Data Breach Articles
Six people accused of UCI tax fraud (follow-up)

Six people accused of stealing personal information from UCI student health forms and using it to get bogus tax refunds have been indicted by a federal grand jury in Texas.

According to federal authorities, the conspirators set up fake companies and filed electronic returns, using information stolen from UCI students and others.

More than 1,100 UCI students had their personal information taken by someone working inside Texas-based United Healthcare, police said. At least 163 discovered that bogus 2007 tax returns had been filed using their social security numbers.

Source - OC Register

OH: Database security breached

A database that contains the names, addresses and Social Security numbers of 13,000 retired Ohio police officers was improperly transmitted by a retired Ohio Police & Fire Pension Fund employee, officials said Wednesday. … The pension fund employee retired Aug. 15. Within 30 hours, the state discovered he had emailed the database to himself at home. Warning letters were mailed Monday.

State officials do not believe the unidentified employee would have used it for “malicious intent,” so they do not plan to prosecute him at this point, according to pension fund spokesman David Graham.

Source - Cincinnati.com

Experian announced to continue fraud alerts, Debix to cover ID theft losses

Gov. M. Jodi Rell and Attorney General Richard Blumenthal today announced that more than 50,000 Connecticut residents, potentially affected by a temporary lapse in identity theft protection, will have any resulting losses covered by Debix Identity Protection Network, the company hired by the state last year after a security breach.

In addition, Experian, a major credit bureau, has agreed to extend existing fraud alerts for a year for those residents. These measures resulted from an aggressive state inquiry of recent consumer complaints over a change in the way Experian was handling fraud alerts it received from Debix. […]

Experian recently notified certain Connecticut taxpayers that they would have to re-enroll for fraud alerts by providing confidential information, even though Debix, under a state contract, had promised to provide the fraud alerts for two years through the three national credit reporting agencies, including Experian.

Experian confirmed in writing today that, upon resubmission of a fraud alert request by Debix, it will renew the fraud alerts without further action by Connecticut taxpayers.

Source - StamfordPlus.com

Checks, debit and credit card numbers stolen from YMCA sale

Customers who paid for items at a YMCA fund-raiser with checks or credit cards are being warned about a burglary in which credit and debit card numbers were taken.

The University YMCA at 1001 S. Wright St., C, conducted its annual garage sale fund-raiser at the University of Illinois Stock Pavilion on Saturday. Sometime between 4 p.m. Saturday and 11 a.m. Sunday, someone took cash from the sale, along with checks and credit and debit card numbers, according to Willard Broom, interim executive director at the YMCA.

Source - The News-Gazette

Theft included K-State students personal data

Eighty-six Kansas State University students are receiving letters from the Division of Continuing Education advising them that papers with their names and Social Security numbers on them were stolen from a parked vehicle last week. An instructor for classes offered through the Division of Continuing Education, taught through the UFM Community Learning Center, reported an Aug. 15 overnight theft of numerous items from a car, which was parked outside a Manhattan residence. Items taken included a backpack with a list of names and Social Security numbers of 86 K-State students who had taken that instructor's classes from fall 2007 through summer 2008.

Source - CJ Online

FTC "Reminder" About ID Theft Red Flag Compliance

Our recent Advisory Bulletin recounts how the FTC recently issued a gentle reminder that companies should be well along in getting their Identity Theft Red Flag programs in place in anticipation of the November 2008 compliance deadline. The FTC’s notice announced that it also has launched an outreach effort to explain the rules, which included publication of a very general alert on what the rules require and what types of businesses must comply.

The Identity Theft Red Flag Rules were jointly adopted last year by the FTC and five other federal agencies (the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union Administration) pursuant to the Fair and Accurate Credit Transaction Act of 2003. Under the rules, financial institutions and “creditors” with “covered accounts” must have identity theft prevention programs in place and operating by November 1, 2008. The programs must identify, detect and respond to patterns, practices or specific activities that could indicate an account holder has been the victim of — or is engaged in — identity theft.

As explained in the DWT advisory, all types of financial institutions and most electronic service providers (including video, Internet and voice service providers) will have “covered accounts” governed by these new rules and therefore must have designed, implemented and begun operating an internal system to detect and combat identity theft no later than November 1, 2008. The advisory provides the relevant definitions and other triggering terms in the rules, and an overview of what they require.

Malware Cited as the Cause of Massive Supermarket Data Breach

A massive data breach at an East coast supermarket chain compromised up to 4.2 million credit and debit cards earlier in March, leading to 1,800 cases of fraud arising as far away as Mexico, Italy and Bulgaria. Recently, the Hannaford Bros. grocery chain announced the cause of that breach: unauthorized software secretly installed on servers that intercepted data from customers as they paid with plastic at checkout counters. While the precise source of the malicious software remains under investigation, the Scarborough, Maine-based grocer confirmed that Massachusetts regulators had been informed of the link between the breach and the malware, which polluted nearly all of the company’s 271 stores’ servers. The U.S. Secret Service has confirmed that it is helping investigate the crime, although the scope of its involvement is unclear.

The Hannaford breach is unique to the extent that credit card numbers were stolen while the information was in transit, or at the point of sale. This represents a new, more sophisticated line of attack, exposing the vulnerabilities in the communication between cash registers and branch servers, as Neal Krawetz of Hacker Factor Solutions has warned in research. The method contrasts with the usual mode of attack, which targets data sitting in databases, as was the case in the record-setting theft of information from Massachusetts-based TJX Cos in 2005 and 2006. That breach compromised 45.7 million accounts of customers of T.J. Maxx and Marshalls stores and now forms the basis of a pending federal consumer lawsuit in Boston.

Hannaford states that its breach occurred between Dec. 7, 2007 and March 10, 2008, but notes that while the breach was ongoing, the company was found to be in compliance with the relevant industry security standards. “We have taken aggressive steps to augment our network security capabilities,” Hannaford president and CEO Ronald C. Hodge said in a statement on March 17. “Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions.”

Some State Data Encryption Requirements More Effective than Others

Posted by Randy Gainer

State and federal laws encourage businesses to encrypt consumers’ computerized personal information. Most state data breach notice laws do not require businesses to notify their customers when customers’ digital personal information has been stolen or lost if the information was encrypted. The Federal Trade Commission encourages but does not mandate that consumers’ personal data be encrypted. See Protecting Personal Information, A Guide for Businesses.

Nevada enacted a statute that goes further and affirmatively requires businesses to encrypt certain consumer data. Washington and Michigan are currently considering legislation that would also require consumer data to be encrypted. The Nevada statute and the pending Washington and Michigan bills contain different encryption requirements. Of the various measures, the proposed Michigan bill and the Washington Senate bill would most effectively protect consumer data if they are enacted.

The Nevada statute, NRS 597.970 (effective October 1, 2008), requires each business in Nevada to encrypt customers’ personal information when it is transmitted outside the business’ secure network. See Charlene Brownlee, “Nevada passes first law requiring business to encrypt customer personal information during transmission” (October 19, 2007). The Nevada statute does not require businesses to encrypt consumers’ personal information while it is being stored on the businesses’ servers, laptops, or backup tapes. It’s much more likely, however, that thieves will steal and business will lose large amounts of stored consumer data than it is that data in transit will be stolen or lost. For that reason, the overwhelming majority of reports of stolen and lost consumer data relate to stored data, not data in transit. See, e.g., Chronology of Data Breaches. The limited, data-in-transit, encryption mandate in the Nevada statute will therefore do little to stem the tide of stolen and lost consumer data.

Unlike the Nevada statute, Michigan Senate Bill No. 1022 would require businesses to encrypt stored consumer data. The Michigan bill would, among other things, amend the state’s “Identity Theft Protection Act,” MCL 445.71-.72, by prohibiting the following conduct:

(e) If the person collects personal identifying information in the regular course of business and stores that information in a computerized database, failing or neglecting to store that information in the database in an encrypted form, in conformity with current industry-standard encryption methods and capabilities.

This prohibition would make it unlawful to fail to encrypt consumers’ personal information stored in digital form and to fail to use “industry-standard encryption methods and capabilities.” The latter prohibition should prevent businesses from deploying out-of-date encryption programs and from using deficient encryption procedures. It is important that businesses be required not only to encrypt stored data but to do so competently. See, e.g., Mike Chapple, “Lessons Learned from TJX: Best Practices for Enterprise Wireless Encryption” (December 19, 2007) (reporting that the data theft of payment card data at TJX has been linked to the company’s use of the flawed WEP encryption program and to other errors).

The proposed Michigan statute also includes, at section 16, authorization for financial institutions to bring civil actions for card replacement and other costs against persons who maintain computerized databases that contain personal information if a security breach of the database occurs. Section 16 of the Michigan bill is similar to Minn. Stat. 365E.64, which was adopted last year. See Randy Gainer, “State Laws to Shift Some Data Breach Costs to Businesses with Weak Security” (May 25, 2007). Two bills pending in the Washington State legislature, Substitute House Bill 2838 and Senate Bill 6425, would also authorize financial institutions to recover such costs from persons who must disclose data breaches. See section 1 of Sub. HB 2838 and section 6 of SB 6425.

Section 4 of pending Washington SB 6425 would also require businesses that collect or store computerized personal information in connection with payment cards to “comply with payment card industry data security standards established by the PCI security standards council.” Requirement 3.4 of the current version of the PCI Data Security Standard (PCI DSS) mandates that the primary account number of payment cards must be protected while in storage by encryption, hash indexes, truncation, or index tokens and pads. Requirement 4 of the PCI DSS mandates that card information be encrypted when it is transmitted over easily accessible networks. Proposed Washington SB 6425 would, therefore, effectively require encryption for payment card data in transit and require either encryption or other data-masking measures for payment card primary account numbers while they are in storage.

If enacted, Michigan SB 1022 and Washington SB 6425 will require businesses that collect digital personal information to take effective steps to protect the information. While the PCI DSS already requires such measures for payment card data, both bills would enact the requirements into law and the Michigan bill would extend such protections to all digital personal information.
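The PCI DSS Requirement 3.4 options named above (truncation, hash indexes, index tokens) are easy to get wrong in practice, so here is an added Python example showing what each one looks like on a stored primary account number. This is illustration code written for this page, not code from the blog, from Hannaford, or from the PCI Security Standards Council; the key, the sample PANs and the in-memory "vault" are constructed for the demo.

```python
"""Added example: storage-side PAN protections of the kind PCI DSS
Requirement 3.4 lists (truncation, keyed hash index, index token).
Not from the original page; key and sample PANs are constructed."""
import hashlib
import hmac
import secrets

# Constructed demo key. In a real deployment the hash-index key lives in an
# HSM or key-management service, never next to the data it protects.
HASH_INDEX_KEY = b"constructed-demo-key-do-not-use-in-production"


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, used here only to reject malformed input
    before we derive anything from it."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits; the middle
    digits are replaced, not merely hidden, so no full PAN is stored."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_index(pan: str, key: bytes = HASH_INDEX_KEY) -> str:
    """Hash index: a keyed HMAC-SHA256 of the PAN. An unkeyed hash of a 16-digit
    PAN is trivially reversible (the space of valid PANs is tiny), which is
    why a secret key is used here rather than a bare digest."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Index token: the application stores a random token in place of the PAN;
    the token-to-PAN mapping exists only inside this (constructed) vault."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_index: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Look the PAN up by its keyed hash so the same card yields the same
        # token without the vault ever indexing on the PAN itself.
        idx = hash_index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        token = secrets.token_hex(16)     # 128 bits of randomness, no PAN content
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (with its own access controls) can resolve a token."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    pan = "4111111111111111"              # constructed test PAN
    print("truncated  :", truncate_pan(pan))
    print("hash index :", hash_index(pan))
    vault = TokenVault()
    tok = vault.tokenize(pan)
    print("token      :", tok, "-> same card, same token:", vault.tokenize(pan) == tok)
```

The three functions map to the three data-masking choices the Washington bill would import via PCI DSS: a truncated value can be shown on receipts and screens, a keyed hash index lets a system match repeat cards without holding the PAN, and a token lets downstream systems reference a card while only the vault can recover it. Whichever is chosen, the point the article makes about TJX still applies: the protection is only as good as the key handling and the algorithm behind it.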
Data Breach Watch Blog Articles

Six people accused of UCI tax fraud (follow-up) | Wednesday, 27 August 2008, 5:18 pm
OH: Database security breached | Wednesday, 27 August 2008, 2:17 pm
Experian announced to continue fraud alerts, Debix to cover ID theft losses | Wednesday, 27 August 2008, 2:14 pm
Checks, debit and credit card numbers stolen from YMCA sale | Wednesday, 27 August 2008, 12:57 pm
Theft included K-State students personal data | Wednesday, 27 August 2008, 12:56 pm
FTC "Reminder" About ID Theft Red Flag Compliance | Wednesday, 16 July 2008, 3:50 pm
Malware Cited as the Cause of Massive Supermarket Data Breach | Monday, 14 April 2008, 5:50 pm
Corporate Finance Law Blog | Monday, 17 March 2008, 6:08 pm
Technology, eBusiness & Digital Media Blog | Friday, 14 March 2008, 7:57 pm
Some State Data Encryption Requirements More Effective than Others | Wednesday, 27 February 2008, 9:59 am

