Thursday, March 31, 2011

Portion of TripAdvisor Member Email List Hacked, Stolen

Travel site TripAdvisor on Thursday said that a portion of its member
e-mail list had been stolen, though member passwords were not
compromised.

"We've confirmed the source of the vulnerability and shut it down,"
Steve Kaufer, co-founder and CEO of TripAdvisor, said in an e-mail to
users. "We're taking this incident very seriously and are actively
pursuing the matter with law enforcement."

Kaufer said only a "portion" of its e-mail addresses were taken, and
most users will not be affected. "You may receive some unsolicited
emails (spam) as a result of this incident," he wrote.

Kaufer said he is reaching out to users because "we think it's the
right thing to do." He said that the site does not collect credit card
or financial information, or sell or rent its member list.

"We will continue to take all appropriate measures to keep your
personal information secure at TripAdvisor," he wrote. "I sincerely
apologize for this incident and appreciate your membership in our
travel community."

The news comes the same day that potential TripAdvisor rival Gogobot
announced plans to integrate with Expedia, Kayak, Hotels.com, Orbitz,
and Priceline so that users can directly book flights and hotels on
the site.

In September, TripAdvisor launched SniqueAway.com, a site that
combines the company's highly-reviewed hotels with special deals on
those properties.

Tax season: The IRS is the least of your concerns

Would you be surprised if I told you that nearly 40 percent of all
data leaks within the past three years have happened between January
and April? According to the Open Security Foundation's DataLossDB,
there have been 2,402 data loss incidents reported between 2007 and
2010, and 916 of them happened during tax season.
Coincidence? Maybe…

There is no question that businesses are already transferring
increased amounts of sensitive financial and company information among
partners, customers and third-party consultants to meet the April 15
deadline. But during tax season, there is a question that needs to be
front of mind for every IT and security professional: Who is
transferring what, to whom, when and why?

That is more than one question, but you get the idea.

The stats tell us that data leakage in the first third of the year is
a noteworthy concern and let's face it, security isn't top-of-mind for
the employees in your finance, audit and operations departments.

They know the deadline is around the corner and are going to do
whatever it takes to get their job done – which usually includes using
personal webmail to transfer large, sensitive files and using USB
flash drives to bring balance sheets, customer lists and intellectual
property home with them for after-hours work or to quickly and easily
share the data with an outside consultant.

Security professionals need to be on the lookout for risky file
transfer activity – especially between January and April.

Here are a few tips to help ensure that sensitive information isn't
walking out the door:

Gain visibility and insight: It is impossible to control what you
can't see. Security staff needs complete visibility and context into
all file transfer activity, internal and external, to understand
patterns, identify risks and prevent malicious or accidental leakage.
This visibility needs to extend beyond just employees – including
third-party consultants or auditors that are plugging into your
network, accessing your data and handling business-critical
information.
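The visibility tip above is easiest to act on when file-transfer events are already being logged and a small amount of policy is applied to them. The following is an added example (not code from the original article): it triages constructed, pipe-separated transfer log lines and flags the behaviours the column singles out, such as personal webmail, removable media, sensitive files going to unapproved destinations, and large or after-hours transfers. The log format, the domain lists, the keyword list and the size threshold are all assumptions made for the example.

```python
"""Triage of file-transfer log lines for tax-season risk indicators.

Added example, not code from the original article. The log format is
constructed for illustration: one event per line, pipe-separated fields
  timestamp|user|channel|destination|filename|size_bytes
where channel is 'web', 'email' or 'usb' and destination is a domain,
host name or removable-device id.
"""
from datetime import datetime

# Constructed policy data; a real deployment would load these from its DLP config.
PERSONAL_WEBMAIL = {"gmail.com", "google.com", "yahoo.com", "hotmail.com", "aol.com"}
APPROVED_PARTNERS = {"auditfirm.example", "taxadvisor.example"}
SENSITIVE_KEYWORDS = ("balance", "payroll", "w2", "1099", "customer", "ledger")
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024  # 50 MiB
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59 counts as normal activity

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2011-03-28T09:12:04|jdoe|email|auditfirm.example|q1_balance_sheet.xlsx|2400000
2011-03-28T19:41:33|asmith|web|mail.google.com|customer_list_2010.csv|8100000
2011-03-29T02:05:10|consultant7|usb|USB-4F21|payroll_2010.xls|1200000
2011-03-29T10:30:00|mlee|email|gmail.com|family_photos.zip|95000000
2011-03-29T11:02:45|jdoe|email|taxadvisor.example|ledger_final.pdf|300000
"""


def parse_line(line):
    """Split one log line into a dict with typed fields."""
    ts, user, channel, dest, fname, size = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "channel": channel,
            "dest": dest.lower(), "file": fname.lower(), "size": int(size)}


def _registered_domain(host):
    """Reduce 'mail.google.com' to 'google.com'; crude, but enough for this example."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def risk_indicators(event):
    """Return the list of policy indicators an event trips (empty list = no concern)."""
    hits = []
    sensitive = any(k in event["file"] for k in SENSITIVE_KEYWORDS)
    domain = _registered_domain(event["dest"])
    network = event["channel"] in ("web", "email")
    if network and domain in PERSONAL_WEBMAIL:
        hits.append("personal-webmail")
    if event["channel"] == "usb" and sensitive:
        hits.append("sensitive-to-removable-media")
    if network and sensitive and domain not in APPROVED_PARTNERS:
        hits.append("sensitive-to-unapproved-destination")
    if event["size"] >= LARGE_TRANSFER_BYTES:
        hits.append("large-transfer")
    if sensitive and event["ts"].hour not in BUSINESS_HOURS:
        hits.append("after-hours-sensitive")
    return hits


def triage(log_text):
    """Map each flagged event, keyed by (user, filename), to its indicators."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        hits = risk_indicators(event)
        if hits:
            findings[(event["user"], event["file"])] = hits
    return findings


if __name__ == "__main__":
    for (user, fname), hits in triage(SAMPLE_LOG).items():
        print(f"{user:12} {fname:28} {', '.join(hits)}")
```

Transfers to approved partners of files that look sensitive produce no finding, which is the point: the policy should flag deviations from expected tax-season workflow, not the workflow itself, or the finance team will simply route around the control.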

Create and enforce security policies: Set parameters that meet your
security and compliance initiatives and won't disrupt business and
workflow. Use file-expiration rules to reduce the risk of tax-related
documents being inappropriately accessed – even after they've left
your network.

Use encryption to ensure privacy and confidentiality: Data is most
vulnerable when it is in motion. Make the integrity of all file
transfers non-repudiable by using end-to-end encryption that ensures
the file has not been tampered with while in transit, and ensure that
it reaches its intended recipient without corruption.
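Two of the controls above, a tamper-evident integrity check and a file-expiration rule that still applies after the file has left your network, can be expressed in a very small "envelope" around the file. The block below is an added example, not code from the original article: it seals a payload with an HMAC-SHA256 tag over a header that names the intended recipient and an expiry time, and the opening side verifies the tag before it trusts anything else. Confidentiality is deliberately out of scope here; a real implementation would wrap the payload in an AEAD cipher such as AES-GCM from a proper cryptography library, which the Python standard library does not provide. The key, recipient names, clock values and payload are all constructed for the example.

```python
"""Tamper-evident, expiring file-transfer envelope.

Added example, not code from the original article. Demonstrates integrity
(HMAC-SHA256 tag), recipient binding and file expiration. It does NOT encrypt
the payload; use an AEAD cipher from a real crypto library for that.
"""
import base64
import hashlib
import hmac
import json
import time


class EnvelopeError(Exception):
    """Raised when an envelope must not be opened."""


def seal(payload: bytes, key: bytes, recipient: str, ttl_seconds: int, now=None) -> bytes:
    """Wrap payload as  base64(header).base64(payload).base64(tag)."""
    now = int(time.time()) if now is None else int(now)
    header = {"recipient": recipient, "expires": now + ttl_seconds}
    header_b64 = base64.b64encode(json.dumps(header, sort_keys=True).encode())
    body = header_b64 + b"." + base64.b64encode(payload)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"." + base64.b64encode(tag)


def open_envelope(blob: bytes, key: bytes, recipient: str, now=None) -> bytes:
    """Return the payload, or raise EnvelopeError. The tag is checked first so
    that an attacker-modified header is never parsed as trusted data."""
    now = int(time.time()) if now is None else int(now)
    try:
        header_b64, payload_b64, tag_b64 = blob.split(b".")
    except ValueError:
        raise EnvelopeError("malformed envelope")
    expected = hmac.new(key, header_b64 + b"." + payload_b64, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(tag_b64)):
        raise EnvelopeError("integrity check failed")
    header = json.loads(base64.b64decode(header_b64))
    if header["recipient"] != recipient:
        raise EnvelopeError("not addressed to this recipient")
    if now > header["expires"]:
        raise EnvelopeError("envelope expired")
    return base64.b64decode(payload_b64)


def tampered(blob: bytes) -> bytes:
    """Simulate modification in transit: change one character of the payload segment."""
    header_b64, payload_b64, tag_b64 = blob.split(b".")
    first = b"B" if payload_b64[:1] == b"A" else b"A"
    return header_b64 + b"." + first + payload_b64[1:] + b"." + tag_b64


def demo() -> dict:
    """Seal one constructed file and show how each failure mode is rejected."""
    key = hashlib.sha256(b"constructed demo key").digest()  # real use: random per-transfer key
    sent_at = 1_301_500_000  # constructed fixed clock so the demo is reproducible
    recipient = "auditor@auditfirm.example"
    blob = seal(b"Q1 balance sheet", key, recipient, ttl_seconds=7 * 86400, now=sent_at)
    results = {"ok": open_envelope(blob, key, recipient, now=sent_at + 3600) == b"Q1 balance sheet"}
    attempts = {
        "wrong_recipient": (blob, "someone@gmail.com", sent_at + 3600),
        "expired": (blob, recipient, sent_at + 8 * 86400),
        "tampered": (tampered(blob), recipient, sent_at + 3600),
    }
    for name, (data, who, when) in attempts.items():
        try:
            open_envelope(data, key, who, now=when)
            results[name] = "accepted"
        except EnvelopeError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")
```

The expiry is enforced by the opening side, so it only helps where the recipient uses a client that honours it; that is still useful against copies that linger on a consultant's machine after the April deadline, which is the scenario the column describes.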

Tax season is stressful enough without having to deal with the pain
and cost of a data breach.

Take control and manage the sensitive, tax-related files moving within
and beyond your network and ensure that each transfer is reaching only
the intended recipient.

If you don't have the visibility, it is only a matter of time before
you find out the hard way that an employee in your company sent
something to someone that they were not supposed to. And there is no
refund for the fines associated with a data breach…

Wary Customers Shun Businesses After Data Breaches

Data breaches cost UK businesses more than ever last year, with most
of the financial hit resulting from lost business in the aftermath of
an incident, a Ponemon Institute survey for Symantec has found.

The average cost of a data breach for the 38 large businesses surveyed
in the "2010 Annual Study: UK Cost of a Data Breach" was £1.9 million
($3.1 million), a 13 percent rise from 2009, equivalent to about £71
per lost record.

Of this sum, 48 percent can be attributed to 'abnormal customer churn'
- customers that go elsewhere after hearing of the problem - while
communicating with customers and resetting records is another 23
percent. Non-commercial organisations such as those in the public
sector were found to suffer lower customer costs.

The most expensive breach uncovered by the survey cost a company £6.2
million to recover from, while the smallest cost £336,000, with the
number of records lost or stolen ranging from 6,900 to 72,000.

However representative a snapshot, Symantec and Ponemon describe the
breach cost numbers as giving a good idea of what it costs a typical
company to deal with large data breaches, defined as between 1,000 and
100,000 records.

The report presents the deeper causes of data breaches in a rather
convoluted manner (some causes can be related to more than one
category), although 'system breaches' (security failures inside a
company) are named as the top cause with a frequency of 37 percent of
incidents, with third parties and negligence accounting for 34 percent
each.

Malicious and criminal attacks account for 29 percent, but these are
not surprisingly the most expensive to clear up at £80 per record.

"We continue to see an increase in the costs to businesses suffering a
data breach," said Ponemon Institute founder, Dr. Larry Ponemon.
"Regulators are cracking down to ensure organisations implement
required data security controls or face harsher penalties. Confronted
with both malicious and non-malicious threats from inside and outside
the organisation, companies must proactively implement policies and
technologies to mitigate the risk of costly breaches."

follow-up: Texas hospital hacker sentenced to nine years

A former Dallas hospital guard was sentenced late last week to nine years
in federal prison for breaking into hospital computers, planting malicious
software and planning a distributed-denial-of-service (DDoS) attack.

Jesse William McGraw, 26, of Arlington, Texas, worked the night shift in
2009 at the Carrell Clinic hospital in Dallas, where he broke into more
than 14 computers, including one that controlled the hospital's heating,
ventilation and air conditioning (HVAC) system, and a nurses' station PC
containing confidential patient information, according to a news release
from the U.S. Department of Justice.

McGraw uninstalled anti-virus programs on the computers and installed
malware that allowed unauthorized individuals to remotely access and take
control of them.

fringe: Pirate Bay User Database Compromised and Exploited, Again

In recent weeks many Pirate Bay users have received an email, allegedly
sent by The Pirate Bay team, encouraging them to download a course on how
to make money from the site. The email is clearly sent by spammers, but
since this is not the first time the Pirate Bay user database has been
exploited, users are starting to worry how it's possible that their
personal info is leaking out again.

Last summer a group of Argentinian hackers gained access to The Pirate
Bay's admin panel through a security breach. At the time, the hackers
stated that they didn't want to exploit the vulnerability, and merely
wanted to show that the system was vulnerable.

The Pirate Bay team informed TorrentFreak that they were doing all they
could to patch the vulnerability, and later said that the site was fully
secure again. Two months later, however, it became apparent that The Pirate
Bay backend had been exploited, this time by spammers.

RSA security breach leaves data for 40M employees vulnerable

The servers of RSA, the security division of information storage giant
EMC, have been breached and sensitive information from more than 40
million employees may have been compromised.

The information at risk is the two-factor authentication tokens used
by employees to access corporate and government networks.

The RSA authentication security system uses these tokens to create a
time sensitive number for an employee to enter along with his or her
password.

This additional security measure is important because it prevents
attempts from hackers who may have uncovered an employee’s password.
If the hackers were able to access information from a particular
company, they might be able to generate the password for one of its
tokens.

Says RSA Executive Chairman Art Coviello, “While at this time we are
confident that the information extracted does not enable a successful
direct attack on any of our RSA SecurID customers, this information
could potentially be used to reduce the effectiveness of a current
two-factor authentication implementation as part of a broader attack.”

RSA’s system is currently used by approximately 25,000 organizations,
including banks and the US military.

RSA contacted customers asking them to follow a number of cautionary
practices. The company says it is examining the breach and is working
with the authorities; there is no doubt more information will be
announced shortly.

Wolverhampton Council rapped over private information found dumped in skip

A MIDLAND council has been rapped for letting confidential documents
containing names, dates of birth and bank details get dumped in a
skip.

Hundreds of Wolverhampton City Council documents, most of which had
not been shredded, were fly-tipped at Ettingshall’s Spring Road
industrial estate in October last year.

The Information Commissioner’s Office (ICO) launched an investigation
when it emerged the waste included highly confidential information,
such as employment records and medical information.

The ICO ruled the blunder amounted to a breach of the Data Protection
Act and ordered council chief executive Simon Warren to promise staff
were better trained in the management of confidential waste.

A council spokesman said the documents were put into a skip that was
then stolen from behind locked gates outside Graiseley Healthy Living
Centre.

However, the ICO’s enquiries revealed council employees failed to
recognise the confidential nature of the information.

ICO director of operations Simon Entwisle said: “This breach
demonstrates how important it is that staff who handle personal data
have a good understanding of the need to keep it safe at all times.
The thought of people’s personal details being dumped on the street is
worrying enough, not to mention what could have happened if it had
fallen into the wrong hands.

“I’m pleased that the council has taken the necessary steps to ensure
that this type of breach does not happen again.”

Mr Warren said: “Following the theft of a skip containing confidential
waste we apologised to the members of the public concerned and I
immediately ordered an investigation. As a result, we have now
launched a confidential waste management policy.”

Credit Card Numbers Stolen From 200 Nation's Customers

VACAVILLE, Calif. -- Nearly 200 people who used their credit cards at
a Nation's Giant Hamburgers restaurant in Vacaville have had their
identities stolen, police said Wednesday.

Police said the restaurant, located at 100 Browns Valley Parkway, has
been identified as the "point of compromise" where credit card numbers
were accessed between December and early this month.

The restaurant's credit card machines were somehow compromised, but
the problem has been fixed, Sgt. Jeff King said. He would not disclose
how the identity thefts occurred.

He said Nation's representatives were cooperating with police in the
investigation into the security breach.

Monica Sullivan, human resources manager at Nation's El Cerrito
office, said the restaurant learned of the problem Thursday and
replaced the computers and server on Friday.

She said none of the restaurant's employees have been questioned.

King confirmed that no Nation's workers are suspected in the case.

The fraudulent transactions made with the customers' stolen credit
card numbers occurred in places including New York, New Jersey, New
Mexico, Arizona and Mexico, King said Wednesday morning.

Ten financial institutions have identified their customers as being
victims in the case, King said.

King said some customers may not be aware that their credit cards
have been used fraudulently. Anyone who used a credit card at Nation's
in Vacaville in the past three months should review their bank
statements for irregularities, King said.

Victims should file a report with their local law enforcement agency
and notify their banks, King said.

Similar scams in which card users' data is captured at ATMs and gas
station pumps have been reported in the Bay Area.

Walnut Township school payroll records hacked

Someone had gained access into the payroll records between 1:15 p.m.
Monday and 10 a.m. Tuesday, according to a Fairfield County Sheriff’s
Office report.

Ron Thornton, superintendent of Walnut Township Local Schools, said
the district discovered someone had hacked into the payroll files and
school staff was notified.

“There is an ongoing investigation into the security breach,” Thornton
said. “But I can’t really comment on the investigation.”

The Sheriff’s Office report indicated the hackers had been able to
access the 2008 payroll records and started to access the updated
payroll records before being detected.

“This is the first time I can remember of someone hacking into the
payroll accounts of an organization in the county,” Fairfield County
Sheriff Dave Phalen said.

Thornton said the district began notifying approximately 80 school
personnel affected by the breach immediately after it was detected.

“We are advising all the staff to watch their credit history and to
change accounts,” Thornton said.

The district also is looking into credit reporting monitoring agencies
about providing the service to the employees.

“We are looking at the different services and costs,” Thornton said.
“But we haven’t made any decisions on it yet.”

Phalen said investigators would be working with federal authorities to
look into the breach.

“The federal authorities are more equipped to deal with this type of
crime,” Phalen said. “But it is really difficult to find out who is
behind this type of crime. If any of the Walnut Township employees
detect anyone trying to access their banking accounts, they need to
notify the school and us as soon as possible.”

BP employee loses laptop containing data on 13,000 oil spill claimants

The personal information of 13,000 individuals who had filed compensation
claims with BP after last year's disastrous oil spill may have been
potentially compromised after a laptop containing the data was lost by a
BP employee.

The information, which had been stored in an unencrypted fashion on the
missing computer, included the names, Social Security numbers, addresses,
phone numbers, and dates of birth of those who filed claims related to the
Deepwater Horizon accident.

BP said in a statement that the personal information had been stored in a
spreadsheet maintained by the company for the purposes of tracking claims
arising from the accident. "The lost laptop was immediately reported to
law enforcement authorities and BP security, but has not been located
despite a thorough search," BP said on Tuesday.

The information was part of a claims process that was implemented before
BP had established its Gulf Coast Claims Facility.

Chain Reaction Plugs Exploited Security Hole

Popular UK-based biking site ChainReactionCycles.com has confirmed that a
security breach on its systems led to fraud against its customers.

Some of the cyclists who shopped with the site earlier this month noticed
fraud against their credit cards days later, normally fraudulent purchases
of mobile phone top-ups costing around £30. The common factor behind these
fraudulent transactions quickly emerged, largely via discussions on bike
enthusiast forums, as recent purchases at the North Ireland-based cycle

Porn Star HIV Test Database Leaked

Adrian Chen

The patient database of the private health clinic that conducts STD tests
for California's porn industry has been breached, exposing test results
and personal details about thousands of current and former porn
performers, some of which have been published on a Wikileaks-style
website.

Earlier this year, a website called Porn Wikileaks posted a list of what
it claimed were the real names of more than 15,000 current and former porn
performers, alongside their stage names and date of birth. This
essentially "outed" them to any passing Googler, which caused an uproar in
the industry since many porn performers try to keep their real name
secret, for obvious reasons. That 15,000 names were on the list was
significant, especially considering only about 1,200-1,500 performers are
currently working in California's Porn Valley.

It turns out that many of the names came from a database belonging to the
Adult Industry Medical Healthcare Foundation (AIM), which conducts the
majority of STD tests for the porn industry. (Working straight performers
get tested at least once every 28 days.) The porn gossip blogger Mike
South was the first to report the breach after he was contacted by a
number of porn performers who said the information posted about them on
Porn Wikileaks must have come from AIM's database. Their proof: They had
only used the stage names that were posted on Porn Wikileaks once, when
registering for testing at AIM.

The DataLossDB project welcomes Dissent!

The Open Security Foundation is pleased to announce that Dissent, the
publisher and maintainer of DataBreaches.net and PHIprivacy.net has
now joined DataLossDB as a curator for the project.

OSF has worked with Dissent over the years and she is already known to
us as a DataLoss Archaeologist, as she took third place in our “Oldest
Incident” contest. She found the 1984 TRW incident, where computer
hackers gained access to a system holding credit histories of some 90
million people, which happens to be the 3rd largest breach of all
time in DataLossDB. Her more active involvement with the project on a
day-to-day basis will help us remain the most complete archive of
dataloss incidents world-wide and will enhance our ability to keep
current on more breaches in a timely manner. Dissent will continue to
maintain her own web sites as a resource on breach news and issues.

For those who do not know Dissent, she's a practicing health care
professional with a special concern for health care sector breaches,
and we expect to see increased coverage of medical sector breaches in
the database in months to come. As Dissent notes, "With recent changes
to federal laws making more information available to us about health
care sector breaches, we are now beginning to get some sense of how
common these breaches are and the common breach types. Including these
incidents in the database will enable analyses that would not have
been possible or meaningful just a few years ago."

Open Security Foundation’s CEO, Jake Kouns, says, “Dissent has been a
supporter of DataLossDB from the very beginning and is an extremely
dedicated and thorough researcher. We are extremely fortunate to
have her as part of the DataLossDB team and look forward to working
more closely with her.”

Welcome Dissent, our newest curator and resident research queen!

Saskatchewan privacy commissioner dumpster dives to recover medical files

REGINA - Dumpster diving isn't something Saskatchewan's privacy
commissioner makes a habit of, but this time Gary Dickson says he was left
with little choice.

Dickson and two assistants had to wade through a massive recycling
dumpster this week to recover medical files. They sorted through paper
more than 1 1/2 metres deep after getting a tip directing them to the
container behind the Golden Mile Shopping Centre in Regina.

"People would have every right to be concerned, to think that their most
personal information is in a large recycling bin for anybody (to read),"
Dickson said Thursday.

"In this case, you could stick your hand in through one of the small
windows and pull out a file and look at your neighbour's hysterectomy
report or whatever.

Bank Of America Accounts Hacked

ROYAL OAK, Mich. -- Thousands of Bank of America customers' account
information could be in jeopardy after a major security breach.

Christy Clark went to a Royal Oak drug store Friday, but when her debit
card was declined, she knew something was wrong. "I was very embarrassed,"
Clark said.

She went straight to the Bank of America branch near 12 Mile Road near
Woodward Avenue in Royal Oak to report the problem.

When she arrived, she was surprised to see the lobby packed with customers
who experienced the same issue. "When I entered the branch, that's when I
realized this was a bigger problem," Clark told Local 4.

Computer files lost at Maryville

A Des Plaines-based social service agency that serves abused children
announced today that computer files containing personal and medical
information on almost 4,000 children who lived at agency facilities dating
back to 1992 are missing.

Maryville Academy, which last year worked with about 1,600 children in
residential, shelter and hospital programs, lost three files with
information on about 3,900 people, the agency said in an email this
afternoon. The files were either stolen or misplaced.

The files were in a locked storage room in Maryville's facility in Des
Plaines. The agency is investigating how they may have disappeared, Sister
Catherine F. Ryan, Maryville's executive director, said in the statement.

Data in the files may include birth dates, relatives' names, Social
Security numbers, medical treatment and other information.

Wednesday, March 16, 2011

Taiwan Introduces Enforceable Data Breach Notification Requirements

Taiwan's revised Data Protection Act, which is not yet formally
effective, is the first privacy-specific statute in the APAC region to
contain an enforceable requirement to notify individuals of a data
breach incident. To date, no other privacy legislation in the Asia
region has imposed an enforceable legislative requirement to
communicate a data breach incident to individuals.

A few notable aspects of the legal obligations are as follows:

The relevant provision requires that, where a public or private sector
agency "violates any provision" of the Act, "such that personal data
is stolen, disclosed, altered or otherwise impaired," then "the
agency, after investigating shall notify the subjects by appropriate
means."

The requirement does not extend to every breach occurrence, only those
that constitute an actual violation of the Data Protection Act.

Certain aspects of the data breach provision remain unclear, such as
the extent to which organizations may delay the issuance of notices
while investigating an incident.

There does not appear to be any requirement to notify any supervisory
body of the breach incident. Indeed, the Data Protection Act does not
name a single body with oversight over or enforcement
responsibility for the Data Protection Act. It appears that
enforcement has been left to individual industry ministries, as is the
case in Japan.

Tuesday, March 15, 2011

“Small” Data Breaches Top 9,100 in First Year of Reporting

Reports of large-scale data breaches are commonly in the news—a watch
list of sorts has begun over the Health and Human Services Web site
that tracks them.

HHS, however, also receives reports of breaches involving fewer than
500 individuals. The department is not required to report these data
publicly, but a glimpse of the totals occurred in paperwork related to
the federal 2012 budget.

In a written justification of its 2012 budget request, the Office for
Civil Rights reports that as of September 30, 2010, it had received
9,109 reports of breaches affecting fewer than 500 individuals. That
represents one complete year of reports—an average of 25 reports per
day.

The Back Story on Breach Reporting
Breach reporting is a provision of the HITECH Act, which modified
HIPAA to require that covered entities report breaches of unsecured
protected health information to HHS. Breaches involving 500 or more
people must be reported within 60 days of their discovery. HITECH
directs HHS to publish these reports on its Web site. (It also
requires covered entities to notify the affected individuals and the
major media in the region.)

Covered entities must report breaches affecting fewer than 500
individuals annually, within 60 days of the end of the calendar year
in which the breaches occurred. HHS is not required to publish these
reports; HITECH only stipulates that the department compile them for
annual reporting to several Congressional committees.

OCR mentions the reports only in connection with its 2012 budget
request. The office, which is responsible for enforcing the HIPAA
privacy rule, is requesting additional money for investigations. A
current lack of resources has prevented it from investigating reports
of breaches affecting fewer than 500 individuals. These reports “are
treated as discretionary,” OCR writes, “and only investigated as
resources permit.”

In sheer number, the reports of “small” breaches swamp those of the
much-publicized large breaches. As of September 30, 2010, covered
entities had reported fewer than 200 breaches affecting 500 or more
individuals. However, OCR does not mention how many individuals were
affected in the small breaches, so it is not possible to compare the
impact.

The 9,109 reports also dwarf the expected number of breaches that OCR
put forth in its 2009 interim final rule enacting the HITECH
modifications. Using information from datalossdb.org, OCR had
projected 106 breach reports annually (50 involving fewer than 500
individuals), a number it admitted was a best-guess estimate given the
lack of comprehensive historical information.

Health Net Security Breach Could Affect 1.9M Enrollees

RANCHO CORDOVA, Calif. -- Health Net Inc. announced a major security
breach that could affect the personal information of 1.9 million
current and past enrollees nationwide.

Health Net said several information server drives from its Rancho
Cordova data center that hold the personal information are
unaccounted for.

The company would not directly say if they were stolen or just missing.

“After a forensic analysis, Health Net has determined that personal
information of some former and current Health Net members, employees
and health care providers is on the drives, and may include names,
addresses, health information, Social Security numbers and/or
financial information,” said Health Net in a news release.

The California Department of Managed Health Care says the breach is so
concerning they have launched their own investigation into this
breach.

Enrollees past and present are concerned about their personal information.

“It's scary 'cause you think these insurance companies are very careful
with that kind of information,” said Louie Nava, a former Health Net
enrollee.

Hackers Just Released What They Say Is A Damning Trove Of Emails About Bank Of America And Its Mortgage Practice

Hacker group Anonymous (aka OperationLeaks on Twitter) just released
what they say is a trove of damning documents on Bank of America.

You can find them here: bankofamericasuck.com

Remember, at this point, we can't verify whether they are legitimate
or not, but Gawker's Adrian Chen, who has sources within Anonymous,
suggests there's something real to the leaks.

Anonymous says the emails deal with BofA's mortgage practices, but the
source is not an employee of Bank of America proper -- the source is a
former employee from Balboa Insurance, a firm which used to be owned
by BofA.

As you will see below, we believe that the evidence that is supposed
to be so damning is a series of emails showing that employees of
Balboa asked for certain loan identifying numbers to be deleted, and
they were.

Anonymous said late Sunday evening, however, "this is part 1 of the
Emails." So perhaps more incriminating correspondence is to come. And
to be honest, these messages could be incredibly damaging, but we're
not mortgage specialists and don't know if this is or isn't common in
the field. The beauty is, you can see and decide for yourself at
bankofamericasuck.com.

But for those who want a simple explanation, here's a summary of the content.

The Source

The ex-Balboa employee tells Anonymous that what he/she sends will be
enough to "crack [BofA's] armor, and put a bad light on a $700 mil
cash deal they need to pay back the government while ruining their
already strained relationship with GMAC, one of their largest clients.
Trust me... it'll piss them off plenty."

The source then sends over a paystub, an unemployment form, a letter
from HR upon dismissal, his/her last paystub and an ID badge.
He/she also describes him/herself:

My name is (Anonymous). For the last 7 years, I worked in the
Insurance/Mortgage industry for a company called Balboa Insurance.
Many of you do not know who Balboa Insurance Group is, but if you’ve
ever had a loan for an automobile, farm equipment, mobile home, or
residential or commercial property, we knew you. In fact, we probably
charged you money…a lot of money…for insurance you didn’t even need.

Balboa Insurance Group, and its largest competitor, the market leader
Assurant, is in the business of insurance tracking and Force Placed
Insurance... What this means is that when you sign your name on the
dotted line for your loan, the lienholder has certain insurance
requirements that must be met for the life of the lien. Your lender
(including, amongst others, GMAC... IndyMac... HSBC... Wells
Fargo/Wachovia... Bank of America) then outsources the tracking of
your loan with them to a company like Balboa Insurance.

HBGary Federal Dataloss

It appears more than embarrassing emails were harvested.

"... [Greg] Hoglund, the HBGary CEO, said that as part of their [the
Anonymous hacker group] attack on his corporate affiliate HBGary
Federal, Anonymous members collected personal information on company
employees, including Social Security numbers, home addresses and the
names of their children...."

Stolen laptop creates concern for OrthoMontana patients

OrthoMontana is scrambling to warn current and past patients that their
personal information may be on a laptop computer that was recently stolen
from the company.

The Billings orthopedic and sports medicine practice has sent letters
across the city to those who may have been impacted.

"We ... have no reason to believe that your personal information was
accessed or used inappropriately," the letter stated.

Roy Strong, CEO of OrthoMontana, said Thursday that the letter contains
just about all the information the company knows about the theft.

The laptop was heavily encrypted -- two sets of user names and passwords
plus a "biometric finger scan" were required to access its files, he said.

Friday, March 11, 2011

Security Breach Unsettling for Thousands of MSU Students

(Springfield, MO) - More than 6,000 Missouri State University students
have had their social security numbers compromised.

School officials said Thursday that the university learned of an
internal security breach on February 22. The breach affects 6,030
College of Education students, who were notified of the incident.

According to MSU, in October and November of last year, the College of
Education prepared nine lists of students, which included social
security numbers. Those lists were meant to be posted on a secure
server for personnel preparing the students' accreditation.

It wasn't meant to be seen by anyone outside the school and people
involved in that process. However, the school says the lists were
accessible to the general public and ended up on Google.

The exposed documents include information about students from nine
semesters between 2005 and 2009.

The university says since it discovered the breach, it has worked with
Google to pull the lists so there are minimal "hits."

Investigators don't think the people looking at the data were trying
to get those social security numbers -- based on what they accessed.

Google caches copies of the pages it indexes, so the school had to work
until last weekend to get those cached copies removed as well.

The university says those pages had less than a couple dozen hits. It
says out of all the students, it's still searching for contact
information for only 6 of them.

Calls have been pouring in to the school.

"Out of 6,030 we are down to six that we have not been able to contact
with an address, a phone number or e-mail," says spokesman Jeff
Morrissey. "Twenty-three hits, and another thing that's important about
that is, out of the files that were hit, every one of these hits was
from residential-type areas that we could determine."

The students KOLR/KSFX talked to were shocked that the university they
trusted so much with their personal information could accidentally
leak it to the web.

"That's a lot of trust in the university to have all of my
information, keep it secure," says junior Courtney Beets. She planned
to see what she could find out from her college counselor Thursday.

"Well, I thought I trusted them a lot, but now I'm not so sure," says
Allison Hiegel, who's majoring in elementary education. "It worries
me, especially because I haven't gotten an email yet saying anything
about it. That's a little scary to me."

The university says it's offering to pay for a year of consumer
identity theft protection insurance for all involved. At a negotiated
rate of $7 per person, the total cost will be about $42,210.

"That does make me feel a little bit safer," says Hiegel.

Missouri's Attorney General was also notified, and the school has put
into place a disciplinary action against the employee who posted the
lists to the unsecured server.

German Government Adopts Security Breach Notification Requirement in Telecommunications Act

On March 2, 2011, the German Federal government adopted a draft law
revising certain sector-specific data protection provisions in the
German Telecommunications Act. The draft law addresses the
implementation of data breach notification requirements in the
European e-Privacy Directive by introducing a breach notification
obligation for telecommunications companies.

According to the proposal, telecommunications companies must report
data breaches to the Federal Network Agency (the Bundesnetzagentur or
“BNetzA”), and the Federal Commissioner for Data Protection and
Freedom of Information. In the event the rights or protected
interests of subscribers or other persons are affected by the data
breach, such individuals also must be notified without undue delay.
Notification is not necessary, however, if the telecommunications
provider can demonstrate that it had in place a security plan to
protect the potentially-affected personal data by appropriate
technical means, such as encryption. Notwithstanding this exception,
the BNetzA will have the authority to require any telecommunications
company to provide notification to individuals regardless of
information security protections in place at the time of the breach.

The law also contains detailed content requirements for the
notifications that must be sent to data subjects and the two
authorities. In addition, telecommunications companies will be
required to maintain records of data breaches in accordance with
specific provisions set forth in the law.

The revised data protection provisions also require providers of
location-based telecommunications services to send text messages
informing users whenever their mobile devices are being tracked based
on location.

Cybercriminals Targeting Point-of-Sale Devices

Point-of-sale payment processing devices for credit and debit cards
are proving to be rich targets for cybercriminals due to lax security
controls, particularly among small businesses, according to a report
from Trustwave.

Trustwave, which investigates payment card breaches for companies such
as American Express, Visa and MasterCard, conducted 220 investigations
worldwide involving data breaches in 2010. The vast majority of those
cases came down to weaknesses in POS devices.

"Representing many targets and due to well-known vulnerabilities, POS
systems continue to be the easiest method for criminals to obtain the
data necessary to commit payment card fraud," according to Trustwave's
Global Security Report 2011.

POS devices read the magnetic stripe on the back of a card that
contains account information, which is then transmitted for payment
processing.

Although there are rules for security controls that developers should
use for the devices, such as the Payment Application Data Security
standard (PA-DSS), Trustwave said that "these controls are rarely
implemented properly."

Further, many small businesses rely on third-party integrators to
support the POS devices. But those integrators often have poor
security practices. In 87 percent of the breach cases it studied, the
integrators make mistakes such as using default credentials in
operating systems or with remote access systems, Trustwave said.

"In our experience, many POS integrators are often not skilled in
security best practices, leaving their clients open for attack," the
report said. "For instance, our investigations often uncover
deficiencies in regards to basic security controls, such as the use of
default passwords and single-factor remote access solutions."

POS devices are an attractive target for cybercriminals since the data
they read from the cards is more complete, Trustwave said. For
example, an attack against an e-commerce website may yield a credit
card number and the card's expiration date -- information that can
only be used in so-called card-not-present fraud, such as buying goods
on a website that never sees the physical card or its magnetic stripe.

But POS devices read the full magnetic stripe, which makes it
possible, for example, to encode that information on a counterfeit
card for use at an ATM or a retailer.

Retailers have been increasing their compliance with the Payment Card
Industry Data Security Standard (PCI-DSS), a code of best practices
created by the card industry. It forbids, for example, the storing of
magnetic stripe data on POS terminals after authorization and mandates
the use of encryption.
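
The two paragraphs above describe what full track data contains and why PCI-DSS forbids keeping it. As an added illustration (my own code, not Trustwave's or anything from its report), the scanner below parses track 1 and track 2 records in the ISO/IEC 7813 layout the stripe uses, discards digit runs whose PAN fails the Luhn check, and reports any track record found in a POS log. The log lines are constructed for the example and the PANs are the well-known Visa and MasterCard test numbers, not real cards. Note that the bare PAN on the "declined" line is deliberately not flagged: this check looks for track data specifically, since that is what makes a stripe dump usable for card-present fraud; a separate PAN scanner would be needed for the e-commerce-style data the article contrasts it with.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ISO/IEC 7813 track layouts as encoded on the stripe:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


@dataclass
class TrackData:
    track: int
    pan: str
    name: Optional[str]      # cardholder name is carried on track 1 only
    exp_year: str
    exp_month: str
    service_code: str        # three digits: interchange, authorization, allowed services
    discretionary: str       # issuer data; this is where the card-verification value (CVV1) lives


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit carried by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits, the most PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_tracks(blob: str) -> List[TrackData]:
    """Extract every track-1 and track-2 record in a string whose PAN passes Luhn."""
    found = []
    for m in TRACK1_RE.finditer(blob):
        pan, name, yy, mm, sc, disc = m.groups()
        if luhn_ok(pan):
            found.append(TrackData(1, pan, name, yy, mm, sc, disc))
    for m in TRACK2_RE.finditer(blob):
        pan, yy, mm, sc, disc = m.groups()
        if luhn_ok(pan):
            found.append(TrackData(2, pan, None, yy, mm, sc, disc))
    return found


def scan_log(lines: List[str]) -> List[Tuple[int, int, str]]:
    """Report (line number, track number, masked PAN) for each track record found.
    Any hit is a PCI DSS violation: track data must not be retained after authorization."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for t in parse_tracks(line):
            hits.append((n, t.track, mask_pan(t.pan)))
    return hits


# Constructed sample POS log (not captured from a real terminal). 4111111111111111 and
# 5500000000000004 are published test PANs; the last line carries a Luhn-invalid PAN to
# show a non-card digit run being ignored.
POS_LOG = [
    "2011-03-02 10:14:07 txn=0001 status=approved amt=42.10",
    "2011-03-02 10:14:07 debug swipe=%B4111111111111111^DOE/JANE^13051011234567890?"
    ";4111111111111111=13051011234567890?",
    "2011-03-02 10:15:22 txn=0002 pan=5500000000000004 status=declined amt=9.99",
    "2011-03-02 10:16:01 debug swipe=;4111111111111112=1305101?",
]

if __name__ == "__main__":
    for n, track, pan in scan_log(POS_LOG):
        print(f"line {n}: track {track} data present for {pan}")
```

Run against the sample log it reports the debug line twice (once per track) and nothing else. The name, expiry, service code and discretionary field that `parse_tracks` pulls out are exactly the extra material a stripe gives an attacker beyond PAN and expiry, which is the difference between card-not-present fraud and a working counterfeit card.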

But in 2010 Trustwave discovered new malware targeted at POS
applications, one of which was capable of extracting that encrypted
data.

"The POS-specific malware is the most sophisticated malware we have
seen, and similar to the ATM malware we saw in 2009, as it requires
deep knowledge about the workings of the POS application," Trustwave
wrote.

Even though PCI-DSS is well established in North America and Europe,
"these mandates are just beginning to take hold in other regions,"
Trustwave wrote. "For example, Latin America and Asia Pacific still
lag behind other areas of the world in the identification and
acknowledgement of a data breach, which adversely affects the global
effort to combat attacker behavior."

Bill would help youth identity theft victims

CARSON CITY, Nev. (AP) — By the time Carlos Hernandez turned 18,
little did he know his credit was trashed. Since the age of 9, he had
obtained a mortgage, bought cars, obtained credit cards — and racked
up loads of debt. He had a criminal record, too — not his own — which
kept him out of the Navy.

But since the crimes against his identity were committed years before
he even knew what identity theft was, prosecution was out of the
question because the statute of limitations had lapsed.

That would change under a bill heard Wednesday by the Assembly
Judiciary Committee.

AB83, sponsored by Assembly Speaker John Oceguera, D-Las Vegas, would
extend the prosecution period for victims under 18 and allow charges
to be filed within four years of when they discover the crime.
Existing law limits prosecution to three years from when the crime
occurs.

Hernandez, of Las Vegas, told legislators he had no idea of his
troubles until he tried to buy a car last year, two days after his
18th birthday. He was denied a loan.

"They gave me records as far back as when I was 9 years old," he said.
The reports showed cars purchased under his name had been repossessed,
a home had been foreclosed upon, and thousands of dollars in credit
card bills were unpaid.

Hernandez said he was in ROTC through four years of high school and
wanted to join the Navy. But the military wouldn't have him after his
record showed arrests for drunken driving and domestic violence.

Trying to regain his own identity — and proving the records false —
has been frustrating, he said.

He's been working with credit reporting agencies, and the IRS is investigating.

"I have to wait and get a letter from the IRS that their investigation
is completed and it's not me," he said.

Sgt. Anthony Aguillard of the Las Vegas Police Department said
identity thieves look for dormant Social Security numbers — generally
indicating children — and sell them to brokers who sell them to people
who rack up debt.

"They will run up credit cards, then discard them," he said.

Aguillard said another witness who was scheduled to testify spent time
in jail because her ex-roommate's brother had used her Social Security
number when he was arrested for possession of a stolen vehicle. When
he didn't appear in court, a warrant was issued and the woman was
arrested.

Authorities said stealing children's identities is attractive to
thieves because the crime often goes undetected until the victim
becomes an adult and applies for credit.

According to the Federal Trade Commission, as many as 400,000 children
were victims of identity theft in 2007, with parents reporting victims
as young as 11 months.

Police agencies say children are now the fastest growing segment of
identity theft victims.

There was no opposition to the bill.

Healthcare Provider Prescribes Major Data-Loss Prevention Program

March 02, 2011 — Network World — New Jersey's single largest
healthcare provider, Saint Barnabas Health Care System, is rolling out
a major data-loss prevention (DLP) initiative that will enforce new
content-control restrictions on over 10,000 laptops, tablets and
desktop PCs used by its medical staff.

Like all hospitals, Saint Barnabas, which has six main healthcare
locations in the state, must abide by state and federal
privacy-protection rules, such as HIPAA and the HITECH Act, to protect
sensitive patient personal health information or face possible
penalties. However, the Saint Barnabas effort, which will put
Symantec's DLP host-based software on over 10,000 devices, is intended
not to make it harder for physicians and support staff to share
information, but easier, because the DLP software will recognize
what's sensitive and what's not.

"The agent on every desktop and laptop enables policies on what type
of data they collect or what they e-mail," says Hussein Syed, director
of information-technology security at Saint Barnabas Health Care
System about the host-based DLP software.

On its computers, Saint Barnabas has long made use of self-encrypting
hard drives supported by Wave Systems. Current policies require
hospital data taken from hospital computers to be encrypted, such as
with encryption-capable USB drives. But with DLP deployed, Syed
anticipates there will be more flexibility for medical staff because
the DLP on the endpoints will recognize what's patient-health
information data vs. what's "just a medical document," he points out.

The DLP project is getting underway in the next few weeks, and there
are concerns. There's the need to make sure that the thousands of
physicians and staff who will see DLP's blocking and warnings
understand what needs to be done. Physicians are being kept up to date
on the project and so far are largely supportive, Syed says. But now
that it's going into deployment, it will be a matter of making sure
DLP works right for all, especially since false positives can occur.
"Sometimes there are false positives, so we're working with IT staff
to slowly roll it in," he says.

Penn Mutual Says Employee Might Have Disclosed Customer Data

An employee of the Penn Mutual Insurance company gained unauthorized
access to customer information and might have disclosed it to others,
according to a breach disclosure notice filed with the state of New
Hampshire last month.

"When Penn Mutual learned that the former employee had, during the course
of her employment, unlawfully accessed personal information of Penn Mutual
customers, it immediately fired the employee," the breach disclosure
states.

"Although we have not been able to determine definitively what customer
accounts and what personal information were unlawfully accessed by the
former employee, it appears that the former employee accessed and may have
improperly disclosed the names, addresses, dates of birth, Social Security
numbers, and bank account information associated with a number of our
customer accounts," the disclosure says.

The notification letter filed with the state of New Hampshire does not say
how many customers might have been affected by the data breach. Five of
the customers are residents of New Hampshire.

How not to handle a data breach

Press the panic button as soon as you find evidence customer data has
been compromised, and you'll pay the price

Once a data breach is discovered, the best response is to spring into
action and notify customers as fast as humanly possible, right? Well,
not really.

A brand-new Ponemon Institute study [PDF] sponsored by Symantec finds
that data breach victims often move too quickly, wasting lots of money
and losing customers unnecessarily.

According to Ponemon's "Annual Study: U.S. Costs of a Data Breach,"
companies that respond to data breaches by immediately notifying their
users end up spending 54 percent more per record than companies that
move more slowly. Forty-three percent of surveyed companies notified
customers within one month of discovering the breach, but these
companies ended up with per record costs of $268, up 22 percent from
2009. Companies that took longer than a month spent only $174 per
record, down 11 percent from 2009.

What's the explanation? It turns out that many companies tend to panic
when they find a data breach, thanks to fears about lawsuits,
regulatory fines, and bad publicity, and thus are not as prepared with
the forensic tools and strategies as they should be. Their gut
reaction is to get notification over with as fast as possible, so they
end up notifying an excess of customers, including many of those who
are unaffected by the breach. As a result, they end up shooting
themselves in the foot. The biggest cost of data breaches is customer
churn, according to the study, and many of these companies end up
losing lots of customers that they didn't need to notify.

According to Ponemon, companies that take a more surgical approach and
spend the time on forensics to detect which customers are actually at
risk and require notification ultimately spend less on data breaches.

The study reported other findings on the state of network security:

Malicious or criminal attacks are the most expensive and are on the
rise. In this year's study, 31 percent of all cases involved a
malicious or criminal act, up seven points from 2009, and averaged
$318 per record, up 43 percent from 2009.

In addition:

The cost of breaches by third-party outsourcers rose significantly, up
$85 (39 percent) to $302 per record. These figures may indicate that
compliance with government and commercial regulations for data
protection is dramatically raising breach costs involving outsourced
data.

The moral, as always, is be prepared. Have a strategy and tools in
place to do the proper forensics, know your exact compliance
requirements, and move quickly but cautiously to notify only those
customers that are affected directly. In other words: Don't panic!

Employee incompetence is a hacker's best friend

Tech stories of data vulnerabilities caused by incompetence and
overlooked details by executives, IT managers, or admins

Security breaches -- they're an IT issue that's difficult to prevent
completely, but even harder when the threats develop from the inside,
whether it's hardware stolen by dishonest employees or data loss
caused by oversight within the ranks.

How does a techie deal with security issues effectively when
executives, IT managers, or fellow admins don't take the necessary
precautions? Bureaucracy and incompetence make for tricky situations.

Here are a handful of stories from the Off the Record archives that
are written by tech pros about their memorable experiences dealing
with security vulnerabilities that could have been prevented. Security
technology and procedures may change, but handling users' security
misunderstandings or oversights does not.

"Steal my data, please." A university's server gets hacked, all
because the boss was too scared to install a firewall.

"An IT contractor discovers too much company information." Just days
into a short-term contracting job, a techie unearths a surprising
security risk -- and exposes the network admin's misplaced priorities.

Take an open network, add file sharing, and you have a security hole
big enough for a battleship -- and a reminder of why it's important to
let technical people set technical policies.

"My unnatural disaster." Who needs malicious hackers when you have
admins like this?

"Danger inside the firewall." That nice, new wireless router the
auditors brought in might as well have been a ticking bomb.

"Why trouble employees with passwords?" Job title: Manager of network
security. Instructions: Could not require anyone to have passwords,
because it was asking too much to make people remember them. What
could go wrong?

French ministry targeted by cyber attack that aims to steal G20 information

The French budget minister has confirmed that the ministry of economy,
finances and industry has been the victim of a 'spectacular' cyber
attack since the end of last year.

François Baroin said that the attacks came from addresses located
outside of France. Patrick Pailloux, director general of the French
National Agency for IT Security, said that it was the first attack to
have targeted the French state on such a scale.

According to reports, hackers used a Trojan to infiltrate systems
having used spear phishing messages that were sent to French
government workers. The news of this attack followed reports that
South Korean government and private sector websites had come under
attack from distributed denial-of-service (DDoS) attacks.

Mark Darvill, director of AEP Networks, said that it was no surprise
that a G20 member has become the target of cyber attack, as attackers
are often professionals seeking access to specific pieces of
information.

“All government departments and every private contractor that protects
high profile events or infrastructure must be made to adhere to the
highest levels of security. Without a scaled-up approach to cyber
defence, national security is left open to compromise and sensitive
information is at the mercy of those who have the technical knowledge
to launch these targeted attacks,” he said.

Ross Brewer, vice president and managing director of international
markets at LogRhythm, said: “As hackers become more sophisticated in
their attempts to steal data, government bodies and indeed entire
states are increasingly at risk.

“Traditional methods such as anti-virus solutions and firewalls are
not infallible and they simply are not enough to ensure network
security. Nation states therefore need to accept the inevitability of
data breaches and take new courses of action to prevent similar
incidents, which are both dangerous and embarrassing for the afflicted
organisation.

“Since the attacks began in December and have only just been blocked,
the hackers have enjoyed a substantial holiday period during which to
obtain confidential information. This delay in identifying and putting
a stop to the breach is unacceptable and the provisions taken to
ensure the security of the French systems are quite clearly
insufficient.”

No. 1 consumer complaint: Identity theft

NEW YORK (CNNMoney) -- The government received more than a million
consumer complaints last year, with identity theft enraging the most
people.

The Federal Trade Commission counted 250,854 complaints about identity
theft in 2010, according to a report issued Tuesday. That was 19% of
the 1.3 million total complaints the agency received, putting it at
the top of the consumer complaint list for the 11th year in a row.

The most common form of identity theft was through fraudulent
government documents. Credit card fraud garnered the second highest
number of identity theft complaints, followed by phone and utilities
fraud. Overall, Florida residents reported the highest per capita rate
of identity thefts.

After identity theft, debt collection racked up the second highest
number of complaints, making up 11% of overall complaints. Internet
services and prizes, sweepstakes and lotteries each accounted for 5%
of complaints, followed by shop-at-home and catalog sales, which made
up 4%.

Fraud-related complaints accounted for 54% of total complaints, with
consumers reporting that they were scammed into paying more than $1.7
billion -- or a median of $594 per person -- last year.

About 45% of consumers reporting fraud said that transactions were
initiated by e-mail; 11% said they were lured through a website.

For the first time, imposter scams -- where scammers pose as friends,
family, government agencies or companies to trick consumers into
sending them money -- were also among the top 10 complaints.

Internet auctions, foreign money offers and counterfeit check scams,
telephone and mobile services and credit cards rounded off the list of
top ten things consumers complained about last year.

Midlands Tech warns employees of security breach

Midlands Technical College warned employees last month that a flash
drive containing some of their personal information was taken from a
human resources office at the college.

The flash drive, since returned — without the personal data it
previously held — could compromise the personal information of some of
the college’s 500 employees. But Midlands Tech spokesman Todd Gavin
said no problems have been reported by employees so far.

“There’s no reason to believe that anybody’s information was
compromised,” Gavin said. “The college is already working on an
internal audit of its security to make sure this doesn’t happen
again.”

The security breach at Midlands Tech is the second acknowledged by an
area college or university in the last week. The University of South
Carolina warned employees earlier this month that a breach of
computers at its Sumter campus exposed the personal information of
31,000 faculty, staff, retirees and students system-wide.

USC officials, like those at Midlands Tech, said there is no evidence
that anyone’s personal information was used improperly.

Gavin said no student information was compromised in the Midlands Tech
breach, which occurred at the college’s Airport campus.

In an e-mail dated Feb. 18, Crystal Rookard, human resource director
and legal counsel at Midlands Tech, told employees: “We take this
situation very seriously and recognize our responsibility to maintain
your confidence in our ability to protect confidential information.”

A painter who was working near the human resources office where the
flash drive was located has been questioned by law enforcement, Gavin
said, adding he does not know if or when charges might be filed.

“We don’t know how it got blank,” Gavin said of the flash drive. “We
don’t think it was blank to begin with.”

Rookard told employees, “The individual responsible for removing the
flash drive has indicated that the flash drive was not accessed or
viewed at any point.”

In addition to the internal review of security procedures, Gavin said
Midlands Tech is offering employees free credit monitoring. “To date,
nobody’s reported anything out of the ordinary on their credit.”

WikiLeaks cables are America's worst security breach, says John McCain

The leaking of secret cables to the WikiLeaks website run by
Australian Julian Assange was the most damaging breach of US security
ever, senior American political figure Senator John McCain says.

Security issues featured in talks between Prime Minister Julia Gillard
and the former Republican presidential candidate and ranking member on
the US Senate's armed services committee during her visit to
Washington.

The US Government is considering its legal options in relation to Mr
Assange, which could include a treason charge, and the alleged
instigators of the leaking of 250,000 diplomatic cables.

Intelligence analyst Private First Class Bradley Manning is being held
in the Marine Corps brig in Quantico, Virginia, pending his appearance
on a raft of charges over the alleged leaking of the Government files
to WikiLeaks a year ago.

Senator McCain said after the meeting with the Prime Minister the
WikiLeaks issue had serious implications for all aspects of global
security.

"It is the greatest, most damaging security breach in the history of
this country," he said.

What was most concerning were the revelations of people in places such
as Iraq and Afghanistan who were cooperating with intelligence
services, he said.

"It literally puts their lives in danger," Senator McCain said.

He said those responsible for giving Private Manning access to such
high-security documents also needed to be brought to account.

"He couldn't have done all of that by himself," he said.

Asked whether Australia would help in any future extradition of Mr
Assange, the Prime Minister said she would not speculate.

"The only legal matter affecting Mr Assange are matters stemming out
of proceedings in Sweden," she said, referring to the sex charge
against the internet whistleblower.

"At every stage Mr Assange has received consular assistance, just as
any other Australian would receive." Mr Assange is appealing against
his extradition to Sweden.

Corporate data breach average cost hits $7.2 million

March 8, 2011

The cost of a data breach went up to $7.2 million last year up from
$6.8 million in 2009 with the average cost per compromised record in
2010 reaching $214, up 5% from 2009.

The Ponemon Institute's annual study of data loss costs this year
looked at 51 organizations that agreed to discuss the impact of losing
anywhere between 4,000 and 105,000 customer records. The private-sector
firms participating in the Ponemon Institute's "2010 Annual Study:
U.S. Cost of a Data Breach" hail from across various industries,
including financial services, retail, pharmaceutical technology and
transportation.

Fringe: ISTEP breach may lead to 80, 000 test scores thrown out

The Indiana Department of Education has reason to believe security was
breached during this week's ISTEP testing.

That means tens of thousands of scores may have to be thrown away.

The department says an essay question for the test was leaked.

Officials think a test coordinator copied the question and shared it
with others. One eventually posted it on a Facebook page connected
with a teachers group.

The question apparently asked students their opinion on school vouchers.

The test results of about 80,000 8th graders may have to be invalidated.