CyberInsecure.com

Daily cyber threats and internet security news alerts

Archive for the ‘Privacy’ Category

Employees' Personal Information Exposed In Department of Consumer Affairs Email Incident

Tuesday, June 24th, 2008

A security breach discovered on Monday, June 9, compromised the names and social security numbers of 5,000 employees, contractors and board members of the state Department of Consumer Affairs (DCA). About 2,800 of the people on the list are current, full-time employees of the DCA.

The breach occurred on June 5 or 6 when a Microsoft Word document was improperly transmitted electronically outside of the department, said DCA spokesman Russ Heimerich. The document also contained the salaries and titles of everyone on the list, but Heimerich noted that this was public information. Some of the names were employees and board members of the 56 professional boards and bureaus administered by the DCA, such as the Bureau of Automotive Repair and the Medical Board. The document also included some former employees and numerous contractors, such as people who proctor state job examinations.

The main danger in giving away a social security number is that it can be used to set up new credit cards, loans or purchases in someone’s name. A thief would generally also need information that was not included in the document and could be harder to get, such as addresses, phone numbers and driver’s license numbers. That kind of information is nevertheless very easy to obtain.

The DCA is the main state agency charged with protecting consumers in California. From 2003 to 2007, it also housed the office charged with educating consumers and businesses about identity theft and fraud.

The incident is still being investigated, and the department cannot disclose who received the document. So far there is no evidence that any information has been used. It was not even clear whether the recipient had opened the document.

The state Department of Consumer Affairs (DCA) has sent warning letters to all 5,000 affected. The DCA will pay for a year of free credit reports and provide fraud insurance of up to $25,000 for everyone on the list. The DCA had not yet determined how much these protections were going to cost.

Anyone concerned about identity theft can visit http://www.privacy.ca.gov/ for more information on how to protect themselves.

DivShare Online Storage Breached, Basic Members Data Accessed By Hacker

Tuesday, June 17th, 2008

DivShare, an online service for storing and sharing video, photos, music and documents, has had a security breach. The company announced on its blog tonight that a malicious user had accessed its database, which included user e-mail addresses and other basic profile information.

DivShare is an online file-sharing service with more than half a million members. It is free to sign up for, gives members 5GB of storage, and allows 50GB of data to be downloaded from the service per month.

DivShare members have been warned regarding this security breach by an email from the service. DivShare temporarily took all members’ files offline and implemented a new security system, though full access to the files has now been restored, the company said.

“No financial information has been accessed by any unauthorized parties. We have taken extreme measures to secure the site in the last 12 hours and are currently in the process of rolling out new security precautions,” the statement said. It also says that the company apologizes for allowing this breach to take place and takes every precaution available to ensure that this doesn’t happen again.

While it’s good that DivShare provides information about its security breach, it may be hard to trust again a company that allowed personal information to be accessed by hackers. Although the issue was quickly resolved, the database contents remain compromised, which is probably why DivShare recommends that all users change their account password and the passwords on any private folders as a security precaution.

According to an update on the DivShare website at 8:30 PM ET, all files are now back online after outages caused by the security upgrades. Concerned DivShare members can contact support with any questions.

Columbia University Students' Private Details Available On Google-Hosted Website For 16 Months

Monday, June 16th, 2008

Private details and social security numbers of 5,000 Columbia University students had been searchable online for the last 16 months. Students received an e-mail message on Tuesday night from the vice president of student auxiliary and business services, Scott Wright, explaining that in February 2007, a student employee had posted a database of students’ housing information on a Google-hosted Web site.

On June 3, Columbia University’s Housing and Dining department was informed that one archival database file containing housing information of current and former undergraduate students had been posted online. It appears that the file was inadvertently posted by a former student employee in February 2007. At the university’s request, Google immediately removed the file.

Columbia Public Safety investigators have concluded that this security breach was unintentional. Columbia University would not identify the student, saying only that the person had worked in the university’s housing office. A similar leak occurred in April 2007, when the university noticed that three databases containing students’ addresses and Social Security numbers were online.

Several students created an online petition and posted it to the main campus Web log, demanding that the university investigate the former employee and issue a report explaining how security will be increased. The petition address is www.petitiononline.com/breach/petition.html.

No financial data was included in the file in question, and there is no evidence of identity theft. The phone number for questions or comments is 1(888) 882-7331. Email: studentservices-assist@columbia.edu.

Personal Details Of More Than 11,000 Former And Current University Of Florida Students Found On School Website

Thursday, June 12th, 2008

Personal information of more than 11,000 current and former University of Florida students was compromised after being posted on a school website, officials said Tuesday. The information, which included Social Security numbers, was put on a school tutoring site without a password. The site contained information about students at the school from 2003 to 2005 who expressed an interest in tutoring through the Office for Academic Support and Institutional Services.

In the wrong hands, Social Security numbers can be used to open credit card accounts, get government benefits or apply for a job. School officials emphasized that the site would not have been easy to find and they do not believe it was accessed by anyone outside the school.

Two former students who worked in the office were trying to create a database for tutoring and included information on about 11,300 students. Only students from the College of Liberal Arts and Sciences would have had information on the site. Letters were sent out Tuesday to students notifying them of the privacy breach, which was discovered last month during a routine school audit.

The school doesn’t have any evidence that the information was accessed but cannot be absolutely certain. The site has been taken down and the information has been removed from the university system.

The full press release regarding the incident can be found at http://privacy.ufl.edu/CLASBreach/CLASBreach.doc. For further questions, there is a UF Privacy Office hotline at 866-876-HIPA.

Hackers Exposed Private Details Of 2000 Belgacom ISP Users

Wednesday, June 11th, 2008

Belgium’s largest ISP, Belgacom, announced today that 2,000 of its ADSL accounts were compromised earlier this year by hackers. Belgacom discovered details of its subscribers posted on a web page by hackers who oppose the download limits on Belgacom broadband internet connections.

In Belgium, about 90% of residential ISP customers are connected either via Belgacom or Telenet. Although the connections are fast, both ISPs last year had a maximum download limit of 12 GB/month. Whoever passes this limit has their speed dropped to 3 KB/s for the rest of the month, which is not enough for today’s average online usage.

In December frustrated Belgian internet users signed a petition demanding more reasonable download limits and on 30 December tried to download as much as possible to show that Internet traffic wasn’t significantly higher than on other days. Apparently a group of disgruntled users decided that wasn’t enough, and exposed the details of 2,000 Belgacom accounts on the web.

Belgacom did not inform the public about this security breach, to avoid panic. A Belgacom spokesperson said that postal letters had been sent to small groups of users since April asking them to change their passwords as a precaution. The site exposing clients’ details was closed down immediately and there have been no abuse reports since then. According to Belgacom it is a minor issue, since it has 1 million ADSL users and the stolen details of only 2,000 of them do not pose a threat.

University Of Utah Hospitals & Clinics Stolen Backup Tape Contained 2.2 Million Billing Records

Wednesday, June 11th, 2008

The University of Utah Hospitals & Clinics announced today the recent theft of billing records. A metal box containing backup tapes, which held billing records for approximately 2.2 million patients and guarantors, was stolen on Monday, June 2, from a car belonging to a driver who worked for an independent storage company contracted by the health-care system.

The driver discovered that someone had broken into his Ford Explorer outside his Kearns home and taken the box. The driver, who worked for Perpetual Storage Inc. for 18 years, was fired due to violation of protocols his company established to ensure secure data transportation. The company contracted by the university to transport and store the tapes, Perpetual Storage Inc., said this is the first and only such incident in its 40-year history.

The Salt Lake County Sheriff’s Department, the FBI and the U.S. Postal Service are investigating the theft. The investigation indicates that the theft was probably a random car burglary, and there is no evidence that the information on the tapes has been accessed or used for identity theft. The billing records included patient names, related demographic information and diagnostic codes. None of the records contained credit card information. Records for a subset of 1.3 million patients also contained Social Security numbers.

The University of Utah Hospitals & Clinics has suspended deliveries of backup tapes to Perpetual Storage pending a review of all procedures and protocols for transporting and storing backup data. Additionally, the health-care system mailed notification letters to all 2.2 million patients and guarantors. Free credit monitoring and restoration service will be provided to patients whose records included Social Security numbers. The toll-free information line for questions is 1-866-581-3599.

The University of Utah Hospitals & Clinics is offering a $1,000 reward for the return of the tapes, no questions asked. Those wishing to claim the reward may call the Sheriff’s Department at (801) 743-7000.

More information and resources can be found at http://healthcare.utah.edu/billingrecordstheft.

Social Networks Information Sharing Flaw Exposes Private MySpace Users' Photos

Wednesday, June 4th, 2008

The recently introduced data availability initiative at MySpace, which allows everyone to share their profile data with other community and social networking sites across the Web, has a major privacy flaw that exposes the private photos of MySpace users. The flaw is in the system that helps the social-networking site share information with other Web sites.

Thanks to data portability, a technology that allows personal information to be shared between social networks and other websites, one can see any profile on MySpace. For example, pictures of Paris Hilton and Lindsay Lohan from private MySpace profiles can already easily be seen by anyone on the Internet, since those two celebrities are, as usual, the first to be hit.

Byron Ng, a computer technician who earlier this year found a way to access Paris Hilton’s Facebook page, disclosed on the Valleywag blog a 15-step process that allows people to see supposedly private pictures and other information after first logging into Yahoo. Yahoo’s integration with MySpace makes it easy to view the photos of any profile.

Byron’s instructions involve no real hacking or unauthorized access. They work because Yahoo allows its users to add their MySpace profiles to their cell phones without verifying that the credentials belong to the profile being added. A login is required, but any MySpace login is accepted, not specifically that of the profile’s owner.

Here are the instructions for viewing any MySpace profile, as posted on Valleywag:

1. you’ll need a Yahoo account. go to www.yahoomail.com and create a yahoo account if you don’t have one already. and you will need to go to www.myspace.com to sign up for a myspace account first, if you don’t have one already.

2. go to http://beta.m.yahoo.com/w/gallery/widget click on the ‘mail’ button under “sign in to yahoo!”.

3. click on ‘click here to sign in’.

4. enter your yahoo id, yahoo password.

5. then on the top of the screen in the white box, enter: myspace then click Search Widgets Gallery.

6. you will see a green box in the middle with the word ‘myspace’ in there.

7. click the green myspace.

8. see in the middle of the screen it says “add it” - click that.

9. click yes when it asks you about sharing info.

10. go here http://beta.m.yahoo.com/w/gallery/widget.

11. enter myspace into the box. click search widgets gallery.

12. click on the green myspace. now, since you have already set it up in the previous steps, it won’t ask you to download again.

13. click on ‘go to widget’ (that’s right below the ‘already added it’ text).

14. now sign in to myspace.

15. now take the URL I asked you to save above before step 1: http://beta.m.yahoo.com/w/myspace/profile/en.osl?userID=16527727 and click on it. it may ask you to sign into yahoo or my space. sign in as appropriate. now you should be able to see the person’s pictures. if you can only see your own profile, then click on it again http://beta.m.yahoo.com/w/myspace/profile/en.osl?userID=16527727 then it will work.
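The authorization mistake described above (a login is required, but the identity behind that login is never compared with the profile being requested) is a general one, and the fix is the same wherever a third-party widget proxies another site’s private data. The following is an added illustration written for this page, not code from Yahoo, MySpace or Valleywag: it models a profile-photo widget with a flawed handler beside a hardened one. All user IDs, session tokens, profiles and the "owner, friends or public" visibility rule are constructed assumptions for the example.

```python
"""Added example (not Yahoo/MySpace code): a profile widget that only
checks that *some* MySpace login exists, beside one that checks *whose*
login it is. All data below is constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Profile:
    user_id: int
    private: bool
    photos: list
    friends: set = field(default_factory=set)


# Constructed sample profiles (hypothetical IDs, not real accounts).
PROFILES = {
    1001: Profile(1001, private=True, photos=["beach.jpg"], friends={1002}),
    1002: Profile(1002, private=False, photos=["dog.jpg"]),
    1003: Profile(1003, private=True, photos=["party.jpg"]),
}

# A MySpace session token is bound to the user it was issued to.
# Here only user 1003 is logged in (constructed token).
MYSPACE_SESSIONS = {"sess-abc": 1003}


class Forbidden(Exception):
    """Raised when the widget refuses to serve a profile."""


def widget_vulnerable(myspace_session: str, requested_user_id: int) -> list:
    """Flawed handler: 'requires a login, but accepts any login'.
    The session is only checked for existence; its identity is never
    compared with the profile being requested, so any logged-in user
    can read any private profile by changing the userID parameter."""
    if myspace_session not in MYSPACE_SESSIONS:
        raise Forbidden("not logged in")
    return list(PROFILES[requested_user_id].photos)


def can_view(viewer_id: int, profile: Profile) -> bool:
    """Assumed visibility rule: public profiles are open to everyone,
    private profiles only to the owner and the owner's friends."""
    if not profile.private:
        return True
    return viewer_id == profile.user_id or viewer_id in profile.friends


def widget_hardened(myspace_session: str, requested_user_id: int) -> list:
    """Hardened handler: resolve the session to a concrete viewer and
    apply the profile owner's visibility rule to that viewer."""
    viewer_id = MYSPACE_SESSIONS.get(myspace_session)
    if viewer_id is None:
        raise Forbidden("not logged in")
    profile = PROFILES.get(requested_user_id)
    # Same response for unknown and forbidden profiles, so the endpoint
    # cannot be used to enumerate which user IDs exist.
    if profile is None or not can_view(viewer_id, profile):
        raise Forbidden("profile not available")
    return list(profile.photos)


def denied(handler, myspace_session: str, requested_user_id: int) -> bool:
    """Helper for checks: True if the handler refuses the request."""
    try:
        handler(myspace_session, requested_user_id)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # User 1003 is logged in and asks for 1001's private photos.
    print("vulnerable:", widget_vulnerable("sess-abc", 1001))   # leaks
    print("hardened denies:", denied(widget_hardened, "sess-abc", 1001))
    print("hardened, public profile:", widget_hardened("sess-abc", 1002))
```

The hardened handler changes only one thing: instead of treating "a session exists" as authorization, it asks which user the session belongs to and evaluates the owner's visibility rule for that user. Returning the same error for a non-existent profile and a forbidden one is a small extra that stops the endpoint from confirming which user IDs exist.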

Personal Information Sent To An Analysis Firm Stolen From State Street Corporation

Tuesday, June 3rd, 2008

State Street Corporation (NYSE: STT) said on May 29 that a disk drive containing personal details of 5,500 employees and 40,000 customer accounts had been stolen. The lost details included individuals’ names, addresses, dates of birth and, in some cases, Social Security numbers. The theft occurred in December and was reported to State Street in January. State Street did not disclose the breach publicly or to the individuals until yesterday because it took months to determine who was affected.

State Street Corporation began sending precautionary notifications to employees and some customers of the former Investors Financial Services Corp. that computer equipment containing certain personal data was stolen from a vendor’s facility.

The compromised information was among a batch of data sent to an unnamed analysis firm located in the United States. At the time of the transfer the data was encrypted, making it much more difficult to misuse. The firm had decrypted the information for its work and stored it in the clear on the hard drive that was then stolen.

There is no evidence to date to suggest that the data has been misused or that legacy State Street customers or employees are impacted. The theft was reported to federal authorities. As a precaution, State Street is notifying legacy IBT employees and certain legacy IBT customers whose personal data was on the stolen computer equipment.

State Street has developed a dedicated section of its website with more details for the legacy IBT customers and employees who will receive these precautionary notifications. This information can be found at www.statestreet.com/notification and includes details about a number of credit monitoring services being made available by State Street at no cost for two years. For questions and details, customers may contact their usual customer representative. Employees may contact GHR Customer Service at +1 617 985 8040.

Patients' Personal Data Compromised At Walter Reed Army Medical Center

Tuesday, June 3rd, 2008

Sensitive information on about 1,000 patients at Walter Reed Army Medical Center and other military hospitals was exposed in a security breach, raising identity theft concerns and prompting an investigation by the Army. The medical center learned of the breach on May 21 from an outside data mining company, which officials did not identify.

Walter Reed officials were notified of a possible disclosure, through a peer-to-peer (P2P) network, of personally identifiable information of approximately 1,000 Military Health System beneficiaries. Names, Social Security numbers, birth dates and other information were released, hospital officials said Monday. The computer file that was breached did not include information such as medical records or the diagnosis or prognosis of patients, they said. Preliminary results of an ongoing investigation have identified a computer from which the data was apparently compromised.

Data security personnel from Walter Reed and the Department of the Army continue to investigate the source and causes for the information compromise. Walter Reed officials declined to explain exactly how the information was compromised, pending an ongoing investigation by the hospital and the Army.

The hospital said it is working to notify all of the people named in the data file. Letters or e-mails were being sent out beginning Monday. Walter Reed plans to offer free credit protection services to patients whose information was revealed. The hospital has also set up a hotline for people to call to find out whether their information was disclosed (1-877-854-8542, ext. 9). A 24/7 hotline has been established in the Combined Operations Center, 202-782-8333 or 877-854-8542 ext 9, and an information page on the hospital’s website is also being created.

Computers Storing Personal Data Breached At Pocono Mountain School District

Monday, June 2nd, 2008

Computers at Pocono Mountain School District were breached by a hacker on May 30, who apparently tapped into confidential information concerning students and their parents, the district’s superintendent said Friday. The district superintendent sent letters on Friday afternoon telling parents about the apparent breach, which the district had found out about the previous evening. Parents got the letters when their children returned home at the end of the school day.

The information that may have been compromised includes Student ID, network password, SSN if provided, ethnicity, gender, birth date, grade, grade year, building no., building name, homeroom no., homeroom teacher, attendance code, dietary allergies, bus assignment, free/reduced lunch status, home phone, primary home mailing address, secondary mailing address, parent names, parent phone numbers, emergency contact names, and emergency contact phone numbers.

The district’s technical staff had noted some irregularities during a routine security check on Thursday night, detecting some activity that seemed a little “unusual”. The technical staff is checking to what extent any personal information had been compromised, and to whom it may belong.

The district referred the matter to Pennsylvania State Police at Swiftwater for further investigation.

Anyone who notices unauthorized activity can contact the office of the Executive Director of Technology at (570) 873-7121 Ext. 10151.

Movie Sharing Program Causes A Security Breach In University Of California San Francisco

Saturday, May 31st, 2008

During routine University of California San Francisco (UCSF) monitoring of the campus computer network on January 11, 2008, UCSF discovered unusual data traffic on one of its computers. The investigation was completed this month and shows that an unauthorized movie-sharing program had been installed on this computer on or about December 2, 2007, by an unknown individual. The computer also held personal information on 3,569 patients of Pathology and Laboratory Medicine. Installation of this program required high-level system access, which is why the incident is considered a security breach.

The University of California San Francisco alerted the affected patients that it had discovered a security breach, after immediately removing the computer from the network to prevent further access. There is no indication that any patient files were accessed. According to UCSF, the administration takes this situation very seriously and is therefore responding with the highest level of caution and concern.

UCSF conducted a thorough investigation into the incident to assess how this breach occurred and whether any patient information may have been compromised. The data included information such as patient names, dates of pathology service, health information and, in some cases, social security numbers. The Department of Pathology has notified 2,625 UCSF patients whose information was contained on the computer. The files also included 944 patients whose tissue samples had been referred by other health care providers to UCSF for analysis.

A top-level task force has been created to improve the system of controls to protect patient information and other sensitive data. This task force is composed of campus leadership and is chaired by Executive Vice Chancellor and Provost Eugene Washington.

UCSF has established a special phone line (415) 353-7427 and a special email address PathHotline@ucsf.edu to answer questions from patients who received notification letters informing them about this recent breach.

LPL Financial Compromised Advisors' Logons Used In Stock Manipulation

Tuesday, May 20th, 2008

LPL Financial recently notified the Maryland State Attorney General of a breach in which hackers compromised the logon passwords of fourteen financial advisors and four assistants of LPL Financial (“LPL”). The hackers used these passwords to gain access to customer accounts in order to “pump and dump” penny stocks. These incidents affected approximately 10,219 individuals.

Hackers compromised the logon passwords of employees in offices located in New Jersey, Illinois, Rhode Island, Pennsylvania, Colorado, Texas, California, Georgia and Connecticut over the course of several months. The information that was potentially accessible included unencrypted names, addresses and Social Security numbers of customers and non-customer beneficiaries.

According to LPL Financial, the attempted transactions were intercepted and either rejected or reversed, so no losses were passed on to customers. At this time, LPL has no specific knowledge that any customer information was accessed or misused as a consequence of the breach. LPL is also unaware of any instance of identity theft related to these incidents.

LPL learned of the first incident on July 16, 2007 and notified law enforcement, its primary regulator, and the Financial Industry Regulatory Authority. It also determined what information had been compromised and notified the affected individuals, offering solutions to those interested.

Those who have questions or have encountered an identity theft issue can call ID TheftSmart at 1-800-588-9839 between 9:00 a.m. and 6:00 p.m. (Eastern Time), Monday through Friday. To ask LPL Financial a question regarding this incident, call 1-800-558-7567, option 3 - Customer Service, between 9:00 a.m. and 6:00 p.m. (Eastern Time), Monday through Friday.
