 

In The News

 
DISUK Limited Articles

IBM loses employee and customer details when tapes get lost in transit!

Cablevision employee data lost

Loan Records Vanish

Bank tape lost with data on 90,000 customers

365,000 patient records stolen

Jobs lost after tapes stolen

DISUK expands in Central Europe with opening of German offices

Iron Mountain recommends customers start encrypting tapes

Bank of America: 1.2 million accounts jeopardized

Data Storage Losses

You may be surprised at just how much data goes astray. The articles below are taken from press stories and are here to highlight the different types of data that go missing. There are plenty more similar stories, but many more go unreported because the companies cannot afford the bad publicity that results from such a loss. Follow the links for the full stories. Could your business end up in this type of story?


Possible repercussions of data loss
  • Company reputation damaged causing loss of business

  • Company officers liable for legal action

  • Share price falls as investor confidence wavers

  • Competitors gain internal knowledge of company

  • Customers take their business away due to insecurity

  • Loss of job, future employment prospects poor


Bank tape lost with data on 90,000 customers

People's Bank in Connecticut said the tape was lost in transit
ComputerWorld, January 11, 2006, Stephen Lawson - IDG News Service

A computer tape from a Connecticut bank containing personal data on 90,000 customers was lost in transit recently, the bank reported today.

People's Bank, based in Bridgeport, Conn., is sending letters to the affected customers, it said in a statement. The tape contains information such as names, addresses, Social Security numbers and checking account numbers. It was bound for the TransUnion LLC credit reporting bureau, based in Woodlyn, Pa., via United Parcel Service of America Inc., the bank said.

UPS is investigating the incident along with all involved parties, said UPS spokeswoman Heather Robinson. She would not disclose when the package was lost.

The bank has not received any reports of unauthorized activity on the affected accounts and has no reason to believe the data has been improperly used, according to People's statement. The bank considers misuse of the data "highly unlikely." UPS also has no evidence that the package was compromised, stolen or received by an unauthorized person, according to Robinson.

Loss and theft of personal data has taken on a high profile since the theft of data on 145,000 consumers from credit and personal information vendor ChoicePoint Inc. in February 2005. Since that time, there have been dozens of reported cases of loss or theft of personal information involving more than 52 million people, according to a chronology compiled by the Privacy Rights Clearinghouse in San Diego. Among them was the loss of a computer backup tape from Bank of America Corp. containing information on 1.2 million customers, according to the privacy rights group.

There isn't enough information on the People's Bank tape to allow anyone to get into a customer's account, according to the bank. It does not contain checking account balances, debit card numbers, personal identification numbers or birth dates, the statement said. In addition, the tape can't be read without a mainframe and software, according to the bank.

The data on the tape involves customers that have a People's Bank personal credit line, an overdraft protection mechanism for checking accounts. As a safeguard, the bank will provide affected customers with a credit monitoring service for one year, at the bank's expense, to quickly alert customers to possible fraud involving their personal information.





February 23rd 2006

Denver International Airport parking tapes stolen

CBS4DENVER reported that Denver Police were investigating where private credit card information gathered at Denver International Airport has gone. DIA officials have apparently confirmed three back-up computer tapes with credit card data are missing.

The information is from people who park at the airport lots. The tapes apparently contain data going back seven years and reportedly contain credit card numbers and expiration dates, but not the names of the card holders. The contractor that operates the lots said it would be hard to use the information because of the numerous security codes. This is the normal response and shows a true lack of understanding as to how information on tapes is recorded.

The Denver Post reports that police asked that the airport not divulge the theft right away for fear that making it public might jeopardize their investigation. But a recently fired ACS employee sent an e-mail to 7News disclosing the theft. They say police have been talking to ACS employees and that ACS also has taken some steps to guard against this happening again.

Thief nabs backup data on 365,000 patients
An employee of a health care firm in Portland, Oregon, had tapes and disks in his car.


News Story by Todd R. Weiss

JANUARY 26, 2006 (COMPUTERWORLD) - About 365,000 hospice and home health care patients in Oregon and Washington are being notified about the theft of computer backup data disks and tapes late last month that included personal information and confidential medical records.

In an announcement yesterday, Providence Home Services, a division of Seattle-based Providence Health Systems, said the records and other data were on several disks and tapes stolen from the car of a Providence employee at his home. The incident was reported by the employee on Dec. 31, according to the health care system.

The tapes and disks were taken home by the employee as part of a backup protocol that sent them off-site to protect them against loss from fires or other disasters. That practice, which was only used by the home health care division of the hospital system, has since been stopped, said health system spokesman Gary Walker.

"This was only done in one area of the company," Walker said. "It did not involve the hospital’s database [of patients]. ... That one part of the company was sending data home off-site. But we should have reviewed the policy."

Walker said Thursday that the data on the tapes was encrypted, but today he corrected that information. Instead, some of the data on the tapes was password-protected at the application level, he said, while the rest of the data was stored in proprietary file formats without password-protection. "Our IT person and I ... miscommunicated about what is being done and what was being done."

The data on the disks, meanwhile, was in a proprietary file format that was not encrypted, but "is stored in a way that would make it difficult, if not impossible, for someone to access it, then make any sense out of it," he said.

From now on, all data will be made secure using additional technologies, according to Walker. "We are encrypting all the material we can encrypt now," as the health care system reviews all of its procedures and security, he said. "We are sorry that this happened and we don't want it to happen again."

Providence officials said there have been no reports that any of the stolen information has been used improperly since the incident.

Providence is notifying affected patients by mail about the theft. The information on the disks and tapes included names, addresses, dates of birth, physicians’ names, insurance data, diagnoses, prescriptions and some lab results. For approximately 250,000 of the patients, Social Security numbers were on the records, according to the health system. Some of the records also included patient financial information.

Rick Cagen, CEO of Providence's Portland service area, said new backup procedures are being implemented using more traditional IT means, including secure sites in remote locations for safety and redundancy. "We do have alternate practices now," Cagen said.

The four-week delay in publicly announcing the theft was needed so Providence officials could recreate the stolen data and identify the patients who needed to be contacted, he said. The delay was also caused in part by the large number of records that had to be processed, he said.

"We realize this is a major inconvenience and cause for real concern, and we deeply apologize to everyone affected by this incident," Cagen said. "Even though we have no indication that the thief has accessed the data, we are doing all we can to help our patients and employees protect their information."

The incident is the second data theft from a motor vehicle announced this week. Yesterday, Minneapolis-based financial services company Ameriprise Financial Inc. said it is notifying some 158,000 customers and 68,000 financial advisers that a laptop containing personal information about them -- including names, account numbers or Social Security numbers -- was stolen from a parked car late last month.




Jobs lost after tapes stolen.

FEBRUARY 28, 2006 (COMPUTERWORLD) - One employee was fired and three others resigned in connection with the theft in late December of backup computer tapes and disks containing personal information and medical records on about 365,000 hospice and home health care patients from a parked car in Portland, Ore.

In an announcement late last week, Providence Home Services, a division of Seattle-based Providence Health System, said the four workers left the company after “a confidential and thorough internal review process of the data storage procedures that led to the theft.” A Providence spokesman confirmed that three of the workers resigned, while one was fired. The spokesman could not confirm the job titles of the workers, but said that all four had jobs related to the data-theft incident.

The theft took place Dec. 31, when a Providence Home Services IT department worker took backup tapes and disks home in his car as part of the home health care division’s backup protocol. The disks and tapes were stolen after they were left in the employee’s car overnight (see “Update: Thief nabs backup data on 365,000 patients”). The division has since discontinued that backup procedure and brought in more traditional means of protecting data.

Some of the data on the tapes was password-protected at the application level, while the rest of the data was stored in proprietary file formats without password protection. After the incident, the company decided to make all of its data more secure by using additional technologies, including encryption.

Providence notified all affected patients by mail about the theft. The information on the disks and tapes included names, addresses, dates of birth, physicians’ names, insurance data, diagnoses, prescriptions and some lab results. For approximately 250,000 of the patients, Social Security numbers were on the records, according to the company. Some of the records also included patient financial information.

Providence said it has received no verified reports that the stolen data has been used illegally.

The health care group has also reached a deal with security vendor Kroll Inc. to provide Kroll’s ID TheftSmart credit monitoring and restoration services for free to those affected by the theft. ID TheftSmart allows individuals to continuously monitor their credit files, investigates potential identity theft cases and can help identity theft victims restore their identity if data theft occurs.

Starting next week, affected patients will get a letter from Kroll detailing how to sign up for the program.

“We think this will help address the concerns of our patients and their families and help put their minds at ease,” Rick Cagen, CEO of Providence Health System’s Portland Service Area, said in a statement. “We have heard from patients that the process to notify the credit agencies can be difficult, and we appreciate the time they have spent as a result of the theft.”

The data theft incident is under investigation by the Oregon attorney general’s office. A spokesman for the attorney general’s office could not be reached for comment.




Iron Mountain Admits Tape Loss, Recommends Encryption
April 22, 2005
By Paul Shread, on www.enterprisestorageforum.com

In a move that could fuel efforts to change data storage practices, records management giant Iron Mountain has admitted losing a customer's backup tapes and is recommending that customers begin encrypting tapes.

"Iron Mountain performs upwards of five million pickups and deliveries of backup tapes each year, with greater than 99.999% reliability," the company said in a statement Thursday. "Nevertheless, since the beginning of the year, four events of human error at Iron Mountain resulted in the loss of a customer's computer backup tapes. While four losses is not a large number in comparison to an annual rate of five million transportation events, any loss is important to customers and to Iron Mountain."

Iron Mountain did not name the customer, but the admission comes on the heels of announcements from Bank of America and Ameritrade that the financial firms had lost backup tapes containing customer data and were notifying customers.

"Iron Mountain is advising its customers that current, commonly used disaster recovery processes do not address increased requirements for protecting personal information from inadvertent disclosure," the company said.

Companies commonly create multiple copies of their computer data on backup tapes and move them off site to allow for recovery in case of a disaster. According to a recent report from the Enterprise Strategy Group, only seven percent of businesses encrypt all of their backup tapes.

Many businesses don't encrypt because the process increases the complexity of the backup process and may reduce the reliability of an effective disaster recovery plan, Iron Mountain said.

"Iron Mountain, therefore, is recommending that companies encrypt backup tapes containing personal information, but take care to incorporate encryption in a way that does not compromise their overall disaster recovery plans," the company said. "This announcement is the beginning of a campaign to educate our customers on these important issues so that together we can start to work toward solutions."

Iron Mountain noted that the accidental loss of backup tapes "poses a potential risk if sensitive information stored on those tapes is unencrypted. ... Iron Mountain is not aware of any incident in which the physical loss of a backup tape resulted in the unauthorized access of personal information. It is important to understand that unencrypted information stored on backup tapes is difficult to read, but it is not impossible. Companies need to reassess their backup strategies and seriously consider encrypting sensitive data to prevent a potential breach of privacy."

"We invest more in training, automation and process controls than anyone in our industry," stated Iron Mountain CEO Richard Reese. "But even Iron Mountain is not immune from human error. The only effective means to prevent unauthorized access to data is the use of encryption."

Iron Mountain spokesperson Melissa Burman said the company made the announcement "to create awareness and educate our customers on this issue. We believe encryption is the best way for businesses to meet the increasing need for privacy protection."

The company isn't currently working with storage security vendors or offering an encryption solution, she said.

"For now, we're focused on the education component, but we are evaluating solutions to bring to our customers, either directly or indirectly, that will make it easier for them to implement encryption into the tape backup process without compromising disaster recovery objectives," Burman told Enterprise Storage Forum.




DISUK expands in Central Europe with opening of German offices

2nd June 2005 – Northampton, UK – Data-at-rest encryption specialist DISUK today announces the opening of its central European offices in Munich, Germany. Marcus Schmitt will lead DISUK Deutschland operations covering Germany and Austria.

Schmitt joins DISUK from business development and general management roles with various start-ups entering the German market. Prior to this, Schmitt was with Computer Associates and OCÉ Printing Systems. He will be responsible for educating and working with end users on DISUK’s product, Paranoia2™.

DISUK’s Paranoia2 is a fast, robust, ‘on the fly’ encryption technology that sits between the data path and the tape storage device.  By using the strong encryption protocol 3DES2, it is a primary security tool for safeguarding backup tapes.

Paranoia2 meets an emerging business security need to protect data held on backup tapes.  It can be sold as an infrastructure or a standalone solution, perfect for mid-market, departmental and SME sales.

Marcus Schmitt, managing director of DISUK Deutschland, said on this new opportunity: “Germany has some of the most comprehensive legislation to protect individuals’ personal information, whether they are an employee or customer. Everyone in Germany will have personal data held on a backup tape somewhere. Once a copy exists, that data is vulnerable, unless it’s encrypted. This presents an excellent opportunity for resellers to help businesses to eliminate a weak spot in their security arrangements before someone successfully takes advantage.”

Paul Howard, managing director of DISUK, explains: “Marcus has a prestigious track record of working with organisations to develop sound data security strategies. He is the ideal candidate to lead our efforts in Germany. We are very excited to have him on board.”

[ends]

Media contacts

Photographs and interviews available.  Please contact:

Rose Ross / Hannah Knowles
Omarketing Limited (for DISUK EMEA)
T: +44 (0)20 8255 5225
E: rose@omarketing.co.uk / hannah@omarketing.co.uk


Cablevision: Employee Data Lost

Multichannel News July 7th 2006

Cablevision Systems said late Tuesday that an external vendor it hired to deliver a package containing computer tapes with the personal information of some of its current and former employees lost that information in transit.

Although Cablevision did not release how many employees were affected or what type of information was contained in the package, a person familiar with the matter said the computer tape included social security and certain salary information for about 13,700 current and former Cablevision employees.

In a statement, Cablevision stressed that the specialized magnetic tape did not include personal data on Cablevision customers.

Cablevision said the tape was lost during a routine delivery, using a nationally recognized courier to its external 401(k) record keeper. The company added that it has contacted law enforcement -- which is investigating the matter -- and it is working with the courier and its 401(k) record keeper to recover the tape.

"Cablevision takes the security of our employees' personal information extremely seriously, and we deeply regret that this incident occurred," the company said in a prepared statement.

"While we have no evidence to date to suggest that the tape has been accessed or misused, we are providing current and former employees with resources to monitor their credit as we continue to work with law enforcement, the courier and our 401(k) vendor to thoroughly investigate and resolve this matter," Cablevision added, declining further comment.

Copyright The Associated Press 2006. All Rights Reserved


Bank of America: 1.2 million accounts jeopardized

February 25, 2005 CNN

Firm says tapes containing information about government cardholders, including U.S. senators, went missing.

NEW YORK (CNN/Money) - Bank of America said Friday it lost computer tapes containing account information on 1.2 million federal employee credit cards, among them those of U.S. senators, potentially exposing them to theft or hacking.

The bank told CNN/Money that the federal government's General Services Administration (GSA) cardholders' account information may have been on the tapes.

The tapes were lost in December, but a bank spokeswoman told Reuters that bank officials were not allowed to notify cardholders until they received permission from federal law enforcement authorities.

The missing tapes may contain information, including cardholders' names, addresses and social security numbers. But it varies from account to account.

According to Time.com, which cited an unnamed U.S. official, a large percentage of the accounts are for the Pentagon, in addition to 40 federal agencies and other entities.

Sen. Charles Schumer, a New York Democrat, told Reuters that he had been informed by the Senate Rules Committee that the data tapes were likely stolen off a commercial plane by baggage handlers.

"Whether it is identity theft, terrorism or other theft, in this new and complicated world baggage handlers should have background checks and more care should be taken for who is hired for these increasingly sensitive positions," he added.

Bank of America declined to reveal how many GSA accounts they handle but a spokeswoman said federal law enforcement is investigating the loss.

The financial giant said it has sent out a letter to inform its GSA cardholders whose information may have been on the tapes.

"So far no evidence to suggest the tapes have been accessed or misused," said Eloise Hale, spokeswoman for Bank of America. "The tapes are now presumed lost."


Loan records vanish

1.3 million files include Texas students' names, Social Security numbers


June 2, 2006 - By PETE SLOVER - The Dallas Morning News


AUSTIN – Don't breathe easy just because your student loans are long paid off: Names and Social Security numbers from accounts closed more than a decade ago were among at least 1.3 million records recently lost by a computer contractor for the Texas student loan company.

The Texas Guaranteed Student Loan Corp., created in 1979, urged anybody who has ever borrowed through the agency to verify whether his or her records were among those on an unspecified piece of computer equipment that disappeared May 24. "I think anybody who has concerns should go ahead and contact our call center," spokeswoman Kristin Boyer said.

The toll-free number is 1-800-530-0626. The corporation has also set up a Web site instructing affected individuals how best to prevent identity theft if the missing information falls into criminal hands. Go to www.tgslc.org and click on "Customer Data."

Ms. Boyer said the corporation is required by state and federal laws to keep records for at least five years after loans are paid off, longer for loans that had delinquencies, she said.

There is no time limit after which dormant records are purged, she said. And, she added, records imported from older computer systems are sometimes unable to be indexed or sorted by date, making it technologically impractical to purge data on that basis.

The nonprofit corporation, created by the Legislature to administer federal student loan programs, answers to lawmakers and a board made up of the state comptroller and 11 members appointed by the governor. "Governor Perry is concerned about the compromise of personal data and expects the agency to take swift action to rectify the problem and prevent future incidents," Perry spokeswoman Rachael Novier said.

The Round Rock-based loan corporation said in its press release that all of its security procedures were followed and that the data was decrypted and left unsecured only while in the possession of the contractor, Toronto-based Hummingbird Ltd.

Both companies were purposely vague about the circumstances of the breach, declining to release information about the nature of the "device" containing the data, the city in which it was lost or the circumstances of the loss.

"We don't want to create a scavenger hunt by those that would abuse the data," Ms. Boyer said. "As of now, we have no indication that this data has been accessed."

This much was reported by the loan corporation and Hummingbird, which was working on a data management project:

In January, the loan corporation prepared and encrypted a series of files containing the sensitive information.

Sometime after that, those files were downloaded by a Hummingbird employee, who decrypted them and stored them on some sort of device that was "subsequently lost." That device is password-protected, Hummingbird said.

A spokesman for Hummingbird declined to expand on a news release in which the company said it "has no reason to believe that the piece of equipment has been stolen to gain access to confidential data."

"Given the technology that would be required to retrieve the data, Hummingbird believes that any misuse of the data is extremely unlikely," the release said. "However, Hummingbird has exhausted every possibility to recover the equipment and has filed a lost property report with the police."

That police report could not be located because the companies declined to identify which of Hummingbird's offices around the world was involved. Ms. Boyer said it was one of the firm's nine U.S. locations, which include a Dallas office.

There might be fewer than 1.3 million people affected by the breach because some of the records are likely duplicates of borrowers with more than one loan, Ms. Boyer said.

The current estimate of missing records represents about 10 percent of the company's borrowers. The number might rise, she said, because the companies are still working to identify which files were on the missing apparatus.

Because of that, the loan company said it is important for clients to call in and update their addresses so they can be notified if the companies learn more about which records were affected or if the case is solved.

E-mail pslover@dallasnews.com




Two IT execs at Ohio University fired after data breaches

The personal data on thousands of students was exposed

Todd R. Weiss August 04, 2006 (Computerworld)

Two top IT officials at Ohio University (OU) who were suspended in June in connection with data security breaches at the school in recent months were fired yesterday.

In a statement, the Athens, Ohio-based school announced that Tom Reid, the university's director of communication network services, and Todd Acheson, the manager of Internet and systems for the school, were dismissed in the wake of the breaches -- including one that exposed personal information on 137,000 alumni.

The firings come three weeks after the school's CIO, William Sams, resigned following the disclosure of the security breaches. Sams is continuing to serve as CIO until the university hires his replacement.

In two-page termination letters to Reid and Acheson, Sams said, "It has become clear from my analysis that you clearly should have foreseen the risks and consequences of IT security breaches, and also should have taken a much more responsible role in securing the wide area and local area networks under your responsibility."

In a statement, Reid said he is "disappointed by Ohio University's decision ... to fire me after 22 years of dedicated and exemplary service. By firing me the University is wrongfully damaging my credibility and professional standing on a global scale. To single me out as being responsible for the recent data thefts is simply not supported by the facts or by industry-leading advice on securing information at large, research intensive universities."

Reid was also critical of a recent consultant's report that looked into the university's security breaches, saying it contained errors and that the supporting documentation used to create it had been destroyed, giving him no ability to review the case. The destruction of such records is in violation of Ohio public records laws, he said.

Frederick Gittes, a Columbus, Ohio-based attorney representing Acheson, called the firings "a disgraceful, disgusting coverup." "The computers hacked at OU were not in Acheson's area of responsibility, yet somehow he is being blamed," Gittes said. "The same is true of Tom Reid."

Gittes said Acheson will file an administrative appeal of his firing to try to get his job back. "We are exploring other possible legal action," he said. "These two guys' careers are being trashed and it is totally ridiculous."

Last week, the university announced a 20-point plan to improve information security at the school, which has about 16,640 undergraduate students and 862 full-time faculty members on its Athens campus.

The initiatives that are scheduled to be completed over the next nine to 12 months include the installation of a perimeter firewall, implementation of a system to classify data by the level of security required and an effort to reduce the use of Social Security numbers at the university. When Social Security numbers are needed, the school plans to encrypt them. Also planned is the reorganization of the school's central IT organization to establish clear roles and responsibilities for each division.

The initiatives are expected to cost between $5.5 million and $8 million.

The changes at OU follow a review of an independent report commissioned to assess the university's IT security practices. The first breach involved a server containing patent data and intellectual property files at the university's Innovation Center. That breach was discovered when the FBI told the university it had been provided with disk drives from the server.

A few days later, IT officials noticed that a server supporting alumni relations and development had been compromised and was being used to launch distributed denial-of-service attacks against an external target. That breach -- which had remained undiscovered for more than a year -- prompted the university to notify alumni of the potential compromise of their Social Security numbers and other personal data.

Then, on May 4, the university discovered that a system belonging to its Hudson Health Center had been broken into, potentially exposing Social Security numbers, dates of birth, patient IDs and clinical information on nearly 60,000 current and past students and faculty.

The discovery of the three break-ins prompted the school's IT organization to bring in outside experts to conduct a sweeping review of systems housed in the school's Computer Services Center. The review led to the discovery of two more breaches: One involved a computer that contained IRS 1099 forms for nearly 2,500 vendors and contractors that had done work for the university in 2004 and 2005; the other involved a computer that hosted a variety of Web-based forms, including some that processed online business transactions.


