Identity Theft - keep track of where it's happening

Identity Theft


article link

Federal Trade Commission
FYI

Federal Trade Commission: Your National Resource for Identity Theft

LexisNexis Latest To Tighten Data Security March 22, 2005
Following a hacking incident affecting records of about 32,000 people,
------------------------------------
ChoicePoint
-------------------------------------
Westlaw
-------------------------------------
BankofAmerica
--------------------------------------
others?

Somewhat different situation, but I ordered a book on diabetes from Amazon. Suddenly, I started getting an onscreen advertisement for a new style glucometer every time I log onto the net.

Do you clear your cookies - something of an agent from amazon cause of your diabetes interest?

LexisNexis Uncovers More Consumer Data Breaches
link

Update: Thief nabs backup data on 365,000 patients
An employee for a health care firm in Portland, Ore., had tapes, disks in
his car

News Story by Todd R. Weiss


JANUARY 26, 2006 (COMPUTERWORLD) - About 365,000 hospice and home health
care patients in Oregon and Washington are being notified about the theft
of computer backup data disks and tapes late last month that included
personal information and confidential medical records.
In an announcement yesterday, Providence Home Services, a division of
Seattle-based Providence Health Systems, said the records and other data
were on several disks and tapes stolen from the car of a Providence
employee at his home. The incident was reported by the employee on Dec. 31,
according to the health care system.

The tapes and disks were taken home by the employee as part of a backup
protocol that sent them off-site to protect them against loss from fires or
other disasters. That practice, which was only used by the home health care
division of the hospital system, has since been stopped, said health system
spokesman Gary Walker.

"This was only done in one area of the company," Walker said. "It did not
involve the hospital's database [of patients]....That one part of the
company was sending data home off-site. But we should have reviewed the
policy."

Walker said Thursday that the data on the tapes was encrypted, but today he
corrected that information. Instead, some of the data on the tapes was
password-protected at the application level, he said, while the rest of the
data was stored in proprietary file formats without password-protection.
"Our IT person and I ... miscommunicated about what is being done and what
was being done."

The data on the disks, meanwhile, was in a proprietary file format that was
not encrypted, but "is stored in a way that would make it difficult, if not
impossible, for someone to access it, then make any sense out of it," he
said.

From now on, all data will be made secure using additional technologies,
according to Walker. "We are encrypting all the material we can encrypt
now," as the health care system reviews all of its procedures and security,
he said. "We are sorry that this happened and we don't want it to happen
again."

Providence officials said there have been no reports that any of the stolen
information has been used improperly since the incident.

Providence is notifying affected patients by mail about the theft. The
information on the disks and tapes included names, addresses, dates of
birth, physicians' names, insurance data, diagnoses, prescriptions and some
lab results. For approximately 250,000 of the patients, Social Security
numbers were on the records, according to the health system. Some of the
records also included patient financial information.

Rick Cagen, CEO of Providence's Portland service area, said new backup
procedures are being implemented using more traditional IT means, including
secure sites in remote locations for safety and redundancy. "We do have
alternate practices now," Cagen said.

The four-week delay in publicly announcing the theft was needed so
Providence officials could recreate the stolen data and identify the
patients who needed to be contacted, he said. The delay was also caused in
part by the large number of records that had to be processed, he said.


"We realize this is a major inconvenience and cause for real concern, and
we deeply apologize to everyone affected by this incident," Cagen said.
"Even though we have no indication that the thief has accessed the data, we
are doing all we can to help our patients and employees protect their
information."

The incident is the second data theft from a motor vehicle announced this
week. Yesterday, Minneapolis-based financial services company Ameriprise
Financial Inc. said it is notifying some 158,000 customers and 68,000
financial advisers that a laptop containing personal information about them
-- including names, account numbers or Social Security numbers -- was
stolen from a parked car late last month

bm

Ameriprise Laptop Theft Puts Client Data at Risk

Financial data of 158,000 Ameriprise clients has been
compromised by the theft of a company laptop, though there
have been no reports that the data on the laptop has been
abused.

The Privacy Rights Clearinghouse, a consumer advocacy organization, reported
earlier this week
that more than 52 million Americans have had their personal information
jeopardized by data
breaches since Feb. 15, 2005, when thieves set up bogus accounts using
information obtained from
ChoicePoint. The non-profit group said it chose to begin tallying then because
the ChoicePoint
incident marked a "watershed event" in terms of disclosure.

The breaches range from stolen laptops at the Department of Justice to social
security numbers
printed on tax filing packages sent by H&R Block. Hackers, thieves, dishonest
insiders and
others infiltrated hospitals, defense contractors, banks, schools, mortgage
brokers and car
companies. All involved loss or compromise of information useful to identity
thieves, such as:
social security numbers, account numbers or driver's license numbers.

Ten days after 145,000 to 163,000 individuals' information was compromised in
the ChoicePoint
incident, Bank of America lost a backup tape that included information on about
1.2 million
people, according to the clearinghouse. Several more breaches resulted in the
loss of anywhere
from 4,500 people's information to hundreds of thousands until April, when DSW,
a retail company
found that 1.3 million customers' data could have been exposed to hackers.

In June, CitiFinancial recorded the next loss in the millions when a backup
tape with 3.9
million individuals' information was lost. A mere 10 days later, CardSystems
reported that 40
million people's information was vulnerable because of hacking.

Motorola, City National Bank, J.P. Morgan in Dallas, Wal-Mart, H&R Block and
universities didn't
know how many people were affected by stolen laptops, backup tapes, dishonest
insiders and
hacking.

According to the Public Interest Research Group, California was the only state
with a law
targeting security breaches before the ChoicePoint incident. Since then, 35
states have
introduced laws aimed at curbing the problem. Twenty-three states have enacted
them.

R.I. government site hacked, credit card numbers stolen
State officials say they were told of the breach only last week


News Story by Linda Rosencrance

JANUARY 30, 2006 (COMPUTERWORLD) - Hackers broke into the official Rhode Island state government Web site, www.ri.gov late last month and stole 4,117 credit card numbers, according to New England Interactive Inc. (NEI), the company that manages the site. NEI is a subsidiary of Olathe, Kan.-based e-government provider NIC Inc.
We discovered the breach on Dec. 28, said NIC spokesman Chris Neff. It was due to an error in a line of software code that our local office in Rhode Island that manages the state's portal [NEI] had written. So we immediately closed that breach, fixed that error and initiated a deeper investigation, including a follow-up security scan of the entire site.

According to Neff, NEI at first thought that only eight credit cards had been compromised. We immediately contacted the Rhode Island CIO and the Secret Service and the credit card-issuing companies to flag those accounts so they could be monitored for possible fraudulent activity, Neff said.

After further analysis, however, NEI discovered that 4,117 credit card numbers were actually involved. At that point, we went through the notification process again with the Rhode Island CIO, Secret Service [and the] credit card companies, he said. Now we're collaborating with the state, the credit card companies [and] the Secret Service working on several solutions. We're working toward contacting those card holders and working toward providing some additional services to them [like] credit monitoring and credit rehabilitation for people who were harmed ... as a result of this. And we're working with the state on the security they've hired an external security firm, we have done the same, to assess the state's security measures and ensure that everything is up to par going forward.

According to a statement from NIC today, the stolen credit card numbers were used in transactions with government agencies between Dec. 31, 2004, and March 8, 2005. NIC recommended that anyone who used credit card information on the Rhode Island Web site contact their credit card companies and request that their accounts be monitored for fraudulent activity.

A check of the state site indicates that consumers can conduct a variety of transactions online using a credit card, including renewing fishing and boating licenses, obtaining driving records and renewing vehicle registrations that have been temporarily suspended.

NIC realized that more than eight credit cards might have been compromised last week, when it learned of information on a Russian-language Web site that appeared to discuss the hacking. NEI worked to cross-reference details on the Russian site against information it already had and on Thursday notified NIC, the state CIO, law enforcement officials and credit card companies that additional credit cards were involved in the hacking. That's when the company found that 4,117 credit card numbers had been stolen.

NIC takes security matters very seriously, Harry Herington, chief operating officer of NIC, said in the statement. We take responsibility for this incident and acted immediately to correct the breach upon discovering it. We will continue to work with Rhode Island state officials, law enforcement and the credit card companies to resolve this issue.

But in a letter to Augusta, Maine-based NEI, attorneys for the state indicated that Rhode Island officials learned of the breach only last week.

[NEI] has so far provided incomplete and conflicting responses to the state's efforts to obtain accurate information regarding the size, nature and reason [of the breach]. This is unacceptable and has unnecessarily led to confusion and concern among users of the RI.gov Web site, said James DeGraw, an attorney at Boston-based Ropes & Gray LLP.

The state called on NEI to do the following:

Immediately stop processing credit card transactions through the RI.gov Web site until state officials are sure the site is secure.

Hire an outside security consultant to determine whether there are any other vulnerabilities in the site or in NEI's data-handling procedures and immediately correct them.

Identify all consumers whose credit card or other personal data may have been compromised.

Establish a way for those consumers to find out whether their data was compromised and provide a comprehensive credit card replacement, credit monitoring and credit rehabilitation program to anyone affected.

And this is just the tip of the iceberg folks as our young ones become more and more internet savvy every day more and more sites will be hacked into and subjected to info theft.

Globe and Worcester T&G customer credit info mistakenly releasedComplete Story Here

TOTAL 52,557,249
ChronDataBreaches Report
Copyright © 2005-2006. Privacy Rights Clearinghouse/UCAN.

Waiting for lawsuits to begin.

Eventually people who have their ID stolen and fraudulantly used will start suing their bank establishments, credit card processing companies, retailers, employers, and any third parties who do not properly protect their private information. It will of course be a nightmare to predict from whom the information was hacked or stolen but it's coming ... I predict it.

Cyber-Risk, cyber-risk, selling cyber-risk, touting insurance ... c'mon in ... it's cheap now, don't wait until 1 out of every 10 people have suffered identity theft.

N.H. state server eyed in possible credit card data breach

State and federal law enforcement officials are probing a potential security breach involving a server used by the New Hampshire Department of Motor Vehicles. A routine security review last week found a copy of the Cain & Abel computer worm on the server.

http://cwflyris.computerworld.com/t/312605/1256992/9846/0/

Firewall at work changed so updates have been slow in coming.