Posts Tagged ‘data breach’

Identity Theft Most Likely at Hotel Check-in

Thursday, July 29th, 2010

According to the USA Today Hotel Check-in blog and Nicholas Percoco, who runs SpiderLabs at Trustwave, you are more likely to have your identity stolen from a hotel breach than from a breach in any other industry. According to Percoco, the problem isn’t getting any better either.

Apparently thieves are installing sophisticated malicious software on hotels’ computers that can access the registration system. It can go undetected in the computer system for months until an expert goes in to look for it. The software is designed to extract information from the hotel’s computer system, such as credit card numbers, names and addresses.

Hotels are the most investigated industry for data breaches and restaurants are second. Hotels are starting to realize the threat and have begun spending money to prevent and detect these kinds of breaches. According to ABC News, which covered this story last month, more than 700 Destination Hotel guests have had their credit card information stolen.

What can someone do to prevent this from happening to them? Not a whole lot: because the breach is with the hotel, you can’t control it. The only thing a customer can do is monitor their credit and avoid paying for a hotel with a debit card. Debit card charges come straight from your checking account, and the time period to file charge complaints is shorter. If you use a credit card, you will have a long period of time to catch the fraud and file a complaint before the money is actually transferred.

RockYou data breach exposes 32 million Facebook, MySpace accounts

Friday, December 18th, 2009

A hacker let himself in through an unlocked virtual door at RockYou Inc and walked off with more than 32.6 million login names and passwords for users of Facebook, MySpace, Friendster and other social networking sites.

The login information was unencrypted and virtually unprotected, and, according to ComputerWorld, the users’ names were the same as those of the users’ Gmail, Yahoo, Hotmail or other web mail accounts. Though few people include Social Security or financial account information on their social media sites, any of that information in users’ web mail accounts could be reached using the stolen login information.

RockYou says more than 130 million unique users take advantage of their tools for social media sites every month, including applications and services for greeting cards, horoscopes, games, emoticons and photo uploads and slideshows.

A segment of the database was posted on the hacker’s website along with his claim that he accessed 32,603,388 accounts, including their unencrypted, plain-text passwords. He warned RockYou, “Don’t lie to your customers, or i (sic) will publish everything.”

The data breach was discovered after database security firm Imperva Inc warned RockYou that hackers were using a serious error in their system to access RockYou’s massive user database. At least another day passed before RockYou brought down the site, according to Imperva. RockYou said in a statement they immediately brought down the site and addressed the problem.

More than 285 million records were compromised in data breaches last year, and more than 50% of all breaches required little or no technical skill, according to the Verizon Business 2009 Data Breach Investigations Report. The investigators also reported that 83% of all data breaches could have been prevented last year if the victims had employed simple, inexpensive controls.

University Medical Center patients’ personal info sold

Friday, December 11th, 2009

Some attorneys are ambulance chasers—a term coined to describe personal injury lawyers who follow ambulances from car wrecks to the hospital so they can shove their business cards into the hands of accident victims. Apparently at University Medical Center, attorneys—and possibly others—can simply buy victims’ information from the Las Vegas hospital’s employees.

Kathy Silver, the hospital’s CEO, admitted to legislators this week that she’s known for three weeks that the names, birth dates and Social Security numbers of at least 21 people who were patients at UMC on October 31 and November 1 were sold. Those 21 patients were among 71 to receive services on October 31 and November 1, all of whom may be victims of the privacy breach.

The hospital’s chairman of the board, County Commissioner Lawrence Weekly, learned of the data breach at the same time Silver did. When asked why he didn’t take steps after learning of the privacy breach when Silver did, he said he didn’t know selling patients’ information is illegal.

ID theft risk: Data breaches at colleges and universities

Tuesday, December 1st, 2009

There were three reported data breaches at institutions of higher learning in the United States last month, making November a relatively uneventful month for data breaches. I say relatively uneventful because there have been 72 data breaches so far this year at colleges and universities—an average of more than six a month so far this year.

There were also fewer records exposed than in many other months, with a total of only 5,409; that compares well to October when there were more than twice that number of records exposed in a total of seven reported breaches.

The November data breaches bring the total number of reported exposed records to 868,286. The actual total is much higher than that, though; 11 of the incidents were reported with an “unknown” number of records exposed, and in one incident the number of exposed records was reported as “thousands.”

  • 11/1—Bloomsburg University of Pennsylvania, Bloomsburg, PA
      • 574 records exposed
      • Stolen laptop
      • Names, Social Security numbers and grades of students enrolled in a psychology class taught by Julie Kontos between Summer 2004 and Spring 2006 were stored on the laptop stolen from a university office.

Health Net data breach affects 1.5 million members

Tuesday, November 24th, 2009

Connecticut’s Health Net lost a computer hard drive and the personal, medical and financial information of roughly 1.5 million members, including 450,000 Connecticut residents, leaving them vulnerable to ID theft, medical ID theft, financial loss, insurance fraud, credit card fraud and public humiliation.

The data breach occurred in May, but Health Net did not notify its customers, state officials or law enforcement until last week.

The lost information covers the period from 2002 to the present, and pertains to past and present members from Arizona, New Jersey, New York and Connecticut who

Connecticut Attorney General Richard Blumenthal said he was “outraged and appalled” not just by the data loss, but by Health Net’s keeping the information loss under wraps for six months. Their silence could be a violation of Connecticut law, he said.

Identity Theft at Mercy Medical Center in Baltimore

Saturday, November 14th, 2009

Police are still investigating a security breach at Mercy Medical Center in Baltimore. The security breach has left an unknown number of victims open to identity theft, according to the attorney general’s office.

The hospital has already sent out letters to the affected former patients. The letters stated that a former employee had accessed patient records for the purpose of applying for credit cards and loans.

The spokesman for the attorney general didn’t know how many people had been sent letters. However, Hugh Williams, who is the coordinator of the identity theft office of the state attorney general’s office, said that the number of people who could have been affected could be significant. He is also not sure when the data breach was discovered, but encouraged people who receive letters to take them seriously.

The data breach is still under investigation. This is a situation that falls under the state law passed last year, under which businesses are required to inform people promptly of any data breach that could affect them.

Laws like the one passed last year in Maryland are getting passed all over the US and I think it’s a very good idea. Businesses handle data breaches very differently. Some tend to try and cover it up until the last minute while others do the right thing and inform people early. Laws that force businesses to inform people of data breaches promptly are a step in the right direction.

Consumers not connecting data breach and ID theft, study shows

Monday, November 2nd, 2009

Somehow consumers aren’t making the connection between receiving a data breach notification and later becoming an identity theft victim, according to a new study. As a result, people whose information has been compromised in a data breach are four times more likely to become victims of either identity theft or credit fraud within the next 12 months.

Yet, when asked later about having become identity theft victims, few of the survey respondents attributed their fraud to the data breach they’d been involved in.

The objective behind sending the data breach notification letters is to let consumers know their personal or financial information has been compromised. The notices should spur credit card and bankcard holders to place fraud alerts or credit freezes on their credit reports, or to enroll in identity theft protection services or credit monitoring services.

Unfortunately, it seems few recipients of the data breach notifications are taking heed.

Data Breach: PayChoice hackers attack again

Friday, October 23rd, 2009

Hackers forced payroll processor PayChoice to shut down its online portal again Wednesday, for the second time so far this month. The data breach came to light when PayChoice customers reported fake employees being added to their payroll rosters.

PayChoice is one of the largest payroll processors in the United States. They lease their payroll management product to more than 240 other payroll processors and serve more than 125,000 organizations. There are approximately 20 branch locations in the U.S. serving small and mid-market companies.

Clients received an email alert from the firm Thursday that said an investigation determined valid credentials were used in an unauthorized manner. PayChoice believes the bogus employees were added in order to have paychecks sent to fraudulent bank accounts.

This most recent attack seems to be the follow-up to last month’s data breach in which hackers stole customers’ user names and passwords from PayChoice servers. Soon after, customers received emails advising them to download a plug-in to continue their access to the PayChoice portal. Customers who followed those instructions were infected with malicious software designed to steal user names and passwords.

The hackers apparently planned this latest maneuver to coincide with a large payroll processors conference in Utah. Many PayChoice employees and those of their licensees are attending the conference, so all operations are being conducted by a diminished staff, according to Steve Friedl, a security expert who works as a consultant for Evolution payroll, a PayChoice competitor.

JP Morgan Chase Bank data breach: Congress demands answers

Friday, October 9th, 2009

JP Morgan Chase Bank admits to having lost a computer data tape containing customer information earlier this year. Bank officials have so far refused to reveal how many customers are affected by the data breach, how many customers have been notified, or even when the data breach occurred. But it appears they’ll have to answer those questions soon.

This week two Republican members of the Congressional Committee on Energy and Commerce, Rep. Joe Barton and Rep. George Radanovich, sent a letter to James L. Dimon, Chairman and CEO of JPMorgan Chase and Co. asking these questions and more.

In notifying the untold number of affected customers, the bank offered them one year of free enrollment in Chase Identity Protection. The congressmen asked whether the affected customers will be automatically charged for ongoing participation in the program, or will the program be automatically discontinued unless customers specify otherwise.

The committee members sent the letter October 7, and set a deadline of October 31 for a written response from the bank.

In July 2006 Chase Card Services (a division of JP Morgan Chase) notified 2.6 million current and former Circuit City credit card account holders that five computer tapes containing their personal information had been accidentally sent to the trash. It indicated that it believed the tapes were safely “buried in a landfill.”

In August 2005 JP Morgan Chase admitted that a laptop containing customers’ personal and financial information was stolen. The bank said then that the number of customers affected was unknown.

New Data Breach Rules For HealthCare Providers

Tuesday, October 6th, 2009

A new Act has gone into effect as part of the U.S. Department of Health & Human Services: the Health Information Technology for Economic and Clinical Health (HITECH) Act. According to this Act, insurance providers that don’t use the HHS-approved techniques of encrypting and protecting data will be forced to notify individuals within 60 days of a data breach. If the breach affects more than 500 people, the breach must be reported to the HHS and to the media.

The Act later goes on to say that “healthcare companies must publicly disclose data breaches only if the breach threatens significant financial or reputational harm to the individuals affected.” The HHS decides whether or not the threat is significant enough to inform the press and make the data breach public.

I feel this law will aid in forcing companies to protect their data better and making them release information about their data breaches. I only hope that the HHS policies on data encryption and security are tight enough to keep people out. If they are not, then the law will help protect companies from having to release information about their data breaches. After all, the HHS gets to decide what to disclose and what to keep from the public. I feel it could be a step in the right direction toward keeping insurance information just a little bit safer.