Cord Blood Registry Data Theft [UPDATED 3-7-11]

(Update below)

ScamSafe appears to be the first to report a serious data breach at Cord Blood Registry (www.cordblood.com). No mention has been found of this breach in the news or the Data Loss database.

As a CBR customer, the author received a notification letter dated February 14, 2011.

A CBR computer and data backup tapes were stolen from an employee's locked automobile. The stolen tapes contained customer names, Social Security numbers, driver's licenses and/or credit card numbers. This is the "mother lode" of personal identifying information for identity thieves.

CBR said in their letter to those affected: "CBR hired computer security experts to investigate the incident and they determined that there is no indication that the person information has been accessed or misused." This is a typical PR spin statement that companies who have suffered a breach use to make their customers feel better. Unfortunately it is, at best, meaningless. How could they really know whether the information was used to commit identity fraud? If they have a method, we're all ears.

There is no mention of the stolen computer and data tapes on the company web site or blog.

Cord Blood Registry® (CBR®) is the world's largest stem cell bank. The company is entrusted with storing more than 350,000 cord blood collections for individuals and their families. Its headquarters are in San Bruno, California, and its laboratory and storage facility is located in Tucson, Arizona.

UPDATE 3/3/11: Read the police report. The theft happened on December 13, 2010. The CBR employee had the computer and data tapes in a backpack in the trunk of his car. He left the car unattended at 11:35 pm and returned around 15 minutes later to find it had been broken into. The location of the theft is actually a large data center at 365 Main St in San Francisco.

UPDATE #2 3/3/11: This breach appears to affect virtually EVERY CBR customer (over 300,000). You can read the breach notification letter. For help call CBR at (888) 578-4480.

UPDATE #3 3/7/11: Read more about the breach at Network World and on Databreaches.net.

Category: FRAUD ALERTS
Posted on March 2, 2011 at 10:32 AM

Comments

Compare the top cord blood banking companies here: http://cordadvantage.com/product-comparison.html

Posted by: Americord Registry at Nov 23, 2011 2:47:08 AM

CBR is offering one year of credit monitoring. Is that fair for losing all customers' private info? I am just amazed that data was not encrypted and transferred casually w/o any protection by employee!

Posted by: APS at Mar 20, 2011 9:03:11 PM

Hi. I'm a journalist with Credit.com, and I'm writing a story about this Cord Blood Registry brief. I'd like to ask you a couple quick questions since you say that you're a customer of the registry, and that you personally received the company's notification letter. Could you please call me? My number is 216-570-2661, or email at chris@credit.com.

Thank you!

-Chris

Posted by: Chris Maag at Mar 10, 2011 1:46:44 PM

Not only do my wife and I feel scammed by the whole CBR deal after we bought into the hype of future potential uses, now we have to worry about this? Who's running the show there, the 3 Stooges?

Posted by: Concerned Member at Mar 8, 2011 8:31:06 AM

This is ridiculous and obviously an inside job. It is laughable. An employee had unencrypted tapes, in a backpack --no less, that was stolen from their car OUTSIDE the datacenter (because everyone targets datacenters). What. A. Joke. Even I can put 2 and 2 together -- they SOLD it!

Posted by: CBR at Mar 7, 2011 2:25:13 PM

Thanks to you submitting it to DataLossDB, I investigated and that's when I learned that it affected 300,000 people. I blogged about this yesterday at http://www.databreaches.net/?p=16962. Pretty mammoth breach.

Thanks for alerting people to it.

Posted by: Dissent at Mar 4, 2011 4:18:00 PM