MA: Former Mercer employee pleads guilty to stealing customer info

A former Blackstone woman pleaded guilty in U.S. District Court in Boston in connection with her role in a scheme to steal personal information from clients of her former employer. Jasmine Banks, 29, pleaded guilty to one count of conspiracy to commit identity theft and access device fraud. U.S. District Court Judge Leo T. Sorokin scheduled sentencing for June 22, 2016.

In 2014, Banks was a customer service employee for Mercer, Inc., in Norwood, and assisted customers with retirement plans that were administered by Mercer. In connection with her work, she had access to detailed account information and personally identifiable information (PII) for customers’ accounts. From February 2014 through April 2014, Banks accessed Mercer account information at her computer and provided the names, addresses, and bank account of approximately 270 Mercer account holders to one of her co-conspirators via email and text message. In many cases, she also provided dates of birth and social security numbers. In addition, Banks selected 401(k) accounts with large balances and sent the co-conspirator detailed account access information for four of them. Based on the information Banks provided, a fraudulent withdrawal of $23,485 was made from one of the retirement accounts. Mercer fully cooperated with law enforcement to prevent further account breaches and withdrawals.

The charge provides for a sentence of no greater than five years in prison, three years of supervised release and a fine of $250,000 or twice the gain or loss, whichever is greater. Actual sentences for federal crimes are typically less than the maximum penalties. Sentences are imposed by a federal district court judge based upon the U.S. Sentencing Guidelines and other statutory factors.

United States Attorney Carmen M. Ortiz and Lisa A. Quinn, Special Agent in Charge of the U.S. Secret Service, made the announcement. The case is being prosecuted by Assistant U.S. Attorney David J. D’Addio of Ortiz’s Cybercrime Unit.

SOURCE: U.S. Attorney’s Office, District of Massachusetts

WA: Mercer Island Police investigating case of high school hacking

David Ham reports: Detectives are investigating allegations that a 17-year-old student at Mercer Island High School hacked into the school’s online record-keeping system to change his own grades. According to court documents, a teacher reported to the school administration that she’d noticed odd activity on her school teacher account and then noticed one particular student’s grades had been altered without authorization. Three other teachers also subsequently discovered that the same student’s grades were changed in their courses. Read more on KIRO TV.

UPDATE: Idaho Power says Mercer breach affected over 375,000

The Mercer Health & Benefits breach involving a backup tape lost in transit after being shipped by FedEx is one of those multi-client breaches that comes out in dribs and drabs. But if Mercer hoped to keep the total number affected under wraps, one of their clients may have spilled their beans. On August 12, Idaho Power Health Plan posted an FAQ on their site that I just came across. It says, in part:

2. What happened and what data information was lost?

A data breach was reported by Mercer to Idaho Power on June 16, 2010. According to Mercer, on March 26, 2010 a package containing a server back-up tape was sent via FedEx from Mercer’s Boise office to their Seattle office and is presently unaccounted for. The tape contained personal demographic information (not medical or health-related data). The lost information included names, addresses, dates of birth, and Social Security numbers for approximately 5,000 Idaho Power employees and dependents and approximately 375,000 other individuals whom Mercer services through their client base.

The FAQ challenges Mercer’s reassuring statement that the unencrypted data would be difficult to be read:

3. Has the tape been recovered? Any indication the tape or any information on the tape has been inappropriately misused?

The tape cannot be accounted for, and we cannot confirm the tape or any information on it has or has not been inappropriately misused. While the tape was not encrypted, Mercer indicates it is not the type of media that is readily accessible. Idaho Power disagrees and we are moving forward with our own independent investigation. You will be informed as the investigation progresses.

The FAQ is four pages and is either the most detailed, or one of the most detailed, breach FAQs I can recall seeing. The only thing I don’t spot in the FAQ is a phone number at Idaho Power that people can call.

Add Boise to those impacted by Mercer breach

The Associated Press reports that the names and personal information, including SSN, of about 300 current and former Boise city employees were on a backup computer tape lost by a courier used by Mercer to transport the tape to a storage facility in Washington.