Running Total for 2007 as of February 12th - a minimum of
Individual Records Were Illegally Breached. The National Pandemic of Stupidity Continues... Are You on the List?
Monday, February 12, 2007
When everything is said and done and they actually do find the hard drive in some black market stall, they will undeniably announce like they did last time that "the data has not been accessed" although we know this statement to be a lie since there is absolutely no way of knowing whether or not the data was accessed, copied or ghosted to another hard drive.
How about a full-blown press conference, Mr. Nicholson - say at 2:00PM on a Wednesday - with 2 business days' notice to the national and local press, full disclosure of all events and facts, and a question & answer period at the end? I am sure you could find time in your schedule to enlighten the American people who pay your salary and actually fund the VA.
This update pegged the number of VA individuals affected at 535,000 (not the 48,000, with only 20,000 records "unencrypted", as stated previously), and the real shocker this time is that there were additional NON-VA records on 1.3 million private physicians, although the VA states that only "some of the files contain personal information".
Whom and what to believe are the real questions here. The VA should know by now, after 4 weeks, exactly what information was on the hard drive and should disclose everything - not just feed us bit by bit hoping that no one will put the information together.
VA Update on Missing Hard Drive in Birmingham, Ala
11 Feb 2007, 5:37 PM CST
WASHINGTON -- The Department of Veterans Affairs (VA) on Sunday issued an update on the information potentially contained on a missing government-owned, portable hard drive used by a VA employee at a Department facility in Birmingham, Ala.
“Our investigation into this incident continues, but I believe it is important to provide the public additional details as quickly as we can,” said Jim Nicholson, Secretary of Veterans Affairs. “I am concerned and will remain so until we have notified those potentially affected and get to the bottom of what happened.
“VA will continue working around the clock to determine every possible detail we can,” Nicholson said.
VA and VA’s Office of Inspector General have learned that data files the employee was working with may have included sensitive VA-related information on approximately 535,000 individuals. The investigation has also determined that information on approximately 1.3 million non-VA physicians — both living and deceased — could have been stored on the missing hard drive. It is believed though, that most of the physician information is readily available to the public. Some of the files, however, may contain sensitive information.
VA continues to examine data on the employee’s work computer. The employee has been placed on administrative leave pending the outcome of the investigation. VA has no information the data has been misused.
The non-VA physician data is used by VA to enhance the quality of care for veterans by analyzing and comparing information about the health care received from VA and non-VA providers.
Next week, VA will begin making notifications to individuals whose sensitive information may have been on the hard drive. VA is also making arrangements to provide one year of free credit monitoring to those whose information proves compromised.
“VA is unwavering in our resolve to bolster our data security measures,” Nicholson added. “We remain focused on doing everything that can be done to protect the personal information with which we are entrusted.”
On January 22, the employee, who works at the Birmingham (Ala.) VA Medical Center, reported the external hard drive was missing. On January 23, VA’s IG was notified. The OIG opened a criminal investigation, sent special agents to the medical center, and notified the FBI. VA’s Office of Information & Technology in Washington, D.C. also dispatched an incident response team to investigate.
The OIG seized the employee’s work computer and began analyzing its contents. This analysis continues and VA IT staff has been providing technical support.
In addition to the ongoing criminal investigation, the OIG initiated an administrative investigation to determine how such an incident could occur.
VA is operating a call center that individuals can contact to get information about this incident. That toll-free number is 1-877-894-2600. The call center will operate every day from 7 a.m. to 9 p.m. CST as long as it is needed.
Monday, February 05, 2007
Why was the data only partially encrypted? According to testimony before Congress by Director Jim Nicholson, ALL private data was to be encrypted on VA computers.
Why would the VA allow a "backup" from the employee's computer when the data is only supposed to be on a secure VA server?
There is an untold tale that will eventually surface regarding the rest of the story. We'll be waiting.
Congress passed sweeping legislation in 1999 to require "financial institutions" to protect their customers' data. While traditional tax preparers aren't considered financial institutions, they do collect and warehouse private financial data and ARE subject to this rule.
Even though you "think" it may not apply to you, read on... It very well might.
See below for information from the following publication:
In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act
EXEMPTIONS FOR CPA's - ONLY FROM PRIVACY REPORTING REQUIREMENT.
Protecting the privacy of consumer information held by "financial institutions" is at the heart of the financial privacy provisions of the Gramm-Leach-Bliley Financial Modernization Act of 1999. The GLB Act requires companies to give consumers privacy notices that explain the institutions' information-sharing practices. In turn, consumers have the right to limit some - but not all - sharing of their information.
Here's a brief look at the basic financial privacy requirements of the law.
The GLB Act applies to "financial institutions" - companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance. The Federal Trade Commission has authority to enforce the law with respect to "financial institutions" that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and state insurance authorities. Among the institutions that fall under FTC jurisdiction for purposes of the GLB Act are non-bank mortgage lenders, loan brokers, some financial or investment advisers, tax preparers, providers of real estate settlement services, and debt collectors. At the same time, the FTC's regulation applies only to companies that are "significantly engaged" in such financial activities.
The law requires that financial institutions protect information collected about individuals; it does not apply to information collected in business or commercial activities.
CPAs Exempt from Gramm-Leach-Bliley Act Privacy Notification Requirement
Press Release from the AICPA, Washington, DC, October 13, 2006—The President today signed a bill that exempts certified public accountants from the Gramm-Leach-Bliley Act’s requirement that CPAs send their clients an annual privacy notice. The exemption is effective immediately.
Thank you George Toft from http://www.MyITAZ.com for bringing this to our attention.
Tax Preparers are, however, NOT currently exempt from the Security Rule of 15 U.S.C. Sec. 6801, which states:
(b) Financial institutions safeguards
In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards -
(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
Computer Data Theft - Data Breach - Unencrypted Data
Governing Privacy Law or Rule - GLBA, State Laws
Reporter: Kari Huston - www.wndu.com
Thief Steals Tax Records
Eight hundred people are in jeopardy of having their credit ruined, because thieves in the night stole their personal information from a Cassopolis tax preparer.
“I come around here and my computer is gone. My hard drive is gone. I went hysterical,” recalls Carlotta Kirstein. “I screamed, ‘I’ve been robbed!’”
Kirstein owns CTS tax service on Highway M-62. Since 1985 she has been preparing returns for clients in Cassopolis, Edwardsburg, Elkhart, Ohio, Virginia, Illinois and Washington.
She believes someone knew her computer possessed valuable information. “I had money in here. I had checks and nothing was taken, just the computer,” says Kirstein. “If it would only concern me, if it would only affect my life it would be fine, but this is 800 people's lives. That's kind of sad. All their information is on there, bank accounts routing numbers, birthdays, social security numbers, addresses, everything is on there.”
Between 1:00 a.m. and 3 a.m. a neighbor saw headlights in the CTS parking lot. Footprints in the snow led police to believe that more than one person broke in the back door. “We're urging anyone who had an account with CTS to contact the credit bureaus and put a fraud alert on, as well as contact their banking institutions,” suggests Captain Lindon Parrish of the Cass County Sheriff’s Department.
“I'm putting flags on my accounts,” says CTS client Vicki Vaughn. “I have to change some of the accounts right now because they said they cannot do it over the phone.”
Carlotta is offering a $5,000 reward to help catch the thieves. If those people are watching, Carlotta would like to say, “Shame on you! How can you do this to somebody else? How can you do this?” And to anyone who may know who did this, “please come forward,” she pleads. “Please tell, too many lives depend on this.”
To report information that could lead to that reward call the Cass County Sheriff's Department at 269-445-1560. If you are a client of CTS and you'd like to report fraudulent activity on your accounts call 269-445-1244.
Saturday, February 03, 2007
Hard drive that may contain personal data on veterans missing in Birmingham, Ala.
ASSOCIATED PRESS - 9:12 p.m. February 2, 2007
WASHINGTON – A portable hard drive that may contain the personal information of up to 48,000 veterans may have been stolen, the Department of Veterans Affairs and a lawmaker said Friday.
An employee at the VA medical center in Birmingham, Ala. reported the external hard drive missing on Jan. 22. The drive was used to back up information on the employee's office computer. It may have contained data from research projects, the department said.
The employee also said the hard drive may have had personal information on some veterans, although portions of the data were protected. Secretary of Veterans Affairs Jim Nicholson said that the VA and the FBI are investigating.
Rep. Spencer Bachus, R-Ala., said that the personal information of up to 48,000 veterans was on the hard drive and the records of up to 20,000 of them were not encrypted.
Pending results of the investigation, VA is planning to send individual notifications and to provide a year of free credit monitoring to anyone whose information is compromised.
Credit monitoring? Same old tired response to an epidemic of stupidity. Secure the Data Already!
CEO Artemis Solutions Group
Intelligent Biometric Solutions, iQBio
February 3rd, 2006
Once again the pervasive culture of hubris, arrogance, recklessness and self-serving glad-handing at the United States Veterans Affairs Office has exposed the personal data of our fighting men and women through yet another act of stupidity regarding the protection of the personally identifiable data with which they have been entrusted.
Twice within one week, the VA announced two separate breaches: one in Bremerton, WA involving raw files that were left in an employee's car, and one in Birmingham, AL involving yet another un-encrypted portable hard drive with personally identifiable data. What DATA? Who authorized the transfer of this data to an un-encrypted, insecure drive AGAIN? How much data is on the drive?
To be perfectly clear this is at least the FIFTH BREACH of portable data that has actually come to light from the VA in the last year.
The culture of carelessness with sensitive data appears to be alive and well at the VA. Again!
Let's take a quick look back at the controversy that erupted last year in May when ANOTHER un-encrypted portable hard drive was "lost" by an unnamed VA employee. Here are the particulars and the remarkable similarities to this current breach:
Like the breach last year, this data breach was not disclosed until two weeks after the VA knew of it. The culture of denial and cover-up is alive and well at the VA.
- “I will not tolerate inaction and poor judgment when it comes to protecting our veterans,” said Nicholson, declaring that he initially left it to VA investigators rather than calling the FBI.
“I am outraged at the loss of this veterans’ data and the fact an employee would put it at risk by taking it home in violation of our policies,” he said in a statement to The Associated Press. “Upon notification, my first priority was to take all actions necessary to protect veterans from harm.” Actually... what he meant to say was upon notification his first priority was to try to mitigate the damage, minimize the impact and save his career. Everything else is window dressing.
This latest breach was reported to the department on January 23rd and, as you can guess, was not reported to the public until February 2nd, after 5:00PM on a Friday, nearly two weeks later. News stories released on a Friday traditionally have much less impact than those reported during the week, when the standard news outlets would normally devote much greater coverage to the reporting. This is especially true when the news is announced "after hours". The kicker in this report is that they announced it on Super Bowl Weekend, hoping to mitigate the effects even further while the country's attention is focused elsewhere. Distract, Evade and Mitigate Damage.
In his statements before Congress, the Secretary of Veterans Affairs, Jim Nicholson was severely rebuked for not turning this information over to the FBI immediately.
- "Sen. Patrick Leahy said President Bush should call Nicholson “into the woodshed” because of the data theft. Citing past budget problems at the VA, Leahy said Nicholson should consider resigning."
- On January 23, VA's IG was notified the external hard drive was missing. The OIG opened a criminal investigation, sent special agents to the medical center, and notified the FBI. VA's Office of Information & Technology in Washington, D.C. also dispatched an incident response team to investigate.
In his statement last year:
- "VA is revising its regulations, policies, guidelines and directives in the entire area of information technology and information security. This has been a wake up call to us, and we are working to assure that we have clear guidance for all VA employees in place, and that they are aware of what is required of them - and of the consequences, should they fail to adhere to that guidance. We are revising VA Directive 6500 which sets forth the guidelines for information security and the enforcement mechanisms pertaining to that. This is a fast track initiative, and I anticipate issuing the revised directive shortly.
But I am convinced that, coming out of a very bad situation, we can make the VA a model for data security. I believe we can craft a structure that will be the Gold Standard for the government, much as the VA's vaunted electronic medical records and health care system are being held up as a standard to be emulated."
- "VA is unwavering in our resolve to be the leader in protecting personal information, and training and educating our employees in best practices in cyber and information security," said Nicholson. "We have made considerable progress, but establishing a culture that always puts the safekeeping of veterans' personal information first is no easy task. I have committed VA to achieving such reform - and we will. This unfortunate incident will not deter our efforts, but it underscores the complexity of the task we have undertaken."
The VA's own website states the following while they were trying to mitigate the public relations damage over the last breach:
Since the incident, all VA employees have received training in the proper handling of sensitive information and laptop computers throughout the department have had reliable data encryption programs installed.
This prose to please the proletariat is expected, but where is the BEEF? If this statement were true, and all relevant department policies were followed, why did we have the loss of the un-encrypted hard drive in Birmingham and the theft of RAW FILES in Bremerton, WA last week? You can encrypt the laptops, but if the data itself is not encrypted, what good does it do? The moment that data is copied off the laptop onto a backup drive or a stack of paper, the laptop's encryption protects nothing. There are some serious questions to answer at the leadership level in the VA.
Here are some relevant issues that were uncovered as a result of the last data breach and the resulting cover-up:
James Nicholson's testimony before Congress in June 2006:
- "As I stated in my testimony before both the House and Senate Committees on Veterans' Affairs last month, I am outraged at the theft of this data and the fact an employee would put it at risk by taking it home in violation of VA policies. I am also gravely concerned about the timing of the Department's response once the burglary became known." This time they again waited almost two weeks to inform the public. Evidently he wasn't outraged enough.
- "I have initiated several actions to determine how to best strengthen our privacy and data security programs. On May 24, 2006, we launched the Data Security-Assessment and Strengthening of Controls program, a high priority, focused plan to strengthen our data privacy and security procedures. This program will minimize the risk of a re-occurrence of incidents similar to this recent breach, and seeks to remedy material weakness that could place sensitive information at risk.
One existing Security Guideline, Security Guideline for Single-User Remote Access, describes appropriate security measures for mobile or fixed computers used to process, store, or transmit information or connect to VA IT systems when such computers are housed in an alternate work location. It identifies and recommends the minimally acceptable security controls when VA personnel use anything other than a direct connected, VA-controlled local area network (LAN) connection to perform VA information processing. Examples include people that are on travel, telecommuting or working from alternate work locations. This document requires that any data not stored on our systems be encrypted and password protected. If this is true and the policy was circumvented, these employees should be fired along with Mr. Nicholson.
Point TWO: BOTH Employees that recklessly handled this data in violation of the above mentioned policies should be fired.
Point THREE: STRICT POLICIES of limiting access to ONLY individuals that have a need to use this information for the service of the VA Clients need to be implemented and enforced.
Point FOUR: ANYONE having access to individually identifiable data must undergo on-going security clearances. The data analyst in last year's breach did not have the required on-going security clearance reviews. None. Ever.
Point FIVE: Encrypt and secure access to the data with reporting and tracking capability.
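The point made above about encrypting laptops versus encrypting the data, and Point FIVE's call to encrypt the data itself, come down to one design rule: the export file is sealed before it is written anywhere, so a copy that ends up on a lost portable drive is useless without a key that never travels with it. The following Go program is an added example written for this post; it is not code from the VA, from Artemis Solutions Group or from any VA directive. It uses AES-256-GCM from the Go standard library, binds a non-secret label (here a constructed facility name and record count) to the ciphertext as associated data so the label cannot be swapped between files, and refuses to open a copy that has been altered. Key generation and storage on a controlled host are assumed to exist outside this program; the record line is constructed sample data.

```go
package main

// Added example (not from the original post or from the VA). The export is
// sealed with AES-256-GCM before it is written anywhere; a copy of the sealed
// file on a lost portable drive is useless without the key, and any
// modification to it is detected on open. Key handling (generation, storage on
// a controlled host) is assumed to be provided by the organisation and is not
// modelled here.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedExport is the only form of the export that may leave a controlled
// system: nonce and ciphertext, plus a label that is authenticated but not
// secret (for example, which facility produced the file and how many records
// it holds).
type SealedExport struct {
	Label      string
	Nonce      []byte
	Ciphertext []byte
}

// newGCM wraps a 32-byte key in AES-256-GCM. Any other key length is refused
// rather than silently accepted as AES-128 or AES-192.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a fresh random nonce and binds label as
// associated data, so the label cannot be moved onto another export without
// failing authentication.
func Seal(key []byte, label string, plaintext []byte) (*SealedExport, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &SealedExport{
		Label:      label,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(label)),
	}, nil
}

// Open decrypts a sealed export. It returns an error, and no plaintext, if the
// key is wrong or if nonce, ciphertext or label were altered.
func Open(key []byte, s *SealedExport) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(s.Label))
}

// NewKey returns a fresh random AES-256 key. In practice the key lives on a
// controlled system or in a key store, never beside the sealed file.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real data.
	records := []byte("id=000001,name=SAMPLE VETERAN,ssn=000-00-0000\n")
	sealed, err := Seal(key, "sample-facility-export,records=1", records)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes; this is all a copy on a portable drive would hold\n", len(sealed.Ciphertext))

	// Simulate a tampered copy: one flipped bit makes Open refuse the file.
	tampered := *sealed
	tampered.Ciphertext = append([]byte(nil), sealed.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	if _, err := Open(key, &tampered); err != nil {
		fmt.Println("tampered copy rejected:", err)
	}

	plain, err := Open(key, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("opened on a controlled host: %q\n", plain)
}
```

The tracking half of Point FIVE follows from the same structure: because the file can only be opened where the key is, every successful Open happens on a host the organisation controls and can log, which is exactly what a backup drive in a desk drawer cannot offer.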
The VA has been lax in its stewardship, warehousing and use of the data with which they are entrusted. This unauthorized release of this data is a threat to both personal liberty and national security. Look at our previous blog on this last year for clarification of this issue and the evasion, deception and progressive clarifications by the VA.
The VA implemented Directive 6500 on August 4th, 2006 which requires Department-wide compliance with the Federal Information Security Management Act of 2002, 44 U.S.C. §§ 3541-3549. This directive specifically requires the implementation of best practices with regard to data integrity and transparency when data is breached. Have we seen the last of the "updates" from the VA? We'll be watching and waiting for the other shoe to drop. How about a different message - SECURE THE DATA ALREADY?
Portable Hard Drive Theft - Portable Data Breach - Unencrypted Data
Medical Data and Personal Identifying Data
Veterans (Current and Former?) Data Stolen AGAIN!???
Governing Privacy Law or Rule - HIPAA, Federal Information Security Management Act of 2002, 44 U.S.C. §§ 3541-3549, State Laws
WASHINGTON (Feb. 2, 2007) -- The Department of Veterans Affairs (VA) today announced that an employee reported a government-owned, portable hard drive used by the employee at a Department facility in Birmingham, Ala. and potentially containing personal information about some veterans is missing and may have been stolen.
"I am concerned about this report," said Jim Nicholson, Secretary of Veterans Affairs. "VA's Office of Inspector General and the FBI are conducting a thorough investigation into this incident. VA's Office of Information and Technology is conducting a separate review. We intend to get to the bottom of this, and we will take aggressive steps to protect and assist anyone whose information may have been involved."
On January 22, the employee at the Birmingham VA Medical Center reported that an external hard drive was missing. The hard drive was used to back up information contained on the employee's office computer, and may have contained data from research projects the employee was involved in. The employee also indicated the hard drive may have contained personal identifying information on some veterans, but asserts that portions of the data were protected. Investigators are still working to determine the scope of the information potentially involved.
On January 23, VA's IG was notified the external hard drive was missing. The OIG opened a criminal investigation, sent special agents to the medical center, and notified the FBI. VA's Office of Information & Technology in Washington, D.C. also dispatched an incident response team to investigate.
The OIG has seized the employee's work computer and is in the process of analyzing its contents. VA IT staff is providing technical support in this effort. Analyzing the work computer may help investigators determine the nature of the information the hard drive potentially contained.
Pending results of the investigation, VA is prepared to send individual notifications and provide one year of free credit monitoring to those whose information proves compromised.
In addition to the ongoing criminal investigation, the OIG has initiated an administrative investigation to determine how such an incident could occur. VA will provide further updates as the investigation produces additional information.
"VA is unwavering in our resolve to be the leader in protecting personal information, and training and educating our employees in best practices in cyber and information security," said Nicholson. "We have made considerable progress, but establishing a culture that always puts the safekeeping of veterans' personal information first is no easy task. I have committed VA to achieving such reform - and we will. This unfortunate incident will not deter our efforts, but it underscores the complexity of the task we have undertaken."
Thursday, February 01, 2007
Network Security Breach - Unencrypted Data
Workers comp data stolen
Workers Compensation Database Stolen
A former state contractor allegedly accessed a workers' compensation database to steal personal information and fraudulently obtain credit, the Department of Industrial Accidents announced today.
The agency said up to 1,200 people who had submitted workers' compensation claims to the state -- and their Social Security numbers -- may have been compromised, although officials have evidence that only three people had their personal information used improperly.
The worker, who was not immediately identified, was fired, arrested and charged with identity fraud. Law enforcement officials notified the agency of the alleged breach.
"The DIA has taken swift action to inform the public and the 1,200 individuals potentially affected by this situation," the agency said in a statement. "DIA has sent written notifications directly to the potentially impacted claimants. In addition, DIA has posted information on its web site and established a telephone hotline to address claimant concerns."
The statement added: "All of us at the Department of Industrial Accidents deeply regret what happened. We take our public trust very seriously and we are taking immediate steps to ensure that this situation does not happen again."
The hotline number is 1-800-323-3249, ext. 560. (AP)
Posted by Boston Globe Business Team at 12:27 PM
Bank files class-action lawsuit against retailer
WASHINGTON -- TJX has been hit with a second class-action lawsuit over the theft of customer credit card data by computer hackers.
The Boston Globe reports that Alabama-based AmeriFirst Bank filed the suit in U.S. District Court. The bank is seeking to recover the costs of replacing compromised credit cards and covering fraudulent purchases.
Other banks and financial institutions could join in the suit.
The Globe says the Massachusetts Credit Union League is also asking Framingham-based TJX to reimburse credit unions for the costs of reissuing credit cards.
A class-action lawsuit was filed earlier this week on behalf of consumers.
Meanwhile, Massachusetts Congressman Ed Markey has asked the Federal Trade Commission to investigate the security breach.
(Copyright 2007 by The Associated Press. All Rights Reserved.)
Network Security Breach - Unencrypted Data
Vermont State Government
70,000 Records - Bank Records, Social Security Numbers, Personal Information
Governing Privacy Law or Rule - GLBA, State Laws
Vermont State was warned of potential computer security breach
(iQBio Commentary - "AN UNSECURED COMPUTER DIRECTLY ON THE INTERNET WITH SENSITIVE DATA?" This is the absolute pinnacle of stupidity. Anyone involved with this breach should be fired, sued and promptly run out of town.)
MONTPELIER, Vt. --A Microsoft security patch was downloaded but not installed on a state computer that hackers later broke into, gaining access to names, Social Security numbers and bank account information for nearly 70,000 people, an official confirmed Tuesday.
An internal state report on the hacking incident says Microsoft, a national computer security institute and "even the Department of Homeland Security all gave special priority to the application of this patch in order to fix the vulnerabilities ... that unauthorized attackers could gain control of a system."
The report goes on to say the patches released in August "were downloaded but never applied on this system."
The finding was contained in the report on an incident in which hackers broke into a computer that was set up to track the finances of noncustodial parents three or more months behind on child support payments.
Banks are required by federal law to provide quarterly reports on the finances of people who owe back child support. One of nine affected banks, New England Federal Credit Union, twice provided the information not just on child support deadbeats, but on nearly all of its roughly 59,000 members. The compromised computer contained that information, officials said.
The internal state report was chock full of technical information and computer terminology, but made repeated references to two things: worms, which are bits of computer programming that burrow into a computer; and Trojans, which allow someone from as far away as China to tell the computer to execute specific commands, including sending its data over the Internet.
As they announced the breach of the state Office of Child Support computer on Monday, state officials emphasized that the attacks appeared to have been launched automatically by hackers targeting hundreds or thousands of computers on the Internet, looking for vulnerabilities.
"It was an automated attack, which I think is critically important, and not a targeted attack by an individual," Human Services Secretary Cynthia LaWare said Monday.
The internal state report pointed to more direct personal involvement.
"Although it is not clear prior to September 12th whether or not this server was in the control of a human being (as opposed to merely being passively infected with worms containing Trojans) it is very likely following this date that the server was under the control of a person," the report says. The parenthetical phrase was contained in its text.
Thomas Murray, commissioner of the Department of Information and Innovation, said officials continued to believe that "somewhere somebody is launching this thing at hundreds of computers, but it's not Joe Hacker (getting) into a system and transmitting files."
Murray said officials do not believe the infectious programs were allowed to spread to other state computers; most are inside a "firewall" with sufficient security to have rebuffed any attacks. In fact, Murray said, technicians spotted the security breach in December when the viruses that had infected the child support computer began trying to spread to others on the system.
The state report says the first evidence of successful hacking came Aug. 18, 10 days after Microsoft issued its security patch. Initially, the report says, the state computer was "most likely compromised by an unknown autonomous worm exploiting a known vulnerability" -- the one described by Microsoft on Aug. 8.
Officials continued to say Tuesday that, while there was no evidence that sensitive personal data had been taken from the state computer, there also was no way to show that had not happened. The state was sending out letters to people whose information was compromised, said Heidi Tringe, spokeswoman for the Agency of Human Services.
"All of the affected individuals needed to be notified and provided suggestions on how they should protect themselves," Tringe said.
At New England Federal Credit Union, CEO David Bard said extra telephone call takers were being brought in to handle consumer inquiries. "Our focus is really on trying to provide resources to our members."
Meanwhile, a Norwich University computer security expert on Tuesday said it was "amazing" that the state had stored the sensitive data on a computer with such limited security protection.
"We haven't put unprotected computers directly on the Internet in this type of scenario for more than 10 years," said Peter Stephenson, a professor, computer security expert and senior scientist at Norwich's Applied Research Institute. "We're not talking about new technology here."