Recently in Security Breaches Category

ChoicePoint Inc. will pay federal regulators $275,000 for a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identity theft, the Federal Trade Commission reported.

In April 2008, ChoicePoint turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off, according to the FTC. During that period, an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers. The searches continued for 30 days.

The FTC’s prior action against ChoicePoint involved a data breach in 2005, which compromised the personal information of more than 163,000 consumers and resulted in at least 800 cases of identity theft. The settlement and resulting 2006 court order in that case required the company to pay $10 million in civil penalties and $5 million in consumer redress.

Heartland Payment Systems has disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants.

Heartland's president and CFO said in a USA TODAY interview that the intruders had access to Heartland's system for "longer than weeks" in late 2008. The number of victims is unknown. "We just don't have the information right now," Baldwin said.

Tech security experts said the breach could set a record. Retail giant TJX lost 94 million customer records to hackers in 2007. With more than 100 million transactions per month, they could discover that several months' worth of transactions were captured, says Michael Maloof, chief technology officer at TriGeo Network Security.

Heartland processes card payments for restaurants, retailers and other merchants. It discovered the hack last week after Visa and MasterCard notified it of suspicious transactions stemming from accounts linked to its systems. Investigators then found the data-stealing program planted by the thieves.

Stanford University notified tens of thousands of past and current employees that their personal information and identities are at risk because of a single stolen laptop that contained that information. The laptop was not encrypted.

A Stanford spokesman said that the stolen laptop contained personal information, including birth dates, Social Security numbers, and home addresses, of people hired by the university before September 28th, 2007. According to the university, this could be as many as 72,000 individuals.

Stanford has become the latest in a series of organizations, from Wells Fargo Bank to the US Department of Veterans Affairs, to suffer a public relations nightmare because of a security breach from a single stolen laptop. The sad fact here is that as the trustee of the personal information given to it, Stanford University has failed tens of thousands of people and put their financial identity at risk of being abused.

An Administaff company laptop containing the personal information of 159,000 employees was stolen from a company employee's car while the employee was shopping for groceries on October 3rd, 2007.

The information on the laptop contained the names, addresses, and social security numbers of current and former employees. The information was not encrypted.

The company has notified all affected persons and has offered one year of free credit-monitoring service. Credit monitoring services, such as LifeLock.com, monitor a person's credit file with the three credit bureaus and alert people when there is potentially fraudulent activity.

In Washington state, a burglar stole a laptop containing the personal information of 1,400 current and former employees of the King County Transportation Department.

The information contained the names, addresses, and social security numbers of current and former employees.


The laptop belongs to a human resources employee who regularly brings the laptop from one job site to another. The laptop was password protected, but the data was not encrypted. The victims were part of the department’s Roads, Airport and Fleet divisions.

The University of Texas said it works hard to notify students about how to avoid identity theft, but the school put some of its own at risk.

Personal information, including Social Security numbers, of 22 current and former students was posted and accessible on a university FTP site in late September.

All the students impacted were enrolled in a petroleum and geosystems class during the summers of 2001 and 2002.

The university took the files offline within hours after being notified by SSNBreach.org, but not before 22 students' Social Security numbers were exposed.

The university said there is an ongoing effort to stop using Social Security numbers except where they are needed.

The University of Iowa is warning 184 students and graduates that grade information and Social Security numbers were on a laptop stolen from a former teaching assistant. The laptop was stolen in September from the home of a former teaching assistant.

The laptop contains class records, including attendance, test scores and grades of 184 students who took graduate courses between 2002 and 2006. The Social Security numbers of 100 students are also on the laptop.

The Philosophy department chairman is mailing letters to affected students and accepting phone calls from those who are concerned about the incident.

In Massachusetts the Divisions of Professional Licensure and Health Professions Licensure sent out information to marketing firms and other businesses containing the personal data, including Social Security numbers, of 450,000 licensed professionals.

The Division of Professional Licensure notified both the secretary of state and the office of the attorney general about the breach, and has begun notifying all affected individuals.

Affected individuals include engineers, nursing home administrators, certified public accountants and other professionals.

Individuals who feel they may have been affected can contact the Division of Professional Licensure.

In an apparent administrative error, the personal information of more than 600 Queens University students was emailed to other students. Queens University is located in Charlotte, North Carolina.

The information contained names, addresses, student IDs and social security numbers of the affected students.

University administrators have notified affected students by email, U.S. mail, and phone. Additionally, the university has contracted with a fraud and credit monitoring service for the next 12 months. Students will receive email alerts on changes to credit reports and insurance against identity theft.

In a letter to the New Hampshire Attorney General, Voxant revealed that one of its ecommerce servers was compromised by what appeared to be a phishing scheme. The hackers had the ability to access encrypted credit card information along with the encryption key. As a result, Voxant is sending 4,500 customers letters notifying them of the breach and advising them to change their credit card numbers.

The point of contact regarding this incident is:

Roylene Julesza
Director, Syndication
1851 Alexander Bell Drive
Reston, VA 20191

Source: Letter to the New Hampshire attorney general, Aug. 31.