Monday, January 30, 2006
Rhode Island site hacked; hackers access credit card data
By Linda Rosencrance at ComputerWorld
Hackers broke into the official Rhode Island state government Web site, www.ri.gov, late last month and stole 4,117 credit card numbers, according to New England Interactive Inc. (NEI), the company that manages the site. NEI is a subsidiary of Olathe, Kan.-based e-government provider NIC Inc.
“We discovered the breach on Dec. 28,” said NIC spokesman Chris Neff. “It was due to an error in a line of software code that our local office in Rhode Island that manages the state’s portal [NEI] had written. So we immediately closed that breach, fixed that error and initiated a deeper investigation, including a follow-up security scan of the entire site.”
According to Neff, NEI at first thought that only eight credit cards had been compromised. “We immediately contacted the Rhode Island CIO and the Secret Service and the credit card-issuing companies to flag those accounts so they could be monitored for possible fraudulent activity,” Neff said.
After further analysis, however, NEI discovered that 4,117 credit card numbers were actually involved. “At that point, we went through the notification process again with the Rhode Island CIO, Secret Service [and the] credit card companies,” he said. “Now we’re collaborating with the state, the credit card companies [and] the Secret Service working on several solutions. We’re working toward contacting those card holders and working toward providing some additional services to them [like] credit monitoring and credit rehabilitation for people who were harmed ... as a result of this. And we’re working with the state on the security – they’ve hired an external security firm, we have done the same, to assess the state’s security measures and ensure that everything is up to par going forward.”
According to a statement from NIC today, the stolen credit card numbers were used in transactions with government agencies between Dec. 31, 2004, and March 8, 2005. NIC recommended that anyone who used credit card information on the Rhode Island Web site contact their credit card companies and request that their accounts be monitored for fraudulent activity.
A check of the state site indicates that consumers can conduct a variety of transactions online using a credit card, including renewing fishing and boating licenses, obtaining driving records and renewing vehicle registrations that have been temporarily suspended.
NIC realized that more than eight credit cards might have been compromised last week, when it learned of information on a Russian-language Web site that appeared to discuss the hacking. NEI worked to cross-reference details on the Russian site against information it already had and on Thursday notified NIC, the state CIO, law enforcement officials and credit card companies that additional credit cards were involved in the hacking. That’s when the company found that 4,117 credit card numbers had been stolen.
“NIC takes security matters very seriously,” Harry Herington, chief operating officer of NIC, said in the statement. “We take responsibility for this incident and acted immediately to correct the breach upon discovering it. We will continue to work with Rhode Island state officials, law enforcement and the credit card companies to resolve this issue.”
But in a letter to Augusta, Maine-based NEI, attorneys for the state indicated that Rhode Island officials learned of the breach only last week.
“[NEI] has so far provided incomplete and conflicting responses to the state’s efforts to obtain accurate information regarding the size, nature and reason [of the breach]. This is unacceptable and has unnecessarily led to confusion and concern among users of the RI.gov Web site,” said James DeGraw, an attorney at Boston-based Ropes & Gray LLP.
The state called on NEI to do the following:
Immediately stop processing credit card transactions through the RI.gov Web site until state officials are sure the site is secure.
Hire an outside security consultant to determine whether there are any other vulnerabilities in the site or in NEI’s data-handling procedures and immediately correct them.
Identify all consumers whose credit card or other personal data may have been compromised.
Establish a way for those consumers to find out whether their data was compromised and provide a comprehensive credit card replacement, credit monitoring and credit rehabilitation program to anyone affected.
Neff said NIC is now drafting a written response to the state’s demands and plans to comply with all of the demands.
A spokesman for Rhode Island’s governor could not be reached for comment.
Friday, January 27, 2006
Data Breaches
Data Breach Table
Date | Organization | Breach Type | Users Affected
01.26.2006 | Providence Home Services | Media Loss | 365,000
01.26.2006 | Ameriprise Financial Inc. | Laptop | 226,000
01.11.2006 | People's Bank | Media Loss | 90,000
01.10.2006 | Atlantis Resort | Data Breach | 55,000
01.01.2006 | Squirrel Hill Family Medicine | Data Breach | 700
12.28.2005 | Marriott International Inc. | Media Loss | 206,000
12.26.2005 | BancorpSouth | Data Breach | 6,500
12.23.2005 | Ford Motor Co. | Media Loss | 70,000
12.19.2005 | Guidance Software | Data Breach | 3,800
12.16.2005 | LaSalle Bank | Media Loss | 2,000,000
12.14.2005 | Sam's Club | Data Breach | 600
12.03.2005 | University of San Diego | Data Breach | 7,800
12.02.2005 | Cornell University | Data Breach | 900
11.28.2005 | Scottrade | Data Breach | 1,300,000
11.21.2005 | Boeing | Laptop | 161,000
11.16.2005 | Dept of Defense Anaheim | Data Breach | N-A
11.09.2005 | TransUnion LLC | Data Breach | 3,000
11.07.2005 | National Institutes of Health | Data Breach | 140
11.05.2005 | Safeway Inc | Laptop | N-A
11.04.2005 | Oregon DMV | Laptop | 500,000
11.01.2005 | UT Medical Center | Laptop | 3,800
10.26.2005 | Wisconsin's Child Prot Services | Media Loss | 45
10.21.2005 | Georgia State Gov. | Data Breach | 465,000
10.15.2005 | Montclair State Univ. | Data Breach | 9,100
09.29.2005 | Univ. of Georgia | Data Breach | 1,600+
09.28.2005 | RBC Dain Rauscher | Data Breach | 100+
09.23.2005 | Bank of America | Laptop | N-A
09.22.2005 | City University of New York | Data Breach | 350
09.19.2005 | Children's Health, San Jose, CA | Media Loss | 5,000+
09.17.2005 | North Fork Bank, NY | Laptop | 9,000
09.16.2005 | ChoicePoint | Data Breach | 9,903
09.15.2005 | Miami Univ. | Data Breach | 21,762
09.10.2005 | Kent State Univ. | Media Loss | 100,000
08.30.2005 | CSU, Chancellor's Office | Data Breach | 154
08.30.2005 | J.P. Morgan, Dallas | Laptop | N-A
08.27.2005 | UF, Health Sciences-ChartOne | Laptop | 3,851
08.22.2005 | Air Force | Data Breach | 33,300
08.19.2005 | Univ. of Colorado | Data Breach | 49,000
08.17.2005 | CSU, Stanislaus | Data Breach | 900
08.10.2005 | Univ. of North Texas | Data Breach | 39,000
08.09.2005 | Univ. of Utah | Data Breach | 100,000
08.09.2005 | Sonoma State Univ. | Data Breach | 61,709
08.02.2005 | Univ. of Colorado | Data Breach | 36,000
07.31.2005 | Cal Poly-Pomona | Data Breach | 31,077
07.30.2005 | CSU, Dominguez Hills | Data Breach | 9,613
07.30.2005 | San Diego Co Retirement Assc | Data Breach | 33,000
07.21.2005 | Univ. of Colorado-Boulder | Data Breach | 42,000
07.19.2005 | Univ. of Southern Calif. | Data Breach | 270,000
07.07.2005 | Mich. State Univ. | Data Breach | 27,000
07.06.2005 | City National Bank | Media Loss | N-A
07.01.2005 | Univ. of CA, San Diego | Data Breach | 33,00
06.30.2005 | Ohio State Univ. Med. Ctr. | Laptop | 15,000
06.29.2005 | Bank of America | Laptop | 18,000
06.28.2005 | Lucas City Children Svs (OH) | Data Breach | 900
06.25.2005 | Univ. of CT (UCONN) | Data Breach | 72,000
06.22.2005 | East Carolina Univ. | Data Breach | 250
06.22.2005 | Eastman Kodak | Laptop | 5,800
06.18.2005 | Univ. of Hawaii | Data Breach | 150,000
06.17.2005 | Kent State Univ. | Laptop | 1,400
06.16.2005 | CardSystems | Data Breach | 40,000,000
06.10.2005 | Fed. Deposit Insurance Corp. | Not disclosed | 6,000
06.06.2005 | CitiFinancial | Media Loss | 3,900,000
05.30.2005 | Motorola | Media Loss | N-A
05.28.2005 | Merlin Data Services | Data Breach | 9,000
05.27.2005 | Cleveland State Univ. | Laptop | 44,420
05.26.2005 | Duke Univ. | Data Breach | 5,500
05.20.2005 | Purdue Univ. | Data Breach | 11,000
05.19.2005 | Valdosta State Univ., GA | Data Breach | 40,000
05.18.2005 | Univ. of Iowa | Data Breach | 30,000
05.18.2005 | Jackson Comm. College, MI | Data Breach | 8,000
05.16.2005 | Westborough Bank | Data Breach | 750
05.12.2005 | Hinsdale Central High School | Data Breach | 2,400
05.11.2005 | Stanford Univ. | Data Breach | 9,900
05.07.2005 | Dept. of Justice | Laptop | 80,000
05.05.2005 | Purdue Univ. | Data Breach | 11,360
05.04.2005 | Colorado Health Dept. | Laptop | 1,600+
05.02.2005 | Time Warner | Media Loss | 600,000
04.29.2005 | Oklahoma State Univ. | Laptop | 37,000
04.28.2005 | Wachovia, Bank of America, PNC Financial Services Group and Commerce Bancorp | Data Breach | 676,000
04.28.2005 | Georgia Southern Univ. | Data Breach | 10,000's
04.26.2005 | Christus St. Joseph's Hospital | Media Loss | 19,000
04.26.2005 | MSU Wharton Center | Data Breach | 40,000
04.21.2005 | Carnegie Mellon Univ. | Data Breach | 19,000
04.20.2005 | Ameritrade | Media Loss | 200,000
04.18.2005 | DSW-Retail Ventures | Data Breach | 1,300,000
04.15.2005 | CA Dept. of Health Services | Laptop | 21,600
04.14.2005 | Calif. Fastrack | Data Breach | 4,500
04.14.2005 | Polo Ralph Lauren-HSBC | Data Breach | 180,000
04.12.2005 | LexisNexis | Data Breach | 280,000
04.11.2005 | Tufts University | Data Breach | 106,000
04.08.2005 | San Jose Med. Group | Media Loss | 185,000
04.08.2005 | Eastern National | Data Breach | 15,000
04.05.2005 | MCI | Laptop | 16,500
04.05.2005 | Georgia DMV | Data Breach | 100,000's
03.28.2005 | Univ. of Chicago Hospital | Data Breach | N-A
03.23.2005 | Univ. of CA, San Francisco | Data Breach | 7,000
03.22.2005 | Calif. State Univ., Chico | Data Breach | 59,000
03.20.2005 | Northwestern Univ. | Data Breach | 21,000
03.20.2005 | Univ. of NV, Las Vegas | Data Breach | 5,000
03.12.2005 | NV Dept. of Motor Vehicle | Media Loss | 8,900
03.11.2005 | Boston College | Data Breach | 120,000
03.11.2005 | Univ. of CA, Berkeley | Laptop | 98,400
03.10.2005 | LexisNexis | Data Breach | 32,000
03.08.2005 | DSW-Retail Ventures | Data Breach | 100,000
02.25.2005 | PayMaxx | Data Breach | 25,000
02.25.2005 | Bank of America | Media Loss | 1,200,000
02.15.2005 | ChoicePoint | Data Breach | 145,000
Thursday, January 26, 2006
ChoicePoint fined $10M for security breach
By Jaikumar Vijayan with ComputerWorld
The U.S. Federal Trade Commission (FTC) has imposed a $10 million civil penalty against data aggregator ChoicePoint Inc. for a massive data security breach that resulted in the compromise of nearly 160,000 consumer records last year (see "ChoicePoint to tighten data access after ID theft").
In addition to the penalty, which FTC Chairman Deborah Platt Majoras described as the largest ever levied by the agency, ChoicePoint has been asked to set up a $5 million trust fund for individuals who might have become victims of identity theft as a result of the breach.
As part of its agreement with the FTC, Alpharetta, Ga.-based ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.
"This is an important victory for consumers," Majoras said. "This tells companies that they must protect sensitive consumer information. They must guard the front door as well as guard the back door against hackers."
ChoicePoint provides data to credit providers, government agencies, landlords and others who use personal information to process loans, leases and other contracts. In a statement today, Derek V. Smith, the company's chairman and CEO, said the incident "provided critical lessons from which ChoicePoint, and indeed the entire industry, has learned a great deal.
"The men and women of this company take nothing more seriously than their responsibility to safeguard consumer information and, as a direct result of those lessons learned, we have for the past several months been in the process of implementing nearly all the changes reflected into today's settlement," Smith said.
ChoicePoint publicly acknowledged the data theft last February, but the incident itself took place in the fall of 2004. At the time it made the breach public, ChoicePoint said the theft happened when "a small number of very well-organized criminals posed as legitimate companies to gain access to personal information about consumers."
It also said later that it was taking steps to better protect customer data, pointing to a "rigorous re-credentialing of broad categories of customer accounts" as well as changes including masking or truncating sensitive personal identifier information such as Social Security numbers and driver's license numbers.
The $10 million penalty is being levied for violations of the Fair Credit Reporting Act (FCRA), Majoras said. Though ChoicePoint collected and maintained billions of pieces of consumer data -- including consumer names, Social Security numbers, and bank and credit card information -- the company failed to implement reasonable procedures for protecting the data, she said.
In its decision, the FTC slammed ChoicePoint, saying that it did not have reasonable procedures in place to screen prospective subscribers and that it turned over sensitive personal information to subscribers whose applications raised obvious red flags. The FTC said ChoicePoint approved customers for its service who lied about their credentials and used commercial mail drops as business addresses. In addition, the applicants reportedly used fax machines at public commercial locations to send multiple applications for separate companies.
According to the FTC, ChoicePoint also failed to tighten its application approval procedures or monitor subscribers, even after it got subpoenas from law enforcement authorities alerting it to fraudulent activity that dated to 2001.
The agency also charged that ChoicePoint violated the FCRA by making false and misleading statements about its privacy policies.
Under the agreement with the FTC, ChoicePoint is barred from providing consumer reports to individuals and companies that cannot demonstrate a legitimate need for that information, Majoras said. To ensure compliance with that requirement, ChoicePoint will be required to certify the nature of the business of each of its subscribers and how the consumer information will be used, Majoras said.
ChoicePoint is also required to do site visits to authenticate its subscribers, except in cases where the company might have already done so. The company also must implement reasonable measures to ensure that its subscribers use consumer information in the manner they attest to in their applications, she said.
Until now, the largest civil penalty imposed by the FTC against a company was in March 2003, when the agency imposed a $7 million fine against Boston Scientific for anticompetitive practices.
FTC fines indicate tougher enforcement of Safeguards Rule
By Jaikumar Vijayan with ComputerWorld
The $10 million fine imposed today by the Federal Trade Commission on data aggregator ChoicePoint Inc. for a data security breach is yet another indication of the increasingly tough stance the agency is taking on companies that fail to adequately protect sensitive data, legal experts said.
And it's not just companies that suffer data breaches that should be concerned. Those companies that are unable to demonstrate due diligence when it comes to information security practices could also wind up in the FTC’s crosshairs, they added.
“There has been a definite change in the FTC’s handling and analysis of security breaches,” said Christopher Pierson, an attorney at Phoenix-based law firm Lewis and Roca LLP. “It appears that the FTC is not going to wait for federal [data security] legislation to come down the pipe and is instead going to take action using existing laws.”
“This is a seminal reaction regarding information security” by the FTC, said Christopher Ford, an attorney at Alston & Bird LLP in Washington. Future victims of identity theft are going to be able to point to this settlement and say, “Look, you owe me something,” Ford said. “I think it’s a pretty significant precedent that’s been set here.”
The FTC this morning announced that it has reached an agreement with Alpharetta, Ga.-based ChoicePoint in a data theft case that took place in the fall of 2004 (see “FTC imposes $10M fine against ChoicePoint for data breach”). At the time it made the breach public in February 2005, ChoicePoint said the theft happened when “a small number of very-well-organized criminals posed as legitimate companies to gain access to personal information about consumers.”
The breach resulted in the compromise of the financial records of more than 163,000 consumers in its databases, over 800 of whom have since become victims of identity theft.
“This is an important victory for consumers,” FTC Chairman Deborah Platt Majoras said today in announcing the fine.
Under the settlement announced today, ChoicePoint will pay a fine of $10 million for violating the Fair Credit Reporting Act (FCRA). That law requires companies that furnish credit histories to maintain reasonable procedures for authenticating the identities of those who receive data. The FCRA also requires companies to ensure that the data is used properly.
In addition to the penalty, the largest ever levied by the FTC, ChoicePoint has been asked to set up a $5 million trust fund for individuals who might have become victims of identity theft as a result of the breach. ChoicePoint will also have to submit to comprehensive security audits every two years through 2026.
ChoicePoint, in documents posted on its Web site today, listed a series of privacy enhancements it has implemented since news of the data breach broke last February. In an effort to restrict customer access to sensitive consumer data, the company discontinued selling products that contain personally identifiable information (PII) such as Social Security numbers and driver’s license numbers, the company said.
ChoicePoint said it no longer shares such information with customers, except in certain specific cases, such as when it provides authentication for another company’s data. ChoicePoint also established a centralized corporate credentialing center and strengthened credential procedures via multiple external verification sources. As of today, ChoicePoint has recredentialed over 80% of customers receiving sensitive PII, and it said it successfully completed 43 third-party security audits in 2005.
The FTC’s action continues a trend that began last year with similar settlements involving two other companies. In December 2005, the agency announced that Columbus, Ohio-based shoe retailer DSW Inc. had agreed to beef up its computer security to settle charges that it had not adequately protected sensitive customer data. As part of that agreement, DSW will have to submit to security audits every two years for the next 20 years.
In June 2005, Natick, Mass.-based BJ’s Wholesale Club Inc. reached a near identical consent decree with the FTC in a case involving the theft and fraudulent use of customers’ credit and debit cards.
The FTC appears to be willing to escalate enforcement action against such companies, said Michael Overly, an attorney at Foley & Lardner LLP in Los Angeles. “We knew something big was going to happen” after the DSW and BJ’s settlements, he said. “The agreement with ChoicePoint shows [FTC officials] have every intent of continuing with even more force this year.”
The important take-away for every company that handles personally identifiable information is that it is not just breaches alone that can trigger FTC action, Overly said. In the future, a failure to demonstrate adequate data safeguards could also make a company a target for FTC action.
For instance, companies that claim to provide adequate protection for consumer information in their privacy notices could get hit by the FTC for deceptive trade practices if they are unable to demonstrate such protections, Overly said.
One such case, according to Overly, is a 2003 incident involving online book retailer Barnes & Noble and New York State Attorney General Eliot Spitzer. In that case, Barnes & Noble agreed to pay a $60,000 fine and to set up a comprehensive security program with periodic audits to settle charges that the company was not adequately protecting consumer information -- even though no actual breach ever took place.
The $10 million fine imposed today by the Federal Trade Commission on data aggregator ChoicePoint Inc. for a data security breach is yet another indication of the increasingly tough stance the agency is taking on companies that fail to adequately protect sensitive data, legal experts said.
And it's not just companies that suffer data breaches that should be concerned. Those companies that are unable to demonstrate due diligence when it comes to information security practices could also wind up in the FTC’s crosshairs, they added.
“There has been a definite change in the FTC’s handling and analysis of security breaches,” said Christopher Pierson, an attorney at Phoenix-based law firm Lewis and Roca LLP. “It appears that the FTC is not going to wait for federal [data security] legislation to come down the pipe and is instead going to take action using existing laws.”
“This is a seminal reaction regarding information security” by the FTC, said Christopher Ford, an attorney at Alston & Bird LLP in Washington. Future victims of identity theft are going to be able to point to this settlement and say, “Look, you owe me something,” Ford said. “I think it’s a pretty significant precedent that’s been set here.”
Data on 365,000 patients stolen from health care firm
By Todd R. Weiss at ComputerWorld
About 365,000 hospice and home health care patients in Oregon and Washington are being notified about the theft of computer backup data disks and tapes late last month that included personal information and confidential medical records.
In an announcement yesterday, Providence Home Services, a division of Seattle-based Providence Health Systems, said the records and other data were on several disks and tapes stolen from the car of a Providence employee at his home. The incident was reported by the employee on Dec. 31, according to the health care system.
The tapes and disks were taken home by the employee as part of a backup protocol that sent them off-site to protect them against loss from fires or other disasters. That practice, which was only used by the home health care division of the hospital system, has since been stopped, said health system spokesman Gary Walker.
"This was only done in one area of the company," Walker said. "It did not involve the hospital’s database [of patients]....That one part of the company was sending data home off-site. But we should have reviewed the policy."
Walker said Thursday that the data on the tapes was encrypted, but today he corrected that information. Instead, some of the data on the tapes was password-protected at the application level, he said, while the rest of the data was stored in proprietary file formats without password-protection. "Our IT person and I ... miscommunicated about what is being done and what was being done."
The data on the disks, meanwhile, was in a proprietary file format that was not encrypted, but "is stored in a way that would make it difficult, if not impossible, for someone to access it, then make any sense out of it," he said.
From now on, all data will be made secure using additional technologies, according to Walker. "We are encrypting all the material we can encrypt now," as the health care system reviews all of its procedures and security, he said. "We are sorry that this happened and we don't want it to happen again."
Providence officials said there have been no reports that any of the stolen information has been used improperly since the incident.
Providence is notifying affected patients by mail about the theft. The information on the disks and tapes included names, addresses, dates of birth, physicians’ names, insurance data, diagnoses, prescriptions and some lab results. For approximately 250,000 of the patients, Social Security numbers were on the records, according to the health system. Some of the records also included patient financial information.
Rick Cagen, CEO of Providence's Portland service area, said new backup procedures are being implemented using more traditional IT means, including secure sites in remote locations for safety and redundancy. "We do have alternate practices now," Cagen said.
The four-week delay in publicly announcing the theft was needed so Providence officials could recreate the stolen data and identify the patients who needed to be contacted, he said. The delay was also caused in part by the large number of records that had to be processed, he said.
"We realize this is a major inconvenience and cause for real concern, and we deeply apologize to everyone affected by this incident," Cagen said. "Even though we have no indication that the thief has accessed the data, we are doing all we can to help our patients and employees protect their information."
The incident is the second data theft from a motor vehicle announced this week. Yesterday, Minneapolis-based financial services company Ameriprise Financial Inc. said it is notifying some 158,000 customers and 68,000 financial advisers that a laptop containing personal information about them -- including names, account numbers or Social Security numbers -- was stolen from a parked car late last month.
Ameriprise Loses Data on 230,000 Customers and Advisers
By ERIC DASH @ New York Times
Ameriprise Financial, the investment advisory unit spun off from American Express last year, said today that lists with the personal information of about 230,000 customers and financial advisers were potentially exposed to fraud.
The breach occurred in late December after a company laptop was stolen from an employee's car. It contained lists of reassigned customer accounts that were being stored unencrypted on a computer in violation of Ameriprise's rules.
The information on the laptop included the names and Social Security numbers of more than 70,000 current and former financial advisers and the names and internal account numbers of about 158,000 customers. The data was being stored in separate lists, but it is possible that there could be some overlap between the two.
Andy MacMillan, an Ameriprise spokesman, said that it was unlikely the thief knew that the customer and employee data were being stored on the laptop and the risk of "any data being used or discovered is very low." He said no other personal information was exposed.
Ameriprise is the latest company to acknowledge a security breach in a wave of incidents that have rocked the financial services industry. Some have occurred when cyberthieves broke into unprotected computer networks, like the one last June at CardSystems Solutions, a tiny credit card processing company, that left the personal account information of 40 million consumers exposed to fraud. Other breaches, like those at Citigroup and Bank of America, have occurred when the companies lost data tapes or the tapes fell off shipping company trucks.
Mr. MacMillan said that the laptop was protected by a password but that the data was being stored unencrypted in violation of company rules.
"This information should not have been removed from the corporate office without the security measures in place," he said. "This individual violated a few written company policies."
Ameriprise is taking steps to make sure its data protection policies and procedures are secure; the employee has been fired.
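Both the Providence and the Ameriprise stories above turn on the same distinction: a "password-protected" file or laptop only stops software that chooses to run the password check, while a thief reading the raw tape or disk never runs it. The following is an added example, not code from Providence Health Systems, Ameriprise or the articles; the patient records, the passphrase and the two container formats (an application-level password gate and an encrypt-then-MAC container) are constructed for the demonstration. It shows what a `strings`-style scan of the stolen medium recovers from each, and why only encryption at rest, with a key that is not on the medium, changes the answer.

```python
"""Application-level password gating versus encryption at rest.

Added example; not code from Providence Health Systems, Ameriprise or the
articles above. Records, passphrase and container layouts are constructed
for the demonstration.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
import struct

# Constructed sample records: fictitious patients, fictitious SSNs.
RECORDS = [
    "Jane Doe|1962-04-11|SSN=123-45-6789|Dx=hypertension",
    "John Roe|1975-09-30|SSN=987-65-4321|Dx=type 2 diabetes",
]
PASSPHRASE = "correct horse battery staple"  # assumed; real code reads it from a KMS or a prompt
KDF_ROUNDS = 100_000
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def scan_raw_bytes_for_ssns(blob: bytes) -> list[str]:
    """What a thief does with a stolen tape: search the raw bytes, `strings`-style.
    The application that wrote the file never runs, so its password check never runs."""
    return [m.decode() for m in SSN_RE.findall(blob)]


def app_level_protect(records: list[str], password: str) -> bytes:
    """'Password-protected at the application level': a password verifier sits in the
    header and honest software refuses to open the file without the password,
    but the payload itself is written in the clear."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)
    return b"APPLOCK1" + salt + verifier + "\n".join(records).encode()


def app_level_open(blob: bytes, password: str) -> list[str]:
    """The only 'protection' is this check, which an attacker's tools simply skip."""
    salt, verifier = blob[8:24], blob[24:56]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)
    if not hmac.compare_digest(candidate, verifier):
        raise PermissionError("wrong password")
    return blob[56:].decode().split("\n")


def _derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and MAC keys from one passphrase (PBKDF2-HMAC-SHA256)."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream with HMAC-SHA256 as the PRF. Standard library only so the
    demo runs offline; in production use a vetted AEAD such as AES-GCM instead."""
    blocks = (length + 31) // 32
    stream = b"".join(
        hmac.new(key, nonce + struct.pack(">Q", ctr), "sha256").digest() for ctr in range(blocks)
    )
    return stream[:length]


def encrypt_at_rest(records: list[str], passphrase: str) -> bytes:
    """Encrypt-then-MAC container: header | salt | nonce | ciphertext | tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    plaintext = "\n".join(records).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return b"ENCREST1" + salt + nonce + ciphertext + tag


def decrypt_at_rest(blob: bytes, passphrase: str) -> list[str]:
    """Verify the tag before touching the ciphertext; a wrong passphrase or any tampering fails."""
    salt, nonce, ciphertext, tag = blob[8:24], blob[24:40], blob[40:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong passphrase or modified data")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return plaintext.decode().split("\n")


if __name__ == "__main__":
    gated = app_level_protect(RECORDS, PASSPHRASE)
    sealed = encrypt_at_rest(RECORDS, PASSPHRASE)
    print("SSNs recoverable from 'password-protected' file:", scan_raw_bytes_for_ssns(gated))
    print("SSNs recoverable from encrypted file:", scan_raw_bytes_for_ssns(sealed))
    print("Legitimate decrypt round-trips:", decrypt_at_rest(sealed, PASSPHRASE) == RECORDS)
```

The scan is the check worth running before any tape or laptop leaves the building: if PII is recoverable from the raw bytes without the application, the "password protection" and the "proprietary format" cited in both stories are not controls. The same applies to a laptop login password, which gates the operating system but not the disk.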
Thursday, January 12, 2006
Communication key during security breach management
By Jaikumar Vijayan at ComputerWorld
Effective communication can help companies limit the damage to their reputations and the loss of business that can result from security breaches in which customers' personal data is exposed.
That was one of the findings from an e-mail survey of more than 1,100 individuals who identified themselves as being victims of security breaches. The survey was conducted during the summer by the Tucson, Ariz.-based Ponemon Institute, and the results were released last week.
Nearly 20% of the respondents said they had terminated their relationships with the companies that lost their data, while another 40% said they might do so, according to Larry Ponemon, the institute's founder. But the fact that almost 12% of the respondents said that their confidence in the companies had actually increased after they were notified of security breaches points to the value of good communication, he added.
[Chart: Trust Better. Survey respondents who said a security breach had decreased their trust and confidence in the affected organization. Base: 1,109 U.S. residents.]
Companies that are straightforward in disclosing what they know about breaches are likely to see far fewer customer defections than businesses that are evasive about the details, Ponemon said.
The form that the notification takes also appears to influence customers. For instance, standard form letters and e-mail messages are viewed far more skeptically than personalized letters and phone calls, Ponemon said.
David Bender, co-chairman of the privacy practice at New York-based law firm White & Case LLP, the sponsor of the survey, said that although it's reasonable to expect some customers to give up on a company after it suffers a well-publicized breach, the percentages in the survey were a surprise to him.
"No one expects the consequences will be good," Bender said. But, he added, it is unclear "just how serious the ramifications can be."
The extent of the fallout also depends on the type of organization that loses the data, said Christopher Pierson, a lawyer at Lewis and Roca LLP in Phoenix. Bank customers, for example, can take their business elsewhere. But the same isn't always true for, say, college students or patients of health care providers, he said.
Wednesday, January 11, 2006
The Human Security Vulnerability
By Douglas Schweitzer at ComputerWorld
So, you have the best firewall, intrusion-detection and antivirus systems technology has to offer. Yet, despite your Fort Knox approach, you're still hit with security breaches and the occasional malware du jour. One reason for this may be the lack of motivation by your workers. Unlike owners, they don't have a direct interest in the success of the company. Or do they? How far are they willing to go to ensure corporate success?
Usually, not very. In fact, in most cases, they don't put much additional effort into executing their duties -- just enough to get the work done and retain their jobs. According to Ken Shaurette, information security solutions manager at MPC Technology Solutions, however, "a too-often overlooked way to improve these attitudes is to include information security in the job descriptions of employees." When your organization makes security awareness and policy compliance mandatory, the apathetic trend can be reversed.
When management requires security policy compliance to be a key part of an employee's job, interest is generated. An added benefit is that security becomes part of the corporate culture. With performance reviews (hence, possible raises) looming periodically, employees are more apt to fit compliance into their daily routine. Knowing that they're being graded encourages employees to comply with policies.
Shaurette encourages employers to include a wider cross section of employees in the interview portion of security assessment and in compliance reviews. These additional personnel will automatically gain a better awareness of security issues simply as a result of their exposure to security professionals. Not only will they add their input as to what data should be gathered for analysis, but they'll also come away with a better appreciation of the need for assessments. When they're a part of the compliance review, employees "will get a sense of ownership of the final results from the assessment," says Shaurette.
Inclusion alone won't always solve employee-apathy problems, however. Here are some other ways to reduce security risks created by employees who just don't care.
Monitoring. One solution that maybe isn't palatable but certainly is effective is employee usage monitoring. Tracking employee PC use can result in negative repercussions for the company, but it's one sure way to establish control over the network. Monitoring needs to be carried out in such a way that employee dignity is protected -- a daunting task because few tools are available to automate the process. "Doing the monitoring can become a very heavy administrative burden or require many application modifications that are often not even possible because applications are vendor-maintained," says Shaurette.
Restricted access. Limiting or retracting network access can also reduce (if not prevent) the impact of employee apathy, according to Simon Heron, managing director of Network Box. With the IT manager in control, "signatures for antivirus and antispam can be pushed to the gateway and to the desktop from central company servers," says Heron. The manager is in control of downloading the signatures, and the manufacturer can push software updates onto the gateway to ensure that it's up to date. "This means that the apathetic employee can't get in the way of updating their systems; it takes them out of the equation," says Heron.
Unified threat management. Heron points out, however, that limiting access may not prevent infections altogether. Therefore, many organizations are turning to unified threat management systems. Deploying this type of technology restricts employee access to the Internet for browsing and using e-mail and instant messaging applications.
Endpoint security. It's important to realize that careless use of endpoint devices like laptops and handhelds is one of the biggest causes of compromised security. Recent surveys have found that -- because of outright ignorance of or, even worse, apathy toward security -- roughly a third of users don't even bother using password protection on their devices. This, of course, leaves data vulnerable to hackers and other opportunists, especially if the devices are lost or stolen. Moreover, remote users and mobile workers have been known to pick up viruses and worms on the road, then infect the corporate network when they return to the office.
It's imperative that endpoint devices be checked for compliance with your network security policy. Mandate that all endpoint devices have the latest patches and antivirus software. In addition, your policy should restrict the use of file-sharing and peer-to-peer applications and require certain operating system, browser and application security settings.
The Atlantis Resort Database compromised with 55,000 guest records
By James Niccolai with IDG News Service
Travelers who stayed at the upmarket Atlantis Resort in the Bahamas should keep a close eye on their bank statements in the months ahead. The hotel has acknowledged an apparent database break-in in which personal information for 55,000 guests may have been stolen, including credit card and bank account numbers.
The resort said it is notifying affected customers in writing so that they can "take steps to protect themselves from possible identity fraud."
Kerzner International Ltd., which operates the 2,000-room "ocean-themed" resort on Paradise Island, reported the theft last week in a U.S. regulatory filing. An internal investigation revealed that the information had been stolen from a database of Atlantis customers.
The company said it couldn't discuss the matter further because the break-in is the subject of a criminal investigation.
The information stolen includes names, addresses, credit card numbers, Social Security numbers, driver's license numbers and bank account numbers. Approximately 55,000 customers may have been affected, the resort company said.
Kerzner is offering affected customers a free credit-monitoring service for one year. It hired an outside security company to help resolve the incident and has notified law enforcement officials in the Bahamas and the U.S., who are helping investigate.
As of today, the resort had no evidence that the stolen information had been used for fraud or identity theft, said Kerzner spokeswoman Lauren Snyder.
The authorities investigating the matter include the FBI and the U.S. Department of Justice, she said.
Labels: The Atlantis Resort
People's Bank loses personal data on 90,000 customers
By Stephen Lawson at IDG News Service
A computer tape from a Connecticut bank containing personal data on 90,000 customers was lost in transit recently, the bank reported today.
People's Bank, based in Bridgeport, Conn., is sending letters to the affected customers, it said in a statement. The tape contains information such as names, addresses, Social Security numbers and checking account numbers. It was bound for the TransUnion LLC credit reporting bureau, based in Woodlyn, Pa., via United Parcel Service of America Inc., the bank said.
UPS is investigating the incident along with all involved parties, said UPS spokeswoman Heather Robinson. She would not disclose when the package was lost.
The bank has not received any reports of unauthorized activity on the affected accounts and has no reason to believe the data has been improperly used, according to People's statement. The bank considers misuse of the data "highly unlikely." UPS also has no evidence that the package was compromised, stolen or received by an unauthorized person, according to Robinson.
Loss and theft of personal data has taken on a high profile since the theft of data on 145,000 consumers from credit and personal information vendor ChoicePoint Inc. in February 2005. Since that time, there have been dozens of reported cases of loss or theft of personal information involving more than 52 million people, according to a chronology compiled by the Privacy Rights Clearinghouse in San Diego. Among them was the loss of a computer backup tape from Bank of America Corp. containing information on 1.2 million customers, according to the privacy rights group.
There isn't enough information on the People's Bank tape to allow anyone to get into a customer's account, according to the bank. It does not contain checking account balances, debit card numbers, personal identification numbers or birth dates, the statement said. In addition, the tape can't be read without a mainframe and software, according to the bank.
The data on the tape involves customers that have a People's Bank personal credit line, an overdraft protection mechanism for checking accounts. As a safeguard, the bank will provide affected customers with a credit monitoring service for one year, at the bank's expense, to quickly alert customers to possible fraud involving their personal information.
Labels: People's Bank
Tuesday, January 10, 2006
TransUnion computer with sensitive data stolen
By Jaikumar Vijayan at ComputerWorld
TransUnion LLC, one of the three major credit reporting companies in the U.S., today confirmed that a desktop computer containing the Social Security numbers and other sensitive information belonging to more than 3,600 consumers was stolen from one of its facilities in October.
The theft prompted the company to notify them of the breach on Oct. 21 and offer free credit monitoring services for a year.
In a statement, TransUnion said that a “small” TransUnion sales office in California was burglarized in early October. “One of the items stolen during the incident was a password-protected desktop computer, which may have contained some personal [credit] information on approximately 3,600 consumers,” the company said.
TransUnion notified local law enforcement authorities of the break-in and has assembled its own team to investigate the incident.
Since then, the credit reporting agency has been monitoring the credit reports of the affected consumers. “At this point, we do not believe there is any indication of any fraudulent activity,” it said.
However, the implications of the reported breach could go beyond the customers whose data was stolen if information stored on the missing desktop enables access to databases holding information on other consumers, said Prat Moghe, CEO of Tizor Systems Inc., a Maynard, Mass.-based vendor of activity auditing tools.
TransUnion, along with Experian North America Inc. and Equifax Credit Information Services Inc., maintains credit histories on U.S. consumers that are used by lenders and other businesses for a variety of purposes.
The TransUnion breach is the latest in a series of high-profile data compromises this year involving companies such as ChoicePoint Inc., Bank of America Corp., DSW Inc., Reed Elsevier Inc.’s LexisNexis unit, Card Systems Inc. and several universities.
The rash of disclosures has raised consumer concerns about identity theft and prompted federal lawmakers to propose several new regulations.
Just last week, for instance, a subcommittee of the House Energy and Commerce Committee approved a bill that would require companies to notify consumers when their information is stolen. It would also require information brokers to tell the Federal Trade Commission about their plans for safeguarding private data for monitoring and periodic review.
If approved, the bill would override state laws such as California’s much-touted SB 1386 Database Breach Notification Act and would serve as a national breach notification law. The proposed measure, however, requires companies to inform consumers of data breaches only if there is a “significant risk” of fraud.
That clause could provide a big loophole for companies and possibly result in incidents such as the one involving TransUnion to go unreported in the future, warned Alan Paller, director of the SANS Institute, a security research and training firm in Bethesda, Md.
“I believe that 98% of the time companies are not going to disclose breaches” if the law goes into effect, Paller said. “Only 2% are going to be good citizens and report breaches” even if there is nothing to suggest imminent fraud, he added.
Labels: Transunion LLC
Monday, January 09, 2006
Illinois, Louisiana and New Jersey enact Data Breach Laws
By Jaikumar Vijayan at ComputerWorld
Companies struggling to keep up with a patchwork of state laws related to data privacy and information security have three more to contend with, as a result of new security-breach notification laws that went into effect in Illinois, Louisiana and New Jersey on Jan. 1.
Like existing statutes in more than 20 other states, the new laws prescribe various actions that companies are required to take in the event of a security breach involving the compromise of personal data about their customers.
For instance, New Jersey's Identity Theft Prevention Act requires businesses to destroy all customer data that's no longer needed and to notify consumers when sensitive data about them has been accessed by an unauthorized person. The law also limits the use of Social Security numbers on all items that are sent via postal mail.
Louisiana's Database Security Breach Notification Law requires entities that collect information on the state's residents to notify affected individuals of security breaches involving their confidential data. Government officials also need to be notified, according to the law. Illinois' Personal Information Protection Act is similar, although it doesn't require companies to inform the state government when breaches occur.
For companies that do business nationally or in various states, the smorgasbord of state laws poses a growing problem, because the measures often specify different triggers for notifications and set varying requirements on what needs to be disclosed, to whom and when, said Kirk Herath, chief privacy officer at Nationwide Mutual Insurance Co. in Columbus, Ohio.
In addition, some states require companies to provide credit-monitoring services to affected customers, whereas others don't, Herath said. And not all of the states offer safe-harbor provisions that exempt companies that encrypt data from their laws, he said.
Seeking Consistency
"What I would prefer to see is something that would be uniform and preemptive [of state laws]," Herath said. "Otherwise, you have a very inconsistent application of the law, with some states requiring you to do nothing [and] some hammering you to the point of being unfair."
"We're hoping a federal law will help clarify the situation," said the director of information security at a specialty retail chain based in California.
Until that comes to pass, the retailer plans to continue to use the SB 1386 breach-disclosure law that went into effect in California more than two years ago as a "baseline" for developing its security incident response and notification strategy, said the director, who asked not to be identified.
The retail chain also plans to develop an information grid that will help it quickly go through a checklist of requirements for each state in case it triggers a notification statute. Nationwide already has such a grid, according to Herath.
"What the situation is crying out for is a federal version of the state laws," said Arshad Noor, CEO of StrongAuth Inc., a compliance and identity management services firm in Sunnyvale, Calif. But such a law would have to be at least as strong as the existing state regulations are for it to win approval from federal legislators, Noor said.
Sunday, January 08, 2006
Laws, Breaches Lend Urgency to Retail Security
By Jaikumar Vijayan at ComputerWorld
Growing privacy concerns and emerging laws governing the use of sensitive personal information are increasing the pressure on retailers to make sure that their data security practices are rock-solid, according to IT managers at a conference here last week.
They added that an inability to demonstrate due diligence on security could expose companies to serious reputational damage, financial losses and increased customer churn.
Brian Kilcourse, a former retail industry CIO who is now a consultant at Retail Systems Alert Group Inc. in Newton, Mass., said a survey of 71 retailers conducted by the firm last summer showed that companies are increasingly associating demographic information and transaction-level data with customer profiles.
Kilcourse said that while many retailers have assigned responsibility for ensuring the security and integrity of that data, the information often isn't encrypted, and queries aren't well controlled. Similarly, companies aren't always capturing forensic data about the creation of customer information and its retrieval by end users, added Kilcourse, whose firm organized last week's Retail Data Security Forum.
Demand for ROI
Within information security organizations, there's a broad understanding of what needs to be done to fix such issues, said the IT security director at a major franchise chain based in the Midwest.
"The problem is the executive sponsorship," said the security director, who requested anonymity. Although the series of high-profile data compromises that have come to light this year have raised overall awareness of the stakes involved, there still is an unwillingness to invest in security projects "without a clear, demonstrable ROI," he said.
Even so, retailers overall have done a relatively decent job of protecting consumer data, said Bob Belair, a partner at Washington-based law firm Oldaker, Biden & Belair LLP. Going forward, the key is for companies to be able to prove that they have invested an appropriate amount of time and resources in securing their data, he said.
That means having a formal information security plan spelling out protections that are commensurate with the sensitivity of the data at risk, according to Belair. He advised that such a plan also has to be dynamic so companies can respond to changing security threats. In addition, it should include processes for periodic security reviews and audits, and for training workers who handle consumer data, he said.
"If you do all these things and a hacker still breaks in, chances are you aren't liable, because you've acted in a reasonable manner that met the relevant metrics," Belair said.
The director of information security at a California-based specialty retailer with about 400 stores said that distinguishing between sensitive information that's covered by regulatory requirements and confidential data, such as information about intellectual property, is critical to the process of identifying the key data assets that need to be protected.
The security director, who asked not to be identified, said his company is working to encrypt all of the regulated data on its networks via a system that's based on public-key infrastructure technology.
Michele DeMaree, president of DeMaree Consulting Inc. in Colorado Springs, said it's also important to form cross-functional teams, develop a process for assessing risks by measuring the frequency of policy violations against customer data and other information, and educate business managers about the risks to their data.
Saturday, January 07, 2006
Price of Security Breaches...
By Mark Hall at ComputerWorld
...reaches nearly $14 million per incident. That's according to a study conducted by Ponemon Institute LLC for PGP Corp., a security software vendor in Palo Alto, Calif. Just another vendor-sponsored report slanted to back up breathless marketing claims? Perhaps. But Larry Ponemon, chairman of his namesake institute, got a firsthand look at 14 companies that made the news this year for losing customer data. Ponemon did individual audits to learn the direct costs borne by the affected companies (such as attorneys' fees and the cost of mailings and calls to affected customers), plus indirect expenses like lost productivity and opportunity costs (such as the long-term revenue hit from customers taking their business elsewhere). Andrew Krcik, PGP's marketing vice president, says he understands that people may quibble about the details of the indirect expenses, but he adds that the $69.8 million in direct costs paid by the 14 surveyed companies ought to be a wake-up call. As a marketer, Krcik thinks the most worrisome finding from the study was that the participating companies lost 2.6% of their customers on average after suffering data breaches. "Do you know how expensive it is to acquire new customers?" he asks. "A lot."
Friday, January 06, 2006
Retailers Storing Customer Card Data
By Jaikumar Vijayan at ComputerWorld
Recent data compromises, such as one involving the Sam's Club wholesale chain, highlight the challenges that credit card companies face in enforcing the security standards that went into effect last July for all businesses processing credit transactions.
Sam's Club, a division of Wal-Mart Stores Inc., said in a statement issued this month that it was investigating a security breach that had exposed credit card data belonging to an unspecified number of customers who purchased gas at the company's stations between Sept. 21 and Oct. 2.
Beyond saying that its internal systems and databases weren't compromised, Sam's Club didn't elaborate on how the card information was accessed. Last week, company officials didn't respond to repeated requests for comment.
But Corinne Sherman, vice president of card services at the Pennsylvania Credit Union Association in Harrisburg, said that based on alerts from MasterCard International Inc. and Visa U.S.A. Inc., Sam's Club appears to have been storing customer and account information from both tracks of the magnetic stripe on the back of cards. That information could be used by data thieves to create counterfeit cards that could then be used to commit fraud, Sherman said.
Especially troubling is the fact that a very large number of merchants still appear to be capturing and storing the full magnetic stripe information off credit and debit cards even though doing so violates the new Payment Card Industry (PCI) security standards, said Ann Davidson, payment systems risk manager at CUNA Mutual Group, a Madison, Wis.-based company that provides insurance and financial services to credit unions.
Of the more than 300 fraud alerts that MasterCard and Visa have each issued this year, the majority involved cases where magnetic stripe information was stored after a transaction, Davidson said.
"This is in direct violation of card association rules," Davidson said. "I would love to know why merchants are doing this." She added that CUNA Mutual has had several meetings with MasterCard and Visa to discuss the data storage issue.
In April, the insurer filed a lawsuit against BJ's Wholesale Club Inc. seeking to recover losses incurred as a result of a security breach that compromised 40,000 credit and debit cards. The lawsuit, which BJ's is contesting, alleges that the retailer stored account and customer information in violation of MasterCard's and Visa's regulations.
Many of the problems stem from the older point-of-sale systems that some merchants use to process card transactions, said Michael Petitti, a senior vice president at Ambiron TrustWave, a Chicago-based provider of security and PCI compliance services to the credit card industry. The POS systems often capture information that the merchants operating them don't even know about, Petitti said.
Under the PCI standards, all companies that accept credit cards must comply with 12 security requirements, such as encrypting transmissions of cardholder data, periodically running network scans, using logical and physical access controls, and doing activity monitoring and logging.
But there continues to be a lot of confusion about the steps needed to fulfill the requirements, the validation processes and the consequences for failing to meet the mandates, said Avivah Litan, an analyst at Gartner Inc.
"None of it is very clear at all, and it's proving to be very frustrating for the merchants," Litan said. "The card associations are just not set up to deal with what they have started." But she added that based on information from some of Gartner's clients, there are indications that the card associations and the banks that authorize merchants to process card transactions will start cracking down next year.
Incidents such as the one at Sam's Club are also a test of just how far Visa and MasterCard are willing to go to enforce the penalties associated with noncompliance, particularly when dealing with large merchants, said an internal financial analyst at a New York-based insurer.
"This opens up some questions on how objectively they will deal with this issue," said the analyst, who requested anonymity. "Will they pay favorable attention to large retailers like Wal-Mart but be willing in a split second to cut off the mom-and-pop liquor store?"
MasterCard and Visa didn't respond to numerous requests for comment last week.
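The storage problem Sherman and Davidson describe is detectable after the fact: full track data has fixed framing (ISO 7813 sentinels and field separators), so a merchant can scan POS logs, temp files and dumps for it. The Go scanner below is an added example, not code from the article or from any vendor it names; the log lines, cardholder name and PANs are constructed test values.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Full magnetic stripe data has fixed framing (ISO 7813):
//   track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
//   track 2: ;<PAN>=<YYMM><service code><discretionary data>?
// PCI forbids storing either after authorization, so the sentinels are a
// reliable signature for a storage scan.
var (
	track1Re = regexp.MustCompile(`%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?`)
	track2Re = regexp.MustCompile(`;(\d{13,19})=(\d{4})(\d{3})[^?]*\?`)
)

// Finding records one occurrence of full track data in a storage artifact.
type Finding struct {
	Line  int    // 1-based line number in the artifact
	Track int    // 1 or 2
	PAN   string // masked: first six and last four digits only
}

// luhnValid rejects digit runs that merely look like a PAN; a real PAN passes
// the Luhn checksum, which cuts false positives from reference numbers.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// maskPAN keeps the finding useful for triage without copying the PAN into
// yet another file.
func maskPAN(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// ScanForTrackData returns every line of a log or dump that still holds full
// track 1 or track 2 data with a Luhn-valid PAN.
func ScanForTrackData(artifact string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(artifact, "\n") {
		for _, m := range track1Re.FindAllStringSubmatch(line, -1) {
			if luhnValid(m[1]) {
				findings = append(findings, Finding{Line: i + 1, Track: 1, PAN: maskPAN(m[1])})
			}
		}
		for _, m := range track2Re.FindAllStringSubmatch(line, -1) {
			if luhnValid(m[1]) {
				findings = append(findings, Finding{Line: i + 1, Track: 2, PAN: maskPAN(m[1])})
			}
		}
	}
	return findings
}

// SampleLog is a constructed pump-controller debug log. Line 1 is fine (PAN
// already truncated); lines 2 and 4 leak full track data; line 5 has the
// framing but a PAN that fails Luhn, so it is not reported.
const SampleLog = `2005-09-21 08:14:02 pump=3 auth=APPROVED pan=411111******1111 amt=38.50
2005-09-21 08:14:02 pump=3 raw=%B4111111111111111^DOE/JANE^0812101000000000?;4111111111111111=08121010000000000?
2005-09-21 08:15:11 pump=5 auth=DECLINED pan=555555******4444 amt=12.00
2005-09-21 08:15:11 pump=5 raw=;5555555555554444=09051011234567890?
2005-09-21 08:16:40 pump=1 ref=;1234567890123456=0701123? (not a card number)`

func main() {
	for _, f := range ScanForTrackData(SampleLog) {
		fmt.Printf("line %d: full track %d data, PAN %s\n", f.Line, f.Track, f.PAN)
	}
}
```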
Labels: Sam's Club
Everyone is affected by a data breach
By Tony Kontzer at Information Week
The oft-forgotten element of the endless procession of consumer data breaches is how companies manage the aftermath. It's an undertaking that can be summed by two words: Damage control. And one company that found itself on the wrong end of a breach last month--Marriott Corp.--is only getting half of the effort right.
In the case of customers whose data is known to have been compromised, the choices are relatively simple. The companies in question have to do everything in their power to communicate with those customers, keeping them in the loop about efforts to plug the holes and find the data, and helping them deal with the consequences. Where things are a bit more complicated is with customers whose data appear to have been unaffected.
Marriott's timeshare unit--which lost backup tapes containing customer records late last month--has handled the first group adequately by doing things such as offering free credit-monitoring services for a year. But when it comes to the second group, Marriott is providing exhibit A of how not to put that segment at ease.
InformationWeek's cover story on this topic last week, "Sad State of Data Security," included some input from a Marriott Vacation Club International customer, Vic Christensen, owner of a Marriott timeshare unit, who said he'd have a hard time trusting the company again, even if it proclaimed his data safe. The fact that the company had said on its Web site that only customers directly impacted by the loss of the tapes would be extended a year's worth of free credit monitoring services only braced Christensen to be doubly disappointed.
Lo and behold, he got an email from Marriott over the New Year weekend, affirming that his name, Social Security number and credit card information were not on the lost tapes, and that he'd be receiving an "unaffected owner" letter to that effect shortly. In other words, as far as Marriott was concerned, there was no reason for Christensen--and thousands of other "unaffected" customers--to give the matter another thought.
The problem is, Christensen is most definitely giving it another thought (and so are a lot of other customers, no doubt). In a subsequent e-mail exchange I had with him, Christensen made it clear that Marriott's declaration that his data was safe didn't make him feel any better. "My first two thoughts after reading this were, 'Yeah, right' and, 'And I should believe you because...?'" he wrote. "Maybe they're hoping people will just take their word for it and not cause any trouble."
That's certainly how it appears. And even if Marriott really does know definitively whose data was or wasn't on the tapes, and is right that a lot of "unaffected" customers won't cause any trouble, it's still the wrong approach.
I don't mean to be picking on Marriott. Certainly they're not the first company to handle a data breach in this manner, and they won't be the last. But Christensen's response speaks volumes about why companies that are compromised should reach out to all of their customers. It doesn't matter whose data is safe after the fact. What matters is that customer confidence is eroded, and that's what a company in Marriott's situation should be trying to repair above all else.
Thursday, January 05, 2006
Sam's Club Data Theft
By Jaikumar Vijayan at ComputerWorld
A victim of the recent Sam's Club security breach suggested that fraudsters may have stolen credit card information by using illegal "card-skimming" devices attached to the pumps at the company's gas stations. The fraudulent activity may also have been going on for a longer period than that suggested by the wholesale giant, and it may affect thousands of people (see "Update: Security breach at Sam's Club exposes credit card data").
Sam's Club, a division of Bentonville, Ark.-based Wal-Mart Stores Inc., said in a brief Dec. 2 statement that it was investigating a security breach that had exposed the credit card data of an unspecified number of customers who bought fuel at its gas stations between Sept. 21 and Oct. 2. The company said it was alerted to the problem by credit card issuers whose customers were complaining of fraudulent charges on their statements.
Apart from saying that "electronic systems and databases used inside its stores" were not involved, Sam's Club officials have refused to disclose what happened. They have not returned repeated telephone calls for comment.
The breach prompted the Alabama Credit Union (ACU) to block and reissue debit cards to about 500 of its customers after it learned of the problem last week. The ACU was alerted to the breach by Credit Union National Association Inc., according to Kayce Bell, chief operating officer at the Tuscaloosa, Ala.-based credit union.
The fact that one institution alone had to block so many cards suggests that the breach may have affected a lot more than the 600 or so victims Sam's Club said it knows about, said Avivah Litan, an analyst at Gartner Inc. in Stamford, Conn.
In fact, ACU President Steve Swofford, in comments posted on the credit union's Web site, said that the breach affects "many, many cardholders, card issuers and financial institutions."
"We are certain, in the coming days, more card issuers and financial institutions will be contacting their cardholders to take similar action to prevent fraudulent transactions from occurring," Swofford said. "We're aware of at least one large financial institution in Alabama that has more than 4,000 cards affected, but they have made no public announcement yet."
Dan Zerkle, an employee at a large California software company who was a victim of the breach, told Computerworld via e-mail today that he believes thieves got his data by placing their own counterfeit card reader over the regular credit card reader on the gas pump. "I remember the credit card reader looking different," he said. "Unfortunately, I realized what this meant after I discovered the fraudulent charges."
Zerkle said he suspects his card information was stolen from the gas station at a Sam's Club store in Roseville, Calif., on either Nov. 2 or Nov. 17 -- more than a month after Sam's Club said the breaches took place -- and was used to make fraudulent purchases on Nov. 21. "[The] thieves bought some jewelry at a shop in Sweden with a fake card that had my number on it," he said.
Although the activity drained his checking account, Zerkle said he has since been reimbursed for the fraudulent charges by his bank, Wells Fargo & Co. After realizing that the theft had occurred, Zerkle said he filed a report with local police, and spoke with U.S. Secret Service agents and an automated teller machine fraud investigator at Wells Fargo.
If card skimmers were used to steal credit card data, Sam's Club is only the latest victim of an increasingly prevalent form of credit card fraud. "Gas-pump skimming has become the largest fraud problem for a lot of card issuers," Litan said.
Illegal card-reading devices are increasingly being used to intercept and record data stored on the magnetic stripes of credit cards when people use the cards to buy gas, Litan said. The skimming devices, which have very small footprints, are sometimes linked to the internal wiring of gas pumps; at other times, they are placed externally on top of the regular card readers, where they are hard to notice, she said.
Getting internal access to multiple gas pumps is often not hard because one key can sometimes be used to open numerous pumps made by the same manufacturer, Litan said. "All you need is one disgruntled employee" to compromise a number of systems, she said.
Labels: Sam's Club
Wednesday, January 04, 2006
Storage and Transportation critical for Information Security Procedures
By Gary H. Anthes at ComputerWorld
Moving magnetic tapes in and out of storage would seem to be the most mundane of IT functions. Indeed, companies have traditionally seen the transportation and storage of backup media as so routine that they have relegated it to non-IT personnel such as couriers or outsourced the job entirely. But that's changing now, following a rash of high-profile horror stories involving lost data that have been compounded by legislatures and courts that no longer buy the "the dog ate my tapes" excuses.
In February, Bank of America Corp. lost a tape with credit card information on 1.2 million customers. In April, Ameritrade Holding Corp. told 200,000 current and past customers that a tape containing confidential account information had been lost or destroyed in transit. Time Warner Inc. reported in May that 40 tapes containing personal data on 600,000 current and former employees had been lost en route to a storage facility. In June, Citigroup Inc. said that a box of tapes holding personal information on 3.9 million customers had disappeared on the way to a credit bureau.
And sometimes tapes go missing inside a company's four walls. In March, a Florida judge hearing a $2.7 billion lawsuit by financier Ronald Perelman against Morgan Stanley issued an "adverse inference order" against the company for "willful and gross abuse of its discovery obligations."
The judge cited Morgan Stanley for repeatedly finding misplaced tapes of e-mail messages long after the company had claimed that it had turned over all such tapes to the court.
In theory, there are straightforward ways to avoid these costly and embarrassing mishaps. But those measures, such as data encryption and backing up to remote sites via secure networks, have serious drawbacks, so it's likely that trucks full of tapes holding sensitive information will be roaming the roads for years to come.
Risk Is Never Zero
Driven in part by regulatory requirements, Xcel Energy Inc. in Minneapolis backs up data to tape "in terabytes per week," according to Mike Carlson, vice president of business transfer and customer value. The tapes are taken off-site and stored by Iron Mountain Inc., a Boston-based records management and storage company.
Asked if his company is taking any special steps as a result of the recent highly publicized tape mishaps -- Iron Mountain acknowledged that it lost the Time Warner tapes -- Carlson says, "We are actively working with them to ensure that it's not a systematic glitch that puts us at risk." Nevertheless, there will always be some risk of human error, he says.
Iron Mountain performs at a 99.999% level of reliability in its media transportation and storage operations, says Ken Rubin, executive vice president for marketing. "Over the past 50 years, we have honed a chain of custody and inventory control process," he says. "We have basically automated out of the process nearly all of the exposure to human error, but not 100% of it."
A tape goes through several distinct phases as it moves between Iron Mountain and a customer, and each step is recorded via bar-code scans, Rubin says. There are other protections as well, such as special security systems and alarms in the company's trucks. Iron Mountain recently completed an audit of all its facilities and processes and pulled from service a few trucks that failed inspection, Rubin says.
Iron Mountain offers service-level agreements, such as one that guarantees times for returning a tape requested by a customer. But the company follows the standard industry practice of limiting its liability to the value of the physical media in its possession, not the content of the media. "The fees that Iron Mountain and all the vendors charge -- basically pennies per tape per month -- are nowhere near what would be required to take on any more liability than just for the media," Rubin says. Customers could buy separate insurance for content, but few do, he adds.
Rubin says the "best and most practical" way to protect confidentiality is to encrypt sensitive data before it's written to tape. And, he advises, "make sure that your methodology for moving tapes off-site has the best chain-of-custody processes imaginable."
Carlson says he has looked into Iron Mountain's Electronic Vaulting service, by which backup data is automatically encrypted and sent over a network to Iron Mountain. But the service isn't cost-effective for the very large amounts of data Xcel Energy backs up, he says. Iron Mountain agrees that the service isn't practical for large backup needs.
Carlson says it's faster and cheaper to ship large amounts of data on tape via air or truck than it is to transmit it electronically. IBM runs a disaster recovery center on the East Coast for Xcel that would require eight hours to bring online. That's easily enough time to fly tapes there from Xcel's Colorado data center or from Iron Mountain, Carlson says.
Last year, nearly three quarters of 388 companies polled by Enterprise Strategy Group Inc. (ESG) in Milford, Mass., said they infrequently or never encrypt backup data written to tape.
In a report, ESG said it was surprised to learn that government agencies and big financial services companies are among the organizations least likely to employ backup encryption. "Bank of America did not encrypt its backup tapes and thus suffered an operations and public relations debacle, the costs of which may ultimately far exceed the cost and operational overhead of encrypting its backups," the research firm said.
Neglecting Storage Security
According to ESG, companies spend far more on network perimeter security than on storage security. But the report said that "the onslaught of publicly reported security breaches and impending legislation will cause a profound change in security investment priorities."
According to Steve Kenniston, vice president for corporate strategy at Iron Mountain, encrypting backup data takes time, and with an explosion in data at most companies, the time windows for backups are already squeezed. Although encryption offers better data security, he says, it may adversely affect data protection -- that is, making sure backup data is available quickly and easily for recovery purposes.
Kenniston urges his customers to consider classifying data according to its function and sensitivity. For example, the most sensitive data, such as payroll records, might be encrypted and/or electronically vaulted, whereas other data might not justify the cost of those measures. But this kind of data discrimination isn't something IT shops have typically done as part of their backup processes, he says.
Rent-A-Center Inc., a Plano, Texas-based chain of 3,000 consumer-goods rental stores, produces 30 to 40 unencrypted backup tapes every day and turns them over to Iron Mountain. The company is now implementing a "stem-to-stern encryption process" based on 128-bit keys and hash signatures, which can be used to reveal whether the contents have been altered, says K.C. Condit, director of technical services.
"There is some overhead with encryption," which is why the company hasn't done it until now, says Condit. "There have been some technology concerns and some people concerns as well. But we are getting to the point that you really can't afford not to do it."
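The "stem-to-stern" scheme Condit describes, 128-bit keys plus a signature that reveals alteration, can be shown with AES-128-GCM, which encrypts the backup image and authenticates it in one pass before the tape leaves the building. This Go example is added here and is not Rent-A-Center's or Iron Mountain's code; the key, tape label and backup image are constructed placeholders, and the restore path also illustrates Kenniston's caveat that recovery depends on the key being available.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// TapeRecord is what is actually written to the cartridge. The key itself is
// never on the tape: only a key version, so the matching key can be located
// in the on-site key store at restore time.
type TapeRecord struct {
	KeyVersion uint32 // which key in the key store sealed this record
	Label      string // cartridge or job label, authenticated but not secret
	Nonce      []byte // 96-bit random GCM nonce, unique per record
	Sealed     []byte // ciphertext with the 16-byte GCM tag appended
}

// header returns the bytes bound to the record as additional authenticated
// data: any change to the key version or label makes the tag check fail.
func (r *TapeRecord) header() []byte {
	b := make([]byte, 4, 4+len(r.Label))
	binary.BigEndian.PutUint32(b, r.KeyVersion)
	return append(b, r.Label...)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 16 {
		return nil, errors.New("AES-128 needs a 16-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForTape encrypts a backup image with AES-128-GCM before it leaves the
// data center. The GCM tag plays the role of the "hash signature": it reveals
// any alteration of the ciphertext, the label or the key version.
func SealForTape(key []byte, keyVersion uint32, label string, image []byte) (*TapeRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	rec := &TapeRecord{KeyVersion: keyVersion, Label: label, Nonce: make([]byte, gcm.NonceSize())}
	if _, err := rand.Read(rec.Nonce); err != nil {
		return nil, err
	}
	rec.Sealed = gcm.Seal(nil, rec.Nonce, image, rec.header())
	return rec, nil
}

// RestoreFromTape decrypts a record and verifies its tag. It fails closed: a
// tampered tape, a swapped label or the wrong key all yield an error and no
// plaintext. The flip side is the availability concern the article raises:
// without the key (and a tested restore procedure) the backup is unrecoverable.
func RestoreFromTape(key []byte, rec *TapeRecord) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	image, err := gcm.Open(nil, rec.Nonce, rec.Sealed, rec.header())
	if err != nil {
		return nil, fmt.Errorf("tape %q (key v%d): integrity check failed: %w", rec.Label, rec.KeyVersion, err)
	}
	return image, nil
}

func main() {
	// Constructed demo key and image; a real key would come from a key store.
	key := []byte("0123456789abcdef")
	image := []byte("constructed backup image: payroll 2005-12")

	rec, err := SealForTape(key, 7, "TAPE-0042", image)
	if err != nil {
		panic(err)
	}
	if got, err := RestoreFromTape(key, rec); err == nil {
		fmt.Printf("restore ok: %s\n", got)
	}

	rec.Sealed[0] ^= 0x01 // simulate a single altered bit on the cartridge
	if _, err := RestoreFromTape(key, rec); err != nil {
		fmt.Println("altered tape rejected:", err)
	}
}
```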
Meanwhile, Prince William County in Virginia is scrapping its tape backup system in favor of backing up data to disk over a secure network to a remote site owned by the county. CIO Masood Noorbakhsh says the goals are to decrease the time it takes to run backups and restores and to increase security. Because it's a private network, it won't be necessary to encrypt the data in transit, he says.
Church Mutual Insurance Co. in Merrill, Wis., produces about 10 backup tapes per day, and its employees move them to the basement of a bank two miles away. Using a company such as Iron Mountain would offer some advantages, says CIO Christopher Graham, but it would cost more.
Church Mutual typifies the many companies that have yet to join the embarrassed ranks of Bank of America, Time Warner, Ameritrade and Citigroup. "Management right now thinks that what we have in place is adequate," Graham says. "Nothing bad has happened yet, so why spend more money?"
Moving magnetic tapes in and out of storage would seem to be the most mundane of IT functions. Indeed, companies have traditionally seen the transportation and storage of backup media as so routine that they have relegated it to non-IT personnel such as couriers or outsourced the job entirely. But that's changing now, following a rash of high-profile horror stories involving lost data that have been compounded by legislatures and courts that no longer buy the "the dog ate my tapes" excuses.
In February, Bank of America Corp. lost a tape with credit card information on 1.2 million customers. In April, Ameritrade Holding Corp. told 200,000 current and past customers that a tape containing confidential account information had been lost or destroyed in transit. Time Warner Inc. reported in May that 40 tapes containing personal data on 600,000 current and former employees had been lost en route to a storage facility. In June, Citigroup Inc. said that a box of tapes holding personal information on 3.9 million customers had disappeared on the way to a credit bureau.
And sometimes tapes go missing inside a company's four walls. In March, a Florida judge hearing a $2.7 billion lawsuit by financier Ronald Perelman against Morgan Stanley issued an "adverse inference order" against the company for "willful and gross abuse of its discovery obligations."
The judge cited Morgan Stanley for repeatedly finding misplaced tapes of e-mail messages long after the company had claimed that it had turned over all such tapes to the court.
In theory, there are straightforward ways to avoid these costly and embarrassing mishaps. But those measures, such as data encryption and backing up to remote sites via secure networks, have serious drawbacks, so it's likely that trucks full of tapes holding sensitive information will be roaming the roads for years to come.
Risk Is Never Zero
Driven in part by regulatory requirements, Xcel Energy Inc. in Minneapolis backs up data to tape "in terabytes per week," according to Mike Carlson, vice president of business transfer and customer value. The tapes are taken off-site and stored by Iron Mountain Inc., a Boston-based records management and storage company.
Asked if his company is taking any special steps as a result of the recent highly publicized tape mishaps -- Iron Mountain acknowledged that it lost the Time Warner tapes -- Carlson says, "We are actively working with them to ensure that it's not a systematic glitch that puts us at risk." Nevertheless, there will always be some risk of human error, he says.
Iron Mountain performs at a 99.999% level of reliability in its media transportation and storage operations, says Ken Rubin, executive vice president for marketing. "Over the past 50 years, we have honed a chain of custody and inventory control process," he says. "We have basically automated out of the process nearly all of the exposure to human error, but not 100% of it."
A tape goes through several distinct phases as it moves between Iron Mountain and a customer, and each step is recorded via bar-code scans, Rubin says. There are other protections as well, such as special security systems and alarms in the company's trucks. Iron Mountain recently completed an audit of all its facilities and processes and pulled from service a few trucks that failed inspection, Rubin says.
Iron Mountain offers service-level agreements, such as one that guarantees times for returning a tape requested by a customer. But the company follows the standard industry practice of limiting its liability to the value of the physical media in its possession, not the content of the media. "The fees that Iron Mountain and all the vendors charge -- basically pennies per tape per month -- are nowhere near what would be required to take on any more liability than just for the media," Rubin says. Customers could buy separate insurance for content, but few do, he adds.
Rubin says the "best and most practical" way to protect confidentiality is to encrypt sensitive data before it's written to tape. And, he advises, "make sure that your methodology for moving tapes off-site has the best chain-of-custody processes imaginable."
Carlson says he has looked into Iron Mountain's Electronic Vaulting service, by which backup data is automatically encrypted and sent over a network to Iron Mountain. But the service isn't cost-effective for the very large amounts of data Xcel Energy backs up, he says. Iron Mountain agrees that the service isn't practical for large backup needs.
Carlson says it's faster and cheaper to ship large amounts of data on tape via air or truck than it is to transmit it electronically. IBM runs a disaster recovery center on the East Coast for Xcel that would require eight hours to bring online. That's easily enough time to fly tapes there from Xcel's Colorado data center or from Iron Mountain, Carlson says.
Last year, nearly three quarters of 388 companies polled by Enterprise Strategy Group Inc. (ESG) in Milford, Mass., said they infrequently or never encrypt backup data written to tape.
In a report, ESG said it was surprised to learn that government agencies and big financial services companies are among the organizations least likely to employ backup encryption. "Bank of America did not encrypt its backup tapes and thus suffered an operations and public relations debacle, the costs of which may ultimately far exceed the cost and operational overhead of encrypting its backups," the research firm said.
Neglecting Storage Security
According to ESG, companies spend far more on network perimeter security than on storage security. But the report said that "the onslaught of publicly reported security breaches and impending legislation will cause a profound change in security investment priorities."
According to Steve Kenniston, vice president for corporate strategy at Iron Mountain, encrypting backup data takes time, and with an explosion in data at most companies, the time windows for backups are already squeezed. Although encryption offers better data security, he says, it may adversely affect data protection -- that is, making sure backup data is available quickly and easily for recovery purposes.
Kenniston urges his customers to consider classifying data according to its function and sensitivity. For example, the most sensitive data, such as payroll records, might be encrypted and/or electronically vaulted, whereas other data might not justify the cost of those measures. But this kind of data discrimination isn't something IT shops have typically done as part of their backup processes, he says.
Rent-A-Center Inc., a Plano, Texas-based chain of 3,000 consumer-goods rental stores, produces 30 to 40 unencrypted backup tapes every day and turns them over to Iron Mountain. The company is now implementing a "stem-to-stern encryption process" based on 128-bit keys and hash signatures, which can be used to reveal whether the contents have been altered, says K.C. Condit, director of technical services.
"There is some overhead with encryption," which is why the company hasn't done it until now, says Condit. "There have been some technology concerns and some people concerns as well. But we are getting to the point that you really can't afford not to do it."
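The "encrypt with a 128-bit key plus a hash signature" approach described above, written out as an added example (not Rent-A-Center's or Iron Mountain's code): a backup image is AES-128-CTR encrypted and then covered by an HMAC-SHA256 tag, so a tape whose contents were altered in transit is rejected before anything is restored. The tape image layout, the label-based key split and the sample payroll record are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Tape image layout (constructed for this example):
//   [16-byte IV][AES-128-CTR ciphertext][32-byte HMAC-SHA256 tag over IV||ciphertext]
const (
	ivSize  = aes.BlockSize // 16 bytes
	tagSize = sha256.Size   // 32 bytes
)

// ErrTampered is returned when the tag does not match, i.e. the image was
// altered, truncated, or was produced under a different key.
var ErrTampered = errors.New("tape image failed integrity check")

// deriveKeys splits one 128-bit master key into a separate encryption key and
// MAC key with HMAC-SHA256 under fixed labels (a simple KDF assumed here).
func deriveKeys(master []byte) (encKey, macKey []byte) {
	h := hmac.New(sha256.New, master)
	h.Write([]byte("enc"))
	encKey = h.Sum(nil)[:16] // AES-128 key
	h = hmac.New(sha256.New, master)
	h.Write([]byte("mac"))
	macKey = h.Sum(nil)
	return encKey, macKey
}

// sealBackup encrypts plaintext and appends an integrity tag (encrypt-then-MAC).
func sealBackup(master, plaintext []byte) ([]byte, error) {
	if len(master) != 16 {
		return nil, errors.New("master key must be 128 bits")
	}
	encKey, macKey := deriveKeys(master)
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, ivSize+len(plaintext)+tagSize)
	iv := out[:ivSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil { // fresh IV per image
		return nil, err
	}
	cipher.NewCTR(block, iv).XORKeyStream(out[ivSize:ivSize+len(plaintext)], plaintext)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out[:ivSize+len(plaintext)]) // tag covers IV and ciphertext
	copy(out[ivSize+len(plaintext):], mac.Sum(nil))
	return out, nil
}

// openBackup verifies the tag first and only then decrypts; a CTR ciphertext
// with a flipped byte would otherwise decrypt silently to altered plaintext.
func openBackup(master, image []byte) ([]byte, error) {
	if len(master) != 16 {
		return nil, errors.New("master key must be 128 bits")
	}
	if len(image) < ivSize+tagSize {
		return nil, ErrTampered
	}
	encKey, macKey := deriveKeys(master)
	body, tag := image[:len(image)-tagSize], image[len(image)-tagSize:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time comparison
		return nil, ErrTampered
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(body)-ivSize)
	cipher.NewCTR(block, body[:ivSize]).XORKeyStream(plain, body[ivSize:])
	return plain, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit key
	record := []byte("payroll,2005-12,employee-0042,4200.00\n")
	image, _ := sealBackup(key, record)
	restored, err := openBackup(key, image)
	fmt.Println("intact image restores:", err == nil && bytes.Equal(restored, record))
	image[ivSize+3] ^= 0x01 // simulate one altered byte on the tape
	_, err = openBackup(key, image)
	fmt.Println("altered image rejected:", errors.Is(err, ErrTampered))
}
```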
Meanwhile, Prince William County in Virginia is scrapping its tape backup system in favor of backing up data to disk over a secure network to a remote site owned by the county. CIO Masood Noorbakhsh says the goals are to decrease the time it takes to run backups and restores and to increase security. Because it's a private network, it won't be necessary to encrypt the data in transit, he says.
Church Mutual Insurance Co. in Merrill, Wis., produces about 10 backup tapes per day, and its employees move them to the basement of a bank two miles away. Using a company such as Iron Mountain would offer some advantages, says CIO Christopher Graham, but it would cost more.
Church Mutual typifies the many companies that have yet to join the embarrassed ranks of Bank of America, Time Warner, Ameritrade and Citigroup. "Management right now thinks that what we have in place is adequate," Graham says. "Nothing bad has happened yet, so why spend more money?"
Tuesday, January 03, 2006
New York Breach Notification Law in Effect
By Robert McMillan at IDG News Service
New York has joined the growing list of states requiring that companies notify their customers whenever private information has been compromised. The state's Information Security Breach and Notification Act went into effect December 7th, according to a spokeswoman for the state's attorney general, Eliot Spitzer.
The law, which is similar to California's SB-1386 notification law, requires businesses and state agencies to inform New York residents "whose unencrypted personal information may have been acquired by an unauthorized person," according to the text of the legislation.
New York's law is one of a growing number of legislative and regulatory efforts that are forcing executives to pay more attention to security, said Dan Aiken, compliance director at New York's Hospital for Special Surgery. "Now, like in California, if your information is compromised, or if you have reason to believe it may have been compromised, you have to report it," he said, speaking at the Infosecurity conference in New York Wednesday. "There's a real risk to brand name, to your public reputation."
According to a recent survey of security breach victims in the U.S., 20% of respondents said they had terminated their relationship with the company in charge of the data. Another 40% said they would consider doing so, according to the study, which was conducted this year by Ponemon Institute LLC, a privacy think tank in Tucson, Ariz.
Since California's notification law was passed, it has brought dozens of information security breaches to light and put computer security and privacy in the public spotlight. One of the most prominent disclosures was by ChoicePoint Inc., which recently took a $6 million charge for legal expenses and fees related to the theft of personal information belonging to 145,000 consumers that had been stored in its database.
The California law has had a far-reaching effect, said Beth Givens, director of the Privacy Rights Clearinghouse, a nonprofit advocacy organization. "Ever since the ChoicePoint breach happened ... companies have essentially taken the California law and adopted it as a best practice," she said.
Ponemon estimates that just over 30% of U.S. companies have now adopted such a policy.
While it is unclear how much of an effect the New York law will have, given the level of disclosure already required by the 20 other states, Givens believes that it will be good for consumers.
The law will also put pressure on the federal government to adopt similar notification legislation, Givens said. Observers expect some form of federal legislation to be passed next year.
One security vendor agreed that the New York law was important.
"New York is one of the most populous states in the country," said Marv Goldschmitt, vice president of business development at Tizor Systems, a vendor of data monitoring appliances. "It matters significantly. Eliot Spitzer is a loud voice of consumer and public consciousness, so it's clearly a statement that will be heard."
Monday, January 02, 2006
Incident Response
By Mary Brandel at ComputerWorld
A data scandal roll call would include big names in nearly every industry. Bank of America, LexisNexis, Time Warner, DSW Shoe Warehouse, T-Mobile and the University of California, Berkeley, to name a few, have recently experienced data security breaches. And some experts say that there are hundreds if not thousands of other, less-publicized cases in which sensitive personal data has been compromised.
"There's the hospital that unwittingly exposes a couple of AIDS patients, or the bank that inadvertently discloses to a creditor someone's complete financial background," says Diana McKenzie, who chairs the IT group at Neal, Gerber & Eisenberg LLP, a Chicago law firm. "There are tons and tons of examples like that."
For CIOs, this trend means two things: It may not be a case of whether your company will experience a data security breach but when it will experience such a breach. And, particularly if you're one of the unlucky 10% or less who find their stories blasted throughout the national news media, you'd better know beforehand how you're going to respond when a breach occurs.
A New Reality
"In days gone by, you could have thrown up your hands and said, 'Geez, this was an accident,'" says Scott Sobel, vice president at Levick Strategic Communications in Washington. "But now people are more familiar with IT processes, and they may believe that if controls weren't in place, someone was negligent or malicious."
That's why your immediate response to a security breach is all-important. And it's not enough to lean on processes you've put in place to respond to more traditional threats such as viruses and hacker infiltration. Today, threats can emanate from sources as varied as fraudulent businesses or tape thieves.
"The failures in the business processes that have occurred this year are causing organizations to redesign the way they respond to future incidents or anomalies," says Rich Baich, managing director at PricewaterhouseCoopers and former chief information security officer at ChoicePoint Inc. in Alpharetta, Ga. Earlier this year, it was revealed that ChoicePoint had released consumers' personal financial information to data thieves posing as legitimate businesses.
One important change worth considering, Baich says, is to create and publicize a central mechanism for employees or the general public to report possible breaches, including incidents involving low-tech actions such as fraud or tape theft. There should be a response team that follows an established set of protocols, not unlike those of customer service hot lines, where a trained group follows a decision tree and escalates its response depending on the nature of the problem.
The exact response protocol will be unique to each organization. Some may want to report directly to the general counsel, others to the CISO, and others to the president of the company. However you choose to do it, the escalation procedure should be defined and agreed upon in advance.
"It needs to be something that says, 'During Christmas time, from this hour to this day, John Brown is head of the team, and he'll have access to this attorney and this PR person and this decision-maker and this representative of the union, instantly,'" Sobel says.
Having a central point of contact would also help avoid the common problem of not taking incident reports seriously, McKenzie says. "If a busy executive gets a call from a person outside the company who doesn't sound sophisticated, or from someone lower in the organization who thinks something odd is happening, there's a tendency to dismiss it," she says. "I can't tell you the number of times I've had a person forget to get the phone number or even the name of the person who called."
Teamwork
The word team can't be overemphasized, McKenzie says. The days are gone when IT worked in isolation on security incidents. The public relations and legal departments need to be involved as soon as possible, even as you're still figuring out the depth and breadth of the problem. "While you're starting to fix, document and understand the problem, you want to start the lawyers mitigating risk and the PR folks preparing communications," McKenzie says.
"The IT guy keeping it to himself is a really bad idea," she adds. Not only are there disclosure requirements, but your public relations people will also need some lead time to fully understand the problem and prepare a response.
At Vanguard Managed Solutions LLC, IT works hand in hand with the legal and marketing departments during times of crisis. In the 300-employee managed services provider in Mansfield, Mass., security incidents are escalated to management-level employees in the network operations center, says Eric Welz, senior solutions architect. If the incident is determined to be severe enough, marketing, legal and IT work together to determine how it should be communicated to clients.
Now more than ever, lawyers are crucial for correctly interpreting and responding to federal and state privacy laws. For example, California's Senate Bill 1386 requires organizations to disclose security breaches that involve private information about California residents. California Assembly Bill 1950 requires "reasonable security" controls for California residents' data. The Washington state government also recently enacted several bills addressing security breaches, and other states may soon follow.
Your legal department might decide to involve local law enforcement, which could affect whether your company is allowed to disclose any information about the breach. If the police ask you to keep mum because they've determined that public disclosure would inhibit the investigation, be sure to get a letter documenting that request to avoid conflicts later, Baich says.
Some experts suggest that companies develop boilerplate language to enable a faster response. "Disclosures are sometimes required to happen quickly, and that's not the time to start with a blank piece of paper," says Peter Gregory, chief security strategist at VantagePoint Security LLC in Bellevue, Wash.
But don't rush. "You don't want to wait two days, but you can wait 20 minutes," says Gregory. "You need to follow the emergency procedures so that when the PR person is in front of the microphone, the information has flowed properly from the point of discovery, through IT management and sideways to PR and legal."
Or, as McKenzie puts it, "respond with cautious speed. On the one hand, a delay in responding can be fatal, but on the other, you need to have a reasoned response, because this could be broadcast all over the country."
To avoid accusations that you didn't work quickly enough to solve a problem, McKenzie suggests calling in an IT forensics consultant -- even if you think your IT staff is talented enough to analyze Web logs and other records effectively. "It shows you're taking it seriously: 'We hired this gunslinger to help solve the problem expeditiously,'" she says. "If someone sues you for damages, it looks good from a PR standpoint that you hired someone immediately."
You should keep a fact-finding log to record any actions that the security team takes and any people it contacts, and that log should include the precise timing of every action. "When that's all logged, it's easier when someone asks what happened," Baich says.
Finally, when it comes time to communicate with customers or the general public, "be understanding and reassuring," says McKenzie. "There's a tendency for people harmed by these incidents to sense a lack of empathy for their situation." A kind and caring attitude on your part may lessen the chance of lawsuits and other litigious behavior, she says.
"A security disaster will cause many to doubt the company's ability to continue operating," Gregory says, "so you need to respond with well-thought-out statements that give the media and customers confidence that you're in control and are dealing with it."
Sunday, January 01, 2006
One breach every three days
By Jay Cline at ComputerWorld
With information security breaches in the U.S. now reported at a rate of one every three days, corporate privacy and security officers need to take stock about what's happening and what they can do about it.
So what's going on? According to the Privacy Rights Clearinghouse (PRC), 61 U.S. organizations have reported exposures of personal information in the past 180 days. PRC keeps the best list of breaches reported since February's watershed incident at ChoicePoint, where criminals obtained 145,000 customer accounts and sparked a series of congressional hearings on the subject of data security.
What's at the root of these breaches? The PRC reports that the leading cause is external hackers, accounting for half of the incidents. A quarter resulted from stolen laptops and computers. Dishonest insiders, lost backup tapes and negligent employees and business processes accounted for the remaining quarter.
And I think we've seen only the beginning of this phenomenon. Why's that? Two reasons. Nineteen states have now joined California in requiring organizations to notify individuals if their Social Security numbers, driver's license numbers, financial account numbers or other sensitive information is exposed to unauthorized people (see table 2). Companies effectively must now notify all U.S. residents of breaches affecting their sensitive information, so this notification phenomenon is here to stay.
The second reason is that companies are still learning how to detect and report these breaches. A 2005 Ponemon Institute survey of corporate privacy practices found that only a third of companies use a formal process to monitor and report security breaches. As companies improve these procedures, they'll be reporting more incidents.
What'll be the impact of a continuing stream of publicized security breaches? It won't do anything good for customer confidence. A Conference Board survey released in June reported that 41% of customers are purchasing less online than a year ago because of security fears. Trends like this affect all companies, even those with solid security.
But the impact will be greatest on those companies experiencing major publicized breaches. For its part, ChoicePoint has registered $11.4 million in charges related to its security breach (see ChoicePoint says data theft cost it $6M) and endured a sustained, $6 drop in its share price. CardSystems International, which suffered an external hack that exposed 40 million customer accounts, is facing financial ruin following the loss of its Visa and American Express clients.
So what projects need to be at the top of your organization's agenda for the next 12 months?
Adopt a comprehensive information security program based on the ISO 17799 and Payment Card Industry standards.
Require any sensitive information stored on laptops to be encrypted.
Formalize a process where employees can contact a central phone number or e-mail to report suspicious activity with company information.
Validate the security of suppliers that handle your sensitive information, including backup tapes and documents.
Train employees on your security policies and procedures, and perform periodic spot checks to measure compliance.
Completing these types of projects is no guarantee of avoiding a publicized security breach. But they'll go a long way in properly allocating your limited budgets toward the areas of greatest risk.
Computers with patients' information stolen
by Associated Press at Pittsburgh Post Gazette
A medical office has warned about 700 patients that their personal data may have been compromised by the theft of six computers.
Authorities said the office of Squirrel Hill Family Medicine, which is owned by the University of Pittsburgh Medical Center, was broken into over the Dec. 17-18 weekend.
One of the six computers taken contained a file with names, Social Security numbers and dates of birth for patients, but not their medical conditions, UPMC spokeswoman Jane Duffield said.
"While we don't know whether the thieves will use this information, we at UPMC believe that it is our obligation to inform you that the theft occurred and to address next steps to help to prevent identity theft," the medical center said in a letter sent to patients last week.
UPMC said it will cover the cost of credit monitoring services for one year.
Labels: Squirrel Hill Family Medicine