19 December 2008 - Phone Hacker Sticks Computer Company with $52,000 Bill
Manitoba (Canada) Telecom Services is insisting that a Winnipeg-based company is responsible for the cost of phone calls a hacker made to Bulgaria through its phone system. Someone broke into the HUB Computer Solutions system in late November and over a period of two-and-a-half weeks made calls totaling CA $52,360 (US $43,023). MTS said it should have been contacted as soon as the volume of outbound international calls began to exceed normal levels.
19 December 2008 - RIAA Changes Tactics
The Recording Industry Association of America (RIAA) said it will stop filing numerous lawsuits against suspected copyright violators. Instead, the RIAA will work with Internet service providers (ISPs) to target people it believes are violating copyright laws and convince them to change their ways. Under the new plan the RIAA will notify ISPs of suspected violators and the ISPs will either notify the suspected offenders themselves or forward the messages from the RIAA. Repeat offenders would be subject to increasing sanctions, including network speed throttling and termination of Internet service. The RIAA has not entirely ruled out the possibility of lawsuits; people who appear to be committing gross violations of copyright law could still find themselves being sued by the RIAA.
17 December 2008 - Research Finds Inadequate Intellectual Property Protection at UK Firms
The results of research commissioned by the UK Intellectual Property Office's IP Crime Group indicate that while companies are aware of the importance of protecting intellectual property (IP), they are by and large not doing enough to protect their own IP or that of others. Forty percent of the more than 1,000 people interviewed did not have any practical measures, such as trademark registration or employee training, in place. More than 25 percent of respondents said employees are not warned against illegal downloading at work.
8 December 2008 - Wireless Providers Agree Voicemail is Not Secure
T-Mobile and AT&T Will No Longer Advertise Their Voice Mail Systems as Secure (December 11, 2008)
T-Mobile and AT&T have agreed to permanent injunctions in a Los Angeles court that prohibit them from claiming that their voice-mail systems are protected from sabotage. The Los Angeles District Attorney's Office says the two mobile service providers advertised that their systems were secure when they were not. An investigation revealed that their voice mail could be easily broken into, changed or deleted.
13 November 2008 - Former Student Charged with eMail Hacking
Former University of Maine student James Wieland has been charged with aggravated criminal invasion of privacy, a felony offense, for allegedly breaking into hundreds of university email accounts. Wieland allegedly installed keystroke logging programs on the victims' computers; authorities do not know his motives. Wieland's surreptitious activity began to unravel after a student received an email message from a friend while that friend did not have computer access. http://www.wcsh6.com/news/breaking/story.aspx?storyid=95880&catid=112
12 November 2008 - $1 million reward for arrest of cyberextortionists
Express Scripts, a pharmacy benefits management firm, announced Tuesday that it is offering a $1 million reward for information leading to the conviction of whoever is threatening to divulge the personal information of millions of its members. http://www.scmagazineus.com/1-million-reward-for-arrest-of-cyberextortionists/article/120929/?DCMP=EMC-SCUS_Newswire
12 November 2008 - Former Network Admin Pleads Guilty to Multiple Offenses
Andrew Madrid has pleaded guilty to charges of hacking, identity theft, burglary and drug possession in Santa Clara County (California) Superior Court. Madrid destroyed data on a former employer's computer system hoping that they would hire him back to fix the problem he had created. He also placed spyware on computer systems to steal passwords. Madrid used a neighbor's wireless network to disguise his digital tracks. Dressed as a security guard, Madrid strolled through various companies stealing computer equipment. He faces up to 12 years in prison when he is sentenced.
12 November 2008 - Spam Levels Drop After Hosting Company Disconnected
The amount of spam being sent worldwide dropped noticeably after McColo, a northern California-based hosting provider identified as hosting spamming organizations, was cut off by its Internet providers. It is estimated that McColo hosted the machines responsible for 75 percent of spam sent worldwide. McColo's upstream service was severed on Tuesday, November 11; that same afternoon, organizations tracking spam noted a sharp decrease in the volume being sent. The relief is likely to be temporary, as operations that send the unsolicited commercial email seek out other avenues to help them spread their wares.
10 November 2008 - Former Sysadmin Arrested for Alleged Extortion
A systems administrator who had recently been laid off from Third Avenue Management, a New York-based mutual fund company, has been arrested for allegedly threatening to damage his former employer's servers if they did not meet his demands. Viktor Savtyrev was one of 10 employees who lost their jobs on November 5. All were given a severance package, but several days later, Savtyrev allegedly sent email messages to several people still with the company, including the company's general counsel, saying he was "not satisfied with the terms" of his severance package and threatening to damage the computer systems unless they gave him more money and provided him with extended medical coverage and "excellent" job references. In subsequent communications, Savtyrev allegedly said he would get help attacking the servers from friends in Belarus and that he had already placed several back doors on the company's computer systems. Savtyrev was arrested at his home in Old Bridge, NJ.
9 November 2008 - Australian Federal Police Files Left on Hotel Computer in Nepal
An Australian Federal Police (AFP) officer based in south Asia has been ordered to return to Australia following the revelation that documents and images from an AFP USB data storage device were left in a hotel computer in Kathmandu, Nepal. Other guests at the hotel were reportedly able to view the files, which include a document containing priorities and strategies for the AFP's Bangladesh office and graphic pictures of a plane crash. The officer involved in the incident will assist in the investigation.
7 November 2008 - Woman Gets Four-Year Sentence for Identity Theft and Credit Card Fraud
Kimberly Ann Mavis was sentenced to four years in federal prison without the possibility of parole for her role in an identity fraud scheme. Mavis and a co-conspirator, Jerry Bagby, gained unauthorized access to the customer database of Premier Bank in Overland Park, Kansas and used the purloined information to open credit card accounts in other people's names. Mavis and Bagby used those cards to purchase expensive items, which they later resold for cash. In August, Mavis pleaded guilty to computer fraud, conspiracy, aggravated identity theft and credit card fraud. Bagby pleaded guilty to aggravated identity theft and credit card fraud; he is awaiting sentencing.
3 November 2008 - Compromised Facebook accounts could cost unwary users
If you're a Facebook user you should be wary of messages sent by friends requesting personal information or money. A Google Australia employee almost ended up out of pocket after she received messages from a "friend" of hers who claimed he needed money for an air ticket as he was stuck in Lagos. In fact, the fraudster had compromised her friend's Facebook account. Learn more from Sophos now.
3 November 2008 - Banking Trojan horse masquerades as Symantec software
Portuguese spam messages are attempting to dupe innocent computer users into downloading and installing a fake Symantec product. Learn more about this attack from the SophosLabs blog.
13 October 2008 - Stolen Laptop Holds Pension Data
Deloitte has acknowledged that a laptop stolen from an employee's bag contains personally identifiable information of more than 150,000 pension holders. The data include names, National Insurance numbers and salaries, but not bank data or addresses. A notice from Deloitte says that the security measures implemented on the laptop include encryption. http://www.theregister.co.uk/2008/10/13/deloitte_data_loss_vodafone/
11 October 2008 - Malware-Laden Spam Pretends to be Windows Security Update
New spam messages are spreading, purporting to contain "an experimental private version of an update for all Microsoft Windows OS users." While there is nothing new about malware spreading in the guise of security updates, the fact that these messages are arriving just as Microsoft is scheduled to release its October update makes it more likely that the attackers will have a greater level of success. The executable file attached to the message infects users' computers with malware. The spam offers several clues that it is not legitimate; the grammar is dodgy and the message claims that the update addresses versions of Windows that are no longer supported and for which patches would not therefore be issued. Microsoft never sends security updates as email attachments. http://www.vnunet.com/vnunet/news/2228041/malware-writers-spoof-patch
11 October 2008 - Missing MOD Hard Disk Contains 1.5m Pieces of Personal Information
The UK's Ministry of Defence (MOD) has admitted to losing a portable hard drive that contained up to 1.5 million pieces of personal information, including details of over 100,000 active service personnel and 600,000 recruits. The missing disk was not encrypted. Of particular concern is that the missing data include details on personnel who served in Northern Ireland and may be terrorist targets. The lost information includes details such as individuals' passport numbers, addresses, dates of birth and in some cases banking details. The portable disk was being held by the main IT contractor for the MOD, EDS. EDS reported the drive missing after a priority report was carried out on October the 8th. Over the past four years over 658 laptops have gone missing from the MOD, with 26 memory sticks containing sensitive information missing since January 2008.
8 October 2008 - Spammers Ordered to Pay US $236 Million
A US District Judge in Iowa has ordered Henry Perez and Suzanne Bartok of Arizona to pay US $236 million for sending millions of unsolicited commercial emails. Robert Kramer, the owner of Iowa-based CIS Internet Services, sued Perez and Bartok, who ran a company called AMP Dollar Savings, for inundating his network with spam. Perez and Bartok used a program called "Bulk Mailing 4 Dummies" to send out messages that advertised home mortgage refinancing. http://www.theregister.co.uk/2008/10/08/mom_and_pop_spammer_judgement/
8 October 2008 - Contractor Allegedly Accessed Shell Oil Employee Database
Shell Oil has warned its employees that their personal information may have been compromised. An employee of a third-party contractor working on-site for Shell was escorted off the premises after it emerged that the individual had allegedly accessed a database containing personally identifiable information of most current and former Shell employees. Shell has noted that in four instances, employees' Social Security numbers (SSNs) were used to file phony unemployment claims. Shell has terminated its contract with the third-party company.
8 October 2008 - Man Admits Role in Phishing Scheme
Sergiu Daniel Popa of Romania has admitted that he was part of a phishing scheme that stole US $700,000 over a three-year period. He pleaded guilty to possession of unauthorized access devices and aggravated identity theft. Popa lived in the US for nearly seven years; he was extradited from Spain in June to face the charges. Popa faces up to 10 years in prison and a US $500,000 fine. According to his plea agreement, Popa stole identities of more than 7,000 people. http://www.theregister.co.uk/2008/10/09/romanian_phishing_guilty_plea/
6 October 2008 - Reported Data Breaches in US on the Rise
According to statistics compiled by the Identity Theft Resource Center, there have been 516 reported consumer data breaches in the first nine months of 2008, exposing 30 million records; in 2007, the total number of reported breaches was 446. Extrapolated from the numbers so far this year, the total number of reported breaches in 2008 could top 680. Eighty percent of the breaches involved digital media; the remaining 20 percent involved data recorded on paper. Of the incidents this year, 36 percent occurred at businesses, 21 percent occurred at educational institutions, and 16 percent on military or federal government systems. Twenty percent of the reported breaches were due to lost or stolen digital media storage devices, 17 percent were due to insider theft and 13 percent were exposed through hacking.
3 October 2008 - Most Hotel Internet Connections for Guests are Not Adequately Secured
A study from the Cornell University School of Hotel Administration found that most hotels do not take adequate security precautions on the Internet connections they provide for their customers. The study compiles data from 147 written survey responses and from visits to 46 hotels. Twenty percent of the hotel networks use simple hub topologies, making them unsecured networks. Most of the other hotel networks channel guest traffic through switches or routers, which are more secure than hubs, but still make users susceptible to man-in-the-middle attacks. The researchers recommend that the hotels set up Virtual Local Area Networks (VLANs) to best protect guests from Internet threats.
3 October 2008 - Stolen Laptop Holds Irish Health Service Executive Employee Data
A laptop stolen in Dublin, Ireland on September 17 contains personally identifiable information of several thousand Health Service Executive (HSE) staff. The compromised data include names, salaries and staff numbers; the data were not encrypted. Just weeks ago, several HSE data storage devices, including a laptop, a Blackberry and a data disk, were stolen from a medical officer's home. After that theft, HSE committed to encrypt all digital media storage devices that contain personal and medical data within one month.
3 October 2008 - 80,000+ Websites Serving Drive-by Malware Attacks
More than 80,000 websites have been "modified with malicious content" that serves exploit code to unpatched PCs of site visitors. A server containing administrative login credentials for more than 200,000 websites has been found, although not all the sites are known to be infected with the malware. The infected sites include universities, Fortune 500 companies, government systems, and the US Postal Service.
2 October 2008 - US Financial Crisis Ripe Pickings for Scammers
The mergers and acquisitions of banks resulting from the US financial crisis have provided new opportunities for online scam artists. Attacks have been seen in which the customers of a bank are asked to provide account information and other personal details to the bank's new owner for verification purposes. Banks would not ask for such information online; it would be done through paper mail.
2 October 2008 - Remote Tracking Software Used to Find Alleged Laptop Thief
A White Plains, NY man used remote tracking software to identify the person who stole his laptop computer. Jose Caceres's computer was stolen when he left it on top of his car while carrying items into his home. His initial attempts at using remote tracking software to find the culprit yielded little more than the thief's fondness for pornography, but eventually the suspect typed in his name and address while registering on a website. Caceres was able to provide police with adequate information for them to arrest Gabriel Mejia, who has been charged with grand larceny. http://www.theregister.co.uk/2008/10/02/laptop_theft_suspect_busted/print.html
30 Sept 2008 - Insurance Brokers' Data Exposed
Blue Cross & Blue Shield of Louisiana is offering one year of free credit monitoring to 1,800 insurance brokers whose personally identifiable information was accidentally exposed. In late September, the insurance company sent out an email alerting the brokers to a software upgrade; a document containing all the brokers' phone numbers, addresses and SSNs was inadvertently attached to the message. Blue Cross has asked the brokers to delete the data and confirm that they have done so; the company has made changes to ensure that a similar error does not occur. http://www.businessinsurance.com/cgi-bin/news.pl?id=14084
30 Sept 2008 - Camera Purchased on eBay Contains Sensitive MI6 Information
A man from Hemel Hempstead, England who purchased a camera from eBay for GBP 17 (US $30) found it contained data from MI6, the British Secret Intelligence Service, including pictures of rocket launchers, log-in information for an encrypted Secret Service remote computer network and detailed information about terrorist cells. The man notified police, who initially did not take him seriously. However, several days later, Special Branch officers went to the man's home and seized the camera and his computer. He was also told not to speak to the media. MI6 is trying to determine the identity of the agent responsible for the leak. In a separate case, the civil servant who left top secret documents on a train will be charged with violations of the Official Secrets Act.
30 Sept 2008 - Court Says Woman May Sue County Clerk Over Identity Theft
An Ohio appeals court has reversed a lower court decision that dismissed an identity theft lawsuit brought against the Hamilton County clerk of courts, allowing Cynthia Lambert the right to proceed with her lawsuit. Lambert had sued the clerk, Greg Hartmann, after her identity was used fraudulently following the posting of an image of a 2003 speeding ticket that contained personally identifiable information, including her Social Security number (SSN), online. Someone using a phony driver's license under Lambert's assumed identity made purchases totaling more than US $20,000. The driver's license number used by the data thief differed from Lambert's actual license number by one digit, the same error made by the recording officer at the time the ticket was written.
26 Sept 2008 - Ten Most Mysterious Cyber Crimes
While cyber crime cases that result in arrests and prison sentences are making the news more and more often, there are still major cases that have remained unsolved for years. This list of "The 10 Most Mysterious Cyber Crimes" includes both old - the hacking of a UK Ministry of Defense satellite in early 1999 - and new - the Hannaford/Sweetbay supermarket chain credit card data breach that was acknowledged earlier this year.
26 Sept 2008 - Whittington Hospital NHS Trust's Missing Disks Returned
Four disks reported missing from the Whittington Hospital NHS Trust in London have been recovered. After a memo was sent to all employees notifying them of the situation, the disks were turned in to the trust's finance department. The disks, which were password-protected, contain personally identifiable information of 18,000 trust staff members. The trust is reviewing its data handling procedures.
25 Sept 2008 - Researchers Find Users Often Click Through Dialog Windows Without Reading
An experiment conducted by psychologists at North Carolina State University found that computer users often fail to distinguish fake Windows dialog boxes from legitimate ones. Sixty-three percent of the 42 students participating in the experiment clicked OK whenever a pop-up window appeared, ignoring anomalies that should have clued them in to the potential for malicious activity. The subjects appeared to view pop-up windows as hindering their intended activity; clicking the OK button is the virtual equivalent of brushing away flies.
22 Sept 2008 - Survey Shows Two-Thirds of Organizations Have Experienced Cyber Attacks
According to the US Department of Justice's 2005 National Computer Security Survey, over two-thirds of the more than 7,800 companies responding to the survey experienced at least one cybercrime incident during that year. The incidents were classified as cyber attacks, cyber theft, or other. Three-fourths of the cyber attacks originated from outside the organizations; the same percentage of cyber thefts originated from within the organizations. More than half of the cyber thefts were reported to authorities, while just six percent of cyber attacks were reported. http://www.securityfocus.com/brief/825
The actual survey results: http://www.ojp.usdoj.gov/bjs/pub/pdf/cb05.pdf
17 Sept 2008 - Former State Dept. Intelligence Analyst Pleads Guilty to Passport File Snooping
A former US State Department intelligence analyst has pleaded guilty to unauthorized access to a State Department computer for snooping on passport records of well-known people. Lawrence Yontz could face up to a year in prison for accessing the files, which include those of major players in the current presidential race. A recent audit found "a general lack of policies, procedures, guidance and training" at the State Department's passport bureau. Yontz admitted to having perused the files of approximately 200 well-known individuals and their families; he will cooperate with the government's continuing investigation. http://blog.wired.com/27bstroke6/2008/09/idle-curiosity.html
13 Sept 2008 - Countrywide Notifying Customers of Data Breach
Personally identifiable information of as many as 2 million Countrywide customers may have been sold by data thieves, according to the mortgage company. While there have been no reports of the information being used to commit identity fraud, Countrywide is offering two years of credit monitoring to affected customers. The data were allegedly stolen by a former Countrywide employee who downloaded approximately 20,000 customer records every week for two years. Each batch was allegedly sold for US $500, or about US 2.5 cents for each record. It appears that the data were sold to other mortgage brokers.
13 Sept 2008 - Insurance Office Employee Allegedly Used Customer Data to Open Accounts
Attorneys general in 45 US states have been notified that a State Farm Insurance employee in Surprise, Arizona used customer information to obtain credit cards. The compromised data include addresses, Social Security numbers (SSNs), driver's license numbers and in some cases, bank account numbers. A company spokesperson did not specify the number of people affected by the breach. Police are investigating. All affected customers have been contacted and offered one year of free credit monitoring.
12 Sept 2008 - Former Intel Employee Charged with Theft of Trade Secrets
Former Intel Corp. employee Biswamohan Pani has been charged with theft of trade secrets for allegedly stealing proprietary company data, including information about the development of new chips. Pani allegedly accessed an encrypted system at Intel and downloaded 13 top secret documents. He had resigned from Intel in May and was taking accrued vacation time through June 11; the intrusions occurred between June 8 and June 10. Pani had already begun to work for Intel competitor AMD. The issue was discovered when an employee looked into Pani's access and download history on the system in question.
8 Sept 2008 - Arrest Warrants Issued in Connection with Customer Data Found on Discarded Disks
Two disks found in a trash pile near a Seoul, Korea subway station contain personal information of 11.1 million GS Caltex customers. GS Caltex is one of South Korea's largest oil refineries. The information correlates to data gathered through the company's bonus card membership sign-up; the bonus card gives customers discounts at filling stations. The card does not contain bank or credit card account information. GS Caltex said there is no evidence that their systems were breached by an outsider and suggested that it may have been an inside job. Arrest warrants have been issued for three GS Caltex employees.
5 Sept 2008 - Iowa County Officials Planned to Sell Data
An organization made up of county officials in Iowa has admitted that it was negotiating with Data Tree for access to county mortgage records and other documents that contain personally identifiable information of Iowa residents. IowaLandRecord.org, the organization, had planned to sell Data Tree its database and updates in the future for US $11,750 a month. The officials agreed to hold off on the deal when state legislators became concerned about the situation. The site is maintained by the Iowa County Recorders Associations. The site has been inaccessible since last week, shortly after the issue was made public in The Des Moines Register. The site is estimated to hold more than 10 million records.
5 Sept 2008 - Lost Drive Holds Prison Officers' Data
UK Justice Secretary Jack Straw has launched an inquiry into the loss of a computer drive that holds personally identifiable information of 5,000 justice staff members. Prison officers threatened to strike after they learned of the incident. The disk was in the possession of EDS, a government contractor, when it was lost; the last time anyone at EDS saw the disk was July 2007, but the Prison Service was not notified that the disk was missing until July 2008. http://www.guardian.co.uk/society/2008/sep/08/prisonsandprobation.justice/print
2 Sept 2008 - Guilty Verdict in Filesharing Case Prompted by Evidence Tampering
A man in Arizona has been ordered to pay US $40,850 for copyright infringement. Jeffrey Howell had been set to stand trial for placing songs in a shared folder of the Kazaa filesharing program. However, the case will not go to trial because the judge agreed with the plaintiff's request for a verdict on the grounds that the defendant had tampered with and destroyed evidence. Howell formatted his computer's hard disk, ran a data deletion program and reinstalled the operating system even after he had been served the complaint against him.
28 August 2008 - Number Affected by Bank of New York Mellon Corp Breach Increases
The estimated number of people affected by a data breach at Bank of New York Mellon Corp has been raised from 4.5 million to 12.5 million. In February, the bank lost between six and ten unencrypted backup tapes containing customer names, addresses, birth dates and Social Security numbers (SSNs). In May, Connecticut Governor M. Jodi Rell launched an investigation into the incident, which affected hundreds of thousands of Connecticut residents. http://www.reuters.com/article/domesticNews/idUSN2834717120080828?sp=true
27 August 2008 - Computer Purchased on eBay Holds Bank Customers' Data
The UK Information Commissioner's Office is investigating an incident in which a used computer sold on eBay still held personally identifiable information of one million bank customers. The affected banks plan to also launch investigations. The computer, which was purchased for GBP 35 (US $64) in an eBay auction, belonged to Graphic Data UK Ltd, a document management services firm; a spokesperson for the company called the incident an "honest mistake." The information includes names, account numbers and signatures. The computer and another piece of equipment purchased at the same time by the same buyer were returned to Graphic Data. Graphic Data is owned by Mail Source UK.
27 August 2008 - Six Arrested in Taiwan for Data Theft
Six people have been arrested in Taiwan in connection with the theft of personal data from a variety of organizations. The stolen data include information about Taiwan's current and former presidents. More than 50 million records are believed to have been stolen from government agencies, state-run organizations, telecommunications companies and a television shopping network; the suspects allegedly tried to sell the data for about US $10 per record. If they are convicted, they each face up to five years in prison.
21 August 2008 - UK Government Depts. Lost 29 Million Records in One Year
In the last 12 months, UK government departments have lost 29 million records containing personal data. The government asked for departments to include data loss on their financial statements after the loss of two disks containing personally identifiable information of 25 million child benefit claimants last year. The remaining four million lost records include those of three million driving test candidates reported by the Department of Transport and 620,000 on an unencrypted Ministry of Defence laptop. In a related story, the Home Office learned earlier this week that an outside contractor lost a memory stick containing personal information about thousands of criminals in England and Wales. The Information Commissioner has been notified.
20 August 2008 - Gaming Industry to Go After Illegal Filesharers
The computer game industry plans to send letters to people in the UK who are suspected of illegally sharing games over the Internet, asking them to pay GBP 300 (US $563) to preclude further legal action. This week, a judge ruled that Isabella Barwinska must pay GBP 16,000 (US $30,053) to Topware Interactive for putting a copy of the company's Dream Pinball game on a filesharing site. A law firm representing five computer game makers "is applying to the High Court for an order requiring Internet Service providers to hand over the names and addresses of 25,000 individuals suspected of illegally downloading computer games."
20 August 2008 - FEMA PBX System Breached
A recently installed voicemail system at the US Federal Emergency Management Agency (FEMA) was breached last weekend and used to make US $12,000 worth of phone calls to numbers in the Middle East and Asia. The system is a Private Branch Exchange (PBX); attacks on this type of system have been around for years, and trained administrators know how to put security measures in place. FEMA is part of the US Department of Homeland Security (DHS), which issued a warning about this type of attack five years ago. The incident is under investigation. http://www.msnbc.msn.com/id/26319201/
11 August 2008 - BBC Apologizes for Losing Children's Data
The BBC has sent letters of apology to the parents of approximately 250 children whose personal information was on a flash drive that was stolen. The data were on the device because the children had signed up for a cooking program. The data include names, addresses, phone numbers, and dates that the children and their families would be away on vacation. The drive was in the possession of an employee of an independent production company that was making the show.
7 August 2008 - Texas Hospital Patient Data on Missing USB Drive
A hospital administrator in Texas apparently downloaded sensitive patient information to a flash drive that was later reported lost or stolen. The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to take measures to protect patient data from exposure. The associate administrator for Harris County Hospital District allegedly placed records of 1,200 patients with HIV, AIDS and other medical conditions on the storage device. The data, which include names, Social Security numbers (SSNs), medical conditions and treatments, were not encrypted or password-protected.
2 August 2008 - Former Employee Arrested in Calif. Supermarket ATM Scam
Police in California have arrested Raymond Kurt Fisher in connection with an ATM theft scheme that cost shoppers at Lunardi's, a Los Gatos supermarket, approximately US $300,000. Fisher was employed at Lunardi's until his arrest, when he was fired. The fraudulent withdrawals occurred in March and April 2008. The card reader at the ATM was modified to capture card data, including card numbers and PINs. Fisher is being held on charges of burglary, conspiracy and drunk driving. Authorities did not rule out the possibility of additional arrests in connection with the case. http://www.nbc11.com/news/17066606/detail.html
1 August 2008 - Two Arrested in Connection with Theft and Sale of Countrywide Loan Applicant Data
A former Countrywide Financial Corp. employee is accused of stealing loan applicant information and selling it to others in the mortgage industry who used the data to offer new loans to the applicants. Rene L. Rebollo Jr. allegedly used a work computer that lacked the security of other office computers to copy information of approximately 20,000 customers at a time onto a flash drive. The stolen data include Social Security numbers (SSNs). Last month, Rebollo voluntarily surrendered the flash drive and a personal computer to the FBI. Rebollo's attorney later placed a call to the FBI saying that his client had revoked his permission for the FBI to search the devices. Another man, Wahid Siddiqi, was also arrested; he allegedly sold disks of Countrywide data to a witness who was working for the FBI. Rebollo has been charged with exceeding authorized access to the computer of a financial institution.
Authorities believe Siddiqi acted as a middle-man in the data theft and sale operation.
25 July 2008 - College Student in Jail for Alleged ID Theft
College student Christopher Fowler is in jail for allegedly stealing his professor's identity to access the school's computer network and change his grades. Investigators also allege that Fowler broke into the Georgia Highlands College VoIP system to eavesdrop on phone conversations. Charges against Fowler include unlawful surveillance or eavesdropping and computer trespass; he could also be charged with identity theft.
24 July 2008 - Texas Clinic Patient Data Stolen, Used in Payday Loan Fraud
The personal information of more than 500 patients at medical clinics in Fort Bend County, Texas was stolen and used to commit fraud.
Thirty-eight people have been indicted in connection with the identity theft ring. Two people are suspected of having stolen patient data while employed at the clinics, one is accused of using the information to obtain payday loans totaling more than US $230,000 and the rest are suspected of being involved in efforts to launder the stolen funds.
14 July 2008 - Former Analyst at Certegy Sentenced to Over 4 Years in Prison
A man has been sentenced to four years and nine months in jail and fined US $3.2 million for his part in the theft of 8.4 million consumer records from Certegy Check Services. William G. Sullivan, who worked as an analyst for Certegy, exceeded his authorized computer access to steal personal banking details (bank account data or credit/debit card data) of over 5.3 million customers. Sullivan then sold that information to his co-conspirators for US $580,000. He claimed he took part in the scheme because he had no retirement plan and his wife was not working. http://tampabay.bizjournals.com/tampabay/stories/2008/07/07/daily59.html
12 July 2008 - Former HP Executive Pleads Guilty to Passing IBM Trade Secrets
Atul Malhotra pleaded guilty before the San Jose District Court to one count of theft of trade secrets. His sentencing is scheduled for October 29th, when he could face up to 10 years in jail and a fine of up to US $250,000. While a director in IBM's global services department, Malhotra received a report containing "Trade Secret" information on IBM's calibration metrics. Each page in the report was marked "IBM Confidential". In May 2006, two months after receiving the report, Malhotra moved to Hewlett Packard as vice president of imaging and printing services. In late July of that year Malhotra sent an email to an HP senior vice president with an attachment containing the IBM calibration metrics document. He also sent the same document to another HP senior vice president. Upon discovering the nature of the document, HP reported the incident to both IBM and law enforcement. According to an HP statement, "The activity with which Malhotra is charged was in direct violation of clear HP policies, including HP Standards of Business Conduct,"
12 July 2008 - Homer Simpson Spreading Malware to AIM Users
An email address, firstname.lastname@example.org, used by the Homer Simpson character in a 2003 episode in the cartoon series "The Simpsons," is being used to spread malware to unsuspecting AIM users. The email address used in the episode was a real address and employed by the TV studio to respond to queries from fans of the show. The address became defunct, but has now resurfaced and is being used to spread a Trojan.
AOL users who have the email address in their buddy list receive a message with a link promising a web exclusive video of the show. The link leads to a malicious site which attempts to recruit the computer into a botnet controlled by Turkish hackers.
11 July 2008 - Army Laptop Recovered
A 17-year-old teenager has been arrested in relation to the theft of a laptop containing personal information on 700 soldiers based at Fort Lewis, WA. Police recovered the laptop when they arrested the teenager.
The laptop was reported stolen on July 4 from the seat of an Army employee's Dodge truck. A 500 GB removable hard drive was also taken in the theft. The employee "appears to have violated Army standards and policies for protecting personal information and government property" by leaving the laptop and the removable hard drive overnight in the vehicle, which was unlocked.
30 June 2008 - More Than 630,000 Laptops Lost at Airports Each Year
A Ponemon Institute survey of 106 airports in 46 states found that as many as 637,000 laptops are reported lost each year. Overall, more than 12,000 laptops are reported lost at the airports every week, and 67% are never recovered. The 36 largest US airports account for more than 10,000 lost laptops each week. The laptops are most commonly lost at security checkpoints and departure gates. The survey also included feedback from 864 business travelers: 53% said their laptops held confidential data; 42% said their data was not backed up; 16% said they would do nothing if they lost a laptop while traveling on business; 77% said the chance of recovering a lost laptop was less than ten percent. The study was commissioned by Dell, which has just released "a suite of data protection and asset protection services," including laptop tracking and remote data deletion.
30 June 2008 - Man Convicted in P2P Copyright Infringement Case
Daniel Dove has been convicted on charges of conspiracy and felony copyright infringement for operating a website where people uploaded pirated content for others to download. The US Department of Justice says this is the first criminal conviction for peer-to-peer copyright infringement. According to prosecutors, Dove helped distribute the pirated content with BitTorrent technology. He faces up to 10 years in prison.
26 June 2008 - City Employee Resigns After Password-Sniffing Software Found on Computer
Timothy Nagel resigned from his position of computer support specialist for the city of Bowie, Maryland after a routine security sweep discovered password-sniffing software on his computer. The program was harvesting password data entered into City Hall computers from one of the city network's servers. Staff members were advised to change their passwords. A private company has been hired to investigate the breach.
26 June 2008 - Former Employee Allegedly Deleted Organ Bank Data
Danielle Duann has been indicted for allegedly breaking into the computer system at an organ bank and deleting patient data. Duann allegedly accessed the LifeGift Organ Donation Center database shortly after she was fired from her position as technology director at the Houston, TX organ bank, despite the fact that her administrative rights and passwords were revoked upon her termination. She then allegedly deleted database records and accounting invoice files. The lost data were restored from backups. If she is convicted, Duann could face up to 10 years in prison and a US $250,000 fine.
17 June 2008 - Casino Workers Indicted for Allegedly Stealing Customer List
Three casino workers have been indicted on charges related to the theft of a list of more than 20,000 "top level players" from the Tropicana Casino and Resort in Atlantic City, NJ. The three were once employed at the Tropicana, but have since left for jobs at other casinos. The data on the list include names, addresses, and gambling data. John Conklin, Justin Litterelle and James DiMarco were all charged with theft by unlawful taking, computer theft and conspiracy. Conklin also faces a charge of witness tampering for allegedly having a lawyer make Litterelle sign a false affidavit saying that Conklin had not asked him to download the information.
9 June 2008 - 22 Percent of European PC Users Say They Were Hit by Cyber Crime
A study of 7,000 European PC users found that 22 percent have experienced some type of cyber crime. When asked if they believed they would ever be victims of certain types of crimes, 34 percent of respondents said they believed they would experience cyber crime, while 22 percent said they would likely be hit by burglary. Among specific countries, 32 percent of Italian people had experienced cyber crime, while 31 percent of UK respondents said the same thing. The survey was conducted by Ipsos on behalf of AVG Technologies.
5 June 2008 - Stolen AT&T Laptop Holds Unencrypted Management Compensation Data
A laptop stolen on May 15 from an AT&T employee's car contains unencrypted "AT&T management compensation information, including names, Social Security numbers (SSNs), and [some] salary and bonus information." Affected employees were notified eight days after the theft. The breach affects people throughout the US.
5 June 2008 - Stolen Computer Holds Canadian Farmers' Data
A laptop stolen from a programmer working for the Canadian Canola Growers Association contains personally identifiable information of approximately 32,000 Canadian farmers. The compromised data include bank account numbers and social insurance numbers of farmers who have applied for Agriculture Canada's advance payment programs. Those affected by the breach have been notified by letter. Security measures on the stolen laptop include strong password protection and a biometric fingerprint reader.
4 June 2008 - Study Tracked People by Cell Phone for Six Months
A study of 100,000 people's movements based on cell phone use found that nearly 75 percent stayed within a 10-mile radius of home over the course of six months. The study was conducted by Northeastern University in Boston without participants' knowledge in an unnamed European country; in the US, such a study would be illegal. The locations were noted whenever the people sent or received a phone call or text message.
Precise locations were not known; locations were tracked through the nearest cell phone tower. The information gathered about people's travel patterns could be used to help design transportation systems or predict the spread of disease.
4 June 2008 - UC Irvine Students' Tax Returns Filed Fraudulently; United Healthcare Identified as Source of Data Leak
United Healthcare has been pinpointed as the source of the data leak that exposed personally identifiable information of 1,132 University of California Irvine (UCI) graduate students. The breach affects UCI graduate students who used the UCI Graduate Student Health Insurance program. The breach came to light in February, 2008 when a number of students attempted to file their tax returns electronically only to be informed by the IRS that their returns had already been filed and their refunds collected. All 155 people who experienced the problem used the aforementioned healthcare program; the breach affects students enrolled in the program for the 2006-2007 academic year.
29 May 2008 - BPO Owner Allegedly Stole and Sold Former Customer's Data
The owner of a business processing outsourcing (BPO) company in Ahmedabad, India is accused of stealing data from a Florida company and selling the information to that company's rivals within the US. The data are valued at Rs 1 crore (US $233,809). Noble Ventures Inc, the Florida company, cancelled its contract with Maulik Dave's company more than three months ago. After the contract was cancelled, Dave allegedly broke into Noble Ventures' database, stole 8.5 million records and sold them.
29 May 2008 - Man Arrested and Charged in Online Brokerage Account Fraud Scheme
Michael Largent has been indicted on charges of computer fraud, wire fraud and mail fraud for allegedly exploiting a common practice at online brokerages of sending tiny deposits to new accounts to verify their authenticity. Largent allegedly collected nearly US $50,000 by setting up thousands of online brokerage accounts under phony names as well as his own, one of a series of missteps that led authorities to discover his identity. Largent also allegedly used a small range of IP addresses through which he created the phony accounts, another clue that helped point to his identity.
29 May 2008 - Commerce Dept. Laptop May Have Been Breached During Dec. Trip to China
Anonymous sources say that an investigation is underway into whether the contents of a government laptop were copied during Commerce Secretary Carlos M. Gutierrez's December trip to China. The information may have been used to gain access to Commerce computers; following Gutierrez's return, US CERT was called to the Department of Commerce three times to manage serious intrusion attempts.
19 May 2008 - 38 Charged in Phishing Scheme
Two US federal indictments charge 38 people in the US and Romania in connection with a phishing scheme designed to steal credit and debit card numbers. The information was used to manufacture phony credit and debit cards, which were in turn used to withdraw funds from various accounts. The charges include conspiracy to violate the Racketeer Influenced and Corrupt Organizations (RICO) Act, conspiracy in connection with access devices, unauthorized access to a protected computer, bank fraud, and aggravated identity theft.
18 May 2008 - Card Skimming Scheme Nets One Million Euro From Irish Bank Accounts
Fraudsters have stolen approximately one million euro (US $1.55 million) from 300 Irish bank accounts. The thieves apparently worked with store and restaurant employees in the Dublin area to skim credit cards and shoulder surf for their associated PINs. The information was then used to withdraw funds in various countries in mainland Europe.
16 May 2008 - American Arrested in Korea for Alleged Cyber Extortion
Korean police have arrested an American man for allegedly breaking into a computer system of a Korean savings bank. The man, identified only by the initial "J," allegedly encrypted the customer database and then attempted to extort money from the bank to release the information. The man has been on a work visa in Korea since 2003.
10 April 2008 - Student Arrested for High School Data Theft
A Joliet West High School student allegedly downloaded the names and
Social Security numbers (SSNs) of all the school's students onto an
iPod. Police became aware of the situation after the student showed the
information to other students, who then notified a teacher. George C.
Janecek has been arrested and charged with computer tampering, a
misdemeanor. He is in the ROTC program at his school which allowed him
access to a school computer to work on the ROTC website.
7 April 2008 - Lost Disk Holds Data on 370,000 HSBC Customers
The UK's Financial Services Authority will investigate the loss of a
disk containing personally identifiable information of 370,000 HSBC
customers. The compromised data include names, dates of birth, and life
insurance information, but no bank account information. The disk was
being sent from HSBC to a reinsurance firm. The disk was not encrypted.
Normally, the data are transferred electronically, but because the
system was down, HSBC sent the information on disk through the post.
7 April 2008 - Pfizer Data Security Breach
Pfizer has experienced another data security breach. A laptop stolen
from a contractor's home contains personally identifiable information
of approximately 800 current and former Pfizer employees and
contractors. The data include names, credit card numbers, and card
expiration numbers. The theft occurred on February 7, 2008; an incident
notification letter the company sent to attorneys general in several
states was dated March 19. In 2007, Pfizer suffered four data security
breaches that compromised personally identifiable information of more
than 52,000 individuals.
3 April 2008 - Software Engineer Indicted for Theft of Trade Secrets
Hanjuan Jin, a former software engineer for a Chicago-based telecommunications
company, has been indicted for allegedly stealing trade secrets from a
telecommunications company and attempting to take the data to China.
When her luggage was searched at O'Hare International Airport in
Chicago, authorities discovered confidential technical documents and
computer memory devices holding documents that belong to an unnamed
company. Customs agents retained the documents and equipment. The
intellectual property in the case is estimated to be worth US $600
7 April 2008 - Kraken Botnet Twice as Large as Storm
The Kraken botnet is believed to be more than twice the size of the
Storm botnet. Just 20 percent of antivirus (AV) packages are presently
detecting Kraken, which comprises more than 400,000 zombie machines;
Kraken is hard to detect because its code morphs. Researchers are still
trying to determine how Kraken works its way into apparently
well-fortified systems. One known technique it uses is to copy itself
to infected computers' hard drives in an altered form that can be used
to reinfect the machine if AV programs are eventually able to identify
the original file. The Kraken botnet is used primarily to send spam.
7 April 2008 - NIH Workers May Not Store Sensitive Data on MacBooks
A National Institutes of Health (NIH) agency memo forbids employees from
storing sensitive data on MacBook laptop computers. As of April 4, all
NIH laptops running Windows or Linux operating systems must have the
Pointsec encryption tool; Windows Vista users may also use that
operating system's BitLocker disk encryption tool. There is presently
a beta version of Pointsec for MacBooks, but not an approved version.
The ban on MacBooks holding sensitive data applies to contractors as
well as in-house employees.
3 April - US Legislator's Data is on Missing NIH Computer
A US legislator whose personal information is on a laptop computer
stolen from a National Institutes of Health (NIH) researcher's car wants
the inspector general at the Department of Health and Human Services to
conduct an investigation. Among the questions Representative Joe Barton
(R-Tex.) wants answered is whether or not NIH has an effective means of
contacting individuals affected by such a breach; at least one person
did not learn his information was on the computer until he contacted NIH
himself. It is also unclear whether or not the laptop was encrypted and
why the initial estimate of affected individuals fell short by 500.
1 April 2008 - Laptop Hacked in Contest Makes Brief Appearance on eBay
The man who won a laptop computer he hacked in a contest at the
CanSecWest conference last week made a short-lived attempt to sell the
machine on eBay. Shane Macaulay had offered the Fujitsu U810 Windows
Vista-equipped laptop, saying that it was possible his exploit code
could be derived from the machine. eBay removed the listing because
they do not allow the sale of "anything that would do harm." Macaulay
also received a US $5,000 cash prize for his successful hack of the
computer. Macaulay's attack exploited a flaw in Adobe Flash Player.
Adobe researchers say they knew of the flaw before Macaulay's attack and
that they plan to patch it later this month.
26 March 2008 - 42 Months in Prison for Data Theft and Card Fraud
Former Compass Bank programmer James Kevin Real was sentenced to 42
months in prison for stealing a hard drive containing customer data and
using them to commit identity fraud. Real was also ordered to repay
more than US $32,000 that he and an accomplice stole from customers'
accounts. Real used the stolen data to create 250 phony debit cards;
he used 45 of them to commit fraud. Court documents indicate the data
were stolen in May 2007 and that the fraud occurred in June and July
2007. Alabama is just one of 11 states that do not require consumer
notification of personal data breaches.
24 March 2008 - Stolen Laptop Holds NIH Clinical Trial Data
A laptop computer containing unencrypted personal information of 2,500
National Institutes of Health (NIH) study participants was stolen from
a locked car trunk in February. NIH waited nearly a month before
notifying affected individuals. The clinical trial information includes
names, diagnoses, hospital medical record numbers and MRI data, but no
Social Security numbers (SSNs) or financial information. Government
policy requires that portable electronic devices have encryption
software. An NIH statement indicates that the agency is taking steps to
ensure that all devices have encryption and that personally identifiable
information not be stored on laptops.
22 March 2008 - Stolen Computer Holds Unencrypted Agilent Employee Data
Agilent Technologies has sent letters to 51,000 current and former
employees notifying them that their personally identifiable information
was on a laptop computer that was stolen on March 1. The unencrypted
data include names, addresses, SSNs, and stock option information. The
laptop was stolen from a vendor's car; Agilent's letter places the blame
on that vendor - Stock & Option Solutions - for not encrypting the data.
A former employee who received a notification letter said, "Agilent
should have put all of the data into an encrypted format to begin with."
20 March 2008 - Former Employee Gets Probation for Destructive Cyber Intrusion
Joseph Patrick Nolan was sentenced to four years probation for breaking
into his former employer's computer system and destroying data. Nolan
destroyed records from Pentastar Aviation's personnel and payroll
operations, costing the company more than US $50,000. Nolan was also
ordered to pay Pentastar US $1,158. Nolan resigned from Pentastar in
January 2007; the intrusion occurred in February of that year. He was
then employed by the city of Ann Arbor's Information Technology
Department until May 2007.
18 March 2008 - 51-Month Sentence for Stealing Data Through Limewire
Gregory Kopiloff has been sentenced to 51 months in prison for
stealing personally identifiable information of 50 people through
P2P (peer-to-peer) filesharing programs. Kopiloff pleaded guilty
to mail fraud, computer hacking, and aggravated identity theft.
Kopiloff accessed tax returns, credit reports, bank statements and
other financial documents through the Limewire filesharing program.
He then obtained credit cards with the information and ran up US
$76,000 in fraudulent charges. Kopiloff will be on probation for three
years following his release and was also ordered to pay compensation.
13 March 2008 - Lost and Found Memory Stick Holds Police Data
A passerby in Hertfordshire, England found a memory stick in the gutter
that contained confidential police information. The unencrypted data
included the names and addresses of offenders as well as the types of
vehicles they drive and details about their offenses. A police
spokesperson acknowledged that a device was lost on March 5 and turned
in several hours later.
11 March 2008 - MTV Data Breach Exposes 5,000 Employees' Personal Data
A compromised Internet connection on an MTV Networks employee's computer
led to a data breach that exposed personally identifiable information
of approximately 5,000 MTV employees. The data include names, Social
Security numbers (SSNs), and compensation information. Someone external
to the company breached the files, though it is unclear whether the
files were opened. MTV is conducting an internal investigation and
employees have been notified.
11 March 2008 - 40,000 NY Insurance Subscribers' Data on Lost Computer
Forty thousand members of HealthNow New York have been notified that
their personal information was on a laptop that has been missing for
several months. The data include names, dates of birth, SSNs, employer
group names and health insurance identifier numbers, but not health or
medical claim information. HealthNow does not plan to issue new
identification numbers to all affected members, but will comply with
individuals' requests to do so. The laptop was not encrypted, and the
organization has severed the computer's access to the corporate network.
10 March 2008 - Music Labels Want Irish ISP to Help Fight Piracy
Irish Internet service provider (ISP) Eircom may be compelled to take
steps to prevent illegal music downloading if four major record labels
have their way. The four - EMI Records (Ireland) Ltd, Sony BMG Music
Entertainment (Ireland) Ltd, Universal Music (Ireland) Ltd, and Warner
Music (Ireland) Ltd - have brought a High Court action in an attempt to
force the ISP to use technology specially designed to identify and stop
the illegal activity. Eircom has thus far refused to employ
technological filtering and blocking technologies to stop illegal
downloads. One record company executive cited a 30 percent drop in
sound recording sales since 2001.
8 March 2008 - Brothers Receive Prison Sentences for Selling Pirated Software
Brothers Maurice A. Robberson and Thomas K. Robberson have been
sentenced to prison for selling pirated software online. Together, the
brothers made more than US $1 million by selling counterfeit software
worth more than US $6.5 million. Both men have agreed to forfeit all
they earned from their business. Maurice was sentenced to three years
in prison, while Thomas received a sentence of 30 months. Two other
people involved in the scheme have already been sentenced. The pirated
software included products from Adobe Systems, Autodesk, and Macromedia.
6 March 2008 - Man Indicted in South Korea for Intellectual Property Crimes
A former LG Electronics employee has been arrested and indicted for
giving technology from LG to a Chinese company, according to South
Korean prosecutors. The man, identified only as Jeong, allegedly took
a portable hard drive with information about plasma display technology
when he left the company and later gave the information to his new
employer, the Chinese company COC. Another former LG employee and one
who still works for the company have also been indicted for assisting
Jeong. LG maintains that the theft and sharing of the proprietary
information could cost the company as much as 1.3 trillion won (US $1.35
6 March 2008 - Children's Personal Data on Stolen Memory Stick
A memory stick plugged into a laptop computer stolen from a Shropshire
(UK) medical center holds personally identifiable information of more
than 200 children. The computer "had been fitted with encryption
software to comply with ... NHS security standards" and its remote
access has been disabled to prevent it from connecting to the NHS
network. It also had tracking technology installed. The data on the
memory stick include names, dates of birth, addresses and information
about the treatment they received for speech and language therapy.
Patients and their families were notified promptly.
4 March 2008 - Judge Allows RIAA to Subpoena Univ. to Obtain Students' Identities
A federal judge has granted a request from the Recording Industry
Association of America (RIAA) to subpoena the University of Arizona (UA)
to surrender information identifying 14 students the RIAA believes have
violated copyright law. Universities usually have 30 days to comply
with the subpoenas; the RIAA is likely to contact UA within the next
week. The RIAA sent 14 prelitigation letters to the university in early
December; the students have been identified only as John Does. UA
decided not to send those letters on to the students.
3 March 2008 - NJ Legislator Wants Investigation Into Stolen Insurance Company Laptop
New Jersey State Senator Kevin O'Toole (R-40) has called for a hearing
to investigate the circumstances surrounding the theft of a laptop that
holds personally identifiable information of more than 300,000 Horizon
Blue Cross/Blue Shield of New Jersey subscribers. The computer was
stolen from an employee's home in January. Senator O'Toole wants to
know how many other laptops hold Horizon subscriber data and wants
Horizon's data privacy practices closely examined. Horizon has said that
security procedures designed to protect data were not followed in this
3 March 2008 - Encryption Pays Off for VA
Security measures put in place at the Veterans Affairs department (VA)
after the widely publicized theft of computer equipment in 2006 have
proven to be effective. A laptop stolen last month from the home of an
employee at the VA's Austin (TX) Corporate Data Center was encrypted,
and department officials knew precisely what data were on the computer.
The employee had permission to have the computer at home and had locked
it down to furniture.
SAI Note: It's nice to finally see a positive awareness news story!!!
3 March 2008 - Virginia Supreme Court Upholds Spammer's Conviction
By a vote of 4-3, the Virginia Supreme Court upheld the felony
conviction of Jeremy Jaynes, who in 2004 was found guilty of spamming
and sentenced to nine years in prison; it was the first felony
conviction for spamming in the US. Jaynes and his lawyer maintained
that the Virginia law under which he was convicted violates both the
First Amendment and the interstate commerce clause of the US
Constitution, but the court rejected those claims.
1 March 2008 - Prison Time for Data Thieves
Two people have received prison sentences for their roles in a data
theft scheme that victimized patients of the Kelsey-Seybold Clinic in
Houston, Texas. Former insurance analyst Kretia Lutriel Griffin stole
personal data belonging to approximately 200 of the clinic's patients.
She sold them to Aubry Johnson, who used the information to open charge
accounts at various stores. Johnson was sentenced to seven years in
prison for access device fraud and aggravated identity theft. Griffin
received a two-year sentence for conspiracy. The clinic has notified
patients whose data were compromised. A clinic spokesperson said that
no medical data were involved. http://www.chron.com/disp/story.mpl/headline/metro/5583753.html
25 February 2008 - Workers Often Peek at Customer Data
Documents made public in a lawsuit indicate that employees throughout
Wisconsin utility company WE Energies were accessing data about friends,
family members, politicians, and others. Several years ago, a WE
Energies employee leaked information about a mayoral candidate.
Following that incident, the company began paying closer attention to
which accounts its employees were accessing; 17 people were fired
between 2005 and 2007. Federal agencies are struggling with similar
25 February 2008 - Stolen Laptop Contained Psychiatric Patient Data
A laptop computer stolen from a NHS doctor's home in 2005 held extremely
sensitive medical information about 190 psychiatric patients. The
computer is one of approximately 180 devices reported missing or stolen
from public institutions in the Lothians region of Scotland over the
last five years.
23 February 2008 - Woman Indicted on HIPAA Violation
An Oklahoma woman has been indicted on charges of violating the Health
Insurance Portability and Accountability Act (HIPAA). The federal
indictment alleges that Leslie A. Howell provided patient information
from an unnamed counseling center to two individuals, knowing that they
intended to use the information to commit "access device fraud" and
identity theft. If she is convicted of charges against her, Howell
could face up to 10 years in prison and a fine of up to US $250,000.
18 February 2008 - Woman Fined for Intercepting Nanny Agency eMail
A woman has been fined GBP 500 (US $975) for reading email messages from
her previous employer's account. Susan Holmes had worked for a nanny
agency that accepted registration forms through an AOL email account.
The company neglected to change the account password after Holmes left,
which allowed her access to the information. The company became
suspicious after a noticeable decline in the amount of email they
received on the account in the first few months of 2007. AOL
connection logs revealed IP addresses that eventually led to Holmes
being identified as the culprit. Last week, she pleaded guilty to
unauthorized access to a computer, in violation of section one of the
Computer Misuse Act 1990.
16 February 2008 - Former Intern Arrested for Allegedly Accessing City eMail
A former intern for a San Jose (CA) city councilman has been arrested
for breaking into the city's email system. Eric Hernandez worked as an
intern for Councilman Sam Liccardo; during his work there, he created
email accounts for Liccardo's staff and knew the account passwords.
Hernandez was allegedly trying to find information about another
Liccardo staff member with whom he was angry; he planned to give the
information to a blog and a newspaper. Hernandez faces up to three years
in prison for the felony charge made against him.
15 February 2008 - Halifax Bank Blocks Credit Card Payments to WoW Publisher
The UK's Halifax bank has decided to block credit card payments to World
of Warcraft publisher Blizzard Entertainment after noting that an
unusually large number of payments being made through the company's
gaming sites involved stolen credit card information. Customers who
want to subscribe to Blizzard game sites with Halifax or Bank of
Scotland credit cards can contact the bank and make arrangements for the
payments to go through. It is not apparent that other banks or
financial institutions have followed Halifax's lead.
14 February 2008 - Nine Sued for Selling Pirated Software on eBay
The Software & Information Industry Association has filed lawsuits
against nine people for allegedly selling pirated software on eBay. The
lawsuits were filed on behalf of Symantec and Adobe as part of SIIA's
Auction Litigation Program, which offers rewards in the form of credit
toward legitimate copies of software to people who turn in those selling
the counterfeit software. The SIIA's antipiracy program has already
helped them catch other sellers of counterfeit software.
14 February 2008 - Bloodbank Donor Information on Missing Computers
Approximately 320,000 people who donated blood through Lifeblood in
Memphis are at risk of identity fraud after two laptop computers were
reported missing from the company. Lifeblood has enhanced its security
practices since the incident. Areas where laptops are kept now have
more stringent access restrictions as well as closed circuit monitoring.
Software installed on company laptops allows their locations to be
tracked remotely and provides a means for erasing the computers' hard
drives should they be lost or stolen. Finally, the company has altered
the programming so that complete Social Security numbers (SSNs) are not
downloaded to mobile computers. The missing computers were reported to
Lifeblood management in early January; the company decided to refrain
from making the incident public knowledge until all affected donors had
14 February 2008 - Woman Sues Best Buy for US $54 Million Over Lost Laptop
A woman has filed a US $54 million lawsuit against Best Buy for losing
her computer. Raelyn Campbell acknowledges that the amount far exceeds
replacement cost and compensation, but she wants to draw attention to
the "reprehensible state of consumer property and privacy protection at"
Best Buy. Campbell says that her computer was stolen from the Best Buy
store and that employees falsified records to hide that fact. She also
says they lied to her for weeks about the status of her computer.
Campbell brought her computer in for repairs in May 2007, and filed the
lawsuit in mid-November.
12 February 2008 - Unencrypted UK Army Laptop Left in Pub
A UK Army captain left a laptop computer containing sensitive
information in a pub. The unencrypted data include personal information
pertaining to more than 200 soldiers, information about military exercises and
weapons store locations. Cabinet Secretary Sir Gus O'Donnell recently
ordered that laptops containing unencrypted data not be removed from
government offices. The laptop was handed in by the person who found
it in the pub.
11 February 2008 - Spanish Police Arrest 76 for Internet Fraud
Seventy-six people arrested by Spanish police are believed to have
stolen more than 3 million Euros in a variety of Internet fraud schemes.
Some of the suspects allegedly sold expensive merchandise on auction
sites but never sent the items. Other suspects allegedly used stolen
bank account information, probably stolen in a phishing scam, to siphon
money into their own accounts.
11 February 2008 - Russian Computers Sending an Increasing Share of Spam
Experts at SophosLabs scanned all spam messages received in the
company's global network of spam traps, and found a dramatic rise in the
proportion of the world's spam messages being sent from compromised Russian computers. Russia now accounts for one in twelve junk mails
seen in inboxes. Between October and December 2007, the USA relayed far more
spam than any other country, because so many US computers have been
taken over by remote hackers.
7 February 2008 - South Bend Hospital Employee Data on Missing Computer
A laptop computer holding personally identifiable information of
approximately 4,300 current and former employees of Memorial Hospital
in South Bend, Indiana was lost last November. The data were on an
employee's computer that was lost while she was traveling; the computer
was not encrypted.
29 January 2008 - Go Phish: Watch Out For These 10 Scams
Fools and their money have never been more quickly parted than in
cyberspace. Here's a list of top phishing scams to avoid.
13 January 2008 - Malware Hiding on Digital Devices
There have been three reports of consumers who found that digital
picture frames attempted to install malware on devices connected to the
frame. The frames were sold in different branches of the same store,
suggesting that the source of the infection was the factory or some
point during shipping. The malware appears to be a Trojan horse program
that hides itself like a rootkit once on a computer and tries to disable
the computer's ability to access anti-virus tools. The incidents
illustrate the necessity for users to be wary of all digital devices
with onboard memory. There have also been reports of hard disk drives
and digital music players attempting to install malware on computers.
These incidents appear to have been accidental, related to the
manufacturing process, but some believe it is just a matter of time
before such infections are intentional and malicious. It is also
possible that the items were purchased and returned, which would make
it possible for someone to install malware on a device and then return
10 January 2008 - Former Cox Employee Gets Prison Time for Causing Outage
William Bryant has been sentenced to five months in prison and five
months of home confinement for sabotaging his former employer's computer
system. He was also ordered to serve two years of supervised release,
perform 200 hours of community service, and pay more than US $15,000 in
restitution. Bryant worked at Cox Communications, which provides
computer and telecommunications services across the US. When Bryant was
asked to resign from Cox, he remotely shut down parts of the company's
network, which resulted in loss of services to customers in Texas, Las
Vegas, New Orleans, and Baton Rouge. In some cases, 911 emergency
services were affected as well. The services were back up within hours
of the attack.
3 January 2008 - Stolen Laptops Hold Nashville Voter Data
Two laptop computers stolen from the Metro Office Building in Nashville,
Tennessee, hold the SSNs of approximately 337,000 Nashville voters; the
data are not encrypted. The break-in was discovered after a security
guard noticed the building was unusually cold; the thieves had broken a
window to gain access to the building. The video recorder that could
have captured evidence had been unplugged. The guard who was on duty
at the time of the theft has been fired. The Davidson County Election
Commission and two other departments questioned by the Metro Council's
Public Safety Committee about the incident say they have stepped up
physical security and have removed voters' SSNs from laptops. Alarms
have been placed on video recorders to alert staff. There is some
confusion as to whose responsibility it was to encrypt the data. The
election commission plans to establish a procedure for making sure
laptops are secured after business hours. The Davidson County Election
Commission is offering free identity theft protection to affected
3 January 2008 - Teen Draws 90-Day Sentence for Internet Service Disruption
A Wisconsin teenager was sentenced to 90 days in jail for breaking into
a computer network and cutting off Internet access to residents of the
Marshfield, Wisconsin area for 18 hours last April. Shaun Lancaster was
granted work-release status for his term. He was also ordered to serve
three years' probation and to pay restitution of approximately US $6,000.
2 January 2008 - German Justice Minister Denies Music Companies Access to Data for Civil Cases
German Justice Minister Brigitte Zypries says that the music industry
does not have the right to demand stored Internet data to pursue its
copyright violation allegations in civil cases. Only police and the
public prosecutor's office may use the stored data.
1 January 2008 - Malware Development Outpacing Anti-Virus
Protecting computers from malware infections requires a combination of
anti-virus products, firewalls, tools that detect behavioral anomalies,
and good old-fashioned human caution. Anti-virus alone cannot do the
job because malware purveyors are growing skilled at releasing new
variants that won't immediately be detected by signature-based
anti-virus products. There are tools available on the Internet that
allow users to test whether pieces of code are detectable by different
anti-virus systems. Some malware creators have reportedly even set up
their own laboratories to ensure that their latest releases will have
time to infect computers before anti-virus companies learn of the new
27 December 2007 - Alleged Source Code Thief Arrested
A woman has been arrested and is being held on charges that she
allegedly stole US $12 million worth of sensitive data from her former
employer, Hinjewadi (India)-based 3DPLM Software, just days before
leaving her job there. Anjali Sharma allegedly used her work computer
to send source code to her husband. Sharma's alleged actions violate a
non-disclosure agreement she signed when she began work at 3DPLM. http://www.dnaindia.com/report.asp?newsid=1141842
27 December 2007 - List Identifies Dubious Music Download Sites
The Center for Democracy and Technology (CDT) has released a list of 34
websites it says are misleading users by implying that mainstream music
can be downloaded from them. The sites charge subscription fees, which
users may assume are used to pay royalty costs, but the listed websites
have not obtained the necessary licensing agreements to distribute the
music. Instead, users are provided peer-to-peer file sharing software,
which is often available at no cost elsewhere, and given instructions
on using filesharing networks.
26 December 2007 - Disk Containing UK Police Data Found at Recycling Center
An obsolete computer that had been sent out to be recycled was found to
contain personally identifiable information of an unspecified number of
employees, including police officers, of Devon and Cornwall (UK) Police.
Assistant Chief Constable Bob Pennington has issued an apology and says
the incident is under investigation. Normally, disks are wiped clean
before computers are sent to be recycled. The disk containing the
information was found by a man looking for parts at a recycling center.
22 December 2007 - Identity Thief Targets Municipal Court Website
An identity thief apparently entered random Social Security numbers
(SSNs) into the Franklin County (Ohio) Municipal Court website, hoping
to find a match. According to police, the thief stole personally
identifiable information, such as names, ages and addresses of hundreds
of people, and used the information to open bank accounts and credit
cards. The site contains information about people convicted of
misdemeanors; the data theft affects people from Ohio, Kentucky, South
Carolina, Texas, and Wyoming.