CBR maintains that while the lost data did contain personally identifiable information (PII), medical details were not included. Said CBR’s director of corporate communications, Kathy Engle, “The tapes may have contained personal client data of adults (credit card numbers, driver’s license numbers or social security numbers); nothing on children and no health information at all.”

It costs a lot of money to mail 300,000 letters. As the new Ponemon Cost of a Data Breach Study confirms yet again, the costs may be only beginning.

We plan to spend the next several posts digesting the new study. For now, some interesting key findings (please be sure to visit the links above and download the full study):

• The average organizational cost of a data breach rose to $7.2 million.
• The average cost per breached data record rose to $214 from $204 in 2009.
• Rapid response to data breaches is costing companies 54 percent more per record that a slower response.

That last point will yield some further discussion over the coming weeks. It’s been said many times that a very slow response will cost an organization dearly. But it has also been said, and is now becoming clearer, that responding too rapidly is also more damaging. There’s a fine line to walk, but walking it correctly makes a very large financial difference to a breaching organization. Preparedness is a key.

But there is good news. According to officials at the Salvation Army, “We’re password protected and then we have two more layers of protection… Their information, I feel very confident that it’s secure. It’s very difficult to break into our systems that we’ve been using.”

Of course, the “password protection” part doesn’t inspire confidence, as usual. But multi-layered security? That’s a very good sign. Let’s hope it holds, indeed.

82% of respondents claimed to be extensively involved in security functions, or involved in a limited/supporting role. Overall, the survey showed a “surprising lack of awareness of security issues.”

For example:

• Only 4% admitted to being fully informed about security breaches within their organizations
• 80% of those who said their organizations had suffered a recent data breach were unable to tell which IT components might have been impacted
• 90% of those who had been breached had “no idea” of the resulting costs to their companies
• 53% said they had no idea what the security budget was, or weren’t privy to it
• 33% expressed a lack of understanding of security threats
• 50% expressed the belief that security efforts were being constrained by low budgets

The article mentions the OAUG’s response:

Mark Clark, president of the OAUG, expressed surprise at the broad takeaway from the survey results. “While OAUG members may not be the primary points of contact for IT security in their organizations, it is a bit surprising that many of the respondents to the survey indicate they are unaware or unsure of the security efforts taking place in their organizations,” he said.

“The opportunity to provide its members information and education in this area is something the OAUG will explore,” Clark added.

Indeed, this survey reveals another example of a very pervasive lack of security/risk knowledge in IT organizations, which highlights the danger of personal data in the hands of many stewards. Many thanks to Redemtech for the tip.

A key element of the attack is the fact that in many cases a bank or financial institution will ALLOW a red-flagged transaction to proceed, even in the midst of fraud suspicion, if the institution cannot get ahold of the account owner. It may seem odd, but in many cases the default posture is to hold, check, then allow if not denied.

The ring of thieves used a malware program called “Zeus Trojan” to hijack bank account info. They embedded the malware in emails and attachments. Once in possession of the necessary account access, the crooks were ready to strike. But what to do about the alert responses that the institutions would make–the calls to account owners to verify suspicious transactions?

Just ask good old Joe Jones: “You Talk Too Much.” The thieves used automated calling programs to bombard the victims’ telephone lines with bogus calls. While the lines were tied up with this bogus traffic (essentially a telephone DDOS), the financial institutions couldn’t get through to verify transactions. And because of the “proceed if not denied” policy in play in many cases, the transactions succeeded, with funds shuttled off to standard “mule” accomplices who could transfer it overseas.

Read the full article for details. You just never know what creativity these criminals will show.

An Indiana adoption lawyer whose client files were scattered in the wind after his adult children left boxes of them beside a recycling bin has received a public reprimand.

The Indiana Supreme Court on Sept. 30 issued the reprimand against Steven Litz, whose Monrovia, Ind., practice focuses on adoption and criminal law. The court noted that it was the third time Litz had received a public reprimand.

Litz directed his two children to take about 14 boxes of client files he wanted to discard to a local recycling bin, according to the decision. Finding that the bins were full, they left the boxes on the ground beside the bins and did not tell Litz. The wind later blew the tops off the boxes and sent some of the papers flying into public view. After someone notified Litz of the situation, he and his children retrieved the documents.

Wow. This immediately brought Kansas to mind. Not the state. The band.

This data breach gets a theme song–a true classic:

An alert systems admin intercepted the emails and deleted them, but Parker found himself smack in the middle of a courtroom hoping to fend off a jail sentence.

You just never know what a stolen laptop will be good for. Many thanks to security curmudgeon for the lead.

Verse 1: Car thieves get personal data on Portland psychology patients, unemployed Oregonians (thanks to Jake K and lyger on DataLoss DB)
4,000 psychology patients and 2,900 jobless residents breached by stolen laptop and stolen data storage device in Oregon.

Verse 2: Stolen laptop puts data at risk: Information on Texas Children’s Hospital patients was compromised (thanks to lyger on DataLoss DB)
Doctor’s laptop containing clinical and demographic information of about 1,600 patients stolen.

Verse 3: Fort Worth medical clinic spends $15,000 notifying patients of theft (thanks to security curmudgeon on DataLoss DB)
Employees at a Fort Worth allergy clinic found the office door kicked in and four computers gone, containing PII and SSNs for 25,000 patients.

Verse 4: Aultman Health Foundation Laptop Computer Stolen (thanks to Redemtech)
13,800 home health care patients breached by a stolen laptop.

Verse 5: Boise Employee Information on Lost Tape (thanks to Redemtech)
About 300 employees breached by a missing backup tape.

It’s difficult to decide where to stop once this river gets flowing. We’ll call it good at five.