DSW Case Leads Breach RoundupShoe Retailer Wins Insurance Appeal; Sizing Up FBI Breach Impact
In this week's breach roundup, an appellate court has ruled breached shoe retailer DSW is entitled to $6.8 million in insurance coverage, and experts weigh in on the potential impact of an alleged breach of an FBI computer.
Court: DSW Entitled to Insurance Coverage
A federal appellate court has ruled that DSW Inc. is entitled to $6.8 million in insurance coverage from National Union following a 2005 data breach that compromised 1.4 million credit cards, according to Retail Info Systems News.
The 6th U.S. Circuit Court of Appeals upheld the initial lower-court ruling. National Union had alleged that it didn't have to provide coverage as a result of the breach of the shoe retailer because DSW hadn't experienced direct loss from the theft of computer information. According to the opinion, "Despite defendant's arguments to the contrary, we find that the phrase 'resulting directly from' does not unambiguously limit coverage to loss resulting 'solely' or 'immediately' from the theft itself," the news report said.
Assessing Impact of Alleged FBI Hack
Owners of Apple iPad, iPhone and iPod Touch devices whose unique device identifiers might have been exposed in an alleged breach of an FBI computer would face little, if any, potential harm as a result, some security experts say.
The Anonymous-affiliated hacktivist group AntiSec claims it breached the computer of an FBI agent and downloaded 12 million Apple unique device identifiers, or UDIDs, a string of 40 characters given to each Apple mobile device. AntiSec claims it posted 1 million UDIDs on the website Pastebin.
The FBI denies the breach occurred, saying in a tweet that the hacktivists' claim was "totally false." Apple said it did not provide the FBI with the UDIDs.
A hacker with a UDID wouldn't be able to breach the device without other forms of authentication, such as a password and encrypted key, says former CIA Chief Information Security Officer Bob Bigman, who runs the IT consultancy 2BSecure. "Unless you have the other two steps, it's really not going to help you a whole lot."
Insider Stole Patient Info
The Harris County Hospital District in Texas has notified about 3,000 patients that their information was stolen by an ex-employee in a Medicare fraud scheme.
Although the announcement by the district doesn't identify the number affected, the Houston Chronicle reported the approximate number of patients involved in the breach. The employee had viewed the information to perform his normal daily job requirements, but is accused of misusing the information.
Compromised information includes name, address, phone number, date of birth, sex, Social Security number, medical record number, emergency contact information, payer information and information about the medical care received at the district between April 14, 2008 and Feb. 11, 2011.
The breach most likely occurred through manual printouts, copies or handwritten notes of the information, the district said in its statement. Affected individuals will receive 12 months of free identity theft protection services.
Laptop Robbery Affects Bank Customers
Chicago-based BMO Harris Bank is notifying an undisclosed number of customers that some of their personal information was compromised after an employee from an external vendor had a laptop computer stolen. "The computer was password protected and contained information for a limited segment of our customers," said Jim Kappel, a BMO Harris' vice president.
Exposed information includes names, addresses, dates of birth and credit scores, Kappel said. So far there is no evidence of any unauthorized use of the data, Kappel says. Although the bank wouldn't provide the number of customers affected, Kappel said it didn't represent a large portion of the customer base. The bank is offering 12 months of complimentary credit monitoring and identity theft protection services to affected individuals.
Oil Firm Hit by Unknown Virus
The RasGas energy company confirms that its office computer systems were affected by an unknown virus on Aug. 27. An administrative IT system was still affected a few days after the incident, according to a company statement. Its core operation systems on-site and offshore were secure. "A specialist RasGas IT team, in collaboration with technical experts, is working to resolve the issue as soon as possible," the statement said.
The attack came just weeks after oil firm Saudi Aramco confirmed it fell victim to a substantial malware attack that affected approximately 30,000 workstations.