Data Breach At Experian Credit Reporting Service

Experian has notified the New Hampshire Department of Justice of data breach where unauthorized third parties may have obtained consumers credit reports. The company discovered the breach in February 2012 and began notifying affected consumers on May 17, 2012.

The breach notice did not disclose the number of consumers affected. The unauthorized access occurred between November 2010 and March 2012. An investigation into the breach was conducted including the analysis of computer logs. In its breach notice, Experian stated:

"... we do not believe that any third party obtained access to any specific data elements that are covered by the New Hampshire security breach law because those data elements (e.g., financial account numbers) were redacted or truncated on any credit report disclosure..."

New Hampshire is one of about 46 states that require entities (e.g., companies and state agencies) to notify both the state and affected residents in each state whose personal information archived by that entity was lost, stolen, or accessed by unauthorized persons.

In its breach notice to consumers, Experian stated:

"While any consumer report will contain public information like name and address, Experian masks or displays only partial social security numbers, birth dates, and account numbers, so they are not identifiable and cannot be abused."

This is troublesome because, a) the breach went undiscovered for a long time, 16 months; b) partial social security and bank account numbers, partially masked, and c) the extremely sensitive personal and financial information contained in consumer credit reports.

Experian placed fraud alerts on the files of breach victims, and, of course, is offering breach victims two years of fee credit monitoring services through its ProtectMyID service.

Experian is one of the three larges credit reporting agencies. The other two are Equifax and TransUnion. Experian also operates the Triple Alert and FreeCreditReport.com websites. In 2010, the U.S. Federal Trade Commission changed the disclosre rules for web sites offering free credit reports. Consumers should know that the official webiste for truly free credit reports.

Data Breach At Pantone.com

In an April 10, 2012 letter, X-Rite Inc. notified the State of California Attorney General of a data breach where hackers accessed a Pantone.com website server on or about February 6, 2012.The breach notice did not disclose the number of records accessed/stolen, nor the exact method the hackers used.

The breach was discovered by X-Rite management on March 23, 2012. The data accessed and stolen included the names, addresses, and credit card information of customers who bought products at the pantone.com website. X-Rite notified affected customers on April 6. In August 2007, X-Rite announced its acquisition of Pantone for about $180 million.

A copy of the breach notice is available at the State of California Attorney General website and here (Adobe PDF, 23k bytes).

Data Breach At Choice Hotels

Since I started this blog almost five years ago, I've written about a variety of data breaches, where sensitive customer and employee information was stolen. Sometimes, the breach involved hackers breaking into a company's website server. Often, it included the theft of a laptop computer or flash drive left in an employee's parked car. Sometimes, it was "insider identity theft" by an employee or contractor. This latest breach involved a method I hadn't heard before.

About April 25, 2012, Choice Hotels notified the appropriate state agencies in both California and New Hampshire of a data breach affecting residents in those states. According to the breach letter submitted by the company, sensitive customer information (e.g., credit card numbers, drivers license numbers, passport numbers, Social Security numbers) were not entered into the proper database fields in the company's customer systems. As a result, this sensitive data wasn't protected (e.g., encrypted), and was passed along to the company's marketing partners where the sensitive data was inadvertently printed on marketing envelopes mailed to customers.

Choice Hotels claims that less than 0.001 percent of guest stays were affected. The breach was discovered in December 2011, and the company immediately stopped using the database for markeing purposes. The company hired Kroll Advisory Solutions to investigate the problem with a "forensic analysis." About 59 New Hampshire residents were affected and have already been notified.

The company's breach notice did not identify the company's marketing partners. Its website Privacy and Security Policy states that:

"If you reside in California and have provided Choice your personally identifiable information, you may request a list from us of third parties with whom we shared your personally identifiable information for their own direct marketing purposes during the preceding calendar year..."

Choice Hotels operates several lodging brands including Clarion, Comfort Inn, EconoLodge, MainStay Suites, and Rodeway Inn. A copy of the breach notice is available at the New Hampshire Department of Justice website and here (Adobe PDF; 154k bytes). The California Attorney General website also includes a copy of the breach letter sent to affected consumers. The company has reportedly contracted with TransUnion Interactive for for free credit monitoring services for breach victims.

Data Breach At Opening Ceremony

BankInfo Security reported details of a data breach at Opening Ceremony, a New York-based clothing and shoe retailer. Hackers inserted malicious software on the company's website server.

The data stolen included the payment card information of customers who purchased products online between Feb. 16 and March 21. the company has already notified customers affected by the breach. In a May 4 letter to affected customers (Adobe PDF), Opening Ceremony has contracted with ID Experts for complimenary credit monitoring and resolution services.

 

Report Analyzes Breach Notifications Affecting Massachusetts Residents

Last week, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) released its findings from an analysis of four years of data breach notifications reported to the state. A chief finding was that sensitive data often was not encrypted.

Any businesses or entities storing consumers' personal information has been required since Oct. 31, 2007 to report data breaches to the OCABR. Through September 30, 2011, the OCABR received 1,833 breach notices affecting about 3.2 mikllion people, or an average breach size of 1,727 stolen or lost records. 73% (1,336) of the breaches involved electronic files and affected 97% of breach victims.

The financial services industry reported the most breaches (955) during the last four years, affecting 901,156 people. Most of these breaches were the credit- and debit-card transactions at processing centers and retail stores. The health care industry has had fewer breaches (214), but affected far more people ( 983,746), including the South Shore Hospital breach in 2010.

In March 2010, new laws went into effect requiring entities that store, own, or license personal information about Massachusetts residents to develop, implement, and maintain a comprehensive written information security program (WISP) describing how it will protect sensitive information. the new law required entities to encrypt sensitive information if it is transmitted over public networks, the Internet, or carried on portable devices.

The of breaches each year have remained pretty steady, ranging from a low of about 415 to a high of about 470. Other findings:

"... stolen or lost portable electronic devices are most often not secure. Of the 365 devices reported lost or stolen, only 13 were encrypted. The lost devices led to exposure for 409,572 people. By contrast, the 27 encrypted machines kept information secure for 24,269 people... of the 75 lost or misplaced portable devices reported; only one was encrypted, compromising 1.2 million pieces of information. Of the 290 stolen portable devices stolen, 12 were encrypted, protecting 4,110 pieces of information. The 277 unencrypted devices exposed 220,000 pieces of information."

The types of devices lost/stolen included desktop computers and computer tapes. The types of portable devices lost or stolen included laptop computers, thumb drives, and storage discs (CDs). The report concluded:

"If all portable devices were encrypted from 2007 to 2011, the number of residents whose personal information was compromised would be remarkably lower by 47 % or 1,490,308 people. If all portable devices were encrypted from march 1, 2010 the number of compromised residents would have decreased by 29 percent or 909,992 people... compliance with the encryption requirement is a powerful to to safeguard the personal information of millions of residents"

Download the OCABR data breach report (Adobe PDF, 948K bytes).

Data Breach By PWC Exposes Personal Data Of Under Armour Employees

The Baltimore CBS News affiliate reported during the weekend about a data breach at Under Armour, that exposed the sensitive personal information of employees. The company's auditing firm, PWC, lost on or about April 12 in the postal mail an unencrypted flash drive containing personnel information.

The data elements lost or stolen included employees' names, Social Security numbers, and pay. Under Armour has about 5,400 employees worldwide. Employees have been offered one year of free credit monitoring. PWC is investigating how its security failed.

This PWC data breach highlights the data security risks and impacts from an outsourcing vendor. And no client company wants a breach by their auditing firm. Sadly, this is not the first breach by an auditing or accounting firm. Notable breach history:

Year	Company	Auditor / Accountant	# Records	Comments
January, 2012	Regions Financial Corp.	Ernst & Young	Unknown	Sensitive personal financial information including SSNs of current and former Regions employees. Auditor from Ernst & Young mailed a flash drive and decryption code. Flash drive lost/stolen. Regions employs ~27K people in 16 states.
April 2009	Borrego SPrings Bank	Not disclosed	Unknown	Sensitive personal financial information including bank account names, numbers, and balances. Theft of 7 laptop computers from an auditing firm's office.
January 2008	Mariner Health Care, SavaSeniorCare Administrative Services, LLC	Windham Brannon	80, 124	Sensitive personal and financila information including current and former employees' SSNs, 401(k) data, DOBs, and salaries. Cash and several laptops stolen from Windham's Atlanta office.
March, 2007	Springfield City Schools (Ohio)	State Auditor	1,950	Sensitive personal information of current and former employees. Theft of laptop from a state auditor employee's vehicle parked at home.
October 2006	Community National Bank	Crowe Chizek	90	Sensitive personal and financial information including SSNs, tax ID numbers, and account numbers. Two laptops belonging to Crowe auditors were stolen from a car in a restaurant parking lot.
October 2006	DirecTV	Deloitte & Touche	55	Names and SSNs of some current and former employees. Laptop stolen during the home of a Deloitte & Touche employee.
Data Source: Privacy Rights Clearinghouse

Utah Medicaid Breach Larger Than First Estimated

A data breach at the Utah Department of Technology Services (DTS), which operates computer servers that store Medicaid claims data for the Utah Department of Health (UDH), appears to have affected more consumers than first estimated. Late last week, the DTS reported that about 181,000 Medicaid and Children's Health Insurance Plan (CHIP) recipients were affected. About 25,096 people of the 181k total had their Social Security numbers exposed/stolen.

Yesterday, the UDH disclosed a greater number of breach victims: an additional 255,000 additional victims had that Social Security numbers stolen, and an additional 350,000 had lesser personal information exposed/stolen. So, the total count is now 780,000 breach victims:

Medicaid claims typically include patients' names, addresses, birth dates, Social Security numbers, physician’s names, national provider identifiers, addresses, tax identification numbers, and billing codes for medical procedures. The initial breach estimate was 24,000 records exposed/stolen. The breach investigation is still ongoing. UDH disclosed in a press release:

"DTS servers have multi-layered security systems that include many controls, including: perimeter security, network security, identity management, application security, and data security. In this particular incident, a configuration error occurred at the authentication level, allowing the hacker to circumvent the security system. DTS has processes in place to ensure the state's data is secured, but this particular server was not configured according to normal procedure. DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again..."

The UDH is notifying all breach victims via a breach letter, but with a priority of first notifying the consumers whose Social Security numbers were exposed. These breach letters offer one year of free credit monitoring services. Other breach victims will receive a slightly different notice with information about how to further protect themselves. People with online access via the My Case web portal, were given breach notices both online at the web site and via e-mail.

Two Years After Its Data Breach, Upromise Email Notice Leaves Customer Confused

William, an I've Been Mugged reader, received the below email message from Upromise.com:

"From: Upromise (member@your.upromise.com)
Subject: Important information regarding Personalized Offers
Date: March 10, 2012 12:14:23 AM EST
To: ***********@************

Dear William,
Our records show that you had the TurboSaver® toolbar installed with the optional Personalized Offers feature enabled at some point through January 21, 2010. Through that date, because of an issue with vendor-supplied software, the use of this feature resulted in the unintended collection and transmission of certain categories of your personal information to Upromise or our vendor. Depending on how a particular web page was configured, this could have included information you entered into forms such as usernames, passwords, search terms, credit card numbers or financial account numbers. Our members' privacy is extremely important to us, and we took immediate action when we learned of this issue in January 2010 by directing the software vendor to disable the Personalized Offers functionality. As a result of this change, the toolbar is not collecting or transmitting Personalized Offers data, even if your toolbar indicates that the feature is enabled.

As always, if you would like to uninstall the TurboSaver toolbar, simply access the toolbar menu by clicking the Upromise logo on the left hand side of the toolbar, select "Uninstall" and follow the prompts. If you have any questions, or need additional information, we welcome you to contact us at 1-800-877-6647 or email questions@upromise.com.

Sincerely,

The Upromise Customer Care Team
www.upromise.com"

William doesn't remember receiving a prior breach notice from Upromise, and says he is diligent about opening both email and postal mail from companies he does business with. William wants to know what is happening at Upromise, and why he received an email that looks like a breach notice two years after the data breach.

William does not appear to be the only concerned Upromise member. You can read posts by a couple customers in the Upromise community forum.

A review of the Upromise Facebook page and Upromise Insider blog did not find any posts during 2012 about a breach notice. I contacted Upromise and a representative, Deborah Hohler replied:

"When the matter came to our attention two years ago, we immediately addressed it and saw no evidence anyone’s data was misused. The protection of personal information is extremely important to us. This email communication was in connection with a proposed consent order from the FTC, and we worked with them on actual content and timing of the message."

At this point, a little history might help. In January 2010, PC Magazine reported about the Upromise breach involving the Upromise Toolbar:

"Privacy researcher and Harvard Business School Professor Ben Edelman has written a report on the practices of the Upromise Toolbar, called TurboSaver by the company. Upromise is a membership system through which you can earn money for college savings by buying items from certain vendors through Upromise. The toolbar facilitates this in your browser and tracks user behavior."

Another breach at a Sallie Mae company seems to have been the result of insider identity theft. In July 2011, WTHR Channel 13 in Indiana reported:

"The suspect is an employee at another Sallie Mae spin-off in Massachusetts - College Choice... In a letter sent to more than 300 parents, College Choice admitted an employee with its program manager, UPromise Investments, accessed names, social security numbers, birthdays and other contact information for seven months while on the job."

Also during July 2011, Upromise filed a breach notice (Adobe PDF) with the State of New Hampshire Department of Justice. The notice did not disclose how many customers were affected, but confirmed the WTHR news report and that letters were mailed to breach victims on June 23, 2011 -- about six months after the toolbar breach was discovered. I also checked Maryland, Vermont, and Wisconsin. None contained any Upromise breach notices, but Maryland hasn't yet uploaded breach notices received during 2011.

William lives in a state that does not post online the breach notices it receives.

The January 18, 2012 U.S. Federal Register (Adobe PDF) mentioned a proposed settlement agreement between the U.S. Federal Trade Commission (FTC) and Upromise, which alleged that:

"... Upromise engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for the personal information it collected and maintained. Among other things, Upromise: (1) Transmitted sensitive information from secure web pages, such as financial account numbers and security codes, in clear readable text; (2) did not use readily available, low-cost measures to assess and address the risks to consumer information; (3) failed to ensure that employees responsible for the information collection program received adequate guidance and training; (4) failed to take adequate measures to ensure that its service provider employed reasonable and appropriate measures to protect consumer information."

The proposed settlement agreement includes six parts describing the actions Upromise must take to improve its data security and notices to its members (bold emphasis added):

"Part I of the proposed order requires Upromise to disclose to consumers—before the download or installation of software that records or transmits information about any activity occurring on a computer involving the computer’s interactions with Web sites, services, applications, or forms—the types of information collected and how the information will be used. The disclosure must be clear and prominent and separate from other notices. The company must also obtain consumers’ express affirmative consent before the consumer downloads, installs, or otherwise activates such software. In addition, the company must provide this clear and prominent notice, and obtain express affirmative consent, before enabling data collection through any previously installed TurboSaver Toolbar and before making any material change from stated practices about collection or sharing of personal information through the Toolbar.

Part II of the proposed order requires Upromise to provide notice to consumers who, prior to the issuance of the order, had the Personalized Offers feature enabled. The notice must inform consumers about the categories of personal information that were, or could have been, transmitted by the feature, and how to disable the Personalized Offers feature and uninstall the Toolbar. Part III of the proposed order requires the company to destroy data it collected during the years covered by the complaint unless otherwise directed by the Commission.

Part IV of the proposed order prohibits the company from making any misrepresentations about the extent to which it maintains and protects the security, privacy, confidentiality, or integrity of any information collected from or about consumers. Part V of the proposed complaint requires Upromise to maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of such information (whether in paper or electronic format) about consumers. The security program must contain administrative, technical, and physical safeguards appropriate to Upromise’s size and complexity, the nature and scope of its activities, and the sensitivity of the information collected from or about consumers and employees. Specifically, the proposed order requires Upromise to:
- Designate an employee or employees to coordinate and be accountable for the information security program;
- Identify material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks;
- Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures; - Develop and use reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from Upromise or obtain on behalf of Upromise, and require service providers by contract to implement and maintain appropriate safeguards; and
- Evaluate and adjust its information security programs in light of the results of testing and monitoring, any material changes to operations or business arrangements, or any other circumstances that it knows or has reason to know may have a material impact on its information security program.

Part VI of the proposed order requires Upromise to obtain within the first one hundred eighty (180) days after service of the order, and on a biennial basis thereafter for a period of twenty (20) years, an assessment and report from a qualified, objective, independent third party professional, certifying, among other things, that: (1) It has in place a security program that provides protections that meet or exceed the protections required by the proposed order; and (2) its security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of sensitive consumer, employee, and job applicant information has been protected."

Upromise is a rewards program where members save towards college by making everyday purchases with Upromise partners: brick-and-mortar and online stores, restaurants, grocery stores, drug stores, and similar retailers. Upromise members include parents, grandparents, and other family members saving for college for a child, grandchild, or family member. Upromise members can invest their savings in a high-yield savings account or tax-deferred 529 plan, and then use that to pay down student loan, or request a check to pay for college expenses.

What might all of this mean?

According to Hohler at Upromise, the email message William received was part of the above proposed settlement agreement with the FTC (probably Part 2). Given this, the email is in my opinion confusing and unnecessarily vague. It raises more questions than it answers.

A better email update would have reminded Upromise members that this email was follow-up to a prior breach notice, and that it was prompted in part by the settlement agreement with the FTC. The email update didn't mention the settlement agreement at all.

A better email update would also explain why Upromise left a toolbar installed in customers' web browsers that might display inaccurate messaging which might confuse users:

"As a result of this change, the toolbar is not collecting or transmitting Personalized Offers data, even if your toolbar indicates that the feature is enabled."

This seems to conflict with Upromise's reply that, "... we immediately addressed it..." about the toolbar data breach. A defective browser toolbar still operating two years after the breach would make anyone wonder.

A better email update would instruct users how to upgrade the defective toolbar. A better email update would have mentioned the proposed settlement agreement with the FTC, and then outlined everything Upromise is doing, or has already done, to comply.

The comprehensive and detailed scope of the proposed consent agreement suggests to me that there were more data security problems at Upromise than a toolbar breach. It seems to me that most of the six parts of the proposed settlement agreement are data security methods a company would implement anyway to protect sensitive assets and customer information.

Having received a breach notice via postal mail after IBM's 2007 breach, I can definitely tell you that a breach letter is not something you would easily forget nor misplace. So, I believe William 100% when he said that the above email is his first notice from Upromise about its 2010 data breach.

In the 4+ years I have written this blog, I have encountered situations where companies experiencing data breaches have created a website about its breach investigation. IBM created such a web site after its 2007 data breach. I searched for such a site at Urpomise and didn't find one. Perhaps its exists and is behind a secure log-in available only to customers. Then again, William would have mentioned it if it exists. A better email update would summarize its breach investigation(s) and explain the proposed consent agreement.

As it stands, users like William are unsure and left wondering exactly what is happening. Transparent communication promotes trust.

If you were affected by the Upromise breach, what has been your experience? What do you think of Upromise's post-breach response? What are your opinions of the proposed settlement agreement?

Data Breach At Motorola Mobility Affects Refurbished XOOM Tablets

Motorola Mobility admitted Friday in a press release that it failed to erase the sensitive personal information of original owners on refurbished tablets. The breach included about 100 Motorola XOOM WiFi tablets from a batch of 6,200. The tablets were resold by Woot.com during October through December 2011.

Motorola did not specify the types of sensitive personal information exposed, but it likely include any personal information the original tablet owners stored on their devices:

"It is possible that users might have stored photographs and documents. They may have also stored user names and passwords for email and social media accounts, as well as other password-protected sites and applications."

Ya think so? Duh! Obviously, affected consumers should change their passwords at any online bank, financial, and social networking websites; especially if you stored your passwords on your Motorola tablet. Purchasers of the affected refurbished tablets should return their devices to Motorla to ensure that the memory of each device is cleared. If you purchased a refurbished Motorola XOOM Wi-Fi tablets from Woot.com between October and December 2011, you should visit motorola.com/xoomreturn or call Motorola Mobility Customer Support (1-800-734-5870 and select Option 1) to determine if your tablet is affected.

For consumers who purchased and then returned a Motorola XOOM Wi-Fi tablet to Amazon.com, Best Buy, BJ’s Wholesale, eBay, Office Max, Radio Shack, Sam’s Club, or Staples and a few other independent retailers between March and October 2011, Motorola offers a free two-year membership with Experian’s ProtectMyID Alert credit monitoring service. The company also directed original tablet owners to contact Experian at 1-866-926-9803 to register for their complimentary credit monitoring service.

At press time, refurbished XOOM tablets were selling for about $349 on Amazon.com.

This breach is troublesome. While breaches often happen, the company should have adequately wiped all sensitive personal data from refurbished tablets. That the company failed to do so makes one wonder if any malware was transmitted to purchasers of refurbished tablets -- or of any other Motorola mobile devices.

If you were affected by this data breach, share your experience below.

Data Breach At City College Of San Francisco Affects Thousands

The San Francisco Chronicle reported that a data breach at the City College of San Francisco (CCSF) could affect tens of thousands of students, employees, faculty, and staff. After the Thanksgiving holiday, computer viruses were found installed on computers in the college's computer labs.

The computer viruses had been installed as long as 10 years ago, and transmitted stolen data to locations in several countries. The data stolen included personal banking and other sensitive personal data. According to the newspaper report:

"Each night at about 10 p.m., at least seven viruses begin trolling the college networks and transmitting data to sites in Russia, China and at least eight other countries, including Iran... Servers and desktops have been infected across the college district's administrative, instructional and wireless networks. It's likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected."

The college has posted a page with frequently asked questions to assist its users. the page stated in part:

"Currently there is no evidence that any of the College’s main servers and databases held in trust by the College have been compromised. Our security consultants are still conducting their analysis but it appears at this time that the viruses focused on information taken off individual workstations and computer servers for student labs. Confidential student and employee information is held in trust and stored on District servers. Our network security consultants are continuing their analysis of the servers and we will communicate the results of this work as soon as it is available."

For users that have experienced identity theft or fraud, the college FAQ page directs users to the U.S. Federal Trade Commission (FTC) website for further assistance.

If this FAQ page is the extent of the breach notice by the college, then -- in my opinion -- it is woefully inadequate. It would seem that the data breach caught the school administration unprepared.

The notice should inform users about the results of the breach investigation and actions so this breach doesn't happen again. Since online banking credentials appear to have been stolen, that represents ways for identity criminals to access the bank accounts of breach victims to steal money and/or more personal information: personal data: full names, email addresses, street addresses, Social Security numbers, and mobile phone numbers. With this core personal data stolen, thieves can obtain credit fraudulently.

Given this, the breach notice should also provide contact information and links to the credit reporting agencies. Simply suggesting to users that they change their online passwords is not enough given the personal information exposed. If further fraud happens, the college needs to step in and provide free credit monitoring and resolution services.

California Modifies Its Data Breach Laws To Improve Notification

Loeb and Loeb LLP reports that California has modified its security breach rules to expand notification. The revised law goes into effect January 1, 2012. Notification letters to consumers must include:

• A list of the types of personal data exposed,
• The date(s) or date range of the data breach,
• A description of the data breach,
• Whether or not an investigation by law enforcement delayed the notification, and
• The toll-free phone numbers and addresses of the major credit reporting bureaus

Consumers must be notified in writing, unless law enforcement views notification as an obstacle to criminal investigations. Organizations with breaches affecting more than 500 California residents must also notify the California Attorney General's office. According to Loeb and Loeb, the organizations that must comply with Senate Bill 24:

"... any agency, person, or business that owns or licenses computerized data that includes personal information. In the event of a security breach to any California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, that agency, person, or business must issue a security breach notification."

Loeb & Loeb LLP provides a variety of services for its Fortune 100 clients, including media and technology, antitrust, finance, corporate and securities, energy, and more. The firm has about 300 attorneys with offices in Los Angeles, New York, Chicago, Nashville, Washington, DC, and Beijing.

These California modifications are good, because too many breach notifications lack details. More disclosure is better since it helps breach victims judge the severity of the breach. I have read several and some states post online the breach notices received by their state judicial agency.

ICO Updates Requirements For Data Breach Disclosures

The Information Commissioner’s Office (ICO) recently updated its data breach disclosure regulations for ISPs and telecommunications providers in the United Kingdom. To make reporting requirements easier for businesses, the ICO suggests that companies submit a list of data breaches monthly.

However, companies would still need to report major breaches in detail and separately. The existing regulations require companies' breach disclosures to include:

"The nature of the breach; the consequences of the breach; and the measures taken or proposed to be taken by the provider to address the breach."

The existing regulations require companies to maintain a log of any breaches affecting consumers personal information, and to provide affected consumers or customers with a breach notification covering:

"The nature of the breach; contact details for your organisation where they can get more information; and ow they can mitigate any possible adverse impact of the breach."

Companies do not have to report data breaches where the data is protected by encryption. The ICO describes itself as:

"... the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals."

Data Breach At Peoples Gas in Chicago

Last week, the ABC television network affiliate in Chicago reported that Peoples Gas has notified an undisclosed number of customers about a data breach. An employee at one of the utility's vendors accessed and used customers' personal information.

The vendor's employee attempted to apply for new credit cards using the stolen customer information. The employee has since been fired. Details about the breach were sparse. The utility did not announce the dates of the breach, nor explain steps to prevent a repeat occurrence with vendors. The utility notified affected customers by phone and by letter.

The utility warned affected customers to check their credit reports for fraudulent entries, to file a police report about any fraud, and to contact the illinois Attorney General's Office hotline (1-866-999-5630). Peoples Gas serves more than 800 thousand consumers in the city of Chicago.

Data Breach Via Insider Identity Theft at North Carolina Hospital

The Data breach cause that scares me most is insider identity theft because it involves employees that should be trustworthy, and aren't. It also emphasizes that the company, hospital, or government agency have an aggressive "red flags" program in place to monitor who accesses sensitive consumer information (e.g., customers, patients, clients, employees, contractors), and compliance with data security policies.

Yesterday, the News-Record reported a data breach involving protected patient information at High Point Regional Health System. An employee took home 47 patients' files, and later returned them. Officials believe the data breach occurred between September 14 and October 6. Hospital representatives learned of the breach last month by an employee at Premier Imaging LLC, a hospital subsidiary. The employee has since been fired.

The breached records included patients' names, residential addresses, dates of birth, Social Security numbers, driver's license numbers and insurance information -- all of the critical data elements for thieves to assume another person's identity and do significant damage with health or financial accounts. An investigation by the health system could not determine whether the former employee has any patient information in her possession or has used it in any way.The hospital has notified affected patients, and arranged an identity protection service for the affected consumers.

Specific data security rules exist for hospitals and health care organizations. According to the Health & Human Services website, the information that must be protected includes:

"Information your doctors, nurses, and other health care providers put in your medical record; conversations your doctor has about your care or treatment with nurses and others; Information about you in your health insurer’s computer system; billing information about you at your clinic; and most other health information about you held by those who must follow these laws."

The companies that must follow this law are called "covered entities," and include doctors, pharmacies, nursing homes, HMO's, health plans, health insurance companies, and vendors hired under certain conditions.

Latest Sony Data Breach Affects 93,000 Customers

On Tuesday, Sony announced In its Playstation blog that the entertainment company experienced another data breach affecting 93,000 of its Sony Entertainment Network (SEN), PlayStation Network (PSN), and Sony Online Entertainment (SOE) customers. While the affected customers are less than one tenth of one percent (0.1%) of total PSN, SEN and SOE customers, the affected customers include about 60,000 PSN/SEN customers and about 33,000 SOE customers. In response to the intrusion, Sony has temporarily locked down those accounts.

"We are currently reviewing those accounts for unauthorized access, and will provide more updates as we have them. Please note, if you have a credit card associated with your account, your credit card number is not at risk. We will work with any users whom we confirm have had unauthorized purchases made to restore amounts in the PSN/SEN or SOE wallet."

During May and June of 2011, Sony announced multiple data breaches at its PSN, Canadian eShop, Greece, and Thailand websites, affecting over 77 million customers worldwide, plus another 24 million SOE customers. Several Sony executives apologized publicly for the data breaches. After those attacks, several security experts concluded that Sony used obsolete data security software.

It would appear that with the latest attacks, security at Sony online sites is far from optimal or desired.

 

Data Breach Affects 4.9 Million Active And Retired Military Personnel And Their Families

TRICARE Management Activity, the health care program for military personnel worldwide, reported last week a massive data breach involving the personal and medical records of 4.9 million active and retired military personnel and their families. The backup computer tapes, stolen from a contractor's automobile, included records from a military health system that captured patient data from 1992 to September 7, 2011. The lost/stolen information included:

"... Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions. There is no financial data, such as credit card or bank account information..."

In its press release, TRICARE stated that it will take about four to six weeks to notify directly all breach victims. A breach investigation is underway. The contractor company is Science Applications International Corporation (SAIC). SAIC is operating an Incident Response Call Center, which breach victims can call. Breach victims should monitor their credit reports, and report any fraud to the U.S. Federal Trade Commission and to local law enforcement.

While TRICARE estimated the risk to breach victims as low, and stated in its press release that special computer hardware and software are required to access the data on the backup tapes. Based on this estimate, TRICARE is not offering breach victims complimentary credit monitoring or credit resolution services. In my opinion, that is unacceptable and not the way to support the troops. It places the burden on troops who are busy defending the country, often at risk of life. It is a time consuming and burdensome process to fix medical records that co-mingle both the victim's and the fraudster's health history. TRICARE and SAIC are responsible for maintaining adequate data security, and should do the right thing: provide free credit monitoring and credit resolution for two to five years to breach victims.

If there is one thing I have learned while writing this blog is that identity thieves and fraudsters are persistent, and often have access to the same computing resources that everyone else has. Simply, it may take time for the criminals to access the stolen data, and the criminals have the time. The value of the stolen data is unquestionable, and is sufficient for identity thieves to obtain medical care fraudulently, assume others' identities, and/or reuse the Social Security numbers for other identity fraud acts or fraudulent employment.

SAIC describes itself as:

"... a FORTUNE 500® scientific, engineering, and technology applications company that uses its deep domain knowledge to solve problems of vital importance to the nation and the world, in national security, energy and the environment, critical infrastructure, and health. We do this with the constant and deliberate commitment to ethical performance and integrity that has marked SAIC since its founding."

Refusing to help breach victims by avoiding to pay for credit monitoring and resolution services does not demonstrate any type of "commitment to ethical performance" or problem solving. Rather, it is hoping the problem will simply go away, and leaves the breach victims with the monitoring and cleanup burden. To use an American football analogy, TRICARE and SAIC have simply punted the football.

Interested military personnel and families should read the TRICARE press release with accompanying questions and answers (PDF).

If you agree and believe that both TRICARE and SAIC should do more, share your opinions below and at:

• SAIC: Facebook, Twitter
• TRICARE Management Activity: Facebook, Twitter

Data Breach At Vacationland Vendors Affects About 40K Consumers

Vacationland Vendors, a supplier of arcade equipment and vending machines, announced at its website a major data breach affecting consumers who used their debit- credit-cards at the Wilderness Resort locations in Wisconsin or Tennessee during the period from December 12, 2008 to May 25, 2011. The company released very few details in its breach notice:

"Based upon its investigation to date, Vacationland Vendors reasonably believes that a computer hacker improperly acquired credit card and debit information. This incident did not involve an internal security issue within the Wilderness Resort."

While company did not disclose the number of consumers affected by the data breach, the Credit Union Times reported that an estimated 40,000 consumers were affected. Vacationland Vendors advises affected consumers to closely monitor their bank accounts for fraudulent charges, report any fraudulent charges to their bank, and then place a fraud alert on their credit reports.

Vacationland Vendors needs to do much more to help affected consumers, and explain more about its investigation, why the breach went on for so long -- over two years, and what the company is doing so another hack doesn't happen for so long a period.

California Amends Its Breach Notification Law

California was the first state in the nation to enact a breach notification law. The 2002 law required organizations that store records with consumer information -- both companies and government agencies -- to notify consumers when their sensitive personal information was lost or stolen. Last week, California Governor Brown signed into law SB 24. What's new about SB 24:

"Specifically, SB 24 establishes standard, core content for data breach notifications including a general description of the incident, the type of information breached, the time of the breach, and toll-free telephone numbers and addresses of the major credit reporting agencies in California.... In addition, SB 24 also requires data holders to send an electronic copy of the notification to the Attorney General, if a single breach affects more than 500 Californians."

SB 24 (Adobe PDF) goes into effect January 1, 2012.

This is good news for consumers, as other states' breach notification laws have followed California's lead. I believe it is also good because too often, consumers have no idea what to do next when they receive a breach notificaton letter. Too many don't know about the credit reporting agencies: Experian, Equifax, and TransUnion; nor the consumer's responsibility to keep their credit reports accurate; and the need to monitor their credit reports after a breach/theft.

Since writing this blog I have talked with many consumers. A breach notification letter is often a wake-up call that he/she needs to take action to protect their sensitive personal and financial information.

Moreover, the InfoLaw Group appropriate emphasized that SB 24:

"... adds California to the list of states and other jurisdictions that require some type of regulator notice in the event of certain types of data security breaches... Other states that require some form of regulator notice in some circumstances for certain kinds of entities (sometimes for a breach, and sometimes to explain why an entity has determined there was no breach) include Alaska, Arkansas, Connecticut, Hawaii, Indiana, Louisiana, Maine, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, New York, North Carolina, Puerto Rico, South Carolina, Vermont, and Virginia."

Don't see your state on this list? Write to your elected officials and demand an improved breach notification law for your state.

Sadly, only four states' governments post online the breach notifications they receive: Maryland, New Hampshire, Vermont and Wisconsin. Online postings are a good way for consumers to verify the breach notifications they receive.

Data Breach At A Retailer Has Affected BofA and Citi Customers

A data breach at a retailer has affected cardholders at both Bank of America and CitiBank. Both banks have deactivated some credit cards. According to American Banker, the banks have not disclosed the name of the retailer. According to Bloomberg, Bank of America sent several debit card customers new cards as a precaution after a possible breach. The banks have not disclosed the name of the retailer.

From my view, the two events are related and the retailer's breach is significant. A reader wrote to me yesterday:

"Wow. This morning BOA contacted me about suspicious activity on my debit card...3 transactions at some international art market. On the 3rd transaction, BOA caught it and declined the card. The rep said she thinks they had a fake card made. But wow! What the hell? Do you think this is a coincidence or could it be related?"

It's probable that this reader's debit card information was skimmed and cloned. It's great that BofA acted proactively and notified the reader of these suspect transaction, but the fraud has already happened. This reader's bank account information is out there among identity theft and fraud criminals. Now, this reader needs to get a new bank account and replacement debit card; plus update all of her online bill payment settings.

I encouraged this reader to use credit cards instead of her debit card when shopping at online and brick-and-mortar retail stores. Sure, debit cards are convenient, but the risk is just too high. When breached, it gives criminals direct access to your bank checking account.

Think of it this way: every time you shop with your debit card at a retail store, you are trusting that retail store and its employees to:

1. Protect your sensitive bank account information,
2. Protect their customer databases from hacks,
3. Protect its point-of-sale terminals from skimming devices,
4. Encrypt wireless transmissions of purchase transactions between it and its banks,
5. Implement a "red flag" program to controla ccess to sensitive customer data and to discover insider identity theft,
6. Comply with state laws to protect and delete certain transaction information within the appropriate deadline, and
7. Comply with merchant guidelines (e.g., from Visa International, MasterCard)

So, the next time you enter a brick-and-mortar store, look around and ask yourself if you feel comfortable that that particular establishment has the resources, skills, and commitment to do #1 through #7 to protect your sensitive bank account and payment data. If the answer is "no," then use cash or a credit card. At gas stations, use your card inside and not at the pump. Learn how to avoid being a victim of skimming. Learn more about whether to shop with cash, debit, credit, or a charge card.

Me? I use my debit cards only at my bank's ATM machines.

If you are a Citi or Bank of America customer, were you affected by this latest breach? Did you receive replacement debit/credit cards, or did you have to demand them? If so, please share your experience below.

Comparison Of The Current Data Breach Bills In Congress

There is a good article by the Center For Democracy And Technology (CDT) which compares the current data breach bills in the U.S. Congress. I discussed this proposed legislation in this prior blog post. The CDT reported:

"... there are a number of pending data breach bills, including Representative Rush’s DATA, Representative Bono Mack’s recently marked up SAFE Data Act, and Senators Pryor and Rockefeller’s (acronym-free) Data Security and Breach Notification Act. Other pending legislation, including Senator Leahy’s Personal Data Privacy and Security Act as well as the White House’s Cybersecurity Proposal, also addresses data breaches."

This proposed legislation is important because:

"Current federal law requires notification of consumers in the event of a breach only in limited circumstances, while nearly every state has its own version of a data breach law. Congress is now looking to simplify data breach laws with a national standard, but the question is whether such a standard would be a step forward for consumers. It’s an issue, that CDT has been following since at least 2005."

Whenever politicians want to "simplify" something, it's usually time to start worrying. What may be simpler for corporations and organizations could place consumers' sensitive personal information at risk. And, the usually players will argue about the cost burdens on companies. Let's remember the burdens on consumers, too, who typically have fewer resources.

When I read proposed legislation, I consider it effective data breach legislation when it addresses all of the following components:

1. Definition of personal information. This can be tricky. Just as there are various data elements available about consumers today (e.g., GPS location data attached to photos, images, tweets, social media posts, etc.) that didn't exist 5 or 10 years ago, future technologies will contain new data elements that don't exist today.
2. Define organizations covered by this law. It should cover all organizations in both the private and government sectors. in prior "Red Flag" legislation, attorneys gained an exclusion
3. Dictate how data should be protected (e.g., if electronic records, then encryption) both during transmission and during storage. The legislation has to assume that a variety of identity-theft criminals and hactivists will continually attempt to hack or breach websites containing sensitive consumer information. Prior legislation seemed to assume the traditional data storage within a company's premises. Futurre legislation must assume traditional and cloud-computing storage. Ideally, certain types of sensitive personal information shouldn't be "stored in the cloud."
4. Define the types of events (e.g., a minimum number of records exposed, doemstic locations, international lcoations) that trigger notification
5. Define the parameters of notification (e.g., personal letter via snail mail, ads in news media)
6. Define the assistance provided to breach victims (e.g., consumers, employees, customers). There is no standard definition of "credit monitoring" which may or may not include credit monitoring, quarterly or real-time updates, real-time notices, credit resolution, insurance, and credit scores. Typically, companies offered one or two years of free credit monitoring services. This length is insufficient given the high value and long life of various data elements (e.g., Social Security Numbers).
7. Effect on state law. According to the National Council of States Legislatures (NCSL), at October 2010 about 46 states in the USA plus Puerto Rico and the U.S. Virgin Islands have breach notification laws. The four states lacking breach notification laws are Alabama, Kentucky, New Mexico, and South Dakota. Weak federal legislation that supercede state law would be a step backwards for residents in states with strong breach notification and data security laws.
8. Fit with existing law. There are existing laws for medical and financial informaton. New breach legislation should not weaken these existing laws.
9. Contain sufficient penalties for violators. This can't be a simple "slap on the hand," and must contain sufficiently high fines and/or jail time for repeat offenders.