Shostack + Friends Blog Archive

 

Breach round-up

Ohio University I [link to http://www.ohio.edu/datasecurity/index.cfm no longer works]:

On Friday, April 21, the FBI advised the Technology Transfer Department at Ohio University’s Innovation Center that a server containing office files had been compromised. Data on the server included e-mails, patent and intellectual property files, and 35 Social Security numbers associated with parking passes.

Ohio University II [link to http://www.cantonrep.com/index.php?ID=283728 no longer works]: 300,000 alums and friends. 137,000 have their SSNs exposed. Exposure was under way for over a year before detection.

Ohio University III [link to http://www.newsnet5.com/education/9200413/detail.html no longer works]:

Names, birth dates, Social Security numbers and medical information for 60,000 people were accessed in records at the school’s Hudson Health Center, the university discovered last Thursday [May 4]. The student clinic has records on all Athens campus students dating back to 2001, plus faculty, workers and regional campus students who sought treatment there.

Mercantile Potomac Bank: Stolen laptop. 48,000 customers exposed. Bank says it was against policy to remove the portable computer from the bank’s premises.

AICPA: Hard drive with member information, including name, address, and SSN, lost. The drive had been sent to a data recovery vendor, and was lost while being shipped back. Notice sent to members was dated May 8. The AICPA has 300,000 members. Based solely on my experience, they prefer to see rules followed, which they reportedly were not in this case.

Columbus Bank and Trust [link to http://www.wtvm.com/Global/story.asp?S=4869299&nav=menu91_2 no longer works]: 2,000 cardholders notified they may have had card info stolen. Is this related to the huge debit card mag stripe theft that may or may not involve a large retailer? Nobody is saying.