Stem cell collector settles with FTC after breach


A California blood and tissue bank has agreed to settle Federal Trade Commission (FTC) charges stemming from a breach that affected nearly 300,000 consumers.

The FTC on Monday announced the settlement, which requires Cbr Systems to create and maintain a security program and, for the next 20 years, undergo independent security audits every other year. Cbr Systems will also be barred from misrepresenting its privacy and security practices.

The FTC alleged that Cbr, which collects and stores umbilical cord blood and tissue for stem cell research and potential disease treatment, “misrepresented that it maintained reasonable and appropriate practices to protect consumers' personal information from unauthorized access,” according to an FTC analysis of the consent agreement.

In December 2010, four backup tapes, a laptop, an external hard drive and a USB device containing unencrypted data were stolen from a Cbr employee's vehicle. Data on the devices included names, birth dates, Social Security numbers, driver's license numbers, checking account numbers, credit and debit card numbers, and other sensitive information belonging to approximately 298,000 consumers.

The stolen laptop and external hard drive also held unencrypted enterprise network information, including passwords and protocols, which an attacker could have used to gain access to Cbr's network, the FTC said.

Since May 2011, the FTC has brought 32 legal actions against organizations that the agency contends misled consumers about the security of their sensitive information or violated their privacy rights.

A Cbr spokesperson could not immediately be reached for comment on the settlement.

UPDATE: A Cbr spokeswoman told SCMagazine.com on Tuesday that none of the data on the stolen devices was used fraudulently. She also said unencrypted data on the devices did not include health information.

"The FTC has not alleged that any company data from that [incident] has been improperly accessed or used," she said.

[An earlier version of this story incorrectly stated that medical health data of donors, and the credit and debit card information of donors' friends and family were exposed in the breach].
