State of Rhode Island, 4,118 or 53,000 CC, Hacker

Thousands of credit card numbers were stolen from a state government Web site that allows residents to register their cars and buy state permits, authorities said Friday.

The private company that runs http://www.ri.gov said that 4,118 credit card numbers had probably been taken, a state official said. All online transactions were suspended Friday until any possible security problems could be fixed.

The breach was uncovered when a security company discovered a Web site in Russian, Najarian said. The author claimed he obtained 53,000 credit card numbers.

Loring said the Web site was breached on Dec. 28, and far fewer than 53,000 numbers were stolen. She said the company notified credit card companies of the breach, but did not notify card holders.

From the AP, via techdirt, who ask, “So, if the government is out fining those, like ChoicePoint, who leak data to criminals, what do they do when they’re the ones doing the leaking?”

Octopus vs. Submarine


Rare video footage shows a giant octopus attacking a small submarine off the west coast of Vancouver Island.

Salmon researchers working on the Brooks Peninsula were shocked last November when an octopus attacked their expensive and sensitive equipment.

The giant Pacific octopus weighs about 45 kilograms, powerful enough to damage Mike Wood’s remote-controlled submarine.

From “Video captures octopus attack on sub in B.C.” Video links on the CBC page. [Update: check out the voice over at Irregular Times. I do question the ability of a five year old to independently and authoritatively answer a leading question like "Is it a nice octopus?" However, alternate and plausible interpretations are welcome.]

Providence Home Services, 365,000 medical records, Car Thief

About 365,000 hospice and home health care patients in Oregon and Washington are being notified about the theft of computer backup data disks and tapes late last month that included personal information and confidential medical records…In an announcement yesterday, Providence Home Services, a division of Seattle-based Providence Health Systems, said the records and other data were on several disks and tapes stolen from the car of a Providence employee at his home. The incident was reported by the employee on Dec. 31, according to the health care system…The data on the tapes was encrypted, Walker said. The data on the disks was in a proprietary file format that was not encrypted, but “is stored in a way that would make it difficult, if not impossible, for someone to access it, then make any sense out of it,” he said.

As far as I know, there is no law requiring that the loss of encrypted data be reported. The new rules around disclosure march onwards.
(From Computerworld, via InfoSec News.)

Providence Home Services, 365,000 people, health records, theft from employee vehicle

From Computerworld (via Slashdot) we learn that a home health care business deliberately sent patient info home with an employee as part of their disaster recovery plan. I’m serious. Now, unless this guy lives under Cheyenne Mountain, I’m saying that’s a dumb plan. Anyhoo, some of the information was encrypted, but much of it was not. Specifics on what was stolen:

The information on the disks and tapes included names, addresses, dates of birth, physicians’ names, insurance data, diagnoses, prescriptions and some lab results. For approximately 250,000 of the patients, Social Security numbers were on the records, according to the health system. Some of the records also included patient financial information.

Funny. A guy at Ameriprise (foolishly) takes his work home and gets canned for it. Meanwhile, the exact same activity is mandatory at another regulated institution.
(BTW, sorry if I sound snarky — low on caffeine at the moment)
Update 02/04/2006: The police report is now available online. It is very interesting. It’s also worthy of note that a single individual whose PII was stolen has so quickly created a community web site dealing with the breach through which his information was revealed.

Choicepoint to Pay $15M Fine

Atlanta-based data aggregator ChoicePoint today agreed to pay $15 million to settle charges that it violated federal consumer protection laws when it allowed criminals to purchase sensitive financial and personal data on at least 163,000 Americans.

The settlement addresses a pair of lawsuits filed against ChoicePoint by the Federal Trade Commission and represents the largest civil penalty ever obtained by the agency.

Via Brian Krebs at the Security Fix blog.

Ameriprise, 230,000 SSNs, Stolen Laptop

On Wednesday, Ameriprise Financial, an investment advisor firm, said that a company laptop stolen from an employee’s parked car in December contained the personal information of some 230,000 customers and company advisors, The New York Times reports.

The sensitive information contained in the laptop included the names and Social Security numbers of roughly 70,000 current and former financial advisors, as well as the names and internal account numbers of about 158,000 customers.

Andrew MacMillan, Ameriprise spokesperson, said the culprits likely had no idea that the laptop contained sensitive information, and in turn, the potential risk of “any data being used or discovered is very low.” MacMillan noted that the laptop was protected by a password, but the data was not encrypted, a blatant breach of the company’s privacy regulations. Ameriprise has fired the employee involved.

Via CSOBlog.

Introducing Debix

I’m at Black Hat Federal this week, helping introduce Debix. Of all the systems that I’ve heard about to combat identity theft, Debix’s stands far above the crowd, which is why I’ve joined their advisory board:

In the physical world, we have the ability to place locks on everything from cars to safety deposit boxes to bicycles. Debix offers physical locks that put you in control of your electronic accounts.

Using patent-pending Debix Lock(TM) technology, Debix provides consumers with a familiar and convenient way to lock and unlock access to your most important on-line information making your passwords, social security number, and other personal information useless to identity thieves.

UDel breach twofer

The University of Delaware “UDaily” reports on two breaches:

[A] computer in the School of Urban Affairs and Public Policy was attacked sometime between Nov. 22-26 by an unknown hacker, and it contained a portion of a database that included Social Security numbers for 159 graduate students.
[...]
A back-up hard drive was stolen from the Department of Entomology and Wildlife Ecology some time between Dec. 16-18, and a police report was filed Dec. 19. [...] [I]t is believed the theft of the hard drive was an afterthought. The hard drive contained personal information on a few individuals, and Jack B. Gingrich, a postdoctoral fellow in the department whose hard drive was stolen, has informed all those involved.

From the Do As We Say Dept.

Everyone knows that the Motion Picture Association of America is very much against unauthorized copying of movies. Then why is the MPAA admitting that it copied a movie, when it was specifically told not to by the copyright owner?

The movie in question is Kirby Dick’s This Film Is Not Yet Rated. According to the story in the Los Angeles Times, Dick specifically requested via e-mail that the MPAA not make copies of the movie. In spite of the very clear wishes of the copyright owner, the MPAA went ahead and made additional copies for its internal use anyway.

Via Dan Kim, “MPAA Hypocrisy.”