Unauthorized Access to Alabama Network Probed

Breach Roundup: E-mail Error at University Exposes SSNs

By Jeffrey Roman, January 30, 2013.
In this week's breach roundup, authorities investigate unauthorized access to an Alabama state computer network. Also, an e-mail error exposed Social Security numbers at a state university in Pennsylvania.

Alabama Investigates Security Incident

The Alabama Department of Homeland Security is investigating unauthorized access to a computer network at the Alabama Information Services Division.

The division, part of the Alabama Department of Finance, is responsible for information technology services for the state. The state's IT network is deemed critical infrastructure and falls under the jurisdiction of the Alabama Department of Homeland Security.

Homeland Security confirmed in a statement that someone obtained unauthorized access to the state network and examined multiple computers. At least one server containing malware was used to gain access to the systems, the department reports.

Upon discovering the incident, the Alabama Information Services Division activated a computer emergency response team to monitor network activity; deployed additional firewalls to monitor and control access to state systems; consulted with local and federal officials to assist in the investigation; obtained the services of a national cybersecurity consulting firm to help collect and analyze attack data; and began examining Internet-accessible applications to help ensure they're not vulnerable to attacks.

"We are currently conducting an extensive inquiry with our state and federal partners who are experts in their field regarding cybersecurity," state Homeland Security Director Spencer Collier said. "We are doing everything in our power to protect the evidence, maintain the confidentiality required in a case of this nature and to prevent future intrusions."

E-mail Error Exposes SSNs

Cheyney University of Pennsylvania is reportedly notifying more than 2,000 current and former students that their names, mailing addresses and Social Security numbers were exposed because of an e-mail error.

On Jan. 24, one of the university's administrative offices sent an e-mail message to university students and attached a file that included all of the students' personal information, according to the university's online breach incident report.

Affected individuals will receive free credit monitoring services.

Although the university hasn't revealed the total number of students affected, CBS Philly is reporting 2,100 current and former students were affected.

Settlement in Stem Cell Bank Breach

The stem cell bank Cbr Systems Inc. has agreed to a settlement with the Federal Trade Commission tied to a December 2010 data breach that exposed the Social Security numbers and credit and debit card numbers of nearly 300,000 consumers.

The company specializes in storing newborns' stem cells, offering umbilical cord blood and tissue banking services.

The FTC settlement agreement requires Cbr to establish and maintain a comprehensive information security program and submit to security audits by independent auditors every other year for 20 years. The settlement also bars Cbr from misrepresenting its privacy and security practices. The FTC did not impose a monetary penalty.

In the breach incident, unencrypted backup tapes containing consumers' personal information, but no health information, were stolen from an employee's vehicle, according to the FTC.

Information on the stolen tapes included parents' names, Social Security numbers, drivers' license numbers, credit and debit card numbers, card expiration dates, checking account numbers, addresses, e-mail addresses and telephone numbers, plus information about newborns.

"Cbr failed to use reasonable and appropriate procedures for handling customers' personal information, making its privacy policy claim deceptive under the FTC Act," according to a statement from the FTC.

Affected individuals were offered one year's worth of free credit protection as part of Cbr's risk management effort when the breach was initially reported [see: 300,000 Alerted to Stem Cell Bank Breach].

Follow Jeffrey Roman on Twitter: @gen_sec
