Thales eSecurity Blog

August Data Breach Round-Up in the Month of #CloudSecurity

Tina Stewart | Vice President of Market Strategy

In the month of August, we saw a continued spike in data breaches across a variety of industries – something that will undoubtedly continue. While the Vormetric team enjoyed a great event at VMworld, where there was much conversation to be had around the security of the cloud and virtualized environments, organizations of all shapes and sizes had sensitive data accessed through a variety of methods.

As always, we would like to extend a tip of the hat to Adam Greenberg and the team at SC Magazine for their data breach blog.

Last month was quite interesting. The news seemed to focus pretty tightly on healthcare and education when it came to data breaches. At the same time, we saw another round of gaming site hacks, proving once again, as our own Derek Tumulak pointed out to Tom’s Guide, that there is clearly a trend at play in breaching gaming sites.

In addition, the breaches were a mix of physical loss (such as the BPS flash drive), software hacks (such as League of Legends) and network cracking (such as the Rocky Mountain Spine Clinic).

Without further ado, here is our August Data Breach Wrap-up:

Government

The linguist program of Virginia-based defense contractor Northrop Grumman had sensitive employee and applicant information compromised when a database was accessed by an unauthorized party. This breach occurred sometime between November 2012 and May 2013.

Education

Tens of thousands of University of Delaware employees in Newark had their personal information compromised in an attack last month. Further investigation dated the breach, which exploited an unnamed vulnerability, to around July 17. According to reports, the vulnerability appears to have been in Apache Struts 2.

A startling 20,000+ students across 36 schools in the Boston Public School (BPS) system had data compromised when the district’s ID card vendor Plastic Card Systems lost a flash drive containing the information. The drive was misplaced at some point on August 9.

Ferris State University in Michigan was the victim of an unauthorized person evading network security to gain access to a database that housed the personal information of tens of thousands of staffers and students. The university learned of the incident on July 23 and began notifying people in the middle of August. Investigators did not find evidence that the personal information was viewed or removed. So far, the university has not received reports from students or employees that any personal information has been misused.

Health information and Social Security numbers are among data that may have been compromised for faculty, staff and students in a data breach at Emory University in Atlanta. Staff, faculty and students were notified on August 8.

Airlines

US Airways said Friday that an unauthorized user gained access to Dividend Miles accounts – for the second time in a month. The breach was discovered on July 12 (and made public in early August). Flight miles were improperly taken from accessed accounts in very limited instances, according to the letter mailed to victims. US Airways officials have no reason to believe that full credit card information was accessed.

Healthcare

The California-based Retinal Consultants Medical Group had a laptop stolen, leading to a compromise of data. Employees discovered on June 7 that the laptop, a component of a diagnostic imaging machine, was stolen sometime after the offices closed on June 5. An investigation is ongoing.

Emailing protected health information (PHI) to a personal email address cost one Rocky Mountain Spine Clinic employee her job last week. The employee, who was reportedly just trying to work from home, was fired for her offense. No charges were filed, since it was considered to be bad judgment, rather than malicious intent.

A former employee of the North Texas Comprehensive Spine and Pain Center stole an external hard drive containing personal medical information on thousands of patients. So far, there is no evidence that any data on the drive was used improperly.

Online Merchants

Smartphone Experts, a Florida-based online retailer of smartphone accessories, was the victim of a hack in July that compromised customer card information. The California data breach notification website lists the breach as having occurred on June 13 and being discovered on July 19. Letters mailed to affected customers are dated for August. The letters contain the dates the customers used their cards to make purchases on the Midwest Supplies website.

Alcohol aficionados who made purchases with home brewing and wine making company Midwest Supplies may have had their credit card details compromised in a website breach.

Gaming

The popular online game League of Legends was the victim of a compromise affecting tens of thousands of North American accounts. Details were sparse as the investigation is ongoing. Riot Games is just one video game company to be compromised recently – Nintendo, Ubisoft and Konami were hit in July.

Clearly, data breaches are a growing problem in virtually every business and government vertical. Our solutions help ensure that a network breach doesn’t have to mean a data breach, too – something that is increasingly important not just for our customers, but for industries worldwide, at large.