The Breach Blog

Thank You and Moving On

First, I want to sincerely thank all of the readers of the Breach Blog.  I have been blessed with the opportunity to meet some very genuine and talented people during my time writing here.

Now is the time for me to move on.  I am moving on to other information security related projects.  I am moving on to projects that play more into my strengths as an information security practitioner and give more value to a greater number of people.  The project taking up most of my time right now is the creation of a series of information security training classes and seminars.  It is just one way that I think I can contribute more.

The Breach Blog will remain active; it just won't be updated on a regular basis anymore.  Sometime within the next few weeks, I will post links to one or more of my new projects in the hope that you will find me and my work there.

The Breach Blog started out 18 months ago as a place where I could jot down my thoughts about breaches.  It was a place that allowed me to read about current breaches, learn from mistakes, and make comments about my thoughts.  What started out small grew over time, and I was (and continue to be) glad to share.  In the end, I just want to help people do a better job securing the information assets that they are responsible for.

There are many sites that do a great job of staying current with today's breaches.  These sites are maintained by talented and passionate information security professionals.  True patriots.  Check them out at the links below.

PogoWasRight
Inside ID Theft
Emergent Chaos
Personal Health Information Privacy
Office of Inadequate Security
Merchant 911
Identity Theft Resource Center
Open Security Foundation Dataloss db
National ID Watch
Streetwise Security Zone

If I forgot a site, my apologies in advance.

I still have plenty of opinions; I will just be voicing them in a different manner in a different place.

Again, a sincere thank you to everyone who read and participated.  I hope to run into you all again soon!

Evan Francen
P.S.  The "Contact Me" link on the right sidebar will remain active for anyone who wishes to use it.

Kaiser Permanente personnel files found after arrest

Date Reported:
2/6/09

Organization:
Kaiser Permanente

Contractor/Consultant/Branch:
None

Location:
Sacramento, California

Victims:
"individuals or organizations who were employed on a temporary basis by Purdue University in 2008"

Number Affected:
"nearly 30,000"

Types of Data:
Personal information, including "names, social security numbers and birthdates"

Breach Description:
"SACRAMENTO, Calif. - Personal information from about 29,500 employees of Kaiser Permanente might have been stolen by someone who took a computer file, the company said Friday."

Purdue mailing error hits temporary workers

Date Reported:
2/3/09

Organization:
Purdue University

Contractor/Consultant/Branch:
None

Location:
West Lafayette, Indiana

Victims:
"individuals or organizations who were employed on a temporary basis by Purdue University in 2008"

Number Affected:
"248 companies and 962 individuals"

Types of Data:
Personal information, including that found on IRS 1099 forms (Names, addresses, employer identification numbers, Social Security numbers, etc.)

Breach Description:
"WEST LAFAYETTE, Ind. - A potential problem involving 1099 forms may affect individuals or organizations who were employed on a temporary basis by Purdue University in 2008.  Due to a mailing error, some of these forms were inadvertently sent to the wrong individual or organization."

Credit card skimming may affect 4,000 Best Buy customers

Date Reported:
2/6/09

Organization:
Best Buy Co., Inc.

Contractor/Consultant/Branch:
West Palm Beach, Florida store

Location:
West Palm Beach, Florida

Victims:
Customers during November and December, 2008

Number Affected:
"approximately 4,000"

Types of Data:
"credit card information"

Breach Description:
"An employee at Best Buy’s 1880 Palm Beach Lakes Blvd in West Palm Beach, Florida allegedly stole credit card information during November and December 2008 using an unauthorized personal device."

Laptop stolen from Educational Testing Service office

Date Reported:
1/29/09

Organization:
Educational Testing Service ("ETS")

Contractor/Consultant/Branch:
None

Location:
Unknown

Victims:
Readers

Number Affected:
Unknown

Types of Data:
Personal information, including names and Social Security numbers

Breach Description:
"Overnight on December 15, 2008, a laptop went missing from the desk of an employee at the offices of Educational Testing Service (ETS).  The laptop contained sensitive information belonging to people serving in the "role as a reader for ETS."

Successful social engineering attack leads to 45 victims

Date Reported:
1/30/09

Organization:
State of Oregon

Contractor/Consultant/Branch:
Department of Human Services

Location:
Salem, Oregon

Victims:
"Coos County residents applying for assistance"

Number Affected:
45

Types of Data:
Personal information, including Social Security numbers

Breach Description:
"COOS BAY, Ore. (AP) — An online scam resulted in the theft of 45 Social Security numbers at the Oregon Department of Human Services office in Coos Bay last week."

Georgia parolee information lost on stolen computer

Date Reported:
2/3/09

Organization:
State of Georgia

Contractor/Consultant/Branch:
State Board of Pardons and Paroles

Location:
Roswell, Georgia

Victims:
"current and past parolees supervised by the agency since 1998"

Number Affected:
Unknown

Types of Data:
"names, dates of birth and social security numbers"

Breach Description:
The Georgia State Board of Pardons and Paroles has issued a News Release announcing the theft of a computer from a contractor working on behalf of the agency.  The computer contained sensitive information belonging to certain current and former parolees.

Virus hits SRA International and leads to potential compromise

Date Reported:
1/20/09

Organization:
SRA International, Inc.

Contractor/Consultant/Branch:
None

Location:
Fairfax, Virginia*

*SRA International headquarters are in Fairfax, but this incident may be global

Victims:
Employees, former employees, and dependents of employees who may be enrolled in the SRA benefits program

Number Affected:
Unknown (1,397 Maryland residents mentioned)

Types of Data:
"personal information such as name, address, date of birth, health information and Social Security Number"

Breach Description:
"The SRA Information Technology Services (ITS) team recently discovered a virus on the SRA network that may have allowed the compromise of data."

Beaumont city worker information posted online by mistake

Date Reported:
1/26/09

Organization:
City of Beaumont (TX)

Contractor/Consultant/Branch:
None

Location:
Beaumont, Texas

Victims:
"current and former city employees"

Number Affected:
"about 500"

Types of Data:
"personal information including birth dates and social security numbers"

Breach Description:
"BEAUMONT, Texas — Personal information of about 500 current and former Beaumont city workers accidentally was posted online."

Innodata Isogen employee data stolen from car

Date Reported:
1/5/09

Organization:
Innodata Isogen, Inc.

Contractor/Consultant/Branch:
None

Location:
Hackensack, New Jersey

Victims:
"current and certain former Innodata Isogen employees"

Number Affected:
"as many as 141"

Types of Data:
"personal information, such as Social Security number, date of birth and home address"

Breach Description:
"On December 23, 2008, an Innodata Isogen employee's car was broken into in New Jersey and her laptop case with the laptop inside, along with benefit plan enrollment sheets, and some of her personal information, was stolen."

45 Kansas State students' information sat exposed since 2001

Date Reported:
1/30/09

Organization:
Kansas State University

Contractor/Consultant/Branch:
College of Agriculture

Location:
Manhattan, Kansas

Victims:
Students who "were enrolled in AGEC 490 "Computer Applications in Agricultural Economics and Agribusiness" during the spring semester of 2001"

Number Affected:
45

Types of Data:
"Names, Social Security numbers and grades"

Breach Description:
"Kansas State University is notifying 45 students who were enrolled in an agricultural economics class in spring 2001 that some personal information was inadvertently exposed on the Internet through a K-State departmental Web site."

CityStage gift card customer information exposed

Date Reported:
1/28/09

Organization:
Springfield Performing Arts Development Corporation

Contractor/Consultant/Branch:
CityStage

Location:
Springfield, Massachusetts

Victims:
Customers

Number Affected:
60

Types of Data:
"credit card information"

Breach Description:
"SPRINGFIELD - A security breach involving CityStage's computer system might have exposed credit card information of 60 customers on the Internet, theater officials acknowledged Tuesday."

Citi Habitats client information strewn across four city blocks

Date Reported:
1/27/09

Organization:
Citi Habitats

Contractor/Consultant/Branch:
None

Location:
New York, New York*

*465 Columbus Ave.

Victims:
Clients

Number Affected:
Unknown

Types of Data:
"bank statements, 401k statements, credit reports, tax returns and more driver's licenses than we could count"

Breach Description:
"Thousands of pages of bank statements, credit reports, tax returns and driver's licenses were discovered along Columbus Avenue afternoon yesterday, just waiting to be picked up by would-be identity thieves"

Jobseekers at risk after another Monster breach

Date Reported:
1/23/09

Organization:
Monster Worldwide, Inc

Contractor/Consultant/Branch:
Monster's online job seeking communities (Monster.com, Monster.co.uk, etc.)

Location:
New York, New York*

*The Monster Worldwide, Inc. headquarters is located in New York, New York.  This incident was an online breach, so physical location is difficult to determine.

Victims:
Job seekers and other customers

Number Affected:
Unknown**

**BBC News reports "Users around the world have been affected, including the 4.5 million users of the UK site."

Types of Data:
"user names, passwords, telephone numbers and e-mail addresses, alongside demographic data, birth dates, gender and ethnicity"

Breach Description:
"Hackers are believed to have stolen the personal details of millions of people using the online job site Monster."

MSU foreign students at risk after errant email

Date Reported:
1/21/09

Organization:
Missouri State University ("MSU")

Contractor/Consultant/Branch:
International Student Services

Location:
Springfield, Missouri

Victims:
"foreign students"

Number Affected:
565

Types of Data:
"Sensitive personal information -- including Social Security numbers"

Breach Description:
"Sensitive personal information -- including Social Security numbers -- for 565 foreign students at MSU was leaked this month when a university office sent an e-mail message with the data inadvertently attached."

Pflugerville ISD students charged with intrusion

Date Reported:
1/26/09

Organization:
Pflugerville Independent School District

Contractor/Consultant/Branch:
None

Location:
Pflugerville, Texas

Victims:
Staff and students

Number Affected:
Unknown

Types of Data:
"all of the Pflugerville Independent School District security files which contained passwords, alarm codes, staff personal information, school tests etc."

Breach Description:
"Two Pflugerville teenagers are charged with hacking into their school district's computer system.  Investigators say they gained access to personal information, alarm codes, tests, even grades."

Laptop stolen from the City of Madison is recovered

Date Reported:
1/26/09

Organization:
City of Madison (WI)

Contractor/Consultant/Branch:
Human Resources

Location:
Madison, Wisconsin

Victims:
Employees

Number Affected:
"300 to 500"

Types of Data:
"names, photos, and Social Security numbers"

Breach Description:
"An oversight by the city of Madison's personnel office is the reason Social Security numbers of 300 to 500 city employees were stored on a laptop computer stolen from a city office Friday."

Southwestern Oregon Community College announces stolen laptop

Date Reported:
1/16/09

Organization:
Southwestern Oregon Community College

Contractor/Consultant/Branch:
None

Location:
Coos Bay, Oregon

Victims:
"current and former students"

Number Affected:
"approximately 200"

Types of Data:
"student record information"

Breach Description:
"COOS BAY, ORE - The privacy of hundreds of community college students is put at risk, after someone steals a laptop computer from the campus at Southwestern Oregon Community College."

Kanawha-Charleston Health Department warns 11,000

Date Reported:
1/21/09

Organization:
Kanawha-Charleston Health Department

Contractor/Consultant/Branch:
Express Personnel Services

Location:
Charleston, West Virginia

Victims:
Patients receiving flu shots between October 1, 2008 and December 31, 2008

Number Affected:
"approximately 11,000"

Types of Data:
"names, address, Social Security numbers, dates of birth, marital status, employment information, insurance information and telephone numbers"

Breach Description:
"Kanawha-Charleston Health Department officials today announced that a temporary worker who was assigned the task of performing medical billing for Department’s influenza shot campaign has been identified as a suspect in an identity theft crime that is currently under investigation by the Kanawha County Sheriff’s Office."

Laptop used in background checks stolen from Continental Airlines

Date Reported:
1/12/09

Organization:
Continental Airlines, Inc.

Contractor/Consultant/Branch:
None

Location:
Newark, New Jersey

Victims:
Some employees, vendors, and "new hire candidates"

Number Affected:
230

Types of Data:
"name, Social Security number, fingerprint images, date of birth, address and other information"

Breach Description:
"Unfortunately, sometime between December 31 and January 2, 2009, a Continental laptop computer was stolen from a locked Newark office.  This laptop was used for certain background checks, and it contained confidential data files on 230 individuals."
