Customer data leaks and losses abound

Whether it was a government Web site exposing sensitive data or a bank losing 90,000 customers' Social Security numbers, the past week saw plenty of data security snafus.

People's Bank loses 90,000 people's data
Connecticut state and People's Bank officials revealed Wednesday that a storage tape holding confidential data on 90,000 People's customers was lost while being transported to a credit reporting bureau.

The tape contained customers' and bank employees' personal information -- including names, addresses, Social Security and checking account numbers -- belonging to those who have a People's Bank personal credit line, i.e. "overdraft protection," associated with their personal checking accounts. Those with equity credit lines or any other People's accounts are not affected.

The Bridgeport, Conn.-based financial services firm's tape was en route to credit reporting agency TransUnion LLC. UPS, the carrier transporting the tape, said an internal investigation is underway. The company learned of the incident just before Christmas, and began notifying customers this week after the tape could not be located.

People's said it has no reason to believe the data had been used inappropriately, and that there was no need for customers to close accounts to safeguard their security, as the data did not include enough information to allow unauthorized account access. However, identity thieves could use the Social Security numbers to open new accounts in the names of those affected, according to consumer advocates quoted by The Associated Press.

People's Bank is the latest in a long line of financial institutions that have lost or exposed sensitive customer data in recent months. A missing backup tape holding valuable data on 2 million mortgage customers of ABN AMRO Mortgage Group Inc., a part of Chicago-based LaSalle Bank Corp., was lost temporarily but recovered by shipper DHL International. Though it's unlikely that customer data was compromised, the company has urged affected customers to monitor their credit activity. In another incident involving UPS, Citigroup Inc. in June lost a data storage tape containing the Social Security numbers and payment histories of nearly 4 million U.S. customers. In April, discount online brokerage Ameritrade Holding Corp. lost a backup tape containing personal information of 200,000 current and former customers. Earlier this year 40 million credit card account numbers in possession of CardSystems Solutions Inc. were compromised by computer hackers. The company later admitted it never should have held onto the data.

Lost in Atlantis: Data on 55,000 Bahamas hotel guests stolen
Apparently data thieves enjoy Paradise Island, too. The Bahamas' Atlantis Resort reported this week that cybercriminals broke into its database and may have made off with sensitive information on 55,000 guests.

The 2,300-room resort, owned by Kerzner International, revealed the incident last week in a regulatory filing. It said the information stolen may include customer names, addresses, credit card data, Social Security numbers, bank account numbers and driver's license numbers. The hotel was unsure if the information had been stolen by a malicious hacker inside or outside of the organization.

Atlantis has begun informing affected customers in writing, encouraging them to take the necessary steps to protect themselves from potentially having their identities stolen. It has declined further comment, noting that the incident is an ongoing criminal investigation involving U.S. and Bahamas law enforcement agencies.

Affected customers may take advantage of free credit monitoring services for one year being offered by Kerzner. It currently has no information suggesting that any of the stolen information had been used to commit fraud or identity theft.

Security lapses force down government site
The government's General Services Administration has shuttered a Web site used by government contractors after it was learned that the site's data was not properly secured.

According to a report in The New York Times (via CNET News.com), computer security consultant Aaron Greenspan, president of Dallas-based Think Computer, discovered a flaw on the eoffer.gsa.gov site that enabled him to view and change vendors' corporate and financial data ranging as far back as nine years.

"Theoretically, one could have started a bidding war between Boeing and Lockheed Martin, or Dell and Gateway, or changed the terms of their existing contracts," Greenspan told The Times.

Despite learning of the flaw on Dec. 22, the site was not taken down until Wednesday afternoon, almost three weeks later. The GSA, which purchases equipment and services for the federal government, including information security products, said it is currently investigating "possible irregularities within the electronic tools GSA provides to its customers."

A spokesperson for the GSA said the agency expects the site, which is used by about 1,200 government contractors, to be available again by the middle of next week.

Does iTunes send data back to Apple?
Apple Computer Inc.'s latest version of iTunes may strike a sour note with some users and the security community. According to one Apple expert, the new software sends information about users' music "playlists" back to Apple, and may even blur the line between what is legitimate software and what is spyware or adware.

Apple expert and author Kirk McElhearn has posted a number of articles on his Web site claiming that iTunes version 6.0.2, released this week, includes a new feature called MiniStore that displays links to purchase songs similar to those a user may be listening to.

"In order to examine this further, I used the trusty tcpdump command and checked its output while playing music both with the MiniStore visible and with it hidden," wrote McElhearn. "In the former case, when the MiniStore is displayed, iTunes sends queries to the iTunes Music Store and to an Apple metrics server."

McElhearn discovered that in addition to sending Apple data on songs a user listens to, the program sends a user's Apple ID, the ID linking a user to his or her unique iTunes account. Apple has denied that it saves any user data to create MiniStore recommendations.

While the incident may be considered more of a privacy violation than a true data theft, according to CNET News.com, Apple's iTunes End-User License Agreement (EULA) does not disclose the exchange of any data tied to song information or users' personal accounts, something RealNetworks Inc. was sued for in 1999 when its RealJukebox included code for identifying a listener's specific copy of the player without EULA disclosure.

"Apple is remiss in not providing appropriate information about this new feature to users," wrote McElhearn. "Apple should have been more forthcoming about what this feature does, and how it works."

This article originally appeared on SearchSecurity.com
