Flurry of Data Breaches Exposes Personal Data on Thousands

Location: New York
Author: Jaikumar Vijayan for Computerworld
Date: Thursday, August 31, 2006
 

Computerworld - Personal data belonging to thousands of people has been exposed in several separate security breaches over the past few days.

Sovereign Bank laptops stolen

Reading, Pa.-based Sovereign Bank today confirmed that it has sent letters to thousands of its customers warning them that their personal information may have been compromised in two separate incidents in which a total of three laptops were stolen in early August.

Carl Brown, a bank spokesman, refused to disclose the number of people who may have been affected by the thefts but said it involved roughly 1% of the bank's total customer base.

The thefts were reported in "early August," but the company didn't start sending letters to the affected customers until Aug. 21, after completing a "thorough investigation" of the incidents, Brown said. All three laptops were stolen from undisclosed locations within Massachusetts. Two of the laptops were stolen from one location, while the third was reported stolen in a separate incident from a different location, he said. The company has 800 community banks and does business primarily in the Northeast.

The stolen laptops, all three of which were company-issued, are believed to have contained personally identifiable information such as the names, dates of birth and Social Security numbers of the bank's account holders, Brown said. Though the systems were password-protected, the data was not encrypted, he said.

At this point, there is no evidence that the compromised data has been misused, although customers are being advised to be on the alert for fraud, Brown said.

Accidental e-mail attachment at Verizon

In a separate incident on Aug. 21, an employee at Verizon Wireless accidentally sent an e-mail with an attachment containing the names, mobile numbers, equipment type and e-mail addresses of nearly 5,000 customers to about 1,800 other Verizon Wireless subscribers. The intended e-mail attachment was supposed to have been an electronic order form.

In an e-mailed comment, a Verizon spokesman said the errant e-mail was "quickly recalled," but he added that some of the recipients had viewed the contents of the file before the recall notice was sent.

The company said it had contacted the 5,000 affected customers and informed them about the breach and advised them of additional "quality control procedures and process improvement" measures that have been implemented to prevent similar lapses in the future.

"We also advised them that the four items accidentally disclosed would not give unauthorized persons access to their Verizon Wireless account, and it is highly unlikely that this information could be used to compromise any other account," the statement said.

US DOT laptop stolen in Baltimore

Meanwhile, a government-issued laptop computer belonging to the Federal Motor Carrier Safety Administration (FMCSA) of the US Department of Transportation was stolen from a vehicle in the Baltimore area on Aug. 22.

The laptop is believed to have contained personal information, including the names, dates of birth and Social Security numbers, of about 193 individuals who hold commercial driver's licenses across 14 states.

Ian Grossman, an FMCSA spokesman, said that the agency is not 100% sure whether the stolen laptop contained that information and that it had only come to that assumption based on the system's last interactions with the FMCSA network.

However, the agency notified 40 motor-carrier companies where the individuals worked and informed them about the potential security breach, Grossman said. He added that the laptop had been password-protected but none of the data had been encrypted. So far, there is no sign that the compromised data has been misused, he said.

Database breach at University of South Carolina

Some news media outlets also reported a database breach at the University of South Carolina that may have resulted in the compromise of personal information belonging to more than 5,000 current and former students.

University officials could not be reached for comment at deadline. According to published reports, the database may have been breached in September 2005, but the incident remained undiscovered until a routine security audit of the university's networks this summer. The data that may have been exposed included the names and Social Security numbers of students.

This article was first published in Computerworld.