Tuesday, June 22, 2010
This blog has moved
This blog is now located at http://infosecincidents.blogspot.com/.
You will be automatically redirected in 30 seconds.
For feed subscribers, please update your feed subscriptions to
http://infosecincidents.blogspot.com/feeds/posts/default.
Friday, April 16, 2010
Bank Worker Pleads Guilty to Hacking 100 ATMs
By Kim Zetter April 13, 2010 | 4:43 pm | Categories: Crime
A Bank of America worker pleaded guilty Tuesday to installing malware on more than 100 ATMs, and stealing $304,000 over a seven-month period.
Authorities were able to recover at least $167,000 in cash after the worker told U.S. Secret Service agents where they could find the money, according to a press release issued by the U.S. Attorney’s office in North Carolina, where the charges were filed.
Rodney Reed Caverly, 53, pleaded guilty to one count of unauthorized computer access for installing the malware.
Caverly’s attorney told Threat Level that his client wrote the code himself. It instructed the ATMs to dispense cash without creating a record of the transactions.
“I have seen some media speculation that this event is somehow related to an Eastern European computer virus from last year,” defense attorney Christopher Fialko said in an e-mail. “It is not.”
Fialko was referring to a Threat Level report that suggested Caverly’s code might have been related to malware found last year on ATMs in Russia and Ukraine, which also instructed the machines to dispense cash without leaving a record.
According to prosecutors, Caverly withdrew the cash over a seven-month period ending in October 2009. A Bank of America representative told Threat Level that the company discovered the theft internally.
A source familiar with the case said that Caverly specifically targeted at least 100 ATMs with his malware.
Caverly began working for Bank of America in 2007 writing application software and troubleshooting programs.
He was formerly the founder and CEO of Sovidian, a North Carolina software development company established in 1999. The company merged in April 2003 with Data On CD, a document-management and archiving firm. According to a news release on Sovidian’s website announcing the merger, the company has provided “tailored software and software integration solutions for the finance industry for over 10 years,” and counted Bank of America and two other major financial institutions as customers.
Caverly is out of jail on a $25,000 bond until his sentencing hearing later this summer. He faces up to five years in prison and a maximum fine of $250,000.
Source: http://www.wired.com/threatlevel/2010/04/malware-targeted-100-atms
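The article says the malware made the ATMs dispense cash without writing a transaction record, and that the bank caught the theft internally. The control that finds exactly that gap is a reconciliation of what the dispenser hardware reports against what the electronic journal recorded. The script below is an added example, not code from the article, the bank or the case file; record layouts, field names, the matching window and the sample events are all constructed assumptions.

```python
"""Reconcile ATM dispenser hardware events against the transaction journal.

Added example, not code from the article or from the bank. Every cash-out
the dispenser's cassette counters report must be explained by a
host-authorised, journaled withdrawal; a dispense with no journal entry is
the signature of the behaviour described in the article. Record layouts,
field names and the sample events below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Dispense:
    """One cash-out reported by the dispenser hardware (cassette counters)."""
    atm_id: str
    at: datetime
    amount: int  # whole currency units


@dataclass(frozen=True)
class JournalEntry:
    """One host-authorised withdrawal written to the electronic journal."""
    atm_id: str
    at: datetime
    amount: int
    account: str


def reconcile(dispenses, journal, window=timedelta(seconds=60)):
    """Return dispenser events that no journal entry explains.

    A journal entry explains a dispense if it is on the same ATM, for the
    same amount, and within `window` of it. Each entry can explain at most
    one dispense, so a duplicated cash-out against a single transaction
    still surfaces.
    """
    unused = sorted(journal, key=lambda j: j.at)
    unexplained = []
    for d in sorted(dispenses, key=lambda d: d.at):
        match = next(
            (j for j in unused
             if j.atm_id == d.atm_id and j.amount == d.amount
             and abs(j.at - d.at) <= window),
            None,
        )
        if match is None:
            unexplained.append(d)
        else:
            unused.remove(match)
    return unexplained


def unexplained_totals(dispenses, journal, **kw):
    """Unexplained cash per ATM: the figure an auditor escalates."""
    totals = {}
    for d in reconcile(dispenses, journal, **kw):
        totals[d.atm_id] = totals.get(d.atm_id, 0) + d.amount
    return totals


# Constructed sample: ATM-0001 reports four cash-outs but the journal only
# holds three; ATM-0002 is clean.
T = datetime(2009, 9, 14, 2, 0, 0)
SAMPLE_DISPENSES = [
    Dispense("ATM-0001", T, 200),
    Dispense("ATM-0001", T + timedelta(minutes=5), 400),   # no journal entry
    Dispense("ATM-0001", T + timedelta(minutes=9), 100),
    Dispense("ATM-0001", T + timedelta(minutes=12), 300),
    Dispense("ATM-0002", T + timedelta(minutes=3), 60),
]
SAMPLE_JOURNAL = [
    JournalEntry("ATM-0001", T + timedelta(seconds=2), 200, "acct-1"),
    JournalEntry("ATM-0001", T + timedelta(minutes=9, seconds=1), 100, "acct-2"),
    JournalEntry("ATM-0001", T + timedelta(minutes=12, seconds=3), 300, "acct-3"),
    JournalEntry("ATM-0002", T + timedelta(minutes=3, seconds=1), 60, "acct-4"),
]

if __name__ == "__main__":
    for d in reconcile(SAMPLE_DISPENSES, SAMPLE_JOURNAL):
        print(f"UNEXPLAINED {d.atm_id} {d.at:%Y-%m-%d %H:%M:%S} {d.amount}")
    print(unexplained_totals(SAMPLE_DISPENSES, SAMPLE_JOURNAL))
```

The reconciliation has to draw on a source the malware could not rewrite: cassette counters read out during cash replenishment, or the dispenser's own hardware log, rather than the application's transaction journal, because software that suppresses the journal entry can equally suppress any application-level counter.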
Security Incidents Rise In Industrial Control Systems
Even with minimal Internet access, malware and breaches are increasingly occurring in utility, process control systems
By Kelly Jackson Higgins, DarkReading
April 14, 2010
URL: http://www.darkreading.com/story/showArticle.jhtml?articleID=224400280
While only about 10 percent of industrial control systems are actually connected to the Internet, these systems that run water, wastewater, and utility power plants have suffered an increase in cybersecurity incidents over the past five years.
A new report based on data gathered by the Repository of Industrial Security Incidents (RISI) database provides a rare look at trends in malware infections, hacks, and insider attacks within these traditionally cloistered operations. Cybersecurity incidents in petroleum and petrochemical control systems have declined significantly over the past five years (down more than 80 percent), while incidents in water and wastewater have increased 300 percent and in power/utilities 30 percent, according to the 2009 Annual Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems.
The database logs security incidents in process control, SCADA, and manufacturing systems, and gathers voluntary submissions from victim companies as well as from news or other reports.
Nearly half of all security incidents were due to malware infections -- viruses, worms, and Trojans, according to the report. With only a fraction of control systems connected to the Internet, these infections are occurring in other ways: "A lot of control systems are connected to their business networks which in turn may be connected to the Internet. It's several layers removed, but once there's a virus [on the business network], it finds its way into the control systems," says John Cusimano, executive director of the Security Incidents Organization, which runs the RISI database. "And you see USB keys bringing in malware" to the SCADA systems, for instance, or via an employee's infected laptop, he says.
Doug Preece, senior manager for smart energy services at Capgemini, says another entry point for malware is the process control platforms that are based on Windows. "Some of these platforms have evolved over time to lower-cost, more open, Windows-based stuff," Preece says. "It's not connected to the Internet, so the ability to receive patches at the OS level is hampered. The management of these systems is not as closely monitored as it is at the enterprise OS level."
The result is unpatched, out-of-date software running on systems that are consequently prone to attack. "Out-of-date patching [makes] a highly vulnerable platform," Preece says. All it takes is an infected USB stick or floppy disk popped into one of these machines, and it's infected, he says.
At the time the report was published late last month, the database contained 175 confirmed incidents, and Security Incidents Organization's Cusimano says it averaged three to four new incident reports per month.
Security experts say attacks targeting the power grid are likely to rise and intensify during the next 12 months, as smart grid research and pilot projects advance. So far, the RISI database has only logged a single smart grid incident, but such incidents are likely to increase, experts say.
Cusimano says the sole smart grid incident basically involved an HVAC system that knocked out service to thousands of residents in one community. "With the [federal] stimulus money, there are a lot of smart grid projects going in this year," he says. "The good news is that security" has been part of the equation from the get-go with these next-generation power grid systems, so it's not an afterthought, he says.
Even so, there are concerns that smart grid projects are moving forward a bit too fast, without allowing time for properly securing them, he says. Cusimano, whose day job is working with an automation consulting firm, says his company is working on a U.S. Department of Energy-funded smart grid project that has a tight timeline. "We have a very short deadline to prepare the security model," he says.
Industry remains skeptical that it's at risk
Meanwhile, the RISI report's findings of a major drop in chemical and petroleum security incidents may be the result of consolidated facilities and closed refineries, for instance, Capgemini's Preece says.
Water plant and wastewater plant incidents may be higher because they are typically required to issue press releases of incidents to their communities, notes Cusimano.
Overall, 25 percent of the security incidents in process control systems were intentional, directed attacks, in which an outside attacker or an insider breached the system, according to the report. Of the remaining 75 percent, half were malware-borne and half were equipment breakdowns or failures of some sort. Insider attacks rose 30 percent over the last five years.
Cusimano noted that there was an improvement in the number of viruses infiltrating control systems: the number of malware incidents has dropped by 83 percent in the past five years. "Largely, companies are doing a better job at firewalling their control systems and using anti-virus protection," he says. And if companies were to address their accidental incidents, most of them would also be protected from most targeted attacks, he says.
The financial impact of these incidents on the organizations is rising: according to the report, over the past five years, twice as many incidents added up to $10,000 to $100,000 in losses. The majority of incidents occurred in the U.S.
But the industrial process control sector remains largely unconvinced that they face major cybersecurity threats, he says. "There's a lot of skepticism that there's a real problem, particularly when it comes to doomsday scenarios like when the press talks about China or Russia breaking into a chemical plant to blow it up," Cusimano says.
And like the IT versus security dynamic in many enterprises, there's often a disconnect between the IT department and the SCADA group in process control, according to Cusimano. "The control system engineering department in control of the control systems and the plant's IT department have yet to find a way to work well together," he says. While the IT department looks at control systems as any other asset, it prioritizes confidentiality, then integrity, and then availability. "But the control systems department's priorities are reversed: availability is paramount, then integrity and confidentiality."
Copyright © 2007 CMP Media LLC
Apache project server hacked, passwords compromised
Robert McMillan
April 14, 2010 (IDG News Service) Hackers broke into a server used by the Apache Software Foundation to keep track of software bugs.
The attack did not compromise the open-source Web server's source code repository, but it did give hackers access to a server used by the project to keep track of bugs, and they also obtained low-privilege accounts on another server used to maintain the people.apache.org Web site, according to Philip Gollucci, vice president of Apache infrastructure. "None of the source code was affected in any way," he said.
By taking advantage of a common Web programming error known as a cross-site scripting bug, and then using another password-guessing attack, hackers were able to break into the Atlassian JIRA software used by Apache. They then installed a password stealing program on that software, ultimately seizing full control of the machine. That gave them access to two other programs hosted by Apache on the same server, the Confluence wiki program and Bugzilla.
The intruders stole three cached login credentials from the compromised server to get access to the Minotaur.apache.org server that runs People.apache.org and provides shell accounts for Apache developers, but were unable to do much with these low-level accounts, Gollucci said. Even the data on its bugtracking systems is not sensitive, as Apache does not store information about security flaws on any of these servers, he said.
The unidentified attackers broke into Apache's JIRA server on April 6 and had begun stealing user passwords by the time Apache administrators noticed the issue on April 9.
In an attack launched at the same time, intruders were also able to break into Atlassian's own servers and gain access to customer user names and passwords. Atlassian employs several Apache developers, and attackers could have used the information from the Apache attack to try to break into accounts at Atlassian. "It's hard to say whether it was directed at Apache or at Atlassian," Gollucci said.
These passwords may prove to be valuable if Apache or Atlassian developers happen to use the same passwords on their source control systems. Then the attackers could make changes to the source code -- adding back door access to Apache projects, for example, said Chris Wysopal, chief technology officer with Veracode, via a text message.
Atlassian sells software development tracking and collaboration products, including the JIRA and Confluence software used by Apache.
According to an Atlassian blog post, hackers were able to access an unencrypted database of usernames and passwords used to log in to customer accounts. "The breach potentially exposed passwords for customers who purchased Atlassian products before July 2008," Atlassian CEO Mike Cannon-Brookes said in a blog post. "We made a big error. For this we are, of course, extremely sorry. The legacy customer database, with passwords stored in plain text, was a liability."
Atlassian could not be reached immediately for comment.
This is not the first time the Apache Software Foundation has been hit by hackers. Last August intruders were able to break into the Minotaur server and run their own scripts on Apache's Web site.
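The two failures this story turns on are a credential table kept in plain text (the Atlassian legacy database) and passwords reused across systems (the risk Wysopal raises for the source control repositories). The code below is an added example, not Atlassian's or Apache's, showing the legacy design beside a salted, iterated one: a copy of the first table is the password list itself, while a copy of the second hands an attacker only per-user PBKDF2 digests that must be ground through one at a time, which is what limits the damage when the same password is reused elsewhere. Record format, iteration count and the sample users are assumptions.

```python
"""A plaintext credential table beside a salted, iterated one.

Added example, not Atlassian's or Apache's code. Record format, the
iteration count and the sample users are assumptions.
"""
import base64
import hashlib
import hmac
import os

# Assumed work factor; tune so one verification costs roughly 100 ms on the
# authentication servers, and raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
_DUMMY_SALT = os.urandom(16)


class PlaintextStore:
    """The legacy design: the stored value is the password itself."""

    def __init__(self):
        self.rows = {}

    def add(self, user, password):
        self.rows[user] = password

    def verify(self, user, password):
        return self.rows.get(user) == password


class HashedStore:
    """Per-user random salt, PBKDF2-HMAC-SHA256, constant-time comparison."""

    def __init__(self, iterations=PBKDF2_ITERATIONS):
        self.iterations = iterations
        self.rows = {}

    @staticmethod
    def _digest(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def add(self, user, password):
        salt = os.urandom(16)  # fresh per user: equal passwords get unequal records
        digest = self._digest(password, salt, self.iterations)
        # Self-describing record, so the work factor can be raised later.
        self.rows[user] = "pbkdf2_sha256$%d$%s$%s" % (
            self.iterations,
            base64.b64encode(salt).decode("ascii"),
            base64.b64encode(digest).decode("ascii"),
        )

    def verify(self, user, password):
        record = self.rows.get(user)
        if record is None:
            # Burn the same KDF cost for unknown users so response time does
            # not reveal whether an account exists.
            self._digest(password, _DUMMY_SALT, self.iterations)
            return False
        algo, iterations, salt_b64, digest_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = self._digest(password, salt, int(iterations))
        return hmac.compare_digest(candidate, expected)

    def needs_rehash(self, user):
        """True when the record was made with a lower work factor than the
        current setting; call add() again after a successful verify()."""
        return int(self.rows[user].split("$")[1]) < self.iterations


if __name__ == "__main__":
    for store in (PlaintextStore(), HashedStore()):
        store.add("alice", "correct horse")
        print(type(store).__name__, "->", store.rows["alice"])
```

The `needs_rehash` check is what lets a deployment raise the iteration count without a forced password reset: the old record still verifies, and the next successful login rewrites it at the new cost. Nothing here helps a user who reuses one password on two systems when the other system stores it in plain text, which is why the Apache and Atlassian incidents reinforced each other.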
Friday, April 02, 2010
Company says 3.3M student loan records stolen
Jeremy Kirk
March 29, 2010 (IDG News Service) Data on 3.3 million borrowers was stolen from a nonprofit company that helps with student loan financing.
The theft occurred on March 20 or 21 from the headquarters of Educational Credit Management Corp. (ECMC), which services loans when student borrowers enter bankruptcy. The data was contained on portable media, said the organization, which is a dedicated guaranty agency for Virginia, Oregon and Connecticut.
The data included names, addresses, birth dates and Social Security numbers but no financial information such as credit card numbers or bank account data, ECMC said in a news release.
Law enforcement has been notified. "ECMC is cooperating fully with local, state and federal law enforcement agencies conducting the investigation," it said in a statement.
ECMC will send a written notification to affected borrowers "as soon as possible" and offer them free services from Experian, a credit monitoring agency.
Data loss can occur in a variety of ways, including by remote hacking or employee theft. ECMC didn't say whether the data taken was encrypted.
The information could be useful for data thieves, who use personal information to apply for loans and credit cards or to assemble portfolios for larger identity theft schemes.
ECMC's data loss is significant but far short of some of the largest incidents.
More than 130 million credit card numbers were stolen around 2008 from Heartland Payment Systems, an attack ranked as the largest to date by DataLossDB, which tracks incidents. One of the hackers, Albert Gonzalez, was sentenced to 20 years in prison on Friday in U.S. District Court for the District of Massachusetts.
In 2006, a laptop and hard drive containing personal information of 26.5 million military veterans and their spouses was stolen from the home of a U.S. Department of Veterans Affairs employee.
'Smart' utility meters have security holes and can be hacked, expert finds
SAN FRANCISCO — Computer-security researchers say new “smart” meters that are designed to help deliver electricity more efficiently also have flaws that could let hackers tamper with the power grid in previously impossible ways.
At the very least, the vulnerabilities open the door for attackers to jack up strangers’ power bills. These flaws also could get hackers a key step closer to exploiting one of the most dangerous capabilities of the new technology, which is the ability to remotely turn someone else’s power on and off.
The attacks could be pulled off by stealing meters — which can be situated outside of a home — and reprogramming them. Or an attacker could sit near a home or business and wirelessly hack the meter from a laptop, according to Joshua Wright, a senior security analyst with InGuardians Inc. The firm was hired by three utilities to study their smart meters’ resistance to attack.
These utilities, which he would not name, have already done small deployments of smart meters and plan to roll the technology out to hundreds of thousands of power customers, Wright told The Associated Press. There is no evidence the security flaws have been exploited, although Wright said a utility could have been hacked without knowing it. InGuardians said it is working with the utilities to fix the problems.
Power companies are aggressively rolling out the new meters. In the U.S. alone, more than 8 million smart meters have been deployed by electric utilities and nearly 60 million should be in place by 2020, according to a list of publicly announced projects kept by The Edison Foundation, an organization focused on the electric industry.
Unlike traditional electric meters that merely record power use — and then must be read in person once a month by a meter reader — smart meters measure consumption in real time. By being networked to computers in electric utilities, the new meters can signal people or their appliances to take certain actions, such as reducing power usage when electricity prices spike.
But the very interactivity that makes smart meters so attractive also makes them vulnerable to hackers, because each meter essentially is a computer connected to a vast network.
There are few public studies on the meters’ resistance to attack, in part because the technology is new. However, last summer, Mike Davis, a researcher from IOActive Inc., showed how a computer worm could hop between meters in a power grid with smart meters, giving criminals control over those meters.
Alan Paller, director of research for the SANS Institute, a security research and training organization that was not involved in Wright’s work with InGuardians, said it proved that hacking smart meters is a serious concern. “We weren’t sure it was possible,” Paller said. “He actually verified it’s possible. ... If the Department of Energy is going to make sure the meters are safe, then Josh’s work is really important.”
SANS has invited Wright to present his research Tuesday at a conference it is sponsoring on the security of utilities and other “critical infrastructure.”
Industry representatives say utilities are doing rigorous security testing that will make new power grids more secure than the patchwork system we have now, which is already under hacking attacks from adversaries believed to be working overseas.
“We know that automation will bring new vulnerabilities, and our task — which we tackle on a daily basis — is making sure the system is secure,” said Ed Legge, spokesman for Edison Electric Institute, a trade organization for shareholder-owned electric companies.
But many security researchers say the technology is being deployed without enough security probing. Wright said his firm found “egregious” errors, such as flaws in the meters and the technologies that utilities use to manage data from meters. “Even though these protocols were designed recently, they exhibit security failures we’ve known about for the past 10 years,” Wright said.
He said InGuardians found vulnerabilities in products from all five of the meter makers the firm studied. He would not disclose those manufacturers.
One of the most alarming findings involved a weakness in a communications standard used by the new meters to talk to utilities’ computers. Wright found that hackers could exploit the weakness to break into meters remotely, which would be a key step for shutting down someone’s power. Or someone could impersonate meters to the power company, to inflate victims’ bills or lower his own. A criminal could even sneak into the utilities’ computer networks to steal data or stage bigger attacks on the grid.
Wright said similar vulnerabilities used to be common in wireless Internet networking equipment, but have vanished with an emphasis on better security.
For instance, the meters encrypt their data — scrambling the information to hide it from outsiders. But the digital “keys” needed to unlock the encryption were stored on data-routing equipment known as access points that many meters relay data to. Stealing the keys lets an attacker eavesdrop on all communication between meters and that access point, so the keys instead should be kept on computers deep inside the utilities’ networks, where they would be safer.
“That lesson seems to be lost on these meter vendors,” he said. That speaks to the “relative immaturity” of the meter technology, Wright added.
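The key-placement point Wright makes above (meter keys sitting on the access point versus held only deep inside the utility) can be checked in a small model. The following Python script is an added example written for this page; it is not code from the article, InGuardians, or any meter vendor. Meter ids, readings and the stdlib-only stand-in cipher (HMAC-SHA256 in counter mode plus an HMAC tag, standing in for a real AEAD such as AES-GCM) are constructed for the example. It runs each reading through an access point under both designs, then asks the defender's question: given only the access point's key store and the frames that crossed it, which readings are recoverable?

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF keystream: a stand-in for a block cipher
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag first; a wrong key or a tampered frame raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed sample readings; meter ids and values are made up for this example.
READINGS = {"meter-0001": b"kWh=1234.5", "meter-0002": b"kWh=87.2", "meter-0003": b"kWh=4410.0"}


def simulate(design: str):
    """Push every reading through the access point (AP) to the head-end.

    Returns (what the head-end decoded, the AP's key store, the frames that crossed the AP).
    'hop-by-hop' is the weak layout from the article: the AP holds each meter's key and
    re-encrypts toward the utility. 'end-to-end' keeps meter keys only on the meter and
    at the head-end; the AP merely forwards ciphertext."""
    meter_keys = {m: os.urandom(32) for m in READINGS}
    backhaul_key = os.urandom(32)                      # AP <-> head-end link key
    ap_keys = {"backhaul": backhaul_key}
    head_end_keys = {"backhaul": backhaul_key}
    if design == "hop-by-hop":
        ap_keys.update(meter_keys)                     # meter keys stored on the AP (the flaw)
    elif design == "end-to-end":
        head_end_keys.update(meter_keys)               # meter keys live deep in the utility
    else:
        raise ValueError(f"unknown design {design!r}")

    crossed_ap, received = [], {}
    for meter_id, reading in READINGS.items():
        frame = encrypt(meter_keys[meter_id], reading)
        crossed_ap.append((meter_id, frame))
        if design == "hop-by-hop":
            # AP terminates the meter's encryption and re-encrypts for the backhaul
            inner = decrypt(ap_keys[meter_id], frame)
            relayed = encrypt(backhaul_key, meter_id.encode() + b"|" + inner)
            mid, payload = decrypt(head_end_keys["backhaul"], relayed).split(b"|", 1)
            received[mid.decode()] = payload
        else:
            # AP forwards the frame unchanged; only the head-end can open it
            received[meter_id] = decrypt(head_end_keys[meter_id], frame)
    return received, ap_keys, crossed_ap


def readable_from_ap_key_store(ap_keys, crossed_ap):
    """Defender's check: with nothing but the AP's key store and the traffic that crossed it,
    which meter readings can be opened? Tag verification tells us whether a key fits."""
    recovered = {}
    for meter_id, frame in crossed_ap:
        for key in ap_keys.values():
            try:
                recovered[meter_id] = decrypt(key, frame)
                break
            except ValueError:
                continue
    return recovered


if __name__ == "__main__":
    for design in ("hop-by-hop", "end-to-end"):
        received, ap_keys, crossed = simulate(design)
        exposed = readable_from_ap_key_store(ap_keys, crossed)
        print(f"{design:10s} head-end got {len(received)} readings; "
              f"AP key store exposes {len(exposed)}")
```

Both layouts deliver every reading to the head-end, so the difference is invisible in normal operation; it only shows up when the access point's key store is assumed lost, which is exactly the review question to ask of a meter deployment.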
© 2010 syracuse.com. All rights reserved.
Monday, March 29, 2010
Gonzalez sentenced to 20 years for Heartland break-in
Update: Term to run concurrently with 20-year terms from two other cases Thursday
Nancy Weil
March 26, 2010 (Computerworld) Hacker Albert Gonzalez, who participated in a cybercrime ring that stole tens of millions of credit and debit card numbers, was sentenced Friday in U.S. District Court to 20 years in prison.
The sentence, imposed by U.S. District Court Judge Douglas P. Woodlock, was for Gonzalez's role in a hacking ring that broke into computer networks of Heartland Payment Systems, which processed credit and debit card transactions for Visa and American Express, Hannaford Supermarkets and 7-Eleven.
The sentence is actually 20 years and one day, owing to the need to deal with peculiarities in sentencing statutes, because Woodlock had to take into account that Gonzalez was on pretrial release for an unrelated crime when he took up with the international network of hackers responsible for the security breaches.
He was at the time supposed to be serving as an informant for the U.S. Secret Service, but he double-crossed the agency, supplying a co-conspirator with information obtained as part of those investigations.
"I am guilty of these crimes ... I accept full responsibility for these actions," Gonzalez said at the sentencing, reiterating what he said Thursday about "exploiting" his relationship with a government agency, though he did not name it.
He also referred to the "dishonor" he brought to his parents and their home, where he buried more than $1 million in the backyard. He forfeited that money, as well as other goods, when he was arrested.
"I plead for leniency," he said. "I understand that the road to redemption is going to be long for me," adding that it was his hope, however, that he would be able to be on that road someday.
The sentence will run concurrently with two other 20-year concurrent sentences meted out Thursday, also in the U.S. District Court for the District of Massachusetts, by a different federal judge, Patti B. Saris.
Gonzalez pleaded guilty in all three cases last December, with the U.S. Department of Justice agreeing to seek no more than 25 years in prison in each case, all to run concurrently.
Gonzalez, 28, was living in Miami at the time of the crimes in the three cases, which occurred over almost two years before he was arrested in May of 2008 and subsequently indicted in New York, New Jersey and Massachusetts, with the cases eventually being moved to the same federal court jurisdiction.
Besides the companies targeted in the case heard Friday, a ring that Gonzalez led hacked into computer networks of major retailers including TJX, DSW, Barnes & Noble, Office Max and Dave & Buster's.
They stole tens of millions of credit and debit card numbers, using some to make withdrawals at ATM machines and selling millions of the numbers to other criminals, in what prosecutors termed "unparalleled" online theft.
The case before Judge Woodlock differed from those heard by Judge Saris in a number of substantive ways, according to both Assistant U.S. Attorney Stephen Heymann and defense attorney Martin Weinberg. First, Gonzalez was not the leader of the international network of hackers, as he was with the cybercrime group that hacked the retailers and the Dave & Buster's restaurant network.
In the group where he was the mastermind, the criminals knew each other personally, in some instances having gone to school together and socialized together. Most of their hacking was done in cars or when the criminals were physically near a location, breaching networks wirelessly to steal information.
In contrast, the international ring came together through connections made only in cyberspace, with no real hierarchical structure. They were a group of "elite international hackers ... moving seamlessly over international borders," Heymann said.
The international group used more sophisticated SQL injection attacks and had advanced from hacking into retailers' systems to attacking the financial system itself, Heymann said to answer questions from Judge Woodlock, who sought an explanation for differences between the cases.
"It acts like a tremor," rippling through the system and shaking the faith of people in credit and debit card transactions and companies. Customers can choose to not shop with a retailer whose system has been proven vulnerable to hackers, but that's not so easy to do when the companies under attack are those that process payments.
That international aspect and the way in which the cyberthieves connected made the case before Judge Woodlock particularly "dangerous" and part of an increasingly sophisticated approach to cybercrime that is particularly troubling to law enforcement agencies, Heymann noted.
While Judge Woodlock took all of that in, he also said that he believed that Judge Saris' sentences were reasonable and that it would be appropriate for him to impose the same number of years. After doing so, he offered advice to Gonzalez, whose intelligence and "gifts" the judge recognized.
"People with your gifts often find themselves dealing obsessively with computers," he said, adding that Gonzalez misapplied his abilities, and that while "the perception is that there's no harm if you don't see the people," the judge had heard from some of those affected in victim impact statements.
He was especially taken by an elderly couple whose lives were badly disrupted when their private information was obtained through hacking into the Hannaford system. And so it was his duty, Judge Woodlock said, to address the issue of deterrence and to impose a sentence that would send a message to other cybercriminals and would-be cybercriminals.
"You're going to lose the middle part of your life because of this," he told Gonzalez. "You're in your middle 20s, you'll be in your middle 40s when you get out. You'll feel that. ... This is real time. And it's meant to deliver a message to others."
That wasn't the only message the judge delivered. In a major twist to the case -- and all three cases have been full of twists and turns -- the sentencing hearing opened with Judge Woodlock taking up issues related to sealed court documents in the case dealing with two unnamed payment-processing companies whose security systems Gonzalez breached, also by SQL injection attacks, and planted malware on in November of 2007.
Those companies -- referred to in documents and in court Friday as "Company A" and "Company B" -- sought protective orders under the Massachusetts law that protects victims' rights.
The DOJ had agreed when the indictments were prepared that the companies would remain unnamed because neither one has publicly disclosed the breaches. Attorneys for the companies each argued -- unconvincingly as it turned out -- that because no customer data was stolen or ever used by criminals that they had no legal obligation to make the breaches known. They further argued that the companies they represent have a right to privacy.
Judge Woodlock clearly was not buying that argument from the get-go, declaring outright that in his view companies have no such right even though such notions are "in the air these days."
He made obvious references to a recent controversial U.S. Supreme Court ruling that said otherwise when it comes to corporate rights. But at least in Judge Woodlock's courtroom, such rights will not be conferred -- he intends to unseal the court documents and therefore publicly name the two companies because shareholders and customers have a right to know that their security systems were, even if they are not now, vulnerable.
He also was not moved by the argument that the breaches occurred long enough ago that it's no longer relevant to let customers know that they occurred. "They've had three years to alert their shareholding public -- they've chosen not to, improvidently," he said.
The two companies will not be part of whatever restitution agreement is reached in the case because they did not suffer financial losses. The matter of restitution was not taken up by Judge Woodlock and will be combined with restitution in the cases before Judge Saris.
Exactly how much financial damage was done may never be fully known, but the effects on companies involved were severe enough to warrant filings with the U.S. Securities and Exchange Commission.
And Heartland, for instance, says it lost nearly $130 million because of the security breaches. Heartland agreed to multimillion-dollar settlements with Visa and American Express for damages incurred by those companies in the thefts, which set off a reappraisal of corporate network security overall and prompted widespread changes as businesses sought to shore up security.
As Heymann noted, the efforts of Gonzalez's hacking ring also led the companies involved on a wild chase to close back doors and other entry points that the hackers exploited to access systems, which cost them yet more money.
A restitution hearing was set by Judge Saris for June 25.
And while the companies involved will be engaged in figuring out what to tell the court about how much they lost financially, the loss for Gonzalez's family was evident in the courtroom Thursday and Friday. His parents and sister attended the hearings -- he sought them out when he entered the courtroom to offer them a smile, and Friday as he was led out, as they wiped tears away, he mouthed a "good-bye" to them.
Cybersecurity bill passes first hurdle
Senate Commerce Committee approves closely watched Cybersecurity Act
Jaikumar Vijayan
March 24, 2010 (Computerworld) A closely watched bill that promises to introduce some major changes on the federal cybersecurity front was approved by the Senate Commerce Committee today just days after it was introduced by Senators Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine).
The proposed legislation is called the Cybersecurity Act (S.773) and is a revised version of a bill that was originally introduced by the two Senators last year.
It seeks to improve national cybersecurity preparedness by fostering a closer collaboration between the government and private sector companies, which own a vast portion of the country's critical infrastructure.
The bill would require the President to work with owners of critical infrastructure systems to identify and properly classify IT systems whose disruption would threaten strategic national interests.
It would also require federal agencies that are involved in cybersecurity to share information with private sector operators of critical infrastructure networks.
The bill contains several provisions designed to encourage the growth of a trained and certified cybersecurity workforce, promote public awareness of cybersecurity issues and to foster and fund research leading to the development of new security technologies.
If passed, the bill would require agency heads to provide information on their cybersecurity workforce plans including recruitment, hiring and training details.
But a controversial provision in the original bill that would have given the president near complete authority to disconnect private and government networks from the Internet in the event of a cyber emergency has been removed in the new version of the bill.
Instead, the revised bill calls for the President to work with key executives in critical infrastructure industries to formulate an appropriate response in a cyber crisis.
The smooth passage of the bill through the Senate Commerce Committee is a sign of the broad bi-partisan support that the bill has garnered so far. Many see the legislation as vital to building the capabilities needed to respond to the array of cyber threats facing government, critical infrastructure and private industry these days.
In a statement, Mike Bregman, Symantec Corp.'s chief technology officer, lauded the passage of the bill out of committee. "The bill recognizes cybersecurity as a shared, public/private collaboration, led by private sector innovation and based on market-driven incentives," Bregman said.
The bill comes amid heightened concern in Washington over the recent attacks against Google and dozens of other high-tech companies apparently by operatives based in China.
The attacks have prompted calls for the U.S. to develop a formal cybersecurity strategy that is focused on shoring up defenses while building out cyber offensive capabilities.
The Rockefeller-Snowe legislation is one of two major bills that have been proposed in Congress recently. The other bill is called the International Cybercrime Reporting and Cooperation Act, and is sponsored by Sens. Kirsten Gillibrand (D-NY) and Orrin Hatch (R-UT).
The bill, introduced in the Senate earlier this week, seeks to curtail aid, financial help and trade programs with countries that are seen as havens for cybercriminals. It has already garnered industry support from the likes of American Express, Mastercard, Visa, eBay, Facebook, Microsoft and Cisco, Gillibrand's office said.
Meanwhile, a separate proposal is being floated among lawmakers and the U.S. State Department for the creation of an ambassador-level position for negotiating cyber-security matters at the United Nations and for ensuring the country has a consistent international policy on the issue.
Senate Commerce Committee approves closely watched Cybersecurity Act
Jaikumar Vijayan
March 24, 2010 (Computerworld) A closely watched bill that promises to introduce some major changes on the federal cybersecurity front was approved by the Senate Commerce Committee today just days after it was introduced by Senators Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine).
The proposed legislation is called the Cybersecurity Act (S.773) and is a revised version of a bill that was originally introduced by the two Senators last year.
It seeks to improve national cybersecurity preparedness by fostering a closer collaboration between the government and private sector companies, which own a vast portion of the country's critical infrastructure.
The bill would require the President to work with owners of critical infrastructure systems to identify and properly classify IT systems whose disruption would threaten strategic national interests.
It would also require federal agencies that are involved in cybersecurity, to share information with private sector operators of critical infrastructure networks.
The bill contains several provisions designed to encourage the growth of a trained and certified cybersecurity workforce, promote public awareness of cybersecurity issues and to foster and fund research leading to the development of new security technologies.
If passed, the bill would require agency heads to provide information on their cybersecurity workforce plans including recruitment, hiring and training details.
But a controversial provision in the original bill that would have given the President near-complete authority to disconnect private and government networks from the Internet in the event of a cyber emergency has been removed in the new version of the bill.
Instead, the revised bill calls for the President to work with key executives in critical infrastructure industries to formulate an appropriate response in a cyber crisis.
The smooth passage of the bill through the Senate Commerce Committee is a sign of the broad bi-partisan support that the bill has garnered so far. Many see the legislation as vital to building the capabilities needed to respond to the array of cyber threats facing government, critical infrastructure and private industry these days.
In a statement, Mike Bregman, Symantec Corp.'s chief technology officer, lauded the passage of the bill out of committee. "The bill recognizes cybersecurity as a shared, public/private collaboration, led by private sector innovation and based on market-driven incentives," Bregman said.
The bill comes amid heightened concern in Washington over the recent attacks against Google and dozens of other high-tech companies apparently by operatives based in China.
The attacks have prompted calls for the U.S. to develop a formal cybersecurity strategy that is focused on shoring up defenses while building out cyber offensive capabilities.
The Rockefeller-Snowe legislation is one of two major bills that have been proposed in Congress recently. The other bill is called the International Cybercrime Reporting and Cooperation Act, and is sponsored by Sens. Kirsten Gillibrand (D-NY) and Orrin Hatch (R-UT).
The bill, introduced in the Senate earlier this week, seeks to curtail aid, financial help and trade programs with countries that are seen as havens for cybercriminals. It has already garnered industry support from the likes of American Express, Mastercard, Visa, eBay, Facebook, Microsoft and Cisco, Gillibrand's office said.
Meanwhile, a separate proposal is being floated among lawmakers and the U.S. State Department for the creation of an ambassador-level position for negotiating cyber-security matters at the United Nations and for ensuring the country has a consistent international policy on the issue.
Data theft targets 3.3 million with student loans
Social security numbers, addresses taken, but not financial information
By Steve Karnowski
The Associated Press
updated 8:39 p.m. CT, Fri., March 26, 2010
MINNEAPOLIS - A company that guarantees federal student loans said Friday that personal data on about 3.3 million people nationwide has been stolen from its headquarters in Minnesota.
Educational Credit Management Corp. said the data included names, addresses, Social Security numbers and dates of birth of borrowers, but no financial or bank account information.
The data was on "portable media" that was stolen sometime last weekend, ECMC said in a statement. Company spokesman Paul Kelash wouldn't specify what was taken, citing the ongoing investigation, but said there were no indications of any misuse of the data.
The St. Paul-based nonprofit said it discovered the theft last Sunday and immediately contacted law enforcement, and made the theft public when it received permission from authorities. The Minnesota Bureau of Criminal Apprehension is leading the investigation.
ECMC said it has arranged with credit protection agency Experian to provide affected borrowers with free credit monitoring and protection services. Borrowers will be receiving letters from ECMC soon on how to sign up, gain access to fraud resolution representatives, and be provided with identity theft insurance coverage.
"We deeply regret that this incident occurred and the stress it has caused our borrowers and our partners and are doing everything we can to help protect our borrowers' identity and personal information," Richard Boyle, president and CEO of ECMC, said in the statement.
ECMC is a contractor for the U.S. Department of Education to provide collection and document management services. It guarantees student loans through the Federal Family Education Loan program, and provides support services for student loans that are in default or bankruptcy. The company can act as the guarantor, loan holder or loan servicer.
Department of Education spokesman Justin Hamilton said protecting student privacy is a top priority.
"We are working with ECMC to make sure that affected individuals are provided with resources to protect their information and to provide them with identity theft insurance," Hamilton said.
Those who believe they may be affected were encouraged to visit ECMC's Web site, or call 1-877-449-3568 beginning Saturday.
According to the Privacy Rights Clearinghouse, more than 347 million individuals have been affected by data privacy breaches at hundreds of government agencies, universities and businesses since 2005.
Associated Press writer Dorrie Turner contributed to this story from Atlanta.
Former TSA Worker Charged With Hacking
The Department of Justice indictment alleges that a former TSA employee tampered with servers containing data from the Terrorist Screening Database.
By Elizabeth Montalbano, InformationWeek
March 11, 2010
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=223500107
The Department of Justice has charged a Colorado man and former Transportation Security Administration (TSA) employee with trying to inject malicious code into TSA databases.
A federal jury indicted Douglas James Duchak, 46, of Colorado Springs, Colo., late Tuesday on two counts of intentionally attempting to damage a protected computer, according to a DoJ press release.
Duchak was an employee at the TSA's Colorado Springs Operations Center (CSOC) from August 2004 through Oct. 23, 2009. He worked as a data analyst in charge of updating TSA computers with information received from the federal government's Terrorist Screening Database and the U.S. Marshals Service Warrant Information Network.
On. 22, 2009, seven days after he was told his employment would be terminated on Oct. 30, Duchak injected unauthorized code into the CSOC server containing data from the U.S. Marshal's Service Warrant Information Network, the DoJ alleges. That action comprises the first count of the indictment.
The next day he allegedly tried to load malicious code onto a server that contained the Terrorist Screening Database, the action comprising the second count.
If convicted, Duchak faces up to 10 years in federal prison, and a fine of up to $500,000 -- $250,000 per count.
Duchak surrendered to U.S. Marshals Wednesday morning and appeared in court in the U.S. District Court in Denver that afternoon. He pleaded not guilty and was released on a $25,000 bond, according to the court.
The TSA has been tightening the belt on security lately after TSA screeners failed to catch a man who attempted to blow up a U.S. flight from Amsterdam to Detroit on Christmas day.
The TSA Office of Inspection, the Department of Homeland Security (DHS) Office of the Inspector General, and the FBI investigated the case, which is being prosecuted by Assistant U.S. Attorney Patricia Davies.
Pennsylvania CISO out of a job following RSA Conference appearance
Bob Maley, Pennsylvania's CISO since 2005, is out of a job, days after he joined a group of other state IT security chiefs on an RSA Conference panel and reportedly offered candid remarks about a recent data breach.
Gary Tuma, a spokesman for Gov. Ed Rendell, told SCMagazineUS.com on Thursday, that Maley was no longer employed by the state. He would not say whether he was fired.
"Beyond that, it's a personnel issue and we don't discuss it," he said.
Maley's final day in his $90,661-a-year post was Monday.
A call placed to Maley's cell phone went directly to voicemail.
During the panel at the RSA Conference last week in San Francisco, titled "The Front Lines: Cyber Security in the States," Maley was scheduled to join CISOs from California, Colorado and Nevada.
According to the conference agenda, the discussion was to center "on the challenges they face, the evolving nature of their state cybersecurity programs, and how government and industry are working together to make a difference. This session is very interactive featuring earnest discussion about how state CISOs manage their crucial role in cybersecurity."
But Maley may have gotten too earnest, according to reports. According to "The Public Eye with Eric Chabrow" blog, Maley offered frank details on a recent intrusion of the Pennsylvania Department of Transportation site where residents can schedule driver's license tests.
"We saw thousands of hits on our Department of Transportation driver license exam scheduling site coming out of Russia, the same thing over and over, scheduling driver license exams," he said during the panel, according to Chabrow's blog. "It was encrypted traffic, and we were trying to figure out what the heck was going on. Were they trying to test our systems? What exactly were they up to? The answer was, we really didn't know."
Maley told the audience that the hacker, who owned a driving school in Philadelphia, used a proxy server in Russia to mask his identity and then exploited a system bug so he could schedule exams for his students. Normally, the waiting list for available slots is up to six weeks.
Tuma said Maley's duties would be handled by other members of the security team. No replacement has been announced.
Maley, who was 53 last July when he spoke to SC Magazine for a cover story on data breach response, was instrumental in developing a statewide strategy for preventing data-leakage incidents after some 500,000 state records were compromised in 2007.
He and his team analyzed the threat landscape to determine what posed the most risk to the state's confidential records, Maley said in the story. The undertaking included encrypting any computers not housed in a secure facility, mainly laptops. But given Pennsylvania's investment in electronic government services, the main thrust of the project was testing web applications for vulnerabilities to hackers.
Maley, a former police officer in Harrisburg, Pa., was a finalist for this year's SC Magazine CSO of the Year award, which was won by his RSA panel-mate, Mark Weatherford of the state of California.
HSBC says thousands of customers were affected by data theft
Former IT employee tried to sell stolen customer details for more than £2m
Angelica Mari, Computing 11 Mar 2010
A former HSBC employee stole client data from the bank affecting up to 24,000 customers in Switzerland, it emerged today.
“The theft, which was perpetrated by a former IT employee about three years ago, involves approximately 15,000 existing clients who had accounts with the bank in Switzerland before October 2006,” HSBC said in a statement.
However, reports suggest that an additional 9,000 accounts were also affected.
Ex-staffer Herve Falciani copied the data onto a personal computer and left for France while under investigation. He was allegedly trying to sell the data for more than £2m.
Back in December, HSBC said that fewer than 10 clients were affected by the thefts, which took place in 2006 and 2007.
HSBC has been in touch with the customers concerned. The bank believes the stolen data will not allow unauthorised people to access those accounts, despite the fact that the incident could mean that some of the account holders affected could be risking prosecution by tax authorities.
"We deeply regret this situation and unreservedly apologise to our clients for this threat to their privacy," said Alexandre Zeller, chief executive of the Swiss subsidiary.
Lifelock Dinged $12 Million for Deceptive Business Practices
By Kim Zetter March 9, 2010 | 3:34 pm | Categories: Crime, Cybersecurity
The CEO of Lifelock, Todd Davis, became famous for advertising his Social Security number on television ads and billboards promising his $10 monthly service would protect consumers from identity theft.
The company also offered a $1 million guarantee to compensate customers for losses incurred if they became a victim of identity theft after signing up for the service.
But the Federal Trade Commission said Tuesday that the claims were bogus and accused Lifelock, based in Arizona, of operating a scam and con operation. The commission announced, along with 35 state attorneys general, that it had levied a fine of $12 million against the company for deceptive business practices and for failing to secure sensitive customer data. Of that amount, $11 million will go to refund customers who subscribed to the service. Consumers will receive a letter from the FTC and their attorney general explaining how to take part in the settlement.
The FTC said that Lifelock, which advertises itself as “#1 In Identity Theft Protection,” engaged in false advertising by promising customers that if they signed up with its service their personal information would become useless to thieves.
“In truth, the protection they provided left such a large hole … that you could drive that truck through it,” said FTC Chairman Jon Leibowitz, referring to a Lifelock TV ad showing a truck painted with the CEO’s Social Security number driving around city streets.
The company, he said, used scare tactics to convince potential customers they would be unprotected from identity theft without its service, and warned them in letters that they were at a high risk of identity theft.
“I was a recipient of one letter,” Illinois Attorney General Lisa Madigan said.
For the annual subscription fee, Lifelock promised customers that it would place fraud alerts on their credit accounts with the three credit reporting agencies. As a result, the company said, thieves would not be able to open unauthorized credit or bank accounts in their name.
But Leibowitz said the promises were deceptive because thieves could still rack up unauthorized charges on existing accounts — the most common type of identity theft. The service also couldn't prevent thieves from obtaining a loan in a Lifelock customer's name.
In fact, Lifelock CEO Davis was the victim of identity theft in 2007 when a thief used his widely advertised Social Security number to obtain a $500 loan in Davis’ name.
Lifelock also promised customers that sensitive data they provided the company to perform its protection services — such as their Social Security number, name and address and bank card information — would be encrypted and protected in other ways on Lifelock’s servers and accessed only by authorized employees on a need-to-know basis.
“Your documents, while in our care, will be treated as if they were cash,” the company promised.
In truth, the FTC said, until at least September 2007, the company failed to provide “reasonable and appropriate security to prevent unauthorized access to personal information stored on its corporate network” either in transit through the network, stored in a database or transmitted over the internet.
None of the data was encrypted, said the FTC, either in storage or in transit. The company also had poor password management practices for employees and vendors who accessed the information. Lifelock also failed to limit access to sensitive data to only those people who needed access.
What’s more, the company failed to apply critical security patches and updates to its network and “failed to employ sufficient measures” to detect and prevent unauthorized access to its network, “such as by installing antivirus or antispyware programs on computers used by employees to remotely access the network or regularly recording and reviewing activity on the network,” the complaint said.
The latter is particularly ironic. Lifelock often promoted its services to companies that experienced data breaches, convincing them to offer a complimentary Lifelock subscription to people whose data was compromised in a breach. All the while, the FTC claims, Lifelock was making its own customer information vulnerable to a breach.
“As a result of these practices, an unauthorized person could obtain access to personal information stored on defendants’ corporate network, in transit through defendants’ corporate network or over the internet, or maintained in defendants’ offices,” according to the complaint.
According to the terms of an FTC settlement agreement with Lifelock to settle the allegations, the company must inform consumers about the limitations of its service. The company will also have to implement a data security program to protect the customer data it handles.
“As long as the company is honest and up front and lets consumers know what they’re getting and has adequate security safeguards for customer information, we wish them well,” said Leibowitz.
Lifelock said in a statement that, in October, it "rolled out the next generation of identity theft protection services that provide even better and broader protection to its valued members." The company added that its new-and-improved service, which was not the subject of the FTC inquiry, has prevented more than 5,000 fraudulent credit applications.
The company and its owners have been at the center of controversy for a number of years. According to an investigative report by the Phoenix New Times in 2007, Lifelock co-founder Robert Maynard Jr. was suspected at one time of being an identity thief himself and stealing his father's identity to obtain an American Express card. He had also been the target of another FTC investigation involving a previous business venture unrelated to Lifelock. Maynard resigned from the company after news of his past was published, but he continued to work for the firm as a contractor.
Read more: http://www.wired.com/threatlevel/2010/03/lifelock-accused-of-running-con-operation/
By Kim Zetter March 9, 2010 | 3:34 pm | Categories: Crime, Cybersecurity
The CEO of Lifelock, Todd Davis, became famous for advertising his Social Security number on television ads and billboards promising his $10 monthly service would protect consumers from identity theft.
The company also offered a $1 million guarantee to compensate customers for losses incurred if they became a victim of identity theft after signing up for the service.
But the Federal Trade Commission said Tuesday that the claims were bogus (.pdf) and accused Lifelock, based in Arizona, of operating a scam and con operation. The commission announced, along with 35 state attorneys general, that it had levied a fine of $12 million against the company for deceptive business practices and for failing to secure sensitive customer data. Of that amount, $11 million will go to refund customers who subscribed to the service. Consumers will receive a letter from the FTC and their attorney general explaining how to take part in the settlement.
The FTC said that Lifelock, which advertises itself as “#1 In Identity Theft Protection,” engaged in false advertising by promising customers that if they signed up with its service their personal information would become useless to thieves.
“In truth, the protection they provided left such a large hole … that you could drive that truck through it,” said FTC Chairman Jon Leibowitz, referring to a Lifelock TV ad showing a truck painted with the CEO’s Social Security number driving around city streets.
The company, he said, used scare tactics to convince potential customers they would be unprotected from identity theft without its service, and of warning them in letters that they were at a high risk of identity theft.
“I was a recipient of one letter,” Illinois Attorney General Lisa Madigan said.
For the annual subscription fee, Lifelock promised customers that it would place fraud alerts on their credit accounts with the three credit reporting agencies. As a result, the company said, thieves would not be able to open unauthorized credit or bank accounts in their name.
But Leibowitz said the promises were deceptive because thieves could still rack up unauthorized charges on existing accounts — the most common type of identity theft. It also couldn’t protect thieves from obtaining a loan in a Lifelock customer’s name.
In fact, Lifelock CEO Davis was the victim of identity theft in 2007 when a thief used his widely advertised Social Security number to obtain a $500 loan in Davis’ name.
Lifelock also promised customers that sensitive data they provided the company to perform its protection services — such as their Social Security number, name and address and bank card information — would be encrypted and protected in other ways on Lifelock’s servers and accessed only by authorized employees on a need-to-know basis.
“Your documents, while in our care, will be treated as if they were cash,” the company promised.
In truth, the FTC said, until at least September 2007, the company failed to provide “reasonable and appropriate security to prevent unauthorized access to personal information stored on its corporate network” either in transit through the network, stored in a database or transmitted over the internet.
None of the data was encrypted, said the FTC, either in storage or in transit. The company also had poor password management practices for employees and vendors who accessed the information. Lifelock also failed to limit access to sensitive data to only those people who needed access.
What’s more, the company failed to apply critical security patches and updates to its network and “failed to employ sufficient measures” to detect and prevent unauthorized access to its network, “such as by installing antivirus or antispyware programs on computers used by employees to remotely access the network or regularly recording and reviewing activity on the network,” the complaint said.
The latter is particularly ironic. Lifelock often promoted its services to companies that experienced data breaches, convincing them to offer a complimentary Lifelock subscription to people whose data was compromised in a breach. All the while, the FTC claims, Lifelock was making its own customer information vulnerable to a breach.
“As a result of these practices, an unauthorized person could obtain access to personal information stored on defendants’ corporate network, in transit through defendants’ corporate network or over the internet, or maintained in defendants’ offices,” according to the complaint.
According to the terms of an FTC settlement agreement with Lifelock to settle the allegations, the company must inform consumers about the limitations of its service. The company will also have to implement a data security program to protect the customer data it handles.
“As long as the company is honest and up front and lets consumers know what they’re getting and has adequate security safeguards for customer information, we wish them well,” said Leibowitz.
Lifelock said in a statement that, in October, it “rolled out the next generation of identity theft protection services that provide even better and broader protection to its valued members.” The company added that its new-and-improved service, which was not the subject of the FCC inquiry, has prevented more than 5,000 fraudulent credit applications.
The company and its owners have been at the center of controversy for a number of years. According to an investigative report by the Phoenix New Times in 2007, Lifelock co-founder Robert Maynard Jr. was at one time suspected of being an identity thief himself, having allegedly stolen his father’s identity to obtain an American Express card. He had also been the target of another FTC investigation involving a previous business venture unrelated to Lifelock. Maynard resigned from the company after news of his past was published, but he continued to work for the firm as a contractor.
Read More: http://www.wired.com/threatlevel/2010/03/lifelock-accused-of-running-con-operation/
LifeLock Will Pay $12 Million to Settle Charges by the FTC
LifeLock Will Pay $12 Million to Settle Charges by the FTC and 35 States That Identity Theft Prevention and Data Security Claims Were False
LifeLock, Inc. has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services, which it widely advertised by displaying the CEO’s Social Security number on the side of a truck.
In one of the largest FTC-state coordinated settlements on record, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers.
“While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it,” said FTC Chairman Jon Leibowitz.
“This agreement effectively prevents LifeLock from misrepresenting that its services offer absolute prevention against identity theft because there is unfortunately no foolproof way to avoid ID theft,” Illinois Attorney General Lisa Madigan said. “Consumers can take definitive steps to minimize the chances of having their personal information stolen, and this settlement will help them make more informed decisions about whether to enroll in ID theft protection services.”
Since 2006, LifeLock’s ads have claimed that it could prevent identity theft for consumers willing to sign up for its $10-a-month service.
According to the FTC’s complaint, LifeLock has claimed:
“By now you’ve heard about individuals whose identities have been stolen by identity thieves . . . LifeLock protects against this ever happening to you. Guaranteed.”
“Please know that we are the first company to prevent identity theft from occurring.”
“Do you ever worry about identity theft? If so, it’s time you got to know LifeLock. We work to stop identity theft before it happens.”
The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. It also allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs. And even for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection. They alert creditors opening new accounts to take reasonable measures to verify that the individual applying for credit actually is who he or she claims to be, but in some instances, identity thieves can thwart even reasonable precautions.
New account fraud, the type of identity theft for which fraud alerts are most effective, comprised only 17 percent of identity theft incidents, according to an FTC survey released in 2007.
The FTC’s complaint further alleged that LifeLock also claimed that it would prevent unauthorized changes to customers’ address information, that it constantly monitored activity on customer credit reports, and that it would ensure that a customer always would receive a telephone call from a potential creditor before a new account was opened. The FTC charged that those claims were false.
In addition to its deceptive identity theft protection claims, LifeLock allegedly made claims about its own data security that were not true. According to the FTC, LifeLock routinely collected sensitive information from its customers, including their social security numbers and credit card numbers. The company claimed:
“Only authorized employees of LifeLock will have access to the data that you provide to us, and that access is granted only on a ‘need to know’ basis.”
“All stored personal data is electronically encrypted.”
“LifeLock uses highly secure physical, electronic, and managerial procedures to safeguard the confidentiality and security of the data you provide to us.”
The FTC charged that LifeLock’s data was not encrypted, and sensitive consumer information was not shared only on a “need to know” basis. In fact, the agency charged, the company’s data system was vulnerable and could have been exploited by those seeking access to customer information.
The FTC and state settlements with LifeLock bar deceptive claims, and prohibit the company from misrepresenting the “means, methods, procedures, effects, effectiveness, coverage, or scope of any identity theft protection service.” They also bar misrepresentations about the risk of identity theft, and the manner and extent to which LifeLock protects consumers’ personal information. In addition, the settlements require LifeLock to establish a comprehensive data security program and obtain biennial independent third-party assessments of that program for twenty years.
The Attorneys General of Alaska, Arizona, California, Delaware, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Mississippi, Montana, Nebraska, Nevada, New Mexico, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Vermont, Virginia, Washington, and West Virginia participated in this settlement.
In addition to LifeLock, the FTC complaint named co-founders Richard Todd Davis and Robert J. Maynard, Jr., who will be barred from the same misrepresentations as LifeLock.
The Commission vote to authorize staff to file the complaint and the settlement with LifeLock and Richard Todd Davis was 4-0. The Commission vote to authorize staff to file the settlement with Robert J. Maynard, Jr. was 3-1, with Commissioner J. Thomas Rosch dissenting. The documents were filed in the U.S. District Court for the District of Arizona.
The FTC will use the $11 million it receives from the settlements to provide refunds to consumers. It will be sending letters to the current and former customers of LifeLock who may be eligible for refunds under the settlement, along with instructions for applying. Customers do not have to contact the FTC to be eligible for refunds. Up-to-date information about the redress program can be found at 202-326-3757 and at www.ftc.gov/lifelock.
NOTE: The Commission files a complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaint is not a finding or ruling that the defendant has actually violated the law. Stipulated judgments are for settlement purposes only and do not constitute an admission by the defendant of a law violation. Consent judgments have the force of law when signed by the judge.
In addition to announcing the LifeLock case, the FTC’s Northeast Regional Office sponsored an event to kick off National Consumer Protection week. The goal was to alert consumers to the top complaint categories in the Northeast Region and to arm consumers with the tools to recognize and protect themselves against all types of fraud. Also participating were the Better Business Bureau serving Metropolitan New York, the New York Attorney General’s Office, the New York City Department of Consumer Affairs, and AARP.
The Federal Trade Commission works for the consumer to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, click http://www.ftccomplaintassistant.gov or call 1-877-382-4357. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to more than 1,700 civil and criminal law enforcement agencies in the U.S. and abroad. For free information on a variety of consumer topics, click http://www.ftc.gov/bcp/consumer.shtm.
Wyndham Hotel group hacked over three-month period
Wyndham Hotel group hacked over three-month period to leave customer credit card data compromised
Dan Raywood, March 01 2010
Guests of Wyndham Hotels may have had their card details compromised following intervention by a hacker in late January.
In an open letter posted on its website, senior vice president of enterprise compliance and employment counsel at Wyndham Worldwide, Kirsten Hotchkiss, said that it ‘discovered that a sophisticated hacker penetrated the computer systems of one of the Wyndham Hotels and Resorts (WHR) data centres over a three-month period’.
She confirmed that guest names and card numbers, expiration dates and other data from the card's magnetic stripe were compromised. However, because only payment card information was compromised, she said she could not at this time confirm the identities of the individuals whose card information may have been acquired, although no criminal identity theft related to the use of the consumer data had been identified at the time of posting.
She said: “By going through the centralised network connections, the hacker was able to access and download information from several, but not all, of the WHR hotels and remove payment card information of a small percentage of our WHR customers. The incident did not affect any of the other branded hotels in the Wyndham Hotel Group system.”
Wyndham said that the data was moved off-site between late October 2009 and January 2010, when the incident was discovered. It said that it became aware of the incident only after guests reported that their cards had been stolen and used fraudulently after staying at one of the WHR hotels.
It responded by shutting down the impacted server and terminating all traffic to the offsite URL. A PCI (Payment Card Industry) assessment firm has been retained to perform a forensic investigation of the incident, which includes a review of certain hotel property servers, while the Secret Service and payment card companies have been notified.
It said that the full investigation is expected to take more than eight weeks, and it is expected to identify those guests affected by the end of March. “Wyndham prides itself on providing exceptional value for our guests. We deeply regret this incident occurred and we will work hard to restore your confidence in our brand,” said Hotchkiss.
Commenting, Steve Moyle, co-founder and CTO at Secerno, said that this incident, and the response, creates more questions about how exactly this company is safeguarding all data and what rights (if any) customers have to knowledge of data theft affecting their accounts.
He said: “In its FAQs, the hotel states that guests who had stayed at a Wyndham hotel contacted the chain regarding fraudulent use of their cards. Based on this feedback, the hotel went back through its system and discovered the breach.
“In simple terms, the hotel was not aware of the breach until the data had been stolen and used fraudulently. It would seem that the next logical step that the chain would take would be to notify all of the owners of the compromised data, which the hotel has identified.
“What Wyndham did instead is to inform the Secret Service and to provide the card information to the credit card companies, advising them to watch for suspicious activity. Wyndham claims that it does not have the addresses of the affected individuals so it cannot contact them. It would seem that the hotel chain is shifting the burden to the card companies and doing only what is legally required.
“The people who suffer are the customers, who need to check their bills for fraudulent charges or hope that the card companies are checking for suspicious activity. It would seem that every customer should have the right to know immediately if his/her data has been stolen.
“As for the hotel's mention of hiring a PCI firm to check the revised security, the hotel could very well have been PCI compliant at the time of the breach. PCI does not equal safe data.”
Wyndham hotels hacked again
Robert McMillan
February 26, 2010 (IDG News Service) Hackers broke into computer systems at Wyndham Hotels & Resorts recently, stealing sensitive customer data.
The break-in occurred between late October 2009 and January 2010, when it was finally discovered. It affected an undisclosed number of company franchisees and hotel properties that Wyndham manages. Wyndham has acknowledged the incident in a note posted to its Web site.
"A hacker intruded on our systems and accessed customers' information from a limited number of franchised and managed properties," the company said. "The hacker was able to move some information to an off-site URL before we discovered the intrusion."
Hackers were able to steal data required for credit card fraud, the company said, including "guest names and card numbers, expiration dates and other data from the card's magnetic stripe."
Wyndham did not say how many hotels were hacked or how many customers were affected. The company did not return messages seeking comment Friday.
This is the third data breach reported by Wyndham in the past year. Last February, Wyndham said that hackers stole tens of thousands of credit card numbers between July and August 2008.
In that case, criminals hacked into a Wyndham franchisee and then stole data from a central company server.
Wyndham, which operates Days Inn, Ramada and Super 8 motels, warned customers of a second breach in August 2009.
The company has not yet notified victims of this latest incident, but expects to begin doing so by the end of March, when it has concluded the investigation.
HHS Posts List of Reported Health Data Breaches
--HHS Posts List of Reported Health Data Breaches (February 23, 2010) The US Department of Health and Human Services (HHS) has posted a list of organizations that have suffered breaches of unsecured protected health information affecting 500 or more individuals. The posting of the list is required under the HITECH Act. HHS breach notification rules require that organizations report such breaches to HHS and the media within 60 days. Breaches affecting fewer than 500 people must be reported annually. The list includes 36 separate breaches and affects more than 1 million individuals; the majority of the breaches involved computer theft, unauthorized access and missing or stolen data storage devices.
Intel Acknowledges January Breach
--Intel Acknowledges January Breach
(February 23, 2010)
Intel has acknowledged in a Securities and Exchange Commission (SEC) filing that it was targeted by a "sophisticated" attack in January. The disclosure was made in a section of the filing that describes incidents and circumstances that could potentially have adverse effects on the company's bottom line. An Intel spokesperson says that while the attack occurred around the same time as the attacks against Google and other US companies, there is no hard evidence linking the Intel attack to the others. He also said that attackers attempt to gain access to Intel's systems on a "very regular" basis.
Thursday, February 25, 2010
Top 9 Breaches of 2009
Linda McGlasson, Managing Editor
December 14, 2009
The top breaches of 2009 can be described in many ways, but the first word that comes to mind is "big."
With the announcement in January of the breach that surpassed the 2005 TJX breach, Heartland Payment Systems leads all of the hacks that hit or affected the financial services industry in 2009.
Here's the chronological list of the biggest breaches of 2009, and updates in the various cases since they were first announced:
1. Heartland Payment Systems
Princeton, NJ
Date: January 20
Records Taken: 130 million credit and debit card account numbers
Heartland Payment Systems announced on Jan. 20 that its network had been breached. The payment processor handles transactions for 250,000 merchants. Subsequently, it was revealed through indictments that 130 million credit/debit cards were compromised by the breach. While the outcome of several class action lawsuits has not been decided yet, the criminal accused of perpetrating the hack, Albert Gonzalez, of Miami, FL, was indicted in August and is prepared to plead guilty. Financial institutions will watch closely the developments in the class action suits as they move through the courts in 2010.
2. RBS WorldPay
Atlanta, GA
Date: November 2008/February 4, 2009
Records Taken: 1.5 million credit and debit cards
In February 2009 the FBI was still searching for suspects in what was being called a well-orchestrated ATM card scam when the true extent of RBS WorldPay's hack was revealed. In a news report on February 4, the FBI said that a network of thieves withdrew $9 million from 130 ATMs in 49 cities around the world just after midnight on November 8, using cloned cards created from data stolen in the RBS WorldPay hack. Eight men from Eastern Europe were indicted for the crime in November 2009 and face stiff fines and lengthy jail sentences if convicted.
3. Countrywide Financial
Fort Worth, TX
Date: May 4, 2009
Records Taken: 4,000 account numbers
A man posing as an Air Force reservist appears to have obtained thousands of account numbers from Countrywide Financial in Fort Worth, TX. Investigators traced the case to his accomplice, a customer service representative. The Air Force impostor stole $500,000.
4. Chase Bank
New York, NY
Date: May 18, 2009
Records Taken: Unknown
Four Romanian men were arrested in Florida after being accused of skimming an ATM at a Central New York Chase Bank branch. Police say several customers who used the ATM at a Chase Bank in Cicero later found that cash had been withdrawn from their accounts at ATMs in New York City, totaling about $40,000. A skimmer was found in the card slot of the machine.
5. Network Solutions
Herndon, VA
Date: June 8, 2009
Records Taken: 573,000 credit and debit cardholders' information
A data breach at Internet domain administrator and host Network Solutions compromised personal and financial data for more than 573,000 credit and debit cardholders. To add more pain to the breach, Network Solutions says it was PCI compliant at the time of the breach.
The breach was the result of hackers planting rogue code on the company's Web servers used to host mostly small online stores, intercepting financial transactions between the sites and their customers.
6. American Express
Phoenix, AZ
Date: July 7, 2009
Records Taken: Thousands of card numbers
Two Phoenix men are accused of stealing thousands of American Express card numbers and swindling more than $1 million from customers. During their investigation, police discovered that a former employee had not only worked as a computer database analyst for American Express, but was one of the few people who could possibly have downloaded all of the account holders' information, including the PINs used to withdraw money from ATMs at various banks, according to court records.
7. Capital One Bank
Minneapolis, MN
Date: September 6, 2009
Records taken: Unknown number of bank customer accounts
Prosecutors in Minneapolis say that between July 2008 and April 2009 a crime ring purchased the personal information of Capital One Bank customers from an online source in Ukraine. They say the group then used the information to create counterfeit credit card accounts, withdrawing more than $652,205.49 from more than 170 ATMs throughout the Twin Cities. Eleven people have been charged in the counterfeit credit card scheme, eight of whom are in custody.
8. PayChoice
Moorestown, NJ
Date: October 15, 2009
Records Taken: Unknown
PayChoice, a New Jersey-based payroll processor, alerted its online customers on October 15 that its network had been breached for a second time in less than a month. The payroll processing company warned its customers by email about the new breach after some clients reported "phantom" employees showing up on their payrolls.
9. Bank of New York Mellon
New York, NY
Date: October 28, 2009
Records Taken: 150 identities of employees
A computer technician was indicted in New York Supreme Court, charged with stealing the identities of more than 150 Bank of New York Mellon employees and using them to steal more than $1.1 million from charities, non-profit groups and other entities.
Adeniyi Adeyemi, a 27-year-old man from Brooklyn, was charged with grand larceny and identity theft. Prosecutors say Adeyemi worked in the bank's Information Technology Department and committed the crimes between November 2001 and April 30, 2009. He is accused of stealing the identities of dozens of employees and using them to open more than 30 bank and brokerage accounts with several financial institutions including E*Trade, Fidelity, Citi, Wachovia and Washington Mutual.
Heartland Pays $3.6 Million to American Express
First Settlement to Result from Landmark Data Breach
Linda McGlasson, Managing Editor
December 18, 2009
Heartland Payment Systems will pay $3.6 million to American Express to settle charges relating to Heartland's landmark data breach.
The payment, Heartland says in a press release announcing the settlement, resolves "all intrusion-related issues between the two parties" regarding the breach of an estimated 130 million credit and debit cards.
"We are pleased to have reached an equitable settlement with American Express," says Bob Carr, Heartland's chairman and chief executive officer. "This settlement marks the first agreement with a card brand related to the intrusion."
The U.S. Department of Justice has charged Albert Gonzalez and other accomplices with the Heartland attack, and says that Heartland was only one of several companies that Gonzalez and the other hackers targeted with SQL injection attacks.
The other companies hacked include 7-Eleven and Hannaford Brothers. Credit card companies, including American Express, Visa and MasterCard, were forced to cancel and reissue credit cards because of the Heartland data breach. Banks and credit unions have also sued the payments processor to recoup the costs of reissuing cards and to cover the cost of fraud that resulted from the breach.
Earlier this year, Heartland said it had put aside more than $12 million to cover the charges related to the breach. Heartland is expected to be fined by other brands, including Visa and MasterCard.
Flagstar Bank Warns Customers of Potential Breach
Vendor Lost Laptop Holding Social Security Numbers
Linda McGlasson, Managing Editor
December 8, 2009
A missing laptop may have caused a security breach at Flagstar Bank in Grand Rapids, MI, according to a letter the bank sent to some of its customers on Nov. 25.
The bank's letter tells customers that a laptop owned by an unidentified bank vendor was stolen and held an undisclosed number of customer social security numbers.
"We have no reason to believe that the files with this information will be accessed or used inappropriately," says the letter. "However, in the interest of caution, we felt it was important to inform you of this incident. We also have taken steps to place an alert on your home equity checking account and other deposit accounts in our system."
Letters were sent only to customers who may have been affected. According to a bank official, the vendor is a company that helps Flagstar with bank services.
Flagstar Bank, based in Troy, MI, has 180 branches in Michigan, Indiana and Georgia and assets of more than $16 billion.
HSBC Reports Accidental Exposure of Customer Bankruptcy Info
Software 'Bug' Revealed Personal Data Online
Linda McGlasson, Managing Editor
December 9, 2009
An undisclosed number of HSBC customers had personal data exposed online about their bankruptcy proceedings, according to a data breach notification letter dated November 20 and sent to the New Hampshire attorney general's office. The letter was made public last week.
The bank says a bug in its imaging software, which should have redacted sensitive data about customers going through Chapter 13 bankruptcy proceedings, ended up exposing the proof of claim forms that were filed electronically. The "bug" was discovered by HSBC Taxpayer Financial Services, Inc. on July 9, 2009. The notification letter says the information turned out to be viewable "as a result of the deficiency in the software used to save imaged documents." The exposed data included claim forms filed between May 1, 2007 and October 17, 2009.
HSBC did not say what the problem was with the imaging software, but says a limited number of customers were affected. The company sent letters to affected customers in October and is offering them one year of free credit monitoring.
Some customers of the following HSBC companies are affected: HSBC Taxpayer Financial Services, Beneficial New Hampshire and Household Finance Corporation. The exposed data may include HSBC credit card, line-of-credit or mortgage information, the company says.
Based in London, HSBC is one of the largest banking and financial services companies in the world. HSBC lists assets of more than $390 billion, according to the Federal Reserve's list of top 50 Bank Holding Companies.
Analysis of Breach
If the exposed data was truly due to a "bug" in the software, then there isn't much HSBC could have done technically, says Matt Davis, Audit and Compliance principal practice lead at SecureState, a Cleveland, OH-based risk management assessment firm. "In most cases, these 'bugs' are actually misconfigurations of the software," Davis says.
Often, Davis adds, vendors are required to provide a technical implementation guide that says how to install software properly. "When doing PCI DSS audits, it's one of the first things I look for with clients using commercial software -- to see if they have that guide and followed it," he says. "Unlike electronics manuals, in these cases, you definitely need to read the instructions."
What HSBC should have done, he says, is some sort of audit or assessment of the application to ensure the effectiveness of the encryption/redact controls. "It's the old 'trust but verify.' If you think about it, the testing necessary was simply sampling the records. It's a bit sad really, as it looks like they were trying to do the right thing."
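Davis's "trust but verify" point, sampling the stored records and checking that the redaction control actually held, as an added example that is not HSBC's or SecureState's code. The claim-form texts, document IDs and identifier patterns are constructed assumptions, and the check runs over each document's extracted text layer, not over image pixels.

```python
"""Sampling audit of redacted proof-of-claim documents.

Picks a random sample of stored documents and flags any that still contain
an unredacted SSN or a Luhn-valid card number, the way a control test of
an imaging/redaction pipeline would. Added example; constructed inputs.
"""
import random
import re

# Unredacted SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (card numbers)."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_leaks(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for identifiers that should have been redacted."""
    leaks = []
    for m in SSN_RE.finditer(text):
        leaks.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):     # drop case numbers and other digit runs
            leaks.append(("card", digits))
    return leaks


def audit_sample(docs: dict[str, str], sample_size: int, seed: int = 0) -> dict:
    """Sample up to sample_size documents and report the ones that leak.

    A non-empty 'findings' means the redaction control is not effective.
    """
    rng = random.Random(seed)
    ids = sorted(docs)
    chosen = rng.sample(ids, min(sample_size, len(ids)))
    findings = {doc_id: find_leaks(docs[doc_id]) for doc_id in chosen}
    failed = {doc_id: leaks for doc_id, leaks in findings.items() if leaks}
    return {"sampled": len(chosen), "failed": len(failed), "findings": failed}


# Constructed text layers of four stored claim forms (hypothetical IDs).
SAMPLE_DOCS = {
    "claim-0001": "Chapter 13 proof of claim. Debtor SSN XXX-XX-6789. "
                  "Case no. 09-12345. Amount claimed $12,345.67.",
    "claim-0002": "Chapter 13 proof of claim. Debtor SSN 123-45-6789. "
                  "Case no. 09-12346. Amount claimed $8,200.00.",
    "claim-0003": "Chapter 13 proof of claim. Debtor SSN XXX-XX-4321. "
                  "Account ending in 4111 1111 1111 1111. Filed 05/01/2007.",
    "claim-0004": "Chapter 13 proof of claim. Debtor SSN XXX-XX-0042. "
                  "Account ending in 1111. Filed 10/17/2009.",
}

if __name__ == "__main__":
    report = audit_sample(SAMPLE_DOCS, sample_size=10)
    print(f"sampled={report['sampled']} failed={report['failed']}")
    for doc_id, leaks in report["findings"].items():
        print(doc_id, leaks)
```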
Phishing Scam Expands to Three More States
Bank, Credit Union Customers Fooled by Bogus Text Messages
Linda McGlasson, Managing Editor
December 7, 2009
Banking customers in three additional states have received bogus text messages purporting to be from their institutions.
As part of a growing wave of similar phishing attempts throughout the nation, customers in Cincinnati, Ohio; St. Louis, Missouri; and Lewiston, Idaho last week reported receiving text messages stating that their bank accounts had been frozen.
These attacks mirror those against bank customers in October in Pennsylvania, Nebraska and New York, and are part of a continuing wave of phishing attacks that have shot up 600 percent over last year, according to the Anti-Phishing Working Group.
In Ohio, one Cincinnati US Bank customer told law enforcement about receiving the text message, calling the phone number listed and then giving out an account number, expiration date and PIN. The next day, the customer became suspicious and called the number again and heard the following message: "This is a message from the Federal Trade Commission. The telephone number you've just called has been disconnected because it may be involved in a scam."
The customer called US Bank, had the card replaced and didn't lose any money. Law enforcement reported a number of banks had been targeted in the scam.
Similar reports come in from Bridgeton, MO-based Vantage Credit Union customers who reported to the credit union they received the text message phishing scam.
According to Eric Acree, executive vice president at Vantage, the phishers began sending fake text messages over the weekend. Phishing scammers have posed as the credit union before, and Vantage is trying to educate customers about its security procedures, Acree says. When the number in the text message was checked early last week, the recording stated that it, too, had been disconnected by the FTC.
The Idaho Credit Union League (ICUL) also warned its membership about the text message scam. According to a news release from the group, early last week several credit unions reported that their members and non-members had received text messages requesting that they send their account information because "restrictions have been discovered/placed on your account."
The credit union league says these text messages appear to have originated from the credit union's phone number and web address, but in fact are fraudulent. Potlatch No. 1 Federal Credit Union was reportedly one of the credit unions targeted by the scam.
ATM Fraud: New Skimming Scheme Spreads
MD, IL, GA Banks, Customers Targeted by Fraudsters
Linda McGlasson, Managing Editor
December 7, 2009
Three ATM skimming operations in Maryland, Illinois and Georgia have netted thieves more than $120,000, according to law enforcement agencies investigating the crimes. These discoveries follow several recent incidents of ATM skimming in other states.
Maryland State Police report that an ATM skimmer was placed on a Bank of America ATM in Eldersburg, MD, and that possibly $30,000 was taken last week. Police have removed the skimmer, but say there could be more. State police have reported other incidents at various other banks in Northern Virginia and Maryland. Two men reportedly were photographed installing the skimming device, which collected card information from customers. The men then came back, removed the device, made counterfeit ATM cards with the stolen information and withdrew money.
In Illinois, thieves used a Bank of America ATM to steal $20,000. Police report the criminals installed a skimming device on a drive-up ATM in Mt. Prospect. The skimmer reportedly was used on Oct. 11, 12, 24, and 25, as well as Nov. 26-29 to steal $20,192 from 316 debit card accounts. The criminals removed the skimmer before employees could find it. Several bank customers complained Monday, Nov. 30, about unauthorized withdrawals.
That report came a week after a similar ploy in Buffalo Grove, where more than $70,000 was taken from an ATM at a Chase Bank branch. Chase Bank officials told police that security video recorded two suspects placing a camera and recording device on the ATM inside the lobby of the bank on November 14. The two then returned on Nov. 16 and used account information that was recorded to withdraw funds from multiple accounts.
The Savannah-Chatham, GA, Metro Police report they were tipped off to two skimming incidents.
Detective Ray Woodberry of the Savannah-Chatham Metro Police says they have seen three reports of skimming over the past few months, including the most recent one at a Bank of America ATM on Victory Drive in Savannah.
Woodberry reports an ATM technician discovered the skimming devices at the Bank of America and reported it to police. There is no word yet how many customers may have been victimized by thieves.
Hancock Fabrics Linked to Fraud in 3 States
CA, WI and MO Investigators Say Recent Thefts Tied to Retailer's Transactions
Linda McGlasson, Managing Editor
November 23, 2009
Bank customers in California, Wisconsin and Missouri are reporting fraudulent ATM withdrawals that police say are tied to transactions conducted with the Hancock Fabrics retail chain.
In California, Napa Police Department spokesman Brian McGovern says 60 residents reported their cards being used by thieves. In one case, a Napa resident reported $840 in cash withdrawals. The Hancock Fabrics store on Imola Avenue in Napa was the "common thread" among the numerous people who reported credit and debit card fraud. McGovern says the store had recently replaced its point-of-sale machines.
At about the same time, as many as 70 Wisconsin victims reported suspicious ATM withdrawals from their accounts, according to Wood and Portage county law enforcement, which also ties the thefts to machines in Hancock Fabrics stores.
And in Missouri, at least 10 customers of Hancock Fabrics in the St. Louis area reported that their debit card numbers and PINs were stolen during the week of November 9.
Hancock Fabrics (HFKI) is a Baldwyn, MS-based fabrics and sewing supplies retailer, operating 264 retail stores in 37 states. Hancock has so far not responded to repeated calls inquiring about these breaches and their possible link to the retailer.
California Crimes
Charter Oak Bank in California had four customers report money missing from their accounts, says Tom Ragusa, vice president and compliance officer.
Losses from the four customers are under $10,000, Ragusa says, and the bank has issued new cards to the customers. The bank has also contracted with its core service provider, Jack Henry, to put new controls on transactions, including IP address restrictions. The bank also will hold a fraud presentation for its cash management customers to educate them about these and other types of fraud.
"We're monitoring our customers' accounts, and time will tell how many more will be affected," he says. "Some customers don't look at their statements, so we don't know until they come forward."
The Napa Police Department has also received information from the Sacramento County Sheriff's Department of tampering in at least five card swipe machines at other Hancock Fabric locations, McGovern says.
Wisconsin Spree
In Wisconsin, the cash withdrawals came over several days from the Milwaukee area in mid-October from customers who made purchases at Hancock Fabrics stores in August and September, says Portage Sheriff's Department Detective Gary Koehmstedt.
He estimates the total loss is in the $40,000 range. It appears that the thefts are related to ones that occurred in Napa and in Sacramento over the same weekend, Koehmstedt notes.
Missouri Thefts
In Missouri, local news reports say theft cases are being investigated in O'Fallon, Chesterfield, Richmond Heights, Des Peres, Town and Country, St. Charles, St. Peters, and St. Louis. All the customers who reported money missing shopped at Hancock Fabrics, according to reports.
Local law enforcement agents say the common denominator in all of these reported scams is Hancock Fabrics. Investigators believe the previous credit card readers at the stores may have been capturing account numbers and PINs. At least $3,000 was taken from two of the customers' bank accounts, according to police reports.
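The investigators' reasoning above, finding the one merchant that every reporting cardholder has in common, is what card issuers automate as common-point-of-purchase analysis. The Python below is an added example written for this post, not code from the article or from any bank or retailer named in it; the card tokens, merchant names and dates are constructed, and "FabricStore" is a placeholder standing in for the retailer.

```python
from collections import defaultdict
from typing import NamedTuple


class Purchase(NamedTuple):
    card: str       # tokenized card id (constructed; never a real PAN)
    merchant: str
    day: str        # ISO date of the point-of-sale transaction


class MerchantScore(NamedTuple):
    merchant: str
    fraud_cards_seen: int   # how many of the reporting cards shopped here
    fraud_share: float      # fraction of reporting cards that shopped here
    lift: float             # fraud_share divided by the same fraction over all cards


# Constructed sample history. "FabricStore" plays the role of the retailer the
# investigators identified as the common thread; the rest is ordinary spending
# that victims and non-victims share.
PURCHASES = [
    Purchase("card-1", "FabricStore", "2009-08-12"),
    Purchase("card-1", "Grocery", "2009-08-15"),
    Purchase("card-1", "GasStation", "2009-08-20"),
    Purchase("card-2", "FabricStore", "2009-09-03"),
    Purchase("card-2", "Grocery", "2009-09-05"),
    Purchase("card-3", "FabricStore", "2009-09-20"),
    Purchase("card-3", "Pharmacy", "2009-09-22"),
    Purchase("card-4", "FabricStore", "2009-08-28"),
    Purchase("card-4", "Grocery", "2009-09-01"),
    Purchase("card-4", "GasStation", "2009-09-02"),
    Purchase("card-5", "Grocery", "2009-09-04"),
    Purchase("card-5", "GasStation", "2009-09-06"),
    Purchase("card-6", "Grocery", "2009-09-07"),
    Purchase("card-6", "Pharmacy", "2009-09-08"),
    Purchase("card-7", "GasStation", "2009-09-09"),
    Purchase("card-8", "Grocery", "2009-09-10"),
    Purchase("card-8", "FabricStore", "2009-09-10"),   # shopped there, not (yet) cashed out
]

# Cards whose holders reported unauthorized ATM withdrawals (constructed).
FRAUD_CARDS = {"card-1", "card-2", "card-3", "card-4"}


def common_point_of_purchase(purchases, fraud_cards, min_fraud_cards=2):
    """Rank merchants by how strongly they are associated with the reporting cards.

    A merchant everyone uses (a grocery chain) shows up on most victim cards but
    also on most non-victim cards, so its lift is about 1.0. A compromised reader
    shows up on nearly every victim card and comparatively few others.
    """
    cards_at = defaultdict(set)
    all_cards = set()
    for p in purchases:
        cards_at[p.merchant].add(p.card)
        all_cards.add(p.card)
    scores = []
    for merchant, cards in cards_at.items():
        hit = cards & fraud_cards
        if len(hit) < min_fraud_cards:      # one victim is coincidence, not a pattern
            continue
        fraud_share = len(hit) / len(fraud_cards)
        baseline = len(cards) / len(all_cards)
        scores.append(MerchantScore(merchant, len(hit), fraud_share, fraud_share / baseline))
    scores.sort(key=lambda s: (s.lift, s.fraud_cards_seen), reverse=True)
    return scores


def exposure_window(purchases, fraud_cards, merchant):
    """Earliest and latest dates on which reporting cards were used at `merchant`.

    This bounds the period during which the reader was likely compromised.
    """
    days = sorted(p.day for p in purchases
                  if p.merchant == merchant and p.card in fraud_cards)
    return (days[0], days[-1]) if days else None


def cards_to_reissue(purchases, merchant, window):
    """Every card used at `merchant` inside the window, victim or not.

    Cards that have not been cashed out yet are still exposed and should be
    reissued before the thieves get to them.
    """
    first, last = window
    return sorted({p.card for p in purchases
                   if p.merchant == merchant and first <= p.day <= last})


if __name__ == "__main__":
    for s in common_point_of_purchase(PURCHASES, FRAUD_CARDS):
        print(f"{s.merchant:12s} victims={s.fraud_cards_seen} share={s.fraud_share:.2f} lift={s.lift:.2f}")
    top = common_point_of_purchase(PURCHASES, FRAUD_CARDS)[0].merchant
    window = exposure_window(PURCHASES, FRAUD_CARDS, top)
    print("exposure window:", window)
    print("reissue:", cards_to_reissue(PURCHASES, top, window))
```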
Another in a Line of Breaches
This year's most noted breach is Heartland Payment Systems, which reportedly involves 130 million compromised accounts.
Other companies have been breached and credit card and debit card information taken, such as this summer's announcement by the Radisson hotel chain that a breach had occurred, and an undetermined amount of data was taken.
The Payment Card Industry Security Standards Council released a resource this past summer to help merchants and other companies better recognize and understand the inherent vulnerabilities in the use of point of sale terminals and terminal infrastructure.
CA, WI and MO Investigators Say Recent Thefts Tied to Retailer's Transactions
Linda McGlasson, Managing Editor
November 23, 2009
ATM Fraud: 7 Growing Threats to Financial Institutions
Skimming, Ram Raids Target Consumers and Their Cash
Linda McGlasson, Managing Editor
June 8, 2009
The Heartland Payment Systems (HPY) data breach may be the fraud story of the year (so far), but ATM and debit card thefts are growing steadily and frighteningly at financial institutions.
Witness the recent announcement by law enforcement in New York City that a criminal gang had stolen $500,000 from hundreds of customers' bank accounts via skimming devices that read and stored account information at Sovereign Bank branches in Staten Island. The gang installed cameras on the machines, catching victims typing in their PINs. They also used the captured information to clone the cards, according to police.
A recent survey by security vendor Actimize shows that almost 70 percent of financial institutions experienced an increase in ATM/debit card fraud claims in 2008 compared to 2007. Twenty-three percent of respondents say those claims jumped by 5 to 9 percent, while the rest noted growth of anywhere between 10 and 74 percent. These numbers are only expected to grow in 2009, as a result of the recession.
Half of the institutions surveyed say they were hit with fraud complaints that came out of some of the major data breaches, with more than 30 percent saying they had seen fraud incidents as a result of the TJX hack, and 30 percent cited the Heartland hack.
Approximately 80 percent of the survey respondents say the big data breaches can decrease consumer confidence in ATM/debit card use. About 15 percent say they have reissued cards to more than 20 percent of their cardholder customers. In 2008, the financial institutions surveyed lost an average of $744,321 -- with some as high as $12 million -- to ATM fraud alone, and an average of $145,560, or as high as $1 million, to data breaches.
ATM Fraud Trends
The reason that criminals target ATMs is simple. "Criminals like cards and PINs. It is much easier to cash them out, rather than to hire a mule or repackager with stolen credit cards," says fraud expert Mike Urban, Senior Director of Fraud Solutions at Fair Isaac. If the magnetic stripe data and PIN are available, it is easy money for the criminal to get the cash out of the ATM. "There is no fence, no making an authentic card to use at a retailer," he says. While this crime is much harder to perpetrate, criminals prefer it over other types of credit card fraud, such as signature-based fraud.
Here are the top ATM/debit card fraud trends:
#1. Skimming -- The upswing in skimming at institutions has caught fraud experts' attention. "A higher percentage of criminals are going straight to a bank and installing a PIN pad overlay and card reader," Urban says. "This is where the transaction goes through, and the customer doesn't realize that their ATM card or debit card has been compromised. I've seen a steady increase over the last couple years on this type of fraud."
#2. Ghost ATMs -- There are also the "Ghost ATMs," where the entire ATM card reader is blocked off and customers can't perform a transaction. "The customer swipes their card, enters their PIN, and then the fake ATM says it can't complete the transaction," Urban explains. Several of these ghost ATMs popped up on the east coast four years ago. One arrest was made in those cases, he notes.
#3. Ram Raids -- Criminals continue to target ATMs in various ways, with "ram" raids happening more often in the US. Ram raids are perpetrated when criminals physically break out ATMs from the wall at the institution. In Texas, the number of ram raids has spurred institutions to partner with law enforcement, and a task force has been formed to fight the raiders. "The opportunity that some non-hardened criminals see is an exterior ATM that can be pulled out, loaded with thousands of dollars," Urban says. "So in terms of crimes of opportunity, people feeling desperate will attempt this crime."
#4. PIN IDs -- Another trend Urban sees is criminals testing systems to identify PINs. In one technique, the criminal captures the magnetic stripe data from a retailer, then goes to an online banking site with a script that tries several well-known PINs and runs it against the site until it gets a match.
#5. Automated PIN Changes -- Another trend Urban sees is criminals going through the financial institution's telephone banking service to change PINs. "They will use the ANI to change the information on the phone they're calling out from to appear like they are calling from the consumer's phone," Urban notes. If they can find the basic information on the cardholder (name, card account number, last four digits of the Social Security number), they take that information to the call center and change the PIN over the phone. "Thus, while more time-consuming, the overhead cost is cut to near nothing other than their own work to deceive the bank call center," Urban says. Then, with the changed PIN, the criminals drain the account. "The easier it is for the consumer to change their account, those are the financial institutions that will be targeted," Urban says.
#6. SMS attacks -- "Smishing" is the attack that comes through the Short Message Service (SMS), or text, venue onto a smart phone or a cell phone. Urban has personally seen three examples come through in the last month from institutions he has no affiliation with, asking him for his account number and PIN. Where the criminals are able to get the information from the customer, they then clone the ATM or debit card and use it to withdraw cash.
The bank or credit union, if it is not checking the CVV value, the full name or the expiration date, and just accepts the card transaction, will be hit with counterfeit cards made from data taken in this type of attack. These "smishing" attacks hit several Midwest institutions in 2008.
#7. Malware -- Security researchers say they have found malware code that lets a criminal take control over ATMs. SpiderLabs, the forensics and research arm of TrustWave, found a Trojan family of malware that infected 20 ATMs in Eastern Europe. The researchers warn that the malware may be headed toward US banks and credit unions, as well as other parts of the world. The malware lets criminals take over the ATM to steal data, PINs and cash.
That report from SpiderLabs isn't the only malware found. Sophos researchers said in March that they had found a Trojan specifically designed to steal information from Diebold ATM users, and that it had infected several ATMs in Russia. SpiderLabs researchers explain that the Trojan collects magnetic stripe data and PINs from the private memory space of the transaction application on the Windows XP-based ATM. Researchers found it came with its own management function that allows the attacker to take over the ATM through a custom interface, which the attacker activates by inserting a controller card into the ATM card reader. Both research teams say they expect the Trojans they discovered to evolve and spread, infecting more ATMs. Trustwave recommends that all financial institutions with ATMs perform analysis to identify whether this malware or similar malware is present.
ATM Fraud: New Skimming Scheme Hits Banks
Tenn. Incidents Part of Growing International Wave
Linda McGlasson, Managing Editor
November 16, 2009
A series of skimming crimes that hit the Nashville, TN area recently is but one of many ATM fraud schemes preying upon financial institutions and their customers.
Nashville police reported last week that they were investigating an ATM card skimming scheme in which at least 600 individuals were potential victims. Investigators say five Bank of America ATMs were hit, as well as an unknown number of US Bank machines. A total of 60 people had fraudulent withdrawals from their accounts of anywhere from $100 to $5,000. Investigators suspect that the skimming schemers have now moved on to other cities.
The problem is not isolated to Nashville, says Terrie Ipson, fraud expert at Diebold, an ATM manufacturer. "No one vendor or ATM type is more susceptible over another," Ipson says, "so everyone needs to be aware of this threat."
Ipson notes that a report from the ATM Industry Association (ATMIA) earlier this summer shows the growing nature of the international threat of card skimming. Among recent incidents:
• In Las Vegas, 75 skimming attacks were reported over a three-month period, as compared to previous rates of 2-3 incidents per year.
• In Sydney, Australia, the New South Wales Fraud Squad reported 60 skimming attacks in the first four months of 2009, with a spokesman saying the devices used are "becoming smaller, more sophisticated and capable of storing more data."
• In California, investigators reported that skimmers and card duplicators could be bought from overseas sellers on the Internet for a few thousand dollars.
Card skimming is not new. Early forms of skimming devices, and even dummy ATMs installed in empty shop fronts, were used to capture card information in the 1990s. What has changed is the scale and geographical spread of such attacks, Ipson says.
The ATMIA recommends these steps to help prevent ATM fraud:
• Build awareness among customers, branch employees and ATM service teams to help detect devices added to ATM exteriors. Visual clues include tape residue near or on a card reader that would show a skimming device had been placed on the ATM.
• Chip-based cards house data on microchips instead of magnetic stripes, making data more difficult to steal and cards more difficult to reproduce.
• Contactless cards, out-of-band authentication using cell phones and biometric readers are all new authentication technologies that can be used as alternate methods for conducting secure ATM transactions.
• Alert systems monitor routine patterns of withdrawals and notify operators or financial institutions in the event of suspicious activity.
"There is no single silver bullet that will solve ATM skimming," Ipson says. "Skimming continues to be an emerging threat. The criminals are investing lots of money to develop these devices, [and] consumers can be fooled into thinking they are legitimate."
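The alert systems in the ATMIA list above watch for withdrawal patterns that do not match routine use; one such pattern, visible in the skimming cases described on this page, is a batch of cloned cards being cashed out at a single machine within minutes. The Python below is an added example for this post, not a product of ATMIA, Diebold or any bank named here; the log format, ATM ids, card tokens and thresholds are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Withdrawal(NamedTuple):
    ts: datetime
    card: str    # tokenized card id (constructed; never a real PAN)
    atm: str
    amount: int


class BurstAlert(NamedTuple):
    atm: str
    start: datetime
    end: datetime
    cards: tuple   # distinct cards cashed out inside the window
    total: int


# Constructed sample log: one ATM being cashed out at night with cloned cards,
# one ATM in ordinary daytime use. Format: <ISO timestamp> <card> <atm> <amount>.
SAMPLE_LOG = """\
# constructed withdrawal log for 2009-10-17
2009-10-17T01:02:10 card-0151 ATM-NY-22 500
2009-10-17T01:03:40 card-0151 ATM-NY-22 500
2009-10-17T01:04:55 card-0152 ATM-NY-22 500
2009-10-17T01:07:30 card-0153 ATM-NY-22 500
2009-10-17T01:09:12 card-0154 ATM-NY-22 500
2009-10-17T01:11:48 card-0155 ATM-NY-22 500
2009-10-17T09:30:00 card-0201 ATM-NY-07 60
2009-10-17T12:15:00 card-0202 ATM-NY-07 100
2009-10-17T12:40:00 card-0203 ATM-NY-07 300
2009-10-17T13:00:00 card-0204 ATM-NY-07 200
2009-10-17T13:05:00 card-0205 ATM-NY-07 20
2009-10-17T16:10:00 card-0206 ATM-NY-07 400
"""


def parse_withdrawals(text):
    """Parse the constructed log format into Withdrawal records, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, card, atm, amount = line.split()
        events.append(Withdrawal(datetime.fromisoformat(ts), card, atm, int(amount)))
    return sorted(events)


def cashout_bursts(events, window=timedelta(minutes=20), min_cards=4, min_amount=200):
    """Flag an ATM when at least `min_cards` distinct cards each take out
    `min_amount` or more within `window`.

    Routine traffic at one machine is a trickle of different cards making
    mixed-size withdrawals spread over the day. A batch of cloned cards being
    cashed out is many cards, maximum-size withdrawals, minutes apart. The same
    card withdrawing twice counts once, so one customer hitting the daily limit
    in two pulls does not trip the rule. One alert per ATM, covering the widest
    run of cards seen in any window.
    """
    by_atm = defaultdict(list)
    for e in events:
        if e.amount >= min_amount:
            by_atm[e.atm].append(e)
    alerts = []
    for atm, evs in by_atm.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide the window forward
                start += 1
            run = evs[start:end + 1]
            cards = {e.card for e in run}
            if len(cards) >= min_cards:
                cand = BurstAlert(atm, run[0].ts, run[-1].ts, tuple(sorted(cards)),
                                  sum(e.amount for e in run))
                if best is None or len(cand.cards) > len(best.cards):
                    best = cand
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in cashout_bursts(parse_withdrawals(SAMPLE_LOG)):
        print(f"{a.atm}: {len(a.cards)} cards, ${a.total} between "
              f"{a.start:%H:%M:%S} and {a.end:%H:%M:%S}")
```

With the constructed log this reports ATM-NY-22 only; the daytime machine never has more than two large withdrawals from distinct cards inside any 20-minute window.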
FTC warns firms, organizations of widespread data breach
Mon Feb 22, 4:35 PM
WASHINGTON (AFP) - The US Federal Trade Commission (FTC) said Monday it has notified nearly 100 companies and organizations of data breaches involving personal information about customers or employees.
The FTC declined to identify the companies or organizations involved, but said they were both "private and public entities, including schools and local governments."
The companies and organizations ranged in size from "businesses with as few as eight employees to publicly held corporations employing tens of thousands," the FTC said in a statement.
It said sensitive data about customers and employees had been shared from the computer networks of the companies and organizations and made available on Internet peer-to-peer (P2P) file-sharing networks.
The information was accessible to "any users of those networks, who could use it to commit identity theft or fraud," the FTC said.
"Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers' sensitive information at risk," FTC chairman Jon Leibowitz said.
"For example, we found health-related information, financial records, and drivers' license and social security numbers -- the kind of information that could lead to identity theft," Leibowitz said.
"Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure," he said.
"Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing," he added.
P2P file-sharing software is used in a variety of ways including for playing games, making online telephone calls or sharing music, video and documents.
The FTC, in the notification letters to the companies and organizations, urged them to review their security practices "to ensure that they are reasonable, appropriate, and in compliance with the law."
"It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers," the letters stated.