Posts Tagged IT security

LSU Health Acknowledges Data Breach

LSU Health Shreveport recently began notifying patients that a processing error at Siemens Healthcare, which prints and mails doctors’ bills on behalf of LSU Health, resulted in the exposure of 8,330 patients’ personal information (h/t PHIprivacy.net).

According to an LSU Health statement [PDF file], the organization didn’t discover the issue until patients began calling to say their bills were incorrect.

After an investigation, LSU Health determined that an error in a computer data entry field had caused one patient’s name and treatment information to be sent to another patient’s mailing address, in 8,330 cases.

LSU Health says no Social Security numbers, birthdates or financial account numbers were exposed.

“LSU Health Shreveport and Siemens have identified the source problem and taken steps to ensure that this issue will not happen again,” LSU Health said in the same statement.

Affected patients have been sent corrected billing statements, and have been asked to destroy the incorrect statements they received.

Patients with questions are advised to call (888) 824-0379 or (318) 675-7550.

Article source: http://www.esecurityplanet.com/network-security/lsu-health-acknowledges-data-breach.html


Community Health sends patients data breach notifications

After learning of a former employee stealing patient identities, Community Health Med-check in Speedway, Ind. has notified about 180 patients that their data may have been compromised.

WISH TV in Indiana reports that the employee (who no longer works at Community but it’s unknown if they were fired) was able to gain access to the EHRs of up to 180 people from mid-March to mid-April. But Jean Putnam, Vice President at Community Health Network, which has about 1,200 employees, believes only about 10 patients were affected. The data in EHRs that was inappropriately accessed included Social Security numbers, dates of birth or credit card numbers.

Though the report says that Community Health sent letters to affected patients alerting them to the crime, there isn’t an exact timeline of when it learned of the breach or how long it took to alert patients. WISH TV did speak to a patient who said there was about a month-long delay between the breach and when he received his letter. Charges against the former employee have yet to be filed, and there wasn’t any talk of Community offering credit or identity monitoring.

And while Community Health says that it was a first-time incident and it will better protect patient data going forward, the way the employee was able to gain entry into these EHRs should be a bit scary for patients. Since Community didn’t say anything about technical safeguards, the assumption can be made that there were none in place. This looks to be a relatively large network and one would think decision-makers have seen all of the health data breaches over the past few years.

Article source: http://healthitsecurity.com/2013/05/17/community-health-sends-patients-data-breach-notifications/


Telstra sprung in customer data breach

A deficit – or surplus? – of fashion sense saw Wayne Swan and Tony Abbott on the same page, for once, while Julia Gillard painted the town, in a fashion.

Article source: http://www.businessspectator.com.au/news/2013/5/17/technology/telstra-sprung-customer-data-breach


White Pages as a data breach


How did a financial regulator unknowingly expose the Australian government’s secret internet filtering scheme? What information has Telstra accidentally revealed now? And is Virgin Mobile’s 4G pricing as good as it sounds?

All those questions and more are answered on this week’s Technolatte podcast, as the Australian team discusses:

You can subscribe to Technolatte on iTunes.

Running time: 31 minutes, 25 seconds

Opening theme: “Ecstasy X” by Jason Shaw, CC3.0

Closing theme: “Skyroads” by Pierlo, CC3.0

Article source: http://www.zdnet.com/white-pages-as-a-data-breach-7000015521/


How to Respond to a Data Breach

According to the results of a recent Ponemon Institute study commissioned by Solera Networks, the average cost of a malicious data breach has risen to $840,000, with the average cost per record at $222. Still, only 40 percent of organizations surveyed say they have the tools, personnel and funding in place to track down the root causes of a breach.

And most breaches remain undetected for a long time. The Ponemon study found that it takes an average of 80 days to discover a malicious breach — and one third of malicious breaches aren’t uncovered by the company’s own defenses. They’re only discovered when the company is alerted by law enforcement, a partner or a customer, or they’re simply uncovered by accident.

As a result, Yo Delmar, vice president of GRC solutions at MetricStream, says it’s crucial for companies to become more proactive about planning for a data breach. “As companies become aware they’ve been attacked, they start to develop some sophistication around the processes — but when it first happens, it’s just devastating, because the whole internal organization isn’t calibrated to respond to these kinds of breaches,” she says.

It’s important not only to plan for a breach, Delmar says, but to go one step further by testing that plan in tabletop exercises. “You can’t do this with siloed systems; you need an end-to-end set of interconnected processes around incident management, crisis management and case management, tracking those communications right out to the regulators as you’re reporting what happened,” Delmar says.

Determining Cause of a Data Breach

Rodney Smith, director of information security and field engineering guidance at Guidance Software, says the most important thing to do following a breach is to stay calm and take your time. “Take the system that you’ve determined to be breached, and if at all possible make a forensic image of it so that you can analyze it after you get back online. If you don’t determine what happened, you’ll pay for it in the long run. You could be attacked again from that same vector because you didn’t take the time to analyze how you were attacked and how you can prevent it,” he says.

Particularly for smaller companies, Smith says, it can be tempting to rush that analysis in the effort to get things back up and running. “For the folks with limited resources, where it’s a one-man shop from an IT perspective, that one guy’s already pretty strapped and everybody’s telling him, ‘Hey, we need to get back online and get to work.’ So the smaller folks tend to overlook the need to analyze what actually happened so they can prevent it in the future,” he says.

The point is that it’s much more constructive to see a breach as a learning experience than simply to view it as a failure that’s best forgotten. “Sure, you’re going to take some lumps, but you’re going to come out ahead if you document what you did each time, and learn from each incident going forward so you’re not repeating mistakes over and over again,” Smith says.

Preparing for the Inevitable Breach

Sophos senior security advisor Chester Wisniewski says keeping extensive logs will make it infinitely easier to recover from a breach. “When I talk to folks, they say, ‘If we were to have an incident, what would be the most important thing?’ And I say, ‘Well, do you have, say, the last four years’ worth of firewall logs?’ And they look at me like I’m a space alien,” he says. “But realistically, that’s what you need.”

When a breach is first detected, Wisniewski says, you’ll need those logs in order to determine when the breach started and what was accessed. “You may have regulatory obligations, you may have financial obligations if you’re a public company — and you need to be able to definitively assess what intellectual property was impacted and what customer data may have been stolen,” he says.
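As an added example (not from the article, and not Sophos’s or Community Health’s code), here is the kind of question retained logs have to be able to answer: from an EHR access audit trail, which user touched which records without a treatment relationship, and over what window. It is the analysis the Community Health incident above would have needed, where a former employee read up to 180 records over about a month, and it is the same "when did it start and what was accessed" question Wisniewski raises. The log format, the relationship table, the threshold and every user and patient identifier below are constructed for illustration.

```python
"""Reconstruct an insider-access incident from EHR audit logs.

Added example, not from the original articles.  The log layout, the
treatment-relationship table and all identifiers are constructed; real
EHR audit trails carry more fields but the same reconstruction applies.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit log: timestamp, user, patient record, action.
# U200 is a clerk who looks up patients she has no care relationship with.
AUDIT_LOG = """\
2013-03-14T09:02:11 U100 P1001 view
2013-03-14T09:05:40 U100 P1002 view
2013-03-15T11:47:03 U200 P1003 view
2013-03-15T11:48:19 U200 P1004 view
2013-03-15T11:49:55 U200 P1005 view
2013-03-18T14:10:01 U100 P1003 update
2013-03-20T16:30:22 U200 P1006 view
2013-04-02T08:12:45 U200 P1007 view
2013-04-10T13:00:09 U200 P1008 view
2013-04-12T10:22:31 U200 P1004 view
"""

# Constructed "legitimate relationship" table: patients each user is
# scheduled to treat or to process billing for.
RELATIONSHIPS = {
    "U100": {"P1001", "P1002", "P1003"},
    "U200": {"P1006"},
}


def parse_log(text):
    """Parse one record per line into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "patient": patient, "action": action,
        })
    return records


def unauthorized_access(records, relationships):
    """Map user -> sorted patients accessed with no care relationship."""
    hits = defaultdict(set)
    for r in records:
        if r["patient"] not in relationships.get(r["user"], set()):
            hits[r["user"]].add(r["patient"])
    return {u: sorted(p) for u, p in hits.items()}


def access_window(records, user, patients=None):
    """First and last time `user` touched the given patients (or any)."""
    times = [r["ts"] for r in records
             if r["user"] == user and (patients is None or r["patient"] in patients)]
    if not times:
        return None
    return min(times), max(times)


def incident_summary(log_text, relationships, threshold=3):
    """Flag users whose unauthorized-access count meets the threshold and
    report the window the breach notification has to cover."""
    records = parse_log(log_text)
    flagged = {}
    for user, patients in unauthorized_access(records, relationships).items():
        if len(patients) >= threshold:
            first, last = access_window(records, user, set(patients))
            flagged[user] = {
                "patients": patients,
                "first": first.isoformat(),
                "last": last.isoformat(),
            }
    return flagged


if __name__ == "__main__":
    for user, info in incident_summary(AUDIT_LOG, RELATIONSHIPS).items():
        print(user, len(info["patients"]), "patients,",
              info["first"], "->", info["last"])
```

The threshold is a blunt instrument; in practice the relationship table comes from scheduling and billing systems and the report is reviewed by a privacy officer before anyone is accused. The point is that none of this is possible if the audit log was never kept or was rotated away before the incident surfaced.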

And with different data breach notification laws now in place in almost every state, Wisniewski says, it can be extremely complicated to determine what your notification requirements are. “So generally, what organizations do is they choose the strictest, and they just apply that to everyone — rather than trying to sort out what they’re going to do for their customers in Missouri instead of Idaho,” he says.

Encouraging Breach Reporting and Getting Help

Most importantly, Wisniewski says, all employees should be made to feel comfortable coming forward to report a possible breach. “Inform your employees that if they think something’s wrong, there’s no shame involved; make sure you report it so we know right away,” he says. If and when an employee does so, the IT team should immediately step in and assess the situation, keeping management informed as they go.

And Wisniewski says having a clearly laid out plan for breach response will ensure that the initial process goes as smoothly as possible. “Who do you call? Do you unplug the systems? You need to have a plan in place so that when you discover that you have a problem, everybody doesn’t go into a panic,” he says. “You should have an organized list of steps that you’re going to take, and know who’s responsible for the different parts of the plan.”

Finally, Wisniewski says, don’t assume you can handle it by yourself. “Unless you’re a really large organization, you probably should call in an incident response team if you have an incident that you believe may affect customer or employee information, because the forensic skills required to do the job properly are a lot more than almost any average IT guy has,” he says.

Summing It up: 5 Key Steps

Develop an end-to-end set of interconnected breach-response processes around incident management, crisis management and case management — and test them regularly. Spell out who is responsible for handling all of the specific steps in your plan.

Don’t rush your analysis. Try to see it as a learning experience, and realize you can use what you learn to avoid future breaches. If you can, take a forensic image of the affected system before restoring it.

Maintain extensive activity logs, which will help you meet regulatory obligations.

Encourage your employees to report any suspicious activity. Make sure the IT team follows up and checks out each report.

Call in an incident response team for incidents that may affect sensitive employee or customer information.

Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at jeff@jeffgoldman.com.

Article source: http://www.esecurityplanet.com/network-security/how-to-respond-to-a-data-breach.html


As Data Breaches Rise, AGs Emerge As Primary Enforcers


Article source: http://www.mondaq.com/unitedstates/x/239490/Data+Protection+Privacy/As+Data+Breaches+Rise+AGs+Emerge+As+Primary+Enforcers


DENT Neurologic Institute informs patients of data breach

While human error is unavoidable from time to time, what healthcare organizations do to minimize the impact of those mistakes with health data goes under the microscope when breaches occur. DENT Neurologic Institute of Amherst, NY recently experienced a data breach and hasn’t explained what (if any) email technical safeguards it had in place at the time, or how it plans on preventing this type of incident in the future.

A DENT office clerk inadvertently emailed 200 people an attachment with personal information of 10,200 patients. Because the organization had exposed that data without technical safeguards, it had to alert each of those patients to explain the data breach. The attachment contained information such as name, address, whether they were an active or former patient, last appointment, visit type, primary care physician, referring physician and email address. DENT called those 200 mistaken recipients on Monday night and asked them to erase the Excel spreadsheet that held the data and followed that with the letter to the 10,000 patients.

Though the data didn’t include medical conditions, birth dates or Social Security numbers, as PHIPrivacy.net said, it’s hard to argue that publicizing patients’ neurologic appointments is a good thing for them.

Additionally, the Buffalo News reports that DENT had to deal with a similar breach recently, when instead of mailing letters to only Catholic Medical Partners physicians, it sent letters to all of the organization’s patients. DENT self-reported the incident to the New York Department of Health.

DENT released this statement in a press release Tuesday, according to WGRZ.com:

“We are very sorry this happened and we deeply apologize to all of our patients, referring physicians and WNY healthcare partners,” Fritz said. “Patient confidentiality is extremely important in our field and we take it very seriously and we will review how this accident happened so we can take steps to minimize the possibilities it could ever happen again. This is an inexcusable event.”

Article source: http://healthitsecurity.com/2013/05/16/dent-neurologic-institute-informs-patients-of-data-breach/


Telstra suffers another data breach


It hasn’t been a good few years for the nation’s biggest telco Telstra when it comes to data breaches. It almost seems like every three to four months, there’s a new chunk of Telstra’s customer data leaked onto the public Internet, and the company has to make yet another apology to those affected, as well as kicking off another ‘review’ of its systems. News of the latest blunder comes from the Sydney Morning Herald, which writes (we recommend you click here for the full article):

“Fairfax found approximately 1677 customer records in one of the spreadsheets, which contained Telstra customers’ names, phone numbers, plan names and home addresses. A further three spreadsheets contained 8201 customer records that contained only names and telephone numbers, but not home addresses.”

Telstra has already attempted to apologise and clean up its mess. The company’s executive director of customer service for its consumer division, Peter Jamieson, writes on Telstra’s Exchange blog today:

“When we learnt some of our customers’ details were publicly available we immediately convened a team to have access to the data removed and commence an investigation. It is not acceptable, under any circumstances, for this to happen. Telstra takes seriously the confidentiality of all its customers’ data – our customers trust us and we recognise the responsibility this trust means to get this right. We have to do everything possible not to breach that trust.

We are still investigating what happened and the team worked round the clock last night looking through the data and trying to pinpoint how this actually happened. While some of the information is generally available, such as names, addresses and telephone numbers and up to six years old, we are acutely aware of the possibility that some of the information may be sensitive to some. We will take all steps to identify these customers and work with them on an individual basis. Additionally we will be contacting all customers whose information was inadvertently made available.

We take our customers’ privacy seriously; we have sophisticated tools and techniques and skilled people working on risks and privacy-related projects protecting the security of our customers’ information. What has happened is unacceptable, I apologise and assure everybody that we’ll find out exactly what has happened here and do everything we can to make sure this does not happen again.”

Of course, not everyone believes that Telstra will be able to stop this kind of thing happening in future. Networking engineer and outspoken industry commentator Mark Newton wrote in response to Jamieson’s apology that he didn’t quite believe it:

“Telstra shows a pattern of behaviour around lack of respect for customer privacy, which includes this latest episode, prior examples of confidential information showing up on public websites, shipping customer clickstreams offshore without telling them during product trials, inspecting their communications content with Deep Packet Inspection equipment. We all know that despite fulminations about how this kind of thing mustn’t happen again, it actually will. It’ll keep happening until Telstra implements cultural change to prevent it.”

Personally, I’m willing to cut Telstra a little break when it comes to this kind of thing. After all, when you consider the amount of data that an organisation the size of Telstra actually stores, and how many employees it has, it’s probably surprising that it doesn’t leak bits and pieces more. This doesn’t excuse the practice — the best companies are good at guarding against this kind of thing — but it is useful context.

Image credit: Telstra


Article source: http://delimiter.com.au/2013/05/16/telstra-suffers-another-data-breach/


Proposed Privacy Law changes must force data breach rethink

Companies in most Western countries must take extreme care to protect any sensitive information they store relating to employees or customers. In Australia and New Zealand, we may soon be held to even higher standards.

NZ Privacy Commissioner Marie Shroff said in her most recent annual report that “Data breach notification isn’t currently required by law, but the Law Commission recently recommended that it should be made compulsory where breaches put people at risk. That would bring New Zealand law into line with practice overseas.”

In Australia, the proposed Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013 would see companies fined for data breaches and force them to notify the Federal Privacy Commissioner, affected consumers, and sometimes even the media when data breaches occur. News of a data breach being splashed around in the media is extremely damaging to an organisation’s reputation.

Where is private data stored?

Even though business leaders are well aware of the need to protect customer’s privacy, the reality for most companies is we don’t always store this information in safe places.

First of all, it’s important to understand that the biggest data leakage threats don’t lie in neatly structured company databases, but in unstructured data such as documents, spreadsheets and email. Because unstructured data is much harder to search, it is challenging for organisations to get a clear picture of what this data contains, where it is stored and who has access to it.

Many organisations make two damaging assumptions when it comes to data leakage. The first is believing they only need to worry about privacy if they are hacked. Unfortunately, employees can easily leak information, either maliciously or inadvertently. People often make “convenience copies” and store sensitive information in file shares or email it to their personal accounts. They may also take it outside the firewall using personal laptops, smartphones, cloud storage services, flash drives or email again.

The second assumption is that it would be equally as hard for anyone else to find sensitive information stored in their systems, and because of the resources required to trawl through the millions of emails and files to find evidence of privacy breaches, they simply don’t.

Again, this is a poor assumption because a person who gets hold of your data only needs a small amount of the wrong information to cause you grief. Also, they may have got hold of it by means other than searching, such as a leak or accidentally being released in a court case or complying with a regulatory investigation.

Real-world examples

We recently cleansed more than 10,000 items of personally identifiable information, personal health information and credit card numbers from the Enron PST Data Set published by EDRM. This is a worldwide standard set of test data for electronic discovery practitioners and vendors, which was released to the public following the US government investigation into the collapse of energy firm Enron.

Our investigation unearthed 60 items containing credit card numbers, including departmental contact lists that each contained hundreds of individual credit card numbers; 572 items containing Social Security or other national identity numbers, thousands of individuals’ identity numbers in total; 292 items containing individuals’ dates of birth; and 532 items containing information of a highly personal nature such as medical or legal matters.

Our analysis also showed a considerable number of these items had been sent outside the company, for example, by employees forwarding details to their personal email addresses.

While companies today are more aware than Enron was about the need to protect private data, there are also more opportunities for this information to be stored inappropriately. We have conducted sweeps for private and credit card data in unstructured information stores for dozens of customers and are yet to encounter a single data set without some inappropriately stored personal, financial or health information.

Locate and remediate privacy risks

Recent technology advances have made it much easier for companies to index large volumes of unstructured data and locate improperly stored sensitive information within it. The methodology we used to identify the personal and financial data in the Enron data can be applied to any corporate data set.

The crucial first step is indexing the most relevant data sources, capturing all text and metadata. This would most likely include email, network file shares, collaboration systems and individual computers.

With a complete index of this data, common investigative steps include:

Using pattern matching to identify and cross-reference sensitive information such as credit card numbers, dates of birth and addresses.

Searching for names, phrases or email address domain names that could indicate personal legal or health discussions, online purchases or other private matters.

Creating network maps and timelines to identify communication patterns and understand messages and documents in the context of external events.

Conducting ‘near duplicate’ analysis to find similar and related content and put together conversation threads.

Once you understand what is in your data stores and where the biggest threats lie, you can delete the high-risk data or move it somewhere that has appropriate encryption and access controls.
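As an added illustration of the sweep described above (example code, not Nuix’s own), a small Python scanner that runs the pattern-matching step over already-indexed mail items, validates card-number candidates with a Luhn check to cut false positives, masks what it finds, and records items that were sent to addresses outside the company domain, the forwarding-to-personal-email pattern the article reports. The corporate domain, the item layout and the sample messages are constructed for this example.

```python
import re
from dataclasses import dataclass, field
CORP_DOMAIN = "example-corp.com"  # assumption: the organisation's own mail domain
# Candidate patterns; each hit is then validated or context-checked to cut false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, spaces/dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # US Social Security number layout
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\b\D{0,12}(\d{1,2}/\d{1,2}/\d{2,4})", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops invoice/reference numbers that merely look like card numbers."""
    total = sum((d * 2 - 9 if d * 2 > 9 else d * 2) if i % 2 else d
                for i, d in enumerate(int(c) for c in reversed(digits)))
    return total % 10 == 0

@dataclass
class Finding:
    item_id: str
    cards: list = field(default_factory=list)  # masked to the last four digits
    ssns: list = field(default_factory=list)   # masked to the last four digits
    dobs: list = field(default_factory=list)
    external_recipients: list = field(default_factory=list)

def scan_item(item_id: str, _sender: str, recipients: list, body: str) -> Finding:
    """Pattern-match one indexed item and note whether it left the company."""
    f = Finding(item_id)
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            f.cards.append("*" * (len(digits) - 4) + digits[-4:])
    f.ssns = ["***-**-" + s[-4:] for s in SSN_RE.findall(body)]
    f.dobs = DOB_RE.findall(body)
    f.external_recipients = [r for r in recipients
                             if r.rsplit("@", 1)[-1].lower() != CORP_DOMAIN]
    return f

def sweep(items: list) -> list:
    # Keep only items holding at least one sensitive element.
    return [f for f in (scan_item(*it) for it in items) if f.cards or f.ssns or f.dobs]

def summarise(findings: list) -> dict:
    """Item counts per category, the shape of the figures quoted in the article."""
    keys = ("cards", "ssns", "dobs", "external_recipients")
    return {k: sum(1 for f in findings if getattr(f, k)) for k in keys}
# Constructed sample items (id, sender, recipients, body); not real data.
SAMPLE_ITEMS = [
    ("msg-001", "alice@example-corp.com", ["bob@example-corp.com"],
     "Dept contact list attached. Corporate card 4111 1111 1111 1111, exp 09/14."),
    ("msg-002", "bob@example-corp.com", ["bob.home@mailbox.example"],
     "Forwarding for my records. SSN 123-45-6789, DOB: 03/14/1971."),
    ("msg-003", "carol@example-corp.com", ["dave@example-corp.com"],
     "Invoice ref 1234 5678 9012 3456 (fails Luhn, so not a card), meeting at 10am."),
]

if __name__ == "__main__":
    print(summarise(sweep(SAMPLE_ITEMS)))
```

Findings are masked at capture time so the report itself does not become another copy of the sensitive data.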

Being proactive about privacy protection

Almost every organisation has personal data stored inappropriately. The increasing burden of privacy and data breach regulations, on top of a duty of care to keep this highly sensitive information safe, makes it an unacceptable risk.

By taking a more proactive approach and using the latest technology to understand what lies within your data sources now, you can keep sensitive information safe, for the sake of your customers, employees and ongoing business success.

Eddie Sheehy is the CEO of Nuix, a developer of eDiscovery, electronic investigation and information governance software.

Article source: http://idm.net.au/article/009566-proposed-privacy-law-changes-must-force-data-breach-rethink


IT Pro

May 16, 2013 – 2:06PM

Ben Grubb, Deputy technology editor
Telstra doesn’t have the best track record for keeping data secure. Photo: James Davies

The personal information of thousands of Telstra customers has been found online using a Google search.

Lee Gaywood, 31, of Chelsea Heights in Victoria, contacted Fairfax Media about the information being freely accessible to anyone online after conducting a specific Google search that turned up Telstra spreadsheets.

The owner of marketing business SMS Broadcast, Mr Gaywood said he found the data when he was searching Google for telco carrier access codes, which he needs to know for his SMS service to work.

The data in one of the spreadsheets.

Data discovered included customer names, telephone numbers and in some cases home and business addresses.

“I couldn’t really believe what I was looking at when I found the data,” Mr Gaywood said. “I’ve worked in telcos before and I know that this sort of data should be kept very private and customers would expect it to be secured.”

He said he stumbled across the data after entering into the Google search field “Telstra” and two other search terms, which Fairfax has chosen not to name as the spreadsheets may still be cached on Google’s search engine.

Telstra took the files offline after being notified of the breach by Fairfax at about 4pm on Wednesday.

Fairfax found approximately 1677 customer records in one of the spreadsheets, which contained Telstra customers’ names, phone numbers, plan names and home addresses. A further three spreadsheets contained 8201 customer records that contained only names and telephone numbers, but not home addresses.

The spreadsheets also contained internal Telstra reference numbers relating to customer accounts. Other internal Telstra training documents were also found online via a similar Google search to Mr Gaywood’s.

The data appeared to be hosted on a server not belonging to Telstra but a third-party it uses.

Telstra executive director of customer service, Peter Jamieson, thanked Fairfax for alerting it to the issue. He said the breach was “concerning” and that the data should not have been in the public domain.

“This is unacceptable,” Mr Jamieson said. “We take very seriously the confidentiality of our customers’ information and we will take all steps to ensure we protect that information. [I'm] very disappointed about the fact that we have made available information about our customers on this occasion.”

Telstra was investigating exactly how the data was made available outside of its network, he said.

He added that the data appeared to be in some cases several years old but that it didn’t excuse it to be online.

Mr Jamieson has since published a blog post explaining the breach.

Australian IT security researcher Troy Hunt said some of the customers whose telephone numbers were listed in the spreadsheets may have had silent numbers which they would have wanted to have been kept private.

He said the customer data could potentially be used by someone with malicious intent to socially engineer, or trick, a Telstra call centre representative into disclosing more customer information.

For example, the data could enable a person to “establish authenticity” with a Telstra call centre, Mr Hunt said, especially considering the data confirmed a person was a customer and also revealed what plan they were on.

Comment is being sought from the Office of the Australian Information Commissioner, which polices data breaches in Australia. 

Telstra’s data breach record

Telstra hasn’t had the best track record for keeping customer information private and has had a number of customer data breaches in recent years. The number of privacy breaches it has had prompted its CEO, David Thodey, to email all staff in July last year telling them that breaches ”must not happen again”.

He said breaches were affecting the telco’s reputation and said staff should inform their manager “as a matter of urgency” should they have concerns with anything that threatens the privacy of Telstra’s customers.

In December 2011 an internal Telstra portal containing the details of almost 800,000 customers was found to be exposed on the public internet without password protection. The telco was also criticised in July 2012 for sending without permission to a company in Canada the URLs that its Next G network customers visited. In November 2010 another 3000 customers’ data was breached.

In April 2010 another Telstra breach exposed details of about 700 customers and in November 2010 another 3000 customers had their data exposed. In October 2010 another breach involved the telco botching a mail merge by sending out 220,000 letters containing account information belonging to other customers.

More recently, in May 2013, another breach, concerning about 35,000 customers, affected BigPond Games account holders.



    75 comments so far

    • Guess that’s what you get when you outsource all your IT to India…
      JohnW, May 16, 2013, 10:54AM

      • TSA is based in Perth. The file was hosted on custhelp.com which is owned by Oracle.
        ek, May 16, 2013, 12:10PM

      • Your Windows is broken, I need to log on to fix it.
        Dave, May 16, 2013, 12:18PM

      • “We take very seriously the confidentiality of our customers’ information”…. we make a fortune packaging it up and on-selling it and we don’t want people able to access it via a simple Google search!
        Dan, Melbourne, May 16, 2013, 12:29PM

      • Guess that’s what happens when you hire “only good at (maybe) call centre specialists” in Aus.
        gtechies, May 16, 2013, 12:31PM

      • I think it is amusing. Comes back to the good old saying that you get what you pay for… Watch soon, Aus Post will be in the paper as well as they are beginning to outsource to Capgemini.
        Grizza8, May 16, 2013, 12:45PM

      • Because Australian workers would NEVER make such a mistake…… /sarcasm
        RobJ, May 16, 2013, 12:51PM

      • LOL Dave, my wife got these calls all day yesterday. I have had them 3 times in the past, all within 2 weeks of contacting Telstra. I try to string them along for as long as possible. Got 40 minutes out of one.
        KM, May 16, 2013, 12:52PM

      • Agreed
        lol, May 16, 2013, 1:02PM

    • And Telstra wants us to trust their cloud computing. Major outage on Apr 3. Just waiting for them to have a major data breach of highly sensitive customer data. Can we even trust them with our video membership passwords?
      mtb, May 16, 2013, 11:00AM

      Article source: http://www.smh.com.au/it-pro/security-it/oops-google-search-reveals-private-telstra-customer-data-20130516-2jnmw.html
