Archive for the ‘Security Breaches & Data Loss Incidents’ Category

Rice Faculty and Student Data at Risk

Saturday, October 2nd, 2010

Personal data on more than 7,000 Rice faculty, students, staff, and retirees was contained on a stolen storage device. The data was apparently not encrypted or otherwise protected, which means it may very well be exposed to or compromised by the thief, but so far there is no indication that the data has been used.

A report from Rice News and Media explains, “Late last month a device containing information for about 7,250 Rice faculty and staff, along with some students and retirees, was stolen. Over the past week administrators discovered that one of the files contained a list of Rice employees and students on the Rice payroll as of January 2010 and included information such as names, addresses, birth dates, employee identification numbers, salaries and emergency contacts, but no Social Security numbers. Another file included Social Security numbers, mostly for Rice employees.”

This is another example underscoring the need for data at rest to be encrypted–particularly sensitive data that can lead to identity theft if exposed to unauthorized users. Technology is becoming increasingly portable and mobile, which–by definition–also makes it easier to lose or steal. There is little that any organization can do to eliminate the possibility of devices being lost or stolen, so instead organizations should focus on tools and protection that ensure the data contained on those devices cannot be accessed even if the device is lost or stolen.

Stolen Laptop Puts Patient Data at Risk

Tuesday, September 28th, 2010

A laptop belonging to an employee of St. Vincent Hospital in Indianapolis was stolen from the worker’s residence. That laptop contained medical history details and Social Security numbers of 1,200 hospital patients–and of course the data is not encrypted or protected in any way.

Rex McKinney, St. Vincent Hospital privacy officer, stated, “We are committed to protecting the confidentiality and privacy of our patients and will continue to implement administrative, technical and physical safeguards against unauthorized disclosures of protected health information.”

That is all well and good, but in order to “continue” implementing safeguards you would have to have implemented some in the first place. The article also states that the hospital is taking “precautionary steps to avoid future incidents.”

The thing is that implementing controls in response to an incident after data has already been compromised is not “precautionary”–it’s reactionary. HIPAA (Health Insurance Portability and Accountability Act) compliance requirements already mandate that the data should have been protected to begin with. Putting basic protection in after the fact is hardly heroic or praiseworthy–it’s just public relations damage control.

When will organizations–particularly medical and educational institutions–learn that implementing solutions like Zecurion’s Zserver Storage is a simple, cost-effective solution that can prevent incidents like these and save the organization from facing the legal, financial, and reputation consequences of compromising sensitive data?

City College of New York Gets an “F” in Data Protection

Monday, September 13th, 2010

What is it about education and healthcare that makes them the two industries comprising the vast majority of data breach incidents? Are there just more of them? Are they more valuable targets because of the data they contain? Or, do they simply not understand the importance of data security or how to implement it?

The City College of New York sent letters to about 7,000 students, notifying them that a stolen computer contained sensitive information and that their personal details–including name and Social Security number–might be compromised. The computer was password protected, but for an attacker with half a clue that poses only a trivial roadblock to gaining access.

Obviously, organizations–including education and healthcare institutions–need to store data of a private or sensitive nature, but that data should be properly safeguarded to ensure it cannot be compromised or accessed by unauthorized users even if the computer or drive it is stored on is lost or stolen. Someday, maybe these organizations will learn that it is more cost-effective to implement appropriate security measures proactively than it is to deal with the fallout of a data breach.

Supermarket Customer Data Breached by SQL Injection Hack

Wednesday, August 25th, 2010

Neo Beat–an online Japanese Supermarket–reported that data on nearly 13,000 customers was compromised as a result of a SQL injection attack against its database. Credit card companies have reported that there have been fraudulent charges racked up as a result of the stolen customer data.

A report from Japan Today states, “A source close to Neo Beat, which also operates the websites of these online supermarkets, said it believes that the approximately 30,000 unauthorized accesses to its database server were likely ‘perpetrated by a group of professional hackers.’” Japan Today also states, “The company’s investigation has found that its database program has a security vulnerability which made it difficult to block attempts from outside to intrude into the database server.”

Organizations should have sufficient perimeter defenses to prevent unauthorized access to internal servers, and there should be tools in place to monitor access and detect suspicious activity, but there are two other lessons to be learned here. First, IT admins need to stay informed of vulnerabilities affecting critical systems like customer database servers and make sure they are patched in a timely manner. Second, had the data been protected with encryption–using a tool like Zecurion Zserver Storage–the hackers would have retrieved nothing but useless gibberish and the customer data wouldn’t be compromised in spite of the other security weaknesses.

Hell Pizza Needs to Add Some Encryption to the Menu

Tuesday, August 3rd, 2010

A popular pizza chain in New Zealand–Hell Pizza–has been victimized by cyber attackers. The personal information–including name, address, email address, phone number, account password, and even past pizza orders–of over 230,000 Hell Pizza customers has been exposed in the database breach.

Hell Pizza director Warren Powell said, “We are honestly taking this very seriously. The last thing we have wanted to do is inconvenience our customers. We take customers’ personal details bloody seriously and we spend a lot of money on security.”

Apparently, Hell Pizza needs to learn that the quality of the security spending is more important than the quantity. Unfortunately, spending the most money is not a valid measure of the effectiveness of network security measures. Had Hell Pizza invested in Zserver Storage, the information on the breached database would have been encrypted and the only thing exposed to attackers would be useless gibberish.

Cooper University Reports Personal Data on Missing Thumb Drive

Monday, August 2nd, 2010

ABC News in Philadelphia–WPVI–reports that Cooper University Hospital is missing a USB thumb drive containing sensitive personal data on medical students, residents, and fellows.

It is unknown whether the thumb drive was stolen or simply lost, but what is known is that the missing thumb drive contains Social Security numbers, addresses, and phone numbers of the affected individuals.

Cooper University Hospital issued a statement explaining, “Cooper University Hospital is investigating the circumstances surrounding a missing thumb drive. The thumb drive contained information with personal data about graduate medical education residents and fellows for the current and prior academic years. We have advised the residents and fellows who were advised to contact their local police. No other employee information was compromised. Further, no patient information or records were compromised.”

There is no indication that the data on the thumb drive was a violation of policy in any way, but it is worth noting that USB thumb drives are a significant security concern for all organizations. Portable storage media capable of holding 32 GB or more of data could contain untold volumes of sensitive or confidential information. IT admins should employ Zecurion’s Zlock to restrict the storing of data on removable media. For additional data protection, the data on removable or portable media should also be encrypted so it can’t be compromised even if the device is lost or stolen.

Personal Info of 93,000 Exposed in University Data Breach

Saturday, July 31st, 2010

Buena Vista University announced that a database was compromised containing data such as names, Social Security numbers, and driver’s license numbers of 93,000 students, parents, current and former faculty and staff, alumni and donors dating back to 1987.

Had the information stored in the database been encrypted, the breach of the database would not have exposed the sensitive data.

Zeus Compromises Student Data at University of Oklahoma

Monday, July 12th, 2010

The University of Oklahoma has revealed that a laptop compromised by a variant of the Zeus botnet may have exposed or compromised sensitive information on OU students–including Social Security numbers. There are no further details yet available regarding the scope of the potential compromise. According to this blurb from KOCO.com, though, “OU officials said they are not aware of any instances of identity theft or similar problems as a result of the breach, but they said they can’t be certain that student information was not compromised.”

One way OU could be certain that student information was not compromised would be if the data stored on the laptop, or on servers the laptop had access to, had been encrypted. I am not sure why these incidents seem to occur almost exclusively at medical establishments and educational institutions, but simply investing in the proper security controls up front can save time, money, and embarrassment for the organization, as well as protect the personal and sensitive information the organization has been entrusted with.

Tufts University Alumni Data Exposed by Malware

Monday, June 14th, 2010

What is it about networks and data at universities and medical establishments? It seems like almost every breach of sensitive or personal data is related to these two types of institutions. Are they targeted more often than other types of networks, or do they just have weaker security and poorer data protection mechanisms in place?

Following on the heels of the recent botnet compromise at Penn State University, Tufts University has discovered that “several computers were recently exposed to an unknown virus or malicious software program.” As a result, roughly 7,000 alumni may have had their student ID numbers exposed–and, as at Penn State University, the breached data is legacy data from a time when the university used students’ Social Security numbers as their student ID numbers.

Universities, including both Penn State University and Tufts University, have abandoned that practice, but apparently have not found the time to go back through archive data and old databases to purge legacy information from the servers. While that is still a good idea, and a project that these universities should be pursuing, having sufficient data protection controls in place, such as encrypting the stored data, would ensure that it would not be exposed even in the event of a malware compromise or breach of the server itself.
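The clean-up called for above starts with finding where legacy Social Security numbers still sit in archived exports and old databases, at Tufts, Penn State, or anywhere else. As an added example (not code from this blog or from any Zecurion product), the Python scanner below flags plausible SSNs in an archived export and rejects the ranges the Social Security Administration never assigns, to cut false positives; the export and every value in it are constructed.

```python
import re

# Candidate SSN: three, two and four digits, optionally separated by "-" or " ",
# and not embedded in a longer run of digits (so 8- or 10-digit IDs are skipped).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values in ranges the SSA has never assigned:
    area 000, 666 or 900-999; group 00; serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a in (0, 666) or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text: str) -> list:
    """Return (line_number, masked_ssn) for each plausible SSN in text.
    Only the last four digits are kept in the report, so the scan output
    does not itself become another copy of the sensitive data."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                hits.append((lineno, "***-**-" + m.group(3)))
    return hits


# Constructed sample of a legacy student export; every value is made up.
LEGACY_EXPORT = """\
student_id,name,year
123-45-6789,Alice Example,1998
000-12-3456,Bob Example,1999
456789012,Carol Example,2001
20100714,Dave Example,2010
666-01-0001,Erin Example,1997
"""

if __name__ == "__main__":
    # Lines 2 and 4 are reported; lines 3 and 6 fall in never-assigned ranges.
    for lineno, masked in find_ssns(LEGACY_EXPORT):
        print(f"line {lineno}: possible SSN {masked}")
```

Run it over archived exports or database dumps and review the flagged lines before purging or encrypting them.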

A small investment in proactive security measures goes a long way and saves the organization from the lost reputation, time, and money involved in responding to a data breach incident.

Penn State Server Compromised by Botnet

Wednesday, June 9th, 2010

Penn State University has sent out data breach notification letters to nearly 16,000 individuals to let them know that a computer in its Outreach Market Research and Data office was found to be actively communicating with a malicious botnet and that personal information including Social Security numbers may have been compromised.

Penn State has not used SSNs as a student identifier for 5 years; however, an archived copy of a legacy database apparently still existed on the compromised server.

A Penn State spokesperson explained that “We have, of course, standard defenses: site-licensed antivirus, unit firewalls, patching, vulnerability scanning, web application scanning, intrusion detection and blocking of confirmed hostile sites or frequently probed ports. When a machine is compromised, it must be re-installed from known ‘good’ media before it’s allowed back on the network, since it’s not possible to truly clean a machine that’s been fully compromised.”

All of those are excellent security controls and fit nicely with established security best practices. However, the data itself should be encrypted so that if and when an attacker figures out how to circumvent those defenses the data itself will still be impervious to unauthorized access.