Monday, February 27, 2006


False sense of security in corporate security

from lockergnome.com

According to a report released by Symantec last week, the average laptop contains a whopping $1M worth of information. The AVERAGE laptop. Some executive notebooks are valued as high as US$8.8 million based on the client data, intellectual property and confidential information they contain. The news comes about 10 years after the industry noted that laptops are the most valuable target of corporate theft. Today, according to the recent FBI computer crime survey, 50% of organizations reported the theft of laptops in 2005.

All theft aside, according to Silicon.com, in the UK as many as 10,000 laptops are simply lost or forgotten in public places each year. That adds up to a lot of valuable data. In the US, according to the FBI study, 2.8 million organizations experienced losses totaling $67.2 million as a result of security incidents. That number was found to be 3 to 4 times HIGHER than in previous years.

According to SecurityFocus: "Among the [FBI Study] findings, nearly nine out of ten organizations experienced security incidents in the past year. Over 64% of respondents incurred a financial loss as a result of computer crime - yet only 9% reported these incidents to law enforcement. The United States and China top the list as by far the worst offenders, together accounting for more than half of all external intrusion attempts. However, not surprisingly the survey also reports that 44% of all reported intrusions were sourced as internal to the organization affected."

Although we can assume that researchers are getting better at quantifying losses and calculating the impact of security incidents, it is clear that after decades of Internet use, e-business innovation and progress, organizations are still way behind in terms of security preparedness and respect for the vast problems that define information asset protection.

To be clear, the only thing that we should take away from the statistic that 9 out of 10 companies have experienced a breach is the fact that 1 out of 10 hasn't bothered to find or report its security breaches. The biggest issue is the fact that the same breaches are occurring year after year, with the simplest and most expensive ones leading the pack.

According to my rough calculation, 30 large companies made the Wall of Shame last year. 30 that should have known better because they pretend to be the consumer's best friend, keeping our private data and trading it for cash. According to the Privacy Rights Clearinghouse, these affected millions of people. Here are the top ten offenders:

CardSystems Solutions: 40 million consumer accounts
Citigroup: 3.9 million
DSW Shoe Warehouse: 1.4 million
Bank of America: 1.2 million
Time Warner: 600,000
LexisNexis: 310,000
Ameritrade: 200,000
Polo Ralph Lauren: 180,000
ChoicePoint: 145,000
Boston College: 120,000

Don't be impressed by the big numbers. They're important, but they don't tell the whole story. A closer look at the facts tells us that most of these security breaches were not caused by high-tech whiz kids (those probably go undetected). No, these failures occurred because of simple things like lost backup tapes, stolen passwords, smash & grab robberies and in the case of Citibank, the tapes were simply lost in the mail.

Granted, DSW Shoe Warehouse, Polo Ralph Lauren and LexisNexis did manage to get hit hard by hackers, but that's just the problem: coverage has been inconsistent or non-existent, either because the general media, the ones who have all the eyeballs, have no idea how to represent the magnitude of the problem to the average reader without covering the story in the "Oddly Enough" column or risking making it seem as if the sky were falling.

Perhaps that's why 75% of all new prospects that I meet have developed a well-rehearsed mantra: "We have no security problems, everything's taken care of". That same group is later forced to react to security breaches instead of preventing them, a much more expensive and less effective proposition.

Aside from uninformed people working with incomplete data in an attempt to bring us pre-digested news while carefully avoiding apocalyptic scenarios, what else do you believe is the cause of this blatantly false sense of security? Here are my other 7 contenders:

1. Coasting on momentum - it's not just about apathy and ignorance, or is it? Is past performance an indicator of future security? Not in this business! What we don't know can't hurt us, but what about the aforementioned infamous 30 organizations? They had all the money in the world, they just lacked the budgets. And so it goes for the other 75% of international (mostly small and mid-size) companies that felt the sting of security inadequacy last year.

2. Security suites - are you seeing all-in-one security products flying off the shelves? Let them. Your security protection - whether on a home system or an enterprise network - should be made up of specialized layers, of best-of-breed tools, not one big bloated magic pill. Note, the latter is different from the concept of centralized security management, an often effective strategy for increasing visibility and control across the enterprise.

3. Automated, online security tools - have you come across e-commerce Web sites that proudly proclaim that they are "hacker-free", "security-protected", "impermeable to breaches" or otherwise invulnerable based on the fact that they are 'checked daily' by an automated scan? Rest assured, hackers couldn't care less about such claims, and the only thing that it should mean to you when presented with the typical 'shield' logo is that the company in question is deluded about its own level of protection.

4. Computer vendors and retail stores - why does out-of-the-box ease-of-use plug-and-play have to mean "bogged down with obsolete demo versions of software that are a pain to remove"? Computer stores and vendors are now basing all their marketing on how quickly you can be 'online' once you've stepped away from the cash register. What people should be asking is how much time do I have before my new computer gets infected. The answer? About 20 minutes.

5. Security vendors - why is it that every time a new security product is introduced, it paints such a rosy picture of the world that you literally feel like you will never have another care in the world? Alternatively, it makes such a huge deal out of threats that you didn't know existed that you're either compelled to ignore it, or get a trial copy (just in case) and never end up using it (probably because it interferes with every other security tool you have).

6. Telcos and ISPs - ah the telecommunications industry. When it works, it's a cash cow. Millions of homes and businesses providing reliable, monthly cash flow earmarked for expansion and diversification. Due to roughly gazillions of complaints from Internet subscribers, companies have finally found a way to provide solutions they can actually profit from, while fitting neatly into their guaranteed monthly revenue model. From subscription-based software firewall service to monthly virus/spyware protection, it's all available in byte-sized chunks. Unfortunately, its relative value is measured in crumbs. Convenience and security don't always go together.

7. Oblivious and desensitized IT managers - the least guilty people of the lot. They were hired to make sure systems and networks support business functions, then were told that not only are they responsible for 'security around here' but also for every single network user's infected PC, the company's security and privacy compliance and all the new threats that crop up on a daily basis. Can you really blame them for saying "nah, we're fine. Security is completely under control here"? Unfortunately top level management most often believes them and fails to create a mature, actionable security plan that would minimize the damage when incidents occur.

Saturday, February 11, 2006


Only a matter of time until retailer made known

by David Lazarus at San Francisco Chronicle

The FBI and the California attorney general's office said Friday that they're investigating a far-reaching case of fraud in which debit card numbers belonging to as many as 200,000 consumers were stolen by an international counterfeiting ring.

The investigations focus on a hacker who apparently gained access to a Northern California retailer's computer system. The stolen account data were used to create counterfeit debit cards, which subsequently were sold on the black market worldwide.

"We have an open investigation regarding fraudulent use of debit cards involving numerous banks in California," said Special Agent John Cauthen of the FBI's Sacramento office.

He said the Secret Service also is involved in the case. A spokesman for the Secret Service was unable to say what role the agency is playing, although it does investigate fraud against financial institutions.

The attorney general's office said it had opened an investigation to determine if state laws regarding data security have been violated.

"We will be contacting all business entities involved in this incident," said Tom Dresslar, a spokesman for Attorney General Bill Lockyer.

Word of the investigations follows reports in The Chronicle that various banks have been replacing customers' debit cards in recent days due to fears of a major security breach involving a prominent retailer.

Four well-placed sources in the financial-services industry said the retailer is a leading office-supply business but declined to name it for fear of jeopardizing investigators' efforts.

Banks that have mailed out replacement debit cards include Bank of America, Wells Fargo and Washington Mutual.

The FBI's Cauthen declined to disclose details of the case or the status of the investigation.

"We don't want to say anything that would compromise things," he said.

But banking-industry sources with direct knowledge of the incident said a Sacramento-area outlet belonging to a national office-supply chain was hit by a computer hacker in December.

Data accessed at that outlet could have been received from throughout the West Coast, they said.

The sources said this apparently wasn't an inside job. They said a hacker apparently penetrated the retailer's computer system and accessed the personal information of thousands of consumers.

The information accessed was everything on the magnetic strip of a debit card -- the account holder's name, the card number and a secret code used to validate transactions.

As many as 200,000 people were endangered by the security breach, sources said.

Fraudulent charges related to the theft have been reported in Britain, France, Spain, Russia, China and elsewhere, representatives of affected banks acknowledged.

In most cases, the true account holders won't be held liable for the bogus charges as long as they report any suspect transactions within 60 days, the banks said.

San Jose resident Helen Jackson, 74, said she learned that her debit card number had gone astray when she was blocked last month from accessing a Bank of America ATM.

A bank official looked into her situation and found that Jackson's debit card -- or a piece of plastic bearing her card's number -- had been used for a string of transactions in Russia. The total amount in fraudulent charges was about $1,200.

"I was absolutely stunned," Jackson said. "I was beside myself when I learned this."

San Francisco resident Don Cotton, 53, similarly found himself frozen out of a BofA ATM while visiting Sacramento in late December. He said a bank official told him that about $800 in transactions had been rung up on his card from someone in Ukraine.

"It was a shock," he said.

Representatives of banks affected by the security breach said that, in some cases, debit cards were replaced even though no fraud had been detected or even if there was no link to the suspected retailer.

"We wanted to be extra safe," said Michael Chee, a spokesman for BofA.

Investigators from the attorney general's office are checking to see if the office-supply company violated a state law requiring that consumers be notified if their personal information is "acquired by an unauthorized person."

In this case, the company has remained silent, leaving it to banks to ambiguously warn customers of a potential risk of fraud.

State investigators also will attempt to discern whether the company has complied with strict California regulations for the safeguarding of electronic data.

Chris Hoofnagle, who runs the San Francisco office of the Electronic Privacy Information Center, said his reading of California's notification law is that the burden in this case is on the office-supply company.

"Whoever the custodian of the information was at the time of the breach should be responsible for the notification," he said.

Hoofnagle said it defeats a key intent of the law for a company to avoid the negative publicity that typically comes with news of a data theft.

"Half of the point of notification is to put pressure on companies to improve their security," he said.


Unknown retailer breach affects 200,000

by David Lazarus at San Francisco Chronicle

A data-security breach that resulted in numerous people having their debit cards canceled this week is actually much larger than first indicated.

As first reported in my Thursday column, an unspecified number of Bank of America customers have received letters warning that accounts may have been compromised "at a third-party location unrelated to Bank of America."

BofA has said only that the unnamed company is not a bank affiliate.

But well-placed sources within the banking and credit card industries now tell me that the company in question is a leading retailer in the office-supply business.

Those sources also place the total number of consumers affected by the security breach at nearly 200,000.

Washington Mutual confirmed Thursday that it too was involved in the breach and is replacing customers' debit cards.

Wells Fargo reiterated only that the bank protects customers "if we discover they are at risk for unauthorized transactions." However, multiple Wells Fargo customers told me they've received new debit cards from the bank via FedEx.

It's unclear at this point whether the retailer violated state law by not directly notifying customers of the breach, instead allowing customers to be ambiguously alerted by their banks.

State Sen. Jackie Speier, D-Hillsborough, a leading privacy advocate in Sacramento, said the spirit, if not the letter, of the law appears to have been violated.

"The intention of the law was not to create anonymous notifications," she told me. "It was to link the consumer with the company being breached."

Banking industry sources said they were notified last month by Visa and MasterCard that the computer system of a prominent merchant had been penetrated by a computer hacker, and that account information for thousands of customers had been endangered.

Rosetta Jones, a spokeswoman for Visa USA, acknowledged Thursday that the incident involved a U.S. merchant that "may have experienced a data security breach resulting in the compromise of Visa card account information."

"Upon learning of the compromise," she said, "Visa quickly alerted the affected financial institutions to protect consumers through independent fraud monitoring and, if needed, reissuing cards."

Sharon Gamsin, a spokeswoman for MasterCard International, said the credit card company had been informed of "a potential security breach at a U.S.-based retailer."

"We have notified the banks that issue MasterCard cards to monitor for any suspicious account activity and take the necessary steps to protect cardholders," she said, adding that MasterCard "will continue to monitor this event."

In any case, a serious issue raised by the incident is whether a business can avoid compliance with a California law requiring that customers be notified in the event of a security breach.

State law requires that any company "that owns or licenses computerized data" must notify consumers if any personal info is "acquired by an unauthorized person."

The law defines ownership of data as being "part of the business' internal customer account or for the purpose of using that information in transactions with the person to whom the information relates."

Tom Dresslar, a spokesman for Attorney General Bill Lockyer, said the retailer whose security was recently breached would be liable for notifying customers only if it was maintaining a database of account info and that database was compromised.

"Merchants clearly have notification requirements under the statute," he said. "The responsibility of this retailer is unclear based on the known facts."

But Ray Everett-Church, who runs a San Jose privacy consulting firm called PrivacyClue, said this position undermines the intent of the law, which took effect in 2003.

"Part of the intent of the law is for companies with lax practices to be held accountable," he said. "If they can hide behind card issuers, it calls into question whether merchants have a real incentive to improve their practices."

The law, Everett-Church said, "is intended to increase the risk for companies so they are encouraged to fix problems before they become bigger problems."

Speier agreed with this interpretation, observing that if the merchant in the latest case remains unidentified, its consequences for a serious security breach have been minimized.

"You're insulating that company from any downside or loss of business that might occur as a result of the breach," she said.

Friday, February 10, 2006


U.S. Conducts Simulated Attacks

By TED BRIDIS, Associated Press Writer

The government concluded its "Cyber Storm" wargame Friday, its biggest-ever exercise to test how it would respond to devastating attacks over the Internet from anti-globalization activists, underground hackers and bloggers.

Bloggers?

Participants confirmed parts of the worldwide simulation challenged government officials and industry executives to respond to deliberate misinformation campaigns and activist calls by Internet bloggers, online diarists whose "Web logs" include political rantings and musings about current events.

The Internet survived, even against fictional abuses against the world's computers on a scale typical for Fox's popular "24" television series. Experts depicted hackers who shut down electricity in 10 states, failures in vital systems for online banking and retail sales, infected discs mistakenly distributed by commercial software companies and critical flaws discovered in core Internet technology.

Some mock attacks were aimed at causing a "significant cyber disruption" that could seriously damage energy, transportation and health care industries and undermine public confidence, said George Foresman, an undersecretary at the Homeland Security Department.

There was no impact on the real Internet during the weeklong exercise. Government officials from the United States, Canada, Australia and England and executives from Microsoft, Cisco, Verisign and others said they were careful to simulate attacks only using isolated computers, working from basement offices at the Secret Service's headquarters in downtown Washington.

The Homeland Security Department promised a full report on results from the exercise by summer.

Foresman likened his agency's role during any Internet attack to an orchestra conductor, coordinating responses from law enforcement, intelligence agencies, the military and private firms. The government's goal is a "symphony of preparedness," Foresman said.

Homeland Security coordinated the exercise. More than 115 government agencies, companies and organizations participated. They included the White House National Security Council, Justice Department, Defense Department, State Department, National Security Agency and CIA, which conducted its own cybersecurity exercise called "Silent Horizon" last May.

An earlier cyberterrorism exercise called "Livewire" for Homeland Security and other federal agencies concluded there were serious questions over government's role during a cyberattack depending on who was identified as the culprit — terrorists, a foreign government or bored teenagers.

It also questioned whether the U.S. government would be able to detect the early stages of such an attack without significant help from private technology companies.


Internal attacks now surpass external attacks

by Deloitte & Touche

Internal attacks on information technology systems are surpassing external attacks at the world’s largest financial institutions, according to the 2005 Global Security Survey released by the Financial Services Industry practices of the member firms of Deloitte Touche Tohmatsu (DTT).

Thirty-five (35) percent of respondents confirmed encountering attacks from inside their organization within the last 12 months (up from 14 percent in 2004) compared to 26 percent from external sources (up from 23 percent in 2004).

The third annual Global Security Survey acts as a global benchmark for DTT and its member firms for the state of IT security in the financial sector and consisted of interviews with senior security officers from the world's top 100 global financial institutions.

Phishing and pharming (luring people to disclose sensitive information by using bogus emails and websites) are two new additions to the top security threats financial institutions faced in the past year, underscoring the human factor as a new and growing weakness in the security chain.

The trend shift from external to internal attacks and tactics that exploit human behavior vs. technological loopholes is explained by the improved utilization of IT security technologies, mainly by the increased use of anti-virus solutions (98 percent vs. 87 percent in 2004), Virtual Private Networks (79 percent vs. 75 percent) and content filtering and monitoring (76 percent vs. 60 percent in 2004).

“Financial institutions have made great progress in deploying technological solutions to protect themselves from direct external threats, however the rise and increased sophistication of attacks that target customers, and internal attacks, indicate that there are new threats that have to be addressed,” says Adel Melek, a partner in the Canadian member firm of Deloitte Touche Tohmatsu and Global Leader of IT Risk Management & Security Services within Deloitte’s Global Financial Services Industry practice.

“Strong customer authentication, training and increased awareness can play a significant role in narrowing this gap.”

However, as survey results show, security training and awareness have yet to top the agenda of Chief Information Security Officers (CISO), as less than half (46 percent) of respondents have training and awareness initiatives scheduled for the next 12 months.

Training and awareness was at the bottom of the security initiatives list, far behind regulatory compliance (74 percent) and reporting and measurement (61 percent).

These findings also align with financial institutions’ future investment plans in security, with the most money targeted for security tools (64 percent), compared to only 15 percent for employee awareness and training. There are very few financial institutions that have any plans for customer security awareness.

“In an attempt to minimize the human risk factor, financial institutions have been focusing on enterprise-wide solutions,” says Ted DeZabala, a principal in the security services group of Deloitte & Touche LLP.

“With threats such as identity theft, phishing and pharming on the rise, organizations should be implementing identity management solutions, encompassing access, vulnerability, patch and security event management.

These solutions should be augmented by security training and awareness if organizations are to minimize the number of human behavioural threats.”

“In the U.S.,” continues DeZabala, “the incidents of security breaches increased slightly over last year. Clearly, continued vigilance is needed to meet and exceed the requirements and truly protect corporate data from security threats.”

Regional Differences

Europe, Middle East and Africa (EMEA)
According to the survey, EMEA has the highest number of financial institutions that have formulated an information security strategy (89 percent), greater than any other region. EMEA also has the highest rate (83 percent) of adoption of security standards such as ISO 17799.

Asia Pacific (APAC)
APAC has the highest number of respondents (42 percent) indicating that security is recognized at the C-suite and board level as being critical to the business. For the second year, the region also maintained its lead with almost three quarters (72 percent) of respondents having their employees receive awareness and training on security and privacy.

Latin America and the Caribbean
Eighty-six (86) percent of respondents from this region have not implemented a program for managing privacy compliance. Additionally, close to 100 percent did not perform an inventory of personal information and only slightly more than half (57 percent) tracked loss of data.

Canada
Half of Canadian respondents acknowledged that they have experienced some form of information security breach – the highest rate of all regions. On the flip side, with privacy and Sarbanes-Oxley compliance driving regulatory initiatives in Canada, the majority of respondents (78 percent) indicated they have both the commitment of management and the adequate funding to address these requirements.

United States
Eighty-three (83) percent of U.S. CISOs interviewed confirmed they have adequate funding and commitment to meet regulatory requirements, the highest rate among all regions. Financial institutions in the U.S. also lead the pack with the highest percentage of organizations (76 percent) who delivered at least one security awareness and training session to employees in the past 12 months.

Additional Key Findings of the Survey:

• While close to half (48 percent) of respondents perceive lack of employee awareness as one of their top challenges, security training and awareness measurements implemented in the past 12 months declined from 77 percent in the previous survey to 65 percent this year.

• Almost three-quarters (74 percent) of respondents outsource at least one IT function, but 27 percent do not conduct regular assessments of the security outsourcer’s compliance with security requirements.

• While 86 percent of organizations with a CISO indicated that this function reports directly to the board or to the C-suite, only about one-third of the organizations interviewed feel that security has been similarly recognized as a critical area of business.

• Unrealistic timelines and budgets (56 percent) topped respondents’ list of common reasons for security project failures, followed by integration problems due to poor up-front design and architecture (48 percent) and lack of buy-in from business owners (34 percent).

The survey, conducted through face-to-face interviews and on-line questionnaires by the Financial Services Industry practices of DTT’s member firms, focused on senior information technology executives (Chief Security Officer, Chief Information Officer, Security Management Team, etc.) of many of the top 100 global financial services organizations.

Thursday, February 09, 2006


The customer loyalty costs of data breaches

By Barney Beal, SearchCRM.com

As the reports of companies losing customer data continue to pile up, privacy protection is becoming a top-of-mind issue, both for customers, who naturally don't want their personal information falling into the wrong hands, and companies, who are suffering real damage to their brand, customer loyalty and bottom line.

Recent research is starting to put a number to the costs associated with lost customer data. A benchmarking study conducted last October by the Ponemon Institute in Tucson, Ariz. found that average additional spending resulting from a single data breach reached $5 million and ranged as high as $50 million for one insurance company. The average total recovery costs were $140 per lost customer record.

The Ponemon Institute examined about 135 companies in the Fortune 500 to benchmark their experiences, gathering some of its information from publicity surrounding data breaches.

"What was really interesting was some of the breaches were not a major public event," said Larry Ponemon, chairman and founder of the institute. "It's getting to be such a boring story. Really small breaches, ones that are less than 20,000 names, are not getting into the press at all."

However, small breaches still cost companies. Ponemon groups the costs into four core buckets: discovery, escalation, notification and ex-post response. The costs include mailing fees for notifications, follow-up support such as providing credit monitoring services and free or discounted services, such as a 10% off coupon. Additionally, Ponemon identified "opportunity costs," which include turnover of existing customers and diminished new customer acquisition.

"Then there's lost business -- this is probably the hardest to estimate," Ponemon said. "Churn actually varies quite a bit. The lowest churn rates were banks and the highest were retail. The banking relationship is such a tough relationship to break."

In a separate study in September, Ponemon also found that a majority of customers who received data breach notifications were unsatisfied with the quality of the notification and communication process. The results of the study demonstrated that companies must take care in communicating breaches. While he has yet to find that people who have been the victim of a data breach are more likely to have their identity stolen, people still believe a breach will have a negative effect upon them, Ponemon said.

The method of communicating with customers can go a long way toward maintaining customer loyalty. For example, companies that report a breach are more than four times as likely to experience customer churn if they fail to communicate to the victim in a clean, consistent and timely fashion, according to the report. Companies that deploy e-mails or form letters to communicate a breach are more than three times more likely to experience churn than companies that use the telephone or personalized letters.

In fact, in rare cases a data breach can offer a chance to reinforce customer loyalty. Ponemon was surprised to find that 12% of respondents said the incident increased their confidence and trust in the company. When he went to double check the surprising figure, Ponemon spoke with one woman who said she was so impressed with the way her bank dealt with her after the breach she was less likely to leave. The bank sent her a letter, followed up with a phone call and gave her an hour of time explaining ways she could protect herself from identity theft.

All this comes at a time when the Internet is making customer loyalty increasingly fleeting. A survey of 1,000 U.S. consumers, conducted by Accenture Ltd., a Bermuda-based consulting firm, found that a majority believed the Internet makes it easier to change service providers.

"Consumers have much more knowledge today about their purchase options than they ever have in the past, in large part due to the information they have on the Internet," said Alton Adams, managing partner of the customer insight program at Accenture. "The whole concept of loyalty is a function of how well a company serves your needs in addition to your knowledge of available options. Now, there is a wealth of knowledge about available options. Companies need to work harder and harder to maintain loyalty because of the Internet."

The biggest reason more than 50% of consumers in the survey switched companies was because the same offerings could be found elsewhere at a lower price but that was followed closely by having a bad experience, according to Accenture.

Customer privacy and respect are becoming issues companies are taking a much closer look at.

"This was a dream like eight or nine years ago," Ponemon said. "I used to say some day privacy is going to be a competitive advantage. Now companies like eBay and PayPal -- their whole business model is around trust."

 

Data Breach Trends

PRESS RELEASE
ID Analytics, Inc., the Identity Risk Management company, today announced findings from its analysis of publicly-available information on 70 data breaches that occurred in 2005. The company also announced that a white paper detailing its analysis of four actual data breaches is now available. Announced in December, the detailed analysis showed that few of the breached identities appeared to be misused for criminal financial gain.

In the recent analysis of public information on 70 breaches, the most interesting findings included:

* The largest volume of data breach incidents occurred in the education sector (46 percent)

* Fifty-seven percent of the identities breached were in the financial services sector

* Almost 70 percent of the breach occurrences were because someone targeted the organization through hacking or some other method to steal information about consumers

* Of the publicly-reported data breaches during the study period, 77 percent were "identity-level," meaning personal identifiers such as names and Social Security numbers were breached

* The majority of the identity-level breaches, 38 out of 54, were intentional, meaning the breach appeared to be the result of a deliberate theft of identity information from an electronic database

"This high proportion of identity-level breaches suggests that criminals know exactly what they are targeting since identity-level information is most profitable for committing identity theft," said Mike Cook, ID Analytics' co-founder and vice president of product. "Based on the analysis, we believe that fraudsters determined to steal identity information to perpetrate their crimes are systematic and deliberate in their attempts."

However, not all of the breaches in the study were intentional. For the purposes of the analysis, ID Analytics excluded the June 2005 breach of 40 million account numbers from CardSystems due to its large size. Excluding this breach, more than half (58 percent) of the breached identities in the study were actually lost, seemingly through human error, rather than because someone targeted the organization to steal the information.

As part of this study, ID Analytics also analyzed the potential costs of these data breaches by estimating such losses as operational costs, consumer notification, card re-issuance, credit monitoring services and anticipated fraud losses. The analysis showed that during the period of the study approximately $210 million were lost by the affected organizations as a result of these breaches.

"Breaches differ, and the risk to consumers and organizations varies considerably based on the type and scope of the data breach," said Bruce Hansen, chairman and CEO of ID Analytics. "What's really most important for both consumers and breached businesses is assessing the degree of risk for a given breach in order to determine the best next steps to protecting consumers, protecting the organization, and stemming financial and reputational losses."

National Data Breach Analysis White Paper Now Available

ID Analytics also announced that its National Data Breach Analysis report is now available. This 36-page paper examines actual data breach files from four separate incidents representing approximately 500,000 breached consumer identities, providing a first-hand glimpse of how real fraudsters are actually using, or not using, breached data to commit fraud. As announced previously, the results reveal that few of the breached identities from the analysis appear to be misused for criminal financial gain. The paper also discusses how patent-pending technology can help organizations detect data breaches sooner, determine the best next steps following a breach, and ultimately limit the harm caused by criminal abuse of breached consumer data. To request a copy of the paper or find out more about ID Analytics Breach Analysis Services, email marketing@idanalytics.com.

Tuesday, February 07, 2006

 

Human Error at Blue Cross Blue Shield in NC

By Jaikumar Vijayan at ComputerWorld

A "human error" at Blue Cross and Blue Shield of North Carolina allowed the Social Security numbers of more than 600 members to be printed on the mailing labels of envelopes sent to them with information about a new insurance plan.

The mistake affected patients who had applied for a new health savings account insurance plan, said Gayle Tuttle, a spokeswoman for the Chapel Hill, N.C.-based insurer. “The mailing label on a welcome letter that we sent out to 629 people enrolled in one of our individual insurance plans contained an 11-digit tracking number, nine of which were the members’ Social Security numbers,” Tuttle said. “The release of this information is the result of a regrettable human error.”

As part of a broader bid to enhance privacy, Blue Cross has been using a new subscriber number instead of Social Security numbers to identify patients, Tuttle said. Even so, there is still a “linking” that goes on internally between the subscriber IDs and Social Security numbers that may have contributed to the error, she said.

The problem was discovered on Jan. 30, and letters were sent to the affected individuals on Feb. 1 informing them of the breach and instructing them to check for fraudulent activity with the major credit reporting bureaus. “We are taking this very seriously,” Tuttle said. “But this affects only a very tiny percentage of our members.”

Following the incident, Blue Cross is looking at its internal processes and procedures to see how such mistakes can be avoided in future, Tuttle said.

The incident at Blue Cross is similar to one involving The Boston Globe last week and another case involving tax preparer H&R Block Inc. in Kansas City, Mo.

In the Globe incident (see “Newspapers’ Exposure of Data Points Out Hidden Risks”), confidential information belonging to more than 200,000 subscribers was inadvertently exposed when the Worcester Telegram & Gazette, a sister publication in Worcester, Mass., reused paper containing their names, credit card numbers and bank account information to print routing labels that were attached to bundles of newspapers.

In the H&R Block case, the company accidentally embedded Social Security numbers in a 47-digit tracking number on packages used to mail free copies of the company’s TaxCut tax preparation software in mid-December. The problem was reported to the company by an affected individual shortly thereafter, and letters were sent to all affected persons on Dec. 22, said H&R Block spokeswoman Denise Sposato.

The problem was the result of an “inadvertent human error” and affected only a small percentage of former H&R Block clients, she said.

“The Social Security numbers were embedded within this 47-digit string. They were not broken out in any way, shape or form,” making it extremely difficult for anyone to even notice the error, Sposato said. In fact, fewer than 10 of the affected individuals detected the problem on their own, she said.

“We’ve been around for over 50 years, so if anybody knows about the sensitivity and confidentiality of financial data, it is H&R Block,” Sposato said. “This was totally contrary to H&R Block’s policies and procedures.”

Since the incident, H&R Block has completed an investigation into what happened and has fixed the problem. She did not offer further details.



 

Private Investigator used insiders to reveal sensitive information

By CHRISTINA ALMEIDA The Associated Press

Celebrity private eye Anthony Pellicano was charged Monday with wiretapping such stars as Sylvester Stallone and Keith Carradine and bribing a police officer for dirt on Hollywood figures.

Pellicano, 61, pleaded not guilty to racketeering, interception of electronic communications and other offenses. He was charged along with a Los Angeles police officer and a telephone company employee in an indictment unsealed Monday.

"These charges allege a disturbing pattern of criminal conduct in which money flowed freely to encourage sworn law enforcement officers to violate their oath to uphold the law," acting U.S. Attorney George Cardona said.

The indictment said the information gathered was used for threats, blackmail and in some cases to secure "tactical advantage in litigation." Prosecutors would not elaborate. In some cases, Pellicano was hired by clients to collect the material, according to the indictment.

Mark Arneson, a veteran police sergeant, is said to have received at least $189,000 from Pellicano to search law enforcement databases for "confidential, embarrassing or incriminating" information. More than 60 people were run through police databases, including comedians Garry Shandling and Kevin Nealon, the indictment states.

According to the indictment, Rayford Earl Turner, an employee of SBC and Pacific Bell at the time, received at least $36,655 from Pellicano "for the purpose of obtaining proprietary telephone company information and facilitating illegal wiretaps." Turner retired in 2001.

 

Angry Muslims launch furious attack on Denmark sites

Gangs of pro-Muslim computer hackers have unleashed a withering cyber attack on Danish and Western websites in the past week, escalating their defacement barrage to coincide with dozens of violent street-level demonstrations across the Arab world in protest at the publication of a cartoon depiction of the Prophet Mohammed.

The number of Danish websites alone - those carrying a '.dk' suffix - knocked offline between 30 January and 6 February was 578, according to Zone-H.org, a cyber-crime observatory that tracks website defacements. Hundreds more websites of European, Israeli and American companies and private citizens have also been defaced during that period, with the vast majority occurring after the re-publication last week of the cartoons in European newspapers.

'The number is nearly doubling every day,' said Roberto Preatoni, the founder of Zone-H.org. A team of Zone-H technicians collect and verify reports of sabotaged Web sites from both victims and hackers. The number of attacked Web servers has been at record levels since the controversy reignited last week, Preatoni said.

'This is the largest ever attack directed against a single country, bigger than the Intifada, the Chinese-U.S. spy plane incident, and even the war in Iraq.'

It has been common practice for spirited young hackers and defacers to express their anger with foreign governments or multi-national corporations by hijacking their Web sites and scrawling some political message, often in the form of an expletive-filled rant, across a series of Web pages.

This current hack attack, the most intense ever recorded by Zone-H.org, is occurring as fierce anger erupted across the Arab and Islamic world over the weekend. Protesters set fire to the Danish Embassy in Beirut and at least five protesters died in violent demonstrations in Afghanistan. Muslims around the world have condemned a Danish newspaper for first publishing the satirical images of the Prophet Mohammed in September. As a show of support for press freedoms, the cartoons were re-printed last week in Italian, French and German newspapers, a move that has added to the furore.

The victims of the cyber attacks ran the gamut of large and small websites, from estate agents in Essex to a Danish online gamer community called the 47th Royal Marines. As of Tuesday morning, the latter's site was still defaced to read 'Hacked by RedHackeR' with the following statement: 'IM SORRY, STOP WAR, DON'T TOUCH ALL ISLAM COUNTRY! F[***] DENMARK, F[***] YOUR GOVERMENT!!!'

It was not immediately apparent if the hackers had successfully taken down any government or large corporate websites. A common message scrawled on the sites called for a boycott of Danish products, Preatoni said.

A worrying distinction of this attack is that it appears to be not just the work of angry script kiddies trying to earn respect among the hacker and defacer underground. 'You have intelligent people who suspended defacing maybe a year ago who have taken it up again just to voice their opinion for this occasion,' he added.

Monday, February 06, 2006

 

Data Breaches aren't just an IT responsibility

By Frank Hayes at ComputerWorld

The Boston Globe managed to expose as many as 240,000 subscribers to identity theft last week -- no hackers or viruses required. Here's how: The Globe shares a computer system with a sister newspaper in suburban Worcester, Mass., the Telegram & Gazette. On Jan. 29, the Telegram & Gazette sent 9,000 bundles of Sunday papers to retailers and delivery people wrapped in recycled office paper. But some of that recycled paper happened to be printouts that included subscribers' credit card numbers and checking account information.

Is that a creative way of violating customer privacy, or what?

The Globe/Telegram & Gazette snafu followed two incidents in which other companies' customer information was stolen from employees' cars. A thief broke into a car in a suburb of Portland, Ore., and stole backup disks containing information on 365,000 patients of Providence Health System, a West Coast medical group. Another smash-and-grab thief stole a laptop belonging to an employee of Ameriprise Financial that contained unencrypted data on 158,000 customers.

Here's the scary part: In each case except the Ameriprise incident, the information was handled according to standard operating procedures. The recycling was approved. The home-stored backups were SOP. Even the Ameriprise employee was allowed to have the data on a laptop as long as it was encrypted, but the employee failed to follow encryption procedures and was fired for it.

And here's the scarier part: Even though data security is IT's job, this isn't a problem that IT can solve.

Why not? Because non-IT employees really are creative. They're always looking for better, faster, cheaper ways of doing their jobs. That includes reusing paper from discarded printouts. And storing backups off-site at employees' homes. And, of course, taking work home on laptops.

They'll always come up with new ways of exposing data that we haven't thought of. Not on purpose; they're not trying to put customers or the business at risk. But data security and customer privacy just aren't top-of-mind for them. The gap between what concerns us (protecting data) and what they worry about (doing business) is just too great.

What can IT do? We could try to lock down all that data: restrict access, prevent printing, block local storage. Within limits, that's a good approach. After all, how many employees really need long lists of customers' Social Security and credit card numbers? Tagging such information as need-to-know and blocking its use in routine reports is good security practice.

But that's not enough. We also need to get creative. We need to find ways to get employees thinking about data security -- and make it easier for them to keep data secure.

Ask yourself: How easy do you make it for employees to get just the data they need in reports? How easily can they encrypt that data and keep it encrypted every second it's not in immediate use? Is sensitive data clearly marked so confidential reports won't be mistaken for safe-to-recycle office paper? Are outdated practices like employees carrying home backups still being used in some departments?

How often do you talk with employees about data security? Not send e-mail -- talk. And not in general terms, but about how it directly applies to their work processes. How much of that security-talk time is for them to ask questions and make suggestions? How quickly do you follow up so they see results?

In short, how well are you harnessing that non-IT-employee creativity to make data more secure instead of putting it further at risk?

IT can't solve all data security problems. Not today, when so much data is in the hands of employees who need it to do their jobs.

But by getting those employees to make data security a priority -- and then helping them to make it a reality -- we can close that security gap. Our employees will be on our side. Our customers' privacy will be protected.

And we'll be a lot less likely to read about our troubles in the Sunday paper.

 

Newspapers' Exposure demonstrates hidden risks

By Jaikumar Vijayan at ComputerWorld

Incidents such as the data security breach disclosed last week by The Boston Globe and the Worcester Telegram & Gazette—which inadvertently attached the credit card numbers of more than 200,000 subscribers to newspaper bundles—highlight the unexpected ways in which sensitive information can leak out of companies.

The data exposure by the two newspapers hammered home yet again the need for businesses to implement comprehensive policies for securing their information assets and then apply the appropriate controls to mitigate the risk of accidental compromises, according to security analysts.

"Given the infinite number of ways business processes are implemented in firms, there are potentially an infinite number of ways in which data can be lost," said Arshad Noor, CEO of StrongAuth Inc., a compliance management services firm in Sunnyvale, Calif.

As a result, IT and security managers need to start thinking beyond network and system defenses, Noor said. "We have to go back to the core of our systems where the data sits and start securing it outward from there," he said.

The Globe and the Telegram & Gazette, a sister publication in Worcester, Mass., announced that discarded internal reports containing the full credit card numbers of as many as 240,000 subscribers were reused to produce more than 9,000 routing slips for bundles of the Jan. 29 Worcester Sunday Telegram. The bank-routing information of about 1,100 Telegram & Gazette subscribers who pay by check may also have been exposed when the newspaper bundles were sent to retailers and carriers.

The two newspapers are owned by The New York Times Co. and use a shared computer system. According to officials at the Globe, customer data was mistakenly printed out twice in recent weeks by business office workers at the Telegram & Gazette. The reports were then put aside so that the clean side of the paper could be used for other purposes, leading to the security gaffe.

The Globe managed to recover about 1,000 of the routing slips after it was alerted to the problem by a store employee, said Alfred Larkin, the newspaper's senior vice president of general administration and external affairs. Most of the other slips are believed to have been discarded, he said.

After the breach was discovered, the newspapers modified their business system so it prints only the last four digits of credit and debit card numbers. In addition, the Telegram & Gazette stopped its practice of reusing internal reports as routing slips, Larkin said, adding that the Globe hadn't done that to begin with.
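Two of the failures on this page have the same shape: a customer's own identifier printed where it should not be, whether an SSN hidden inside the 11- and 47-digit tracking numbers on the Blue Cross and H&R Block labels, or full card numbers on the internal reports the newspapers later recycled. Both can be gated before anything reaches a printer. The example below is added here and is not code from any of the companies mentioned; the record layout, field names and sample values are constructed.

```python
import re

# Constructed sample data, not real records; field names are assumptions.
SAMPLE_RECORD = {
    "ssn": "123-45-6789",
    "card_number": "4111 1111 1111 1111",   # standard Luhn-valid test number
}

# A 47-digit tracking string with the SSN embedded at offset 20, modelled on
# the H&R Block mailing described above (constructed layout, not the real one).
SAMPLE_LABEL = "9" * 20 + "123456789" + "4" * 18

# Bare digit runs long enough to be a card number (PANs are 13-19 digits).
# Numbers printed with spaces or dashes would need a separator-tolerant pattern.
PAN_RUN = re.compile(r"\d{13,19}")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check that card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as the newspapers' system was changed to do."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_report_line(line: str) -> str:
    """Mask every Luhn-valid 13-19 digit run in a report line before it is printed.

    Non-Luhn runs (order numbers, subscriber IDs) are left alone, so the
    report stays usable while a discarded printout reveals only last-four.
    """
    return PAN_RUN.sub(
        lambda m: mask_pan(m.group()) if luhn_ok(m.group()) else m.group(), line
    )


def label_leaks_identifier(label: str, record: dict) -> list:
    """Names of the record's sensitive fields that appear verbatim inside the label.

    The comparison is done on digits only, so an SSN buried inside a longer
    tracking number is still found; a pattern such as xxx-xx-xxxx would miss it
    because the digits are not broken out. Concatenating all label digits can
    also flag a coincidental match spanning two fields; for a pre-print gate
    that errs on the side of a human review, which is the intended behaviour.
    """
    label_digits = re.sub(r"\D", "", label)
    hits = []
    for field in ("ssn", "card_number", "bank_account"):
        value = re.sub(r"\D", "", record.get(field) or "")
        if value and value in label_digits:
            hits.append(field)
    return hits


if __name__ == "__main__":
    # The first run is a non-Luhn subscriber ID and stays readable; the card is masked.
    print(scrub_report_line("SUB 1234567890123456 CARD 4111111111111111 EXP 12/07"))
    # Reports ['ssn']: the label carries the member's own SSN inside the tracking string.
    print(label_leaks_identifier(SAMPLE_LABEL, SAMPLE_RECORD))
```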

The breach at the newspapers came just one week after companies in Seattle and Minneapolis disclosed separate data compromises potentially affecting hundreds of thousands of people. Both resulted from the theft of IT gear from employees' cars.

Other common snafus mentioned by analysts include failing to properly destroy storage devices, leaving confidential reports in conference rooms, subways or taxis, storing corporate documents on home PCs, and donating or auctioning systems that still contain data. In one case last April, a disk drive containing confidential data from the police department in Brandenburg, Germany, was auctioned off on eBay Inc.'s Web site for the equivalent of about $25.

It's impossible to implement controls for every eventuality. But Roberta Witty, an analyst at Gartner Inc., said companies should set up programs for classifying data and then apply mitigation controls based on the information's sensitivity and the perceived level of risk. "Just because it's not in electronic form doesn't mean you don't put controls over it," she said.

Also vital is training employees on the safe handling of data, said Prat Moghe, CEO of security vendor Tizor Systems Inc. in Maynard, Mass. "Companies often fail to see themselves as data brokers, though in a sense they are," Moghe said.

 

Ex-employee exposes Honeywell data

By Robert McMillan at IDG News Service

Honeywell International Inc. says a former employee has disclosed sensitive information relating to 19,000 of the company's U.S. employees.

Honeywell discovered the information being published on the Web on Jan. 20 and immediately had the Web site in question pulled down, said company spokesman Robert Ferris.

In court filings dated Jan. 30, the company accused former employee Howard Nugent of Arizona of accessing the information on a Honeywell computer and then causing "the transmission of that information."

Nugent has since been ordered not to disclose any information about Honeywell, including "information about Honeywell's employees (payroll data, Social Security numbers, personal information, etc.)," according to a Jan. 31 order signed by Judge Neil Wake of the U.S. District Court for the District of Arizona.

The precise method Nugent is alleged to have used to gain access to the information, and why he may have disclosed it, is not clear.

In the court filings, Honeywell claimed that Nugent "intentionally exceeded authorized access to a Honeywell computer," but the integrity of Honeywell's computer systems was not compromised, Ferris said.

"Nobody hacked into systems," he said, without disclosing further details on the data breach.

Honeywell employees were notified of the breach via e-mail on Jan. 23, just days after it was discovered, and the company has since mailed notices about the compromise to all affected employees, Ferris said.

The company is working with federal and local authorities on the case, but Ferris declined to comment on whether criminal charges were expected to be filed.

Nugent could not be reached to comment for this story.



 

Confidential patient data sent to wrong company

By Jaikumar Vijayan @ ComputerWorld

A small Lockport, Manitoba-based distributor of herbal remedies has for the past 15 months been mistakenly receiving faxes containing confidential information belonging to hundreds of patients with Prudential Financial Inc.’s insurance group. The data exposed in the breach -- and faxed to the company by doctors and clinics across the U.S. -- included the patients’ Social Security numbers, bank details and health care information.

So far, at least, efforts to deal with the issue appear to have failed, said Jody Baxmeyer, vice president of marketing at North Regent RX, the company that’s been receiving the faxes.

The situation has been caused by North Regent’s toll-free fax number, which is nearly identical to one used by Prudential to receive medical claims-related information from doctors, Baxmeyer said. In fact, the two numbers differ by only one digit, Baxmeyer said.

As a result, North Regent’s Lockport office has mistakenly received thousands of documents sent to the wrong fax number that involve more than 1,000 claims. The documents contain detailed patient medical histories, Social Security numbers and bank information meant for Prudential’s insurance division.

Baxmeyer said his company contacted Prudential about the problem in October 2004 -- when North Regent first began operations -- and then followed up again in April 2005 when it had not heard back from the company. “Prudential’s point of view was that, ‘We are not the ones faxing the information,’ which is ridiculous,” Baxmeyer said. “They are the ones that solicited the business from doctors and clinics, and they are the ones setting up the protocols for receiving the information.”

In a statement today, Prudential officials disagreed, saying the company cannot be held responsible for third parties who are sending the information to the wrong fax number.

“Prudential Financial’s fax number is accurately listed on all of our forms and communications,” the company said in an e-mailed statement. “Effective immediately, North Regent RX will forward to Prudential Financial all faxes it has received, as well as any it may receive in the future.”

Initially, North Regent contacted the doctors’ offices, clinics and even patients directly when it received a fax meant for Prudential. But the company doesn’t have the resources to continue doing that, Baxmeyer said. “What happened was it became a point of distraction for us. It would have taken an effort that we were not capable of.”

According to Baxmeyer, North Regent in April offered to sell its toll-free number to Prudential for a fee that included the costs of acquiring and publicizing a new toll-free fax number for North Regent. Another option it suggested was for Prudential to give North Regent some sort of legal protection for receiving the unsolicited confidential information, he said.

Both requests were turned down by Prudential, which instead asked North Regent to simply forward all of the faxes it received back to Prudential via prepaid mail, Baxmeyer said. Prudential also informed North Regent that it had sent out a memo urging doctors’ offices and clinics to use extra caution when sending claims via fax.

John Pescatore, an analyst at Gartner Inc., said that Prudential cannot be held responsible for mistakes made by others. “In this case, the person who is sending out the information is the one that’s responsible. Prudential did not give them the wrong number.”

Faxes containing sensitive information often have disclaimers instructing recipients to either destroy the faxes or contact the sender in case they are sent to the wrong person. It is the responsibility of the recipient to destroy the faxes or follow any other instructions, Pescatore said.

Said Baxmeyer: “Our point of view is that it’s ridiculous to be sharing information that is sensitive in nature, whether financial or medical, by the use of faxes,” he said. “We want Prudential to realize that their technology is out of date, and they are not paying attention.”



Wednesday, February 01, 2006

 

The Boston Globe leaks 240,000 employee and customer financial records

By Jaikumar Vijayan at ComputerWorld

An apparent attempt to recycle discarded internal reports has ended up in the compromise of credit card and bank number information belonging to more than 240,000 subscribers of The Boston Globe and the Worcester Telegram & Gazette.

The snafu occurred when the account information of Globe and T&G subscribers who pay for their home delivery subscriptions by credit card was disclosed on the back of more than 9,000 individual routing slips used to label bundles of the Worcester Sunday Telegram, the Globe said in a statement today. The bank routing information of some T&G subscribers who do not pay by credit card may have also been inadvertently disclosed, the paper said.

Both newspapers are owned by The New York Times Co. and share a computer system.

According to the Globe, discarded reports were recycled as paper used to print the routing slips. The newspaper was alerted to the compromise by an employee at a store that sells copies of the newspaper, said Alfred Larkin, senior vice president of general administration and external affairs at The Boston Globe. “As soon as senior management became aware of the situation, we dispatched a significant portion of our delivery force and attempted to recover as many of the routing slips as possible,” he said.

So far, about 1,000 of the routing slips have been recovered, Larkin said. “Most of the others we believe have been discarded,” he said.

According to the Globe’s account of the incident, data was printed out twice in recent weeks by business office workers at the T&G and then thrown away to be recycled. In one case, an employee started to print a report, stopped the printing before it was done and discarded the paper. In the second, a different employee began printing out a report, realized it was the wrong one, aborted that job and threw the report out.

A majority of the affected individuals are subscribers to The Boston Globe, Larkin said. The company has already contacted the four major credit card companies and also some of the banks involved in the compromise. Later today, it will send letters to the affected individuals informing them of the compromise and any follow-up action they need to take to mitigate exposure to fraud.

“We hope to be able to offer some way of assuring their safety going forward,” Larkin said, adding that no decision has been made on what exactly that might be.

Larkin said he does not know how long recycled internal reports have been used to print routing slips at the T&G, but he said the practice was immediately stopped. It was not a practice followed by the Globe.

The paper also set up a hot line, (888) 665-2644, that subscribers can call to verify whether their information was compromised, he said.

In a statement, publisher Richard Gilman said he regrets the “inconvenience” the incident may cause subscribers. “We deeply value the trust our subscribers place in us and are working diligently to remedy this situation. Immediate steps have been taken internally at The Globe and the Telegram & Gazette to increase security measures for protecting customers’ confidential information,” he said.

Such incidents highlight the need for companies to have a holistic data security and data classification strategy that includes controls for information stored in backup tapes, storage devices and on paper, said Roberta Witty, an analyst at Stamford, Conn.-based Gartner Inc. “Just because it’s not in electronic form doesn’t mean you don’t put controls over it,” she said. “At the end of the day, it is the responsibility of the information security group with the records management group” to ensure that proper controls are in place for sensitive information.

The incident is only the latest in a constantly growing list of major data compromises over the past year or so. Only last week, for instance, Providence Home Services in Seattle and Ameriprise Financial Inc. in Minneapolis disclosed separate security breaches involving the compromise of confidential customer data. Providence said it was notifying 365,000 hospice and home health care patients about a theft of backup tapes containing confidential information. Ameriprise said it was notifying 158,000 customers and 68,000 financial advisers about a possible compromise of their confidential information after a company laptop was stolen.

Similar breaches have hit a variety of companies in recent months, including Bank of America, LexisNexis and ChoicePoint Inc. The compromises have fueled congressional and federal concerns about data privacy and security. Only last week, the Federal Trade Commission imposed penalties totaling $15 million on ChoicePoint for its alleged failure to meet its data protection obligations.


