 

In The News

 
Data Storage Losses

You may be surprised at just how much data goes astray. The articles below are taken from press stories and are here to highlight the different types of data that go missing. There are plenty more similar stories, but many more go unreported because the companies cannot afford the bad publicity that results from such a loss. Follow the links for the full stories. Could your business end up in this type of story?


Possible repercussions of data loss
  • Company reputation damaged causing loss of business

  • Company officers liable for legal action

  • Share price falls as investor confidence wavers

  • Competitors gain internal knowledge of company

  • Customers take their business away due to insecurity

  • Loss of job, future employment prospects poor


11 December 2006

Dailyrecord.co.uk

ID FRAUD FEARS AS DISABLED RECORDS PINCHED

Thieves target fund group

By Paula Murray

THOUSANDS of disabled people have been warned to be vigilant after their personal details were stolen from a support group.

The data had been put on a computer back-up tape by Government-backed Independent Living Funds.

But the tape was stolen from a van and now clients have been told their details could be in the hands of identity thieves.

The information includes full names, dates of birth, addresses, national insurance numbers and bank details of thousands of vulnerable customers.

More than 19,000 severely disabled people in the UK receive financial support from the ILF, who have an annual budget of more than £240million.

It enables them to live in the community rather than stay in residential care.

ILF refuse to say when the incident took place - and angry clients fear there's been a delay in telling them about it.

Christopher Fisher, who is bedbound and suffers a neurological condition, received a courtesy letter at the end of last week. It was dated November.

The 53-year-old, who lives in Rhu, Argyll and Bute, said: "It is very distressing, especially as there has been so much in the news about identity thieves lately.

"I think they should have phoned us immediately. This kind of information can be sold and that worries me."

A spokesman for the ILF said a helpline has been set up and added: "As a police investigation is now ongoing, it would be inappropriate to comment."


IBM Loses personal records on Tape

May 16th 2007

Newsday.com is reporting that IBM Corp., one of the world's leading providers of encryption and other data-management technologies, is in the uncomfortable position of trying to solve its own mystery involving missing computer tapes with sensitive information about employees and records of customer transactions.

An outside vendor was transporting the tapes from one IBM facility to another on Feb. 23 when the tapes fell out of a contractor's vehicle in Westchester County, N.Y., not far from IBM headquarters in Armonk. IBM representatives went to the scene and couldn't find the tapes, spokesman Fred McNeese said Tuesday.

The incident surfaced in recent weeks when IBM's human-resources department wrote to affected workers -- primarily former employees -- to inform them. The letter said the tapes held archival information "such as your Social Security number, your dates of employment with IBM, birth date, contact information such as your address, and your IBM work history."

IBM also advertised in a local newspaper to ask for the return of the tapes.

Even one backup tape likely has room for information on thousands of employees or customer accounts. McNeese would not reveal how many tapes were gone or how many employees or clients were affected. He said some of the tapes were cloaked by encryption, but not all of them.

McNeese said there is no indication the information on the tapes has been exploited. But as a protection, IBM has offered a year of a credit-monitoring service to the affected employees, McNeese said. As for the customer information, McNeese said it included records of business transactions between IBM and certain clients, but he called the data "inconsequential."




Jobs lost after tapes stolen.

FEBRUARY 28, 2006 (COMPUTERWORLD) - One employee was fired and three others resigned in connection with the theft in late December of backup computer tapes and disks containing personal information and medical records on about 365,000 hospice and home health care patients from a parked car in Portland, Ore.

In an announcement late last week, Providence Home Services, a division of Seattle-based Providence Health System, said the four workers left the company after “a confidential and thorough internal review process of the data storage procedures that led to the theft.” A Providence spokesman confirmed that three of the workers resigned, while one was fired. The spokesman could not confirm the job titles of the workers, but said that all four had jobs related to the data-theft incident.

The theft took place Dec. 31, when a Providence Home Services IT department worker took backup tapes and disks home in his car as part of the home health care division’s backup protocol. The disks and tapes were stolen after they were left in the employee’s car overnight (see “Update: Thief nabs backup data on 365,000 patients”). The division has since discontinued that backup procedure and brought in more traditional means of protecting data.

Some of the data on the tapes was password-protected at the application level, while the rest of the data was stored in proprietary file formats without password protection. After the incident, the company decided to make all of its data more secure by using additional technologies, including encryption.

Providence notified all affected patients by mail about the theft. The information on the disks and tapes included names, addresses, dates of birth, physicians’ names, insurance data, diagnoses, prescriptions and some lab results. For approximately 250,000 of the patients, Social Security numbers were on the records, according to the company. Some of the records also included patient financial information.

Providence said it has received no verified reports that the stolen data has been used illegally.

The health care group has also reached a deal with security vendor Kroll Inc. to provide Kroll’s ID TheftSmart credit monitoring and restoration services for free to those affected by the theft. ID TheftSmart allows individuals to continuously monitor their credit files, investigates potential identity theft cases and can help identity theft victims restore their identity if data theft occurs.

Starting next week, affected patients will get a letter from Kroll detailing how to sign up for the program.

“We think this will help address the concerns of our patients and their families and help put their minds at ease,” Rick Cagen, CEO of Providence Health System’s Portland Service Area, said in a statement. “We have heard from patients that the process to notify the credit agencies can be difficult, and we appreciate the time they have spent as a result of the theft.”

The data theft incident is under investigation by the Oregon attorney general’s office. A spokesman for the attorney general’s office could not be reached for comment.




Iron Mountain Admits Tape Loss, Recommends Encryption
April 22, 2005
By Paul Shread, on www.enterprisestorageforum.com

In a move that could fuel efforts to change data storage practices, records management giant Iron Mountain has admitted losing a customer's backup tapes and is recommending that customers begin encrypting tapes.

"Iron Mountain performs upwards of five million pickups and deliveries of backup tapes each year, with greater than 99.999% reliability," the company said in a statement Thursday. "Nevertheless, since the beginning of the year, four events of human error at Iron Mountain resulted in the loss of a customer's computer backup tapes. While four losses is not a large number in comparison to an annual rate of five million transportation events, any loss is important to customers and to Iron Mountain."

Iron Mountain did not name the customer, but the admission comes on the heels of announcements from Bank of America and Ameritrade that the financial firms had lost backup tapes containing customer data and were notifying customers.

"Iron Mountain is advising its customers that current, commonly used disaster recovery processes do not address increased requirements for protecting personal information from inadvertent disclosure," the company said.

Companies commonly create multiple copies of their computer data on backup tapes and move them off site to allow for recovery in case of a disaster. According to a recent report from the Enterprise Strategy Group, only seven percent of businesses encrypt all of their backup tapes.

Many businesses don't encrypt because the process increases the complexity of the backup process and may reduce the reliability of an effective disaster recovery plan, Iron Mountain said.

"Iron Mountain, therefore, is recommending that companies encrypt backup tapes containing personal information, but take care to incorporate encryption in a way that does not compromise their overall disaster recovery plans," the company said. "This announcement is the beginning of a campaign to educate our customers on these important issues so that together we can start to work toward solutions."

Iron Mountain noted that the accidental loss of backup tapes "poses a potential risk if sensitive information stored on those tapes is unencrypted. ... Iron Mountain is not aware of any incident in which the physical loss of a backup tape resulted in the unauthorized access of personal information. It is important to understand that unencrypted information stored on backup tapes is difficult to read, but it is not impossible. Companies need to reassess their backup strategies and seriously consider encrypting sensitive data to prevent a potential breach of privacy."

"We invest more in training, automation and process controls than anyone in our industry," stated Iron Mountain CEO Richard Reese. "But even Iron Mountain is not immune from human error. The only effective means to prevent unauthorized access to data is the use of encryption."

Iron Mountain spokesperson Melissa Burman said the company made the announcement "to create awareness and educate our customers on this issue. We believe encryption is the best way for businesses to meet the increasing need for privacy protection."

The company isn't currently working with storage security vendors or offering an encryption solution, she said.

"For now, we're focused on the education component, but we are evaluating solutions to bring to our customers, either directly or indirectly, that will make it easier for them to implement encryption into the tape backup process without compromising disaster recovery objectives," Burman told Enterprise Storage Forum.




DISUK expands in Central Europe with opening of German offices

2nd June 2005 – Northampton, UK – Data at rest encryption specialist, DISUK today announces the opening of its central European offices in Munich, Germany. Marcus Schmitt will lead DISUK Deutschland operations covering Germany and Austria.

Schmitt joins DISUK from business development and general management roles with various start-ups entering the German market. Prior to this, Schmitt was with Computer Associates and OCÉ Printing Systems. He will be responsible for educating and working with end users on DISUK’s product, Paranoia2™.

DISUK’s Paranoia2 is a fast, robust, ‘on the fly’ encryption technology that sits between the data path and the tape storage device.  By using the strong encryption protocol 3DES2, it is a primary security tool for safeguarding backup tapes.

Paranoia2 meets an emerging business security need to protect data held on backup tapes.  It can be sold as an infrastructure or a standalone solution, perfect for mid-market, departmental and SME sales.

Marcus Schmitt, managing director of DISUK Deutschland said on this new opportunity: “Germany has some of the most comprehensive legislation to protect individuals’ personal information, whether they are an employee or customer. Everyone in Germany will have personal data held on a backup tape somewhere. Once a copy exists, that data is vulnerable, unless it’s encrypted. This presents an excellent opportunity for resellers to help businesses to eliminate a weak spot in their security arrangements before someone successfully takes advantage.”

Paul Howard, managing director of DISUK, explains: “Marcus has a prestigious track record of working with organisations to develop sound data security strategies. He is the ideal candidate to lead our efforts in Germany. We are very excited to have him on board.”

[ends]

Media contacts

Photographs and interviews available.  Please contact:

Rose Ross / Hannah Knowles
Omarketing Limited (for DISUK EMEA)
T: +44 (0)20 8255 5225
E: rose@omarketing.co.uk / hannah@omarketing.co.uk


Cablevision: Employee Data Lost

Multichannel News July 7th 2006

Cablevision Systems said late Tuesday that an external vendor it hired to deliver a package containing computer tapes with the personal information of some of its current and former employees lost that information in transit.

Although Cablevision did not release how many employees were affected or what type of information was contained in the package, a person familiar with the matter said the computer tape included social security and certain salary information for about 13,700 current and former Cablevision employees.

In a statement, Cablevision stressed that the specialized magnetic tape did not include personal data on Cablevision customers.

Cablevision said the tape was lost during a routine delivery, using a nationally recognized courier to its external 401(k) record keeper. The company added that it has contacted law enforcement -- which is investigating the matter -- and it is working with the courier and its 401(k) record keeper to recover the tape.

"Cablevision takes the security of our employees' personal information extremely seriously, and we deeply regret that this incident occurred," the company said in a prepared statement.

"While we have no evidence to date to suggest that the tape has been accessed or misused, we are providing current and former employees with resources to monitor their credit as we continue to work with law enforcement, the courier and our 401(k) vendor to thoroughly investigate and resolve this matter," Cablevision added, declining further comment.

Copyright The Associated Press 2006. All Rights Reserved


Bank of America: 1.2 million accounts jeopardized

February 25, 2005 CNN

Firm says tapes containing information about government cardholders, including U.S. senators, went missing.

NEW YORK (CNN/Money) - Bank of America said Friday it lost computer tapes containing account information on 1.2 million federal employee credit cards, among them those of U.S. senators, potentially exposing them to theft or hacking.

The bank told CNN/Money that federal government's General Services Administration (GSA) cardholders' account information may have been on the tapes.

The tapes were lost in December, but a bank spokeswoman told Reuters that bank officials were not allowed to notify cardholders until they received permission from federal law enforcement authorities.

The missing tapes may contain information, including cardholders' names, addresses and social security numbers. But it varies from account to account.

According to Time.com, which cited an unnamed U.S. official, a large percentage of the accounts are for the Pentagon, in addition to 40 federal agencies and other entities.

Sen. Charles Schumer, a New York Democrat, told Reuters that he had been informed by the Senate Rules Committee that the data tapes were likely stolen off a commercial plane by baggage handlers.

"Whether it is identity theft, terrorism or other theft, in this new and complicated world baggage handlers should have background checks and more care should be taken for who is hired for these increasingly sensitive positions," he added.

Bank of America declined to reveal how many GSA accounts they handle but a spokeswoman said federal law enforcement is investigating the loss.

The financial giant said it has sent out a letter to inform its GSA cardholders whose information may have been on the tapes.

"So far no evidence to suggest the tapes have been accessed or misused," said Eloise Hale, spokeswoman for Bank of America. "The tapes are now presumed lost."


Loan records vanish

1.3 million files include Texas students' names, Social Security numbers


June 2, 2006 - By PETE SLOVER - The Dallas Morning News


AUSTIN – Don't breathe easy just because your student loans are long paid off: Names and Social Security numbers from accounts closed more than a decade ago were among at least 1.3 million records recently lost by a computer contractor for the Texas student loan company.

The Texas Guaranteed Student Loan Corp., created in 1979, urged anybody who has ever borrowed through the agency to verify whether his or her records were among those on an unspecified piece of computer equipment that disappeared May 24. "I think anybody who has concerns should go ahead and contact our call center," spokeswoman Kristin Boyer said.

The toll-free number is 1-800-530-0626. The corporation has also set up a Web site instructing affected individuals how best to prevent identity theft if the missing information falls into criminal hands. Go to www.tgslc.org and click on "Customer Data."

Ms. Boyer said the corporation is required by state and federal laws to keep records for at least five years after loans are paid off, longer for loans that had delinquencies, she said.

There is no time limit after which dormant records are purged, she said. And, she added, records imported from older computer systems are sometimes unable to be indexed or sorted by date, making it technologically impractical to purge data on that basis.

The nonprofit corporation, created by the Legislature to administer federal student loan programs, answers to lawmakers and a board made up of the state comptroller and 11 members appointed by the governor. "Governor Perry is concerned about the compromise of personal data and expects the agency to take swift action to rectify the problem and prevent future incidents," Perry spokeswoman Rachael Novier said.

The Round Rock-based loan corporation said in its press release that all of its security procedures were followed and that the data was decrypted and left unsecured only while in the possession of the contractor, Toronto-based Hummingbird Ltd.

Both companies were purposely vague about the circumstances of the breach, declining to release information about the nature of the "device" containing the data, the city in which it was lost or the circumstances of the loss.

"We don't want to create a scavenger hunt by those that would abuse the data," Ms. Boyer said. "As of now, we have no indication that this data has been accessed."

This much was reported by the loan corporation and Hummingbird, which was working on a data management project:

In January, the loan corporation prepared and encrypted a series of files containing the sensitive information.

Sometime after that, those files were downloaded by a Hummingbird employee, who decrypted them and stored them on some sort of device that was "subsequently lost." That device is password-protected, Hummingbird said.

A spokesman for Hummingbird declined to expand on a news release in which the company said it "has no reason to believe that the piece of equipment has been stolen to gain access to confidential data."

"Given the technology that would be required to retrieve the data, Hummingbird believes that any misuse of the data is extremely unlikely," the release said. "However, Hummingbird has exhausted every possibility to recover the equipment and has filed a lost property report with the police."

That police report could not be located because the companies declined to identify which of Hummingbird's offices around the world was involved. Ms. Boyer said it was one of the firm's nine U.S. locations, which include a Dallas office.

There might be fewer than 1.3 million people affected by the breach because some of the records are likely duplicates of borrowers with more than one loan, Ms. Boyer said.

The current estimate of missing records represents about 10 percent of the company's borrowers. The number might rise, she said, because the companies are still working to identify which files were on the missing apparatus.

Because of that, the loan company said it is important for clients to call in and update their addresses so they can be notified if the companies learn more about which records were affected or if the case is solved.

E-mail pslover@dallasnews.com




Two IT execs at Ohio University fired after data breaches

The personal data on thousands of students was exposed

Todd R. Weiss August 04, 2006 (Computerworld)

Two top IT officials at Ohio University (OU) who were suspended in June in connection with data security breaches at the school in recent months were fired yesterday.

In a statement, the Athens, Ohio-based school announced that Tom Reid, the university's director of communication network services, and Todd Acheson, the manager of Internet and systems for the school, were dismissed in the wake of the breaches -- including one that exposed personal information on 137,000 alumni.

The firings come three weeks after the school's CIO, William Sams, resigned following the disclosure of the security breaches. Sams is continuing to serve as CIO until the university hires his replacement.

In two-page termination letters to Reid and Acheson, Sams said, "It has become clear from my analysis that you clearly should have foreseen the risks and consequences of IT security breaches, and also should have taken a much more responsible role in securing the wide area and local area networks under your responsibility."

In a statement, Reid said he is "disappointed by Ohio University's decision ... to fire me after 22 years of dedicated and exemplary service. By firing me the University is wrongfully damaging my credibility and professional standing on a global scale. To single me out as being responsible for the recent data thefts is simply not supported by the facts or by industry-leading advice on securing information at large, research intensive universities."

Reid was also critical of a recent consultant's report that looked into the university's security breaches, saying it contained errors and that the supporting documentation used to create it had been destroyed, giving him no ability to review the case. The destruction of such records is in violation of Ohio public records laws, he said.

Frederick Gittes, a Columbus, Ohio-based attorney representing Acheson, called the firings "a disgraceful, disgusting coverup." "The computers hacked at OU were not in Acheson's area of responsibility, yet somehow he is being blamed," Gittes said. "The same is true of Tom Reid."

Gittes said Acheson will file an administrative appeal of his firing to try to get his job back. "We are exploring other possible legal action," he said. "These two guys' careers are being trashed and it is totally ridiculous."

Last week, the university announced a 20-point plan to improve information security at the school, which has about 16,640 undergraduate students and 862 full-time faculty members on its Athens campus.

The initiatives that are scheduled to be completed over the next nine to 12 months include the installation of a perimeter firewall, implementation of a system to classify data by the level of security required and an effort to reduce the use of Social Security numbers at the university. When Social Security numbers are needed, the school plans to encrypt them. Also planned is the reorganization of the school's central IT organization to establish clear roles and responsibilities for each division.

The initiatives are expected to cost between $5.5 million and $8 million.

The changes at OU follow a review of an independent report commissioned to assess the university's IT security practices. The first breach involved a server containing patent data and intellectual property files at the university's Innovation Center. That breach was discovered when the FBI told the university it had been provided with disk drives from the server.

A few days later, IT officials noticed that a server supporting alumni relations and development had been compromised and was being used to launch distributed denial-of-service attacks against an external target. That breach -- which had remained undiscovered for more than a year -- prompted the university to notify alumni of the potential compromise of their Social Security numbers and other personal data.

Then, on May 4, the university discovered that a system belonging to its Hudson Health Center had been broken into, potentially exposing Social Security numbers, dates of birth, patient IDs and clinical information on nearly 60,000 current and past students and faculty.

The discovery of the three break-ins prompted the school's IT organization to bring in outside experts to conduct a sweeping review of systems housed in the school's Computer Services Center. The review led to the discovery of two more breaches: One involved a computer that contained IRS 1099 forms for nearly 2,500 vendors and contractors that had done work for the university in 2004 and 2005; the other involved a computer that hosted a variety of Web-based forms, including some that processed online business transactions.


