Everywhere you look, there are breaches we didn’t know about…

Here are summaries of some other breach reports recently filed with the Maryland Attorney General’s Office.   I’ve tried to sort them or organize them somewhat  as I am going through them.  Some of the incidents affect only a few individuals, while others impact many more.  Most of them have never been reported in the media or on this blog before, although a few are updates and not new reports:

E-mail Gaffes

  • An e-mail attachment gaffe by a Deloitte Tax LLP professional resulted in the recipient receiving a file with name, SSN, and December 2009 pay slip.  The recipient notified his employer of the error and deleted the file.
  • Another gaffe, this one by a GEICO field representative, revealed other field representatives’ and their dependents’ names, SSN, dates of birth, and whether the field representatives were enrolled in GEICO’s health plan or other benefits plans.

It’s In the Mail

  • Wells Fargo reports that a package containing a customer’s name, address, SSN and date of birth was sent to the wrong address.  The notification doesn’t explain what happened to the package, though.  Was it recovered?  Was it opened by the party at the incorrect address?  It’s hard to evaluate risk without a bit more detail.

Or It’s in the Fax

  • On  Sept.  10,  Ameriprise Financial Solutions notified the state that a process they used to confirm RiverSource annuity account cash withdrawal requests with their partner, Wells Fargo Investments, was using an incorrect fax number.  As a result, customers’ names,  addresses, SSN,  annuity contract number and Wells Fargo brokerage account number were being sent to another company.

Or Maybe It’s Stolen..

  • Ameriprise Financial Solutions seems to be having a rough year filing breach reports.  Apart from the missing UPS shipment reported in February (and previously covered on this blog),  and in addition to the fax error breach reported above, they have made four additional breach reports to Maryland this year.  In letters dated June 3,   July 2, July 9, and July 14, Ameriprise  reports that a backup hard drive stolen from an independent contractor’s office contained clients names, addresses, SSN, and financial information.    The total number of individuals affected was not reported.
  • Brian Krebs broke the story of the Serco breach back in May.  If you want to see Serco’s notification to Maryland, you can view it here.  They report that one of the missing electronic files contained names, addresses, phone numbers, email addresses, and SSN.   In light of the sensitive data, it’s not clear to me why Serco didn’t offer those affected any free services or why it’s not written into the government’s contract with them that in the event of a breach of this kind, they are required to provide such services.
  • Science Applications International Corporation (SAIC) notified the state on June 30 that backup tapes stolen in May contained personal information such as names and SSN, and in some cases, date of birth.  The notification does not indicate the number of individuals affected, nor the location of the backup tapes, and what format the data were in or any security on the tapes.
  • Darden Restaurants reported a laptop was stolen from a car in Florida.   Darden is the parent corporation of Olive Garden, Red Lobster, Longhorn Steakhouse, the Capital Grille,  Bahama Breeze, and Seasons 52.  The employee information on the laptop included employee ID numbers, addresses, dates of birth, SSN, and salaries of “certain current Darden employees.”

Change the code.  Test.  Rinse. Repeat.

  • CareFirst BlueCross BlueShield notified the state on September 21 that on July 9, they began capturing Writing Agents’ SSN and/or Tax Identification Number so that they could get the proper commission for consumer accounts they signed up.  But “due to a programming error, the SSN of the Writing Agent was visible on the application through the contracted broker’s portal and may have been viewed by the individual applicant.”  The error was spotted by an agent on August 6, but the exposure reportedly existed between July 9 and August 20.

Over-Exposed

  • Morgan Keegan was in the news recently when the Alabama Securities Commission announced it was investigating how a CD with confidential MK data on over 18,000 clients wound up in the hands of a Birmingham attorney.  The attorney returned the disk, and the investigative  report hasn’t been released yet, but now you can read Morgan Keegan’s breach report to Maryland.
  • The Atlanta Housing Authority was informed that when it had provided  a file containing a requested Microsoft Excel spreadsheet on its programs to both a journalist and a local advocacy group, the spreadsheet  contained the clients’ names, addresses, and SSN.  The personal information was not immediately evident on opening the file.

So Near and Yet so Far…

  • Chesapeake Energy Commission reported that a box with reports containing 957 owners’ names, addresses, and SSN fell off the truck belonging to Chesapeake’s shredding vendor.   They sent people out immediately to try to recover all documents, but…. yes, better safe than sorry.

Now here’s a thoughtful employer:

  • When Airgas Inc. conducted a scan of all company computers, they determined that a subset were infected with malicious software.   They then wrote to all employees who had used the compromised computers to inform them of the possibility that if they had used the company computer to login to any personal/financial accounts, their login details may have been captured.  The company encouraged them to change any logins and also offered affected employees free credit monitoring services.

Stay tuned… there are more breach reports to wade through and “I’ll be back.”  Don’t forget to check PHIprivacy.net for other breach reports that may not be cross-posted here.

About the author: Dissent