Posts Tagged ‘Social Security numbers’

BP Loses Personal Data from Oil Spill Claims

Wednesday, March 30th, 2011

BP has the Midas touch…well, the anti-Midas touch. The fabled King Midas from Greek mythology was granted the gift of being able to turn anything into gold with a simple touch. BP, on the other hand, has an innate ability to turn anything it comes into contact with to crap.

As if cutting costs on maintenance and safety for its Deepwater Horizon offshore drilling rig, which led to the biggest marine oil spill in the history of the petroleum industry and polluted the Gulf of Mexico with millions of barrels of oil, wasn’t bad enough, now BP has lost a laptop containing personal information on thousands of claimants affected by that disaster.

The missing laptop contained names, addresses, phone numbers, dates of birth and Social Security numbers for the more than 13,000 people who had filed claims for damages related to the oil spill. Now BP can start fresh, accepting claims for damages related to identity theft and the compromise of personal information.

A PCWorld article about the missing BP laptop sums up by pointing out a painfully simple, yet obviously ignored reality. “Although numerous encryption technologies are readily available these days to mitigate the risk, many companies still don’t use them.”

Disgruntled Employee Exposes Client Data

Tuesday, February 15th, 2011

A former San Francisco city employee breached the confidential data of nearly 2,500 Medi-Cal recipients in an effort to make a case defending the “poor performance” that led to her dismissal.

The client data, which includes Social Security numbers and other sensitive personal details, was sent to her own home PC and was also exposed to her attorneys and union representatives.

Given the reason for breaching the data, and the limited audience with which the information was allegedly shared, it seems highly unlikely that any of the client information will be used for identity theft or any other nefarious purposes. However, that doesn’t change the fact that the data should not be exposed or compromised.

The fired worker ostensibly had a legitimate business purpose for having access to the data in question. The incident illustrates, though, that organizations need better monitoring and filters in place to control what happens with that data, and where it is allowed to be sent or saved, even when it is accessed by an authorized individual. Obviously, some workers will need access to sensitive information, and organizations need tools to prevent that data from going any further or being shared with or exposed to unauthorized individuals.

Keep An Eye On Sensitive Information

Friday, October 15th, 2010

Every little tidbit of information has value…to someone. A name, address, or birth date is good. A driver’s license or Social Security number is better. A bank or credit card account number is a jackpot. But any one of those bits of information, and any combination thereof, can be put to use for identity theft or cyber fraud.

That is why events like the recent theft of an Accomack County worker’s laptop while the employee was vacationing in Las Vegas should just not happen. It’s not that laptops shouldn’t get lost or stolen. It would be nice if they didn’t, but that’s impractical to expect. It’s not even necessarily that sensitive data like the names and Social Security numbers of 35,000 Accomack County taxpayers shouldn’t have been on the laptop when it was stolen. The laptop is used to conduct county business, and assuming this employee had a valid business reason for working with the data, then why shouldn’t it be on the laptop?

What shouldn’t happen is that sensitive information like this can be transferred or stored without the IT admin having a record of when and where the data went; and the data should be encrypted to protect it against unauthorized access even if the laptop is lost or stolen. People have to work with their laptops; that is why they have them. And laptops will continue to get lost and stolen. But with the right policies and tools in place, a lost or stolen laptop does not have to result in compromising sensitive data.

Stolen Laptop Puts Patient Data at Risk

Tuesday, September 28th, 2010

A laptop belonging to an employee of St. Vincent Hospital in Indianapolis was stolen from the worker’s residence. That laptop contained medical history details and Social Security numbers of 1,200 hospital patients, and of course the data was not encrypted or protected in any way.

Rex McKinney, St. Vincent Hospital’s privacy officer, stated, “We are committed to protecting the confidentiality and privacy of our patients and will continue to implement administrative, technical and physical safeguards against unauthorized disclosures of protected health information.”

That is all well and good, but in order to “continue” implementing safeguards you would have to have implemented some in the first place. The article also states that the hospital is taking “precautionary steps to avoid future incidents.”

The thing is that implementing controls in response to an incident, after data has already been compromised, is not “precautionary”; it’s reactive. HIPAA (Health Insurance Portability and Accountability Act) compliance requirements already mandate that the data should have been protected to begin with. Putting basic protection in after the fact is hardly heroic or praiseworthy; it’s just public relations damage control.

When will organizations, particularly medical and educational institutions, learn that implementing a product like Zecurion’s Zserver Storage is a simple, cost-effective way to prevent incidents like these and save the organization from facing the legal, financial, and reputation consequences of compromising sensitive data?

City College of New York Gets an “F” in Data Protection

Monday, September 13th, 2010

What is it about education and healthcare that makes them the two industries comprising the vast majority of data breach incidents? Are there just more of them? Are they more valuable targets because of the data they contain? Or, do they simply not understand the importance of data security or how to implement it?

The City College of New York sent letters to about 7,000 students, notifying them that a stolen computer contained sensitive information and that their personal details, including name and Social Security number, might be compromised. The computer was password protected, but a login password does not encrypt what is on the disk, so for an attacker with half a clue it poses only a trivial roadblock to gaining access.

Obviously, organizations, including education and healthcare institutions, need to store data of a private or sensitive nature, but that data should be properly safeguarded so that it cannot be compromised or accessed by unauthorized users even if the computer or drive it is stored on is lost or stolen. Someday, maybe, these organizations will learn that it is more cost-effective to implement appropriate security measures proactively than to deal with the fallout of a data breach.

Zeus Compromises Student Data at University of Oklahoma

Monday, July 12th, 2010

The University of Oklahoma has revealed that a laptop compromised by a variant of the Zeus botnet may have exposed or compromised sensitive information on OU students, including Social Security numbers. No further details are yet available regarding the scope of the potential compromise. According to this blurb from KOCO.com, though, “OU officials said they are not aware of any instances of identity theft or similar problems as a result of the breach, but they said they can’t be certain that student information was not compromised.”

One way OU would be able to be certain that student information was not compromised is if the data stored on the laptop, or on the servers the laptop has access to, was encrypted. I am not sure why these incidents seem to occur almost exclusively at medical establishments and educational institutions, but simply investing in the proper security controls up front can save time, money, and embarrassment for the organization, as well as protecting the personal and sensitive information the organization has been entrusted with.

Tufts University Alumni Data Exposed by Malware

Monday, June 14th, 2010

What is it about networks and data at universities and medical establishments? It seems like almost every breach of sensitive or personal data is related to these two types of institutions. Are they targeted more often than other types of networks, or do they just have weaker security and poorer data protection mechanisms in place?

Following on the heels of the recent botnet compromise at Penn State University, Tufts University has discovered that “several computers were recently exposed to an unknown virus or malicious software program.” As a result, roughly 7,000 alumni may have had their student ID numbers exposed, and, like Penn State University, the breached data is legacy data from a time when the university used students’ Social Security numbers as their student ID numbers.

Universities, including both Penn State University and Tufts University, have abandoned that practice, but apparently have not found the time to go back through archived data and old databases to purge the legacy information from their servers. While that is still a good idea, and a project these universities should be pursuing, having sufficient data protection controls in place, such as encrypting the stored data, would ensure that it is not exposed even in the event of a malware compromise or a breach of the server itself.
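Both the monitoring the earlier Accomack County post asks for (a record of when and where sensitive data went) and the legacy-data purge described here rest on the same primitive: recognising a Social Security number in content. The example below is added here and is not code from any of the organizations or products mentioned on this page. It classifies text using the Social Security Administration’s structural rules (area 000, 666 and 900–999, group 00 and serial 0000 are never issued), produces the masked audit record a DLP filter would log for an outbound transfer, and sweeps a constructed archive export for ID columns that still hold an SSN. The sample message, the CSV rows and the function names are all constructed for illustration.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Candidate nine-digit values written as ddd-dd-dddd, ddd dd dddd or nine
# unseparated digits, not embedded in a longer digit run (so a ten-digit
# phone number does not match).
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Two numbers the SSA publicly retired after they were widely misused.
KNOWN_INVALID = {"078051120", "219099999"}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued;
    group 00 and serial 0000 are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return (area + group + serial) not in KNOWN_INVALID


def find_ssns(text: str) -> list[tuple[int, str]]:
    """Offsets and masked forms (last four digits only) of plausible SSNs."""
    hits = []
    for m in SSN_CANDIDATE.finditer(text):
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append((m.start(), f"***-**-{serial}"))
    return hits


def scan_transfer(user: str, destination: str, payload: str) -> dict:
    """Classify one outbound payload and return the audit record a DLP
    filter would log: who sent what kind of data where. Values are masked
    so the log itself does not become a second copy of the SSNs."""
    hits = find_ssns(payload)
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "destination": destination,
        "ssn_count": len(hits),
        "masked": [masked for _, masked in hits],
        "action": "block" if hits else "allow",
    }


def legacy_id_rows(csv_text: str, id_column: str = "student_id") -> list[dict]:
    """Rows of an archive export whose ID column still holds an SSN."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = SSN_CANDIDATE.fullmatch(row[id_column].strip())
        if m and is_plausible_ssn(*m.groups()):
            flagged.append(row)
    return flagged


# Constructed sample data; none of these are real people or real numbers.
OUTBOUND_MESSAGE = (
    "Forwarding the client list to my home PC. Client 1: 123-45-6789, "
    "client 2: 456 78 9012, test record 000-12-3456, phone 415-555-0100."
)

LEGACY_EXPORT = """student_id,name,grad_year
123456789,Alice Example,1998
A20051234,Bob Example,2005
666123456,Carol Example,1997
"""

if __name__ == "__main__":
    print(scan_transfer("jdoe", "mail:home-pc@example.net", OUTBOUND_MESSAGE))
    for row in legacy_id_rows(LEGACY_EXPORT):
        print("purge or re-key:", row["name"])
```

On the sample message the filter reports two SSNs (the 000-area test record and the phone number are rejected) and would block the transfer; in the archive sweep only the first row is flagged, since the 666-area value cannot be a real SSN. The masking in the audit record matters: a DLP log that stores the full numbers is itself a file that a stolen laptop or a compromised server can expose.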

A small investment in proactive security measures goes a long way and saves the organization from the lost reputation, time, and money involved in responding to a data breach incident.