Stem cell collector settles with FTC after breach

A California blood and tissue bank has agreed to settle Federal Trade Commission (FTC) charges stemming from a breach that affected nearly 300,000 consumers.

The FTC on Monday announced the settlement, which requires Cbr Systems to create and maintain a security program and, for the next 20 years, undergo independent security audits every other year. Cbr Systems will also be barred from misrepresenting its privacy and security practices.

The FTC alleged that Cbr, which collects and stores umbilical cord blood and tissue to be used for stem cell research and potential disease treatment, “misrepresented that it maintained reasonable and appropriate practices to protect consumers' personal information from unauthorized access,” an FTC analysis of the consent agreement said.

In December 2010, four backup tapes, a laptop, external hard drive and USB device containing unencrypted data were stolen from a Cbr employee's vehicle. Data on the devices included names, birth dates, Social Security numbers, driver's license numbers, checking account numbers, credit and debit card numbers, and other sensitive information of approximately 298,000 consumers.

The stolen laptop and external hard drive both contained unencrypted enterprise network information, including passwords and protocols, which an attacker could have used to gain access to Cbr's network, the FTC said.

Since May 2011, the FTC has brought 32 legal actions against organizations that the agency contends misled consumers about the security of their sensitive information or violated their privacy rights.

A Cbr spokesperson could not immediately be reached for comment on the settlement.

UPDATE: A Cbr spokeswoman told SCMagazine.com on Tuesday that none of the data on the stolen devices was used fraudulently. She also said unencrypted data on the devices did not include health information.

"The FTC has not alleged that any company data from that [incident] has been improperly accessed or used," she said.

[An earlier version of this story incorrectly stated that medical health data of donors, and the credit and debit card information of donors' friends and family were exposed in the breach].
