Category Archives: Data Loss

Data Published After AmeriCash Advance Refuse to Pay Blackmailers

Payday loans company AmeriCash Advance have become the latest company to suffer at the hands of a hacking group, after refusing to give in to the group’s demands and pay $15,000 for the safe return of the stolen data.

The group of hackers, who go by the name Rex Mundi, have claimed responsibility for the hack and the eventual publication of the stolen files. It has been reported that the group infiltrated the customer database through an unsecured page, obtaining customer names, email addresses and the last four digits of Social Security numbers (SSN). Rex Mundi demanded $15,000 for the safe return of the data and described the sum as an “idiot tax”, as they claim that the system was completely unsecured.

Rex Mundi stated, “This company which specializes in payday cash advances (basically small loans for low-income workers, which are vastly overpriced) left a confidential page unsecured on their server. This page allows its affiliates to see how many loan applicants they recruited and how much money they made. Not only was this page unsecured, it was actually referenced in their robots.txt file (Bad, bad move, guys).”

Rex Mundi later added, “We managed to download thousands of loan applicant records. This data contains the names of applicants, the amount they applied for, their email addresses and the last four digits of their SSN. In addition, some ‘problematic’ applications also include comments left by AmeriCash Advance’s employees about the applicant and the name of the applicant’s bank. As usual, we will publish those records on the internet if AmeriCash Advance does not pay us by next Tuesday.”

AmeriCash Advance have acknowledged that their system has been successfully hacked and released the following statement: “On June 12, AmeriCash Advance received a fax, telling us that part of our website had been hacked. The letter went on to demand initial payment of $15,000 from us. We immediately notified the appropriate authorities and promptly took steps to ensure that no other data could be accessed. We will not cave in to blackmail, and are cooperating fully with the authorities to protect our customers and bring these criminals to justice.”

AmeriCash Advance later added, “We have notified those who have been affected and warned them to be vigilant. We are continuing to work closely with the authorities to identify the criminals.”

Rex Mundi have responded and stated that they didn’t need to hack into the system as it was left wide open. Such a claim surely needs to be investigated and if adequate security measures were not in place, surely the authorities should take some kind of action against AmeriCash Advance.

Another NHS Trust Fined After Patient and Staff Files Left Behind

The Information Commissioner’s Office (ICO) have fined the Belfast Health and Social Care Trust a staggering £225,000 after it was revealed that 115,000 patient and staff files were left behind after the hospital closed in 2006.

In total, 100,000 patient records and 15,000 staff files were left behind. These records and files had been left on the floor, in cabinets or on shelves, which shows a total disregard for the security of this confidential data when it came to moving the files and records to a secure location.

The negligence towards the security of such confidential files is the main reason for the ICO imposing such a significant fine. The ICO stated, “The Trust failed to take appropriate action to keep the information secure, leaving sensitive information at a hospital site that was clearly no longer fit for purpose. The people involved would also have suffered additional distress as a result of the posting of this data on the internet.”

The ICO have also confirmed that all files and records have now been removed from the site and have been appropriately destroyed or filed away in an appropriate secure place.

The Belfast Health and Social Care Trust were given responsibility for the 26-acre site, which contains 40 separate buildings, in 2007 when six separate Trusts merged into one overall Trust. When the Belfast Health and Social Care Trust took control, they employed two security guards on a permanent basis to patrol the grounds and organised five separate patrols to take place on a daily basis to assist them. CCTV and fire and intruder alarms were already in place but soon failed, which left the patrolling guards with a near-impossible job of ensuring that trespassers didn’t break into any of the buildings.

At the end of 2007, trespassers managed to break into some of the buildings, with the patrolling guards unaware because the CCTV and fire and intruder alarm systems were inoperative. The trespassers took photographs of the records and posted their findings on the internet.

The Trust didn’t find out about this until 2010, when someone else told them about the confidential information being posted on the internet. The Trust soon acted and started an investigation, which couldn’t be conducted properly as certain areas of the site had been cordoned off because of asbestos concerns. The Trust also set about improving the security of the site and fixed damaged windows and doors. The apparent security improvements appear to have been futile, as the Irish News reported that you could still get onto the site in April 2011.

This is yet another case of an NHS Trust showing negligence towards data belonging to patients and staff and surely an overall review into the handling of data needs to be conducted. The fact that patient records were just left on the floor and on shelves is staggering and it would be very interesting to see if plans were ever put in place to keep the files in a secure location when it was decided to close the hospital down.

Iranian Authorities Prevent Data Loss After Virus Discovered

The Iranian authorities have managed to avoid a potentially disastrous data loss by responding very quickly and efficiently to a virus that was discovered at an oil terminal.

The malware was first discovered on Sunday and forced the Iranian authorities to disconnect the main oil export terminal on Kharg Island, which is in the Persian Gulf. The name of the virus has yet to be disclosed, but it was a data-deleting virus which could have had catastrophic consequences had it not been found when it was. The Iranian authorities acted decisively, which prevented the virus from spreading and made the containment measures very effective. They have confirmed this and stated that they had to disconnect the oil export terminal to prevent the virus from spreading.

Iran’s deputy oil minister, Hamdolah Mohammadnejad, has confirmed the events and told the official IRNA news agency that the actions implemented stopped the virus from spreading and therefore limited the impact it could have had.

Mohammadnejad stated, “We shut computers connected to these servers temporarily and fortunately we were able to stop its spread. Thus no information or data were harmed. We are investigating the causes of these cyber problems and in the next two to three days we hope the problems will be solved.”

As an investigation is underway, David Harley, who is a senior researcher at the anti-virus company ESET, stated, “At present, it is difficult to say exactly how the virus was able to infiltrate Iran’s systems. Iran’s computing environments are a little unusual, in that there are no legitimate channels for directly supplying and maintaining standard operating systems and apps. This may result in greater than usual exposure to all kinds of exploits.”

This case does prove that as long as decisive and calculated actions are taken when a threat such as a virus is found, data loss can be minimal or prevented altogether. It is important that effective plans are in place alongside an effective security system, and that everyone knows what they are meant to do on such an occasion.

Leicestershire County Council Escape Fine after Data Loss

The Information Commissioner’s Office (ICO) has completed its investigation into a case where a Leicestershire County Council employee lost confidential data belonging to 18 children. Strict data protection laws had been broken, and this case could have been prevented if the regulatory laws had been adhered to. The ICO have been critical of Leicestershire County Council, but there has been no indication that they will impose a fine.

The main role of the ICO is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals in the UK. The ICO can impose a fine of up to £500,000.00 for any serious breach of the Data Protection Act.

Leicestershire County Council initially got into trouble when a social worker took home some confidential court documents in May last year. These documents were left in a briefcase in the social worker’s home during the night rather than in a secure location in the house. The social worker had obtained permission to take the documents home but hadn’t received the relevant data protection training, and therefore appropriate procedures were not followed. The social worker’s house was broken into that night and the burglar stole the briefcase with the documents inside. If the social worker had received the data protection training, they would have known that the documents should have been kept in a secure location in the house, preferably under lock and key.

Stephen Eckersley, the ICO’s head of enforcement, claimed, “While Leicestershire County Council already recognised the risks associated with home working and had produced guidance for their staff, the guidance did not explain how papers containing personal information should be kept secure.”

Eckersley later argued, “Local authorities must recognise social workers are handling some of the most sensitive information available. The fact this information often relates to vulnerable young children means it is all the more important for these organisations to provide staff with adequate training and guidance on how to keep this information secure.”

A County Hall spokesman has responded to this outcome stating, “The county council takes data security extremely seriously. As soon as it became aware a briefcase had been stolen from a social worker’s house, the Information Commissioner was informed. We already have comprehensive information security arrangements in place and constantly explore how we can improve these. This case has led us to reorganise our priorities.”

The County Hall spokesman later added, “We have made it clear staff should not take confidential documents home unless it is absolutely necessary for their work and they have their manager’s permission. If they do take documents home, they must lock them in a secure place.”

This latest case of data loss suggests that many people are still acting reactively towards data loss incidents and not proactively. Surely questions remain as to why the social worker was allowed to take the confidential court documents home in the first place when they hadn’t even received the relevant data protection training.

Data Loss Results in Convicted Murderer Getting a Re-trial

It has been confirmed that Randy Chavianowho, who was sentenced to life in prison in 2009 after being convicted of second-degree murder, will be given a new trial. Chavianowho, who is from Florida, USA, was found guilty of fatally shooting Carlos Acosta. Lawyers who were working on an appeal case discovered that the majority of the court transcripts from his trial could not be found.

It soon became apparent that Terlesa Cowart, the court stenographer for Chavianowho’s trial, had transferred the transcripts to her personal computer and deleted the files from the stenograph. However, Cowart’s personal computer became infected by a virus and all of the files on it were deleted, including the vital transcript notes.

Stenographers are expected to keep two records of the transcripts, on both paper and digital disk. Cowart did not follow these regulations, as it is believed that she didn’t bring enough rolls of paper to the court case and therefore relied on a digital copy alone.

The Miami Herald has reported that Cowart has been fired after the revelations. It was also reported that her former employer, Goldman Naccarato Patterson Vela & Associates Inc, have claimed that this hasn’t been the only occasion when she has run out of paper during a trial.

As Chavianowho is set to be given a new trial, it will only result in the family and friends of Acosta having to go through the anguish of reliving the event again because of the negligence of one person.

Ed Griffin, Miami-Dade State Attorney’s spokesman, stated, “The overturning of a murder conviction always means terrible pain for the victim’s family and frustration for prosecutors and police officers.”

As reported, if this wasn’t the only case where Cowart ran out of paper during a trial, there are bound to be concerns whether transcripts are still available from other trials. If it turns out that other transcripts have been lost, it may well result in more than one convicted prisoner being given a new trial.

This latest case of data loss emphasises the importance of backing up important data securely. Long gone are the days where it was satisfactory to keep one copy of an important file, especially on a computer. Hackers have become more sophisticated with their methods and important data is being put at an unnecessary risk of being lost if it hasn’t been backed up.

78% Of British Businesses Experience Data Loss In Last 12 Months.

Disaster Recovery and Business Continuity are concepts not taken seriously enough by many company boards.

A survey released by EMC revealed that the UK is not giving DR the focus it arguably merits.

According to the survey 78% of UK organisations have experienced data loss in the last 12 months. This is higher than the European average of 54%.

The effects of IT outages must be made clear to CEOs and other senior board members, in order to ensure that a serious plan is put in place.

Neil Fisher, Vice Chairman of the Information Assurance Advisory Council, stated:

“DR is about the survival of the business so it should be a board-level issue. Without board backing, the strategy will never work.”

Data must be classified in terms of importance. For some data sets it may be acceptable to have two days’ worth of downtime, whereas for others it is unacceptable to have two seconds.

Tony Lock, analyst at research firm Freeform Dynamics, emphasises this point:

“Most companies don’t understand the value of different data sets.”

One of the worst ways in which a company can be caught unprepared is through having unrealistic Recovery Time Objectives or Recovery Point Objectives. Inconsistency in backups or poor management can also present significant threats, should a disaster occur.

Organisations must constantly question what could realistically go wrong within their IT environment, and how those events would affect the rest of the business. Companies are often under the false assumption that their DR plan is sufficient, when in many cases it needs seriously addressing.
