FTC Settlement Leads Breach Roundup
Stem Cell Bank Breach Affected 300,000
In this week's breach roundup, a stem cell bank has reached a settlement with the Federal Trade Commission tied to a 2010 breach that affected 300,000 individuals. Also, authorities are investigating unauthorized access to an Alabama state computer network.
Settlement in Stem Cell Bank Breach
The stem cell bank Cbr Systems Inc. has agreed to a settlement with the Federal Trade Commission tied to a December 2010 data breach that exposed the Social Security numbers and credit and debit card numbers of nearly 300,000 consumers.
The company specializes in storing newborns' stem cells, offering umbilical cord blood and tissue banking services.
The FTC settlement agreement requires Cbr to establish and maintain a comprehensive information security program and submit to security audits by independent auditors every other year for 20 years. The settlement also bars Cbr from misrepresenting its privacy and security practices. The FTC did not impose a monetary penalty.
In the breach incident, unencrypted backup tapes containing consumers' personal information, but no health information, were stolen from an employee's vehicle, according to the FTC.
Information on the stolen tapes included parents' names, Social Security numbers, driver's license numbers, credit and debit card numbers, card expiration dates, checking account numbers, addresses, e-mail addresses and telephone numbers, plus information about newborns.
When the breach was initially reported, the company offered affected individuals one year's worth of free credit protection as part of its risk management effort (see: 300,000 Alerted to Stem Cell Bank Breach).
Alabama Investigates Security Incident
The Alabama Department of Homeland Security is investigating unauthorized access to a computer network at the Alabama Information Services Division.
The division, part of the Alabama Department of Finance, is responsible for information technology services for the state. The state's IT network is deemed critical infrastructure and falls under the jurisdiction of the Alabama Department of Homeland Security.
ALDHS confirmed in a statement that someone obtained unauthorized access to the state network and examined multiple computers. At least one server containing malware was used to gain access to the systems, ALDHS reports.
Upon discovering the incident, the Alabama Information Services Division activated a computer emergency response team to monitor network activity; deployed additional firewalls to monitor and control access to state systems; consulted with local and federal officials to assist in the investigation; obtained the services of a national cybersecurity consulting firm to help collect and analyze attack data; and began examining Internet-accessible applications to help ensure they're not vulnerable to attacks.
"We are currently conducting an extensive inquiry with our state and federal partners who are experts in their field regarding cybersecurity," said Spencer Collier, director of the Alabama Department of Homeland Security. "We are doing everything in our power to protect the evidence, maintain the confidentiality required in a case of this nature and to prevent future intrusions."
E-mail Error Exposes SSNs
Cheyney University of Pennsylvania is reportedly notifying more than 2,000 current and former students that their names, mailing addresses and Social Security numbers were exposed because of an e-mail error.
On January 24, one of the university's administrative offices sent an e-mail message to university students and attached a file that included all of the students' personal information, according to the university's online breach incident report.
Affected individuals will receive free credit monitoring services.
Although the university hasn't revealed the total number of students affected, CBS Philly is reporting 2,100 current and former students were affected.