Thank goodness for dumb criminals.  Unfortunately, in this case, they were not that dumb since they were able to operate a data breach that stole upwards of two million names and social security numbers before they were caught after two years of running the fraud.  The breach is said to be within the top five largest of all time and there are still so many details about the case that information is still sketchy at this point.  The insider at Countrywide was identified as Rene L. Rebollo Jr. and he was working with Wahid Siddiqi, who were both arrested.

It appears that what was going on was that Rebollo was taking the names and social security numbers of people and downloading them 20,000 at a time.  In a statement to the FBI he said that every Sunday night he would go to a computer terminal that did not have the required security settings and download the information onto a flash drive.  He would then take this information and sell it to Siddiqi for next to nothing.  Customer profiles were sold for around 2.5 cents, well below the black market value of this information.  Siddiqi would then sell this information in bundles for around $4,500.  In all, if the two thieves had done their homework they could have made considerably larger amounts of money, since social security numbers alone sell in the $3-4 range.

At this point, it is uncertain if Rebollo and Siddiqi were selling the files to other mortgage lenders or if they were selling the information online.  Selling to other lenders is big business because it can lead to contacting customers who were denied by the larger firms and are in desperate straights.  This has become even more true with the housing market going through free fall at this point.  These other lending companies reap huge amounts of money by acting as the go betweens and are able to do this because of the files they receive from Countrywide or Lending Tree.

The case broke when the FBI bought data discs from Siddiqi.  They were able to arrest him then and learn who the insider at Countrywide was.  The FBI then moved in against Rebollo.  Rebollo was released on an $80,000 bond and is awaiting prosecution.  Siddiqi is still in custody and no bond has been set yet.  The government has stated that they are intending to bring significant charges against the pair that could result in life sentences because of the numbers of incidences.

While Countrywide has not yet begun to contact the two million individuals who are now potentially victims of identity theft, some people are not waiting around.  Knowing the severity of the issue and that tardiness can end up costing a person their financial security for the rest of their lives, people are subscribing to ID theft services.  One of the most widely used services is provided by Lifelock.  By maintaining contacts with all three major credit bureaus, Lifelock works to stop identity theft before it happens.  Whenever a new credit card or loan application is filed, Lifelock contacts its customer.  If the customer verifies they are submitting the information, it continues to be processed.  However, if the customer says that it is fraudulent activity, the application is stopped before any damage to the credit report can be done.

In three separate incidents to report on, some patients throughout England are wondering how hospitals get their clearance from the government to continue their operation.  Two incidents took place at the Stepping Hill Hospital in Hazel Groove, Stockport while one breach happened to patients at the Trinity Medical Centre in Littleborough, Rochdale.  In the most recent incident at Stepping Hill Hospital, information on 1,581 patients was stolen in a burglary.  Although it appears that the laptop was not the specific target of the break in, it was taken, along with a projector and other office supplies.  The perpetrator was caught on security cameras, although an image has not been released to the media yet.

A spokesman for the hospital said that they are working with the Manchester police and think that the individual will be caught shortly.  The laptop had names, addresses, information about billing records, and limited information about medical data of the patients.  The people whose data was on the computer were sent a letter alerting them to the breach.  They are advised that there is little chance that the information could be used for negative means because it contained a triple and complex password system that would be very difficult to break.  As a result of the break in, the hospital is upgrading its network security measures to make sure that all computers contain similar or higher levels of encryption and password protection.

On a physical note, the hospital has stepped up its efforts to monitor the building.  Since the burglar gained entry through a window, new security detectors have been placed on all windows.  Additionally, new cameras have been stationed around the premise with more expected to be added in the coming days and weeks.  All windows will now be checked to make sure that they are locked, although a police spokesman said that the burglar broke a window through a window rather than finding an open one.

Last month Stepping Hill Hospital a worker lost a memory stick containing information about patients while she was walking to her auto.  The data included, names, birth dates, addresses, medical conditions, NHS and Trust numbers.  In this specific instance, the breach was not reported to the public and was only uncovered through an investigation launched by the Manchester Evening News.  At Trinity Medical Centre, another burglary, unrelated to the one at Stepping Hill, resulted in the theft of 3,500 patients medical information.

With data breaches rising at this rate, there is good reason why so many people are subscribing to ID theft services, such as Lifelock.  This company monitors all three credit bureaus for new applications to arrive.  Whenever these credit card or loan apps are filed, Lifelock contacts it customer to make sure that they are submitting the forms.  If the applications are illegitimate, they are prevented from being processed.

Over the years many things have happened at McDonalds restaurants.  Billions of people have been served.  New techniques and policies for getting food to the consumer quickly have been produced.  Ronald McDonald and company have entertained millions of children while Grimace has caused a few to freak out a bit.  This, however, is the first time that sitting at McDonalds having a bit to eat has caused a data breach.  The interesting thing is that the breach did not even impact McDonalds, but rather Delphi.  An employee had a flash drive stolen out of her laptop while she was eating lunch at the restaurant.

The theft took place in Lebanon and impacted 2,600 former employees who had worked for Delphi in the Columbus, Ohio area.  The flash drive contained names, addresses, telephone numbers, but most alarmingly, social security numbers.  This is the exact type of information that an identity thief needs in order to create financial havoc on an unsuspecting victim.  Delphi acted quickly, according to spokeswoman Helen Jones-Kelley, in alerting the affected employees.  Letters were sent out to the individuals letting them know what had happened and that their private data had left the security of the company.

The media was not provided with a copy of a letter.  It was interesting that Jones-Kelley did not mention any credit monitoring that would be provided free by the company.  In many instances when a company loses the personal data of current or former employees they provide a year of monitoring services.  Since Delphi does not appear to be doing that in this case, an option that the 2,600 people might want to consider is enrolling in an ID theft subscription service.  One of the best companies that provides this service is Lifelock.  This company has connections with all three major credit bureaus, Trans Union, Equifax, and Experian, and monitors whenever a new application comes through.  This application is commonly a new credit card or loan form.  Lifelock contacts its customer to see whether or not the application is legitimate.  If it is a fraudulent claim, it is stopped from processing which effectively limits the possibility of identity theft.

At this point, there has been no information released about how the data was protected on the flash drive.  The fact that Jones-Kelley did not mention any password protection or data encryption is a discouraging sign.  She did note that the employee had violated company policy by walking away from the laptop and not making sure that it was secure before she left.  The unnamed employee faces a litany of punishments which might conclude with her termination from the company.  The data breach should cause the company to reconsider its computer policies and determine whether or not people should be allowed to take personal information outside of the main office where the likelihood of data breaches rises significantly.

Loyola University has slowly pulled itself out of the financial trouble it struggled through during the 1990s.  With increased revenue to create new construction on its campuses, the last thing that the university needed was any sort of negative attention in the media.  Unfortunately, this is the situation that they now find themselves in after creating a data breach of their own making.  In a way quite different from a lapse in network security or having private information stored on a flash drive, Loyola simply threw out a hard drive that had not been erased.  Contained on the hard drive were the names, addresses, and social security numbers of 5,800 students.

The desk top computer was scheduled to be destroyed and replaced with a newer model.  One of the steps in the decommissioning process was to copy the contents of the hard drive over to the new machine and then delete the information stored on the old one.  This, however, was not the case.  No one realized the error until after the desk top had been discarded.  There has been no word on whether or not the company that took the old machine destroyed it or not.  A spokeswoman for the university, Susan Malisch, said that there was little chance that any of the sensitive information was accessed by anyone else.

Nevertheless, Malisch recommended that students be vigilant in watching their credit reports.  She said that the university will provide a year’s worth of free credit monitoring.  These types of subscription based ID theft services have become popular in recent years, with Lifelock holding a large share of the market.  The company maintains contacts at Equifax, Trans Union, and Experian.  Whenever a new credit card or loan application is processed through a bureau, Lifelock contacts its customer to make sure that they are the one actually filing the paperwork.  If it the person is not involved, the application is stopped and noted as fraudulent activity.

Most of the 5,600 students were undergraduates, although there was information about a few graduate students also contained on the hard drive.  Letters were sent out to all affected students alerting them about the free credit monitoring services and other steps they should take to protect themselves.  Loyola has said that it will review all of its policies and procedures regarding electronic storage to make sure that future breaches of this type do not take place.  There is a discussion about whether or not an outside consulting company should be brought in to review the policies or if an internal audit will catch all the flaws in the current system.  The computer that was discarded was being used by the Information Technology Services Department when it was designated for replacement.

Second data breach in less than three months has people wondering what is going on at the giant pharmaceutical company.  Whether or not the frequent data breaches are coming from interested hackers, sloppy security systems, or a mixture of the two has yet to been seen.  However, within months of a delayed alert to 17,000 employees that their personal information had been compromised, another 950 people have been affected in a different breach of the security features of the network.

Connecticut state Attorney General issued a public statement stating how disgusted he was with the way that Pfizer is handling personal information of its employees and clients.  At one point Richard Blumenthal notes that “this information should be treated like cash.”  Pfizer has noticed a drop in its stocks as of late as a result of all the negative attention that it has been receiving in the national media in recent months.  In this incident, it was a consulting firm that was working with Pfizer that actually lost the sensitive information.  Two laptops were stolen from a locked car in Boston at the end of May, but a letter was not sent to the Attorney General for another three weeks and it was only now received by him, which generated his public statement about the disarray of the security in the company.

The consulting firm was Axia Ltd. and they have not issued an apology to the public about the incident.  It would appear that the information was neither password protected or encrypted, which makes the likelihood that it will be used by identity thieves even higher.  Unsecured information is unacceptable in this day and age and Pfizer has vowed that it will completely overhaul its security procedures and is bringing in industry leading experts to make sure that nothing of this sort happens again.  Unfortunately, knowing their recent track record it is difficult to believe the sincerity behind Pfizer.  The information on the laptop contained the names, social security numbers, and addresses of health industry consultants who were working to distribute Pfizer products around the world.

At this point, Pfizer has not said if it will continue to work with Axia Ltd. or if it will provide monitoring services to the nearly 1,000 newly affected individuals.  With the size of the recent breaches, a source who wished to remain anonymous has said that certain employees are considering filing a class action suit against the incompetence of the company and the delayed response before alerting people of the breach.  In the mean time, people are being advised to protect themselves by enrolling in ID theft subscription services.  One of the most popular choices has been Lifelock.  A company mainly known for its commercials with display the social security number of the owner on the side of a truck in downtown New York City, people are turning to it because of its successful track record.  By maintaining ties with Equifax, Trans Union, and Experian, Lifelock helps prevent ID theft before it happens.  While it cannot do anything about personal information getting into the hands of crooks, it can stop them from filing fraudulent loan and credit card applications.  Whenever this type of information appears at a credit bureau fro review, the company contacts its customer to make sure it is valid.  If it is a fraudulent piece of work, then it is prevented from being processed which stops the ID thieves from getting the cash or line of credit they were hoping to establish.

Medical records keep getting compromised.  It does not seem to matter where people live, although the vast majority of breaches have been taking place in the northwestern part of the United States.  Even in remote Alaska, people are realizing that their identity is not secure.  The most recent incident took place at the Providence Alaska Medical Center where a laptop with information on over 250 patients has gone missing.  At this point, a spokeswoman for the center said that the laptop was not stolen, although it has not been seen since May 31.  She gave no indication of why she believes that the laptop was not stolen despite its long absence without anyone having seen it.

The laptop contained information on 250 oncology patients.  For most of these individuals, only medical data was lost, although this is still a violation of HIPAA laws and the federal government will investigate the incident to determine whether or not the medical center should suffer any penalty in federal funding.  However, despite the limited information on most patients, some files contained social security numbers, addresses, and dates of birth.  This is more than enough information for an identity thief to ruin the life of an individual.  At this point there is no word on how the laptop was secured, although if it had been password protected or encrypted, it is likely that the spokeswoman would have mentioned this so that peoples’ fears would have been lessened.

The patients information contained on the laptop had all visited the medical center between August 2005 and May 2007.  All the other files at the center are secure.  However, there will be a continuing investigation to see if more safety measures need to be added to the electronic network to prevent this type of thing from happening in the future.  At this time, there is no word as to whether or not outside consultants will be brought in to address this matter.

Letters have been sent out to the 250 affected people.  Within the letter the medical center said that it will provide a year’s worth of free credit monitoring.  One way that monitoring gets done is to enroll people into ID theft subscription services, such as Lifelock.  This company maintains connections with Trans Union, Equifax, and Experian to deal with credit card and loan applications that get filed.  Whenever this paperwork appears, Lifelock stops the process momentarily to contact its customer.  If the customer verifies that the paperwork is legitimate, it is allowed to go through, otherwise it is stopped from going through.  Since this is one of the most common ways that ID thieves use fraudulently gained information, Lifelock helps prevent ID theft before it starts.

One bad apple.  That is all it takes to ruin the whole bushel.  In the case of companies, the same thing can be said about one employee.  At the Legacy Clinic Mount Hood in Portland, Oregon, it was recently discovered that a employee was stealing sensitive information from patients and using the information to profit from their misfortune.  Despite this breach having just been discovered, the clinic has said that it no longer employees the individual and has not for some time.  No name has been given of the individual, but officials for the clinic say that they person is being investigated by law enforcement agencies and that they are closing in on the necessary information to arrest and prosecute them.

The breach took place between January 2006 and February 2007.  It appears that when people went to make their co-pays, the individual would pocket any cash given to them, but also steal social security numbers and credit card numbers.  They were then to get dates of birth and addresses out of the computer system.  With over $13,000 in cash missing over the years, the clinic has been slow to explain why the breach took so long before it was discovered.  An investigation into the incident is underway by both the local authorities and the federal government.  The government agents are checking to see whether or not there were any violations in HIPAA.

The clinic has sent out letters to all the affected individuals.  In all the current total is around 750, although this number might increase as the investigation continues.  A call center has been set up to deal with all the calls that have been coming in with questions about the investigation and what affected people should do.  The clinic has said that they will provide up to $25,000 in identity theft insurance and will also provide credit monitoring services.  These types of services include the ID theft subscription company Lifelock.  By signing up with Lifelock, someone knows that they will have monitoring of all three major credit bureaus.  Whenever a new loan or credit card application is filed, they contact their customer to make sure that they are the person really submitting the information.  If they are not, then the application is scrapped and the identity thief does not win.

Those patients who made the co-pay that was pocketed or had extra money taken from their credit card account have already been repaid.  No word yet on why it took so long for the breach to be reported to the public.  Security officials are also wondering what measures that Legacy Clinic Mount Hood is going to take so that this type of easy access is not given to employees in the future.  This is part of the ongoing debate about digitizing more and more of the medical information about patients that come into medical facilities.  Safeguards need to be put into place so that the system is not manipulated from either the inside or the outside.

Nothing makes the government blush like getting caught with its hand in the cookie jar.  What is even worse is when they set up an organization to deal with identity theft and the head of it soon becomes the victim of a data breach.  Welcome to Norway, where few are happy with the way the government has been addressing the growing spread of ID theft that has started to grip the world.  Yet, this is the exact situation that Georg Apenes finds himself in now.

In a daring hack, over 60,000 Norwegians have been impacted by this most recent breach.  It is the largest to hit the country in a number of years and the more staggering figure is that the 60,000 affected represents over 1.3% of the national population.  The hack did not place on the national level, but came through the communications company Tele2.  The thieves were able to access the network systems to procure the personal identity numbers of people and also their addresses.  With this information, they are able to order goods online for people, access credit card information, and change addresses so that they can get in the mail any of the illegal goods that they are ordering in other peoples’ names.

At this time, no one has reported severe results because of the breach.  It is being speculated at this point by officials within the government’s ID theft prevention agency that Georg Apenes received something just to bring to everyone’s attention how lacking the security was at certain important companies in the country.  Indeed, Tele2 has been cited numerous times that its security and network systems needed to be upgraded to prevent this time of incident.  A spokesman for the company said that they have been working to improve their security measures, but now ill bring in outside consultants from the continent to help them get up to speed quickly.  They also have vowed that nothing of this sort will happen to their company again.

In the United States, stories of this nature have more and more people worrying about their own security.  As a result, individuals are taking matters into their own hands, rather than relying on the companies they interact with to provide ever continuing upgrades to their security systems.  One way that people are able to do this is to subscribe to ID theft services.  One of the most popular of these companies is Lifelock.  They maintain contacts with all three major credit bureaus, Trans Union, Experian, and Equifax.  Whenever a new loan or credit card application comes into be processed, it is temporarily held up.  Lifelock then calls its customer to see if they actually submitted the forms or if someone is attempting a fraudulent activity.  If fraud is determined, then the application is stopped and identity theft is prevented before it starts.  This is always a positive because there are countless examples of people who have been victims of ID theft and spend years trying to correct the matter with little positive result.

If you live in the area of Kingston, Washington, you need to pay attention.  This is especially true if you use a company to take care of your taxes.  The company that is having the most difficulty at the moment is Kingston Tax Services.  They reported earlier today that one of their computers was stolen and the hard drive contained sensitive information on its clients, including names, birth dates, addresses, and social security numbers.  This information also contained this same sensitive information for any dependents that would have been listed on tax records and forms over the last eight years. In all, the company is saying that a huge pool of people have just been opened up to the whims of identity thieves and that immediate action must be taken.

The owner of the company, Tim Winsor, is advising all customers to take immediate action and contact a variety of bureaus to put fraud alerts on their accounts.  These bureaus include the Social Security Administration and the Credit Bureau Fraud Departments.  People are advised to put fraud alerts on their credit cards and also notify banks and credit card companies of the breach and the likelihood that they have been impacted by it.  One option open to people is to subscribe in an ID theft service, like Lifelock.  This company monitors all three credit bureaus and holds any credit card or loan applications until they can verify if they were submitted by the person whose name appears on them.  By creating this slight delay, Lifelock can prevent identity theft before it happens.

In cases like this, time is a critical factor.  The quicker that thieves can move the information before people have put alerts on their accounts, the better off they are at making off with the money of other people.  Despite Winsor’s plea that people start alerting bureaus “RIGHT NOW!” there is no telling how many people have already been affected.  One client said that with the recognition that time was of the essence, it should not have taken six days between the theft and when people started to receive their letters alerting them to the break in.  There is only limited talk at the moment about possible class action lawsuits against Kingston Tax Services and the shoddy care they gave the security systems of their computers.

The theft that resulted in this problem involved a laptop from the office which is under construction.  The information was password protected, but it was not complex.  There was also no encryption on the computers.  Winsor believes that his stolen laptop was for sale on Craiglist within two days of the theft, although he was not able to determine this with 100% certainty because the serial numbers were blurred out on the images available on the website.  Even more troubling is that the breach has resulted in the filing dates for a number of individuals being missed.  This will result in fines from the IRS which Winsor has not said if he will cover them or not.  This will be an ongoing story for some time.

Corporate responsibility.  That is what everyone on the business channels seems to trumpet right now.  And in some cases this is exactly the response that tarnished companies are taking. However, as a consumer it might be better if the companies took proactive approaches and stopped damage from taking place to their customers and company image.  For Dominion Enterprises and their InterActive Financial Marketing Group, this all comes as good ideas a little too late.  It was announced today that a data breach took place at the company on one of its secure servers between November 2007 and February 2008.  There has been no word released yet on why it took so long for the company to alert the public or when they first discovered that the breach had taken place.

Roughly 92,000 people have been affected by the hacking of the server.  While the number of individuals is troubling, what is more problematic is the information that was taken from the server.  This material included names, dates of birth, addresses, social security numbers, and credit card numbers.  In a world where personal data sells for $15-$20 in internet chat rooms, this is a gold mine for identity thieves.  There has been no word yet on how the hackers were able to infiltrate the security measures that were supposed to be in place on the server.  In response to the breach, Dominion has brought in industry leading security experts to review all the company’s network policies and to provide a complete overhaul to the system so that the financial transactions of the company are not at risk in the future.

In letters that are being sent out to all affected people, the company is apologizing profusely.  It is also providing a year’s worth of free credit monitoring.  This type of monitoring comes from companies like Lifelock.  This company maintains contacts with all three major credit bureaus, Equifax, Trans Union, and Experian.  Whenever a new application for a credit card or loan is submitted, Lifelock holds the application from being processed until it can check with its client about the validity of the claim.  If the name of the person on the paperwork did not file it, then it is clearly a case of identity theft and it is prevented from being processed.  With this whole procedure ID thieves are thwarted before they can ruin the lives of innocent people.

Dominion has stated that it has already contacted local and federal law enforcement officials.  They plan to conduct a thorough investigation of the breach to see whether or not the hackers had any inside help that would have allowed them to get through the security features which had been in place.  No more details about the investigation were available since the case is ongoing.  Dominion wants to assure the public that it is safe to invest with the InterActive Financial Marketing Group in the future because a breach of this nature will never happen again.  Time will tell how this plea to the public works out.