Posts Tagged breaches
WASHINGTON, May 20, 2013 — /PRNewswire/ – For millions of low-income families, the federal government’s Lifeline program offers affordable phone service. But an online security lapse has exposed tens of thousands of them to an increased risk of identity theft.
A Scripps News investigation, Privacy on the Line, unearthed more than 170,000 records containing sensitive details such as Social Security numbers, home addresses and financial account information. The records were widely available online this spring after being collected for two phone companies participating in Lifeline: Oklahoma City-based TerraCom, Inc. and its affiliate, YourTel America, Inc.
Federal regulations require Lifeline carriers to secure customers’ personal records.
Scripps contacted dozens of people whose private information was posted online. When they learned of the security breach, many were shocked. Linda Mendez doesn’t know how she’ll protect herself and her family. The risk is “just destroying us,” said Mendez, who lives in San Antonio, Texas, with her husband and four children.
The investigation also revealed dubious practices for collecting sensitive personal information. A former Indianapolis worker for SafeLink Wireless, another phone company, described recording Lifeline applicants’ driver’s licenses, Medicaid cards and Social Security numbers in a notebook or with his personal cellphone camera — and said his employer never asked whether he had destroyed the data. The Lifeline program strictly forbids retaining it.
The Indiana attorney general’s office, responding to Scripps’ reporting, has launched an investigation into the release of TerraCom applicants’ personal data. The Texas attorney general’s office also is scrutinizing the practices of TerraCom and YourTel. Company officials declined numerous requests for an interview. But, in a written statement, Dale Schmick, chief operating officer of both companies, said they were “actively investigating the full extent of any security breach.”
A lawyer representing both TerraCom and YourTel accused Scripps of accessing the records illegally. Scripps denied the charge and offered to share a video it produced demonstrating how the reporter found the documents.
The Scripps News investigation Privacy on the Line is available at www.kjrh.com/privacybreach, and on Scripps TV stations and in Scripps newspapers across the country. For a complete list of Scripps stations and newspapers, see http://www.scripps.com/brands
About Scripps
Scripps (NYSE: SSP) (www.scripps.com) is a leading media enterprise driven to develop and expand its digital strategies while embracing its rich history in delivering quality journalism through television stations, newspapers and the Scripps Howard News Service. Creative, talented and energetic employees are leading the way at 19 television stations and in 13 newspaper markets. The Scripps digital group is growing and gaining momentum with new product offerings, enhancements, and technology that gives customers more options than ever before to find the information and entertainment they crave.
SOURCE The E.W. Scripps Company
What data breach? Are you talking about the one that happened at Heartland in 2009? Or, maybe the Fidelity one from 2011? Again, no?
Oh, you’re referring to the latest one that led to the arrests in New York of several people who fraudulently withdrew $45M from several ATMs.
By now, it should be obvious what’s different about the latest breach. If not, read on.
High-profile breaches in the past, like the ones that hit Heartland Payment Systems and Fidelity National Information Services, involved theft of payment card information. The current one has gone further and has actually resulted in the loss of money. It's accordingly better known as the “$45M ATM heist” than as a data breach.
Like other past breaches of payment information, this one also began with break-ins at the databases of several payment processors – including ElectraCard Services and EnStage – which hold sensitive card information of banking customers. The first break-in, at ElectraCard Services, happened in December 2012 and the second, involving EnStage, in February 2013. At the time, there was little publicity about these breaches, at least nothing that caught my eye. The real media frenzy began only when the fraudsters who used the stolen information to withdraw money from ATMs were apprehended in NYC about 10 days ago. In other words, this is one of the rare cases of a high-profile data breach that is directly linked to financial losses.
Like the layers of an onion, details of the present incident are being peeled back day by day. I hope we’ll eventually get answers to the following questions:
- Where were the PIN and magstripe data stolen from? (According to its statement, it was not from ElectraCard Services)
- Was the data stolen from the in-house data centers of the payment processors, or was it located on a “cloud” provided by a third-party cloud services company? Although this might seem irrelevant to the common man, it’s necessary to get into these details so that security professionals can plug the right holes.
- Between the time the security breaches reportedly happened (December 2012 / February 2013) and the ATM heists earlier this month, did the banks involved – National Bank of Ras Al-Khaimah PSC and Bank of Muscat – reach out to all affected cardholders and ask them to change their ATM PINs?
- How soon were the withdrawal frequencies and limits reset to their original – and correct – values?
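The questions about withdrawal frequencies and limits are, in practice, questions about what the issuer's monitoring should have caught while the cash-outs were running. As an added illustration (my own example code, not anything from the processors or banks named above), here is a minimal velocity check over ATM authorisation records. The record layout, the limit values and the sample withdrawals are all assumed for the example; the point is that the check compares activity against the intended policy rather than against a limit table that may itself have been altered.

```python
# Added example, not code from the post or from any processor or bank it names.
# Assumed record layout: (card_id, ISO-8601 UTC timestamp, amount, atm_id, country).
from collections import defaultdict
from datetime import datetime, timedelta

# Intended issuer policy per card (values assumed for the example). The check
# below is deliberately independent of whatever limit the authorisation host
# currently holds, since that is the value an intruder would have changed.
LIMITS = {
    "withdrawals_per_hour": 5,      # rolling 60 minutes
    "amount_per_day": 1000.0,       # rolling 24 hours
    "countries_per_day": 1,         # distinct countries, rolling 24 hours
}

# Constructed sample authorisations. card-A shows a cash-out pattern: many
# withdrawals from different ATMs within minutes, then use in a second country.
SAMPLE_WITHDRAWALS = [
    ("card-A", "2013-02-19T21:00:00", 200.0, "atm-001", "US"),
    ("card-A", "2013-02-19T21:05:00", 200.0, "atm-002", "US"),
    ("card-A", "2013-02-19T21:09:00", 200.0, "atm-003", "US"),
    ("card-A", "2013-02-19T21:14:00", 200.0, "atm-004", "US"),
    ("card-A", "2013-02-19T21:20:00", 200.0, "atm-005", "US"),
    ("card-A", "2013-02-19T21:25:00", 200.0, "atm-006", "US"),
    ("card-A", "2013-02-19T23:40:00", 200.0, "atm-100", "JP"),
    ("card-B", "2013-02-19T10:00:00", 100.0, "atm-050", "OM"),
    ("card-B", "2013-02-19T18:30:00", 100.0, "atm-051", "OM"),
]


def group_by_card(records):
    """Parse timestamps and return {card: [(ts, amount, atm, country), ...]} sorted by time."""
    by_card = defaultdict(list)
    for card, ts, amount, atm, country in records:
        by_card[card].append((datetime.fromisoformat(ts), amount, atm, country))
    for events in by_card.values():
        events.sort()
    return by_card


def velocity_alerts(records, limits=LIMITS):
    """Return {card: {rule: (first_trigger_time, observed_value)}} for every
    card whose rolling-window activity exceeds the intended policy.

    Windows are evaluated at each authorisation, looking back from it, so the
    alert time is the first withdrawal that should have been declined."""
    alerts = {}
    for card, events in group_by_card(records).items():
        for i, (ts, _amount, _atm, _country) in enumerate(events):
            seen = events[: i + 1]
            hour = [e for e in seen if e[0] > ts - timedelta(hours=1)]
            day = [e for e in seen if e[0] > ts - timedelta(days=1)]
            observed = {
                "withdrawals_per_hour": len(hour),
                "amount_per_day": sum(e[1] for e in day),
                "countries_per_day": len({e[3] for e in day}),
            }
            for rule, value in observed.items():
                if value > limits[rule] and rule not in alerts.setdefault(card, {}):
                    alerts[card][rule] = (ts, value)
    return {card: rules for card, rules in alerts.items() if rules}


if __name__ == "__main__":
    for card, rules in velocity_alerts(SAMPLE_WITHDRAWALS).items():
        for rule, (when, value) in rules.items():
            print(f"{card}: {rule} exceeded at {when.isoformat()} (observed {value})")
```

Run as written, it flags card-A at 21:25 on both the count and the amount rule (the sixth withdrawal and the twelve-hundredth dollar within the window) and again at 23:40 for use in a second country, while card-B never trips anything. A real issuer would run this against the authorisation stream in real time and decline at the first trigger rather than report afterwards.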
I also hope this incident makes it amply clear to regulators that large-scale frauds happen as a result of breaches of payment processors’ systems, and not when individual cardholders are shopping online and putting through one-off transactions. Keeping this in mind, they should revisit their present approach of trying to prevent fraud by insisting on cumbersome two-factor authentication for online and mobile payment transactions of all values. Such a procedure adds friction and causes heavy shopping cart abandonment (more on that here) while proving futile when sensitive data comes under attack where it is found in bulk. Instead, regulators should shift their focus to ensuring that payment card information is encrypted and stored securely. In this context, the CEO of Heartland Payment Systems set the tone by accepting that, when it comes to the security levels to be maintained by payment processors, PCI certification is necessary but not sufficient.
Article source: http://www.finextra.com/Community/FullBlog.aspx?blogid=7711
LSU Health Shreveport recently began notifying patients that a processing error at Siemens Healthcare, which prints and mails doctors’ bills on behalf of LSU Health, resulted in the exposure of 8,330 patients’ personal information (h/t PHIprivacy.net).
According to an LSU Health statement [PDF file], the organization didn’t discover the issue until patients began calling to say their bills were incorrect.
After an investigation, LSU Health determined that an error in a computer data entry field had caused names and treatment information for one patient to be sent to another patient’s mailing address in 8,330 cases.
LSU Health says no Social Security numbers, birthdates or financial account numbers were exposed.
“LSU Health Shreveport and Siemens have identified the source problem and taken steps to ensure that this issue will not happen again,” LSU health said in a statement [PDF file].
Affected patients have been sent corrected billing statements, and have been asked to destroy the incorrect statements they received.
Patients with questions are advised to call (888) 824-0379 or (318) 675-7550.
After learning that a former employee had stolen patient identities, Community Health Med-check in Speedway, Ind. has notified about 180 patients that their data may have been compromised.
WISH TV in Indiana reports that the employee (who no longer works at Community; it is unknown whether they were fired) was able to gain access to the EHRs of up to 180 people from mid-March to mid-April. But Jean Putnam, Vice President at Community Health Network, which has about 1,200 employees, believes only about 10 patients were affected. The EHR data that was inappropriately accessed included Social Security numbers, dates of birth or credit card numbers.
Though the report says that Community Health sent letters to affected patients alerting them to the crime, there isn’t an exact timeline of when it learned of the breach and how long it took to alert patients. WISH TV did speak to a patient who said there was about a month-long delay between the breach and when he received his letter. Charges against the former employee have yet to be filed, and there was no mention of Community offering credit or identity monitoring.
And while Community Health says that it was a first-time incident and that it will better protect patient data going forward, the way the employee was able to gain entry into these EHRs should be a bit scary for patients. Since Community said nothing about technical safeguards, one is left to assume there were none in place. This looks to be a relatively large network, and one would think its decision-makers have seen all of the health data breaches over the past few years.
How did a financial regulator unknowingly expose the Australian government’s secret internet filtering scheme? What information has Telstra accidentally revealed now? And is Virgin Mobile’s 4G pricing as good as it sounds?
All those questions and more are answered on this week’s Technolatte podcast, as the Australian team discusses:
ASIC’s stuff-up that revealed an internet filtering scheme operating right under our noses
Telstra’s latest data breach
Virgin Mobile’s 4G mobile broadband pricing.
You can subscribe to Technolatte on iTunes.
Running time: 31 minutes, 25 seconds
Article source: http://www.zdnet.com/white-pages-as-a-data-breach-7000015521/
According to the results of a recent Ponemon Institute study commissioned by Solera Networks, the average cost of a malicious data breach has risen to $840,000, with the average cost per record at $222. Still, only 40 percent of organizations surveyed say they have the tools, personnel and funding in place to track down the root causes of a breach.
And most breaches remain undetected for a long time. The Ponemon study found that it takes an average of 80 days to discover a malicious breach — and one-third of malicious breaches aren’t uncovered by the company’s own defenses. They’re only discovered when the company is alerted by law enforcement, a partner or a customer, or they’re simply uncovered by accident.
As a result, Yo Delmar, vice president of GRC solutions at MetricStream, says it’s crucial for companies to become more proactive about planning for a data breach. “As companies become aware they’ve been attacked, they start to develop some sophistication around the processes — but when it first happens, it’s just devastating, because the whole internal organization isn’t calibrated to respond to these kinds of breaches,” she says.
It’s important not only to plan for a breach, Delmar says, but to go one step further by testing that plan in tabletop exercises. “You can’t do this with siloed systems; you need an end-to-end set of interconnected processes around incident management, crisis management and case management, tracking those communications right out to the regulators as you’re reporting what happened,” Delmar says.
Determining Cause of a Data Breach
Rodney Smith, director of information security and field engineering guidance at Guidance Software, says the most important thing to do following a breach is to stay calm and take your time. “Take the system that you’ve determined to be breached, and if at all possible make a forensic image of it so that you can analyze it after you get back online. If you don’t determine what happened, you’ll pay for it in the long run. You could be attacked again from that same vector because you didn’t take the time to analyze how you were attacked and how you can prevent it,” he says.
Particularly for smaller companies, Smith says, it can be tempting to rush that analysis in the effort to get things back up and running. “For the folks with limited resources, where it’s a one-man shop from an IT perspective, that one guy’s already pretty strapped and everybody’s telling him, ‘Hey, we need to get back online and get to work.’ So the smaller folks tend to overlook the need to analyze what actually happened so they can prevent it in the future,” he says.
The point is that it’s much more constructive to see a breach as a learning experience than simply to view it as a failure that’s best forgotten. “Sure, you’re going to take some lumps, but you’re going to come out ahead if you document what you did each time, and learn from each incident going forward so you’re not repeating mistakes over and over again,” Smith says.
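To make Smith's advice concrete, here is an added example (my own code, not anything from Guidance Software or the article) of the acquisition step: copy the suspect volume byte for byte, hash the stream as it is read, then re-hash both the written image and the source so all three digests can be recorded together. On a live Linux host the source would be a block device such as /dev/sdb opened read-only, ideally behind a write blocker (the path is hypothetical); to keep the example runnable offline it images a constructed temporary file instead. The choice of SHA-256 and the layout of the JSON custody record are my assumptions.

```python
# Added example, not code from the article or Guidance Software.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large volumes do not sit in memory


def sha256_of(path):
    """Hash a file in chunks; used to re-verify an image later."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path, examiner):
    """Copy `source` to `image_path`, hashing the stream while it is read.

    Afterwards the written image and the source are hashed again; all three
    digests go into a custody record written beside the image. `verified` is
    True only if they agree, i.e. nothing changed during or after acquisition."""
    stream = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            stream.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    record = {
        "source": source,
        "image": image_path,
        "bytes": size,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "sha256_stream": stream.hexdigest(),
        "sha256_image": sha256_of(image_path),
        "sha256_source_after": sha256_of(source),
    }
    record["verified"] = (
        record["sha256_stream"] == record["sha256_image"] == record["sha256_source_after"]
    )
    with open(image_path + ".json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image_path):
    """Re-hash an image and compare it with the digest in its custody record."""
    with open(image_path + ".json") as f:
        record = json.load(f)
    return sha256_of(image_path) == record["sha256_image"]


def demo():
    """Image a constructed 'device', verify it, then flip one byte of the
    image and verify again. Returns (record, ok_before_tamper, ok_after_tamper)."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "suspect.bin")          # stands in for /dev/sdb
    with open(device, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))             # not a block multiple, on purpose
    record = acquire_image(device, os.path.join(workdir, "suspect.dd"), "examiner-1")
    ok_before = verify_image(record["image"])
    with open(record["image"], "r+b") as f:                # simulate later corruption
        f.seek(100)
        original = f.read(1)
        f.seek(100)
        f.write(bytes([original[0] ^ 0xFF]))
    ok_after = verify_image(record["image"])
    return record, ok_before, ok_after


if __name__ == "__main__":
    rec, before, after = demo()
    print(json.dumps(rec, indent=2))
    print("verified before tamper:", before, "| after tamper:", after)
```

The source hash taken after the copy is the value that matters later: the question you will be asked is whether the image still matches the original evidence, not whether the image matches itself, and a volume that was written to during acquisition (a mounted filesystem, a live database) will show up as a mismatch here rather than as a surprise in court.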
Preparing for the Inevitable Breach
Sophos senior security advisor Chester Wisniewski says keeping extensive logs will make it infinitely easier to recover from a breach. “When I talk to folks, they say, ‘If we were to have an incident, what would be the most important thing?’ And I say, ‘Well, do you have, say, the last four years’ worth of firewall logs?’ And they look at me like I’m a space alien,” he says. “But realistically, that’s what you need.”
When a breach is first detected, Wisniewski says, you’ll need those logs in order to determine when the breach started and what was accessed. “You may have regulatory obligations, you may have financial obligations if you’re a public company — and you need to be able to definitively assess what intellectual property was impacted and what customer data may have been stolen,” he says.
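An added example of what those logs are for (my own code, not from the article or Sophos): given a set of attacker indicators, walk the retained firewall log and bound when contact began, which internal hosts were reached, and how much data went out to the attacker. The log format, the indicator addresses and the log lines are all constructed for the example. The `bounded_by_retention` flag is Wisniewski's point in code: if the first sighting is also the oldest line you still hold, the intrusion may well predate your logs and you cannot claim to know when it started.

```python
# Added example, not code from the article or Sophos. Log format is assumed:
#   <ISO timestamp> fw <ACCEPT|DROP> src=<ip> dst=<ip> dport=<n> bytes=<n>
import re
from datetime import datetime

# Constructed sample lines. 10.0.0.0/8 is the internal network; the attacker
# addresses are taken from documentation ranges for the example.
SAMPLE_LOG = """\
2013-02-03T02:11:09 fw ACCEPT src=198.51.100.77 dst=10.0.5.20 dport=443 bytes=1200
2013-02-03T02:11:40 fw ACCEPT src=198.51.100.77 dst=10.0.5.20 dport=22 bytes=8800
2013-02-03T02:20:01 fw ACCEPT src=10.0.5.20 dst=203.0.113.9 dport=443 bytes=45000000
2013-02-10T14:00:00 fw ACCEPT src=192.0.2.33 dst=10.0.5.21 dport=80 bytes=512
2013-02-12T03:05:17 fw ACCEPT src=10.0.5.20 dst=203.0.113.9 dport=443 bytes=92000000
2013-03-01T09:00:00 fw DROP src=198.51.100.77 dst=10.0.5.22 dport=3389 bytes=0
"""

INDICATORS = {"198.51.100.77", "203.0.113.9"}   # assumed attacker infrastructure

LINE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Yield (ts, action, src, dst, dport, bytes) for each well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["action"], m["src"], m["dst"],
                   int(m["dport"]), int(m["bytes"]))


def scope_intrusion(log_text, indicators):
    """Summarise every line that touches an indicator.

    first/last_contact bound the window; internal_hosts are the inside
    addresses that actually exchanged traffic (DROP lines count for timing
    but not for access); bytes_to_attacker sums accepted outbound volume."""
    oldest_line = None
    first = last = None
    hosts = set()
    bytes_out = 0
    for ts, action, src, dst, _dport, nbytes in parse_log(log_text):
        oldest_line = ts if oldest_line is None else min(oldest_line, ts)
        if src not in indicators and dst not in indicators:
            continue
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
        if action == "ACCEPT":
            hosts.add(dst if src in indicators else src)
            if dst in indicators:
                bytes_out += nbytes
    return {
        "first_contact": first,
        "last_contact": last,
        "internal_hosts": sorted(hosts),
        "bytes_to_attacker": bytes_out,
        # If the earliest sighting is the oldest line retained, the real start
        # is unknown: the retention window, not the attacker, set the bound.
        "bounded_by_retention": first is not None and first == oldest_line,
    }


if __name__ == "__main__":
    for key, value in scope_intrusion(SAMPLE_LOG, INDICATORS).items():
        print(f"{key}: {value}")
```

On the sample, the summary shows one internal host in contact with the attacker for almost a month, roughly 137 MB sent out over two sessions, and a first sighting that coincides with the oldest line retained, which is exactly the answer that should send you looking for older logs before you tell a regulator when the breach began.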
And with different data breach notification laws now in place in almost every state, Wisniewski says, it can be extremely complicated to determine what your notification requirements are. “So generally, what organizations do is they choose the strictest, and they just apply that to everyone — rather than trying to sort out what they’re going to do for their customers in Missouri instead of Idaho,” he says.
Encouraging Breach Reporting and Getting Help
Most importantly, Wisniewski says, all employees should be made to feel comfortable coming forward to report a possible breach. “Inform your employees that if they think something’s wrong, there’s no shame involved; make sure you report it so we know right away,” he says. If and when an employee does so, the IT team should immediately step in and assess the situation, keeping management informed as they go.
And Wisniewski says having a clearly laid out plan for breach response will ensure that the initial process goes as smoothly as possible. “Who do you call? Do you unplug the systems? You need to have a plan in place so that when you discover that you have a problem, everybody doesn’t go into a panic,” he says. “You should have an organized list of steps that you’re going to take, and know who’s responsible for the different parts of the plan.”
Finally, Wisniewski says, don’t assume you can handle it by yourself. “Unless you’re a really large organization, you probably should call in an incident response team if you have an incident that you believe may affect customer or employee information, because the forensic skills required to do the job properly are a lot more than almost any average IT guy has,” he says.
Summing It Up: 5 Key Steps
Develop an end-to-end set of interconnected breach-response processes around incident management, crisis management and case management — and test them regularly. Spell out who is responsible for handling all of the specific steps in your plan.
Don’t rush your analysis. Try to see it as a learning experience, and realize you can use what you learn to avoid future breaches. If you can, get a forensic image of the breached system before you rebuild it.
Maintain extensive activity logs, which will help you meet regulatory obligations.
Encourage your employees to report any suspicious activity. Make sure the IT team follows up and checks out each report.
Call in an incident response team for incidents that may affect sensitive employee or customer information.
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at firstname.lastname@example.org.
While human error is unavoidable from time to time, what healthcare organizations do to minimize the impact of those mistakes with health data goes under the microscope when breaches occur. DENT Neurologic Institute of Amherst, NY recently experienced a data breach and hasn’t explained what (if any) email technical safeguards it had in place at the time, or how it plans on preventing this type of incident in the future.
A DENT office clerk inadvertently emailed 200 people an attachment with personal information of 10,200 patients. Because the organization had exposed that data without technical safeguards, it had to alert each of those patients to explain the data breach. The attachment contained information such as name, address, whether they were an active or former patient, last appointment, visit type, primary care physician, referring physician and email address. DENT called those 200 mistaken recipients on Monday night and asked them to erase the Excel spreadsheet that held the data, and followed that with letters to all 10,200 patients.
Though the data didn’t include medical conditions, birth dates or Social Security numbers, as PHIPrivacy.net said, it’s hard to argue that publicizing patients’ neurologic appointments is a good thing for them.
Additionally, the Buffalo News reports that DENT had to deal with a similar breach recently, when instead of mailing letters only to Catholic Medical Partners physicians, it sent letters to all of the organization’s patients. DENT self-reported the incident to the New York Department of Health.
DENT released this statement in a press release Tuesday, according to WGRZ.com:
“We are very sorry this happened and we deeply apologize to all of our patients, referring physicians and WNY healthcare partners,” Fritz said. “Patient confidentiality is extremely important in our field and we take it very seriously, and we will review how this accident happened so we can take steps to minimize the possibility it could ever happen again. This is an inexcusable event.”
It hasn’t been a good few years for the nation’s biggest telco Telstra when it comes to data breaches. It almost seems like every three to four months, there’s a new chunk of Telstra’s customer data leaked onto the public Internet, and the company has to make yet another apology to those affected, as well as kicking off another ‘review’ of its systems. News of the latest blunder comes from the Sydney Morning Herald, which writes (we recommend you click here for the full article):
“Fairfax found approximately 1677 customer records in one of the spreadsheets, which contained Telstra customers’ names, phone numbers, plan names and home addresses. A further three spreadsheets contained 8201 customer records that contained only names and telephone numbers, but not home addresses.”
Telstra has already attempted to apologise and clean up its mess. The company’s executive director of customer service for its consumer division, Peter Jamieson, writes on Telstra’s Exchange blog today:
“When we learnt some of our customers’ details were publicly available we immediately convened a team to have access to the data removed and commence an investigation. It is not acceptable, under any circumstances, for this to happen. Telstra takes seriously the confidentiality of all its customers’ data – our customers trust us and we recognise the responsibility this trust means to get this right. We have to do everything possible not to breach that trust.
We are still investigating what happened and the team worked round the clock last night looking through the data and trying to pinpoint how this actually happened. While some of the information is generally available, such as names, addresses and telephone numbers and up to six years old, we are acutely aware of the possibility that some of the information may be sensitive to some. We will take all steps to identify these customers and work with them on an individual basis. Additionally we will be contacting all customers whose information was inadvertently made available.
We take our customers’ privacy seriously; we have sophisticated tools and techniques and skilled people working on risks and privacy-related projects protecting the security of our customers’ information. What has happened is unacceptable, I apologise and assure everybody that we’ll find out exactly what has happened here and do everything we can to make sure this does not happen again.
Of course, not everyone believes that Telstra will be able to stop this kind of thing happening in future. Networking engineer and outspoken industry commentator Mark Newton wrote in response to Jamieson’s apology that he didn’t quite believe it:
“Telstra shows a pattern of behaviour around lack of respect for customer privacy, which includes this latest episode, prior examples of confidential information showing up on public websites, shipping customer clickstreams offshore without telling them during product trials, inspecting their communications content with Deep Packet Inspection equipment. We all know that despite fulminations about how this kind of thing mustn’t happen again, it actually will. It’ll keep happening until Telstra implements cultural change to prevent it.”
Personally, I’m willing to cut Telstra a little break when it comes to this kind of thing. After all, when you consider the amount of data that an organisation the size of Telstra actually stores, and how many employees it has, it’s probably surprising that it doesn’t leak bits and pieces more. This doesn’t excuse the practice — the best companies are good at guarding against this kind of thing — but it is useful context.
Image credit: Telstra