May 30, 2014

Robert Zullo reports:

The scope of a data breach at UPMC that may have exposed Social Security numbers, addresses, salary and bank account information to identity thieves has now widened to potentially include all of its 62,000 workers, the health-care conglomerate informed employees in an e-mail today.

“Outside of the 817 confirmed victims of tax fraud, we are not aware of any other fraud perpetrated against UPMC relating to this situation,” the e-mail says. “In the interest of protecting our staff, we are now urging all of our employees to take the proper precautions to protect their personal information.”

Read more on the Pittsburgh Post-Gazette.

May 29, 2014

Associated Press reports:

The Washington attorney general’s office has filed charges against a former state employee accused of using confidential state databases to commit identity theft and steal unclaimed property.

The state charged Timothy Darrell Fultz on Wednesday with multiple counts of theft, money laundering and computer trespass. He is accused of taking more than $150,000 in unclaimed property through the Department of Revenue’s ClaimYourCash.org website.

Read more on CBS Seattle.

May 29, 2014

Home Depot seems to be having a rough year with dishonest employees.

In February, this site reported that some employees had been charged with stealing co-workers’ personal information. Over 1200 were notified in California.

Now Home Depot has notified the New Hampshire Attorney General’s Office that between May 7 and May 21, an employee was accessing, and sharing with third parties, tool rental customers’ names, addresses, phone numbers, dates of birth, credit card numbers and expiration dates.

According to Home Depot, fewer than 500 customers’ information was shared with others, but the employee also obtained access to 30,000 other customers’ accounts.

Read more of their notification here (pdf).

Customers are being offered free services with AllClear ID.

May 26, 2014

Eric Blaisdell reports:

The head of the state’s chapter of the American Institute of Architects says around 40 Vermont architects just discovered they were all the victims of identity theft.

Read more on Times Argus.

Keep in mind that the AIA is a professional association, not the state licensing board. The national AIA membership application form asks for the architect’s state license number but does not ask for a Social Security number, and Vermont architects’ license numbers are not their SSNs. Are SSNs stored in the state’s licensing database, though?

Where did the criminals obtain the SSNs? Only federal tax returns were affected, it seems.

May 20, 2014

Trot on over to KrebsOnSecurity.com, where Brian’s connecting the dots between a number of criminal prosecutions and Ngo, the Vietnamese national who posed as a Singapore investigator to get a Court Ventures account that gave him access to reports in U.S. Info Search’s database. Experian subsequently acquired Court Ventures, and Ngo’s account was allowed to continue until Experian was notified of the criminal activity.

And with this post of his, Brian has added another strong refutation to any claims that there’s no evidence of identity theft or misuse of the data.

But who is notifying all those affected and who will be held accountable for this breach?

As noted previously on this blog, there’s been a lot of finger-pointing. But while Experian and U.S. Info Search are pointing fingers at each other, and while state attorneys general are investigating, it appears consumers still haven’t been notified by any of the firms involved.

DataBreaches.net reached out to Experian to inquire whether there was anything new in terms of agreement between U.S. Info Search and Experian as to who would notify those affected, but a spokesperson said there was nothing new to report on that front.

And that’s something state attorneys general should keep in mind when looking into this whole mess. What does their state law say about who is responsible to notify consumers – the owner of the database where the consumer information resided or the company whose clients improperly accessed that database?

May 14, 2014

Tavia D. Green reports:

A Fort Campbell active duty officer entered a guilty plea to stealing the identity of other soldiers, applying for loans and using the money for his personal benefit.

James Robert Jones, 43, of Woodlawn, Tennessee pleaded guilty Tuesday in U.S. District Court Judge Aleta A. Trauger’s court in connection with a scheme to obtain fraudulent bank loans using the stolen identities of active duty U.S. Army officers, according to a news release from David Rivera, United States Attorney for the Middle District of Tennessee.

Read more on Army Times.