tag:blogger.com,1999:blog-386244462024-03-14T09:11:55.075-07:00Personal Data Breaches - Your Data "In The Wild"One in three Americans was exposed as a potential victim of Identity Theft in 2006. Most all of these breaches involve the transport of portable unencrypted data being compromised through neglect, theft or outright stupidity on the part of the stewards of the data. Don't be a victim. Don't have to be the one that explains to your boss, your clients or worse even yet, a judge or jury that you did not take proper and adequate measures to protect valuable data with which you are entrusted.James Childers - iQBiohttp://www.blogger.com/profile/16479533292440588296noreply@blogger.comBlogger38125tag:blogger.com,1999:blog-38624446.post-62911022555455115462007-02-12T13:09:00.000-08:002007-02-07T16:55:58.584-08:00VA Data Breach is NATIONWIDE - VA UPdates to 1.85Million the Number of Lost "Records"<span style="font-family: verdana;">Just like last time, the information slowly trickles out about the breach at the Veterans Administration. Again, just as in the last case, they have made and will continue to make "revisions" to the amount of data that was actually lost. These revisions are always <span style="font-weight: bold;">UP</span> and involve <span style="font-weight: bold;">new and shocking information with each release.</span> The latest revision was released on a SUNDAY - yet again showing the VA's habit of releasing information on a holiday, weekend or at other times in an effort to "slide by" the media and the public. 
</span><br /><br /><span style="font-family: verdana;">When everything is said and done and they actually do </span><a style="font-family: verdana;" href="http://www.washingtonpost.com/wp-dyn/content/article/2006/06/29/AR2006062900352.html">find the hard drive in some black market stall</a><span style="font-family: verdana;">, they will undeniably announce like they did last time that </span><a style="font-family: verdana;" href="http://www.foxnews.com/story/0,2933,201540,00.html">"the data has not been accessed"</a><span style="font-family: verdana;"> although we know this statement to be a lie since there is absolutely no way of knowing whether or not the data was accessed, copied or ghosted to another hard drive.</span><br /><br /><span style="font-family: verdana;">How about a full-blown press conference Mr. Nicholson - say at 2:00PM on a Wednesday - with 2 business days notice to the national and local press, full disclosure of all events and facts and a question & answer period at the end? I am sure you could find time in your schedule to enlighten the American people that pay your salary and actually fund the VA.</span><br /><br /><span style="font-family: verdana;">This UPdate pegged the number of VA Individuals that were affected was 535,000 (Not the 48,000 with only 20,000 records "unencrypted" as stated previously) and the real shocker this time is that there were additional NON-VA records of 1.3 million private Physicians although the VA states that only "some of the files contain personal information". </span><br /><br /><span style="font-family: verdana;">Whom and What to believe are the real questions here. 
The VA should know by now after 4 weeks exactly what information was on the hard drive and should disclose everything - not just feed us bit-by-bit hoping that no-one will put the information together.</span><br /><br /><a style="font-family: verdana;" href="http://www.myfoxal.com/myfox/pages/News/Detail?contentId=2348926&version=1&locale=EN-US&layoutCode=TSTY&pageId=3.2.1">VA Update on Missing Hard Drive in Birmingham, Ala</a><br /><br /><span style="font-family: verdana;">11 Feb 2007, 5:37 PM CST</span><br /><br /><span style="font-family: verdana;">WASHINGTON -- The Department of Veterans Affairs (VA) on Sunday issued an update on the information potentially contained on a missing government-owned, portable hard drive used by a VA employee at a Department facility in Birmingham, Ala.</span><br /><br /><span style="font-family: verdana;">“Our investigation into this incident continues, but I believe it is important to provide the public additional details as quickly as we can,” said Jim Nicholson, Secretary of Veterans Affairs. “I am concerned and will remain so until we have notified those potentially affected and get to the bottom of what happened.</span><br /><br /><span style="font-family: verdana;">“VA will continue working around the clock to determine every possible detail we can,” Nicholson said.</span><br /><br /><span style="font-family: verdana;">VA and VA’s Office of Inspector General have learned that data files the employee was working with may have included sensitive VA-related information on approximately 535,000 individuals. The investigation has also determined that information on approximately 1.3 million non-VA physicians — both living and deceased— could have been stored on the missing hard drive. It is believed though, that most of the physician information is readily available to the public. 
Some of the files, however, may contain sensitive information.</span><br /><br /><span style="font-family: verdana;">VA continues to examine data on the employee’s work computer. The employee has been placed on administrative leave pending the outcome of the investigation. VA has no information the data has been misused. </span><br /><br /><span style="font-family: verdana;">The non-VA physician data is used by VA to enhance the quality of care for veterans by analyzing and comparing information about the health care received from VA and non-VA providers.</span><br /><br /><span style="font-family: verdana;">Next week, VA will begin making notifications to individuals whose sensitive information may have been on the hard drive. VA is also making arrangements to provide one year of free credit monitoring to those whose information proves compromised.</span><br /><br /><span style="font-family: verdana;">“VA is unwavering in our resolve to bolster our data security measures,” Nicholson added. “We remain focused on doing everything that can be done to protect the personal information with which we are entrusted.”</span><br /><br /><span style="font-family: verdana;">On January 22, the employee, who works at the Birmingham (Ala.) VA Medical Center, reported the external hard drive was missing. On January 23, VA’s IG was notified. The OIG opened a criminal investigation, sent special agents to the medical center, and notified the FBI. VA’s Office of Information & Technology in Washington, D.C. also dispatched an incident response team to investigate.</span><br /><br /><span style="font-family: verdana;">The OIG seized the employee’s work computer and began analyzing its contents. 
This analysis continues and VA IT staff has been providing technical support.</span><br /><br /><span style="font-family: verdana;">In addition to the ongoing criminal investigation, the OIG initiated an administrative investigation to determine how such an incident could occur.</span><br /><br /><span style="font-family: verdana;">VA is operating a call center that individuals can contact to get information about this incident. That toll-free number is 1-877-894-2600. The call center will operate every day from 7 a.m. to 9 p.m. CST as long as it is needed.</span>James Childers - iQBiohttp://www.blogger.com/profile/16479533292440588296noreply@blogger.com0tag:blogger.com,1999:blog-38624446.post-44964911090276861882007-02-05T16:57:00.000-08:002007-02-05T17:02:59.400-08:00Update on Missing VA Hard Drive - The Plot Thickens...<span style="font-family: verdana;">It appears now that </span><a style="font-family: verdana;" href="http://news.zdnet.com/2100-1009_22-6156386.html">this "missing hard drive" was stolen from a VA FACILITY</a><span style="font-family: verdana;">. This is in sharp contrast to last years missing-at-home scenario. This means that the drive walked out of a secure government facility with un-encrypted data on it.</span><br /><br /><span style="font-family: verdana;">Why was the data only partially encrypted? According to testimony before Congress by Director Jim Nicholson, ALL private data was to be encrypted on VA computers. </span><br /><br /><span style="font-family: verdana;">Why would the VA allow a "backup" from the employees computer when the data is only supposed to be on a secure VA Server?</span><br /><br /><span style="font-family: verdana;">There is an untold tale that will eventually surface regarding the rest of the story. 
We'll be waiting.</span>James Childers - iQBiohttp://www.blogger.com/profile/16479533292440588296noreply@blogger.com1tag:blogger.com,1999:blog-38624446.post-86752215731048925322007-02-05T16:12:00.000-08:002007-02-05T16:45:32.145-08:00Update for Small Accountancy Firms and Tax Preparers - GLBA<p style="color: rgb(0, 0, 0);font-family:verdana;"><span style="font-size:100%;">Congress passed sweeping legislation in 1999 to require "financial institutions" to protect their customers data. While traditional tax preparers aren't considered financial institutions, they do collect and warehouse private financial data and ARE subject to this rule.<br /></span></p><p style="color: rgb(0, 0, 0);font-family:verdana;"><span style="font-size:100%;"><span style="font-weight: bold;">Even though you "think" it may not apply to you, read on... It very well might.</span><br /></span></p><p style="color: rgb(0, 0, 0);font-family:verdana;"><span style="font-size:100%;">See below for information from the following publication:<br /></span></p><span style=";font-family:verdana;font-size:100%;" ><span style="color: rgb(0, 0, 0);"><strong> </strong></span><span style="color: rgb(0, 0, 0);"><strong></strong></span></span><blockquote style="color: rgb(0, 0, 0);font-family:verdana;"><span style="font-size:100%;"><a href="http://www.ftc.gov/bcp/conline/pubs/buspubs/glbshort.htm"><strong>In Brief: The Financial Privacy Requirements </strong></a><strong><a href="http://www.ftc.gov/bcp/conline/pubs/buspubs/glbshort.htm">of the Gramm-Leach-Bliley Act</a><br /><br /></strong></span><span style="font-size:100%;">Protecting the privacy of consumer information held by "financial institutions" is at the heart of the financial privacy provisions of the Gramm-Leach-Bliley Financial Modernization Act of 1999. The GLB Act requires companies to give consumers privacy notices that explain the institutions' information-sharing practices. 
In turn, consumers have the right to limit some - but not all - sharing of their information.<br /><br /></span><span style="font-size:100%;">Here's a brief look at the basic financial privacy requirements of the law. <strong><br /><br />Financial Institutions</strong> </span><span style="font-size:100%;"><br /><br />The GLB Act applies to "financial institutions" - companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance. The Federal Trade Commission has authority to enforce the law with respect to "financial institutions" that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and state insurance authorities. Among the institutions that fall under FTC jurisdiction for purposes of the GLB Act are non-bank mortgage lenders, loan brokers, some financial or investment advisers, <span style="font-weight: bold;">tax preparers,</span> providers of real estate settlement services, and debt collectors. 
At the same time, the FTC's regulation applies only to companies that are "significantly engaged" in such financial activities.</span><span style="font-size:100%;"><br /><br />The law requires that financial institutions protect information collected about individuals; it does not apply to information collected in business or commercial activities.</span></blockquote><span style=";font-family:verdana;font-size:100%;" ><span style="color: rgb(0, 0, 0);"></span><span style="font-weight: bold; color: rgb(0, 0, 0);">EXEMPTIONS FOR CPA's - ONLY FROM PRIVACY REPORTING REQUIREMENT.</span><br /></span><blockquote style="color: rgb(0, 0, 0);font-family:verdana;"><span style="font-size:100%;"><a href="http://www.icpas.org/icpas/ei/gbarticle.asp"><span style="font-weight: bold;">CPAs Exempt from Gramm-Leach-Bliley Act Privacy Notification Requirement </span></a><br /><br /><b>Press Release from the AICPA, Washington, DC, October 13, 2006—</b>The President today signed a bill that exempts certified public accountants from the Gramm-Leach-Bliley Act’s requirement that CPAs send their clients an annual privacy notice. The exemption is effective immediately.</span></blockquote><span style=";font-family:verdana;font-size:100%;" ><span style="color: rgb(0, 0, 0); font-weight: bold;">Tax Preparers are however NOT currently exempt from the Security Rule of 15USC Sec. 
6801 - which states:</span><br /></span><p style="color: rgb(0, 0, 0);font-family:verdana;"><span style="font-size:100%;"><b></b></span></p><blockquote style="font-family:verdana;"><p style="color: rgb(0, 0, 0);"><span style="font-size:100%;">(b) Financial institutions safeguards</span></p> <p style="color: rgb(0, 0, 0);"><span style="font-size:100%;">In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards -</span></p> <blockquote style="color: rgb(0, 0, 0);"> <p><span style="font-size:100%;">(1) to insure the security and confidentiality of customer records and information;</span></p> <p><span style="font-size:100%;">(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and</span></p> <p><span style="font-size:100%;">(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.</span></p> </blockquote> </blockquote><span style="font-family:verdana;">Thank you George Toft from <a href="http://www.myitaz.com/">http://www.MyITAZ.com</a> for bringing this to our attention.</span>James Childers - iQBiohttp://www.blogger.com/profile/16479533292440588296noreply@blogger.com0tag:blogger.com,1999:blog-38624446.post-58410988357064443582007-02-05T16:10:00.000-08:002007-02-05T16:12:13.008-08:00Thief Steals Tax Records for Identity Fraud<span style="font-size:100%;"><span style="font-weight: bold; font-family: verdana;">Announced February 3rd, 2007<br /></span><span style="font-weight: bold; font-family: verdana;">Computer Data Theft - Data Breach - Unencrypted Data<br /></span><span style="font-weight: bold; font-family: verdana;">Financial Data<br /></span><span style="font-weight: bold; font-family: 
verdana;">800 Records<br /><br /></span><span style="font-weight: bold; font-family: verdana;">Governing Privacy Law or Rule - GLBA, State Laws</span><br /><br /><a style="font-weight: bold; font-family: verdana;" href="http://www.wndu.com/news/headlines/5530966.html">Reporter: Kari Huston - www.wndu.com</a><br /><span style="font-weight: bold; font-family: verdana;">Thief Steals Tax Records</span><br /><br /><span style="font-family: verdana;">Eight hundred people are in jeopardy of having their credit ruined, because thieves in the night stole their personal information from a Cassopolis tax preparer.</span><br /><br /><span style="font-family: verdana;">“I come around here and my computer is gone. My hard drive is gone. I went hysterical,” recalls Carlotta Kirstein. “I screamed,'I’ve been robbed!'"</span><br /><br /><span style="font-family: verdana;">Kirstein owns CTS tax service on Highway M-62. Since 1985 she has been preparing returns for clients in Cassopolis, Edwardsburg, Elkhart, Ohio, Virginia, Illinois and Washington.<br /><br /></span><span style="font-family: verdana;">She believes someone knew her computer possessed valuable information. “I had money in here. I had checks and nothing was taken, just the computer,” says Kirstein. “If it would only concern me, if it would only affect my life it would be fine, but this is 800 people's lives. That's kind of sad. All their information is on there, bank accounts routing numbers, birthdays, social security numbers, addresses, everything is on there.”</span><br /><br /><span style="font-family: verdana;">Between 1:00 a.m. and 3 a.m. a neighbor saw headlights in the CTS parking lot. Footprints in the snow lead police to believe that more than one person broke in the back door. 
“We're urging anyone who had an account with CTS to contact the credit bureaus and put a fraud alert on, as well as contact their banking institutions,” suggests Captain Lindon Parrish of the Cass County Sheriff’s Department.</span><span style="font-family: verdana;"><br /><br />“I'm putting flags on my accounts,” says CTS client Vicki Vaughn. “I have to change some of the accounts right now because they said they can not do it over the phone.”</span><span style="font-family: verdana;"><br /><br />Carlotta is offering a $5,000 reward to help catch the thieves. If those people are watching Carlotta would like to say, “Shame on you! How can you do this to somebody else? How can you do this?” And to anyone who may know who did this, “please come forward,” she pleads. “Please tell, too many lives depend on this.”</span><span style="font-family: verdana;"><br /><br />To report information that could lead to that reward call the Cass County Sheriff's Department at 269-445-1560. If you are a client of CTS and you'd like to report fraudulent activity on your accounts call 269-445-1244. </span></span>James Childers - iQBiohttp://www.blogger.com/profile/16479533292440588296noreply@blogger.com0tag:blogger.com,1999:blog-38624446.post-45168297487244831712007-02-03T18:19:00.000-08:002007-02-03T18:29:10.921-08:00Update on Veterans Affairs Hard Drive - The information is trickling out AGAIN.<span style="font-family: verdana;font-size:100%;" class="sansmediumhead" ><span style="font-weight: bold;">Notice the timing of the Press Release</span><br /><br /></span><span class="sansmediumhead" style="font-size:100%;"><!---- END STORY TITLE --------><span style="font-family: verdana; font-weight: bold;">Hard drive that may contain personal data on veterans missing in Birmingham, Ala. </span><br /><br /><span style="font-family: verdana; font-weight: bold;">ASSOCIATED PRESS - </span><span style="font-family: verdana; font-weight: bold;">9:12 p.m. 
February 2, 2007</span><br /><br /><span style="font-family: verdana;">WASHINGTON – <span style="font-weight: bold;">A portable hard drive that may contain the personal information of up to 48,000 veterans may have been stolen, the Department of Veterans Affairs and a lawmaker said Friday.</span></span><br /><br /><span style="font-family: verdana;">An employee at the VA medical center in Birmingham, Ala. reported the external hard drive missing on Jan. 22. The drive was used to back up information on the employee's office computer. It may have contained data from research projects, the department said.</span><br /><br /><span style="font-family: verdana;">The employee also said the hard drive may have had personal information on some veterans, although portions of the data were protected. Secretary of Veterans Affairs Jim Nicholson said that the VA and the FBI are investigating.</span><br /><br /><span style="font-family: verdana; font-weight: bold;">Rep. Spencer Bachus, R-Ala., said that the personal information of up to 48,000 veterans was on the hard drive and the records of up to 20,000 of them were not encrypted.</span><br /><br /><span style="font-family: verdana;">Pending results of the investigation, VA is planning to send individual notifications and to provide a year of free credit monitoring to anyone whose information is compromised.<br /><br /><span style="font-style: italic; font-weight: bold;">Commentary - </span><br /><span style="font-weight: bold;"><br />Credit monitoring? 
Same old tired response to an epidemic of stupidity.</span></span></span><span style="font-size:100%;"> Secure the Data Already!</span>James Childers - iQBiohttp://www.blogger.com/profile/16479533292440588296noreply@blogger.com0tag:blogger.com,1999:blog-38624446.post-18063932516833443332007-02-03T10:58:00.000-08:002007-02-03T18:12:37.747-08:00Commentary on VA Loss - Arrogance and Stupidity Redux<span style="font-weight: bold;font-family:verdana;" >By <a href="mailto:james@iqbio.net">James Childers</a></span><br /><span style="font-weight: bold;font-family:verdana;" >CEO Artemis Solutions Group</span><br /><span style="font-weight: bold;font-family:verdana;" >Intelligent Biometric Solutions, iQBio</span><br /><br /><span style="font-family:verdana;">February 3rd, 2006</span><br /><br /><span style="font-family:verdana;">Once again the pervasive culture of hubris, arrogance, recklessness and self-serving glad-handing at the United States Veterans Affairs Office has exposed the personal data of our fighting men and women through yet another act of stupidity regarding the protection of personal identifiable data to which they have been entrusted.<br /><br />Twice within one week, the VA announced two separate breaches. One in Bremerton, WA involving raw files that were left in an employees car and one in Birmingham, AL involving yet another un-encrypted portable hard drive with personally identifiable data. What DATA? Who Authorized the transfer of this data to an un-encrypted insecure drive AGAIN? How much data is on the drive? <br /><br />To be perfectly clear this is at least the FIFTH BREACH of portable data that has actually come to light from the VA in the last year.<br /><br />The culture of carelessness with sensitive data appears to be alive and well at the VA. 
Again!<br /></span><br /><span style="font-family:verdana;">Let's take a quick look back at the controversy that erupted last year in May when ANOTHER un-encrypted portable hard drive was "lost" by an unnamed VA employee. Here are the particulars and the remarkable similarities to this current breach:</span><br /><br /><span style="font-family:verdana;">Like the breach last year, this data breach was not exposed for two weeks after it was known by the </span><span style="font-family:verdana;">VA. The culture of denial and cover-up is alive and well at the VA.</span><br /><ul style="font-family: verdana;"><li><a href="http://www.msnbc.msn.com/id/12953600"><span style="font-family:verdana;">“I will not tolerate inaction and poor judgment when it comes to protecting our veterans,” said Nicholson, declaring that he initially left it to VA investigators rather than calling the FBI.</span><br /><br /></a><p style="font-family: verdana;" class="textBodyBlack">“I am outraged at the loss of this veterans’ data and the fact an employee would put it at risk by taking it home in violation of our policies,” he said in a statement to The Associated Press. “Upon notification, my first priority was to take all actions necessary to protect veterans from harm.” Actually... what he meant to say was upon notification his first priority was to try to mitigate the damage, minimize the impact and save his career. Everything else is window dressing.<br /><br /></p></li><li face="verdana"><p class="textBodyBlack">This latest breach was reported to the department on January 23rd, and as you can guess, was not reported to the public until February 2nd, after 5:00PM on a Friday nearly two weeks later. News stories leaked on a Friday traditionally have much less impact than those reported during the week when the standard news outlets would normally devote much greater coverage to the reporting. This is especially true when the news is announced "after hours". 
The kicker in this report is that they announced it on Super Bowl Weekend, thus hoping to mitigate the effects even further while the countries attention is focused elsewhere. Distract, Evade and Mitigate Damage.<br /></p></li></ul><span style="font-family:verdana;">Like the breach last year, the theft of data was handled by the VA Inspector General, this time however they did bring in the FBI. <br /><br />In his statements before Congress, the Secretary of Veterans Affairs, Jim Nicholson was severely rebuked for not turning this information over to the FBI immediately.</span><br /><ul style="font-family: verdana;"><li><a href="http://www.msnbc.msn.com/id/12953600"><span style="font-family:verdana;">"Sen. Patrick Leahy said President Bush should call Nicholson “into the woodshed” because of the data theft. Citing past budget problems at the VA, Leahy said Nicholson should consider resigning."</span><br /><br /></a></li><li style="font-family: verdana;"><span style="font-size:100%;"> On January 23, VA's IG was notified the external hard drive was missing. The OIG opened a criminal investigation, sent special agents to the medical center, and notified the FBI. VA's Office of Information & Technology in Washington, D.C. also dispatched an incident response team to investigate.</span></li></ul><span style="font-family:verdana;">Just like last time Mr. Nicholson tauted his "resolve to be the leader in protecting personal information". This statement would be almost laughable if it wasn't such a serious threat to both personal liberty and national security.</span><br /><br /><span style="font-family:verdana;">In his statement last year:</span><br /><ul face="verdana"><li><span style="font-family: verdana;">"VA is revising its regulations, policies, guidelines and directives in the entire area of information technology and information security. 
This has been a wake up call to us, and we are working to assure that we have clear guidance for all VA employees in place, and that they are aware of what is required of them - and of the consequences, should they fail to adhere to that guidance. We are revising VA Directive 6500 which sets forth the guidelines for information security and the enforcement mechanisms pertaining to that. This is a fast track initiative, and I anticipate issuing the revised directive shortly.</span><br /><br /><span style="font-family: verdana;">But I am convinced that, coming out of a very bad situation, we can make the VA a model for data security. I believe we can craft a structure that will be the Gold Standard for the government, much as the VA's vaunted electronic medical records and health care system are being held up as a standard to be emulated."</span></li></ul><span style="font-family:verdana;">A year later:</span><br /><ul style="font-family: verdana;font-family:verdana;" ><li><span style="font-size:100%;"> "VA is unwavering in our resolve to be the leader in protecting personal information, and training and educating our employees in best practices in cyber and information security," said Nicholson. "We have made considerable progress, but establishing a culture that always puts the safekeeping of veterans' personal information first is no easy task. I have committed VA to achieving such reform ? and we will. This unfortunate incident will not deter our efforts, but it underscores the complexity of the task we have undertaken."</span></li></ul><span style="font-weight: bold;font-family:verdana;" >Same Song, Same Dance, Different Day ... The Potomac Two-Step. 
The VA is seriously delinquent in the formation and enforcement of their policies and then they try to pull the wool over the publics eyes by leaking information little-by-little in an effort to spin the damage.<br /><br />The VA's own website states the following while they were trying to mitigate the public relations damage over the last breach:<br /><br /></span><span style="font-size:100%;"><a style="color: rgb(51, 102, 255); font-family: verdana;" href="http://www1.va.gov/opa/data/data.asp"><span style="color: rgb(153, 0, 0);"><span style="font-weight: bold;">Since the incident, all VA employees have received training in the proper handling of sensitive information and laptop computers throughout the department have had reliable data encryption programs installed.</span></span></a></span><br /><span style="font-weight: bold;font-family:verdana;" ><br /></span><span style="font-family:verdana;">This prose to please the proletariat is expected, but where is the BEEF? If this statement were true, and all relevant department policies were followed, why did we have the loss of the un-encrypted hard drive in Birmingham and the theft of RAW FILES in Bremerton, WA last week? You can encrypt the laptops, but if the data itself is not encrypted - what good does it do? There are some serious questions to answer at the leadership level in the VA.<br /><br />Here are some relevant issues that were uncovered as a result of the the last data breach and the resulting cover-up:<br /><br /></span><a href="http://www.va.gov/OCA/testimony/hgrc/06060800.asp">James Nicholson's testimony before Congress in June 2006</a>:<br /><ul><li><span style="font-family: verdana;">"As I stated in my testimony before both the House and Senate Committees on Veterans' Affairs last month, I am outraged at the theft of this data and the fact an employee would put it at risk by taking it home in violation of VA policies. 
I am also gravely concerned about the timing of the Department's response once the burglary became known." </span><span style="font-weight: bold; font-family: verdana;">This time they again waited almost two weeks to inform the public. Evidently he wasn't outraged enough.</span><br /><br /></li><li><span style="font-family: verdana;">"I have initiated several actions to determine how to best strengthen our privacy and data security programs. On May 24, 2006, we launched the </span><i style="font-family: verdana;">Data Security-Assessment and Strengthening of Controls</i><span style="font-family: verdana;"> program, a high priority, focused plan to strengthen our data privacy and security procedures. This program will minimize the risk of a re-occurrence of incidents similar to this recent breach, and seeks to remedy material weakness that could place sensitive information at risk.</span><br /><br /><span style="font-family: verdana;">One existing </span><i style="font-family: verdana;">Security Guideline, Security Guideline for Single-User Remote Access</i><span style="font-family: verdana;">, describes appropriate security measures for mobile or fixed computers used to process, store, or transmit information or connect to VA IT systems when such computers are housed in an alternate work location. It identifies and recommends the minimally acceptable security controls when VA personnel use anything other than a direct connected, VA-controlled local area network (LAN) connection to perform VA information processing. Examples include people that are on travel, telecommuting or working from alternate work locations. This document requires that any data not stored on our systems be </span><u style="font-family: verdana;">encrypted</u><span style="font-family: verdana;"> and </span><u style="font-family: verdana;">password protected</u><span style="font-family: verdana;">. 
</span><span style="font-weight: bold; font-family: verdana;">If this is true and the policy was circumvented, these employees should be fired along with Mr. Nicholson.</span><br /><br /></li></ul><span style="font-weight: bold;font-family:verdana;" >Point ONE: Secretary Nicholson should be fired.<br /><br />Point TWO: BOTH Employees that recklessly handled this data in violation of the above mentioned policies should be fired.<br /><br />Point THREE: STRICT POLICIES of limiting access to ONLY individuals that have a need to use this information for the service of the VA Clients need to be implemented and enforced.<br /><br />Point FOUR: ANYONE having access to individually identifiable data must undergo on-going security clearances. The data analyst in last years breach did not have the required on-going security clearance reviews. None. Ever.<br /><br />Point FIVE: Encrypt and secure access to the data with reporting and tracking capability.<br /></span><br /><span style="font-family:verdana;">The VA has been lax in its stewardship, warehousing and use of the data with which they are entrusted. This unauthorized release of this data is a threat to both personal liberty and national security. </span><a style="font-family: verdana;" href="http://iqbio.blogspot.com/2006/07/latest-mea-culpa-from-veterans-affairs.html">Look at our previous blog on this last year for clarification of this issue and the evasion, deception and progressive clarifications by the VA.</a><br /><br /><span style=";font-family:verdana;font-size:100%;" >The </span><span style="font-size:100%;"><a style="font-family: verdana;" href="http://www1.va.gov/vapubs/viewPublication.asp?Pub_ID=50&FType=2">VA implemented Directive 6500</a></span><span style=";font-family:verdana;font-size:100%;" > on August 4th, 2006 which requires Department-wide compliance with the Federal Information Security Management Act of 2002, 44 U.S.C. §§ 3541-3549. 
This directive specifically requires the implementation of best practices with regard to data integrity and transparency when data is breached. Have we seen the last of the "updates" from the VA? We'll be watching and waiting for the other shoe to drop. How about a different message - SECURE THE DATA ALREADY?</span><br /><br /><span style="font-weight: bold;font-family:verdana;">Missing Veterans Affairs hard drive sparks identity theft fears</span><br /><span style="font-family:verdana;">Posted 2007-02-03 by James Childers - iQBio</span><br /><br /><span style="font-size:100%;"><span style="font-weight: bold;font-family:verdana;" >Announced February 2nd, 2007<br />Portable Hard Drive Theft - Portable Data Breach - Unencrypted Data<br />Medical Data and Personal Identifying Data<br />48,000+ Records<br /><br />Veterans (Current and Former?) Data Stolen AGAIN!???<br /></span><span style="font-family:verdana;"> </span><br /><span style="font-weight: bold;font-family:verdana;" >Governing Privacy Law or Rule - </span><a style="font-weight: bold; font-family: verdana;" href="http://www.biometricsdirect.com/Biometrics/laws/HIPAA.htm">HIPAA</a><span style="font-weight: bold;font-family:verdana;" >, Federal Information Security Management Act of 2002, 44 U.S.C. §§ 3541-3549, State Laws</span></span><br /><br /><div class="art_body" style="font-family:verdana;"> <div class="art_byln"><span style="font-size:100%;"><a href="http://www.wsls.com/servlet/Satellite?pagename=WSLS%2FMGArticle%2FSLS_BasicArticle&c=MGArticle&cid=1149192998926&path=%21news%21localnews">By James W. 
Crawley / Media General News Service</a></span></div> <div class="art_date"><span style="font-size:100%;">Feb 2, 2007</span></div><span style="font-size:100%;"><br /></span><span style="font-size:100%;">WASHINGTON (Feb. 2, 2007) -- The Department of Veterans Affairs (VA) today announced that an employee reported a government-owned, portable hard drive used by the employee at a Department facility in Birmingham, Ala. and potentially containing personal information about some veterans is missing and may have been stolen. </span><p> </p><span style="font-size:100%;"><br />"I am concerned about this report," said Jim Nicholson, Secretary of Veterans Affairs. "VA's Office of Inspector General and the FBI are conducting a thorough investigation into this incident. VA's Office of Information and Technology is conducting a separate review. We intend to get to the bottom of this, and we will take aggressive steps to protect and assist anyone whose information may have been involved." </span><p> </p><p><span style="font-size:100%;"><br /></span></p><p><span style="font-size:100%;">On January 22, the employee at the Birmingham VA Medical Center reported that an external hard drive was missing. The hard drive was used to back up information contained on the employee's office computer, and may have contained data from research projects the employee was involved in. The employee also indicated the hard drive may have contained personal identifying information on some veterans, but asserts that portions of the data were protected. Investigators are still working to determine the scope of the information potentially involved. </span></p><p> </p><p><span style="font-size:100%;"><br /></span></p><p><span style="font-size:100%;"> On January 23, VA's IG was notified the external hard drive was missing. The OIG opened a criminal investigation, sent special agents to the medical center, and notified the FBI. VA's Office of Information & Technology in Washington, D.C. 
also dispatched an incident response team to investigate. </span></p><p><span style="font-size:100%;"> The OIG has seized the employee's work computer and is in the process of analyzing its contents. VA IT staff is providing technical support in this effort. Analyzing the work computer may help investigators determine the nature of the information the hard drive potentially contained. </span></p><p><span style="font-size:100%;"> Pending results of the investigation, VA is prepared to send individual notifications and provide one year of free credit monitoring to those whose information proves compromised. </span></p><p><span style="font-size:100%;"> In addition to the ongoing criminal investigation, the OIG has initiated an administrative investigation to determine how such an incident could occur. VA will provide further updates as the investigation produces additional information. </span></p><p><span style="font-size:100%;"> "VA is unwavering in our resolve to be the leader in protecting personal information, and training and educating our employees in best practices in cyber and information security," said Nicholson. "We have made considerable progress, but establishing a culture that always puts the safekeeping of veterans' personal information first is no easy task. I have committed VA to achieving such reform -- and we will. This unfortunate incident will not deter our efforts, but it underscores the complexity of the task we have undertaken." 
</span></p></div><br /><br /><span style="font-weight: bold;font-family:verdana;">Workers Compensation Database Stolen - 1200 Records</span><br /><span style="font-family:verdana;">Posted 2007-02-01 by James Childers - iQBio</span><br /><br /><span style="font-weight: bold;">Announced January 30th, 2007<br />Network Security Breach - Unencrypted Data<br />Workers comp data stolen<br />1,200 Records<br /><br />Workers Compensation Database Stolen</span><br /><br /><a href="http://www.boston.com/business/ticker/2007/02/workers_comp_da.html">A former state contractor allegedly accessed a workers' compensation database to steal personal information and fraudulently obtain credit, the Department of Industrial Accidents announced today.</a><br /><br />The agency said up to 1,200 people who had submitted workers' compensation claims to the state -- and their Social Security numbers -- may have been compromised, although officials have evidence that only three people had their personal information used improperly.<br /><br />The worker, who was not immediately identified, was fired, arrested and charged with identity fraud. Law enforcement officials notified the agency of the alleged breach.<br /><br />"The DIA has taken swift action to inform the public and the 1,200 individuals potentially affected by this situation," the agency said in a statement. "DIA has sent written notifications directly to the potentially impacted claimants. In addition, DIA has posted information on its web site and established a telephone hotline to address claimant concerns."<br /><br />The statement added: "All of us at the Department of Industrial Accidents deeply regret what happened. 
We take our public trust very seriously and we are taking immediate steps to ensure that this situation does not happen again."<br /><br />The hotline number is 1-800-323-3249, ext. 560. (AP)<br />Posted by Boston Globe Business Team at 12:27 PM<br /><br /><span style="font-weight: bold;font-family:verdana;">TJX Hit with Second Class Action Lawsuit - FINALLY someone is being held accountable.</span><br /><span style="font-family:verdana;">Posted 2007-02-01 by James Childers - iQBio</span><br /><br /><h2 style="font-family:verdana;"><span style="font-size:100%;">Bank files class-action lawsuit against retailer</span></h2> <p style="font-family:verdana;"><span style="font-size:100%;">WASHINGTON -- TJX has been hit with a second class-action lawsuit over the theft of customer credit card data by computer hackers.</span></p><p style="font-family:verdana;"><span style="font-size:100%;">The Boston Globe reports that Alabama-based AmeriFirst Bank filed the suit in U.S. District Court. 
The bank is seeking to recover the costs of replacing compromised credit cards and covering fraudulent purchases.</span></p><p style="font-family:verdana;"><span style="font-size:100%;"><br /></span></p><p style="font-family:verdana;"><span style="font-size:100%;">Other banks and financial institutions could join in the suit.</span></p><p style="font-family:verdana;"><span style="font-size:100%;"><br /></span></p><p style="font-family:verdana;"><span style="font-size:100%;">The Globe says the Massachusetts Credit Union League is also asking Framingham-based TJX to reimburse credit unions for the costs of reissuing credit cards.</span></p><p style="font-family:verdana;"><span style="font-size:100%;"><br /></span></p><p style="font-family:verdana;"><span style="font-size:100%;">A class-action lawsuit was filed earlier this week on behalf of consumers.</span></p><p style="font-family:verdana;"><span style="font-size:100%;"><br /></span></p><p style="font-family:verdana;"><span style="font-size:100%;">Meanwhile, Massachusetts Congressman Ed Markey has asked the Federal Trade Commission to investigate the security breach.</span></p><p style="font-family:verdana;"><span style="font-size:100%;">(Copyright 2007 by The Associated Press. 
All Rights Reserved.)</span></p><br /><br /><span style="font-weight: bold;font-family:verdana;">Vermont State Computer Breach - 70,000 Records Illegally Disclosed</span><br /><span style="font-family:verdana;">Posted 2007-02-01 by James Childers - iQBio</span><br /><br /><span style="font-weight: bold;">Announced January 30th, 2007</span><br /><span style="font-weight: bold;">Network Security Breach - Unencrypted Data</span><br /><span style="font-weight: bold;">Vermont State Government</span><br /><span style="font-weight: bold;">70,000 Records - Bank Records, Social Security Numbers, Personal Information</span><br /><br /><span style="font-weight: bold;font-family:verdana;" >Governing Privacy Law or Rule - <a href="http://www.biometricsdirect.com/Biometrics/laws/GRAMMLEACHBLILEY.htm">GLBA</a>, State Laws<br /><br /></span><span style="font-family:verdana;"><span style="font-weight: bold;">Vermont State was warned of potential computer security breach</span><br /></span><span style="font-family:verdana;"><span style="font-weight: bold;"><br />(iQBio Commentary - "AN UNSECURED COMPUTER DIRECTLY ON THE INTERNET WITH SENSITIVE DATA?" This is the absolute pinnacle of stupidity. Anyone involved with this breach should be fired, sued and promptly run out of town.)</span></span><br /><span style="font-family:verdana;"><br />MONTPELIER, Vt. -- A Microsoft security patch was downloaded but not installed on a state computer that hackers later broke into, gaining access to names, Social Security numbers and bank account information for nearly 70,000 people, an official confirmed Tuesday.<br /><br />An internal state report on the hacking incident says Microsoft, a national computer security institute and "even the Department of Homeland Security all gave special priority to the application of this patch in order to fix the vulnerabilities ... 
that unauthorized attackers could gain control of a system."<br /><br />The report goes on to say the patches released in August "were downloaded but never applied on this system."<br /><br />The finding was contained in the report on an incident in which hackers broke into a computer that was set up to track the finances of noncustodial parents three or more months behind on child support payments.<br /><br />Banks are required by federal law to provide quarterly reports on the finances of people who owe back child support. One of nine affected banks, New England Federal Credit Union, twice provided the information not just on child support deadbeats, but on nearly all of its roughly 59,000 members. The compromised computer contained that information, officials said.<br /><br />The internal state report was chock full of technical information and computer terminology, but made repeated references to two things: worms, which are bits of computer programming that burrow into a computer; and Trojans, which allow someone from as far away as China to tell the computer to execute specific commands, including sending its data over the Internet.<br /><br />As they announced the breach of the state Office of Child Support computer on Monday, state officials emphasized that the attacks appeared to have been launched automatically by hackers targeting hundreds or thousands of computers on the Internet, looking for vulnerabilities.<br /><br />"It was an automated attack, which I think is critically important, and not a targeted attack by an individual," Human Services Secretary Cynthia LaWare said Monday.<br /><br />The internal state report pointed to more direct personal involvement.<br /><br />"Although it is not clear prior to September 12th whether or not this server was in the control of a human being (as opposed to merely being passively infected with worms containing Trojans) it is very likely following this date that the server was under the control of a person," the 
report says. The parenthetical phrase was contained in its text.<br /><br />Thomas Murray, commissioner of the Department of Information and Innovation, said officials continued to believe that "somewhere somebody is launching this thing at hundreds of computers, but it's not Joe Hacker (getting) into a system and transmitting files."<br /><br />Murray said officials do not believe the infectious programs were allowed to spread to other state computers; most are inside a "firewall" with sufficient security to have rebuffed any attacks. In fact, Murray said, technicians spotted the security breach in December when the viruses that had infected the child support computer began trying to spread to others on the system.<br /><br />The state report says the first evidence of successful hacking came Aug. 18, 10 days after Microsoft issued its security patch. Initially, the report says, the state computer was "most likely compromised by an unknown autonomous worm exploiting a known vulnerability" -- the one described by Microsoft on Aug. 8.<br /><br />Officials continued to say Tuesday that, while there was no evidence that sensitive personal data had been taken from the state computer, there also was no way to show that had not happened. The state was sending out letters to people whose information was compromised, said Heidi Tringe, spokeswoman for the Agency of Human Services.<br /><br />"All of the affected individuals needed to be notified and provided suggestions on how they should protect themselves," Tringe said.<br /><br />At New England Federal Credit Union, CEO David Bard said extra telephone call takers were being brought in to handle consumer inquiries. 
"Our focus is really on trying to provide resources to our members."<br /><br />Meanwhile, a Norwich University computer security expert on Tuesday said it was "amazing" that the state had stored the sensitive data on a computer with such limited security protection.<br /><br /><span style="font-weight: bold;">"We haven't put unprotected computers directly on the Internet in this type of scenario for more than 10 years," said Peter Stephenson, a professor, computer security expert and senior scientist at Norwich's Applied Research Institute. "We're not talking about new technology here." </span><br /><br />------------------<br /><br />On the Net:<br /><br />http://www.nefcu.com<br /></span><br /><br /><span style="font-weight: bold;font-family:verdana;">Veterans Administration Loses Data AGAIN - Undisclosed Records Lost</span><br /><span style="font-family:verdana;">Posted 2007-02-01 by James Childers - iQBio</span><br /><br /><p><span class="smalltext"><b>Announced January 22nd, 2007<br />Portable Data Breach - Stolen Laptop</b></span></p><p><span class="smalltext"><b>Department of Veterans Affairs (AGAIN!)</b></span></p><p><span class="smalltext"><b>By JOSH FARLEY, jfarley@kitsapsun.com</b></span><br /><span class="smalltext"><b>January 22, 2007</b></span></p><p style="font-weight: bold;">BREMERTON, WA</p><p>A locked car that had folders of veterans' identifying information was burglarized late Wednesday in downtown Bremerton, according to the Bremerton Police Department and the Seattle office of the federal Department of Veteran's Affairs.</p><p>The government-owned vehicle was broken into at a parking garage at Burwell and Pacific, and four folders of veterans' information and a government cell phone were taken, the veterans' affairs office said.</p>Bremerton police are investigating the car theft and the 
veterans office "is taking aggressive steps to protect and assist those who may be potentially affected," according to a press release. <p>Letters are being sent to the veterans which include information about obtaining a free credit check. </p><p>"The director's office is also reviewing policies and procedures to ensure they were followed," the press release said, "and will make whatever changes may be necessary to bolster the safeguarding of veterans' private information."</p><span style="font-weight: bold;"><br />(iQBio Commentary - What the hell happened to the NEW POLICIES and PROCEDURES that were supposedly implemented after last year's 26.5 million record breach by the Dept of Veterans Affairs? Why will these agencies, corporations and arrogant fools never learn?)</span><br /><br /><span style="font-weight: bold;font-family:verdana;">Lawsuit filed against TJX - Company Director Resigns</span><br /><span style="font-family:verdana;">Posted 2007-02-01 by James Childers - iQBio</span><br /><br /><span class="text"> <div id="zoom1"> <a href="http://www.telegram.com/apps/pbcs.dll/article?AID=/20070130/NEWS/701300360/1002"><span class="text"><b>By Bob Kievra TELEGRAM & GAZETTE STAFF</b></span></a><br /><br />FRAMINGHAM – A class action lawsuit was filed yesterday in U.S. District Court in Boston against the TJX Cos., the same day the discount retailer confronting a data breach disclosed the departure of a director and provided additional information about an ongoing investigation.<br /><br />Two law firms, including Stern Shapiro Weissberg & Garin LLP of Boston, yesterday filed an 11-page complaint against the Framingham company, which announced earlier this month someone broke into its computer system last year and stole credit and debit card numbers.<br /><br />The lawsuit, filed on behalf of Paula G. 
Mace of West Virginia, alleges TJX failed to maintain adequate computer data security, which resulted in the exposure of millions of customers’ personal financial information. The company’s actions put customers at risk for fraud and identity theft and other damages, according to the complaint.<br /><br />The lawsuit was filed the same day the company took a more public role in discussing the data breach, which TJX disclosed Jan. 17. The company also said yesterday that Gary L. Crittenden resigned as a director on Wednesday. Mr. Crittenden, who is also a director at Framingham-based Staples Inc., is executive vice president and chief financial officer at American Express Co.<br /><br />TJX spokeswoman Sherry Lang could not be reached for comment. She told Bloomberg News the company doesn’t comment on director resignations.<br /><br />In a video message and memo posted yesterday on the company’s Web site, <a href="http://www.tjx.com/" target="_blank">www.tjx.com</a>, company officials said they waited a month to disclose the mid-December data breach to contain the problem and strengthen the company’s computer network.<br /><br />TJX purchased a full-page advertisement in the Sunday Telegram and posted updated information on its Web site yesterday, including a 7-1/2 minute video from founder and Chairman Ben Cammarata.<br /><br />“I regret any difficulties our customers may experience because of this incident,” Mr. Cammarata said while standing in an empty TJX store. 
“We want our customers to feel safe shopping in our stores and I really believe you are.”<br /><br />The company said its investigation has determined that customer transactions at its Bob’s Stores were not involved in the data breach and that debit cards issued by Canadian banks also were not affected.<br /><br />He said TJX has decided not to pay for any credit monitoring because such a service doesn’t detect fraud on debit or credit cards. He also said identity theft as a result of the data breach is unlikely because the vast majority of the stolen information did not include names or addresses. He reminded customers to be wary of potential scams as a result of the data breach. Customers should not provide any personal information about their bank accounts to anyone who might contact them by phone or e-mail, he said.<br /><br />Contact business reporter Bob Kievra by e-mail at <a href="mailto:rkievra@telegram.com">rkievra@telegram.com</a>. </div></span><br /><br /><span style="font-weight: bold;font-family:verdana;">Lawsuit Filed Against TJX</span><br /><span style="font-family:verdana;">Posted 2007-02-01 by James Childers - iQBio</span><br /><br /><span style="font-family:Verdana,Arial,Helvetica,sans-serif;font-size:85%;" ><strong>Consumers of T.J. Maxx, Marshalls, HomeGoods, and A.J. 
Wright Bring Class Action Suit for Loss of Credit Card Data; Filed by Berger & Montague, PC and Stern Shapiro Weissberg & Garin, LLP<br /><br /></strong></span><span style="font-family:Verdana,Arial,Helvetica,sans-serif;font-size:78%;" >Posted on : Tue, 30 Jan 2007 01:24:01 GMT | Author : Berger & Montague, PC<br />News Category : PressRelease</span><br /><br /><span style="font-family:Verdana,Arial,Helvetica,sans-serif;font-size:85%;" > PHILADELPHIA, Jan. 29 /PRNewswire/ -- On January 29, 2007, the law firms of Berger & Montague, PC () and Stern Shapiro Weissberg </span><br /><br /><span style="font-family:Verdana,Arial,Helvetica,sans-serif;font-size:85%;" >The complaint charges that TJX was negligent for failing to maintain adequate computer data security of customer credit and debit card data, which was accessed and stolen by a computer hacker. As a result of TJX's actions, customer information was stolen from TJX's computer network that handles a wide range of financial information for millions of customers, including credit cards, debit cards linked to checking accounts, and transactions for returned merchandise. Although TJX discovered the data breach in mid-December, 2006, it did not publicly announce the intrusion until one month later when it issued a press release on January 17, 2007. 
The delay harmed class members in that it prevented them from taking appropriate measures to protect their accounts.</span><br /><br /><span style="font-family:Verdana,Arial,Helvetica,sans-serif;font-size:85%;" >While TJX continues to investigate the security breach, it has thus far determined that consumers who patronized TJX stores in 2003 and from mid-May through December 2006 may be affected. Because of TJX's actions, hundreds of thousands or even millions of its customers have had their personal financial information compromised, have had their privacy rights violated, have been exposed to the risk of fraud and identity theft, and have otherwise suffered damages.</span><br /><br /><span style="font-family:Verdana,Arial,Helvetica,sans-serif;font-size:85%;" >The law firm of Berger & Montague, PC consists of over 70 attorneys, all of whom represent plaintiffs in complex litigation. The Berger firm has extensive experience in consumer, securities, and antitrust class action litigation, and has played lead roles in major cases over the past 30 years, which have resulted in recoveries of several billion dollars for consumers and investors. 
The Stern Shapiro law firm has also been successfully involved in consumer and other class action litigation.</span><br /><br /><span style="font-family:Verdana,Arial,Helvetica,sans-serif;font-size:85%;" >If you have been affected by the loss of credit card or other financial data, and have any questions regarding this matter, please contact:</span><br /><span style="font-family:Verdana,Arial,Helvetica,sans-serif;font-size:85%;" >Berger & Montague, PC</span><br /><br /><span style="font-weight: bold;font-family:verdana;">TJX security breach aftermath: a case study in what to do wrong</span><br /><span style="font-family:verdana;">Posted 2007-02-01 by James Childers - iQBio</span><br /><br /><h3 style="font-family: verdana;">Retailer needs to disclose more information before it is forced to</h3><span style="font-family:verdana;">Source - Network World</span><br /><p style="font-family: verdana;" class="first"><a href="http://www.networkworld.com/columnists/bradner.html">'Net Insider</a> By <span>Scott Bradner</span>, Network World, 01/29/07</p><p style="font-family: verdana;">Late last week I wrote about what retailer TJX had done wrong leading up to its recent widely reported <a href="http://www.networkworld.com/columnists/2007/012207-bradner.html">security lapse</a>. This week's column is about what TJX has done wrong since the lapse was discovered.</p><p style="font-family: verdana;">In spite of full-page ads in the Boston Globe and Boston Herald in the last two days, the extent of the security lapse is still not known because TJX has steadfastly refused to provide any concrete information. 
The lack of information provides fertile ground for speculation -- for example, <a href="http://www.networkworld.com/news/2007/012707-tjx-breach-could-hurt-30.html">published reports last week</a> that as many as 30% of all New Englanders may have been impacted. On Jan. 26, TJX announced it had hired John Gilbert, formerly with Dunkin' Donuts, as chief marketing officer. Maybe he is smart enough to understand that stonewalling is the worst possible reaction to a problem. Everything will come out in the end, and in this case it may come out with the president of TJX testifying on national TV in front of Congress. It is far better to provide more information than is being requested so it does not look like you are covering up.</p><p style="font-family: verdana;">Maybe TJX feels it cannot do this because it is covering up. Originally TJX maintained that it delayed making a public announcement at the request of law enforcement only to later admit the delay was in part a "business decision" and now, in the ads, the company says it was "in the best interest of our customers." Yeah -- the best interest of customers was to keep them in the dark until they finished their Christmas shopping. In the end, TJX only admitted to a problem after the first <i style="font-family: verdana;">Wall Street Journal</i> report.</p> <p style="font-family: verdana;">TJX has still not said how many cards were exposed, yet some information must exist because banks are quite busy contacting their customers and replacing cards (including my wife's). At the very least, TJX could tell its customers -- the folks whose trust it has to retain in order to stay in business -- what TJX told the banks. 
Delaying will increase rather than decrease the pain when the numbers do come out.</p><p style="font-family: verdana;">Unlike most organizations that have had similar, although far smaller, breaches, TJX has not said it would protect customers by buying credit watch services for them. I expect the company will have to do so at some point but because it is delaying so long, it's clear that protecting customers has not been a concern for TJX and it will only do so when forced.</p> <p style="font-family: verdana;">TJX has not admitted that it was not compliant with the <a href="https://www.pcisecuritystandards.org/">PCI security standards</a> nor has the company committed to becoming compliant in the new ads. Visa's security requirements say that merchants the scale of TJX had to be compliant with the security standards by Sept. 30, 2004. If Visa had any courage it would give TJX a short fixed period of time to become compliant (say, 30 days from the breach discovery) or be stopped from accepting Visa cards.</p> <p style="font-family: verdana;">The PCI standard requires merchants to "limit storage amount and retention time [of cardholder data] to that which is required for business, legal, and/or regulatory purposes." TJX has not said it has or will destroy the data retained in excess of this standard.</p> <p style="font-family: verdana;">In short, TJX has said squat of any consequence. It will continue to be raked over the coals for that. It would have been so easy to do what Johnson & Johnson did after the <a href="http://en.wikipedia.org/wiki/Tylenol_scare">1982 Tylenol deaths</a> -- get in front of the issue and stay there. 
But TJX decided to hide its head in the sand instead -- a very poor decision, but a good case study in what not to do.</p><p style="font-family: verdana;">Disclaimer: I can only guess if the Harvard Business School will develop a case study about TJX or what one would say, so the above review must be mine. </p><br /><span style="font-weight: bold;font-family:verdana;">Salina Regional Health Center - 1,100 Patients</span><br /><span style="font-family:verdana;">Posted 2007-02-01 by James Childers - iQBio</span><br /><br /><span style="font-weight: bold;font-family:verdana;" >Announced January 24th, 2007<br />Portable Data Theft - Stolen Laptop<br />Salina Regional Health Center<br />1,100 Patients' Personal Data and Medical History<br /><br />Governing Privacy Law or Rule - <a href="http://www.biometricsdirect.com/Biometrics/laws/HIPAA.htm">HIPAA</a>, State Laws</span><br /><br /><span style="font-family:verdana;">Patients' personal information threatened with computer theft</span><br /><span style="font-family:verdana;">Some patients of SRHC could be at risk for identity theft<br /><br /></span><span style="font-family:verdana;">By DAVID CLOUSTON<br />Salina Journal<br /><br /></span><span style="font-family:verdana;">A laptop computer containing the names, social security numbers and medical history of up to 1,100 patients is missing, putting them at risk for identity theft, and Salina Regional Health Center officials are offering a $2,000 reward for the laptop's return.</span><br /><br /><span style="font-family:verdana;">The hospital's computer was stolen along with a docking station, printer, overhead projector and other computer 
equipment, plus a small amount of prescription drugs, from the office of Veridian Behavioral Health, 501 S. Santa Fe., Suite 300, earlier this month.</span><br /><br /><span style="font-family:verdana;">Last week, those patients whose privacy was potentially compromised received letters from the hospital, notifying them to let their financial institutions know about the threat and to be on guard for false charges, Beth Vinson, the hospital's marketing supervisor, said Sunday.</span><br /><br /><span style="font-family:verdana;">Vinson wouldn't identify the laptop's authorized user for concern that publicly identifying him could further compromise patient privacy.<br /><br /></span><span style="font-family:verdana;"><br /><span style="font-weight: bold;">The reason the patient information was stored on the machine was because the user travels to different offices to treat patients. <span style="font-style: italic;">(iQBio Commentary - Visiting Nurses or Traveling Doctors are REQUIRED to have Encrypted Data on their Laptops and secure access with a high encryption password or biometrics according to the DSHS Standards. Why was this not done? This is a violation of a FEDERAL LAW - One that is almost never enforced)</span><br /><br /></span></span><span style="font-family:verdana;">"This person has different offices to go to, and this way when he traveled to different offices, he'd have that information available to him," Vinson said.</span><span style="font-family:verdana;"><br /><br />Vinson stressed that only patients treated by the laptop user would be at risk of having their identities stolen. 
At the time of the theft, the computer was shut off, and the patient information <span style="font-weight: bold;">is double password protected</span> <span style="font-weight: bold; font-style: italic;">(iQBio Commentary - most passwords are simple passwords - was this a "secure" password or two simple unsecure passwords?) </span>, she said.</span><span style="font-family:verdana;"><br /><br />"At this point, there's no information that any of the information has been breached," Vinson said.</span><span style="font-family:verdana;"><br /><br />Salina Police Department officials said Sunday that none of the missing property has been recovered, and there have been no arrests made in connection with the case.</span><span style="font-family:verdana;"><br /><br />Anyone with any information on the theft may call Salina police at 826-7210, or Crimestoppers at 825-TIPS.</span><span style="font-family:verdana;"><br /><br />The hospital has given those individuals potentially affected a phone number to call to speak with the hospital's privacy officer, Donna Vineyard, about any concerns. Vineyard directs the hospital's information management department, where medical records are stored.</span><span style="font-family:verdana;"><br /><br />"We've received about 15 calls. No one has had any problems yet," Vinson said. "But we wanted to make sure that every possible method was used, so no one is the victim of identity theft."</span><span style="font-family:verdana;"><br /><br />In the meantime, she said, the hospital's security policies on the use of laptop computers are being reviewed.</span><span style="font-family:verdana;"><br /><br />There have been laptop thefts from government offices and private companies nationwide in several high-profile cases in recent years. In December, for instance, Boeing officials reported a laptop stolen containing the names and Social Security numbers of 382,000 workers and retirees. 
The laptop was stolen when an employee left it unattended.</span><span style="font-family:verdana;"><br /><br />"As small as computer hard drives are now, anyone could take a hard drive and walk out of any office," Vinson said. "It's going to be a problem as long as technology improves and devices get smaller.</span><span style="font-family:verdana;"><br /><br />"We do regret it happened. We're just trying to do everything possible to make sure we find the laptop and deal with those responsible."</span><span style="font-family:verdana;"><br /><br />* Reporter David Clouston can be reached at 822-1403, or by e-mail at sjdclouston@saljournal.com. </span>James Childers - iQBiohttp://www.blogger.com/profile/16479533292440588296noreply@blogger.com0tag:blogger.com,1999:blog-38624446.post-72118889758375896132007-02-01T12:29:00.000-08:002007-02-01T12:34:22.727-08:00Xerox Employees Data on Stolen Laptop - 297 Employees<span style="font-family: verdana; font-weight: bold;">Announced January 23rd, 2007<br /></span><span style="font-family: verdana; font-weight: bold;">Xerox - Wilsonville, OR<br /></span><span style="font-family: verdana; font-weight: bold;">297 Employees' Personal Data</span><span style="font-weight: bold; font-family: verdana;"><br /><br />Governing Privacy Law or Rule - <a href="http://www.biometricsdirect.com/Biometrics/laws/HIPAA.htm">HIPAA</a>, State Laws</span><br /><br /><span style="font-family: verdana;">WILSONVILLE -- Some employees at a local Xerox plant are worried about identity theft after a laptop was stolen from a manager’s car.</span><br /><br /><span style="font-family: verdana;">The UniteHere Local 14Z Union said a computer containing employees’ personal information was stolen from a human resources manager’s car in August.</span><br /><br /><span style="font-family: verdana; font-weight: bold;">Letters were sent out to about 297 employees four months later, the union said. (4 months? 
Why did it take 4 months?)</span><br /><br /><span style="font-family: verdana;">Some of the employees affected said they experienced credit problems before they were informed of the theft, according to the union.</span><br /><br /><span style="font-family: verdana;">“One person had multiple cell phone accounts taken out in his name a month and a half after the theft,” said Brian Wood, Xerox employee.</span><br /><br /><span style="font-family: verdana;">“We did the right thing,” said Erin Isselmann, Xerox Spokeswoman.<br /><br /></span><span style="font-family: verdana;">Isselmann said the company wanted to investigate whether any personal information was on the laptop before informing employees.</span><span style="font-family: verdana;"><br /><br />“That was a process that took a very long time,” Isselmann said.</span><span style="font-family: verdana;"><br /><br />Xerox is offering all of those employees free credit protection for the next year.</span><br /><br /><span style="font-family: verdana;">(kgw.com Drew Mikkelsen contributed to this report) </span>James Childers - iQBiohttp://www.blogger.com/profile/16479533292440588296noreply@blogger.com0tag:blogger.com,1999:blog-38624446.post-39714044697955565572007-02-01T12:14:00.000-08:002007-02-01T12:16:10.046-08:00Greenville, SC School District - 1000 Teachers and 100,000 Students Records BreachedAnnounced January 20th, 2007<br />Greenville, SC School District<br />1000 Employees and 100,000 Students<br /><br />School district leaves personnel records behind during renovations<br /><br /><span style="font-family: verdana; font-size: 100%;">Governing Privacy Law or Rule - <a href="http://www.biometricsdirect.com/Biometrics/laws/CREDITCARD.htm"></a><a href="http://www.biometricsdirect.com/Biometrics/laws/USFEDANDSTATE.htm">State Laws</a><br /><br />Associated Press<br /><br />GREENVILLE, S.C. 
- Boxes of personnel records - including the Social Security numbers of thousands of teachers - were accidentally left behind by the Greenville County school district when it vacated its office for renovations, officials say.<br /><br />The 10 boxes held lists of every teacher employed by the district between 1972 and 1990, as well as their Social Security numbers, district spokeswoman Oby Lyles said Friday. Several other boxes contained personnel records as recent as 1998, Lyles said.<br /><br />"While it seems apparent the records were left behind because they were essentially hidden and inaccessible, the district is investigating to determine responsibility and will take appropriate action," he said.<br /><br />There was no evidence the records had been duplicated, Lyles said.<br /><br />District officials and police searched the empty building Thursday night after The Greenville News told the district it had received an anonymous call about the boxes, which had not been located during a walkthrough of the building before it was vacated, according to an incident report.<br /><br />A rear door of the building was also found to be "unsecure, due to screws keeping the locking mechanism from locking the door," the report said.<br /><br />District officials will question employees and workers at the site, Lyles said.<br /><br />The finding comes just two months after it was discovered that the district had sold computers containing Social Security numbers and birthdates for roughly 100,000 students and at least 1,000 employees.<br /><br />The two buyers never released the information found in computers they bought at a dozen school district auctions between 1999 and last March but decided to go public with their findings after the district ignored their warnings about the information, their attorney has said.<br /><br />Last month, Circuit Judge Diane S. 
Goodstein ordered the men and their company, WH Group, to return the computers, saying both sides had agreed to let an independent computer expert document all of the data.<br /><br />Information from: The Greenville News, http://www.greenvillenews.com<br /></span>James Childers - iQBiohttp://www.blogger.com/profile/16479533292440588296noreply@blogger.com0tag:blogger.com,1999:blog-38624446.post-50935128922694950982007-02-01T11:59:00.000-08:002007-02-01T12:14:13.884-08:00How to Make a Name for Your Company with Stupid Data Tricks<span style=";font-family:verdana;font-size:100%;" >Announced January 18th, 2007<br />Data Breach UPDATE - TJX Companies<br />20+ Million Records Breached<br /><br />Governing Privacy Law or Rule - <a href="http://www.biometricsdirect.com/Biometrics/laws/CREDITCARD.htm">PCI-DSS</a>, <a href="http://www.biometricsdirect.com/Biometrics/laws/USFEDANDSTATE.htm">State Laws</a>, Federal Wire Fraud<br /><br />How to make a name for your company - and do it real well!<br /></span><ul style="font-family:verdana;"><li><span style="font-size:100%;">Instruct Employees to Collect Unnecessary Sensitive<br />Private Information - $ 10 per hour</span></li><li><span style="font-size:100%;">Store Sensitive Customer Data on an Un-Encrypted<br />PC - $ 700.00</span></li><li><span style="font-size:100%;">Hole in Firewall for Hacker - $ FREE</span></li><li><span style="font-size:100%;">Realizing through news reports that the ATTORNEY<br />GENERAL of your home state is a victim of your<br />stupidity - PRICELESS<br /></span></li></ul><span style="font-family:verdana;"><span style="font-size:100%;">Now, go explain to your shareholders, Board of Directors and the Authorities how and why you authorized this stupidity...<br /><br />http://www3.whdh.com/news/articles/local/BO40498/<br /></span></span><h2 style="font-family: verdana;">Attorney General Coakley victim of identity theft</h2> <div style="font-family: verdana;" class="imgetcbox"> <img 
src="http://www1.whdh.com/images/news_articles/389x205/061029_martha_coakley.jpg" class="mainimg" alt="Attorney General Coakley victim of identity theft" border="0" height="205" width="389" /></div> <p style="font-family: verdana;">BOSTON -- New Massachusetts Attorney General Martha Coakley admits to an identity crisis of sorts.</p> <p style="font-family: verdana;">She says she's the victim of identity theft and she is taking the security breach personally.</p> <p style="font-family: verdana;">Framingham-based retailer TJX is the latest company to have had its customer information compromised.</p> <p style="font-family: verdana; font-weight: bold;">Potential victims number in the millions.</p> <p style="font-family: verdana;">The thief used Coakley's information to buy a Dell computer.</p> <p style="font-family: verdana;">Coakley says the system needs improving.</p> <p style="font-family: verdana;">The customer data was hacked from a TJX computer system in mid-December.</p> <p style="font-family: verdana;">If you think your private information may have been stolen, call the TJX help line.</p><p style="font-family: verdana;">The number is 1-866-484-6978.</p><span style="font-weight: bold;font-family:verdana;" ></span>James Childers - iQBiohttp://www.blogger.com/profile/16479533292440588296noreply@blogger.com0tag:blogger.com,1999:blog-38624446.post-35994021329028273002007-02-01T11:43:00.000-08:002007-02-01T11:56:27.504-08:00Massachusetts Bankers Association Responds to TJX Companies Data Breach - Confirmed over 20 Million Individual Records Breached<span style="font-weight: bold;font-family:verdana;" >Announced January 18th, 2007</span><br /><span style="font-weight: bold;font-family:verdana;" >Data Breach UPDATE - TJX Companies</span><br /><span style="font-weight: bold;font-family:verdana;" >20+ Million Records Breached</span><br /><p><span style="font-weight: bold;font-family:verdana;" >--Editors Note--</span><br /></p><p><span style="font-weight: 
bold;font-family:verdana;" >The actual depth and breadth of the TJX breach is now becoming fully known - piecemeal. While TJX appeared to have been claiming it was a victim in this breach, they understated the impact of the breach and purposefully understated their culpability in this breach. Updates from some media sources put the breach from TJX at over 20 million victims. Data that was illegally released includes credit card numbers, CVV Codes, driver's license numbers, address and phone numbers of customers. This information is specifically prohibited from being collected and stored in the manner in which it was archived at TJX by PCI-DSS (the Payment Card Industry - Data Security Standard). The collection and illegal dissemination of driver's license, and other individual identifiable data with these records may expose TJX to additional liability through civil and criminal penalties, lawsuits, and other punitive measures. Why in the hell was TJX archiving the full contact records and credit card information for over 20 million people in the first place and what were they thinking by storing it on an un-encrypted computer on their network? The full depth and breadth of the stupidity involved in this breach is leaking bit-by-bit to the media. What is even more frightening is that the information stolen from TJX is now VERIFIED as being used by Identity Thieves and the sheer numbers of potential victims is staggering. 
We will have further updates as they are available on what could be the single largest commercial breach of all time with verified identity theft.</span><br /><span style="font-weight: bold;font-family:verdana;" >--James Childers--<br /></span><br /><span style="font-weight: bold;font-family:verdana;" >Massachusetts Bankers Association Responds to TJX Companies Data Breach</span><br /><br /><span style="font-weight: bold; font-family: verdana;">Governing Privacy Law or Rule - <a href="http://www.biometricsdirect.com/Biometrics/laws/CREDITCARD.htm">PCI-DSS</a>, <a href="http://www.biometricsdirect.com/Biometrics/laws/USFEDANDSTATE.htm">State Laws</a>, Federal Wire Fraud</span><br /><br /><span style="font-family:verdana;">BOSTON--(BUSINESS WIRE)--The Massachusetts Bankers Association:</span><br /></p><ul><li><span style="font-family:verdana;">MasterCard now Reporting Data Breaches to Banks</span></li><li><span style="font-family:verdana;">Thus far, 28 Massachusetts Banks Report Compromised Cards</span></li><li><span style="font-family:verdana;">Work of MBA Task Force is Underscored</span></li><li><span style="font-family:verdana;">Has TJX been “Victimized?”</span></li><li><span style="font-family:verdana;">Advice for Cardholders</span></li></ul><span style="font-family:verdana;"></span><span style="font-family:verdana;"></span><span style="font-family:verdana;"></span><span style="font-family:verdana;">The Massachusetts Bankers Association (MBA) said today that in addition to VISA USA, now MasterCard is contacting Massachusetts banks to report that some of their customers’ personal banking information may have been compromised due to the data breach reported by TJX Companies yesterday. 
Bay State banks are acting quickly to protect customers who have been red-flagged by the two card associations after doing business with TJX stores including TJMaxx, Marshalls, Winners, HomeGoods, TKMaxx, AJWright, and HomeSense.</span><br /><br /><span style="font-family:verdana;">After surveying its banks, the MBA is reporting that thus far 28 banks have been contacted by the card associations indicating that some of their card holders have had personal information that may have been exposed due to the TJX data breach. The MBA is cautioning, however, that the number is likely to grow higher as, thus far, only 48 out of 205 banks in Massachusetts have reported in to the Association.</span><br /><br /><span style="font-family:verdana;">In addition, the MBA is questioning TJX’s self-characterization as being “victimized” by the intrusion in a news release issued yesterday by the retailer.</span><br /><br /><span style="font-family:verdana;">Daniel J. Forte, CEO and president of the MBA said, <span style="font-weight: bold;">“We think it’s a little odd that they would characterize themselves as victims when it appears that they may have been capturing data that is unnecessary.”</span></span><br /><br /><span style="font-family:verdana;">Retailers, upon processing a debit or credit card purchase -- that is, verifying that the information on a card is correct, and that customers have money or credit in their accounts -- are prohibited by card network rules from retaining that information. “After the transaction clears,” said Forte, “there is no reason to store any data.”</span><br /><br /><span style="font-family:verdana;">TJX has not indicated what data it routinely captures, but the range of problematic data includes account numbers, expiration dates, personal identification numbers, and other verification information. 
“The company did indicate,” said Forte, “that driver’s license information may have been captured and exposed.”</span><br /><br /><span style="font-family:verdana;">Two years ago, after a data breach that occurred at BJ’s Wholesales Club, the MBA established the New England Debit Card Task Force. The group, consisting of the banking trade associations from the New England states, individual community bankers, representatives from the American Bankers Association, the America’s Community Bankers, the Independent Community Bankers of America, and the California Bankers Association, has been meeting frequently to address this very issue and develop ways to moderate fraud.</span><br /><br /><span style="font-family:verdana;">The task force has worked closely with Visa and Mastercard, engaging in dialogue centered on protecting consumers and seeking to moderate the impact and the costs that banks must bear when such data breaches occur.</span><br /><br /><span style="font-family:verdana;">“Visa and MasterCard have both been increasing fines and penalties for retailers when violations such as this are uncovered,” said Forte.</span><br /><br /><span style="font-family:verdana;">“Moreover, in Massachusetts,” added Forte, “through the work of the Debit Card Task Force, we have been leading an effort to manage the impact of fraud on consumers and our banks when it occurs due to a retailer’s data breach. We are strongly supporting recent legislation in Massachusetts that would place the liability for the expenses that banks must bear in the hands of the retailers at fault. We hope that long term, this approach would be the motivation that retailers need to enhance the security of their systems and protect consumers, as well as your local bank. 
While expensive for all banks, ninety-five percent of the banks in Massachusetts are community banks, and these costs can be particularly tough for smaller banks and credit unions to absorb.”</span><br /><br /><span style="font-family:verdana;">Forte explained that when a bank must issue new cards due to a retailer’s data breach, it can add up to a significant expense considering that thousands of cards could be involved. “MasterCard, and now Visa, has in place a process for banks to make claims for the cost of re-issuing cards,” he said, “however, there is no guarantee that the full amount will be reimbursed. Additionally, there is the fraud issue. If a fraud does take place, MasterCard and Visa have a zero liability policy in place for the benefit of consumers, which is good. However, the cost is borne by the bank even if the retailer is responsible for a major violation of the card association rules resulting in fraud. Does this make sense?”</span><br /><br /><span style="font-family:verdana;">Forte added, <span style="font-weight: bold;">“Bottom line, we believe it is critical that the card associations – Visa, MasterCard, etc. – and public officials carefully evaluate whether retailers should be held liable for a data breach, particularly when the information being stored is in violation of card network rules.”</span></span><br /><br /><span style="font-family:verdana;">The New England Debit Card Task Force, following the breach involving BJ’s Wholesale Club, began advocating a number of steps to enhance security. 
Its major recommendations include:</span><br /><br /><span style="font-family:verdana;">1) Notification – Giving banks the ability to notify customers on a timely basis;</span><br /><br /><span style="font-family:verdana;">2) Liability for the Fraud – Retailers should be held accountable, at present banks absorb the cost;</span><br /><br /><span style="font-family:verdana;">3) Full Reimbursement for card re-issue – This cost if not fully covered can be significant for banks;</span><br /><br /><span style="font-family:verdana;">4) Stronger Encryption Standards and Data Capture Limits – a must to protect consumers.</span><br /><br /><span style="font-family:verdana;">Although the MBA expects the number of banks and exposed cardholders in the TJX incident to rise, the MBA is telling customers not to worry. “You may not be in the affected group,” said Forte. “There is no reason to contact your bank. It will reach out to you if there is a problem. This is a situation that was not caused by your bank but you should know, if your information was exposed, we are working hard on your behalf. If you are notified that you are in the impacted group, remember just because your data was exposed, fraud may not occur. 
Nonetheless, it’s a good idea to check your statements and balances regularly, and order a credit report which you can receive free of charge once a year.”</span><br /><br /><span style="font-family:verdana;">The Massachusetts Bankers Association represents 205 commercial, savings and co-operative banks and savings and loan institutions in Massachusetts and elsewhere in New England.</span><br /><br /><span style="font-family:verdana;">Massachusetts Bankers Association, Inc.</span><br /><span style="font-family:verdana;">73 Tremont Street, Suite 306</span><br /><span style="font-family:verdana;">Boston, MA 02108-3906</span><br /><span style="font-family:verdana;">Tel: 617-523-7595 / Fax: 617-523-6373</span><br /><span style="font-family:verdana;">http://www.massbankers.org</span>James Childers - iQBiohttp://www.blogger.com/profile/16479533292440588296noreply@blogger.com0tag:blogger.com,1999:blog-38624446.post-26590409471711356272007-02-01T11:18:00.000-08:002007-02-01T11:29:15.801-08:00CIBC Asset Management - 470,000 Records Breached<span style="font-weight: bold;font-family:verdana;" >Announced January 18th, 2007</span><br /><span style="font-weight: bold;font-family:verdana;" >Computer Theft</span><br /><br /><span style="font-weight: bold;font-family:verdana;" >CIBC Subsidiary - Talvest Mutual Funds</span><br /><span style="font-weight: bold;font-family:verdana;" >Montreal, Quebec</span><br /><br /><span style="font-weight: bold;font-family:verdana;" >Governing Privacy Law or Rule - Provincial and Canadian Government Privacy Laws</span><br /><br /><span style="font-family:verdana;">Source: SINCLAIR STEWART</span><br /><span style="font-family:verdana;">Globe and Mail Update</span><br /><span style="font-family:verdana;">18/01/07</span><br /><br /><a href="http://www.theglobeandmail.com/servlet/story/RTGAM.20070118.wcibc0118/BNStory/Business/home"><span style="font-family:verdana;">The personal information of nearly half-a-million customers at a CIBC </span><span 
style="font-family:verdana;">mutual fund subsidiary has gone missing, prompting fears of a potential </span><span style="font-family:verdana;">security breach and inciting an investigation from Canada's federal </span><span style="font-family:verdana;">privacy commissioner.</span></a><br /><br /><span style="font-family:verdana;">A backup computer file containing application data for 470,000 investors </span><span style="font-family:verdana;">at Montreal-based Talvest Mutual Funds disappeared in transit on the way </span><span style="font-family:verdana;">to Toronto recently, the bank said in a news release Thursday.</span><br /><br /><span style="font-family:verdana;">The file contained everything from client names and addresses to </span><span style="font-family:verdana;">signatures, birth dates, bank account numbers and Social Insurance </span><span style="font-family:verdana;">Numbers. Officials at CIBC Asset Management Inc., a division of the </span><span style="font-family:verdana;">Canadian Imperial Bank of Commerce, said there is no evidence of fraud, </span><span style="font-family:verdana;">nor is there any indication that any data on this hard drive has been </span><span style="font-family:verdana;">accessed. 
The company did not explain how it lost the drive.</span><br /><br /><span style="font-family:verdana;">Privacy Commissioner Jennifer Stoddart, who launched a probe of CIBC </span><span style="font-family:verdana;">following a faxing snafu two years ago, said she has determined there </span><span style="font-family:verdana;">are grounds for another investigation in the Talvest matter, even though </span><span style="font-family:verdana;">the bank brought the problem to her attention.<br /><br /></span><span style="font-family:verdana;">“Although I appreciate that the bank notified us of this incident and </span><span style="font-family:verdana;">that it is working cooperatively with my office, I am nevertheless </span><span style="font-family:verdana;">deeply troubled, especially given the magnitude of this breach, which </span><span style="font-family:verdana;">puts at risk the personal information of hundreds of thousands of </span><span style="font-family:verdana;">Canadians,” said Ms. Stoddart. “My office is committed to carrying out a </span><span style="font-family:verdana;">thorough investigation into this matter and to ensuring that preventive </span><span style="font-family:verdana;">and corrective measures are put in place so that this does not reoccur.”</span><br /><span style="font-family:verdana;"><br />The bank said it has taken immediate steps to rectify the problem, and</span> <span style="font-family:verdana;">has written letters to affected customers. 
The vast majority of these </span><span style="font-family:verdana;">are clients of Talvest, rather than CIBC, which bought the mutual fund </span><span style="font-family:verdana;">company in 2001.</span><br /><br /><span style="font-family:verdana;">The bank has promised to compensate customers for any loss, and is </span><span style="font-family:verdana;">allowing them to enroll in a free credit monitoring program that can </span><span style="font-family:verdana;">alert them if someone is trying to use their information without proper </span><span style="font-family:verdana;">authorization.</span><br /><br /><span style="font-family:verdana;">“Although we have no evidence that the information contained in the </span><span style="font-family:verdana;">backup file has been accessed in any way, we are acting out of an </span><span style="font-family:verdana;">abundance of caution and want to assure our clients that we are taking </span><span style="font-family:verdana;">all steps possible to address this matter,” Steve Geist, president of </span><span style="font-family:verdana;">CIBC Asset Management, said in a statement.</span><br /><br /><span style="font-family:verdana;">This is the second major security issue for Canadians in as many days. </span><span style="font-family:verdana;">Wednesday, the U.S. retailer that owns discount chains Winners and </span><span style="font-family:verdana;">HomeSense revealed it had been the victim of a massive computer hacking </span><span style="font-family:verdana;">effort.</span><br /><br /><span style="font-family:verdana;">Sources told The Globe and Mail that the network break-in at TJX Cos. 
</span><span style="font-family:verdana;">may have affected as many as 20-million Visa cards worldwide, and some </span><span style="font-family:verdana;">estimates suggest as many as 2-million of these cards are Canadian. It's </span><span style="font-family:verdana;">unclear how big that number will be for other card providers, like </span><span style="font-family:verdana;">MasterCard, but the numbers suggest it could be one of the largest such </span><span style="font-family:verdana;">breaches the country has ever seen, according to one person in the </span><span style="font-family:verdana;">financial community. The RCMP is assisting U.S. authorities with that </span><span style="font-family:verdana;">investigation.</span><br /><br /><span style="font-family:verdana;">The Talvest incident is another embarrassing episode on the privacy </span><span style="font-family:verdana;">front for CIBC, which was at the centre of a faxing snafu in 2004. The </span><span style="font-family:verdana;">bank sent errant faxes to a junkyard operator in West Virginia for three </span><span style="font-family:verdana;">years, mistakenly divulging private customer information.</span><br /><br /><span style="font-family:verdana;">The junkyard operator eventually sued the bank for clogging his fax </span><span style="font-family:verdana;">lines, and Canada's privacy commissioner launched an investigation. In a </span><span style="font-family:verdana;">2005 report, she expressed concern about a breakdown in privacy </span><span style="font-family:verdana;">practices that could reflect a bigger problem in Canadian business. </span>James Childers - iQBiohttp://www.blogger.com/profile/16479533292440588296noreply@blogger.com0tag:blogger.com,1999:blog-38624446.post-58675034207369973632007-01-17T18:51:00.000-08:002007-02-01T11:18:13.710-08:00TJX Companies, Inc. 
"Unknown Amount of Records Breached"<span style="font-weight: bold;font-family:verdana;" >Announced January 17, 2006</span><span style="font-weight: bold;font-family:verdana;" ><br />Computer Network Breach - "Unknown Amount of Records"<br /><br /></span><span style="font-weight: bold;font-family:verdana;" >TJX Companies, Inc.<br /></span><span style="font-weight: bold;font-family:verdana;" >Retail (T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores)<br /></span><span style="font-weight: bold;font-family:verdana;" >Framingham, MA<br /><br /></span><span style="font-weight: bold;font-family:verdana;" >Governing Privacy Law or Rule - <a href="http://www.biometricsdirect.com/Biometrics/laws/CREDITCARD.htm">PCI-DSS</a>, <a href="http://www.biometricsdirect.com/Biometrics/laws/USFEDANDSTATE.htm">State Laws</a>, Federal Wire Fraud<br /><br /></span><span style="font-family:verdana;">FRAMINGHAM, Mass.--(BUSINESS WIRE)--The TJX Companies, Inc. (NYSE:TJX) today announced that it has suffered an unauthorized intrusion into its computer systems that process and store information related to customer transactions. While TJX has specifically identified some customer information that has been stolen from its systems,</span><span style="font-weight: bold;font-family:verdana;" > the full extent of the theft and affected customers is not yet known.</span><span style="font-family:verdana;"> This intrusion involves the portion of TJX</span><span id="bwanpa11" style="font-family:verdana;">’</span><span style="font-family:verdana;">s computer network that handles credit card, debit card, check, and merchandise return transactions for customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada, and may involve customers of its T.K. Maxx stores in the U.K. and Ireland. 
The intrusion could also extend to TJX</span><span id="bwanpa12" style="font-family:verdana;">’</span><span style="font-family:verdana;">s Bob</span><span id="bwanpa13" style="font-family:verdana;">’</span><span style="font-family:verdana;">s Stores in the U.S. The Company immediately alerted law enforcement authorities of the crime and is working closely with them to help identify those responsible. TJX is also cooperating with credit and debit card issuers and providing them with information on the intrusion.</span><br /><br /><span style="font-family:verdana;">TJX is conducting a full investigation of the intrusion with the assistance of several leading computer security and incident response firms and is seeking to determine what customer information may have been compromised. The Company is committed to providing its customers with more information when it becomes available.</span><br /><br /><span style="font-family:verdana;">With the help of leading computer security experts, TJX has significantly strengthened the security of its computer systems. While no computer security can completely guarantee the safety of data, these experts have confirmed that the containment plan adopted by TJX is appropriate to prevent future intrusions and to protect the safety of credit card, debit card and other customer transactions in its stores.</span><br /><br /><span style="font-family:verdana;">Ben Cammarata, Chairman and Acting Chief Executive Officer of The TJX Companies, Inc., stated, </span><span id="bwanpa14" style="font-family:verdana;">“</span><span style="font-family:verdana;">We are deeply concerned about this event and the difficulties it may cause our customers. Since discovering this crime, we have been working diligently to further protect our customers and strengthen the security of our computer systems and we believe customers should feel safe shopping in our stores. 
Our first concern is the potential impact of this crime on our customers, and we strongly recommend that they carefully review their credit card and debit card statements and other account information for unauthorized use. We want to assure our customers that this issue has the highest priority at TJX.</span><span id="bwanpa15" style="font-family:verdana;">”</span><p style="font-family: verdana;"> </p><span style="font-family:verdana;">Important Information for Customers </span><br /><ul style="font-family: verdana;"><li> TJX has established a special helpline for its customers who have questions about this situation. Customers may reach the helpline toll-free at 866-484-6978 in the United States, 866-903-1408 in Canada, and 0800 77 90 15 in the United Kingdom and Ireland.</li><li class="bwlistitemmarginbottom"> TJX will also provide information for customers on its website, <a target="_blank" href="http://www.tjx.com/" shape="rect">www.tjx.com</a>, including tips on preventing credit and debit card fraud and other steps customers may take to protect their personal information. </li><li class="bwlistitemmarginbottom">TJX strongly recommends that customers carefully review their account statements and immediately notify their credit or debit card company or bank if they suspect fraudulent use.</li></ul> <p style="font-family: verdana;"> Actions Taken By TJX </p> <ul style="font-family: verdana;"><li> Upon discovery of the intrusion in mid-December, 2006, TJX immediately notified and began working closely with law enforcement authorities, including the United States Department of Justice and Secret Service and the Royal Canadian Mounted Police. The Company has coordinated its actions with these authorities and provided all assistance requested to seek to identify the criminals responsible for this incident. 
TJX maintained the confidentiality of this intrusion as requested by law enforcement.</li><li class="bwlistitemmarginbottom"> The Company immediately engaged General Dynamics Corporation and IBM Corporation, two leading computer security and incident response firms. TJX has been working aggressively with these firms to monitor and evaluate the intrusion, assess possible data compromise, and seek to identify affected information. These firms have assisted TJX in further securing its computer systems and implementing security upgrades. </li><li class="bwlistitemmarginbottom">TJX promptly notified and began working closely with the major credit card companies (American Express, Discover, MasterCard and VISA) and entities that process our customers' transactions. The Company has been providing them information including all requested credit and debit card information.</li></ul> <p style="font-family: verdana;"> Information About the Intrusion </p> <p style="font-family: verdana;"> Through its investigation, TJX has learned the following with respect to the intrusion: </p> <ul style="font-family: verdana;"><li> An unauthorized intruder accessed TJX's computer systems that process and store information related to customer transactions for its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico and its Winners and HomeSense stores in Canada.</li><li>The Company is concerned that the intrusion may extend to the computer systems that process and store information related to customer transactions for T.K. Maxx in the U.K. and Ireland, although TJX<span id="bwanpa16">’</span>s investigation has not yet been able to confirm any such intrusion. 
It is possible that the intrusion may extend to Bob's Stores.</li><li> Portions of the information stored in the affected part of TJX<span id="bwanpa17">’</span>s network regarding credit and debit card sales transactions in TJX<span id="bwanpa18">’</span>s stores (excluding Bob<span id="bwanpa19">’</span>s Stores) in the U.S., Canada, and Puerto Rico during 2003, as well as such information for these stores for the period from mid-May through December, 2006 may have been accessed in the intrusion. TJX has provided the credit card companies and issuing banks with information on these and other transactions.</li><li>To date, TJX has been able to specifically identify a limited number of credit card and debit card holders whose information was removed from its system and is providing this information to the credit card companies. In addition, TJX has been able to specifically identify a relatively small number of customer names with related drivers' license numbers that were also removed from its system, and TJX is contacting these individuals directly.</li><li>TJX is continuing its investigation seeking to determine whether additional customer information may have been compromised. TJX does not know if it will be able to identify additional information of specific customers that may have been taken.</li></ul><span style="font-family:verdana;">The Company does not yet have enough information to estimate the extent of the financial cost it will incur as a result of this situation, and does not expect to be able to quantify the estimated financial impact of this issue at the time TJX announces January 2007 sales.</span><br /><br /><span style="font-family:verdana;">The TJX Companies, Inc. is the leading off-price retailer of apparel and home fashions in the U.S. and worldwide. The Company operates 826 T.J. Maxx, 751 Marshalls, 271 HomeGoods, and 162 A.J. 
Wright stores, as well as 36 Bob</span><span id="bwanpa20" style="font-family:verdana;">’</span><span style="font-family:verdana;">s Stores, in the United States. In Canada, the Company operates 184 Winners and 68 HomeSense stores, and in Europe, 212 T.K. Maxx stores. TJX</span><span id="bwanpa21" style="font-family:verdana;">’</span><span style="font-family:verdana;">s press releases and financial information are also available on the Internet at </span><a style="font-family: verdana;" target="_blank" href="http://www.tjx.com/" shape="rect">www.tjx.com</a><span style="font-family:verdana;">. </span><br /><br /><span style="font-family:verdana;">Source: </span><a style="font-family: verdana;" href="http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20070117005971&newsLang=en">Business Wire</a><br /><br /><a href="http://www.biometricsdirect.com/Biometrics/laws/CREDITCARD.htm"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px;" src="http://www.biometricsdirect.com/images/PCIDSScompliance.jpg" alt="PCI DSS compliance" border="0" /></a><br /><br />Posted January 17, 2007 - Commentary - Secure the Data Already - AGAIN!<span style="font-weight: bold;font-family:verdana;" >Your private data is everywhere. 
Your identity is valuable and if it is compromised, the economic, emotional and even physical damage can almost never be reversed.<br /><br /></span><span style="font-family:verdana;">With every purchase you make online, every major purchase like a home or car, each account you open with a bank, broker, insurance agent, health care agency or doctor, and even when you apply for basic services such as telephone or power, you are "required by these providers" to release information such as your name, address, social security number, phone number, date of birth, credit card numbers, your spouse's and children's names and dates of birth, and other private data that is unique to your identity. Most of this data is collected under the guise of verifying your identity, or to fulfill some government mandate or industry guideline that validates the provider's internal procedures. The question is, what happens with this data?<br /><br /></span><span style="font-family: verdana;">There are several US Government laws that regulate what can and cannot be done with certain types of personally identifiable information. Each of these laws has penalties for breaches of its requirements. The sad truth is that almost none of these laws are enforced, even after a very public breach has occurred. </span> <p style="font-family: verdana;">As an example, HIPAA (the Health Insurance Portability and Accountability Act), a law that deals with the collection, maintenance and release of individual private health information, established both criminal and civil penalties for the unlawful release of patient data. The HIPAA Privacy Rule took effect in April 2003. 
The Office for Civil Rights (OCR) within the Department of Health and Human Services is charged with investigating complaints and imposing the civil penalties; criminal cases are referred to the Department of Justice. As of March 2006, the OCR had received over 18,000 complaints regarding the unlawful release of individual patient data, <b>yet it had not imposed a single civil penalty</b>. As of March 28, 2006, there had been only two criminal convictions under HIPAA. One was a Texas woman, <a target="_blank" href="http://www.usdoj.gov/usao/txs/releases/March2006/060307-Ramirez.htm">Liz Arlene Ramirez</a>, who was arrested after agreeing to sell the medical information of an FBI agent to someone she believed to be a drug trafficker; the other was a man in Seattle caught using patients' information to fraudulently obtain credit cards. HIPAA, like most other laws governing the privacy of financial transactions, banking records or other personal data, is in practice almost never enforced.</p><span style="font-family:verdana;"> So, how can you secure YOUR data? iQBio has several industry-leading products that can help any person, business or government agency secure and control local or portable data with multi-factor authentication and encryption. Secure the data already... 
enough is enough.<br /><br /><a href="http://www.biometricsdirect.com/Portable/ClipBioPro.htm">ClipBio Pro - 1GB or 2GB Portable Flash Memory with Fingerprint Security starting at $69.95</a><br /><br /></span><a href="http://www.biometricsdirect.com/Portable/ClipBioPro.htm"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px;" src="http://www.biometricsdirect.com/images/ClipBio_New.jpg" alt="ClipBio Pro" border="0" /></a><a href="http://www.biometricsdirect.com/Portable/iqbiodrive.htm"><span style="font-family:verdana;">iQBioDrive - 100GB or 160GB Portable Hard Drive with Fingerprint Security starting at $219.95</span></a><br /><br /><a href="http://www.biometricsdirect.com/Portable/iqbiodrive.htm"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px;" src="http://www.biometricsdirect.com/images/openiqbiodrive.jpg" alt="iQBioDrive" border="0" /></a><span style="font-family:verdana;">Each of the above is cheap insurance. 
Protect your data...<br /></span><br /><br />Announced January 17, 2007 - Fitchburg Savings Bank "1,300+ Records Breached"<span style="font-weight: bold;font-family:verdana;" >Network Computer Breach<br /><br /></span><span style="font-weight: bold;font-family:verdana;" >Fitchburg Savings Bank<br /></span><span style="font-weight: bold;font-family:verdana;" >Business<br /></span><span style="font-weight: bold;font-family:verdana;" >Boston, MA<br /><br /></span><span style="font-weight: bold;font-family:verdana;" >Governing Privacy Law or Rule - <a href="http://www.biometricsdirect.com/Biometrics/laws/GRAMMLEACHBLILEY.htm">GLBA</a>, State Laws</span><span style="font-family:verdana;"><br /><br /><a href="http://www.telegram.com/apps/pbcs.dll/article?AID=/20070117/NEWS/701170343/1002/BUSINESS">About 1,300 debit-ATM cards issued by Fitchburg Savings Bank were deactivated yesterday after the bank was told by Visa USA that a “large-scale data compromise” may have included its check cards.</a><br /><br /></span><span style="font-family:verdana;">None of the cards was used fraudulently and all are being replaced, said Martin F. Connors Jr., bank president and chief executive officer. “If someone has the person’s information, at this point they can’t do anything with it,” he said.</span><br /><br /><span style="font-family:verdana;">Mr. Connors said he was aware of at least one other financial institution in Worcester County with far more cards affected by the security breach. 
A broader problem was confirmed by the Massachusetts Bankers Association yesterday.</span><span style="font-family:verdana;"><span style="font-weight: bold;"><br /><br />“It appears that Visa has notified a number of banks in Massachusetts that a large-scale retailer has had a problem with some of its customer data,” said Bruce E. Spitzer, an MBA spokesman. “Quite a few banks are replacing cards</span> or notifying customers to be extra vigilant in monitoring their accounts. If a card needs to be reissued, the bank will do it.”</span><br /><br /><span style="font-family:verdana;">Another source indicated that the breach may be broader than Visa cards.</span><br /><br /><span style="font-family:verdana;">Mr. Connors said customers should receive new debit cards within a week. Cardholders may activate their new cards immediately by going to one of seven Fitchburg Savings Bank branches with proper personal identification and changing the PIN number on their new card. Or they can wait to receive a new pre-assigned PIN in the mail and follow the activation instructions, the bank said in a letter dated yesterday to customers. 
</span><br /><br />Announced January 17, 2007 - Rincon del Diablo Municipal Water District "500 Records Breached"<span style="font-family: verdana; font-weight: bold;">Unencrypted Private Data - Stolen Computer Breach<br /><br /></span><span style="font-family: verdana; font-weight: bold;">Rincon del Diablo Municipal Water District<br /></span><span style="font-family: verdana; font-weight: bold;">Government Agency<br /></span><span style="font-family: verdana; font-weight: bold;">Escondido, CA<br /><br /></span><span style="font-family: verdana; font-weight: bold;">Governing Privacy Law or Rule - California Senate Bill SB1386<br /><br /></span><a style="font-family: verdana;" href="http://www.signonsandiego.com/news/northcounty/20070117-9999-1mi17rincon.html">The credit-card numbers of about 500 customers in the Rincon del Diablo Municipal Water District were stolen yesterday</a><span style="font-family: verdana;"> in an early-morning break-in, officials said. Thieves smashed a glass wall at the district's offices on North Iris Lane and stole two computers, one from the customer services department and the other from engineering, said Darlene Lynn, interim general manager. Customers' names and credit-card numbers were contained in software on the customer services computer, but their Social Security numbers and birth dates were not on either computer, Lynn said. She said the number of stolen credit-card numbers could increase because officials are still determining the extent of information that was taken. No instances of credit-card numbers being used illegally have been reported, the district said, and police are investigating the burglary. 
</span><br /><br />Announced January 13, 2007 - North Carolina Dept of Revenue "30,000 Records Breached"<span style="font-weight: bold; font-family: verdana;">Portable Data Breach - Laptop Stolen w/ Unencrypted Data<br /><br /></span><span style="font-weight: bold; font-family: verdana;">NC Dept of Revenue<br /></span><span style="font-weight: bold; font-family: verdana;">State Agency<br /></span><span style="font-weight: bold; font-family: verdana;">Raleigh, NC<br /><br /></span><span style="font-weight: bold; font-family: verdana;">Governing Privacy Law or Rule - North Carolina Identity Theft Protection Act</span><span style="font-family: verdana;"><br /><br />A laptop computer containing files on 30,000 taxpayers was stolen from the car of an N.C. Department of Revenue employee last month, and state officials are cautioning everyone on the list to keep an eye on their finances for potential fraud. </span><a style="font-family: verdana;" href="http://www.charlotte.com/mld/charlotte/16451423.htm">The Revenue Department this week dispatched letters to all 30,000 people, apparently the first such episode since the enactment of an N.C. law last fall requiring government agencies to notify consumers when their data are lost or stolen. </a>