More breaches we didn’t read about
The Maryland Attorney General’s Office web site update reveals a number of breaches in the past few months that were never reported in the media. In addition to other news items reported earlier today on this site, here are some more newly revealed breaches:
- Pension Fund of the U.S.W.U. Local No. 74 reported that in the process of becoming the fund’s third party administrator, Associated Third Party Administrators (APTA) suffered a theft of a laptop at their NYC office on May 28. The laptop contained a file with some pension fund data on fund participants and their dependents: names, addresses, Social Security numbers, copies of drivers’ licenses, other pension-related details, and in some cases, bank account information. The data were not encrypted. APTA was making the notification and offering those affected two years’ worth of free services.
- Northrop Grumman, already under fire from some Virginia legislators over allegedly unsatisfactory work, is also dealing with the loss of a backup drive. The personal data on the drive relates to people working on Northrop Grumman’s contract with NASA that is being performed in NG’s West Virginia facility. The company has not been able to determine who removed the drive from a desk drawer.
- Hitachi Data Systems reported that a company laptop was stolen from an employee’s home. The laptop contained employee information, including Social Security numbers.
- Procter & Gamble reported that a laptop used by their employee benefits administrator, IBM, was stolen. The laptop, which had several layers of password protection, contained some former employees’ names, employee IDs, and Social Security numbers.
- Members Plus Credit Union (MPCU) reported that when they moved offices in September 2008, they hired Olympia Moving and Storage to handle the move and rented moving crates from Rent-A-Crate. When Rent-A-Crate later notified them that one crate had not been returned, but no one reported anything missing, MPCU concluded that Rent-A-Crate had simply miscounted the number of crates provided. But in April 2009, MPCU discovered that a box containing discs of account statement images was missing. The information on the images included names, addresses, and MPCU account information, including the Social Security numbers of those who were MPCU members between December 2000 and November 2001. [Update of Aug. 3: the Boston Globe has caught up with this story.]
- The Washington Examiner reported that a laptop from the Human Resources Department was stolen. But determining what was on the laptop was no easy feat, apparently. Their lawyer writes:
Examiner staff spent last week trying to determine the extent or if there are employee databases on that computer. We think not. While there was no Examiner HR database on the computer stolen, there may have been copies of offer letters or other miscellaneous HR correspondence. That would mean that several hundred names and addresses may be exposed, but there is no customarily vulnerable information like birth dates, social security number or financial account numbers.
The letter mentions some security steps The Examiner is considering in light of the incident. Not listed among the ideas, however, was the notion of knowing with certainty what is on a laptop.
- Davis Vision, a third-party administrator providing vision services, reported that through human error, they had sent secure files containing personal and protected health information on 1,367 members to the wrong third party administrator on eight occasions before they learned of their error.
- CIGNA reported that personal information of some of its insurance members was “acquired or used by an unauthorized person or used for an unauthorized purpose.” CIGNA learned of the breach from one of its HIPAA Business Associates that provided coordination of benefits services. A small group of the vendor’s employees allegedly created documents and screen shots involving members’ information and Social Security numbers and used the information for their own, unauthorized purposes, which seem to have involved the former employees using the information as part of a wage and hour dispute with the vendor. The vendor initiated court proceedings to compel the return of the documents from the former employees.
- Milgard Manufacturing reports that an employee laptop containing Social Security numbers and information on several current and former employees was stolen.
Some companies reporting breaches have terminated contracts with vendors or have terminated employees as a result of their breaches:
- Policy Studies, Inc. (PSI) reported that a former employee has been arrested and indicted for unauthorized transfer of names, Social Security numbers, and in some cases, bank account information. The former employee allegedly attempted to sell the information, but reportedly only managed to sell it to law enforcement officers. All information stolen has reportedly been recovered. The incidents occurred between October of 2008 and April of 2009.
- State Farm Insurance reported that a California agent’s employee used the personal information of a policyholder to open a credit card. State Farm decided to alert all customers of the California agent.
- Boeing Stores, Inc. reported that a breach of a third-party vendor that hosted boeingstores.com resulted in their customers’ credit card information being potentially accessed between 2008 and June 2009. The company has terminated their contract with that vendor. Customers were to be notified last week.
- Kubota Credit Corporation (KCC) reported a case of fraud/identity theft involving an application for a revolving credit account through East Carolina Equipment. It seems that KCC suspected that someone who previously applied for credit through East Carolina Equipment had their personal information misused to try to obtain more credit from KCC. The company notes:
East Carolina Equipment was an independent dealer authorized to sell equipment and tractors made by various companies, including Kubota Tractor Corporation. As of June 11, 2009, East Carolina Equipment is no longer authorized to sell Kubota equipment or to finance equipment through KCC.