Friday, February 25, 2011

Report details health care reform theft

As the nation moves toward growing use of electronic medical records,
data vulnerability becomes increasingly evident.

A new report released on Wednesday by Kaufman, Rossin & Co. showed that
4.9 million patients had their personal health information compromised
as a result of 166 data breaches that occurred during the first year
of the Health Information Technology for Economic and Clinical Health
(HITECH) Act.

The act was signed into law in February 2009 to promote the adoption
and meaningful use of health information technology. It also provides
for more stringent fines for privacy breaches.

Of the breaches in the study, laptops were the greatest source, being
involved in 43 cases and affecting more than 1.5 million individuals.
All of the breaches occurred between Sept. 21, 2009 and Sept. 21, 2010,
the first year in which breach incidents were publicly reported to the
Secretary of the Department of Health and Human Services.

“There are so many various ways for data to be breached in this day
and age and many businesses are not properly prepared or are
completely unaware of just how vulnerable this information is,” said
Jorge Rey, the study’s co-author and director of information security
and compliance with Kaufman, Rossin. “The HITECH Act is changing the
way PHI must be protected and those companies that are not serious
about protecting their patients’ information find themselves facing
serious reputation, legal and financial repercussions.”

Among other findings:

Theft was the primary cause of a data breach, occurring 58 percent of
the time; loss and "other" were tied in second at 14 percent.

20 percent of the breaches occurred at business associates.

Theft affected the highest number of individuals: 3.12 million.

32 percent of breaches were reported within the first three months.

The report notes that data breaches come in various forms, from
hacking to medical information that is mailed to the wrong address,
though the latter is responsible for a very small share of the
breaches.

The report cites some examples of theft, such as:

An impostor posing as a representative of a legitimate vendor stole
several barrels of purged x-ray films, which contained the health care
information of approximately 1,300 patients.

A laptop computer that contained the health care information of 943
patients was stolen from a hospital employee's vehicle.

A binder with printed protected health information was stolen from an
employee’s vehicle and contained the information of up to 1,272
patients.

The report goes on to recommend that health care organizations review
their security policies, encrypt new and existing laptops and perform
detailed annual risk assessments, among other things.

HHS Imposes a $4.3 Million Civil Money Penalty for Violations of the HIPAA Privacy Rule

Action marks first civil money penalty issued by HHS for HIPAA Privacy
Rule violations

The U.S. Department of Health and Human Services’ (HHS) Office for
Civil Rights (OCR) has issued a Notice of Final Determination finding
that Cignet Health of Prince George’s County, Md., (Cignet) violated
the Privacy Rule of the Health Insurance Portability and
Accountability Act of 1996 (HIPAA). HHS has imposed a civil money
penalty (CMP) of $4.3 million for the violations, representing the
first CMP issued by the Department for a covered entity’s violations
of the HIPAA Privacy Rule.

The CMP is based on the violation categories and increased penalty
amounts authorized by Section 13410(d) of the Health Information
Technology for Economic and Clinical Health (HITECH) Act.

“Ensuring that Americans’ health information privacy is protected is
vital to our health care system and a priority of this Administration.
The U.S. Department of Health and Human Services is serious about
enforcing individual rights guaranteed by the HIPAA Privacy Rule,”
said HHS Secretary Kathleen Sebelius.

In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found
that Cignet violated 41 patients’ rights by denying them access to
their medical records when requested between September 2008 and
October 2009. These patients individually filed complaints with OCR,
initiating investigations of each complaint. The HIPAA Privacy Rule
requires that a covered entity provide a patient with a copy of their
medical records within 30 (and no later than 60) days of the patient’s
request. The CMP for these violations is $1.3 million.

During the investigations, Cignet refused to respond to OCR’s demands
to produce the records. Additionally, Cignet failed to cooperate with
OCR’s investigations of the complaints and produce the records in
response to OCR’s subpoena. OCR filed a petition to enforce its
subpoena in United States District Court and obtained a default
judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet
produced the medical records to OCR, but otherwise made no efforts to
resolve the complaints through informal means.

OCR also found that Cignet failed to cooperate with OCR’s
investigations on a continuing daily basis from March 17, 2009, to
April 7, 2010, and that the failure to cooperate was due to Cignet’s
willful neglect to comply with the Privacy Rule. Covered entities are
required under law to cooperate with the Department’s investigations.
The CMP for these violations is $3 million.

“Covered entities and business associates must uphold their
responsibility to provide patients with access to their medical
records, and adhere closely to all of HIPAA’s requirements,” said OCR
Director Georgina Verdugo. “The U.S. Department of Health and Human
Services will continue to investigate and take action against those
organizations that knowingly disregard their obligations under these
rules.”

Security vow after vulnerable adults memory stick lost

A council has agreed to improve its security after losing a memory
stick which contained the details of at least six vulnerable adults in
November 2010.

Cambridgeshire County Council notified the Information Commissioner's
Office (ICO) after the breach.

An employee lost an unencrypted and unapproved device containing case
notes and minutes of meetings.

The member of staff had previously experienced problems using one of
the council's encrypted memory sticks.

The breach of the Data Protection Act happened just after the council
had undertaken an internal campaign aimed at promoting its encryption
policy.

Employees had been asked to hand in unencrypted devices and were
warned about the importance of keeping personal information secure.

Council apology
The ICO's enforcement group manager Sally Anne Poole said:
"Cambridgeshire County Council clearly recognises the importance of
encrypting devices in order to keep personal data secure.

"However this case shows that organisations need to check that their
data protection policies are continually followed and fully understood
by staff.

"We are pleased that Cambridgeshire County Council has taken action to
improve its existing security measures."

A council spokesman said: "Cambridgeshire County Council takes the
storage of personal data very seriously and has strict procedures on
how it should be stored.

"We apologise that this loss happened and contacted the relevant
people as soon as we were made aware.

"In this case the member of staff did not follow the council's policy
of using a password protected and encrypted memory stick.

"The loss of the memory stick was immediately reported by the member
of staff who, following a full investigation, has been disciplined and
given advice on their future professional conduct."

The missing device has not been found.

Security breach 'won't result in identity theft'

ACT Minister for Disability, Housing and Community Services Joy Burch
says a security breach involving data from her department is unlikely
to result in identity theft.

In November last year, a department employee breached protocol and
downloaded information onto a laptop to take home.

The laptop was stolen during a home burglary.

Ms Burch says clients have been notified about the breach.

"Certainly the advice to me is that the data did contain information,
such as family names, some given names and a postcode and or a date of
birth," she said.

"But there is an absolute guarantee that no addresses or phone numbers
or any other personal details was included in the data and in the
information that was lost."

But Opposition spokesman Steve Doszpot says clients were not informed
of the incident until this month and should have been notified
immediately.

"I haven't heard a clear explanation given of why it took
two-and-a-half months to inform the people whose records had been
stolen, that situation had occurred, the theft of the laptop," he
said.

"That should have been first and foremost in case there was any other
untoward activity that was taking place."

Ms Burch says there was a good reason for the delay.

"The delay in writing to our clients was to go through an exercise of
looking at the data and matching as much as we can so we had
confidence of being able to write off the people that were concerned.
We've written to more probably than what we need to," she said.

500 Is a Magic Number: Health Information Breaches Impacting 499 or Fewer Patients Likely Go Uninvestigated By OCR

In the recently-released fiscal 2012 budget for HHS, a dirty little
secret has been acknowledged: the Office of Civil Rights does not
have the resources to review all reported breaches of health
information. In fact, if you have a breach that impacts up to 499
people, you are unlikely to hear from OCR at all:

"Current OCR practice is to validate, post to the HHS website, and
subsequently investigate all breach reports that impacted more than
500 individuals. Breach reports that impacted fewer than 500
individuals are compiled for future reporting to Congress; however,
they are treated as discretionary and only investigated if resources
permit."

While this prioritization makes a certain amount of sense, it leaves
the vast majority of breaches unreviewed. According to that same
budget report, "[a]s of September 30, 2010, OCR has received a total
of 9,300 breach reports (191 impact more than 500 individuals and
9,109 impact less than 500 individuals)." That's a mere 2% of all
breaches that have OCR's full attention. The takeaway from this is to
count your breaches carefully before reporting, as there seems to be a
real benefit to being able to report an impact on less than 500
individuals.

Identity and Passport Service breaches data act

The Information Commissioner's Office has found the Identity and
Passport Service in breach of the Data Protection Act after it lost 21
passport renewal applications.

The loss occurred in May 2010 and included the personal data of both
applicants and their countersignatories.

All the individuals affected were informed and offered new passports
and no complaints have been received to date, said the ICO. The IPS
has also signed an undertaking and has agreed to put in place a number
of measures including ensuring that staff are aware of policies for
the storage and use of personal data and IT security.

It has also agreed to carry out and document regular inspections of
the security of the methods used for the processing of personal data
as well as undertake regular audits, where an appointed data processor
carries out certain tasks on its behalf.

Mick Gorrill, head of enforcement at the ICO, said: "A passport is an
important identification document and it is clearly of concern that
information relating to renewal applications has been lost.

"However, there is no evidence to suggest that the applications have
fallen into the wrong hands and we are pleased that the Identity and
Passport Service is taking steps to stop this happening again."

A spokesman for the IPS said that it takes the security of its
customer data "extremely seriously", and added that immediate action
was taken to cancel the application information.

"An internal security review has since been carried out and we have
already significantly tightened our processes to prevent such an
incident happening again," he said.

"During the past five years the IPS has safely handled more than 25
million passport applications."

Tuesday, February 22, 2011

Emory Health Care Records Hacked

ATLANTA -- Emory Healthcare says computer hackers lifted at least 77
patient records with personal information from its orthopedic clinic
off North Druid Hills.

As a precaution, Emory spokesperson Jeffrey Molter says a letter dated
February 14, 2011 was sent to 2,400 patients alerting them of the
security breach.

In it, the company warns that the information stolen "included name,
Social Security Number, address, date of birth and/or limited health
information".

It was federal authorities who tipped off Emory about the stolen records.

Molter would not appear on camera for an interview because he said
there is an ongoing criminal investigation, but 11Alive News did
conduct a phone interview.

"According to the IRS this information appears to have been
subsequently used for the filing of fraudulent federal tax returns
with the intent of collecting associated tax returns," Molter said.

All patients of The Emory Clinic Section of Orthopedics at Emory
Healthcare are being advised to place fraud alerts on their credit
reports and sign up for identity theft protection. Emory says it will
cover the costs.

eHarmony Plays Down Data Breach On Dating Advice Site

Online dating site eHarmony is asking some of its users to change their
passwords following the discovery of a security breach.

A SQL injection vulnerability on a secondary site created a possible
means for screen names, email addresses and hashed passwords to be
extracted.

Burglary in minister's chamber

KOLKATA: In a major security breach at Writers' Buildings, thieves
broke into the ante-chamber of the minister of state for information
and cultural affairs, Soumendranath Bera, on Friday morning and stole
the RAM and hard disc from his personal assistant's computer.

The minister's room is on the secretariat's second floor, just above
the rotunda and beside the cabinet room. The police suspect insiders
are involved in the theft that was noticed in the morning. The
miscreants who probably wanted to access data stored in the computer
in the minister's office are suspected to have opened the CPU in the
morning when the room was opened for cleaning around 8 am.

Rana Ray, PA to Bera, lodged a complaint with Hare Street police
station. Police officers inspected the PA's room, adjoining the
minister's chamber, and started a probe on Friday afternoon.

The PA's room is just outside the minister's chamber. One can enter it
from the minister's room as well as the corridor. Police suspect that
the miscreants entered from the corridor.

Ray said that they were in office till 7.30 pm on Thursday and the
computer was in order when they left office. He admitted some
important data had gone with the stolen hard disc and RAM.

Noticing the crime when he tried switching on the computer in the
morning, Ray said, "It would not operate... it must have got locked
when the thief tried to log in but failed to give the right password."
The thief then reportedly snapped the mouse of his computer.

Bera, who was in office when the crime was discovered, was at his
wit's end and the chief secretary was informed.

Earlier, two incidents of theft had been reported from the chief
minister's office at New Delhi's Banga Bhavan in 2009. In those
thefts, too, the RAM and hard disc had been stolen but none was
arrested.

The theft inside Writers' left security staff puzzled as surveillance
had been increased in the secretariat following terror threats over
the years. "The crime is an eye-opener, showing that even a minister's
chamber is not safe," an official said.

ICO raps Gwent Police for emailing 10,000 CRB checks to journalist

Gwent Police has been found to have breached the Data Protection Act
(DPA) after it accidentally emailed the results of 10,006 Criminal
Reference Bureau (CRB) checks to a journalist.

A CID data management staff member at Gwent Police mistakenly copied
the journalist, from online news site The Register, into an email that
contained a spreadsheet of the CRB results. The IT staff member was
using the auto-complete function in Novell’s email software and had
intended to send the email to five police staff colleagues.

Although the Microsoft Excel file did not contain details of criminal
convictions, and the information was not identifiable, 863 of the
records highlighted incidents with the police, as well as providing
full names, dates of birth and occupation.

The Register said that it had deleted the file after Gwent Police’s
professional standards offices travelled to their London offices two
days after being contacted.

The police force criticised the member of staff for sending the email
without following its IT security policies around the importance of
password protection and only sharing information when absolutely
necessary.

Although Gwent Police has taken steps to avoid such a breach occurring
again, Anne Jones, assistant commissioner for Wales, said: “Such a
huge amount of sensitive personal information should never have been
circulated via email, especially when there was no password or
encryption in place.”

The police force has agreed to implement stricter rules to ensure that
wherever possible, information is accessed directly via secure
databases, and to stop the use of generic passwords. It will also
install new technology to prevent the inappropriate auto-completion of
addresses in internal and external email accounts.

This data breach comes as the UK government announced the new
Protection of Freedoms Bill, which Home Secretary Theresa May said
will boost citizens' privacy rights and protect them from unwarranted
state intrusion in their private lives.

For example, the Bill will see the deletion of DNA samples and
fingerprints of innocent people from police database, and the
extension of the scope of the Freedom of Information Act (FOI).

Christopher Graham, Information Commissioner, welcomed the Bill,
saying that it addresses issues that the ICO has been concerned with
for a long time.

“I support the Bill’s aims of strengthening privacy, delivering
greater transparency and achieving improved accountability, as well as
greater independence for the ICO.

“The detail of these important provisions will need careful
consideration. The current proposals on improved regulation of CCTV
and ANPR (Automatic Number Plate Recognition) systems are limited to
the police and local government only, but their use is much more
widespread. We will be examining all of the Bill’s provisions closely
to be satisfied that they will deliver in practice,” he said.

Howard Brown Health Center Breach

Dear Howard Brown Donor and Friend,

At Howard Brown Health Center, we take the security and privacy of our
donors' information very seriously. Yesterday, we identified a
potential breach in our donor database. The donor database that was
potentially breached includes personal phone numbers and email
addresses. At this point, we have no reason to believe that credit
card information has been compromised. We also have no reason to
believe that confidential patient records were inappropriately
accessed.

Howard Brown Health Center is alerting the appropriate authorities and
conducting an internal investigation of this incident. All parties,
including current and former staff members, who played a role in this
unlawful and inappropriate activity will be held accountable, and we
will pursue all available recourse to the fullest extent of the law.

This incident came to our attention because several concerned donors
recently received a libelous anonymous email about Howard Brown Health
Center and its staff. Howard Brown is fortunate to have the support of
a caring community that came to its assistance at its most fragile
moment. Today, thanks to our donors and steadfast allies, like you, we
are paying down our debt; existing on a leaner, balanced budget; and
providing more services to the patients and clients who have come to
rely on us. In this new day at Howard Brown Health Center, we are
thankful for your support as we manage a healthy change to secure the
future of our vital health and wellness programs for generations to
come.

Howard Brown Health Center will continue to provide you with updates
as additional information becomes available. We apologize for the
inconvenience and want to assure you that we are working expeditiously
to address this matter. If you have any questions about this incident,
please contact Chuck Benya, Vice President and Chief Development
Officer, at (773) 388-8793 or chuckb@howardbrown.org. Thank you for
your understanding and have a pleasant President's Day Weekend.

Friday, February 11, 2011

Book Store Security Breach Causing Financial Aid Problems For Some ECU Students

Almost a month after a security breach was recognized and fixed at a
local bookstore near East Carolina University, unauthorized charges
are still posting to some students' accounts. One student says that's
a problem because he's temporarily losing financial aid money.

Andrew Boyd says he bought his books from University Book Exchange in
early January and says on Sunday, he noticed three unauthorized
charges for about $200 on his ECU Higher One card, which he used to
buy his books with.

Higher One distributes financial aid monies to students at East
Carolina and many other universities across the country. Students can
receive the money through a Higher One debit card, or they can choose
to receive a paper check or have the money deposited into a separate
checking account. Boyd says his financial aid money was on his Higher
One card, which was compromised during UBE's security breach. He says
he's contacted Higher One, and was told it could take up to 90 days to
get his money back - a problem because he lives off his financial aid
money.

"I use that money to pay off bills- cell phone, food and stuff - it
kind of puts me at a pretty hard place for paying all that stuff
back," said Boyd.

WITN also talked with ECU's financial aid director Julie Poorman, who
said once financial aid money is distributed, it's not really
considered financial aid anymore - and having it stolen is like having
a computer or other property stolen.

Poorman says if your card has been compromised, you should file a
police report, and says ECU may be able to do a budget adjustment to
help students get more financial aid if they're struggling- although
getting more aid is not guaranteed. UBE says the security breach has
been fixed. It says it's added new security software and is
implementing other security measures in the store as well, but didn't
want to announce what those were.

Oregon Prisons Hit by Worker Info Breach

SALEM, Ore. -- The Oregon Department of Corrections revealed Wednesday
that personal data on hundreds of its employees may have been found on
a portable "thumb drive," including payroll information and Social
Security numbers, but said all indications are that it was accidental
and there's no indication any of the info was misused.

The agency received word on Jan. 27 of the potential information
security breach from a non-employee member of the public. The breach
involved a thumb drive that "allegedly contained personally
identifiable information about DOC employees," the department said.

The agency immediately began an investigation to verify the report and
to determine what data may have actually been on the thumb drive. The
Oregon State Police were notified and are assisting with DOC's
investigation, in addition to facilitating their own external
investigation, officials said.

"Because the thumb drive was damaged prior to the department receiving
it, we cannot know what was on it," the DOC news release said.
However, they added, "Initial forensic findings indicate that at least
two types of information may have been breached:

Staff members' personal information, including social security numbers:

• Payroll reports from Warner Creek Correctional Facility (WCCF) from
July 31, 2005 to Sept. 30, 2007, which included names, social security
numbers and other payroll information.

• Payroll reports from Deer Ridge Correctional Institution (DRCI) near
Madras from Aug. 31, 2006 to Sept. 30, 2007, which included names,
social security numbers and other payroll information.

Staff members' personal information, not including social security numbers:

• Payroll reports from WCCF, DRCI and Shutter Creek Correctional
Institution (SCCI) from Oct. 1, 2007 to present, which included staff
names and other payroll related information similar to what's found on
a pay stub. These reports did not include social security numbers.

At this time, the scope of the potential breach is limited to just
under 550 total staff members; just under 300 staff members' Social
Security numbers have potentially been breached.

"We have no reason to believe staff at institutions other than WCCF,
DRCI, or SCCF should be concerned," the agency's statement said.

"We do not believe the breach was malicious in intent, nor do we have
any indication at this time that the personal information has been
used or misused," they added.

As a precaution, DOC has contracted with ID Experts, a data breach and
recovery services expert to ensure protection for staff members whose
social security numbers may have been compromised. This service will
be free to affected staff. ID Experts will provide staff, whose
personal information (names and SS#s) was potentially breached, with
fully managed recovery services including:
- 12 months of credit and CyberScan monitoring
- A $20,000 insurance reimbursement policy
- Educational materials; and
- Access to fraud resolution representatives

In addition to notifying staff of the breach and providing credit
monitoring services to those whose social security numbers were
involved, DOC is continuing to investigate the situation to determine
exactly how the thumb drive got into the hands of a non-employee.

The agency is also examining internal practices to ensure that the
security of personal information isn't breached in the future.

The department employs approximately 4,500 staff across the state and
operates 14 institutions and multiple worksites.

Visa Introduces Non-U.S. PCI Relief to Push EMV, Pays $190 Million for PlaySpan

Visa Inc. on Wednesday said it will relieve merchants outside the U.S.
of the requirement to validate compliance with the Payment Card
Industry data-security standard (PCI) if the merchants process at
least three-quarters of their Visa transactions from chip-enabled
terminals. In a busy day at the world’s largest payments network, Visa
also announced it is shelling out $190 million in cash to buy PlaySpan
Inc., a Santa Clara, Calif.-based processor of digital-goods
transactions, particularly so-called in-game payments.

The new PCI policy, intended as an incentive to speed up deployment of
so-called Europay-MasterCard-Visa (EMV) chip-and-PIN systems,
apparently represents the first time a major card network has offered
to lift the PCI-validation requirement from merchants’ shoulders since
the data-security standard was introduced six years ago. Though
effective in combating data breaches if followed rigorously, PCI and
its complex rules often provoke protests from merchants trying to
stretch scarce resources over a wide range of functions.

But Visa is pointedly excluding the U.S. market from its new policy,
which it calls its Technology Innovation Program, citing uncertainties
created by the Durbin Amendment to the Dodd-Frank Act. That law, along
with implementing rules proposed by the Federal Reserve, will
drastically cut the debit card interchange income flowing to issuers.
While the amendment makes allowances for issuers’ fraud-fighting
expenses, how costs for EMV and other such technologies might
ultimately be incorporated into the Fed’s rules remains unclear. The
Fed released its proposal in December and is expected to issue final
rules by April 21.

Many regions of the world, including, most recently, Canada, have
rolled out or are starting to roll out EMV, a technology that
ultimately replaces magnetic stripes with chips that store and protect
cardholder credentials. A security technology that works with EMV, and
one that Visa has been heavily promoting, is dynamic data
authentication. With this technology, the chip transmits back to the
issuer a cryptographic message that authenticates the card as genuine.
The message changes with each transaction, so it is useless if
intercepted.
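The property described above, a per-transaction cryptogram that is worthless to replay, can be illustrated with a deliberately simplified model. This is an added example, not the article's content and not the actual EMV cryptogram derivation (real cards use card-specific session keys and a defined data layout); the card key, the transaction counter and the terminal's unpredictable number are constructed for the illustration.

```python
import hashlib
import hmac

# Constructed sample: a per-card secret shared between the chip and the issuer.
# In this simplified model the card MACs the transaction data with it directly.
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def card_cryptogram(key: bytes, atc: int, amount_cents: int,
                    unpredictable_number: bytes) -> bytes:
    """Chip side: bind the transaction counter (ATC), the amount and the
    terminal's random challenge into a short MAC. Because the ATC and the
    challenge differ every time, the output is unique per transaction."""
    data = (atc.to_bytes(2, "big")
            + amount_cents.to_bytes(6, "big")
            + unpredictable_number)
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class IssuerHost:
    """Issuer side: recompute the expected cryptogram and reject anything
    whose counter does not move forward (a replay of an intercepted message)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_atc = 0  # highest counter accepted so far for this card

    def verify(self, atc: int, amount_cents: int,
               unpredictable_number: bytes, cryptogram: bytes) -> bool:
        if atc <= self.last_atc:
            return False  # stale or replayed counter value
        expected = card_cryptogram(self.key, atc, amount_cents,
                                   unpredictable_number)
        # Constant-time comparison so verification timing leaks nothing.
        if not hmac.compare_digest(expected, cryptogram):
            return False  # wrong key, tampered amount or tampered challenge
        self.last_atc = atc
        return True
```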

The Technology Innovation Program is intended to give merchants an
incentive to install and use EMV by relieving them of the costs and
hassles of PCI-compliance validation, Visa says. “It wasn’t prompted
out of concern for the rate of adoption, although we want to
accelerate the rate of adoption [among merchants] that have decided to
adopt EMV technology,” Eduardo Perez, head of global data security at
Visa, tells Digital Transactions News.

To qualify for the program, a merchant must have installed and enabled
chip-reading terminals. “The terminal has to be enabled, it can’t just
be capable,” says Perez. The merchant must also: have previously
validated its PCI compliance or have submitted a plan to do so; not
have sustained a data breach recently; not store card data; and comply
with PCI, even if it no longer has to prove that it does.

While leaving out the U.S. market might seem at first glance a glaring
omission, Perez says lack of clarity about how issuers’ security
investments will be allowed for against the Fed’s stringent debit card
interchange caps makes it difficult to ask banks to take on EMV costs.
Merchants would buy and install chip card readers, but banks would
have to issue chip cards to replace mag-stripe cards. Because of
Durbin, “it’s unfeasible at this point to move the [U.S.] market in
that direction,” Perez notes.

Labour Forum Leaks Email Addresses

Basic design flaws on a Labour party members forum exposed the email
addresses of users to harvesting.

Surfers who register through the site http://members.labour.org.uk were
invited to confirm their membership, and activate their account, by
clicking on the link in an email sent to a specified account.

The email follows the form
http://members.labour.org.uk/man-auth/ActivationSent/10000XXXXX

A Reg reader who registered through the site realised that the number at
the end of this URL is probably sequential, a unique id which refers to
the account just registered. Sure enough, just changing the ID in the
URL to a lower number led to the presentation of an email address of
another registrant ...
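The flaw described above is an insecure direct object reference: the activation page trusts a guessable sequential id from the URL. The model below, an added example that is not the Labour site's code, contrasts that design with one that keys the page on an unguessable, single-use token bound to the account; the registration table and path format are constructed for the illustration.

```python
import secrets
from typing import Dict, Optional

# Constructed sample registrations: sequential database id -> email address.
REGISTRATIONS: Dict[int, str] = {
    1000000001: "first@example.org",
    1000000002: "second@example.org",
    1000000003: "third@example.org",
}


def activation_page_insecure(path_id: int) -> Optional[str]:
    """Models the flawed design: the URL carries the sequential account id
    and the page shows whatever address that id maps to. Editing the number
    in the link reveals another registrant's address."""
    return REGISTRATIONS.get(path_id)


class ActivationStore:
    """Hardened design: the link carries a random token that is bound to one
    account when the email is sent. The page never reads an account id from
    the URL, so there is nothing sequential to alter."""

    def __init__(self) -> None:
        self._by_token: Dict[str, int] = {}

    def issue_link(self, account_id: int) -> str:
        # 32 random bytes (about 43 URL-safe characters): not enumerable.
        token = secrets.token_urlsafe(32)
        self._by_token[token] = account_id
        return f"/man-auth/ActivationSent/{token}"

    def activation_page_secure(self, token: str) -> Optional[str]:
        # Single use: the token is removed on its first successful lookup,
        # so a link that leaks later (logs, referrers) is already dead.
        account_id = self._by_token.pop(token, None)
        if account_id is None:
            return None
        return REGISTRATIONS.get(account_id)
```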

Oil Firms Hit by Hackers From China, Report Says

Hackers who appear to be based in China have conducted a "coordinated,
covert and targeted" campaign of cyber espionage against major Western
energy firms, according to a report expected to be issued Thursday by
cybersecurity firm McAfee Inc.

Law-enforcement agencies said they are investigating the incidents,
which McAfee said have been going on at least since late 2009 but may
have started as early as 2007. The company said the attacks, which
they dubbed "Night Dragon," were still occurring.

McAfee said the hackers targeted five multinational firms, but
wouldn't identify the companies by name because some of them are
clients. McAfee said it was sharing the findings "to protect those not
yet impacted and to repair those who have been." Asked if they were
victims of the hacking, BP PLC and ExxonMobil Inc., among other large
oil companies, declined to comment. Chevron Corp. said it wasn't aware
of any successful hacks into the company's data systems by Night
Dragon.

Sensitive Internal Documents Taken

According to McAfee, the cyberattacks successfully took gigabytes of
highly sensitive internal documents, including proprietary information
about oil- and gas-field operations, project financing and bidding
documents. And that pattern of espionage, the company said, should
raise fresh alarms in the corporate world about information theft.

"While Night Dragon attacks focused specifically on the energy sector,
the tools and techniques of this kind can be highly successful when
targeting any industry," the report states.

McAfee and its competitors have an incentive for publicizing threats
like Night Dragon because they are in the business of selling
cybersecurity services. The company has informed the FBI of its
report, which said it was investigating the attacks and took the
matter seriously.

U.S. intelligence agencies have warned in recent years that China is
developing sophisticated cyber warfare strategies which could be used
to attack governments and key industries. China, the second-largest
economy after the U.S., is keenly interested in competing for energy
resources around the world to fuel domestic growth.

"It's important to get this out in public discussion, so companies can
identify that kind of threat," said Ron Plesco, CEO of the National
Cyber Forensic Training Alliance Foundation, a group that tracks
cybercrime threats. "And sharing information adds toward the ultimate
goal of mitigation."

The Night Dragon attacks used hacking tools that exploited Microsoft
Corp. operating systems and remote administration tools to copy and
extract information, according to McAfee. It appears to have been
designed purely for spying. "We saw no evidence of sabotage
activities" in these attacks, said Dmitri Alperovitch, vice president
of threat research at McAfee.

Trail Leads Back to China

Mr. Alperovitch said researchers were able to trace data taken from
those companies back to Chinese Internet addresses in Beijing. The
hacking tools used were mainly of Chinese origin, he said, and the
hackers didn't take steps to cover their tracks.

"These individuals almost seemed like company worker bees," he said.
"They operated on a strict weekdays, nine-to-five Beijing time-zone
schedule."
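The "nine-to-five Beijing time-zone schedule" observation is a standard piece of forensic timeline analysis: convert event timestamps into candidate local time zones and see which one makes the activity cluster into a working week. The following is an added example, not McAfee's code or data; the event timestamps are constructed, and a fixed UTC+8 offset is assumed for Beijing (which observes no daylight-saving time).

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Beijing has no daylight-saving time, so a fixed UTC+8 offset is enough here
# (assumption for this example; DST zones would need zoneinfo).
BEIJING_OFFSET_HOURS = 8

# Constructed sample: UTC timestamps of outbound transfer events as they might
# appear in a proxy or firewall log (illustrative, not from the report).
SAMPLE_EVENTS_UTC: List[str] = [
    "2011-01-10T01:15:00Z",  # Mon 09:15 at UTC+8
    "2011-01-10T03:40:00Z",  # Mon 11:40
    "2011-01-11T06:05:00Z",  # Tue 14:05
    "2011-01-12T08:50:00Z",  # Wed 16:50
    "2011-01-12T09:30:00Z",  # Wed 17:30
    "2011-01-13T02:30:00Z",  # Thu 10:30
    "2011-01-14T07:10:00Z",  # Fri 15:10
    "2011-01-15T04:00:00Z",  # Sat 12:00 (weekend: outside the pattern)
    "2011-01-17T18:00:00Z",  # Tue 02:00 (night: outside the pattern)
]


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def to_local(dt_utc: datetime, offset_hours: int) -> datetime:
    """Shift an aware datetime into a fixed-offset local zone."""
    return dt_utc.astimezone(timezone(timedelta(hours=offset_hours)))


def in_business_hours(local: datetime, start: int = 9, end: int = 18) -> bool:
    """True on a weekday with start <= hour < end (09:00-17:59 by default)."""
    return local.weekday() < 5 and start <= local.hour < end


def business_hours_fraction(events: List[str], offset_hours: int) -> Tuple[float, Counter]:
    """Fraction of events inside local business hours, plus a local-hour histogram."""
    hours: Counter = Counter()
    hits = 0
    for stamp in events:
        local = to_local(parse_utc(stamp), offset_hours)
        hours[local.hour] += 1
        if in_business_hours(local):
            hits += 1
    return hits / len(events), hours


def best_fitting_offset(events: List[str]) -> int:
    """UTC offset whose weekday 9-to-5 window covers the most events.

    On its own this is weak evidence; it is read together with the other
    indicators the text mentions (tooling origin, infrastructure).
    """
    scores = {off: business_hours_fraction(events, off)[0] for off in range(-12, 15)}
    return max(scores, key=scores.get)


if __name__ == "__main__":
    frac, hist = business_hours_fraction(SAMPLE_EVENTS_UTC, BEIJING_OFFSET_HOURS)
    print(f"fraction in Beijing business hours: {frac:.2f}")
    print("local-hour histogram:", sorted(hist.items()))
    print("best-fitting UTC offset:", best_fitting_offset(SAMPLE_EVENTS_UTC))
```

With the constructed sample, seven of the nine events fall inside a Beijing working day and UTC+8 is the offset that fits best; real logs have far more noise, which is why the histogram is worth inspecting rather than trusting the single best offset.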

Through forensic research, McAfee identified one individual who
appeared to provide the external servers used by the hackers. McAfee
identified this individual as Song Zhiyue, based in Heze City,
Shandong Province, China. It is unclear to what extent Mr. Song might
have been aware of the espionage. McAfee believes many actors
participated in these attacks.

Mr. Alperovitch said it was unclear if the attacks were done with any
official sanction. "The facts point to Chinese hacker activity that is
organized, so [it is] potentially directed either by the private
sector or the public sector. But it's impossible for me to know for
sure which one," he said.

Wang Baodong, a spokesman for the Chinese embassy in Washington, said
he had no knowledge of the report, but added that past allegations
about Chinese hacking had been raised unfairly. "China has very strict
laws against hacking activities, and China is also a victim of such
activity," he said.

A 2010 Defense Department report to Congress on Chinese military
capabilities said computer systems around the world, including U.S.
government networks, had been the target of intrusions that appear to
originate from China. The report added that it was unclear if those
intrusions were done at the behest of the Chinese military or elements
of the Chinese government.

Early last year, Google Inc. took the unusual step of complaining
publicly about sophisticated cyberattacks that it claimed had
originated in China. McAfee investigated those attacks, which it
dubbed Operation Aurora. Leaked U.S. diplomatic cables collected by
the WikiLeaks website included allegations that the attacks were
ordered by top Chinese leaders.

Security site gets 'pwned'

In cyberspace they call it "getting pwned". It happened to the
American tech-security company HBGary Federal when it tried to
infiltrate a hacktivist network called Anonymous.

Aaron Barr, chief executive of the Washington-based company, said his
firm infiltrated the collective behind recent pro-WikiLeaks cyber
protests.

Anonymous's revenge was swift. They defaced HBGary's website, broke
into its messaging system, dumped 60,000 emails and hijacked Barr's
Twitter account to tweet abuse and personal information.

The term "pwned" - pronounced poned - originated from a typo in online
gaming and means to be dominated.

Over the past four years Anonymous has gained a reputation for being
one of the most mercurial and chaotic meeting spaces for online
mischief-makers. Recently it has gained notoriety for assaults on
government and commercial sites criticising WikiLeaks.

Its damaging "denial-of-service" attacks on companies such as PayPal,
Mastercard and Visa have resulted in recent arrests in Europe and the
United States. Private security firms are determined to uncover the
site's management.

Barr said his firm had managed to infiltrate Anonymous through its
chat rooms and that the organisation was run by a hardcore of 30
members with 10 who "are the most senior and co-ordinate and manage
most of the decisions". Anonymous has always styled itself as an
anarchic democratic collective with no leadership.

In a message left on HBGary's website, the hackers taunted their
pursuers with the message: "You think you've gathered full names and
addresses of the 'higher-ups' of Anonymous? You haven't. You think
Anonymous has a founder and various co-founders? False."

The attack successfully penetrated HBGary's website through a
compromised support server.

HBGary founder Greg Hoglund has promised revenge. "We try to protect
the US Government from hackers. They couldn't have chosen a worse
company to pick on," he said.

[Dataloss] Identity-theft statistics look better, but you still don't want to be one

There's some good news and some bad news about identity theft.

The good news is that last year the number of people victimized
decreased 28 percent, to 8.1 million, according to a report by Javelin
Strategy & Research. Although that's still a huge number, it's 3
million fewer victims than in 2009. Overall losses from identity fraud
also fell last year, to $37 billion, from $56 billion in 2009.

Using stolen Social Security numbers or credit cards and other
financial information, identity thieves, among other crimes, buy cars,
get cellphones and open new credit card accounts.

For eight years, Javelin has been tracking trends in identity theft,
helping to keep a national focus on this category of crime. Last year,
the plummet in the crime was the largest annual decrease since Javelin
started tracking it in 2003.

So, what's different?

For one thing, there has been a significant drop in data breaches, or
situations in which batches of personal information have become
vulnerable to identity thieves. The number of breaches last year was
down by almost one-third, to 407 incidents, or 26 million records
exposed, according to the DataLossDB project. Again, still a huge
number, but at least it's down - from 604 breaches, or 221 million
records exposed, in 2009.

"We definitely see evidence that the banks and other institutions are
taking stronger precautions to prevent data breaches," said James Van
Dyke, president and founder of Javelin. "Data breaches are a big deal.
You are eight times more likely to be a victim of fraud if you get a
data-breach notice." Consumer-education efforts may be another factor,
Van Dyke said.

Shadowing the good news in the Javelin report were two not-so-good details.

The average out-of-pocket expense for victims increased 63 percent,
from $387 per incident in 2009 to $631 in 2010.

Generally, consumers are not held liable for fraudulent debt, but many
victims still end up having to shell out money to clear their names.
Van Dyke said some consumers, who get tired of the creditor calls,
just pay the bills. Others end up with legal fees. A victim of
identity theft may have to hire a lawyer if the criminal's actions
under the stolen name lead law enforcement officials to come after the
wrong person.

Javelin also found that "friendly fraud" grew 7 percent. That's the
term for identity theft committed by someone known to the victim.
People 25 to 34 years old are most likely to be victims of this type
of fraud.

If you want to decrease your chances of becoming a victim of identity
theft, follow these tips from Javelin:

- Protect your personal data. Shred documents that contain personal
and financial data. I know you've heard it before, but one slip and
your information is compromised. My husband and I nearly slipped
recently. I was going through the recycling bin to double-check that
we hadn't tossed any revealing paperwork. To my dismay, my husband had
accidentally dropped in several old checkbooks. It was the kind where
you have duplicate copies of your checks. For added security, the
duplicates don't reveal our name, address or bank account number, but
at the back of a couple of the books were a few unused deposit slips
that did contain our names, address and full account number.

- Don't share so much on social networks. People using social
networking for five or more years are twice as likely as those newer
to these sites to suffer identity fraud.

- Monitor your bank and credit card accounts more than once a month.
Javelin found that 48 percent of all reported identity-fraud cases
were caught by consumers.

- Pay attention to official notices that your personal information has
been lost or stolen. If you get such a letter, regularly monitor your
credit reports or any affected accounts. Take advantage of free credit
monitoring if it's offered.

"A lot of individuals will get a data-breach notice and do absolutely
nothing," Van Dyke said. "They feel the letter itself is an indication
that someone is looking out for them." Identity theft is a crime that
may not seem so serious until it happens to you and your life becomes
filled with frustration for days and weeks as you try to persuade
creditors or even law enforcement officials that you've been a victim.

Russian hacker pleads guilty over $9m RBS WorldPay heist

A Russian man has pleaded guilty to his part in a 2008 cyber-attack on
RBS WorldPay's computer network, which led to the theft of over $9.4
million, according to press reports.

Yevgeny Anikin was part of a gang behind the attack on WorldPay's
systems, which compromised the encryption used by the processor to
protect customer data on payroll debit cards.

This allowed the criminals to raise the limits on accounts before
handing over 44 counterfeit payroll debit cards to a network of
"cashers" who withdrew over $9 million in less than 12 hours from more
than 2100 ATMs in at least 280 cities worldwide, including in the US,
Russia, Ukraine, Estonia, Italy, Hong Kong, Japan and Canada.

According to local press reports, Anikin used proceeds from the con to
buy two apartments in the Siberian city of Novosibirsk as well as a
luxury car.

The crook - who has been under house arrest since 2009 - reportedly
told a court "I want to say that I repent and fully admit my guilt"
before receiving a five-year suspended sentence, says RIA News.

Last year, one of the masterminds behind the attack, Viktor Pleshchuk,
escaped with a six-year suspended sentence from a Russian court. His
fellow ringleader, Estonian Sergei Tsurikov, has been less fortunate;
he was extradited to the US to face charges which, if he is found
guilty, could see him jailed for up to 35 years.

Nasdaq Hack Brings Security Issues Into The Boardroom

Have you been having trouble getting your board of directors to care
about information security? This weekend’s news that Nasdaq’s
Directors Desk web application was compromised by hackers may help to
improve your situation.

Details have been elusive thus far, but reports indicate that multiple
breaches occurred, resulting in “suspicious files” on the company’s
servers. A statement released by Nasdaq assures us that its trading
systems and customer data were not compromised, and those in the know
tend to agree that infiltrating the trading systems would be
substantially more difficult than breaking into the web environment
and leaving a few files behind. As the investigation continues,
hopefully we'll learn more, but what can we take away from this story
so far?

The list of attractive hacker targets continues to grow. Whoever
perpetrated this breach chose not to go after traditionally lucrative
targets like customer/employee data or a more difficult and
devastating attempt to dismantle one of the world’s biggest exchanges.
Instead the target was a more accessible set of extremely sensitive
corporate data – details about mergers, acquisitions, dividends, and
earnings. Without much sophistication, criminals could use this
information to execute rather impressive “insider trading”
transactions or simply find an outlet like WikiLeaks for some of the
more embarrassing tidbits.

Normal monitoring should have caught this breach sooner. A federal
official told the Associated Press that the attacks took place over
the course of a year, while Nasdaq’s statement said the files were
found through the company’s “normal monitoring systems.” It would
appear that the monitoring functions were not as frequent or effective
as they should have been.

The government will get even more involved if there’s a perceived lack
of control. While we still don’t know if hackers gained any useful
information from this attack, the potential implications touched many
of today’s most buzz-worthy topics... investor confidence, corporate
oversight, and financial market stability. Legislators on both sides
of the house were quick to press Nasdaq and other exchanges, as well
as regulators, for more information about what’s being done “to ensure
the ongoing integrity and security of exchange trading systems and
clearinghouses.” If they don't like the answers, expect more rules and
oversight to follow.

It’s a good time for a heart-to-heart with your board about security.
You don’t have to build a horrific awareness campaign about the
hackers lurking around every corner... but it’s important for the
board of directors to know that their mobile devices, email accounts,
and online communications may very likely be a target of attack.
Directors and top executives who often expect policy exceptions should
understand the potential risks those exceptions expose. Also, it
wouldn’t hurt to look into the way your board members communicate to
make sure top-level secrets are appropriately protected.

Is the Protection of Personal Information Bill (POPI) a necessary evil or opportunity for value add?

The corporate world is currently debating the Protection of Personal
Information Bill (POPI) which will soon be promulgated. Much of this
debate centres on how onerous the minimum requirements for compliance
will be, how long organisations will be given to comply and what the
cost implications are likely to be.

Many companies have chosen to take a ‘wait and see’ approach. “Our
experience has shown that those companies that see regulatory changes
as an opportunity for increasing business value adopt a more positive,
proactive approach and also spend considerably less in achieving
compliance over the long term,” comments Dean Chivers, Director Tax &
Legal, at Deloitte. “They are able to link compliance
requirements to the entire value chain of the business so that each
functional area buys into its importance, realises the value that can
be delivered to the business and collectively bring about change to
realise this value.”

Chivers cautions that companies should implement POPI compliance as
prudently as possible. “Be realistic – your organisation will not be
completely compliant by the time the Act is promulgated in September.
POPI is not exclusively an IT or legal or a process or a security
issue, it’s a combination of all of these. Create the framework within
which POPI will be managed within your organisation, and then build
awareness amongst staff around both POPI and your entity’s POPI
compliance framework. This will start to drive POPI issues into your
framework, thereby facilitating a proactive, self-regulating model.”

Kris Budnik, Director of Risk Advisory, at Deloitte, recommends that
a response strategy be established, with the responsible person being
one who understands what the law requires.

“Decide on your corporate ethics policy and define and communicate
it, teaching your organisation to look out for problems,” says Budnik.
“Take the approach that you have done the best you possibly could
have. When a problem arises, react quickly and correctly to deal with
it and close the loophole. Look for triggers that indicate your
processes are not working properly.”

According to Chivers, the POPI Bill will be the catalyst for
companies to add value while achieving compliance. They should engage
with their customers in the process and use it as an opportunity to
build customer trust in the company by highlighting the company’s
efforts to treat customer’s personal information with respect and
confidentiality.

The following are just some of many opportunities:

-There is tremendous advantage to be gained from proactively engaging
customers ahead of promulgation, for example:
  -Positive customer approvals are more likely to be obtained prior to
  promulgation and prior to the market being flooded with requests;
  -Valuable insights can be obtained from a company’s existing customer
  database now, ahead of customer requests for data deletion;
  -Customers will become aware of the fact that POPI will result in the
  protection of their personal information, something most people will
  appreciate. Companies that lead the market in becoming POPI compliant
  will gain customer respect and loyalty;

POPI can also deliver many potential positives within a company, to name a few:

-Technology gets the budget go-ahead for middleware and data
warehouses, new SAP modules, data security upgrades, etc, which add
value when linked to the overall business strategy
-Data analysis of personal information for purposes of POPI compliance
can yield significant useful information around customers and markets
-Provides positive motivation to interface with customers, alumni,
potential employees, personal networks
-Employee files get updated and remain up-to-date
-Contracts are reviewed and updated and may even be better than before

Budnik recommends that the initial step should be a quick start
process prior to promulgation, followed by detailed design and
implementation of value-adding initiatives. This will allow the
company to gain momentum and build a platform for future
opportunities. Firstly, understand the extent of POPI impact on
customer and channel strategy, brand positioning and employee
proposition; determine possible impacts on people, processes,
technology and systems; and define key data requirements for business
sustainability.

Thereafter, look at the following opportunities:

-Identify value-adds beyond minimum compliance
-Design customer interactions to increase market share
-Realign processes for a more customer focused organisation
-Link to other initiatives such as process streamlining, productivity
improvement and employee communication
-Select technology to support more than just data integration, e.g.
non-intrusive technology options ranging from cloud technology, to
separate software and simple upgrades
-Build the customer focused organisation by digging deeper into
existing customer data
-Use an approach that first establishes the organisational needs and
gaps before moving to an ‘all ends at once’ implementation
-Adopt a ‘build to last’ approach for ongoing organisational sustainability

In summary, organisations can gain measurable business performance
improvements by approaching the Protection of Personal Information
Bill as a strategic opportunity rather than an onerous compliance
cost. Realising this potential value from the Bill, however, requires
a shift in organisational mindset.

“Don’t be limited or restricted by your existing database,” says
Chivers. “Use it as a contact list and first cut segmentation, design
a meaningful database for future strategy and populate it by means of
an automated permission campaign; don’t be restricted to a single tool
or methodology – select those which are most appropriate for your
needs; ensure your approach is strategic. Include change management in
your implementation; don’t be purely focused on data analytics, ensure
that your approach is aligned to your business priorities as well as
people, process, technology and system enablers.”

Chivers goes on to say “Every article or advertisement I have ever
read on POPI compliance states that POPI compliance needs to start
with an analysis of data. This is complex, expensive, takes time and
not necessarily effective. Understand your IT, legal, process and
security options before jumping on the analysis bandwagon. Ask
yourself whether an analysis of data gets you closer to compliance.
POPI compliance will require a level of data analysis at some point in
the process, but rarely at the outset. Analyse the options and
consider the best process for your company. There are a number of
options, so give yourself the best chance of adopting the most
appropriate one for your company.”

Friday, February 4, 2011

Researchers pry open Waledac, find 500,000 email passwords

Researchers have taken a peek inside the recently refurbished Waledac
botnet, and what they've found isn't pretty.

Waledac, a successor to the once-formidable Storm botnet, has passwords
for almost 500,000 POP3 email accounts, allowing spam to be sent through
SMTP servers, according to findings published on Tuesday by security firm
Last Line. By hijacking legitimate email servers, the Waledac gang is able
to evade IP-based blacklisting techniques that many spam filters use to
weed out junk messages.
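The point of relaying through hijacked legitimate mailboxes is that the sending server's reputation stays clean, so IP blacklisting has nothing to match. The control that does see this abuse is per-account telemetry on the submission server: a single mailbox password suddenly exercised from many unrelated client addresses. The following is an added example, not code or data from Last Line; the log lines are constructed and only loosely modelled on a submission-server authentication log, and the threshold of two source addresses is an illustrative assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample log, loosely modelled on the shape of a submission-server
# authentication log (illustrative; not taken from any real server).
SAMPLE_AUTH_LOG = """\
2011-02-01T08:01:12Z smtpd: client=203.0.113.10 sasl_username=alice@example.invalid
2011-02-01T08:03:40Z smtpd: client=203.0.113.10 sasl_username=alice@example.invalid
2011-02-01T08:04:02Z smtpd: client=198.51.100.7 sasl_username=bob@example.invalid
2011-02-01T08:04:15Z smtpd: client=198.51.100.99 sasl_username=bob@example.invalid
2011-02-01T08:04:29Z smtpd: client=192.0.2.44 sasl_username=bob@example.invalid
2011-02-01T08:05:01Z smtpd: client=192.0.2.45 sasl_username=bob@example.invalid
2011-02-01T08:05:33Z smtpd: client=198.51.100.8 sasl_username=bob@example.invalid
2011-02-01T08:06:00Z smtpd: client=203.0.113.11 sasl_username=carol@example.invalid
this line is malformed and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) smtpd: client=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"sasl_username=(?P<user>\S+)$"
)


def parse_auth_log(text: str) -> List[Dict[str, str]]:
    """One record per well-formed line; malformed lines are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def sources_per_user(records: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Distinct client IPs that authenticated as each account."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        seen[r["user"]].add(r["ip"])
    return dict(seen)


def flag_shared_credentials(records: List[Dict[str, str]],
                            max_sources: int = 2) -> Dict[str, int]:
    """Accounts used from more than max_sources distinct IPs, with the count.

    A password exercised from many unrelated addresses is the per-account
    signal that server-IP blacklisting cannot see, because the relay itself
    is a legitimate, reputable server.
    """
    return {
        user: len(ips)
        for user, ips in sources_per_user(records).items()
        if len(ips) > max_sources
    }


if __name__ == "__main__":
    recs = parse_auth_log(SAMPLE_AUTH_LOG)
    for user, n in flag_shared_credentials(recs).items():
        print(f"ALERT {user}: authenticated from {n} distinct client IPs")
```

In the constructed sample only one account trips the rule; on a real server the threshold would be tuned per user population (roaming users legitimately change address), and the natural response is to force a password reset and rate-limit that account's submissions rather than to block the server.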

What's more, Waledac controllers are in possession of almost 124,000 FTP
credentials. The passwords let them run programs that automatically infect
the websites with scripts that redirect users to sites that install
malware and promote fake pharmaceuticals. Last month, the researchers
identified almost 9,500 webpages from 222 sites that carried poisoned
links injected by Waledac.

The discovery comes a month after a new malware-seeded spam run was
spotted. This had all the hallmarks of the Storm botnet. Storm was all the
rage in 2007 and 2008 but the botnet then turned largely silent, most
likely as a result of the prolific amounts of spam it generated. Among the
sleeping giants stirred by that success was Microsoft, which last year
successfully sued to obtain 276 internet addresses used to control
Waledac.

Hackers steal Co-op patrons' personal information

Falling victim to digital maliciousness, HuskyDirect.com was hacked early
last week, leaving credit card numbers and other customer information up
for the hacker's grabs.

HuskyDirect.com is an official vendor of UConn sports goods that works in
cooperation with the UConn Co-op. The site has been taken down, citing on
its homepage that it is "undergoing crucial maintenance." The page is not
expected to be operational until Co-op officials have confidence the
vendor has fixed any problems that left the site vulnerable in the first
place. According to the HuskyDirect homepage, it will be at least "a few
days" before confidence is restored and the site is resurrected.

While it has been reported that only those who have made purchases through
HuskyDirect were affected (Co-op customers need not worry unless they
purchased goods from HuskyDirect.com), the tally of victims is not slight.
UConn informed 18,000 online shoppers of the breach, and suggested they
make efforts to protect their information and, subsequently, themselves.

"To help guard against any fraudulent use of your personal information, we
are offering you credit monitoring services," an email issued to all
HuskyDirect customers read. "If you detect any suspicious activity on your
account, you should promptly notify the institution with which the account
is maintained and also contact your local law enforcement."

Bruyere health centre reports data breach

Patients at Bruyere Family Medicine Centre in Ottawa are being warned that
some of their personal information may have been on two computers that
were recently stolen.

Bruyere Continuing Care said in a statement that neither of the computers
contained any medical information, but said data for patients seen at the
clinic between 1971 and July 1, 2006, may be on the computers.

Personal data may include name, date of birth, street address, telephone
number or health card number. The data breach could affect up to 60,000
patients.