The InfoWatch analytical center calculates that the most common information leak channel in 2006 was mobile devices. As though confirming this view, at the beginning of January news agencies continued reporting multiple internal security incidents arising from laptop use affecting tens of thousands of victims among Tower Perrin clients, more than 100,000 clients of ERS, and also 70,000 students in Moscow and North Charleston. According to InfoWatch experts, this tendency will continue into the first third of this year at least.
Five laptops with the private data of tens of thousands of people were stolen from the consulting company, Tower Perrin, at the end of November. According to The Wall Street Journal, the computers contained information on private citizens’ pension contributions as well as company employee details. Among the victims are over 6,000 employees at Philip Morris. Tower Perrin brought in the police on December 7th, although it is thought that the break-in occurred on November 27th. In the lead-up to New Year, on December 28th police arrested a suspect in the case, but did not find the stolen computers. The suspect, Dewayne Rivers, had worked at Tower Perrin for 4 years. This fact shows that the company was not free from insiders.
Tower Perrin has promised to review its information protection measures. At present, according to a company spokesman, all laptops are protected by nothing more than a login and password. In addition, the company is looking at the issue of providing bank account monitoring services for those affected by the incident.
Meanwhile, unknown persons made off with computers containing information on the clients of 5 insurance companies in 5 different states from the offices of Electronic Registry Systems Inc. (ERS). Among the victims were Emory Healthcare from Atlanta, Geisinger Health System from Denville, Pennsylvania, and Williamson Medical Center from Franklin, Tennessee. The names of two other companies have not been made public since they have not yet begun notifying their clients.
ERS is a subcontractor for many American insurance companies. More than 300 health institutions across the country use ERS’s services to manage their patient digital data banks.
At present, ERS is attempting to minimize the likely consequences of an information breach on public opinion. Specifically, ERS does not think that the theft was targeted at it, since it affected several other companies’ offices in the same building. In addition, we know that the computers were password-protected. According to the company, this is a very reliable means of protection, and there is little chance of the thieves gaining access to the data. But in the view of InfoWatch’s experts, a professional requires only a few minutes to get round a password. Moreover, the computers contained complete personal records, including names, addresses, illness histories, and Social Security numbers. This is more than enough to effect identity theft.
The insurance companies are also shaken up by the incident. Geisinger has already informed 25,000 of its clients about the incident and Emory, 36,000 of its patients. The number of the victims of this leak now stands at over 100,000.
In South Carolina, police have begun looking for thieves who stole a laptop from the Higher Academic School of Magnetism. And the school, situated in the small town of North Charleston, seems to attract thieves like a magnet, this being the third theft in a month and a half. The first took place on November 17th, when thieves stole a personal computer from the administration building. Then, on November 30th, two laptops went missing from the information center. And now, laptops have again been stolen from the administration building. The school’s officials are working closely with police to prevent the identity theft of over 1,500 teenagers.
A more recent internal security incident took place in Moscow. Not Moscow, Russia, but the city in the US. Three laptops with the personal details of 70,000 students, graduates, as well as current and former employees, were stolen from the University of Idaho, Moscow. The information held on the computers included Social Security numbers, making identity theft possible.
There is nothing, as yet, to indicate that the thieves have made use of the lost information. Nevertheless, the university’s staff have been fully professional in the matter and sent notifications to everyone affected by the incident. Despite the fact that the laptop contained data on 70,000 students and staff, the university decided to inform 332,000 people since the internal investigation has not yet been able to establish exactly which 70,000 records have been stolen.
Apart from warning private citizens, the university has taken measures to prevent such leaks in the future, namely, the deletion of certain sensitive information from some computers altogether, the installation of encryption programs on all computers and laptops containing confidential information, and the upgrading of physical and electronic computer protection.
And in yet more news from the US, another huge leak occurred at the end of last year. In this leak, a laptop with unprotected information about 382,000 current and former Boeing employees was stolen. It is probable that the company has decided to beef up its disciplinary code since its Managing Director, Jim McNerney, has announced that the employee responsible for the incident is to be fired.
Denis Zenkin, InfoWatch’s Marketing Director, said, “There is nothing surprising about what we see today. All that has happened is that we are in a new calendar year. But as concerns the protection of information, we are still where we were. The news agencies continue to report leaks from last year, as well as new examples of slapdash attitudes to the protection of confidential information. Time is needed for things to change. Plus, of course, the implementation of proper internal security measures.”
Sources: The Wall Street Journal, CSO, Computerworld, News.now, internetnews.com, TimesDispatch.com, Yahoo.com, Help Net Security, FOX12 News, FinanzNachrichte