Running Total for 2007 as of February 12th - a minimum of
Individual Records Were Illegally Breached. The National Pandemic of Stupidity Continues... Are You on the List?
Monday, February 12, 2007
When everything is said and done and they actually do find the hard drive in some black market stall, they will undeniably announce like they did last time that "the data has not been accessed" although we know this statement to be a lie since there is absolutely no way of knowing whether or not the data was accessed, copied or ghosted to another hard drive.
How about a full-blown press conference Mr. Nicholson - say at 2:00PM on a Wednesday - with 2 business days' notice to the national and local press, full disclosure of all events and facts and a question & answer period at the end? I am sure you could find time in your schedule to enlighten the American people that pay your salary and actually fund the VA.
This update pegged the number of VA individuals affected at 535,000 (not the 48,000, with only 20,000 records "unencrypted", as stated previously), and the real shocker this time is that there were additional NON-VA records of 1.3 million private physicians, although the VA states that only "some of the files contain personal information".
Whom and what to believe are the real questions here. The VA should know by now, after 4 weeks, exactly what information was on the hard drive and should disclose everything - not just feed us bit-by-bit hoping that no one will put the information together.
VA Update on Missing Hard Drive in Birmingham, Ala
11 Feb 2007, 5:37 PM CST
WASHINGTON -- The Department of Veterans Affairs (VA) on Sunday issued an update on the information potentially contained on a missing government-owned, portable hard drive used by a VA employee at a Department facility in Birmingham, Ala.
“Our investigation into this incident continues, but I believe it is important to provide the public additional details as quickly as we can,” said Jim Nicholson, Secretary of Veterans Affairs. “I am concerned and will remain so until we have notified those potentially affected and get to the bottom of what happened.
“VA will continue working around the clock to determine every possible detail we can,” Nicholson said.
VA and VA’s Office of Inspector General have learned that data files the employee was working with may have included sensitive VA-related information on approximately 535,000 individuals. The investigation has also determined that information on approximately 1.3 million non-VA physicians — both living and deceased — could have been stored on the missing hard drive. It is believed though, that most of the physician information is readily available to the public. Some of the files, however, may contain sensitive information.
VA continues to examine data on the employee’s work computer. The employee has been placed on administrative leave pending the outcome of the investigation. VA has no information the data has been misused.
The non-VA physician data is used by VA to enhance the quality of care for veterans by analyzing and comparing information about the health care received from VA and non-VA providers.
Next week, VA will begin making notifications to individuals whose sensitive information may have been on the hard drive. VA is also making arrangements to provide one year of free credit monitoring to those whose information proves compromised.
“VA is unwavering in our resolve to bolster our data security measures,” Nicholson added. “We remain focused on doing everything that can be done to protect the personal information with which we are entrusted.”
On January 22, the employee, who works at the Birmingham (Ala.) VA Medical Center, reported the external hard drive was missing. On January 23, VA’s IG was notified. The OIG opened a criminal investigation, sent special agents to the medical center, and notified the FBI. VA’s Office of Information & Technology in Washington, D.C. also dispatched an incident response team to investigate.
The OIG seized the employee’s work computer and began analyzing its contents. This analysis continues and VA IT staff has been providing technical support.
In addition to the ongoing criminal investigation, the OIG initiated an administrative investigation to determine how such an incident could occur.
VA is operating a call center that individuals can contact to get information about this incident. That toll-free number is 1-877-894-2600. The call center will operate every day from 7 a.m. to 9 p.m. CST as long as it is needed.
Monday, February 05, 2007
Why was the data only partially encrypted? According to testimony before Congress by Director Jim Nicholson, ALL private data was to be encrypted on VA computers.
Why would the VA allow a "backup" from the employee's computer when the data is only supposed to be on a secure VA Server?
There is an untold tale that will eventually surface regarding the rest of the story. We'll be waiting.
Congress passed sweeping legislation in 1999 to require "financial institutions" to protect their customers' data. While traditional tax preparers aren't considered financial institutions, they do collect and warehouse private financial data and ARE subject to this rule.
Even though you "think" it may not apply to you, read on... It very well might.
See below for information from the following publication:
In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act
EXEMPTIONS FOR CPAs - ONLY FROM PRIVACY REPORTING REQUIREMENT.
Protecting the privacy of consumer information held by "financial institutions" is at the heart of the financial privacy provisions of the Gramm-Leach-Bliley Financial Modernization Act of 1999. The GLB Act requires companies to give consumers privacy notices that explain the institutions' information-sharing practices. In turn, consumers have the right to limit some - but not all - sharing of their information.
Here's a brief look at the basic financial privacy requirements of the law.
The GLB Act applies to "financial institutions" - companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance. The Federal Trade Commission has authority to enforce the law with respect to "financial institutions" that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and state insurance authorities. Among the institutions that fall under FTC jurisdiction for purposes of the GLB Act are non-bank mortgage lenders, loan brokers, some financial or investment advisers, tax preparers, providers of real estate settlement services, and debt collectors. At the same time, the FTC's regulation applies only to companies that are "significantly engaged" in such financial activities.
The law requires that financial institutions protect information collected about individuals; it does not apply to information collected in business or commercial activities.
CPAs Exempt from Gramm-Leach-Bliley Act Privacy Notification Requirement
Press Release from the AICPA, Washington, DC, October 13, 2006—The President today signed a bill that exempts certified public accountants from the Gramm-Leach-Bliley Act’s requirement that CPAs send their clients an annual privacy notice. The exemption is effective immediately.
Thank you George Toft from http://www.MyITAZ.com for bringing this to our attention.
Tax Preparers are however NOT currently exempt from the Security Rule of 15 U.S.C. Sec. 6801 - which states:
(b) Financial institutions safeguards
In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards -
(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
Computer Data Theft - Data Breach - Unencrypted Data
Governing Privacy Law or Rule - GLBA, State Laws
Reporter: Kari Huston - www.wndu.com
Thief Steals Tax Records
Eight hundred people are in jeopardy of having their credit ruined, because thieves in the night stole their personal information from a Cassopolis tax preparer.
“I come around here and my computer is gone. My hard drive is gone. I went hysterical,” recalls Carlotta Kirstein. “I screamed, ‘I’ve been robbed!’”
Kirstein owns CTS tax service on Highway M-62. Since 1985 she has been preparing returns for clients in Cassopolis, Edwardsburg, Elkhart, Ohio, Virginia, Illinois and Washington.
She believes someone knew her computer possessed valuable information. “I had money in here. I had checks and nothing was taken, just the computer,” says Kirstein. “If it would only concern me, if it would only affect my life it would be fine, but this is 800 people's lives. That's kind of sad. All their information is on there, bank accounts routing numbers, birthdays, social security numbers, addresses, everything is on there.”
Between 1:00 a.m. and 3 a.m. a neighbor saw headlights in the CTS parking lot. Footprints in the snow lead police to believe that more than one person broke in the back door. “We're urging anyone who had an account with CTS to contact the credit bureaus and put a fraud alert on, as well as contact their banking institutions,” suggests Captain Lindon Parrish of the Cass County Sheriff’s Department.
“I'm putting flags on my accounts,” says CTS client Vicki Vaughn. “I have to change some of the accounts right now because they said they can not do it over the phone.”
Carlotta is offering a $5,000 reward to help catch the thieves. If those people are watching Carlotta would like to say, “Shame on you! How can you do this to somebody else? How can you do this?” And to anyone who may know who did this, “please come forward,” she pleads. “Please tell, too many lives depend on this.”
To report information that could lead to that reward call the Cass County Sheriff's Department at 269-445-1560. If you are a client of CTS and you'd like to report fraudulent activity on your accounts call 269-445-1244.
Saturday, February 03, 2007
Hard drive that may contain personal data on veterans missing in Birmingham, Ala.
ASSOCIATED PRESS - 9:12 p.m. February 2, 2007
WASHINGTON – A portable hard drive that may contain the personal information of up to 48,000 veterans may have been stolen, the Department of Veterans Affairs and a lawmaker said Friday.
An employee at the VA medical center in Birmingham, Ala. reported the external hard drive missing on Jan. 22. The drive was used to back up information on the employee's office computer. It may have contained data from research projects, the department said.
The employee also said the hard drive may have had personal information on some veterans, although portions of the data were protected. Secretary of Veterans Affairs Jim Nicholson said that the VA and the FBI are investigating.
Rep. Spencer Bachus, R-Ala., said that the personal information of up to 48,000 veterans was on the hard drive and the records of up to 20,000 of them were not encrypted.
Pending results of the investigation, VA is planning to send individual notifications and to provide a year of free credit monitoring to anyone whose information is compromised.
Credit monitoring? Same old tired response to an epidemic of stupidity. Secure the Data Already!
CEO Artemis Solutions Group
Intelligent Biometric Solutions, iQBio
February 3rd, 2006
Once again the pervasive culture of hubris, arrogance, recklessness and self-serving glad-handing at the United States Veterans Affairs Office has exposed the personal data of our fighting men and women through yet another act of stupidity regarding the protection of personally identifiable data with which they have been entrusted.
Twice within one week, the VA announced two separate breaches. One in Bremerton, WA involving raw files that were left in an employee's car and one in Birmingham, AL involving yet another un-encrypted portable hard drive with personally identifiable data. What DATA? Who Authorized the transfer of this data to an un-encrypted insecure drive AGAIN? How much data is on the drive?
To be perfectly clear this is at least the FIFTH BREACH of portable data that has actually come to light from the VA in the last year.
The culture of carelessness with sensitive data appears to be alive and well at the VA. Again!
Let's take a quick look back at the controversy that erupted last year in May when ANOTHER un-encrypted portable hard drive was "lost" by an unnamed VA employee. Here are the particulars and the remarkable similarities to this current breach:
Like the breach last year, this data breach was not exposed for two weeks after it was known by the VA. The culture of denial and cover-up is alive and well at the VA.
- “I will not tolerate inaction and poor judgment when it comes to protecting our veterans,” said Nicholson, declaring that he initially left it to VA investigators rather than calling the FBI.
“I am outraged at the loss of this veterans’ data and the fact an employee would put it at risk by taking it home in violation of our policies,” he said in a statement to The Associated Press. “Upon notification, my first priority was to take all actions necessary to protect veterans from harm.” Actually... what he meant to say was upon notification his first priority was to try to mitigate the damage, minimize the impact and save his career. Everything else is window dressing.
This latest breach was reported to the department on January 23rd, and as you can guess, was not reported to the public until February 2nd, after 5:00PM on a Friday nearly two weeks later. News stories leaked on a Friday traditionally have much less impact than those reported during the week when the standard news outlets would normally devote much greater coverage to the reporting. This is especially true when the news is announced "after hours". The kicker in this report is that they announced it on Super Bowl Weekend, thus hoping to mitigate the effects even further while the country's attention is focused elsewhere. Distract, Evade and Mitigate Damage.
In his statements before Congress, the Secretary of Veterans Affairs, Jim Nicholson was severely rebuked for not turning this information over to the FBI immediately.
- "Sen. Patrick Leahy said President Bush should call Nicholson “into the woodshed” because of the data theft. Citing past budget problems at the VA, Leahy said Nicholson should consider resigning."
- On January 23, VA's IG was notified the external hard drive was missing. The OIG opened a criminal investigation, sent special agents to the medical center, and notified the FBI. VA's Office of Information & Technology in Washington, D.C. also dispatched an incident response team to investigate.
In his statement last year:
- "VA is revising its regulations, policies, guidelines and directives in the entire area of information technology and information security. This has been a wake up call to us, and we are working to assure that we have clear guidance for all VA employees in place, and that they are aware of what is required of them - and of the consequences, should they fail to adhere to that guidance. We are revising VA Directive 6500 which sets forth the guidelines for information security and the enforcement mechanisms pertaining to that. This is a fast track initiative, and I anticipate issuing the revised directive shortly.
But I am convinced that, coming out of a very bad situation, we can make the VA a model for data security. I believe we can craft a structure that will be the Gold Standard for the government, much as the VA's vaunted electronic medical records and health care system are being held up as a standard to be emulated."
- "VA is unwavering in our resolve to be the leader in protecting personal information, and training and educating our employees in best practices in cyber and information security," said Nicholson. "We have made considerable progress, but establishing a culture that always puts the safekeeping of veterans' personal information first is no easy task. I have committed VA to achieving such reform -- and we will. This unfortunate incident will not deter our efforts, but it underscores the complexity of the task we have undertaken."
The VA's own website states the following while they were trying to mitigate the public relations damage over the last breach:
Since the incident, all VA employees have received training in the proper handling of sensitive information and laptop computers throughout the department have had reliable data encryption programs installed.
This prose to please the proletariat is expected, but where is the BEEF? If this statement were true, and all relevant department policies were followed, why did we have the loss of the un-encrypted hard drive in Birmingham and the theft of RAW FILES in Bremerton, WA last week? You can encrypt the laptops, but if the data itself is not encrypted - what good does it do? There are some serious questions to answer at the leadership level in the VA.
Here are some relevant issues that were uncovered as a result of the last data breach and the resulting cover-up:
James Nicholson's testimony before Congress in June 2006:
- "As I stated in my testimony before both the House and Senate Committees on Veterans' Affairs last month, I am outraged at the theft of this data and the fact an employee would put it at risk by taking it home in violation of VA policies. I am also gravely concerned about the timing of the Department's response once the burglary became known." This time they again waited almost two weeks to inform the public. Evidently he wasn't outraged enough.
- "I have initiated several actions to determine how to best strengthen our privacy and data security programs. On May 24, 2006, we launched the Data Security-Assessment and Strengthening of Controls program, a high priority, focused plan to strengthen our data privacy and security procedures. This program will minimize the risk of a re-occurrence of incidents similar to this recent breach, and seeks to remedy material weakness that could place sensitive information at risk.
One existing Security Guideline, Security Guideline for Single-User Remote Access, describes appropriate security measures for mobile or fixed computers used to process, store, or transmit information or connect to VA IT systems when such computers are housed in an alternate work location. It identifies and recommends the minimally acceptable security controls when VA personnel use anything other than a direct connected, VA-controlled local area network (LAN) connection to perform VA information processing. Examples include people that are on travel, telecommuting or working from alternate work locations. This document requires that any data not stored on our systems be encrypted and password protected. If this is true and the policy was circumvented, these employees should be fired along with Mr. Nicholson.
Point TWO: BOTH Employees that recklessly handled this data in violation of the above mentioned policies should be fired.
Point THREE: STRICT POLICIES of limiting access to ONLY individuals that have a need to use this information for the service of the VA Clients need to be implemented and enforced.
Point FOUR: ANYONE having access to individually identifiable data must undergo on-going security clearances. The data analyst in last year's breach did not have the required on-going security clearance reviews. None. Ever.
Point FIVE: Encrypt and secure access to the data with reporting and tracking capability.
The VA has been lax in its stewardship, warehousing and use of the data with which they are entrusted. This unauthorized release of this data is a threat to both personal liberty and national security. Look at our previous blog on this last year for clarification of this issue and the evasion, deception and progressive clarifications by the VA.
The VA implemented Directive 6500 on August 4th, 2006 which requires Department-wide compliance with the Federal Information Security Management Act of 2002, 44 U.S.C. §§ 3541-3549. This directive specifically requires the implementation of best practices with regard to data integrity and transparency when data is breached. Have we seen the last of the "updates" from the VA? We'll be watching and waiting for the other shoe to drop. How about a different message - SECURE THE DATA ALREADY?
Portable Hard Drive Theft - Portable Data Breach - Unencrypted Data
Medical Data and Personal Identifying Data
Veterans (Current and Former?) Data Stolen AGAIN!???
Governing Privacy Law or Rule - HIPAA, Federal Information Security Management Act of 2002, 44 U.S.C. §§ 3541-3549, State Laws
WASHINGTON (Feb. 2, 2007) -- The Department of Veterans Affairs (VA) today announced that an employee reported a government-owned, portable hard drive used by the employee at a Department facility in Birmingham, Ala. and potentially containing personal information about some veterans is missing and may have been stolen.
"I am concerned about this report," said Jim Nicholson, Secretary of Veterans Affairs. "VA's Office of Inspector General and the FBI are conducting a thorough investigation into this incident. VA's Office of Information and Technology is conducting a separate review. We intend to get to the bottom of this, and we will take aggressive steps to protect and assist anyone whose information may have been involved."
On January 22, the employee at the Birmingham VA Medical Center reported that an external hard drive was missing. The hard drive was used to back up information contained on the employee's office computer, and may have contained data from research projects the employee was involved in. The employee also indicated the hard drive may have contained personal identifying information on some veterans, but asserts that portions of the data were protected. Investigators are still working to determine the scope of the information potentially involved.
On January 23, VA's IG was notified the external hard drive was missing. The OIG opened a criminal investigation, sent special agents to the medical center, and notified the FBI. VA's Office of Information & Technology in Washington, D.C. also dispatched an incident response team to investigate.
The OIG has seized the employee's work computer and is in the process of analyzing its contents. VA IT staff is providing technical support in this effort. Analyzing the work computer may help investigators determine the nature of the information the hard drive potentially contained.
Pending results of the investigation, VA is prepared to send individual notifications and provide one year of free credit monitoring to those whose information proves compromised.
In addition to the ongoing criminal investigation, the OIG has initiated an administrative investigation to determine how such an incident could occur. VA will provide further updates as the investigation produces additional information.
"VA is unwavering in our resolve to be the leader in protecting personal information, and training and educating our employees in best practices in cyber and information security," said Nicholson. "We have made considerable progress, but establishing a culture that always puts the safekeeping of veterans' personal information first is no easy task. I have committed VA to achieving such reform -- and we will. This unfortunate incident will not deter our efforts, but it underscores the complexity of the task we have undertaken."
Thursday, February 01, 2007
Network Security Breach - Unencrypted Data
Workers comp data stolen
Workers Compensation Database Stolen
A former state contractor allegedly accessed a workers' compensation database to steal personal information and fraudulently obtain credit, the Department of Industrial Accidents announced today.
The agency said up to 1,200 people who had submitted workers' compensation claims to the state -- and their Social Security numbers -- may have been compromised, although officials have evidence that only three people had their personal information used improperly.
The worker, who was not immediately identified, was fired, arrested and charged with identity fraud. Law enforcement officials notified the agency of the alleged breach.
"The DIA has taken swift action to inform the public and the 1,200 individuals potentially affected by this situation," the agency said in a statement. "DIA has sent written notifications directly to the potentially impacted claimants. In addition, DIA has posted information on its web site and established a telephone hotline to address claimant concerns."
The statement added: "All of us at the Department of Industrial Accidents deeply regret what happened. We take our public trust very seriously and we are taking immediate steps to ensure that this situation does not happen again."
The hotline number is 1-800-323-3249, ext. 560. (AP)
Posted by Boston Globe Business Team at 12:27 PM
Bank files class-action lawsuit against retailer
WASHINGTON -- TJX has been hit with a second class-action lawsuit over the theft of customer credit card data by computer hackers.
The Boston Globe reports that Alabama-based AmeriFirst Bank filed the suit in U.S. District Court. The bank is seeking to recover the costs of replacing compromised credit cards and covering fraudulent purchases.
Other banks and financial institutions could join in the suit.
The Globe says the Massachusetts Credit Union League is also asking Framingham-based TJX to reimburse credit unions for the costs of reissuing credit cards.
A class-action lawsuit was filed earlier this week on behalf of consumers.
Meanwhile, Massachusetts Congressman Ed Markey has asked the Federal Trade Commission to investigate the security breach.
(Copyright 2007 by The Associated Press. All Rights Reserved.)
Network Security Breach - Unencrypted Data
Vermont State Government
70,000 Records - Bank Records, Social Security Numbers, Personal Information
Governing Privacy Law or Rule - GLBA, State Laws
Vermont State was warned of potential computer security breach
(iQBio Commentary - "AN UNSECURED COMPUTER DIRECTLY ON THE INTERNET WITH SENSITIVE DATA?" This is the absolute pinnacle of stupidity. Anyone involved with this breach should be fired, sued and promptly run out of town.)
MONTPELIER, Vt. --A Microsoft security patch was downloaded but not installed on a state computer that hackers later broke into, gaining access to names, Social Security numbers and bank account information for nearly 70,000 people, an official confirmed Tuesday.
An internal state report on the hacking incident says Microsoft, a national computer security institute and "even the Department of Homeland Security all gave special priority to the application of this patch in order to fix the vulnerabilities ... that unauthorized attackers could gain control of a system."
The report goes on to say the patches released in August "were downloaded but never applied on this system."
The finding was contained in the report on an incident in which hackers broke into a computer that was set up to track the finances of noncustodial parents three or more months behind on child support payments.
Banks are required by federal law to provide quarterly reports on the finances of people who owe back child support. One of nine affected banks, New England Federal Credit Union, twice provided the information not just on child support deadbeats, but on nearly all of its roughly 59,000 members. The compromised computer contained that information, officials said.
The internal state report was chock full of technical information and computer terminology, but made repeated references to two things: worms, which are bits of computer programming that burrow into a computer; and Trojans, which allow someone from as far away as China to tell the computer to execute specific commands, including sending its data over the Internet.
As they announced the breach of the state Office of Child Support computer on Monday, state officials emphasized that the attacks appeared to have been launched automatically by hackers targeting hundreds or thousands of computers on the Internet, looking for vulnerabilities.
"It was an automated attack, which I think is critically important, and not a targeted attack by an individual," Human Services Secretary Cynthia LaWare said Monday.
The internal state report pointed to more direct personal involvement.
"Although it is not clear prior to September 12th whether or not this server was in the control of a human being (as opposed to merely being passively infected with worms containing Trojans) it is very likely following this date that the server was under the control of a person," the report says. The parenthetical phrase was contained in its text.
Thomas Murray, commissioner of the Department of Information and Innovation, said officials continued to believe that "somewhere somebody is launching this thing at hundreds of computers, but it's not Joe Hacker (getting) into a system and transmitting files."
Murray said officials do not believe the infectious programs were allowed to spread to other state computers; most are inside a "firewall" with sufficient security to have rebuffed any attacks. In fact, Murray said, technicians spotted the security breach in December when the viruses that had infected the child support computer began trying to spread to others on the system.
The state report says the first evidence of successful hacking came Aug. 18, 10 days after Microsoft issued its security patch. Initially, the report says, the state computer was "most likely compromised by an unknown autonomous worm exploiting a known vulnerability" -- the one described by Microsoft on Aug. 8.
Officials continued to say Tuesday that, while there was no evidence that sensitive personal data had been taken from the state computer, there also was no way to show that had not happened. The state was sending out letters to people whose information was compromised, said Heidi Tringe, spokeswoman for the Agency of Human Services.
"All of the affected individuals needed to be notified and provided suggestions on how they should protect themselves," Tringe said.
At New England Federal Credit Union, CEO David Bard said extra telephone call takers were being brought in to handle consumer inquiries. "Our focus is really on trying to provide resources to our members."
Meanwhile, a Norwich University computer security expert on Tuesday said it was "amazing" that the state had stored the sensitive data on a computer with such limited security protection.
"We haven't put unprotected computers directly on the Internet in this type of scenario for more than 10 years," said Peter Stephenson, a professor, computer security expert and senior scientist at Norwich's Applied Research Institute. "We're not talking about new technology here."
Announced January 22nd, 2007
Portable Data Breach - Stolen Laptop
Department of Veterans Affairs (AGAIN!)
By JOSH FARLEY
January 22, 2007
A locked car that had folders of veterans' identifying information was burglarized late Wednesday in downtown Bremerton, according to the Bremerton Police Department and the Seattle office of the federal Department of Veteran's Affairs.
The government-owned vehicle was broken into at a parking garage at Burwell and Pacific, and four folders of veterans' information and a government cell phone were taken, the veterans' affairs office said.
Bremerton police are investigating the car theft and the veterans office "is taking aggressive steps to protect and assist those who may be potentially affected," according to a press release.
Letters are being sent to the veterans which include information about obtaining a free credit check.
"The director's office is also reviewing policies and procedures to ensure they were followed," the press release said, "and will make whatever changes may be necessary to bolster the safeguarding of veterans' private information."
(iQBio Commentary - What the hell happened to the NEW POLICIES and PROCEDURES that were supposedly implemented after last year's 26.5 million record breach by the Dept of Veterans Affairs? Why will these agencies, corporations and arrogant fools never learn?)
FRAMINGHAM – A class action lawsuit was filed yesterday in U.S. District Court in Boston against the TJX Cos., the same day the discount retailer confronting a data breach disclosed the departure of a director and provided additional information about an ongoing investigation.
Two law firms, including Stern Shapiro Weissberg & Garin LLP of Boston, yesterday filed an 11-page complaint against the Framingham company, which announced earlier this month someone broke into its computer system last year and stole credit and debit card numbers.
The lawsuit, filed on behalf of Paula G. Mace of West Virginia, alleges TJX failed to maintain adequate computer data security, which resulted in the exposure of millions of customers’ personal financial information. The company’s actions put customers at risk for fraud and identity theft and other damages, according to the complaint.
The lawsuit was filed the same day the company took a more public role in discussing the data breach, which TJX disclosed Jan. 17. The company also said yesterday that Gary L. Crittenden resigned as a director on Wednesday. Mr. Crittenden, who is also a director at Framingham-based Staples Inc., is executive vice president and chief financial officer at American Express Co.
TJX spokeswoman Sherry Lang could not be reached for comment. She told Bloomberg News the company doesn’t comment on director resignations.
In a video message and memo posted yesterday on the company’s Web site, www.tjx.com, company officials said they waited a month to disclose the mid-December data breach to contain the problem and strengthen the company’s computer network.
TJX purchased a full-page advertisement in the Sunday Telegram and posted updated information on its Web site yesterday, including a 7-1/2 minute video from founder and Chairman Ben Cammarata.
“I regret any difficulties our customers may experience because of this incident,” Mr. Cammarata said while standing in an empty TJX store. “We want our customers to feel safe shopping in our stores and I really believe you are.”
The company said its investigation has determined that customer transactions at its Bob’s Stores were not involved in the data breach and that debit cards issued by Canadian banks also were not affected.
He said TJX has decided not to pay for any credit monitoring because such a service doesn’t detect fraud on debit or credit cards. He also said identity theft as a result of the data breach is unlikely because the vast majority of the stolen information did not include names or addresses. He reminded customers to be wary of potential scams as a result of the data breach. Customers should not provide any personal information about their bank accounts to anyone who might contact them by phone or e-mail, he said.
Contact business reporter Bob Keivra by e-mail at email@example.com.
|Posted on : Tue, 30 Jan 2007 01:24:01 GMT | Author : Berger & Montague, PC |
News Category : PressRelease
PHILADELPHIA, Jan. 29 /PRNewswire/ -- On January 29, 2007, the law firms of Berger & Montague, PC and Stern Shapiro Weissberg The complaint charges that TJX was negligent for failing to maintain adequate computer data security of customer credit and debit card data, which was accessed and stolen by a computer hacker. As a result of TJX's actions, customer information was stolen from TJX's computer network that handles a wide range of financial information for millions of customers, including credit cards, debit cards linked to checking accounts, and transactions for returned merchandise. Although TJX discovered the data breach in mid-December, 2006, it did not publicly announce the intrusion until one month later when it issued a press release on January 17, 2007. The delay harmed class members in that it prevented them from taking appropriate measures to protect their accounts.
While TJX continues to investigate the security breach, it has thus far determined that consumers who patronized TJX stores in 2003 and from mid-May through December 2006 may be affected. Because of TJX's actions, hundreds of thousands or even millions of its customers have had their personal financial information compromised, have had their privacy rights violated, have been exposed to the risk of fraud and identity theft, and have otherwise suffered damages.
The law firm of Berger & Montague, PC consists of over 70 attorneys, all of whom represent plaintiffs in complex litigation. The Berger firm has extensive experience in consumer, securities, and antitrust class action litigation, and has played lead roles in major cases over the past 30 years, which have resulted in recoveries of several billion dollars for consumers and investors. The Stern Shapiro law firm has also been successfully involved in consumer and other class action litigation.
If you have been affected by the loss of credit card or other financial data, and have any questions regarding this matter, please contact:
Berger & Montague, PC
Retailer needs to disclose more information before it is forced to
Source - Network World
'Net Insider By Scott Bradner, Network World, 01/29/07
Late last week I wrote about what retailer TJX had done wrong leading up to its recent widely reported security lapse. This week's column is about what TJX has done wrong since the lapse was discovered.
In spite of full-page ads in the Boston Globe and Boston Herald in the last two days, the extent of the security lapse is still not known because TJX has steadfastly refused to provide any concrete information. The lack of information provides fertile ground for speculation -- for example, published reports last week that as many as 30% of all New Englanders may have been impacted. On Jan. 26, TJX announced it had hired John Gilbert, formerly with Dunkin' Donuts, as chief marketing officer. Maybe he is smart enough to understand that stonewalling is the worst possible reaction to a problem. Everything will come out in the end, and in this case it may come out with the president of TJX testifying on national TV in front of Congress. It is far better to provide more information than is being requested so it does not look like you are covering up.
Maybe TJX feels it cannot do this because it is covering up. Originally TJX maintained that it delayed making a public announcement at the request of law enforcement only to later admit the delay was in part a "business decision" and now, in the ads, the company says it was "in the best interest of our customers." Yeah -- the best interest of customers was to keep them in the dark until they finished their Christmas shopping. In the end, TJX only admitted to a problem after the first Wall Street Journal report.
TJX has still not said how many cards were exposed, yet some information must exist because banks are quite busy contacting their customers and replacing cards (including my wife's). At the very least, TJX could tell its customers -- the folks whose trust it has to retain in order to stay in business -- what TJX told the banks. Delaying will increase rather than decrease the pain when the numbers do come out.
Unlike most organizations that have had similar, although far smaller, breaches, TJX has not said it would protect customers by buying credit watch services for them. I expect the company will have to do so at some point but because it is delaying so long, it's clear that protecting customers has not been a concern for TJX and it will only do so when forced.
TJX has not admitted that it was not compliant with the PCI security standards nor has the company committed to becoming compliant in the new ads. Visa's security requirements say that merchants the scale of TJX had to be compliant with the security standards by Sept. 30, 2004. If Visa had any courage it would give TJX a short fixed period of time to become compliant (say, 30 days from the breach discovery) or be stopped from accepting Visa cards.
The PCI standard requires merchants to "limit storage amount and retention time [of cardholder data] to that which is required for business, legal, and/or regulatory purposes." TJX has not said it has or will destroy the data retained in excess of this standard.
In short, TJX has said squat of any consequence. It will continue to be raked over the coals for that. It would have been so easy to do what Johnson & Johnson did after the 1982 Tylenol deaths -- get in front of the issue and stay there. But TJX decided to hide its head in the sand instead -- a very poor decision, but a good case study in what not to do.
Disclaimer: I can only guess if the Harvard Business School will develop a case study about TJX or what one would say, so the above review must be mine.
Portable Data Theft - Stolen Laptop
Salina Regional Health Center
1,100 Patients Personal Data and Medical History
Governing Privacy Law or Rule - HIPAA, State Laws
Patients' personal information threatened with computer theft
Some patients of SRHC could be at risk for identity theft
By DAVID CLOUSTON
A laptop computer containing the names, social security numbers and medical history of up to 1,100 patients is missing, putting them at risk for identity theft, and Salina Regional Health Center officials are offering a $2,000 reward for the laptop's return.
The hospital's computer was stolen along with a docking station, printer, overhead projector and other computer equipment, plus a small amount of prescription drugs, from the office of Veridian Behavioral Health, 501 S. Santa Fe., Suite 300, earlier this month.
Last week, those patients whose privacy was potentially compromised received letters from the hospital, notifying them to let their financial institutions know about the threat and to be on guard for false charges, Beth Vinson, the hospital's marketing supervisor, said Sunday.
Vinson wouldn't identify the laptop's authorized user for concern that publicly identifying him could further compromise patient privacy.
The reason the patient information was stored on the machine was because the user travels to different offices to treat patients. (iQBio Commentary - Visiting Nurses or Traveling Doctors are REQUIRED to have Encrypted Data on their Laptops and secure access with a high encryption password or biometrics according to the DSHS Standards. Why was this not done? This is a violation of a FEDERAL LAW - One that is almost never enforced)
"This person has different offices to go to, and this way when he traveled to different offices, he'd have that information available to him," Vinson said.
Vinson stressed that only patients treated by the laptop user would be at risk of having their identities stolen. At the time of the theft, the computer was shut off, and the patient information is double password protected (iQBio Commentary - most passwords are simple passwords - was this a "secure password" or two simple unsecure passwords?), she said.
"At this point, there's no information that any of the information has been breached," Vinson said.
Salina Police Department officials said Sunday that none of the missing property has been recovered, and there have been no arrests made in connection with the case.
Anyone with any information on the theft may call Salina police at 826-7210, or Crimestoppers at 825-TIPS.
The hospital has given those individuals potentially affected a phone number to call to speak with the hospital's privacy officer, Donna Vineyard, about any concerns. Vineyard directs the hospital's information management department, where medical records are stored.
"We've received about 15 calls. No one has had any problems yet," Vinson said. "But we wanted to make sure that every possible method was used, so no one is the victim of identity theft."
In the meantime, she said, the hospital's security policies on the use of laptop computers are being reviewed.
There have been laptop thefts from government offices and private companies nationwide in several high-profile cases in recent years. In December, for instance, Boeing officials reported a laptop stolen containing the names and Social Security numbers of 382,000 workers and retirees. The laptop was stolen when an employee left it unattended.
"As small as computer hard drives are now, anyone could take a hard drive and walk out of any office," Vinson said. "It's going to be a problem as long as technology improves and devices get smaller.
"We do regret it happened. We're just trying to do everything possible to make sure we find the laptop and deal with those responsible."
* Reporter David Clouston can be reached at 822-1403, or by e-mail at firstname.lastname@example.org.
Xerox - Wilsonville, OR
297 Employees Personal Data
Governing Privacy Law or Rule - HIPAA, State Laws
WILSONVILLE -- Some employees at a local Xerox plant are worried about identity theft after a laptop was stolen from a manager’s car.
The UniteHere Local 14Z Union said a computer containing employees’ personal information was stolen from a human resources manager’s car in August.
Letters were sent out to about 297 employees four months later, the union said. (4 months? Why did it take 4 months?)
Some of the employees affected said they experienced credit problems before they were informed of the theft, according to the union.
“One person had multiple cell phone accounts taken out in his name a month and a half after the theft,” said Brian Wood, Xerox employee.
“We did the right thing,” said Erin Isselmann, Xerox Spokeswoman.
Isselmann said the company wanted to investigate whether any personal information was on the laptop before informing employees.
“That was a process that took a very long time,” Isselmann said.
Xerox is offering all of those employees free credit protection for the next year.
(kgw.com Drew Mikkelsen contributed to this report)
Greenville, SC School District
1000 Employees and 100,000 Students
School district leaves personnel records behind during renovations
Governing Privacy Law or Rule - State Laws
GREENVILLE, S.C. - Boxes of personnel records - including the Social Security numbers of thousands of teachers - were accidentally left behind by the Greenville County school district when it vacated its office for renovations, officials say.
The 10 boxes held lists of every teacher employed by the district between 1972 and 1990, as well as their Social Security numbers, district spokeswoman Oby Lyles said Friday. Several other boxes contained personnel records as recent as 1998, Lyles said.
"While it seems apparent the records were left behind because they were essentially hidden and inaccessible, the district is investigating to determine responsibility and will take appropriate action," he said.
There was no evidence the records had been duplicated, Lyles said.
District officials and police searched the empty building Thursday night after The Greenville News told the district it had received an anonymous call about the boxes, which had not been located during a walkthrough of the building before it was vacated, according to an incident report.
A rear door of the building was also found to be "unsecure, due to screws keeping the locking mechanism from locking the door," the report said.
District officials will question employees and workers at the site, Lyles said.
The finding comes just two months after it was discovered that the district had sold computers containing Social Security numbers and birthdates for roughly 100,000 students and at least 1,000 employees.
The two buyers never released the information found in computers they bought at a dozen school district auctions between 1999 and last March but decided to go public with their findings after the district ignored their warnings about the information, their attorney has said.
Last month, Circuit Judge Diane S. Goodstein ordered the men and their company, WH Group, to return the computers, saying both sides had agreed to let an independent computer expert document all of the data.
Information from: The Greenville News, http://www.greenvillenews.com
Data Breach UPDATE - TJX Companies
20+ Million Records Breached
Governing Privacy Law or Rule - PCI-DSS, State Laws, Federal Wire Fraud
How to make a name for your company - and do it real well!
- Instruct Employees to Collect Unnecessary Sensitive Private Information - $ 10 per hour
- Store Sensitive Customer Data on an Un-Encrypted PC - $ 700.00
- Hole in Firewall for Hacker - $ FREE
- Realizing through news reports that the ATTORNEY GENERAL of your home state is a victim of your stupidity - PRICELESS
Attorney General Coakley victim of identity theft
BOSTON -- New Massachusetts Attorney General Martha Coakley admits to an identity crisis of sorts.
She says she's the victim of identity theft and she is taking the security breach personally.
Framingham-based retailer TJX is the latest company to have had its customer information compromised.
Potential victims number in the millions.
The thief used Coakley's information to buy a Dell computer.
Coakley says the system needs improving.
The customer data was hacked from a TJX computer system in mid-December.
If you think your private information may have been stolen, call the TJX help line.
The number is 1-866-484-6978.
Massachusetts Bankers Association Responds to TJX Companies Data Breach - Confirmed over 20 Million Individual Records Breached
Data Breach UPDATE - TJX Companies
20+ Million Records Breached
The actual depth and breadth of the TJX breach is now becoming fully known - piecemeal. While TJX appeared to have been claiming it was a victim in this breach, they understated the impact of the breach and purposefully understated their culpability in this breach. Updates from some media sources put the breach from TJX at over 20 million victims. Data that was illegally released includes credit card numbers, CVV Codes, driver's license numbers, address and phone numbers of customers. This information is specifically prohibited from being collected and stored in the manner in which it was archived at TJX by PCI-DSS (the Payment Card Industry - Data Security Standard). The collection and illegal dissemination of driver's license and other individual identifiable data with these records may expose TJX to additional liability through civil and criminal penalties, lawsuits, and other punitive measures. Why in the hell was TJX archiving the full contact records and credit card information for over 20 million people in the first place and what were they thinking by storing it on an un-encrypted computer on their network? The full depth and breadth of the stupidity involved in this breach is leaking bit-by-bit to the media. What is even more frightening is that the information stolen from TJX is now VERIFIED as being used by Identity Thieves and the sheer number of potential victims is staggering. We will have further updates as they are available on what could be the single largest commercial breach of all time with verified identity theft.
Massachusetts Bankers Association Responds to TJX Companies Data Breach
Governing Privacy Law or Rule - PCI-DSS, State Laws, Federal Wire Fraud
BOSTON--(BUSINESS WIRE)--The Massachusetts Bankers Association:
- MasterCard now Reporting Data Breaches to Banks
- Thus far, 28 Massachusetts Banks Report Compromised Cards
- Work of MBA Task Force is Underscored
- Has TJX been “Victimized?”
- Advice for Cardholders
After surveying its banks, the MBA is reporting that thus far 28 banks have been contacted by the card associations indicating that some of their card holders have had personal information that may have been exposed due to the TJX data breach. The MBA is cautioning, however, that the number is likely to grow higher as, thus far, only 48 out of 205 banks in Massachusetts have reported in to the Association.
In addition, the MBA is questioning TJX’s self-characterization as being “victimized” by the intrusion in a news release issued yesterday by the retailer.
Daniel J. Forte, CEO and president of the MBA said, “We think it’s a little odd that they would characterize themselves as victims when it appears that they may have been capturing data that is unnecessary.”
Retailers, upon processing a debit or credit card purchase -- that is, verifying that the information on a card is correct, and that customers have money or credit in their accounts -- are prohibited by card network rules from retaining that information. “After the transaction clears,” said Forte, “there is no reason to store any data.”
TJX has not indicated what data it routinely captures, but the range of problematic data includes account numbers, expiration dates, personal identification numbers, and other verification information. “The company did indicate,” said Forte, “that driver’s license information may have been captured and exposed.”
Two years ago, after a data breach that occurred at BJ’s Wholesale Club, the MBA established the New England Debit Card Task Force. The group, consisting of the banking trade associations from the New England states, individual community bankers, representatives from the American Bankers Association, the America’s Community Bankers, the Independent Community Bankers of America, and the California Bankers Association, has been meeting frequently to address this very issue and develop ways to moderate fraud.
The task force has worked closely with Visa and Mastercard, engaging in dialogue centered on protecting consumers and seeking to moderate the impact and the costs that banks must bear when such data breaches occur.
“Visa and MasterCard have both been increasing fines and penalties for retailers when violations such as this are uncovered,” said Forte.
“Moreover, in Massachusetts,” added Forte, “through the work of the Debit Card Task Force, we have been leading an effort to manage the impact of fraud on consumers and our banks when it occurs due to a retailer’s data breach. We are strongly supporting recent legislation in Massachusetts that would place the liability for the expenses that banks must bear in the hands of the retailers at fault. We hope that long term, this approach would be the motivation that retailers need to enhance the security of their systems and protect consumers, as well as your local bank. While expensive for all banks, ninety-five percent of the banks in Massachusetts are community banks, and these costs can be particularly tough for smaller banks and credit unions to absorb.”
Forte explained that when a bank must issue new cards due to a retailer’s data breach, it can add up to a significant expense considering that thousands of cards could be involved. “MasterCard, and now Visa, has in place a process for banks to make claims for the cost of re-issuing cards,” he said, “however, there is no guarantee that the full amount will be reimbursed. Additionally, there is the fraud issue. If a fraud does take place, MasterCard and Visa have a zero liability policy in place for the benefit of consumers, which is good. However, the cost is borne by the bank even if the retailer is responsible for a major violation of the card association rules resulting in fraud. Does this make sense?”
Forte added, “Bottom line, we believe it is critical that the card associations – Visa, MasterCard, etc. – and public officials carefully evaluate whether retailers should be held liable for a data breach, particularly when the information being stored is in violation of card network rules.”
The New England Debit Card Task Force, following the breach involving BJ’s Wholesale Club, began advocating a number of steps to enhance security. Its major recommendations include:
1) Notification – Giving banks the ability to notify customers on a timely basis;
2) Liability for the Fraud – Retailers should be held accountable, at present banks absorb the cost;
3) Full Reimbursement for card re-issue – This cost if not fully covered can be significant for banks;
4) Stronger Encryption Standards and Data Capture Limits – a must to protect consumers.
Although the MBA expects the number of banks and exposed cardholders in the TJX incident to rise, the MBA is telling customers not to worry. “You may not be in the affected group,” said Forte. “There is no reason to contact your bank. It will reach out to you if there is a problem. This is a situation that was not caused by your bank but you should know, if your information was exposed, we are working hard on your behalf. If you are notified that you are in the impacted group, remember just because your data was exposed, fraud may not occur. Nonetheless, it’s a good idea to check your statements and balances regularly, and order a credit report which you can receive free of charge once a year.”
The Massachusetts Bankers Association represents 205 commercial, savings and co-operative banks and savings and loan institutions in Massachusetts and elsewhere in New England.
Massachusetts Bankers Association, Inc.
73 Tremont Street, Suite 306
Boston, MA 02108-3906
Tel: 617-523-7595 / Fax: 617-523-6373
CIBC Subsidiary - Talvest Mutual Funds
Governing Privacy Law or Rule - Provincial and Canadian Government Privacy Laws
Source: SINCLAIR STEWART
Globe and Mail Update
The personal information of nearly half-a-million customers at a CIBC mutual fund subsidiary has gone missing, prompting fears of a potential security breach and inciting an investigation from Canada's federal privacy commissioner.
A backup computer file containing application data for 470,000 investors at Montreal-based Talvest Mutual Funds disappeared in transit on the way to Toronto recently, the bank said in a news release Thursday.
The file contained everything from client names and addresses to signatures, birth dates, bank account numbers and Social Insurance Numbers. Officials at CIBC Asset Management Inc., a division of the Canadian Imperial Bank of Commerce, said there is no evidence of fraud, nor is there any indication that any data on this hard drive has been accessed. The company did not explain how it lost the drive.
Privacy Commissioner Jennifer Stoddart, who launched a probe of CIBC following a faxing snafu two years ago, said she has determined there are grounds for another investigation in the Talvest matter, even though the bank brought the problem to her attention.
"Although I appreciate that the bank notified us of this incident and that it is working cooperatively with my office, I am nevertheless deeply troubled, especially given the magnitude of this breach, which puts at risk the personal information of hundreds of thousands of Canadians," said Ms. Stoddart. "My office is committed to carrying out a thorough investigation into this matter and to ensuring that preventive and corrective measures are put in place so that this does not reoccur."
The bank said it has taken immediate steps to rectify the problem, and has written letters to affected customers. The vast majority of these are clients of Talvest, rather than CIBC, which bought the mutual fund company in 2001.
The bank has promised to compensate customers for any loss, and is allowing them to enroll in a free credit monitoring program that can alert them if someone is trying to use their information without proper authorization.
"Although we have no evidence that the information contained in the backup file has been accessed in any way, we are acting out of an abundance of caution and want to assure our clients that we are taking all steps possible to address this matter," Steve Geist, president of CIBC Asset Management, said in a statement.
This is the second major security issue for Canadians in as many days. Wednesday, the U.S. retailer that owns discount chains Winners and HomeSense revealed it had been the victim of a massive computer hacking effort.
Sources told The Globe and Mail that the network break-in at TJX Cos. may have affected as many as 20-million Visa cards worldwide, and some estimates suggest as many as 2-million of these cards are Canadian. It's unclear how big that number will be for other card providers, like MasterCard, but the numbers suggest it could be one of the largest such breaches the country has ever seen, according to one person in the financial community. The RCMP is assisting U.S. authorities with that investigation.
The Talvest incident is another embarrassing episode on the privacy front for CIBC, which was at the centre of a faxing snafu in 2004. The bank sent errant faxes to a junkyard operator in West Virginia for three years, mistakenly divulging private customer information.
The junkyard operator eventually sued the bank for clogging his fax lines, and Canada's privacy commissioner launched an investigation. In a 2005 report, she expressed concern about a breakdown in privacy practices that could reflect a bigger problem in Canadian business.