October 24, 2013
One website’s anecdotal coverage of September’s data breaches is hardly a scientific sampling. But it does offer some very interesting insights into security problems, not the least of which is how often carelessness, sometimes carelessness bordering on stupidity, can have dramatic security repercussions.
Following are esecurityplanet.com’s September breaches, by category.
Buckeye Check Cashing: A laptop was stolen from a vehicle, exposing an undisclosed number of names, addresses, bank account information and/or Social Security numbers.
Dr. Hankyu Chung: A password-protected laptop was stolen, exposing an undisclosed number of patients’ names, phone numbers, birthdates and medical records, including visit dates, complaints, physical examination notes, diagnoses, and testing and medication information.
Edgewood Partners Insurance Center: Five password-protected but unencrypted laptops were stolen, exposing an undisclosed number of names, addresses, birthdates, driver’s license numbers, benefits information and Social Security numbers, along with some bank account information and health information.
InterContinental Mark Hopkins San Francisco: A hard drive was accessed but not stolen during a burglary, potentially exposing an undisclosed number of guests’ names, mailing addresses, email addresses, phone numbers and credit/debit card numbers.
NHC Healthcare: An unencrypted backup tape was discovered missing. The backup tape contained an undisclosed number of patients’ names, Social Security numbers, birthdates, home addresses and medical information.
Olson & White Orthodontics: Password-protected computers were stolen. Ten thousand patients’ names, addresses, x-rays, photos and diagnostic findings were exposed, along with parents’ or insured parties’ names, email addresses, Social Security numbers and credit scores.
St. Anthony’s Medical Center: A password-protected laptop and flash drive were stolen, providing the thieves with access to 2,600 patients’ names and birthdates, and possibly their medical records.
Unhealthy: An unencrypted laptop was discovered missing. The laptop contained 596 patients’ names, birthdates and medical record numbers.
Columbia University Medical Center: A hidden column in a widely emailed spreadsheet contained personal data, exposing 407 medical students’ names and Social Security numbers.
Georgia Department of Labor: An employee mistakenly emailed a spreadsheet containing 4,457 people’s names, Social Security numbers, phone numbers and email addresses to approximately 1,000 people.
Hill Air Force Base: An employee forwarded sensitive data to an unprotected email address in order to work from home, potentially exposing 525 Air Force employees’ names and Social Security numbers.
PLS Financial: A programming error exposed customers’ names, addresses, email addresses and Social Security numbers.
Virginia Department of Human Resources Management: A Conexis employee mistakenly sent 13,000 state employees’ personal information, including names and Social Security numbers, to 11 state employees.
BEL USA LLC: A server was breached, exposing an undisclosed number of customers’ names, addresses, phone numbers, credit or debit card numbers, expiration dates and CVV codes.
Bell Helicopter: A database was breached, exposing an undisclosed number of email addresses along with some credit card numbers.
Creative Banner Assemblies: The company’s website was hacked and infected with malware, providing the hackers with access to 232 customers’ names, addresses, phone numbers and credit card information.
ICG America: The company’s payment processing system was hacked, exposing an undisclosed number of customers’ names, addresses, email addresses, credit/debit card numbers, expiration and CVV codes.
NetCologne: The company’s website was hacked via SQL injection. The hackers published a list of 15 user names, encrypted passwords, email addresses, registration dates and display names.
Outdoor Network, LLC: The company’s website was hacked and infected with malware, providing the hackers with access to an undisclosed number of customers’ names, addresses, credit card numbers, expiration dates and CVV codes.
Unique Vintage: The company’s website was hacked and infected with malware, providing the hackers with access to an undisclosed number of customers’ names, email addresses, phone numbers and credit card numbers.
Virginia Tech: A server in the university’s human resources department was hacked, exposing 144,963 job applicants’ names, addresses, employment history, education history and prior convictions, along with 16,642 applicants’ driver’s license numbers.
State Farm: A call center employee stole customers’ credit card numbers. Nearly 700 customers were potentially affected.
Vodafone Germany: The company says the breach was only made possible through insider access. Two million customers’ names, addresses, birthdates, genders, bank sort codes and account numbers were accessed.
Partner Company Hacked
Medical University of South Carolina: Credit card processor Blackhawk Consulting Group was hacked, exposing 7,000 customers’ names, billing addresses, email addresses, credit/debit card numbers, expiration dates and CVV numbers.
Paymast’r Services: A website hosted by the company’s service partner was hacked, exposing an undisclosed number of names, addresses, Social Security numbers, driver’s license numbers and payroll card numbers.
Windhaven Investment Management: A third-party vendor’s Web server was hacked, exposing an undisclosed number of clients’ names, account numbers, custodians, and investment positions.
U.S. House of Representatives: A spear phishing attack appears to have provided hackers with access to five names, email addresses, encrypted passwords, IP addresses and photos.
Posted by Dan Rampe