Data Losses/Breaches Keep Growing In UK, US and Around the World

Security Lessons Going Unlearned


An article this week at The Register states that between November 2008 and September 2009, UK companies and government departments self-reported 356 data losses. In the same period a year earlier, 190 such incidents were reported.

The information was compiled by Software AG, which used a Freedom of Information Act request to get the data from the UK Information Commissioner's Office.

After a rash of commercial and especially government data losses last year and in 2007, the UK government promised that data security would be improved, including the encryption of personal data.

The data released by Software AG show otherwise.

Here in the US, ComputerWorld reports that CalOptima, an integrated health care system that administers health insurance programs for children, low-income families, and persons with disabilities in Orange County, California, announced last Friday that the personal information of 68,000 of its members may have been compromised, including member names, home addresses, dates of birth, medical procedure codes, diagnosis codes and member ID numbers, along with an unspecified number of Social Security numbers.

The information, CalOptima stated, was on several unencrypted CDs that a claims processing vendor sent to CalOptima by US Postal Service certified mail. The mail package containing the CDs showed up, but the CDs were missing.

CalOptima will be sending out notices soon to those affected.

Last month I blogged about the University of North Carolina School of Medicine at Chapel Hill discovering in late July that one of its servers had been hacked into, and that the Social Security numbers of 163,000 women participating in a UNC medical study were at risk.

A follow-up story in the Winston-Salem Journal a few days ago reported that many of the women whose personal information was exposed did not know that their private medical information was being used in a federally mandated study.

It turns out that, as the W-S Journal notes, "Federal regulations allow radiologists to submit the information to the registry without getting permission from their patients because it is a population-based study dealing with large amounts of data, officials say."

As electronic medical records become more prevalent, it will be "interesting" to see what happens in terms of hacker activity when tens of millions of records start to become aggregated for federal government research programs. They would certainly make highly lucrative targets to go after.

There was also a story earlier this week about hackers penetrating the Swiss foreign ministry's computer systems, forcing elements of it to shut down for several days. The AFP story says that "well hidden" hacking software was found on the 22nd of October.

In addition, a story in the London Times late last week said that Zurich Insurance had admitted losing a tape a year ago containing the confidential personal details of 51,000 of its British, 550,000 of its South African and 40,000 of its Botswana customers. A Zurich spokesperson was quoted as saying that the loss was "unacceptable."

Also, a Washington Post story in Brian Krebs' Security Fix blog reports that hackers have stolen over $40 million from 205 small and mid-size US businesses over the past four years. The attacks share the same general modus operandi: use malware-infected spam to get inside the business's computing systems and steal its banking credentials. Once the credentials are captured, the hackers use them to drain money from the victim in chunks under $10,000, keeping each transfer below the threshold that would trigger the bank's anti-money-laundering reporting requirements.
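The pattern Krebs describes leaves a footprint a bank or a business's own finance team can look for: a burst of outbound transfers that each sit just under the reporting threshold but together add up to far more, often to payees the account has never paid before. The script below is an added example, not code from the post, the FBI or Security Fix; the ledger lines, the 75% "near threshold" cutoff, the seven-day window and the minimum count of three transfers are all assumptions chosen for illustration.

```python
"""Flag clusters of outbound transfers that sit just under the $10,000
reporting threshold named in the post. Added example with constructed
data; thresholds other than $10,000 are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10_000.0         # reporting threshold named in the post
NEAR_FRACTION = 0.75         # "just under": >= 75% of the threshold (assumed)
WINDOW = timedelta(days=7)   # look-back window for clustering (assumed)
MIN_COUNT = 3                # near-threshold transfers needed to alert (assumed)

# Constructed sample ledger: timestamp, account, amount, payee, payee_is_new (1/0).
# ACME-OPS shows the pattern: four sub-$10k transfers to new payees in two days.
SAMPLE_LOG = """\
2009-10-20T09:14:00,ACME-OPS,2450.00,Vendor-Steel,0
2009-10-21T10:02:00,ACME-OPS,9800.00,Mule-117,1
2009-10-21T10:05:00,ACME-OPS,9650.00,Mule-203,1
2009-10-22T08:41:00,ACME-OPS,9900.00,Mule-088,1
2009-10-22T08:43:00,ACME-OPS,9700.00,Mule-311,1
2009-10-22T12:00:00,BRIGHT-LLC,9950.00,Payroll-Svc,0
2009-10-23T15:30:00,BRIGHT-LLC,120.00,Office-Supply,0
"""


def parse_log(text):
    """Parse the comma-separated ledger into a list of transfer dicts."""
    rows = []
    for line in text.strip().splitlines():
        ts, acct, amt, payee, new = line.split(",")
        rows.append({
            "ts": datetime.fromisoformat(ts),
            "account": acct,
            "amount": float(amt),
            "payee": payee,
            "new_payee": new == "1",
        })
    return rows


def find_structuring(rows, threshold=THRESHOLD, window=WINDOW,
                     min_count=MIN_COUNT, near=NEAR_FRACTION):
    """Return {account: cluster} for every account that has at least
    min_count transfers in [near*threshold, threshold) inside one window,
    where the cluster's total itself clears the threshold."""
    by_acct = defaultdict(list)
    for r in rows:
        if near * threshold <= r["amount"] < threshold:
            by_acct[r["account"]].append(r)

    alerts = {}
    for acct, xs in by_acct.items():
        xs.sort(key=lambda r: r["ts"])
        # Slide a window anchored at each transfer; first qualifying cluster wins.
        for i, start in enumerate(xs):
            cluster = [r for r in xs[i:] if r["ts"] - start["ts"] <= window]
            total = sum(r["amount"] for r in cluster)
            if len(cluster) >= min_count and total >= threshold:
                alerts[acct] = cluster
                break
    return alerts


def describe(alerts):
    """Human-readable summary lines, one per flagged account."""
    out = []
    for acct, cluster in alerts.items():
        total = sum(r["amount"] for r in cluster)
        new = sum(1 for r in cluster if r["new_payee"])
        out.append(f"{acct}: {len(cluster)} transfers, ${total:,.2f} total, "
                   f"{new} to never-before-seen payees")
    return out


if __name__ == "__main__":
    for line in describe(find_structuring(parse_log(SAMPLE_LOG))):
        print(line)
```

The single $9,950 payment from BRIGHT-LLC is not flagged: one near-threshold transfer to an established payee is ordinary business, and the point of clustering is to avoid paging someone on every large invoice. The count of never-before-seen payees is carried in the summary because, in the cases Krebs describes, the destinations are typically money mules the business has no history with, which is the strongest single signal an analyst can act on.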

The FBI, which provided the information, says that small and mid-size businesses need to be increasingly aware of this problem, which apparently is growing.

This is probably good advice. This story last week in Government Computer News says that over the last few months there have been repeated spikes in computer viruses that are not being detected by the major antivirus programs. The story draws on a report by the security firm Commtouch.

Virus writers are moving to guerrilla hit-and-run tactics, distributing massive outbreaks of a variant of a single virus in the hope of compromising a large system somewhere before the antivirus companies can react.

Lovely.


About the Risk Factor blog

IEEE Spectrum’s risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.