Effective
Professional
Affordable



InfoSec in the News
(Archives)

2015
2014
2013
2012
2011
2010
2009
2008
2007
2006
2005
2004
2003
2002
2001 and earlier

Most of these news stories could have been prevented with an effective security awareness program or they promote the use of security awareness.
Also visit our News Archives for older stories

Subscribe to the following e-mail lists for even more stories:

SANS NewsBites

Security Wire Digest

27 December 2007 - Alleged Source Code Thief Arrested
A woman has been arrested and is being held on charges that she allegedly stole US $12 million worth of sensitive data from her former employer, Hinjewadi (India) based 3DPLM Software, just days before
leaving her job there.  Anjali Sharma allegedly used her work computer to send source code to her husband.  Sharma's alleged actions violate a non-disclosure agreement she signed when she began work at 3DPLM. http://www.dnaindia.com/report.asp?newsid=1141842

27 December 2007 - List Identifies Dubious Music Download Sites
The Center for Democracy and Technology (CDT) has released a list of 34 websites it says are misleading users by implying that mainstream music can be downloaded from them.  The sites charge subscription fees, which users may assume are used to pay royalty costs, but the listed websites have not obtained the necessary licensing agreements to distribute the music.  Instead, users are provided peer-to-peer file sharing software, which is often available at no cost elsewhere, and given instructions on using filesharing networks.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=205203862

26 December 2007 - Disk Containing UK Police Data Found at Recycling Center
An obsolete computer that had been sent out to be recycled was found to contain personally identifiable information of an unspecified number of employees, including police officers, of Devon and Cornwall (UK) Police. Assistant Chief Constable Bob Pennington has issued an apology and says the incident is under investigation.  Normally, disks are wiped clean before computers are sent to be recycled.  The disk containing the information was found by a man looking for parts at a recycling center.
http://news.bbc.co.uk/2/hi/uk_news/england/devon/7160490.stm

22 December 2007 - Identity Thief Targets Municipal Court Website
An identity thief apparently entered random Social Security numbers (SSNs) into the Franklin County (Ohio) Municipal Court website, hoping to find a match.  According to police, the thief stole personally
identifiable information, such as names, ages and addresses of hundreds of people, and used the information to open bank accounts and credit cards.  The site contains information about people convicted of misdemeanors; the data theft affects people from Ohio, Kentucky, South Carolina, Texas, and Wyoming.
http://www.coshoctontribune.com/apps/pbcs.dll/article?AID=/20071222/NEWS01/712220309/1002

22 December 2007 - FBI Compiling Huge International Biometric Database
The FBI's Next Generation Identification system will gather biometric data of individuals around the world into the single largest database of such information. The goal of the US $1 billion system is to allow law enforcement authorities worldwide to identify suspected criminals. The FBI has already begun compiling facial, fingerprint, and palm information. In addition, at employers' requests, the FBI will retain fingerprint information of employees who have undergone criminal background checks.
http://www.eweek.com/article2/0,1895,2240010,00.asp

10 December 2007 - Russian Chat Bots Gather Information
An artificial intelligence program circulating in Russian chat forums flirts with human users in an attempt to get them to divulge personally identifiable information.  People have fallen prey to CyberLover because
it is difficult for them to tell that they are not talking with a real person.  The program can create up to 10 relationships in 30 minutes, and assembles dossiers for each relationship that include names, contact
information and photographs. So far, CyberLover has just been spotted in Russian chat rooms, but others are urged to use caution while chatting.
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62035388-39000005c

10 December 2007 - Thieves Steal Data Center Equipment
Thieves dressed as police told employees at a Verizon data center in Kings Cross in London that they were looking into reports of people on the roof of the building.  The thieves then tied up the employees and
stole computer hardware from the facility.  The data center is used by a number of financial institutions.
http://www.theregister.co.uk/2007/12/07/verizon_datacentre_robbery_investigation/print.html

7 December 2007 - Bank Customer Data on Stolen Laptop
A laptop computer stolen from a Citizens Advice Bureau employee's car in Ireland contains personally identifiable information belonging to as many as 60,000 individuals.  The data include bank account numbers, National Insurance numbers, names, addresses and dates of birth of people who contacted CAB for advice; the data were encrypted.  The chief executive of Ireland CAB has apologized to affected customers.  The data pertain to people from the Belfast area and go back four or five years.
http://www.guardian.co.uk/uklatest/story/0,,-7135536,00.html

23 November 2007 - French Digital Content Pirates Could Lose Internet Service
A new anti-piracy enforcement body would have the authority to cut off Internet service to people who do not comply with requests to stop engaging in copyright violating behavior.  The "three strikes" plan
would allow people two warnings before their service is rescinded. French Prime Minister Nicolas Sarkozy has endorsed the move, calling it "a decisive moment for the future of a civilized Internet."
http://www.dailytech.com/France+Unveils+Plan+to+Cut+Service+to+Internet+Pirates/article9762.htm
http://news.bbc.co.uk/2/hi/technology/7110024.stm

23 November 2007 - MPAA Asks Universities to Install Monitoring Software
The Motion Picture Association of America (MPAA) has sent letters to 25 US universities it has identified as having the greatest number of downloads of pirated movies over their networks asking them to install
an MPAA-supplied custom toolkit to help "illustrate the level of filesharing on [their schools'] networks."  The reports generated would be "strictly internal and ... confidential."  A closer look at the toolkit raises serious privacy and security flags.  The toolkit is set up to call back to MPAA servers immediately upon being deployed to check for updates, so the MPAA would have the IP address of the computer running the toolkit.  The toolkit also sets up an Apache web server on the machine, which is likely to be visible to the Internet. Administrators could set up usernames and passwords for access to the server, but they are never prompted to.
http://blog.washingtonpost.com/securityfix/2007/11/mpaa_university_toolkit_opens_1.html?nav=rss_blog

22 November 2007 - Chinese Online Service Internet Cafe Sued for Movie Piracy
Five Hollywood movie studios have joined forces to sue Chinese online movie and television provider Jeboo.com and an Internet cafe in Shanghai for making 13 movies available for download and viewing in violation of copyright laws.  Jeboo.com allegedly created the software used by the cafe to download the pirated films.  The studios are seeking 3.2 million yuan (US $432,500) collectively for legal costs and damages.  A statement on the Jeboo.com website maintains all content is "legally obtained."
http://www.pcworld.com/printable/article/id,139878/printable.html

19 November 2007 - Targeted Attacks Spoof Dept. of Justice & Better Business Bureau
There are reports that targeted email messages with malicious attachments are spreading; these messages appear to come from the US Department of Justice (DOJ) and the Better Business Bureau (BBB) and address the recipients by name.  The bodies of the messages refer to complaints made against the recipients and/or their companies.  The attachments accompanying the messages contain malware hidden in screensaver files.
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62034626-39000005c
http://www.vnunet.com/vnunet/news/2203920/companies-warned-doj-virus


17 October 2007 - Proposed Law Would Let ID Theft Victims Seek Restitution
Proposed legislation in the US Senate would allow victims of identity fraud to seek restitution for costs incurred as a result of the data theft. Under The Identity Theft Enforcement and Restitution Act ( S.2168) the current US $5,000 minimum loss from computer damage would no longer be a prerequisite for prosecution. http://www.msnbc.msn.com/id/21336074/

16/17 October 2007 - Stolen Laptop Holds Home Depot Employee Data
A laptop computer stolen from a car contains personally identifiable information of approximately 10,000 Home Depot employees from across the country. No customer information was affected. The laptop was stolen from a manager's car while it was parked outside his home. Police are investigating the theft. The compromised data include names, addresses and Social Security numbers (SSNs). Affected employees have been notified of the data breach by letter. The manager violated company
policy by leaving the computer in his car. The data were protected by a password, but it is not known if they were encrypted.
http://www.nytimes.com/aponline/technology/AP-Home-Depot-Stolen-Laptop.html?_r=1&ei=5088&en=b1e8c9da4440f08a&ex=1350360000&oref=slogin&partner
=rssnyt&emc=rss&pagewanted=print
http://www.thebostonchannel.com/news/14353117/detail.html

15 October 2007 - Missing TSA Computers Contain Driver Employee Data
Two Transportation Safety Administration (TSA) laptop computers are missing from a contractor's office. The computers, which officials presume were stolen, contain information about commercial drivers who
transport hazardous materials. The data include names, addresses, birthdates and commercial driver's license numbers of 3,930 individuals; some Social Security numbers (SSNs) are included as well. The
contractor said the information had been deleted from the computers before they disappeared, but TSA investigators have determined that the data could still be recovered from the machines. In the wake of the
theft, the TSA has instructed the contractor to encrypt hard drives. http://www.examiner.com/a-990833~2_TSA_contractor_laptops_with_personal_information_are_missing.html

15 October 2007 - Louisiana Student Data on Lost Storage Device
Storage media lost by data storage firm Iron Mountain include personally identifiable information gathered by the Louisiana Office of Student Financial Assistance (LOSFA). The incident is under investigation by state and local police. The breach affects individuals who applied for and/or participated in LOSFA administered programs. Accessing the data on the storage device would "require special software specific computer equipment and sophisticated computer skills." LOSFA is working to notify all affected individuals. http://www.katc.com/Global/story.asp?S=7217462

12 October 2007 - Former Employee Convicted of Destroying Company Data
A disgruntled former Pentastar Aviation employee has been convicted of breaking into company computers and destroying data. Joseph Patrick Nolan failed to sign a separation agreement by the deadline given him after he resigned from the company. He assumed he would be paid for his final two weeks, but the absence of a signed agreement meant no paycheck, which angered him. Nolan later gained access to Pentastar's computer system and destroyed payroll and personnel data. He faces up
to 10 years in prison and a US $250,000 fine when he is sentenced in January.
http://www.darkreading.com/document.asp?doc_id=136137&f_src=darkreading_default

12 October 2007 - Pair Gets Jail Time for Spam
Jeffrey A. Kilbride and James R. Schaffer have received prison sentences for their roles in a spam operation. Kilbride and Schaffer were prosecuted for CAN-SPAM violations as well as fraud, money laundering, and obscenity charges. They launched their spam operation in 2003; when the CAN-SPAM Act was passed later that year, the men tried to make it appear their business was located overseas by logging into servers in Amsterdam remotely, and directing income from their scheme to bank accounts in the Republic of Mauritius and the Isle of Man. Kilbride was sentenced to six years in prison, while Schaffer received a sentence of slightly more than five years. They were also fined US $100,000, ordered to pay US $77,5000 in restitution to AOL, and must forfeit more than US $1 million in proceeds from their scheme. http://www.theregister.co.uk/2007/10/15/smut_spam_sentencing/print.html

10 October 2007 - Stolen Laptops Hold Carnegie Mellon Univ. Student Data
Two laptop computers stolen from the locked office of a Carnegie Mellon University computer science professor hold personally identifiable information of approximately 400 students. While the theft occurred on or around September 2, affected individuals were not notified of the breach until September 29. The breach is believed to affect students who took courses from the professor between summer 2004 and spring 2006. http://www.securitypronews.com/news/securitynews/spn-45-20071009ProfsLaptopsStolenAtCarnegieMellon.html

10 October 2007 - Manager Responsible for Stolen Ohio Tape Loses One Week of Vacation
The payroll team leader for the Ohio Department of Administrative Services' Administrative Knowledge System (OAKS) ERP project will lose one week of vacation time for failing to make sure the data on a stolen backup tape were secure. The tape, which was stolen from an Ohio state government intern's car in June, contains personally identifiable information of nearly 84,000 current and former Ohio state employees and more than 47,000 state taxpayers. A department spokesperson says that
when similar projects are undertaken in the future, the department will have people whose primary focus is data security.
http://www.theregister.co.uk/2007/10/10/official_penalized_following_data_breach/print.html

10 October 2007 - Former Police Officers Get Jail Time for Unauthorized Computer Access
Two former UK police officers have received jail sentences for using their police connections to tap phone lines and gain unauthorized access to computers while running a detective agency. Jeremy Young was
sentenced to 27 months and Scott Gelsthorpe to 24 months. The agency, called Active Investigation Services (AIS), was started in 1999 and was detected after BT (the primary phone company in the UK) investigators noticed someone tampering with telephone lines. The ensuing investigation revealed the extent of AIS's illegal activities. The man observed tampering with the phone lines received a 14-month jail
sentence, and two men who ran a different detective agency that used similar methods received 10-month and three-month sentences.
http://www.theregister.co.uk/2007/10/10/police_private_detective_hacking/print.html

9 October 2007 - Computer and Data Thief Draws 21-Month Sentence
Joseph Nathaniel Harris has been sentenced to 21 months in prison for stealing medical record data. In August and September 2004, Harris was employed as a branch manager at the San Jose (California) Medical Group; he was asked to leave his position following a number of thefts in the office. In May 2007, Harris pleaded guilty to health-care related theft for stealing a computer from the San Jose Medical Group along with a DVD holding patient data such as names, Social Security numbers (SSNs) and medical diagnoses. Approximately 187,000 patients were affected by the breach. Harris was also ordered to pay US $145,154 in restitution.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/10/10/BA6VSN2NJ.DTL

8 October 2007 - Stolen Laptop Contains Sensitive Financial Data
A laptop computer stolen from an HMRC (HM Revenue and Customs) employee's car on September 20 contains personal and financial data of at least 400 people. The employee had information from financial
institutions about account holders for the purpose of conducting a routine audit. The police have been notified, and the HMRC will investigate the incident, which does not involve a third party contractor. The data on the computer are reportedly protected by"complex password and top level encryption." HMRC is urging the financial institutions to inform their clients about the breach.
http://www.theregister.co.uk/2007/10/08/hmrc_lost_laptop/print.html

5 October 2007 - Managed Services Firm Sees Increasing Attacks Against Utilities
Managed security services company SecureWorks says it has seen a 90 percent increase in cyber attacks against its US utilities clients in the last nine months. SecureWorks counts 100 US utilities among its 1,800 clients, and noted that between January and April of this year, it blocked an average of 49 attacks against each utility each day. That figure increased to an average of 93 attacks per day for the period between May and September. "Web browser threats represented a large number of the attacks," according to SecureWorks director of development Wayne Haber.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202300190

4 October 2007 - RIAA Wins US $222,000 in Damages in Copyright Case
In the first music piracy case to go to trial, a Minnesota jury has found Jammie Thomas liable for copyright infringement and said she must pay US $222,000 - US $9,250 for each of 24 songs listed in the lawsuit. Thomas was found liable even though the plaintiff, the Recording Industry Association of America (RIAA), did not have to prove a file-sharing program was installed on her computer when they examined
her hard drive, nor did they have to prove that it was actually Thomas at the keyboard. The evidence included the defendants Internet protocol (IP) address and cable modem identifier associated with sharing 1,700 files.
http://blog.wired.com/27bstroke6/2007/10/riaa-jury-finds.html
http://www.usatoday.com/money/media/2007-10-04-downloading-music-trial_N.htm

29 Sept 2007 - Woman in Greece Arrested for Allegedly Stealing Hospital Data
Greek authorities arrested a woman for allegedly sending files from her job at a hospital to her home computer. The woman had recently submitted her letter of resignation at that hospital and was reportedly
working for a rival institution. The files she sent to her home computer included client information and financial reports. Investigators found two hard disks containing similar data at the woman's home.
http://www.ekathimerini.com/4dcgi/_w_articles_politics_100014_29/09/2007_88365

28 Sept 2007 - Stolen Laptop Holds Gap Applicant Data
A laptop computer stolen from a third-party vendor's office holds unencrypted, personally identifiable information of approximately 800,000 people who applied for jobs with The Gap between July 2006 and
July 2007. The breach affects residents of the US, Puerto Rico and Canada who applied for jobs with the clothing retailer online or by phone. The unidentified vendor had been hired specifically to handle the applicant data. http://www.theregister.co.uk/2007/09/28/gap_data_breach/print.html

27 Sept 2007 - Former Employee Pleads Guilty to Hacking Cox Communications
A former Cox Communications employee has pleaded guilty to breaking into the company's networks and disrupting telecommunications service for Cox customers in Louisiana, Texas and Utah. William Bryant said he caused the disruption after he was asked to resign. Emergency service was affected for almost two hours. Bryant's sentencing is scheduled for December, when he will face up to 10 years in prison and a fine of up to US $250,000.
http://www.shreveporttimes.com/apps/pbcs.dll/article?AID=/20070927/BREAKINGNEWS/70927009

27 Sept 2007 - Two Indicted for Allegedly Stealing Trade Secrets
Two men have been indicted on charges of conspiracy, economic espionage and theft of trade secrets for allegedly stealing microchip designs. Lee Lan and Ge Yuefei allegedly tried to steal proprietary information from NetLogics Microsystems, for whom they both worked at the time. Data found on both men's home computers, as well as the fact that they established a company to develop the stolen technologies, implicates them further. The men also allegedly stole information from Taiwan Semiconductor Manufacturing Corporation.
http://news.bbc.co.uk/2/hi/americas/7015916.stm

26 Sept 2007 - "Verified by Visa" Phishing Scam Targets BofA Customers
Phishing emails have been detected that pretend to be related to the legitimate Verified by Visa program. Participants in the program enroll their Visa cards so that online transactions will require a password.
The link provided in the message takes people to a fraudulently constructed site where they are asked to supply their card information purportedly to activate the authentication program. The message concludes by threatening that if they do not enroll, their card may be temporarily disabled, an indication that the email is not legitimate. The phony messages specifically mention Bank of America (BofA); because so many people have cards from BofA, the likelihood that these messages result in theft of financial information is higher. http://www.theregister.co.uk/2007/09/26/verified_by_visa/print.html

22 Sept 2007 - Another Laptop Theft in Connecticut
A laptop computer stolen from a car earlier this month in Watertown, Connecticut holds personally identifiable information of individuals connected with 41 child welfare cases. The computer belonged to a
private consultant and held names, birthdates and allegations that prompted the involvement of the Department of Children and Families (DCF), but no financial data. The consultant reported the theft to the
agency the day after it occurred. This information security breach follows close on the heels of the theft of a laptop computer containing Department of Revenue Services data for more than 105,000 Connecticut
taxpayers and the revelation that a computer backup tape stolen from a car in Ohio earlier this year held information about state agency bank accounts as well as a small number of Connecticut residents.
http://www.wtnh.com/Global/story.asp?S=7108487
http://www.courant.com/news/local/hc-ctaplaptop0922.artsep22,0,924626.story

22 Sept 2007 - Mortgage Data Exposed through Filesharing Network
Personally identifiable information of more than 5,200 ABN Amro Mortgage customers was leaked to the Internet. A former ABN employee had BearShare filesharing software installed on her computer, which allowed the leak of the ABN spreadsheets as well as some of her own personal information. The leaked data include Social Security numbers (SSNs). The company is investigating. There is legitimate concern that the information could be used to commit identity fraud; a man was recently arrested in Washington state for misusing information he obtained through filesharing networks.
http://www.theregister.co.uk/2007/09/21/abn_amro_leak_on_bearshare/print.html

21 Sept 2007 - Audit Departments Not Given Enough IT Security Responsibilities
Among respondents to a survey of corporate audit departments, 55 percent say they do not "have responsibility for auditing risk around information security and privacy," and half do not have business
continuity oversight. Ninety percent believe the amount of IT security oversight their departments are assigned should be increased. Most audit committees said their highest priorities were general risk management, internal controls and accounting judgments. The survey gathered responses from 1,300 audit committee members in 25 countries.
http://software.silicon.com/security/0,39024655,39168530,00.htm

21 Sept 2007 - Companies Still Not Taking Adequate Measures to Wipe Used Drives
The percentage of used hard drives containing sensitive data has not changed much in the last two years. According to statistics from BT Group, 37 percent of second-hand hard drives still contain confidential
information from their previous users. BT Group examined 350 hard drives bought in online auctions. Nineteen percent of the disks had sufficient data on them to identify the organization of origin, and 65 percent contained personally identifiable information. The report, which has yet to be released, also says that used drives are not highly reliable; 44 percent of the 133 disks purchased in the UK did not work
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9038221&source=rss_topic17

20 Sept 2007 - German Courts Order eDonkey Servers Shut Down
Following orders from German courts, seven eDonkey servers inGermany were shut down. The removal of those servers means that approximately one-third of esDonkey's four million users will not have access to the filesharing network. eDonkey does not have a parent company; it is a loose organization with no apparent central control, so authorities decided to take aim at those operating the servers that enabled the eDonkey network. Injunctions against servers in France and the Netherlands have also been issued.
http://technology.timesonline.co.uk/tol/news/tech_and_web/article2504723.ece

3 Sept 2007 - Stolen Johns Hopkins Hospital Computer Holds Patient Data
Johns Hopkins Hospital waited five weeks to inform patients that their personally identifiable information was on a desktop computer stolen from an administrative work area. The computer was stolen on July 15, 2007, but the 5,783 people affected by the data security breach were not notified until August 24. The data include names, Social Security numbers (SSNs), and medical histories. Evidence gathered from a
surveillance camera suggests a Hopkins employee and an on-site vendor employee may be involved in the incident. Families of the 1,202 patients who are now deceased are also being notified. The data were
neither encrypted nor password protected.
http://www.baltimoresun.com/news/health/bal-te.theft01sep01,0,6558465,print.story

3 Sept 2007 - Sony Acknowledges Worrisome Software on USB Drives
Sony has acknowledged a recently disclosed security problem with several of its USB drives. The drives contain software that installs hidden directories on users' computers, which could allow attackers access to those computers. Sony says it will have a fix available in the next two weeks. All models of the affected USB drives have been discontinued. The software was developed with the intention of "cloaking sensitive files related to the fingerprint verification feature included on the USB drives." Sony is investigating the issue. http://news.bbc.co.uk/2/hi/technology/6975838.stm

1 Sept 2007 - Man Says He Was Fired for Reporting Data Theft to Police
Steven Shields has filed a wrongful termination lawsuit against Providence Health System. Shields was fired from his job after a thief broke into his car and stole computer disks and digital tape holding personally identifiable information of approximately 365,000 Providence patients. Shields maintains he was fired because he notified police of the theft. Providence Health System notified affected patients of the breach three weeks after the theft, which occurred in late December 2005. Providence paid out US $95,000 in a class action lawsuit filed in response to the breach.
http://www.wweek.com/wwire/?p=9179

27 August 2007 - Former Health Clinic Employee Convicted on Hacking Charges
A federal jury has convicted Jon Paul Olson of intentionally damaging protected computers. Olson left his job at the Council of Community Health Clinics (CCC) in San Diego after he received what he believed to
be a negative performance evaluation. Several months after his resignation, Olson deleted patient data that belonged to the North County Health Services (NCHS) clinic, causing financial losses at both CCC and NCHS. Olson had worked for CCC as a network engineer and technical services manager.
http://sandiego.fbi.gov/dojpressrel/pressrel07/sd082707.htm

27 August 2007 - Government Needs Metrics to Prove ROI for Security Investments
According to former Pentagon officials, it is difficult to obtain adequate funding for Defense Department information assurance programs. Despite the increasing frequency of attacks on government networks, those seeking funding for information security projects are hard pressed to demonstrate how the funds they request will produce a positive return on investment (ROI). Former Deputy Assistant Secretary for Defense for Networks and Information Integration Linton Wells sees the need for improved metrics to help prove return on investment for information assurance projects, because the value of the programs appears to be demonstrated only in times of crisis.
http://www.fcw.com/article103584-08-27-07-Print&printLayout

27 August 2007 - FTC Complaint Targets Company Behind the Spam
A judge has granted a temporary restraining order to stop Sili Neutraceuticals and its owner Brian McDaid from sending spam messages advertising herbal weight-loss pills. The order was granted following a complaint from the US Federal Trade Commission (FTC). The FTC's move is being applauded because the FTC is targeting the company that pays for the spam to be sent; most other cases target the company sending the unsolicited marketing email. A hearing is scheduled for August 27 at which time a judge will determine whether or not the company's assets should be frozen until the FTC investigation is complete.
http://www.securecomputing.net.au/news/90644,ftc-files-complaint-against-weightloss-pill-spammer.aspx

26 August 2007 - 35,000 Veterans' Data Stolen
Computer hard drives and paper files stolen from a POW support organization in Arlington, Texas contain personally identifiable information of approximately 35,000 US veterans and their families. The organization, American Ex-Prisoners of War, plans to notify affected members in a mailing. The theft occurred during the weekend of August 11-12. The data include addresses, dates of birth and Social Security numbers (SSNs). The Department of Veterans Affairs (VA) is participating in the investigation that includes the POW organization and law enforcement authorities.
http://www.estripes.com/article.asp?section=104&article=55899&archive=true

22 August 2007 - Cable & Wireless Customer Data on Stolen Laptop
A former Cable & Wireless employee allegedly stole a laptop computer that holds personally identifiable information about approximately 100,000 of the UK company's customers. The former employee is being enjoined from using the data, and C&W is seeking GBP 300,000 (US $602,400) in damages from her. Seemab Zafar allegedly went on a business trip to Pakistan in 2005 on behalf of C&W, but did not return
to work as scheduled and was fired. http://www.contractoruk.com/news/003412.html

16 August 2007 - One in Five US Surfers Are Victims of Internet Scams
According to a survey commissioned by Microsoft, one in five US based Internet users has fallen victim to an online scam. Of those victims, 81% admitted doing something to compromise their system, such as
clicking on attachments in an email which appeared to be from someone they trusted. The survey revealed that more than half of those surveyed"had little or no knowledge of current online threats and scams." The report highlights that while security tools are important, "people need to be constantly updated to the threats that exist and how to avoid them"
http://www.vnunet.com/vnunet/news/2196820/one-five-surfers-fallen-internet-scam

15 August 2007 - National Guard Information Stolen
A thumb drive containing the personal information of every National Guard soldier in Idaho was stolen from a soldier's car on Monday August 13. The thumb drive containing information on 3,400 soldiers was taken
when other computer equipment and personal items were stolen from the car. The information on the thumb drive was not encrypted.
http://www.forbes.com/feeds/ap/2007/08/15/ap4020711.html

August 13, 2007 - Microsoft to Release Nine Fixes for This Month's Patch Tuesday
Microsoft is expected to release nine fixes for a range of its products for this month's Patch Tuesday, August 14. Products impacted include most versions of the Windows Operating System (including Vista), Microsoft Office, Internet Explorer, Windows Media Player, Visual Basic and Virtual PC. Six of the bulletins address vulnerabilities that have a maximum severity rating of 'critical', Microsoft's highest alert
level. The remaining three patches all carry a maximum rating of 'important.'
http://www.zdnet.co.uk/misc/print/0,1000000169,39288501-39001093c,00.htm

August 12, 2007 - UK Police Database Containing Terrorist Evidence Stolen
Police in the United Kingdom are investigating the theft of a server containing a database of highly confidential mobile phone records used by the police in investigating crimes relating to terrorist and
organised criminal gangs. The server was stolen from the offices of a private company, Forensic Telecommunications Services (FTS), whose clients include Scotland Yard, The Police Service of Northern Ireland, HM Revenue and Customs and the Crown Prosecution Service. FTS reported a break in at their offices over the weekend which resulted in pieces of IT equipment, including the server, being stolen. All the missing data were restored within 24 hours and FTS state that all data held on the server are encrypted.
http://news.independent.co.uk/uk/crime/article2856892.ece
http://news.bbc.co.uk/2/hi/uk_news/england/kent/6943104.stm

August 10, 2007 - Hackers Steal Sensitive Data on 60,000 Norwegians
Hackers gained access to the personal ID numbers of up to 60,000 Norwegians through the website of the telephone operator Tele2. Amongst the victims is Georg Apenes who is director of Datatilsynet, the
Norwegian data protection agency. The Norwegian ID number is an 11 digit number that must be kept confidential. When used in conjunction with other personal information such as names and numbers, it can be used for ID theft. Tele2 has promised to address the weaknesses in its website which enabled the attack. http://news.brisbanetimes.com.au/internet-hackers-steal-confidential-data-on-60000-norwegians/20073511-spc.html
http://www.aftenposten.no/english/local/article1930521.ece?service=print

August 9, 2007 - Two More Sentenced in Piracy Case
Two men have been sentenced to 37 months in federal prison for their involvement in what the government has called "the largest CD and DVD pirating scheme to be prosecuted in the United States." Ye Teng Wen and Hao He were also sentenced to three years of supervised release following their prison terms and fined US $125,000. In June, a third man involved in the scheme received the same prison sentence but was also ordered to pay US $6.9 million in restitution. The scheme involved pirated music, movies, and software; the men admitted to using phony labels with the FBI Anti-Piracy Seal on the products to
lend them authenticity. http://www.scmagazine.com/us/news/article/730406/california-software-pirates-fined-sentenced/

August 9, 2007 - Six Arrested in International Internet Scam
Six men have been arrested in connection with an Internet scam that reportedly cost one Australian man Au$1.76 million (US$1.5 million). The man received an email promising a business contract worth Au
$105.42 million (US $90 million) and had been advancing the thieves money for approximately one year before he began to be suspicious. The men were arrested in Amsterdam, where the target had flown to
meet them for an appointment.
http://www.news.com.au/story/0,23599,22214192-23109,00.html

August 8, 2007 - Phishers Go After Tennessee Valley Federal Credit Union Members
About 30 members of the Tennessee Valley Federal Credit Union (TVFCU) fell prey to a phishing scheme, divulging their account information and losing thousands of dollars to thieves. TVFCU members were targeted with telephone calls and emails telling them their accounts were about to expire and that they needed to call an 800 number and provide personal information to have their accounts restored. The thieves made phony debit cards with the stolen account information and used them to withdraw funds from TVFCU accounts through ATMs.
http://www.newschannel9.com/articles/internet_14598___article.html/computers_people.html

August 8, 2007 - Computers Stolen from Yale Dean's Office
Two computers stolen from the Yale College Dean's Office at Yale University last month contain Social Security numbers (SSNs) of more than 10,000 current and former students, faculty, and staff. Yale has
sent notification letters to the affected individuals. The university determined the content of the computers by examining back-up tapes. The data "had not been maintained for any purpose." The University is attempting to reduce the amount of personal data it stores and is taking steps to encrypt or purge any other files containing SSNs. http://www.yaledailynews.com/articles/view/21093

August 8, 2007 - Missing Flash Drive Holds State Hospital Nurses' Data
A flash drive missing from Patton State Hospital in San Bernardino, California contains the names and SSNs of approximately 300 registry nurses. The Department of mental health has begun notifying affected employees by telephone and mail. Having the data on the drive is a violation of hospital policy. The employee responsible for placing the information on the drive faces disciplinary action; the information was put on the drive to help the nurses process their time sheets.
http://www.sbsun.com/news/ci_6569478

August 7, 2007 - Merrill Lynch Computer Stolen
A computer was stolen from Merrill Lynch's corporate offices in New Jersey. The computer reportedly holds personally identifiable information of approximately 33,000 company employees, but no client data. The theft reportedly occurred two weeks ago; law enforcement agencies have been notified.
http://www.cnbc.com/id/20162588
http://www.reuters.com/article/fundsFundsNews/idUSN0723295420070807

August 7, 2007 - First Response Financial Data Theft
UK customers of First Response Financial are being advised to keep an eye on their accounts following the theft of server storage disks from the company's Manchester-area office. The stolen data include bank
and credit card information for current and former customers. The thieves apparently targeted the servers containing these data. First Response has informed customers' banks directly about the incident and has sent notification letters to affected individuals. Police are investigating. http://www.theregister.co.uk/2007/08/07/first_response/print.html
http://www.vnunet.com/vnunet/news/2196201/thieves-steal-uk-finance-house

August 6, 2007 - VeriSign Employee Data on Stolen Laptop
A laptop computer stolen from a VeriSign employee's car holds personally identifiable information of an unspecified number of company employees. Although company policy requires that such information on laptops be encrypted, these data were not. The data include names, addresses, birth dates, salary information and Social Security numbers (SSNs). VeriSign has disabled the stolen laptop's access to the company computer network, and the employee from whose car the computer was stolen no longer works at VeriSign. The computer was stolen on July 12 or 13; notification letters sent to employees were dated July 25. http://www.theregister.co.uk/2007/08/06/verisign_laptop_theft/print.html

August 3, 2007 - Stolen Computer Holds Capital Health Patient Data
One of four laptop computers stolen from a Capital Health office in the Edmonton, Alberta (Canada) area contains personally identifiable information of approximately 20,000 patients. The theft occurred on
May 8, but notification letters were sent on August 2 because the organization needed time to confirm the addresses of the affected patients. While the data are not encrypted, Capital Health uses software that locks computer hard drives. A similar data breach incident in 2006 prompted the Privacy Commissioner to recommend that personal and health data not be stored on laptop computers unless deemed necessary, in which case it should be encrypted. The data include names, addresses, personal health care numbers, and reasons for hospital admission.
http://www.edmontonsun.com/News/Alberta/2007/08/03/pf-4390118.html

August 3, 2007 - Sixty Percent of IRS Employees Succumb to Social Engineering
Auditors from the Treasury Inspector General for Tax Administration Office (TIGTA) conducted a test in which they telephoned employees and contractors at the IRS and, pretending to be IRS help-desk workers, asked them to provide their usernames and temporarily change their passwords to ones they suggested. Sixty percent of those telephoned complied with the request. A similar test in 2004 netted just 35 percent and in 2001, 71 percent changed their passwords. That test prompted "corrective actions" designed to increase awareness of social engineering tactics. The most recent test involved 102 employees. Just eight of the people who received phone calls responded appropriately by "contacting either the audit team, the TIGTA Office of Investigators, or the IRS computer security organization to validate [the] test as being part of an official TIGTA audit."
http://news.com.com/8301-10784_3-9754689-7.html?part=rss&subj=news&tag=2547-1_3-0-20

August 2, 2007 - Storm Worm's Huge Botnet
The Storm worm has reportedly infected nearly 2 million computers, "10 times more than any other email attack in the last two years." The concern that those behind this worm want to do more than just use the
zombie PCs to send spam is growing; the attackers may be planning to use the botnet to launch a massive distributed denial-of-service (DDoS) attack. Small portions of the huge botnet have already been used to launch DDoS attacks; an attack that uses all of the compromised computers would have far-reaching and potentially serious consequences. There is speculation that the people behind the Storm worm were responsible for attacks against Estonian government and commercial websites earlier this year. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201202711

August 2, 2007 - Man Arrested for Hacking Cyclist's eMail
A Danish man could face up to 18 months in prison if convicted of charges of illegally obtaining someone else's email. The man allegedly broke into the email account of cyclist Michael Rasmussen and ttempted
to sell messages to a newspaper. Rasmussen was ousted from a Tour de France team on July 25 because he allegedly lied to drug testers about his whereabouts before the race.
http://www.bradenton.com/462/story/112328.html

July 25, 2007 - Number Affected by Fidelity National Breach Grows
Fidelity National Information Services is now saying that the number of consumer records stolen by a former employee is closer to 8.5 million. When the check authorizing company acknowledged the theft earlier this month, the initial estimate of affected consumers was 2.3 million. William G. Sullivan, the former Fidelity employee, allegedly sold the information to a data broker, who in turn sold the data to direct marketers. Fidelity National is not related to Fidelity Investments.
http://money.cnn.com/news/newsfeeds/articles/newstex/AFX-0013-18404346.htm

July 24 & 26, 2007 - FBI, Chinese Police Arrest 25, Seize Pirated Software Worth Half a Billion
The FBI and Chinese police have seized millions of dollars worth of counterfeit Microsoft software. The FBI estimates the seized pirated software is worth approximately US $500 million; Microsoft estimates the group sold US $2 billion worth of pirated software. Twenty-five people have been arrested in raids on the group's production plants in the southern Chinese province of Guangdong. Information crucial to tracking down the pirates was obtained through Microsoft's Windows Genuine Advantage (WGA) program, which "forces users of some versions of Windows to validate their copy of the operating system with Microsoft when updating their software." The pirated software was being manufactured in China and distributed worldwide. The operation, dubbed "Summer Solstice," began in 2005 and resulted in the takedown of "the biggest software counterfeiting organization we have ever seen by far," according to David Finn, Microsoft associate general counsel for worldwide piracy and counterfeiting issues.
http://www.theregister.co.uk/2007/07/24/microsoft_fbi_bust_counterfeit/print.html
http://news.bbc.co.uk/2/hi/technology/6917127.stm

July 24, 2007 - GAO Audit Finds VA IT Equipment Missing
A Government Accountability Office (GAO) audit of equipment inventories at four Veterans Affairs (VA) medical centers found that more than 25 percent of IT equipment at the Washington DC center was unaccounted for. The three other medical centers examined in the audit could not account for between six and 11 percent of their equipment. In all, more than 2,400 pieces of equipment, with an original value of US $4.6 million, could not be accounted for. Not only did the findings of the audit raise concerns about wasteful spending, but they accentuate an already damaged data security profile at the agency. The VA says that in the three months since the audit was completed, they have located most of the missing equipment. http://www.govexec.com/story_page.cfm?articleid=37563

July 20, 2007 - Tokyo policeman loses job for using peer-to-peer file-sharing software
Companies need to remember the importance of computer security and control after it was revealed that a policeman has lost his job for using file-sharing peer-to-peer (P2P) software. Find out more
about this case here.
http://www.sophos.com/news/2007/07/winny-fired.html

July 20, 2007 - D'oh! Spammers exploit interest in The Simpsons Movie
Be careful to ensure that you aren't responding to unsolicited email surveys! A new spam campaign exploits interest in "The Simpsons Movie", due to be released in cinemas this month, and explains the dangers of following links in junk emails. http://www.sophos.com/news/2007/07/simpsons.html

July 19, 2007 - Movie Pirate Gets 300 Hours of Community Service
A New Zealand man was sentenced to 300 hours of community service for movie piracy. Frederick Higgins says he took the movie from the post-production house where he worked for his own viewing; he says he destroyed the copy at work. Higgins appears to have made no money from his actions. The judge maintained that the pirated copies of the movie that had become available must have their origins with the copies Higgins stole. Higgins has been fired.
http://www.nzherald.co.nz/topic/story.cfm?c_id=137&objectid=10452390

July 18, 2007 - Former FBI Analyst Sentenced for Stealing Secret Documents
Former Marine Leandro Aragoncillo has been sentenced to 10 years in federal prison for providing classified information to people attempting to overthrow the Philippine government. Aragoncillo served under two vice presidents and as an FBI intelligence analyst where he had clearance that allowed him access to the FBI's Automated Case Support computer system. He used his clearance to access documents pertinent to the Philippines. He admitted to passing national security documents classified as secret to Philippine contacts. Aragoncillo pleaded guilty to four counts of an indictment, one of which was Unlawful Use of a Government Computer. Aragoncillo was also fined US $40,000.
http://newark.fbi.gov/dojpressrel/2007/nk071807.htm

July 11, 2007 - Former Boeing Employee Charged with Computer Trespass
A former Boeing quality insurance inspector has been charged with computer trespass for allegedly accessing information without authorization and passing it to the media. Gerard Lee Eastman allegedly
copied the documents to a portable drive between September 2004 and April 2006. More than 300,000 pages of internal Boeing documents were found at Eastman's home. Authorities arrested Gerald Lee Eastman last year, and shortly thereafter, Boeing fired him. Eastman was reportedly"disgruntled" with Boeing's lack of attention to the concerns he noted about flaws in the parts inspection process. If he is convicted on all counts, Eastman could face up to 57 months in prison.
http://news.bbc.co.uk/2/hi/business/6290400.stm

July 10, 2007 - Five-Year Sentence for Data Theft
Binyamin Schwartz has been sentenced to five years in prison for gaining unauthorized access to personally identifiable information of more than 100,000 individuals and trying to sell data to someone who turned out to be an undercover Secret Service agent. Schwartz was employed as a software consultant at an insurance firm. Schwartz's sentence also includes two years of supervised release and he was ordered to pay his former employer more than US $500,000 in costs related to the incident. He was convicted on charges of identity theft, aggravated identity theft, access device fraud, and wire fraud.
http://www.computerworld.com/action/article.do?command=viewArticleBasic

taxonomyName=security&articleId=9026701&taxonomyId=17&intsrc=kc_top

July 10, 2007 - Man Gets 25 Years for Hacking Teens' Webcams
Mark Wayne Miller was sentenced to 25 years in prison followed by supervised release for life for breaking into webcams and surreptitiously watching and recording minors in their own homes. In January 2006, Miller pleaded guilty to computer intrusion and sexual exploitation of children. At that time, he was already on probation and a registered sex offender. He allegedly shared the recordings he made with other people. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201001050

June 27, 2007 - Lost Flash Drive Holds Bowling Green State Univ. Student Data
Approximately 18,000 current and former Bowling Green State University (BGSU) students are being notified that their personally identifiable information is on a missing flash drive. An accounting professor
reported the drive missing on May 30. The data loss affects students from 1992 through to the present; 199 students' SSNs are included in the data, but after 1992, BGSU switched from SSNs to university-generated unique identifiers. Other data on the drive include names and grades.
http://toledoblade.com/apps/pbcs.dll/article?AID=/20070627/NEWS08/70627020

June 27, 2007 - Phony eMails Claim to Provide Microsoft Patch
The SANS Internet Storm Center is getting reports of emails that claim users need to download a fix for a zero-day flaw in Microsoft Outlook. The spear phishing emails appear to come from Microsoft and include the recipients' full names and company names, but have misspellings in other places. The emails appear to try to trick recipients into visiting a site that looks like a Microsoft site. Microsoft recommends users view site certificates to ensure their legitimacy. http://www.scmagazine.com/us/news/article/667467/researchers-warn-bogus-microsoft-patch-spam/

June 27 2007 - MySpace Taken Over By Hackers Building Botnets
MySpace pages have been changed so they infect visitors to those pages. According to Johannes Ullrich of the Internet Storm Center, the pages exploit an old (2006) Internet Explorer bug. Ullrich also said MySpace is an increasingly popular target for attackers.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=200001122

June 26, 2007 - More Guilty Pleas in Pirated Software Sales
Two more people have pleaded guilty to selling pirated Rockwell Automation software on eBay. Robert Koster pleaded guilty to selling more than US $5 million worth of software for a profit of US $23,000;
Yutaka Yamamoto pleaded guilty to selling more than US $540,000 worth of software for a profit of US $6,000. The two will be sentenced in November. They face penalties of up to five years in jail, a fine of
US $250,000 and three years of supervised release. Seven other individuals have already been convicted of selling Rockwell Automation software.
http://www.theregister.co.uk/2007/06/26/ebay-software_piracy_convictions/print.html

June 26, 2007 - Two Convicted Under CAN-SPAM
A federal jury has convicted two men on multiple charges relating to a spam operation advertising pornographic web sites. Jeffrey Kilbride and James Schaffer earned US $2 million in commission for setting up the scheme. Kilbride and Shaffer were among the first people to be charged under the CAN-SPAM Act. The charges of which they were found guilty include money laundering, conspiracy and fraud. Sentencing has been set for September, 2007; the pair could face five years in prison for each CAN-SPAM offense and fines of up to US $500,000. Three accomplices have already entered guilty pleas.
http://www.theregister.co.uk/2007/06/26/can_spam_convictions/print.html

June 25, 2007 - More Los Alamos Security Breaches
Two more data security breaches linked to Los Alamos National Laboratory (LANL) have come to light. In May, a LANL employee took his work laptop with him on vacation to Ireland; the computer was stolen from his hotel room. The computer holds sensitive government documents and is equipped with an export-controlled encryption card. The employee violated lab policy by taking the computer to Ireland, but if he had asked permission, his request would likely have been granted. LANL is reportedly undertaking an inventory of all lab laptops and replacing many of them with desktop computers. Also, less than two weeks ago, a LANL scientist sent highly classified information over the open Internet to colleagues at another site; the scientist should have used a secure network. This email is separate from the January incident in which board members communicated about highly classified nuclear information over the regular Internet. http://www.msnbc.msn.com/id/19418769/site/newsweek/page/0/

June 25, 2007 - Stolen Laptop Holds Ohio Workers' Compensation Data
A laptop computer stolen from an auditor's home contains personally identifiable sensitive information belonging to 439 injured workers. The auditor was working for the Ohio Bureau of Workers' Compensation
(BWC). The theft occurred on May 30, but BWC administrator Marsha Ryan was not informed of the theft until June 15. The revelation follows close on the heels of the theft of a backup tape containing personally
identifiable information of hundreds of thousands of Ohioans; that tape was stolen from an Ohio State office intern's car. BWC will notify affected workers and employers.
http://www.middletownjournal.com/hp/content/oh/story/news/state/2007/06/25/ddn062507bwcweb.html

June 24, 2007 - Stolen Laptop Holds Prince's Sensitive Data
A laptop computer stolen from an accountant's car in the UK contains personal information about Prince Charles. The data on the computer are believed to include the Prince's vital account number, sort code, and national insurance number. The accountant from whose car the computer was stolen works for Moorepay, the firm that handles wages for the Duchy of Cornwall estate.
http://www.people.co.uk/news/tm_headline=-pound-15m-charles--bank-secrets-stolen--&method=full&objectid=19347215&siteid=93463-name_page.html

June 22, 2007 - Australian Authority Fines Spammers
The Australian Communications and Media Authority has imposed a fine of AU $11,000 (US $9,305) on Pitch Entertainment Group for violating the country's Spam Act. Pitch allegedly sent more than one million commercial text messages with no viable unsubscribe options. IMP Mobile has been fined AU $ 4,000 (US $3,384) for the same violation. Repeat offenses could be punished with much higher fines.
http://australianit.news.com.au/story/0,24897,21949015-5013044,00.html

June 22, 2007 - DrinkorDie Piracy Ringleader Gets 51 Month Sentence
Hew Raymond Griffiths, a British national living in Australia, was extradited to the US in February 2007 where last week he was sentenced to 51 months in prison for his role in orchestrating the DrinkorDie
international digital piracy group. Griffiths spent three years in detention in Australia while fighting his extradition. It is unknown if the time served in Australia will be subtracted from his sentence in the US. Griffiths could have been given a maximum sentence of 10 years in prison and a US $500,000 fine.
http://www.zdnet.co.uk/misc/print/0,1000000169,39287700-39001093c,00.htm

June 21, 2007 - BSA Nets GBP 250,000 (US $500,000) Settlement
An unnamed UK firm will pay the Business Software Alliance GBP 250,000 (US $500,000) as an out-of-court settlement for using unlicensed software. The average settlement paid to BSA last year was GBP 10,000 (US $20,000). The company, which was not named for legal reasons, was using unlicensed copies of Adobe, Autodesk and Microsoft software on PCs at a number of sites.
http://www.zdnet.co.uk/misc/print/0,1000000169,39287658-39001084c,00.htm

June 20, 2007 - Stolen laptop Holds Texas First Bank Data
A laptop computer stolen from a car in Dallas, Texas contains sensitive, personally identifiable information of about 4,000 Texas First Bank customers. The computer was protected with technology designed to prevent unauthorized access. The computer belonged to a former Texas First Bank online banking vendor; the vendor informed the bank of the theft immediately.
http://www.khou.com/news/local/stories/khou070622_jj_bankid.4056cb0.html

June 14, 2007 - Winny Blamed for Police Data Leak
Winny filesharing software installed on a Japanese policeman's private computer allowed approximately 10,000 documents and images to be uploaded onto the Internet. The documents include investigative records and personally identifiable information of individuals being investigated. In March of this year, Japan's National Police Agency directed all officers to check for the Winny filesharing software on their personal computers. This particular officer apparently indicated he did not have the software on his computer. He was identified as the culprit because his resume was among the information exposed.
http://www.yomiuri.co.jp/dy/national/20070614TDY01004.htm

June 13, 2007 - Phisher Draws Six-Year Sentence
The first person to be convicted by a jury under the CAN-SPAM Act has been sentenced to nearly six years in prison. Jeffrey Brett Goodin used hijacked Earthlink accounts to send email messages to AOL subscribers that appeared to come from AOL's billing department. The email messages directed recipients to visit sites where they were asked for sensitive personal and financial information. The messages implied that if they did not supply the data requested, their AOL accounts would be suspended. Goodin was convicted not only of violating the CAN-SPAM Act, but also of wire fraud, unauthorized use of credit cards, and attempted witness harassment.
http://www.theregister.co.uk/2007/06/13/aol_fraudster_jailed/print.html

June 12 & 13, 2007 - Sydney Opera House and Art Museum Sites Infected with Malware
Google search results have warned users in the last few days that the web sites of the Sydney Opera House and the Sydney Museum of Contemporary Art "may harm [users'] computers." Malware was apparently detected on both web sites. The Sydney Opera House has taken steps to remove the Trojan software from its web site. A third party will now check that site's security on a regular basis. A museum spokesperson said their site has been fixed as well.
http://www.theage.com.au/news/security/virus-blight-spreads-to-museum-site/2007/06/13/1181414340831.html
http://www.smh.com.au/articles/2007/06/11/1181414219766.html

June 12, 2007 - Hackers spread illegal child content through web message boards
Sophos experts have warned web hosts of the dangers of not screening content posted on internet message boards, following the discovery that legitimate web pages have been taken over by cybercriminals using forums to promote child pornography.
http://www.sophos.com/news/2007/06/message-boards.html

June 11, 2007 - Amero supporters form The Julie Group
Supporters of Julie Amero, the former substitute teacher who was granted a new trial months after being convicted of exposing her students to pop-up porn, have formed an advocacy group to help people facing similar courtroom battles.http://ecm.hbpl.co.uk/re?l=evvfpsIfvlxf5I6

June 11, 2007 - Trojan Hides in Phony Security Bulletin
A message claiming to be a cumulative update for Internet Explorer with the title "Microsoft Security Bulletin MS06-4" has been sent to users. A link provided in the email claims to be the patch, but actually allows a malicious file on a remote server to install malware on users' computers. The websites hosting the malicious downloader code have been shut down.
http://www.scmagazine.com/us/news/article/663626/beware-fake-microsoft-security-advisories-say-researchers/

June 6, 2007 - Substitute Teacher Granted New Trial - Verdict Thrown Out
Julie Amero's conviction has generated controversy because security experts believe that malware could have hijacked her PC to force it to visit adult websites. The PC is said to have not been running a firewall or anti-malware software. http://www.sophos.com/pressoffice/news/articles/2007/06/amero.html

June 6, 2007 - Data on Missing Bank Disk Not Encrypted
A computer disk containing names, addresses, dates of birth and mortgage account numbers of 62,000 Bank of Scotland customers is missing. The Bank of Scotland, a subsidiary of HBOS, sends a disk with customer data to a credit reference agency every month. This month, however, the disk was sent through the regular post instead of a secure post service, which is usually the case. Furthermore, the data on the disk sent each month are usually encrypted, but the data on this particular disk were not encrypted. Bank of Scotland has sent letters of apology to affected customers. Another HBOS subsidiary, Halifax Building Society, apologized to 13,000 mortgage customers earlier this year after personal data were stolen from an employee's car. http://www.theherald.co.uk/news/news/display.var.1443290.0.0.php

June 1, 2007 - Police Data on Stolen Laptop
A laptop computer stolen from a software company contains personally identifiable information of approximately 97,000 Texas law enforcement agency employees. The company that possessed the computer stores such data for the Texas Commission on Law Enforcement. Affected individuals were notified of the breach by email in May. http://www.kxan.com/Global/story.asp?S=6601344

June 1, 2007 - Mother's Keylogger Helps Nab Online Predator
A UK mother concerned about her son's online activities installed keylogging software on his computer. When she retrieved the data, she learned that a man from the US had been "grooming" her 15-year-old son for abuse. She contacted the police, who in turn notified US Immigrations and Customs investigators. Jason Bower was arrested last November as he boarded a plane bound for England to meet the boy. Bower has pleaded guilty to charges against him and will face a minimum prison sentence of five years.
http://www.theregister.co.uk/2007/06/01/spyware_mum_foils_pervert/

May 31, 2007 - Former Manager Pleads Guilty to Stealing Computers
A man who once managed the San Jose (Ca.) Medical Group's McKee branch has pleaded guilty to stealing computers and a CD that contained personal medical information of approximately 200,000 patients. Joseph Nathaniel Harris managed the practice between August and September 2004; two computers and the disk were reported missing in March 2005. At that time, the medical group sent letters to approximately 185,000 patients to notify them of the data security breach. The complaint against Harris alleges he stole the computers in late March 2005. Shortly before that theft, computers were also stolen from another of Harris's former employers. All of the stolen computers were all found for sale on Craigslist with email addresses linking them to Harris. The disk was found in Harris's car. Harris was indicted in January 2006. If convicted of all charges against him, Harris could be sentenced to 10
years in prison and fined US $250,000 and ordered to pay restitution.
http://www.mercurynews.com/ci_6029308?source=most_viewed
http://sanfrancisco.fbi.gov/dojpressrel/2006/sf011906.htm

May 18, 2007 - Convicted Movie Pirate Loses Appeal
A Hong Kong man convicted of making movies available for download over the BitTorrent peer-to-peer (P2P) file-sharing network has lost his appeal. Chan Nai-ming will serve a three-month prison sentence for
distributing three movies, "Daredevil," "Miss Congeniality," and "Red Planet," in 2005. The defense argued that Chan merely uploaded the movies but did not distribute them; the judges said that by his actions, Chan "enabled people to download" the films. http://www.theage.com.au/news/Technology/Hong-Kong-man-loses-Internet-piracy-appeal/2007/05/18/1178995401345.html

May 17, 2007 - Former Los Alamos Employee Pleads Guilty to Taking Data
A woman who used to work for a contractor at Los Alamos National Laboratory as an archivist has pleaded guilty to stealing classified data. Jessica Lynn Quintana admitted to printing out some documents, downloading others onto a flash drive, and taking them all home. She was stripped of her security clearance, and face up to a year in prison and a fine of US $100,000, as well as five years probation. There was no indication as to why she took the data home. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199601495

May 15, 2007 - BSA Says Software Piracy Rate Remained Steady
According to statistics from the Business Software Alliance (BSA), the software piracy rate among businesses worldwide has remained constant at 35 percent since 2003. The piracy rate in China has dropped from 92 percent to 82 percent over the past three years, owing in large part to"government intervention." The rates in the US, the UK and Western Europe have remained steady at 22 percent, 27 percent and 36 percent, respectively. The BSA says governments need to do more to encourage companies to use licensed software.
http://news.bbc.co.uk/2/hi/technology/6654033.stm

May 15, 2007 - IBM Tapes Lost After Traffic Accident
Computer tapes holding personally identifiable information of current and former IBM employees were lost following a traffic accident near Armonk, NY on February 23, 2007. The tapes were in a contractor's
vehicle, en route to a permanent storage location. The contractor has not been named. Some customer account information was also on the tapes. IBM recently sent letters to affected employees notifying them of the situation. IBM also placed an advertisement in a local paper asking for the return of the tapes. A spokesperson declined to say how many people were affected, but did note that some of the tapes were encrypted. http://www.theregister.co.uk/2007/05/15/ibm_missing_tapes/print.html

May 11, 2007 - Google Research Finds 10 Percent of Web Pages Hold Malware
According to research from Google, 10 percent of web pages contain malicious code. Google closely analyzed 4.5 million web pages over the course of a year and found that approximately ten percent, or 450,000, had the capability of installing malware without users' knowledge. An additional 700,000 pages are believed to be infected with code that could harm users' computers. The company says it has "started an effort to identify all web pages in the Internet that could be malicious." Most entice users to visit the dangerous pages through tempting offers, and exploit holes in Microsoft Internet Explorer (IE) to install themselves on users' computers. Google also examined the vectors used by attackers to infect these web pages; most malicious code was located in elements beyond the control of website owners, such as banner advertisements and widgets.
http://news.bbc.co.uk/2/hi/technology/6645895.stm
http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf

May 5, 2007 - Missing TSA Hard Drive Holds Info. on 100,000 Employees
The US Transportation Security Administration (TSA) has acknowledged that a hard drive containing personally identifiable information of approximately 100,000 current and former employees is missing. The
breach affects individuals employed by the TSA between January 2002 and August 2005. The payroll data on the drive include names, Social Security numbers (SSNs) and bank account and routing numbers. Employees were notified of the situation by email on Friday, May 4. The TSA became aware the drive was missing from the TSA Headquarters Office of Human Capital on May 3; the FBI and the US Secret Service have been asked to investigate.
http://www.usatoday.com/news/washington/2007-05-04-harddrive-tsa_N.htm?csp=34

May 3, 2007 - Maryland Dept. of Natural Resources Thumb Drive Lost
A lost thumb drive holds personally identifiable information of approximately 1,400 Maryland Park Service Rangers and Natural Resources Police officers. The Department of Natural Resources (DNR) information
dates back to the 1970s and includes names and SSNs. The president of the State Law Enforcement Officers Labor Alliance has written to the DNR secretary to find out why someone was permitted to download that information to the portable device and remove it from the office.
http://www.baltimoresun.com/news/local/bal-dnrstory0503,0,2665140.story?coll=bal-local-headlines

May 2, 2007 - Revealed: The top ten web and email threats of last month
Sophos has released a report revealing the most prevalent malware threats causing problems for computer users around the world during April 2007. Find out now which attacks are causing the biggest
problems worldwide, and read more about the rising threat posed by web-based threats.http://s673.link.sophos.com/toptenapr07?pl_id=9

May 1, 2007 - Donated City of Champaign Computer Holds Police Data
A computer donated to charity by the city of Champaign, Illinois contains the names and SSNs of 139 of the city's police officers. The city donated 50 computers last year, including five to the Champaign
Consortium, a not-for-profit job assistance center. One of those computers appeared not to be working, so it was taken to a computer service shop, where the sensitive data were discovered.
http://www.news-gazette.com/news/local/2007/05/01/data_about
__officers_left_on_donated

April 26, 2007 - Four Plead Guilty to Selling Pirated Software on eBay
Four men have pleaded guilty to selling pirated software on eBay. Between the four of them, they made a profit of about US $122,300 on counterfeit copies of Rockwell Automation software valued at US $19.1
million. Each of the defendants faces up to five years in prison and a fine of US $250,000. Three other defendants have already received felony convictions in the case.
http://www.infoworld.com/article/07/04/26/HNfourpleadguilty_1.html

April 26, 2007 - Judge Says UW-Madison Must Provide Student Identities to RIAA
A federal judge has ruled that the University of Wisconsin, Madison (UW-Madison) must disclose the identities of 53 students whom the Recording Industry Association of America (RIAA) says have been sharing music over the Internet. The RIAA filed a John Doe lawsuit to obtain the names, addresses, phone numbers, email addresses and Media Access Control, or MAC addresses associated with specific IP addresses from which files were allegedly traded. The RIAA could use the information to file lawsuits against those individuals, although they will likely start with settlement offers. However, as Ken Frazier, interim CIO at UW-Madison, points out a very "imperfect relationship" between an IP address and an individual. http://www.madison.com/wsj/home/local/index.php?ntid=131102

April 25, 2007 - Ohio University Bans P2P From Campus Network
Ohio University (OU) has outlawed peer-to-peer (P2P) filesharing over its networks. According to OU CIO Brice Bible, "peer-to-peer file sharing consumes a disproportionate amount of resources, both in
bandwidth and human technical support." As of Friday, April 27, OU will monitor the campus network for P2P activity; computers found to be violating the new policy will be cut off from Internet access. OU's
policy decision comes in the wake of a wave of "prelitigation letters" from the Recording Industry Association of America (RIAA), sent to colleges and universities, including OU.
http://www.ohio.edu/students/filesharing.cfm

April 25, 2007 - Report: Fears that a Data Breach Could Ruin Business
A new report from McAfee found that of more than 1,400 IT professionals surveyed, a third fear that a major data security breach could put their company out of business. Despite the fact that 60 percent of
respondents said their companies had experienced data loss in the last year, they reported spending just 0.5 percent of their IT budgets on data security. Sixty-one percent of respondents believe data leaks are
caused by people within the organization, and 23 percent believe those leakages are of malicious intent.
http://www.computing.co.uk/itweek/news/2188528/breaches-worry-firms

April 24, 2007 - Neiman Marcus Employee Data Compromised
A notebook computer stolen from a pension consultant holds personally identifiable information of approximately 160,000 current and former employees of the Neiman Marcus Group. The data include names, addresses, SSNs and salary information. The theft affects employees hired prior to August 30, 2005. Neiman Marcus plans to contact everyone whose data were on the computer. Neiman Marcus learned of the theft on April 10, though it had occurred several days earlier. http://www.wfaa.com/sharedcontent/dws/bus/stories/042507dnbusneiman.40beadd.html

23 April, 2007 - Software Pirate Sentenced to Two Years in Prison
A man who owned and operated a web site providing paid subscribers with unlimited access to pirated software has been sentenced to two years in federal prison. Ronnie A. Knott was convicted of criminal copyright infringement and will serve three years of supervised release when his prison term is completed. His site was taken down in May 2006 following an FBI investigation. Knott earned approximately US $20,000 from subscriptions to his site; the software he had made available had a total value of US $2.5 million.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199200544

April 22, 2007 - Targeted Attacks Using Malicious Office Docs on the Rise
There have been an increasing number of attacks involving maliciously crafted Microsoft Office files. The manipulated files are generally sent as email attachments to specific people; if a document is opened,
the attacker can gain control of the user's computer and from there, explore the internal computer network. The attacks have been targeting employees at US federal agencies and nuclear and defense contractors. Just over a year ago, the number of such attacks detected was one or two a week; in March 2007, one security company intercepted 716 emails with malicious files at 216 agencies and organizations. Such an attack helped intruders gain access to computers at the US State Department. http://www.usatoday.com/tech/news/computersecurity/2007-04-22-cyberspies-microsoft-office_N.htm?csp=34

April 20, 2007 - Cards Readers Found on ATMs in Three California Supermarkets
Employees at three WinCo supermarkets in the Inland area of southern California found evidence that card readers had been placed on ATMs in the stores; people who used the ATMs within the last month are being urged to check their bank statements. Card reading devices were recovered from machines at stores in Pomona and Moreno Valley; Velcro found on a machine at a store in Temecula indicated a reader had been in place but had been removed before authorities arrived.
http://www.pe.com/localnews/inland/stories/PE_News_Local_S_scam21.ac606b.html

April 20, 2007 - Stolen Laptop Holds Proprietary Information About Unreleased Films
A laptop computer stolen from a Rutland, Vermont movie production studio contains a considerable amount of proprietary information. The information includes material from two movies that are scheduled to be released later this year. It is unlikely the laptop's content was the thieves' target; surveillance video indicates they were on a "drunken rampage." Other offices in the same complex were burglarized as well.
http://www.rutlandherald.com/apps/pbcs.dll/article?AID=/20070420/NEWS01/704200371/1002/NEWS01

April 20, 2007 - Contract Employee Arrested for Computer Sabotage at CA Power Facility
A California man has been arrested for allegedly interfering with computers at the California Independent System Operator (Cal-ISO) agency, which "controls the state's power transmission lines and runs
its energy trading markets." Lonnie Charles Denison's "security access was suspended at the request of his employer based on an employee dispute." The allegation is that when his attempt at a remote cyber
intrusion failed, Denison gained physical access to the facility with his card key; apparently not all access had been suspended. Once inside the facility, Denison allegedly broke the glass protecting an emergency power cut-off station and pushed the button, causing much of the data center to shut down. Cal-ISO was unable to access the energy trading market, but the power transmission grid was unaffected.
http://www.theregister.co.uk/2007/04/20/terrorists_among_us_flee_flee/print.html


April 17, 2007 - Japanese Company Sues Former Employee for Leaking Data
The Japanet Takata mail-order company is suing a former employee for allegedly leaking customer data. Japanet's lawsuit seeks 110 million yen (US $929,000) in damages. The defendant allegedly conspired with another former employee to copy information about more than 500,000 Japanet customers onto a portable memory device in 1998. The pair then allegedly leaked the information to outsiders, costing Japanet 2.57 billion yen (US $21.7 million) in losses. The defendant denied involvement with the incident during arbitration. Japanet knows he cannot pay the amount sought by the lawsuit; what the company really want is for him to admit his culpability.
http://mdn.mainichi-msn.co.jp/national/news/20070417p2a00m0na011000c.html

April 17, 2007 - Two Arrested in UK for Wireless Piggybacking
Police in the UK arrested two people in separate incidents for using wireless Internet connections without authorization. Both were arrested within the last month, and both were arrested while using a laptop
computer in a parked car. Law enforcement officials could pursue charges under the Computer Misuse Act, which would have a maximum penalty of five years imprisonment; however, in both these cases, police charged the individuals under dishonesty laws instead. Two years ago, another man was given a 12-month conditional discharge for a similar offense.
http://www.theregister.co.uk/2007/04/18/uk_war_driving_arrests/print.html

April 16, 2007 - Fifth Conviction in P2P Crackdown
A Georgia man faces up to five years in prison for distributing copyrighted content over a peer-to-peer (P2P) filesharing network. Sam Kuonen pleaded guilty to charges of conspiracy to commit copyright
infringement and criminal copyright infringement in violation of the Family Entertainment Copyright Act. Kuonen's arrest came as part of the US Department of Justice's Operation D-Elite, a crackdown on copyright infringement enabled by Elite Torrents, a P2P network that offered music, movies, software and games, sometimes before they were available in stores. Federal agents shuttered Elite Torrents in May, 2005. Kuonen apparently uploaded digital content to a network for others to download. He is the fifth person to be convicted in Operation D-Elite. In addition to the possible five years in prison, Kuonen could also face a fine of US $250,000 and three years of probation.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199100239

April 14 & 15, 2007 - Newspaper Publisher Accused of Stealing Proprietary Data
In March, Par Ridder, publisher of the St. Paul (Minn.) Pioneer Press abruptly left that job to become publisher of its rival newspaper, the Star Tribune, in Minneapolis. Pioneer Press has filed a lawsuit
alleging that Ridder violated a non-compete agreement by taking the job and that he took significant amounts of proprietary data, including budgets and advertising pricing data. The lawsuit asks that Ridder and other Pioneer Press executives who moved to the competing newspaper along with him be barred from working at the Star Tribune for one year. A Pioneer Press staffer dispatched to Ridder's new office with the intent of retrieving his Pioneer Press laptop arrived at Ridder's new office just a week after he announced his departure found someone copying information from the laptop. He was ultimately asked to wait in the lobby for an hour. When he brought the laptop back, there was evidence that nearly "all the data had been copied to an external storage device that day."
http://news.postbulletin.com/newsmanager/templates/localnews_story.asp?a=290750
http://www.winonadailynews.com/articles/2007/04/14/mn/02minpublisher14.txt

April 13, 2007 - Stolen Bank of America Laptop Holds Employee Data
A laptop computer stolen from a Bank of America (BofA) employee holds personally identifiable information of an unspecified number of current and former BofA employees. Compromised data include names, addresses, dates of birth and Social Security numbers (SSNs). BofA has sent letters to individuals whose data were compromised; the letter says there is no indication the information has been misused and offers recipients two years of free credit monitoring. Limited information has been made available regarding the circumstances of the theft because it is under investigation.
http://charlotte.com/123/story/83747.html

April 13, 2007 - Contractor Allegedly Stole Port of Tampa Employee Data
A contractor at the Tampa (Fla.) Port Authority has been arrested for allegedly stealing the personal information of people who hold Port of Tampa access badges and using it fraudulently to apply for credit cards. Daniel E. Glenn has been charged with offense against intellectual property to defraud or obtain property. While working as a computer technician for Tampa Port Authority contractor Siemens Building
Technologies, Glenn allegedly told Port Authority employees he needed access to the security badge database to repair corrupted data. He then allegedly copied information of thousands of access badge holders and applied for credit cards in the names of approximately 20 individuals. Law enforcement agents recovered the stolen data from Glenn's home. He has been suspended with pay from Siemens while the company investigates the allegations.
http://www.sptimes.com/2007/04/13/news_pf/Business/Port_of_Tampa_employe.shtml
http://www.tbo.com/news/metro/MGBTN5P0G0F.html

13 April 2007 - Former Social Security Administration Employee Charge in Identity Fraud Case
A former Social Security Administration employee has been charged with disclosing personally identifiable information taken from a government computer. Jennifer Batiste allegedly passed the stolen data to Craig Harris, who used them to commit identity fraud to the tune of US $2.5 million. Batiste is charged with conspiracy, accessing a protected computer to conduct fraud, and disclosure of a Social Security number (SSN). If convicted on all charges, she could be sentenced to as many as 15 years in prison. Harris pleaded guilty last fall to charges of conspiracy and unlawful possession of a means of identification. When he is sentenced in July, he could face up to 10 years in prison. Batiste allegedly received US $20 for each query she ran that obtained information for Harris.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199000813

April 12, 2007 - UK Policeman Gets Jail Time for Stealing Data from Police Database
A UK police officer who provided personal information from a national police database to a known violent offender has had his sentence increased to nine months in jail. James Andrew Hardy was originally given a 28-week suspended sentence and 300 hours of community service; Hardy pleaded guilty to malfeasance in a public office for accessing the police national computer database with the intent of providing Martin Jolley with personal information of three people. An appeal from the Attorney General increased his punishment to nine months in jail. Jolley wanted the information to take retaliatory measures against certain individuals. Jolley also pleaded guilty to counseling and procuring Hardy to commit the crime. Hardy's sentence could have been 18 months, but the court took into account time served while awaiting trial and his promptness in completing his community service.
http://www.theregister.co.uk/2007/04/16/leak_officer_jailed/print.html

April 12, 2007 - US Government gets C- Grade on Security
The annual computer security report cards for federal agencies were released on April 12. The grades reflect how well the agencies have complied with the requirements established by the Federal Information
Security Management Act (FISMA). Overall, the government received a grade of C-minus, a step up from last year's overall grade of D-plus. Nine agencies received lower grades than they did last year; NASA fell
from a B-minus in 2005 to a D-minus in 2006. Eight agencies received failing grades. The Department of Veterans Affairs did not submit enough information to be awarded a grade. FISMA author Rep. Tom Davis
(R-Va.) has a plan to address criticism of the plan, which focuses largely on it being an exercise in paperwork rather than a true measure of computer security. Next year, agencies will receive extra points for beating a "White House deadline for meeting new federal computer security standards," which include "ensur[ing] that any existing or newly purchased personal computers that use Microsoft Windows XP or
Vista software platforms include certain default settings."
http://www.washingtonpost.com/wp-dyn/content/article/2007/04/12/AR2007041201010_pf.html

April 10 & 11, 2007 - Lost Disk Holds Info. of 2.9 Million Georgia Residents
A computer disk lost in transit contains personally identifiable information of approximately 2.9 million Georgia residents who receive services from the Medicaid and PeachCare for Kids health care programs.
The data include names, addresses, Social Security numbers (SSNs) and member identification numbers, but no medical information. The CD was lost by Affiliated Computer Systems (ACS), a contractor working for the Georgia Department of Community Health (DCH). DCH has asked that ACS notify all those affected by the breach and help them to monitor their credit reports.
http://www.theregister.co.uk/2007/04/11/georgia_data_loss/print.html
http://dch.georgia.gov/vgn/images/portal/cit_1210/19/38/80010015Public_Notice-Missing_Personal_data.pdfl

April 9 & 11 2007 - Computer Stolen from Fla. Child Welfare Agency
Police in Ft. Lauderdale, Florida are investigating the theft of a laptop computer from ChildNet, a Broward County child welfare agency non-profit contractor. The stolen laptop holds personally identifiable
information of approximately 12,000 adoptive and foster care families. Police believe the thieves wanted the information to commit identity fraud; they have identified one former ChildNet employee as a suspect
in the theft. He has been fired. ChildNet plans to notify all those whose data were compromised; parents of children whose data were exposed will be notified as well. The data include financial and credit information, SSNs, driver's license numbers and passport numbers. There are apparently no full backups of the information except for paper documents. ChildNet has taken steps to protect data in the future.
http://www.local10.com/news/11624491/detail.html
http://cbs4.com/topstories/local_story_099223111.html

April 6, 2007 - Stolen Laptops Contain Chicago Public School Teachers' Data
Chicago Public Schools (CPS) is planning to notify current and former employees that their personal information was on two laptop computers stolen from an office at CPS headquarters on April 6. The breach affects approximately 40,000 current and former employees who contributed to the Teacher Pension Fund between 2003 and 2006. The data include names and SSNs, but not addresses or dates of birth. CPS plans to email current employees and post information on the web for former employees. Surveillance cameras have an image of a suspect in the robbery and there is a US $10,000 reward for information leading to the return of the stolen computers. This is the second time in less than a year that CPS has had to inform employees about a data breach. In November 2006, personally identifiable information of 1,740 former employees was exposed in a staff mailing about health insurance.
http://www.daily-journal.com/archives/dj/display.php?id=392152

April 6, 2007 - Backup Tapes Lost in Transit
A locked shipping case containing backup tapes from Florists' Mutual Insurance Company parent company Hortica has been lost in transit. Hortica provides employee benefits and insurance to companies in the horticultural industry. The container disappeared en route from a secure off-site facility to company headquarters in Illinois. UPS informed Hortica that the case was lost on April 5, 2007. Hortica has changed its backup procedure to eliminate the need for transportations by common carriers. The data on the tapes include names, SSNs, driver's license numbers and bank account numbers.
http://www.pr-inside.com/hortica-alerting-public-to-loss-of-r87434.htm

April 5, 2007 - Web Site Defacement May Have Compromised Customer Data
Security Title Agency in Phoenix, AZ is warning customers that their personal information was put at risk of theft when the company's web site was defaced several weeks ago. Security Title stores customer
information on the same server that hosts its web site. Security Title says there is no indication the intruders stole information, but they cannot be certain they did not. The company is providing customers with free credit monitoring.
http://ktar.com/?nid=6&sid=440413

April 5, 2007 - Navy Computer Sabotage Draws One-Year Prison Sentence
A former government contractor has been sentenced to one year in prison for sabotaging Navy computers after his company's bid for another project was not accepted. Richard F. Sylvestre has pleaded guilty to
one count of damaging protected computers; he could have faced up to 10 years in prison. Sylvestre's company at the time, Ares Systems, had a contract to maintain computers for the Navy's 6th Fleet in Naples, Italy. Sylvestre admitted to placing malicious code on the Navy computers. The computers were used to help submarines navigate and avoid collisions with undersea hazards and other submarines. Sylvestre has also been ordered to pay a fine of US $10,000 and will serve three years probation following his release from prison. He has repaid the Navy US $25,000 for damages.
http://content.hamptonroads.com/story.cfm?story=122352&ran=199274

April 5, 2007 - Former Morgan Stanley Employee Allegedly Stole Company Data
A former Morgan Stanley employee has been charged with conspiracy for allegedly stealing proprietary information. Ronald Peteka allegedly took hedge fund client data and used them in an attempt to set up a
consulting firm with another former Morgan Stanley employee. Peteka allegedly received the information from a former Morgan Stanley computer consultant, Ira Chilowitz, who was arrested in July 2006 and charged with conspiracy, theft and unauthorized computer access. Chilowitz pleaded guilty to the charges in February 2007.
http://www.consumeraffairs.com/news04/2007/04/id_morgan_stanley.html


April 3, 2007 - FCC Order Takes Steps to Protect Telecom Customer Data
The US Federal Communications Commission (FCC) has issued an order that places tighter restrictions on telecommunications companies regarding the release of customer records. Carriers may not release customer records unless the customer provides a password. Otherwise, the records may be sent to the address of record or provided by the telecom company calling the telephone number of record. Companies are also required to inform customers about changes made to their accounts and must obtain
customer consent before sharing data with a third party. The order comes in the wake of the Hewlett-Packard pretexting case, in which a private investigator obtained phone records of company directors,
employees and journalists in an effort to determine the source of an information leak at the company. The US Telecom Association is unhappy with the order, calling it "an extremely anti-consumer outcome."
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=198702073

March 30, 3007 - Stolen Disk Holds Univ. of Montana-Western Student Data
The University of Montana-Western is notifying between 400 and 500 current and former students that their personally identifiable information was on a computer disk stolen from a professor's office last
week. The data include SSNs, names, dates of birth and addresses. The students affected by the data security breach are all enrolled in the school's TRIO Student Support Services Program, formerly the Educational Opportunity Program. Police are investigating the incident.
http://www.havredailynews.com/articles/2007/03/30/local_headlines/state.txt

March 30, 2007 - Missing Computers Hold Navy Data
Three laptop computers have been reported missing from the Navy College Office in San Diego. The computers may contain sailors' personally identifiable information, including SSNs, names, rates and rankings. Those potentially affected by the data security breach are "Sailors and former Sailors homeported on San Diego ships from January 2003 to October 2005 and who were enrolled in the Navy College Program for Afloat College Education." The Naval Criminal Investigative Service (NCIS) "is investigating the incident as a possible theft" and is working with San Diego police to recover the computers. http://www.military.com/features/0,15240,130657,00.html

March 29, 2007 - Man Sentenced to 27 Months for Selling Pirated Software
An Indiana man who pleaded guilty to selling counterfeit software over the Internet has been sentenced to 27 months in federal prison. Courtney Smith sold more than US $700,000 worth of pirated Rockwell
Automation software through eBay auctions, earning just over US $4,000 from the sales.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=198701097

March 29, 2007 - EMT Fired for Stealing Patient Data
An emergency medical technician (EMT) has been fired from the University of Illinois Medical Center at Chicago (UIC) for allegedly using his position to access sensitive patient data. Leslie Langford was charged with eight counts of felony identity theft. He allegedly accessed records of 243 patients, but just eight records were allegedly misused. The data include Social Security numbers (SSNs) and driver's license numbers. Langford was arrested on February 23; the hospital sent affected patients breach notification letters on March 8. Hospital administrators received a tip about the activity and were able to
determine through the electronic record keeping system which employee was accessing the data, and which data were being accessed.
http://abclocal.go.com/wls/story?section=local&id=5164853
http://www.chicagotribune.com/news/local/chi-070329uic,1,3234070.story?coll=chi-news-hed

March 26, 2007 - eBay Fraudster Arrested in Budapest
A Bulgarian woman faces up to 30 years in prison and $500,000 in fines for allegedly swindling Americans out of more than US $350,000 through eBay scams. Mariyana Feliksova Lozanova allegedly advertised expensive items on eBay and directed purchasers to wire funds through a phony service called "eBay Secure Traders" in an attempt to lend her scheme legitimacy. The victims never received the items or refunds. Lozanova was apprehended in Budapest, Hungary on March 22 and indicted for conspiracy to commit wire fraud and conspiracy to commit money laundering. She allegedly used aliases to open bank accounts into which the stolen funds were channeled; she has waived extradition.
http://www.theregister.co.uk/2007/03/27/ebay_fraud_arrest/print.html

March 24, 2007 - Missing Laptops Hold Health Care Data
Two missing laptop computers hold personally identifiable information of approximately 31,000 Group Health Cooperative Health Care System patents and employees in the Seattle area. Compromised data include names, addresses, SSNs and Group Health ID numbers. The computers disappeared in late February and early March of this year. Affected individuals have been notified by mail.
http://www.komotv.com/news/6681342.html

March 23, 2007 - Stolen Hard Drives Hold Patient Data
Approximately 19,000 current and former patients of the Swedish Urology Group in the Seattle area have been informed that their personal information has been compromised. Three hard drives used to back up the practice's data were stolen from a locked office on March 10; there were no signs of forced entry, suggesting that the perpetrator may have had a master key. The data go back as far as four years in some cases. The drives contain physician and staff information as well as patient data. http://www.komotv.com/news/consumer/6678947.html
http://seattlepi.nwsource.com/local/308897_swedish24.html

March 22, 2007 - Oracle Suing SAP for Intellectual Property Theft
Oracle has filed a lawsuit against SAP, alleging that employees of a company subsidiary (SAP TomorrowNow) "copied and swept thousands of Oracle products and other proprietary and confidential materials into its own servers." The suit alleges the company used stolen login credentials to purloin gigabytes of customer support software between September 2006 and January 2007. Oracle discovered the theft while investigating significant traffic spikes on its Customer Connect servers. The suit could draw the attention of federal prosecutors, leading to possible criminal action as well as the civil action brought
by Oracle. The lawsuit alleges that once in possession of the filched software, SAP was able to offer cut-rate services to Oracle customers and attempt to lure them away.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=198500150

March 21, 2007 - Man Pleads Guilty to Breaking Into eBay Accounts
An Australian man has pleaded guilty to breaking into 90 eBay accounts and using them to steal AU $42,000 (US $34,000). Dov Tenenboim also broke into email accounts and a bank. Tenenboim advertised non-existent iPods through the hacked eBay accounts and pocketed the money from the fraudulent sales. If he is convicted on all charges against him, Tenenboim could face up to 11 years in jail and fines of AU $9,900 (US $8,007). Tenenboim apparently guessed most of the eBay account passwords.
http://www.theregister.co.uk/2007/03/21/ebay_hijack_plea/print.html
http://www.stuff.co.nz/stuff/3998080a11275.html

21 March 2007 - Half of Corporate Web Traffic Not Work Related
Nearly half of all web traffic coming from corporate networks is non-productive, or non-work related, according to security firm ScanSafe. Traffic includes requests for gambling, music, pornography and webmail sites, despite the fact that web filtering blocks were up 8 percent compared with January, according to the firm. Dan Nadir, vice president of product strategy at ScanSafe says that consequences of this uncontrolled use of the web also include "exposure to legal liability, disclosure of confidential information, breaches of compliance requirements and unnecessary bandwidth consumption."
http://www.vnunet.com/vnunet/news/2185906/half-corporate-web-traffic-work

March 20 & 21, 2007 - Found Memory Stick Holds Scottish Council Employee Pay Data
A memory stick found near a bicycle shelter contains nearly 60 documents from the Perth and Kincross (Scotland) Council. The data include pay details of dozens of Council employees. The person who found the device turned it in to a local newspaper. There is no evidence the loss of the device was reported to police. The council is unhappy that the person who found the device did not instead return the device directly to the council.
http://icperthshire.icnetwork.co.uk/perthshireadvertiser/news/tm_headline=private-pay-details-found-in-street%26method=full%26objectid=18783033%26siteid=88886-name_page.html
http://www.theregister.co.uk/2007/03/21/perth_council_usb_loss/print.html

March 20, 2007 - Technician's Error Erases Disk and Back-Up For $38 Billion Fund
In July 2006, a technician's error wiped out data regarding a financial account worth US $38 billion while the technician was reformatting a disk drive at Alaska's Department of Revenue. The technician accidentally reformatted the back-up drive, and when the organization tried to recover the data from back-up tapes, they discovered that they were unreadable. The deleted data were images of supporting documentation Alaskan residents had submitted to demonstrate their eligibility for payment from the Alaska Permanent Fund. It took approximately two months to rescan the 300 boxes of documents. The incident cost the state more than US $220,000.
http://www.cnn.com/2007/US/03/20/lost.data.ap/index.html

17 March 2007 - The Cost of Stolen Identities
Symantec's latest Internet Security Threat Report claims that the online criminals are exchanging stolen full identities for between $14 and $18. A full identity includes the victim's Social Security number, bank
account details including passwords and other personal information such as date of birth and the mother of the victim's maiden name. The main victims of online identity theft appear to be US citizens with 86% of the credit and debit cards advertised for sale on the online underground issued by U.S. based banks. Elsewhere in the report Symantec claim to have seen an 11% rise in the use of bot networks, with China accounting for 26% of all bot networks. U.S. sites were also the victim of 52% of all DOS attacks.
http://news.bbc.co.uk/2/hi/technology/6465833.stm http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article1536335.ece

March 16, 2007 - Ohio School District Employees' Data on Stolen Computer
A laptop computer stolen from the vehicle of an Ohio state auditor's office employee holds personally identifiable information of approximately 2,000 current and former Springfield City Schools employees. The employees have been notified of the data breach by mail. The breach affects people who were considered permanent employees as of June 2004, June 2005 and February 2006 and who received paychecks on three different dates in 2003 and 2004. The employee has been reprimanded for violating office policy by leaving equipment unattended in a vehicle.
http://www.springfieldnewssun.com/hp/content/oh/story/news/local/2007/03/16/sns031707laptop.html

March 14, 2007 - Copiers' Hard Drives Retain Document Images
Some new models of copiers have hard drives that store images of what has been copied. More often than not, the data are not encrypted and stay there until overwritten by new data. A survey commissioned by Sharp, one of the major copier makers, found that more than half of the people planned to copy their tax returns and associated documents; most intended to make those copies outside of their homes. About the same number of people did not know that photocopiers keep images of what they copy. Sharp and several other manufacturers offer security kits to encrypt and overwrite scanned images.
http://www.kansas.com/mld/kansas/business/technology/16896436.htm

March 13, 2007 - BSA Takes Action Against Software Pirates in US and Europe
The Business Software Alliance (BSA) is taking legal action against five alleged software pirates in the US, the UK, Germany and Austria. In each of the cases, BSA was made aware of the alleged piracy through consumer complaints. The BSA is making a concerted effort to fight piracy on a global level.
http://www.itnews.com.au/print.aspx?CIID=75434&SIID=35

March 13 2007 - Most Data Breaches Traced to Company Errors
A researcher from the University of Washington, Seattle says that organizations are more often to blame for data security breaches than outside intruders. Phil Howard looked at 550 data breaches that received media coverage between 1980 and 2006. Approximately two-thirds of the breaches could be traced to lost or stolen equipment and a variety of management errors. Less than one-third of the breaches were the work of outside attackers.
http://www.networkworld.com/news/2007/031307-data-breach-companies.html

March 12 2007 - Contract Employee Stole and Sold Printing Company Customer Data
A contract employee at Dai Nippon Printing Company in Japan allegedly stole approximately nine million pieces of customer data by copying the information onto a variety of recording media. Affected clients include the Toyota Motor Corp., American Home Assurance and Aeon Co. A spokesperson for Dai Nippon is in negotiations with customers regarding compensation. The data were stolen between May 2001 and March 2006. An investigation was triggered when the employee allegedly sold 150,000 pieces of data to a criminal group. The investigation led to the discovery that far more information was stolen than first believed. The individual was arrested on February 20 and indicted on charges of theft because the disk he used to copy the information did not belong to him. Japan's personal information protection law does not provide for penalties for stealing data. If the former contract worker had used his own disk to copy the information, authorities would have had a harder time filing any charges against him.
http://www.reuters.com/articlePrint?articleId=UST2997420070312


March 7, 2007 - Two-Thirds of Companies Lose Data Six Times a Year
Sixty-eight percent of companies surveyed by the IT Policy Compliance Group said they experience data loss or theft six times a year; 20 percent say they lose data at least 22 times a year. Just 12 percent of companies report losing data less that twice a year. The top reasons the companies gave for data loss are user error, policy violations, and Internet threats. The ways in which data were lost include lost devices, email and other electronic communications, and software applications.
http://www.eweek.com/print_article2/0,1217,a=202593,00.asp

March 7, 2007 - Gartner Study Sees Sharp Rise in ID Theft and Associated Fraud
A Gartner study says that fraud arising from identity theft has risen significantly since 2003. Extrapolation from gathered statistics indicates that approximately 15 million Americans dealt with fraud stemming from identity theft between the middle of 2005 and the middle of 2006. Figures gathered by the Federal Trade Commission (FTC) in its own survey estimated that number to be 9.9 million in 2003. Gartner surveyed 5,000 US adults who use the Internet. Other findings include an increase in the average amount of money lost to fraud from US $1,408 in 2005 to US $3,257 in 2006. The percentage of funds recovered dropped over the same one-year period from 85 percent in 2005 to just 61 percent in 2006.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9012483


March 7, 2007 - VA CIO Restricts Use of USB Drives
Veterans Affairs Department (VA) CIO Robert Howard has placed restrictions on the use of thumb drives within the VA. Employees will be permitted to use only those drives issued by the VA CIO's office, and those devices will be limited to 1G or 2G of memory. Furthermore, employees will need to apply for and demonstrate the need for thumb drives before they are issued. This restriction is just one step Howard plans to take to tighten data security at the beleaguered department. He also plans to "eliminate unencrypted messages that travel on VA's network" and proposing to the Office of Management and budget that the five deputy CIOs at the VA be promoted to "secretaries for different functions," such as information security and strategic planning. http://www.gcn.com/online/vol1_no1/43266-1.html?topic=security

March 3, 2007 - Thief Stole Credit Card Numbers from Seed Site
A cyber thief broke into the web site of Johnny's Selected Seeds and stole sensitive customer data, including credit card numbers; in all, 11,500 accounts were compromised. Approximately 20 of the stolen card numbers have been used fraudulently. The site is now under 24-hour monitoring to prevent a recurrence; other security measures have also been implemented. Johnny's has notified all people whose account information was stolen. The initial intrusion occurred on February 4, 2007. A company official said "criminals gained access to our internal systems and gathered enough information to allow then to gain access to our web site." The FBI is investigating.
http://kennebecjournal.mainetoday.com/news/local/3676190.html

March 2, 2007 - Stolen Metro State Computer Holds Student Data
A laptop computer stolen from a faculty member's office at Metropolitan State College of Denver holds personally identifiable student information. The compromised data include names and SSNs of students who took courses from the professor from fall 1999 through fall 2002. The professor may face disciplinary action as a policy established last spring requires "all College reports or studies that access private student information ... were to be approved through the President's Office." In addition, Metro State is in the midst of a project that requires all college-owned laptops to be submitted to the IT department so the data they hold can be reviewed. The school is attempting to notify all affected students by mail.
http://cbs4denver.com/consumer/local_story_061205155.html

March 1, 2007 - Missing Hard Disk Holds Student and Alumni Data
An external hard disk containing personally identifiable information of approximately 8,800 students and graduates of Tokyo University of Science was stolen on February 24. A professor had taken the device
home with him, but the bag it was in was stolen while he was on a train home. The professor will face punishment.
http://mdn.mainichi-msn.co.jp/national/news/20070301p2a00m0na026000c.html

February 27, 2007 - Stolen Computers Raise Data Theft Fears in Northern Ireland
Fifty-five computers have been stolen from Northern Ireland civil servants over a nine-year period. The value of the stolen equipment is 90,900 Euros (US $118.670). Northern Ireland Office spokesperson David Lidington said "We need to know what information was there. ... We need an assurance that personal information was not on these computers." A Department of Finance and Personnel spokesperson said the computers did not hold confidential information.
http://www.breakingnews.ie/print/?jp=CWSNSNIDOJID

21 February 2007 - DHS Still Has Long Road Ahead to Securing Data
According to a report from Department of Homeland Security (DHS) inspector general (IG) Richard Skinner, the agency still has a long way to go to implement security controls that will help protect sensitive data and personally identifiable information. The report evaluated DHS on its implementation of the Office of Management and Budget (OMB) Memorandum 06-16, Protection of Sensitive Agency Information. DHS has developed policies and has started to identify and "protect" systems that hold sensitive information. However, the majority of mobile devices, including laptop computers, have not been encrypted. The IG has also expressed concern that DHS has not taken steps to protect systems that can be used by remote users. http://www.fcw.com/article97725-02-21-07-Web&printLayout

February 16, 2007 - Stolen Computers Hold Child Patient Data
Two laptop computers stolen from a locked vehicle in the parking lot of Seton Highland Lakes Hospital near Austin, TX hold personally identifiable information of approximately 2,500 juvenile patients treated by the hospital's mobile medical unit. The data include names, medical information and Social Security numbers (SSNs). http://www.kxan.com/Global/story.asp?S=6100779&nav=0s3d

14 February 2007 - Stolen Computer Holds Kaiser Permanente Patient Information
A laptop computer stolen from a Kaiser Permanente Medical Center in Oakland, California contains information of as many as 22,000 patients. The organization is notifying those affected by the theft, which
occurred in November 2006. The data include some SSNs. A Kaiser spokesperson said they are implementing new security policies that include encrypting data on electronic devices and prohibiting the
storage of large amounts of patient data on any hard drive. http://cbs5.com/consumer/local_story_045212622.html

14 February 2007 - Nationwide Building Society Fined Over Stolen Laptop
The UK's Financial Services Authority has fined the Nationwide Building Society GBP 980,000 (US $1.92 million) for failing to "have adequate information security procedures and controls in place." A laptop
computer stolen from an employee's home in August 2006 held confidential information of nearly 11 million customers. The employee reported the theft promptly, but neglected to tell the company what data were on the computer until he returned from holiday three weeks later. Nationwide has not said if the person is still in its employ or has been disciplined. The company says the data do not include PINs, passwords
or account balance information. A company spokesperson said they have taken measures "to ensure it doesn't happen again." Nationwide informed all affected customers by letter; no customers have lost money. http://news.bbc.co.uk/2/hi/business/6360715.stm

12 February 2007 - Report Indicates FBI Still has Problems with Lost Laptops
According to a report from the Justice Department inspector general's office, the FBI has lost 160 laptops in less than four years. At least 10 of the computers held "highly sensitive classified information" one
held "personal identifying information on FBI personnel." Seven of the missing computers were assigned to counterintelligence and counterterrorism divisions. A 2002 audit revealed 317 missing laptops and 354 missing weapons over a 28-month period. The new report follows up on the 2002 audit to track the FBI's progress in addressing the problems that led to the missing laptops. The new report notes a reduction in the rate of lost laptops, but the rate of stolen laptops increased from 17 in a 28-month period to 44 in a 44-month period. "The FBI could not determine ... whether the stolen or lost laptop computers contained sensitive information or classified information."
http://www.washingtonpost.com/wp-dyn/content/article/2007/02/12/AR2007021200629_pf.html

7 February 2007 - Missing Backup Tapes Hold Johns Hopkins Employee and Patient Data
Nine computer backup tapes are missing from Johns Hopkins University and Johns Hopkins Hospital. The tapes were supposed to be returned by a contractor who performs data backups. The tapes hold payroll data, including Social Security numbers (SSNs) and some bank account numbers for 52,000 current and former Johns Hopkins employees, as well as less sensitive data about 83,000 hospital patients. Officials say there is no evidence that the tapes were stolen; it is likely they were delivered to the wrong location or mistaken for trash and destroyed. The university is notifying people affected by the data security breach by
letter and email. http://www.wmdt.com/wires/displaystory.asp?id=58386284
http://www.washingtonpost.com/wp-dyn/content/article/2007/02/07/AR2007020701004_pf.html

7 February 2007 - Univ. of Nebraska-Lincoln Data Exposed
The SSNs of 72 University of Nebraska-Lincoln (UNL) students, faculty and staff were inadvertently posted on the university's public web site; the information had been accessible for more than two years when the
problem was discovered earlier this week. The university sent notification letters to those affected by the data security breach. A similar incident occurred at UNL less than a year ago. In March 2006, the university discovered that the SSNs, email addresses and GPAs of nearly 350 engineering students had been accidentally posted to the web. The university periodically scans its web site for SSNs; the numbers
exposed in the latest incident were not caught because they did not contain the usual two dashes that normally appear in the numbers.
http://www.omaha.com/index.php?u_page=1000&u_sid=2326625

6 February 2007 - IMF Hard Drives Stolen in Azerbaijan
Police in Baku, Azerbaijan are investigating the apparent theft of four computer hard drives from the office of the International Monetary Fund in that city. The drives contain financial, personnel and research
files and "the fund's primary database of information for its operations" in Azerbaijan.
http://www.abcmoney.co.uk/news/06200718804.htm

5 February 2007 - Computer Taken from State Auditor's Home
A laptop computer stolen from the Glens Falls home of a New York Department of Labor unemployment auditor holds personally identifiable information of more than 500 individuals employed by 13 businesses in
and around the Albany area. The state Department of Labor has sent notification letters to people affected by the breach and is reviewing its policies regarding employees taking work home.
http://poststar.com/articles/2007/02/06/news/doc45c8abf57b7ae609243186.txt
http://www.wnyt.com/x11919.xml?ag=x995&sb=x183


5 February 2007 - Coroner Allegedly Shared 911 Web Site Account Info with Journalists
The Pennsylvania Attorney General's Office has filed charges against Lancaster County (PA) Coroner G. Gary Kirchner for allegedly providing newspaper reporters with his password to the 911 system's confidential web site. Five reporters from the Lancaster Intelligencer Journal gave testimony before a grand jury after they were granted immunity from prosecution. Investigators searched four computer hard drives in the newspaper's newsroom and found that the 911 site was accessed with Kirchner's username and password from newspaper offices 57 times.
http://www.phillyburbs.com/pb-dyn/news/103-02052007-1294444.html

2 February 2007 - Michigan Tax Preparer's Computer Stolen
A computer stolen from a tax preparer's office in Cassopolis, Michigan holds tax records for 800 people. Evidence suggests that thieves broke into the office in the early morning hours and took the computer,
leaving behind cash and checks. The tax preparer is offering a US $5,000 reward to help catch the perpetrators. The information includes SSNs and bank routing numbers. The tax preparer has clients from
Michigan, Indiana, Ohio, Virginia, Illinois and Washington.
http://www.wndu.com/news/headlines/5530966.html

2 February 2007 - Superbowl Sites Infected with Malware
At least two web sites that were likely to have been visited by football fans in the days before the Superbowl have been discovered to contain malicious code that can infect users' computers with keylogging and Trojan horse programs. The malware exploits two known Windows vulnerabilities; patches for these flaws were released in April 2006 and January 2007. The Dolphin Stadium web site has reportedly been cleansed.
Internet Storm Center: http://isc.sans.org/diary.html?storyid=2151
http://www.theregister.co.uk/2007/02/05/superbowl_trojan/print.html

2 February 2007 - Duracell Employee Pleads Guilty to Stealing Trade Secrets
Former Duracell employee Edward Grande has pleaded guilty to one count of stealing trade secrets. According to court documents and records, Grande downloaded research about Duracell AA batteries to his computer; he then sent the information to two rival companies. Both companies reportedly sent the information back to Duracell; neither had solicited the information from Grande. When he is sentenced, Grande could face up to 10 years in prison and a fine of as much as US $250,000.
http://www.washingtonpost.com/wp-dyn/content/article/2007/02/02/AR2007020200906_pf.html

2 February 2007 - Missing Hard Drive Holds 48,000 Veterans' Data
The Department of Veterans Affairs (VA) and the FBI are investigating the disappearance of a portable hard drive from the VA medical center in Birmingham, Alabama. The drive was reported missing on January 22,
2007; it is believed to hold research project information as well as personally identifiable information of as many as 48,000 veterans. Some of the data were encrypted. "Pending results of the investigation, the VA is planning to send individual notifications and to provide a year of free credit monitoring" to those affected. The drive was used to back up data from an employee's office computer. The VA Office of the Inspector General has taken the employee's work computer and is analyzing its contents.
Internet Storm Center: http://isc.sans.org/diary.html?storyid=2169
http://www.signonsandiego.com/news/nation/20070202-2112-securitybreach.html

1 February 2007 - Data Security Breach Exposes Workers' Comp Info. in Mass.
The Massachusetts Department of Industrial Accidents (DIA) has acknowledged a data security breach that exposed personally identifiable information, including Social Security numbers (SSNs), of as many as
1,200 individuals who had submitted workers' compensation claims. A former contractor allegedly accessed the database with the intent of stealing the information; the worker was fired and charged with identity fraud. Three people have reported that their information was misused. DIA has sent notification letters to the people whose data were compromised.
http://www.boston.com/business/ticker/2007/02/workers_comp_da.html

1 February 2007 - MySpace Worm Creator Sentenced
The man believed to be responsible for a worm attack on MySpace.com in October 2005 has pleaded guilty to a felony charge for his actions. Samy Kamkar was sentenced to three years of probation and 90 days of community service for "what is believed to be the first self-propagating cross-site scripting worm." Kamkar used Asynchronous JavaScript and XML (AJAX) to carry out his attack. Kamkar must also pay restitution to MySpace and is prohibited from using the Internet for an unspecified length of time.
http://www.theinquirer.net/default.aspx?article=37422


1 February 2007 - Vermont Human Svcs. Dept. Computer Attack Exposes Info. of 70,000 Citizens
A computer at Vermont's Human Services Department suffered an automated attack that could place about 70,000 state residents at risk for identity fraud. The state will notify affected people by letter. The
computer was taken out of commission in December 2006 when workers discovered malware on the machine. The computer was supposed to contain information about people who owed back child-support payments. However, just 12,000 of the individuals affected by the breach fit that criteria; the remaining 58,800 are members of the New England Federal Credit Union. The credit union normally provides the state with information about people who owe payments, but on two occasions, the state received information on nearly the entire credit union's membership. A patch for the flaw that was exploited in the attack had been downloaded but not installed.
http://www.wcax.com/Global/story.asp?S=6006557&nav=4QcS

1 February 2007 - Man Arrested for Software Piracy
A California man has been arrested for allegedly making and selling counterfeit software. Since 2000, Gad Zamir allegedly netted US $750,000 selling pirated copies of Microsoft and Adobe software online at prices far below retail cost. http://www.theregister.com/2007/02/01/counterfeit_arrest/print.html

31 January 2007 - Companies Held Responsible for How Their Ads are Delivered
Priceline.com, Travelocity.com and Cingular Wireless have agreed to pay fines of between US $30,000 and US $35,000 each for advertising through illegal adware. All three companies had bought advertisements on
DirectRevenue, which has been the target of a lawsuit for "fraudulent software installations and serving illegal pop-up ads." The three companies that purchased the ads paid the fines to settle a separate lawsuit brought by New York Attorney General Andrew Cuomo. The settlement sets a precedent for holding companies liable "when their ads end up on consumers' computers without full notice and consent," said
Cuomo. In the past, companies have claimed ignorance because the advertising had been outsourced.
http://www.vnunet.com/vnunet/news/2173818/adware-funders-fined-supporting

30 January 2007 - TJX in Violation of Payment Card Industry Data Security Standard
TJX Companies was storing customer credit card information in violation of the Payment Card Industry Data Security Standard. As a result, the data thieves were able to obtain Track 2 card information, which
includes the card number, expiration date and card verification value. Some of the data stored on the TJX system dates back to 2003. The theft affects millions of cardholders. TJX owns a number of store chains,
including TJ Maxx, Marshalls and HomeGoods. http://www.informationweek.com/news/showArticle.jhtml;jsessionid?articleID=197001447

29 January 2007 - Notre Dame Security Breach Includes Old Graduate Test Data
Simson Garfinkel recently received a letter from Notre Dame University's Mendoza College of Business informing him that personally identifiable information, including his Social Security number (SSN), was
inadvertently made available on the Internet. Garfinkel has no affiliation with the University of Notre Dame; when he took a battery of graduate school admission exams six years ago, he checked boxes allowing his information to be sent to the school for recruitment purposes. Apparently the information had been on a "decommissioned" computer that was later turned on and connected to the Internet. The files on the computer were made available through a file-sharing program. Notre Dame said log files indicate there was no other access beside the individual who discovered his or her information. Garfinkel thinks Google also accessed the information.
http://www.technologyreview.com/printer_friendly_blogPost.aspx?id=17512

22 January 2007 - Sophos Security Report 2007 reveals growth in web threats and Trojans
The Sophos Security Threat Report 2007 examines in detail the top ten malware threats of the last year, and also confirms that malware authors are continuing to turn their backs on large-scale attacks in favor of more focused strikes against computer users. If you are responsible for network security at your business you cannot afford not to find out more and download this detailed report.
http://s636.link.sophos.com/secrep2007?pl_id=9

19 January 2007 - Storm Trojan spam hits email inboxes
Email users are being bombarded by a widespread spam campaign with a sting its tail. Since Friday hackers have used disguises such as breaking news stories (about European storms, Chinese missiles and Saddam Hussein) as well as messages of love in their attempt to lure unwary users into clicking on the attachments.
http://s636.link.sophos.com/storm?pl_id=9
http://s636.link.sophos.com/stormreturns?pl_id=9

19 January 2007 - Phishers: Click here, or eBay shuts down
Hackers are claiming the ultra-popular auction site eBay will shut down next month in their latest attempt to extract personal information from web users.
http://haymarket.ec-messenger.com/re?l=evub0cIfvlxf5Ic

18 January 2007 - T.J. Maxx, Marshalls parent company hacked, unknown amount of customer credit card information stolen
A major clothing retailer announced Wednesday that hackers accessed its network and stole an unknown amount of credit card information.

http://haymarket.ec-messenger.com/re?l=evub0cIfvlxf5Ih

18 January 2007 - MySpace Sued After Assaults
Four families have filed lawsuits against News Corp. and MySpace after their 14- and 15-year-old daughters were sexually assaulted by predators they met on the social networking site. The suits allege negligence, recklessness, fraud and negligent misrepresentation. MySpace has responded to concerns about predators by bolstering education and establishing partnerships with law enforcement. MySpace has also restricted adults' communication with minors and plans to release a tool that will allow parents to view certain aspects of their children's MySpace profiles. A similar suit was filed last June.
http://www.washingtonpost.com/wp-dyn/content/article/2007/01/18/AR2007011800670_pf.html
http://www.informationweek.com/showArticle.jhtml?articleID=196901881&cid=RSSfeed_TechWeb

18 January 2007 - Missing Backup File Holds Information of 500,000 Investors
A backup computer file in transit between offices of CIBC Asset Management is missing. The file contained personally identifiable information of nearly 500,000 Talvest Mutual Funds clients. The data
include names, addresses, dates of birth, bank account numbers and Social Insurance Numbers. Affected clients are being notified by letter. Canada' s privacy commissioner Jennifer Stoddart is launching an investigation. http://www.cbc.ca/canada/story/2007/01/18/cibc.html

18 January 2007 - Thirty Computers Stolen from Closed Infirmary
Thirty computers were stolen from a storeroom at the shuttered Lymington Infirmary in Hampshire, UK earlier this month. It is not believed the computers hold medical records, but could possibly contain the names and addresses of patients and hospital employees. Administrators are conducting an audit to determine exactly what information the computers hold. Hospital staff received a memo in September 2006 and again in December 2006 telling them not to store patient records on PCs. The theft occurred before the computers could be checked for compliance with the guidance.
http://www.theregister.co.uk/2007/01/18/hospital_pc_theft_fear/print.html

17 January 2007 - California phisher faces century in jail for targeting AOL users
A California man has been convicted of violating the CAN-SPAM Act of 2003 for mass-emailing AOL users and requesting credit card information.
http://haymarket.ec-messenger.com/re?l=evub0cIfvlxf5Il

17 January 2007 - Stolen Water District Computers Hold Customer Credit Card Information
Two computers stolen from the offices of the Rincon del Diablo Municipal Water District in southern California hold the names and credit card information of approximately 500 water district customers. People whose data were compromised were notified of the situation by phone; all water district customers will receive a letter describing the breach some time this week. The water district said it is working to encrypt the data on its computers and is installing fences around the building.
http://www.signonsandiego.com/news/northcounty/20070117-9999-1mi17rincon.html

17 January 2007 - US Nets First Conviction Under Can-Spam Act
Jeffrey Brett Goodin has become the first person to be convicted under the US Can-Spam Act. Goodin ran a phishing scam that duped AOL users into divulging credit card information; he was found guilty on charges of wire fraud, unauthorized use of credit cards, misuse of the AOL trademark and attempted witness harassment. Goodin's sentencing is scheduled for June 11; he could receive a prison sentence of up to 101 years.
http://www.zdnet.co.uk/misc/print/0,1000000169,39285508-39001093c,00.htm

16 January 2007 - Keystroke Loggers and Phishing Attacks on the Rise
A white paper from McAfee noted a 250 percent growth in keystroke logging malware between January 2004 and May 2006. Over that same time period, the Anti-Phishing Working group observed a 100 percent increase in phishing attacks. The UK's Home Office places losses from identity theft at 1.63 billion GBP (US$3.2 billion) over the last three years. The paper also offers tips for protecting sensitive data.
http://www.vnunet.com/computing/news/2172647/id-fraud-taking-toll

16 January 2007 - Computers Stolen from Univ. of New Mexico Hold Faculty Info.
Three computers stolen from the office of the associate provost of University of New Mexico (UNM) earlier this month could hold the names and Social Security numbers (SSNs) of the university's faculty members.
The associate provost's office had recently moved from one location to another and could not say if everything was accounted for as not all equipment was set up. Faculty members received email messages on January 9 alerting them to the theft and the possible compromise of their personal information.
http://www.dailylobo.com/home/index.cfm?event=displayArticle&uStory_id=abad7ee1-3707-450e-acd5-0e7ed80b86b6

16 January 2007 - Substitute Teacher Convicted After Students See Racy Pop-Ups
A substitute teacher has been convicted of endangering students when they saw pornographic pop-up advertisements on her computer. A forensic expert testified that spyware surreptitiously installed on the computer while visiting a seemingly innocuous site was responsible for the barrage of pop-ups. Prosecutors question why the teacher did not simply cut off power to the machine once the offensive content appeared. Sentencing is scheduled for early March; the teacher could face up to 40 years in prison. http://www.securityfocus.com/brief/408


13 January 2007 - North Carolina Department of Revenue PCs Stolen
The North Carolina Department of Revenue has sent letters to 30,000 taxpayers notifying them that their personal information was held on a laptop computer stolen from a NC Dept. of Revenue employee's car. The data include Social Security numbers (SSNs); law enforcement officials are investigating the theft.
http://www.charlotte.com/mld/charlotte/16451423.htm

11 January 2007 - University of Idaho Advancement Services Office PCs Stolen
Three laptop computers missing from the University of Idaho's Advancement Services Office hold personally identifiable information of more than 331,000 alumni, students, employees and donors. The apparent theft took place over the Thanksgiving weekend.
http://www.ktvb.com/news/localnews/stories/ktvbn-jan1107-stolen_data.2df71504.html

11 January 2007 - Malware Purveyors Prey on Users' Morbid Curiosity
Not surprisingly, people's fascination with the macabre is being exploited to spread malware. There are reports of email messages claiming to offer footage of Saddam Hussein's execution; when users click on the provided link, they are directed to a site that tries to download a Trojan horse program. Similar emails have been detected that use attachments rather than links within the body of the message. Several different pieces of malware that try to download keystroke loggers have been detected accompanying messages about the execution.
http://www.vnunet.com/vnunet/news/2172307/saddam-videos-hiding-trojan

11 January 2007 - Chinese Court Cracking Down on Copyright Violators
Luo Zhiguo admitted in a Shanghai court that he profited from illegally operating an on-line game at prices considerably below those of the legitimate version. Luo and two accomplices allegedly copied Mir 3 and
made it available for 300 yuan (US$38.50) for permanent access. Authorized accounts could cost players that much in just one month, depending on the amount of time they play. "Luo said he was not aware that they were committing a crime because a lot of other people were also doing the same." One of Luo's accomplices, You Tangcun, was arrested in May and sentenced to three years house arrest. The other
accomplice, Ye Weilong, turned himself in last spring "but fled while on bail." The scheme was discovered when an investigation was launched in response to complaints from the game's authorized operator that they were losing millions of yuan every month because of the illegal activity.
http://news.xinhuanet.com/english/2007-01/11/content_5592977.htm

11 January 2007 - Corporate Security Hole: Employees Forwarding eMail to Personal Accounts
Employees forwarding their work email to "web-accessible personal accounts" is a growing problem. When away from the corporate network accessing email from these accounts is usually faster and easier than
going through the corporate remote email solution. Accessing email from these accounts is usually faster and easier than going through corporate networks. However, because email sent from these services does not"pass through the corporate mail system, companies could run afoul of federal laws that require them to archive corporate email and turn it over during litigation." Atlanta's DeKalb Medical Center began using
systems to monitor outbound email after it became aware of the growing problem of "doctors and nurses routinely forward[ing] confidential medical records to their personal Web mail accounts."
http://www.nytimes.com/2007/01/11/technology/11email.html

10 January 2007 - Arrest Made in Towers Perrin Laptop Theft
Towers Perrin has issued a statement saying that "a junior level administrative employee" has been arrested in connection with the theft of laptop computers from the New York City-based pension company. The computers hold personally identifiable information belonging to current and retired United Technologies Corporation (UTC) employees and current and former Altria employees. UTC is based in Hartford, CT; Altria is the parent company of Philip Morris USA.
http://www.wfsb.com/money/10716528/detail.html?taf=hart

8 January 2007 - Phishers Target UK Taxpayers
Phishers have targeted UK taxpayers, sending phony email messages that appear to come from HM Revenue and Customs claming the recipients are entitled to a GBP70 (US$136) refund. The email includes a link to what is supposed to be a form to fill out to get the refund. In a separate story, the US Computer Emergency Response Team (US-CERT) has warned that phishers are targeting US taxpayers.
http://www.theregister.co.uk/2007/01/08/hm_revenue_phish/print.html

5 January 2007 - Teen Faces Fine, Jail Time for Allegedly Running File Sharing Site
A 16-year-old Norwegian boy who allegedly ran a file-sharing hub could face up to 60 days in jail and a fine of NOK4,000 (US$630). The teen allegedly used the Direct Connect P2P file sharing program to help make
more than 150,000 songs, 7,000 movies and 20,000 video clips available for free downloading. His parents could also face a substantial fine to compensate those in the music and film industries for lost revenue.
http://www.theregister.co.uk/2007/01/05/norwegian_filesharer_charged/print.html

4 January 2007 - Intruder Used Univ. of Northern Iowa Server to Store Music Files
In December, officials of the University of Northern Iowa (UNI) discovered that someone had broken into a server that holds information related to the school's Wellness Recreation Center.  The intruder used the server to store music files.  The data on the server includes names, addresses and phone numbers belonging to students, faculty and employees who have used the center.  UNI uses randomly generated ID codes rather than Social Security numbers (SSNs) as unique identifiers.
http://chronicle.com/wiredcampus/index.php?id=1790
http://www.radioiowa.com/gestalt/go.cfm?objectid=BFFAFCD4-41C8-474C-9A44B4316BB5C517&dbtranslator=local.cfm

3 January 2007 - Hard Drive Target Of Office Break-In At A Medical Office
A computer hard drive was stolen from a medical office in Somerset, Pennsylvania. Whoever broke into the office took just the hard drive, leading some to suspect that the thief was after the information on the
storage device. The doctor's office did not provide details about what information the drive may contain.
http://www.tribune-democrat.com/local/local_story_003233725.html

3 January 2007 - SC High School Experiences Third Computer Theft
A laptop computer was stolen from a guidance counselor's office at the Academic Magnet High School in North Charleston, South Carolina over the school holiday.  The computer holds personally identifiable information of approximately 500 students.  School officials have been trying to reassure concerned parents and students by telling them the information is password-protected and encrypted.  This is the third computer theft at the school this academic year.  The other thefts - three monitors and two laptops from the school's media center and another laptop from the same guidance counselor's office - occurred in November 2006. Police are investigating.
http://www.wcbd.com/midatlantic/cbd/news.PrintView.-content-articles-CBD-2007-01-03-0015.html

2 January 2007 - New Year's Worm Spreads Warezov Trojan Variant
A worm purporting to be New Year's greetings is spreading a variant of
the Warezov Trojan horse program; the worm appears to be spreading
rapidly across the Internet. The email arrives with an attachment named
postcard.exe or postcard.zip; if Windows users open the attachment,
their computers can become infected. Once a machine is infected, it
starts sending spam to other computers to spread the worm.
Internet Storm Center Notes: http://isc.sans.org/diary.php?storyid=1987

 

 
Return to top
 
© 1999-2016 Security Awareness, Inc. All Rights Reserved  :  Privacy Statement
Contact Us     Site Map