Telstra Data Breach under Investigation by Privacy Commissioner

What Happened? Account details and phone numbers of telecommunications company Telstra’s customers were potentially compromised in a newly reported data breach. The Privacy Commissioner, Timothy Pilgrim, launched an investigation into Telstra’s data breach which occurred when its customer service website was openly accessible online.

Date of Breach: December 2011

Size of Loss: The grocery chain admits over 100 people who used the self-checkout counters in 23 of their northern California Lucky stores (and one SaveMart).

Affected Individuals: About one million

Geographic Focus: National

Data Contained: Account details including account numbers, phone numbers and credit card details of just fewer than one million Telstra customers were potentially compromised by the breach.

Additional Information: As a precaution, the company reset the passwords of around 60,000 customers and notified the Privacy Commissioner.

What Happened? Bay Area Lucky supermarkets have been targeted by identity thieves, who used credit card “skimmers” attached to the terminals to collect the account numbers and PIN codes of everyone who used them to pay for their groceries. The company found out about the scam when routine maintenance at 19 locations turned up suspicious devices attached to the self-service scanners.

Date of Breach: December 2011

Size of Loss: The grocery chain admits over 100 people who used the self-checkout counters in 23 of their northern California Lucky stores (and one SaveMart).

Affected Individuals: Lucky customers

Geographic Focus: California

Data Contained: Credit card data

Additional Information: While Lucky now insists that the machines at all of its over 200 locations are now safe, the company is urging customers who used self-checkout at any of the compromised locations in October or November to immediately close their bank accounts or else risk having their identities stolen.

What Happened?: Hacktivist group TeaMp0isoN hacked into the website of the United Nations Development Programme, stealing sensitive data and dumping it into Pastebin.

Date of Breach: November 2011

Size of Loss: Hundreds

Affected Individuals: Individuals working for the UNDP, the Organisation for Economic Co-operation and Development, UNICEF, the World Health Organisation and other groups

Geographic Focus: Global

Data Contained: Hundreds of email addresses, user names, and plain-text passwords

Additional Information: The hack revealed lax password security at the agencies. Some of the accounts appeared to have a blank password and many more have easily guessable login credentials. And storing passwords in plain-text (rather than an encrypted form) is an even bigger mistake. TeaMp0isoN said that it carried out the attack as a protest against what it sees as corruption at the UN.

What Happened?: A Sutter Medical Foundation data breach occurred in mid-October, when a computer that held information on more than 4 million patients was stolen.

Date of Breach: October 2011

Size of Loss: 4 million

Affected Individuals: Patients, dating back to 1995

Geographic Focus: United States

Data Contained: Names, addresses, email addresses, dates of birth, telephone numbers and names of patients’ health insurance plans dating from 1995 were contained in the computer’s database, as well as dates of services and description of medical diagnoses or procedures used for business operations.

Additional Information: Patients concerned about their information can go to Sutter Health’s website, www.sutterhealth.org, to find a list of affected health providers or call toll-free at (855) 770-0003 between 8 a.m. and 5 p.m.

More Information: Sacramento Bee

What Happened?: Sensitive data  for more than 176,000 current and former students and employees at Virginia Commonwealth University may have been stolen when an attacker hacked a university server in October, 2011.

Date of Report: October 2011

Size of Loss:176,00

Affected Individuals: Current and former students and employees

Geographic Focus: Virginia

Data Contained: This server contained personally identifiable information, including Social Security numbers, names, school and personal email addresses and in some cases dates of birth, job titles and contact information.

Additional Information: The university has emailed all potential victims, sent letters to the same group, and developed a website about the incident to inform the community.