Tardy Notification: TD Bank BreachBank Takes Six Months to Notify Customers
In this week's breach roundup, TD Bank notified customers six months after two backup tapes containing sensitive information went missing. Also, the UK Information Commissioner's Office fined a social care charity Â£70,000 after one if its social workers failed to safeguard sensitive reports.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
TD Bank Notifies Customers 6 Months after Breach
An undisclosed number of TD Bank customers are being notified of a data breach six months after it occurred.
Two backup computer tapes moving to a different bank location were lost in March, purportedly in Massachusetts, according to the Portland Press Herald. Personal information on those tapes included names, addresses and Social Security numbers.
It's unclear whether the tapes were encrypted. A TD Bank spokeswoman said it took six months to notify customers because the bank was investigating the incident. "We wanted to conduct a diligent search and full investigation of the situation before reaching out to impacted customers," she said.
Affected customers are being offered free credit monitoring and identity theft protection. Customers from Maine to Florida were sent letters detailing the incident, the report said.
Charity Fined Â£70,000 Over Breach
The UK Information Commissioner's Office has fined Norwood Ravenswood Ltd., a social care charity, Â£70,000 after one if its social workers failed to safeguard detailed reports containing sensitive information about the care of four young children.
On Dec. 5, 2011, the social worker was attempting to deliver the information to the children's prospective adoptive parents, who weren't home at the time. The worker tried to fit the package through the letter-box of the home, but it wouldn't fit, according to the monetary penalty notice. She then called the prospective adopters and informed them that she had left the package in a concealed area at the side of the house. When the prospective adopters returned home, the reports were gone, the ICO said in a statement. The information hasn't been recovered.
The reports contained details of any neglect and abuse suffered by the children, along with information about their birth families. An investigation determined that the social worker never received data protection training and received no guidance on how to send personal data securely to prospective adopters.
Gaming Site Breach Exposes User IDs
User IDs, e-mail addresses and encrypted passwords for PlaySpan users were leaked online, according to Develop, a trade website covering the global games market. PlaySpan is an online marketplace where gamers can obtain virtual goods used in online games such as Guild Wars.
It's unclear how many users were affected.
According to the report, hackers breached the PlaySpan marketplace and obtained the sensitive information. "When PlaySpan detected the breach, we immediately shut down the hacker's access to our systems and took steps to protect our customers' PlaySpan accounts," a company spokesperson told Develop.
The incident is being investigated by the company and law enforcement officials. All accounts have been locked, and PlaySpan has asked users to reset their passwords. PlaySpan, which was acquired by Visa for $190 million last year, has 28 million users.
600 Affected in Ohio State University Breach
More than 600 individuals affiliated with the Ohio State College of Dentistry have been affected by a data breach caused by hacktivists known as TeamGhostShell, according to The Lantern, Ohio State University's student newspaper.
Hackers were able to obtain names, addresses, phone numbers, e-mail addresses and passwords, the report said.
"For Ohio State, the information accessed was five-year-old, non-restricted data from the College of Dentistry," University spokesman Jim Lynch said. "The vulnerability was addressed within less than one half-hour after we noticed suspicious server activity, and thankfully no restricted data was taken from the system."
Last week, TeamGhostShell published the results of its operation, known as Project WestWind, which targeted universities around the world. The hackers claimed to have leaked more than 120,000 accounts and records from top universities such as Harvard and Cambridge.