Data Breach Roundup: September 2013
A surprising number of last month's data breaches involved the theft or loss of laptops or hard drives.
This month eSecurity Planet takes a look back at the data breaches we covered in September, providing an admittedly unscientific but potentially interesting overview of the current breach landscape.
What follows is a list of such breaches by category, noting what happened, what data was exposed, and what (if anything) the organization is doing to help those affected – along with a few comments by industry experts.
A surprising proportion of the breaches in September resulted from the theft or loss of laptops or hard drives, many of them unencrypted. Chester Wisniewski, senior security advisor at Sophos, says unencrypted laptops at this point are simply gross negligence. "We should have zero tolerance for this behavior in 2013," he says.
Buckeye Check Cashing. A laptop was stolen from a vehicle, exposing an undisclosed number of names, addresses, bank account information and/or Social Security numbers. All those affected were offered one year of Experian's ProtectMyID Alert service.
Dr. Hankyu Chung. A password-protected laptop was stolen, exposing an undisclosed number of patients' names, phone numbers, birthdates and medical records, including visit dates, complaints, physical examination notes, diagnoses, and testing and medication information.
Edgewood Partners Insurance Center. Five password-protected but unencrypted laptops were stolen, exposing an undisclosed number of names, addresses, birthdates, driver's license numbers, benefits information and Social Security numbers, along with some bank account information and health information. All those affected were offered one year of Experian's ProtectMyID Alert service.
InterContinental Mark Hopkins San Francisco. A hard drive was accessed but not stolen during a burglary, potentially exposing an undisclosed number of guests' names, mailing addresses, email addresses, phone numbers and credit/debit card numbers.
NHC Healthcare. An unencrypted backup tape was discovered missing. The backup tape contained an undisclosed number of patients’ names, Social Security numbers, birthdates, home addresses and medical information.
Olson & White Orthodontics. Password-protected computers were stolen. Ten thousand patients' names, addresses, x-rays, photos and diagnostic findings were exposed, along with parents' or insured parties' names, email addresses, Social Security numbers and credit scores.
St. Anthony's Medical Center. A password-protected laptop and flash drive were stolen, providing the thieves with access to 2,600 patients' names and birthdates, and possibly their medical records.
UTHealth. An unencrypted laptop was discovered missing. The laptop contained 596 patients' names, birthdates and medical record numbers.
Columbia University Medical Center. A hidden column in a widely emailed spreadsheet contained personal data, exposing 407 medical students' names and Social Security numbers. All those affected were offered one year of Experian's ProtectMyID Alert service.
Georgia Department of Labor. An employee mistakenly emailed a spreadsheet containing 4,457 people's names, Social Security numbers, phone numbers and email addresses to approximately 1,000 people. All those affected are being offered credit monitoring services from Equifax.
Hill Air Force Base. An employee forwarded sensitive data to an unprotected email address in order to work from home, potentially exposing 525 Air Force employees' names and Social Security numbers.
Virginia Department of Human Resources Management. A Conexis employee mistakenly sent 13,000 state employees' personal information, including names and Social Security numbers, to 11 state employees. Free credit monitoring and identity theft protection services are being provided to all those affected.
BEL USA LLC. A server was breached, exposing an undisclosed number of customers' names, addresses, phone numbers, credit or debit card numbers, expiration dates and CVV codes.
Bell Helicopter. A database was breached, exposing an undisclosed number of email addresses along with some credit card numbers. All those affected were offered one year of Experian's ProtectMyID Alert service.
Creative Banner Assemblies. The company’s website was hacked and infected with malware, providing the hackers with access to 232 customers' names, addresses, phone numbers and credit card information. All those affected were offered one year of credit monitoring and identity theft protection through ITAC Sentinel Plus.
ICG America. The company’s payment processing system was hacked, exposing an undisclosed number of customers’ names, addresses, email addresses, credit/debit card numbers, expiration and CVV codes.
NetCologne. The company’s website was hacked via SQL injection. The hackers published a list of 15 user names, encrypted passwords, email addresses, registration dates and display names.
Outdoor Network, LLC. The company’s website was hacked and infected with malware, providing the hackers with access to an undisclosed number of customers' names, addresses, credit card numbers, expiration dates and CVV codes.
Unique Vintage. The company’s website was hacked and infected with malware, providing the hackers with access to an undisclosed number of customers’ names, email addresses, phone numbers and credit card numbers.
Virginia Tech. A server in the university’s human resources department was hacked, exposing 144,963 job applicants’ names, addresses, employment history, education history and prior convictions, along with 16,642 applicants’ driver’s license numbers.
These types of attacks are particularly preventable, according to Camouflage Software president and CEO Kevin Duggan, because they’re often the result of personnel having access to sensitive data that’s not required for them to do their jobs.
"The main question these organizations need to be asking is: Did the individuals from whom the data was stolen really need access to the sensitive portion of the data in order to do their jobs? In many cases, the answer is a resounding no," Duggan says.
Other methods of mitigating insider threat risks include creating effective data loss prevention policies, such as restricting data access by file type and/or user privilege level; encrypting data; and investing in software that monitors, analyzes and potentially stops files containing sensitive data from moving out of the business network.
State Farm. A call center employee stole customers’ credit card numbers. Nearly 700 customers were potentially affected.
Vodafone Germany. The company says the breach was only made possible through insider access. Two million customers' names, addresses, birthdates, genders, bank sort codes and account numbers were accessed.
Partner Company Hacked
Medical University of South Carolina. Credit card processor Blackhawk Consulting Group was hacked, exposing 7,000 customers' names, billing addresses, email addresses, credit/debit card numbers, expiration dates and CVV numbers. All those affected are being offered one year of credit protection from Experian.
Paymast'r Services. A website hosted by the company’s service partner was hacked, exposing an undisclosed number of names, addresses, Social Security numbers, driver's license numbers and payroll card numbers.
Windhaven Investment Management. A third-party vendor’s Web server was hacked, exposing an undisclosed number of clients’ names, account numbers, custodians, and investment positions. All those affected were offered one year of credit monitoring from Equifax.
Spear phishing attacks can occur by getting employees to open malicious email attachments. While email gateways and anti-virus scanners can detect many of those attachments, experts see an increase in spear phishing attacks in which fraudsters instead entice people to click on links that take them to websites that attempt to exploit common security vulnerabilities.
To decrease the likelihood that these attacks will occur, it's a good idea to train staff to recognize both suspicious attachments and links. Some vendors also offer products that help companies gauge the effectiveness of education efforts by allowing companies to send simulated spear phishing emails to employees after they have received training.
U.S. House of Representatives. A spear phishing attack appears to have provided hackers with access to five names, email addresses, encrypted passwords, IP addresses and photos.
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at firstname.lastname@example.org.