27 December 2007 - Alleged Source Code Thief Arrested
A woman has been arrested and is being held on charges that she
allegedly stole US $12 million worth of sensitive data from her former
employer, Hinjewadi (India) based 3DPLM Software, just days before
leaving her job there. Anjali Sharma allegedly used her work computer
to send source code to her husband. Sharma's alleged actions violate a
non-disclosure agreement she signed when she began work at 3DPLM.
http://www.dnaindia.com/report.asp?newsid=1141842
27 December 2007 - List Identifies Dubious Music Download Sites
The Center for Democracy and Technology (CDT) has released a list of 34
websites it says are misleading users by implying that mainstream music
can be downloaded from them. The sites charge subscription fees, which
users may assume are used to pay royalty costs, but the listed websites
have not obtained the necessary licensing agreements to distribute the
music. Instead, users are provided peer-to-peer file sharing software,
which is often available at no cost elsewhere, and given instructions
on using filesharing networks.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=205203862
26 December 2007 - Disk Containing UK Police Data Found at Recycling Center
An obsolete computer that had been sent out to be recycled was found to
contain personally identifiable information of an unspecified number of
employees, including police officers, of Devon and Cornwall (UK) Police.
Assistant Chief Constable Bob Pennington has issued an apology and says
the incident is under investigation. Normally, disks are wiped clean
before computers are sent to be recycled. The disk containing the
information was found by a man looking for parts at a recycling center.
http://news.bbc.co.uk/2/hi/uk_news/england/devon/7160490.stm
22 December 2007 - Identity Thief Targets Municipal Court Website
An identity thief apparently entered random Social Security numbers
(SSNs) into the Franklin County (Ohio) Municipal Court website, hoping
to find a match. According to police, the thief stole personally
identifiable information, such as names, ages and addresses of hundreds
of people, and used the information to open bank accounts and credit
cards. The site contains information about people convicted of
misdemeanors; the data theft affects people from Ohio, Kentucky, South
Carolina, Texas, and Wyoming.
http://www.coshoctontribune.com/apps/pbcs.dll/article?AID=/20071222/NEWS01/712220309/1002
22 December 2007 - FBI Compiling Huge International Biometric Database
The FBI's Next Generation Identification system will gather biometric
data of individuals around the world into the single largest database
of such information. The goal of the US $1 billion system is to allow
law enforcement authorities worldwide to identify suspected criminals.
The FBI has already begun compiling facial, fingerprint, and palm
information. In addition, at employers' requests, the FBI will retain
fingerprint information of employees who have undergone criminal
background checks.
http://www.eweek.com/article2/0,1895,2240010,00.asp
10 December 2007 - Russian Chat Bots Gather Information
An artificial intelligence program circulating in Russian chat forums
flirts with human users in an attempt to get them to divulge personally
identifiable information. People have fallen prey to CyberLover because
it is difficult for them to tell that they are not talking with a real
person. The program can create up to 10 relationships in 30 minutes,
and assembles dossiers for each relationship that include names, contact
information and photographs. So far, CyberLover has just been spotted
in Russian chat rooms, but others are urged to use caution while
chatting.
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62035388-39000005c
10 December 2007 - Thieves Steal Data Center Equipment
Thieves dressed as police told employees at a Verizon data center in
Kings Cross in London that they were looking into reports of people on
the roof of the building. The thieves then tied up the employees and
stole computer hardware from the facility. The data center is used by
a number of financial institutions.
http://www.theregister.co.uk/2007/12/07/verizon_datacentre_robbery_investigation/print.html
7 December 2007 - Bank Customer Data on Stolen Laptop
A laptop computer stolen from a Citizens Advice Bureau employee's car
in Ireland contains personally identifiable information belonging to as
many as 60,000 individuals. The data include bank account numbers,
National Insurance numbers, names, addresses and dates of birth of
people who contacted CAB for advice; the data were encrypted. The chief
executive of Ireland CAB has apologized to affected customers. The data
pertain to people from the Belfast area and go back four or five years.
http://www.guardian.co.uk/uklatest/story/0,,-7135536,00.html
23 November 2007 - French Digital Content Pirates Could Lose Internet Service
A new anti-piracy enforcement body would have the authority to cut off
Internet service to people who do not comply with requests to stop
engaging in copyright violating behavior. The "three strikes" plan
would allow people two warnings before their service is rescinded.
French Prime Minister Nicolas Sarkozy has endorsed the move, calling it
"a decisive moment for the future of a civilized Internet."
http://www.dailytech.com/France+Unveils+Plan+to+Cut+Service+to+Internet+Pirates/article9762.htm
http://news.bbc.co.uk/2/hi/technology/7110024.stm
23 November 2007 - MPAA Asks Universities to Install Monitoring Software
The Motion Picture Association of America (MPAA) has sent letters to 25
US universities it has identified as having the greatest number of
downloads of pirated movies over their networks asking them to install
an MPAA-supplied custom toolkit to help "illustrate the level of
filesharing on [their schools'] networks." The reports generated would
be "strictly internal and ... confidential." A closer look at the
toolkit raises serious privacy and security flags. The toolkit is set
up to call back to MPAA servers immediately upon being deployed to check
for updates, so the MPAA would have the IP address of the computer
running the toolkit. The toolkit also sets up an Apache web server on
the machine, which is likely to be visible to the Internet.
Administrators could set up usernames and passwords for access to the
server, but they are never prompted to.
http://blog.washingtonpost.com/securityfix/2007/11/mpaa_university_toolkit_opens_1.html?nav=rss_blog
22 November 2007 - Chinese Online Service Internet Cafe Sued for Movie Piracy
Five Hollywood movie studios have joined forces to sue Chinese online
movie and television provider Jeboo.com and an Internet cafe in Shanghai
for making 13 movies available for download and viewing in violation of
copyright laws. Jeboo.com allegedly created the software used by the
cafe to download the pirated films. The studios are seeking 3.2 million
yuan (US $432,500) collectively for legal costs and damages. A
statement on the Jeboo.com website maintains all content is "legally
obtained."
http://www.pcworld.com/printable/article/id,139878/printable.html
19 November 2007 - Targeted Attacks Spoof Dept. of Justice & Better Business Bureau
There are reports that targeted email messages with malicious
attachments are spreading; these messages appear to come from the US
Department of Justice (DOJ) and the Better Business Bureau (BBB) and
address the recipients by name. The bodies of the messages refer to
complaints made against the recipients and/or their companies. The
attachments accompanying the messages contain malware hidden in
screensaver files.
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62034626-39000005c
http://www.vnunet.com/vnunet/news/2203920/companies-warned-doj-virus
17 October 2007 - Proposed Law Would Let ID Theft Victims Seek Restitution
Proposed legislation in the US Senate would allow victims of identity
fraud to seek restitution for costs incurred as a result of the data
theft. Under the Identity Theft Enforcement and Restitution Act
(S.2168), the current US $5,000 minimum loss from computer damage would
no longer be a prerequisite for prosecution.
http://www.msnbc.msn.com/id/21336074/
16/17 October 2007 - Stolen Laptop Holds Home Depot Employee Data
A laptop computer stolen from a car contains personally identifiable
information of approximately 10,000 Home Depot employees from across the
country. No customer information was affected. The laptop was stolen
from a manager's car while it was parked outside his home. Police are
investigating the theft. The compromised data include names, addresses
and Social Security numbers (SSNs). Affected employees have been
notified of the data breach by letter. The manager violated company
policy by leaving the computer in his car. The data were protected by a
password, but it is not known if they were encrypted.
http://www.nytimes.com/aponline/technology/AP-Home-Depot-Stolen-Laptop.html?_r=1&ei=5088&en=b1e8c9da4440f08a&ex=1350360000&oref=slogin&partner=rssnyt&emc=rss&pagewanted=print
http://www.thebostonchannel.com/news/14353117/detail.html
15 October 2007 - Missing TSA Computers Contain Driver Employee Data
Two Transportation Safety Administration (TSA) laptop computers are
missing from a contractor's office. The computers, which officials
presume were stolen, contain information about commercial drivers who
transport hazardous materials. The data include names, addresses,
birthdates and commercial driver's license numbers of 3,930 individuals;
some Social Security numbers (SSNs) are included as well. The
contractor said the information had been deleted from the computers
before they disappeared, but TSA investigators have determined that the
data could still be recovered from the machines. In the wake of the
theft, the TSA has instructed the contractor to encrypt hard drives.
http://www.examiner.com/a-990833~2_TSA_contractor_laptops_with_personal_information_are_missing.html
15 October 2007 - Louisiana Student Data on Lost Storage Device
Storage media lost by data storage firm Iron Mountain include personally
identifiable information gathered by the Louisiana Office of Student
Financial Assistance (LOSFA). The incident is under investigation by
state and local police. The breach affects individuals who applied for
and/or participated in LOSFA administered programs. Accessing the data
on the storage device would "require special software specific computer
equipment and sophisticated computer skills." LOSFA is working to
notify all affected individuals.
http://www.katc.com/Global/story.asp?S=7217462
12 October 2007 - Former Employee Convicted of Destroying Company Data
A disgruntled former Pentastar Aviation employee has been convicted of
breaking into company computers and destroying data. Joseph Patrick
Nolan failed to sign a separation agreement by the deadline given him
after he resigned from the company. He assumed he would be paid for his
final two weeks, but the absence of a signed agreement meant no
paycheck, which angered him. Nolan later gained access to Pentastar's
computer system and destroyed payroll and personnel data. He faces up
to 10 years in prison and a US $250,000 fine when he is sentenced in
January.
http://www.darkreading.com/document.asp?doc_id=136137&f_src=darkreading_default
12 October 2007 - Pair Gets Jail Time for Spam
Jeffrey A. Kilbride and James R. Schaffer have received prison
sentences for their roles in a spam operation. Kilbride and Schaffer were
prosecuted for CAN-SPAM violations as well as fraud, money laundering,
and obscenity charges. They launched their spam operation in 2003; when
the CAN-SPAM Act was passed later that year, the men tried to make it
appear their business was located overseas by logging into servers in
Amsterdam remotely, and directing income from their scheme to bank
accounts in the Republic of Mauritius and the Isle of Man. Kilbride was
sentenced to six years in prison, while Schaffer received a sentence of
slightly more than five years. They were also fined US $100,000,
ordered to pay US $77,500 in restitution to AOL, and must forfeit more
than US $1 million in proceeds from their scheme.
http://www.theregister.co.uk/2007/10/15/smut_spam_sentencing/print.html
10 October 2007 - Stolen Laptops Hold Carnegie Mellon Univ. Student Data
Two laptop computers stolen from the locked office of a Carnegie Mellon
University computer science professor hold personally identifiable
information of approximately 400 students. While the theft occurred on
or around September 2, affected individuals were not notified of the
breach until September 29. The breach is believed to affect students
who took courses from the professor between summer 2004 and spring 2006.
http://www.securitypronews.com/news/securitynews/spn-45-20071009ProfsLaptopsStolenAtCarnegieMellon.html
10 October 2007 - Manager Responsible for Stolen Ohio Tape Loses One Week of Vacation
The payroll team leader for the Ohio Department of Administrative
Services' Administrative Knowledge System (OAKS) ERP project will lose
one week of vacation time for failing to make sure the data on a stolen
backup tape were secure. The tape, which was stolen from an Ohio state
government intern's car in June, contains personally identifiable
information of nearly 84,000 current and former Ohio state employees and
more than 47,000 state taxpayers. A department spokesperson says that
when similar projects are undertaken in the future, the department will
have people whose primary focus is data security.
http://www.theregister.co.uk/2007/10/10/official_penalized_following_data_breach/print.html
10 October 2007 - Former Police Officers Get Jail Time for Unauthorized Computer Access
Two former UK police officers have received jail sentences for using
their police connections to tap phone lines and gain unauthorized access
to computers while running a detective agency. Jeremy Young was
sentenced to 27 months and Scott Gelsthorpe to 24 months. The agency,
called Active Investigation Services (AIS), was started in 1999 and was
detected after BT (the primary phone company in the UK) investigators
noticed someone tampering with telephone lines. The ensuing
investigation revealed the extent of AIS's illegal activities. The man
observed tampering with the phone lines received a 14-month jail
sentence, and two men who ran a different detective agency that used
similar methods received 10-month and three-month sentences.
http://www.theregister.co.uk/2007/10/10/police_private_detective_hacking/print.html
9 October 2007 - Computer and Data Thief Draws 21-Month Sentence
Joseph Nathaniel Harris has been sentenced to 21 months in prison for
stealing medical record data. In August and September 2004, Harris was
employed as a branch manager at the San Jose (California) Medical Group;
he was asked to leave his position following a number of thefts in the
office. In May 2007, Harris pleaded guilty to health-care related theft
for stealing a computer from the San Jose Medical Group along with a DVD
holding patient data such as names, Social Security numbers (SSNs) and
medical diagnoses. Approximately 187,000 patients were affected by the
breach. Harris was also ordered to pay US $145,154 in restitution.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/10/10/BA6VSN2NJ.DTL
8 October 2007 - Stolen Laptop Contains Sensitive Financial Data
A laptop computer stolen from an HMRC (HM Revenue and Customs)
employee's car on September 20 contains personal and financial data of
at least 400 people. The employee had information from financial
institutions about account holders for the purpose of conducting a
routine audit. The police have been notified, and the HMRC will
investigate the incident, which does not involve a third party
contractor. The data on the computer are reportedly protected by
"complex password and top level encryption." HMRC is urging the
financial institutions to inform their clients about the breach.
http://www.theregister.co.uk/2007/10/08/hmrc_lost_laptop/print.html
5 October 2007 - Managed Services Firm Sees Increasing Attacks Against Utilities
Managed security services company SecureWorks says it has seen a 90
percent increase in cyber attacks against its US utilities clients in
the last nine months. SecureWorks counts 100 US utilities among its
1,800 clients, and noted that between January and April of this year,
it blocked an average of 49 attacks against each utility each day. That
figure increased to an average of 93 attacks per day for the period
between May and September. "Web browser threats represented a large
number of the attacks," according to SecureWorks director of development
Wayne Haber.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202300190
4 October 2007 - RIAA Wins US $222,000 in Damages in Copyright Case
In the first music piracy case to go to trial, a Minnesota jury has
found Jammie Thomas liable for copyright infringement and said she must
pay US $222,000 - US $9,250 for each of 24 songs listed in the lawsuit.
Thomas was found liable even though the plaintiff, the Recording
Industry Association of America (RIAA), did not have to prove a
file-sharing program was installed on her computer when they examined
her hard drive, nor did they have to prove that it was actually Thomas
at the keyboard. The evidence included the defendant's Internet protocol
(IP) address and cable modem identifier associated with sharing 1,700
files.
http://blog.wired.com/27bstroke6/2007/10/riaa-jury-finds.html
http://www.usatoday.com/money/media/2007-10-04-downloading-music-trial_N.htm
29 Sept 2007 - Woman in Greece Arrested for Allegedly Stealing Hospital Data
Greek authorities arrested a woman for allegedly sending files from her
job at a hospital to her home computer. The woman had recently
submitted her letter of resignation at that hospital and was reportedly
working for a rival institution. The files she sent to her home
computer included client information and financial reports.
Investigators found two hard disks containing similar data at the
woman's home.
http://www.ekathimerini.com/4dcgi/_w_articles_politics_100014_29/09/2007_88365
28 Sept 2007 - Stolen Laptop Holds Gap Applicant Data
A laptop computer stolen from a third-party vendor's office holds
unencrypted, personally identifiable information of approximately
800,000 people who applied for jobs with The Gap between July 2006 and
July 2007. The breach affects residents of the US, Puerto Rico and
Canada who applied for jobs with the clothing retailer online or by
phone. The unidentified vendor had been hired specifically to handle
the applicant data.
http://www.theregister.co.uk/2007/09/28/gap_data_breach/print.html
27 Sept 2007 - Former Employee Pleads Guilty to Hacking Cox Communications
A former Cox Communications employee has pleaded guilty to breaking into
the company's networks and disrupting telecommunications service for Cox
customers in Louisiana, Texas and Utah. William Bryant said he caused
the disruption after he was asked to resign. Emergency service was
affected for almost two hours. Bryant's sentencing is scheduled for
December, when he will face up to 10 years in prison and a fine of up
to US $250,000.
http://www.shreveporttimes.com/apps/pbcs.dll/article?AID=/20070927/BREAKINGNEWS/70927009
27 Sept 2007 - Two Indicted for Allegedly Stealing Trade Secrets
Two men have been indicted on charges of conspiracy, economic espionage
and theft of trade secrets for allegedly stealing microchip designs.
Lee Lan and Ge Yuefei allegedly tried to steal proprietary information
from NetLogics Microsystems, for whom they both worked at the time.
Data found on both men's home computers, as well as the fact that they
established a company to develop the stolen technologies, implicates
them further. The men also allegedly stole information from Taiwan
Semiconductor Manufacturing Corporation.
http://news.bbc.co.uk/2/hi/americas/7015916.stm
26 Sept 2007 - "Verified by Visa" Phishing Scam Targets BofA Customers
Phishing emails have been detected that pretend to be related to the
legitimate Verified by Visa program. Participants in the program enroll
their Visa cards so that online transactions will require a password.
The link provided in the message takes people to a fraudulently
constructed site where they are asked to supply their card information
purportedly to activate the authentication program. The message
concludes by threatening that if they do not enroll, their card may be
temporarily disabled, an indication that the email is not legitimate.
The phony messages specifically mention Bank of America (BofA); because
so many people have cards from BofA, the likelihood that these messages
result in theft of financial information is higher.
http://www.theregister.co.uk/2007/09/26/verified_by_visa/print.html
22 Sept 2007 - Another Laptop Theft in Connecticut
A laptop computer stolen from a car earlier this month in Watertown,
Connecticut holds personally identifiable information of individuals
connected with 41 child welfare cases. The computer belonged to a
private consultant and held names, birthdates and allegations that
prompted the involvement of the Department of Children and Families
(DCF), but no financial data. The consultant reported the theft to the
agency the day after it occurred. This information security breach
follows close on the heels of the theft of a laptop computer containing
Department of Revenue Services data for more than 105,000 Connecticut
taxpayers and the revelation that a computer backup tape stolen from a
car in Ohio earlier this year held information about state agency bank
accounts as well as a small number of Connecticut residents.
http://www.wtnh.com/Global/story.asp?S=7108487
http://www.courant.com/news/local/hc-ctaplaptop0922.artsep22,0,924626.story
22 Sept 2007 - Mortgage Data Exposed through Filesharing Network
Personally identifiable information of more than 5,200 ABN Amro Mortgage
customers was leaked to the Internet. A former ABN employee had
BearShare filesharing software installed on her computer, which allowed
the leak of the ABN spreadsheets as well as some of her own personal
information. The leaked data include Social Security numbers (SSNs).
The company is investigating. There is legitimate concern that the
information could be used to commit identity fraud; a man was recently
arrested in Washington state for misusing information he obtained
through filesharing networks.
http://www.theregister.co.uk/2007/09/21/abn_amro_leak_on_bearshare/print.html
21 Sept 2007 - Audit Departments Not Given Enough IT Security Responsibilities
Among respondents to a survey of corporate audit departments, 55 percent
say they do not "have responsibility for auditing risk around
information security and privacy," and half do not have business
continuity oversight. Ninety percent believe the amount of IT security
oversight their departments are assigned should be increased. Most
audit committees said their highest priorities were general risk
management, internal controls and accounting judgments. The survey
gathered responses from 1,300 audit committee members in 25 countries.
http://software.silicon.com/security/0,39024655,39168530,00.htm
21 Sept 2007 - Companies Still Not Taking Adequate Measures to Wipe Used Drives
The percentage of used hard drives containing sensitive data has not
changed much in the last two years. According to statistics from BT
Group, 37 percent of second-hand hard drives still contain confidential
information from their previous users. BT Group examined 350 hard
drives bought in online auctions. Nineteen percent of the disks had
sufficient data on them to identify the organization of origin, and 65
percent contained personally identifiable information. The report,
which has yet to be released, also says that used drives are not highly
reliable; 44 percent of the 133 disks purchased in the UK did not work.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9038221&source=rss_topic17
20 Sept 2007 - German Courts Order eDonkey Servers Shut Down
Following orders from German courts, seven eDonkey servers in Germany
were shut down. The removal of those servers means that approximately
one-third of eDonkey's four million users will not have access to the
filesharing network. eDonkey does not have a parent company; it is a
loose organization with no apparent central control, so authorities
decided to take aim at those operating the servers that enabled the
eDonkey network. Injunctions against servers in France and the
Netherlands have also been issued.
http://technology.timesonline.co.uk/tol/news/tech_and_web/article2504723.ece
3 Sept 2007 - Stolen Johns Hopkins Hospital Computer Holds Patient Data
Johns Hopkins Hospital waited five weeks to inform patients that their
personally identifiable information was on a desktop computer stolen
from an administrative work area. The computer was stolen on July 15,
2007, but the 5,783 people affected by the data security breach were not
notified until August 24. The data include names, Social Security
numbers (SSNs), and medical histories. Evidence gathered from a
surveillance camera suggests a Hopkins employee and an on-site vendor
employee may be involved in the incident. Families of the 1,202
patients who are now deceased are also being notified. The data were
neither encrypted nor password protected.
http://www.baltimoresun.com/news/health/bal-te.theft01sep01,0,6558465,print.story
3 Sept 2007 - Sony Acknowledges Worrisome Software on USB Drives
Sony has acknowledged a recently disclosed security problem with several
of its USB drives. The drives contain software that installs hidden
directories on users' computers, which could allow attackers access to
those computers. Sony says it will have a fix available in the next two
weeks. All models of the affected USB drives have been discontinued.
The software was developed with the intention of "cloaking sensitive
files related to the fingerprint verification feature included on the
USB drives." Sony is investigating the issue.
http://news.bbc.co.uk/2/hi/technology/6975838.stm
1 Sept 2007 - Man Says He Was Fired for Reporting Data Theft to Police
Steven Shields has filed a wrongful termination lawsuit against
Providence Health System. Shields was fired from his job after a thief
broke into his car and stole computer disks and digital tape holding
personally identifiable information of approximately 365,000 Providence
patients. Shields maintains he was fired because he notified police of
the theft. Providence Health System notified affected patients of the
breach three weeks after the theft, which occurred in late December
2005. Providence paid out US $95,000 in a class action lawsuit filed
in response to the breach.
http://www.wweek.com/wwire/?p=9179
27 August 2007 - Former Health Clinic Employee Convicted on Hacking Charges
A federal jury has convicted Jon Paul Olson of intentionally damaging
protected computers. Olson left his job at the Council of Community
Health Clinics (CCC) in San Diego after he received what he believed to
be a negative performance evaluation. Several months after his
resignation, Olson deleted patient data that belonged to the North
County Health Services (NCHS) clinic, causing financial losses at both
CCC and NCHS. Olson had worked for CCC as a network engineer and
technical services manager.
http://sandiego.fbi.gov/dojpressrel/pressrel07/sd082707.htm
27 August 2007 - Government Needs Metrics to Prove ROI for Security Investments
According to former Pentagon officials, it is difficult to obtain
adequate funding for Defense Department information assurance programs.
Despite the increasing frequency of attacks on government networks,
those seeking funding for information security projects are hard pressed
to demonstrate how the funds they request will produce a positive return
on investment (ROI). Former Deputy Assistant Secretary for Defense for
Networks and Information Integration Linton Wells sees the need for
improved metrics to help prove return on investment for information
assurance projects, because the value of the programs appears to be
demonstrated only in times of crisis.
http://www.fcw.com/article103584-08-27-07-Print&printLayout
27 August 2007 - FTC Complaint Targets Company Behind the Spam
A judge has granted a temporary restraining order to stop Sili
Neutraceuticals and its owner Brian McDaid from sending spam messages
advertising herbal weight-loss pills. The order was granted following
a complaint from the US Federal Trade Commission (FTC). The FTC's move
is being applauded because the FTC is targeting the company that pays
for the spam to be sent; most other cases target the company sending the
unsolicited marketing email. A hearing is scheduled for August 27 at
which time a judge will determine whether or not the company's assets
should be frozen until the FTC investigation is complete.
http://www.securecomputing.net.au/news/90644,ftc-files-complaint-against-weightloss-pill-spammer.aspx
26 August 2007 - 35,000 Veterans' Data Stolen
Computer hard drives and paper files stolen from a POW support
organization in Arlington, Texas contain personally identifiable
information of approximately 35,000 US veterans and their families. The
organization, American Ex-Prisoners of War, plans to notify affected
members in a mailing. The theft occurred during the weekend of August
11-12. The data include addresses, dates of birth and Social Security
numbers (SSNs). The Department of Veterans Affairs (VA) is
participating in the investigation that includes the POW organization
and law enforcement authorities.
http://www.estripes.com/article.asp?section=104&article=55899&archive=true
22 August 2007 - Cable & Wireless Customer Data on Stolen Laptop
A former Cable & Wireless employee allegedly stole a laptop computer
that holds personally identifiable information about approximately
100,000 of the UK company's customers. The former employee is being
enjoined from using the data, and C&W is seeking GBP 300,000 (US
$602,400) in damages from her. Seemab Zafar allegedly went on a
business trip to Pakistan in 2005 on behalf of C&W, but did not return
to work as scheduled and was fired.
http://www.contractoruk.com/news/003412.html
16 August 2007 - One in Five US Surfers Are Victims of Internet Scams
According to a survey commissioned by Microsoft, one in five US based
Internet users has fallen victim to an online scam. Of those victims,
81% admitted doing something to compromise their system, such as
clicking on attachments in an email which appeared to be from someone
they trusted. The survey revealed that more than half of those surveyed
"had little or no knowledge of current online threats and scams." The
report highlights that while security tools are important, "people need
to be constantly updated to the threats that exist and how to avoid
them."
http://www.vnunet.com/vnunet/news/2196820/one-five-surfers-fallen-internet-scam
15 August 2007 - National Guard Information Stolen
A thumb drive containing the personal information of every National
Guard soldier in Idaho was stolen from a soldier's car on Monday August
13. The thumb drive containing information on 3,400 soldiers was taken
when other computer equipment and personal items were stolen from the
car. The information on the thumb drive was not encrypted.
http://www.forbes.com/feeds/ap/2007/08/15/ap4020711.html
August 13, 2007 - Microsoft to Release Nine Fixes for This Month's Patch Tuesday
Microsoft is expected to release nine fixes for a range of its products
for this month's Patch Tuesday, August 14. Products impacted include
most versions of the Windows Operating System (including Vista),
Microsoft Office, Internet Explorer, Windows Media Player, Visual Basic
and Virtual PC. Six of the bulletins address vulnerabilities that have
a maximum severity rating of 'critical', Microsoft's highest alert
level. The remaining three patches all carry a maximum rating of
'important.'
http://www.zdnet.co.uk/misc/print/0,1000000169,39288501-39001093c,00.htm
August 12, 2007 - UK Police Database Containing Terrorist Evidence Stolen
Police in the United Kingdom are investigating the theft of a server
containing a database of highly confidential mobile phone records used
by the police in investigating crimes relating to terrorist and
organised criminal gangs. The server was stolen from the offices of a
private company, Forensic Telecommunications Services (FTS), whose clients include Scotland Yard, The Police Service of Northern Ireland,
HM Revenue and Customs and the Crown Prosecution Service. FTS reported
a break-in at their offices over the weekend which resulted in pieces
of IT equipment, including the server, being stolen. All the missing
data were restored within 24 hours and FTS state that all data held on
the server are encrypted.
http://news.independent.co.uk/uk/crime/article2856892.ece
http://news.bbc.co.uk/2/hi/uk_news/england/kent/6943104.stm
August 10, 2007 - Hackers Steal Sensitive Data on 60,000 Norwegians
Hackers gained access to the personal ID numbers of up to 60,000
Norwegians through the website of the telephone operator Tele2. Amongst
the victims is Georg Apenes who is director of Datatilsynet, the
Norwegian data protection agency. The Norwegian ID number is an 11-digit
number that must be kept confidential. When used in conjunction with
other personal information such as names and numbers, it can be used for
ID theft. Tele2 has promised to address the weaknesses in its website
which enabled the attack. http://news.brisbanetimes.com.au/internet-hackers-steal-confidential-data-on-60000-norwegians/20073511-spc.html
http://www.aftenposten.no/english/local/article1930521.ece?service=print
August 9, 2007 - Two More Sentenced in Piracy Case
Two men have been sentenced to 37 months in federal prison for their
involvement in what the government has called "the largest CD and DVD
pirating scheme to be prosecuted in the United States." Ye Teng Wen
and Hao He were also sentenced to three years of supervised release
following their prison terms and fined US $125,000. In June, a third
man involved in the scheme received the same prison sentence but
was also ordered to pay US $6.9 million in restitution. The scheme
involved pirated music, movies, and software; the men admitted to
using phony labels with the FBI Anti-Piracy Seal on the products to
lend them authenticity. http://www.scmagazine.com/us/news/article/730406/california-software-pirates-fined-sentenced/
August 9, 2007 - Six Arrested in International Internet Scam
Six men have been arrested in connection with an Internet scam that
reportedly cost one Australian man AU $1.76 million (US $1.5 million).
The man received an email promising a business contract worth AU
$105.42 million (US $90 million) and had been advancing the thieves
money for approximately one year before he began to be suspicious.
The men were arrested in Amsterdam, where the target had flown to
meet them for an appointment.
http://www.news.com.au/story/0,23599,22214192-23109,00.html
August 8, 2007 - Phishers Go After Tennessee Valley Federal Credit Union Members
About 30 members of the Tennessee Valley Federal Credit Union (TVFCU)
fell prey to a phishing scheme, divulging their account information and
losing thousands of dollars to thieves. TVFCU members were targeted
with telephone calls and emails telling them their accounts were about
to expire and that they needed to call an 800 number and provide
personal information to have their accounts restored. The thieves
made phony debit cards with the stolen account information and used
them to withdraw funds from TVFCU accounts through ATMs.
http://www.newschannel9.com/articles/internet_14598___article.html/computers_people.html
August 8, 2007 - Computers Stolen from Yale Dean's Office
Two computers stolen from the Yale College Dean's Office at Yale
University last month contain Social Security numbers (SSNs) of more
than 10,000 current and former students, faculty, and staff. Yale has
sent notification letters to the affected individuals. The university
determined the content of the computers by examining back-up tapes.
The data "had not been maintained for any purpose." The University
is attempting to reduce the amount of personal data it stores and is
taking steps to encrypt or purge any other files containing SSNs. http://www.yaledailynews.com/articles/view/21093
August 8, 2007 - Missing Flash Drive Holds State Hospital Nurses' Data
A flash drive missing from Patton State Hospital in San Bernardino,
California contains the names and SSNs of approximately 300 registry
nurses. The Department of Mental Health has begun notifying affected
employees by telephone and mail. Having the data on the drive is a
violation of hospital policy. The employee responsible for placing the
information on the drive faces disciplinary action; the information
was put on the drive to help the nurses process their time sheets.
http://www.sbsun.com/news/ci_6569478
August 7, 2007 - Merrill Lynch Computer Stolen
A computer was stolen from Merrill Lynch's corporate offices in New Jersey. The computer reportedly holds personally identifiable information of approximately 33,000 company employees, but no client data. The theft reportedly occurred two weeks ago; law enforcement agencies have been notified.
http://www.cnbc.com/id/20162588
http://www.reuters.com/article/fundsFundsNews/idUSN0723295420070807
August 7, 2007 - First Response Financial Data Theft
UK customers of First Response Financial are being advised to keep an
eye on their accounts following the theft of server storage disks from
the company's Manchester-area office. The stolen data include bank
and credit card information for current and former customers. The
thieves apparently targeted the servers containing these data.
First Response has informed customers' banks directly about the
incident and has sent notification letters to affected individuals.
Police are investigating. http://www.theregister.co.uk/2007/08/07/first_response/print.html
http://www.vnunet.com/vnunet/news/2196201/thieves-steal-uk-finance-house
August 6, 2007 - VeriSign Employee Data on Stolen Laptop
A laptop computer stolen from a VeriSign employee's car holds
personally identifiable information of an unspecified number of
company employees. Although company policy requires that such
information on laptops be encrypted, these data were not. The data
include names, addresses, birth dates, salary information and Social
Security numbers (SSNs). VeriSign has disabled the stolen laptop's
access to the company computer network, and the employee from whose
car the computer was stolen no longer works at VeriSign. The computer
was stolen on July 12 or 13; notification letters sent to employees
were dated July 25. http://www.theregister.co.uk/2007/08/06/verisign_laptop_theft/print.html
August 3, 2007 - Stolen Computer Holds Capital Health Patient Data
One of four laptop computers stolen from a Capital Health office in
the Edmonton, Alberta (Canada) area contains personally identifiable
information of approximately 20,000 patients. The theft occurred on
May 8, but notification letters were sent on August 2 because the
organization needed time to confirm the addresses of the affected
patients. While the data are not encrypted, Capital Health uses
software that locks computer hard drives. A similar data breach
incident in 2006 prompted the Privacy Commissioner to recommend that
personal and health data not be stored on laptop computers unless
deemed necessary, in which case it should be encrypted. The data
include names, addresses, personal health care numbers, and reasons
for hospital admission.
http://www.edmontonsun.com/News/Alberta/2007/08/03/pf-4390118.html
August 3, 2007 - Sixty Percent of IRS Employees Succumb to Social Engineering
Auditors from the Treasury Inspector General for Tax Administration
Office (TIGTA) conducted a test in which they telephoned employees and
contractors at the IRS and, pretending to be IRS help-desk workers,
asked them to provide their usernames and temporarily change their
passwords to ones they suggested. Sixty percent of those telephoned
complied with the request. A similar test in 2004 netted just 35
percent and in 2001, 71 percent changed their passwords. That test
prompted "corrective actions" designed to increase awareness of
social engineering tactics. The most recent test involved 102
employees. Just eight of the people who received phone calls responded
appropriately by "contacting either the audit team, the TIGTA Office
of Investigators, or the IRS computer security organization to validate
[the] test as being part of an official TIGTA audit."
http://news.com.com/8301-10784_3-9754689-7.html?part=rss&subj=news&tag=2547-1_3-0-20
August 2, 2007 - Storm Worm's Huge Botnet
The Storm worm has reportedly infected nearly 2 million computers, "10
times more than any other email attack in the last two years." The
concern that those behind this worm want to do more than just use the
zombie PCs to send spam is growing; the attackers may be planning to use
the botnet to launch a massive distributed denial-of-service (DDoS)
attack. Small portions of the huge botnet have already been used to
launch DDoS attacks; an attack that uses all of the compromised
computers would have far-reaching and potentially serious consequences.
There is speculation that the people behind the Storm worm were
responsible for attacks against Estonian government and commercial
websites earlier this year. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201202711
August 2, 2007 - Man Arrested for Hacking Cyclist's eMail
A Danish man could face up to 18 months in prison if convicted of
charges of illegally obtaining someone else's email. The man allegedly
broke into the email account of cyclist Michael Rasmussen and attempted
to sell messages to a newspaper. Rasmussen was ousted from a Tour de
France team on July 25 because he allegedly lied to drug testers about
his whereabouts before the race.
http://www.bradenton.com/462/story/112328.html
July 25, 2007 - Number Affected by Fidelity National Breach Grows
Fidelity National Information Services is now saying that the number of
consumer records stolen by a former employee is closer to 8.5 million.
When the check-authorizing company acknowledged the theft earlier this
month, the initial estimate of affected consumers was 2.3 million.
William G. Sullivan, the former Fidelity employee, allegedly sold the
information to a data broker, who in turn sold the data to direct
marketers. Fidelity National is not related to Fidelity Investments.
http://money.cnn.com/news/newsfeeds/articles/newstex/AFX-0013-18404346.htm
July 24 & 26, 2007 - FBI, Chinese Police Arrest 25, Seize Pirated Software Worth Half a Billion
The FBI and Chinese police have seized millions of dollars worth of
counterfeit Microsoft software. The FBI estimates the seized pirated
software is worth approximately US $500 million; Microsoft estimates the
group sold US $2 billion worth of pirated software. Twenty-five people
have been arrested in raids on the group's production plants in the
southern Chinese province of Guangdong. Information crucial to tracking
down the pirates was obtained through Microsoft's Windows Genuine
Advantage (WGA) program, which "forces users of some versions of Windows
to validate their copy of the operating system with Microsoft when
updating their software." The pirated software was being manufactured
in China and distributed worldwide. The operation, dubbed "Summer
Solstice," began in 2005 and resulted in the takedown of "the biggest
software counterfeiting organization we have ever seen by far,"
according to David Finn, Microsoft associate general counsel for
worldwide piracy and counterfeiting issues.
http://www.theregister.co.uk/2007/07/24/microsoft_fbi_bust_counterfeit/print.html
http://news.bbc.co.uk/2/hi/technology/6917127.stm
July 24, 2007 - GAO Audit Finds VA IT Equipment Missing
A Government Accountability Office (GAO) audit of equipment inventories
at four Veterans Affairs (VA) medical centers found that more than 25
percent of IT equipment at the Washington DC center was unaccounted for.
The three other medical centers examined in the audit could not account
for between six and 11 percent of their equipment. In all, more than
2,400 pieces of equipment, with an original value of US $4.6 million,
could not be accounted for. Not only did the findings of the audit
raise concerns about wasteful spending, but they accentuate an already
damaged data security profile at the agency. The VA says that in the
three months since the audit was completed, they have located most of
the missing equipment. http://www.govexec.com/story_page.cfm?articleid=37563
July 20, 2007 - Tokyo policeman loses job for using peer-to-peer file-sharing software
The case of a policeman who lost his job for using peer-to-peer (P2P)
file-sharing software is a reminder to companies of the importance of
computer security and control. Find out more about this case here.
http://www.sophos.com/news/2007/07/winny-fired.html
July 20, 2007 - D'oh! Spammers exploit interest in The Simpsons Movie
Be careful to ensure that you aren't responding to unsolicited email
surveys! A new spam campaign exploits interest in "The Simpsons Movie",
due to be released in cinemas this month; the article explains the
dangers of following links in junk emails. http://www.sophos.com/news/2007/07/simpsons.html
July 19, 2007 - Movie Pirate Gets 300 Hours of Community Service
A New Zealand man was sentenced to 300 hours of community service for
movie piracy. Frederick Higgins says he took the movie from the
post-production house where he worked for his own viewing; he says he
destroyed the copy at work. Higgins appears to have made no money from
his actions. The judge maintained that the pirated copies of the movie
that had become available must have their origins with the copies
Higgins stole. Higgins has been fired.
http://www.nzherald.co.nz/topic/story.cfm?c_id=137&objectid=10452390
July 18, 2007 - Former FBI Analyst Sentenced for Stealing Secret Documents
Former Marine Leandro Aragoncillo has been sentenced to 10 years in
federal prison for providing classified information to people attempting
to overthrow the Philippine government. Aragoncillo served under two
vice presidents and as an FBI intelligence analyst where he had
clearance that allowed him access to the FBI's Automated Case Support
computer system. He used his clearance to access documents pertinent
to the Philippines. He admitted to passing national security documents
classified as secret to Philippine contacts. Aragoncillo pleaded guilty
to four counts of an indictment, one of which was Unlawful Use of a
Government Computer. Aragoncillo was also fined US $40,000.
http://newark.fbi.gov/dojpressrel/2007/nk071807.htm
July 11, 2007 - Former Boeing Employee Charged with Computer Trespass
A former Boeing quality assurance inspector has been charged with
computer trespass for allegedly accessing information without
authorization and passing it to the media. Gerald Lee Eastman allegedly
copied the documents to a portable drive between September 2004 and
April 2006. More than 300,000 pages of internal Boeing documents were
found at Eastman's home. Authorities arrested Eastman last year, and
shortly thereafter, Boeing fired him. Eastman was reportedly
"disgruntled" with Boeing's lack of attention to the concerns he noted
about flaws in the parts inspection process. If he is convicted on all
counts, Eastman could face up to 57 months in prison.
http://news.bbc.co.uk/2/hi/business/6290400.stm
July 10, 2007 - Five-Year Sentence for Data Theft
Binyamin Schwartz has been sentenced to five years in prison for gaining
unauthorized access to personally identifiable information of more than
100,000 individuals and trying to sell data to someone who turned out
to be an undercover Secret Service agent. Schwartz was employed as a
software consultant at an insurance firm. Schwartz's sentence also
includes two years of supervised release and he was ordered to pay his
former employer more than US $500,000 in costs related to the incident.
He was convicted on charges of identity theft, aggravated identity
theft, access device fraud, and wire fraud.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9026701&taxonomyId=17&intsrc=kc_top
July 10, 2007 - Man Gets 25 Years for Hacking Teens' Webcams
Mark Wayne Miller was sentenced to 25 years in prison followed by
supervised release for life for breaking into webcams and
surreptitiously watching and recording minors in their own homes. In
January 2006, Miller pleaded guilty to computer intrusion and sexual
exploitation of children. At that time, he was already on probation and
a registered sex offender. He allegedly shared the recordings he made
with other people. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201001050
June 27, 2007 - Lost Flash Drive Holds Bowling Green State Univ. Student Data
Approximately 18,000 current and former Bowling Green State University
(BGSU) students are being notified that their personally identifiable
information is on a missing flash drive. An accounting professor
reported the drive missing on May 30. The data loss affects students
from 1992 through to the present; 199 students' SSNs are included in the
data, but after 1992, BGSU switched from SSNs to university-generated
unique identifiers. Other data on the drive include names and grades.
http://toledoblade.com/apps/pbcs.dll/article?AID=/20070627/NEWS08/70627020
June 27, 2007 - Phony eMails Claim to Provide Microsoft Patch
The SANS Internet Storm Center is getting reports of emails that claim
users need to download a fix for a zero-day flaw in Microsoft Outlook.
The spear phishing emails appear to come from Microsoft and include the
recipients' full names and company names, but have misspellings in other
places. The emails appear to try to trick recipients into visiting a
site that looks like a Microsoft site. Microsoft recommends users view
site certificates to ensure their legitimacy. http://www.scmagazine.com/us/news/article/667467/researchers-warn-bogus-microsoft-patch-spam/
June 27, 2007 - MySpace Taken Over By Hackers Building Botnets
MySpace pages have been changed so they infect visitors to
those pages. According to Johannes Ullrich of the Internet Storm Center,
the pages exploit an old (2006) Internet Explorer bug. Ullrich also said MySpace is an increasingly popular target for attackers.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=200001122
June 26, 2007 - More Guilty Pleas in Pirated Software Sales
Two more people have pleaded guilty to selling pirated Rockwell
Automation software on eBay. Robert Koster pleaded guilty to selling
more than US $5 million worth of software for a profit of US $23,000;
Yutaka Yamamoto pleaded guilty to selling more than US $540,000 worth
of software for a profit of US $6,000. The two will be sentenced in
November. They face penalties of up to five years in jail, a fine of
US $250,000 and three years of supervised release. Seven other
individuals have already been convicted of selling Rockwell Automation
software.
http://www.theregister.co.uk/2007/06/26/ebay-software_piracy_convictions/print.html
June 26, 2007 - Two Convicted Under CAN-SPAM
A federal jury has convicted two men on multiple charges relating to a
spam operation advertising pornographic web sites. Jeffrey Kilbride and
James Schaffer earned US $2 million in commission for setting up the
scheme. Kilbride and Schaffer were among the first people to be charged
under the CAN-SPAM Act. The charges of which they were found guilty
include money laundering, conspiracy and fraud. Sentencing has been set
for September 2007; the pair could face five years in prison for each
CAN-SPAM offense and fines of up to US $500,000. Three accomplices have
already entered guilty pleas.
http://www.theregister.co.uk/2007/06/26/can_spam_convictions/print.html
June 25, 2007 - More Los Alamos Security Breaches
Two more data security breaches linked to Los Alamos National Laboratory
(LANL) have come to light. In May, a LANL employee took his work laptop
with him on vacation to Ireland; the computer was stolen from his hotel
room. The computer holds sensitive government documents and is equipped
with an export-controlled encryption card. The employee violated lab
policy by taking the computer to Ireland, but if he had asked
permission, his request would likely have been granted. LANL is
reportedly undertaking an inventory of all lab laptops and replacing
many of them with desktop computers. Also, less than two weeks ago, a
LANL scientist sent highly classified information over the open Internet
to colleagues at another site; the scientist should have used a secure
network. This email is separate from the January incident in which
board members communicated about highly classified nuclear information
over the regular Internet. http://www.msnbc.msn.com/id/19418769/site/newsweek/page/0/
June 25, 2007 - Stolen Laptop Holds Ohio Workers' Compensation Data
A laptop computer stolen from an auditor's home contains personally
identifiable sensitive information belonging to 439 injured workers.
The auditor was working for the Ohio Bureau of Workers' Compensation
(BWC). The theft occurred on May 30, but BWC administrator Marsha Ryan
was not informed of the theft until June 15. The revelation follows
close on the heels of the theft of a backup tape containing personally
identifiable information of hundreds of thousands of Ohioans; that tape
was stolen from an Ohio State office intern's car. BWC will notify
affected workers and employers.
http://www.middletownjournal.com/hp/content/oh/story/news/state/2007/06/25/ddn062507bwcweb.html
June 24, 2007 - Stolen Laptop Holds Prince's Sensitive Data
A laptop computer stolen from an accountant's car in the UK contains
personal information about Prince Charles. The data on the computer are
believed to include the Prince's vital account number, sort code, and
national insurance number. The accountant from whose car the computer
was stolen works for Moorepay, the firm that handles wages for the Duchy
of Cornwall estate.
http://www.people.co.uk/news/tm_headline=-pound-15m-charles--bank-secrets-stolen--&method=full&objectid=19347215&siteid=93463-name_page.html
June 22, 2007 - Australian Authority Fines Spammers
The Australian Communications and Media Authority has imposed a fine of
AU $11,000 (US $9,305) on Pitch Entertainment Group for violating the
country's Spam Act. Pitch allegedly sent more than one million
commercial text messages with no viable unsubscribe options. IMP Mobile
has been fined AU $4,000 (US $3,384) for the same violation. Repeat
offenses could be punished with much higher fines.
http://australianit.news.com.au/story/0,24897,21949015-5013044,00.html
June 22, 2007 - DrinkorDie Piracy Ringleader Gets 51 Month Sentence
Hew Raymond Griffiths, a British national living in Australia, was
extradited to the US in February 2007 where last week he was sentenced
to 51 months in prison for his role in orchestrating the DrinkorDie
international digital piracy group. Griffiths spent three years in
detention in Australia while fighting his extradition. It is unknown
if the time served in Australia will be subtracted from his sentence in
the US. Griffiths could have been given a maximum sentence of 10 years
in prison and a US $500,000 fine.
http://www.zdnet.co.uk/misc/print/0,1000000169,39287700-39001093c,00.htm
June 21, 2007 - BSA Nets GBP 250,000 (US $500,000) Settlement
An unnamed UK firm will pay the Business Software Alliance GBP 250,000
(US $500,000) as an out-of-court settlement for using unlicensed
software. The average settlement paid to BSA last year was GBP 10,000
(US $20,000). The company, which was not named for legal reasons, was
using unlicensed copies of Adobe, Autodesk and Microsoft software on PCs
at a number of sites.
http://www.zdnet.co.uk/misc/print/0,1000000169,39287658-39001084c,00.htm
June 20, 2007 - Stolen Laptop Holds Texas First Bank Data
A laptop computer stolen from a car in Dallas, Texas contains sensitive,
personally identifiable information of about 4,000 Texas First Bank
customers. The computer was protected with technology designed to
prevent unauthorized access. The computer belonged to a former Texas
First Bank online banking vendor; the vendor informed the bank of the
theft immediately.
http://www.khou.com/news/local/stories/khou070622_jj_bankid.4056cb0.html
June 14, 2007 - Winny Blamed for Police Data Leak
Winny filesharing software installed on a Japanese policeman's private
computer allowed approximately 10,000 documents and images to be
uploaded onto the Internet. The documents include investigative records
and personally identifiable information of individuals being
investigated. In March of this year, Japan's National Police Agency
directed all officers to check for the Winny filesharing software on
their personal computers. This particular officer apparently indicated
he did not have the software on his computer. He was identified as the
culprit because his resume was among the information exposed.
http://www.yomiuri.co.jp/dy/national/20070614TDY01004.htm
June 13, 2007 - Phisher Draws Six-Year Sentence
The first person to be convicted by a jury under the CAN-SPAM Act has
been sentenced to nearly six years in prison. Jeffrey Brett Goodin used
hijacked Earthlink accounts to send email messages to AOL subscribers
that appeared to come from AOL's billing department. The email messages
directed recipients to visit sites where they were asked for sensitive
personal and financial information. The messages implied that if they
did not supply the data requested, their AOL accounts would be
suspended. Goodin was convicted not only of violating the CAN-SPAM Act,
but also of wire fraud, unauthorized use of credit cards, and attempted
witness harassment.
http://www.theregister.co.uk/2007/06/13/aol_fraudster_jailed/print.html
June 12 & 13, 2007 - Sydney Opera House and Art Museum Sites Infected with Malware
Google search results have warned users in the last few days that the
web sites of the Sydney Opera House and the Sydney Museum of
Contemporary Art "may harm [users'] computers." Malware was apparently
detected on both web sites. The Sydney Opera House has taken steps to
remove the Trojan software from its web site. A third party will now
check that site's security on a regular basis. A museum spokesperson
said their site has been fixed as well.
http://www.theage.com.au/news/security/virus-blight-spreads-to-museum-site/2007/06/13/1181414340831.html
http://www.smh.com.au/articles/2007/06/11/1181414219766.html
June 12, 2007 - Hackers spread illegal child content through web message boards
Sophos experts have warned web hosts of the dangers of not screening
content posted on internet message boards, following the discovery
that legitimate web pages have been taken over by cybercriminals using
forums to promote child pornography.
http://www.sophos.com/news/2007/06/message-boards.html
June 11, 2007 - Amero supporters form The Julie Group
Supporters of Julie Amero, the former substitute teacher who was granted a new trial months after being convicted of exposing her students to pop-up porn, have formed an advocacy group to help people facing similar courtroom battles. http://ecm.hbpl.co.uk/re?l=evvfpsIfvlxf5I6
June 11, 2007 - Trojan Hides in Phony Security Bulletin
A message claiming to be a cumulative update for Internet Explorer with
the title "Microsoft Security Bulletin MS06-4" has been sent to users.
A link provided in the email claims to be the patch, but actually allows
a malicious file on a remote server to install malware on users'
computers. The websites hosting the malicious downloader code have been
shut down.
http://www.scmagazine.com/us/news/article/663626/beware-fake-microsoft-security-advisories-say-researchers/
June 6, 2007 - Substitute Teacher Granted New Trial - Verdict Thrown Out
Julie Amero's conviction has generated controversy because security experts believe that malware could have hijacked her PC to force it to visit adult websites. The PC is said to have not been running a firewall or anti-malware software. http://www.sophos.com/pressoffice/news/articles/2007/06/amero.html
June 6, 2007 - Data on Missing Bank Disk Not Encrypted
A computer disk containing names, addresses, dates of birth and mortgage
account numbers of 62,000 Bank of Scotland customers is missing. The
Bank of Scotland, a subsidiary of HBOS, sends a disk with customer data
to a credit reference agency every month. This month, however, the disk
was sent through the regular post instead of a secure post service,
which is usually the case. Furthermore, the data on the disk sent each
month are usually encrypted, but the data on this particular disk were
not encrypted. Bank of Scotland has sent letters of apology to affected
customers. Another HBOS subsidiary, Halifax Building Society,
apologized to 13,000 mortgage customers earlier this year after personal
data were stolen from an employee's car. http://www.theherald.co.uk/news/news/display.var.1443290.0.0.php
June 1, 2007 - Police Data on Stolen Laptop
A laptop computer stolen from a software company contains personally
identifiable information of approximately 97,000 Texas law enforcement
agency employees. The company that possessed the computer stores such
data for the Texas Commission on Law Enforcement. Affected individuals
were notified of the breach by email in May. http://www.kxan.com/Global/story.asp?S=6601344
June 1, 2007 - Mother's Keylogger Helps Nab Online Predator
A UK mother concerned about her son's online activities installed
keylogging software on his computer. When she retrieved the data, she
learned that a man from the US had been "grooming" her 15-year-old son
for abuse. She contacted the police, who in turn notified US
Immigrations and Customs investigators. Jason Bower was arrested last
November as he boarded a plane bound for England to meet the boy. Bower
has pleaded guilty to charges against him and will face a minimum prison
sentence of five years.
http://www.theregister.co.uk/2007/06/01/spyware_mum_foils_pervert/
May 31, 2007 - Former Manager Pleads Guilty to Stealing Computers
A man who once managed the San Jose (Ca.) Medical Group's McKee branch
has pleaded guilty to stealing computers and a CD that contained
personal medical information of approximately 200,000 patients. Joseph
Nathaniel Harris managed the practice between August and September 2004;
two computers and the disk were reported missing in March 2005. At that
time, the medical group sent letters to approximately 185,000 patients
to notify them of the data security breach. The complaint against
Harris alleges he stole the computers in late March 2005. Shortly
before that theft, computers were also stolen from another of Harris's
former employers. All of the stolen computers were found for sale
on Craigslist with email addresses linking them to Harris. The disk was
found in Harris's car. Harris was indicted in January 2006. If
convicted of all charges against him, Harris could be sentenced to 10
years in prison and fined US $250,000 and ordered to pay restitution.
http://www.mercurynews.com/ci_6029308?source=most_viewed
http://sanfrancisco.fbi.gov/dojpressrel/2006/sf011906.htm
May 18, 2007 - Convicted Movie Pirate Loses Appeal
A Hong Kong man convicted of making movies available for download over
the BitTorrent peer-to-peer (P2P) file-sharing network has lost his
appeal. Chan Nai-ming will serve a three-month prison sentence for
distributing three movies, "Daredevil," "Miss Congeniality," and "Red
Planet," in 2005. The defense argued that Chan merely uploaded the
movies but did not distribute them; the judges said that by his actions,
Chan "enabled people to download" the films.
http://www.theage.com.au/news/Technology/Hong-Kong-man-loses-Internet-piracy-appeal/2007/05/18/1178995401345.html
May 17, 2007 - Former Los Alamos Employee Pleads Guilty to Taking Data
A woman who used to work for a contractor at Los Alamos National
Laboratory as an archivist has pleaded guilty to stealing classified
data. Jessica Lynn Quintana admitted to printing out some documents,
downloading others onto a flash drive, and taking them all home. She
was stripped of her security clearance, and faces up to a year in prison
and a fine of US $100,000, as well as five years' probation. There was
no indication as to why she took the data home.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199601495
May 15, 2007 - BSA Says Software Piracy Rate Remained Steady
According to statistics from the Business Software Alliance (BSA), the
software piracy rate among businesses worldwide has remained constant
at 35 percent since 2003. The piracy rate in China has dropped from 92
percent to 82 percent over the past three years, owing in large part to
"government intervention." The rates in the US, the UK and Western
Europe have remained steady at 22 percent, 27 percent and 36 percent,
respectively. The BSA says governments need to do more to encourage
companies to use licensed software.
http://news.bbc.co.uk/2/hi/technology/6654033.stm
May 15, 2007 - IBM Tapes Lost After Traffic Accident
Computer tapes holding personally identifiable information of current
and former IBM employees were lost following a traffic accident near
Armonk, NY on February 23, 2007. The tapes were in a contractor's
vehicle, en route to a permanent storage location. The contractor has
not been named. Some customer account information was also on the
tapes. IBM recently sent letters to affected employees notifying them
of the situation. IBM also placed an advertisement in a local paper
asking for the return of the tapes. A spokesperson declined to say how
many people were affected, but did note that some of the tapes were
encrypted.
http://www.theregister.co.uk/2007/05/15/ibm_missing_tapes/print.html
May 11, 2007 - Google Research Finds 10 Percent of Web Pages Hold Malware
According to research from Google, 10 percent of web pages contain
malicious code. Google closely analyzed 4.5 million web pages over the
course of a year and found that approximately ten percent, or 450,000,
had the capability of installing malware without users' knowledge. An
additional 700,000 pages are believed to be infected with code that
could harm users' computers. The company says it has "started an effort
to identify all web pages in the Internet that could be malicious."
Most entice users to visit the dangerous pages through tempting offers,
and exploit holes in Microsoft Internet Explorer (IE) to install
themselves on users' computers. Google also examined the vectors used
by attackers to infect these web pages; most malicious code was located
in elements beyond the control of website owners, such as banner
advertisements and widgets.
http://news.bbc.co.uk/2/hi/technology/6645895.stm
http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf
May 5, 2007 - Missing TSA Hard Drive Holds Info. on 100,000 Employees
The US Transportation Security Administration (TSA) has acknowledged
that a hard drive containing personally identifiable information of
approximately 100,000 current and former employees is missing. The
breach affects individuals employed by the TSA between January 2002 and
August 2005. The payroll data on the drive include names, Social
Security numbers (SSNs) and bank account and routing numbers. Employees
were notified of the situation by email on Friday, May 4. The TSA
became aware the drive was missing from the TSA Headquarters Office of
Human Capital on May 3; the FBI and the US Secret Service have been
asked to investigate.
http://www.usatoday.com/news/washington/2007-05-04-harddrive-tsa_N.htm?csp=34
May 3, 2007 - Maryland Dept. of Natural Resources Thumb Drive Lost
A lost thumb drive holds personally identifiable information of
approximately 1,400 Maryland Park Service Rangers and Natural Resources
Police officers. The Department of Natural Resources (DNR) information
dates back to the 1970s and includes names and SSNs. The president of
the State Law Enforcement Officers Labor Alliance has written to the DNR
secretary to find out why someone was permitted to download that
information to the portable device and remove it from the office.
http://www.baltimoresun.com/news/local/bal-dnrstory0503,0,2665140.story?coll=bal-local-headlines
May 2, 2007 - Revealed: The top ten web and email threats of last month
Sophos has released a report revealing the most prevalent malware
threats causing problems for computer users around the world during
April 2007. Find out now which attacks are causing the biggest
problems worldwide, and read more about the rising threat posed by
web-based threats.
http://s673.link.sophos.com/toptenapr07?pl_id=9
May 1, 2007 - Donated City of Champaign Computer Holds Police Data
A computer donated to charity by the city of Champaign, Illinois
contains the names and SSNs of 139 of the city's police officers. The
city donated 50 computers last year, including five to the Champaign
Consortium, a not-for-profit job assistance center. One of those
computers appeared not to be working, so it was taken to a computer
service shop, where the sensitive data were discovered.
http://www.news-gazette.com/news/local/2007/05/01/data_about__officers_left_on_donated
April 26, 2007 - Four Plead Guilty to Selling Pirated Software on eBay
Four men have pleaded guilty to selling pirated software on eBay.
Between the four of them, they made a profit of about US $122,300 on
counterfeit copies of Rockwell Automation software valued at US $19.1
million. Each of the defendants faces up to five years in prison and a
fine of US $250,000. Three other defendants have already received
felony convictions in the case.
http://www.infoworld.com/article/07/04/26/HNfourpleadguilty_1.html
April 26, 2007 - Judge Says UW-Madison Must Provide Student Identities to RIAA
A federal judge has ruled that the University of Wisconsin, Madison
(UW-Madison) must disclose the identities of 53 students whom the
Recording Industry Association of America (RIAA) says have been sharing
music over the Internet. The RIAA filed a John Doe lawsuit to obtain
the names, addresses, phone numbers, email addresses and Media Access
Control, or MAC addresses associated with specific IP addresses from
which files were allegedly traded. The RIAA could use the information
to file lawsuits against those individuals, although they will likely
start with settlement offers. However, as Ken Frazier, interim CIO at
UW-Madison, points out, there is a very "imperfect relationship" between
an IP address and an individual.
http://www.madison.com/wsj/home/local/index.php?ntid=131102
April 25, 2007 - Ohio University Bans P2P From Campus Network
Ohio University (OU) has outlawed peer-to-peer (P2P) filesharing over
its networks. According to OU CIO Brice Bible, "peer-to-peer file
sharing consumes a disproportionate amount of resources, both in
bandwidth and human technical support." As of Friday, April 27, OU will
monitor the campus network for P2P activity; computers found to be
violating the new policy will be cut off from Internet access. OU's
policy decision comes in the wake of a wave of "prelitigation letters"
from the Recording Industry Association of America (RIAA), sent to
colleges and universities, including OU.
http://www.ohio.edu/students/filesharing.cfm
April 25, 2007 - Report: Fears that a Data Breach Could Ruin Business
A new report from McAfee found that of more than 1,400 IT professionals
surveyed, a third fear that a major data security breach could put their
company out of business. Despite the fact that 60 percent of
respondents said their companies had experienced data loss in the last
year, they reported spending just 0.5 percent of their IT budgets on
data security. Sixty-one percent of respondents believe data leaks are
caused by people within the organization, and 23 percent believe those
leakages are of malicious intent.
http://www.computing.co.uk/itweek/news/2188528/breaches-worry-firms
April 24, 2007 - Neiman Marcus Employee Data Compromised
A notebook computer stolen from a pension consultant holds personally
identifiable information of approximately 160,000 current and former
employees of the Neiman Marcus Group. The data include names,
addresses, SSNs and salary information. The theft affects employees
hired prior to August 30, 2005. Neiman Marcus plans to contact everyone
whose data were on the computer. Neiman Marcus learned of the theft on
April 10, though it had occurred several days earlier.
http://www.wfaa.com/sharedcontent/dws/bus/stories/042507dnbusneiman.40beadd.html
23 April, 2007 - Software Pirate Sentenced to Two Years in Prison
A man who owned and operated a web site providing paid subscribers with
unlimited access to pirated software has been sentenced to two years in
federal prison. Ronnie A. Knott was convicted of criminal copyright
infringement and will serve three years of supervised release when his
prison term is completed. His site was taken down in May 2006 following
an FBI investigation. Knott earned approximately US $20,000 from
subscriptions to his site; the software he had made available had a
total value of US $2.5 million.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199200544
April 22, 2007 - Targeted Attacks Using Malicious Office Docs on the Rise
There have been an increasing number of attacks involving maliciously
crafted Microsoft Office files. The manipulated files are generally
sent as email attachments to specific people; if a document is opened,
the attacker can gain control of the user's computer and from there,
explore the internal computer network. The attacks have been targeting
employees at US federal agencies and nuclear and defense contractors.
Just over a year ago, the number of such attacks detected was one or two
a week; in March 2007, one security company intercepted 716 emails with
malicious files at 216 agencies and organizations. Such an attack
helped intruders gain access to computers at the US State Department.
http://www.usatoday.com/tech/news/computersecurity/2007-04-22-cyberspies-microsoft-office_N.htm?csp=34
April 20, 2007 - Card Readers Found on ATMs in Three California Supermarkets
Employees at three WinCo supermarkets in the Inland area of southern
California found evidence that card readers had been placed on ATMs in
the stores; people who used the ATMs within the last month are being
urged to check their bank statements. Card reading devices were
recovered from machines at stores in Pomona and Moreno Valley; Velcro
found on a machine at a store in Temecula indicated a reader had been
in place but had been removed before authorities arrived.
http://www.pe.com/localnews/inland/stories/PE_News_Local_S_scam21.ac606b.html
April 20, 2007 - Stolen Laptop Holds Proprietary Information About Unreleased Films
A laptop computer stolen from a Rutland, Vermont movie production studio
contains a considerable amount of proprietary information. The
information includes material from two movies that are scheduled to be
released later this year. It is unlikely the laptop's content was the
thieves' target; surveillance video indicates they were on a "drunken
rampage." Other offices in the same complex were burglarized as well.
http://www.rutlandherald.com/apps/pbcs.dll/article?AID=/20070420/NEWS01/704200371/1002/NEWS01
April 20, 2007 - Contract Employee Arrested for Computer Sabotage at CA Power Facility
A California man has been arrested for allegedly interfering with
computers at the California Independent System Operator (Cal-ISO)
agency, which "controls the state's power transmission lines and runs
its energy trading markets." Lonnie Charles Denison's "security access
was suspended at the request of his employer based on an employee
dispute." The allegation is that when his attempt at a remote cyber
intrusion failed, Denison gained physical access to the facility with
his card key; apparently not all access had been suspended. Once inside
the facility, Denison allegedly broke the glass protecting an emergency
power cut-off station and pushed the button, causing much of the data
center to shut down. Cal-ISO was unable to access the energy trading
market, but the power transmission grid was unaffected.
http://www.theregister.co.uk/2007/04/20/terrorists_among_us_flee_flee/print.html
April 17, 2007 - Japanese Company Sues Former Employee for Leaking Data
The Japanet Takata mail-order company is suing a former employee for
allegedly leaking customer data. Japanet's lawsuit seeks 110 million
yen (US $929,000) in damages. The defendant allegedly conspired with
another former employee to copy information about more than 500,000
Japanet customers onto a portable memory device in 1998. The pair then
allegedly leaked the information to outsiders, costing Japanet 2.57
billion yen (US $21.7 million) in losses. The defendant denied
involvement with the incident during arbitration. Japanet knows he
cannot pay the amount sought by the lawsuit; what the company really
wants is for him to admit his culpability.
http://mdn.mainichi-msn.co.jp/national/news/20070417p2a00m0na011000c.html
April 17, 2007 - Two Arrested in UK for Wireless Piggybacking
Police in the UK arrested two people in separate incidents for using
wireless Internet connections without authorization. Both were arrested
within the last month, and both were arrested while using a laptop
computer in a parked car. Law enforcement officials could pursue
charges under the Computer Misuse Act, which would have a maximum
penalty of five years imprisonment; however, in both these cases, police
charged the individuals under dishonesty laws instead. Two years ago,
another man was given a 12-month conditional discharge for a similar
offense.
http://www.theregister.co.uk/2007/04/18/uk_war_driving_arrests/print.html
April 16, 2007 - Fifth Conviction in P2P Crackdown
A Georgia man faces up to five years in prison for distributing
copyrighted content over a peer-to-peer (P2P) filesharing network. Sam
Kuonen pleaded guilty to charges of conspiracy to commit copyright
infringement and criminal copyright infringement in violation of the
Family Entertainment Copyright Act. Kuonen's arrest came as part of the
US Department of Justice's Operation D-Elite, a crackdown on copyright
infringement enabled by Elite Torrents, a P2P network that offered
music, movies, software and games, sometimes before they were available
in stores. Federal agents shuttered Elite Torrents in May, 2005.
Kuonen apparently uploaded digital content to a network for others to
download. He is the fifth person to be convicted in Operation D-Elite.
In addition to the possible five years in prison, Kuonen could also face
a fine of US $250,000 and three years of probation.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199100239
April 14 & 15, 2007 - Newspaper Publisher Accused of Stealing Proprietary Data
In March, Par Ridder, publisher of the St. Paul (Minn.) Pioneer Press
abruptly left that job to become publisher of its rival newspaper, the
Star Tribune, in Minneapolis. Pioneer Press has filed a lawsuit
alleging that Ridder violated a non-compete agreement by taking the job
and that he took significant amounts of proprietary data, including
budgets and advertising pricing data. The lawsuit asks that Ridder and
other Pioneer Press executives who moved to the competing newspaper
along with him be barred from working at the Star Tribune for one year.
A Pioneer Press staffer who was dispatched to Ridder's new office to
retrieve his Pioneer Press laptop, arriving just a week after Ridder
announced his departure, found someone copying information from the
laptop. He was ultimately asked to wait
in the lobby for an hour. When he brought the laptop back, there was
evidence that nearly "all the data had been copied to an external
storage device that day."
http://news.postbulletin.com/newsmanager/templates/localnews_story.asp?a=290750
http://www.winonadailynews.com/articles/2007/04/14/mn/02minpublisher14.txt
April 13, 2007 - Stolen Bank of America Laptop Holds Employee Data
A laptop computer stolen from a Bank of America (BofA) employee holds
personally identifiable information of an unspecified number of current
and former BofA employees. Compromised data include names, addresses,
dates of birth and Social Security numbers (SSNs). BofA has sent
letters to individuals whose data were compromised; the letter says
there is no indication the information has been misused and offers
recipients two years of free credit monitoring. Limited information has
been made available regarding the circumstances of the theft because it
is under investigation.
http://charlotte.com/123/story/83747.html
April 13, 2007 - Contractor Allegedly Stole Port of Tampa Employee Data
A contractor at the Tampa (Fla.) Port Authority has been arrested for
allegedly stealing the personal information of people who hold Port of
Tampa access badges and using it fraudulently to apply for credit cards.
Daniel E. Glenn has been charged with offense against intellectual
property to defraud or obtain property. While working as a computer
technician for Tampa Port Authority contractor Siemens Building
Technologies, Glenn allegedly told Port Authority employees he needed
access to the security badge database to repair corrupted data. He then
allegedly copied information of thousands of access badge holders and
applied for credit cards in the names of approximately 20 individuals.
Law enforcement agents recovered the stolen data from Glenn's home. He
has been suspended with pay from Siemens while the company investigates
the allegations.
http://www.sptimes.com/2007/04/13/news_pf/Business/Port_of_Tampa_employe.shtml
http://www.tbo.com/news/metro/MGBTN5P0G0F.html
13 April 2007 - Former Social Security Administration Employee Charged in Identity Fraud Case
A former Social Security Administration employee has been charged with
disclosing personally identifiable information taken from a government
computer. Jennifer Batiste allegedly passed the stolen data to Craig
Harris, who used them to commit identity fraud to the tune of US $2.5
million. Batiste is charged with conspiracy, accessing a protected
computer to conduct fraud, and disclosure of a Social Security number
(SSN). If convicted on all charges, she could be sentenced to as many
as 15 years in prison. Harris pleaded guilty last fall to charges of
conspiracy and unlawful possession of a means of identification. When
he is sentenced in July, he could face up to 10 years in prison.
Batiste allegedly received US $20 for each query she ran that obtained
information for Harris.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199000813
April 12, 2007 - UK Policeman Gets Jail Time for Stealing Data from Police Database
A UK police officer who provided personal information from a national
police database to a known violent offender has had his sentence
increased to nine months in jail. James Andrew Hardy was originally
given a 28-week suspended sentence and 300 hours of community service;
Hardy pleaded guilty to malfeasance in a public office for accessing the
police national computer database with the intent of providing Martin
Jolley with personal information of three people. An appeal from the
Attorney General increased his punishment to nine months in jail.
Jolley wanted the information to take retaliatory measures against
certain individuals. Jolley also pleaded guilty to counseling and
procuring Hardy to commit the crime. Hardy's sentence could have been
18 months, but the court took into account time served while awaiting
trial and his promptness in completing his community service.
http://www.theregister.co.uk/2007/04/16/leak_officer_jailed/print.html
April 12, 2007 - US Government gets C- Grade on Security
The annual computer security report cards for federal agencies were
released on April 12. The grades reflect how well the agencies have
complied with the requirements established by the Federal Information
Security Management Act (FISMA). Overall, the government received a
grade of C-minus, a step up from last year's overall grade of D-plus.
Nine agencies received lower grades than they did last year; NASA fell
from a B-minus in 2005 to a D-minus in 2006. Eight agencies received
failing grades. The Department of Veterans Affairs did not submit
enough information to be awarded a grade. FISMA author Rep. Tom Davis
(R-Va.) has a plan to address criticism of the law, which focuses
largely on it being an exercise in paperwork rather than a true measure
of computer security. Next year, agencies will receive extra points for
beating a "White House deadline for meeting new federal computer
security standards," which include "ensur[ing] that any existing or
newly purchased personal computers that use Microsoft Windows XP or
Vista software platforms include certain default settings."
http://www.washingtonpost.com/wp-dyn/content/article/2007/04/12/AR2007041201010_pf.html
April 10 & 11, 2007 - Lost Disk Holds Info. of 2.9 Million Georgia Residents
A computer disk lost in transit contains personally identifiable
information of approximately 2.9 million Georgia residents who receive
services from the Medicaid and PeachCare for Kids health care programs.
The data include names, addresses, Social Security numbers (SSNs) and
member identification numbers, but no medical information. The CD was
lost by Affiliated Computer Systems (ACS), a contractor working for the
Georgia Department of Community Health (DCH). DCH has asked that ACS
notify all those affected by the breach and help them to monitor their
credit reports.
http://www.theregister.co.uk/2007/04/11/georgia_data_loss/print.html
http://dch.georgia.gov/vgn/images/portal/cit_1210/19/38/80010015Public_Notice-Missing_Personal_data.pdfl
April 9 & 11, 2007 - Computer Stolen from Fla. Child Welfare Agency
Police in Ft. Lauderdale, Florida are investigating the theft of a
laptop computer from ChildNet, a Broward County child welfare agency
non-profit contractor. The stolen laptop holds personally identifiable
information of approximately 12,000 adoptive and foster care families.
Police believe the thieves wanted the information to commit identity
fraud; they have identified one former ChildNet employee as a suspect
in the theft. He has been fired. ChildNet plans to notify all those
whose data were compromised; parents of children whose data were exposed
will be notified as well. The data include financial and credit
information, SSNs, driver's license numbers and passport numbers. There
are apparently no full backups of the information except for paper
documents. ChildNet has taken steps to protect data in the future.
http://www.local10.com/news/11624491/detail.html
http://cbs4.com/topstories/local_story_099223111.html
April 6, 2007 - Stolen Laptops Contain Chicago Public School Teachers' Data
Chicago Public Schools (CPS) is planning to notify current and former
employees that their personal information was on two laptop computers
stolen from an office at CPS headquarters on April 6. The breach
affects approximately 40,000 current and former employees who
contributed to the Teacher Pension Fund between 2003 and 2006. The data
include names and SSNs, but not addresses or dates of birth. CPS plans
to email current employees and post information on the web for former
employees. Surveillance cameras have an image of a suspect in the
robbery and there is a US $10,000 reward for information leading to the
return of the stolen computers. This is the second time in less than a
year that CPS has had to inform employees about a data breach. In
November 2006, personally identifiable information of 1,740 former
employees was exposed in a staff mailing about health insurance.
http://www.daily-journal.com/archives/dj/display.php?id=392152
April 6, 2007 - Backup Tapes Lost in Transit
A locked shipping case containing backup tapes from Florists' Mutual
Insurance Company parent company Hortica has been lost in transit.
Hortica provides employee benefits and insurance to companies in the
horticultural industry. The container disappeared en route from a
secure off-site facility to company headquarters in Illinois. UPS
informed Hortica that the case was lost on April 5, 2007. Hortica has
changed its backup procedure to eliminate the need for transportation
by common carriers. The data on the tapes include names, SSNs, driver's
license numbers and bank account numbers.
http://www.pr-inside.com/hortica-alerting-public-to-loss-of-r87434.htm
April 5, 2007 - Web Site Defacement May Have Compromised Customer Data
Security Title Agency in Phoenix, AZ is warning customers that their
personal information was put at risk of theft when the company's web
site was defaced several weeks ago. Security Title stores customer
information on the same server that hosts its web site. Security Title
says there is no indication the intruders stole information, but they
cannot be certain they did not. The company is providing customers with
free credit monitoring.
http://ktar.com/?nid=6&sid=440413
April 5, 2007 - Navy Computer Sabotage Draws One-Year Prison Sentence
A former government contractor has been sentenced to one year in prison
for sabotaging Navy computers after his company's bid for another
project was not accepted. Richard F. Sylvestre has pleaded guilty to
one count of damaging protected computers; he could have faced up to 10
years in prison. Sylvestre's company at the time, Ares Systems, had a
contract to maintain computers for the Navy's 6th Fleet in Naples,
Italy. Sylvestre admitted to placing malicious code on the Navy
computers. The computers were used to help submarines navigate and
avoid collisions with undersea hazards and other submarines. Sylvestre
has also been ordered to pay a fine of US $10,000 and will serve three
years probation following his release from prison. He has repaid the
Navy US $25,000 for damages.
http://content.hamptonroads.com/story.cfm?story=122352&ran=199274
April 5, 2007 - Former Morgan Stanley Employee Allegedly Stole Company Data
A former Morgan Stanley employee has been charged with conspiracy for
allegedly stealing proprietary information. Ronald Peteka allegedly
took hedge fund client data and used them in an attempt to set up a
consulting firm with another former Morgan Stanley employee. Peteka
allegedly received the information from a former Morgan Stanley computer
consultant, Ira Chilowitz, who was arrested in July 2006 and charged
with conspiracy, theft and unauthorized computer access. Chilowitz
pleaded guilty to the charges in February 2007.
http://www.consumeraffairs.com/news04/2007/04/id_morgan_stanley.html
April 3, 2007 - FCC Order Takes Steps to Protect Telecom Customer Data
The US Federal Communications Commission (FCC) has issued an order that
places tighter restrictions on telecommunications companies regarding
the release of customer records. Carriers may not release customer
records unless the customer provides a password. Otherwise, the records
may be sent to the address of record or provided by the telecom company
calling the telephone number of record. Companies are also required to
inform customers about changes made to their accounts and must obtain
customer consent before sharing data with a third party. The order
comes in the wake of the Hewlett-Packard pretexting case, in which a
private investigator obtained phone records of company directors,
employees and journalists in an effort to determine the source of an
information leak at the company. The US Telecom Association is unhappy
with the order, calling it "an extremely anti-consumer outcome."
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=198702073
March 30, 2007 - Stolen Disk Holds Univ. of Montana-Western Student Data
The University of Montana-Western is notifying between 400 and 500
current and former students that their personally identifiable
information was on a computer disk stolen from a professor's office last
week. The data include SSNs, names, dates of birth and addresses. The
students affected by the data security breach are all enrolled in the
school's TRIO Student Support Services Program, formerly the Educational
Opportunity Program. Police are investigating the incident.
http://www.havredailynews.com/articles/2007/03/30/local_headlines/state.txt
March 30, 2007 - Missing Computers Hold Navy Data
Three laptop computers have been reported missing from the Navy College
Office in San Diego. The computers may contain sailors' personally
identifiable information, including SSNs, names, rates and rankings.
Those potentially affected by the data security breach are "Sailors and
former Sailors homeported on San Diego ships from January 2003 to
October 2005 and who were enrolled in the Navy College Program for
Afloat College Education." The Naval Criminal Investigative Service
(NCIS) "is investigating the incident as a possible theft" and is
working with San Diego police to recover the computers.
http://www.military.com/features/0,15240,130657,00.html
March 29, 2007 - Man Sentenced to 27 Months for Selling Pirated Software
An Indiana man who pleaded guilty to selling counterfeit software over
the Internet has been sentenced to 27 months in federal prison.
Courtney Smith sold more than US $700,000 worth of pirated Rockwell
Automation software through eBay auctions, earning just over US $4,000
from the sales.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=198701097
March 29, 2007 - EMT Fired for Stealing Patient Data
An emergency medical technician (EMT) has been fired from the University
of Illinois Medical Center at Chicago (UIC) for allegedly using his
position to access sensitive patient data. Leslie Langford was charged
with eight counts of felony identity theft. He allegedly accessed
records of 243 patients, but just eight records were allegedly misused.
The data include Social Security numbers (SSNs) and driver's license
numbers. Langford was arrested on February 23; the hospital sent
affected patients breach notification letters on March 8. Hospital
administrators received a tip about the activity and were able to
determine through the electronic record keeping system which employee
was accessing the data, and which data were being accessed.
http://abclocal.go.com/wls/story?section=local&id=5164853
http://www.chicagotribune.com/news/local/chi-070329uic,1,3234070.story?coll=chi-news-hed
March 26, 2007 - eBay Fraudster Arrested in Budapest
A Bulgarian woman faces up to 30 years in prison and $500,000 in fines
for allegedly swindling Americans out of more than US $350,000 through
eBay scams. Mariyana Feliksova Lozanova allegedly advertised expensive
items on eBay and directed purchasers to wire funds through a phony
service called "eBay Secure Traders" in an attempt to lend her scheme
legitimacy. The victims never received the items or refunds. Lozanova
was apprehended in Budapest, Hungary on March 22 and indicted for
conspiracy to commit wire fraud and conspiracy to commit money
laundering. She allegedly used aliases to open bank accounts into which
the stolen funds were channeled; she has waived extradition.
http://www.theregister.co.uk/2007/03/27/ebay_fraud_arrest/print.html
March 24, 2007 - Missing Laptops Hold Health Care Data
Two missing laptop computers hold personally identifiable information
of approximately 31,000 Group Health Cooperative Health Care System
patients and employees in the Seattle area. Compromised data include
names, addresses, SSNs and Group Health ID numbers. The computers
disappeared in late February and early March of this year. Affected
individuals have been notified by mail.
http://www.komotv.com/news/6681342.html
March 23, 2007 - Stolen Hard Drives Hold Patient Data
Approximately 19,000 current and former patients of the Swedish Urology
Group in the Seattle area have been informed that their personal
information has been compromised. Three hard drives used to back up the
practice's data were stolen from a locked office on March 10; there were
no signs of forced entry, suggesting that the perpetrator may have had
a master key. The data go back as far as four years in some cases. The
drives contain physician and staff information as well as patient data.
http://www.komotv.com/news/consumer/6678947.html
http://seattlepi.nwsource.com/local/308897_swedish24.html
March 22, 2007 - Oracle Suing SAP for Intellectual Property Theft
Oracle has filed a lawsuit against SAP, alleging that employees of a
company subsidiary (SAP TomorrowNow) "copied and swept thousands of
Oracle products and other proprietary and confidential materials into
its own servers." The suit alleges the company used stolen login
credentials to purloin gigabytes of customer support software between
September 2006 and January 2007. Oracle discovered the theft while
investigating significant traffic spikes on its Customer Connect
servers. The suit could draw the attention of federal prosecutors,
leading to possible criminal action as well as the civil action brought
by Oracle. The lawsuit alleges that once in possession of the filched
software, SAP was able to offer cut-rate services to Oracle customers
and attempt to lure them away.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=198500150
March 21, 2007 - Man Pleads Guilty to Breaking Into eBay Accounts
An Australian man has pleaded guilty to breaking into 90 eBay accounts
and using them to steal AU $42,000 (US $34,000). Dov Tenenboim also
broke into email accounts and a bank. Tenenboim advertised non-existent
iPods through the hacked eBay accounts and pocketed the money from the
fraudulent sales. If he is convicted on all charges against him,
Tenenboim could face up to 11 years in jail and fines of AU $9,900 (US
$8,007). Tenenboim apparently guessed most of the eBay account
passwords.
http://www.theregister.co.uk/2007/03/21/ebay_hijack_plea/print.html
http://www.stuff.co.nz/stuff/3998080a11275.html
21 March 2007 - Half of Corporate Web Traffic Not Work Related
Nearly half of all web traffic coming from corporate networks is
non-productive, or non-work related, according to security firm
ScanSafe. Traffic includes requests for gambling, music, pornography
and webmail sites, despite the fact that web filtering blocks were up 8
percent compared with January, according to the firm. Dan Nadir, vice
president of product strategy at ScanSafe says that consequences of this
uncontrolled use of the web also include "exposure to legal liability,
disclosure of confidential information, breaches of compliance
requirements and unnecessary bandwidth consumption."
http://www.vnunet.com/vnunet/news/2185906/half-corporate-web-traffic-work
March 20 & 21, 2007 - Found Memory Stick Holds Scottish Council Employee Pay Data
A memory stick found near a bicycle shelter contains nearly 60 documents
from the Perth and Kinross (Scotland) Council. The data include pay
details of dozens of Council employees. The person who found the device
turned it in to a local newspaper. There is no evidence the loss of the
device was reported to police. The council is unhappy that the person
who found the device did not instead return the device directly to the
council.
http://icperthshire.icnetwork.co.uk/perthshireadvertiser/news/tm_headline=private-pay-details-found-in-street%26method=full%26objectid=18783033%26siteid=88886-name_page.html
http://www.theregister.co.uk/2007/03/21/perth_council_usb_loss/print.html
March 20, 2007 - Technician's Error Erases Disk and Back-Up For $38 Billion Fund
In July 2006, a technician's error wiped out data regarding a financial
account worth US $38 billion while the technician was reformatting a
disk drive at Alaska's Department of Revenue. The technician
accidentally reformatted the back-up drive, and when the organization
tried to recover the data from back-up tapes, they discovered that they
were unreadable. The deleted data were images of supporting
documentation Alaskan residents had submitted to demonstrate their
eligibility for payment from the Alaska Permanent Fund. It took
approximately two months to rescan the 300 boxes of documents. The
incident cost the state more than US $220,000.
http://www.cnn.com/2007/US/03/20/lost.data.ap/index.html
17 March 2007 - The Cost of Stolen Identities
Symantec's latest Internet Security Threat Report claims that the online
criminals are exchanging stolen full identities for between $14 and $18.
A full identity includes the victim's Social Security number, bank
account details including passwords and other personal information such
as date of birth and the victim's mother's maiden name. The main
victims of online identity theft appear to be US citizens with 86% of
the credit and debit cards advertised for sale on the online underground
issued by U.S. based banks. Elsewhere in the report Symantec claim to
have seen an 11% rise in the use of bot networks, with China accounting
for 26% of all bot networks. U.S. sites were also the victim of 52% of
all DOS attacks.
http://news.bbc.co.uk/2/hi/technology/6465833.stm
http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article1536335.ece
March 16, 2007 - Ohio School District Employees' Data on Stolen Computer
A laptop computer stolen from the vehicle of an Ohio state auditor's
office employee holds personally identifiable information of
approximately 2,000 current and former Springfield City Schools
employees. The employees have been notified of the data breach by mail.
The breach affects people who were considered permanent employees as of
June 2004, June 2005 and February 2006 and who received paychecks on
three different dates in 2003 and 2004. The employee has been
reprimanded for violating office policy by leaving equipment unattended
in a vehicle.
http://www.springfieldnewssun.com/hp/content/oh/story/news/local/2007/03/16/sns031707laptop.html
March 14, 2007 - Copiers' Hard Drives Retain Document Images
Some new models of copiers have hard drives that store images of what
has been copied. More often than not, the data are not encrypted and
stay there until overwritten by new data. A survey commissioned by
Sharp, one of the major copier makers, found that more than half of the
people planned to copy their tax returns and associated documents; most
intended to make those copies outside of their homes. About the same
number of people did not know that photocopiers keep images of what they
copy. Sharp and several other manufacturers offer security kits to
encrypt and overwrite scanned images.
http://www.kansas.com/mld/kansas/business/technology/16896436.htm
March 13, 2007 - BSA Takes Action Against Software Pirates in US and Europe
The Business Software Alliance (BSA) is taking legal action against five
alleged software pirates in the US, the UK, Germany and Austria. In
each of the cases, BSA was made aware of the alleged piracy through
consumer complaints. The BSA is making a concerted effort to fight
piracy on a global level.
http://www.itnews.com.au/print.aspx?CIID=75434&SIID=35
March 13, 2007 - Most Data Breaches Traced to Company Errors
A researcher from the University of Washington, Seattle says that
organizations are more often to blame for data security breaches than
outside intruders. Phil Howard looked at 550 data breaches that
received media coverage between 1980 and 2006. Approximately two-thirds
of the breaches could be traced to lost or stolen equipment and a
variety of management errors. Less than one-third of the breaches were
the work of outside attackers.
http://www.networkworld.com/news/2007/031307-data-breach-companies.html
March 12, 2007 - Contract Employee Stole and Sold Printing Company Customer Data
A contract employee at Dai Nippon Printing Company in Japan allegedly
stole approximately nine million pieces of customer data by copying the
information onto a variety of recording media. Affected clients include
the Toyota Motor Corp., American Home Assurance and Aeon Co. A
spokesperson for Dai Nippon is in negotiations with customers regarding
compensation. The data were stolen between May 2001 and March 2006. An
investigation was triggered when the employee allegedly sold 150,000
pieces of data to a criminal group. The investigation led to the
discovery that far more information was stolen than first believed. The
individual was arrested on February 20 and indicted on charges of theft
because the disk he used to copy the information did not belong to him.
Japan's personal information protection law does not provide for
penalties for stealing data. If the former contract worker had used his
own disk to copy the information, authorities would have had a harder
time filing any charges against him.
http://www.reuters.com/articlePrint?articleId=UST2997420070312
March 7, 2007 - Two-Thirds of Companies Lose Data Six Times a Year
Sixty-eight percent of companies surveyed by the IT Policy Compliance
Group said they experience data loss or theft six times a year; 20
percent say they lose data at least 22 times a year. Just 12 percent
of companies report losing data less than twice a year. The top reasons
the companies gave for data loss are user error, policy violations, and
Internet threats. The ways in which data were lost include lost devices,
email and other electronic communications, and software applications.
http://www.eweek.com/print_article2/0,1217,a=202593,00.asp
March 7, 2007 - Gartner Study Sees Sharp Rise in ID Theft and Associated Fraud
A Gartner study says that fraud arising from identity theft has risen
significantly since 2003. Extrapolation from gathered statistics
indicates that approximately 15 million Americans dealt with fraud
stemming from identity theft between the middle of 2005 and the middle
of 2006. Figures gathered by the Federal Trade Commission (FTC) in its
own survey estimated that number to be 9.9 million in 2003. Gartner
surveyed 5,000 US adults who use the Internet. Other findings include
an increase in the average amount of money lost to fraud from US $1,408
in 2005 to US $3,257 in 2006. The percentage of funds recovered dropped
over the same one-year period from 85 percent in 2005 to just 61 percent
in 2006.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9012483
March 7, 2007 - VA CIO Restricts Use of USB Drives
Veterans Affairs Department (VA) CIO Robert Howard has placed
restrictions on the use of thumb drives within the VA. Employees will
be permitted to use only those drives issued by the VA CIO's office, and
those devices will be limited to 1G or 2G of memory. Furthermore,
employees will need to apply for and demonstrate the need for thumb
drives before they are issued. This restriction is just one step Howard
plans to take to tighten data security at the beleaguered department.
He also plans to "eliminate unencrypted messages that travel on VA's
network" and is proposing to the Office of Management and Budget that the
five deputy CIOs at the VA be promoted to "secretaries for different
functions," such as information security and strategic planning.
http://www.gcn.com/online/vol1_no1/43266-1.html?topic=security
March 3, 2007 - Thief Stole Credit Card Numbers from Seed Site
A cyber thief broke into the web site of Johnny's Selected Seeds and
stole sensitive customer data, including credit card numbers; in all,
11,500 accounts were compromised. Approximately 20 of the stolen card
numbers have been used fraudulently. The site is now under 24-hour
monitoring to prevent a recurrence; other security measures have also
been implemented. Johnny's has notified all people whose account
information was stolen. The initial intrusion occurred on February 4,
2007. A company official said "criminals gained access to our internal
systems and gathered enough information to allow them to gain access to
our web site." The FBI is investigating.
http://kennebecjournal.mainetoday.com/news/local/3676190.html
March 2, 2007 - Stolen Metro State Computer Holds Student Data
A laptop computer stolen from a faculty member's office at Metropolitan
State College of Denver holds personally identifiable student
information. The compromised data include names and SSNs of students
who took courses from the professor from fall 1999 through fall 2002.
The professor may face disciplinary action as a policy established last
spring requires "all College reports or studies that access private
student information ... were to be approved through the President's
Office." In addition, Metro State is in the midst of a project that
requires all college-owned laptops to be submitted to the IT department
so the data they hold can be reviewed. The school is attempting to
notify all affected students by mail.
http://cbs4denver.com/consumer/local_story_061205155.html
March 1, 2007 - Missing Hard Disk Holds Student and Alumni Data
An external hard disk containing personally identifiable information of
approximately 8,800 students and graduates of Tokyo University of
Science was stolen on February 24. A professor had taken the device
home with him, but the bag it was in was stolen while he was on a train
home. The professor will face punishment.
http://mdn.mainichi-msn.co.jp/national/news/20070301p2a00m0na026000c.html
February 27, 2007 - Stolen Computers Raise Data Theft Fears in Northern Ireland
Fifty-five computers have been stolen from Northern Ireland civil
servants over a nine-year period. The value of the stolen equipment is
90,900 Euros (US $118,670). Northern Ireland Office spokesperson David
Lidington said "We need to know what information was there. ... We need
an assurance that personal information was not on these computers." A
Department of Finance and Personnel spokesperson said the computers did
not hold confidential information.
http://www.breakingnews.ie/print/?jp=CWSNSNIDOJID
21 February 2007 - DHS Still Has Long Road Ahead to Securing Data
According to a report from Department of Homeland Security (DHS)
inspector general (IG) Richard Skinner, the agency still has a long way
to go to implement security controls that will help protect sensitive
data and personally identifiable information. The report evaluated
DHS on its implementation of the Office of Management and Budget (OMB)
Memorandum 06-16, Protection of Sensitive Agency Information. DHS
has developed policies and has started to identify and "protect"
systems that hold sensitive information. However, the majority of
mobile devices, including laptop computers, have not been encrypted.
The IG has also expressed concern that DHS has not taken steps to
protect systems that can be used by remote users.
http://www.fcw.com/article97725-02-21-07-Web&printLayout
February 16, 2007 - Stolen Computers Hold Child Patient Data
Two laptop computers stolen from a locked vehicle in the parking lot of
Seton Highland Lakes Hospital near Austin, TX hold personally
identifiable information of approximately 2,500 juvenile patients
treated by the hospital's mobile medical unit. The data include names,
medical information and Social Security numbers (SSNs).
http://www.kxan.com/Global/story.asp?S=6100779&nav=0s3d
14 February 2007 - Stolen Computer Holds Kaiser Permanente Patient Information
A laptop computer stolen from a Kaiser Permanente Medical Center in
Oakland, California contains information of as many as 22,000 patients.
The organization is notifying those affected by the theft, which
occurred in November 2006. The data include some SSNs. A Kaiser
spokesperson said they are implementing new security policies that
include encrypting data on electronic devices and prohibiting the
storage of large amounts of patient data on any hard drive.
http://cbs5.com/consumer/local_story_045212622.html
14 February 2007 - Nationwide Building Society Fined Over Stolen Laptop
The UK's Financial Services Authority has fined the Nationwide Building
Society GBP 980,000 (US $1.92 million) for failing to "have adequate
information security procedures and controls in place." A laptop
computer stolen from an employee's home in August 2006 held confidential
information of nearly 11 million customers. The employee reported the
theft promptly, but neglected to tell the company what data were on the
computer until he returned from holiday three weeks later. Nationwide
has not said if the person is still in its employ or has been
disciplined. The company says the data do not include PINs, passwords
or account balance information. A company spokesperson said they have
taken measures "to ensure it doesn't happen again." Nationwide informed
all affected customers by letter; no customers have lost money.
http://news.bbc.co.uk/2/hi/business/6360715.stm
12 February 2007 - Report Indicates FBI Still has Problems with Lost Laptops
According to a report from the Justice Department inspector general's
office, the FBI has lost 160 laptops in less than four years. At least
10 of the computers held "highly sensitive classified information" and one
held "personal identifying information on FBI personnel." Seven of the
missing computers were assigned to counterintelligence and
counterterrorism divisions. A 2002 audit revealed 317 missing laptops
and 354 missing weapons over a 28-month period. The new report follows
up on the 2002 audit to track the FBI's progress in addressing the
problems that led to the missing laptops. The new report notes a
reduction in the rate of lost laptops, but the rate of stolen laptops
increased from 17 in a 28-month period to 44 in a 44-month period. "The
FBI could not determine ... whether the stolen or lost laptop computers
contained sensitive information or classified information."
http://www.washingtonpost.com/wp-dyn/content/article/2007/02/12/AR2007021200629_pf.html
7 February 2007 - Missing Backup Tapes Hold Johns Hopkins Employee and Patient Data
Nine computer backup tapes are missing from Johns Hopkins University and
Johns Hopkins Hospital. The tapes were supposed to be returned by a
contractor who performs data backups. The tapes hold payroll data,
including Social Security numbers (SSNs) and some bank account numbers
for 52,000 current and former Johns Hopkins employees, as well as less
sensitive data about 83,000 hospital patients. Officials say there is
no evidence that the tapes were stolen; it is likely they were delivered
to the wrong location or mistaken for trash and destroyed. The
university is notifying people affected by the data security breach by
letter and email.
http://www.wmdt.com/wires/displaystory.asp?id=58386284
http://www.washingtonpost.com/wp-dyn/content/article/2007/02/07/AR2007020701004_pf.html
7 February 2007 - Univ. of Nebraska-Lincoln Data Exposed
The SSNs of 72 University of Nebraska-Lincoln (UNL) students, faculty
and staff were inadvertently posted on the university's public web site;
the information had been accessible for more than two years when the
problem was discovered earlier this week. The university sent
notification letters to those affected by the data security breach. A
similar incident occurred at UNL less than a year ago. In March 2006,
the university discovered that the SSNs, email addresses and GPAs of
nearly 350 engineering students had been accidentally posted to the web.
The university periodically scans its web site for SSNs; the numbers
exposed in the latest incident were not caught because they did not
contain the usual two dashes that normally appear in the numbers.
http://www.omaha.com/index.php?u_page=1000&u_sid=2326625
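The UNL item above says the university's periodic scan missed SSNs that were written without the usual dashes. As an added example (not from the article or the university), here is a scanner that catches dashed, space-separated and bare nine-digit forms and drops values the SSA allocation rules make impossible; the page text it runs over is constructed sample data.

```python
import re
from dataclasses import dataclass

# Naive pattern of the kind the UNL item describes: only the dashed form,
# so "234567890" slips straight past it.
NAIVE_SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Broader pattern: dash, space, or no separator at all. The backreference
# \2 insists that both separators are the same, which keeps a 10-digit
# phone number like 555-123-4567 from being carved into a false hit.
SSN_RE = re.compile(r"\b(\d{3})([- ]?)(\d{2})\2(\d{4})\b")


@dataclass(frozen=True)
class Finding:
    line_no: int      # 1-based line in the scanned text
    raw: str          # the value exactly as it appeared
    normalized: str   # always AAA-GG-SSSS, for de-duplication and reporting


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. This trims false positives from bare digit runs."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def scan_naive(text: str) -> list[str]:
    """Dashed-only scan, shown for contrast with scan()."""
    return NAIVE_SSN_RE.findall(text)


def scan(text: str) -> list[Finding]:
    """Find every plausible SSN in text, whatever separator was used."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, group, serial = m.group(1), m.group(3), m.group(4)
            if not plausible_ssn(area, group, serial):
                continue
            findings.append(Finding(line_no, m.group(0), f"{area}-{group}-{serial}"))
    return findings


# Constructed sample of a web page a scanner might crawl; none of these
# values belong to a real person.
SAMPLE_PAGE = """\
Student roster (constructed sample, not real data)
Jane Doe 123-45-6789 jdoe@example.edu
John Roe 234567890 jroe@example.edu
Richard Miles 000-12-3456 (impossible area number)
Office phone 555-123-4567
Order id 123456789012
"""

if __name__ == "__main__":
    print("naive scan  :", scan_naive(SAMPLE_PAGE))
    for f in scan(SAMPLE_PAGE):
        print(f"line {f.line_no}: {f.raw!r} -> {f.normalized}")
```

The naive scan reports the dashed values only (including the impossible 000 one), while scan() picks up John Roe's undashed number and discards the 000 value, the phone number and the 12-digit order id.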
6 February 2007 - IMF Hard Drives Stolen in Azerbaijan
Police in Baku, Azerbaijan are investigating the apparent theft of four
computer hard drives from the office of the International Monetary Fund
in that city. The drives contain financial, personnel and research
files and "the fund's primary database of information for its
operations" in Azerbaijan.
http://www.abcmoney.co.uk/news/06200718804.htm
5 February 2007 - Computer Taken from State Auditor's Home
A laptop computer stolen from the Glens Falls home of a New York
Department of Labor unemployment auditor holds personally identifiable
information of more than 500 individuals employed by 13 businesses in
and around the Albany area. The state Department of Labor has sent
notification letters to people affected by the breach and is reviewing
its policies regarding employees taking work home.
http://poststar.com/articles/2007/02/06/news/doc45c8abf57b7ae609243186.txt
http://www.wnyt.com/x11919.xml?ag=x995&sb=x183
5 February 2007 - Coroner Allegedly Shared 911 Web Site Account Info with Journalists
The Pennsylvania Attorney General's Office has filed charges against
Lancaster County (PA) Coroner G. Gary Kirchner for allegedly providing
newspaper reporters with his password to the 911 system's confidential
web site. Five reporters from the Lancaster Intelligencer Journal gave
testimony before a grand jury after they were granted immunity from
prosecution. Investigators searched four computer hard drives in the
newspaper's newsroom and found that the 911 site was accessed with
Kirchner's username and password from newspaper offices 57 times.
http://www.phillyburbs.com/pb-dyn/news/103-02052007-1294444.html
2 February 2007 - Michigan Tax Preparer's Computer Stolen
A computer stolen from a tax preparer's office in Cassopolis, Michigan
holds tax records for 800 people. Evidence suggests that thieves broke
into the office in the early morning hours and took the computer,
leaving behind cash and checks. The tax preparer is offering a US
$5,000 reward to help catch the perpetrators. The information includes
SSNs and bank routing numbers. The tax preparer has clients from
Michigan, Indiana, Ohio, Virginia, Illinois and Washington.
http://www.wndu.com/news/headlines/5530966.html
2 February 2007 - Superbowl Sites Infected with Malware
At least two web sites that were likely to have been visited by football
fans in the days before the Superbowl have been discovered to contain
malicious code that can infect users' computers with keylogging and
Trojan horse programs. The malware exploits two known Windows
vulnerabilities; patches for these flaws were released in April 2006 and
January 2007. The Dolphin Stadium web site has reportedly been
cleansed.
Internet Storm Center: http://isc.sans.org/diary.html?storyid=2151
http://www.theregister.co.uk/2007/02/05/superbowl_trojan/print.html
2 February 2007 - Duracell Employee Pleads Guilty to Stealing Trade Secrets
Former Duracell employee Edward Grande has pleaded guilty to one count
of stealing trade secrets. According to court documents and records,
Grande downloaded research about Duracell AA batteries to his computer;
he then sent the information to two rival companies. Both companies
reportedly sent the information back to Duracell; neither had solicited
the information from Grande. When he is sentenced, Grande could face
up to 10 years in prison and a fine of as much as US $250,000.
http://www.washingtonpost.com/wp-dyn/content/article/2007/02/02/AR2007020200906_pf.html
2 February 2007 - Missing Hard Drive Holds 48,000 Veterans' Data
The Department of Veterans Affairs (VA) and the FBI are investigating
the disappearance of a portable hard drive from the VA medical center
in Birmingham, Alabama. The drive was reported missing on January 22,
2007; it is believed to hold research project information as well as
personally identifiable information of as many as 48,000 veterans. Some
of the data were encrypted. "Pending results of the investigation, the
VA is planning to send individual notifications and to provide a year
of free credit monitoring" to those affected. The drive was used to
back up data from an employee's office computer. The VA Office of the
Inspector General has taken the employee's work computer and is
analyzing its contents.
Internet Storm Center: http://isc.sans.org/diary.html?storyid=2169
http://www.signonsandiego.com/news/nation/20070202-2112-securitybreach.html
1 February 2007 - Data Security Breach Exposes Workers' Comp Info. in Mass.
The Massachusetts Department of Industrial Accidents (DIA) has
acknowledged a data security breach that exposed personally identifiable
information, including Social Security numbers (SSNs), of as many as
1,200 individuals who had submitted workers' compensation claims. A
former contractor allegedly accessed the database with the intent of
stealing the information; the worker was fired and charged with identity
fraud. Three people have reported that their information was misused.
DIA has sent notification letters to the people whose data were
compromised.
http://www.boston.com/business/ticker/2007/02/workers_comp_da.html
1 February 2007 - MySpace Worm Creator Sentenced
The man believed to be responsible for a worm attack on MySpace.com in
October 2005 has pleaded guilty to a felony charge for his actions.
Samy Kamkar was sentenced to three years of probation and 90 days of
community service for "what is believed to be the first self-propagating
cross-site scripting worm." Kamkar used Asynchronous JavaScript and
XML (AJAX) to carry out his attack. Kamkar must also pay restitution
to MySpace and is prohibited from using the Internet for an unspecified
length of time.
http://www.theinquirer.net/default.aspx?article=37422
1 February 2007 - Vermont Human Svcs. Dept. Computer Attack Exposes Info. of 70,000 Citizens
A computer at Vermont's Human Services Department suffered an automated
attack that could place about 70,000 state residents at risk for
identity fraud. The state will notify affected people by letter. The
computer was taken out of commission in December 2006 when workers
discovered malware on the machine. The computer was supposed to contain
information about people who owed back child-support payments. However,
just 12,000 of the individuals affected by the breach fit that criterion;
the remaining 58,800 are members of the New England Federal Credit
Union. The credit union normally provides the state with information
about people who owe payments, but on two occasions, the state received
information on nearly the entire credit union's membership. A patch for
the flaw that was exploited in the attack had been downloaded but not
installed.
http://www.wcax.com/Global/story.asp?S=6006557&nav=4QcS
1 February 2007 - Man Arrested for Software Piracy
A California man has been arrested for allegedly making and selling
counterfeit software. Since 2000, Gad Zamir allegedly netted US
$750,000 selling pirated copies of Microsoft and Adobe software online
at prices far below retail cost.
http://www.theregister.com/2007/02/01/counterfeit_arrest/print.html
31 January 2007 - Companies Held Responsible for How Their Ads are Delivered
Priceline.com, Travelocity.com and Cingular Wireless have agreed to pay
fines of between US $30,000 and US $35,000 each for advertising through
illegal adware. All three companies had bought advertisements on
DirectRevenue, which has been the target of a lawsuit for "fraudulent
software installations and serving illegal pop-up ads." The three
companies that purchased the ads paid the fines to settle a separate
lawsuit brought by New York Attorney General Andrew Cuomo. The
settlement sets a precedent for holding companies liable "when their ads
end up on consumers' computers without full notice and consent," said
Cuomo. In the past, companies have claimed ignorance because the
advertising had been outsourced.
http://www.vnunet.com/vnunet/news/2173818/adware-funders-fined-supporting
30 January 2007 - TJX in Violation of Payment Card Industry Data Security Standard
TJX Companies was storing customer credit card information in violation
of the Payment Card Industry Data Security Standard. As a result, the
data thieves were able to obtain Track 2 card information, which
includes the card number, expiration date and card verification value.
Some of the data stored on the TJX system dates back to 2003. The theft
affects millions of cardholders. TJX owns a number of store chains,
including TJ Maxx, Marshalls and HomeGoods.
http://www.informationweek.com/news/showArticle.jhtml;jsessionid?articleID=197001447
29 January 2007 - Notre Dame Security Breach Includes Old Graduate Test Data
Simson Garfinkel recently received a letter from Notre Dame University's
Mendoza College of Business informing him that personally identifiable
information, including his Social Security number (SSN), was
inadvertently made available on the Internet. Garfinkel has no
affiliation with the University of Notre Dame; when he took a battery
of graduate school admission exams six years ago, he checked boxes
allowing his information to be sent to the school for recruitment
purposes. Apparently the information had been on a "decommissioned"
computer that was later turned on and connected to the Internet. The
files on the computer were made available through a file-sharing
program. Notre Dame said log files indicate there was no other access
beside the individual who discovered his or her information. Garfinkel
thinks Google also accessed the information.
http://www.technologyreview.com/printer_friendly_blogPost.aspx?id=17512
22 January 2007 - Sophos Security Report 2007 reveals growth in web threats and Trojans
The Sophos Security Threat Report 2007 examines in detail the top ten
malware threats of the last year, and also confirms that malware
authors are continuing to turn their backs on large-scale attacks in
favor of more focused strikes against computer users. If you are
responsible for network security at your business you cannot afford
not to find out more and download this detailed report.
http://s636.link.sophos.com/secrep2007?pl_id=9
19 January 2007 - Storm Trojan spam hits email inboxes
Email users are being bombarded by a widespread spam campaign with a
sting in its tail. Since Friday hackers have used disguises such as
breaking news stories (about European storms, Chinese missiles and
Saddam Hussein) as well as messages of love in their attempt to lure
unwary users into clicking on the attachments.
http://s636.link.sophos.com/storm?pl_id=9
http://s636.link.sophos.com/stormreturns?pl_id=9
19 January 2007 - Phishers: Click here, or eBay shuts down
Hackers are claiming the ultra-popular auction site eBay will shut down next month in their latest attempt to extract personal information from web users.
http://haymarket.ec-messenger.com/re?l=evub0cIfvlxf5Ic
18 January 2007 - T.J. Maxx, Marshalls parent company hacked, unknown amount of customer credit card information stolen
A major clothing retailer announced Wednesday that hackers accessed its network and stole an unknown amount of credit card information.
http://haymarket.ec-messenger.com/re?l=evub0cIfvlxf5Ih
18 January 2007 - MySpace Sued After Assaults
Four families have filed lawsuits against News Corp. and MySpace after
their 14- and 15-year-old daughters were sexually assaulted by predators
they met on the social networking site. The suits allege negligence,
recklessness, fraud and negligent misrepresentation. MySpace has
responded to concerns about predators by bolstering education and
establishing partnerships with law enforcement. MySpace has also
restricted adults' communication with minors and plans to release a tool
that will allow parents to view certain aspects of their children's
MySpace profiles. A similar suit was filed last June.
http://www.washingtonpost.com/wp-dyn/content/article/2007/01/18/AR2007011800670_pf.html
http://www.informationweek.com/showArticle.jhtml?articleID=196901881&cid=RSSfeed_TechWeb
18 January 2007 - Missing Backup File Holds Information of 500,000 Investors
A backup computer file in transit between offices of CIBC Asset
Management is missing. The file contained personally identifiable
information of nearly 500,000 Talvest Mutual Funds clients. The data
include names, addresses, dates of birth, bank account numbers and
Social Insurance Numbers. Affected clients are being notified by
letter. Canada's privacy commissioner Jennifer Stoddart is launching
an investigation. http://www.cbc.ca/canada/story/2007/01/18/cibc.html
18 January 2007 - Thirty Computers Stolen from Closed Infirmary
Thirty computers were stolen from a storeroom at the shuttered Lymington
Infirmary in Hampshire, UK earlier this month. It is not believed the
computers hold medical records, but could possibly contain the names and
addresses of patients and hospital employees. Administrators are
conducting an audit to determine exactly what information the computers
hold. Hospital staff received a memo in September 2006 and again in
December 2006 telling them not to store patient records on PCs. The
theft occurred before the computers could be checked for compliance with
the guidance.
http://www.theregister.co.uk/2007/01/18/hospital_pc_theft_fear/print.html
17 January 2007 - California phisher faces century in jail for targeting AOL users
A California man has been convicted of violating the CAN-SPAM Act of 2003 for mass-emailing AOL users and requesting credit card information.
http://haymarket.ec-messenger.com/re?l=evub0cIfvlxf5Il
17 January 2007 - Stolen Water District Computers Hold Customer Credit Card Information
Two computers stolen from the offices of the Rincon del Diablo Municipal
Water District in southern California hold the names and credit card
information of approximately 500 water district customers. People whose
data were compromised were notified of the situation by phone; all water
district customers will receive a letter describing the breach some time
this week. The water district said it is working to encrypt the data
on its computers and is installing fences around the building.
http://www.signonsandiego.com/news/northcounty/20070117-9999-1mi17rincon.html
17 January 2007 - US Nets First Conviction Under Can-Spam Act
Jeffrey Brett Goodin has become the first person to be convicted under
the US Can-Spam Act. Goodin ran a phishing scam that duped AOL users
into divulging credit card information; he was found guilty on charges
of wire fraud, unauthorized use of credit cards, misuse of the AOL
trademark and attempted witness harassment. Goodin's sentencing is
scheduled for June 11; he could receive a prison sentence of up to 101
years.
http://www.zdnet.co.uk/misc/print/0,1000000169,39285508-39001093c,00.htm
16 January 2007 - Keystroke Loggers and Phishing Attacks on the Rise
A white paper from McAfee noted a 250 percent growth in keystroke
logging malware between January 2004 and May 2006. Over that same time
period, the Anti-Phishing Working group observed a 100 percent increase
in phishing attacks. The UK's Home Office places losses from identity
theft at 1.63 billion GBP (US$3.2 billion) over the last three years.
The paper also offers tips for protecting sensitive data.
http://www.vnunet.com/computing/news/2172647/id-fraud-taking-toll
16 January 2007 - Computers Stolen from Univ. of New Mexico Hold Faculty Info.
Three computers stolen from the office of the associate provost of
University of New Mexico (UNM) earlier this month could hold the names
and Social Security numbers (SSNs) of the university's faculty members.
The associate provost's office had recently moved from one location to
another and could not say if everything was accounted for as not all
equipment was set up. Faculty members received email messages on
January 9 alerting them to the theft and the possible compromise of
their personal information.
http://www.dailylobo.com/home/index.cfm?event=displayArticle&uStory_id=abad7ee1-3707-450e-acd5-0e7ed80b86b6
16 January 2007 - Substitute Teacher Convicted After Students See Racy Pop-Ups
A substitute teacher has been convicted of endangering students when
they saw pornographic pop-up advertisements on her computer. A forensic
expert testified that spyware surreptitiously installed on the computer
while visiting a seemingly innocuous site was responsible for the
barrage of pop-ups. Prosecutors question why the teacher did not simply
cut off power to the machine once the offensive content appeared.
Sentencing is scheduled for early March; the teacher could face up to
40 years in prison. http://www.securityfocus.com/brief/408
13 January 2007 - North Carolina Department of Revenue PCs Stolen
The North Carolina Department of Revenue has sent letters to 30,000
taxpayers notifying them that their personal information was held on a
laptop computer stolen from a NC Dept. of Revenue employee's car. The
data include Social Security numbers (SSNs); law enforcement officials
are investigating the theft.
http://www.charlotte.com/mld/charlotte/16451423.htm
11 January 2007 - University of Idaho Advancement Services Office PCs Stolen
Three laptop computers missing from the University of Idaho's
Advancement Services Office hold personally identifiable information of
more than 331,000 alumni, students, employees and donors. The apparent
theft took place over the Thanksgiving weekend.
http://www.ktvb.com/news/localnews/stories/ktvbn-jan1107-stolen_data.2df71504.html
11 January 2007 - Malware Purveyors Prey on Users' Morbid Curiosity
Not surprisingly, people's fascination with the macabre is being
exploited to spread malware. There are reports of email messages
claiming to offer footage of Saddam Hussein's execution; when users
click on the provided link, they are directed to a site that tries to
download a Trojan horse program. Similar emails have been detected that
use attachments rather than links within the body of the message.
Several different pieces of malware that try to download keystroke
loggers have been detected accompanying messages about the execution.
http://www.vnunet.com/vnunet/news/2172307/saddam-videos-hiding-trojan
11 January 2007 - Chinese Court Cracking Down on Copyright Violators
Luo Zhiguo admitted in a Shanghai court that he profited from illegally
operating an on-line game at prices considerably below those of the
legitimate version. Luo and two accomplices allegedly copied Mir 3 and
made it available for 300 yuan (US$38.50) for permanent access.
Authorized accounts could cost players that much in just one month,
depending on the amount of time they play. "Luo said he was not aware
that they were committing a crime because a lot of other people were
also doing the same." One of Luo's accomplices, You Tangcun, was
arrested in May and sentenced to three years house arrest. The other
accomplice, Ye Weilong, turned himself in last spring "but fled while
on bail." The scheme was discovered when an investigation was launched
in response to complaints from the game's authorized operator that they
were losing millions of yuan every month because of the illegal
activity.
http://news.xinhuanet.com/english/2007-01/11/content_5592977.htm
11 January 2007 - Corporate Security Hole: Employees Forwarding eMail to Personal Accounts
Employees forwarding their work email to "web-accessible personal
accounts" is a growing problem. When away from the corporate network,
accessing email from these accounts is usually faster and easier than
going through the corporate remote email solution. However, because
email sent from these services does not "pass through the corporate
mail system, companies could run afoul of federal laws that require
them to archive corporate email and turn it over during litigation."
Atlanta's DeKalb Medical Center began using systems to monitor outbound
email after it became aware of the growing problem of "doctors and
nurses routinely forward[ing] confidential medical records to their
personal Web mail accounts."
http://www.nytimes.com/2007/01/11/technology/11email.html
10 January 2007 - Arrest Made in Towers Perrin Laptop Theft
Towers Perrin has issued a statement saying that "a junior level
administrative employee" has been arrested in connection with the theft
of laptop computers from the New York City-based pension company. The
computers hold personally identifiable information belonging to current
and retired United Technologies Corporation (UTC) employees and current
and former Altria employees. UTC is based in Hartford, CT; Altria is
the parent company of Philip Morris USA.
http://www.wfsb.com/money/10716528/detail.html?taf=hart
8 January 2007 - Phishers Target UK Taxpayers
Phishers have targeted UK taxpayers, sending phony email messages that
appear to come from HM Revenue and Customs claiming the recipients are
entitled to a GBP70 (US$136) refund. The email includes a link to what
is supposed to be a form to fill out to get the refund. In a separate
story, the US Computer Emergency Response Team (US-CERT) has warned that
phishers are targeting US taxpayers.
http://www.theregister.co.uk/2007/01/08/hm_revenue_phish/print.html
5 January 2007 - Teen Faces Fine, Jail Time for Allegedly Running File Sharing Site
A 16-year-old Norwegian boy who allegedly ran a file-sharing hub could
face up to 60 days in jail and a fine of NOK4,000 (US$630). The teen
allegedly used the Direct Connect P2P file sharing program to help make
more than 150,000 songs, 7,000 movies and 20,000 video clips available
for free downloading. His parents could also face a substantial fine
to compensate those in the music and film industries for lost revenue.
http://www.theregister.co.uk/2007/01/05/norwegian_filesharer_charged/print.html
4 January 2007 - Intruder Used Univ. of Northern Iowa Server to Store Music Files
In December, officials of the University of Northern Iowa (UNI)
discovered that someone had broken into a server that holds information
related to the school's Wellness Recreation Center. The intruder used
the server to store music files. The data on the server includes names,
addresses and phone numbers belonging to students, faculty and employees
who have used the center. UNI uses randomly generated ID codes rather
than Social Security numbers (SSNs) as unique identifiers.
http://chronicle.com/wiredcampus/index.php?id=1790
http://www.radioiowa.com/gestalt/go.cfm?objectid=BFFAFCD4-41C8-474C-9A44B4316BB5C517&dbtranslator=local.cfm
3 January 2007 - Hard Drive Target Of Office Break-In At A Medical Office
A computer hard drive was stolen from a medical office in Somerset,
Pennsylvania. Whoever broke into the office took just the hard drive,
leading some to suspect that the thief was after the information on the
storage device. The doctor's office did not provide details about what
information the drive may contain.
http://www.tribune-democrat.com/local/local_story_003233725.html
3 January 2007 - SC High School Experiences Third Computer Theft
A laptop computer was stolen from a guidance counselor's office at the
Academic Magnet High School in North Charleston, South Carolina over the
school holiday. The computer holds personally identifiable information
of approximately 500 students. School officials have been trying to
reassure concerned parents and students by telling them the information
is password-protected and encrypted. This is the third computer theft
at the school this academic year. The other thefts - three monitors
and two laptops from the school's media center and another laptop from
the same guidance counselor's office - occurred in November 2006.
Police are investigating.
http://www.wcbd.com/midatlantic/cbd/news.PrintView.-content-articles-CBD-2007-01-03-0015.html
2 January 2007 - New Year's Worm Spreads Warezov Trojan Variant
A worm purporting to be New Year's greetings is spreading a variant of
the Warezov Trojan horse program; the worm appears to be spreading
rapidly across the Internet. The email arrives with an attachment named
postcard.exe or postcard.zip; if Windows users open the attachment,
their computers can become infected. Once a machine is infected, it
starts sending spam to other computers to spread the worm.
Internet Storm Center Notes: http://isc.sans.org/diary.php?storyid=1987