Wednesday, January 26, 2011

2010 DATA BREACH STATISTICS FROM SECRET SERVICE

* 98% of all data breached came from hacked servers.
* 96% of these breaches were avoidable through simple or intermediate controls.
* 85% of these attacks were not considered highly difficult.

CIOs See Smartphones As Data Breach Time Bomb

Eight out of 10 CIOs think that using smartphones in the workplace
increases the business's vulnerability to attack, and rank data
breaches as their top related security concern. Yet half of
organizations fail to authenticate their employees' mobile devices,
among other basic security measures.

Those findings come from a report released Wednesday conducted by
market researcher Ovum together with the European Association for
e-Identity and Security (EEMA).

The study found that the so-called consumerization of enterprise IT,
meaning employees who bring ostensibly consumer devices to work,
continues at full pace. According to the report, 48% of employees are
allowed to use mobile devices that they own to connect to corporate
systems. Meanwhile, 70% of employees can currently use corporate-owned
computing devices for personal activities.

"Employees will want to use their devices, no matter who owns them,
for both their work and personal lives," said Graham Titterington, a
principal analyst at Ovum, in a statement. "It is unrealistic to
delineate between these uses for employees who are mobile and working
out of the office for a large part of their time."

Interestingly, 90% of organizations provide -- or will soon offer --
mobile devices to their employees. A majority said those devices would
be BlackBerry smartphones, which mirrors the continuing market
dominance of the BlackBerry platform -- with a 37% market share, ahead
of Apple (24%) and Android (21%).

But mobile device security controls remain a weak point, with only
half of organizations authenticating their mobile device users. Among
those, about two-thirds rely on usernames and passwords, while 18% use
public key infrastructure (PKI) certificates, and only 9% employ
two-factor authentication with one-time passwords. Furthermore, only
about 25% of organizations ensure that employees' mobile devices are
running antivirus and anti-malware software.

"As this new study bears out, putting a smartphone security strategy
in place is now a business imperative," said Roger Dean, director at
EEMA, in a statement. "But how many organizations have the in-house
expertise required to develop and implement a mobile strategy that
fits seamlessly with their overall security profile?"

According to Titterington, "organizations must establish a holistic
security strategy that addresses the consumerization of this
fast-growing channel into corporate networks and data."

Google, UK Reach Deal Over Street View Wi-Fi Data

The UK Information Commissioner's Office (ICO) signed an agreement
with Google Friday that requires the search engine giant to implement
more security training for employees and data protection requirements
for new features in the wake of Google's Wi-Fi data collection breach.

Google already announced that it would make these changes to its
internal policies, however, so the agreement is somewhat of a
formality, though the ICO said it would conduct a "full audit of
Google's internal privacy structure, privacy training programs, and
its system of privacy reviews for new products" sometime in the next
nine months.

The agreement was signed by Alan Eustace, senior vice president at Google.

"I am very pleased to have a firm commitment from Google to work with
my office to improve its handling of personal information,"
information commissioner Christopher Graham said in a statement. "We
don't want another breach like the collection of payload data by
Google Street View vehicles to occur again."

The agreement comes almost a month after the ICO re-opened its
investigation into Google's Wi-Fi data collection. That came days
after Google said that it collected entire e-mails, URLs, and
passwords when its Street View cars accidentally sniffed unencrypted
Wi-Fi networks. The company first admitted the misstep in May, but had
not yet determined whether personally identifiable information was
included among the data. In July, the ICO said the issue was closed,
but re-opened its case after Google's admission.

In the U.S., the Federal Trade Commission closed its investigation on
the issue after Google implemented its privacy changes, but the
Federal Communications Commission announced recently that it would
conduct its own inquiry.

After FTC Settlement, LifeLock Refund Checks Going out

More interesting SSN factoids from the Dataloss Database. Do you remember
those [obnoxious?] Todd Davis commercials? At least 13 identity theft
incidents occurred...

"LifeLock drew attention after CEO Todd Davis published his Social
Security number in company advertisements, saying he was so confident in
his company's services that he was making it public. It was later
discovered that Davis had become the victim in at least 13 cases of
identity theft."

Two charged in BECU ID theft thought to impact 100s

Prosecutors have filed charges against two men believed to have defrauded hundreds of BECU members by "skimming" debit cards at
Seattle-area ATMs. Having filed ID theft-related charges against the men, King County prosecutors contend Seattle resident Claudiu
Flaviu Tudor and Mihai Podaru stole the account information of hundreds of BECU users during a sophisticated scheme that saw cameras
and debit card skimmers attached to a Renton ATM.
...
For short periods over four days in September, the thieves attached a credit card skimmer to a BECU ATM at 4250 N.E. Fourth St. in
Renton, Carroll told the court. At least 55 BECU members who used the ATM while the skimmer was in place have since experienced
fraud on their accounts; the bank has lost $170,442 due to fraud on those accounts.

The thieves, Carroll continued, also had placed a camera over the ATM PIN pad to capture the personal identification numbers of
those using the machine.

Using stolen SSN isn't criminal impersonation, court says

This head-scratcher happened a couple of weeks ago but hasn't gotten
anywhere near the attention it deserves.

The Colorado Supreme Court by a vote of 4-3 has overturned the
conviction of a man who used a woman's Social Security number to apply
for a car loan. The action did not constitute criminal impersonation,
says the court's majority, because the man provided his real name,
address and place of employment, in addition to the purloined Social
Security number.

From a story in the Greeley (Colo.) Gazette:

In the decision the court ruled, "The defendant (Felix
Montes-Rodriguez) did not assume a false or fictitious identity or
capacity," and that he "did not hold himself out to be another person
when he used another person's social security number to obtain an
automobile loan."

During the trial, representatives from Hajek Chevrolet testified a
social security number was required as part of their application
process in order to conduct a credit check.

The court ruled that was irrelevant as it was a lender requirement,
not a legal requirement. They stated that even though Montes-Rodriguez
may have "lacked the practical capacity to obtain a loan ... because
they could not check his credit without a social security number" he
did not lack the legal capacity to receive a loan. The court went on
to state there is "no evidence a social security number is a legal
requirement to obtain a loan."

Justice Nathan Coats, writing in the dissent, said, "The defendant's
deliberate misrepresentation of the single most unique and important
piece of identifying data for credit-transaction purposes" was
"precisely the kind of conduct meant to be proscribed as criminal."
Coats went on to say that an individual's credit history is often only
available through their social security number and when a person is
using someone else's social security number that person is assuming
the other's credit history.

That would seem to be as clear as the digits on my Social Security card.

As might be expected, the majority's ruling is not getting a lot of
support among experts in the fields of law, privacy and common sense.
Writes Adam Levin, co-founder of Credit.com and Identity Theft 911:

So while the defendant walks away a free man, after knowingly using a
Social Security number that was not his own to obtain credit, Colorado
consumers, ironically enough, wind up feeling less free.

While I understand the narrowness of the majority's viewpoint, you
can't make the case that a man using a Social Security number that
belonged to someone else wasn't engaging in what Colorado law cites as
"criminal impersonation". More so, I categorically reject the notion
that Social Security numbers should take a back seat to any piece of
personal financial information when seeking to establish credit, as
the court suggests. On the contrary, the Social Security number is the
most critical piece of data when obtaining a loan, far more important
than a name or address.

Another expert noted that when it comes to identity theft, a Social
Security number can be the "key to the kingdom:"

The Colorado ruling highlights an underlying misunderstanding about
identity theft, criminal impersonation and the ease with which
criminals can access and exploit Social Security numbers, (attorney
and information privacy expert Mari) Frank says, who adds that several
of her clients have had their Social Security numbers stolen,
including a 7-year-old victim.

"He is 21 now, and last year he tried to get a car loan from his
credit union; but they did not want to give it to him," she says. "His
credit union purchased a Social Security search from Experian and
found that three other people were using his credit and his Social
Security number." Frank later learned from credit bureau Experian
Information Solutions Inc. that her client's Social Security number
had been used by those three individuals to build individual credit
profiles. In each case, the Social Security number was affiliated with
a separate individual's name.

The good news is that Colorado's laws against the misuse of Social
Security numbers have been stiffened since this case was initiated,
according to this report.

After FTC Settlement, LifeLock Refund Checks Going out

The check is in the mail for nearly a million LifeLock customers,
after the provider of identity-theft protection services settled
accusations of deceptive advertising.

The checks, for US$10.87, started going out Wednesday, according to
the U.S. Federal Trade Commission, which is managing part of the $12
million settlement.

LifeLock drew attention after CEO Todd Davis published his Social
Security number in company advertisements, saying he was so confident
in his company's services that he was making it public. It was later
discovered that Davis had become the victim in at least 13 cases of
identity theft.

The FTC and 35 state attorneys general accused LifeLock of making
false claims, saying it didn't protect against some of the most common
types of identity theft, such as theft from existing bank accounts.
They reached a settlement with LifeLock in March, and the checks
are being mailed as part of that settlement.

In March, LifeLock said it was pleased with this agreement because it
set advertising guidelines for the entire identity-theft protection
industry.

The checks are being sent to 957,928 people who signed up for
LifeLock's $10-per-month identity-theft protection service. Customers
will have 60 days to cash their checks. The refund's administrator has
set up a toll-free number for people with questions at 1-888-288-0783.

Unencrypted thumb drive causes breach at VA

Two recent privacy breaches at the Veterans Affairs Department involved
employees who disregarded information security protocols they were trained
to follow, said Roger Baker, assistant secretary for information and
technology at VA.

One incident involved an employee who plugged a personal unencrypted thumb
drive into his computer at work and used it to inappropriately store
Social Security numbers and other personal data for 240 veterans. The
thumb drive was then lost inside a VA facility, found by a VA security
guard, taken home by the guard and finally returned to VA officials, who
declared the events a security breach.

In the other incident, a VA employee printed out Social Security numbers
and other personal information on 180 veterans and took the papers home,
where he typed the information into a Microsoft Word file on his home
computer. When he tried to send the file to his work account via e-mail,
VA's system flagged the message, resulting in discovery of the breach.
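The second incident was caught only because the outgoing message carried a block of Social Security numbers that the VA's mail system recognised. The following Python is an added example, not code from the article or from the VA, of the kind of outbound-mail check that produces such a flag: it scans a message for SSN-shaped values, discards values the Social Security Administration never issues (to cut false positives on phone and order numbers), and returns a policy verdict. The sample messages, addresses, domain name and the bulk threshold are constructed assumptions, not details from the incident.

```python
import re

# Shape NNN-NN-NNNN; dashes, spaces or no separator, but the number must not be
# embedded in a longer digit run (that is usually a phone or account number).
SSN_SHAPE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop values the SSA never issues: area 000, 666 or 9xx, group 00, serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list:
    """Return the distinct plausible SSNs in text, normalised to dashed form."""
    found = set()
    for area, group, serial in SSN_SHAPE.findall(text):
        if is_plausible_ssn(area, group, serial):
            found.add(f"{area}-{group}-{serial}")
    return sorted(found)


def evaluate_outbound(message: dict, internal_domain: str, bulk_threshold: int = 10) -> dict:
    """Policy decision for one message (an assumed policy, not the VA's actual rule).

    Any plausible SSN in a message that crosses the organisation boundary is
    flagged; bulk_threshold or more distinct SSNs is treated as a data-set export.
    """
    text = message["body"] + "\n" + "\n".join(message.get("attachments", []))
    ssns = find_ssns(text)
    suffix = "@" + internal_domain
    external = (not message["from"].endswith(suffix)
                or any(not rcpt.endswith(suffix) for rcpt in message["to"]))
    flagged = bool(ssns) and external
    if not flagged:
        severity = "none"
    elif len(ssns) >= bulk_threshold:
        severity = "bulk-export"
    else:
        severity = "single"
    return {"flagged": flagged, "ssn_count": len(ssns), "severity": severity}


# Constructed sample: a home account mailing a typed-up list to a work address,
# as in the second incident (names, numbers and domains are made up).
HOME_TO_WORK = {
    "from": "employee@home-isp.example",
    "to": ["employee@agency.example"],
    "body": "Here is the file I typed up last night.",
    "attachments": [
        "Doe, John 234-56-7890\nRoe, Jane 345 67 8901\nPoe, Sam 456-78-9012",
    ],
}

# Constructed benign message: phone and order numbers share digits with SSNs but
# fail the shape or the issuance rules, so they must not trip the check.
BENIGN = {
    "from": "employee@agency.example",
    "to": ["vendor@supplier.example"],
    "body": "Call 206-555-0100 about order 123-456-7890; test record 000-12-3456.",
    "attachments": [],
}

if __name__ == "__main__":
    for name, msg in (("home-to-work", HOME_TO_WORK), ("benign", BENIGN)):
        print(name, evaluate_outbound(msg, "agency.example"))
```

The plausibility filter matters more than the regex: a bare nine-digit pattern over a mail stream produces far more false positives than true hits, and a control that pages analysts on every order number gets switched off. The direction check is there because the same list moving between two internal mailboxes is a different policy question than one leaving or entering from a personal account.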

CA: Pacific Hospital Self-Reported Employee Fraud, Still Fined $225k

The California Department of Public Health (CDPH) on Friday levied a $225,000 fine against Pacific Hospital of Long Beach, alleging that the facility "failed to prevent unauthorized access" after an employee obtained patients' personal information - including names and social security numbers - and used it to open fraudulent telephone service accounts in late 2009.

An official report of findings by the CDPH indicates that Pacific Hospital self-reported the violation and terminated the employee, working closely with local law enforcement. Police arrested the healthcare worker - a female telemetry technician/unit clerk in the Medical/Surgical unit - on November 5, 2009. The CDPH began their investigation the following day.

2010's biggest security SNAFUs

That old phrase SNAFU ("Situation Normal, All F---ked Up!") certainly
describes our choices for 2010's top 10 security screw-ups.

Not surprisingly some of the biggest names in technology – Google,
Cisco, McAfee, AT&T – are prominent on the list, either because
they're obvious hacker targets or because whenever they make a
security mistake, it's big news. Without further ado, the list:

Aurora attacks on Google. In what's come to be called the "Aurora
attacks," Google in January acknowledges valuable intellectual
property was stolen via a network break-in during that past December,
intimating China to be the origin of the cyberattack. About a dozen
other high-tech and industrial companies appear to have been struck
in similar fashion. The Chinese government says it doesn't know what
they're talking about. Outraged over the cyber-intrusion, Google, which
had been adhering to Chinese dictates regarding search-engine
censorship, says it will defy them, putting its search-engine license
in China in jeopardy. But by year-end, under Chinese pressure, Google
abandons its tactic of re-directing Chinese user traffic to its more
liberal Hong Kong site and its renewed China license requires
censorship.

China ISP takes Internet for a ride. A small Chinese ISP called IDC
China Telecommunication briefly hijacked the Internet by sending out
wrong routing data, which was re-transmitted by state-owned China
Telecommunications, affecting service providers around the world. The
event was noted in the "2010 U.S.-China Economic and Security Review"
commission report presented this November to Congress, which pointed
out for 18 minutes on April 8, China Telecom rerouted 15% of the
Internet's traffic through Chinese servers, affecting U.S. government
and military Web sites. Widely reported, media attention raised the
question of whether China was somehow testing a cyberattack
capability, but China Telecom rejected those claims, calling the April
traffic re-direction an accident.
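The April 8 event was an origin hijack: a network announced routes for address space it was not authorised to originate, and its neighbours accepted and propagated them. The following Python is an added example, not code from the article or from any operator named in it, of the route-origin check defenders use against this class of event: each announcement's origin AS is compared with a table of authorised prefix/origin pairs (the shape an RPKI route origin authorization takes) and classed valid, invalid or unknown in the manner of RFC 6483. The prefixes, AS numbers and announcements are constructed from documentation and private-use ranges, not real routing data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """Authorised origin for a block, like an RPKI ROA: origin_asn may announce any
    prefix inside `prefix` whose length is at most `max_length`."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_asn: int


def roa(prefix: str, max_length: int, origin_asn: int) -> Roa:
    return Roa(ipaddress.ip_network(prefix, strict=False), max_length, origin_asn)


# Constructed authorisation table: documentation prefixes (RFC 5737) and
# private-use AS numbers (RFC 6996). Not real routing data.
SAMPLE_ROAS = [
    roa("192.0.2.0/24", 24, 64500),
    roa("203.0.113.0/24", 26, 64501),
]


def validate_origin(prefix: str, as_path: list, roas: list) -> str:
    """Route-origin validation: the origin is the last AS in the path.

    valid   - an authorisation covers the prefix, matches the origin and allows the length
    invalid - authorisations cover the prefix but none matches: a foreign origin, or a
              more-specific that exceeds max_length (the one that wins on longest match)
    unknown - nothing covers the prefix, so no verdict is possible
    """
    net = ipaddress.ip_network(prefix, strict=False)
    origin = as_path[-1]
    covering = [r for r in roas if net.subnet_of(r.prefix)]
    if not covering:
        return "unknown"
    for r in covering:
        if r.origin_asn == origin and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def check_updates(updates: list, roas: list) -> list:
    """Classify a batch of (prefix, as_path) announcements; the invalid ones are what
    an operator drops or alerts on before they pull traffic off its normal path."""
    return [
        {"prefix": p, "origin": path[-1], "state": validate_origin(p, path, roas)}
        for p, path in updates
    ]


# Constructed feed: the legitimate route, the same prefix from a foreign origin, a
# more-specific that would win on longest match, a permitted sub-block, and an
# uncovered prefix.
SAMPLE_UPDATES = [
    ("192.0.2.0/24", [64496, 64497, 64500]),
    ("192.0.2.0/24", [64496, 64511]),
    ("192.0.2.128/25", [64498, 64500]),
    ("203.0.113.64/26", [64499, 64501]),
    ("198.51.100.0/24", [64510]),
]

if __name__ == "__main__":
    for row in check_updates(SAMPLE_UPDATES, SAMPLE_ROAS):
        print(row)
```

The max_length rule is what catches the case the article's incident illustrates best: an attacker or a misconfigured router does not need to announce your exact prefix, a more-specific one inside it beats your route everywhere on longest-prefix match, so the check has to reject over-specific announcements even from the right origin. An "unknown" result is not a pass; it is the signal that a block has no authorisation on file and cannot be defended this way yet.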

McAfee's oopsie. McAfee goofs up by issuing a faulty anti-virus update
— the now-infamous McAfee DAT file 5958 — which wreaked havoc on PCs
of countless McAfee customers by causing malfunctions like the
Microsoft 'Blue Screen of Death' and creating the effect of a
denial-of-service. While CEO and President Dave DeWalt apologized
profusely, McAfee worked to rush out various fixes for the SNAFU it
had caused by mistake, but some irate McAfee customers felt it all
could have been done better.

Showtime for Cisco. Not the biggest data breach to be sure, but
embarrassing for a networking company that wants the world to consider
it a leader in security, having the sales to show for it -- and that's
Cisco. Someone hacked into the list of attendees for the Cisco Live
2010 users' conference, a security breach that led Cisco to notify the
customers as well as a broader group with dealings with the company.
Though Cisco prefers to keep mum on some details, it appears a vendor
told Cisco that someone had made "an unexpected attempt to access
attendee information through ciscolive2010.com," the event site. Cisco
said the breach was closed quickly, "but not before some conference
listings were accessed." The compromised information consisted of
Cisco Live badge numbers, names, title, company addresses and e-mail
addresses. Cisco apologized by e-mail to both attendees and those who
were invited but didn't attend.

Evaluating Data Breach Disclosure Laws

I imagine most of you have received one or more letters from companies
informing you that they lost your personal information. If so, what,
if anything, did you do about it? Did you check your credit history,
close a financial account, do something else, or nothing at all? If you
did act, you likely did it to reduce your risk of suffering identity
theft. My research question is: did it work? This is something that
I’ve been examining for a number of years now.

In a paper coauthored with Rahul Telang and Alessandro Acquisti at
Carnegie Mellon University, we empirically examine the effect of data
breach disclosure (security breach notification) laws on identity
theft. For a policy researcher, this represents a fantastic
opportunity: a clear policy intervention (adoption of laws across
different states), a heated controversy regarding the benefits and
consequences of the laws that is both practically and academically
interesting, good field data, and a powerful empirical analysis
methodology to leverage (criminology).

An initial version of the paper used consumer reported identity theft
data collected from the FTC from 2002-2006. Using just these data, we
found a negative but not statistically significant result. In fact, I
was quoted as saying, “we find no evidence that the laws reduce
identity theft.” And it was true, we didn’t.

However, we have since augmented that work to include data up to 2009,
which allowed us to include more observations, allowed the law to
exist for longer, and allowed companies to adapt to them, and perhaps
empowered more consumers to take action. We find that the laws did,
indeed, reduce identity theft by about 6%. Moreover, we can say that
we have a fair amount of confidence in this estimate because the
results hold up to many kinds of permutations and transformations —
which is very nice to see.

Interpreting the magnitude of that estimate is another issue. Is 6%
good? Is it big? That’s an important question, and one to which I wish
I had a better answer. If it’s true that the losses from identity
theft to companies and consumers are in the tens of billions (say,
conservatively, $40B), and that data breaches cause around 20% of all
identity theft (a rough estimate based on the limited data we have),
then a 6% reduction represents a savings of $480M. Not bad.

So if that’s the benefit, then what’s the cost of the laws? As a
researcher, one way to gauge the law’s success (at least, in part) is
to compare this estimated benefit with the costs that companies incur
because of the laws. There is a cost to compliance, after all — costs
that companies would otherwise not have borne but-for the laws. If
it’s the case that the costs are greater than this 6% benefit from
reduced consumer identity theft, is it still possible that the laws
are worthwhile? How would we even go about answering that?

One of the interesting consequences of the data breach disclosure laws
has been to raise awareness of breaches and resulting privacy harms.
And what happens when people are harmed? They tend to sue. Danielle
Citron and Daniel Solove (among others) have written about the
difficulties that plaintiffs face when bringing legal actions against
companies for data breaches. Nevertheless, the lawsuits do have an
effect: they force companies to internalize some portion of consumer
loss (fraud, etc.). But I argue that this loss isn’t fixed – it
changes based on how much effort consumers take to mitigate losses
(i.e. remember those steps you took after receiving that breach
notice?). This creates an interesting dependency among the portion of
costs borne by the company versus the portion borne by the consumer.
But moreover, the laws impose a real cost on the firms, too, in what
I’ve described as a ‘disclosure tax.’

The fascinating outcome of all this is that the change in social cost
(the net change in company and consumer losses) is very unclear.
Social cost may increase because of this new disclosure tax, or it may
decrease because newly-informed consumers are reducing their losses.
But if a company’s investment in data security increases with consumer
losses (say, from greater liability) and if those losses are declining
(because of this disclosure information), this suggests that
companies could end up spending less on data security.

I find the study of these dynamics very interesting because I think
the topics are important (data breaches, disclosure laws and consumer
loss) and, as I mentioned, the outcome is quite uncertain. But
moreover, this affords us an opportunity to apply analytical modeling
in order to better understand how (and why) company and firm
incentives change, and the conditions under which overall social costs
can decline. I’ll discuss more about the modeling approach in another
article.

Hacker Fail: Two College Kids Discover Police Are Not as ‘Dumb’ As They Thought

In the fall of 2009, University of Central Missouri students Joseph
Camp and Daniel Fowler were busy trying to improve their grades — not
through cramming for finals, but by hacking into the university’s
computer systems. In addition to bumping up their GPAs, they planned
to tap into university bank accounts and to harvest information about
faculty, staff and alumni in order to sell their identities to
interested buyers.

They may not have cracked books that semester, but they did crack into
the university’s databases fairly easily. According to an indictment
(via Courthouse News Service), the two co-ed hackers developed a virus
to infect the computers of fellow students and administrators. They
spread it by putting it on computers at public computer labs and in
the library, sending it out in emails, and putting it on thumb drives.
(In one case, an administrator let them plug their thumb drive into
his computer to share vacation photos.) The virus installed Spector
Pro and Poison Ivy keystroke software and gave Camp and Fowler remote
control over infected computers so that they could monitor people’s
activity, turn on webcams, read emails, and collect user names and
passwords from administrators that they were able to use to get into
relevant databases.

Unclear whether these skills came out of classes the two were taking
at UCM. The indictment doesn’t mention their majors at the university.

Soon Camp was transferring thousands of dollars, in small amounts,
from the university bank account into his own, and into the account of
another lucky/unlucky student who Camp hoped to frame for the crime.
He did it over Thanksgiving break of 2009, hoping that people wouldn’t
be paying attention. They were. Police arrested him on November 25th.

But that didn’t stop Fowler and Camp…

Despite their being savvy in the ways of surveillance and electronic
monitoring, Camp decided to post away on his Facebook page about the
charges. In December, Fowler and Camp tapped back into the network to
get a copy of the affidavit for a search warrant of Camp’s apartment
and to download databases with faculty, staff, alumni, and student
information.

Camp then posted portions of the affidavit to his Facebook page to try
to intimidate those who ratted him out, writing, "I am very concerned
about anyone who lies to the police! Think I don’t know? I have the
papers now! I KNOW WHOs THE SNITCH!” and “I am not a fan of people who
lie to the police to get other innocent people in trouble. I will make
it a point to post anything that I find out here on facebook so that
you feel ashamed about l[y]ing to the police. I wont reda[ct]
anything. I will MAKE SURE that your name is posted with the lies you
told!”

After a little public witness intimidation on Facebook, Camp contacted
a potential buyer in New York for the University of Central Missouri
identities, not realizing that the purported identity thief was
actually an undercover agent. According to the indictment, Camp told
the agent that the university wouldn’t do anything about the
Thanksgiving hack, because it would embarrass the institution.

“The cops were dumb to bust us so quick,” said Camp, according to the
complaint. “If they knew the scope of this, they would have involved
the feds.”

WikiLeaks shows gap in current document security measures

As demonstrated by the leak of hundreds of thousands of sensitive US
documents to WikiLeaks, organizations need to do more to protect their
documents than preventing their unauthorized disclosure, according to
Adi Ruppin, vice president of marketing at WatchDox.

Simply taking steps to prevent data loss is no longer enough;
organizations need to implement measures to control and track
documents even after they have been transferred or leaked, Ruppin told
Infosecurity.

“People are not aware enough of the problem ... Organizations might have
access controls in place and encryption, but people don’t realize that
if a person already has access to these documents, there is little to
prevent that person from forwarding them to someone else or
downloading them to a USB drive”, he said.

“Most people still think, ‘I have this password and this encryption,
so I’m fine.’ They don’t realize that this is just one point of
protection; these documents still need to be protected wherever they
go afterward”, he added.

WatchDox offers products that enable an organization to deny access to
documents even after they are no longer under the organization’s
direct control.

Ruppin said he was “surprised” at the extent of the US government's
data loss to WikiLeaks. “You would expect [the US government] to have
some tools in place” that would enable control of documents even after
an unauthorized disclosure.

According to the WikiLeaks website, it has over 391 000 US military
reports on the Iraq and Afghanistan wars, as well as more than 250 000
leaked US embassy cables.

According to a WatchDox survey of 500 corporate executives and IT
professionals, 65% of respondents said they share sensitive data with
third parties. Of those, 96% said they are concerned that data they
share with other organizations might get into the wrong hands.
One-third admitted that they have had at least one incident of data
loss.

A full 83% of those surveyed ranked document and intellectual property
security as very important, ahead of anti-virus and network security.
But only 12% are using a data loss prevention (DLP) or digital rights
management (DRM) system.

But even these systems are not adequate to prevent a massive loss of
documents like WikiLeaks. “If you look at DLP or DRM, they are mostly
built around preventing the stuff from going out, which is not a
complete solution”, Ruppin said.

“Once these documents go to another destination, you still need to
maintain control over them, otherwise you get a WikiLeaks or somebody
posting the [Transportation Security Administration’s] screening
manual online. You cannot relinquish control of documents once they
are shared”, he stressed.

Blizzard’s Chinese GM quits after large data breach

All is not well at the offices of Blizzard China. Last week a large
data breach occurred which saw financial data, media packages,
commercial budgets, global subscriber details, and worst of all, the
road map for future game releases all taken.

Here’s the road map that is now widely available:

As well as giving competitors a clear timetable to which to compete
against, it also reveals a new game called Titan.

The fallout from this data breach is Blizzard’s General Manager for
China, one Ye Weilun, has either left or been kicked out, but the
reports suggest a resignation. We don’t know the details of how the
leak occurred, but his departure could either be directly linked to
the breach, or because it was allowed to happen in the first place.

For the moment, Blizzard has set in motion an internal investigation
with Global COO Paul Sams arriving in Shanghai this week.

Read more at BGR, via MMOGameSite.com

Matthew’s Opinion

For gamers, this isn’t bad news at all. We get to see when Blizzard
plans to release new games and updates, plus we also see a brand new
game on the horizon called Titan.

For Blizzard, it’s a big problem. The game launch windows are an issue
as it gives competitors an advantage. But when it’s combined with the
media package information it could cause some upset in the advertising
and marketing world. If Blizzard is advertising X on date Y, then
competitors can counter that at the appropriate time.

One thing that is a little concerning is the subscriber data that was
included in the leak. Hopefully this was just usage statistics and not
credit card and login details. If it was then I think Blizzard would
have already done something to protect its millions of customers by
e-mailing with forced login changes etc.

With Paul Sams visiting China this week we could see a more public
acknowledgement from Blizzard as to what has happened and how things
are changing at the Chinese offices.

GAA data theft 'unlikely to lead to identity fraud'

BACKGROUND: Data leak allegedly came from a man who held a grudge
against the Belfast-based database firm

THE THEFT of the GAA’s membership database is unlikely to lead to
identity theft, the Office of the Data Protection Commissioner has
said.

The database contains the names, addresses, phone numbers, e-mail
addresses and, in a small number of cases, the medical records of
every single member of the GAA.

The theft is now the subject of a criminal investigation by the PSNI
who have already arrested a man and released him on police bail
without charge.

Sources close to the investigation say the security leak came from a
man with a grudge against Servasport Ltd, the Belfast-based company
that was maintaining the database on behalf of the association.

A statement from the company said the PSNI were making “good progress”
with the investigation and they were confident “no misuse of the
information” had taken place.

The company also apologised to the GAA and its members.

Data Protection assistant commissioner Diarmuid Hallinan said from
what they knew of the investigation, the information that was stolen
was not subsequently used for criminal purposes.

He said the absence of financial information or personal password
details from the files that were stolen would make it highly unlikely
that it could be used to access somebody’s bank account.

“It is not impossible, but our view is that this would be best used
indirectly to gain access to information,” he explained.

The commissioner has advised GAA members to be cautious in not
disclosing any more information if they receive unsolicited contacts
through the post, over the phone or through e-mail that refer to their
association membership.

Information security consultant Brian Honan said the information on
its own was “low risk”, but he would be concerned that personal
medical information could be misused if it fell into the wrong hands.

The data is compiled by every GAA club and collated centrally to aid
the registration of players who move from club to club.

Ex-GAA president Nickey Brennan, who is the chair of the association’s
IT committee, said they had employed consultants Deloitte to look at
Servasport and other suppliers of IT to the association.

He moved to reassure members that the database was not hacked by any
sectarian element inimical to the GAA as many members in the North
would be sensitive about their addresses being public knowledge. He
described the motivations of the person involved as “interesting”
given that it was still a mystery why copies of the database were sent
to the data information commissioners north and south of the Border
and to the Gaelic Players Association (GPA).

“Trying to understand the psyche of the individual is something that
is exercising people’s minds at the moment. We are hoping that a
subsequent investigation by the police will get to the bottom of it,”
he said.

The players association handed over the tape to GAA headquarters on
November 19th and the information was not disclosed until yesterday at
the request of the police service.

GPA spokesman Seán Potts said: “We’re aware of the seriousness of the
matter and we’re satisfied that the authorities are dealing with it
properly.”

Mr Potts said they had “no idea whatsoever” why the GPA was sent the
database. “As far as we are concerned we received a disk and we passed
it on to the authorities immediately.”

One GAA club secretary and coach, who did not wish to be named, said
the hacker had done the association a favour by exposing its lax
security protocols.

“I’m dismayed. Not having this information encrypted properly is
unforgivable, I’m absolutely livid,” he said.

He went on to say that though the GAA has a policy that the mobile
phone numbers or e-mail details of minors under the age of 18 should
not be stored, in reality they are often collated by club secretaries.

The association has written to the 544 members who have had their
medical conditions detailed on the database. They have also set up a
helpline for those who are concerned about the information contained
on the database. The number is 1890 987 807 for the Republic and 0800
0114787 for Northern Ireland.

THE DATA: NAMES AND NUMBERS:

501,786 names and addresses of members
288,511 dates of birth
107,212 mobile numbers
63,695 landline numbers
30,171 e-mail addresses
167,157 of the members on the database are under 18
544 players about whom the database contains medical information

Hackers Steal McDonald's Customer Data

McDonald's is working with law enforcement authorities after malicious
hackers broke into another company's databases and stole information
about an undetermined number of the fast food chain's customers.

"We have been informed by one of our long-time business partners, Arc
Worldwide, that limited customer information collected in connection
with certain McDonald's websites and promotions was obtained by an
unauthorized third party," a McDonald's spokeswoman said via e-mail on
Saturday.

McDonald's hired Arc to develop and coordinate the distribution of
promotional e-mail messages, and Arc in turn relied on an unidentified
e-mail company to manage the customer information database. This
e-mail company's systems were hacked into.

The data, which customers had provided voluntarily, doesn't include
Social Security Numbers, credit card numbers, nor any sensitive
financial information, she said.

"Rather, the limited information includes what was required to confirm
the customer's age, methods to contact the customer, and other general
preference information," the spokeswoman added.

This means that customer data likely includes full names, phone
numbers, postal addresses and e-mail addresses. The spokeswoman didn't
say what information was required for age confirmation, so it's not
clear if customers simply checked a box saying they were adults or if
they had to provide their date of birth.

"In the event that you are contacted by someone claiming to be from
McDonald's asking for personal or financial information, do not
respond and instead immediately contact us," reads the McDonald's note
to customers. The number to call is 1-800-244-6227.

In addition to working with law enforcement agencies, McDonald's is
probing the security breakdown at the company hired by Arc, which is
the marketing services division of ad agency Leo Burnett. Arc's
specialities include digital communications, direct marketing,
promotions and shopper marketing, according to its website.

The spokeswoman didn't say how many people are potentially affected
and in what countries, besides the U.S. She also didn't say when the
breach happened.

Data Breaches Double Since July

The number of entities reporting breaches of unsecured protected
health information (PHI) affecting 500 or more individuals is close to
reaching the 200 mark.

As of Tuesday, November 30, the number of entities reporting breaches
to the government's HIPAA privacy and security enforcer hit 197. The
number of entities, listed on the Office for Civil Rights (OCR) breach
notification website, has almost doubled since July, when the number
hit 107.

In the past five months, 90 new reports have surfaced, or an average
of 18 per month, a higher pace than the 15-per-month the first five
months after OCR launched the website.

The list is required by HITECH, the American Recovery and Reinvestment
Act of 2009 privacy subpart that includes greater breach notification
requirements, more public scrutiny and increased fines for HIPAA
violations.

The reporting requirement is included in the interim final rule on
breach notification, which became effective on September 23, 2009.

The breach affecting the most individuals is still AvMed, Inc. of
Florida, whose Dec. 10, 2009, breach involving a laptop affected 1.22
million individuals.

Laptops are still the number one location of breach information on the
list, accounting for 55 of the 197 reports (27.9%). Paper records (41
reports), desktop computers (32) and portable electronic devices (29)
follow.

The top five breaches with the largest number of affected individuals are:

AvMed, Inc.
State: Florida
Approximate number of individuals affected: 1,220,000
Date of breach: Dec. 10, 2009
Type of breach: Theft
Location of breached information: Laptop

Blue Cross Blue Shield of Tennessee
State: Tennessee
Approximate number of individuals affected: 1,023,209
Date of breach: Oct. 2, 2009
Type of breach: Theft
Location of breached information: Hard drives

South Shore Hospital (MA)
State: Massachusetts
Approximate number of individuals affected: 800,000
Date of breach: Feb. 26, 2010
Type of Breach: Loss
Location of Breached Information: Portable Electronic Device,
Electronic Medical Record, Other

Puerto Rico Department of Health
State: Puerto Rico
Approximate number of individuals affected: 400,000
Date of breach: Sept. 21, 2010
Type of Breach: Unauthorized access/disclosure, hacking/IT incident
Location of Breached Information: Network Server

Affinity Health Plan, Inc.
State: New York
Approximate number of individuals affected: 344,579
Date of breach: Nov. 24, 2009
Type of breach: Other
Location of breached information: Other

Hackers steal Walgreens e-mail list, attack consumers

Pharmacy giant Walgreens had to swallow some bitter medicine on Friday
when it told customers that a computer criminal had stolen its e-mail
marketing list. The criminal used the list to send out
realistic-looking spam that asked recipients to enter their personal
information into a Web page controlled by hackers.

"We are sorry this has taken place and for any inconvenience to you,"
the e-mail said.

No prescription information or other health information was stolen,
the company said — the criminal only managed to pilfer customer e-mail
addresses.

But even customers who had opted out of receiving marketing materials
via e-mail from Walgreens had their addresses stolen in the heist.
That means the firm stores customers' e-mail addresses even after they
ask not to participate in e-mail marketing.

"We realize you previously unsubscribed from promotional emails from
Walgreens, and that will continue," the e-mail to customers said.

Walgreens spokesman Michael Polzin said criminals so far have not
attempted to imitate Walgreens corporate logo in the phishing e-mail
they sent to consumers.

"The e-mails said they were from another company and asked (users) to
update some information," he said. Walgreens would never ask consumers
to e-mail personal information like credit card numbers or Social
Security numbers, he said.

The company "became aware" of the heist within the past week, he said.
He refused to disclose the number of customers impacted by it.

"We are in the process of contacting those customers," he said. "We
are not going to get into specifics."

Walgreens, which has $60 billion in annual sales, is expanding at an
astonishing pace. In November, it added 50 stores to its ranks of
8,000 retail outlets across the country.

Gawker Shuts Down After Hackers

Web sites belonging to Gawker Media abruptly stopped publishing on Sunday
after mischief-making hackers gained access to the company's servers.

People who had accounts on the flagship Gawker, Gizmodo, Jezebel and the
company's other Web sites were told to change their passwords because, it
said in a statement, "our user databases appear to have been compromised."
Working anonymously, the hackers indicated that they had found more than
1.3 million user names and passwords, though it was unclear whether all of
the data had been decrypted.

The hackers published the passwords of some Gawker staff members and
mockingly identified thousands of users who had listed their password as
"password."

"We're deeply embarrassed by this breach," Gawker said in a statement that
was posted across its suite of Web sites Sunday afternoon.

The incident was a black eye for Gawker, an eight-year-old digital media
company founded by Nick Denton that has grown up in New York.

Canada: Veteran gets medical info of other members

HALIFAX - The Department of Defence has launched an investigation
after a former member of the Canadian Forces found sensitive health
and personal information about other military personnel in his medical
file.

Wayne Finn said he was stunned to discover everything from other
service members' social insurance numbers, blood test results, X-ray
reports to dates of birth mixed in with his military medical file.

The 49-year-old Nova Scotia man said he still has information
referring to about 20 people in his file, even after returning the
files of eight others to the base in Halifax where he was serving.

DeviantART Members Have Their Email Addresses Leaked

The company does not specify the circumstances under which the breach
occurred, but notes that besides email addresses, usernames and birth
dates might also have been copied by unauthorized persons.

"Silverpop Systems, Inc., a leading marketing company that sends email
messages for its clients, told us that information was taken from its
servers. This was probably part of a sweep by spammers.

"As a result, email addresses belonging to deviantART members were
copied. Corresponding usernames and birth date may also have been
removed," the company wrote in an email to its users.

Feds probe '100 site' data breach

FBI agents looking into the theft of customer data belonging to
McDonald's are investigating similar breaches that may have hit more
than 100 other companies that used email marketing services from
Atlanta-based Silverpop Systems .

“The breach is with Silverpop, an email service provider that has over
105 customers,” Stephen Emmett, a special agent in the FBI's Atlanta
field office, told The Register. “It appears to be emanating from an
overseas location.”

He declined to provide further details.

Over the past week, at least two other sites – one known to have ties
to Silverpop and the other that appears to – offered similar warnings
to their customers. deviantART, a website that boasts more than 16
million registered accounts, warned its users that their email
addresses, user names and birth dates were exposed to suspected
spammers as a result of a breach at the email provider.

“Silverpop Systems, Inc., a leading marketing company that sends email
messages for its clients, told us that information was taken from its
servers,” deviantART's email stated. “We can assure you that nothing
occurred on our systems with respect to this incident and no access
was gained to private information on deviantART's servers. Because we
value the information that members give us, we have decided not to
rely on the services of Silverpop in the future and their servers will
no longer hold any data from us.”

And late last week, Walgreens, the largest US drugstore chain, warned
that hackers stole a customer list and used it to send them phishing
emails that sought additional personal information.

Walgreens didn't say how the list was stolen, but according to this
press release, the drugstore chain uses Arc Worldwide as its
"promotional marketing 'agency of record.'" The marketing services arm
of Leo Burnett USA, Arc Worldwide was the same business partner that
hired the unnamed email database provider that lost the McDonald's
customer list. And as the press release here makes clear, Arc
Worldwide counts Silverpop as a partner.

A receptionist answering the main number for marketing company Arc
Worldwide said she didn't have a public relations department to
transfer reporters to. A spokeswoman for Silverpop declined to answer
questions, but issued a statement that read in part:

When we recently detected suspicious activity in a small percentage of
our customer accounts, we took aggressive measures to stop that
activity and prevent future attempts. Among other things, we
unilaterally changed all passwords to protect customer accounts and
engaged the FBI's cybercrime division. It appears Silverpop was among
several technology providers targeted as part of a broader cyber
attack. We have notified all customers impacted by this activity. We
are currently focused on working with our customers, especially the
small percentage impacted by these events.

Beyond the cliche about chains being only as strong as their weakest
links, the lesson here is that companies that expose their customers'
secret data can't be trusted unless they come clean about what went
wrong and what they've done to prevent it from happening again. So
far, Silverpop hasn't done that, which is something readers should
remember the next time they're asked to share their personal details
with Salesforce.com, Ciena, Edgar Online; IBM's Coremetrics division
or Adobe's Omniture business unit, to name just a few.

Vodafone sacks staff over data breach

Vodafone has sacked several employees over the privacy leak that
exposed up to four million customer records.

The telco fell into hot water following allegations that criminals had
been sold access to its sensitive customer database and planned to use
the information, which included voice and SMS logs, to blackmail
customers.

Vodafone subsequently started an investigation, which is still
underway. As a result of its findings up to this point, Vodafone has
terminated the employment of several staff members and referred their
actions on to the New South Wales Police Service.

ZDNet Australia contacted Vodafone to confirm how many staff members
had been terminated and where they worked, but the telco refused to
provide specific details as they were part of the ongoing
investigation.

Vodafone also said it was improving its security.

"We take data security and the storage of our customers information
extremely seriously," VHA CEO Nigel Dews said in a statement.

"Some of the initiatives we had already planned for this year are
being brought forward and we will also be conducting an additional
independent security review."

Following the Vodafone breach on Monday, Optus said it would also
conduct a review of its security policies.

Law firm Piper Alderman said this week it is investigating whether or
not to include the breach of customer details in its class action
against the telco. According to The Australian Financial Review this
week, 15,000 people had signed onto the action, up from 9000 just over
a week ago.

Vodafone contacted customers earlier this week via email, assuring
them that their details were not available publicly on the internet.

Widespread data-snooping revealed in Yorkshire’s public sector

Criminal records and private medical information accessed inappropriately

Newly-released disciplinary records for police forces, NHS trusts and
local councils in Yorkshire have revealed that data protection
breaches have been widespread in the region over the past few years.

An investigation by regional paper Yorkshire Post has discovered cases
where public sector workers have been reprimanded for offences ranging
from running inappropriate criminal record checks on family members,
to looking up private medical test results.

Most data protection breaches took place at Yorkshire’s four police
forces, Humberside Police, North Yorkshire Police, South Yorkshire
Police and West Yorkshire police.

At Humberside, a total 31 members of staff had been disciplined over
the past few years for inappropriately accessing data, with one
employee being dismissed. Cases included one CID officer who ran a
criminal record check on his nephew, an incident resolution officer
who looked up information on their step-daughter’s new boyfriend, and
a traffic officer who checked his mother’s neighbour’s criminal
records after his mother was burgled.

This is despite the force having a “dedicated team of experienced
individuals” who focus on maintaining the “integrity and security” of
its databases, according to Humberside’s head of professional
standards, superintendent Ray Higgins.

Over the past three years, North Yorkshire Police said it had
reprimanded staff and officers over 39 cases.

“The use of restricted force data systems and email is monitored. This
enables the force to identify any non-compliance and to investigate
any suspected transgressions,” Assistant Chief Constable Sue Cross at
North Yorkshire told the Yorkshire Post.

“A full range of sanctions are available to deal with the relatively
small number of individuals who breach force policies, including
verbal advice, written warnings, formal reprimands and, in the most
serious cases, dismissal.”

Furthermore, South Yorkshire Police reported 48 cases of data
protection breaches since 2005, while West Yorkshire had 22 cases of
inappropriate access of data and 26 cases of police staff conducting
unspecified ‘misuse of computer offences’.

West Yorkshire was also forced to send written warnings in November to
around 70 staff members who looked up the criminal records of a TV
talent show contestant following the appearance of allegations
about her in the tabloids.

Meanwhile, data protection breaches also occurred in nine of
Yorkshire’s NHS trusts, including Wakefield, Barnsley, Rotherham and
Doncaster.

At Doncaster and Bassetlaw Hospitals NHS Trust, a nurse was dismissed,
but then reinstated on appeal, after she accessed private medical test
results of her daughter’s father. A clerk was also given a written
warning after looking up her brother’s test results.

A spokesperson for the trust told Yorkshire Post: "We take data
security very seriously and have a number of means of ensuring that
patients' personal data is not accessed inappropriately. All six cases
of inappropriate access to medical records related to an individual's
colleague, partner, or relative – and while this is inexcusable, it
does not indicate misuse of the millions of patient records we hold."

However, a receptionist at a hospital in Sheffield was also caught
collating patients’ personal contact records and using them for market
research in her second job.

In seven of Yorkshire’s 22 councils, staff were disciplined for
accessing private data on members of the public, including two at
Wakefield Council who looked up information on family members.

Meanwhile, at Rotherham Borough Council, an audit and finance officer
resigned after being caught accessing the records of 72 neighbours to
satisfy their “personal curiosity”.

A spokesperson for the Information Commissioner’s Office (ICO) said:
“As with many organisations that hold a significant amount of personal
data, we have regular contact with a range of public authorities
regarding allegations of staff inappropriately accessing records.

"The usual and most appropriate outcome in these cases is disciplinary
action taken by the employer. However, where that employee is
accessing records for personal gain, such as selling the data on to
third parties, the ICO may open a criminal investigation.”

Kadlec computer servers hacked

RICHLAND -- Kadlec Regional Medical Center officials announced Wednesday
that patients are being notified that one of the hospital's computer
servers containing brain scan and other patient studies was hacked in
September.

Files housed on the server included information with a patient's name,
birth date, age, gender, medical record number and doctor's name, but did
not include any patient financial information, address, Social Security
number or insurance data.

Kadlec officials first discovered the unauthorized access during routine
monitoring of computer network backups Nov. 11, according to a news
release.

Kadlec immediately removed the server from service and hired a national
company that specializes in computer security to investigate the cause of
the incident and scope of the breach.

Scandinavian gamers hack NH medical center to play Call of Duty; compromise records of 230,000

ROCHESTER -- Some Scandinavian nerds went above and beyond to play their
favorite video game last year when they hacked a server for Seacoast
Radiology to get more bandwidth, a move that gave them access to the
personal information of more than 230,000 patients.

The gamers preyed on the server to play "Call of Duty: Black Ops," a
popular, first-person military-style game that can be played online, said
Lisa MacKenzie, a spokesman for ID Experts, an outside security firm
brought in to deal with the data breach.

"Based on the investigation, there's no belief that any personal
information was compromised in any way," MacKenzie said. "They were not
hacking in to get any medical billing codes or any personal information or
anything like that."

The radiology practice discovered the hack on Nov. 12 after IT officials
noticed bandwidth was being leeched and immediately shut off access to the
server.

Bank exec sold customer data to ease financial woes

FACED with financial problems, a bank executive sold customers'
confidential details to several buyers, including an illegal
moneylender, a court heard yesterday.

In return, Sazaly Selamat, who worked for DBS Bank, was paid a total of $2,625.

Yesterday, the 40-year-old pleaded guilty to seven charges of
corruption and two of computer misuse.

He was authorised to access the bank's in-house customer database
system to retrieve information such as customers' identity card
numbers, addresses and other contact details, Assistant Public
Prosecutor Puspha S. told the court.

But he was not allowed to disclose this information to third parties.

Some time in 2003, he began to experience financial difficulties. His
car was repossessed two years later, after he defaulted on two months
of payment.

Sazaly got to know one of the repossessors, Mr Alex Lian Teck Huat,
who found out he could access DBS' customer database. Mr Lian is said
to have then asked Sazaly if he wanted to make some money.

Sazaly agreed and Mr Lian offered him $50 for each customer whose
details he retrieved, the court heard. He also told others of Sazaly's
'services'.

Eventually, the news reached an illegal football bookmaker known as
Wei Keong, who operated in the Yishun area.

With Sazaly's help, Wei Keong tracked down debtors who owed him money.
Through another bookmaker, Wei Keong transferred three sums of between
$50 and $100 to Sazaly's account.

APP Puspha said Sazaly 'had no qualms about selling this information
to these individuals due to his financial problems'.

Pleading for leniency, Sazaly, a divorced father of two, asked for a
'low fine', saying he had got his life sorted out and a stable job.
District Judge F.G. Remedios will sentence him on Jan 26.

It is not known whether Mr Lian has faced any charges in connection
with the case.

Agency: Records of employees may have been breached

South Carolina officials on Friday notified people who had coverage
from the state's insurance program that their personal information may
have been obtained illegally.

The state Budget and Control Board mailed letters Friday to people who
may have been affected by the breach.

State Employee Insurance Program director Stephen Van Camp said a
computer virus attack on a single computer could have allowed the
hacker to access the names, addresses, Social Security numbers and
birth dates of up to 5,600 insured employees, retirees, dependents
and survivors stored on that computer. Those records also included
about 800 people who are dead, he said.

The breach occurred between Nov. 8 and Nov. 18, when it was
discovered, and the South Carolina Law Enforcement Division was also
notified, Van Camp said. "Then our problem was to determine what had
been accessed and who was involved," he said.

The records could be exploited for identity theft. Van Camp said
people who receive the letters are also getting instructions about
contacting credit services.

The Employee Insurance Program's plans serve about 528,000 people.

Gov. Nikki Haley is chairman of the Budget and Control Board, a
position that came with her inauguration Wednesday. Haley spokesman
Rob Godfrey had no details about the breach.

"Obviously, this is a terrible situation, and we feel for all those
whose privacy may have been compromised," Godfrey said.

Godfrey noted that at Haley's first board meeting Thursday the board
unanimously agreed to hire a new director, Eleanor Kitzman, who is
"committed to making sure that changes are implemented, quickly, so
something like this never happens again."

Two charged in AT&T-iPad data breach

Two men were charged with computer crimes today for allegedly hacking
into AT&T servers and stealing e-mail addresses and other information
of about 120,000 iPad users last summer.

Andrew Auernheimer, 25, was arrested in his home town of Fayetteville,
Ark., while appearing in state court on unrelated drug charges, and
Daniel Spitler, 26, of San Francisco, surrendered to FBI agents in
Newark, N.J., according to the U.S. Attorney's office in New Jersey.
Both men were expected to appear before federal judges in Arkansas and
New Jersey.

They each face one count of conspiracy to access a computer without
authorization and one count of fraud in connection with personal
information. They're also looking at a maximum of 10 years in prison
and a $500,000 fine.

Auernheimer was ordered held until a bail hearing set for Friday,
while Spitler was released on $50,000 bail and ordered not to use the
Internet except at his job in security at a Borders bookstore,
according to an Associated Press report. In comments to reporters
outside the Newark courthouse, Spitler said he was innocent and that:
"The information in the complaint is false. This case has been blown
way out of proportion."

Auernheimer told the magistrate that he had been drinking until 6:30
that morning and said of the complaint: "This is a great
affidavit--fantastic reading," according to the AP report.

Last June, Auernheimer told CNET that members of his hacker group,
which calls itself Goatse Security, uncovered a hole in AT&T's Web
site used by iPad customers on the 3G wireless network and went public
with it by revealing details to Gawker Media.

Up until then, AT&T automatically linked an iPad 3G user's e-mail
address to the iPad's unique number, called Integrated Circuit Card
Identifier (ICC-ID) so that whenever the customer accessed the AT&T
Web site, the ICC-ID was recognized, the e-mail address was
automatically populated and the ICC-ID was displayed in the URL in
plain text.

Spitler is accused of writing a script called the "iPad 3G Account
Slurper" and using it to harvest AT&T customer data via a brute force
attack on the site, which fooled the site into revealing the
confidential information, according to the criminal complaint filed
last week but unsealed and released publicly today.
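A detection-side illustration of the pattern described above, added here and not code from the page, AT&T or the complaint: it scans constructed web access logs for a single client walking through adjacent values of a predictable identifier carried in the URL, which is the footprint an enumeration script leaves behind. The `/account` path, the `iccid` query-parameter name, the thresholds and the log lines are all assumptions.

```python
"""Flag clients that enumerate a predictable identifier in web access logs.

Constructed example (not AT&T's site or logs): an endpoint takes a device
identifier as a query parameter and returns account details keyed on it.
A client cycling through neighbouring identifier values produces one
source, many distinct identifiers, nearly all differing by exactly one.
The durable fix is not to serve records from an unauthenticated,
client-supplied identifier at all; this detector buys time until then.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined"-style line: ip - - [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
ID_RE = re.compile(r"[?&]iccid=(?P<id>\d+)")  # parameter name is an assumption
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, identifier) for a request carrying an identifier, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    idm = ID_RE.search(m.group("path"))
    if not idm:
        return None
    ts = datetime.strptime(m.group("time"), TIME_FMT)
    return m.group("ip"), ts, int(idm.group("id"))


def find_enumerators(lines, window=timedelta(minutes=5), min_ids=20, min_adjacent=0.8):
    """Return {ip: (distinct_ids, adjacent_fraction)} for clients that, within any
    sliding time window, requested at least min_ids distinct identifiers of which
    at least min_adjacent of the sorted neighbours differ by exactly one."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, ts, ident = rec
            by_ip[ip].append((ts, ident))
    flagged = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:  # slide window forward
                start += 1
            distinct = sorted({ident for _, ident in reqs[start:end + 1]})
            if len(distinct) < min_ids:
                continue
            adjacent = sum(1 for a, b in zip(distinct, distinct[1:]) if b - a == 1)
            frac = adjacent / (len(distinct) - 1)
            if frac >= min_adjacent:
                best = flagged.get(ip)
                if best is None or len(distinct) > best[0]:
                    flagged[ip] = (len(distinct), round(frac, 2))
    return flagged


def build_sample_log():
    """Constructed log: one enumerating client, two ordinary clients."""
    base = datetime(2010, 6, 10, 14, 3, 1, tzinfo=timezone.utc)

    def line(ip, ts, ident):
        return f'{ip} - - [{ts.strftime(TIME_FMT)}] "GET /account?iccid={ident} HTTP/1.1" 200 512'

    lines = []
    # Enumerator: 30 consecutive identifiers, one request every two seconds.
    for i in range(30):
        lines.append(line("203.0.113.9", base + timedelta(seconds=2 * i), 890141032111185100 + i))
    # Ordinary client looking up its own device once.
    lines.append(line("198.51.100.5", base + timedelta(seconds=7), 890141032111199001))
    # Support desk checking a handful of unrelated devices.
    for i, ident in enumerate((890141032111170042, 890141032111180917, 890141032111190333)):
        lines.append(line("192.0.2.7", base + timedelta(seconds=15 * i), ident))
    lines.append('192.0.2.7 - - [10/Jun/2010:14:04:00 +0000] "GET /static/logo.png HTTP/1.1" 200 77')
    return lines


if __name__ == "__main__":
    for ip, (count, frac) in find_enumerators(build_sample_log()).items():
        print(f"{ip}: {count} distinct identifiers, {frac:.0%} adjacent")
```

Lower `min_ids` or shorten `window` for low-traffic endpoints; a client legitimately loading its own record will never reach dozens of distinct, neighbouring identifiers.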

The complaint includes Internet Relay Chat messages supposedly sent
between Auernheimer and Spitler in which they talk about selling the
e-mail addresses to spammers, shorting AT&T stock before releasing
details of the breach, and destroying evidence.

"If we can get a big dataset we could direct market iPad accessories,"
Auernheimer says in a message to Spitler, according to the complaint.
In another chat session included in the complaint, Spitler says he
would like to stay anonymous so he doesn't get sued. "Absolutely may
be legal risk yeah, mostly civil you absolutely could get sued,"
Auernheimer replied, the complaint read.

Before going to Gawker, Auernheimer also allegedly contacted
Thomson-Reuters and the San Francisco Chronicle, and sent an e-mail to
a board member at News Corp. whose e-mail address was leaked in the
breach in attempts to get news articles written about the incident,
according to the complaint.

Asked if he reported the hole to AT&T, Auernheimer replied "totally
but not really...I don't (expletive) care I hope they sue me,"
according to the chat logs.

"Those chats not only demonstrate that Spitler and Auernheimer were
responsible for the data breach, but also that they conducted the
breach to simultaneously damage AT&T and promote themselves and Goatse
Security," the U.S. Attorney's office said in a statement.

AT&T has spent about $73,000 as a result of the breach, including
contacting all iPad 3G customers to notify them, the complaint says.
Among the iPad users who appeared to have been affected were White
House Chief of Staff Rahm Emanuel, journalist Diane Sawyer, New York
Mayor Michael Bloomberg, movie producer Harvey Weinstein, and New York
Times CEO Janet Robinson.

Auernheimer told CNET last summer that the data exposed in the breach
was contained. The concern was that iPad users who had their e-mail
addresses exposed would then be at risk of receiving phishing or spam
e-mail that appeared to be from Apple or AT&T but which was designed
instead to trick them into revealing more information or downloading
malware.

Auernheimer did not return an e-mail seeking comment, and Spitler
could not be reached. AT&T did not immediately respond to a request
for comment.

Auernheimer, a self-described Internet "troll," was arrested last June
when authorities found drugs while searching his home for evidence
related to the AT&T-iPad investigation. He was later released on bail.

Error in Register Sends Wandsworth Residents’ Personal Details to Cyberspace

A constituent of Tooting MP Sadiq Khan has drawn the attention of
Information Commissioner’s Office to a privacy breach he discovered
from a website that lists personal details including names, addresses,
age of individuals, and business locations and data, a Wandsworth
online news source reported.

The personal details originated from an automated electoral roll
register that malfunctioned, resulting in the information listed
there being published on 192.com, an online directory with a section
for people's addresses, phone numbers, age guides, property prices,
and aerial photos, compiled from electoral rolls from 2002 through
2010.

The concerned resident, who requested anonymity, said he had initially
told Wandsworth Council not to redistribute his personal details to
third parties, but was surprised to see them published on 192.com,
which prompted him to report the data breach to the ICO and his MP.

The investigation found that a malfunction in a telephone facility
used to compile the 2008 edited register had inverted the opt-out
settings: the personal details of residents who had chosen not to be
listed in the register were disclosed, while the details of those who
had opted to be listed were withheld.

The council attributed the unwanted disclosure of Wandsworth
residents' personal details to a system glitch in the register. Its
officials have already issued a public apology, adding that the
council immediately took appropriate steps to ensure the data breach
cannot happen again.

Despite the data breach, the ICO has no plans to impose a penalty on
the council, given its immediate action to address the matter.

Wandsworth Council has also forwarded the complaint to the website
publishing the personal details, asking it to remove all information
that should not be displayed there.

Telecoms companies are wary of data breach law

Telecoms providers and data-protection authorities are worried by the
potential fallout of an upcoming European data-breach notification
law, according to the European Network Information Security Agency.

Enisa, the EU's information security policy adviser, outlined its
concerns in a report on the effects of the ePrivacy Directive issued
on Friday. The study is designed to provide guidance to
telecommunication providers as they prepare for the law, which forces
companies to inform customers about data breaches.

"Gaining and maintaining the trust and buy-in of citizens that their
data is secure and protected represents a potential risk to the future
development and take-up of innovative technologies and higher
value-added online services across Europe, and will be a key challenge
for organisations," said the report.

Under the ePrivacy Directive, from March telecoms companies must
publicise data breaches. In addition, the banking, healthcare and
small business sectors are being considered for inclusion in
data-breach notification law by the European Commission.

The study found that electronic communications companies are concerned
about the damage that breach notification could do to their brands.
They also wanted guidance on how to prioritise breaches according to
severity and advice on categorising types of data.

For their part, data-protection regulators are worried about having
sufficient resources to cope with notification, a lack of sanctions, a
lack of technical expertise, and how to raise data-protection
awareness, according to Enisa.

Public confidence
The ePrivacy Directive gives businesses a legal impetus to guard
against data breaches, in addition to the reputational impetus,
according to the EU body. High-profile incidents of data loss and
exposure have shaken public confidence in organisations' abilities to
keep personal data safe, it said.

"Every day there seems to be headlines that personal data has been
leaked, that someone has found a laptop on a train," Enisa data-breach
expert Sławomir Górniak told ZDNet UK.

Organisations must gain public trust that personal data will not be
divulged, otherwise they risk hindering the take-up of innovative
technologies, according to Enisa. Measures such as encryption can
mitigate the risk, said Górniak. "If you lose a laptop, and it's
encrypted, and you have the keys, then this is not a data breach," he
said.

In the UK, the data-protection regulator is the Information
Commissioner's Office (ICO). The regulator has the power to fine
organisations for breaching data-protection laws, but did not fine
Google over its Street View collection of personal data. In November,
the ICO levied its first fines, against Hertfordshire County Council
and employment services company A4e.

Got $500? You can buy a hacked U.S. military website

If you're a criminal looking for full control of the website used by the
U.S. Army's Communications-Electronics Command (CECOM), you can get it
for just under US$500.

At least that's what one hacker is offering in underground forums.
Security vendor Imperva found the black market sales pitch Thursday and
posted details of the incident on Friday.

The hacker says he has control over a number of websites, including other
military sites, government sites, and those belonging to universities,
said Noa Bar-Yosef, Imperva senior security strategist. Prices range from
$33 to $499, depending on how important or widely used the website is.
"You can actually buy the capability of being the administrator of the
website," she said.

The hacker is also selling databases of personal information he's stolen
from the websites for $20 per thousand records, she said. That data could
be used by spammers, or by fraudsters to break into online accounts.

Dominos Pizza website hacked, customer data leaked

Dominos Pizza has been in India for more than a decade now and, with
much enthusiasm, it decided to tap into the rapidly growing internet
population by launching its online ordering system late last year.
Recently a hacker managed to get away with a lot of customer data by
hacking into their server. Though the company is tight-lipped on the
extent of the damage, in an apologetic letter to its customers it
shamefully says: 'We have come to know that someone has hacked our
website with malicious intent and with the help of a script, managed
to extract some information on customer phone nos, email id and
delivery address of some customers. Although this data is not
classified information about our customers, still as a responsible
corporate we thought it's important to inform you about this.' Online
privacy is still taken very lightly in India, which is reflected in
the fact that a company like Dominos treats customers' addresses,
mobile phone numbers and email as non-confidential and has a privacy
policy dated 2005.

The Office of Management and Budget asked government agencies to spell out their strategies for minimizing insider risk.

Last week, the Office of Management and Budget asked government
agencies to spell out their strategies for minimizing insider risk.
The memo, published by MSNBC, asked agencies to assess their security
efforts and compliance to federal standards following the release of a
trove of government documents, including classified State Department
memos, by Wikileaks.
It's likely that federal contractors and government suppliers will
also find themselves responding to this list of questions and to the
central issue of preventing the unauthorized disclosure of sensitive
and classified materials. In a key section of the memo, the OMB
requests information on whether organizations are measuring the
"trustworthiness" of their employees and whether they use a
psychiatrist or sociologist to gauge an employee's unhappiness as a
measure of trustworthiness.

In an effort to prevent the leak of the crown jewels, government
agencies and companies with significant intellectual property may be
moving to stricter management of employees, says Ken Ammon, chief
strategy officer for network access control firm Xceedium.

"Historically, policy and training have been the way (organizations)
have handled insiders," Ammon says. "But if you talk with the DOD
(Department of Defense), their most significant threat is an
intelligent and motivated insider system administrator."

Privileged insiders are not responsible for the loss of great
quantities of data, but they steal the more valuable data, according
to Verizon Business's Data Breach Investigations Report, which it
released last year.

"In general, we find that employees are granted more privileges than
they need to perform their job duties and the activities of those that
do require higher privileges are usually not monitored in any real
way," the report states.

Xceedium focuses its efforts on monitoring and auditing the access of
such privileged insiders, blocking any attempts to access data and
resources outside of explicit policy.

With privileged insiders, "you have to go with the zero-trust model,"
says Ammon.

The Department of Defense is doing just that. Last year, the research
arm of the Pentagon, known as DARPA (Defense Advanced Research
Projects Agency), tasked researchers with finding better methods of
detecting government employees and soldiers who may be planning to go
rogue. The program, dubbed ADAMS (Anomaly Detection at Multiple
Scales), aims to detect changes in behavior that could suggest a
decision to attack. In another proposal, issued in August, DARPA asked
for technological solutions to better detect enemies already present
in networks.

The WikiLeaks memo and the ADAMS project seem to indicate that the
government will be looking more closely at the people with access to
critical assets and data. With the government focusing on increasing
the security of government contractors, it's likely that corporate
America will take a greater interest in the happiness and
trustworthiness of its IT staff as well.

It's time to grit your teeth and be happy, folks.

SOURCE - http://www.infoworld.com/t/insider-threat/the-fed-goes-hunting-malcontents-411