Sunday, December 19, 2010

Biggest ID Theft Hack of 2010

The story below is all too familiar to us. Massive quantities of highly sensitive data are breached. An institution freaks out and comes up with a good response. The response is the same as always and the solution is standard operating procedure (SOP). Hundreds of thousands of people's tranquility is now shaken for many years going forward. Our defenses are still ridiculously weak against cyber attacks. Our attitude is not urgent and we move on to the next attack.

Here is the story.

Ohio State University is notifying about 760,000 people whose personal information was stored in the university’s computer server that a data breach could put them at risk for identity theft.

The university, located in Columbus, began sending letters on Wednesday to current and former faculty and staff members, students and applicants, telling them that hackers had broken into the server that stored their names, Social Security numbers, dates of birth and addresses.

The university said that although there was no evidence that the information had been used for identity theft, it was nonetheless offering a year of free credit protection to everyone whose data was on the server.

“We regret that this has occurred and are exercising an abundance of caution in choosing to notify those affected,” Joseph A. Alutto, the university provost, said in a news release.

While suspicious activity on the server was discovered in late October, said Jim Lynch, a university spokesman, the disclosure was delayed to give Ohio State time to investigate and set up support systems, including a call center, for those affected.

Mr. Lynch said that as soon as the university found that unauthorized people had logged into the server, it hired computer forensic consultants to investigate.

“They found no evidence that any of the data was taken out of the system,” he said. “They did find evidence that the purpose of the unauthorized access was to launch cyberattacks on online business entities. Apparently, if you’re going to flood a company with e-mails, you don’t use your home computer, but you slip into someone else’s server.”

While dozens of universities have been plagued by hackers gaining access to their servers, the Ohio State intrusion was, by far, the largest breach of security this year, according to the Privacy Rights Clearinghouse, a nonprofit consumer group.

Paul Stephens, director of policy and advocacy at the clearinghouse, said that despite the university’s assertion that no information had been taken from the server, people whose information was compromised should take heed.

“If it were me, obviously, I’d take the year of credit protection,” he said. “The fact that there are Social Security numbers involved makes it somewhat worrisome. On the other hand, one can take some comfort in the fact that there are so many records involved. Would it be physically possible for a criminal to use them all?”

Those who could be affected by the breach can get information at

Now the question for you, class, is - "What in this story is the typical response of companies, government entities, or organizations that have sensitive data intruded upon?"

The answer - "There is no evidence that identities were stolen or crimes committed."

Of course y'all KNOW that that is an unverifiable statement because criminals don't use hacked data right away.

Amazingly, someone who should know better said there was too much data stolen for criminals to use it all. Oh really!? Have you not heard, Mister, of the vast retail ID information market on the Internet where millions of pieces of information and identities are bought and sold every day?!


Wednesday, December 08, 2010

Military Fails the Identity Security Test - Big Time!


The New York Times reports that,
"The government warns Americans to closely guard their Social Security numbers. But it has done a poor job of protecting those same numbers for millions of people: the nation’s soldiers, sailors, airmen and Marines."
Read the entire article and be shocked! If you have anyone in the service, tell them to up their guard because the military is failing to protect its members from ID theft.

The article quotes the report just released on this issue which says that,
“Service members and their families are burdened with a work environment that shows little regard for their personal information,” the report says, adding that the service members, “their units, military preparedness and combat effectiveness all will pay a price for decades to come.”
Basically they seem to never have heard of ID theft, so the US armed services continue to use the Social Security number for all identification, often even on soldiers' laundry bags! This is a full-blown disgrace and YOU (not someone else) need to contact your Senator and Congressman and tell them to issue a cease and desist order now.

The US military needs to immediately do what most states and colleges have done which is to issue an ID number to replace the SS number for all trivial identification purposes. The SS number should ONLY be used for payroll type information and should (as you and I know) be secured.

Also if they can, members of the armed forces should take out ID theft insurance because often they are in places overseas where ID theft is rampant.

Wouldn't ID theft insurance make a great Christmas gift for a soldier you know? Better than another piece of junk made in China!

Merry Christmas and Happy Holidays from Dr. Steffen Schmidt and the ID Theft Education Staff.




Tuesday, December 07, 2010

How Wiki Leaks Got out! Shocking news!

Be VERY afraid when you read and view this. A lowly US PFC in Baghdad was able to access a massive number of classified documents from American Embassies and other sources. If he can do that, and the US Defense Department and the State Department have a Top Secret regime SO WEAK that he was able to "google" the classified network and download all these 300,000 documents, imagine how threatened and vulnerable we all are in our own information, which is not even classified or top secret!

Not only should the PFC be punished but the Defense Department and State security officers need to be hauled in for an "enhanced interrogation" grilling. And, there needs to be an immediate and emergency upgrade of all US government security systems.

Gays in the military, tax cuts for millionaires, and all the other issues that Washington is preoccupied with are meaningless as our nation sits vulnerable and helpless to hacking and cyber attacks. CONTACT YOUR congressman and senator now. DEMAND enhanced national cyber security!

Army Pvt. Claims Credit for WikiLeaks Spill

"While founder Julian Assange is at the center of the ongoing WikiLeaks controversy, 23-year-old Army private Bradley Manning reportedly made it all possible. David Martin reports on the latest."

Stay tuned for the fallout from this one. The second show has not dropped yet.


Saturday, December 04, 2010

A new twist on dumpster diving

Here is a new one from San Antonio. It is a classic case study of how financial identities are stolen and an alarming reminder that we are all vulnerable no matter how careful we personally are with our confidential information.

"The white Cadillac Escalade scoured the San Antonio area for storage rooms of local hotels, looking for a jackpot.

During one of those trips, the vehicle idled downtown near the Shrine of Texas Liberty as its driver, a man known on the streets as “Hollywood,” instructed two accomplices to go into the Emily Morgan Hotel and retrieve some papers from a storage room on the 12th floor.

There, authorities say, Cody Quincy Jones and Randy Ray Flaharty found boxes of monthly credit card receipts from previous hotel guests. Box by box, they and others lifted them from the hotel, officials allege.

The receipts, officials say, helped the men manufacture counterfeit credit cards in document “boiler rooms” and card “chop shops,” which they then used to buy $300,000 worth of merchandise in Texas, Oklahoma and Louisiana"

How many times have I told you NOT TO BELIEVE IT when after a data loss or breach the company, university, government agency or whoever says - maybe a few weeks after the information loss is revealed - "there is no evidence that this personal information was used in any illegal way"?

Remember what I have always said - you won't know for months or years. Right?!

Well, here is the info on the San Antonio case - "The cardholders never realized their credit card accounts had been compromised until months, even years, after they stayed at the hotel. But the damage made it hard for some of them to get loans and left lingering headaches in trying to straighten things out, officials said. “When you look at these types of crimes, you may think the victim is the vendor or the credit card companies,” Assistant U.S. Attorney Tom McHugh said. “What we see is that the person whose identity is stolen, his problems may go on for years.”"

Once again, a reminder that we need to be defensive and monitor our credit ratings very closely and constantly to correct these types of very damaging breaches.

Steffen Schmidt, PhD


  • All Material is Copyright © 2009 Michael McCoy and SEAS, L.L.C