
Thursday, October 04, 2007


MY LATEST STROLL DOWN "PERSONAL DATA BREACH" MEMORY LANE


It is my practice to let the personal data breaches pile up, and then I cull out the most significant of the bunch and report them to you, just in case you may have missed these important incidents. This time I go back to June of this year and the theft of a storage device from an Ohio government intern’s car with 64,000 state employees’ personal information including Social Security numbers. (See Story) But according to a story in The Columbus Dispatch, the significance of the occurrence was downplayed from the beginning. Ohio Republicans called it a “cover-up” since Gov. Ted Strickland is a Democrat.

Next, there were the computers stolen from the Yale College Dean’s office in July, compromising the names and Social Security numbers of 10,000 current and former students, faculty and staff. The Yale Daily News reported “The lost files had not been maintained for any purpose,” and “were overlooked in the University’s efforts at reducing the amount of personal information it holds.” Just when you thought you’d heard it all. Approximately 25 percent of all data breaches nationwide happen in places of higher learning, which qualifies this area as critical in the identity crisis.

And then came Certegy’s breach of 8.5 million customer checking account and credit card records, also in July. I did two posts on this you can read here and here. Certegy is a subsidiary of Fidelity National Information Services, a financial processing company that provides solutions supporting financial services companies throughout the world. It is alleged that a senior employee by the name of William G. Sullivan heisted the records and sold them through a company he owned to junk mailers. This is a case of companies buying consumers’ sensitive data without checking its source, and from my experience as a junk mail data broker, that is irresponsible.

But here is the most bizarre case I have heard of in a long time.
The Russian connection targets wealthy Americans with high home equity loan reserves, and has stolen $1.5 million from their accounts with attempts to steal another $10.7 million, according to Technology News Daily. The conspiracy ringleader is a 24-year-old Russian named Igor Klopov from Moscow who scammed, among others, the head of a major credit reporting agency. He had four accomplices spread out all over the country, all of whom have now been indicted as of August 17. Maybe now we can get the attention of the Experian, Equifax, and TransUnion people, but I won’t hold my breath. It sounds like a James Bond novel with the likes of the US Secret Service, NYPD, and the Manhattan District Attorney’s Identity Theft Unit involved. One bright spot in the scam was JP Morgan/Chase bank’s alertness that stopped one of the transactions before the money was taken.

Johns Hopkins Hospital in Maryland had a computer stolen in July with over 5 thousand patients’ names, SS#s, birth dates, medical histories, and other personal information, as reported by the Baltimore Sun. It took more than five weeks before the victims were alerted of the theft.

The University of Kansas was apparently not very vigilant in disposing of personal records containing SS#s, addresses, insurance details and student grades. The U. newspaper the Kansan says in their September story that no less than four other breaches have occurred.

The Gap had 800,000 job applicant personal records including SS#s and other private information taken in the theft of a laptop from a third-party vendor in September, says MSNBC.com. Other Gap stores include Old Navy, Banana Republic, and Outlet stores in Puerto Rico and Canada.

But the prize-winner is the alleged charge by an attorney that Ameritrade online brokerage lost personally identifying information to hackers for some 6.3 million customers.
The class-action lawsuit filed last May against the company also alleges it knew of the breach a year ago (last November), but kept pumping user information into the breached database. The story appeared on InformationWeek.com on September 17, 2007, and quotes security company Sophos as warning Ameritrade users “to be on ‘red alert’ against targeted spam attacks.” Personal data taken was names, e-mail addresses, phone numbers and home addresses. By masquerading as Ameritrade, the phishing underground could have a field day with this one.
