Personal Losses

Personal Losses is a compilation of material about the theft of personal data from computers. Most of it first appeared in my weekly Winding Down newsletter. The dates shown are the dates on which I wrote the material, not the dates on which the thefts occurred.

We will continue to keep the compilation up to date as new information comes in. If you know of something I've missed, please feel free to send me details and a URL about the theft. E-mail it to alan@ibgames.com and I will take a look and add it to the list.

Alan Lenton


1 October 2006

USA - Washington: This week the US Commerce department, which, among other things, oversees the Census Bureau, has admitted to losing no less than 1,137 laptops since 2001. It claims that all the computers containing personal information were protected by passwords or encryption technology. Really? Oh look, there goes a flying pig!

USA - Connecticut: General Electric admitted this week that a laptop containing the names and Social Security numbers of 50,000 current and former employees was stolen in early September.


20 August 2006

US - Florida: The Florida Department of Transportation suffered the theft of a laptop containing the unencrypted personal details of 133,000 residents. Information on the laptop includes the inevitable social security numbers, plus driving license information and airline license information. It took two weeks for the information to be made public, and it seems unlikely that those affected will be offered free fraud monitoring services.


13 August 2006

USA - Two laptops containing personal data for 31,000 US Navy personnel have been stolen from two different recruiting offices in the last two months. Earlier in July personal details of 100,000 naval aviators were exposed on the Naval Safety Centre's web site, and in June sensitive personal data on 26,000 sailors was similarly exposed. The navy isn't doing very well, to say the least...

USA - Even as the perpetrators of the last major potential leak of Veterans Administration (VA) personal information have their collars felt by the police, new reports have emerged of further leaks. This time a desktop PC belonging to VA subcontractor Unisys has gone for a walk. On its hard drive are the details of 36,000 veterans' names, addresses, social security numbers, dates of birth, and other information useful to identity thieves.


23 July 2006

USA: Western Illinois University announced that a hacker may have copied Social Security and/or credit card information belonging to between 200,000 and 240,000 current or former students.


16 July 2006

US - The Federal Trade Commission is notifying 110 people that two laptops containing their personal data were stolen. The data included Social Security numbers, birth dates and possibly financial account numbers.

US - A contractor installed hacking software in the FBI's computer system and cracked 30,000 agency user names and passwords.


2 July 2006

USA - A hacker broke into the Nebraska Treasurer's Office computer system handling child support. The attack may have compromised the names, social security numbers and other personal information of 9,000 employees and up to 300,000 other people. The computer also contained tax identification information for 9,000 businesses that collect and send in child support.

An interesting feature of the attack was that the attacker got into the department's backup computer, rather than the main one. The lesson is, of course, that back-up computers need just as much security as the primary computers - by definition they have the same information on them!


25 June 2006

US - 2,000 Oregon taxpayers had their personal details - names, addresses, social security numbers, etc - lifted when a porn-surfing Department of Revenue employee downloaded a trojan program. The trojan promptly whisked the details off to an unknown destination. Since this little escapade cost the employee his job, one can only hope that the pictures were worth it!

US - Earlier this month a hacker broke into the US Agriculture Department's computer system. The personal details of anything up to 26,000 Washington area employees may well have been compromised.

US - Personal data belonging to 17,000 Medicare beneficiaries was also compromised earlier this month. A gormless insurance company employee called up the information through a hotel computer and then failed to delete the file. Sheesh! What an idiot.

US - A laptop containing personal data for 13,000 District of Columbia employees was stolen this week from the home of an employee of ING US Financial Services. The company, which administers the district's retirement plan, took several days to notify affected employees, because they weren't sure what was on the computer. I wonder if they store their money in the same sort of lackadaisical way as they store their digital information?


18 June 2006

US - An Internal Revenue Service employee managed to lose an agency laptop last month. The computer contained sensitive personal information on 291 workers and job applicants. Apparently the idiot employee actually checked the computer in as baggage, instead of keeping it with him. He never saw it again - which will come as no great surprise to anyone who flies regularly. The computer contained unencrypted names, birth dates, social security numbers and fingerprints.

Presumably the IRS is now going to issue the unfortunate victims with new fingers?

(Info taken from Risks bulletin)


11 June 2006

USA - The names and credit card numbers of nearly a quarter of a million Hotel.com customers were compromised last February after Hotel.com's auditors, Ernst & Young, had a laptop stolen. It has taken until now for the company to get round to telling the 243,000 customers who were compromised as a result. The company claim that there is no need to worry because the computer was password protected. Password protected? What a joke. These people must live in cloud cuckoo land if they think that will make any difference...

USA - A hacker stole a file containing 1,500 names and social security numbers of employees at the Energy Department's nuclear weapons agency. This was last September, and none of the victims has been notified. This seems to me to be yet another case where senior administration officials believe the laws of their country don't apply to civil servants!

USA - The American Institute of Certified Public Accountants (AICPA) admitted this week that it, or to be more accurate, FedEx Corp, had lost a hard drive containing data on all 330,000 of its members. The data is unencrypted on a hard drive, and includes names, addresses and social security numbers. The drive was sent for repair and was being returned via FedEx when it went AWOL last February. According to FedEx spokesman, Jim McClusky, "At this point we are looking for it as a missing shipment; that doesn't mean it's lost." I think Mr McClusky must have been taking lessons in logic from Lewis Carroll's Red Queen!


28 May 2006

USA - A worker at the Missouri-Illinois region of the American Red Cross used social security numbers to steal personal information of at least 8,000 blood donors and may have compromised up to a million donors. Why on earth is the Red Cross keeping records of its donors' social security numbers? This is a classic case of an organisation maintaining personal information for which it has no legitimate use.

USA - Trust the US government to do things in true style. Everyone else compromises a mere few hundred thousand people's personal information, maybe a million at the outside. The US department of Veteran Affairs, though, managed to compromise the records of no less than 26 million citizens when a laptop computer was stolen. And just to compound the matter, it waited nearly three weeks to inform those affected. Sheesh! So much for providing timely warnings.


21 May 2006

UK - ISP Wanadoo managed to mis-configure its web servers so that hackers could obtain customer data including names and passwords.

Japan - A Japanese nuclear power station run by Chubu Electric Power managed to leak personal information about its security personnel, and other security data, via a file sharing virus. This is the second such incident this year.


14 May 2006

US - Wells Fargo - Compromise of personal information belonging to mortgage customers and potential clients following the theft of a computer. This is the fourth compromise of Wells Fargo computers in the last two and a half years!


7 May 2006

Japan - Details of 66,000 subscribers to the newspaper 'The Mainichi Shimbun' leaked onto the Internet.

US - Personal information including Social Security numbers belonging to current and former Drexel employees leaked from a stolen laptop.

US - Personal information including Social Security numbers belonging to up to 17,000 Long Island Railroad employees and former employees lost by Iron Mountain Inc.

US - 200,000 records, including Social Security numbers, at University of Texas business school illegally accessed. This is the third known breach in as many years.


12 March 2006

The Japanese authorities are having a bad time at the moment. The most popular file sharing system in Japan, Winny, is so popular that even bureaucrats have it installed on their laptops. Unfortunately there are viruses that can take advantage of Winny to spread themselves and to transfer data around. The net result? Classified and sensitive data appearing on public web sites. Ooops.

Interesting items making a public appearance so far include armed forces warfare training info and call signals, information about prison inmates, and the leaking of confidential police data. On the non-Governmental front leaks include a school with information about 400+ students being posted to a public web site, and a similar case involving 2,800 hospital patients.

The authorities are trying to stamp on the use of Winny, but I suspect they have an uphill struggle on their hands, since there is nothing else available that is as convenient and easy to use.


5 March 2006

You may have heard of Ernst & Young; they do lots of expensive 'consultation' for large companies with more money than sense. In particular, they have a department specialising in telling companies whether they are compliant with the Sarbanes-Oxley Act (SOX), which was passed after the Enron affair to force companies to become more accountable. It's ironic then that Ernst & Young should feel it unnecessary to admit publicly that they have lost laptop computers containing personal data on their customers, including social security numbers.

The loss didn't become known until The Register followed up a throw away remark by Sun CEO Scott McNealy to the effect that his own data had been compromised by a company advising Sun on SOX compliance. Some detective work by The Register pointed to Ernst & Young, who finally publicly admitted losing the data.

As the saying goes: Who will watch the watchers?


29 January 2006

So many reports of lost data tapes are coming in these days that soon losing a data tape with tens of thousands of your customers' social security numbers won't be news anymore. The latest story to break is of Bridgeport-based People's Bank losing a tape containing information on 90,000 of its customers. The information included names, addresses, social security and checking account numbers.

Meanwhile, many miles away, Kansas City-based H&R Block was busy sending out unsolicited mail to its customers. H&R Block wasn't actually losing computer tapes, instead it was embedding the recipient's social security number in the package tracking number. H&R Block seem to feel that no one is going to notice because the entire tracking code is 47 digits long. I guess it gives a new meaning to the term 'security by obscurity'!

While all this was going on, ChoicePoint, erstwhile involuntary purveyors of identity information to the criminal fraternity, were settling up with the Federal Trade Commission (FTC) to the tune of US$10 million in fines. It was also bound to pay a further US$5 million in restitution to those who suffered from identity theft as a result of it compromising the information of 163,000 people.

Have you noticed how there has been a sudden outbreak of data loss since it became a legal requirement to notify the affected customers? This suggests to me one of three things. Either companies have been getting very careless since the notification laws were passed, or... data thieves have decided the new laws are an opportunity to go high profile. Alternatively, perhaps, it's been like this all the time and millions of people had their personal information compromised, but no one was told about it. Now which do you think is the correct answer?


22 January 2006

More details are gradually emerging about the tax credit fraud perpetrated on the UK's Inland Revenue and Customs. I covered the basics in issue 184, shortly before Christmas - essentially crooks ripped off the IDs of staff at the Department of Work and Pensions, and used the IDs to file false tax credit claims via the revenue's web portal. It now transpires that the staff at Network Rail (a quasi-government body) were also victims of the scammers. They too had their IDs used in the scam. The quaintly named 'Paymaster General' (a government minister), Dawn Primarolo, announced in Parliament that losses had been 'limited' to a mere 2.7 million UK pounds (US$4.6 million). The Treasury, we are given to understand, considers the fact that the fraud was spotted shows how robust the tax system is!

