A hacker let himself in through an unlocked virtual door at RockYou Inc and walked off with more than 32.6 million login names and passwords for users of Facebook, MySpace, Friendster and other social networking sites.

The login information was unencrypted and virtually unprotected, and, according to ComputerWorld, the users’ names were the same as those of the users’ Gmail, Yahoo, Hotmail or other web mail accounts. Though few people include Social Security or financial accounts information on their social media sites, any of that information in users’ web mail accounts could be accessed with accessed information.

RockYou says more than 130 million unique users take advantage of their tools for social media sites every month, including applications and services for greeting cards, horoscopes, games, emoticons and photo uploads and slideshows.

A segment of the database was posted on the hacker’s website along with his claim that he accessed 32,603,388 accounts, including their unencrypted, plain-text passwords. He warned RockYou, “Don’t lie to your customers, or i (sic) will publish everything.”

The data breach was discovered after database security firm, Imperva Inc, warned RockYou that hackers were using a serious error in their system to access to RockYou’s massive user database. At least another day passed before RockYou brought down the site, according to Imperva. RockYou said in a statement they immediate brought down the site and addressed the problem.

More than 285 million records were compromised in data breaches last year, and more than 50% of all breaches required little or no technical skill, according to the Verizon Business 2009 Data Breach Investigations Report. The investigators also reported that 83% of all data breaches could have been prevented last year if the victims had employed simple, inexpensive controls.

Some attorneys are ambulance chasers—a term coined to describer personal injury lawyers who follow ambulances from car wrecks to the hospital so they can shove their business cards into the hands of accident victims. Apparently at University Medical Center, attorneys—and possibly others—can simply buy victims’ information from the Las Vegas hospital’s employees.

Kathy Silver, the hospital’s CEO, admitted to legislators this week that she’s know for three weeks that the names, birth dates and Social Security numbers of at least 21 people who were patients at the UMC October 31 and November 1were sold. Those 21 patients were among 71 to receive services on October 31 and November 1, all of whom may be victims of the privacy breach.

The hospital’s chairman of the board, County Commissioner Lawrence Weekly learned of the data breach at the same time Silver did. When asked why he didn’t take steps after learning of the privacy breach when Silver did, he said he didn’t know selling patients’ information is illegal.

Silver said she’d heard rumors about patient information being sold, but gave it rudimentary investigation and then let it go. Three weeks ago the rumors were confirmed, but patients weren’t notified. The law allows 60 days to make a data breach notification, but The FBI is now investigating the hospital.

Some of the patients learned their information had been bought and sold when they received a call from a reporter at the Las Vegas Sun. An unnamed whistleblower gave the 21 records to the newspaper because of his or her concern about the leak.

Personal information has been flowing from the hospital in a slow, steady stream for several months, and possibly for several years, the source said. If that’s true, the public’s trust and the hospital’s fundraising ability could be eroded in the same way the Colorado River created the Grand Canyon.

There were three reported data breaches at institutions of higher learning in the United States last month, making November a relatively uneventful month for data breaches. I say relatively uneventful because there have been 72 data breaches so far this year at colleges and universities—an average of more than six a month so far this year.

There were also fewer records exposed than in many other months, with a total of only 5,409; that compares well to October when there were more than twice that number of records exposed in a total of seven reported breaches.

The November data breaches bring the total number of reported exposed records to 868,286. The actual total is much higher than that, though; 11 of the incidents were reported with an “unknown” number of records exposed, and in one incident the number of exposed records was reported as “thousands.”

• 11/1—Bloomsburg University of Pennsylvania, Bloomsburg, PA
• 574 records exposed
• Stolen laptop
• Names, Social Security numbers and grades of students enrolled in a psychology class taught by Julie Kontos between Summer 2004 and Spring 2006 were stored on the laptop stolen from a university office.

• 11/6—Chaminade University, Honolulu, HI
• 4,500 records exposed
• Erroneous Internet posting
• Names and Social Security numbers of undergraduate students enrolled between 1997 and 2006 when an internal report was inadvertently posted in March of this year on a publicly accessible website.

• 11/15—California State Polytechnic University, Pomona, CA
• 355 records exposed
• Erroneous Internet posting
• Names and Social Security numbers of university applicants from 2003 remained on a publicly accessible website from November 2003 to November 2008. The file was removed from the website last year, but remained in search engine caches and indexes and so was still accessible until November 2009. The error was discovered by a former student when he found his own university records online with a simple Google search.

Connecticut’s Health Net lost a computer hard drive and the personal, medical and financial information of roughly 1.5 million members, including 450,000 Connecticut residents, leaving them vulnerable to ID theft, medical ID theft, financial loss, insurance fraud, credit card fraud and public humiliation.

The data breach occurred in May, but Health Net never notified their customers, state officials or law enforcement until last week.

The lost information covers the period from 2002 to the present, and pertains to past and present members from Arizona, New Jersey, New York and Connecticut who

Connecticut Attorney General Richard Blumenthal said he was “outraged and appalled” not just by the data loss, but by Health Net’s keeping the information loss under wraps for six months. Their silence could be a violation of Connecticut law, he said.

A Health Net spokeswoman explained the lengthy interval between the event and their disclosure of it by saying they were performing an internal investigation and detailed forensic review to determine exactly what information was on the stolen hard drive.

The patients’ information was unencrypted though it included their names, Social Security numbers, private health information and bank and credit card account numbers.

“Protecting the privacy of our members is extremely important to us,” the company said in a statement. “We apologize for any inconvenience or concern this may cause our members.”

A Health Net representative said they haven’t received any reports of ID theft because of the data breach.

Health Net experienced a similar data breach last year when a laptop was stolen from a company vendor. The laptop contained the names and Social Security numbers of 5,000 employees and an undisclosed number of health-care providers. In that case Health Net notified their employees of their increased risk of ID theft roughly a month after the laptop was stolen.

Hackers forced payroll processor PayChoice to shut down its online portal again Wednesday, for the second time so far this month. The data breach came to light when PayChoice customers reported fake employees being added to their payroll rosters.

PayChoice is one of the largest payroll processors in the United States. They lease their payroll management product to more than 240 other payroll processors and serve more than 125,000 organizations. There are approximately 20 branch locations in the U.S. serving small and mid-market companies.

Clients received an email alert from the firm Thursday that said an investigation determined valid credentials were used in an unauthorized manner. PayChoice believes the bogus employees were added in order to have paychecks sent to fraudulent bank accounts.

This most recent attack seems to be the follow up to last month’s data breach in which hackers stole customers’ user names and passwords from PayChoice servers. Soon after, customers received emails advising them to download a plug-in to continue their access to the PayChoice portal. Customers who followed those instructions were infected with malicious software designed to steal user names and passwords.

The hackers apparently planned this latest maneuver to coincide with a large payroll processors conference in Utah. Many PayChoice employees and those of their licensees are attending the conference so all operation are being conducted by a diminished staff, according to Steve Friedl, a security expert who works as a consultant for Evolution payroll, a PayChoice competitor.

JP Morgan Chase Bank admits to having lost a computer data tape containing customer information earlier this year. Bank officials have so far refused to reveal how many customers are affected by the data breach, how many customers have been notified, or even when the data breach occurred. But it appears they’ll have to answer those questions soon.

This week two Republican members of the Congressional Committee on Energy and Commerce, Rep. Joe Barton and Rep. George Radanovich, sent a letter to James L. Dimon, Chairman and CEO of JPMorgan Chase and Co. asking these questions and more.

In notifying the untold number of affected customers, the bank offered them one year of free enrollment in Chase Identity Protection. The congressmen asked whether the affected customers will be automatically charged for ongoing participation in the program, or will the program be automatically discontinued unless customers specify otherwise.

The committee members sent the letter October 7, and set a deadline of October 31 for a written response from the bank.

In July 2006 Chase Card Services (a division of JP Morgan Chase) notified 2.6 million current and former Circuit City credit card account holders that five computer tapes containing their personal information had been accidentally sent to the trash. It indicated that it believed the tapes were safely “buried in a landfill.”

In August 2005 JP Morgan Chase admitted that a laptop containing customers’ personal and financial information was stolen. The bank said then that the number of customers affected was unknown.

A new Act has gone into effect as part of the U.S. Department of Health & Human Services, the Health Information Technology for Economic, and Clinical Health (HITECH) Act. According to this Act insurance providers that don’t use the HHS-approved techniques of encrypting and protecting data will be forced to notify individuals within 60 days of a data breach. If the breach affects for than 500 people the breach must be reported to the HHS and to the media.

The Act later goes on to say that “healthcare companies must publicly disclose data breaches only if the breach threatens significant financial or reputational harm to the individuals affected.” The HHS decides whether or not the threat is significant enough to inform the press and make the data breach public.

I feel this law will aid in forcing companies to protect their data better and making them release information about their data breaches. I only hope that the HHS policies on data encryption and security are tight enough to keep people out. If they are not then the law will help protect companies from having to release information about their data breaches. After all the HHS gets to decide what to disclose and what to keep from the public. I feel it could be a step in the right direction to keeping insurance information just a little bit safer.

Women who get mammograms improve their chances of surviving breast cancer, but 236,000 women who get mammograms in North Carolina are now at an increased risk of becoming ID theft victims because a hacker attacked a University of North Carolina server containing their information.

Among the compromised records were those of 163,000 women that included their Social Security numbers, placing them at a very high risk of identity theft.

The accessed server at UNC-Chapel Hill contained information from the Carolina Mammography Registry, a compilation of data from 31 mammography sites in the state. The project is funded by the National Institutes of Health.

Little is known about the breach, which was discovered in July. Forensics experts haven’t yet been able to determine who committed the attack, its origin, or its impact. One thing they have learned, however, is that some of the viruses were installed as far back as 2007.

The university waited to notify individuals until they knew how many women were affected and could identify them, according to university officials.

The compromised server was one of two that stored a total of more than 662,000 women’s information. The second server wasn’t part of the data breach. 

Social Security number used to be used as patient identifiers, but are no longer. That’s why only some of the records included Social Security numbers, which are considered the most valuable information for identity thieves.

One of the biggest worries now for the researchers who study the compiled information is that the data breach may cause them to lose their NIH five-year, $2 million grant in the future.

Social networking site have been a topic of discussion in security circles for some time now. Everyone has heard or read a story about how you should be careful about what you put on a social networking profile because that information could be used to steal your identity.

Well what about the information that is being leaked out of Social networking site in order to send advertisements out targeted for you. According to a study done at AT&T Labs and the Worchester Polytechnic Institute several social networking sites are leaking out personal information about you. They take information about you from your profile and your viewing habits, which are then stored in a cookie and used by data aggregators.

What does that mean? Well that means the social networking sites store who you are, what you like, and what you look at so that advertisers can target people that would most likely be interested in a product or service. That’s not all though, once they have this information they can track where you go and what you see when you’re not on the social networking site.  If they have a tracker on another site you visit they will see you visited that site and can match your IP address to your social media profile. Which makes browsing the Internet less anonymous.

This is truly scary and bothersome. I know it’s a good way to make ads smarter and better targeted to a specific audience, but I don’t like my information being released like that. I am not worried about what the aggregators and advertisers are doing with the information I’m worried about how secure the information is.

This could be a security threat and could lead to people stealing this information and using it to steal identities. Many data breaches are a result of a company or organization giving information to a third party who ends up loosing it. I am sure that this type of information would he helpful in the pursuit of identity theft.

So once again be careful what information you put on your social networking site. The less a stranger can find out about you the better. Try not to use your full legal name and leave out your birthday or use a fake one when possible. Never allow yourself to give out information that could be a part of a security question, like the name of your pet or your mother’s maiden name. If your mom is on Facebook and has her maiden name as her middle name make sure she leaves it out, so people can’t just look for family and find it. Things like these can make your social networking experience a lot more secure.

August was an especially busy month for hackers, thieves and inept university IT employees. There were nine reported data breaches at American educational institutions last month—hackers were blamed for two; thieves for three; and, inept employees who inadvertently exposed personally identifying information caused three more.

The ninth incident occurred at the University of Texas, Brownsville and involved student and employee fraud. The security breach involved stolen test answers and no personally identifying information was revealed.

The total reported number of compromised records is low—roughly 2,000—but three of the universities failed to reveal the number of compromised records, so the total is undoubtedly higher.

• University of Oregon
  Unauthorized disclosure
  Roughly 20 student records exposed because of a flaw in the university’s degree auditing system.
• University of California, Berkeley
  School of Journalism
  Hacking
  Names, birth dates, and Social Security numbers of 493 students who applied for admission between September 2007 and May 2009 were vulnerable when the school’s web server was breached.
• Louisiana State University
  Unauthorized disclosure
  Number of affected records unknown
  Students’ personal information, including names and Social Security numbers, was inadvertently posted on an LSU web site.
• Northern Kentucky University
  Computer theft
  Names and Social Security numbers of at least 200 current and former students were contained on a laptop stolen from an on-campus, secured location. There was no mention of whether the information was encrypted or password-protected.
• California State University, Los Angeles
  Computer theft
  Names, address and Social Security numbers of more than 600 CSULA employees and former students were contained on two desktop computers and 12 laptops stolen from campus.
• Boston University
• ROTC Program
  Unauthorized disclosure
  6,675 ROTC students (406 from BU; the balance from other ROTC programs around the country) were affected when their records were inadvertently exposed on the Internet via a file-sharing program installed on a university computer.
• University of Massachusetts, Amherst
  Hacking
  Number of affected records unknown
  20 years of student records exposed in a data breach, which occurred last year between September 15 and October 27. Information includes names, Social Security numbers and some credit card information of current and former students who attended the university between 1982 and 2002.
• Bluegrass Community and Technical College, Lexington, KY
  Theft
  Little information is available, other than that personal information including Social Security numbers of 100 or fewer students was stolen from the college.

Information for this post was gathered from ESI (Education Security Incidents). For more information on data breaches at colleges and universities, visit www.adamdodge.com/esi/month/2009/08.