May 23, 2013
 

Terry Macalister reports:

The mining group Eurasian Natural Resources Corporation warned on Thursday that it may have lost internal data as a result of computer hacking and the theft of a laptop.

The problems add to a complicated picture for ENRC, a London-based but Kazakh-facing producer of minerals from iron ore to coal, which received an indicative takeover offer last week but is also the subject of an investigation by the Serious Fraud Office.

ENRC said it had notified the information commissioner about the data loss saying: “The first incident relates to the theft of a laptop during a domestic burglary, while the second incident relates to an intrusion into the group’s electronic systems by a third party.

Read more on The Guardian.

So… are any of the data on the stolen laptop related to the investigation? Or should I just grab a tinfoil hat?

May 16, 2013
 

April Havens reports:

 Residents’ personal information could be in jeopardy after someone took Head Start records from Jackson County Civic Action Committee Inc.’s Jefferson Street facility in Moss Point.

Spokeswoman Hannah Donegan sent out a news release today saying the theft occurred between April and April 24, and a police report has been filed in Moss Point.

The stolen records include names, mailing addresses, Social Security numbers, birth dates and some health records for students and families who applied for Head Start in the 2008-2009 school year, she said.

“We have no way of knowing how many files were stolen,” JCCAC Executive Director Diann Payne said. “But we have alerted all parents of the possibility that they might be affected.”

Read more on GulfLive.com.

A notice on the JCCAC’s web site reads:

Between April 22 and April 24, 2013, records from Jackson County Civic Action Committee, Inc.’s Head Start program were stolen from the Jefferson Street facility in Moss Point.

Records included names, mailing addresses, Social Security numbers, birthdates and some health records for students and families who attended Head Start in the 2008-2009 school year.

JCCAC has filed a police report with the Moss Point Police Department for the theft.

As a preventative step, JCCAC recommends anyone who applied for Head Start during the 2008-2009 school term closely monitor their and their child’s financial information and promptly report suspicious activity to their financial institution. JCCAC also recommends that parents submit a complaint with the Federal Trade Commission by calling 1-877-ID-THEFT (1-877-438-4338) or by visiting https://www.ftccomplaintassistant.gov/

Individuals may also want to contact Equifax, Transunion and Experian to obtain a credit report; they can do so by calling 1-877-322-8228 or by visiting www.annualcreditreport.com.

Even if fraud isn’t detected immediately, it is recommended that individuals consistently monitor their credit. They may also wish to place a security freeze on credit. This is free for individuals with a police report indicating record theft, which affected individuals may pick up at JCCAC’s Central Office at 5343 Jefferson St., Moss Point MS, 39563. To obtain a freeze, contact the following agencies:

Individuals who may have been affected should contact JCCAC Executive Director Diann Payne at 228-769-3317 or Head Start Program Director Vanessa Gibson at 228-769-3401.

May 05, 2013
 

Following a public comment period, the Federal Trade Commission has approved a final order settling charges that Cbr Systems, Inc. failed to protect the security of customers’ personal information and that its inadequate security practices led to a breach that exposed the Social Security numbers and debit and credit card information of nearly 300,000 consumers.

As part of the settlement announced on January 28, 2013, Cbr agreed to establish and maintain a comprehensive information security program. The company also must submit to security audits by an independent auditor every other year for the next 20 years. The settlement order also bars misrepresentations about the privacy, confidentiality, security or integrity of personal information collected from or about consumers.

The Commission vote approving the final order and letter to the member of the public who commented on it was 4-0. (FTC File No. 112-3120; the staff contacts are Laura Riposo VanDruff, Bureau of Consumer Protection, 202-326-2999 and Ryan Mehm, Bureau of Consumer Protection, 202-326-2918.)

SOURCE: FTC

Apr 25, 2013
 

OptiNose US Inc. has been notifying some of its consultants that their names and Social Security numbers were on a laptop stolen from an employee’s car.

The laptop was stolen on March 26 in a Philadelphia suburb, and OptiNose started sending out notification letters on April 16. The letter did not inform recipients that the laptop was stolen from an unattended vehicle. The letter states that OptiNose “has no information that any personal data has been accessed by an unauthorized party.” They do not state whether there was any software on the laptop that would even provide such information.

OptiNose offered those affected credit monitoring at the firm’s expense, but get this – enrollees have to pay for the service and then submit a request for reimbursement.

The notification letter does not indicate whether the employee was disciplined at all or what steps OptiNose is taking to prevent this from ever happening again.

If you get the sense that I am unimpressed with their handling of this breach, you’re right.

The incident was reported to the New Hampshire Attorney General’s Office on April 16 and the Vermont Attorney General’s Office on April 23.

Apr 19, 2013
 

Don’t you just hate it when your breach response goes awry and compounds the breach or you discover that your original analysis of what information was involved was incomplete?

Last month, Stanley Black & Decker notified both California and New Hampshire that a stolen corporate laptop contained employees’ information, including their bank routing and account numbers for those who received reimbursement for expenses via direct deposit.

On April 15, however, the firm notified New Hampshire that in the process of preparing notification letters, they experienced a mail merge error that resulted in some individuals having the wrong addresses.

While trying to address the mail merge error, and to compound matters even more, they discovered that the stolen laptop had held the Social Security numbers of some of the former and current employees.

As a result, the firm is sending out new notification letters to everyone affected by the stolen laptop breach.

You can read their explanation to New Hampshire here.

Apr 10, 2013
 

Damon Poeter reports that streaming video provider VUDU has been notifying users after a hard drive containing user data was stolen during an office burglary:

Vudu notified users that a break-in at its offices on 24 March compromised users’ personal information and account activity, warning customers to be on the lookout for “spam email, emails asking for personal information, or emails asking you to click on links to other websites” as a result.

The streaming video provider said “a number of items were stolen, including hard drives” during the burglary of its Santa Clara, California-based offices. Vudu informed customers in an email message that it was implementing a system-wide password reset because the hard drives contained user emails, addresses, account activity, dates of birth, and in some cases, credit card information.

Read more on ItProPortal.

VUDU has also posted an FAQ about the breach that provides a bit more detail on the data types involved:

Our investigation thus far indicates that these hard drives contained customer information, including names, email addresses, postal addresses, phone numbers, account activity, dates of birth and the last four digits of some credit card numbers. It’s important to note that the drives did NOT contain full credit card numbers, as we do not store that information. If you have never set a password on the VUDU site and have only logged in through another site, your password was not on the hard drives. While the stolen hard drives included VUDU account passwords, those passwords were encrypted. We believe it would be difficult to break the password encryption, but we can’t rule out that possibility given the circumstances of this theft. Therefore, we have reset all customer passwords.

Addendum: Text of VUDU’s email to users, provided to this site by a reader:

Date: Tue, 09 Apr 2013 14:43:26 -0600
From: “VUDU, Inc.”
Reply-To: “VUDU, Inc.”
To: [redacted]
Subject: Important Information Regarding Your VUDU Account.

Dear [redacted],

We want to let you know that there was a break-in at the VUDU offices on March 24, 2013, and a number of items were stolen, including hard drives.

Our investigation thus far indicates that these hard drives contained customer information, including names, email addresses, postal addresses, phone numbers, account activity, dates of birth and the last four digits of some credit card numbers. It’s important to note that the drives did NOT contain full credit card numbers, as we do not store that information. Additionally, please note if you have never set a password on the VUDU site and have only logged in through another site, your password was not on the hard drives.

While the stolen hard drives included VUDU account passwords, those passwords were encrypted. We believe it would be difficult to break the password encryption, but we can’t rule out that possibility given the circumstances of this theft. So we think it’s best to be proactive and ask that you be proactive as well.

SECURITY PRECAUTIONS:

If you had a password set on the VUDU site, we have taken the precaution of expiring and resetting that password. To create a new password, go to www.vudu.com. Click the “Sign In” button at the top of the page. Enter your current username and current password when prompted, then follow the instructions to reset your password securely. Also, if you use your expired VUDU password on any other sites, we strongly recommend that you change it on those sites as well.

As always, remember that VUDU will never ask you for personal or account information in an e-mail. Please use caution if you receive any emails or phone calls from anyone asking for personal information or directing you to a web site where you are asked to provide personal information.

As an added precaution, we are arranging to have AllClear ID protect your identity for one year at no cost to you. We have FAQs on our web site (vudu.com/passwordreset) to answer questions on the incident and to more fully describe how to use the AllClear ID service. We have reported this incident to law enforcement and are cooperating fully with their investigation. We want you to know that we take this matter very seriously, and we apologize for any inconvenience this may have caused you.

Thank you,

Prasanna Ganesan
Chief Technology Officer, VUDU
Please also note that this email inbox is not monitored. To contact us, please visit vudu.com/support.html

Security & Privacy
VUDU protects your security and privacy. We will never ask for personal information (such as passwords or payment information) in an email Postcard. If you receive such a request, please do not respond to the email. See our Privacy Policy

VUDU, Inc., 2980 Bowers Ave. Santa Clara, CA, 95051, UNITED STATES © 2013 VUDU, Inc. All rights reserved.