In April 2008, ChoicePoint turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off, according to the FTC. During that period, an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers. The searches continued for 30 days.

The FTC’s prior action against ChoicePoint involved a data breach in 2005, which compromised the personal information of more than 163,000 consumers and resulted in at least 800 cases of identity theft. The settlement and resulting 2006 court order in that case required the company to pay $10 million in civil penalties and $5 million in consumer redress.

The report released this week shows that users who search for “screensavers” have a 59.1 percent chance that they will be infected by malware on a given page of results.

By category, the most dangerous searches involved keywords containing the word “”lyrics”" (26.3 percent risk) and “”free”" (21.3 percent). The safest category searches, meanwhile, related to “”health”" (four percent) and the “”economic crisis”" (3.5 percent).

The report also warned of the risk generated by searching for information on “”work from home.”" Variations of this search term — considered more popular than ever, given the state of the economy — ranged from a 6.3 percent-risk to a 40 percent-risk of infection.

Popular search terms are used by hackers to attract visitors to web sites that automatically download malware to unsuspecting users. The malware can then be used to build a botnet for the hacker or to gather personal information about the user and steal their identity.

Heartland’s president and CFO, said in a USA TODAY interview that the intruders had access to Heartland’s system for “”longer than weeks”" in late 2008. The number of victims is unknown. “”We just don’t have the information right now,”" Baldwin said.

Tech security experts said the breach could set a record. Retail giant TJX lost 94 million customer records to hackers in 2007. With more than 100 million transactions per month, they could discover that several months’ worth of transactions were captured, says Michael Maloof, chief technology officer at TriGeo Network Security.

Heartland processes card payments for restaurants, retailers and other merchants. It discovered the hack last week after Visa and MasterCard notified it of suspicious transactions stemming from accounts linked to its systems. Investigators then found the data-stealing program planted by the thieves.

The researchers have been given access to Secret Service case files on identity theft spanning from 2000 to 2006. The group’s findings provide the first-ever look at the criminals and victims in major identity theft cases.

“Among the results reported were:

• Only 8% of the criminals were friends or relatives of the victims.
• 36% of the identity theft crimes in the case files were committed by
  women. That is a greater percentage of women committing crimes than any
  other category.
• A high percentage of ID crimes were committed using high tech methods such as stealing of data from company databases.
• Mail theft was a factor in only 9% of the cases.

The average loss for each crime was more than $30,000. In one case, criminals stole $1.3 million before being arrested by federal authorities.

The data provided by the Secret Service included about 700 case files. The group omitted so called “existing account” fraud cases from its research, also called “credit-card only” identity theft.

Free Credit Report Offers

The Federal Trade Commission (FTC) advises consumers who order their free annual credit reports online to be sure to correctly spell annualcreditreport.com, or link to it from the FTC’s website to avoid being misdirected to other websites that offer supposedly free reports, but only with the purchase of other products. While consumers may be offered additional products or services while on the authorized website, they are not required to make a purchase to receive their free annual credit reports.

The FTC Gets Tough with Free Credit Report Offers

The FTC recently settled a lawsuit against Consumerinfo.com which did business as Experian Consumer Direct over the free credit report promotion it advertised on television, radio and the Internet, including its websites freecreditreport.com and consumerinfo.com. If you ordered a free credit report from Consumerinfo between November 1, 2000 and September 15, 2003, and were enrolled in its credit monitoring program, you may be eligible for a refund under the FTC’s settlement.

The information on the laptop contained the names, addresses, and social security numbers of current and former employees. The information was not encrypted.

The company has notified all affected persons and has offered one year of free credit-monitoring service. Credit monitoring services, such as LifeLock.com, monitor a person’s credit file with the three credit bureaus and alerts people when there is potentially fraudulent activity.

Source: Chron.com (Houston Chronicle), Oct. 15,  “Laptop Goes Missing with Data on Workers“

The information contained the names, addresses, and social security numbers of current and former employees.

The laptop belongs to a human resources employee who regularly brings the laptop from one job site to another. The laptop was password protected, but the data was not encrypted. The victims were part of the department’s Roads, Airport and Fleet divisions.

“Source: SeattleTimes.nwsource.com (Seattle Times), Oct. 12, “County Workers’ Data on Stolen Laptop.”

The Division of Professional Licensure notified both the secretary of state and the office of the attorney general about the breach, and has begun notifying all affected individuals.

Affected individuals include engineers, nursing home administrators, certified public accountants and other professionals.

Individuals who feel they may have been affected can contact the Division of Professional Licensure.

Source: Boston.com (The Boston Globe), Oct. 3, “Mass. accidentally sends out disks with personal information“

The laptop contains class records, including attendance, test scores and grades of 184 students who took graduate courses between 2002 and 2006. The Social Security numbers of 100 students are also on the laptop.

The Philosophy department chairman is mailing letters to affected students
and accepting phone calls from those who are concerned about the incident.

Source: DesMoinesRegister.com (The Des Moines Register), Oct. 8, “Stolen Laptop Has U of I Student Data“

The Personal information, including Social Security numbers of 22 current and former students, was posted and available to access on a university FTP site in late September.

All the students impacted were enrolled in a petroleum and geosystems class during the summers of 2001 and 2002.

The university took the files offline within hours after being notified by SSNBreach.org, but not before 22 students’ Social Security numbers were exposed.

The university said there is an ongoing effort to get rid of using Social Security numbers except where they are needed.