Flurry of new data breaches disclosed

Computerworld - The dizzying pace of data-breach notifications in recent months shows no signs of slowing, as several more organizations have disclosed major data compromises over the past few days.

Among them are American International Group Inc. (AIG), ING Financial Services LLC, Union Pacific Corp. and Western Illinois University (WIU).

The latest disclosures bring to more than 190 the number of such incidents reported since the ChoicePoint Inc. breach of February 2005, according to a list maintained by the Privacy Rights Clearinghouse, a San Diego-based advocacy group. Of that number, more than 90 have been disclosed since January.

The total number of records containing personal information that may have been exposed by such breaches since the ChoicePoint incident is now over 88 million, according to the Privacy Rights Clearinghouse. The latest breaches include the following:

• The burglary of a password-protected file server at New York-based AIG resulted in the potential compromise of personal data belonging to about 970,000 people. That theft took place on March 31, but it has taken the company until now to determine exactly what information the server contained, said AIG spokesman Christian Murray.

  As a result, AIG will start notifying affected individuals of the breach next week, he said. According to Murray, the server was stolen from inside a locked room and contained insurance information submitted by brokers on behalf of various employers. In addition to names, addresses and Social Security numbers, the stolen server also held medical information on "a very small" number of people, he said without elaborating.

• Multiple servers were recently hacked at WIU, in Macomb, Ill., resulting in the potential compromise of the names, credit card numbers and Social Security numbers of up to 240,000 people. The break-in was discovered on June 5, although the school has only now begun notifying affected individuals. "Our first efforts were focused on fixing the breach and taking additional security measures," the school said in a statement. "The process of determining the number of records potentially viewed and preparing mailings has taken longer than anticipated in the notification process."

  According to a university spokeswoman, the hacked systems contained personal data on students had registered for courses at WIU. The systems also contained credit card information for those who had purchased merchandise online through the university book store or stayed at the University Union hotel, she said.

• In Washington, a laptop computer containing Social Security numbers and other personal data on about 13,000 District of Columbia government workers and retirees was stolen. It was reported stolen last Monday, apparently taken during a burglary at the home of an employee of the firm that runs the district's deferred employee compensation plan.

  Mary Ann Young, a spokeswoman for Washington's chief financial officer, said the laptop was being used by an employee of ING Financial Services, which administers the optional DCPlus 457 Deferred Compensation Plan program for district workers. The data on the machine was not encrypted, nor was the machine password-protected, Young said.

  A police investigation is continuing into the incident, and affected employees and retirees are being contacted by mail about monitoring their credit records and watching for suspicious activity, Young said. The affected employees and retirees are being offered one year of free credit-monitoring services by ING, she said.

  Caroline Campbell, a spokeswoman for ING, said in a statement that the company is now "aggressively moving forward with a comprehensive confirmation process [so] that all of our laptops meet our encryption and password-protection policy requirements. We are utilizing state-of-the-art encryption technology to provide maximum protection to sensitive customer data."

  The company has also "implemented an immediate policy to restrict any laptop from being exposed to the public domain until properly protected," she said. "ING will indemnify anyone who experiences identity theft due to this incident."

• In April, a laptop that held personal data on about 30,000 employees at Omaha-based Union Pacific was stolen. The laptop belonged to an employee at the railroad company and was among several items stolen, said James Barnes, a spokesman for the railroad giant.

  According to Barnes, the employee had legitimate business reasons for having the sensitive data on the laptop but did not have the recommended measures in place for protecting it.

  Barnes did not say where the laptop was when it was stolen, citing the ongoing investigation. But he said there is no evidence to date that the stolen information has been misused in any way. He suggested that the thieves were after the hardware and not the data in it.

  All affected employees were informed of the incident shortly after the theft and have been offered a year's worth of free credit monitoring, he said.

Read more about Privacy in Computerworld's Privacy Topic Center.