Stem cell collector settles with FTC after breach

A California blood and tissue bank has agreed to settle Federal Trade Commission (FTC) charges stemming from a breach that affected nearly 300,000 consumers.

The FTC on Monday announced the settlement, which requires Cbr Systems to create and maintain a security program and, for the next 20 years, undergo independent security audits every other year. Cbr Systems will also be barred from misrepresenting its privacy and security practices.

The FTC alleged that Cbr, which collects and stores umbilical cord blood and tissue to be used for stem cell research and potential disease treatment, “misrepresented that it maintained reasonable and appropriate practices to protect consumers' personal information from unauthorized access,” an FTC analysis of the consent agreement said.

In December 2010, four backup tapes, a laptop, external hard drive and USB device containing unencrypted data were stolen from a Cbr employee's vehicle. Data on the devices included names, birth dates, Social Security numbers, driver's license numbers, checking account numbers, credit and debit card numbers, and other sensitive information of approximately 298,000 consumers.

Unencrypted data on both the stolen laptop and the external hard drive included enterprise network information, such as passwords and protocols, which an attacker could have used to gain access to Cbr's network, the FTC said.

Since May 2011, the FTC has brought 32 legal actions against organizations that the agency contends misled consumers about the security of their sensitive information or violated their privacy rights.

A Cbr spokesperson could not immediately be reached for comment on the settlement.

UPDATE: A Cbr spokeswoman told SCMagazine.com on Tuesday that none of the data on the stolen devices was used fraudulently. She also said unencrypted data on the devices did not include health information.

"The FTC has not alleged that any company data from that [incident] has been improperly accessed or used," she said.

[An earlier version of this story incorrectly stated that medical health data of donors, and the credit and debit card information of donors' friends and family were exposed in the breach].
