Risk
7/14/2010
04:50 PM
50%
50%

Two Major Breaches Caused By Loss Of Physical Media

AMR loses data of some 79,000 employees; California agency and Care 1st misplace CD containing data on 29,000 patients

Online attacks might be getting more sophisticated every day, but two incidents last week are reminding the industry that the loss of physical storage media is still among the most common causes of data breaches.

AMR, the parent company of American Airlines, is in the process of notifying some 79,000 current and former employees of the loss of a hard drive containing microfiche records dating from 1960 to 1995. Some of the records included bank information.

And on July 6, the California Department of Health Care Services (DHCS) reported to federal authorities that a missing compact disc (CD) delivered to the department may not have been encrypted by the sender, Care 1st Health Plan. The CD contains personal information, including names and addresses, for 29,808 Care 1st members.

Recent studies indicate that the theft of physical media remains one of the most common causes of data breaches. Both AMR and the California DHCS have discovered that the hard way.

The lost AMR drive contains images of microfilm files, which include names, addresses, dates of birth, Social Security numbers, and a "limited amount" of bank account information, the company told the Associated Press. Some health insurance information might have also been included -- mostly enrollment forms, but also details about coverage, treatment, and other administrative information.

The data spans a period from 1960 to 1995. AMR also believes some of the employee files contained information on beneficiaries, dependents, and other employees. No customer data was affected, the company says.

AMR has sent letters to the people who were impacted by the breach. AMR is offering one year of free credit monitoring for those affected, and is increasing security and testing the vulnerability of its computers.

The data lost between Care 1st and the California DHCS is in peril because the lost CD might not have been encrypted, officials said. Without proper encryption, which is required by DHCS of all of its trading partners who share protected and personal information, the CD could possibly be accessed by unauthorized users.

Care 1st cannot confirm the CD was encrypted. Though DHCS believes the CD is still on its premises and there is no indication of inappropriate access, DHCS reported the incident to the U.S. Department of Health and Human Services as required by law.

When the CD could not be located, DHCS immediately launched an investigation and conducted numerous exhaustive searches of the premises, according to a press release. DHCS then reiterated and reinforced its longstanding direction to Care 1st and all trading partners that all personal information must be transmitted or delivered to DHCS in an approved, secure format. Care 1st now submits the information using secure electronic transfer rather than CDs.

Care 1st delivered the CD to DHCS for the purpose of identifying Care 1st members who are also Medi-Cal beneficiaries. The members whose information is contained on the misplaced CD are mostly Medicare recipients. On April 29, when the information on the CD that was delivered on April 7 was scheduled to be processed, it was determined to be missing.

On June 18, Care 1st began sending individual notification letters to the members whose information was on the CD. The letters gave the members information on steps they could take to protect themselves from any possibility of identity theft. Care 1st also arranged for free credit monitoring services to be provided to the members for one year at no cost.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

CVE-2014-6080
Published: 2014-12-18
SQL injection vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.