ID theft : employee information

Binghamton University data breach

IdentityTheft — Fri, 13 Mar 2009 18:10:00 GMT

I’ve written much larger data breaches, but I don’t think I’ve ever been more amazed by an organization’s total disregard for information security than that displayed by Binghamton University in Binghamton New York.

Let me paint the picture: There is on BU’s campus a large lecture hall used on a daily basis and late into the evening. Next to the lecture hall is a two-story storage area. The door to the storage area is open—in fact the latch is taped to prevent the door’s being locked.

News reporters from WHRM casually wandered into the storage room the other night and found dozens of unlocked file cabinets and lots of open shelving. Everywhere in the room were boxes, binders and stacks of files. Within them the reporters found records of current and former student records, some dating back to the mid-90s.

Information within the records included:

Records of tuition payments sorted by Social Security number.
Receipts for tuition payments, complete with credit card account information.
Residency records with tax information and copies of students’ parents’ Social Security cards.
Scans of students’ Social Security cards, driver’s licenses and vehicle registrations.
Scans of a letter from the U.S. government granting a student’s mother asylum.
Scans of W-9 tax forms from a student’s parents, both parents’ social security numbers, tax forms for the parents’ business and Social Security numbers and vital information for the parents’ employees.
Undeliverable mail that included students’ names, addresses and Social Security numbers.

The stairs to the second floor provide the only access to the lecture hall’s lighting system, so it can be reasonably assumed that a number of janitors and maintenance workers have had easy access to the records. In fact, anyone who considered stealing the records would have found the shopping cart and hand truck within the storage area an added convenience.

University officials have since contacted WHRM’s news director and advised him to secure legal representation.

Data breaches, ID theft risks much worse than reported

IdentityTheft — Fri, 06 Mar 2009 16:57:00 GMT

March came in like a data breach lion, with five new reported data breaches, according to the Privacy Rights Clearinghouse's Chronology of Data Breaches. These most recent data breaches add 86,762 to the known number of records exposed in data breaches since in just over four years, bringing that total to a staggering 253,488,925.

The reason for the emphasis of the terms “reported” and “known” is this: The number of reported data breaches is much lower than the actual total, as evidenced by recent surveys.

In December 2008 the Ponemon Institute released the results of a survey in which 92% of information technology professionals said their company had experienced a data breach within the previous year.
In October 2008 Logica, an information security company, announced that their survey of company executives showed only 40% of companies notify their customers of data breaches; only 50% report their data breaches to any law enforcement or government oversight agencies.

Further, many of the organizations that report data breaches cannot or will not reveal the number of compromised records. A powerful example of this is the Heartland Payment Systems data breach. Heartland claims they still don’t know how many records were hacked, however many information security experts expect that the number will exceed 100 million.

Here’s what we know about the five most recently reported breaches:

A city employee in Muskogee, Okla. sold a zip drive as surplus in 2000 with personal information of 4,500 people on it.
A server was hacked at Western Oklahoma State College, exposing the Social Security numbers of 1,500 library users.
An Elk Grove Unified School District (Cal.) employee lost a document containing the Social Security numbers of 520 employees.
An NYPD employee stole pension fund information of 80,000 current and former NYPD officers.
A car belonging to a St. Rita’s Medical Center (Lima, Ohio) employee was broken into and a bag containing 242 patient files was stolen.

Personal, financial info of 80,000 NYPD officers stolen

IdentityTheft — Wed, 04 Mar 2009 20:04:00 GMT

Law enforcement officers choose that career knowing of its inherent risks. But now a new, and unanticipated work-related threat faces the officers of the New York Police Department. It’s identity theft, and the perpetrator is one of their own.

Anthony Bonelli, an employee within the NYPD’s pension fund, was arrested this week and accused of stealing eight tapes which stored the names, Social Security numbers, bank account direct-deposit information for 80,000 NYPD officers.

Bonelli made comments at work last week that raised suspicions. NYPD to sent technology specialists to the undisclosed Staten Island site where the tapes were stored to investigate further. They discovered that the facility’s security cameras had been disabled on Feb. 21 and the back-up tapes were gone.

Bonelli, 46, had 17 years of tenure with the police department and served most recently as the pension fund’s communications director. He did not have authority to access the site.

Officers arrested Bonelli at his home Saturday and found the missing tapes there. He’s been charged with computer trespass, burglary and grand larceny, and is being held on $2 million bail.

The NYPD’s pension fund office is sending out letters today to the 80,000 officers who now face an elevated risk of identity theft.

This isn’t the first time NYPD’s officers have been the target of identity thieves. Jaquaja Price, a housing police officer, was arrested for stealing the personal information of 10 NYPD officers and passing them along to Radio Shack employee Candace Johnson-Davis. Johnson-Davis used the information to open credit accounts at the store and purchased high-end electronics.