Ran across a new breach story this weekend that almost slipped under my radar from the San Francisco Chronicle. Reportedly some “overseas” hackers broke into UC Berkeley computer systems and accessed a proverbial “shit ton” of confidential information.

The databases contained 97,000 Social Security numbers, health insurance information and nontreatment medical information, such as immunization records, names of doctors whom people may have seen and dates of medical visits, said Shelton Waggener, UC Berkeley’s associate vice chancellor for information technology and its chief information officer.

Supposedly, though, the large number of Social Security numbers were stored in a separate database from the names and medical histories that corresponded to them. However, officials are unclear on whether the “overseas” hackers were able to access both sets of information, match them up and assemble a complete identity.

The hackers, primarily from China and elsewhere in Asia, had access to the information for six months before they were discovered. The breach exposed the records of 160,000 people, of whom 97,000 had Social Security numbers included in the database, officials said.

This is where most of these breach articles lose me. If the people providing the data for this news article honestly aren’t sure about something like the hackers forming a complete identity, how can their IP tracking technology be so rock solid that they are sure that the hackers are legitimately from Asia? Just as Asian as 1,000 email accounts “from Asia” costing a kid in New Jersey a few dollars?

Further evidence of the crack security team’s vast knowledge of this incident can be found here:

The hackers broke into the computer system Oct. 9 and were not discovered until April 9, when administrators performing routine maintenance came across an “anomaly” in the system and found taunting messages that had been posted three days earlier, UC said.

I’d prefer not to touch this part because it seems wrong and easy, but what kind of IDS do they have, or do they keep some seriously huge log files, to know how this attack happened 6 months later? OK, that is all I’m saying about that.

There are some other people that agree with my line of thought quoted at the end of the article if you’re interested.

This weekend news broke in the Dallas area that Irving area school teachers had their personal information compromised.

From Dallas Morning News:

Irving school officials now say that identity thieves obtained the names and Social Security numbers of 3,400 teachers and other employees contained in an old benefits report and then used the information to make thousands of dollars in purchases.

District security director Pat Lamb said a woman charged in the case said the information came from a list of names pulled out of a trash bin.

“We still do not know how our records were compromised,” said Lamb, who mentioned that his own name was on the list. “We don’t know if somebody was supposed to shred that information, but it ended up in a Dumpster.”

The school district’s policy requires following a schedule for properly destroying records.

I find it interesting that the assumption is that the employee records were compromised due to papers ending up in a dumpster. Was this statement a slip by the spokesperson? The US Secret Service and US Marshals are involved in the case, which makes me wonder if the information ended up in a dumpster at all.

At least 64 of the affected people on the list have come forward as having had their identities stolen. This number will most likely grow as other teachers check on their own credit reports.

For the full article read on.

Article Link

Earlier this week it was reported that a list of Comcast customers’ usernames and passwords, 8,000 entries long, was exposed on a public website for at least two months. Kevin Andreyo, a professor at Wilkes University, came across the list while performing a search for his own personal e-mail address. The search dug up Scribd, a document sharing site that housed the list of 8,000 usernames and passwords, including Mr. Andreyo’s.

Reportedly the list had been viewed “over 345 times and downloaded 27 times.” This in and of itself is a relatively small number, but it means that the list is still out there and can be shared again or even added to.

A spokesperson for Comcast commented stating that the list contained only 700 active accounts and that the rest were either dead or not Comcast customers. She also stated she does not believe the breach came from within the company because the manner in which the list was created was sloppy.

Comcast can downplay this as much as they’d like but it sounds to me like, at least, 345 people got their hands on a seriously dangerous resource. At the safest end of the spectrum of what could happen with this, people can add to their lists of known usernames and more importantly list of known passwords. I’ve seen what a wordlist compiled of actual passwords can do and 8,000 attempts would fly by in less than 3 or 4 seconds.

Also if only a fraction of items on the list were Comcast customers, what were the other items customers of? Chase? Bank of America? AIG executives?

I guess it’s just a good thing that it was only up for two months, as far as we know, even though that is two months too long.

Article Link

Another ID theft operator gets pinched.

From North Country Gazette:

Manhattan district attorney Robert Morgenthau said that 25-year-old Igor Klopov was sentenced Wednesday to 3 ½ to 10 ½ years in state prison. Klopov, a 24-year-old Russian with an expertise in mining the Internet to obtain personal information about potential victims, was able to gain information easily about the value of property, size of outstanding mortgages and existing lines of credit.

As ringleader of the identity theft ring, Morgenthau said Klopov generally targeted the home equity line of credit (HELOC) accounts of people who owned expensive properties and had large lines of credit.

Among the victims were a Silicon Valley couple, the head of a major credit reporting agency, and a wealthy Texas businessman. Morgenthau said Klopov found many of his victims through the Forbes 400 list. Many of the victims lived in states – such as Texas and California – where property deed information is available online.

And like that, poof, he’s gone. Probably would have been smarter to have gone after smaller fish to avoid detection. Gotta love greed sometimes. It makes smart people foolish. And foolish people dumber than a bag of wet socks.

Article Link

I stumbled across this article this morning while combing through my RSS feeds. This author used a little bit of ingenuity when disposing of unwanted credit cards that were sent to them. Normally I, along with most folks, would cut up the cards and dispose of them in the trash at a couple of locations.

This person went that one step further.

From Parent Hacks:

We got new credit cards in the mail the other day, which necessitated disposing of the old cards. Normally, I cut up the card in several pieces so the card info cannot be retrieved by anyone looking to identity-thieve. Not only that, but I dispose of some of the card pieces in one trash can and the rest in another. Well, I looked into the bathroom trashcan, saw a discarded disposable diaper, and a light bulb went off. I opened up the diaper (don’t worry, it was only a wet one), dropped the credit card pieces in, and wrapped it back up.

It might make you squeamish, but I know I wouldn’t go looking for anyone’s personal data there.

Article Link

OK, I’m out of bed and starting to feel a little more human.

So, first up. It seems that employees of the pharma giant Bristol-Myers Squibb are a little uneasy today. It turns out that a backup tape containing personal info on former and current staff was pilfered from the back of a delivery truck.

Well, that’s gotta suck.

From Network World:

However, according to a security breach notification letter sent by the firm to the New Hampshire Attorney General’s office, personal data of 458 residents of that state was stored on the stolen tape.

Hortas declined to disclose where the theft occurred or any other circumstances regarding the incident, citing an ongoing investigation by Bristol-Myers and law enforcement authorities. She also would not identify the third-party storage vendor hired by Bristol-Myers to transport the sensitive data.

I hope it wasn’t Iron Mountain again. They could use a break. While the 458 affected might seem like a small number, consider this:

included the names, addresses, birthdays, Social Security numbers, marital status, bank account numbers, salaries, and hiring and termination/retirement dates of the affected employees. In addition, the tape has Social Security and address information about dependents of former and current employees.

Now, that really sucks.

Article Link

Um, whoops.

From Consumer Affairs:

A laptop containing personal information on AT&T employees and management was stolen from an employee’s vehicle last month, the company said.

The laptop, which had no encryption or security protection beyond a password lock, contained names, Social Security numbers, and salary information for an undisclosed number of workers.

Employees were notified of the theft on May 22, seven days after the theft, according to privacy watchdog PogoWasRight.org, which first reported the story. In a letter to employees, AT&T said that, “The measures and precautions we put in place to protect the security of company-owned property and our employees’ personal information were not followed.”

AT&T said that the responsible employee “has been disciplined.”

Disciplined you say?

Muawhaha!

Article Link

The wall of shame has a new candidate for stolen laptops I’m afraid. This time a laptop with personal information for employees at Stanford University was pinched.

From the San Francisco Chronicle:

Stanford University has notified tens of thousands of past and current Stanford University employees that their personal information – including their dates of birth, Social Security numbers and home addresses – was on the hard drive of a stolen university laptop.

A Stanford spokesman said Saturday the stolen computer contained personal information on people hired by the university before Sept. 28, 2007, which could be as many as 72,000 people. Stanford sent out an e-mail message Friday to all the current and former employees it could reach, advising them of the theft.

“While there is no evidence that any of the information on the stolen laptop has been accessed, the University is committed to taking steps to assist individuals whose personal data may be misused,” Stanford Chief Financial Officer Randy Livingston wrote in the e-mail.

Odd that no details of the actual theft were provided save for the fact that it occurred.

Article Link

A 15-year-old student managed to hack into a school computer in Pennsylvania. He got his hands on 2005 tax return information for 41,000 taxpayers, which threw a town meeting for a loop.

From DailyLocal dot com:

Borough police arrested a 15-year-old Downingtown West High School freshman on May 21 and charged him with theft by unlawful taking or disposition, computer theft, unlawful duplication and computer trespass.

District administrators learned about the intrusion on May 9, when a student told Downingtown West’s principal that another student might have personal information, Griffin said. But 71 school employees did not learn their 2005 W-2 forms were copied until May 16, and Griffin said this was because district officials had to first perform “due diligence.”

According to police, the data files contained more than 41,000 adult taxpayers’ names and personal information, including Social Security numbers, and more than 15,000 students’ names and personal information. The school district sent out letters to 16,595 residences about the incident.

Eldredge said he received the school district’s letter but believes it’s a dead issue.

“For me, I’m comfortable that nothing was done with the information,” Eldredge said.

But not everyone felt the same.

“I have a tremendous objection to anyone but the county having this information,” West Bradford resident Susan Singer said. And if there are instances of identity theft, “I will be more than outraged,” she said.

ID theft can scare the best of us at the worst of times.

Article Link

OK, I am sufficiently absent-minded. I read this piece yesterday, but I forgot to share it. It turns out that the folks over at Finjan have discovered a server loaded with stolen personal information. Apparently it was housing 1.4GB worth of purloined info. They have dubbed it a “crimeserver”.

How cute.

From Reuters:

A Web security firm said on Tuesday it had tipped off international banks and police after finding a huge trove of stolen business and personal data amassed on a server in the space of just three weeks.

Finjan Inc said it had notified the U.S. Federal Bureau of Investigation, police in various countries and more than 40 financial institutions in the United States, Europe and India about the discovery of the so-called “crimeserver”.

“This server was running for about three weeks and within this period it managed to collect 1.4 gigabytes of data. It is indeed the largest treasure we’ve found in this very short time,” Yuval Ben-Itzhak, chief technology officer of the California-based firm, said in a phone interview from Israel.

The stolen data consisted of 5,388 unique log files including 1,037 from Turkey, 621 from Germany, 571 from the United States, 322 from France, 308 from India and 232 from Britain.

Glad to see that they were able to find and shut down this nuisance. Congrats to the folks at Finjan.

Article Link