Risk
7/14/2010
04:50 PM
50%
50%

Two Major Breaches Caused By Loss Of Physical Media

AMR loses data of some 79,000 employees; California agency and Care 1st misplace CD containing data on 29,000 patients

Online attacks might be getting more sophisticated every day, but two incidents last week are reminding the industry that the loss of physical storage media is still among the most common causes of data breaches.

AMR, the parent company of American Airlines, is in the process of notifying some 79,000 current and former employees of the loss of a hard drive containing microfiche records dating from 1960 to 1995. Some of the records included bank information.

And on July 6, the California Department of Health Care Services (DHCS) reported to federal authorities that a missing compact disc (CD) delivered to the department may not have been encrypted by the sender, Care 1st Health Plan. The CD contains personal information, including names and addresses, for 29,808 Care 1st members.

Recent studies indicate that the theft of physical media remains one of the most common causes of data breaches. Both AMR and the California DHCS have discovered that the hard way.

The lost AMR drive contains images of microfilm files, which include names, addresses, dates of birth, Social Security numbers, and a "limited amount" of bank account information, the company told the Associated Press. Some health insurance information might have also been included -- mostly enrollment forms, but also details about coverage, treatment, and other administrative information.

The data spans a period from 1960 to 1995. AMR also believes some of the employee files contained information on beneficiaries, dependents, and other employees. No customer data was affected, the company says.

AMR has sent letters to the people who were impacted by the breach. AMR is offering one year of free credit monitoring for those affected, and is increasing security and testing the vulnerability of its computers.

The data lost between Care 1st and the California DHCS is in peril because the lost CD might not have been encrypted, officials said. Without proper encryption, which is required by DHCS of all of its trading partners who share protected and personal information, the CD could possibly be accessed by unauthorized users.

Care 1st cannot confirm the CD was encrypted. Though DHCS believes the CD is still on its premises and there is no indication of inappropriate access, DHCS reported the incident to the U.S. Department of Health and Human Services as required by law.

When the CD could not be located, DHCS immediately launched an investigation and conducted numerous exhaustive searches of the premises, according to a press release. DHCS then reiterated and reinforced its longstanding direction to Care 1st and all trading partners that all personal information must be transmitted or delivered to DHCS in an approved, secure format. Care 1st now submits the information using secure electronic transfer rather than CDs.

Care 1st delivered the CD to DHCS for the purpose of identifying Care 1st members who are also Medi-Cal beneficiaries. The members whose information is contained on the misplaced CD are mostly Medicare recipients. On April 29, when the information on the CD that was delivered on April 7 was scheduled to be processed, it was determined to be missing.

On June 18, Care 1st began sending individual notification letters to the members whose information was on the CD. The letters gave the members information on steps they could take to protect themselves from any possibility of identity theft. Care 1st also arranged for free credit monitoring services to be provided to the members for one year at no cost.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-4403
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart 1.3.9h allow remote attackers to hijack the authentication of administrators for requests that (1) delete a product via a delete_product_confirm action to product.php or (2) disable a product via a setflag action to categories.ph...

CVE-2012-2930
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action to admin/index.php or (2) conduct static PHP code injection attacks in .htusers...

CVE-2012-2932
Published: 2015-04-24
Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the (1) selitems[] parameter in a copy, (2) chmod, or (3) arch action to admin/index.php or (4) searchitem parameter in a search action to admin/...

CVE-2012-5451
Published: 2015-04-24
Multiple stack-based buffer overflows in HttpUtils.dll in TVMOBiLi before 2.1.0.3974 allow remote attackers to cause a denial of service (tvMobiliService service crash) via a long string in a (1) GET or (2) HEAD request to TCP port 30888.

CVE-2015-0297
Published: 2015-04-24
Red Hat JBoss Operations Network 3.3.1 does not properly restrict access to certain APIs, which allows remote attackers to execute arbitrary Java methos via the (1) ServerInvokerServlet or (2) SchedulerService or (3) cause a denial of service (disk consumption) via the ContentManager.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.