Jun 13 2013

Matthew Braga reports:

The Office of Canada’s Privacy Commissioner has declined to name 11 Canadian websites found to be leaking personal information to third parties without the knowledge of users, but revealed in a blog post that privacy practices had improved after being notified of the government’s concerns.

A study found that user names, email addresses, location data and other identifying information were being sent to advertisers and analytics companies – in some cases, unbeknownst to the websites themselves.

Read more on Financial Post.

I can appreciate that the Commissioner wants to enlist cooperation/remediation and is using the avoidance of naming and shaming as the carrot, but shouldn’t the consumers whose information was leaked – either knowingly or unknowingly by the web sites – be informed? Apparently there is no such legal requirement in Canada.
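The leakage the study describes (user names, e-mail addresses and location data reaching advertisers and analytics vendors, sometimes without the site's knowledge) is something a site operator can check for themselves from a capture of the browser's outbound requests. The following is an added example, not code from the Commissioner's study or from the Financial Post article: the sample requests, the hypothetical first-party site example-shop.test, the tracker hostnames and the test user's values are all constructed. It flags any third-party request whose query string, form body or Referer header carries one of the values the user entered on the site; the Referer case is how a site leaks data it never meant to send, because whatever it puts in its own page URL is handed to every third-party resource on that page.

```python
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample capture (not from the Commissioner's study): requests a
# proxy or browser extension might log while a logged-in user of the
# hypothetical first-party site example-shop.test views their account page.
SAMPLE_REQUESTS = [
    {"url": "https://example-shop.test/account?tab=orders",
     "headers": {"Referer": "https://example-shop.test/"}, "body": ""},
    {"url": "https://ads.tracker.test/pixel?uid=alice%40example.org&loc=Toronto",
     "headers": {"Referer": "https://example-shop.test/account?tab=orders"}, "body": ""},
    {"url": "https://analytics.vendor.test/collect",
     "headers": {"Referer": "https://example-shop.test/account?tab=orders"},
     "body": "ev=pageview&user=alice_w&t=1370000000"},
    {"url": "https://cdn.vendor.test/lib.js",
     "headers": {"Referer": "https://example-shop.test/"}, "body": ""},
    # The site put the e-mail address in its own URL; every third-party
    # resource on that page then receives it in the Referer header.
    {"url": "https://ads.tracker.test/pixel?page=account",
     "headers": {"Referer": "https://example-shop.test/account?email=alice%40example.org"},
     "body": ""},
]

# Values the test user typed into the site (constructed): e-mail, user name, city.
PII_VALUES = ("alice@example.org", "alice_w", "Toronto")


def is_third_party(host, first_party_domain):
    """True unless host is the first-party domain or one of its subdomains."""
    host = host.lower()
    return not (host == first_party_domain or host.endswith("." + first_party_domain))


def _hits(text, pii_values):
    """Case-insensitive substring match of each PII value against text."""
    lowered = text.lower()
    return [p for p in pii_values if p.lower() in lowered]


def find_pii_leaks(requests, first_party_domain, pii_values):
    """Return (host, location, value) for each PII value found in a third-party request.

    Locations are 'query:<param>', 'body:<field>' or 'referer'.
    """
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        host = (parts.hostname or "").lower()
        if not is_third_party(host, first_party_domain):
            continue
        # Query string and form-encoded body: decode each field, then compare.
        for where, raw in (("query", parts.query), ("body", req.get("body", ""))):
            for key, value in parse_qsl(raw, keep_blank_values=True):
                for hit in _hits(value, pii_values):
                    findings.append((host, f"{where}:{key}", hit))
        # Referer: carries whatever the first-party page URL contained.
        referer = unquote_plus(req.get("headers", {}).get("Referer", ""))
        for hit in _hits(referer, pii_values):
            findings.append((host, "referer", hit))
    return findings


if __name__ == "__main__":
    for host, where, value in find_pii_leaks(SAMPLE_REQUESTS, "example-shop.test", PII_VALUES):
        print(f"{host}: {value!r} sent in {where}")
```

On the constructed capture this reports four leaks: the e-mail address and city in the ad pixel's query string, the user name in the analytics vendor's form body, and the e-mail address again via the Referer of the second pixel request. A plaintext match like this misses identifiers that a tracker hashes or base64-encodes before sending, so a real audit also needs to compare against digests of the known values.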

Jun 09 2013

Ben Grubb reports:

“This call may be recorded for training and quality purposes.”

And perhaps inadvertently uploaded to the internet if you’re a customer of a certain Australian telco.

Recorded voice contracts containing personally identifiable information between telco IF Telecom and its customers have been found online by an Australian security expert while performing a simple Google search.

The audio files found on the internet contain business managers confirming telephone contract agreements to an IF Telecom operator. Information read aloud during the calls by business customers includes their name and position, business name, date of birth, drivers’ licence number and expiry date, business street address and business telephone number.

Read more on The Age.

Jun 09 2013

Deon J. Hampton reports:

Brookhaven Supervisor Edward P. Romaine on Thursday handed off an investigation into the inadvertent online posting of personal information to the town’s law department — the same unit that made the mistake.

[...]

Town officials did not release the name of the employee who mistakenly made public the Social Security numbers of 78 ambulance workers and beneficiaries. The information was attached to a resolution posted on the town website on May 30. The posting remained accessible on the town website for five days.

[...]

Eaderesto said the mistake was made last month when a law department employee failed to click on the “no public access” check box in the computer system that adds the information to the website. She said one person was responsible for checking the information in the past; now there will be three.

Read more on Newsday and/or NBC.

Alternatively, they could make “no public access” the default, so that staff have to decide affirmatively that a file should be public after reviewing its entire contents, rather than relying on someone remembering to tick a box.
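What that secure default looks like in a publishing workflow, as an added example that is not the town's system or any code from the Newsday or NBC reports: a resolution record is private unless someone explicitly marks it public, posting requires more than one reviewer (the town said it is moving from one checker to three), and attachments are scanned for formatted Social Security numbers before anything reaches the website. The record and attachment types, the reviewer count and the sample roster text are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Formatted US SSN (3-2-4 digits), excluding blocks the SSA never issues:
# area 000, 666 and 900-999, group 00, serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass
class Attachment:
    name: str
    text: str


@dataclass
class Resolution:
    title: str
    attachments: List[Attachment] = field(default_factory=list)
    # Secure default: nothing is public unless someone explicitly says so.
    public: bool = False


class PublishError(Exception):
    """Raised when a resolution must not be posted to the public website."""


def find_ssns(text: str) -> List[str]:
    return SSN_RE.findall(text)


def redact_ssns(text: str) -> str:
    """Keep the last four digits so a record stays matchable internally."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], text)


def publish(resolution: Resolution, reviewers: List[str], required_reviews: int = 2) -> List[str]:
    """Return the attachment names cleared for posting, or raise PublishError."""
    if not resolution.public:
        raise PublishError(f"{resolution.title!r} is not marked public")
    if len(set(reviewers)) < required_reviews:
        raise PublishError(f"{len(set(reviewers))} of {required_reviews} required reviews")
    flagged = [a.name for a in resolution.attachments if find_ssns(a.text)]
    if flagged:
        raise PublishError(f"SSN-like values in attachments: {flagged}")
    return [a.name for a in resolution.attachments]


# Constructed sample: a resolution whose attached roster carries two SSNs.
MEMO = Attachment("resolution_text.txt",
                  "Resolved: that the Town accept the attached ambulance roster.")
ROSTER = Attachment("ambulance_roster.txt",
                    "Jane Doe, EMT, SSN 123-45-6789\nJohn Roe, beneficiary, SSN 234-56-7890")


if __name__ == "__main__":
    res = Resolution("Res. 2013-05", [MEMO, ROSTER])
    for step in (lambda: publish(res, ["clerk", "attorney"]),):
        try:
            step()
        except PublishError as err:
            print("blocked:", err)          # not marked public
    res.public = True
    try:
        publish(res, ["clerk", "attorney"])
    except PublishError as err:
        print("blocked:", err)              # roster contains SSNs
    res.attachments = [MEMO, Attachment(ROSTER.name, redact_ssns(ROSTER.text))]
    print("posted:", publish(res, ["clerk", "attorney"]))
```

The scan is a last line of defence, not a substitute for the default: it only catches numbers in the familiar dashed format, so a roster with unformatted nine-digit values would pass it. The point of `public: bool = False` is that forgetting to act leaves the record private.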

Jun 09 2013

As if Wyndham didn’t have enough problems from a number of breaches it experienced a few years ago, it seems that they may have had an insider breach, too.

In a report to the Maryland Attorney General dated March 12, Stratis Pridgeon, Group Vice President of Legal Services for Wyndham Vacation Ownership, Inc. (which includes its subsidiary Wyndham Vacation Resorts, Inc.), writes that on or about January 18, they were notified by Orlando, Florida police that a then-current employee had been arrested and tied to fraudulent credit card purchases. Wyndham terminated the employee the next day, and their investigation suggested that he may have manually recorded customers’ credit card numbers during telephone calls in a private ledger he maintained. The employee was arrested on January 16.

Two Maryland residents may have been affected, but Wyndham does not report the total number of customers whose card data may have been recorded by or misused by the employee or whether the employee may have provided the information to others as well.

Jun 09 2013

On March 19, Calvert Internal Medicine in Maryland notified current and former employees of a computer compromise that may have exposed their Social Security numbers to misuse. A copy of their notification was sent to the Maryland Attorney General’s Office. From reading their description of the breach, it seems that ADP failed to restore a firewall after attempting to deal with another problem, but it’s not clear whether that simply accounts for the spam run problem or if it also contributed to a malware problem that may have compromised employees’ information. See what you think:

Calvert Internal Medicine Group (CIMG) Sequence of Events Relating to Potential IT Breach March 20, 2013

- During the week of March 10, 2013, CIMG was notified by its domain service that ~9,000 spam emails were identified as originating from CIMG’s mail server’s domain. Spam sources were distributed across the internet using a CIMG finance department employee’s email account, an account which was hosted off-site on an independent network’s service computer. Malware was detected in files in the spam inbox of the suspected computer.

- Several weeks prior to the spam discovery, in an effort to resolve a time clock data transmission problem, the finance department employee using the suspect computer placed a service call to ADP technical support. During the call, ADP technical support took control of the computer and disabled the computer’s firewall. At the end of the service call, ADP technical support failed to reactivate the computer’s firewall.

- During the week of March 10, 2013, the suspect personal computer was removed from CIMG’s server. A new computer was installed.

- The finance department employee’s CIMG domain email account was disabled and replaced with a new, password protected, email address.

- Access passwords were changed for payroll (ADP), accounting (PeachTree) and banking services portals/software which resided on the computer.

- During the week of March 17, 2013, a CIMG employee was notified of irregular personal financial activity by a federal agency.

- Given the proximity of the two events, spam email originating from CIMG’s domain and suspicious activity involving an employee’s personal information/data, CIMG elected to notify all active and terminated employees of a suspected IT breach involving payroll-related information, employees’ names, addresses and social security numbers.

- With counsel’s assistance an employee notification document (attached) was drafted.
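CIMG only learned of the ~9,000 spam messages when its domain service told it. A mail server that counts outbound recipients per sender can raise that alarm itself, well before an external party does. The following is an added example and not CIMG's, ADP's or any mail product's code: the log format (one line per message with an ISO timestamp, sender and recipient count), the cimg.example addresses and the traffic pattern are constructed. It keeps a sliding ten-minute window per sender and reports any account whose recipients in one window exceed a threshold; a single compromised finance account sending to 50 recipients at a time at 02:00 stands out immediately against ordinary daytime traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample_log():
    """Constructed outbound-mail log, one line per message (not CIMG's real data).

    Format (hypothetical): <ISO timestamp> sender=<address> rcpt=<recipient count>
    """
    lines = []
    # Ordinary daytime traffic from two staff accounts.
    for i in range(6):
        t = datetime(2013, 3, 11, 9, 0) + timedelta(minutes=25 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} sender=frontdesk@cimg.example rcpt=1")
    for i in range(4):
        t = datetime(2013, 3, 11, 10, 0) + timedelta(minutes=40 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} sender=billing@cimg.example rcpt=2")
    # The compromised finance account: 60 messages to 50 recipients each,
    # eight seconds apart, starting at 02:00.
    for i in range(60):
        t = datetime(2013, 3, 11, 2, 0) + timedelta(seconds=8 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} sender=finance@cimg.example rcpt=50")
    return sorted(lines)


def parse_line(line):
    """Split one log line into (timestamp, sender, recipient count)."""
    ts, sender, rcpt = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            sender.split("=", 1)[1],
            int(rcpt.split("=", 1)[1]))


def find_bursts(lines, window=timedelta(minutes=10), max_rcpts=100):
    """For each sender, the largest number of recipients addressed inside any
    sliding window. Returns {sender: (peak_recipients, window_start)} for the
    senders whose peak exceeds max_rcpts."""
    events = defaultdict(list)
    for line in lines:
        ts, sender, rcpt = parse_line(line)
        events[sender].append((ts, rcpt))
    alerts = {}
    for sender, evs in events.items():
        evs.sort()
        q = deque()
        total = 0
        peak_total, peak_start = 0, None
        for ts, rcpt in evs:
            q.append((ts, rcpt))
            total += rcpt
            # Drop messages that have fallen out of the window.
            while ts - q[0][0] > window:
                total -= q.popleft()[1]
            if total > peak_total:
                peak_total, peak_start = total, q[0][0]
        if peak_total > max_rcpts:
            alerts[sender] = (peak_total, peak_start)
    return alerts


if __name__ == "__main__":
    for sender, (n, start) in find_bursts(make_sample_log()).items():
        print(f"{sender}: {n} recipients within 10 minutes from {start:%H:%M:%S}")
```

The threshold is the tuning knob: set it from a few weeks of the organisation's own baseline, per sender, and alert on the first window that crosses it rather than on the daily total, so the account can be disabled while the run is still in progress.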

Jun 09 2013

The Information Commissioner’s Office (ICO) has issued Glasgow City Council with a monetary penalty of £150,000 following the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.

The serious breach of the Data Protection Act comes after the council was previously issued with an enforcement notice three years ago, following a similar breach where an unencrypted memory stick containing personal data was lost.

In the latest incident, two unencrypted laptops were stolen from the council’s offices on 28 May last year. The laptops were stolen from premises which were being refurbished and where complaints of theft and a lack of security had been made. One laptop had been locked away in its storage drawer and the key placed in the drawer where the second laptop was kept, but the second drawer was subsequently left unlocked overnight, allowing the thief access to both laptops.

One of the laptops stolen contained the council’s creditor payment history file, listing the personal information of over 20,000 people, including 6,069 individuals’ bank account details.

The ICO’s investigation found that, despite the ICO’s previous warning and in breach of its own policy, the council had issued a number of its staff with unencrypted laptops after encountering problems with the encryption software. While most of these devices were later encrypted, the ICO also discovered that a further 74 unencrypted laptops remain unaccounted for, with at least six of these known to have been stolen.

Ken Macdonald, the ICO’s Assistant Commissioner for Scotland said:

“How an organisation can fail to notice that 74 unencrypted laptops have gone missing beggars belief. The fact that these laptops have never been recovered, and no record was made of the information stored on them, means that we will probably never know the true extent of this breach, or how many people’s details have been compromised.

“Glasgow City Council was issued with an enforcement notice back in 2010 after a similar incident where an unencrypted memory stick was lost. To find out that these poor practices have returned some two years later shows a flagrant disregard for the law and the people of Glasgow. The council should be held to account, and the penalty goes some way to achieving that.”

The ICO has also served the council with an enforcement notice requiring it to carry out a full audit of its IT assets used to process personal data and arrange for all of its managers to receive asset management training. The council must also carry out a full check of all of its devices each year so that the asset register can be kept up to date.

The ICO has produced guidance on the use of encryption software which is available on the ICO website.

SOURCE: Information Commissioner’s Office
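The enforcement notice asks for a full audit of IT assets and a yearly check so that the asset register reflects reality, which is exactly the control that would have surfaced 74 missing laptops before a thief did. The following is an added example, not the council's or the ICO's code: it reconciles a hand-kept asset register against what an endpoint-management agent reports, and lists devices that have gone silent or were never seen, devices reporting no disk encryption, devices the register wrongly records as encrypted, and devices on the network that the register has never heard of. The asset identifiers, owners, dates and the thirty-day staleness cutoff are constructed for the example.

```python
from datetime import date, timedelta

# Constructed data (not the council's): the register the organisation keeps,
# and what an endpoint-management agent actually reports for each device.
REGISTER = [
    {"asset": "LAPTOP-0101", "owner": "finance", "encrypted": True},
    {"asset": "LAPTOP-0102", "owner": "finance", "encrypted": True},
    {"asset": "LAPTOP-0103", "owner": "housing", "encrypted": False},
    {"asset": "LAPTOP-0104", "owner": "housing", "encrypted": True},
    {"asset": "LAPTOP-0105", "owner": "legal",   "encrypted": True},
]
INVENTORY = [
    {"asset": "LAPTOP-0101", "disk_encrypted": True,  "last_checkin": date(2013, 6, 8)},
    {"asset": "LAPTOP-0102", "disk_encrypted": False, "last_checkin": date(2013, 6, 7)},  # register says encrypted
    {"asset": "LAPTOP-0103", "disk_encrypted": False, "last_checkin": date(2013, 6, 9)},
    {"asset": "LAPTOP-0104", "disk_encrypted": True,  "last_checkin": date(2013, 3, 1)},  # silent for months
    {"asset": "LAPTOP-0199", "disk_encrypted": True,  "last_checkin": date(2013, 6, 9)},  # not on the register
]
AUDIT_DATE = date(2013, 6, 9)


def reconcile(register, inventory, today, stale_after=timedelta(days=30)):
    """Compare the register with observed devices and return the exceptions."""
    seen = {d["asset"]: d for d in inventory}
    registered = {r["asset"]: r for r in register}
    cutoff = today - stale_after

    # On the register but never seen, or not seen recently enough to trust.
    unaccounted = [a for a in registered
                   if a not in seen or seen[a]["last_checkin"] < cutoff]
    # What the device itself reports, regardless of what the register says.
    unencrypted = [a for a, d in seen.items() if not d["disk_encrypted"]]
    # Register claims encryption but the device disagrees: the register is wrong.
    drift = [a for a in unencrypted if a in registered and registered[a]["encrypted"]]
    # Devices on the network that nobody recorded.
    unregistered = [a for a in seen if a not in registered]

    return {
        "unaccounted": sorted(unaccounted),
        "unencrypted": sorted(unencrypted),
        "register_drift": sorted(drift),
        "unregistered": sorted(unregistered),
    }


if __name__ == "__main__":
    for category, assets in reconcile(REGISTER, INVENTORY, AUDIT_DATE).items():
        print(f"{category}: {', '.join(assets) or 'none'}")
```

The register-drift list is the one to watch after an incident like Glasgow's: a register that records a laptop as encrypted because it was meant to be, while the device reports otherwise, gives exactly the false assurance the ICO describes. Treat the agent's report as the source of truth and the register as a claim to be verified against it.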