[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] New data security breaches come in fours


By Jaikumar Vijayan
January 29, 2008 

What do Fallon Community Health Plan, Pennsylvania State University, 
OmniAmerican Bank and T. Rowe Price Group Inc. all have in common?

Each of them recently joined the seemingly never-ending parade of 
organizations that have disclosed security breaches resulting in the 
potential compromise of personal data.

Leading the pack in terms of the number of data records known to be 
involved was T. Rowe Price. Two weeks ago, the Baltimore-based 
investment management firm's retirement plan services group began 
notifying about 35,000 current and former participants in "several 
hundred" plans that their names and Social Security numbers might have 
been compromised, a company spokesman confirmed today.

The spokesman said that the possible breach resulted from the theft of 
computers containing the data from the offices of CBIZ Benefits and 
Insurance Services Inc., a third-party services provider that was 
preparing tax-related forms on behalf of T. Rowe Price. The theft took 
place during the last week of December, he added.

T. Rowe Price is offering one year's worth of free credit monitoring 
services and up to $25,000 in identify theft insurance to the 
individuals whose personal data was on the stolen systems, the spokesman 

Meanwhile, a similar laptop theft that also took place in late December 
may have compromised the names, birth dates and some health care data of 
about 29,800 members at Fallon Community Health Plan, a Worcester, 
Mass.-based medical provider and insurer.

A spokesman for Fallon said that the laptop was stolen from the offices 
of a third-party services provider, and that the data stored on the 
system doesn't appear to have been either encrypted or 
password-protected. But the fact that other equipment was taken along 
with the laptop may be an indication that the thieves were after the 
systems and not the data on them, the Fallon spokesman said.

Like T. Rowe Price, Fallon is offering one year's worth of credit 
monitoring to all of the members of its Fallon Senior Plan and Summit 
ElderCare health plans who were affected by the breach. In cases where 
it's needed, the credit monitoring services will be extended to two 
years, the spokesman said, adding that all of the affected plan members 
have been notified of the incident.

In the third incident to make the news over the past few days, Fort 
Worth, Texas-based OmniAmerican Bank said that it had been forced to 
impose unspecified restrictions on ATM and debit card transactions after 
hackers broke into its systems.

In a prepared statement, the bank said that it has also implemented a 
series of new "communications and security measures" in response to 
attempted fraudulent activity stemming from the break-in last week. It 
didn't specify what those measures were, and a call to the bank seeking 
further comment wasn't immediately returned.

In addition, OmniAmerican said in the statement that it is issuing new 
debit cards and personal identification numbers to its customers as a 
precaution against future fraud.

The bank didn't disclose the number of cards that are being blocked and 
reissued. But a story posted last Thursday by the Fort Worth 
Star-Telegram newspaper that quoted OmniAmerican's president said that 
the bank was reissuing about 40,000 cards and that the system break-in 
was the work of an international gang of cybercriminals.

In comparison to the other incidents, the breach reported by Penn State 
appears to have been much smaller in scope. According to a statement 
posted on the university's Web site last week, a laptop computer 
containing personally identifiable information on 677 individuals who 
attended Penn State between 1999 and 2004 was stolen from a faculty 

The theft occurred while the faculty member was traveling and appears to 
have been a random theft of hardware, the statement noted. The 
university said that it currently is in the process of notifying the 
affected individuals.

Subscribe to InfoSec News