
scmagazineuk.com – 30. Jun 2010
Training company A4e has written to clients in Hull and Leicester following the loss of the details of over 24,000 people on a stolen laptop.
It claimed that the data lost 'did not contain any banking or credit information' and it advised that the risk of illegal use is low. The data was held on the personal computer of an A4e employee stolen in what police believe was an opportunistic domestic burglary.
This contained names, postcodes, dates of birth and any possible awards made by a court. The company is examining how its data security procedures were breached, to ensure such an incident does not occur again.
The Information Commissioner has been informed and the police investigation into the burglary is continuing....
Link...
scmagazineuk.com – 03. May 2010
How many victims? More than 20,000.
What type of personal information? Social Security numbers, dates of birth and, in some cases, health-related information.
What happened? Thieves stole the computers from the St. Jude Heritage Healthcare Clinical Management Services building.
Details: There have been no reports of stolen personal information being used illegally.
Quote: "The data that was stolen originated from private practice physicians," St. Jude Heritage Healthcare spokesman Kevin Andrus said in a statement. "St. Jude Heritage Healthcare is an administrative foundation that contracts with physicians, so that's why the data was there."...
Link...
InformationWeek – 05. Nov 2009
A vulnerability in the most common data security protocol on the Internet could allow secure Web sessions to be hijacked.
Two security researchers with PhoneFactor, a provider of phone-based two-factor authentication, on Thursday said that they had discovered a serious flaw in the SSL protocol, which is used to protect sensitive data in online transactions.
SSL, short for Secure Sockets Layer, is used for online banking and for secure e-mail and database access, among other things.
Discovered in August and disclosed by PhoneFactor researchers Marsh Ray and Steve Dispensa to a consortium of major tech industry companies and standards groups in September, the vulnerability was slated for disclosure next year, to give affected vendors time to patch their software.
But an independent security researcher discovered the vulnerability on his own and posted it to an Internet Engineering Task Force mailing list on November 4th.
The vulnerability could allow an attacker to conduct a man-in-the-middle attack, whereby he or she could hijack an authenticated SSL session and execute commands. In theory, neither the Web server nor the Web browser would provide any indication that the session had been subverted.
"Because this is a protocol vulnerability, and not merely an implementation flaw, the impacts are far-reaching," said Steve Dispensa, CTO of PhoneFactor, in a statement. "All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products. Most users will eventually need to update any software that uses SSL." ...
Link...
SearchSecurity.com – 02. Nov 2009
The state of the art in static password protection policies has left some specialists questioning the usefulness of current password policies.
It's going to take new measures -- a mixture of technology and policy -- to hold users more accountable while addressing new attack methods and the automated connectivity of Web 2.0 behavior.
Traditional password protection policies, such as those described by Jeremiah Grossman, one of the industry's top researchers at WhiteHat Security Inc., can be implemented to reduce the risk of an intruder impersonating a user. However, even if the password policy works, it is often unacceptable for IT to disable accounts after a number of bad logon attempts. The business often relies on out-of-wallet questions to avoid expensive help desk calls and a security investigation.
End users are also storing passwords in their browsers for automatic logon and those passwords are often used for multiple accounts in different businesses. The result is an organization that is dependent on another organization's security program to protect a password....
Link...
crn.com.au – 02. Nov 2009
USB sticks have been found to contain a significant security flaw which could be exploited to break into millions of computers around the world, according to researchers at MWR InfoSecurity.
The UK firm claimed that the flaw could allow the creation of USB sticks that "interrogate a computer and download the contents".
The researchers added that such devices are just months away from development, and are likely to be used by malevolent and sophisticated criminals to steal the contents of entire hard drives.
"What millions of us have seen in countless James Bond and other spy thrillers around the world has now taken a step closer to being realised," said Alex Fidgen, commercial director at MWR InfoSecurity.
"The bad guy plugging a small device into the system and removing sensitive data is no longer theoretical. It is possible."
Criminals could exploit a flaw in the driver software of USB devices to take control of systems and steal information. Fidgen claimed that MWR InfoSecurity has been concerned about these security implications for some time.
"Hackers are becoming more and more sophisticated, and business is under threat. Up until now people have felt secure in the knowledge that a simple USB stick could not copy their information without their permission. We have proved that it is not the case," he said....
Link...
internetnews – 26. Oct 2009
Laptop plucked from employee's car at Daytona Beach, Fla. medical center potentially exposes thousands of patient IDs.
A laptop stolen in August from an employee's vehicle parked at a Daytona Beach, Fla., medical center exposed more than 33,000 patients' personal and medical data, according to hospital officials.
Halifax Health officials last week began sending out letters to the roughly 33,000 people who may have had their data exposed in the theft, advising them to check in with the major credit reporting companies to monitor their various accounts for any unusual activity.
Some of the data was thought to be password-protected while other data may not have been, hospital officials said.
"We have no reason to believe that any identity theft has occurred," Ann Martorano, the health care provider's chief marketing officer, said in a statement. "However, we are advising patients of the steps they can take to protect themselves from that possibility."
Florida is one of 43 states that require companies and organizations to notify people when their personal or financial information is accidentally or deliberately compromised....
Link...
Computerweek – 26. Oct 2009
UK CIOs reported 356 data loss incidents last year, a Freedom of Information (FOI) request by a software supplier has revealed.
The FOI request to the information commissioner's office by Software AG revealed that within the 356 reported incidents 71 memory sticks and CDs were lost, 127 devices including laptops were stolen and there were 24 incidents of data lost in transit via courier services.
On 78 occasions data was disclosed in error. This included packages being wrongly addressed and arriving at the wrong place.
The 356 incidents between November 2008 and September 2009 compared with 190 incidents between October 2007 and November 2008, said Software AG.
"The chronic problem of data loss should be in decline, and not increasing, as these figures seem to indicate. Organisations are failing to learn from previous examples. They continue to gamble with sensitive data via risky transfers, rather than implementing a robust infrastructure to ensure information is moved securely," said Tim Holyoake, lead technologist at Software AG....
Link...
itpro.uk.com – 22. Oct 2009
Zurich Insurance admitted today that it has lost a backup tape containing details of 51,000 of its UK customers.
The company has said the tape was lost in a routine transfer to its data centre in South Africa during August of last year. It also contained details of customers and other parties based in Botswana and South Africa, Zurich confirmed.
It conducted an investigation and admitted there were deficiencies in the management of data tape security procedures.
Annette Court, chief executive of Europe General Insurance of Zurich, said in a statement: “We apologise to any customers affected by this unfortunate matter. We take the security of our customers’ data very seriously. What has happened is unacceptable to us.”
IT PRO contacted Zurich to ask what types of data had been lost but a spokesperson told us it “wouldn’t be fair” to share that information....
Link...
informationweek – 15. Oct 2009
The stolen laptop contained personal data on nearly every physician in the country. The theft of a laptop belonging to an employee of an insurance trade group has put hundreds of thousands of physicians around the country at risk of identity theft.
The laptop, belonging to an employee of the Blue Cross and Blue Shield Association (BCBSA), was stolen from a car in late August, according to reports in the Boston Globe and the Chicago Tribune. It contained a database listing the business and personal information of about 800,000 doctors.
There were about 732,000 practicing physicians in the U.S. at the end of 2007, according to a spokesperson for the American Medical Association.
The BCBSA, which represents various Blue Cross health groups across the U.S., did not immediately respond to a request for comment.
A spokesperson for the American Medical Association confirmed that the organization had been warning physicians about the breach....
Link...
BBC – 25. May 2009
There has been a series of cases where confidential information has been lost or stolen.
Several laptops containing sensitive data have gone missing and files marked Top Secret have been left on a commuter train.
In one of the most high-profile cases, a private consulting firm lost a computer memory stick containing the details of tens of thousands of prisoners.
Here are other cases to emerge in the recent past:
MAY 2009: RAF PERSONNEL DATA
It emerged that data lost from RAF Innsworth in Gloucestershire the previous September included 500 highly sensitive files, containing details of individuals' extra-marital affairs, debts and drug use.
An internal MoD memo passed to the BBC warned that the material "provides excellent material for Foreign Intelligence Services and blackmailers".
On the same day, a report from the Information Commissioner told the NHS to improve its data security, after the watchdog took action against 14 NHS organisations in the last six months...
Link...
guardian – 24. May 2009
Sensitive files detailing the extra marital affairs, drug taking and use of prostitutes by very senior officers in the RAF have been stolen, raising fears within the Ministry of Defence that personnel could be vulnerable to blackmail.
Up to 500 people in the service could be affected by the theft. They have been interviewed individually about the possible consequences to them and to their families.
The potentially damaging information was stored on three computer hard drives that went missing from RAF Innsworth, Gloucestershire, last September. The files were not encrypted, so could be opened easily. The RAF disclosed the loss of the hard drives two weeks after they went missing, revealing only that the bank details and home addresses of 50,000 servicemen and women were on the computers.
It kept secret the fact that the "vetting" information about 500 staff had also disappeared. The defence secretary at the time, Des Browne, was not told, nor was Sir Richard Thomas, the then information commissioner. The details were also withheld from parliament.
But the seriousness of the potential loss, and the nature of the information, were outlined in an internal MoD memo, which was obtained under Freedom of Information legislation...
Link...
itnews – 24. Feb 2009
More than half of workers who left their jobs last year have admitted that they took confidential corporate information with them.
Fifty-nine per cent of ex-employees who either left or lost their jobs in 2008 took information including email lists, employee records, or customer information such as contact lists, said the report. The most common means by which information was taken outside of the business was via a CD or DVD, with USB devices coming a close second and personal web mail the third most popular.
Data loss is preventable if firms put in place clear policies, adequate controls on data access, and communicate better with employees, according to Larry Ponemon, chairman of the Ponemon Institute, which carried out the research....
Link...
networkworld – 02. Feb 2009
Data breaches are costing companies more than ever as consumers shun those that have lost information, according to a new study. Data breaches have proven to be a downside of the information age as personal and financial information face threats from hackers, careless employees and thieves.
The study is based on a survey of 43 U.S. companies that lost data in 2008, ranging from 4,200 records to 113,000 records across 17 industry sectors, according to the Ponemon Institute, which studies privacy practices at companies and government organizations. It cost companies on average $202 for every data record lost in 2008. That's compared with $197 in 2007, $182 in 2006 and $138 in 2005, the first year the study was conducted.
Factored into those figures are how much companies spend on detecting data losses, costs incurred notifying victims and hiring forensic experts and paying for free credit checks for affected consumers, among others. The most costly factor, however, was loss of business. Of the $202, $139 represented the cost of lost business, up 69% over 2007.
Link...
BBC UK – 26 Aug, 2008
An investigation is under way into how a computer containing bank customers' personal data was sold on eBay. The computer, bought by IT manager Andrew Chapman for £77, had the sensitive details on its hard drive. Mr Chapman, from Oxford, said the machine contained information on several million bank customers. Details of customers of three companies, including the Royal Bank of Scotland (RBS) and its subsidiary, NatWest, were involved.
RBS said an archiving firm told it the computer had been "inappropriately sold on via a third party". It said historical information relating to credit card applications for its bank and others had been on the machine. The information is said to include account details and in some cases customers' signatures, mobile phone numbers and mothers' maiden names...
Link...
computerworld UK – 22 Aug, 2008
The U.K. government has lost the personal information of up to four million citizens in one year alone.
The astonishing figures, calculated by the BBC, added up as Whitehall departments slowly released their annual reports for the year to April.
And the trend has not stopped - in the latest revelation, HM Revenue & Customs, which infamously lost the details of 25 million child benefit claimants last November on two unencrypted discs, experienced 1,993 data breaches between 1 October last year and 24 June.
Treasury minister Jane Kennedy told MPs the newly-announced HMRC breaches did not necessarily result in data losses, adding that they reflect "potential weaknesses reported by staff and not actual thefts or losses", and indicate that staff are more aware of security and reporting more incidents. HMRC said it takes data loss and security breaches "very seriously" and thoroughly investigates any breach....
Link...
itnews – 01 Aug, 2008
More than 3,300 laptops are lost or go missing at the eight largest airports in Europe, the Middle East and Africa (EMEA) each week, according to new research commissioned by Dell. The Notebook Lost & Found study by the Ponemon Institute revealed that nearly six out of 10 of the lost laptops go unclaimed. Heathrow tops the list at 900 lost laptops per week, followed by Schiphol with 750 and Charles de Gaulle with 733. The problem is not limited to Europe, as an estimated 12,000 laptops are lost or stolen weekly in US airports.
More worryingly, nearly half of the professionals surveyed keep confidential information on their laptops, and over half take no steps to protect that data in the event of loss or theft. Dell has warned that this combination is a gaping hole in data leakage prevention for many companies. "It is staggering to learn that more than 175,000 laptops are lost or go missing in major European airports every year, many containing sensitive information that organisations must account for," said Larry Ponemon, chairman and founder of the Ponemon Institute....
Link...
The Guardian – 05 Jul, 2008
For months it has fulminated against the consequences of laptops left in taxis and CDs lost in the post. But journalists employed by Associated Newspapers, publisher of the Daily Mail, have now received letters warning them to contact their bank after a company laptop with their personal details was stolen.
The letters went out to journalists and other freelancers employed by Associated, which also publishes the Mail on Sunday and Metro, and regional newspaper publisher Northcliffe. Both are owned by parent company Daily Mail & General Trust.
Those affected were told their name, bank account number and sort code had been lost. The letter, from the group finance director, Simon Dyson, also advised them to consult a government identity theft website for advice. He apologised for any annoyance and inconvenience, saying the "incident was inadvertently caused by a technical issue".
Link...
macworld – 30 Jun, 2008
Keep laptops close at airports, because they have a startling tendency to disappear in the blink of an eye, according to a new survey. Some of the largest and medium-sized U.S. airports report close to 637,000 laptops lost each year, according to the Ponemon Institute survey released Monday. Laptops are most commonly lost at security checkpoints, according to the survey.
Close to 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65 percent of those laptops are not reclaimed, the survey said. Around 2,000 laptops are recorded lost at the medium-sized airports, and 69 percent are not reclaimed. Travelers seem to lack confidence that they will recover lost laptops. About 77 percent of people surveyed said they had no hope of recovering a lost laptop at the airport, with 16 percent saying they wouldn’t do anything if they lost their laptop during business travel. About 53 percent said that laptops contain confidential company information, with 65 percent taking no steps to protect the information.
Link...
Heise – 19 Jun, 2008
Six laptops containing patient details have been stolen from St. George's Hospital, Tooting, South London. The six machines were removed from a locked cabinet inside a secure room in June, and contained names, dates of birth, postcodes and medical notes of 20,000 patients. The news comes in the same week as Hazel Blears' laptop was stolen from secure premises. St. George's is one of the largest and busiest NHS hospitals in the UK. It appears that failure of core IT systems made it necessary to put patient data on the laptops. No therapeutic data were stored on them, and the laptops themselves were password-protected. The hospital has apologised and informed all affected patients. This is one of the swiftest reports of its kind – often, months pass before laptop theft is disclosed to the public.
Link...
Heise – 18 Jun, 2008
Government officials fear that sensitive documents could fall into the wrong hands, after a PC was stolen from the Salford constituency office of Hazel Blears, the communities secretary, on Saturday the 14th of June. On Tuesday night it emerged that the PC contained documents that had been emailed to Blears in breach of rules designed to protect classified documents.
In a statement, Peter Housden, top civil servant with the Department of Communities and Local Government, said: "It is clear that papers have been sent to Hazel Blears in a way that is not fully consistent with the departmental guidance." He argued no damage has been done because the documents were not classified as secret or top secret, and said the computer was password-protected; however, the data on the PC is not believed to have been encrypted. Housden said: "I have instructed my officials that departmental procedures, guidance, and the awareness and accessibility of that guidance are now strengthened to ensure this does not happen again. I take full responsibility for ensuring this is done."
Link...
PC World – 27 Apr, 2008
Do you know where your personal and corporate identity information resides or may be lurking? According to two Canadian security experts, personal and corporate identity theft is quickly becoming commonplace in the market and more vigilance and formal corporate policies are needed in order to help combat this issue.
Link...
SecurityFocus – 17 Apr, 2008
People are getting wiser about their passwords, but not necessarily about their personal information, according to a survey conducted in Europe.
The survey, conducted by conference group Infosecurity Europe, found that only 21 percent of the nearly 600 people queried outside Liverpool Street Station in London gave up their password when offered an incentive -- in this case, a chocolate bar -- down from 64 percent last year. Yet, of the people who declined to give their password, six in ten later identified the type of information -- such as date of birth, pet's name, or anniversary date -- used to create their password....
Link...
Silicon – 01 Apr, 2008
Government departments have misplaced more than 1,000 laptops and almost 500 mobile phones - either lost or stolen - since 2001. The Department for Business Enterprise and Regulatory Reform (Berr) is the latest to reveal figures in response to questions from Liberal Democrat MP for Brent East, Sarah Teather, about the loss of gadgets across government departments. In parliamentary written answers, Berr admitted it had lost 96 laptops since 2001 (along with 82 mobile phones and nine PDAs) taking the total figure to more than 1,000 lost laptops across all government departments....
Link...
Networkworld – 29 Mar, 2008
The MacBook Air went first; a tiny Fujitsu laptop running Vista was hacked on the last day of the contest; but it was Linux, running on a Sony Vaio, that remained undefeated as conference organizers ended a three-way computer hacking challenge Friday at the CanSecWest conference.
Earlier this week, contest sponsors had put three laptops up for grabs to anyone who could hack into one of the systems and run their own software. A $20,000 cash prize sweetened the deal, but the payout was halved each day as contest rules were relaxed and it became easier to penetrate the computers.
Link...
Heise News – Mar 05, 2008
After two years of inaction, researcher comes clean on Windows bug. A New Zealand security researcher has published a software tool allowing attackers to quickly gain access to Windows systems via a Firewire port. The tool, which can only be used by attackers with physical access to a system, comes shortly after the publication of research on gaining access to encrypted hard drives via physical access to memory.
Link...
Heise News – Feb 27, 2008
Serious flaws have been found in two widely used electronic point of sale (EPOS) PIN entry devices (PEDs) examined by the University of Cambridge Computer Laboratory. The researchers found they could readily bypass the supposed tamper-proofing of both terminals and read transaction data. One of the PEDs, manufactured by Ingenico, has a rear compartment containing an exposed circuit board that can be probed to pick up the data....
Link...
Securityfocus – Feb 22, 2008
Encryption software designed to guard sensitive data on laptops can be circumvented by searching the computers' volatile memory for traces of the encryption keys, a group of computer-security researchers said in a paper published on Thursday....
Link...
Heise News – Feb 18, 2008
A new generation of inexpensive disk drive enclosures using hardware encryption and RFID keys does not fulfil the promises of its publicity. The adverts claim 128-bit AES hardware encryption, but they don't tell us how it is used. The specifications of the 2.5in. Easy Nova Data Box PRO-25UE RFID hard drive case by German vendor Drecom sound promising: hardware data encryption with 128-bit AES, access control via an RFID chip compact enough to carry around on your key ring and optional 160GB or 250GB hard disk capacity...
Link...
BBC News Europe – Jan 4, 2008
Some security experts see USB memory sticks as a risk
Sweden's military is investigating a major security breach after a member of staff left a memory stick holding classified data on a public computer...
Link...
The Guardian – Jan 3, 2008
It was supposed to bring an end to unauthorised card transactions, but two years on is chip-and-pin just as fallible as its predecessor?
This is a big week for Alain Job. The 40-year-old football coach is bringing his case against the Halifax bank to court. He says that fraudsters withdrew £2,100 from his account at ATMs, even though he was in possession of his card, and he doesn't want to pay.
Link...
Newhouse News Service – Dec 27, 2007
Without better security, nation's industries could lose billions, experts warn... At risk are assets worth billions of dollars which, if interrupted, could cause major disruptions in the nation's economy...
Link...
Sun – Dec 23, 2007
This year has been a doozy for victims of identity theft. But next year the threat is likely to be even worse. Consumers should expect identity thieves to get younger, scams to get harder to detect and security breaches to be more frequent...
Link...
BBC news - 21 Dec 2007
The sensitive personal details of 14,000 customers have been lost, a subsidiary of the Skipton Building Society has admitted...
Link...
Pittsburgh Business Times – Dec 17, 2007
Home care and hospice patients of The Western Pennsylvania Hospital and Allegheny General Hospital could be at risk of identity theft because of a stolen laptop...
Link...
IT Week – 17 Dec, 2007
The human rather than the technology side of IT security will be a major priority for IT teams in 2008, as threats increase and social engineering techniques become more sophisticated...
Link...
North Texas eNews, Texas – 16 Dec, 2007
A new identity theft scheme is targeting Texans, particularly those who bank at Amarillo National Bank…
Link...
Denver Business Journal - Nov 16, 2007
...According to the FBI, identity theft is the fastest-growing crime in the United States. It occurs when an individual's sensitive or personal information...
Link...
The FBI calls identity theft one of the fastest growing crimes in the United States and estimates that 500,000 to 700,000 Americans become identity theft victims each year.
Link...