Risk
7/14/2010
04:50 PM
50%
50%

Two Major Breaches Caused By Loss Of Physical Media

AMR loses data of some 79,000 employees; California agency and Care 1st misplace CD containing data on 29,000 patients

Online attacks might be getting more sophisticated every day, but two incidents last week are reminding the industry that the loss of physical storage media is still among the most common causes of data breaches.

AMR, the parent company of American Airlines, is in the process of notifying some 79,000 current and former employees of the loss of a hard drive containing microfiche records dating from 1960 to 1995. Some of the records included bank information.

And on July 6, the California Department of Health Care Services (DHCS) reported to federal authorities that a missing compact disc (CD) delivered to the department may not have been encrypted by the sender, Care 1st Health Plan. The CD contains personal information, including names and addresses, for 29,808 Care 1st members.

Recent studies indicate that the theft of physical media remains one of the most common causes of data breaches. Both AMR and the California DHCS have discovered that the hard way.

The lost AMR drive contains images of microfilm files, which include names, addresses, dates of birth, Social Security numbers, and a "limited amount" of bank account information, the company told the Associated Press. Some health insurance information might have also been included -- mostly enrollment forms, but also details about coverage, treatment, and other administrative information.

The data spans a period from 1960 to 1995. AMR also believes some of the employee files contained information on beneficiaries, dependents, and other employees. No customer data was affected, the company says.

AMR has sent letters to the people who were impacted by the breach. AMR is offering one year of free credit monitoring for those affected, and is increasing security and testing the vulnerability of its computers.

The data lost between Care 1st and the California DHCS is in peril because the lost CD might not have been encrypted, officials said. Without proper encryption, which is required by DHCS of all of its trading partners who share protected and personal information, the CD could possibly be accessed by unauthorized users.

Care 1st cannot confirm the CD was encrypted. Though DHCS believes the CD is still on its premises and there is no indication of inappropriate access, DHCS reported the incident to the U.S. Department of Health and Human Services as required by law.

When the CD could not be located, DHCS immediately launched an investigation and conducted numerous exhaustive searches of the premises, according to a press release. DHCS then reiterated and reinforced its longstanding direction to Care 1st and all trading partners that all personal information must be transmitted or delivered to DHCS in an approved, secure format. Care 1st now submits the information using secure electronic transfer rather than CDs.

Care 1st delivered the CD to DHCS for the purpose of identifying Care 1st members who are also Medi-Cal beneficiaries. The members whose information is contained on the misplaced CD are mostly Medicare recipients. On April 29, when the information on the CD that was delivered on April 7 was scheduled to be processed, it was determined to be missing.

On June 18, Care 1st began sending individual notification letters to the members whose information was on the CD. The letters gave the members information on steps they could take to protect themselves from any possibility of identity theft. Care 1st also arranged for free credit monitoring services to be provided to the members for one year at no cost.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

CVE-2014-7142
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?