Posts Tagged ‘Government’

14 May 08

Identity Breaches are everywhere

Commercial businesses, colleges and universities, government offices, and medical facilities of varying sizes share the common label of being hit by identity thieves.

167 breaches revealing over 8.3 million records happened or became public in the first three months of 2008, according to the nonprofit Identity Theft Resource Center. Targets of attacks ranged from a Vermont ski resort to the University of Georgia, and plenty of points in between.

Some of the breaches happened due to internal misuse of customer data. At Bank of the West in Washington state, a loan officer used applications from customers to steal identities. Cassidy Janosky and her mother rang up $16,000 in purchases like plasma TVs and electronics from a local Sears store.

Other breaches happened due to laptop theft, like that of the Florida Department of Children and Families. Five laptops stolen from their Orlando office forced them to alert 1,200 staffers that their Social Security numbers, birth dates, and other information were at risk.

Then there was the old standby, the lost backup tape. In one particularly embarrassing case, secure storage business Iron Mountain lost one with credit card information on 650,000 customers. Names, addresses, and Social Security numbers were on it as well.

Oh, there were network breaches as well. One can essentially envision an attack vector, and something probably happened along those lines, since reported incidents for Q1 2008 more than doubled what ITRC picked up on for the same period last year.

Nick Cavalancia of ScriptLogic said in commenting on the report that security pros need near-real-time notification of sensitive file system events, especially in environments where regulatory compliance like Sarbanes-Oxley is a reality.

“Businesses must be able to provide reports indicating permission changes, highlighting what changes were made, who made them and when they were made,” he said. Cavalancia also recommended administrators be able to lock down the myriad devices like iPods people bring into workplaces, to mitigate data theft.

25 Jan 08

International Hackers Redirect Their Efforts from Government Secrets to Personal Health Information

According to a story by Nancy Ferris of Government Health IT, the Department of Homeland Security believes Russian, Chinese and other off-shore hackers are trying to gain illegal access to health care records of American citizens.

Early last year, a virus made its way to a web site run by the Centers for Disease Control and Prevention in Atlanta. In April, a Military Health System server holding Tricare records was hacked. Mark Walker, of DHS’ Critical Infrastructure Protection Division, revealed the breaches during a recent security workshop at the National Institute of Standards and Technology but added that the department does not know why it is happening.

“The hackers’ primary motive seems to be espionage,” Walker said. “We don’t know why they are attempting to exfiltrate health care data but we want to know why.” He offered a theory that medical information of a nation’s leaders might be of interest to potential enemies. “They have been focused on military data but now are spreading out into the health care private sector.”

Urging the NIST audience to spread the word that healthcare providers should be vigilant and report data breaches to the authorities, Walker said DHS is increasing its analysis staff to monitor such threats and will be issuing more alerts about cyber threats to health care data.

“Today, only the Veterans Affairs Department consistently reports health data breaches,” he added. “As a result, our understanding of the cyber threat to health and human services is vague at this point.” One thing DHS does know, he concluded, is that poor security practices among those who use health information systems and disgruntled employees are as much of a threat as foreign cyber intruders.

Not the first time
There are echoes here of a similar incident that led the government to accuse one of its multi-million dollar contractors of sloppy security practices just last September.

A Congressional probe found that the Department of Homeland Security (DHS) and Transportation Security Agency (TSA) systems run by government contractor Unisys were hit by 844 cyber-security incidents between 2005 and 2006. Lawmakers at that time accused Unisys of incompetence and possible illegal activity related to its handling of Department of Homeland Security network security and hacks originating in China.

Unisys, based in Blue Bell, Pa., won a $1.7 billion contract with the DHS in 2002 to build, manage and protect networks at TSA and DHS headquarters. Since then, according to a report by the House Committee on Homeland Security, the systems have been hit by 844 cyber-security incidents in the 2005 to 2006 time period.

“Dozens of DHS computers were compromised by hackers. These incidents were not noticed until months after the initial attacks,” Rep. Bennie Thompson (D-Miss.), chairman of the Committee on Homeland Security, wrote in a Sept. 21 letter to DHS Inspector General Richard L. Skinner. Thompson asked Skinner to initiate an immediate inquiry into the issue and, if necessary, refer the matter for criminal investigation.

Thompson wrote, “Hackers exfiltrated information out of DHS systems to a Web hosting service that connects to Chinese web sites.” Thompson’s committee became involved in the security of government networks after a series of 2006 hacking incidents that targeted the systems of the Departments of State and Commerce. Thompson said the attacks were “most likely” from China.

Thompson said the hackers used a rootkit program that allows hackers to mask their presence while gaining privileged access to the system. “Although IT specialists discovered the incident in October 2006, they could not determine the date of the initial hack or the amount of information that was exfiltrated out of Commerce systems,” he wrote.

“Although DHS contracted for network intrusion detection systems … these systems were not fully deployed at the time of the initial incidents,” Thompson wrote. “If network security engineers were running these systems, the initial intrusions [might] have been detected and prevented.”

Thompson further claims contractors provided “inaccurate and misleading” information to DHS officials about the source of the attacks and “attempted to hide security gaps in their capabilities.” Unisys said in its statement, “We believe that a proper investigation of this matter will conclude that Unisys acted in good faith to meet the customer’s security requirements.”