Business Data Exposed on Canada Post Website: Glitch in Agency's Online Shipping Site Could Be a 'Gold Mine' for Those Involved in Identity Theft and Fraud, Law Professor Says - Kenyon Wallace, Globe and Mail
Business Activity: Safeguarding Data
Impact
By altering information in the URL of an online application, a user was inappropriately exposed to the usernames and passwords of other users. (12/18/2007)
Relevance
Relevance to Business Activity:
- safeguarding data considerations:
  - a Yahoo search by a business owner for his company's name revealed a link that contained the owner's username and password for the Sell Online website;
  - the owner was able to access other websites containing a large number of other login records by changing dates in the URL in his browser:
    - the records contained usernames and password attempts on the Sell Online website.
  - the business owner advised that using his username and password would reveal his customers' shipping details and his VISA card number;
  - many users use the same username and password across multiple websites:
    - revealing a username and password therefore creates a significant risk of identity theft;
    - it may also provide access to applications such as on-line banking or e-mail accounts.
  - when presented with evidence that their username and password had been compromised, some owners expressed concern about continuing to use the Sell Online service;
  - it appears that a folder containing client login attempts was inadvertently placed in a public area of the web server;
  - Canada Post indicated that it had addressed the problem.
Additional Considerations:
- Canada Post:
  - outsources all of its IT services to third parties;
  - remains responsible for ensuring that computer applications provided by its third parties provide adequate safeguards.
http://www.theglobeandmail.com/servlet/story/RTGAM.20071217.wbreach17/BNStory/National/home
New Brunswick Government Taking Measures in Wake of Lost Medical Records - The Canadian Press
Business Activity: Breach Response
Impact
New Brunswick uses an indirect method for notifying affected individuals after a breach. (12/17/2007)
Relevance
Background Facts:
- the personal health information of 485 residents of New Brunswick and British Columbia was lost when computer disks went missing while being sent to B.C.
Relevance to Business Activity:
- breach response considerations:
  - the health minister has:
    - offered free credit monitoring, which the patients will be able to use for a year;
    - directed staff to immediately report any breach or suspected breach related to the protection of personal health information.
  - staff have attempted to call all 485 patients and have taken out ads in newspapers in British Columbia in case any patients are still in that province;
  - the health department has:
    - changed the way health records are sent;
    - initiated a police investigation;
    - launched a full review within the department; and
    - asked the Ombudsman's office to conduct a review.
http://canadianpress.google.com/article/ALeqM5iKpUY0-IpcnO4V1Q6kTCL5jETkGw
Forrester Loses Laptop Containing Personnel Data - Lisa Vaas, eWeek.com
Business Activity: Breach Response
Impact
Stolen laptop hard drive was password-protected but not encrypted; media relations staff were caught off-guard. (12/05/2007)
Relevance
Background Facts:
- thieves stole a laptop from the home of a Forrester Research employee, potentially exposing personal information, including Social Security numbers, of an undisclosed number of current and former employees and directors.
Relevance to Business Activity:
- breach response considerations:
  - a notification letter sent to affected persons noted that the hard drive of the laptop was password-protected but made no mention of encryption:
    - consultants routinely warn firms of the importance of encrypting portable data devices;
    - password protection is considered ineffective for actually protecting laptop data.
  - the office of the "chief people officer" appears not to have informed the firm's media staff before sending out the notification letter:
    - media relations staff were therefore not prepared with an incident response plan.
  - organizations are encouraged to lay out incident response plans that detail a chain of command to ensure that:
    - the right executive is informed;
    - the public relations staff are devoted to incident response; and
    - the proper authorities have been notified, etc.
  - the theft was reported to the police and the Attorney's Office in Massachusetts;
  - those affected, except residents of New York, are being provided with a full year of credit monitoring, including $25,000 of identity theft insurance.
http://www.eweek.com/article2/0,1895,2228887,00.asp
Police Investigate Security Breach of Patient Records in N.L. - The Canadian Press, canadianpress.google.com
Business Activity: Breach Response / Use of Third Parties
Impact
Patient information hacked from a private-sector consultant's computer while at home. (11/26/2007)
Relevance
Background Facts:
- patient records of the Provincial Public Health Laboratory in Newfoundland were accessed without authorization from the databank collected by the lab and included the following:
  - patient test results for infectious diseases, including HIV and hepatitis;
  - name;
  - health numbers;
  - age;
  - sex; and
  - name of physician.
- it appears to have been an isolated incident, and no files were lost from the province's wider computer network.
Relevance to Business Activity:
- use of third parties considerations:
  - files were obtained through an open Internet connection on a computer taken home by a private-sector consultant on contract with the Provincial Public Health Laboratory in Newfoundland:
    - the consultant had installed file-sharing software on the computer.
  - the consultant became aware of the breach when called by someone who identified himself as a representative of a New York-based private computer security company:
    - the caller claimed he was in possession of some of the patient information stored on the consultant's computer.
  - the Attorney General and Health Minister believe department guidelines had been breached by the consultant in bringing the materials home.
- breach response considerations:
  - the Government determined that at least 47 individuals should be contacted;
  - the incident will force a review of the department's computer policy;
  - the province's Office of the Chief Information Officer is opening a formal investigation into the incident;
  - the police are investigating whether computer hackers viewed the patient information and will determine if any criminal charges will be laid.
http://canadianpress.google.com/article/ALeqM5gsDLF3tpvC6I7ULofVPUWfP1VuPQ
http://www.cbc.ca/canada/newfoundland-labrador/story/2007/11/27/security-breach.html
State Watching Response to Blockbuster Store Identity Breach - Todd Ruger, HeraldTribune.com
Business Activity: Breach Response
Impact
Improper disposal of records results in a breach of customer and employee personal information. (10/31/2007)
Relevance
Background Facts:
- a box of approximately 400 Blockbuster membership forms and employee applications containing credit card and Social Security Numbers was found in a trash container;
- the Florida Attorney General's office is requesting copies of the documents and has asked the company to notify individuals whose personal information may have been compromised.
Relevance to Business Activity:
- breach response considerations:
  - the company:
    - sent a memo to all of its stores reinforcing the company policy requiring that all documents generated in the store be destroyed when no longer kept on file;
    - indicated that all stores have shredders;
    - had put in place procedures to protect customer information;
    - claims that this was an isolated incident;
    - launched an internal investigation which could result in disciplinary action up to and including dismissal.
http://www.heraldtribune.com/article/20071025/NEWS/710250439
TD Ameritrade Releases Results of Client SPAM Investigation
Business Activity: Breach Response
Impact
Delayed notification of a breach by a brokerage company results in a class-action lawsuit. (09/14/2007)
Relevance
Background Facts:
- hackers accessed an internal database of TD Ameritrade using unauthorized code;
- forensic data experts were commissioned to assist in the investigation of stock-related spam sent to TD Ameritrade's customers:
  - unauthorized code was discovered;
  - client assets held in accounts with the company remain secure, as UserIDs, personal identification numbers and passwords were not stored in this particular database;
  - basic contact information of 6.3 million customers was affected;
  - there is no evidence that more sensitive information stored in this database, e.g. Social Security Numbers, was taken.
Relevance to Business Activity:
- breach response activities:
  - the company posted a notification of the breach on its website:
    - a class-action lawsuit was filed against the company alleging that it knew customer email addresses had been leaked to spammers over a year ago and failed to notify its customers.
  - the FBI and Securities and Exchange Commission were also notified;
  - the company eliminated the unauthorized code from its systems;
  - the company hired another third party to investigate and monitor for potential identity theft:
    - after thorough analysis, no evidence of identity theft was found;
    - ongoing identity monitoring services were provided to customers;
  - the company is confident that it has identified the way in which the customer information was taken and has taken the appropriate steps to prevent it from recurring;
  - the company participates in industry groups to share information on these types of threats in the interest of protecting all clients;
  - no special action was required of its customers other than continuing to remain alert in guarding their personal information.
http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20070914005075&newsLang=en
http://www.informationweek.com/security/showArticle.jhtml?articleID=201807006
Ellen Messmer, Network World - eBay Denies Security Breach Led to Data Posting: Auction Giant Contacting Each of the 1,200 Affected eBay Users Individually by Phone to Explain the Situation to Them
Business Activity: Breach Response
Impact
Public discussion board temporarily shut down when a security breach was suspected. (10/01/2007)
Relevance
Background Facts:
- personal information of 1,200 eBay users, including credit card numbers, appeared on eBay's Trust & Safety Discussion Board, where public comment is shared.
Relevance to Business Activity:
- breach response activities:
  - eBay responded by immediately shutting down the discussion board;
  - the company's security team launched an investigation to determine whether hacking of eBay computer systems had occurred:
    - eBay servers were not breached:
      - the credit card information posted was not the same as the information that eBay stores on its systems.
  - eBay is contacting each of the 1,200 affected users individually by telephone to explain the situation and warn customers to take the necessary steps to protect themselves.
http://www.pcworld.com/article/id,137765-c,auctionsites/article.html
Parija B. Kavilanz, CNNMoney, cnnmoney.com - Gap: Stolen Laptop Has Data of Job Applicants: Retailer said a laptop stolen from a third-party vendor contained personal information of 800,000 people, including Social Security Numbers
Business Activity: Breach Response / Use of Third Parties
Impact
Unencrypted job applicant information stolen from a third-party vendor. (10/01/2007)
Relevance
Background Facts:
- a laptop containing personal information of about 800,000 job applicants was stolen from the offices of one of Gap Inc.'s vendors that manages data for the company:
  - the laptop contained personal information for people who applied on-line or by phone for store positions with several of the company's affiliates in the U.S., Canada and Puerto Rico between July 2006 and June 2007:
    - the information did not include Canadian Social Insurance Numbers.
Relevance to Business Activity:
- breach response activities:
  - the company notified U.S. applicants whose Social Security Numbers were included in the information on the laptop.
- use of third party considerations:
  - contrary to the company's agreement with the vendor, the information on the laptop was not encrypted.
http://money.cnn.com/2007/09/28/news/companies/gap/?postversion=2007092816
CBC News - Medical Faxes Misdirected to Winnipeg Woman's Home
Business Activity: Breach Response / Safeguarding Data
Impact
An example of inappropriate safeguards relating to the faxing of sensitive personal information. (09/13/2007)
Relevance
Background Facts:
- personal medical information was faxed for years from several health facilities in Winnipeg to the residence of the complainant, whose home fax number was similar to that of a health clinic:
  - faxes were sent from doctors' offices, medical clinics, two departments at the Health Sciences Centre and the province's own after-hours office;
  - despite efforts to prevent recurrences, faxes continued to arrive at the complainant's home.
Relevance to Business Activities:
- breach response activities:
  - the provincial Health Minister responded to the complainant by letter, indicating that the matter was of great concern and that the breach was the result of human error;
  - Manitoba Health and Healthy Living took action to remind facilities and practitioners that they must ensure that personal health information transmitted by fax is securely transmitted;
  - a number of the facilities were asked to put the fax number of the medical clinic where the faxes were intended to be sent on their speed-dial;
  - people whose information had been compromised were not notified;
  - the province and federal government are both reviewing their privacy policies to determine whether changes should be made.
- safeguarding data considerations:
  - concern was expressed that this kind of information should not have been faxed at all.
http://www.cbc.ca/health/story/2007/09/13/medical-faxes.html
Pfizer Reports Another Data Breach
Business Activity: Breach Response / Safeguarding Data
Impact
An employee violated policy by removing highly sensitive personal information, resulting in the third breach in three months. (09/04/2007)
Relevance
Background facts:
- the third data breach in three months affected current and former Pfizer employees, as well as health care workers and other individuals;
- data for approximately 52,000 individuals was breached;
- there is no evidence of any misuse of the personal information.
Relevance to Business Activities:
- lack of data safeguarding results in the third breach:
  - a Pfizer employee wrongfully removed copies of confidential information from a Pfizer computer system;
  - there was an eight-month delay between the incident and when Pfizer became aware of the breach.
- breach response activities:
  - letters to Attorneys General around the nation were sent out more than seven weeks after Pfizer became aware of the compromised information;
  - the employee responsible for the breach violated policy and no longer works for Pfizer;
  - computer systems have been modified and security enhanced;
  - a specialist in preventing identity theft was retained, providing credit monitoring and fraud-resolution counselling;
  - $50,000 in identity theft insurance was also provided.
http://www.theday.com:80/re.aspx?re=2f8ed114-d2eb-4ae5-a534-fbcd3a76e5e9
Sick Kids Doctor Loses Data on 3,300 Patients
Business Activity: Breach Response / Safeguarding Data
Impact
Hospital loses unencrypted data despite a previous Order requiring encryption. (08/31/2007)
Relevance
Background Facts:
- a doctor at Sick Kids Hospital lost an external hard drive containing personal information of 3,300 patients at an airport;
- 6 weeks prior, Sick Kids had another security breach which resulted in an order requiring encryption when removing electronic personal information from the hospital.
Relevance to Business Activities:
- Sick Kids failed to comply with the safeguarding data requirements of the PHIPA Order by failing to encrypt the hard drive:
  - the hard drive has not been located.
- Sick Kids responded to the breach by providing patients with written notification 4 months after the incident occurred, as it took time to reconstruct the information.
Additional Considerations:
- the IPC noted that it would take some months for organizations of that size to adapt to the orders.
http://www.privacylawyer.ca/blog/2007/08/incident-sick-kids-physician-loses.html
Security Breach at Monster.com
Business Activity: Breach Response
Impact
A breach of Monster.com's website is discovered by a security company, Symantec Corp:
- a third party, Symantec, posted information about the breach on its website ahead of Monster advising its customers. (08/24/2007)
Relevance
Background facts:
- security experts at Symantec discovered the breach and advised Monster;
- hackers used the stolen credentials of employers to steal the information;
- the information was used for phishing attacks.
- Monster undertook its investigation of the breach and:
  - located the rogue servers used by the hackers; and
  - had the web-hosting company shut down the servers.
Relevance to Business Activities:
- the third party, Symantec, posted information about the breach on its website;
- Monster's breach response included posting information about the breach on its website one day later:
  - it warned users they might be the target of e-mail scams;
  - it posted letters to the 1.3 million affected users.
- Monster indicated that it would terminate any account used for illegitimate purposes.
http://www.foxnews.com/story/0,2933,294471,00.html
B.C. Hydro Discloses Customer Information to U.S. Firm
Business Activity: Use of Third Parties
Impact
B.C. Hydro shared customer personal information with a U.S.-based polling firm in violation of B.C. legislation. This incident highlights the risks, for third-party service providers doing business with government organizations in some provinces (e.g. B.C. or Nova Scotia), of:
- being located outside of Canada;
- being a Canadian subsidiary of a foreign company; or
- storing data on servers outside of Canada, which is considered a breach requiring notification. (08/23/2007)
Relevance
Background facts:
- B.C. Hydro invited 10,000 customers to participate in a survey;
- the survey was conducted by Energy Insights, a company with operations in Canada as well as internationally;
- approximately 750 customers responded to the survey and provided personal information, such as:
  - name;
  - address;
  - phone number;
  - e-mail;
  - demographic information.
Relevance to Business Activities:
- this is an example of the use of third parties based outside of Canada:
  - the data was stored on computer servers in the U.S.;
  - B.C. Hydro had the information removed from the third party's servers as soon as the breach was discovered;
  - the mistake was attributed to a lack of training and awareness of employees:
    - employees are attending refresher seminars on privacy regulations.
- B.C. Hydro has sent a letter of apology to all 10,000 customers.
http://www.canada.com/theprovince/news/story.html?id=1eb7e36b-a1a8-404f-8b27-a65bc2a52453
Pfizer Reports Second Data Breach in Two Months
Business Activity: Use of Third Parties / Breach Response
Impact
This is an example of the reputational damage that can be caused by the actions of third-party service providers:
- a laptop was stolen from the car of an employee of the third-party service provider;
- the state Attorney General expressed concern about the 2-month delay in providing notification.
Relevance
Background facts:
- two laptops were stolen from a third-party service provider ("Axia") employee's vehicle;
- the laptops contained the personal information of 950 current and former employees and some contractors, including:
  - names;
  - Social Security numbers;
  - home addresses;
  - cell phone and fax numbers;
  - e-mail addresses; and
  - compensation information.
Relevance to Business Activities:
- Pfizer's breach response details:
  - provided notification to the 950 employees/contractors;
  - provided notification to a state Attorney General:
    - the laptops were stolen in May 2007, while the state Attorney General was not advised until July 20, 2007;
    - no explanation was provided for the delay in notifying the Attorney General's office.
  - the Attorney General expressed concerns about the amount of time it took Pfizer to notify people about the breach:
    - due to the possibility of credit card fraud and identity theft, time is of the essence when notifying consumers;
    - the sooner consumers are notified, the sooner they can respond and prevent further harm.
- this is an example of the risks associated with the use of third parties.
http://www.informationweek.com/news/showArticle.jhtml?articleID=201800113
http://www.theday.com/re.aspx?re=8af00085-8d2e-4267-b431-2344b0bfd97e
VeriSign Laptop Containing Employee Information Is Stolen
Business Activity: Personal Information Handling Policies / Breach Response
Impact
A VeriSign contract employee no longer works for the company after her laptop was stolen from her car:
- appropriate policies were in place, but the employee failed to comply. (08/07/2007)
Relevance
Background facts:
- the contract employee:
  - worked in VeriSign's human resources department;
  - failed to comply with company policies that:
    - data be encrypted; and
    - employee information not be downloaded onto laptop computers.
  - left her laptop in her car overnight in her garage, and the next morning found that the car had been broken into and the laptop had been stolen;
  - contacted the police and then reported the theft to VeriSign, who also contacted police and began their own internal investigation.
Relevance to Business Activities:
- the employee's contract was not renewed:
  - VeriSign did not indicate whether the contract was terminated prematurely or whether it happened to expire soon after the policy was not followed.
- VeriSign has a policy on how to manage laptops that contain sensitive information and company data, including:
  - laptops must not be left in vehicles in plain view;
  - the amount of confidential and sensitive data stored on laptops must be kept to a minimum;
  - data encryption tools must be used to protect data that absolutely must be stored on a laptop.
- VeriSign will continue to review its security procedures to prevent future human errors of this type;
- its breach response included notification to all affected employees and the offer of free credit monitoring.
http://www.informationweek.com/management/showArticle.jhtml?articleID=201203456
Four Laptops Stolen from Capital Health
Business Activity: Safeguarding Data / Breach Response
Impact
Breach notification was provided when one of 4 stolen laptops contained patient information:
- even though the laptop had two-level password protection. (08/02/2007)
Relevance
Background facts:
- thieves broke into the building in the evening and stole the 4 laptops;
- only one computer contained patient information.
Relevance to Business Activities:
- the laptops were secured to desks with cable locks;
- the thieves were able to dislodge the cable locks;
- the laptops were equipped with two-level password protection;
- notification was provided even though, given the two-level password protection, the risk of compromise to patient data was considered to be low.
Other considerations:
- the OIPC stated that this incident reinforces that cable locks alone are not sufficient protection, and organizations should consider securing laptops in locked cabinets after working hours.
http://www.capitalhealth.ca/NewsAndEvents/NewsReleases/2007/StolenLaptops.htm (news release)
http://www.canada.com/edmontonjournal/news/story.html?id=baeb84c8-557a-4397-b67e-fb19cdad9075&k=22599 (news article)
Breach, Undetected Since 2005, Exposes Data on Kingston Customers
Business Activity: Safeguarding Data / Breach Response
Impact
A September 2005 security breach, which a Kingston Technology Company Inc. spokesman believes was perpetrated by an external attacker, was recently discovered. Names, addresses and credit card details of roughly 27,000 online customers of the computer memory vendor may have been compromised. (07/16/2007)
Relevance
Highlights:
- the IT team "detected irregularities" in the computer system at some unspecified point in time and, along with forensic computer experts, began investigating the issues;
- after the probe was completed and a final report released, the company confirmed the scope of the intrusion and its impact;
- the company arranged for consumer protection services and materials and has commenced notification of affected customers;
- the company's email statement said that it had taken "aggressive steps" to minimize any potential risk to those affected by the illegal access;
- the company also revealed that it has contracted with a security consulting firm to provide credit monitoring services and, if needed, "identity restoration" free of charge to affected customers;
- a top computer forensics firm has been engaged to assist in the development of "even greater levels of system security" to thwart future attacks;
- there is no evidence to date that the illegally accessed data has been misused.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=networking_and_internet&articleId=9027220&taxonomyId=16
Fidelity National Reports Data Breach, Fires Employee
Business Activity: Breach Response / Safeguarding Data
Impact
An employee steals and subsequently sells customer records for personal gain; the organization:
- fired the employee;
- filed a civil lawsuit against the former employee and the marketers who subsequently used that data for marketing purposes. (07/03/2007)
Relevance
Highlights:
- a database administrator:
  - stole nearly 2.3 million bank account and credit card records;
  - sold the information to a data broker.
- the data broker sold some of the data to a number of direct marketers;
- customers subsequently received marketing solicitations.
- the organization:
  - became aware of the incident when notified by a cheque processing customer who detected a correlation between cheques it was processing and marketing materials received by customers;
  - launched an immediate investigation:
    - was unable to detect a breach of its security systems;
    - engaged a forensic investigator to validate its findings;
    - was unable to detect any compromise in its firewalls and other system security measures;
    - requested that the U.S. Secret Service contact the marketing companies in question to trace the source of the data;
    - determined that the source of the data was an employee:
      - the employee was a senior-level database administrator who was entrusted with defining and enforcing data access rights;
      - the employee removed the information from the organization's facility via physical processes, not electronic transmission, to avoid detection.
  - took the following actions:
    - fired the database administrator;
    - filed a civil complaint against the former employee and the marketing companies seeking:
      - retrieval of all consumer information; and
      - an injunction against any use.
    - contacted the marketing companies requesting the return of all consumer information;
    - proactively engaged law enforcement and is encouraging immediate prosecution;
    - is making any required notifications to state regulatory agencies;
    - alerted the nation's three major credit reporting agencies;
    - notified Visa and MasterCard of the incident;
    - established a procedure for financial institutions to obtain information about their customers' accounts so that they can place them on an active fraud watch;
    - notified all affected consumers of this misappropriation, and established a toll-free hotline to answer consumer questions;
    - implemented a fraud watch on its internal systems;
    - reviewed its security policies, and is taking steps to help prevent future incidents.
http://www.reuters.com/article/bankingfinancial-SP/idUSN0318017820070703?pageNumber=1
http://www.techweb.com/showPressRelease.jhtml?articleID=X622373
Coastal Community Credit Union Reports Stolen Backup Tapes
Business Activity: Breach Response
Impact
Although the data on the stolen backup tapes is encrypted, a Credit Union issues an advisory to its members. (06/19/2007)
Relevance
Highlights:
- Coastal Community Credit Union reported that backup tapes containing the personal information of its 120,000 members were stolen from a courier company;
- the tapes:
  - were stolen while the courier truck was parked and locked;
  - were encrypted and would require special commercial software to decrypt;
  - contained files with selected personal and financial information, such as:
    - name;
    - address;
    - date of birth;
    - social insurance number;
    - member number;
    - ATM/debit card number;
    - credit card number; and/or
    - balances.
  - did not include information such as:
    - PIN numbers;
    - personal access codes for Internet or telephone banking;
    - expiry dates or codes for credit cards; or
    - security code words for in-branch access.
- the Credit Union:
  - said fraudsters could still exploit the information, which is why it has issued an advisory to each member;
  - has outside parties reviewing its procedures for transporting backup information.
http://www.darkreading.com/document.asp?doc_id=127081&f_src=darkreading_section_296
Bank of Montreal Mistakenly Sends Faxes to an Alberta Couple
Business Activity: Training Employees on Privacy / Safeguarding Data
Impact
BMO determines human error to be the cause of faxes being sent to the wrong fax number:
- the bank was aware of the problem but had been unable to permanently stop it from recurring due to manual dialing;
- no investigation by the Privacy Commissioner has been reported. (06/07/2007)
Relevance
Highlights:
- an Alberta couple reported to the media that they:
  - began receiving faxes from the bank (which included customers' names, addresses, credit card numbers and bank account information) approximately three years ago;
  - noted that the faxes came from multiple locations;
  - complained to the bank, after which the faxes ceased for a short time;
  - complained to the bank again in January 2006, when they again received some faxes;
  - have received faxes on four more occasions since February 2007.
- the bank:
  - indicated the faxes were sent by employees in Edmonton, intended for the bank's head office in Toronto;
  - stated that this is a case of employees needing to "take some care and checking the number before they send it to make sure they have dialed the '1'";
  - talked to the employees who had been sending the faxes;
  - contacted the affected customers.
http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20070607/faxes_bank_070607/20070607?hub=Canada
http://canadaeast.com/ce2/docroot/article.php?articleID=7974
Pfizer Suffers Data Breach
Business Activity: Safeguarding Data
Impact
Unauthorized file-sharing software downloaded by an employee's spouse onto a company-issued laptop causes personal information to be accessed via a peer-to-peer network:
- the information was posted on a website;
- the company offered yearlong credit monitoring, including a $25,000 insurance policy. (06/02/2007)
Relevance
Highlights:
- the P2P software was downloaded onto the company laptop by the employee's spouse:
  - the software was installed from home; and
  - was used on the Internet, not on the Pfizer corporate network.
- the laptop contained the (unencrypted) name, Social Security number, and in some instances address of approximately 17,000 present and former Pfizer employees;
- the company's investigation determined that:
  - files were exposed to unauthorized person(s) over a 'peer-to-peer' network;
  - the information was surreptitiously uploaded and was subsequently posted to an Internet website;
  - it was unable to determine the identity or location of the person(s) responsible for uploading the data.
- the company:
  - disabled the file-sharing software;
  - did not say how it discovered the breach, nor which file-sharing networks or software were involved;
  - notified the Attorneys General in all States where employees were affected;
  - offered affected employees a yearlong credit-monitoring program that includes a $25,000 insurance policy.
http://www.darkreading.com/document.asp?doc_id=126297&WT.svl=news1_1
http://www.courant.com/business/hc-pfizer0612.artjun12,0,416274.story?coll=hc-headlines-business
Saskatoon Health Documents Sold at Auction
Business Activity: Records Destruction
Impact
Improper disposal of a box of 2,000 health-related plastic
cards containing personal information results in breach:
- box was to be shredded but was sent to a used furniture
auction due to employee error. (05/29/2007)
Relevance
Highlights:
- the plastic cards, created by the Saskatoon Health Region:
- are used to imprint health records;
- contained patients’ names, dates of birth,
addresses, religious affiliations, health card numbers
and doctor’s name;
- were in a box destined for a shredder that was mistakenly
placed on a truckload of surplus furniture headed
for auction;
- box was included in a collection of material sold at the
auction;
- the cards were turned over by the buyer to the Opposition
Party, who returned them to the health region.
http://www.canada.com/nationalpost/news/story.html?id=fd7fc2ea-8de5-4dd9-b347-a5d101df4e03&k=25680
Alcatel-Lucent Notifies Employees and Retirees of Missing Computer Disk Containing Personal Information
Business Activity: Breach Response/Use of Third-Parties
Impact
A computer disk created by one third-party service provider
(of Alcatel-Lucent) for shipment to another third-party service
provider via courier went missing, resulting in Alcatel-Lucent
notifying its employees and retirees. (05/17/2007)
Relevance
Highlights:
- the service provider did not encrypt the computer disk;
- information contained on the computer disk included name,
address, Social Security number, date of birth and salary
data;
- Alcatel-Lucent:
- has launched its own investigation;
- has requested the Secret Service, as well as local
and state law enforcement agencies, to investigate;
- is offering employees one year of free credit monitoring
services;
- has mailed a letter to all affected employees and
retirees;
- has instructed vendors not to send personal information
via courier services.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019841&source=rss_topic84
news article
http://www.alcatel-lucent.com/wps/portal/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLd4x3tXDUL8h2VAQAURh_Yw!!?LMSG_CABINET=Docs_and_Resource_Ctr&LMSG_CONTENT_FILE=News_Releases_2007/News_Article_000295
press release
IBM Contractor Loses Employee Data (05/16/2007)
Business Activity: Breach Response/Use of Third-Parties
Impact
A third-party vendor loses data tapes that contained sensitive
personal information about current and former IBM employees
during transit. (05/16/2007)
Relevance
Highlights:
- the tapes went missing in transit from a contractor's
vehicle;
- IBM investigated the incident and concluded that the tape
loss was inadvertent;
- IBM ran an ad in the local newspaper seeking help in retrieving
the tapes but has been unable to recover them;
- there is no indication that any information on the tapes
has been accessed;
- the tapes included dates of birth, Social Security numbers,
and addresses of current and former IBM employees;
- some of the tapes were not encrypted;
- IBM began notifying victims of the breach and is offering
one year's worth of free credit monitoring.
http://www.infoworld.com/article/07/05/15/IBM-contractor-loses-employee-data_1.html
http://www.consumeraffairs.com/news04/2007/05/ibm_data.html
Insurance Agent could be Suspended
Business Activity: Records Destruction
Impact
An insurance company could be suspended as a Manitoba Public
Insurance broker after hundreds of customers' personal documents
were discarded in a garbage dumpster. (05/01/2007)
Relevance
Highlights:
- Manitoba Public Insurance:
- is investigating why the Weston Travel and Insurance
Agencies did not properly destroy:
- car insurance applications;
- filled-out travel itineraries; and
- forms containing credit card numbers, home
insurance information and valid licence plate
numbers.
- has a confidentiality policy that requires all brokers
to shred documents and protect client privacy before
personal information is disposed of;
- will review the company’s disposal practices
and might suspend their business as a result.
- the insurance company:
- believes cleaning staff accidentally threw the documents
in the dumpster;
- has a contract with a recycling company that picks
up papers from the office, shreds and recycles them.
http://www.winnipegfreepress.com/local/story/3955565p-4568048c.html
J.P. Morgan Chase Probing Data Breach Shown in YouTube Video
Business Activity: Records Destruction
Impact
A worker’s union posted a video on YouTube, allegedly
showing that financial services firm J.P. Morgan Chase dumped
documents containing personal financial data of its customers
in garbage bags. (05/01/2007)
Relevance
Highlights:
- the documents contained account data, including full customer
names, addresses and Social Security numbers and were discovered
in trash bags outside bank branches in and around New York
City;
- the video ends with a message urging viewers to call the
bank's head of media relations for Retail Financial Services
and the U.S. Region;
- the bank stated that:
- it is investigating the claims made by the union;
- the standard procedure for disposing of financial
documents includes:
- putting them into a large padlocked bin with
an opening on top for inserting the documents;
- the papers are recovered from the bins and
shredded;
- the bins are not placed outside the facility.
- it contacted the union’s attorney requesting
the union to share the customer information it claims
to have recovered from the branch locations:
- the bank wants to contact those persons who
may be at risk.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=17&articleId=9018384&intsrc=hm_topic
Printing Firm Fired After Privacy Breach
Business Activity: Breach Response/Use of Third-Parties
Impact
The State of Indiana fired a printing company that mailed
dozens of taxpayers’ forms with their neighbors' Social
Security numbers. (05/01/2007)
Relevance
Highlights:
- the Department of Revenue canceled the contract with the
printing company, which received $235,000 a year to print
and mail Estimated Income Tax coupon books to taxpayers;
- a representative of the Department personally called the
45 taxpayers who mistakenly received their neighbors' Social
Security numbers and asked them to mail them back;
- the department is considering deleting the first five
digits of Social Security numbers in such mailings to prevent
misuse;
- the glitch happened after an automated machine jammed;
- the operator fixed the jam and restacked the machine with
printed pages but failed to check to make sure they were
in the right sequence.
http://www.boston.com/news/local/articles/2007/05/01/printing_firm_fired_after_privacy_breach/
Ceridian: Data from NY Firm Accidentally Leaked
Business Activity: Breach Response/Use of Third-Parties
Overview
Payroll processing firm Ceridian Corp. notified New York
advertising company Innovation Interactive last week after
it learned that ID and bank-account data on 150 employees
had been posted on a Web site. (04/26/2007)
Relevance
Ceridian stated that:
- a former employee accidentally posted the information
on a personal Web site;
- the employee took the data by accident after leaving
the company in March 2006;
- it is offering up to two years of credit protection
services for Innovation employees affected by the breach;
- it is not aware of any additional security breaches
involving other companies.
http://twincities.bizjournals.com/twincities/stories/2007/04/23/daily36.html
Rogers Inc. Data about Clients Found in Parking Lot
Business Activity: Breach Response/Use of Third-Parties
Overview
A Toronto resident found hundreds of Rogers Communications
Inc. order forms behind a coffee shop and strewn across a
parking lot. The order forms appeared to contain customers’
names, addresses, phone numbers, and driver’s licence
numbers and, in a few cases, SIN numbers or driver’s
license numbers. This incident highlights the risks companies
face when outsourcing sales or other functions to other firms
that may or may not have the same level of privacy controls.
(04/08/2007)
Relevance
Highlights:
- the forms were found by a nearby resident who, rather
than contacting Rogers, contacted the Toronto Star;
- a random check of some names and numbers on work orders
for both cable and Internet services found that some customers
had had the work done a number of years ago and in some
cases no longer lived at the address;
- the newspaper contacted Rogers, who immediately launched
an investigation;
- a Rogers spokesperson stated that:
- a third-party sales company appeared to be responsible
for the inappropriate dumping;
- the forms had been traced to an individual who
had worked for a third-party sales company but is
no longer employed by them;
- the forms, which are up to 5 years old, would
normally be kept and eventually destroyed by the
third-party;
- the third-party sales company still works for
Rogers, which did not indicate what action might be
taken against them or the former employee.
http://www.thestar.com/article/200900
http://www.theglobeandmail.com/servlet/story/RTGAM.20070409.wgtrogers09/BNStory/Technology/?cid=al_gam_nletter_dtechal
Investigation Ordered into a Wireless Breach
Business Activity: Safeguarding Data/Breach Response
Overview
Alberta’s Privacy Commissioner, in response to a newspaper
article, has ordered an investigation into a security breach
of a wireless computer belonging to a lawyer. (03/27/2007)
Relevance
Highlights:
- an unprotected computer server in a law office allowed
access to hundreds of client files that included personal
information such as:
- driver’s licence numbers;
- social insurance numbers;
- work histories; and
- criminal records;
- the lawyer had set up a wireless system in his office
and thought it was secured by an encrypted password;
- the system was accessed by an individual in a nearby
office building;
- generally such access points are password-protected;
- the individual said no password was requested and after
he got into the system it invited him to log onto one
of the lawyer’s databases;
- the lawyer immediately shut down the system after being
notified of the breach;
- there is no indication that anyone else accessed the
information;
- the president of the Law Society of Alberta said the
society will warn all its lawyers to ensure their computer
systems are secure in their April newsletter.
http://www.canada.com/edmontonjournal/news/story.html?id=1d7b4321-5b65-4c4c-a19b-1e2e952200d5&k=49107
Rogers Customers Advised of Possible Credit Data Breach
Business Activity: Breach Response
Overview
Rogers spokeswoman Taanta Gupta has advised that two of the
codes Rogers uses to access customer information from credit
bureau TransUnion may have been used inappropriately. She
is unaware of any customers experiencing difficulties related
to the suspected breach and would not disclose details on
what happened other than to say Rogers' corporate security
was alerted to the problem at the end of October. (03/27/2007)
Relevance
- Rogers immediately deactivated the codes in question and
started to examine its customers' records to see who may
have been affected;
- 160 customers were advised by letter that their credit
information may have been improperly accessed, five months
after the cable and wireless company was first alerted to
the problem;
- Rogers defended the time it took since then to alert customers
to