21 more business sector breaches from 2009 (update 2)
Maryland has updated its web site to provide breach notifications that it has received since its last update. The newly posted notifications are for the period ending December 31, 2009, so there will likely be more to come for 2010. Some of the breaches described in the notifications were reported in the media at the time, but I spotted a number from the business sector that had not been reported in the media or on this site at the time. So here is a brief roundup on another 21 breaches from the business sector last year:
- AT&T reported that an employee of an unnamed service provider improperly removed paper documents containing personal and/or credit card information on customers from the service provider’s office. The information may have included SSN, driver’s license numbers, and/or credit card information as well as names and addresses. Because the employee was described as a “former employee,” it would seem that the employee may have been terminated for violating AT&T’s policies and agreement with its service provider. AT&T notes that there is no indication that the removal was intended for misuse, nor any indication that it had been or would be misused. They elected to report the incident to the state and affected individuals and offered the individuals free credit monitoring services.
- Bristol-Myers Squibb Company reported that it had discovered that an external hard drive missing from a BMS facility in Puerto Rico contained names and SSN of some employees at the Puerto Rican facility.
- Coffee.org reported that it had been hacked and customer data, including credit card data, had been accessed between June 20 and July 19, 2009. A total of 8,058 customers were affected by the breach.
- FCI USA reported that a laptop stolen from an employee may have contained a spreadsheet with names, dates of birth, and Social Security numbers for 2000 employees.
- Feeney Agency reported that a computer stolen from its office contained unencrypted personal information that included SSN and driver’s licenses as well as birth dates and contact information. As a result of the burglary, the agency subsequently purchased a motion-sensitive security system for the office and a computer with encryption.
- Genworth Life Insurance Company of New York reported that an unauthorized individual had somehow obtained the login details for a third party agent authorized to access Genworth’s website where insurance agents can obtain policy information on customers. The information includes their name, address, and SSN.
- Group M reported that 8 laptops stolen from its NY office contained unencrypted information on 1501 employees, likely including their names, Social Security numbers and/or bank account information.
- Hotels.com reported that a computer stolen from an employee of an unnamed vendor contained unencrypted information on 200 Hotels.com customers, including their names, addresses, phone numbers, and credit card/debit card information.
- InterContinental Hotels Group reported in December that in September, they had detected malicious software that was capturing payment processing information during payment transactions at the Willard InterContinental Hotel in Washington, D.C. The total number of individuals affected was not indicated, but 428 Maryland residents were affected.
- Kraft Foods reported that a laptop and flash drive containing unencrypted personal information of employees and benefit plan participants were stolen from an accounting and payroll department employee’s car. The information included SSN.
- LitCon Group reported that a laptop stolen from an employee’s vehicle contained unencrypted employee information including names, addresses, dates of birth, and SSN. LitCon indicated that in the future, all personal information would be encrypted and in the interim, all laptops would be kept only in the office, which is protected by keyed locks and an alarm system.
- McGraw-Hill Construction (a division of The McGraw-Hill Companies) reported that a laptop stolen from its finance office in Utah contained unencrypted information, including SSNs, on some independent contractors.
- Nordstrom reported that an employee at its Farmington, Connecticut store had skimmed credit card information of customers using a hand-held skimmer.
- Nuance Communications reported that a stolen laptop contained personal information, including SSN used for employment and business purposes.
- Priceline.com reported that an unauthorized individual may have accessed customer data, including names, addresses, email addresses, credit card numbers, credit card expiration date, and credit card verification number through a third party call center.
- Scarborough & Associates reported an email error in which one customer’s insurance policy information, including date of birth and SSN, was sent to an erroneous email address. They attempted to learn whether the address was still a working email address, and emails bounced back, but not the one containing the customer data. In the future, the firm will not include personal information in email and is considering encrypting all email.
- T-Mobile USA reported that an employee misused or attempted to misuse 10 customers’ credit card numbers to pay his own bills or his friends’ T-Mobile bills. The employee was terminated and the matter referred to law enforcement.
- Thermo Fisher Scientific Co. reported that a laptop stolen from an employee’s car contained personal information and SSN for a credit applicant in Maryland. The company did not tell the individual that their sensitive data had been left in the trunk of a car, however, merely saying that the information “may have been acquired without authorization by a party not related to Thermo Fisher Scientific.”
- Uniformed Services Benefit Association reported that a stolen laptop contained personal information, including SSN, of customers. As a result of the breach, USBA reports that it removed all personal information from all remaining laptops, reduced the number of laptops in use, and discontinued synchronizing laptops to the network server.
- United Guaranty Residential Insurance Company reported that mortgage insurance loan file data on 20 customers was exposed. The data included names, addresses, SSN, FICO scores, and “other information required to apply for a mortgage.” United Guaranty does not describe how the exposure occurred but informs those affected that “The incident did not involve a compromise of any United Guaranty systems.”
- Wolters Kluwer reported that a laptop of a CCH employee was stolen. CCH is a Wolters Kluwer business. The laptop contained CCH customer data including names, addresses, and credit card numbers and expiration dates for customers who made purchases between January 2009 and July 2009.
Updated 3-10-10: Make that 22 more breaches. The Center for American Progress, which had reported one breach on April 30, sent a second breach notification in August, this one involving a breach of an unnamed third-party vendor that handles its Action Fund online payments. As a result of the breach, credit card information may have been acquired as well as names, addresses, and email addresses.
Updated 3-13-10: Coverage in The Boston Globe indicates that the laptop stolen from Nuance Communications was stolen from a car and contained information on 1,191 Massachusetts residents; the total number affected was not indicated.