatoday.com/money/industries/insurance/2006-06-16-AIG_x.htm?POE=NEWISVA
www.msnbc.msn.com/id/13327187/
CPA Group says Hard Drive with
Data on 333,000 Members Missing
Overview
The American Institute of Certified Public Accountants (AICPA)
disclosed that a computer hard drive containing the unencrypted
names, addresses and Social Security numbers of nearly all
of its 330,000 members was lost. The hard drive, sent out
for repairs, went missing on its way back to the AICPA via
Fedex. (06/07/2006)
Relevance
- loss by third-party- courier company;
- notification to all affected members of potential
compromise of their personal data;
- offer of a year’s worth of free credit monitoring
services to victims;
- implementation of the decision to delete all Social
Security numbers from the AICPA member database;
- the reversal of the long-standing procedure of collecting
and maintaining Social Security numbers except in limited
circumstances; and
- even in those limited circumstances alternate means
of uniquely identifying members will be developed.
www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001030&source=rss_topic84
Ahold Pension Data Lost When
Laptop Disappears From Flight
Overview
A laptop containing the names and personal information of
retirees of the grocery store chain Ahold USA disappeared
after being left in checked baggage on a US flight and the
airline lost the baggage. The laptop was lost by an employee
of Electronic Data Systems (EDS), which provides data processing
services for the Ahold pension plan. (06/05/2006)
Relevance
- loss by third-party- data processing company;
- notification of affected retirees by mail;
- employee in violation of company policy when he checked
the laptop on the flight;
- notification of the three major credit bureaus by
EDS and Ahold; and
- toll-free number established to allow retirees to
get information on obtaining free credit reports and
free credit monitoring for one year.
www.networkworld.com/news/2006/060506-ahold-usa-pension-data-lost.html
Laptop Theft Exposes Hotels.com
Data
Overview
A laptop of an Ernst & Young Global Ltd employee containing
the name, address and credit card information of 243,000 Hotels.com
customers, related to transactions from 2002-2004, was stolen
in a car theft. The laptop was password protected but not
with encryption software. Ernst & Young was in the middle
of conducting an audit when the theft occurred. (06/02/2006)
Relevance
- loss by third-party- auditors;
- breach notification letters:
  - Ernst & Young: identified transaction periods,
    type of transaction and the information breached;
    and
  - Hotels.com: toll-free call centre to assist
    customers with questions, an offer of free credit
    monitoring service and instructions on how to
    file a fraud alert with credit card companies
    and advised credit card companies of specific
    customers whose cards were compromised.
- Ernst & Young has since encrypted data on all
laptops within its US and Canadian operations.
news.com.com/Car+theft+exposes+Hotels.com+data/2100-7348_3-6079424.html?part=rss&tag=6079424&subj=news
computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000929
Stolen YMCA Laptops Contained
Data on 68,000 Members
Overview
A laptop containing debit card, credit card, Social Security
numbers and other personal information of YMCA members and
names, addresses and allergy and medication information of
children in the Y’s day care programs was stolen from
a locked office at the YMCA’s administrative offices.
(06/02/2006)
Relevance
- an example of a breach of physical safeguards;
- breach notification letter sent advising victims to
contact their credit card companies or financial institutions
and to consider placing a fraud alert on their credit
files at the credit card bureaus.
computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000916
Non-Profit Reports
Data Loss for 1.3 Million Borrowers
Overview
Texas Guaranteed Student Loan Corp, a non-profit organization,
announced that its third-party service provider, Toronto based
Hummingbird Ltd, had lost a piece of computer equipment containing
the names and social security numbers of about 1.3 million
borrowers. (05/31/2006)
Relevance
- loss by third-party- software company. Details on
how the computer was lost not provided;
- notification letters sent to those directly affected
with information about their records and recommendations
on how to protect themselves from identity theft; and
- online resources provided to those potentially affected.
seclists.org/lists/isn/2006/Jun/0006.html
www.bizjournals.com/austin/stories/2006/05/29/daily11.html
Security Breach Hits the Online
World
Overview
Linden Lab (the Lab), the creator of Second Life, the online
world that allows users to live out another existence, reported
a security breach in which a malicious hacker broke into a
database holding information about its 650,000 users. The
database held names, addresses, passwords and encrypted credit
card information. There was no compromise of a second database
holding unencrypted credit card data. (05/08/2006)
Relevance
- within 2 days of the breach the Lab reported the incident
to players and asked them to change their passwords
– the nature of the attack meant the Lab could
not find out which personal records had been viewed
by the attacker; and
- the Lab updated its security arrangements to help
users who had lost or forgotten information used to
re-set passwords.
news.bbc.co.uk/2/hi/technology/5333996.stm