Friday, March 10, 2006

 

PIN Scandal "Worst Hack Ever"

By Gregg Keizer, TechWeb News

The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs "the worst consumer scam to date."
Wednesday, Citibank confirmed that an ongoing fraud had forced it to reissue debit cards and block PIN-based transactions for users in Canada, Russia, and the U.K.

But Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner research vice president. The scam -- and scandal -- has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, including ones in Oregon, Ohio, and Pennsylvania, all of which have re-issued debit cards in recent weeks.

"This is the worst hack ever," Litan maintained. "It's significant because not only is it a really widespread breach, but it affects debit cards, which everyone thought were immune to these kinds of things."

Unlike credit cards, debit cards offer an additional level of security: the password-like Personal Identification Number, or PIN.

"That's the irony, the PIN was supposed to make debit cards secure," Litan said. "Up until this breach, everyone thought ATMs and PINs could never be compromised."

Litan's sources in the financial industry have told her that thieves hacked into an as-yet-unknown system and made off with the data stored on debit cards' magnetic stripes, the associated "PIN blocks" (the encrypted PIN data), and the key for that encrypted data.

The problem, she continued, is that retailers improperly store PINs after they have been entered, rather than discarding them at the PIN pad. Worse, the keys for decrypting the PIN blocks are often kept on the same network as the PIN blocks themselves, so a single successful intrusion is a potential goldmine for criminals: they get the PIN data and the key to read it.

In this case, Litan said, the thieves used the information to crank out counterfeit debit cards, then emptied accounts at ATMs. She estimated that they absconded with "at least a couple of thousand records, maybe more" and have cashed out to the tune of "millions already."

The victim of the hack attack isn't yet known, although some banks have pointed fingers at OfficeMax, which has denied that its system was penetrated.

Litan believes it much more likely that a third-party processor or terminal supplier was involved; the silence about the victim could point to a processor, she said, because they have the most to lose by the negative publicity.

Last summer, credit card processor CardSystems was hit with a massive breach that involved millions of accounts; CardSystems essentially sank under the publicity and was later bought by Pay By Touch. In February 2006, the FTC reached a settlement with CardSystems that requires it to adopt more stringent security measures, but the company remains open to consumer lawsuits that could mean millions in payouts.

No matter who is to blame, the bank industry is only about halfway through cleaning up the breach, said Litan. And more of the same is on the way.

"This will become a trend with criminals," she bet. "Hackers will do this as much as they can" because it's far easier to empty checking accounts at ATMs than to buy goods with purloined credit cards, then sell the goods to generate cash.

So what's a consumer to do?

"Security is tight at the ATM, but point-of-sale is a whole other story," said Litan. "Look at your [debit card] account on a regular basis, and don't use a PIN-based debit card at point-of-sale," she recommended. "I never do."


Debit card fraud outbreak raises questions about data breach

by Jaikumar Vijayan

MARCH 09, 2006 (COMPUTERWORLD) - The continued refusal by major credit card associations and financial institutions to identify the source of a data compromise that has resulted in a wave of debit card fraud worldwide is fueling concerns about the scope of the problem.
It is also shining a spotlight on what may be growing attempts by criminal gangs to try to compromise PIN-based card transactions, which have until now been considered extremely secure, analysts said.

The immediate furor was ignited earlier this week by Citibank, which acknowledged that it had put transaction holds on an unspecified number of Citi-branded MasterCard debit cards after detecting fraudulent cash withdrawals in Canada, Russia and the U.K. (see "Citibank probes ATM withdrawals, cites potential U.S. 'retailer breaches'").

In a brief statement, Citibank said that the fraud was the result of a “third-party business information breach” that took place last year. To protect its customers, the company said it “blocked PIN-based transactions in those locations for the customers affected by the breach." A spokesman for the company, however, refused to name the third-party retailer involved in the breach.

Citibank’s disclosure made it the latest in a fast growing list of financial institutions that during the past several weeks have reissued thousands of debit cards or blocked access to certain transactions in countries where ATM cards were used fraudulently to withdraw cash and make purchases on U.S. accounts.

The list includes banks such as Bank of America Corp., Wells Fargo Bank and Washington Mutual Bank, as well as numerous credit unions around the country. One example is $13 billion North Carolina State Employees Credit Union in Raleigh, N.C., which over the past two weeks has reissued more than 27,500 debit cards after being told by Visa U.S.A. Inc. of a security breach involving a U.S. retailer.

According to Leigh Brady, senior vice president at the credit union, many of the compromised debit cards were being used fraudulently in several countries, including Romania, Russia, Spain and the U.K. "This is the largest [card reissue] we've had in quite a while," Brady said.

In an advisory this week, analyst firm Gartner Inc. said the combined bank actions “reflect the largest PIN theft to date and point to a new wave of 'PIN block' card fraud."

Avivah Litan, author of the Gartner report, said that PIN-based fraud schemes involve hackers somehow gaining access to the encrypted PIN data that is sent along with card numbers to the processors that execute PIN debit transactions. The thieves also steal the terminal keys used to encrypt the PINs; those keys are typically stored on a retailer's terminal controllers, she said. The encrypted PIN information, together with the key for decrypting it and the card numbers, allows criminals to make counterfeit cards, she said.
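Litan's two descriptions above (PIN blocks stolen together with the key that decrypts them, and terminal keys kept on the retailer's controllers) reduce to one mechanical fact: an encrypted PIN block is only as secret as its key, and the block format ties the PIN to a PAN the thieves already hold in the track data. The Go program below is an added illustration, not code from either article or from any company named in them. It assumes the ISO 9564-1 format 0 PIN block and triple-DES under a 16-byte terminal PIN key, the usual arrangement for PIN debit but not something the articles specify; the PAN, PIN, track 2 string and key are constructed test values, and every function name is the example's own.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample data (not from the article): a Luhn-valid test PAN in an
// ISO 7813 track 2 string, a PIN, and an arbitrary 16-byte terminal PIN key.
// A real key stays inside the PIN pad; the article's point is that this one did not.
const (
	SamplePIN    = "1234"
	SampleTrack2 = ";4111111111111111=0912101?"
)

var SampleTerminalKey = []byte("terminal-pin-key") // 16 bytes = K1 K2

// PANFromTrack2 reads the PAN from ';' PAN '=' YYMM service-code discretionary '?'.
func PANFromTrack2(track2 string) (string, error) {
	s := strings.TrimPrefix(track2, ";")
	i := strings.IndexByte(s, '=')
	if i < 1 || i > 19 || strings.Trim(s[:i], "0123456789") != "" {
		return "", errors.New("track 2: no all-digit PAN before the field separator")
	}
	return s[:i], nil
}

// panField is the ISO 9564-1 format 0 PAN field: "0000" followed by the
// rightmost 12 PAN digits, excluding the Luhn check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, errors.New("PAN too short for a format 0 PIN block")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// ClearPINBlock is the format 0 block the PIN pad builds before encrypting it:
// PIN field (0, PIN length, PIN digits, F padding) XOR PAN field.
func ClearPINBlock(pin, pan string) ([]byte, error) {
	pf, err := panField(pan)
	if err != nil || len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("need a PAN of 13 or more digits and a PIN of 4 to 12 digits")
	}
	// The PIN field is valid hex by construction (digits plus F padding), so no error.
	block, _ := hex.DecodeString(fmt.Sprintf("0%X%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin))))
	for i := range block {
		block[i] ^= pf[i]
	}
	return block, nil
}

// tdes takes a 16-byte (K1 K2, applied as K1 K2 K1) or 24-byte key.
func tdes(key []byte) (cipher.Block, error) {
	if len(key) == 16 {
		key = append(append([]byte{}, key...), key[:8]...)
	}
	return des.NewTripleDESCipher(key) // rejects any other length
}

// EncryptPINBlock is the PIN pad's side: one 8-byte block, TDES under the
// terminal key, sent to the processor alongside the track data.
func EncryptPINBlock(pin, pan string, key []byte) ([]byte, error) {
	block, err := ClearPINBlock(pin, pan)
	if err != nil {
		return nil, err
	}
	c, err := tdes(key)
	if err != nil {
		return nil, err
	}
	c.Encrypt(block, block) // in place; cipher.Block permits dst == src
	return block, nil
}

// RecoverPIN is the thieves' side, from stolen data alone: PAN off the stripe,
// decrypt with the stolen key, XOR the PAN field back off, read the PIN. The
// format checks also tell an attacker whether the key they hold is the right one.
func RecoverPIN(track2 string, enc, key []byte) (string, error) {
	pan, err := PANFromTrack2(track2)
	if err != nil {
		return "", err
	}
	pf, err := panField(pan)
	c, cerr := tdes(key)
	if err != nil || cerr != nil || len(enc) != 8 {
		return "", errors.New("need a 13+ digit PAN, a valid TDES key and an 8-byte PIN block")
	}
	clear := make([]byte, 8)
	c.Decrypt(clear, enc)
	for i := range clear {
		clear[i] ^= pf[i]
	}
	s := strings.ToUpper(hex.EncodeToString(clear))
	n := strings.IndexByte("0123456789ABCDEF", s[1]) // PIN length nibble
	if s[0] != '0' || n < 4 || n > 12 || strings.Trim(s[2:2+n], "0123456789") != "" || strings.Trim(s[2+n:], "F") != "" {
		return "", errors.New("not a format 0 PIN block: wrong key or PAN")
	}
	return s[2 : 2+n], nil
}
```

RecoverPIN is the thieves' whole job once the three pieces are in hand. The format checks at its end (leading zero nibble, PIN length 4 to 12, decimal digits, F padding) are also what lets an attacker confirm that a captured key is the right one, and they are the reason a block encrypted under a key that never leaves the PIN pad is worthless on its own: without the key, decryption yields bytes that almost always fail those checks. The counterfeit card itself needs nothing beyond the track 2 data that was captured alongside the block.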

The widening scope of the fraud has already prompted calls from one congressman for more disclosure and is likely to spur more attention from lawmakers, according to analysts.

In February, Rep. Barney Frank (D-Mass.), the leading Democrat on the House Financial Services Committee, sent a letter to both MasterCard International Inc. and Visa urging the companies to disclose the source or sources of the compromise or take responsibility themselves.

In response to a request for comment on Frank’s letter, Visa said in an e-mailed statement that it understood the need for quickly giving financial institutions the information needed to protect themselves and cardholders from losses in the event of a security breach.

However, “accusing a single source of the compromise before the investigation is complete could be inaccurate and unfair,” the company said. “Similarly, disclosing the name of the compromised entity would become a powerful disincentive for the compromised entity to share time-sensitive information with Visa” going forward, the statement said.

MasterCard did not respond to requests for comment.

According to a source working for a company now helping law enforcement officials investigate the fraud, most evidence suggests that point-of-sale systems at a California store of retailer OfficeMax were somehow involved in the compromise.

“All roads are pointing in that direction,” said the source, who requested anonymity. But it is still not clear exactly how the debit card and PIN information was accessed and by whom, he said, adding that about 200,000 cards may have been compromised.

OfficeMax did not respond to calls for comment, but a company spokesman has been quoted in various other media reports this week as denying any breach at the retailer.

According to Gartner's Litan, OfficeMax officials’ outright denial suggests that the source of the compromise may well be a third-party processor used by the company to process card transactions.

Another company whose name has been mentioned in connection with the debit card fraud wave is wholesaler Sam's Club, a division of Bentonville, Ark.-based Wal-Mart Stores Inc.

In December 2005, Sam's Club acknowledged that it was cooperating with credit card associations in investigating reports of fraud involving approximately 600 cards used to purchase gas at its gas stations between Sept. 21 and Dec. 5, 2005. The company on March 3 issued another statement responding to "persistent rumors and false media reports" tying it to the current wave of PIN debit fraud. The company denied that any of its internal systems had been compromised and said that a review of its gas payment systems by its own staff and an outside party revealed no breach.

"If any compromise occurred, it appears to have been limited to the Sam's Club fuel station point-of-sale system" and did not involve PIN-based transactions, the statement said.

The spate of recent breach disclosures suggests a shift in focus by criminals from credit card fraud to PIN-based debit card fraud, said Mike Urban, director of fraud technology operations at Fair Isaac Co., a Minneapolis-based company that is helping investigate the recent incidents.

Though PIN-based ATM and point-of-sale transactions continue to be one of the most secure methods of executing sales, criminals are employing a variety of sophisticated ways to compromise them, he said.

“In general, what we’ve seen over the years is that criminals tend to favor trying to capture PINs at ATMs or point-of-sale devices” using hidden cameras or sometimes “overlays” on the pinpad to capture data, Urban said.

Also employed are so-called "key ghosts," which are attached to the inside of point-of-sale systems to capture card track data and PINs, he said. Other techniques include the use of "card throat" readers that fit over existing ATM card readers and skim card data without interfering with legitimate transactions, Urban said.


Citibank probes US retailer breach

by Jaikumar Vijayan

MARCH 07, 2006 (COMPUTERWORLD) - Citibank has put a transaction block on an unspecified number of Citi-branded MasterCard debit and credit cards used in three countries because of fraudulent automated teller machine (ATM) cash-withdrawal activity, the company said in a statement yesterday.
The statement was issued after Boing Boing, a popular blog, carried a story detailing the problems a Citibank customer had while trying to access his account from Canadian ATMs. The story suggested that the individual may have been the victim of ATM fraud involving Citibank cards in Canada, Russia and the U.K.

Apparently in response to widespread publicity about the blog posting, Citibank issued a brief statement confirming the ATM fraud without disclosing any details. “Recently, we became aware of fraudulent ATM cash withdrawals on Citi-branded MasterCard credit and debit cards used in three countries on customer accounts that had been possibly compromised in previous retailer breaches in the U.S.,” the company said. “To protect customer accounts that were affected, we placed a special transaction block in those three countries on PIN-based transactions.”

The statement went on to add that Citibank is currently reissuing cards to affected customers. “Protecting our customers’ accounts and personal information is one of our highest priorities,” the statement said.

The fact that the fraud involves ATM cash withdrawals using personal identification numbers (PINs) suggests that it may be the result of massive "card-skimming" activity, said Avivah Litan, an analyst at Gartner Inc. in Stamford, Conn.

“What seems to be happening at Citibank is that they are stopping ATM cash withdrawals, which means somebody got their PINs,” Litan said. “There are two general ways you can steal a PIN. One is through card skimming; the other is through phishing.”

Given the apparent scope of the fraud, Litan pointed to card skimming as a likely cause.

Card skimming involves the use of illegal card-reading devices that intercept and record the data stored on the magnetic stripes of credit and debit cards; the data is later used to create counterfeit cards. Such devices, which have long been used to steal card information in places such as restaurants, have been proliferating widely and have made skimming one of the most prevalent forms of credit card fraud these days.

In fact, skimmers were believed to have been behind a massive credit card theft in December involving wholesaler Sam’s Club, a division of Wal-Mart Stores Inc.

In that incident, card skimmers were thought to have used skimming devices at Sam’s Club gas stations to steal debit card information from potentially thousands of consumers. At that time, Sam’s Club acknowledged that a breach had taken place, but did not disclose what exactly transpired saying only that “electronic systems and databases used inside its stores” were not involved.

Litan said it is likely that Citibank’s current ATM fraud problems are related to the Sam’s Club breach.

Wednesday, March 08, 2006

 

'Computer Terrorist' teaches anti-hacking skills

JOHANNESBURG, South Africa (Reuters) -- He can find George Bush senior's social security number and Leonardo DiCaprio's mother's maiden name in under 15 seconds, and led the FBI on a three-year manhunt as he hacked his way into the world's biggest firms.

"Computer terrorist" Kevin Mitnick is one of the world's most famous computer hackers and became a cause celebre after breaking into networks and stealing software at companies including Sun Microsystems and Motorola.

Now Mitnick, from the United States, travels the world teaching companies how to guard against people just like him.

He argues that while sophisticated technology can help keep networks clean from viruses, it is useless if hackers can con a company's employees into handing over passwords by posing, for example, as colleagues.

"Hackers find the hole in the human firewall," Mitnick told an information technology security conference on Wednesday in Johannesburg, South Africa. "What's the biggest hole? It's the illusion of invulnerability."

"Social engineering" -- as hackers call tricking people -- formed the main thrust of his career, in which he penetrated some of the world's most sophisticated systems often by persuading unwitting staff to hand over top-secret information.

Mitnick, now in his early 40s, started hacking phone systems in his teens before moving on to computers, but says he never stole money or caused deliberate damage and hacked just for the thrill of it.

The hobby earned him a place on the FBI's most wanted list and an almost five-year stint in U.S. jail in the 1990s.

On his release he was initially banned from surfing the Web, and has since written two books about hacking and started an IT security consulting firm.

Now the companies he once stole secrets from pay him to hack into their systems and show them how to improve security.

Mitnick said hackers conduct meticulous research into companies and their staff, even swotting up on the hobbies of target employees to better win their trust.

And firms underestimate how easily hackers can get hold of personal information -- like driver's licence numbers, social security numbers and mothers' maiden names -- which are often used by banks or other companies to screen customers.

To prove it at the conference, he found former U.S. President George Bush's social security number, driver's licence number and the maiden name of Hollywood actor DiCaprio's mother within 15 seconds.

"The problem is that it is a good human quality to give people the benefit of the doubt, and unless you've been burned, or you're paranoid, then you will probably trust them," he said.

Companies must guard against smooth-talking hackers by making their staff aware of the risks, developing simple company policies on data protection, and getting the best technology, which will at least "raise the bar" for hackers.

"It's not about being paranoid, but it's about being very aware, and very alert," he said.

Friday, March 03, 2006

 

Deloitte & Touche loses McAfee employee data

Thousands of McAfee employees, both American and Canadian, are at risk this week after unencrypted data about them was lost by an external auditor.

The announcement was made yesterday, although the actual loss occurred December 15th when a Deloitte & Touche employee left an unencrypted backup CD in an airline seat pocket. The CD held personal information about 6,000 former McAfee employees as well as all of the current staff in the US and Canadian regions.

Information that may have been on the disc includes names, Social Security numbers and details on any McAfee stock the individual may have. Credit reporting services have been arranged for those affected, and no reports of the information being used have been received.

This comes after a court decision earlier this week that a financial institution has no duty to encrypt a customer database, even when that database resides on a laptop which could easily be stolen or misplaced.


Keyloggers on the rise

Keylogger use is on the rise, with millions of dollars at stake in stolen money and ties to organized crime.

While the use of keyloggers is nothing new to SecurityFocus readers, their use for illegal activity is continuing to rise. The New York Times has an article discussing the growing trend of keyloggers used by criminals to steal banking information from unwary users. As the news coverage of keyloggers becomes more mainstream, the magnitude of the growing problem becomes more apparent. The article reports that Brazilian police recently broke up a fraud ring that stole $4.7 million USD from 200 different accounts using keyloggers. And earlier this month, Russian authorities broke up a similar ring which had stolen over $1.1 million from personal bank accounts in France.

Keyloggers can be surreptitiously installed in a myriad of ways: through drive-by Web downloads of spyware, hidden within peer-to-peer applications or downloads, bundled inside Trojan horses and other malware, in files shared through IM or e-mail, and more. Most of the time keyloggers are installed without the user's knowledge, and it is believed that no current anti-virus technology will identify 100% of current keylogger threats.

 

Competitive and retaliatory DDoS attacks

Empirical Film, which sells box-set DVDs online, missed nearly two weeks of holiday sales because of a DDoS attack it believes came from an overseas competitor. More than 10,000 Web servers were used in a botnet controlled from Asia, according to Prolexic Technologies, which offers anti-DDoS products.

As many as 1,000 other websites temporarily experienced slower service or were inaccessible because of the attack, says Jeff Posluns, chief information officer at SecuritySage Overdrive, which handles technology for Empirical, including its Web and security services.

At the same time, a U.S.-based drug firm's website was disrupted for 24 hours in what appeared to be an attack from the same source in Asia, says Prolexic.

The large attack was one of 10 observed in recent months by Rackspace Managed Hosting, which hosts the website of the drug company and 9,000 other firms. The FBI is probing the December attacks.

When online payment processor StormPay booted some customers for allegedly operating a Ponzi scheme, it quickly became the target of a virulent DDoS attack that temporarily knocked it offline this month.

About 120,000 machines were used in the attack, which hit websites in the Southeastern USA, as well as major telecom carriers, according to ISDN-Net, an Internet service provider in Tennessee that was affected.

StormPay did not return phone calls. It acknowledged the DDoS attacks in a note to customers on its website earlier this month.


When should companies notify about a breach?

While there appears to be growing industry consensus that security breach notification laws have forced companies to take more responsibility for the data they own, there is little agreement on exactly when companies should be required to notify consumers when a data breach occurs.

Ranged on one side of the debate are those who want alerts for any breach involving the potential exposure of sensitive data. On the other side are those who say that a higher disclosure threshold is needed to avoid overnotification and needless costs.

“We clearly have a responsibility to safeguard customer information,” said Kirk Herath, chief privacy officer and associate general counsel at Nationwide Mutual Insurance Co. in Columbus, Ohio. “If we lose information, it’s our responsibility to inform consumers because that’s the only way they can protect themselves.”

However, many existing state laws have “hair-triggers” when it comes to disclosure requirements, he said. “I really think the standard for disclosure should be a clear risk of danger or harm to the consumer.”

But others argue that allowing companies to decide when to disclose a breach is unworkable.

“Breaches should not be tied to the potential criminal use of the information,” said Christopher Pierson, a lawyer with Lewis & Rocca LLP in Phoenix. “I find it highly unlikely that IT professionals, company officials or lawyers would be able to examine the intent of a criminal that has yet to be identified.”

The debate comes at a time when there are growing calls for a national breach disclosure law that would preempt a patchwork of laws in more than 40 states that are already in place or proposed. Many of those state laws specify different triggers for notifications and set varying requirements on what must be disclosed, to whom and when.

California, for instance, uses an “acquisition standard” that requires companies to notify consumers each time their data has been acquired by an unauthorized person. Other states, including Delaware, Arkansas and Florida, require companies to notify consumers of breaches only if the companies believe there’s a reasonable risk of harm. Some states exempt companies that encrypt their data from disclosures; others don’t.

Despite the compliance headaches caused by such disparities, the laws appear to be forcing companies to pay more attention to how they handle confidential data, said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc.

“The good news with these laws is that security incidents are more public and more visible -- and that’s really motivating companies to do a better job of protecting data,” said Kirk Nahra, a board member of the International Association of Privacy Professionals, a York, Maine-based association of IT security and privacy workers.

But while there’s value in telling consumers about security breaches that pose a real risk of identity theft or fraud, little is gained by overnotification, said Nahra, who is also a partner at Wiley Rein & Fielding LLP, a Washington-based law firm. “There are some laws that if you read them would require notice in ridiculous situations.”

The random theft or loss of a laptop or tape containing confidential data, for instance, is likely to pose less of a risk than a more targeted attack against a system containing terabytes of customer data, Herath said. So applying the same disclosure standards in both cases may not be appropriate, he said.

Similarly, requiring even companies that encrypt their data to disclose breaches, as some states mandate, is overkill, according to Herath.

Paul Rubin, a former director at the Federal Trade Commission and a professor of economics and law at Emory University in Atlanta, argued that a more targeted notification standard is required because only about 2% of breach victims actually become victims of fraud and ID theft. In the vast majority of cases, there’s no evidence to show that breached information is being misused, he said.

With that in mind, indiscriminate disclosures will only worry consumers, who may be induced to place fraud alerts on their accounts or close them entirely, with little real reason for doing so, he said. “I think all that these notices are doing is scaring people.”

They also expose companies to lawsuits from consumers who may not fully understand the true extent of the risk from security breaches, argued an analyst at a financial services firm who requested anonymity. “I personally believe that giving as much notice as possible is good behavior. But this is a litigious society we live in.”

That may be true, said Arshad Noor, CEO of StrongAuth Inc. a compliance management firm in Sunnyvale, Calif. But allowing breached companies to make judgments on whether data might be misused will never work in favor of consumers “because the statute of limitations on thieves using stolen data does not expire,” he said. “For more than four decades, IT organizations have operated in the shadows. Now for the first time, they’re being forced to shine the spotlight on their deficiencies.”

Thursday, March 02, 2006

 

Vendor waited six weeks to notify Ohio officials of data breach

The Ohio state attorney general’s office is investigating the terms of a contract between the state Department of Administrative Services and a New Jersey-based prescription drug benefits provider after a laptop computer containing the unencrypted Social Security numbers and birth dates of about 4,300 state workers and 300 of their dependents was stolen in late December.

The theft wasn’t reported to the state until last month.

Ben Piscitelli, a spokesman for the Ohio Department of Administrative Services (DAS), said the laptop was stolen Dec. 28 from the home of an employee of Medco Health Solutions Inc., which handles prescription drug benefits for state employees. Medco officials waited until Feb. 8 to inform the state about the theft.

“We told them that delay was unacceptable,” Piscitelli said. Officials of the Franklin Lakes, N.J.-based company met with state DAS officials on Feb. 16 and agreed to provide free credit- and fraud-monitoring services to the affected workers for one year to help them watch their credit records for potential illegal activity, he said. The DAS announced the incident and its aftermath in a statement last week.

The DAS has also asked Attorney General Jim Petro to review the two-year, $4 million drug benefits management contract DAS has with Medco through July 2007.

Kim Norris, a spokeswoman for the attorney general’s office, said the contract is being reviewed for any violations that may have occurred in terms of data security. “If they promised to protect the information in a certain manner, those are the kinds of issues we’ll look at,” she said. “We’re working on that right now.”

If related violations of specific agreements are found, the state could sue Medco, Norris said.

Piscitelli said the Medco employee had possession of a laptop computer owned by Medco that contained the prescription benefits membership numbers -- which are the same as employee Social Security numbers -- of the state employees and dependents. Birth dates and details about the drugs the patients were taking were also in the data records. But the data, which is from 2003 and 2004, did not include names or addresses of the affected persons.

The Medco employee was using the data for a routine audit of the prescription benefits records of the patients, Piscitelli said.

“Our concern is that the state can’t gamble” with such data losses, he said. “We hope that this was just a theft, that someone was interested in the laptop and not the information on it.”

The agency has received no reports of identity theft or credit fraud from any of the persons affected by the incident, Piscitelli said.

Soraya Balzac, a Medco spokeswoman, today confirmed that the data on the laptop was not encrypted but said that the laptop itself required a password for user log-on. The company has since changed its procedures and is now encrypting such data for state workers, she said. “Whether this specific incident prompted that, I couldn’t confirm that,” Balzac said. “We have moved to [encryption] in transit since then.”

Balzac said the Medco worker had permission to have the data and the laptop off-site, but she would not describe where the laptop was when it was stolen. The six-week delay in notifying the state of the theft was necessary because the incident was under investigation by local police in New Jersey and a complete log of the stolen data had to be created so it could be reported, she said.

“It did take time,” Balzac said. “Medco takes this extremely seriously.”

Balzac said the company is reviewing its response procedures for the future. “You’re as efficient as the lessons learned in the last scenario,” she said.


Legislation won't end data breaches, says former FTC member

As one of the five commissioners on the Federal Trade Commission between 1997 and 2005, Orson Swindle was involved in the launch of the agency’s National Do Not Call Registry and participated in policy deliberations about information security and privacy. He was also involved in efforts to revise the Organization for Economic Cooperation and Development’s Information Security Guidelines in 2002 and 2003.

Now the senior policy adviser and chairman at the Center for Information Policy Leadership -- a privacy think tank whose members include The Procter & Gamble Co., Eli Lilly & Co. and Microsoft Corp. -- Swindle talked with Computerworld about some of the privacy challenges facing corporate America.


What’s driving the privacy agenda these days? In the past year, we’ve heard about some hundred-plus disclosed security breaches, about hacking, lost laptops, lost files, disclosures of account numbers and even computers falling off the back of delivery trucks. Each one of these represents a potential disclosure of very sensitive information. The reports we’ve read very likely exaggerated the nature of the harm done in some cases. But that’s not to say we don’t have a problem. We darn sure do have one. And this inadequate protection of sensitive data is just unacceptable. We have got to collectively do a much better job at it. And I say ‘we’ collectively because it’s going to take everyone, including consumers. There’s no security initiative, there’s no new law, there’s no new technology that’s going to solve this problem altogether.

What does this mean for businesses? The biggest concern for business is just being aware that if you handle information, you’ve got an obligation to protect it. The Federal Trade Commission with a couple of decisions last year plainly stated that. Those two cases specifically involved BJ’s Wholesale Club and DSW Inc. Both of the cases were brought against companies not for a promise not kept but for simply being in the business of collecting and using information that is sensitive and not taking sufficient precautions to protect that information. The important thing to note with these two cases is that BJ’s Wholesale and DSW were not [regulated entities such as] medical institutions; they were not financial institutions. But what they encountered was a de facto extension of the Gramm-Leach-Bliley requirement under the unfair and deceptive practices aspect of the FTC Act Section 5. In other words, what the FTC said to those two firms is that your conduct in not protecting this information is unfair in that you didn’t do what you ought to have done.

Do you see the FTC being more proactive in taking action against companies, even if no actual breach may have taken place? This, in effect, has already happened. There are a couple of cases on record. It would be impossible for me to say which ones they are. But there is at least one case where the FTC, again under Section 5, brought a case against a company -- not for a breach but for making a promise of having certain safeguards that really weren’t there. They were making a promise of things they couldn’t keep because they didn’t have the mechanisms in place to provide that kind of security.

ChoicePoint was fined $15 million by the FTC recently. What sort of precedent does that set? That case is quite a bit different from BJ’s Wholesale and DSW. In the ChoicePoint case, there were lots of things that were violated there -- in particular, the Fair Credit Reporting Act. That carries with it monetary penalties that can be substantial and, in this case, obviously were. If nothing else, it certainly should be getting people’s attention. Talk about a two-by-four between the eyes getting your attention.

What impact are all of these breaches having? Let’s talk about the individual first. We know that millions of people have had their information exposed, bank accounts depleted and have had to go through the trauma of getting their credit ratings squared away. Then there’s the firm that failed to provide adequate security through negligence or inadequate measures. They suffer a number of losses. Ask ChoicePoint how much it cost them not having it done adequately. There’s the loss of reputation, brand denigration, the [impact on] stock prices. Then there’s the peripheral things that become awful big. The lawsuits and the litigation costs become enormous. It’s causing consumers to lose confidence in using the medium of information technology. That may be the biggest loss of all.

How is all of this steering the privacy debate in Congress? There’s the emotional hue and cry of all of this affecting members of Congress and members of state legislatures to ‘do something.’ Unfortunately, we will see some onerous legislation that might allow some political figure to declare victory and walk away. But it will not be a victory, unfortunately. Legislation alone is not going to solve this problem.

So, what do companies need to be doing differently? We think of information and protecting it as protecting our stuff. Our corporate secrets, the Coca-Cola formula and things like that. But today, information security is about protecting all that other stuff. It’s the information we use. We gather it, we store it, we manipulate it, we use it, we sell it, we transfer it. All those things are points of vulnerability that the company that owns the information is responsible for. To do this right, businesses have to start thinking more holistically about how they manage, how they function, how they use their processes. You know right now, I hear it frequently [when I'm] talking to CIOs and chief privacy officers and the majority of them lament they are just third tier in their organizations and they are viewed as overhead, nobody pays attention to them and so forth. Well, it’s time for management, the CEOs, the senior VPs [to see] that information is the lifeblood of their organizations.

Is a national privacy law a good thing to have, considering the patchwork of state laws that companies have to currently deal with? Well, you know sometimes a good thing to have is the least worst of all the other alternatives. Right now, I think there are 23 state laws concerning security breaches. I think there are another 19 or 20 states well along the path. I think it’s just one of those situations that begs for some national standard. When you have this many laws, what you really get is a de facto national standard that happens to be the most onerous of all those laws.

Will privacy concerns push the industry to an opt-in standard? I don’t know. I’ve been leery of opt-in notices. [A company’s] opt-out policy might tell you that we are XYZ credit card company and that we collect this information and here’s how we use it and here’s how we share it with affiliates and if you don’t want us to do this, tell us. The last I heard about how many people opt out, it certainly was in the single-digit percentages. It’s very low compared to the gazillion people who get these notices. Suppose that was opt-in and the company says, “If you want us to continue to do this, please let us know,” and the response was, say, 50%. We’d still lose 50% of the members moving their information around. Think about what that would do to the economy, how disruptive it would be. It just seems that opt-in, while in some cases [it is] definitely appropriate, just making everything opt-in might create more harm than good. We have to be rational about what we do and above all we've got to avoid legislating in response to emotional reactions.

Four lose jobs after data breach at Oregon Health Care Facility

One employee was fired and three others resigned in connection with the theft in late December of backup computer tapes and disks containing personal information and medical records on about 365,000 hospice and home health care patients from a parked car in Portland, Ore.

In an announcement late last week, Providence Home Services, a division of Seattle-based Providence Health System, said the four workers left the company after “a confidential and thorough internal review process of the data storage procedures that led to the theft.” A Providence spokesman confirmed that three of the workers resigned, while one was fired. The spokesman could not confirm the job titles of the workers, but said that all four had jobs related to the data-theft incident.

The theft took place Dec. 31, when a Providence Home Services IT department worker took backup tapes and disks home in his car as part of the home health care division’s backup protocol. The disks and tapes were stolen after they were left in the employee’s car overnight (see “Update: Thief nabs backup data on 365,000 patients”). The division has since discontinued that backup procedure and brought in more traditional means of protecting data.

Some of the data on the tapes was password-protected at the application level, while the rest of the data was stored in proprietary file formats without password protection. After the incident, the company decided to make all of its data more secure by using additional technologies, including encryption.

Providence notified all affected patients by mail about the theft. The information on the disks and tapes included names, addresses, dates of birth, physicians’ names, insurance data, diagnoses, prescriptions and some lab results. For approximately 250,000 of the patients, Social Security numbers were on the records, according to the company. Some of the records also included patient financial information.

Providence said it has received no verified reports that the stolen data has been used illegally.

The health care group has also reached a deal with security vendor Kroll Inc. to provide Kroll’s ID TheftSmart credit monitoring and restoration services for free to those affected by the theft. ID TheftSmart allows individuals to continuously monitor their credit files, investigates potential identity theft cases and can help identity theft victims restore their identity if data theft occurs.

Starting next week, affected patients will get a letter from Kroll detailing how to sign up for the program.

“We think this will help address the concerns of our patients and their families and help put their minds at ease,” Rick Cagen, CEO of Providence Health System’s Portland Service Area, said in a statement. “We have heard from patients that the process to notify the credit agencies can be difficult, and we appreciate the time they have spent as a result of the theft.”

The data theft incident is under investigation by the Oregon attorney general’s office. A spokesman for the attorney general’s office could not be reached for comment.

UCI Psychiatrist Bilked by Nigerian E-Mails

By William Lobdell, Times Staff Writer

A renowned psychiatrist from UC Irvine was duped into squandering at least $1.3 million of his family's fortune on a Nigerian Internet scam, according to a lawsuit recently filed by his son.

The son, also an Orange County doctor, said his father — Dr. Louis A. Gottschalk — gave as much as $3 million over a 10-year period in response to an Internet plea that promised the doctor a generous cut of a huge sum of cash trapped in African bank accounts in exchange for money advances.

The court documents, filed last month in Orange County Superior Court, allege Gottschalk even traveled to Africa to meet a shadowy figure known as "The General."

Gottschalk — who at 89 still works at the UCI campus medical plaza that bears his name — said in court papers that the losses were caused by "some bad investments."

Guy Gottschalk is asking a judge to remove his father as administrator of the $8-million family partnership that was set up for tax purposes after the death of his mother in 1993. A hearing is set for March 14.

The suit alleges that Louis Gottschalk destroyed bank records to cover up the amount of his losses.

"While it seems unlikely, even ludicrous, that a highly educated doctor like [Gottschalk] would fall prey to such an obvious con, that is exactly what happened," wrote Guy Gottschalk's attorney in court papers.

Louis Gottschalk and his attorney declined to comment, but they accuse Guy Gottschalk in court documents of carrying out an unspecified "vendetta" against his father. The son lost an earlier court effort to have a conservator oversee the family partnership.

Fred W. Anderson, a Santa Ana lawyer who represents Guy Gottschalk, said neither he nor his client would comment except to say, "This is an unfortunate and sad situation."

In court papers, Guy Gottschalk said his only motive was "to prevent Louis Gottschalk from continuing to be victimized by these devious Nigerian scams."

The Nigerian Internet scam — known in some circles as 419 after the Nigerian statute that outlaws fraud — is a long-running con that preys on people with e-mail accounts. Though there are scores of variations, the con begins with an unsolicited message from Nigeria or another African nation — usually from an alleged government official, banker or businessman who needs to find a way to get millions of dollars out of his country.

If the target of the sting agrees to set up a United States bank account and pay transfer fees and other charges, he's told that he'll get a substantial portion of the money once it is freed up.

Though many of the alleged Nigerian e-mails originate in other countries, Nigerian government officials said more than $700 million relating to 419 crimes had been seized in the last two years. Twelve people have been convicted in connection with the scam during that time, officials said.

While Nigerian solicitation e-mails are ubiquitous in cyberspace, the number of people in the United States who fall for the con is small, according to National White Collar Crime Center figures.

In 2005, 290 cases involving the Nigerian scam made up only 0.3% of the total complaints of Internet fraud lodged with the government. The median reported loss was $5,000.

But John Kane, research manager for the National White Collar Crime Center, said people blinded by greed continue to wire their money overseas.

"Although this scam has been around for years," he said, "you continue to see some people who forget the adage, 'If it's too good to be true, it probably is,' and fall prey to a get-rich-quick mentality."

Anthony Pratkanis, a UC Santa Cruz scholar and author of "Weapons of Fraud," said his studies show that cyberspace scam artists are adept at exploiting a victim's weakness, whether it's diminished mental capacity, greed or compassion.

"Then there's a line that gets crossed when they send in the money and then they're caught in a rationalization trap," Pratkanis said. "One way to convince yourself the scam is for real is to send more money, ironically enough."

In the Gottschalk case, both the amount of the alleged losses and the reputation of the victim set it apart.

According to Guy Gottschalk's account contained in court papers, his father began responding to the solicitations from Nigeria in 1995. A year later, Louis Gottschalk traveled to Africa to meet "The General" and other Nigerians "to show them that he was sincere so he would get the money." Another court document said he also traveled to Amsterdam to meet the Nigerians.

Soon afterward, his son said Gottschalk admitted to him that he had lost $300,000 and that FBI agents concluded that he had been a victim of an Internet scam.

Several family members said that Louis Gottschalk promised to never again give money to Internet solicitors.

According to Louis Gottschalk's declaration, he had lost about $900,000 in "bad investments" by 1999. "I now realize that I was taken advantage of," he said.

But his son said his father kept clandestinely wiring money to the Nigerians at least until last fall.

Guy Gottschalk said that when he confronted his father in October, Louis Gottschalk said, "Don't worry, everything will be all right on Thursday because I will be getting $20 million."

The son said his father also told him he'd get the money this time because these were "different Nigerians."

A few days later, a judge rejected Guy Gottschalk's attempt to put a conservator over the family partnership. His father was evaluated by a court-appointed investigator and determined to be competent, legal documents show.

Gottschalk's attorneys argue that the lawsuit is unnecessary because the family partnership agreement allows for him to be removed by a majority vote of the limited partners.

In a deposition, Guy Gottschalk said the person who held the swing vote refused to take sides. It's unclear how many voting members there are.
