Data Breach & Security Incidents Continue

Time is money, but information is a blank cheque.   A number of companies have reported stolen laptops and other breaches of data security, potentially exposing personal information about thousands in recent months.  One financial company said its computer systems had been hacked, a tech company reported a laptop was stolen, and Boston insurance giant John Hancock Financial Services reported that a CD with customers’ personal information was lost.

In November, the state of Massachusetts reported that credit card numbers, medical records, or other personal information from nearly 1 million residents was stolen or exposed from 2007 through late 2009.  Since that time, the state has been notified of at least six data breaches that each potentially affected more than 1,000 residents.

Learning from these past experiences, on March 1, the state enacted new regulations requiring companies to encrypt personal data stored on laptops or sent over the Internet, so that the information would be useless to thieves if it was lost or stolen. 

It is not all FUD (Fear, Uncertainty & Doubt).  These are all very real events.  Encrypt those laptops, folks.  And consider the same for your home computers.  Unless, of course, you don’t really value your personal information, like tax details, bank accounts, surfing habits and other information that you take for granted, but an informed thief will take for cash.

Despite increased knowledge about and vigilance around the problem of data theft, breaches and security incidents are still happening.  Just recently, at least 6 companies have reported stolen laptops as the root cause of their security incidents.  Other breaches of data security have potentially exposed the personal information of thousands.  Take a look at some of the biggest recent known data breach cases.

Over 50 Known Incidents & Breaches So Far In 2010

  • March 2010, an external hard drive containing names, Social Security numbers and other unspecified personal information of about 35,000 Arkansas National Guard soldiers recently went missing.  The unencrypted drive was a backup storage device used by a soldier to archive work related information over the past six years.
  • March 2010, information on the Swiss bank accounts of 24,000 customers was stolen from British-based HSBC between late 2006 and early 2007, the bank announced.  The bank said it didn’t think the stolen data would allow unauthorized account access, but the data could expose customers who stash unreported assets in Swiss accounts to prosecution by tax officials in their home countries.
  • Feb 2010, the thefts of two laptops from the Gainesville, Fla., headquarters of health care provider AvMed may have compromised Social Security and other information for 208,000 customers.
  • Feb 2010, the Westin Bonaventure Hotel & Suites in Los Angeles recently revealed that hackers may have broken into its point-of-sale systems and obtained unspecified sensitive information from the hotel’s four restaurants and valet parking service.
  • Feb 2010, the personal information of nearly 50,000 people may have been exposed by the California Department of Health Care Services.  Social Security numbers were printed on the address labels of letters that were mailed by the department.  State employees mistakenly included the numbers in a list of patient addresses.  The list was sent to an outside contractor, who printed and mailed the envelopes.
  • Feb 2010, hackers believed to be from China gained access to an Iowa government database which contained the personal information of 80,000 current and former employees of Iowa’s casino and racing industries, including names, Social Security numbers, home addresses and birth dates.  The hackers were able to get into the database because a firewall on the commission’s computer system had not been properly patched by a private contractor.  A computer log indicated that all appropriate software patches had been installed.  In reality, they were not.
  • Feb 2010, Wyndham Hotels and Resorts revealed that it was the victim of another data breach after hackers broke into its computer systems and stole customer payment card data and other sensitive information.  Last year, WHR suffered a separate data breach after a hacker accessed its computer systems and downloaded information from several WHR properties.
  • Feb 2010, a breached Valdosta State server could have exposed the information of up to 170,000 students and faculty.  The university said the grades and Social Security numbers of those students and faculty were exposed in the breach.
  • Feb 2010, about 600,000 Citigroup customers received their annual tax documents with their Social Security numbers printed on the outside of the envelope. The digits were not identified as a Social Security number, and they were printed at the lower edge of the mailing envelope with other numbers and letters that together resembled a mail routing number.
  • Feb 2010, John Hancock Financial Services, owned by Toronto insurer Manulife Financial, reported that a partner could not locate a CD containing customer information, including names, dates of birth, and Social Security numbers of 1,085 Massachusetts residents.  The company said the CD was password-protected and encrypted, but it offered credit monitoring to customers whose information may have been compromised.
  • Jan 2010, regulators warned Lincoln National, an investment and insurance company based near Philadelphia, that a leaked user name and password may have exposed the company’s computer system to hackers.  Lincoln’s system, which is used by two subsidiaries, contained records of 1.2 million customers, including 34,600 Massachusetts residents, according to the company.  Lincoln hasn’t found any evidence that the information has been misused, but couldn’t rule out the possibility.
  • Jan 2010, Beer & Wine Hobby, a company that sells equipment over the Internet to make beer and wine, told the state last month that it learned its computer system may have been breached in 2009.  The company estimated personal information was exposed for 35,000 customers, including partial credit card numbers for 12,000 customers, nearly 10 percent of whom live in Massachusetts.
  • Jan 2010, three months after the theft of 57 hard drives from a Blue Cross Blue Shield facility in Chattanooga, Tenn., the company said Social Security numbers and other personal information for about 220,000 people may have been exposed.  Though BlueCross has identified 90% of the customers who may have had their Social Security numbers and other personal data disclosed, in all about 500,000 customers who simply phoned the call center between January 2007 and October 2009 may have had some piece of their personal information released.
  • Jan 2010, 25,000 users of the do-it-yourself trading site received an “urgent” e-mail notifying them that the company’s computer database had been breached by a hacker and that all users should log in to change their passwords immediately.  That e-mail stated that the information accessed by the hacker included names, e-mail addresses, passwords and credit card information.
  • Jan 2010, a class action suit was filed against Netflix, Inc., in the United States District Court for the Northern District of California.  Plaintiffs in the suit claim that Netflix has “perpetrated the largest voluntary privacy breach to date.”  Netflix is claimed to have knowingly and voluntarily disclosed sensitive and personal information of approximately 480,000 subscribers when it provided contest participants with data containing over 100 million subscriber movie ratings and preferences.  Netflix claimed the data was anonymized; however, several researchers were able to defeat Netflix’s anonymization process and identify individual subscribers.
  • Jan 2010, hackers stole login credentials for more than 8,300 customers of New York’s Suffolk County National Bank after breaching its security and accessing a server that hosted its online banking system over a six-day period.  The breach was discovered during an internal security review.
  • Jan 2010, an electronic storage device stolen from an employee’s car in Sacramento contained health information from 15,500 patients, including about 800 in the Fresno area.  Information included patient names, medical-record numbers and, for some individuals, ages, dates of birth, gender, phone numbers and other information related to their care and treatment.

Over 300 Incidents & Breaches In 2009

  • Nuance Communications, a Burlington MA speech technology company, reported a laptop stolen from a locked car may have contained personal information such as names and Social Security numbers of 1,191 Massachusetts residents.  A VP of corporate communications at Nuance said the company notified its employees, installed security and encryption software on laptops, and purchased credit monitoring services for those workers whose information was on the laptop.  To his knowledge, the personal data had not been accessed.
  • Beecher Carlson Holdings Inc., an insurance broker in Atlanta, said two laptops were stolen from employees attending an off-site company meeting in January.  The laptops contained names and Social Security numbers for employees of Beecher Carlson’s clients, including 1,012 people who live in Massachusetts. 
  • P.F. Chang’s China Bistro Inc., a restaurant chain based in Scottsdale, Ariz., reported the theft of “electronic equipment’’ that may have contained personal data for 1,823 current and former employees who live in Massachusetts.
  • A computer attack on the Minneapolis-based information services and payroll provider Ceridian compromised Social Security numbers – and in some cases bank account information – for about 27,000 employees at thousands of companies nationwide.  This was the second security breach at Ceridian in three years; the 2007 theft of financial information involved a former employee.  This hacker was from outside the company and still has not been found.
  • Malware infections on 3 Penn State computers compromised the Social Security numbers of as many as 30,000 people. Officials said the infections were apparently unrelated.
  • The theft of a laptop from an employee at Florida care center chain Halifax compromised billing information for about 33,000 customers.  Hospital officials said someone stole an employee’s laptop out of his car.  Officials said the information is password protected, and they have no reason to believe any sort of identity theft has actually occurred.
  • Theft of a laptop from a BlueCross BlueShield association employee in Chicago compromised the Social Security numbers of as many as 187,000 association doctors. The laptop contained other information on every doctor belonging to the company’s BlueCard network – 850,000 in total.
  • An attack on a server at the University of North Carolina-Chapel Hill compromised personal records of 180,000 mammography patients, including 114,000 Social Security numbers. The records were part of a university study.
  • The theft of a laptop compromised personal data for 131,000 current and former Army National Guard soldiers, including Social Security numbers and information on bonus pay.
  • A rogue bit of code embedded by hackers into the servers of Web domain registrar Network Solutions of Virginia exposed credit and debit card information for more than 573,000 accounts, garnered from thousands of online stores.
  • Overseas hackers attacked UC-Berkeley servers, compromising Social Security numbers, immunization records and health insurance information for about 160,000 people.
  • Hackers attacked Virginia’s state prescription database, seizing records for 8 million people and demanding a $10 million ransom for the data’s return.  The perps said they destroyed all backups of the data, but officials later refuted the claim.
  • The theft of 8 data tapes from a storage facility compromised the Social Security numbers and direct-deposit information of 80,000 current and former New York Police Department officers.