Data Breaches

Heartland Payment Systems recently announced a data breach due to malicious software (malware) that stole an unknown number of payment transactions and may affect upwards of 100 million Americans making it the largest data breach on record and eclipsing TJX, which owns retailers TJ Maxx and Marshalls, whose breach affected 94 million customers. The malware that stole payment data such as names, addresses, debit and credit card numbers at Heartland hid in an unallocated portion of a server’s disk. According to Heartland CFO Robert Baldwin…

“The malware was hidden so well that it eluded two different teams of forensic investigators brought in to find it after fraud warnings went off at both Visa and MasterCard.”

Baldwin also indicated that both the U.S. Secret Service and Justice Department told him that the hackers had breached the records of other financial institutions.

“We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice,” Baldwin said in the statement.”

Apparently, federal law enforcement had already been investigating this “I have talked to many payments leaders who are also concerned about the increasing success and frequency of cyber crime attacks,” Carr said. “Up to this point, there has been no information sharing, thus empowering cyber criminals to use the same or slightly modified techniques over and over again. I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week.”

According to The Identity Theft Resource Center, reports of data breaches in the United States increased 47 percent in 2008, jumping from 446 reported breaches in 2007 to 656 reported breaches in 2008. Approximately 14% of the data breaches were due to hacking and an estimated 35 million Americans had their personal information compromised, down significantly from 2007 which included the numbers from the TJX breach.

The Heartland Payment Systems data breach will likely make 2009 the worst year on record when the final numbers on compromised consumers are released. Consider that the company processes credit, debit and prepaid cards for more than 250,000 business locations and has with the help of Visa and Mastercard contacted more than 150,000 merchant locations to bring them up to date on this breach. Consider also that it is unclear when the hackers put the malware in place let alone when it was first discovered and you can see the staggering number of people that may be affected. Right now everyone is awaiting details but currently Heartland has not been forthcoming.  Stay tuned for more.

You shred your credit card statements, guard you Social Security number and always put your outgoing mail in a locked box, all to protect yourself from the risk of identity theft. Unfortunately, in this day in age, no matter how hard you try to safeguard your information on your own, it will most likely not be enough. The number of identity theft victims increases every year.

This is because even if you keep your information safe when conducting your personal business, you have no control over the fact that your data can be compromised when it’s in the hands of a company, educational institution or other organization that you do business with. In fact, large-scale data breaches seem to happen on a weekly – or even daily—basis in recent months.

This is not just an illusion, the instances of identity thieves compromising corporate data really are on the rise. In fact, according to the Identity Theft Resource Center, a nonprofit organization in the U.S., the number of breaches in the first six months of 2008 is over 69 percent higher than in the first six months of 2007. This trend continued over the third quarter.

Identity thieves get information from companies in a variety of ways, some of which are by stealing laptop computers or other electronic devices, by hacking into databases they should not have access to or by working alongside someone who is actually an employee of the company. (Believe it or not, this type of “inside job” made up 15.8 percent of the breaches in early 2008.) Stolen Laptops and lost or stolen data tapes add to the mix.

Plus, there are also passive ways in which an identity thief can come by the information, such as if an employee accidentally loses the information or posts it online or in an email to unauthorized users.
So, in other words, even if you are doing a near perfect job of protecting your personal information, there is no way for you to police everyone that you work with to make sure that they do the same, and oftentimes you will not be notified as soon as a breach occurs. So you may want to consider some additional help to protect your personal information from identity thieves.

This help could come in the form of identity theft protection, which is available from dozens of companies. With identity theft protection services you can put further guards on your accounts to prevent identity thieves from accessing your accounts or opening new ones if your information becomes public due to a data breach. These companies take this risk very seriously. In fact, at least one company, Trusted ID, keeps a comprehensive list of these breaches on its Web site.

Others, such as LifeLock, offer a service guarantee to help with costs you incur if you become a victim of identity theft while using the service. Without this type of protection, recovery could cost you thousands of dollars and quite possibly a substantial amount more. Not only that but they also do the strong majority of work to recover your identity saving you your valuable time, often 200 – 600 hours over a frustrating two year period.

You can’t control everything in the world of data breaches, but you can choose to make the best effort possible to safeguard yourself in the event that your name and personal information does get out there. It is time to start learning about your identity theft protection options. Find what you feel is a good fit for you and your family then use that as your identity protection plan.

A month after the initial discovery, former dental patients of the University of Florida College of Dentistry are just now being informed of unauthorized access to their information.
Over 330,000 former patients, some dating back to 1990, have been notified that their information, which includes names, address, birthdates and Social Security number, had been accessed by an outside source.

This was discovered by some IT technicians that were upgrading the school server. They found that there was software that had been installed by a remote user, and along with removing the files, they disconnected the server from the internet to avoid further access. The hacker had access to these files for quite some time, but there is no evidence at this time that any of the information has been used to commit identity theft. Obviously those affected will be at risk for a lng time and should take preventative measures to protect themselves from identity fraud.

Most have been notified, but the university was unable to contact over 8,000 previous patients whose information was at risk. The university has, however, set up a hotline for patients to call and request information about the data breach. This number is 866-783-5883. The FBI and University Police are working together to investigate this security breach.

Patients who had their private information compromised should consider utilizing an identity theft protection service.

Data breaches continue to be reported at alarming rates even though there is evidence that a lot of corporations fail to report as required in 37 States. To date there have been 524 data breaches affecting over 30 Million Americans. This is a sharp increase from the 424 breaches reported in 2007. It is important to note that identity theft can occur from any breach regardless of size. The reverse is also true in that a massive data breach may not lead to any cases of identity theft. The following is a sample, both large and small, of breaches reported in September. If your data was compromised in any of these it is important to read the details to determine if you need additional ID theft protection.

St. Paul’s Surgery
A robbery that involved St. Paul’s Surgery in Winchester was the reason for over 15,000 patients’ information being stolen mid-September.

The personal information of patients registered at St. Paul’s Surgery was stored on a computer back-up tapes. These tapes were stored in a locked safe that was in a locked room, but the burglars broke through a rear door and set off the alarm.

The tapes are password protected, as well as they require specialized computer equipment to read. The hope is that none of the information is at risk, but managers did send letters to those whose personal details were stored on the stolen computer back-up tapes.

Ex-Employee Copies Data of Lottery Winners in Austin, Texas
A previous computer analyst for the Texas Lottery Commission was arrested for copying data of over 27,000 people who had won prizes from the Texas Lottery. This ex-employee copies the data and took them to his next job, exposing Social Security numbers and some bank account and routing numbers of numerous employees and lottery retailers.

The month-long investigation led to the arrest mid-September. The information has been recovered, and it is unknown if the data had been compromised. Lottery winners are requested to watch their bank accounts and credit reports for any malicious or suspicious charges or changes.

University of Pittsburgh
A laptop at the University of Pittsburgh that contained personal information of it’s College of Business Administration graduates was stolen in August of 2008. Information lost included names and Social Security numbers of graduates. It is unknown the number of students that are affected by this theft.

The laptop was last used by an employee to conduct surveys, and was stolen from Mervis Hall on campus on August 11th, 2008. The employee was violating a policy established by the university regarding storage of sensitive data. The information on the laptop was supposed to have been deleted and removed from the laptop.

It does not appear as though the information has been used, but the university did contact the graduates and notified them of the recent loss. At this time, the thief has not been identified.

GS Caltex
GS Caltex, one of the nation’s largest oil refineries, is responsible for the lost of information of over 11 million of it’s customers.

Two discs, a DVD and a CD-Rom, were found in a backstreet trash pile in a Seoul subway station by an office worker. These discs contained files in a “GS Caltex” folder that included names, address, phone numbers, email addresses, workplaces, and Social Security numbers of it’s customers. Immediately upon receiving the discs, GS Caltex compared the information with the data in their current systems, and found that the information is that collected for a discount card available by it’s company. This information does not include credit card or bank account information.

There has been no evidence of hacking, and so far, none of the information has been used inappropriately by any outside sources. It is believed that this information was taken by an employee of the company, and GS Caltex is doing everything it can to investigate this case.

National Offender Management Service
Staff of the UK justice system, the National Offender Management Service in England and Wales, may be forced to relocate their families due to a data breach that actually happened in the middle of 2007. Approximately 5,000 employees of the justice system were affected.

The data was lost by a company called EDS, and they were not notified of this loss of data until recently. This is extremely upsetting to authorities, considering the information is private and puts the employees, and their families, at risk.

Authorities will look into the information that was lost, as well as how it was lost and how this could affect those whose information was lost. Just weeks before, a computer memory stick with the information and personal details of thousands of criminals was lost as well. This missing information could affect many people and their safety.

This loss could cost taxpayers millions of pounds, as the cost of relocating and protecting the employees and their families could get expensive.

East Burke High School in Morganton, NC
East Burke High School, based in Morganton, North Carolina, recently discovered that for the past five years, their school website had staff member’s personal information available to those online.

Liberty Coalition, an organization that searches and notifies companies and organizations about data security leaks, found the file simply by using Yahoo’s search engine. In this file was information uploaded online in 2003, which included employee names, Social Security numbers, home addresses, unlisted phone numbers, job titles and email addresses. 163 people’s information was available online. They notified the school on August 27, 2008, and the school’s principal informed those affected two days later.

Although the file was immediately removed from the internet by school officials, Liberty Coalition’s spokesperson claims that it is impossible to guarantee that the file was not downloaded or archived by someone else and that the information was indeed entirely removed.

There are numerous ways that the school can assist those who were affected. Instead of filing Social Security numbers, they could replace them with employee numbers. Access to important files like these should be limited and password protected to be available to those who need to access it. The school had a meeting with those affected to discuss protecting their identity and to address the victims’ questions and concerns.

Clarkson University
Near the end of August, a student at Clarkson University in Potsdam, New York gained access to a drive that was meant to be password protected for authorized users only. This student notified the campus of the vulnerability of this drive, and authorities quickly took action. Over 200 employees, including former employees, had personal information on this drive, which included information such as names, social security numbers, date of birth, and records regarding their university credit cards.

The drive was only accessible on the Clarkson University network. It was accessible due to some work being done on the school servers which caused the access information to be set to default, allowing anyone on the campus network to view the files. Once the breach was discovered, authorities launched a full investigation to find out who had accessed the files during this time. The student appeared to be the only unauthorized person to access the drive, and it did not appear as though anyone else had access to the drive.

Reynoldsburg, Ohio School District
Information on the students of Reynoldsburg’s school district in Ohio was stored on a laptop that was stolen on August 23rd, 2008.

The school was recently switching their computerized system to eliminate the use of Social Security numbers. The computer technician that was contracted to do the work had left the laptop in his car while attending a wedding in Columbus, where it was stolen.

The technician had completed the work, but had not deleted the information from the laptop. It is not known if the thief was aware that this information was on the computer. The information included the Social Security numbers and names and addresses of over 4,000 current students.

Forever 21 Retail Store
Recently, the retail store Forever 21 found that some of their customer’s credit card information had been accessed by an outside source. The following nine shopping dates have been affected: March 25, 2004, March 26, 2004; June 23, 2004; July 2, 2004; July 3, 2004; August 4, 2007; August 5, 2007; August 13, 2007; and August 14, 2007. The main store location affected is that in Fresno, California, located at 567 E. Shaw Avenue.

Approximately 98,000 credit and debit card numbers are at risk, though over half of the numbers accessed are expired credit accounts. This information did not contain customer names or addresses.

Tennessee State University
Mid September, a missing flash drive containing Social Security numbers and financial information for over 9,000 students was reported. This information dates back to 2002.

Tennessee State University has sent out letters to those that could be affected, and the university is also offering credit protection to those students whose records were lost. As far as University officials recall, the information was not password protected or encrypted, but at this point, there have been no attempts to use the data.

The employee who misplaced the flash drive is on paid leave during the investigation.

Marshall University in Charleston, West Virginia
Near the end of August, university officials discovered that the information of nearly 200 students, which included social security numbers, was publicly available on the internet. The information was available through a student’s personal web page via a Microsoft Word document.

This breach is not considered a threat, but the university has taken the steps to notify those who may be affected by misuse of this information.

State Farm Insurance
The Surprise, Arizona State Farm branch run by agent Lisa Ro Grant is under investigation after one of her employees fraudulently used customer information to obtain new credit card accounts. Access to this information supplies customer social security numbers, driver’s license numbers, addresses and possible some financial account numbers.

The amount of information accessed and directly affected was not disclosed, but it could have affected those outside of the state of Arizona. Letters have been sent and free credit monitoring has been set up for those affected.

For a complete list of data breaches please visit http://datalossdb.org.

Summary
With 30 Million records already exposed and no end in sight it is clear that identity theft is going to continue at its torrid pace. Illegal internet sites that sell our personal information are popping up all the time and personal information from old data breaches such as the T-Mobile breach are appearing on these sites after being dormant for 2.5 years. This is why you should consider using an identity protection service to help protect your identity.