Search results for big-screw
Someone at the FAA neglected to secure one of their systems and allowed all of the personally identifiable information on 45,000 employees to leave the network. Details are scant right now, but I don’t think this was a matter of a stolen or lost laptop, nor is it an insecure HR webserver that was penetrated through a simple SQL injection. I think this was a trojan horse malware placed on an internal system, or maybe an old server sitting behind an outdated firewall rule.
The AP describes it here:
Hackers broke into the Federal Aviation Administration’s computer system last week, accessing the names and Social Security numbers of 45,000 employees and retirees.
The agency said in a statement Monday that two of the 48 files on the breached computer server contained personal information about employees and retirees who were on the FAA’s rolls as of the first week of February 2006.
The server that was accessed was not connected to the operation of the air traffic control system and there is no indication those systems have been compromised.
“The FAA is moving quickly to prevent any similar incidents and has identified immediate steps as well as longer-term measures to further protect personal information,” the statement said. The data theft has been reported to “law enforcement authorities,” who are investigating.
This is unusual in that the file accessed held data from before February 2006. That could mean several things, but most likely this was an old system that had been offline for a while and was then improperly restored to the network. The Federal government routinely recycles systems, and perhaps this was an old server that was put back online after some maintenance without first wiping the old data from the drive.
Happy happy, joy, joy. I got my notification letter from a previous employer, SRA International. They said that there was a data breach, but they have no idea what data, or how much of it, may have been stolen by hackers. And since they are so clueless as to the extent of the data breach, they are notifying all of their federal customers that information relating to them may have been exposed as well. I am not sure which is worse: that they were so poorly protected defensively, or that they have no visibility into where their PII data travels.
From ComputerWorld here:
Employees at federal security agencies are being notified that their personal information may have been compromised after hackers planted a virus on computer networks of government contractor SRA International Inc.
SRA began notifying its employees and all of its customers after discovering the breach. The malicious software may have allowed hackers to get access to data maintained by SRA, including “employee names, addresses, Social Security numbers, dates of birth and health care provider information,” the Fairfax, Va.-based company said in a notification posted at the Maryland attorney general’s Web site.
The breach is embarrassing for SRA, a 6,600-employee technology consulting company that sells cybersecurity and privacy services to the federal government. The company wouldn’t say which federal agencies were affected by the breach, but in U.S. Securities and Exchange Commission filings, it lists intelligence agencies and the U.S. Department of Defense, the U.S. Department of Homeland Security and the U.S. National Guard among its clients.
SRA doesn’t know if any data has been compromised, but it’s taking the precaution of notifying customers that their data may have been accessed.
SRA also has a large contract with FDIC. From the description of the exposure, it sounds like employee health information was possibly accessed, which points to a breach in the HR department. If the breach was limited to just that internal group, no contract information with Federal branches should have been exposed, unless of course, the HR department could access the rest of the network at will.
I really can’t stand the empty platitudes that often accompany these admissions of data breaches. For instance, in my letter, SRA claims:
Sorry, but I don’t think SRA is really committed to the protection of personal data. If they were, they would have already had the safeguards in place that they are implementing now.
An employee swipes an old system from his company and sells it for crack money on eBay. On the old system is unencrypted information on credit card transactions and personal information of more than a million persons. This would have been the motherlode for scammers and fraudsters.
From the DailyMail here:
Personal details of more than a million bank customers have been found on a computer sold on eBay. Highly sensitive information on American Express, NatWest and Royal Bank of Scotland customers was stored on the machine’s hard drive. It includes names, addresses, mobile phone numbers, bank account numbers, sort codes, credit card numbers, mothers’ maiden names and even signatures.
It was on a computer previously used at the company’s archive in Shoeburyness, Essex.
A former employee sold it on eBay for just £35.88 earlier this month. Crucially, he did so without first erasing the internal hard drive.
It was only when buyer Andrew Chapman started looking at the hard disk that its astonishing contents came to light.
First, how did this computer leave the building without the security team throwing a fit? Second, why was that data stored unencrypted on the hard drive if it was at the company’s ARCHIVE office? Sloppy security bankrupts people.
According to Brian Krebs of the WaPo, an employee of a local DC area investment firm installed Limewire on her work computer and then shared out her whole hard drive. Then enterprising identity thieves stole the names, addresses and social security numbers of 2000 clients of the company, including Justice Stephen Breyer. And he goes on to report that the thieves have been hard at work stealing cash and opening up new lines of credit.
From the WaPo here:
Sometime late last year, an employee of a McLean investment firm decided to trade some music, or maybe a movie, with like-minded users of the online file-sharing network LimeWire while using a company computer. In doing so, he inadvertently opened the private files of his firm, Wagner Resource Group, to the public.
That exposed the names, dates of birth and Social Security numbers of about 2,000 of the firm’s clients, including a number of high-powered lawyers and Supreme Court Justice Stephen G. Breyer.
The breach was not discovered for nearly six months. A reader of washingtonpost.com’s Security Fix blog found the information while searching LimeWire in June.
Reader Christopher Lynt, a patent attorney from Virginia whose personal data was included in the file exposed via P2P, told me that last July, an identity thief used his SSN and birth date to have $1,000 wired to Mexico from Lynt’s bank and credit accounts.
The company looks to be a small cabal of DC lawyers scheming on some investments. This goes to show that even small companies must work to protect critical files, and someone is certain to get sued over this.
Dumbass students put a spreadsheet or database containing almost 12,000 students' names, addresses and social security numbers online, with no security protection. Why? So one or two of them could access the data from home. Along with every other criminal looking for identity theft victims.
From ABC7 here:
The University of Florida is sending letters to more than 11,000 current and former students to notify them that their Social Security numbers, names and addresses were accidentally posted online.
University officials said Tuesday that the privacy breach was recently discovered during a routine systems audit.
The information became available when former student employees of the Office for Academic Support and Institutional Service, or OASIS, program created online records of students participating in the program between 2003 and 2005. The information has been removed.
Pretty soon there will be more laws on how to handle privacy data than there are on handling toxic waste. And as soon as people start treating this type of data like it's a ticking time bomb, data losses like this will diminish.
The bad news is that 600,000 people may have their personal information exposed because one idiotic recruiter left his unencrypted laptop in his car overnight and it was stolen.
The good news is that the MoD seems to know how to cut through red tape and get things done when it needs to. It recalled all laptops and made sure they were using disk encryption if you can believe this article here by the Register:
Defence minister Des Browne has admitted that the Ministry of Defence (MoD) has lost not one, but three laptops containing unencrypted information since 2005.
Last week, it emerged that the MoD had lost a laptop containing the personal details of 600,000 people who had expressed an interest in joining the armed services.
The laptop was stolen from a junior Naval officer, who had left the machine in a car parked overnight in Edgbaston, Birmingham. West Midlands police are investigating the theft.
Talking to Parliament yesterday, Browne said: “It is not clear to me why recruiting officers routinely carry with them information on such a large number of people or why the database retains this information at all.”
Ministers were told of the theft on 11 January, but believed at the time that the data was encrypted. They were told it was not encrypted on 14 January. By 18 January all other MoD laptops were recalled and secured.
The reason I am suspicious that all laptops were recalled and secured is that it would take a massive effort to strip the laptops from their officers, apply new disk encryption software, or verify that security measures are in place. In the US, the military can't even agree on a single standard, and each branch of the military uses different security software.
At least the half that gets welfare checks for having children.
Two disks, put in the snail mail system, mailed from the Tax department to the audit agency, never arrived. Why this data couldn’t be transferred electronically in encrypted form is anyone’s guess.
From the AP here:
Two computer disks bearing addresses, bank account numbers and other details of about 25 million people — almost half the British population — were popped into internal government mail and never arrived.
The government says there is no sign the data has fallen into criminal hands.
The disks disappeared while being sent by internal mail from the tax and customs department to the government’s audit agency. They contained names, addresses, birthdates, national insurance numbers and, in some cases, banking details for 25 million adults and children.
Treasury chief Alistair Darling said the disks held information on the 7.25 million families in Britain claiming a child benefit — a tax-free monthly payment available to everyone with children.
The disks were password protected, but the information on them was not encrypted.
I'm taking a guess that they are talking about DVD or CD-ROM discs here. How the hell do you password-protect a DVD but not encrypt it? I didn't think that CD-ROMs could be password protected either, and if the data isn't encrypted, nothing will prevent a sector-by-sector recovery of it.
The breach of TJMaxx customer data, which I initially wrote about here, has been updated. Brian Krebs at the WaPo says that data loss could have affected as many as 94 Million accounts.
The cost of doing business when you can’t keep your data secured? How about One Billion Dollars, Dr. Evil.
From the WaPo here:
TJX Breach Was Twice as Bad as First Reported
The largest digital data theft ever recorded was bigger than originally thought. TJX, the Massachusetts retail giant that earlier this year disclosed that a series of network and computer intrusions had compromised more than 45 million credit- and debit-card numbers, may have lost more than twice that number.
A group of banks suing TJX over the compromises now claim that more than 94 million accounts were affected in the break-ins, according to The Boston Globe. The thefts included about 65 million Visa account numbers and roughly 29 million MasterCard credentials.
Several analysts have estimated that the total costs to TJX could run as high as $1 billion, including legal settlements and lost sales. To date, though, sales figures reported by TJX suggest that shoppers have not been put off by the breach.
TJX believes intruders stole the data via insecure wireless networks at two Marshalls stores in Miami.
An insecure wireless network. But not only that, such a network would have to be directly connected to internal databases that were also unfirewalled and weakly protected. Most security should have layers of protection, but it sounds like TJX had none of that.
Data Loss? You can do it. We can help.™
Home Depot's soon-to-be-fired regional manager left a laptop in his car so thieves could break in and steal it. It had the names, addresses and social security numbers of over 10,000 employees on the hard drive. They claim the computer was protected with a password, but that won't prevent data recovery from the drive.
From the AP here:
The Home Depot Inc. said Wednesday that a laptop computer containing about 10,000 employees’ personal data was stolen from a regional manager’s car in Massachusetts.
The computer, which was password protected, didn't contain any customer information, said Ron DeFeo, a spokesman for the company. He would not say whether the information had been encrypted.
The laptop was stolen from his car while it was parked outside his home, DeFeo said.
The laptop contained names, home addresses and Social Security numbers of certain Home Depot employees.
Home Depot should fire the manager for leaving the valuable data in his car. And then they need to use proper information security practices company-wide to protect personal data at rest.
The Gap group, which includes Gap Stores, Banana Republic, and Old Navy, hired an external consultant to manage their job applications. For some stupid reason, the consultant kept 800,000 applications on a single laptop, which was then stolen. And of course, the data was unencrypted.
From Reuters here:
Clothing retailer Gap Inc said on Friday that a laptop computer containing personal information for about 800,000 job applicants was stolen from a vendor it used to manage that data. An investigation is under way.
The stolen laptop contained personal information for people who applied for store positions with the company’s Old Navy, Banana Republic, Gap and Outlet stores in the United States, Puerto Rico and Canada between July 2006 and June 2007.
Gap said the applicants’ Social Security numbers were included in the stolen information and that it is offering them a year of free credit monitoring services with fraud resolution assistance. Canadian applicants’ Social Insurance Numbers were not stolen, Gap said.
The information on the laptop was not encrypted, a fact Gap said is contrary to its agreement with the vendor. But Gap added that it has no reason to believe that the data on the computer was the target of theft or that the personal information has been accessed or used improperly.
I don't know why Gap doesn't just come out and point the finger at the guilty consultant. I hope they fire the consulting company. In the meantime, who knew that almost a million people applied for a job at the Gap?
Back in January, University of Missouri allowed hackers into the network through a weak online grant application. They had to notify 1200 researchers that their social security numbers were up for sale on the hacker underground.
But instead of working to properly secure their network, Mizzou sysadmins allowed hackers back into the network, this time through their own helpdesk application, to steal the identities of 22,000 current students and alumni. I hope Mizzou fires the admins who keep screwing over their users.
From the AP here:
A computer hacker accessed the Social Security numbers of more than 22,000 current or former students at the University of Missouri, the second such attack this year, school officials said Tuesday. The FBI is investigating.
Campus computer technicians confirmed a breach of a database last week by a user or users whose Internet accounts were traced to China and Australia.
The hacker accessed personal information of 22,396 University of Missouri-Columbia students or alumni.
The hacker obtained the information through a Web page used to make queries about the status of trouble reports to the university’s computer help desk.
In January, a hacker obtained the Social Security numbers of 1,220 university researchers, as well as personal passwords of as many as 2,500 people who used an online grant application system.
The university is contacting people affected by the latest breach and providing instructions on how to monitor their credit reports and other financial records for suspicious activity, officials said.
Maybe the victims of this latest breach would be kind enough to send a letter back showing the lazy admins how to patch their systems and use proper filters on their firewalls. Lotsa luck to the FBI on catching the hackers.
Some 2,000 soldiers who were serving on the border with Mexico in Operation Vista may have had their personal identifying information stolen. A hard drive containing the names, socials and DOBs of soldiers on temporary duty on the border since last year went missing from a secure facility.
From SignonSanDiego here:
Military investigators are searching for a computer hard drive containing personal information for about 2,000 California National Guardsmen, a Guard spokesman confirmed yesterday.
On Feb. 23, a soldier noticed the hard drive was missing from task force headquarters at San Diego Naval Base at 32nd Street. Because the drive disappeared from a locked closet inaccessible to civilians, agents from the Guard’s Criminal Investigative Division think a soldier took it, said Lt. Col. Jon Siepmann.
The drive was used to back up data for troops who have served in the Guard’s U.S.-Mexico border patrol task force since last summer, he added.
All affected Guard members have been advised on I.D. theft protection, Siepmann said, and so far there is no sign that someone has tried to use the personal data.
Guardsmen have been advised to be on the lookout for identity thieves, but as yet, the Guard is not paying for credit monitoring.
It doesn’t surprise me that a discount store also used discounted security to run their backend enterprise.
The company admits that their security was out of date in a long apologetic letter to customers.
From the Miami Herald here:
Marshalls, T.J. Maxx customer data is stolen
T.J. Maxx and Marshalls discount stores announced Wednesday its computer system was hacked late last year and customer information stolen.
Consumers who have shopped at stores in 2003 and between May and December of 2006 are urged to check their credit card statements and bank accounts for unauthorized charges.
The full extent of the theft is still unknown, but the hackers targeted the portion of the computer network containing customer data such as credit and debit card numbers and checking information, the company said.
In addition to T.J. Maxx and Marshalls, data collected from the company’s HomeGoods and A.J. Wright stores in the United States and Puerto Rico and Winners and HomeSense Stores in Canada may have also been stolen.
Although I criticize TJ Maxx for having shoddy security, I applaud them for hiring the best firms to help them in their recovery and monitoring. IBM and General Dynamics stepped in, charging top dollar, to upgrade their systems and provide a security re-design.
Boeing is still refusing to encrypt portable electronic devices, which is surprising given both the ease of use and availability of encryption software today and the fact that even the bloated Federal Government is now encrypting laptops. So why is Boeing still behind the curve? Not only do they not encrypt the information, but they do a poor job of physically protecting that data from theft too. They dumped all of the names and socials of every employee who ever worked at Boeing on a single laptop and then allowed a thief to steal it.
From Seattlepi here:
A laptop with personal information on hundreds of thousands of Boeing Co. employees was stolen earlier this month, and the aerospace company will inform those potentially affected by the theft in a company e-mail today.
“In the first week of December, a laptop was stolen from an employee’s car,” Boeing spokeswoman Kelly Danaghy said. “That laptop had files that contained Social Security numbers for about 382,000 past and present employees, and in most cases it also included a home address, phone number and date of birth.”
The company will provide free three-year credit monitoring for employees whose personal information was compromised.
Last month, a Boeing online memo warned that another computer with “old, unencrypted salary planning files containing personally identifiable information on 762 individuals” had been taken from an employee’s home. “This incident underscores the importance for all Boeing employees to either use encryption or rid their computers of old, unused files, particularly those containing personally identifiable information,” Boeing said in the memo.
Boeing needs to make encryption of portable devices a mandatory part of their information security policy. And Boeing needs to do this from the management on down, not merely suggest in a stupid memo that employees handle information security themselves by choosing whether or not to encrypt or delete old files. Even deleting files does not adequately erase data from a hard drive, since the bytes stay in place until something overwrites them, and any Boeing infosec employee must certainly cringe when he sees such foolish advice distributed in a company memo.
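Two claims on this page deserve a concrete check: that a "password protected" but unencrypted disk (the MoD and Home Depot stories) does nothing against a sector-by-sector read, and that deleting old files (the Boeing memo) does not remove the bytes. The example below is added here and is not code from the blog or from any of the companies named; it simulates a tiny block device with a made-up directory, writes four constructed records (the names and SSN-shaped values are invented), and then scans the raw sectors the way a recovery tool would, ignoring the directory entirely. Only the record that was actually encrypted and the one that was overwritten stay out of the scan. The SHA-256 counter-mode keystream is a stand-in for a real cipher so the block runs on the standard library alone; real data-at-rest protection uses AES (XTS on FDE drives, an AEAD for files), and the "protected" container format is a hypothetical one built only to show what a password gate in front of plaintext amounts to.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

SECTOR = 512
# Shape of the constructed sample records (US SSN format); every value used below is made up.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
MAGIC_PROTECTED = b"PROT"   # hypothetical container: password check in front of plaintext
MAGIC_ENCRYPTED = b"ENC1"   # hypothetical container: password-derived key, ciphertext only


@dataclass
class DiskImage:
    """Toy block device: a flat byte array plus a directory of name -> (first sector, length)."""
    sector_count: int
    raw: bytearray = field(init=False)
    directory: dict = field(default_factory=dict)

    def __post_init__(self):
        self.raw = bytearray(self.sector_count * SECTOR)

    def write(self, name, first_sector, payload):
        start = first_sector * SECTOR
        self.raw[start:start + len(payload)] = payload
        self.directory[name] = (first_sector, len(payload))

    def read(self, name):
        first_sector, length = self.directory[name]
        start = first_sector * SECTOR
        return bytes(self.raw[start:start + length])

    def delete(self, name):
        """Ordinary delete: only the directory entry goes; the sectors keep their bytes."""
        del self.directory[name]

    def wipe(self, name):
        """Sanitising delete: overwrite every sector the file occupied, then drop the entry."""
        first_sector, length = self.directory[name]
        sectors = -(-length // SECTOR)
        start = first_sector * SECTOR
        self.raw[start:start + sectors * SECTOR] = bytes(sectors * SECTOR)
        del self.directory[name]

    def carve_ssns(self):
        """Sector-by-sector scan that never consults the directory, as a recovery tool would."""
        return sorted({m.group().decode() for m in SSN_RE.finditer(bytes(self.raw))})


def protect(payload, password):
    """'Password protected' as the news reports use the term: a gate, then the plaintext."""
    salt = os.urandom(16)
    tag = hmac.new(salt, password.encode(), hashlib.sha256).digest()
    return MAGIC_PROTECTED + salt + tag + payload


def open_protected(blob, password):
    """The gate works against a polite reader, but the payload sits in clear after byte 52."""
    salt, tag, payload = blob[4:20], blob[20:52], blob[52:]
    expected = hmac.new(salt, password.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong password")
    return payload


def _keystream(key, nonce, length):
    # SHA-256 in counter mode stands in for a real cipher in this simulation only.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(payload, password):
    salt, nonce = os.urandom(16), os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    ciphertext = bytes(p ^ k for p, k in zip(payload, _keystream(key, nonce, len(payload))))
    return MAGIC_ENCRYPTED + salt + nonce + ciphertext


def decrypt(blob, password):
    salt, nonce, ciphertext = blob[4:20], blob[20:36], blob[36:]
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def build_sample_image():
    """Four constructed records, one per handling practice described on the page."""
    img = DiskImage(sector_count=64)
    img.write("hr_export.dat", 2, protect(b"Alice Example, SSN 123-45-6789\n", "hr-pass"))
    img.write("old_payroll.txt", 10, b"Bob Example, SSN 987-65-4321\n")
    img.write("stale_payroll.txt", 20, b"Carol Example, SSN 555-12-3456\n")
    img.write("vault.enc", 30, encrypt(b"Dave Example, SSN 222-33-4444\n", "vault-pass"))
    img.delete("old_payroll.txt")   # "deleted" the ordinary way: bytes still on disk
    img.wipe("stale_payroll.txt")   # overwritten before the entry was dropped
    return img
```

Running `build_sample_image().carve_ssns()` returns Alice's and Bob's numbers: the password gate and the ordinary delete both leave the bytes readable, while Carol's (overwritten) and Dave's (encrypted) do not appear. The same scan, pointed at a real image of a drive before it leaves the building, is the check an archive office or a laptop programme should be running.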
In the face of multiple data losses from multiple portable devices, Boeing should immediately institute a recall of all portable devices for a “compliance upgrade.” Systems should be audited for patches, spyware, and have disk encryption installed prior to reissuance to employees.
Boeing does not list a Chief Information Officer or a Chief Information Security Officer in their executive biographies. Perhaps it is time that they get one.
2006 was a remarkable year in my life, and much of it was documented on the pages of this blog. This post should be considered a year-end retrospective on the events and items that I found to be among the most outstanding. Click on any item below to see a story or collection of stories that were among the very best of 2006.
Lax security at the campus of UCLA gave hackers more than a year to harvest personally identifiable data from its servers. 800,000 people are being notified that their data was exposed.
From the AP here:
LOS ANGELES – The University of California, Los Angeles alerted about 800,000 current and former students, faculty and staff on Tuesday that their names and certain personal information were exposed after a hacker broke into a campus computer system.
Only a small percentage “far less than 5 percent” of the records in the database were actually accessed, UCLA spokesman Jim Davis told The Associated Press.
The attacks started in October 2005 and ended Nov. 21 of this year, when computer security technicians noticed suspicious database queries, according to a statement posted on a school Web site set up to answer questions about the theft.
Davis said the hacker used a program designed to exploit an undetected software flaw to bypass security and get into the restricted database, which has information on current and former students, faculty and staff, and some student applicants and parents of students or applicants who applied for financial aid.
Many of the records in the database do not link names and Social Security numbers, however, the two pieces of information the hacker was after, Davis said.
The university’s investigation so far shows only that the hacker sought and obtained some of the Social Security numbers. Out of caution, the school said, it was contacting everyone listed in the database.
I question what this "undetected software flaw" was. Undetected by whom? Certainly the hackers (and there were likely several gangs of hackers taking advantage of the weakness) knew what this software flaw was. My guess is it was a SQL code injection. Someone will certainly be fired over this egregious breach.
Strictly speaking in terms of cash amounts, Terrence Chalk is a small time hood compared to Ken Lay and the way that Lay bilked investors of billions. But Lay was more of a ceremonial captain of the Sinking Ship Enron compared to Terrence Chalk’s Compulinx.
It could at least be argued that Lay was trying hard and made some stupid mistakes, or did not know the extent of the fraud going on at his company. The same could not be said for Terrence Chalk.
If Ken Lay was the captain of a sinking ship, Terrence Chalk was a crazed kamikaze corporate bomber, who took out his company, his employees, and his employees’ credit ratings with him when he went down. And as it turns out, he was ripping off his customers all along with phony claims of managed services.
The end of Compulinx came when Terrence Chalk was caught stealing the identities of current and former employees. He would take the socials and dates of birth from job applications and use the information to open up bogus lines of credit. He racked up over a hundred thousand dollars in bogus debt to finance his lifestyle. There are rumors that the identities of customers and business partners may have also been compromised. Now Terrence faces 1.65 centuries in jail if he is convicted.
From VarBusiness here:
One day after the arraignment of its CEO on identity theft and fraud charges, work at MSP firm Compulinx has come to a sudden halt, and Terrence Chalk's claims of a robust business with an international clientèle and a growing bottom line are looking more and more like smoke and mirrors.
Former business associates of Chalk say claims that Compulinx had hundreds of customers with data hosted on a massive IT infrastructure of 300 servers and 40 TB of storage in four data centers is nothing more than urban legend.
“[Chalk] got very politically connected, and he made a lot of promises that resulted in an image that he walked on water. But the bottom line is, he had one cabinet in our facility, that was it,” says Christopher Furey, CEO of Savvy Networks in Tarrytown, N.Y. “The other three data centers don’t exist.”
As for claims that Compulinx employed some 50 people, Furey, who has hired some former workers from his White Plains, N.Y., competitor, calls that claim “patently ridiculous.”
“There’s about six people left working there [at Compulinx],” Furey says.
Federal law enforcement officials Tuesday raided the White Plains, N.Y., home of Chalk, Compulinx’s CEO, and arrested the well-known Westchester County businessman with charges of stealing the identities of his employees in order to secure fraudulent loans, lines of credit and credit cards. Chalk, 44, was arraigned in federal court Wednesday along with his nephew, Damon T. Chalk, 35, on charges related to submitting some $1 million worth of credit applications using the names and personal information — names, addresses and social-security numbers — of Compulinx employees.
Since the arraignment, the Compulinx Web site has gone dark and phones at the White Plains company have gone unanswered. Numerous messages left on the Compulinx Services Center voicemail have not been returned.
In addition to the identity theft charges, Chalk is also charged with racking up more than $100,000 in unauthorized credit-card charges. If convicted, he faces 165 years in prison and $5.5 million in fines, prosecutors say. His nephew faces a maximum sentence of 35 years imprisonment and $1.25 million in fines.
Crash and burn. And set the town on fire.
I have documented in this space numerous times how the government and private industry have been screwing their employees and taxpayers by losing sensitive data to theft and downright negligence. You can click here to see the previous stories.
But now Seagate has come out with a new hard drive that is automatically encrypted. This will be a huge boon for the privacy and protection of data, and will help serve as an insurance policy against theft or negligence.
From NewsFactor here:
Seagate Debuts New Hard Drives with Built-In Encryption
Seagate Technology will soon begin shipping its first hard drives with special encryption chips that will make it impossible to read data off the disk — or even boot up a PC — without some form of authentication.
The new Momentus 5400 FDE.2 (Full Disk Encryption 2), geared to notebook computers, will come in several capacities, including 80 GB, 120 GB, and 160 GB. Seagate said it expects to ship the drives early next year.
The world’s first laptop hard disk with built-in encryption could help reduce the impact of losing a laptop loaded with sensitive files. Protecting data at the hard drive level — rather than just at the level of the operating system — will offer another layer of defense against thieves.
Now the Government should fast track the accreditation process on this new drive and require it in all future laptops. And for all of those companies that do audits: you should get them too and stop embarrassing yourselves when you lose the data from the company you are auditing.
GE had a laptop swiped from a hotel room that contained the names and socials of 50,000 current and former employees. The article does not say that the data on the drive was encrypted, so I'm assuming it was not.
From Reuters here:
September 26, 2006 (Reuters) — General Electric Co. said today that a company laptop containing the names and Social Security numbers of 50,000 current and former employees was stolen in early September.
The laptop, which had been issued to a GE official who was authorized to have the data, was stolen from a locked hotel room, GE said.
The Fairfield, Conn.-based company began mailing letters this week to the people whose names and Social Security numbers were on the laptop to notify them of the breach and offer a year’s free access to a credit-monitoring service, GE spokesman Russell Wilkerson said.
Wilkerson declined to give further details such as where and when the theft took place or whether the company official is still with GE.
Any time this personal data is placed on a hard drive that exits the sphere of physical control of the corporate security office, it should be encrypted. GE knows this, and they are one of the leaders in IT security. They have the entire 3.x.x.x class A address space and they have an amazing IA team. How this one got away is puzzling. It can only be negligence or an external contractor that does not take proper precautions.
When I was twenty-something, one of my first credit cards was a Circuit City Card. It was paid off long ago and the card clipped and thrown away. I confirmed the account was closed and I never heard from them again.
Until yesterday. I got a letter from Chase Card Services explaining to me that the old information, including my social security number, is hopefully at the bottom of a deep pit in some landfill somewhere, but uh… the Card Services company isn't completely sure that's where it is. It seems that they can't tell the difference between backup tapes and old pizza boxes. Idiots.
From CIO.com here:
Chase Card Services has dumped tapes containing millions of customers details in a landfill site.
The company will now have to tell 2.6 million current and former credit card customers of Circuit City that tapes containing their details were tossed out when they were mistaken for rubbish. Chase is apparently working with both local and national authorities to find out what happened, but it thinks they were in a locked box that was crushed and dumped in the landfill hole.
There is no evidence that the tapes or their contents have been accessed or misused, the company said. And CEO Rich Srednicki issued a statement promising that: "The privacy of our customers' personal information is of utmost importance to us, and we take the responsibility to safeguard this information very seriously."
Utmost importance huh? Just not important enough to properly label your backup tapes. Yeah, blame it on the immigrant cleaning crew. That’s the ticket. They should fire anyone who was responsible for the handling of this data.
Chase is offering me one free year of credit monitoring. I may just take them up on that.