More breaches reported to Maryland that we didn’t know about

Posted on by Dissent

In response to a Freedom of Information request, Maryland Attorney General’s Office sent me the 14 breach reports they received in March of this year.  Of the 14,  six were never previously reported on this site and four others gave us breach reports for incidents that we were aware of but had few details for:

Newly revealed:

  • Thomson Reuters reported that in January, the St. Paul police contacted them and informed them that during the course of an investigation into a residential burglary, they had uncovered evidence that an employee had removed some papers containing names, addresses and credit card information on certain Thomson CompuMark customers.  Further investigation revealed that between May and December of 2009, the employee had processed payments from 140 customers but only processed manual payments and did not have access to the electronic database.  The firm reported that there had been no reports of fraud linked to the breach.
  • NBC Universal reported that a laptop belonging to an employee of NBC News was stolen from a home in California on February 4.  The laptop contained names and Social Security Numbers of  “certain employees, daily hires, temporary employees and former employees of NBC and NBC Universal or YOH Services.”   Law enforcement recovered the laptop on February 24 along with other property from residential burglaries.  To their credit, NBC informed employees of the details of the incident and offered them free credit monitoring services, even though this is one of those incidents that really does seem like opportunistic theft where there’s a low risk of data misuse.
  • LPL Financial had  learned on February 24 of the theft of an unencrypted  portable drive from the car of Christian D’Urso (one of their advisors) and reported  that to the New Hampshire Attorney General, as previously reported on this site.  But it seems that they were also busy informing the Maryland Attorney General’s Office of a second breach that they had learned of on February 23. In the newly revealed incident,  another advisor, Sam Eisen, had sent an e-mail to his clients with an attachment that exposed the names and account numbers of 38 other clients.
  • Fox Entertainment reported that JPMorgan Chase Bank had inadvertently disclosed one pension member’s name, address, Social Security number, and pension information in an errant email attachment to another pension member.   The bank administers the pension payments.
  • ProAssurance Mid-Continent Underwriters reported they became aware of a compromise involving their Per Diem Insurance web site at hsi.perdieminsurance.com.   The compromise involved 141 121 customers’ names, addresses, dates of birth, and Social Security numbers, although the company reports that it had received no information of any misuse of the data.
  • NVR, t/a Ryan Homes reported that a laptop stolen from an employee’s car contained the unencrypted names and Social Security numbers of 8 individuals.

New Information on Previously Known Incidents:

  • Thrivent Financial for Lutherans reported that a laptop was stolen from a field representative’s office.  Although we knew something about this breach already from media and other sources,  including their report to Maine that the breach affected 9,386 individuals, this is the first time we’ve seen their actual breach report.  It indicates that the “laptop had strong password requirements to access the laptop and all information on the laptop is encrypted.  However, we believe that some of the information stored on the laptop may be at risk. Information at risk included name, address, phone number, birth date, health information and Social Security number, and in some cases personal health information.
  • State Farm had made two reports to New York State earlier this year about insider wrongdoing, but we didn’t have the actual reports.  One of them may be a March 5 report that the company had discovered that a State Farm agent had used credit card information of two customers for fraudulent purposes.  At the time of the notification, the firm was still investigating the possibility that other customers’ information had also been misused.
  • Ahold USA had reported the loss of two DVDs to NYS (as noted here), but until now, we didn’t have the actual breach report.   The report indicates that the unnamed service provider lost the unencrypted DVDs in early February but didn’t notify Ahold until “recently.”   The DVDs, which were supposed to have been encrypted,  contained unencrypted names and SSN of employees, including employees of American Sales Company, an Ahold subsidiary.
  • The General Motors inadvertent disclosure incident noted here was due to an electronic file being erroneously sent to an outside email address.  The file contained names, e-mail addresses and Social Security numbers.  GM contacted the recipient and their employer, who both confirmed that the errant email had been deleted without ever being opened.  Despite that, GM sent a letter to those affected that begins, “The purpose of this letter is to advise you of an incident that may expose you to the risk of identity theft.”   While they forthrightly described their error, it is somewhat surprising to me that they would say that the incident might expose them to the risk of identity theft and yet not offer them any free services.

As with previous reports, all of the breach reports have been sent to the Open Security Foundation for inclusion in the DataLossDB.  They could probably use some help entering the files in the database, so if you’ve got some time and would like to help with a great project, why not contact them and offer to pitch in on the Primary Sources project.

[8-12: Corrected number for ProAssurance to 121. Thanks to the alert reader who caught my mistake and apologies to ProAssurance.]

Category: Business SectorFinancial SectorID TheftMiscellaneousU.S.