Group items tagged

Data breaches are running at record levels, according to the San Diego-based Identity Theft Resource Center, a non-profit that tracks cybercrime. ITRC says it recorded 342 data breaches from Jan. 1 through June 24, up 69% from the same period in 2007. But, like the origins and perpetrators of so many individual data breaches, mystery also lies behind the aggregated numbers. "I'm not sure that this says breaches are increasing," ITRC founder Linda Foley tells Digital Transactions News. "What we know is the reporting of breaches is increasing." A handful of states now require some disclosure of data breaches to authorities, Alaska being the most recent. And some companies that have been hacked are starting to report breaches voluntarily, Foley says. While data breaches can compromise all manner of personal and business records, they often involve credit and debit card data and bank-account information. ITRC lists five major categories of breached entities, with the so-called banking/credit/financial sector accounting for 10% of 2008's breaches. Businesses, which include physical and Internet retailers, insurance companies and other private enterprises, accounted for 36.8%. Schools accounted for 21.3%; government and military facilities, 17%; and health-care facilities, 14.9%. IRTC also categorizes breaches by how they happened, such as through hackings-break-ins into computers and related systems, insider thefts, data lost in physical transit, and by other methods. The number of 2008 hackings through late June in the banking/credit/financial category was 10-double the five for all of 2007. The estimated number of records compromised as a result was 227,864. In 2007, the reported number of compromised records at financial institutions through hackings was 83,500. But Foley says not to put too much stock in the records numbers because so many breached organizations don't know or fail to report the number of compromised records when they report a bre

There are many websites that sell or provide for free, personal information about individuals. This information is gathered from many sources including white pages listings (directory assistance), publicly-available sources and public records. * Data vendors that offer an opt out policy * Data vendors that do not offer an opt out policy Directory Listings: To prevent the cross-referencing of your address with your phone number, you can choose to not have your information available in the phone book or through directory assistance. If your number is "unlisted," your name, address and phone number will not be printed in the phone book, but the information is available through both directory assistance and reverse directory assistance. If your number is "unpublished," your information will not be printed in the phone book and is not available through directory assistance or reverse directory assistance. Or you can list your name and phone number, but not your address. Telephone companies usually charge a monthly fee to be unlisted or unpublished. Public Records: Please note that public records are often that--public. Web sites that provided personal information gathered from various sources are not required to offer a way to have that information removed or suppressed, though many will as a courtesy. The table below notes many of the more common online providers of public and non-public information that do offer an opt out mechanism. The opt out notes below usually only apply to non-public information. Not all web sites that sell personal information allow individuals to have their information removed or suppressed. Check the privacy policy of the site to see if they offer an opt-out mechanism. If one is provided, ask the online data broker for clarification on whether opting out also applies to public records information they may maintain. Some online data vendors will request information from you (such as your Social Security number or date of birth) to proce

A defunct payment gateway has exposed as many as 19,000 credit card numbers, including up to 60 Australian numbers. The discovery by a local IT industry worker was made by mistake and appears to be caused by a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone. The cached data, viewed by iTnews, includes 22,000 credit card numbers, including CVVs, expiry dates, names and addresses. Up to 19,000 of these numbers could be active. Most are customers in the US and Britain although some are Australian. The credit card numbers are for accounts held with Visa, Mastercard, American Express, Solo, Switch, Delta and Maestro/Cirrus. Within the address bars of the cached pages are URLs of companies, including UK retailers of laboratory supplies, sports and health goods, apparel, photo imaging and clothing.

With identity theft on the upswing, Aram Langhans thought he was simply being prudent when he asked the Yakima Heart Center to remove his Social Security number from its files. "They had my insurance card and my driver's license. What else did they need?" said Langhans, a retired public school teacher insured by Group Health. Langhans said he was initially hooked up to a portable heart monitor that he was to wear for 24 hours, but the disagreement over his Social Security number prompted upper-level personnel to change their minds. He said moments after the device was attached, he was sent to a restroom to remove it and turned away. Shawnie Haas, administrator of the Heart Center, an independent outpatient group practice, declined to discuss the incident. But she said in an e-mail statement that the practice protects patients' privacy. "The Yakima Heart Center is careful to collect data pertinent to ensuring accuracy of our patient's medical record. Routine information collected for all patients includes name, address, date of birth, Social Security number, gender, and other specific information that helps us verify that individual's identity and insurance enrollment or coverage data. We are careful to maintain confidentiality of all patient information in our system." According to state and federal regulators, private insurance companies have moved away from using Social Security numbers for patient identification. But health-care providers in the Yakima Valley say they routinely collect them as "backup" in the event that patients' insurance doesn't pay the claim.

Woonsocket-based CVS Caremark Corp., the largest U.S. drugstore chain, has agreed to pay $2.25 million to settle federal charges that company employees compromised customer privacy by throwing prescription records and drug bottles into open trash bins. The Federal Trade Commission said its investigation with the Health and Human Services Department followed media reports that trash bins behind CVS pharmacies contained pill bottles bearing patient names, credit-card and insurance information, and Social Security numbers. The company also did not have adequate policies for disposing of that information, and did not sufficiently train employees to dispose of the information properly, the agencies said. The items that were not properly discarded included pill bottles, medication instruction sheets, computer order forms, payroll information, job applications and credit-card and insurance information. Those labels and forms contained personal information including Social Security numbers and credit card and insurance information, and in some cases, driver's license numbers and account numbers. Names of the patients' doctors were also included. The settlement "will restore appropriate privacy protections to tens of millions of people across the country," FTC chairman William Kovacic said in a statement. "It also sends a strong message" that organizations "are required to secure consumers' private information," he said.

A federal judge said he will decide in the next few days whether supermarket giant Hannaford Bros. is potentially liable for damages because of a data breach that exposed more than 4 million credit and debit card numbers to computer hackers. Judge D. Brock Hornby heard arguments on Wednesday at U.S. District Court. Attorneys for Hannaford asked the judge to dismiss the lawsuit, which was filed against the Scarborough-based company last year. Attorneys for the plaintiffs said Hornby should certify the case as a class-action suit and let it proceed toward trial. The upcoming ruling will determine whether parts or all of the suit will go forward. The case boils down to a couple of central questions: To what extent are merchants responsible for securing the electronic data that gets processed with every noncash purchase, and what should the consequences be when that data is stolen? "These are fascinating and difficult issues," Hornby said after hearing the arguments Wednesday. "I'll get a written decision out to you as soon as I can." Between Dec. 7, 2007, and March 10, 2008, hackers stole credit and debit card numbers, expiration dates and PIN numbers from people shopping at Hannaford supermarkets. The grocery chain operates more than 200 stores under various names in New England, New York and Florida. More than 4 million card numbers were exposed, and by the time Hannaford publicly announced the breach, on March 17, 2008, about 1,800 fraudulent charges had been made.

On June 25, 2011, the Social Security Administration (SSA) will began assigning random Social Security Numbers (SSN). The current numbering process had been in place since it was created in 1936.

"Medical records for about 15,500 Northern California Kaiser patients - about 9,000 of them in the Bay Area - were compromised after thieves stole an external drive from a Kaiser employee's car last month, Kaiser officials said Tuesday." Kaiser officials said the electronic device contained patients' names, medical record numbers and possibly ages, genders, telephone numbers, addresses and general information related to their care and treatment. No Social Security numbers or financial information was contained on the drive, and Kaiser officials said there's no evidence that the information has been used inappropriately. The device was not encrypted, but some of the information was password protected. Kaiser has sent letters to the 15,500 members and the employee, who Kaiser would not identify, has been fired.

Another hospital employee fired for inappropraite access of medical records. More damage to a medical group reputation because someone failed to get the message.

"A CEO who publicly posted his Social Security number on billboards and TV commercials as part of a campaign to promote his company's credit monitoring services was the victim of identity theft at least 13 times, a news report says. The Phoenix New Times reported that Todd Davis, CEO of LifeLock Inc., which is based in Tempe, Ariz., was victimized numerous times by identity thieves who apparently used his Social Security number to commit various types of fraud. Davis has previously admitted that he was the victim of an identity theft once in 2007, when a man in Texas used his Social Security number to take out a $500 loan which wasn't repaid and ended up being handled by a collection agency. The New Times reported that Davis has been a victim of similar ID theft at least a dozen more times."

Might not want to put much stock in Lifelock.

"Nearly every practicing doctor in the United States is being warned that their identities might have been stolen when the laptop of an employee of an insurance trade group was snagged from a car in Chicago. The laptop contained business and personal information such as Social Security numbers, addresses and certain identification numbers on the laptop of an employee from the Chicago-based Blue Cross and Blue Shield Association, a trade group for the nation's Blue Cross health insurance plans. The association confirmed that an employee "broke protocol and transferred to a personal laptop" information that was stolen in late August. No patient information was on the database, and so far, no doctor has reported a security breach. However, nearly 20 percent of the doctors listed in the database have their Social Security numbers as their medical-care provider identification, putting these health professionals at risk for identity theft, according to an article in the Chicago Tribune."

IT and business both understand the need to protect regulated customer and business data -- so long as they're in business, analysts say. Here's a look at how some folding businesses are falling short protecting data and the possible liabilities for the IT group and CIO. From HIPPA to Sarbox, a slew of regulations to protect customer and employee data force CIOs to step lively to comply. The punishment for failure to do so is costly and even dire. But once a company folds-and more are folding every week given the economy-what happens to that data? Who in the business and IT could be hit by the splatter if it all hits the fan? "Certain companies have been disposing of records containing sensitive consumer information in very questionable ways, including by leaving in bags at the curb, tossing it in public dumpsters, leaving it in vacant properties and/or leaving it behind in the offices and other facilities once they've gone out of business and left those offices," says Jacqueline Klosek, a senior counsel in Goodwin Procter's Business Law Department and a member of its Intellectual Property Group. "In addition, company computers, often containing personal data, will find their ways to the auction block," she adds. "All too often, the discarded documents and computer files will sensitive data, such as credit card numbers, social security numbers and driver's licenses numbers. This is the just the kind of data that can be used to commit identity theft." Discarded and unguarded data is now low-hanging fruit for criminal harvesters and corporate spies. "Recent client activity supports that competitors are beginning to buy up such auction devices specifically with the intention of trying to salvage the data," says James DeLuccia, author of IT Compliance & Controls. "Hard drives are being removed and sold online, or whole servers are sold via Craigslist and Ebay." In some cases, the courts insist data be sold during a bankruptcy. "Company servers, once I restore

Hackers broke into the Federal Aviation Administration's computer system last week, accessing the names and national identification numbers of 45,000 employees and retirees, a union leader says. Tom Waters, president of American Federation of State, County and Municipal Employees Local 3290, said FAA officials briefed union leaders Monday about the security breach. FAA spokeswoman Laura Brown confirmed the agency's computers were hacked last week. Story continues below ↓advertisement | your ad here Waters said union leaders were told hackers gained access to two files. One file had the names and Social Security numbers of 45,000 employees and retirees on the FAA's rolls as of February 2006. Social Security is the U.S. government-directed pension system, and in the absence of a national identity card, other people's social security numbers can be used to steal identities for illicit purposes. Waters said the other file contained medical information that was encrypted. "These government systems should be the best in the world, and apparently they are able to be compromised," said Waters, an FAA contracts attorney. "Our information technology systems people need to take a long hard look at themselves and their capabilities. This is malpractice in their world." FAA officials told union leaders the incident was the first of its kind at the agency. But Waters said his union complained about three or four years ago about an incident in which employees received anti-union mail that used names and addresses that appeared to be generated from FAA computer files.

One of the nation's largest time-share companies is going to be shelling out nearly a $1 million for making phone calls to people on the national "Do Not Call" list, federal regulators said Tuesday. Westgate Resorts, based in Orlando, Fla., was named in a complaint filed on behalf of the Federal Trade Commission. The agency alleged that Westgate and two other companies placed thousands of telemarketing calls to people on the list. The FTC says Westgate has agreed to pay $900,000 to settle the charges. The commission on Tuesday also announced a $275,000 settlement with another Florida-based travel company, Accumen Management Services Inc., and its subsidiary, All in One Vacation Club, LLC. The company made telemarketing calls to consumers who had filled out entry forms for a sweepstakes to win vacation packages. Many of those called, the FTC said, were on the Do Not Call registry and did not agree to receive the telemarketing pitches for timeshares and vacation getaways. In the case of Westgate, the agency received several thousand complaints from consumers. The commission said Westgate bought phone numbers from an Internet-based lead generator that collected contact information in connection with offerings on its Brandarama.com web site. The two other companies named in the Westgate complaint are: Central Florida Investments Inc., and CFI Sales and Marketing, LLC., which both did telemarketing for Westgate. The combined fines of $1.17 million will go to the U.S. Treasury. Calls to Westgate and Accumen seeking comment were not immediately returned. The latest enforcement actions bring to 40 the number of Do Not Call cases the government has filed against companies since the registry began in June 2003. The biggest case to date involved satellite television provider DirecTV Inc., which paid a $5.3 million settlement. More than 167 million phone numbers have been placed on the Do Not Call registry.

Heartland Payment Systems, the sixth-largest payments processor in the U.S., announced Monday that its processing systems were breached in 2008, exposing an undetermined number of consumers to potential fraud. Meanwhile, Forcht Bank, one of the 10 largest banks in Kentucky, told its customers it would begin reissuing 8,500 debit cards after being informed by its own card processor of a possible breach. In the case of Heartland, while the company continues to assess the damages inflicted by the attack, Robert Baldwin, the company's president and CFO, says law enforcement has already noted that the attack against his company is part of a wider cyber fraud operation. "The indication that it is tied to wider cyber fraud operation comes directly from conversations with the Department of Justice and the U.S. Secret Service," Baldwin says. The company says it believes the breach has been contained. Heartland, headquartered in Princeton, NJ, handles approximately 100 million transactions per month, although the number of unique cardholders is much lower. "It is still a question as to the percentage of the data flow they were able to get," Baldwin says, adding he would not speculate on the number of cards potentially exposed. Specifics surrounding when the breach occurred are still being analyzed. But Baldwin says two forensic auditing teams have been working on the breach analysis and investigation since late 2008, after Heartland received the notification from Visa and MasterCard. The investigation began immediately after the credit card companies told Heartland they saw suspicious activity surrounding processed card transactions. Described by Baldwin as "quite a sophisticated attack," he says it has been challenging to discover exactly how it happened.

While the recession injured many industries in 2008, health care was one of the few bright spots in the employment picture, growing by 372,000 jobs last year, according to the U.S. Bureau of Labor Statistics' January 2009 Employment Situation Summary. The large aging population has health care employers in need of qualified workers: stat. Therefore, despite the current economic conditions, health care employers will continue to increase staff in 2009, according to CareerBuilder.com's annual health care hiring forecast, conducted online within the U.S. by Harris Interactive. Close to one-in-five (17 percent) of large health care employers (50 or more employees) plan to increase the number of full-time, permanent employees in 2009, while 67 percent foresee either making no change in the number of employees or are unsure. Sixteen percent plan to decrease the number of employees. "The health care industry continues to boast high demand for qualified workers. Employers are reacting to this need by continuing strong recruiting efforts this year," says Jason Ferrara, vice president of corporate marketing for CareerBuilder.com. "Half of health care employers, the highest among industries we surveyed, have open positions for which they can't find qualified candidates. In response, health care employers will have to adjust their recruitment and retention strategies to find and keep top talent."

SAN JUAN, Puerto Rico-An identity-theft ring that catered to illegal immigrants seeking to establish themselves in the U.S. stole the personal data of 7,000 public school children in Puerto Rico, officials said Tuesday. Members of the ring broke into about 50 schools across the U.S. island territory over the past two years to steal birth certificates and Social Security numbers to sell to the illegal immigrants, the FBI and other agencies announced at a news conference. The victims were largely unaware their information had been stolen-and likely would not have learned of the thefts until they became adults and tried to buy something on credit, said assistant U.S. Attorney Julia Diaz Rex. "A kid is going to have a perfect credit history," Diaz said. "They reach 18, 20 years of age. They go buy a car and their credit is damaged." The authorities did not disclose how they uncovered the ring but said seven people have been arrested and one more is being sought. At least some of them were illegal immigrants from the Dominican Republic. Investigators determined the birth certificates and Social Security numbers were sold as a package in a number of states including Texas, Alaska and California, for up to $250, authorities said. Two suspects are accused of possessing nearly 6,000 birth certificates and Social Security cards. One was accused of intending to sell 40 Social Security cards for nearly $3,000, while another was seeking the same amount for 12 cards. The suspects in custody were being held on charges that include aggravated identity theft and social security fraud and face up to 15 years in prison, said U.S. Attorney Rosa Emilia Rodriguez. One suspect had been previously arrested for the kidnapping of a Dominican man last year that led to the shooting of a police officer during an FBI raid, said Luis Fraticelli, special FBI agent in charge of Puerto Rico. It is unclear if other members of the ring are at large, and whether they received help from sch

Four HIV-positive patients whose records were left behind on an MBTA train by a Massachusetts General Hospital employee are suing the hospital, claiming their privacy has been breached. In March the hospital notified 66 patients who received care at its Infectious Disease Associates outpatient practice that billing records bearing their names, Social Security numbers, doctors, and diagnoses had been lost by a manager who was riding the Red Line. She had brought the paperwork home for the weekend, but left it on the train when she returned to work the morning of Monday, March 9, according to hospital security reports. Last week two patients who are HIV-positive filed a suit in Suffolk Superior Court against the hospital and the unidentified billing manager. The unnamed plaintiffs have been joined by two other HIV-positive people. The legal action was first reported in the weekly newspaper Bay Windows. Their lawyer, John Yasi of the Salem law firm Yasi and Yasi, said in an interview he has filed a motion to make the suit a class action that could cover all 66 patients, a significant number of whom are also HIV-positive. "The damages that jump out are the emotional distress surrounding the loss of obviously very sensitive medical information and secondarily the loss of personal security information," he said. "A Social Security number in reality may lead to identity theft, which we all know is a nightmare."

The state's highest court told Bergen County yesterday to release 8 million pages of real estate documents -- including mortgage information -- to fulfill a request filed under the state's public records law, but that Social Security numbers included in them must be kept private. The justices also said the company requesting the information should pay the $460,000 it will cost the county to remove the Social Security numbers from records spanning more than two decades. The court unanimously agreed that the documents, requested by a business that wants to sell electronic access to this information, are public records under the state's Open Public Records Act. But it stressed some of the personal information, if released, would hurt residents. "The request was made on behalf of a commercial business planning to catalogue and sell the information by way of an easy-to-search computerized database. Were that to occur, an untold number of citizens would face an increased risk of identity theft," Chief Justice Stuart Rabner wrote for the court. Bergen County officials called the decision a victory for all New Jersey residents concerned about identity theft.

Names, credit card numbers, Social Security numbers: information Daron Breinholt did not go looking for, but found Thursday morning. He took out the trash from the shoe distribution center, where he works, in the warehouse section on Salt Lake's west side. "I was just throwing away some stuff (in a dumpster) , and it was chock full of medical records," said Breinholt. "There's everything in there from canceled checks to routing numbers. They could steal a lot identities. A lot of identities were in there." At least some of the records appeared to come from Mountain Medical Center, a chiropractic office that had been in the Murray area until some months ago. Dr. Randall Malin said through his lawyer that he did not throw away records. "It's news to him," said Attorney Robert Harrison. Salt Lake Police packed away perhaps twenty boxes of papers, and said they would protect the documents, as they dug into the matter. Surveillance video, which 2News has not been able to see, reportedly showed two people who drove up in a red pickup truck Wednesday afternoon, and unloaded the materials from a trailer.

As if banks didn't have enough on their plates with compliance and regulation on the federal front, come May 1, they will have to be mindful of strict new rules coming from the Commonwealth of Massachusetts around data security. The Massachusetts Data Security Regulations are perhaps like no other in terms of their depth and scope. During a teleconference, attorneys from the privacy and data security practice of the law firm Goodwin Procter (Boston) described this very detailed, all-encompassing set of rules designed to keep consumers' personal data safe. They go beyond the rules of other states and the federal government that simply require companies to notify their customers of theft of their personal information. "Personal information," for the purposes of the regulation, is described as someone's first and last name or first initial and last name, in combination with Social Security Number, driver's license number or financial account number. At its core, the regulation states that companies, including banks, that handle the personal data of a Massachusetts resident must show they have in place a comprehensive, written information security program with heightened security procedures around how this information is handled. The rules also extend to entities' service providers and the degree to which they too much show they comply with the Massachusetts rules of handling data on residents. Companies have until May 1 to amend their vendor contracts to reflect this and until Jan. 1, 2010 to certify their vendors comply. Furthermore, companies must comply with these rules even if they do not have a single office in the Bay State or if they are in an already heavily regulated industry, like financial services. As long as customers in businesses' databases reside in Massachusetts, those companies are affected by the rules. According to partner Deborah Birnbach, this is some of the most intrusive legislation as it relates to the operation of businesses. "It requires