UNC Charlotte: 350,000 SSNs Exposed in Decade-long Data Breach
Posted on 14 May 2012
Two issues exposed financial data and Social Security numbers for 350,000 people, although it is thought the information has not been abused, the University of North Carolina at Charlotte said.
The university said in a statement earlier this week that it has fixed both problems, one of which lasted three months and the other more than a decade.
It blamed a system misconfiguration and incorrect access settings for the exposures, which also involved names and addresses of people who had done transactions with the university.
“The university has no reason to believe that any information from either of these incidents was inappropriately accessed or that information was used for identity theft or other crime,” it said.
The problems were discovered by university staff. State and federal regulatory and law enforcement agencies have been contacted, the university said. It encouraged people who are concerned to place a free fraud alert with the major credit rating agencies and report fraudulent activity to the police and the university.
Source: PC World
Hackers target Twitter spammers in massive account data breach
Posted on 11 May 2012
Summary: A massive breach has led to more than 55,000 Twitter accounts being published on the Web. But it appears the hackers may have targeted spammers over ordinary users.
Account details seemingly belonging to spammers were uploaded to Pastebin, a code-sharing site often used by hackers to post the results of their hacking escapades.
The accounts were published across five separate Pastebin pages. Legitimate users who are on the list are advised to change their passwords immediately.
A Twitter spokesperson said the company was looking into the situation. “We have pushed out password resets to accounts that may have been affected,” they added.
“We’ve discovered that the list of alleged accounts and passwords found on Pastebin consists of more than 20,000 duplicates, many spam accounts that have already been suspended and many login credentials that do not appear to be linked — that is, the password and username are not actually associated with each other.”
Many of the accounts however appear to be associated with ‘bot’ users, such as those representing machines which tweet based on keyword recognition or otherwise.
One user on Y Combinator’s Hacker News noted that many of the accounts when logged in requested an email confirmation, suggesting the accounts may not in fact belong to human users.
Many were suspended or only had a small number of followers, the user said.
“All their bios sound like bot-generated text, they all have suspiciously similar passwords that look auto-generated, and none of them seem to have much to say.”
Speculation has already erupted as to the source of the breach.
At this stage, the finger is unlikely to point at Twitter itself. Given the number of ‘spam’ accounts listed in the breach, it would not come as a massive surprise to learn that a third-party breach led to the disclosure.
Twitter has become a short-message haven to all but every kind of person from all walks of life, from politicians to journalists, news wires and celebrities.
But it has also become a haven for spammers and bots that retweet and generate malicious links to tempt ordinary users into downloading malware. Twitter regularly shuts down spambots and fake accounts, but many ordinary users still notice spam on a daily basis.
The site recently said it would take spammers to court, claiming “bad actors who build tools designed to distribute spam on Twitter” make it easier for others to “engage in this annoying and potentially malicious activity.”
Some suggest that these bot accounts are used to boost the popularity and follower share of other users, leading to suggestions there could be a ‘black market’ type situation outside the site’s control.
One user explained: “Automatically generated accounts, profiles, and tweets. These accounts are used for services that provide paid followers and retweets. It’s actually pretty interesting stuff if you look at the automatically generated ‘Twitter Ipsum’ that is their profile descriptions and how they randomly pick quotes from famous people to tweet.”
How Twitter will respond to this will be interesting.
It can denounce the leak — despite the high chances of the data breach not coming from Twitter itself — or it can actively do something about the persistent spam issue.
Either way, Twitter has to acknowledge that while the vast majority of its 140 million users are legitimate, the site still has a large proportion of fake accounts and those that tweet vast amounts of spam to its users.
Source: ZDNet
Kingston Council faces privacy breach claim
Posted on 9 May 2012
Kingston Council could be faced with fines of thousands of pounds if an investigation finds it has breached data protection laws.
The Information Commissioner’s Office (ICO) is set to investigate after more than 100 rent statements were posted to the wrong addresses in Chessington.
Residents in Charles Lesser House, Hereford Way, were shocked to find their two-page rent statements contained one sheet of their own information and a second page with somebody else’s personal data.
The council has apologised for the blunder and vowed to carry out a review of its mailing system, but many residents were outraged that their privacy had been compromised.
The data included details of housing benefits entitlements and other benefits, the name of the bank each tenant used, their rent account number and any supporting people’s transfer details.
The head of Charles Lesser House Residents’ Association, Keith Dickinson, 62, said: “It seems a total breach of confidentiality between the royal borough of Kingston and their clients.
“I am more than a bit disappointed – we have been let down. This is a sheltered housing group and we have a lot of vulnerable people living here. This was an invasion of privacy.”
Retired Mohammed Mohammed, 68, who has lived in Charles Lesser House for three years, said: “I feel bad because I have got nothing to hide in my statement but someone else could have money troubles – they would not want their neighbours to know. Now everyone knows.”
Kingston Council issues 7,000 rent statements to tenants on a quarterly basis.
The latest rent statements were affected by a problem with the council’s mailing machine that resulted in an error.
A spokesman for Kingston Council said: “This is an isolated problem affecting less than 2 per cent of the statements sent out.
“It is also important to note that no bank account information, national insurance or anything that could compromise the safety of tenants or be used to commit fraud are included in the rent statement.
“The council regrets any inconvenience this error caused and we are reviewing our quality control arrangements for mass mailing.
“We will also be re-issuing the statements to those affected along with an apology.”
In the mix-up, which was predominantly in Chessington, a rent statement from Ewell Road in Surbiton also ended up with a Charles Lesser House tenant.
An ICO spokesman said organisations must make sure that appropriate technical and organisational measures are taken to prevent unauthorised or unlawful processing of personal data.
If organisations were found to have seriously breached the rules a fine of up to £500,000 could be imposed.
The spokesman said: “We will be making inquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.”
Source: Your Local Guardian
Mastercard drops Global Payments from PCI approved vendors list
Posted on 8 May 2012
Credit card company follows Visa’s lead by axing support for Global Payments over data breach.
Mastercard has become the latest credit card company to drop payment processor Global Payments from its list of approved service providers, following its data breach earlier this year.
As reported by IT Pro, Global Payments confirmed last month that up to 1.5 million credit card numbers had been stolen following a security attack on its systems in North America.
Global Payments is responsible for processing payments for several credit card companies, including Visa, Mastercard and American Express.
The breach prompted Visa to remove the firm from its list of Payment Card Industry Data Security Standard (PCI DSS) compliant vendors, and now its rival Mastercard has followed suit.
Mastercard confirmed the move in a statement to the Wall Street Journal.
“As a result of the preliminary investigation findings regarding the [Global Payments] breach, MasterCard has removed Global Payments from our list of PCI compliant service providers,” the statement said.
Earlier this week, Global Payments issued an update about the breach, stating that “some card brands” had withdrawn its PCI DSS compliant status.
“They have requested we re-validate our PCI status, which we will do following our current investigation,” the statement said. “We anticipate that we will be reinstated to those lists.”
The Wall Street Journal has also reported that many more card details may have been compromised than first thought.
Quoting sources familiar with the situation, it is claimed that up to seven million credit cards could have been affected by the breach.
Global Payments declined to comment on the claims, except to state that it was still investigating the cause of the breach.
“In any matter of this nature, the card brands cast a wide net to protect consumers and we supply as much information as possible to assist in the course of the investigation,” said the company in a statement.
Source: IT Pro
NHS could face more data breach fines soon, warns ICO
Posted on 8 May 2012
The Information Commissioner’s Office is “looking at” imposing more fines on the NHS in the near future for serious breaches of the Data Protection Act, it has been confirmed, with individual penalties expected to reach anywhere up to £500,000.
The Aneurin Bevan Health Board became the first NHS body to be fined by the ICO yesterday, receiving a £70,000 penalty after it sent sensitive medical information to the wrong patient – something the regulator said was the result of poor practices, a lack of training, and which risked “extreme distress” for those involved.
But it has now emerged that at least three more fines could be on the way for the NHS.
Speaking to BBC Radio Wales, David Smith, the deputy information commissioner and director for data protection at the ICO, said that of “the next six or so we are looking at, at least half of those are health bodies”.
“So I think there will be others close behind,” he said. “Health bodies which we trust with our most sensitive information must look after it safely and properly.”
Speaking to Publicservice.co.uk, a spokesman for the ICO said it was not currently possible to confirm any further details of future monetary penalties at this point. But the regulator does have the power to issue fines of up to £500,000.
To date the majority of data breach fines have been issued to local councils. But the regulator has complained for some time about problems within the health service, where a significant number of data breaches have been recorded.
Information Commissioner Christopher Graham has warned of a “systemic problem” in the health service, with repeated incidents of sensitive personal data being lost or put at risk.
Source: Public Service
Health board fined for data breach
Posted on 3 May 2012
A Welsh health board has become the first NHS organisation to be fined following a “serious breach” of the Data Protection Act, the Information Commissioner’s Office (ICO) has said.
The privacy watchdog confirmed the Aneurin Bevan Health Board (ABHB) has been issued with a penalty of £70,000 after a sensitive report – containing details relating to a patient’s health – was sent to the wrong person.
ICO officials said the error occurred when a consultant emailed a letter to a secretary for formatting, but did not include enough information for the secretary to identify the correct patient.
They added that a doctor also mis-spelt the name of the patient at one point, which led to the report being sent to a former patient with a very similar name in March last year.
An ICO investigation later found that neither member of staff had received data protection training and the organisation did not have “adequate checks” in place to ensure personal information was sent to the correct person.
These “poor practices” were also used by other clinical and secretarial staff across the organisation, which is named after the founder of the NHS, Welsh politician Aneurin Bevan.
Stephen Eckersley, the ICO’s head of enforcement, stressed it was vital that NHS organisations had adequate data protection practices: “The health service holds some of the most sensitive information available. This case could have been extremely distressing to the individual and their family and may have been prevented if the information had been checked prior to it being sent.”
Following the investigation, a spokesman said the ICO was pleased the ABHB was “committed to taking action” to address the problems highlighted by the report.
But Nick Pickles, director of privacy and civil liberties campaign group Big Brother Watch, said ABHB’s mistake was not an “isolated one” within the NHS and called for changes to the way data breaches are investigated.
He added: “The NHS needs to get a grip on data protection urgently before patients lose faith in the system and begin to withhold important information from doctors out of fear it may be lost or used inappropriately.”
Source: UKPA C/O Google
Aneurin Bevan Health Board fined £70,000 for data breach
Posted on 2 May 2012
A Welsh health board has become the first NHS body to be fined for breaching the Data Protection Act after it released sensitive data about a patient to the wrong person.
Aneurin Bevan Health Board (ABHB) will have to pay a £70,000 penalty.
A doctor misspelt a name and did not give enough detail about a patient to his secretary, meaning a report was sent to someone with a similar name.
The board has apologised to the patient concerned.
The Information Commissioner’s Office (ICO) said the report contained explicit details relating to the patient’s health and represented a serious breach of the Data Protection Act.
The error occurred when the patient’s consultant emailed a letter to a secretary but did not provide enough information for the secretary to be able to identify the correct person.
The mistake was compounded by the doctor misspelling the patient’s name at one point, which resulted in the report being sent to a former patient with a very similar name in March last year.
An investigation by the ICO found neither member of staff had received training in data protection and there were inadequate checks in place within the board to ensure personal information was only sent to the correct recipient.
These poor practices were also used by other clinical and secretarial staff across the organisation.
Stephen Eckersley, the ICO’s head of enforcement, said: “The health service holds some of the most sensitive information available.
“The damage and distress caused by the loss of a patient’s medical record is obvious, therefore it is vital that organisations across this sector make sure their data protection practices are adequate.
“Aneurin Bevan Health Board failed to have suitable checks in place to keep the sensitive information they handled secure. This case could have been extremely distressing to the individual and their family and may have been prevented if the information had been checked prior to it being sent.
“We are pleased that the health board has now committed to taking action to address the problems highlighted by our investigation; however organisations across the health service must stand up and take notice of this decision if they want to avoid future enforcement action from the ICO.”
Data policies
ABHB is introducing some measures following the incident including ensuring all staff are trained on the storage and use of data policies, regular monitoring of compliance with data protection and IT policies, and new checking processes to confirm a patient’s identity before personal information is sent out.
The board has signed an undertaking to address the ICO’s concerns.
A spokesman for ABHB said it had approached the patient before contacting the information commissioner, to apologise and make the person aware of events.
The board said it was disappointed by the penalty as it took protecting patient information seriously.
“We have 14,000 staff and have hundreds of thousands of contacts with patients each year, with systems in place to discharge these patient contacts confidentially,” said the spokesman.
“The health board has always sought to be compliant with the commissioner’s requirements for public service organisations in this critical area.
“This was a genuine and unintended individual error, which was self-reported by the organisation to the information commissioner, because of the importance the health board places on information governance and in line with the commissioner’s own guidance.”
Source: BBC
Islington Council breach left drug-takers with residents’ details
Posted on 2 May 2012
A data breach led to people reported for anti-social behaviour and drug taking getting information on those who complained.
Extra police patrols are now in place at the Andover Estate in Holloway, north London, following the breach by Islington Council.
Names and phone numbers of 51 complainants were passed to 10 people facing a ban from the estate.
The council has apologised to the affected residents.
A group of people, who are not from the estate, began gathering there earlier this year, and residents complained about loud music, drug smoking and verbal abuse.
The council had prepared legal injunctions against 13 people to ban them from the area, and 10 had been served this month.
But those 10 were also given paperwork including a log of all calls reporting anti-social behaviour, with names, phone numbers and street or estate names if they were given.
Louise Round, Islington Council’s corporate director of resources, said: “This information should not have been released, and we are extremely sorry that, through an error on our part, it has been disclosed.
“The council is in the process of contacting every single person who is on that list – in total 51 people – to offer our apology and any practical support we can give.
“This includes additional security measures if they request it.
“We’re working closely with the police, who are putting extra patrols on the estate to reassure residents and deter any further anti-social behaviour.”
She added that the breach has been reported to the Information Commissioner and that a review of procedures is taking place to help prevent such an incident happening again.
Source: BBC
