May 22, 2013
 

Jason Miller reports:

Tens of thousands of current and former Homeland Security Department employees are at risk of identity theft after officials discovered a vulnerability in the vendor’s system for processing background investigations.

All DHS employees working in the headquarters office, for the Customs and Border Protection and for the Immigration and Customs Enforcement components from 2009 to 2013 are the most affected, according to an internal notice sent to employees, which was obtained by Federal News Radio and confirmed by a DHS spokeswoman.

“As a result of this vulnerability, information including name, Social Security numbers (SSN) and date of birth (DOB), stored in the vendor’s database of background investigations was potentially accessible by an unauthorized user since July 2009,” the internal notice stated.

Read more on FederalNewsRadio.com

Related: DHS Notice

May 21, 2013
 

Edwin Vargas, a detective with the New York City Police Department (NYPD), has been arrested on hacking charges. Vargas was arrested this morning outside his residence in Bronxville, New York.

Manhattan U.S. Attorney Preet Bharara said, “As alleged, Detective Edwin Vargas paid thousands of dollars for the ability to illegally invade the privacy of his fellow officers and others. He is also alleged to have illegally obtained information about two officers from a federal database to which he had access based on his status as an NYPD detective. When law enforcement officers break the laws they are sworn to uphold, they do a disservice to their fellow officers, to the department, and to the public they serve, and it will not be tolerated.”

FBI Assistant Director in Charge George Venizelos said, “As alleged, the defendant illegally acquired log-in information for the e-mail accounts of dozens of people, including police department co-workers. Of all places, the police department is not a workplace where one should have to be concerned about an unscrupulous fellow employee. Unlike the e-mail accounts, the defendant didn’t need to pay anyone to gain access to the NCIC database. But access is not authorization, and he had no authorization.”

According to the complaint unsealed today in Manhattan federal court:

Between March 2011 and October 2012, Vargas, an NYPD detective assigned to a precinct in the Bronx, hired an e-mail hacking service to obtain log-in credentials, such as the password and username, for certain e-mail accounts. In total, Vargas purchased at least 43 personal e-mail accounts and one cellular phone belonging to at least 30 different individuals, including 21 who are affiliated with the NYPD; of those 21, 19 are current NYPD officers, one is a retired NYPD officer, and one is on the NYPD’s administrative staff.

After receiving the log-in credentials he had purchased from the e-mail hacking services, Vargas accessed at least one personal e-mail account belonging to a current NYPD officer. He also accessed an online cellular telephone account belonging to another victim. Vargas paid a total of more than $4,000 to entities associated with the e-mail hacking services.

An examination of the contents of the hard drive from Vargas’ NYPD computer revealed, among other things, that the Contacts section of his Gmail account included a list of at least 20 e-mail addresses, along with what appear to be telephone numbers, home addresses, and vehicle information corresponding to those e-mail addresses, as well as what appear to be the passwords for those e-mail addresses.

Vargas also accessed the National Crime Information Center (NCIC) database, a federal database, to obtain information about at least two NYPD officers without authorization.

The e-mail accounts of those two officers were among the e-mail accounts Vargas paid the e-mail hacking services to hack into so he could obtain log-in credentials.

Vargas, 42, of Bronxville, New York, is charged with one count of conspiracy to commit computer hacking and one count of computer hacking. Each count carries a maximum sentence of one year in prison.

Source: FBI

Update: Here’s the complaint.

May 18, 2013
 

Michael Morrah reports on yet another government data breach in New Zealand:

There’s been another government breach of privacy. A Work and Income employee has emailed the private details of 34 beneficiaries to another claimant by mistake.

Even WINZ bosses are calling this breach a “major stuff up”.

It’s the latest in a series of failures, including last year’s security issue with the agency’s public kiosk computers.

Read more on 3News.

May 17, 2013
 

Peter Jamison reports:

Internal investigators say a Clearwater police commander used a law enforcement database more than 100 times during a two-year period for “questionable” purposes, inappropriately looking up personal information about individuals including his ex-wife’s boyfriend, a television news reporter and the wives of other police officers.

A summary of the internal investigation, obtained by the Tampa Bay Times, shows that Lt. Richard Crean of the Clearwater Police Department searched the Florida Driver and Vehicle Information Database, commonly called DAVID, to obtain information about 54 people without an obvious connection to law enforcement work.

Read more on Tampa Bay Times.

So… is a 5-day suspension and a demotion sufficient consequences for such misuse of a state database? What do you think?

May 17, 2013
 

Jenn Strathman reports:

Cyber hackers from Turkey hacked into the city of Akron’s website and replaced city messages with politically-motivated ones on Thursday. Also, nearly 8,000 taxpayers had their personal information stolen including their names, addresses, and social security numbers.

I don’t know about you, but I would have led with the theft of the social security numbers, not the political messages.

Read more on NewsNet5.com

But there’s more to the incident, it seems, as the data have reportedly been dumped and there may be many more than 8,000 affected. Ohio.com reports that individuals who filed Akron income tax returns electronically this year have been affected:

The city of Akron notified Friday some of the taxpayers whose personal information — possibly including Social Security numbers, credit card numbers and checking account numbers — was compromised in a cyber attack and posted on the Internet.

But only about half of the affected people have been notified because the city does not have email addresses for all of those affected, Akron’s Chief Information Officer Rick Schmahl said.

The number of affected residents is not known, although it could be between 10,000 and 40,000, Schmahl said. A news release the city issued at noon Friday said it was believed 8,000 names with related information were compromised.

May 17, 2013
 

Just for perspective….

Ben Bland reports:

More than 25,000 cyber attacks were carried out against Essex County Council in the past year, it has emerged.

It is thought those carrying out the attacks were attempting to access the personal details of people living in Essex, which are held by the authority.

The council refused to state whether any of the attempts were successful.

The council said it spent more than £500,000 each year employing a team of six people to protect its systems.

Read more on BBC.

They may refuse to say, but looking at what we included last year in DataLossDB.org:

  • Sensitive county information was found in a disused building in August 2012.
  • In October, we learned that hundreds of vulnerable people’s names, addresses and financial information were sent from the council’s Adults Health and Community Wellbeing Department to an external computer, and
  • In October, we also learned that 40 volunteers’ personal details contained in a spreadsheet were accidentally sent to those same 40 people.

All insider breaches, and no reports of hacks. Hopefully some organization will seek more information from the council under freedom of information requests.