A puzzling USAA Federal Savings Bank breach report and 10 more reports

Here are another 11 breach notifications submitted to the Maryland Attorney General’s Office. These were filed in May and June, and in all but one case, we didn’t know about them through the media or other sources.

A breach involving USAA Federal Savings Bank had previously been noted on this site, but there’s more to the story, perhaps. As background: in March, the bank notified the Maryland Attorney General’s Office of an incident involving unauthorized access to and misuse of customer data that occurred on February 23. According to their notification, the fraud was traced back to an employee of an unnamed third party vendor. The vendor reportedly assured USAA that the employee was terminated on February 24. Should be the end of the story, right? Not quite. In May, USAA notified both the Maine Attorney General’s Office and the Maryland Attorney General’s Office that an employee of a third party vendor had compromised a customer’s account on April 8. In their report to Maryland, they note that this incident was related to the incident report that they had filed in March, but do not explain how, if the employee was fired on February 24, he compromised another account (or accounts) in April. Was there more than one employee involved or did they not adequately cut off his access… or? Curious.

Prepaid Solutions reported that through its OceanPay and WebPower programs, it provides prepaid payroll cards for customers, while its third party vendor, Travelex Currency Services, facilitates the making of payroll payments by wire or draft. A computer system error on Travelex’s part exposed participants’ beneficiary information to each other, including names, financial institutions, account numbers, and addresses of beneficiaries.

HSBC Taxpayer Financial Services reported that due to a software error, letters sent to some clients were included in other clients’ envelopes. The letters included names, addresses, and account numbers. The mailing error occurred during the period of June 2009 through April 13, 2010, but HSBC says that it was only a “very limited breach of customer data.”

Bank of America reported that their entity LandSafe Credit was notified by a customer, American Fidelity Mortgage Inc. (AMFI), that a credit report was accessed by an unauthorized third party using a login assigned to AMFI.

Redwood ERC-Management reported that after completing the purchase of assets from the bankrupt Erickson Retirement Communities, they discovered that prior to their acquisition, a folder containing ERC employees’ personal information had been inadvertently shared in an Outlook folder accessible to anyone with an ERC login. The personal info included employees’ names, SSN, and financial account numbers. The new management firm, on behalf of Senior Living (previously ERC), notified 7,300 Maryland residents of the incident.

CaridianBCT reported that for a period of four days in May (hmmm… that sounds like it could be a movie title), a folder with current and former employees’ information, including names, addresses, dates of birth and SSN was available on a shared internal drive.

Chartis Insurance reported that a laptop was stolen from an employee’s car. The good news is that it was encrypted. The bad news is that a piece of paper with the password written on it was also in the car.

Novartis Vaccines and Diagnostics reported that after being notified by two customers of fraudulent activity on their credit cards that had been traced back to the company, an investigation indicated that a security guard working for a third party vendor accessed paper files in the accounts receivable office. Those files contained names, addresses, and credit card numbers for customers who placed orders over the telephone. As part of its response to the incident, the firm stopped maintaining paper records of telephone orders involving credit card data.

Experian filed reports in May and June concerning unauthorized access to credit reports. In the May report, First Bank & Trust East Texas had consumer information accessed.

T-Mobile USA informed the state that “pursuant to an internal investigation,” they had uncovered the unauthorized use of 22 customers’ credit cards by a T-Mobile employee in a call center. The computer system was not breached in this incident, and T-Mobile doesn’t say what triggered the internal investigation.

K. Hovnanian Enterprises reported that a spreadsheet containing employees’ and contractors’ names and SSN was inadvertently exposed on the firm’s internal server. Approximately 799 individuals may have had their data exposed.

That’s all for now, folks. After wading through reports, I need more coffee!

About the author: Dissent