Jaime Chanaga, CISSP, CISA

Image via Wikipedia

The University of California, Berkeley, has setup a website http://datatheft.berkeley.edu/ informing the general public about a data security breach carried out by hackers who may have accessed a database at the university's campus health services center.

My thoughts...It is my hope, this incident will serve as a wake up call to healthcare organizations and educational institutions of the need for stronger information security management.  I've long believed that healthcare and educational institutions have a greater responsibility for the confidentiality, integrity, and availability of the personal information entrusted to them by their students, staff, and business partners. 

As a former Chief Information Security Officer (CISO) in healthcare, I know first hand the data security and privacy risks for that industry.The healthcare industry collects and processes more personal information on patients, than most financial institutions. For hackers seeking to steal personal information to be able to conduct financial fraud, healthcare organizations are easy targets, given the limited financial resources those organizations have devoted to protecting the personal information of patients, staff, and business partners. Healthcare organizations need to invest in more information security defenses and education for their staff.  Meeting an audit report for regulatory compliance is not sufficient and healthcare organizations must invest in information security as an integral part of their way of doing business.

The Virginia Prescription Monitoring Program (PMP) was hit by hackers according to media reports. (See Washington Post: http://voices.washingtonpost.com/securityfix/2009/05/hackers_break_into_virginia_he.html)

The suspected hackers deleted the pharmacy records of 8 million patients in the state's databases and hijacked the PMP website with a $10 million dollar ransom note to return the data records.  The state is referring all inquiries to the U.S. FBI.

More news regarding this incident:

FBI Probes $10M Hacker-Ransom Claim in Virginia
http://www.cbsnews.com/stories/2009/05/05/tech/main4992372.shtml

Alleged hacker demands $10 mil for Va medical records
http://www.timesdispatch.com/rtd/news/local/article/HACKGAT05_20090504-212004/265693/

The University of Rochester has disclosed (see official notice) that a non-academic student database was compromised resulting in the data theft of social security numbers of current and former students.  Estimates by the university are that approximately 450 people are affected in this incident.

The University has notified the FBI, the New York State Attorney General, the Consumer Protection Board, and the Office of Cyber Security.  The University is also offering to pay for credit monitoring services for the victims affected by this data breach. 

Shell Oil Co. is warning (click here for link to notification) U.S. based staff that a database containing the names, dates of birth, and social security numbers (SSN) for former and current employees was misused by an IT contractor. 

The allegation is that the IT contractor filed false unemployment claims using the identities of four Shell employees.  Shell has terminated its contract with the IT contract firm in question and is cooperating with local and State of Texas authorities to completely investigate this fraud incident.

Shell should be applauded for their prompt action to investigate and find ways of mitigating the impact of this incident.  Hopefully those guilty of conducting this fraud successfully prosecuted for their egregious breach of trust.

The Bank of New York Mellon (NYSE: BK) suffered the loss of 10 unencrypted data tapes in May 2008.  At the time of this incident, the bank estimated the tapes contained the personal information on approximately 4.5 million customers. 

After subsequent computer forensic examination of the data tapes, the bank is now reporting that the data tapes could contain the personal information on as many as 12.5 million bank customers.

Opinion: A lesson that all businesses should learn is to consider data encryption as another layer of security when storing sensitive personal and financial information.  Encryption won't prevent data breaches or accidental disclosure of sensitive business information, however encryption can prevent your sensitive business information from falling into the wrong hands.

Bank of NY Mellon data breach now affects 12.5 mln
http://www.reuters.com/article/domesticNews/idUSN2834717120080828?sp=true

The New York Times broke the story that The Princeton Review's website exposed the personal data and standardized test scores of approximately 100,000 students. 

The New York Times article - Student Files Are Exposed on Web Site

Stanford University has announced that a data breach related to the physical theft of a laptop computer has potentially put at risk the identities and social security numbers of 62,000 people currently or previously employed by the university.

Stanford University has provided an extensive FAQ regarding this incident located at: http://www.stanford.edu/privacy/faq/

University of Utah Hospitals & Clinics have announced that computer backup tapes containing 2.2 million patient and guarantor billing reocords have been stolen.  The computer back up tapes also contained social security numbers for 1.3 million patients.

The University of Utah Hospitals & Clinics have taken the steps to notify all 2.2 million patients and guarantors as well as providing free credit monitoring and restoration services to those affected. 

If anyone has questions on this incident, you may call 1-866-581-3599 for more information.

University of Utah Hospitals & Clinics -- Press Release
http://healthcare.utah.edu/billingrecordstheft/

Georgetown University in Washington, D.C. has alerted the public via a press release (http://explore.georgetown.edu/news/?ID=30979) of a data breach incident stemming from the loss of an external computer hard drive.  The lost hard drive contained the personally identifiable information including names and social security numbers for approximately 38,000 current and former students, faculty, and staff.

Georgetown is offering free credit monitoring for those affected by this data loss incident.  A toll-free telephone number (866-740-2458) has been setup to handle questions by those who may be affected by this information security breach.   Georgetown is taking the correct steps in recovering from this incident. 

However, it is still amazing to me with the current proliferation of portable storage devices such as external hard drives and USB memory sticks, that organizations don't put into place and enforce stronger IT policies to prevent storage of such sensitive data without any encryption on removable disks and/or memory media.

When will organizations learn to better protect the personally identifiable information they have been entrusted with by their clients, business partners, and employees?  It is my hope this lesson is learned and these types of data loss incidents don't keep occurring.