
14 posts from April 2012

Report Analyzes Breach Notifications Affecting Massachusetts Residents

Last week, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) released its findings from an analysis of four years of data breach notifications reported to the state. A chief finding was that sensitive data often was not encrypted.

Any business or entity storing consumers' personal information has been required since Oct. 31, 2007 to report data breaches to the OCABR. Through September 30, 2011, the OCABR received 1,833 breach notices affecting about 3.2 million people, an average of 1,727 stolen or lost records per breach. 73% (1,336) of the breaches involved electronic files, and those breaches accounted for 97% of the affected residents.

The financial services industry reported the most breaches (955) during the last four years, affecting 901,156 people. Most of these breaches involved credit- and debit-card transactions at processing centers and retail stores. The health care industry has had fewer breaches (214), but they affected far more people (983,746), including the South Shore Hospital breach in 2010.

In March 2010, new regulations went into effect requiring entities that store, own, or license personal information about Massachusetts residents to develop, implement, and maintain a comprehensive written information security program (WISP) describing how they will protect sensitive information. The new regulations also require entities to encrypt sensitive information that is transmitted over public networks or the Internet, or that is carried on portable devices.

The number of breaches each year has remained fairly steady, ranging from a low of about 415 to a high of about 470. Other findings:

"... stolen or lost portable electronic devices are most often not secure. Of the 365 devices reported lost or stolen, only 13 were encrypted. The lost devices led to exposure for 409,572 people. By contrast, the 27 encrypted machines kept information secure for 24,269 people... of the 75 lost or misplaced portable devices reported, only one was encrypted, compromising 1.2 million pieces of information. Of the 290 stolen portable devices, 12 were encrypted, protecting 4,110 pieces of information. The 277 unencrypted devices exposed 220,000 pieces of information."

The non-portable devices lost or stolen included desktop computers and backup tapes. The portable devices lost or stolen included laptop computers, thumb drives, and storage discs (CDs). The report concluded:

"If all portable devices were encrypted from 2007 to 2011, the number of residents whose personal information was compromised would be remarkably lower by 47% or 1,490,308 people. If all portable devices were encrypted from March 1, 2010 the number of compromised residents would have decreased by 29 percent or 909,992 people... compliance with the encryption requirement is a powerful tool to safeguard the personal information of millions of residents"

Download the OCABR data breach report (Adobe PDF, 948K bytes).

Slamming And Your Home Energy Bills

Recently, an I've Been Mugged reader wrote asking me what to do about their home energy bill. The reader was concerned that they had been "slammed": their energy supplier had been switched without their approval. In situations like this, it is important for consumers to understand their rights first.

Each state in the USA has a Public Utility Commission (PUC) or equivalent state agency that governs and regulates which companies are licensed to sell energy (e.g., electricity, natural gas). So, a good first step toward understanding your rights is to visit the PUC website for the state where you live.

I'll use the state where I live as an example. In Massachusetts, some private companies are licensed to sell only electricity, some only gas, and some both. The Executive Office of Energy and Environmental Affairs (EEA) provides the lists of licensed energy sellers in Massachusetts. Obviously, this is the list consumers should use to verify any private company selling energy in the state, especially door-to-door sales people.

The same EEA website describes consumers' various rights about energy services. For example, the "Cooling Off Period" describes the length of time consumers can change their mind after switching to a new energy service provider:

"Your choice of a competitive power supplier will not take effect for at least three business days. Should you change your mind during that three day period, you will not incur any charges."

The site also describes consumers' rights about slamming:

"A competitive power supplier may not switch you to its service without your consent. Your consent must take the form of either: 1) a written letter of authorization signed by you; or 2) your oral statement to an independent third party, such as a separate verification company. If you are switched without your authorization, you may file a complaint with the Massachusetts Department of Telecommunications and Energy by calling 1-800-392-6066."

Historically, slamming happened a lot with phone services, but lately it happens with energy services, too. In 2011, the Georgia Public Service Commission (PSC) imposed a $400,000 penalty on gas marketer Energy America for customers it "slammed." While some companies approach consumers at home, others use phone solicitations.

Before accusing a company of slamming your energy service, I would first check with other members of the household, or the landlord, to see if somebody else signed an order to switch service. Then, I would contact the new energy supplier to get the sales person's name and a copy of the new-service order.

If slamming is still a concern, other steps I might perform in order:

  1. Check the website of my existing energy supplier to see what they advise about slamming
  2. Check my state's PUC website to understand my rights and what they advise about slamming
  3. File a complaint with the PUC in the state where I live
  4. File a police report with local law enforcement, since it is fraud to forge another person's signature
  5. File a complaint with the Federal Trade Commission
  6. Consult with an attorney to see what other options there may be for consumers

Having difficulty finding the website for your state's PUC? This list may help.

Data Breach By PWC Exposes Personal Data Of Under Armour Employees

The Baltimore CBS News affiliate reported over the weekend on a data breach at Under Armour that exposed the sensitive personal information of employees. The company's auditing firm, PWC, lost an unencrypted flash drive containing personnel information in the postal mail on or about April 12.

The data elements lost or stolen included employees' names, Social Security numbers, and pay information. Under Armour has about 5,400 employees worldwide. Employees have been offered one year of free credit monitoring. PWC is investigating how its security failed.

This PWC data breach highlights the data security risks and impacts that come with an outsourcing vendor. No client company wants a breach caused by its auditing firm. Sadly, this is not the first breach by an auditing or accounting firm. Notable breach history:

Year | Company | Auditor / Accountant | # Records | Comments
January 2012 | Regions Financial Corp. | Ernst & Young | Unknown | Sensitive personal financial information including SSNs of current and former Regions employees. An Ernst & Young auditor mailed a flash drive together with its decryption code; the flash drive was lost/stolen. Regions employs ~27K people in 16 states.
April 2009 | Borrego Springs Bank | Not disclosed | Unknown | Sensitive personal financial information including bank account names, numbers, and balances. Theft of 7 laptop computers from an auditing firm's office.
January 2008 | Mariner Health Care, SavaSeniorCare Administrative Services, LLC | Windham Brannon | 80,124 | Sensitive personal and financial information including current and former employees' SSNs, 401(k) data, DOBs, and salaries. Cash and several laptops stolen from Windham's Atlanta office.
March 2007 | Springfield City Schools (Ohio) | State Auditor | 1,950 | Sensitive personal information of current and former employees. Theft of a laptop from a state auditor employee's vehicle parked at home.
October 2006 | Community National Bank | Crowe Chizek | 90 | Sensitive personal and financial information including SSNs, tax ID numbers, and account numbers. Two laptops belonging to Crowe auditors were stolen from a car in a restaurant parking lot.
October 2006 | DirecTV | Deloitte & Touche | 55 | Names and SSNs of some current and former employees. Laptop stolen from the home of a Deloitte & Touche employee.
Data Source: Privacy Rights Clearinghouse

Security Report Describes Multiple Threats Targeting Apple And Android Mobile Devices

Your Apple mobile device may not be as secure as you think it is. Trend Micro released a report last week about mobile device security. Key findings from the report:

  • During the first three months of 2012, Apple led all major technology vendors with 91 reported vulnerabilities, followed by Oracle (78), Google (73), Microsoft (43), IBM (42), Cisco (36), Mozilla (30), MySQL (28), Adobe (27), and Apache (24).
  • During the same period, Android-based smartphones suffered the most cyber criminal attacks. Trend Micro identified about 5,000 new malicious apps that target Android devices.

The report described a variety of scams and threats targeting mobile device users worldwide. The "one-click billing fraud" scam is particularly nasty. In this scam, thieves target video sharing websites. When a person clicks on a link to view a video, the link redirects to a website that downloads malware to their device. The malware locks up the person's device and demands payment to unlock it. This scam now targets Android-based smartphones.

Some scams used email hoaxes about new products to spread malware:

"Free “iPad 3” giveaway promos stirred up interest in the product even before its launch and infected systems with malware. Twitter spam touting free McDonald’s gift cards redirected users to adult dating sites..."

Some scams used new social networking sites to spread computer viruses:

“New social networking site, Pinterest, gained not just popularity but also notoriety. Site users were drawn into “re-pinning” a Starbucks logo to get supposed gift cards but instead got Malware.”

The report describes another type of scam, often referred to as "ransomware," which:

“Refers to a class of malware that holds systems and/or files “hostage” unless victims pay up...”

Ransomware may also encrypt files on the hard drives of victims' infected devices and demand payment to release the encrypted files. Trend Micro reported that this scam previously operated in Russia, but has now spread to several countries in Europe. A variation of this scam uses police department logos on a landing page that demands that victims with infected computers pay a bogus fine for supposedly accessing pornographic or violent material.

Before installing apps on your smartphone, the report's authors advise consumers to:

  1. Be ready to give out some personal information.
  2. Know that a third-party will gain access to your personal information.
  3. Know the app developer’s reputation

Download the “Security In the Age of Mobility” report (Adobe PDF, 2.1 MBytes).

How To Get Help And File Complaints About Private Student Loans

To complete college and/or graduate-level study, many consumers took out student loans. According to the Consumer Financial Protection Bureau (CFPB):

"Student loans have now surpassed credit cards as the largest source of unsecured consumer debt... unlike federal student loans, private student loans do not generally have the same borrower protections such as military deferments, discharges upon death, or income-based repayment plans."

More help is available. The CFPB announced that it provides assistance for consumers who are experiencing problems with taking out a private student loan, repaying their private student loan, or managing a student loan that has gone into default and may have been referred to a debt collector:

  • Before applying for loans, students should read the financial aid shopping sheet. Some consumers have already submitted feedback to the CFPB about what they want in this draft disclosure sheet. The CFPB will use this feedback in crafting future disclosure guidelines for lenders.
  • Students who already have loans can use the Student Debt Repayment Assistant interactive, online tool to discover new repayment options.
  • Borrowers who are having difficulty paying or managing their loans, or whose loans have gone into default, can now submit complaints about private student loans at the CFPB website. The types of complaints include: payment difficulties, confusing advertising or marketing terms, billing disputes, deferment issues, debt collection problems, and credit reporting issues.

Borrowers can also submit complaints to the CFPB via a toll-free phone number (1-855-411-2372), via fax (1-855-237-2392), and via postal mail (CFPB, P.O. Box 4503, Iowa City, Iowa 52244).

Private student loans are issued by banks, credit unions, schools, and similar lending institutions. If you aren't sure what kind of loans you have, the CFPB advises students to visit the National Student Loan Data System (NSLDS) for Students and select "Financial Aid Review" for a list of all federal loans made to you. Click each individual loan to see which company collects payments from you; any loan not listed there is not a federal loan.

Complaints about federal student loans (e.g., Direct, Stafford, Perkins, etc.) should be submitted to the U.S. Department of Education. The CFPB will automatically forward complaints it receives about federal student loans to the Department of Education.

Consumer Reports Reviews Several Prepaid Cards

This blog previously warned consumers about the differences between the three types of plastic in your wallets/purses. Consumer Reports published the findings of its review of several prepaid cards, and concluded:

"... although fees are beginning to come down, they aren't always disclosed upfront. Moreover, prepaid cards offer weaker consumer protections than those provided by traditional debit cards..."

Some of the higher fees Consumer Reports found with prepaid cards:

  • Activation or initiation fees ranging from $3 to $14.95.
  • Monthly fees as high as $10.
  • Fees to get cash as high as $2.50 per withdrawal.
  • Fees to contact customer service as high as $2.99 per call.

Obviously, consumers should ask for and read closely the terms and conditions (the prepaid card agreement) before purchasing a prepaid card. It is also wise to understand the different types of prepaid cards.


BCBS Of Tennessee To Pay $1.5 Million To HHS To Settle 2009 Breach

Blue Cross Blue Shield of Tennessee (BCBST) announced a settlement agreement with the U.S. Department of Health and Human Services (HHS) about its 2009 data breach, which exposed the medical records of about 500,000 patients in 32 states. Terms of the settlement agreement require BCBST to pay a $1.5 million penalty and submit to a 450-day corrective action plan.

HHS had alleged that BCBST violated the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Security Rule requires covered health care organizations to implement administrative, physical, and technical safeguards for electronic health information. The separate HIPAA Breach Notification Rule requires them to notify affected individuals of any breach involving their unsecured health information, and to notify HHS and the news media about any breach affecting more than 500 consumers.

HHS disclosed in a news release:

"... BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule."

The 450-day corrective action plan requires BCBST to:

  • Review, revise, and maintain its Privacy and Security policies and procedures,
  • Conduct regular and robust training for all BCBST employees covering employee responsibilities under HIPAA, and
  • Perform regular monitoring reviews to ensure BCBST's compliance with the corrective action plan.

SAIC To Pay $500.4 Million to Settle Suit With U.S. Attorney And City of New York

Last month, Science Applications International Corporation (SAIC) announced a settlement with the U.S. Attorney's Office for the Southern District of New York and with the City of New York about the company's CityTime system. Terms of the settlement require SAIC to pay $500.4 million in restitution and penalties, and an independent monitor selected by the U.S. Attorney's Office will review certain SAIC policies and practices for three years.

CityTime is an automated workforce management system used by about 163,000 New York City employees in 65 agencies. According to a press release (Adobe PDF) by the U.S. Attorney's Office:

"Under the agreement, SAIC will forfeit a total of $500,392,977 to the Department of Justice, and forgive more than $40 million still owed by the City to SAIC in connection with the CityTime project. In a Statement of Responsibility (the “Statement”) that was part of the agreement, SAIC acknowledged that it failed to properly investigate a 2005 ethics complaint filed by a whistleblower alleging, among other things, that the project’s Program Manager, Gerard Denault, had to be receiving kickbacks on the project from the single source subcontractor he had hired to perform the work. SAIC also accepted responsibility for the illegal conduct alleged against Denault and admitted to by Carl Bell, who served as Chief Systems Engineer in SAIC’s New York City office."

The City of New York had selected SAIC's CityTime system to modernize its timekeeping and payroll systems across City agencies. In 2000, SAIC became the lead contractor on the City's CityTime project, with a value then of approximately $73 million. The Washington Post reported recently:

"Last year, SAIC said it removed three top executives — Deborah Alderson, president of the company’s defense solutions group; John Lord, her deputy; and Peter Dube, general manager of the enterprise and mission solutions business — although the company said there was no evidence that any of the three were involved in the fraud."

SAIC, a Fortune 500 scientific, engineering, and technology applications company, employs about 41,000 people worldwide, and about 93% of its business is generated by government contracts. In 2011, SAIC was involved in a TRICARE data breach that exposed the sensitive personal data of 4.9 million active and retired military personnel and their families.

Utah Medicaid Breach Larger Than First Estimated

A data breach at the Utah Department of Technology Services (DTS), which operates the computer servers that store Medicaid claims data for the Utah Department of Health (UDH), appears to have affected more consumers than first estimated. Late last week, the DTS reported that about 181,000 Medicaid and Children's Health Insurance Plan (CHIP) recipients were affected. About 25,096 of the 181,000 had their Social Security numbers exposed/stolen.

Yesterday, the UDH disclosed a greater number of breach victims: an additional 255,000 victims had their Social Security numbers stolen, and an additional 350,000 had lesser personal information exposed/stolen. So, the total count is now 780,000 breach victims.

Medicaid claims typically include patients' names, addresses, birth dates, Social Security numbers, physician’s names, national provider identifiers, addresses, tax identification numbers, and billing codes for medical procedures. The initial breach estimate was 24,000 records exposed/stolen. The breach investigation is still ongoing. UDH disclosed in a press release:

"DTS servers have multi-layered security systems that include many controls, including: perimeter security, network security, identity management, application security, and data security. In this particular incident, a configuration error occurred at the authentication level, allowing the hacker to circumvent the security system. DTS has processes in place to ensure the state's data is secured, but this particular server was not configured according to normal procedure. DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again..."

The UDH is notifying all breach victims via a breach letter, giving priority to the consumers whose Social Security numbers were exposed. These breach letters offer one year of free credit monitoring services. Other breach victims will receive a slightly different notice with information about how to further protect themselves. People with online access via the My Case web portal were given breach notices both online at the web site and via e-mail.

Hackers Target Facebook Users With New Malware Tool To Steal Credit Card Information

In case you haven't heard, scammers and identity thieves have targeted social networking users. Trusteer reported a new scam by identity thieves using a new version of the "Ice IX" malware.

After a Facebook member (on an infected computer) has logged into their Facebook account, the "Ice IX" malware opens a new browser window with a fake Facebook page that prompts the user to enter credit card information for supposed additional data security protection. Of course, no security protection is provided; the malware steals both the consumer's credit card information and other sensitive personal data stored on their computer. Because the fake page appears after a legitimate login, the victim sees the real site's address and session and has little reason to doubt the prompt.

This is another fine example of the creativity and persistence of scammers and identity thieves. Visit the Trusteer website to view screen images of the fake Facebook page. To learn more about how to protect yourself when using Facebook and its mobile apps, see the links in the "Using Facebook Safely" module in the sidebar.

Class Action Suit Filed Against Path Claims More Data Was Collected Besides Address Books

A second class-action lawsuit was filed against Path Inc. claiming the company's mobile app collected more information than just users' address books. The suit also claimed that users of the Path app were:

"... victims of unfair, deceptive, and unlawful business practices; wherein their property, privacy, and security rights were violated..."

The additional data allegedly collected without notice and without consent included precise GPS locations, users' personally identifiable information, and the personal information of minor children.

The suit claims that the information collected was distributed to other companies without notice or consent, and that tracking methods were added to users' digital information:

"Affix to Plaintiff's and Class members' digital content, referencing photos, videos, and audio files, without notice or authorization tracking mechanisms and information... "filtering" of digital content by installation of geo-tags for tracking, interception and monitoring of social network interactions... that third-party social network interactions would be monitored and then transmitted, used, disclosed, and stored on path's servers..."

The suit claims that Path stored address book information in an insecure manner. By February 2012, Path reportedly had about 2 million users.

The suit was filed in the U.S. District Court for the Northern District of California by attorneys Strange & Carpenter of Los Angeles and Joseph Malley of Dallas. Readers of this blog may recognize Malley, often referred to as a "Privacy Crusader." Malley was involved in class-action suits against Adzilla, NebuAd, Quantcast ("zombie cookies"), KISSmetrics ("zombie E-Tags"), Ringleader, Facebook, and Apple. In 2010, Facebook settled its suit for $9.5 million. So, Malley has plenty of experience with online privacy and tracking issues.

You can download the Hernandez et al v Path Inc. complaint from Courthouse News (Adobe PDF).

Global Payments Breach Affects 1.5 Million Consumers

Last week, debit and credit card payments processor Global Payments Inc. announced that its systems had been breached by hackers and perhaps as many as 3 million credit and debit card numbers had been stolen. Global Payments processes transactions for Visa and MasterCard for retailers and card issuers.

In a statement released Sunday, Global Payments revised downward the number of stolen cards:

"... it identified and self-reported unauthorized access into its processing system. The company believes that the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers may have been exported. The investigation to date has revealed that Track 2 card data may have been stolen, but that cardholder names, addresses and social security numbers were not obtained..."

The company has not disclosed how hackers breached its systems, nor the duration of the breach. The company's Monday-morning conference call focused on earnings and left little time for questions about the breach details.

The term "Track 2" refers to the data encoded on the magnetic stripe on the back of debit and credit cards: the primary account number, the expiration date, a service code, and issuer-specific discretionary data. That is enough to produce counterfeit cards for in-person use, which is why processors are not permitted to retain it after a transaction is authorized. Also on Sunday, Visa removed Global Payments from its list of "compliant service providers." Forbes magazine reported that the company expects to quickly correct the Visa compliance issue:
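The following Python module is an added example, not code from the original post or from Global Payments. It parses the Track 2 format described above, validates the account number with the Luhn check, masks it the way PCI DSS allows for display (first six and last four digits), and scans a constructed log sample for track records so they can be found and redacted. The account numbers in the sample are the well-known Visa and MasterCard test numbers; the expiry dates, service codes, and discretionary data are invented.

```python
import re

# ISO/IEC 7813 Track 2 layout: ';' start sentinel, PAN (up to 19 digits),
# '=' field separator, expiry as YYMM, 3-digit service code, optional
# discretionary data (issuer-specific; may carry the CVV1), '?' end sentinel.
# Anything after '?' (an LRC, if present) is ignored.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)
# Looser pattern for scanning free text such as logs or memory dumps.
TRACK2_SCAN = re.compile(r";(?P<pan>\d{13,19})=\d{7,}\?")

# Constructed sample log (assumed format): well-known Visa/MasterCard test
# PANs with invented expiry and service-code values. Not data from any breach.
SAMPLE_LOG = (
    "2012-03-01 02:14:07 auth merchant=0001 data=;4111111111111111=2512201123456789? rc=00\n"
    "2012-03-01 02:14:08 auth merchant=0002 data=;5500000000000004=2411101000000000? rc=00\n"
    "2012-03-01 02:14:09 heartbeat ok\n"
)


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check on a PAN made of digits only."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split one Track 2 record into its fields; reject malformed or non-Luhn PANs."""
    m = TRACK2_RE.match(track.strip())
    if not m:
        raise ValueError("not a Track 2 record")
    pan = m.group("pan")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    exp = m.group("exp")
    svc = m.group("svc")
    return {
        "pan": pan,
        "expiry": f"{exp[2:]}/{exp[:2]}",      # YYMM -> MM/YY
        "service_code": svc,
        # Service code starting with 2 or 6 marks a card that carries an
        # EMV chip; cloning its stripe is a "fallback" an issuer can decline.
        "chip_card": svc[0] in "26",
        "discretionary": m.group("disc"),
    }


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 digits, as PCI DSS permits for display."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(blob: str) -> list:
    """Return every Track 2 record found in arbitrary text."""
    return [m.group(0) for m in TRACK2_SCAN.finditer(blob)]


def redact_track2(blob: str) -> str:
    """Replace each Track 2 record with a masked PAN and no other fields."""
    return TRACK2_SCAN.sub(
        lambda m: ";" + mask_pan(m.group("pan")) + "=[REDACTED]?", blob
    )


if __name__ == "__main__":
    for rec in find_track2(SAMPLE_LOG):
        fields = parse_track2(rec)
        print(mask_pan(fields["pan"]), fields["expiry"], fields["service_code"],
              "chip" if fields["chip_card"] else "stripe-only")
    print(redact_track2(SAMPLE_LOG))
```

The scan is a detection control, not a fix: if track data is turning up in application logs, crash dumps, or debugging output, the system is storing data that PCI DSS says must never be retained after authorization, and the right response is to stop writing it, not just to redact it afterwards.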

"Global Payments chief executive Paul Garcia is quoted in the company’s statement as saying that “We are making rapid progress toward bringing this issue to a close,” and emphasized that all major brands of cards still allow Global Payments to act as a payment processor."

After a breach like this, card issuers (e.g., banks, credit unions, retailers) will usually notify directly those cardholders whose account information was stolen, and tell them whether replacement cards and accounts will be issued. The card issuers usually seek reimbursement from the payments processor to cover the costs of issuing replacement cards to consumers.

Another payments processor, Heartland Payment Systems, experienced a much larger breach in 2008, after which multiple lawsuits resulted as card issuers provided replacement cards and accounts. With a reported 800,000 merchants and 3.5% market share, Global Payments is a smaller payments processor compared to First Data Corporation's 22.6% market share.

The largest banks, like Bank of America, have subsidiaries with joint venture arrangements with processor First Data to process card transactions. It seems to me that hackers have figured out that a smart way to steal valid credit/debit card information is to attack the transaction processors instead of retailers, like T.J.Maxx, or banks directly.

I called Global Payments to see how many retailers they may have lost already due to the breach and their inability to process Visa transactions. The public relations rep referred inquiries to the company's data breach site, which includes this statement to its merchant/retail clients:

"We are still processing all of your transactions, including Visa transactions, and will continue to work with the card associations in response to this incident."

Time will tell if and how long that continues. The company's breach web site also advises affected cardholders who suspect fraud to monitor their accounts, contact their card issuer, and place a Fraud Alert on their credit reports.

The Global Payments breach highlights the fact that several companies are involved in the debit/credit card transaction flow, from the time you swipe your card until the payment is completed. And the security of that transaction flow is only as strong as the weakest link, or company, in the flow.

Proposed Settlement Between FTC and Online Game Site RockYou

Last week, the U.S. Federal Trade Commission announced a proposed settlement (Adobe PDF) with online game website RockYou for alleged data security failures that exposed 32 million consumers' e-mail addresses and passwords. In its lawsuit, the FTC alleged that RockYou made data security claims it did not live up to, and that its collection of the sensitive personal information of 179,000 children violated the Children's Online Privacy Protection Act Rule (Adobe PDF):

"Defendant violated COPPA and the FTC Act by failing to provide notice to parents of its information practices, and to obtain verifiable parental consent prior to collecting, using, and or disclosing personal information from children online..."

Terms of the proposed settlement prohibit RockYou from making deceptive claims about privacy and data security in the future, require the company to implement and maintain a data security program, prohibit future violations of the COPPA Rule, and require it to pay a $250,000 civil penalty.

In 2010, a class-action suit was filed against RockYou about data security failures. Network World listed RockYou on its 2009 data breach hall of shame list.