
Breach Notifications

Espionage of the Century

Computer spies have broken into the DoD’s most expensive weapons program in history. The program is the $300B Joint Strike Fighter, also known as the F-35 Lightning II. The intruders entered through two or three contractors’ networks. Lockheed Martin is the lead contractor on the program, and Northrop Grumman Corp. and BAE Systems PLC also play major roles. The intruders compromised several terabytes of data related to design and electronics systems responsible for diagnosing a plane’s maintenance problems during flight. Forensic investigators are unable to determine what data has been taken because the spies inserted technology that encrypts the data as it’s being stolen. Many have pointed to source IP addresses originating from within China, but IP spoofing makes this attribution ambiguous.

TSA contractor loses private data of 3,930

TSA, the department in charge of homeland security, has had two of a contractor’s laptop computers stolen. The laptops contained the names, addresses, birthdays, commercial driver’s license numbers and, in some cases, Social Security numbers of 3,930 commercial drivers across the country who transport hazardous materials.
The contractor, Integrated Biometric Technology, told TSA that the personal information was deleted from the computers before they were stolen. But after the second laptop was stolen, TSA investigators discovered that a person with data recovery skills could recover the information. Integrated Biometric Technology will provide one year of free credit-monitoring services to the 3,930 people affected.

TSA has since instructed the contractor to fully encrypt all laptop hard drives. The TSA program is called the Hazardous Materials Endorsement Threat Assessment. It collects information for security-clearance purposes for any driver who transports hazardous materials.

Also in 2007, TSA lost a computer with sensitive bank and payroll data for 100,000 employees. The hard drive contained historical payroll data, Social Security numbers, dates of birth, addresses, time and leave data, bank account and routing information, and details about financial allotments and deductions.

Marriott Discloses Missing Data Files

Backup Tapes Lost At Time-Share Unit

 

By Michael S. Rosenwald, Washington Post Staff Writer
Wednesday, December 28, 2005; Page D01

Marriott International Inc.’s time-share division said yesterday that it is missing backup computer tapes containing credit card account information and the Social Security numbers of about 206,000 time-share owners and customers, as well as employees of the company.

Officials at Marriott Vacation Club International said it is not clear whether the tapes, missing since mid-November, were stolen from the company’s Orlando headquarters or whether they were simply lost.

An internal investigation produced no clear answer. The company notified the Secret Service over the past two weeks, and has also told credit card companies and other financial institutions about the loss of the tapes.

The company began sending letters to time-share owners and customers Saturday, and issued a press release about the loss yesterday. Company officials said they delayed making the matter public until they had researched what information was on the tapes and whom it affected, and determined the issue was sensitive enough to warrant a broad disclosure.

“At this point, we are taking all things into consideration,” company spokesman Ed Kinney said. “The tapes may have been taken, but they could have been misplaced. We’re still investigating the situation.”

The Vacation Club has told time-share owners, customers and the division’s employees to be on the alert for changes to their credit histories or accounts. So far no one has reported any misuse, Kinney said. Those affected have been offered free credit monitoring services.

“We regret this situation has occurred and realize this may cause concern for our associates and customers,” said Stephen P. Weisz, president of Marriott Vacation Club International, a wholly owned subsidiary of the Bethesda hotel chain. More than 280,000 families use its time-shares worldwide.

The loss of Marriott’s tapes is the latest in a series of high-profile security lapses involving data that can be used in identity theft schemes. In 2005, there were at least 134 data breaches affecting more than 57 million people, according to the Identity Theft Resource Center, a California nonprofit that helps people hurt by identity theft and lobbies on computer-privacy issues.

Last February, ChoicePoint Inc. disclosed that it had released thousands of reports containing names, addresses, Social Security numbers and financial information to people posing as officials in legitimate insurance, debt-collection and check-cashing businesses. In June, MasterCard International said that Card Systems Solutions, which processes credit card transactions, had been hacked and that forty million people had their credit card information exposed.

Even high-security defense companies have been victimized. In January, thieves stole computers from Science Applications International Corp. of San Diego that contained personal data on thousands of current and past employees, including former military and intelligence officials.

It is not clear how many cases of identity theft have been caused by the data breaches. There are about 10 million cases of identity theft a year, with total losses of $53 billion, said Robert Douglas, a Colorado privacy consultant and chief executive of PrivacyToday.com.

The costly identity theft schemes have caused state and federal lawmakers to fight for tighter protection of personal data and quick disclosures of breaches.

In 2003, California became the first state to pass a rigorous disclosure law requiring that organizations inform individuals if their personal information is compromised. More than 20 states have passed similar laws since then. Congress is considering more than two dozen bills on what companies should be required to do in data breach cases.

“For the longest time, people have said it’s the consumers’ fault,” Douglas said. “They don’t shred their bank statements at home, or what have you. But since the California law was passed now we are learning how much of this information has been breached and is floating around out there.”

“We try to be proactive in cases like this,” Kinney said. “We followed our own process of being open and proactive.”

Kinney said the tapes, which require specialized equipment to access, were the responsibility of the company’s information resources group. Citing company policy, he declined to say if anyone from the group had been dismissed or disciplined because of the disappearance of the tapes.