
This note highlights recent examples of large scale exposure of sensitive consumer information through hacking of databases, loss of computer tapes in transit or theft of laptops.
introduction
The following items illustrate discussion in the Security & InfoCrime and Identity Theft/Fraud profile elsewhere on this site.
The incidents are of interest as indicators of -
- the persistence of media such as computer tapes in the transfer of data from one location to another, contrary to claims that all organisations do or will use private/public networks
- vulnerabilities in the form of laptops and desktop machines - the server may be guarded 24/7 but data is accessible when it is embodied in a laptop that can be stolen in one minute
- the importance of social engineering - why crack code or break doors when data is yours for the asking if you ask nicely, look plausible and hand over an access fee to custodians who do not appear to rigorously authenticate your bona fides?
- institutional/corporate irresponsibility in failing to encrypt sensitive information
- the significance of legislation that requires organisations to alert consumers about breaches
- the reluctance of organisations to provide such alerts and to accept responsibility for breaches.
networks
2003 student Christopher Phillips hacks into University
of Texas system, copies personal information including
40,000 Social Security Numbers. Convicted by federal jury
in June 2005, with order to pay US$170,000 restitution
for his crimes and serve five years of probation.
2004 University of California San Diego
Unauthorised access to four servers containing social
security numbers for 380,000 people
2004 University of California Berkeley
Personal records of 1,400,000 people exposed on researcher's
networked personal computer
2004 twenty employees of MphasiS, in Indian city of Pune,
withdraw US$425,000 from Citibank accounts
2005 DSW/Retail Ventures
unauthorised access to 100,000 customer records
2005 three former MphasiS employees arrested for allegedly
stealing US$350,000 from accounts of four Citibank customers
2005 Polo Ralph Lauren
unauthorised access to 180,000 customer records
2005 DSW
second breach at DSW, with unauthorised access to 1.3
million records
2005 LexisNexis
LexisNexis reports unauthorised access over several weeks
to 310,000 personal records
2005 MasterCard and Visa
MasterCard International reports that unauthorised access to CardSystems Solutions database may have exposed over 40 million credit card accounts, including 14 million MasterCard customers. It commented that "We are actively monitoring the situation on a real-time basis using our state-of-the-art fraud-fighting technologies."
tapes
2004 Bank of America loses tapes during shipment across US
Unencrypted tapes with account information on 1.2 million US federal employee credit cards, including US senators, went missing during shipment to a remote site. The bank commented that "we, with federal law authorities, have done a very robust, thorough investigation on this and neither we nor they would make the statement lightly that we believe those tapes to be lost".
2005 IBM Canada loses Alberta pension tapes and fiche
IBM lost tapes with data about 77 pension refund cheques.
The Alberta Information & Privacy Commissioner notes
that there was no tracking of computer tape shipments
between IBM and its agent, no tracking of delivery of
microfiche from that agent to IBM, and that IBM waited
two months before disclosing the breach.
2005 Iron Mountain storage company loses Time Warner tapes
Unencrypted personal data on 600,000 current and former
Time Warner employees from 1986 went missing during shipment
to the Iron Mountain data repository
2005 Ameritrade
200,000 customer records on lost backup tape
2005 Citigroup loses tape en route from CitiFinancial to credit reference agency
Tapes holding 3.9 million unencrypted consumer records from active and closed accounts went missing during shipment by UPS. CitiFinancial apologised, commented that it "has no reason to believe that the information has been used inappropriately", offered customers free enrollment in a credit-monitoring service for 90 days (although critics note that the average time for victims to become aware of the theft is 12 months, with a further 175 hours and US$808 out-of-pocket expenses spent clearing their names) and announced that it has stopped delivering computer tapes by courier.
2005 City National
Los Angeles-based City National loses two backup tapes
in transit to secure repository
laptops and other devices
2004 University of California Los Angeles stolen laptops
Loss of two UCLA laptops results in exposure of personal
information concerning 145,000 blood donors and 62,000
health patients
2005 University of California Berkeley laptop stolen
Device holds social security numbers and other personal
information about 98,369 graduates
2005 MCI laptop stolen from employee car
Device contains names and social security numbers of 16,500
current and former MCI employees
2005 ACS burglary
thieves steal two computers from Motorola's HR services
provider Affiliated Computer Services, with information
on Motorola's US staff
2005 Omega World Travel
stolen laptop contains names and credit card details of
80,000 customers, including US Department of Justice employees
2005 NSW State Transit Authority
NSW government agency auctions 12 servers but fails to
delete payroll and financial information, Sydney public
transport passenger counts, ticketing system codes, incident
reports and employee access PINs.
sale or other provision
2005 ChoicePoint
Reference agency ChoicePoint sells personal financial
information of 145,000 people to criminals purporting
to be legitimate businesses. ChoicePoint initially sends
notice of breach only to Californians