April 2005 Roundup
April has been a busy month from a number of points of view. Identity theft and personal privacy breaches continue to get worse, with recent problems for Ameritrade, Carnegie Mellon University, Iron Mountain, Polo / Ralph Lauren and HSBC surfacing since the article on identity theft was written.
Ameritrade, an online brokerage firm, lost a backup tape which contained up to 200,000 individual account details, covering the period 2000 - 2003. Ameritrade knew of the loss back in February; however, the loss did not get widely reported until April. The claim is that a freight company lost the tape during shipping to an archive location, and that it has subsequently been destroyed or is being held by the freight company for Ameritrade to collect.
Only in the last 96 hours have Carnegie Mellon University and Iron Mountain had their data compromises publicised. In Carnegie Mellon University's case, more than 5,000 students, staff and alumni (potentially as early as the 1950s) were notified that their personal data, including Social Security Numbers, may have been compromised in a recent network intrusion on April 10. The irony of this case is that the US CERT is based at Carnegie Mellon University (although in an unrelated area). The FBI is now involved with the investigation. In addition to the identified 5,000 - 6,000 identities compromised, another 14,000 - 15,000 students may have had sensitive data exposed from 1985 onwards. While not as serious as the first breach, this data may have included job offers, grades, and personal contact information. Given that the Business School, which was compromised, only has 14,000 alumni, essentially everyone associated with the school has had personal information stolen.
Iron Mountain is a US-based data backup and storage specialist, providing storage services for a large number of important customers. Iron Mountain did not specify the size of the disclosure, nor the client company that was involved, but did specify that the backup tapes for that customer were lost.
Clothier Polo / Ralph Lauren was the company involved when HSBC North America notified 180,000 "General Motors" brand MasterCard holders that they should cancel their cards and request replacements, as previous transaction information had been compromised. It is believed that many more people may have been involved, but that other credit card providers are waiting for more information prior to notifying their clients.
Other breaches over the last two months which have not been publicised widely include US health care provider San Jose Medical Group, and Tufts University in Boston, where 106,000 alumni were affected when an alumni donor database was compromised.
A lot of these breaches are limited to the United States because of the reliance upon, and abuse of, Social Security Numbers, which are personally identifying numbers that can be used for almost any purpose. It is this use of them for almost any purpose which is causing major problems for US residents. An SSN can be used for obtaining lines of credit, credit cards, insurance, licences, bank accounts, student loans, and any number of other things that it was not designed for. It would be similar to an Australian being required to provide their Tax File Number every time that they wanted to do anything. Also contributing to the public reporting is the Californian State Law SB 1386, which requires any company doing business with Californian residents to notify them of any breach of privacy information which belongs to Californian residents.
Also making April busy have been problems encountered by different Internet Service Providers, as machines on their networks compromised by trojan horse software have been conducting DDoS attacks against their DNS servers. Australia's largest ISP, BigPond, suffered from this attack, and US network provider Comcast even disappeared from the Internet for short periods of time as they struggled with different network outages and the DDoS attacks. These attacks are not related to the earlier reported issues with the DNS, but have a similar end result - denying useful internet access through domain names. They also result in bandwidth restrictions for customers due to the fake data clogging the networks. The earlier DNS issues are still being debated, with the ISC continuing to assert that DNS cache poisoning was occurring, and that it still is, with some new reports in the last 24 hours. Other agencies and bodies are denying that it was an issue, including Microsoft and Symantec, the two companies whose products were deemed vulnerable by the ISC.
25 April 2005