Thursday, May 31, 2007


SEC relaxes portions of SOX Section 404

Jim Carr May 30 2007 15:36
The U.S. Securities and Exchange Commission (SEC) has passed new interpretive guidelines that relax portions of Section 404 of The Sarbanes-Oxley Act of 2002.


The new rules, which apply to businesses with a market value of less than $75 million, focus on areas more prone to fraud while lowering the costs of SOX compliance for many businesses.

Section 404 of the SOX law requires publicly traded companies to continually reassess their internal controls, including technology tools that monitor access to financial systems to guarantee that external auditors can deliver accurate financial reports to investors.

The new guidelines should take some of SOX’s burden from the shoulders of businesses, SEC Chairman Christopher Cox said in a news release.

"Congress never intended that the 404 process should become inflexible, burdensome and wasteful. The objective of Section 404 is to provide meaningful disclosure to investors about the effectiveness of a company’s internal controls systems without creating unnecessary compliance burdens or wasting shareholder resources," he said. "With the commission’s new interpretive guidance for management on the evaluation and assessment of its internal controls over financial reporting, companies of all sizes will be able to scale and tailor their evaluation procedures according to the facts and circumstances. And investors will benefit from reduced compliance costs."

While SOX has been the source of much griping since its passage five years ago, the new guidelines are good news for IT personnel, said Patrick Taylor, CEO and founder of Oversight, a vendor of intrusion-detection software. For instance, they no longer must document the regular updating of their anti-virus protection, he said.

"It's a long shot that a failure in an anti-virus system will lead to a fraudulent financial report," he said. "So, now it doesn't need to be a part of a SOX regime."

Small companies benefit most from the new guidelines, said Taylor.

"They will not have to do some of the more bureaucratic things, and many haven't even started," he said. "Every software and hardware vendor for SOX compliance has an angle 'critical' to SOX, and a lot of those stories will come off the plate," he said.


Phishing scam targets Better Business Bureau

Jim Carr May 30 2007 17:13
For the second time this year, the Better Business Bureau (BBB) is at the center of a spam campaign. The spoofed emails, claiming to be about complaints made to the BBB by unhappy customers, attempt to entice recipients into downloading malware that can collect personal information from unwary consumers.


The spam email, which appears to be from the BBB, contains a Microsoft Word attachment. Although the email claims the attachment contains additional information about the alleged complaint to the BBB, it is a trojan downloader that installs a keylogger on the recipient’s PC.

In this scam, the spoofed email's subject line refers to a "complaint case number," according to Websense. The message body says, "You have received a complaint in regards to your business services. The complaint was filled by Mr. Mark Williams on 5/21/2007. Instructions on how to resolve this complaint as well as a copy of the original complaint are attached to this email."

Once opened, the attachment downloads the trojan and the keylogger, which can steal personal information such as bank, PayPal or eBay login information as well as all interactive data sent to every site the recipient visits, and sends the data to an IP address in Malaysia.

"The BBB ensures that despite the alarming amount of spoof emails that have been received, BBB database information has not been compromised," the organization said on its website. "The BBB is currently working with the Electronic Crimes Task Force to track down the spoofers."

Although phishers continually change their tactics, the spoofed sender addresses seen so far include complaints@bbb.org, compl-srv@bbb.org, complains-serv@bbb.org, consumercomplaints@bbb.org, and operations@bbb.org.

"This could be the work of the highly sophisticated loosely organized crime groups who basically wake up every morning trying to think of new creative ways to scam American consumers," said Avivah Litan, a vice president and research director in Gartner Research. "They could very well be the same folks that launch highly technical attacks against retailers, like TJX.

"In our last consumer survey, we spotted a trend in which the scammers are using less conventional methods for phishing attacks that do not use well-known brands like banks, brokerages or PayPal," added Litan. "This is due to the fact that the large known brands spend considerable resources identifying phishing sites and taking them down before they can do much damage."


Friday, May 25, 2007


After myriad data breaches, feds to cut use of Social Security numbers

Dan Kaplan May 24 2007 17:19
Amid an avalanche of federal data breaches, agencies have been ordered to eliminate the unnecessary collection of personal information, including Social Security numbers.


Clay Johnson, deputy director of the Office of Management and Budget, issued the new mandates on Wednesday in a memo that also required agencies to develop training programs and breach notification policies.

"Safeguarding personally identifiable information in the possession of government and preventing its breach are essential to ensure that government retains the trust of the American public," Johnson wrote in the memo.

Asking agencies to be proactive, the memo ordered them to store the minimum number of personal records and to devise a plan to end the unnecessary use of Social Security numbers. That plan must be developed within four months and acted on within 18 months thereafter.

The memo comes almost a year to the day after thieves stole the laptop of a Department of Veterans Affairs employee, which contained the personal information of roughly 26.5 million veterans and current military personnel.

Since then, data exposures have affected a number of federal agencies. Most recently, the Transportation Security Administration announced an external hard drive containing the sensitive data of about 100,000 employees was either lost or stolen.

In April, federal agencies scored an average information security grade of C-minus under the Federal Information Security Management Act, a slight improvement from the prior year.

Allan Paller, director of research for the SANS Institute, told SCMagazine.com that he applauds the initiative but eliminating the use of personal information is only one piece of the information security puzzle.

He said the federal government should employ the Payment Card Industry (PCI) audit guide when examining the security posture of an agency. Paller said PCI metrics contain more validity and reliability than the FISMA audit guide when trying to determine how well an agency can defend itself against an attack.

The 22-page memo from OMB also required agencies to institute a data breach-notification policy within four months, using existing FISMA guidelines and other privacy legislation built on National Institute of Standards and Technology (NIST) standards.

The memo also outlined training requirements for federal employees, including remote workers.


Hackers exploit unpatched flaw, disabled firewall to access personal info of 45,000 University of Colorado students

Dan Kaplan May 23 2007 19:04
A disabled firewall and an unapplied patch allowed hackers to infiltrate a server at the University of Colorado, Boulder, exposing the personal information of nearly 45,000 students, the university said Tuesday.


Attackers exploited a Symantec Norton AntiVirus vulnerability to launch a worm into the server of the College of Arts and Sciences’ Academic Advising Center, the university said in a statement. The suspects made off with the names and Social Security numbers of 44,998 students enrolled at the college since 2002. The university discovered the attack on May 12.

"The server’s security settings were not properly configured and its sensitive data had not been fully protected," Bobby Schnabel, the school’s vice provost for technology, said in the statement. "Through a combination of human and technical errors, these personal data were exposed, although we have no evidence that they were extracted."

Schnabel told SCMagazine.com today that he blamed the event on the fact that the compromised server was overseen by a smaller IT staff "with more general sets of responsibilities" than the university's central IT department.

"Sometimes you don’t get the attention to security you get in a big, central organization," he said.

IT officials believe the attackers were not trying to steal sensitive information, but instead to gain control of the machine for use in a botnet. Had the firewall been enabled, the worm would have been stopped, Schnabel told SC.

Chandler Hall, vice president of marketing and a co-founder of network security firm Arxceo, told SCMagazine.com today that the college should have had a network-layered defense to stop both signature-based and zero-day attacks.

"I think bottom line — there’s always going to be a human factor," he said. "I would never point a finger at a large LAN environment and say that it was poor practice."

As a result of the incident, the college is ordering the IT operations at the Arts and Sciences Advising Center to come under the control of the central IT department at the university, Schnabel said.

In addition, the college has instituted a plan to stop using Social Security numbers as identifiers, according to the statement.

Technology-wise, the university plans to implement new host-based intrusion detection (HIDS) software, which monitors systems for suspicious activity. Last fall, the school deployed a "restrictive network firewall" that has helped cut down on vulnerabilities.

The university also conducts a security awareness program, in addition to conducting regular risk assessments.

Symantec, in an email statement sent to SCMagazine Wednesday night, said it was reaching out to the university to get more information on the incident. The company recommends regularly applying vendor patches as a way to protect against system threats.

I-SPY Act passes House, but anti-spyware legislation faces tough hurdle in Senate

Frank Washkuch Jr. May 23 2007 17:42
The Internet Spyware Prevention Act of 2007 was approved by the U.S. House of Representatives this week, but the bill still faces a significant test in the prospect of Senate affirmation.


Also known as the I-SPY Act, the bill would make it illegal to access a PC without authorization or to exceed authorized access by copying software or code to further another criminal act, impair security procedures or steal the personal or financial information of another end-user.

The bill was sponsored by Rep. Zoe Lofgren, D-Calif., who introduced the legislation on March 14. It was co-sponsored by Virginia Republicans J. Randy Forbes and Bob Goodlatte, as well as Reps. Sheila Jackson-Lee, D-Texas, Linda T. Sanchez, D-Calif., and Lamar Smith, R-Texas.

Approved by the House Judiciary Committee on May 1, the bill follows anti-spyware legislation from 2004 and 2005 that was never acted upon by the Senate. Other legislation, called the Spy Act, has been approved by the House Energy and Commerce Committee, but has not seen a vote by the full House.

David McGuire, spokesman for the Center for Democracy and Technology, told SCMagazine.com today that his organization supports the bill but would like to see increased attention paid to penalties for spyware distribution.

"A real focus with anti-spyware legislation should be on the enforcement side, because enforcement has improved a great deal over the past couple of years, and the FTC [Federal Trade Commission] has been very aggressive in tracking [spyware distributors] down," he said.

Rob Haralson, spokesman for StopBadware.org, told SCMagazine.com today that the bill is more focused on the criminal aspects of spyware than other legislation.

"It’s a good thing that this focuses solely on the criminal provisions that were included," he said. "There’s never going to be one magic bill that will kill spyware. It takes a multi-level approach."

Lost Alcatel-Lucent disk holds personal info of undisclosed number of employees, retirees

Frank Washkuch Jr. May 21 2007 17:02
Telecommunications service provider Alcatel-Lucent has sent notifications to employees and retirees about a May 3 data breach.


The company said it was informed by a third-party vendor on May 7 that a disk containing the personal information of an unknown number of current and former employees had been lost or stolen.

Data on the disk included names, addresses, Social Security numbers, birth dates and salary data of Lucent employees and their dependents.

In a statement posted Thursday on its website, the company revealed that credit card, bank or password information was not included on the missing disk.

Alcatel-Lucent reported that the disk was either lost or stolen between April 5 and May 3 after being prepared by Hewitt Associates for delivery by UPS to another vendor, Aon Corporation.

The Murray Hill, N.J.-based firm said it had received no indication that the personal information has been misused, but informed state and local authorities and the U.S. Secret Service about the incident.

The company will also provide affected individuals with a year of identity theft protection and credit monitoring.

Affected personnel can also call 1-866-795-8756 for more information on the incident.

Alcatel-Lucent spokeswoman Mary Ward told SCMagazine.com today that the firm is not disclosing the number of affected employees for security reasons. A Friday report in the Newark Star-Ledger said the number could be as high as 200,000.

In a statement, Alcatel-Lucent apologized for the data loss.

"We recognize that we have a responsibility to carefully protect this type of information and deeply regret this loss," said Frank D’Amelio, Alcatel-Lucent chief administrative officer. "We are taking steps to try to prevent this from happening in the future. In the meantime, we will provide information and assistance to our employees and retirees to help them minimize any potential risk this incident could create for them."

Bill Bartow, vice president of product management at Tizor, told SCMagazine.com today that corporations should ensure that outside vendors have acceptable data protection policies in place.

"First you have to have good, solid data security policies within your company, and then you have to extend it to other parties, including outsourcers. Then you have to ensure that they follow that policy," he said. "Certainly you can audit your business partners to ensure that they have best practices in place for data protection. One of the first things many people do is to classify their data and realize that there are certain types of data that should be treated differently."

Los Alamos beefs up security in wake of data breach

Jim Carr May 22 2007 19:39
The theft of classified information by a contractor's former employee has forced the Los Alamos National Laboratory to implement a variety of tactical and strategic security policies commonly found in a private enterprise.


The lab has disabled all ports, including USB ports, on classified computers — some via physically gluing the port shut, others with locking devices or software — and has begun encrypting personal information on laptop hard drives.

Meanwhile, Jessica Lynn Quintana pleaded guilty in U.S. District Court in Albuquerque, N.M., last week. Hired by the northern New Mexico laboratory to archive classified information, Quintana faces up to one year in jail, five years of probation and a $100,000 fine.

Quintana admitted in her plea that when she was working in a secure area at the lab on July 27, 2006, she printed pages of classified documents and downloaded other classified data onto a USB drive, then carried the data home in a backpack, according to the U.S. Department of Justice. The government didn't say why she took the information.

In addition to disabling USB ports and encrypting laptop hard drives, the lab has "significantly reduced risks in both cyber- and physical security [by] reducing and consolidating classified holdings" since the theft, according to a lab spokeswoman reached by SCMagazine.com, and who requested anonymity. "All of our classified systems have been inspected and found to be compliant, and we have reduced the number of standalone classified systems by 28 percent."

The lab also began construction on what it calls "a super vault-type room, the first of its kind," according to the spokeswoman. The vault, or data center, will allow the lab to "consolidate and uniformly control classified information managed by security professionals. By constructing additional super vault-type rooms, we'll reduce the number of classified vaults to an absolute minimum."

In addition, the lab has instituted searches "of all belongings carried by those escorted both in and out of the vaults."

In the area of policy and social engineering, the lab has "uniformly trained our information systems security officers, our ISSOs, and is hiring senior ISSOs in all key organizations to provide consistency across the laboratory," according to the spokeswoman.

Congressmen want explanation on possible nuclear power plant cybersecurity incident

Jim Carr May 21 2007 21:05
Two Democratic congressmen want to know whether America's nuclear power plants are at risk of a cyberattack.


U.S. Rep. Bennie G. Thompson, D-Miss., chairman of the House Committee on Homeland Security, and Rep. James R. Langevin, D-R.I., chairman of the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, have asked Dale E. Klein, chairman of the U.S. Nuclear Regulatory Commission (NRC), to investigate the nation's nuclear cybersecurity infrastructure.

They said a cybersecurity "incident" resembling a DoS attack on Aug. 19, 2006 left the Browns Ferry Unit 3 nuclear power facility in northern Alabama at risk.

According to a letter from Thompson and Langevin, Browns Ferry personnel said "excessive traffic" led to the loss of the plant's water recirculating pumps.

The plant's licensee, the Tennessee Valley Authority (TVA), notified the NRC of the incident on Aug. 26 of last year. The TVA said it took "corrective actions," such as installing a firewall on the plant's network.

"In accord with current regulations," Thompson and Langevin wrote, "NRC staff decided against investigating the failure as a ‘cybersecurity incident’ because the failing system was a 'non-safety' system rather than a 'safety' system. Also, it was determined by the licensee that the incident did not involve an external cyberattack on the system."

The congressmen later wrote, "We have deep reservations about the NRC's hesitation to conduct a special investigation into this incident."

The letter from Thompson and Langevin, dated May 18, asked that Klein institute comprehensive cybersecurity policies and procedures on safety and non-safety systems for U.S. nuclear power plant licensees.

"Conversations between the Homeland Security Committee staff and NRC representatives suggest that it is possible that this incident could have come from outside the plant. Unless and until the cause of the excessive network load can be explained, there is no way for either the licensee or the NRC to know that this was not an external [DDoS] attack," the congressmen wrote. "Without a thorough, independent review of the logs and associated data, the assumption that this incident is not an outside attack is unjustifiable."

Thompson and Langevin's letter also asked the commission whether it has determined the source of what they called the "data storm," and whether it is planning an investigation. They also asked the NRC to submit a written response to their letter by June 14.


Saturday, May 19, 2007

Federal ID theft task force recommends national breach identification law, tougher standards

Dan Kaplan Apr 24 2007 15:11
A White House-sanctioned commission on identity theft backed the creation of a national breach notification law this week.


The President’s Identity Theft Task Force on Monday unveiled an ambitious blueprint to curtail the nation’s fastest growing crime.

The task force, co-chaired by Federal Trade Commission (FTC) Chairwoman Deborah Platt Majoras and U.S. Attorney General Alberto Gonzales, announced ideas that will help criminal prosecutions, educate consumers and limit the possibility of data theft.

The recommendations include:

· Reducing the unnecessary use by federal agencies of Social Security numbers as identifiers;

· Creating new standards, such as a national breach notification law;

· Establishing a security awareness campaign to educate consumers and employees on ID theft;

· Founding a national ID theft law enforcement center so authorities can coordinate during investigations.

The task force also proposed harsher penalties for identity thieves and tougher laws, such as making ID theft a crime, even if information is not stolen through "interstate communications."

"Identity theft is a blight on America’s privacy and security landscape," Majoras said in an FTC statement. "Identity thieves steal consumers’ time, money and security, just as sure as they steal their identifying information."

According to Gartner, 15 million Americans fell victim to identity theft-related fraud from mid-2005 to mid-2006. The average loss jumped from $1,408 to $3,257 during that time.

The Business Software Alliance, a trade group representing the world’s leading software makers, today praised the recommendations, calling them a "critical step in the federal government’s role to protect consumers from identity theft."

Particularly, the BSA said, it supported legislation that would update current laws and increase resources for law enforcement.

Phishing scheme dupes bank customers into forwarding phone calls

Frank Washkuch Jr. Apr 27 2007 18:41
A phishing scheme attempted this week to capture both victims' personal information and their phone calls, according to researchers at SecureWorks.


The scam email asked recipients to verify their phone number with their bank, but the number they were asked to dial set up call forwarding of their line to a foreign number. The email threatened to suspend the account if the number wasn't verified.

In the scheme captured by SecureWorks, the calls were forwarded to a line in Germany.

If the recipient is duped, the scammer gains access to all incoming phone calls until the victim realizes phone service has been suspended. The scammers can also call victims to say the account information has been "verified."

Don Jackson, SecureWorks researcher, told SCMagazine.com today that the scam was, so far, unique.

"This is the first time (phishers) actually requested call forwarding. I’ve seen other phone-phishing schemes, but nothing to actually forward phone calls," he said. "The bank that was the victim of this, they said they were going to call people personally to verify accounts. On some of the phishing forums, there was a challenge to see if someone could develop a way to counter that, and I think this is a response to that."

The scam emails also contained a fill-in section where victims were urged to type their personal information, including Social Security, bank account and credit card numbers.

If the customer cooperates, the scam artist has all the information he or she needs to carry out fraudulent purchases, according to SecureWorks, as well as to verify them over the phone.

The phishing email also contained security advice and password and username tips for increased security – just like many authentic bank pages, said Jackson.

"The page looks very convincing because it pulls the template from the targeted bank," he said.

Past phishing schemes have urged users to call a compromised phone number and leave account information, but without a call-forwarding technique.

A scam unearthed by Sophos last year found emails urging recipients to call a phone number and type in a 16-digit card number.

Personal information of 160,000 Neiman Marcus employees breached

Frank Washkuch Jr. Apr 25 2007 19:12
The latest retailer to suffer a data breach: Neiman Marcus.


A third-party consultant discovered on April 5 that computer equipment containing the personal information of 160,000 current and former employees had been stolen, according to an announcement from the Dallas-based parent chain Neiman Marcus Group.

A smorgasbord of personal information is available on the stolen hardware, including names, addresses, Social Security numbers, dates of birth, periods of employment, salary information and some pension information, according to statements from Neiman Marcus.

The information may have been unencrypted, and could be used in phishing schemes, according to company officials.

The employee information was current as of Aug. 30, 2005, according to a company news release, and includes data describing employees of Neiman Marcus Stores, Neiman Marcus Direct, Bergdorf Goodman, Horchow, Horchow Finale, Last Call, Chef’s Catalog and Contempo Casuals.

Chairman and CEO Burt Tansky noted in a letter to employees that the company has no indication that the personal information has been accessed.

Local law enforcement has been notified of the incident, according to Tansky, who urged affected employees to closely monitor their credit.

The company is offering affected employees a year's worth of Equifax credit monitoring service.

"Like you, the Neiman Marcus group takes this matter very seriously," he said. "We are presently reviewing the facts and circumstances leading to this potential loss of privacy of your information, and if appropriate, will take steps to enhance security protocols regarding the handling of our employees’ information by third-party vendors. We will do everything we can to prevent a recurrence."

Ginger Reeder, a Neiman Marcus spokeswoman, told SCMagazine.com today that the company is assuming the third party did not encrypt the data, despite Neiman Marcus policy to encrypt and password protect all data.

Tansky also warned employees that they may be targeted by phishing scams.

"Please note that people falsely identifying themselves as Neiman Marcus Group representatives could contact you and offer ‘assistance,’" he said. "I urge you not to release personal information in response to contacts of this nature."

Melissa Ngo, staff counsel at the Electronic Privacy Information Center, told SCMagazine.com today that firms must ensure protection of customer and employee information, even in the hands of third-party firms.

"It’s basically the same as it’s always been. When the data isn’t protected, there is no internal control for the information, or for the third parties who have the information. This is your data, and no matter who you give it to, you’re still supposed to protect it," she said. "Another problem is that some people keep saying that there shouldn’t be breach notifications because breaches have become so common. But if it’s my information, I want to know what happened and if I’m at risk."

Paul Stephens, policy analyst for the Privacy Rights Clearinghouse, told SCMagazine.com today that companies must go beyond policy, and train employees to properly encrypt data in accordance with those policies.

"There are two issues here: There are corporate policies, and there is compliance with corporate policies. Some companies have good intentions, but they don’t train their employees to work in compliance with the policies," he said. "And this is a point we keep raising to the media, that there needs to be awareness of the proper encryption of data."

Banks file suit against TJX over breach costs

Dan Kaplan Apr 25 2007 17:22
Three state banking associations announced Tuesday that they have filed a joint lawsuit against TJX Companies over "dramatic costs" their 300 members have incurred since the discount retailer announced that hackers infiltrated its processing systems, exposing some 45 million credit card numbers.


The Massachusetts Bankers Association (MBA), the Maine Association of Community Banks, and the Connecticut Bankers Association are co-plaintiffs in the lawsuit against Framingham, Mass.-based TJX.

The company, which operates about 2,500 stores including Marshalls and T.J. Maxx outlets, revealed late last month that hackers stole 45.7 million pieces of data when they illegally accessed TJX databases during 2005 and 2006.

Merchant banks have been forced to cover replacement cards — up to $25 each — as well as any costs associated with fraudulent purchases, the MBA said in a statement. The organization has previously said the stolen data was used for purchases in Florida, Georgia, Louisiana, Hong Kong and Sweden.

"Cases of fraud due to the TJX breach have been reported all over the world," the statement said. "At the time that the MBA is filing this lawsuit, banks throughout New England continue to receive lists of ‘hot' cards that have been exposed in the TJX data breach, more than three months after TJX first disclosed the problem."

Daniel Forte, president and CEO of the MBA, said the three banking associations are seeking the recovery of "tens of millions of dollars" in damages.

The lawsuit could have merit if TJX acted with negligence, Forrester vice president and research director Jonathan Penn told SCMagazine.com today.

"That's the burden they're going to face in this suit," he said.

Andy Serwin, a San Diego lawyer specializing in data privacy and security, told SCMagazine.com that in his experience, many lawsuits similar to this one get tossed out in court. He said it is difficult for plaintiffs to make a case because many of the laws governing electronic privacy allegations have yet to be fully understood.

"The states are all over the place," he said. "You're applying old law to situations that were never anticipated. Where the line is going to get drawn ultimately, it's not that clear yet."

He said some states will let retailers off the hook if a criminal act caused the data exposure.

"Ultimately, we're going to see new insurance products out there to deal with risk," Serwin said.

A legal debate such as this may soon be unnecessary in Massachusetts. State lawmakers have proposed a bill that makes retailers responsible for data losses.

A TJX spokesperson could not immediately be reached for comment.

Hackers, laptop thieves compromise personal information of 17,500 at Ohio State in separate incidents

Frank Washkuch Jr. Apr 18 2007 18:39
Two separate incidents — both resulting in data breaches — have left the personal information of 17,500 Ohio State University students, faculty members and staff compromised.


On March 31 or April 1, an attacker connecting from an overseas internet address got through a university firewall and accessed the names, Social Security numbers, employee ID numbers and birth dates of more than 14,000 current and former staff members, according to a university statement.

The university sent letters to affected personnel, who were offered a year of free credit protection.

Of the victims, nearly 7,000 are current staff members, while more than 7,100 are former university employees.

The university, on discovering the breach on April 2, blocked access to the exposed database and informed state and federal law enforcement authorities.

University spokesman Jim Lynch told SCMagazine.com today that experts from Cybertrust have been hired to investigate the hacking.

In an unrelated incident, the personal information of about 3,500 current and former chemistry students was compromised when two laptop computers were stolen from the home of a university professor on Feb. 24.

The laptops were likely not the target of the burglary, and were stolen with a number of other household items, according to Lynch.

Records stored in the laptops contained names, Social Security numbers and grades, according to the university.

Lynch said the laptops were probably taken by thieves who were neither interested in nor aware of the personal information on them. He was unsure whether the data was encrypted.

Ennio Carboni, director of product management at Ipswitch, told SCMagazine.com today that college students are an alluring target for attackers because their credit is often flawless.

"I think it’s very tactical by the hackers. We’re talking about a university with thousands and thousands of Social Security numbers with not a lot of established credit, so they can get those and other information to open up lines of credit," he said. "When hackers steal information from a large population of adults, it can be good credit and it can be bad credit. With college students, it’s fresh; they haven’t defaulted on home loans or anything like that."

Ohio State is the latest in a growing line of educational institutions to suffer a data breach.

Late last month, hackers compromised a server to access the personal information of 46,000 students, faculty members and staff of the University of California, San Francisco.

Its sister school, the University of California, Los Angeles, discovered in December of last year that a hacker had been exploiting an undetected security hole in a school database for more than a year. The network contained the personal information of 800,000 people, including current and former students, faculty, staff and applicants.

Last month, Texas A&M University alerted nearly 100,000 network users to change passwords after hackers attempted to access university accounts.

Ohio University sent out more than 300,000 notices in May 2006 after a server breach.

The University of Arizona and the University of Texas at Austin are other high-profile college breach victims.


Disk with personal information of 2.9 million Georgia residents lost while in possession of breach-prone Affiliated Computer Services
Ericka Chickowski Apr 10 2007 22:11
Georgia health officials reported today that a vendor working with the Georgia Department of Community Health is missing a disk containing the names, birth dates and Social Security numbers of 2.9 million Georgia health services recipients.


The breach was initially reported by the vendor, Affiliated Computer Services, which is contracted to maintain health care claims for the state. The company said that the CD was lost in transit between Georgia and Maryland.

Affiliated Computer Services has suffered a number of breaches over the past year. In August 2006, the vendor exposed the records of more than 32,000 student loan recipients held by the U.S. Department of Education when it botched a routine software upgrade for the agency, leaving the records publicly accessible on the department's website.

And in November 2006, more than 1.4 million health care recipients in the state of Colorado were left exposed to ID theft when a company laptop was stolen from an employee of the state's Department of Human Services.

According to Paul Stephens, policy analyst for the Privacy Rights Clearinghouse, the loss of the Georgia CD emphasizes the need for encryption technology to protect data when it does go missing.

"Things do get lost," said Stephens. "I think the key here is that the data on the CD, presumably, was not encrypted. That is the real issue."

While many corporations have a financial motivation to protect data through encryption, government organizations may need more regulatory oversight to protect valuable information handled by agencies and their vendors.

"I think with respect to government data, I think you are going to find that at some level there may be a requirement for encryption of data that is contained on storage media that can be lost," Stephens said.


Report: TJX breach began in Minnesota Marshalls parking lot
Dan Kaplan May 4 2007 17:00
The suspects who lifted the personal data of 45.7 million customers from TJX's processing systems hatched their elaborate plan some two years ago at a Marshalls outlet in Minnesota, where they used simple technology to tap into the store's wireless connection, The Wall Street Journal reported today.


According to the story, citing investigators, the intruders, from the parking lot, used a "telescope-shaped antenna" and a laptop to decode data that was moving among the Marshalls store’s scanning devices, cash registers and PCs, which were using wireless LAN connectivity.

What the intruders either learned or physically planted that day helped them later hack into TJX’s main database, where they quietly pilfered data for two years and ended up executing the largest data breach in the nation’s history.

Investigators told the newspaper that the St. Paul, Minn. Marshalls location was running a wireless network protected by the weak Wired Equivalent Privacy (WEP) encryption standard, which has since been superseded by the more robust Wi-Fi Protected Access (WPA).

TJX operates more than 2,000 discount retailers, including hundreds of Marshalls.

Gartner Vice President and Senior Fellow John Pescatore told SCMagazine.com today that the replacement standards - required under the Payment Card Industry mandates - are much more secure than WEP, which was "riddled with holes," he said.

"The encryption to keep someone from breaking in was done very poorly in this first generation," he said. "It's no better than (no security at all). This is something I would have thought an audit would've caught."
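Pescatore's remark that WEP is "no better than no security at all" has a concrete cryptographic basis the article does not spell out. WEP seeds RC4 with a 24-bit initialization vector, sent in the clear, prepended to the shared key, so on a busy network an IV repeats within minutes, and two frames encrypted under the same IV share one keystream. The Python below is an added example, not code from the article, the Journal's report or TJX: it shows how an eavesdropper with two same-IV frames and the plaintext of one (register traffic is highly predictable) recovers the other frame's plaintext without ever learning the key. The key, IV and register messages are constructed for illustration, and WEP's CRC-32 integrity check is left out.

```python
import math

# Added example, not the article's or TJX's code.  Demonstrates WEP's
# keystream-reuse weakness; all keys and frames below are constructed.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + generator).  WEP seeds it with IV || key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear, then RC4(IV || key) XOR data.
    The CRC-32 ICV that real WEP appends is omitted here."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + xor(plaintext, keystream)

def recover_with_known_plaintext(frame_known: bytes, known_plaintext: bytes,
                                 frame_target: bytes) -> bytes:
    """Given two frames sharing an IV and the plaintext of the first, the
    eavesdropper derives the keystream (C XOR P) and decrypts the second.
    No key material is needed; only the captured frames."""
    iv_k, ct_k = frame_known[:3], frame_known[3:]
    iv_t, ct_t = frame_target[:3], frame_target[3:]
    if iv_k != iv_t:
        raise ValueError("IVs differ, so the keystreams are unrelated")
    keystream = xor(ct_k, known_plaintext)
    return xor(ct_t, keystream)      # shorter than ct_t => partial recovery

def expected_frames_before_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound on random IVs: about sqrt(pi/2 * 2^24), roughly 5,100
    frames.  A store network sending hundreds of frames a second gets there
    in well under a minute; sequential IV counters wrap in a few hours."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)

if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"              # constructed 40-bit WEP key
    iv = b"\xaa\xbb\xcc"                       # constructed IV
    p_known = b"REGISTER 07 PRICE LOOKUP SKU 8675309 OK"   # predictable frame
    p_secret = b"CARD=4111111111111111 EXP=0709"           # frame we want
    f_known = wep_encrypt(key, iv, p_known)
    f_secret = wep_encrypt(key, iv, p_secret)
    print("recovered:", recover_with_known_plaintext(f_known, p_known, f_secret))
    print("frames before an IV repeats (random IVs):",
          round(expected_frames_before_iv_repeat()))
```

Keystream reuse is only one of WEP's defects; the attack that recovers the shared key itself exploits RC4's key scheduling with the IV-prefixed key (the related-key weakness that the widely used cracking tools of the period implemented) and is not shown here. WPA replaced the per-frame key construction and the linear CRC integrity check precisely to close these holes.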

The antenna the newspaper described is a common tool for picking up a wireless signal from a distance, Pescatore said.

He said he has heard of people creating antennae out of Pringles potato chip cans - and several websites offer instructions on how to do so. Then, he said, "all it takes is a laptop with Windows XP and it tells you what access points it can hear. It doesn't take any special equipment."

The hackers may have planted some malware on the network that day to help them later access the central database, or they may have stolen certain data that allowed them to later intrude, Pescatore said.

"The basic issue is if you connect to an access point that puts you on the network, it's just as good as if you broke into their data center and sat down on a PC," Pescatore said. "You're on their network."

The incident highlights the need for business executives to understand the value of information assets, Wain Kellum, president and CEO of Atlanta-based Trusted Network Technologies, told SCMagazine.com today.

He said that in many cases "fairly low-level network engineers" create wireless policies without any understanding of risk or financial impact to the organization if there is a breach.

"Management people are now starting to get aware that they have to participate in the dialogue," Kellum said.

A TJX spokeswoman could not be reached for comment today.

Since the breach, the Federal Trade Commission has launched an investigation, and three New England banking associations filed a lawsuit seeking to recoup costs associated with fraudulent purchases.

However, TJX has reported no negative effect on sales, which rose during the first quarter of this year.


Davis reintroduces federal breach-reporting act to House
Dan Kaplan May 3 2007 23:17
Rep. Tom Davis, R.-Va., today reintroduced the Federal Agency Data Breach Protection Act, which would require that victims of federal data breaches be notified in a timely manner and that agencies have practices and standards in place to do so.


The bill was originally introduced on Sept. 26, 2006 in the previous session of Congress, but the Senate never acted on it.

The legislation was devised following the theft last year of the Department of Veterans Affairs laptop, which contained the personal information of some 26 million veterans.

Tim Bennett, the newly appointed president of the Cyber Security Industry Alliance, said in a statement today that he was pleased the bill was reintroduced and that he hopes this will clear the way for a national breach notification law.

Such a goal seems inevitable.

Meanwhile, two national breach alert bills were approved by the Senate Judiciary Committee, although they differ in what threshold would require reporting to authorities and customers.

The Personal Data Privacy and Security Act of 2007 requires companies to report if the lost or stolen data posed "significant" risk to customers, while the Notification of Risk to Personal Data Act of 2007, introduced by Sen. Dianne Feinstein, D-Calif., names "reasonable risk" of harm as the threshold, according to a report in the Washington Post.

The former bill, sponsored by Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., and Sen. Arlen Specter, R-Pa., also requires data brokers to inform the public about what information they have on file about them – and then let these individuals correct any mistakes.


Anti-phishing, financial groups to hold e-crime summit this month
Fiona Raisbeck May 3 2007 16:24
The Anti-Phishing Working Group (APWG) announced today that it will join representatives from the financial services and law enforcement communities to host the Counter eCrime Operations Summit later this month.


The web crime conference will take place May 30 and 31 at the State Bar of California in San Francisco and will be co-hosted by the APWG, the American Bankers Association and the Financial Services Technology Consortium.

Other partners include the U.K.'s Association for Payment Clearing Services (APACS), the FBI’s Infragard group and the Financial Services Information Sharing and Analysis Center.

The APWG agenda includes cybercrime, crimeware mutations and protecting e-commerce against online threats and phishing attacks.


New York State settles with breach notification law violator
Dan Kaplan Apr 30 2007 21:49
A claims management company that violated New York's breach notification law by taking seven weeks to report a missing laptop containing the personal information of more than half a million injured workers has settled with the state.


Under the agreement, Chicago-based CS STARS, contracted to manage the personal data of some 540,000 injured workers receiving compensation from the New York Special Funds Conservation Committee, has been ordered to comply with the state’s Information Security Breach and Notification Law.

In addition, the company agreed to implement new data security solutions and will pay the state $60,000 in fines related to the cost of the investigation.

According to a statement released late last week by Attorney General Andrew Cuomo, a CS STARS employee noticed the laptop missing on May 9, 2006, but the company did not report the incident to the state until June 29.

The FBI, which was also notified, requested notifications not be immediately sent due to an ongoing investigation, the statement said. Letters notifying victims were sent on July 18.

A week later, the FBI determined the laptop was stolen by a cleaning contractor and that the private data was not accessed.

Still, the company should have reported the incident "immediately following discovery," as prescribed under law, the statement said.

"This company had sufficient cause to believe that the private information contained in the missing computer had been acquired by a person without valid authorization," Cuomo said. "Had the sensitive personal information fallen into the hands of criminals with the intent of identity theft, there would have been ample time to victimize hundreds of thousands of customers."

A CS STARS representative was not immediately available to comment.

But company spokesman Al Modugno told SCMagazine.com last year that the employee responsible for the laptop never notified senior management about the incident. Once officials were notified, however, they immediately "took the necessary steps to address the matter."


Union discovers sensitive documents in Chase bank garbage, posts findings on YouTube
Dan Kaplan May 1 2007 16:26
A new YouTube video shows a group of union protesters scouring through trash outside several Chase bank branches in New York, discovering documents with customer information that could be used for identity theft.


Members of the Service Employees International Union, which is said to be protesting the low wages of Chase bank security guards, are recorded searching plastic trash bags and finding a number of documents, including bank statements, loan applications and transaction reports, that contain sensitive data such as Social Security numbers.

The "dumpster divers" blurred out the confidential data on the YouTube clip, which has received more than 5,000 views since being posted on Monday.

"We're going through the trash here to make sure they properly dispose of their customer information," one of the protesters said on the video.

The incident emphasizes the need for financial institutions to not only invest in technology, but also to ensure employees are complying with policies, Avivah Litan, a Gartner analyst, told SCMagazine.com today. She said Chase has led the pack in online banking security but appears to have made a major mistake here.

"That's amazing that in this day and age, they would allow these kinds of documents to go into the garbage," Litan said. "That's really a bad slip-up."

Tom Kelly, a Chase spokesman, told SCMagazine.com today the bank is waiting for the union to report which customers were identified in the documents, at which time the bank will send notices to the victims. He expected the number of affected individuals to be in the dozens, or hundreds at most; all will be offered a free year of credit monitoring.

Kelly said he has no reason to believe any of the data will be misused.

He said established protocols call for such documents to be locked in bins, then shredded.

All New York branch managers were told on Monday to revisit their security policies to ensure this does not happen again, he said.

Gartner reported in March that about 15 million Americans were victimized by identity theft fraud during a 12-month period ending in the middle of 2006. Litan said paper document theft, such as dumpster diving, is responsible for a majority of new account fraud and check forgery.

Companies must do a better job at information lifecycle management, ensuring data is protected from creation to destruction, Jared Pfost, vice president of product management for biometric authentication provider BioPassword, told SCMagazine.com.

"Identity theft can come at any stage in that lifecycle, whether (the data) is in electronic or physical format," he said.

Kelly said he was upset the union posted its findings on the internet instead of first notifying Chase. A union spokesman could not be reached for comment today.


TSA loses hard drive with personal information of 100,000 employees
Dan Kaplan May 7 2007 18:05
The Transportation Security Administration (TSA) said today that it is investigating a missing external hard drive containing sensitive information of about 100,000 employees.


The hard drive, discovered missing from a controlled area at the federal agency on Thursday, contained the names, Social Security numbers, birth dates, bank account and routing data and payroll information of employees who worked for the agency between January 2002 and August 2005, TSA administrator Kip Hawley said in a notification letter to victims. Authorities are unsure whether the data was lost or stolen.

Hawley apologized to employees whose identity was exposed, but said the TSA has no reason to believe any of the information has been misused. Still, the agency promised to provide affected individuals with one year of free credit monitoring service.

"We are notifying you out of an abundance of caution at this early stage of the investigation given the significance of the information contained on the device," Hawley said. "We apologize that your information may be subject to unauthorized access, and I deeply regret this incident."

The FBI and U.S. Secret Service have opened criminal investigations, according to a separate statement.

The TSA said it has comprehensive data security policies in place and violators face "swift disciplinary action," including firing.

This is the second time in less than a year that the agency responsible for securing the nation’s airports was involved in a data breach.

Last September, a contractor accidentally mailed about 1,200 documents containing Social Security numbers of former TSA employees to incorrect addresses.

"It’s kind of ironic that the government agency charged with maintaining the security of our nation’s transportation system can’t manage the security of its own employees’ files," said Paul Stephens, policy analyst at the nonprofit Privacy Rights Clearinghouse. "It’s a matter of having the proper protocols in place and enforcing them. A lot of times the protocols exist, and you don’t have the compliance. Typically, the failure is employee compliance."

The latest incident occurred just days after Rep. Tom Davis, R.-Va., reintroduced a bill that would require federal agencies who suffered a data breach to promptly notify victims, and have proper policies in place.


Hackers steal 22,000 Social Security numbers from University of Missouri database
Dan Kaplan May 9 2007 17:05
The University of Missouri is the latest university to fall victim to cybercrime, after hackers breached a database and lifted more than 20,000 Social Security numbers (SSNs).


The attackers, using IP addresses from China and Australia, stole 22,396 SSNs belonging to people who worked in the university system in 2004 and were also current or former students.

The university has campuses in Columbia, Kansas City, Rolla and St. Louis.

The school's IT security personnel first noticed suspicious activity on a computer help-desk application on Thursday, and by Friday morning they had identified a large number of failed queries against that application and its associated database, according to a university statement.

Soon after, technicians disabled the account used by the two malicious IP addresses, but by then hackers had already made off with the sensitive data. They retrieved the information "through a webpage used to make queries about the status of trouble reports" to the IT help desk on the Columbia campus, according to the university statement.

"The hacker was able to reach the information by making thousands of queries over a span of hours, allowing the identities to be exposed one at a time," according to the statement.
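The pattern the statement describes, one record per request, thousands of requests over hours and a high proportion of failed lookups, is visible in ordinary web server logs long before 22,000 records are gone. The Python below is an added example, not code from the University of Missouri, SC Magazine or Tizor: it parses constructed common-log-format lines for a hypothetical /helpdesk/status?ticket=N page and flags a client that walks the identifier space. The endpoint name, IP addresses, timestamps and thresholds are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Added example, not the university's code.  Detects identifier enumeration
# against a lookup page from access-log lines; all sample traffic below is
# constructed, and the /helpdesk/status?ticket=N endpoint is hypothetical.

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?:\d+|-)$'
)
TICKET_RE = re.compile(r'[?&]ticket=(\d+)')

def parse_line(line):
    """Return (ip, timestamp, ticket_id, status), or None if the line is not
    a well-formed request for the lookup page."""
    m = LINE_RE.match(line)
    if not m:
        return None
    t = TICKET_RE.search(m["path"])
    if not t:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(t.group(1)), int(m["status"])

def max_in_window(times, window):
    """Largest number of requests that fall inside any span of length `window`
    (two-pointer sweep over timestamps sorted ascending)."""
    best = lo = 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def find_enumerators(lines, window=timedelta(hours=1), min_burst=50,
                     min_step_ratio=0.8, min_error_ratio=0.2):
    """Map each suspicious source IP to the reasons it was flagged.  Volume
    alone is not enough: the client must also show a probing pattern, either
    sequential identifiers or an unusual share of failed lookups."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_ip[rec[0]].append(rec[1:])
    findings = {}
    for ip, recs in per_ip.items():
        recs.sort()
        times = [r[0] for r in recs]
        ids = [r[1] for r in recs]
        errors = sum(1 for r in recs if r[2] >= 400)
        burst = max_in_window(times, window)
        if burst < min_burst:
            continue                      # a handful of lookups is normal use
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        step_ratio = steps / max(len(ids) - 1, 1)
        reasons = [f"{burst} lookups within {window}"]
        if step_ratio >= min_step_ratio:
            reasons.append(f"{step_ratio:.0%} of requests advance the id by 1")
        if errors / len(recs) >= min_error_ratio:
            reasons.append(f"{errors}/{len(recs)} lookups returned errors")
        if len(reasons) > 1:
            findings[ip] = reasons
    return findings

def _fmt(ip, ts, ticket, status):
    """Render one constructed common-log-format line."""
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"GET /helpdesk/status?ticket={ticket} HTTP/1.1" {status} 512')

def build_sample_log():
    """Constructed traffic: one ordinary user checking two tickets, and one
    client stepping through ids two seconds apart with ~40% misses."""
    t0 = datetime(2007, 5, 3, 22, 14, 0, tzinfo=timezone(timedelta(hours=-5)))
    lines = [_fmt("192.0.2.10", t0 + timedelta(minutes=5 * k), tid, 200)
             for k, tid in enumerate((40213, 40213, 40990))]
    for n in range(120):
        status = 404 if n % 5 in (1, 3) else 200
        lines.append(_fmt("203.0.113.5", t0 + timedelta(seconds=2 * n),
                          10000 + n, status))
    return lines

if __name__ == "__main__":
    for ip, why in find_enumerators(build_sample_log()).items():
        print(ip, "->", "; ".join(why))
```

The same sweep works on database query logs, which is where Larson's "cameras in the vault" argument below points: a help-desk page that answers one lookup at a time should never need to touch thousands of distinct rows for one client in an hour, and either the web tier or the database tier can alert on that and cut the session off while the exposure is still in the hundreds.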

School spokesman Scott Charton told SCMagazine.com today that the intruders accessed the data in a report that "probably should have been expunged but was not." It did not, however, contain any financial information, and there is no evidence that any of the data has been misused.

The university has already answered 1,800 calls and 400 emails from victims, and it plans to send out 13,000 notification letters via regular mail today, Charton said.

Ironically, SC Magazine recently spoke with Becky Thurmond Fowler, systems security analyst of IT at the University of Missouri in Columbia, for a story about the SANS Institute’s new push to educate application developers on security.

Fowler coordinates a college initiative called SafeWeb, which seeks to raise campus awareness about the need to implement security in applications.

Reached today, she deferred questions about the hacking incident to Charton.

David Larson, director of product management at Maynard, Mass.-based data security firm Tizor Systems, told SCMagazine.com today that universities should deploy software that monitors back-end databases in real time.

"You're like a bank," he said. "You should view your data like a vault. And there is no vault that doesn't have cameras in it."

This is the latest in a series of computer intrusions affecting major universities. Ohio State, University of California, Los Angeles, and Texas A&M have lost hundreds of thousands of records to hackers in recent months.

Experts have said colleges are frequent targets of hackers because some schools employ sub-par security, while other industry professionals think cybercrooks prefer stealing identity information about students, who likely have better credit than older Americans.


Federal cybercrime bill introduced in House
Dan Kaplan May 15 2007 18:13
Two congressmen on Monday introduced a bipartisan cybersecurity bill that proponents say will modernize regulations while providing law enforcement with more resources to investigate and prosecute criminals.


Reps. Adam Schiff, D-Calif., and Steve Chabot, R-Ohio, introduced the Cyber Security Enhancement Act, which would update the criminal code to cover newer attacks, such as botnets and other forms of electronic data theft. The revisions would make it easier for authorities to catch offenders who use modern technology to launch their attacks, according to a statement from Chabot's office.

In addition, the legislation would increase penalties for offenders while offering additional funding and tools for investigators and prosecutors, according to the statement, which did not specify what resources would be made available.

"Cybercrime is a lucrative operation for high-tech criminals that can bring severe hardship and financial loss to victims," Chabot said. "We must modernize our laws to better protect consumers and business owners from cybercriminals who hijack computers to steal personal information or disrupt critical business functions."

The security vendor community praised the legislation as a step in the right direction.

"It really puts the spotlight on the criminal, (instead of) the victim," Shannon Kellogg, director of information security policy at EMC, told SCMagazine.com today. "We're talking about 21st century crimes, so we need 21st century laws. I think we need to look at the legal code every several years."

Robert Holleyman, president and CEO of the Business Software Alliance, told SCMagazine.com today that he was pleased to see the bill supported by both sides of the aisle.

"It's a strong bipartisan bill at a time when there's a partisan angle (in Congress)," said Holleyman, whose organization represents 24 major hardware and software companies, including Symantec, McAfee and EMC. "It's great to see these sorts of gems that rise to the surface, where there is broad agreement from the interested leaders in both parties to try to act."

Kellogg said the bill shows lawmakers are taking IT security seriously.

"This, combined with the fact that you have a number of data security and breach bills that are starting to move their way through Congress...I think it's absolutely signaling that Congress is putting more emphasis on these issues," he said, adding that it was also positive to see the legislation introduced after the President's Identity Theft Task Force last month recommended many of the bill's components.


IBM loses tapes with employee personal info
Dan Kaplan May 16 2007 19:00
IBM, which invented magnetic tape storage more than 50 years ago and has since emerged as a leading provider of data encryption, has lost an undisclosed number of backup tapes containing the personal information of employees.


The tapes were "inadvertently" lost Feb. 23 while a third-party vendor was transporting them from an IBM location in Westchester County, N.Y. to a permanent storage facility, company spokesman Fred McNeese told SCMagazine.com today.

He said some of the tapes, depending on what information they were carrying, were encrypted, while others were not. IBM would not reveal how many tapes were lost or how many employees – many of them retirees – were affected, but McNeese said the tapes cannot be accessed on a PC and none of the data has been misused.

"It’s a plural number (of affected people)," McNeese said. "We don’t know if anybody’s got them (the tapes), but if someone’s got them, we don’t want to give them additional information."

IBM began notifying victims in early April, telling them the tapes contained "employment information," such as names, Social Security numbers, birth dates and work history, he said.

IBM is best known in the security space for its $1.3 billion purchase last year of Internet Security Systems, a network security management provider. But IBM also is entrenched in the identity management space with its Tivoli solutions, in addition to its product offerings for mainframe security and tape encryption.

McNeese said that despite IBM’s investment in the security marketplace, all companies responsible for securing private data are susceptible to breaches.

"I think what it shows is the vulnerabilities that information is subject to, and it shows the need for constant vigilance," he said. "We’re taking this seriously. We’re looking at all aspects of this incident."

The company also is planning to review its data transport procedures, but McNeese said the vendor that lost the tapes is still an IBM client.


Virus compromises 200,000 records at Community College of Southern Nevada
Jim Carr May 17 2007 20:50
The personal records of nearly 200,000 students were compromised when a virus attacked a Microsoft Windows 2003 Server at the Community College of Southern Nevada.


The attack, which occurred in February, potentially exposed the personal information — names, Social Security numbers and birth dates — of 197,518 former and current students stored in a Microsoft SQL database, said Rand Key, the North Las Vegas, Nev. school’s executive vice president.

Key said members of the school's IT staff were reconfiguring the network to make it more secure when an unidentified perpetrator found a way into the server via a virus. Four days after the attack, the IT staff pulled the server offline and examined each of the 197,518 files to see whether they had been downloaded, he added.

An investigation by the school and a subsequent forensics examination of the computer by a consultancy, SunGard Availability Services, did "not conclusively determine whether any information had been accessed and/or acquired," Key said.

The school mailed letters to individually notify the affected students, he said. "We also established a web site to provide information on the situation and resources to help prevent identity theft," he said.


The revelation of the attack on the Nevada community college came just two days after the disclosure of a separate data breach at another educational institution. On May 11, a hacker accessed a computer at Goshen College that contained the names, addresses, birth dates, Social Security numbers and phone numbers of 7,300 students, as well as information on some parents; the intruder's suspected motive was to use the system to send spam.


Secunia: Nearly one in three corporate applications missing critical patches
Jim Carr May 17 2007 23:28
Nearly a third of all applications on corporate networks are missing critical security patches and are at risk to security breaches, according to a new report from Secunia.


The Danish provider of vulnerability assessment software pointed the finger at weaknesses in commercial vulnerability-scanning tools as the culprit.

Those products focus on vulnerabilities in network services, weak passwords and open shares in only the 20 to 50 most used applications deployed in corporate environments, the report said.

The typical network environment contains a wide range of applications, including home-grown ones, that the commercial products do not cover and that are therefore left exposed to known vulnerabilities, the report said.

Beta tests of Secunia's new Network Software Inspector by 1,600 IT administrators indicated that 28 percent of the applications on the corporate systems scanned during the beta program were vulnerable to exploits. Secunia has said the new product can detect potential security problems, most notably missing critical security patches, in more than 4,000 applications.

Microsoft products in corporate environments "appear to be updated fairly regularly," due mostly to widespread awareness of the monthly Patch Tuesday round of security fixes from Microsoft, Secunia reported.

The picture is even grimmer on the end-user desktop, the report said. In the five months since its free online desktop scanning tool, Secunia Software Inspector, became available, the company found that 1.4 million of the 4.9 million applications on the end-user PCs it scanned were missing critical security patches from vendors.

An official from the security vendor could not be reached for comment today.

Among the major offending applications: 33 percent of all QuickTime 7 and 27 percent of all Winamp 5 installations are missing important security updates and are vulnerable to exploits, the report said.

On the positive side, Secunia reported that users of the Firefox and Opera browsers remember to keep their software updated more than Internet Explorer users. Only five percent of Firefox 2 and 13 percent of Opera 9.x installations miss security updates; the corresponding numbers for Internet Explorer 6/7 are 10 percent and five percent, respectively.

Jakob Balle, Secunia IT development manager, said on the Secunia Security Watchdog Blog on Wednesday that most end-users seem unaware of the dangers or unwilling to find the time to fix flaws.

"While most people are aware of the need to update their anti-virus patterns and to raise their firewall shields, it appears that too many users either don’t know that their systems are vulnerable to significant issues or that they simply don’t want to spend the necessary time scouring for vulnerability information and the relevant vendor patches to properly address the issues," he said.

Thursday, May 10, 2007

Computer with sensitive Neiman Marcus employee information reported stolen

Pension data about 160,000 individuals could be at risk
By Cara Garretson, Network World, 04/24/07

Neiman Marcus Group of Dallas announced Tuesday computer equipment containing sensitive employee information was stolen earlier this month from a third-party pension benefits plan consultant.

The company, which operates high-end retailers such as Neiman Marcus and Bergdorf Goodman, says it has no reason to believe the data stored on the computer was the target of the theft, or that the information has been misused.

Among the information stored on the stolen equipment are names, addresses, birthdates, Social Security numbers and salary information about 160,000 current and former Neiman Marcus Group employees and individuals participating in the group’s pension plan. The information was current as of August 2005.

Local law enforcement is working with Neiman Marcus’ security group to investigate the theft, officials say. The theft occurred on April 5, according to a company letter, but law enforcement just this week allowed Neiman Marcus to make the theft public, as officials no longer believe doing so would impede the investigation.

The company is contacting individuals whose information may have been stored on the stolen computer, recommending they monitor their credit reports, and will report updates to the situation here.

This latest incident of exposing individuals to identity theft caused by lost or stolen computer equipment follows a number of high-profile examples, including Johns Hopkins University and Johns Hopkins Hospital’s loss of nine back-up tapes containing sensitive information about 135,000 individuals; a laptop stolen from a Boeing employee’s car with sensitive data about 382,000 current and former workers, and the theft of a laptop and storage device from a U.S. Department of Veteran Affairs employee’s home, potentially exposing 26 million active and reserve service members.


FEMA's 'Unfortunate' Privacy Disaster


By Al Kamen
Monday, April 23, 2007; A15



Sometimes when they are not busy dealing with natural disasters, FEMA folks just make up their own. We got this letter the other day from Glenn M. Cannon, assistant administrator in the Disaster Operations Directorate.

"Dear Disaster Generalist," he wrote to about 2,300 people on April 16, "an unfortunate administrative processing error at FEMA . . . has resulted in the printing of Social Security numbers on the outside address labels of Disaster Assistance Employee (DAE) . . . reappointment letters."

The mail distribution center mishandled the letters, he said, creating this "unintentional release of Privacy Act information."

Once it figured out what happened, FEMA sprang into action. Everyone affected will get "identity theft protection for one year free of charge," Cannon said.

But wait! That's not all! "Each affected [employee] will receive a personal telephone call to apologize and explain the actions FEMA will take to minimize the impact," he said. And from now on employees will be given personal identification numbers so the agency won't need to use Social Security numbers.

Employees who've already lost their homes to identity thieves can avail themselves of some fine used and not-used trailers . . . (Okay, we made that up.)


Fraudsters hijack SEB credit cards

Published: 9th May 2007 08:10 CET
Online: http://www.thelocal.se/7245/

Credit and debit card numbers belonging to at least 10,000 SEB customers could have been hijacked by fraudsters, the bank has admitted.

"Other banks are hit by this too," bank spokeswoman Kerstin Ottosson said.



Eurocard announced on Tuesday that 1,000 customers were hit by a similar fraud attempt.

SEB received the first indications that something was amiss about ten days ago. The bank says that hackers broke into a national computer system handling card payments for shops, hotels and other retailers.

Ottosson said that card information should never be stored by payment systems, but said in this case it had been.

"That's a criminal act, pure and simple," she said.

The card numbers allowed the fraudsters to buy goods over the internet and to forge new cards.

"We've seen customers already hit by such thefts. A normal customer can't protect themselves against this. But our customers will not lose out financially," she said.

All SEB customers whose card numbers might have come into the wrong hands will receive a letter from the bank asking them to block the card and order a new one.

TT/The Local (news@thelocal.se/08 656 6518)


Three Million Identities Missing

Susanna Avery | savery@wrbl.com
News 3 On Your Side
Tuesday, May 8, 2007


A computer disc containing the personal information of millions of Georgians is missing. If you were enrolled in Medicaid or PeachCare for Kids between June 2002 and June of 2006, then you could be a victim.

The CD has been missing for a month, but many of the 2.9 million Georgians are just now finding out. Even if your personal information isn't on the missing CD, we're on your side, with reminders on how to lessen your chances of being a victim of identity theft.

"The statistics show that one out of 11 people will be a victim of identity fraud," said Sgt. Karen Gaskins, with the Columbus Police. Ironically, Sgt. Gaskins, the head of the fraud division, has been a victim.? "I got a medical bill from one of our local hospitals, about treatment," said Gaskins.?

However, Sgt. Gaskins never received the treatment. Someone had hacked into her family records.

With millions of people's personal information on the loose, Sgt. Gaskins says it's so important to be proactive instead of reactive. "Really stay on top of your finances. Limit the amount of credit cards you have, even if there's zero balance. Close them. Use maybe one or two," she said.

Also, ask your credit card company for free fraud alerts, every six months. "When they call you and you say I didn't open this account, then that stops the process. If they don't get you on the phone, sometimes they mail you a letter," said Sgt. Gaskins.

Identity theft is on the rise, and sometimes can't be avoided. "If I were to tell someone, if you do these 10 things, it won't happen to you, then I would be telling an untruth," said Sgt. Gaskins.

If you were enrolled in PeachCare or Medicaid from June 2002 to June 2006, you should call 1-877-382-4357.


Inmate May Have Compromised Grantsville Employees' Personal Information

May 8th, 2007 @ 10:15pm
Amanda Butterfield Reporting

Grantsville City employees have been notified that prison inmates may have their personal information. Everyone who has ever worked for the city in the past 45 years has been advised that they may want to close their bank accounts and cancel their credit cards.

Grantsville City contracts out with the prison. About 65 inmates are paid to input former and current employee information in a new format. About three weeks ago, one of those inmates notified the city that all that information had been compromised.



To save Grantsville residents some money, the city contracted out inmates with the Utah State Prison to update their records. "They transcribe our paper, and older records into CDs," Grantsville City Mayor Byron Anderson explains.

The inmates worked with social security numbers, birth dates, addresses, and even bank account numbers. They were paid 40 cents an hour, and Grantsville was pleased. "The cost to do it with them was half than a private industry, and the service, they would come and get our records," the mayor says.

But about three weeks ago, the city got a letter from an inmate. "What it said was our city records had been compromised," the mayor told KSL.



So Grantsville sent out a letter to every one of its employees--over 500 letters, including public officials from as far back as 1960, explaining what happened, with suggestions on what to do if they're a victim of identity theft.

Prison officials shut down the data entry program when they heard what happened and started investigating. Tom Patterson, the executive director of corrections, says, "We are right now temporarily suspending the program…We did not find anything to substantiate the claim of the inmate."

They say the inmate who made the threat lost his privileges with computers and that his threat was likely a hoax. "It's not uncommon for an inmate who was disciplined, to want to retaliate in some sort of way," Patterson says.



But it caused enough of a scare that the prison is reviewing its security measures with the Data Entry program and may cancel it altogether.

That's not what the mayor of Grantsville wants to hear because he still wants to contract with the prison. He says of all 500 letters sent out, not one has come forward as a victim.

Patterson also said no victims have come forward, "We haven't heard any."

The biggest client of the prison for data entry is the Utah Department of Health. Inmates have been working with those records for almost 20 years.


One-at-a-time hacker grabs 22,000 IDs from Univ. of Missouri

Gregg Keizer
May 09, 2007 (Computerworld) A hacker grabbed the Social Security numbers of more than 22,300 current and former students at the University of Missouri, the school said yesterday. It was the institution's second data break-in of the year.

According to university officials, the attack was launched from IP addresses in China and Australia and used a Web form for tracking the status of queries to the school's IT help desk. The hacker accessed the names and Social Security numbers of school employees during 2004 who were also current or onetime students; those records had been compiled for a report, but were overlooked rather than deleted.

IT staffers noticed unusual activity that began around 5:30 a.m. CDT last Thursday, then tied a large number of database query errors to the problem on Friday. Logs showed that the attacks ended at 9:34 a.m. Friday. That day, technicians disabled the account used to access the database from one IP address in China and another in Australia. The FBI was alerted on Monday.

"The hacker was able to reach the information by making thousands of queries over a span of hours, allowing the identities to be exposed one at a time," the university reported.
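The detection side of the pattern described above, as an added example that is not from the Computerworld article or the university: one source walking a single status form through thousands of different record identifiers, with a stream of database errors alongside. The form path `/helpdesk/status.cgi`, the `ticket` parameter, the IP addresses and the log lines are all constructed.

```python
"""Added example, not from the article: flag sources that walk a lookup
form one record at a time, as in the University of Missouri incident.
The form path, parameter name, IP addresses and log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Apache combined-format access log: ip ident user [ts] "method url proto" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_access_line(line):
    """Return the fields the detector needs, or None for unparsable lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("url"))
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m.group("status")),
    }


def find_enumerators(lines, form_path, id_param,
                     window=timedelta(minutes=5), threshold=25):
    """Map each suspicious IP to (distinct ids in its busiest window, 5xx count).

    Counting distinct record identifiers rather than raw hits separates
    enumeration from a legitimate user refreshing the same ticket; the 5xx
    count mirrors the 'large number of database query errors' the university
    noticed, since guessed identifiers often hit records that do not exist.
    """
    hits = defaultdict(list)    # ip -> [(timestamp, record id)]
    errors = defaultdict(int)   # ip -> number of 5xx responses on the form
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or rec["path"] != form_path:
            continue
        ids = rec["query"].get(id_param)
        if not ids:
            continue
        hits[rec["ip"]].append((rec["ts"], ids[0]))
        if rec["status"] >= 500:
            errors[rec["ip"]] += 1

    flagged = {}
    for ip, events in hits.items():
        events.sort()
        seen = defaultdict(int)  # record id -> occurrences inside the window
        start, busiest = 0, 0
        for ts, rid in events:
            seen[rid] += 1
            # Slide the window start forward until it spans at most `window`.
            while ts - events[start][0] > window:
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            busiest = max(busiest, len(seen))
        if busiest >= threshold:
            flagged[ip] = (busiest, errors[ip])
    return flagged


def constructed_log():
    """Build sample lines: one enumerating source and one ordinary user."""
    tz = timezone(timedelta(hours=-5))
    base = datetime(2007, 5, 3, 5, 30, 0, tzinfo=tz)
    fmt = '{ip} - - [{ts}] "GET {url} HTTP/1.1" {status} 512'
    lines = []
    for i in range(40):  # 40 different tickets in two minutes, 1 in 4 erroring
        lines.append(fmt.format(
            ip="203.0.113.7",
            ts=(base + timedelta(seconds=3 * i)).strftime(TS_FMT),
            url=f"/helpdesk/status.cgi?ticket={1000 + i}",
            status=500 if i % 4 == 0 else 200))
    for i in range(10):  # the same ticket refreshed ten times: benign
        lines.append(fmt.format(
            ip="198.51.100.20",
            ts=(base + timedelta(seconds=20 * i)).strftime(TS_FMT),
            url="/helpdesk/status.cgi?ticket=77", status=200))
    lines.append(fmt.format(ip="198.51.100.20", ts=base.strftime(TS_FMT),
                            url="/index.html", status=200))
    return lines


if __name__ == "__main__":
    for ip, (ids, errs) in find_enumerators(
            constructed_log(), "/helpdesk/status.cgi", "ticket").items():
        print(f"{ip}: {ids} distinct ids in one window, {errs} query errors")
```

The distinct-identifier count is the signal to alert on; the error count is corroboration, since it is what the university's staff noticed first.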

A Web page and toll-free telephone line have been set up to take questions from students, the school said. Officials are also contacting as many of the affected people as possible.

Yesterday, the toll-free line was overwhelmed, a school spokeswoman said today, and some callers heard a recording that said the desk was closed. That problem has been solved by boosting the number of staffers answering the phones. Computerworld confirmed that the hot line was working today, with wait times of approximately three minutes.

This is the second incident at the University of Missouri in recent months. In February, the school acknowledged that a server attack in January might have exposed the identities of 1,220 researchers on its four campuses. The spokeswoman declined to comment on whether there could be any connection between the two events.

In its message to potential identity theft victims, the university said that it "takes this matter very seriously" and noted that it wasn't the only organization to be attacked. "All companies or organizations using the Internet to serve their customers face this challenge." Last year, reported the Columbia Missourian, then-university President Elson Floyd ordered that employee Social Security number information be deleted from online databases.

Universities are a frequent target of identity thieves, according to the data breach chronology compiled by the Privacy Rights Clearinghouse. Since Jan. 1, 27 colleges or universities have been victimized by attackers. The list includes well-known institutions such as the University of Notre Dame, Ohio State University, Purdue University and Rutgers. Several, in fact, have been hit multiple times: Notre Dame, the University of Idaho and the University of New Mexico each suffered two attacks in the first four months of 2007.

Tuesday, May 08, 2007

"Bill Passed To Protect Against Identity Theft"

"Bill Passed To Protect Against Identity Theft"
State lawmakers took the final steps in what they call a first step in fighting identity theft Monday night.

It’s a bill to prevent people from becoming victims in the country's fastest growing crime.

A new identity theft law passed by Tennessee lawmakers should help victims like Melinda Williams.

She talked earlier this year about how someone got her credit card number.

Williams said, “There were three charges for gas in Orlando Florida, and I haven’t been to Orlando in six years.”

The bill that passed its final legislative hurdle Monday in the house restricts access to consumers' credit reports and limits the use of social security numbers by businesses and non-profits.

The measure also makes it easier for fraud victims to get their money back.

Patrick Willard said the AARP did much of the heavy lifting for the bill.

Willard said, “Part of what the AARP is going to do now that we have taken this first step is go further to educate consumers and educate the public about what they need to do to protect their own identity.”

A key aspect of the bill allows consumers to freeze and unfreeze the release of their credit reports.

Tennessee lawmakers are hoping to slow identity theft down.

The bill now goes to Governor Phil Bredesen who is expected to sign it.

The AARP promises a lot more ways to help people avoid identity theft.

Sex Lube Maker's 250K Customer List Slides Onto Net

Sex Lube Maker's 250K Customer List Slides Onto Net -- Updated With Astroglide Comment
More than 250,000 people's names and addresses are now naked on the web after the maker of a popular sexual lubricant called Astroglide accidentally exposed lists of people who bought or requested free samples of its products, proving that there's no such thing as a free lubricant. BioFilm, a privately-held California company specializing in sexual lubricants, exposed customer data files dating from 2003 to 2007 to Google's search engine in early April. Google then indexed the pages and made local cache copies. A search on an individual's name now reveals that person's home address and the product they requested or ordered.

AstroGlide, a once niche product that is now stocked by major drugstore chains and Walmart, took down its free sample page on Monday in the last few days (cached copy). The page promised users that "All information will be used for mailing purposes only and will not be distributed to any outside organizations. Except maybe the paramedics if your free trial gets out of hand."
The company's privacy policy also promises that:

We take reasonable steps to protect your personally identifiable information as you transmit your information from your computer to our site and to protect such information from loss, misuse, unauthorized access, disclosure, alteration, or destruction. [...]

Other than as disclosed in this Privacy Policy, we will not contact you with marketing material or share your PII [personally identifiable information] with outside parties unless such use or disclosure is clearly identified at the time you provide your PII or we provide you the opportunity to consent or prohibit such use or disclosure.

The files indexed by Google contain a total of 263,822 listings, each of which included a name and mailing address. No financial information was exposed. A random sampling included privacy-conscious entries such as "Current Resident" and clearly fake entries for President George W. Bush and former Republican Senator Rick Santorum. Possibly less humorous are the tens of thousands of entries from people who used their real names. These included doctors, programmers, students and a vice chancellor for a prestigious American university.

The vice-chancellor reached by phone said he wasn't particularly disturbed by the disclosure. "Obviously I would be disappointed [by the company breaking its privacy policy], but I'm not worried about that information getting out. I think I just gave them my name, address and phone number. I can see how other people would be concerned about it, though."

BioFilm is closed on Mondays and multiple attempts to reach the company were unsuccessful.

Anyone searching Google on the affected names would be able to find links to Astroglide customer files that Google indexed on April 3. The links no longer work, but Google cached copies of more than 500 files, which are still available for any internet user to view. Michael Hampton, a blogger who runs Homeland Stupidity, reported on Saturday that the company learned of the security lapse last week and took technical measures to prevent the files from being indexed or read directly.

The company's website makes no mention of the data security lapse, and it's unclear if the company has asked Google to remove the files. THREAT LEVEL reported the cached files to Google before publication.

Google doesn't treat the files as highly important, so the results are not extremely visible for those who have more than a handful of internet citations or have a common name. But for those with only one or two search results for their names and an unusual name, any searcher can easily see that person once requested or bought lubricant online.

UPDATE 6:00 pm PST: A Google spokeswoman writes in:

Google's cached links were developed to provide users with a back-up in case the original page they seek is unavailable. In addition, cached pages benefit users by loading quickly and highlighting search keywords on the page. The feedback from users and webmasters, who find benefit in the feature as an emergency back-up copy of their pages, has been positive. At Google we recognize that privacy is important, which is why we offer a simple process to tag pages so that they are not cached. In addition, Google provides webmasters with an automatic URL removal system, which enables webmasters to quickly remove their pages, including cached copies, from the Google index in the event that information has been mistakenly published.

Update 2, 10:30 a.m. 4/24: Reader Danielle, who says she was the first to find and spread the news of the spill, writes in to say that Google isn't as fast as they claim to be:

I'm the person who originally spotted this breach and alerted others about this; I submitted my request to Google to remove the cached copy of my file on Friday night - it's Tuesday and it is still up. The tool said that it would take 3-5 days for removal. They refused to expedite it on grounds that it doesn't really contain personal information, like an SSN or CC#. So no, Google, that is not quick removal. In internet time, that is forever.

Danielle wasn't the person who tipped us to the story. We heard about it from tipster DS. Thanks, DS.

Update 3 2:15 p.m. PST 4/24: Astroglide's PR rep contacted us to make clear that the files were first indexed early this month. The company learned of the files on April 12, and says it's been jumping through hoops since then to get Google to remove the cached files. The company was "horrified" by the release and is so privacy-protective that it never even used these names and addresses for follow-up marketing, the spokeswoman added.

Full Statement:

Biofilm, Inc., manufacturer of Astroglide and other personal lubricants, is taking immediate action to protect the identity of consumers requesting samples from the company’s website.

According to Lisa O’Carroll, Vice President of Sales and Marketing for Astroglide, the company became aware of the problem on April 12. “We received a call from someone who had looked up his own name on Google and found, among other entries, his request for an Astroglide sample. We immediately investigated and discovered that this was limited to Google. Text files were not available on Yahoo or other search engines. Although this was clearly a Google issue, Astroglide didn’t want to waste any time in fixing the problem in order to protect the security of our customer files. We have never sold nor shared any of our database information, and we don’t even recontact people. Although what transpired was beyond our control, Astroglide has always made the security of our internet customers our top priority and we deeply regret this unique and unfortunate occurrence."

Google began aggressively indexing a limited portion of the sample requests in mid-April. Most affected were the records for the period August 2003 to January 2004. Matthew Eckmann, webmaster for the site, personally investigated approximately one dozen consumer queries about the leak and discovered that the site’s text files were appearing as search results. “The first step was to remove all the compromised files from the Astroglide website, so if someone clicked on the link it would take them to the “page not found” standard browser error. We then moved all files containing any consumer data on the webserver to a new secure location. We also wanted to remove cached files. Removing the content provides a dead link, and Google has processed our requests and removed their cached text files.”

“Everything was all done using Google’s recommended protocols,” Eckmann adds. “The difficulty is, there is no live Google support for their free services. Their search and webmaster tools are considered a free service, all phone trees end with recordings. In the absence of someone at Google to give us an estimate of how many files were affected, we had to figure it out unilaterally. Fortunately, we were able to do so quickly and have put the Google correction procedures into place. We’ve handled more than 500 files already, and should be finished in another day or two.”

In addition to the individual page requests, Eckmann followed Google’s online instructions to create and install Google-specific index parameters in both text and XML, which tells the search engine which pages are indexable and which are off limits, and which will cause any previously found pages to be removed from the Google index. “We’ve updated long- and short-term protections in order to prevent a recurrence of this situation,” he points out. “This meant changing the file structure of the web server, changing the data access protocols and the Google bot access files, as well as making specific requests for the removal of every data file that may have been indexed. We have also taken down the sample request form until further notice. It’s unnerving when something like this happens, but with all the activity on the internet, these glitches are unavoidable. Fortunately, we were able to respond quickly and get it handled without delay.”

Calling it a Google issue is more than a bit self-serving. These files never should have been stored on a webserver. They never should have been anywhere a Google spider could find them. And if the company never planned to do anything with the data, the files shouldn't even have existed. They should have just been destroyed.
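The point of the two preceding passages (the webmaster's robots.txt fix and the editorial's objection to it), as an added example that is not Biofilm's or Google's code: a check that walks a web document root for bulk mailing-list files and reports whether robots.txt is all that keeps crawlers away from them. Every path, file name and record below is constructed.

```python
"""Added example, not the company's or Google's code: audit a web document
root for bulk customer records and report whether the only thing hiding
them from crawlers is robots.txt. Paths, file names and records are constructed."""
import re
import tempfile
from pathlib import Path

# Lines that carry a street address; a file full of them is a mailing list.
ADDRESS_RE = re.compile(
    r"\b\d{1,6}\s+\w[\w. ']*\s(?:St|Street|Ave|Avenue|Rd|Road|Dr|Drive|Blvd|Ln|Lane)\b",
    re.IGNORECASE)
DATA_SUFFIXES = {".txt", ".csv", ".tsv", ".xml"}


def looks_like_customer_list(path, min_records=20):
    """True when at least min_records lines of the file contain an address."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return sum(1 for line in text.splitlines() if ADDRESS_RE.search(line)) >= min_records


def parse_robots_disallows(robots_txt):
    """Disallow prefixes from the 'User-agent: *' group (simplified parser)."""
    disallows, in_wildcard_group = [], False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            in_wildcard_group = (value == "*")
        elif key == "disallow" and in_wildcard_group and value:
            disallows.append(value)
    return disallows


def audit_webroot(webroot):
    """List customer-list files under webroot with their crawler status.

    crawler_hidden=True means robots.txt asks crawlers to skip the path; the
    file is still served to anyone who requests the URL, so the finding is
    the same either way: the file does not belong under the document root.
    """
    webroot = Path(webroot)
    robots = webroot / "robots.txt"
    disallows = parse_robots_disallows(robots.read_text()) if robots.exists() else []
    findings = []
    for path in sorted(webroot.rglob("*")):
        if not (path.is_file() and path.suffix.lower() in DATA_SUFFIXES):
            continue
        if not looks_like_customer_list(path):
            continue
        url_path = "/" + path.relative_to(webroot).as_posix()
        findings.append({
            "url_path": url_path,
            "crawler_hidden": any(url_path.startswith(d) for d in disallows),
        })
    return findings


def build_constructed_webroot():
    """Create a throwaway document root holding constructed sample content."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "robots.txt").write_text("User-agent: *\nDisallow: /samples/\n")
    (root / "index.html").write_text("<html><body>Request a free sample</body></html>\n")
    (root / "contact.txt").write_text("Mail order: 1 Example Rd, Anytown\n")  # one address only
    (root / "samples").mkdir()
    (root / "samples" / "requests_2003.txt").write_text("".join(
        f"Customer {i}, {100 + i} Main St, Springfield, IL\n" for i in range(30)))
    (root / "exports").mkdir()
    (root / "exports" / "orders.csv").write_text("".join(
        f"customer{i},{200 + i} Oak Ave,Shelbyville,IL\n" for i in range(25)))
    return root


if __name__ == "__main__":
    for finding in audit_webroot(build_constructed_webroot()):
        print(finding)
```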

UPDATE 11:00am PST 4/25: A reader writes in to make the excellent point that for some people, such as those being stalked or victims of domestic violence, having their address in the Google index puts them at risk of bodily harm:

I don't care who knows that I use this product. It's the fact that someone that I know may find my home address because of this. That someone is a stalker. My family and myself could be in danger, again. I did a search on this topic and it's all over the net. That's not good, for me or my family.


Posted by Ryan Singel 4:20:00 PM in Breaches

M&S staff at risk in laptop theft

By Chris A'Court
BBC Radio 4's Money Box



Staff at Marks and Spencer have been warned they may be at risk of identity crime after the theft of a laptop.
Salary details, addresses, dates of birth, national insurance and phone numbers were on the machine which was stolen from a printing firm.

M&S has told BBC Radio 4's Money Box that 26,000 present employees in its final salary pension scheme are at risk if the data is accessed by criminals.

It is offering free credit checks to the people affected.

Password protected

The laptop was stolen in a burglary on 18 April from a printing firm that had been given the personal information so that it could write to M&S employees about pension changes.

It is believed it was an opportunist theft rather than a planned burglary, and that the laptop was taken for its own value rather than the data on it.

Two days later M&S wrote to all the staff whose names and details were on the laptop, warning them they were at risk and reassuring them that their account and card details had not been compromised.

The firm revealed the exact nature of the personal details on the stolen laptop only at internal meetings or if staff made further enquiries to a helpline.

The firm told Money Box it felt this was a responsible way to deal with the matter, and that the laptop was also password protected.

M&S believes no-one has yet become a victim of identity crime as a direct result of the security breach, but the laptop has still not been recovered.

Action call

Ed Mayo, chief executive of the National Consumer Council (NCC) has expressed concern over the security breach.

He told Money Box it illustrates how not enough is being done to keep personal information safe.

"Here we've got Marks and Spencers - which is a relatively trusted brand - losing data for their own staff, therefore every company in Britain is, surely, vulnerable to this," he said.

"Every company really now should take action to ensure they've got the systems and processes in place to minimise this risk."

He said the NCC planned to campaign for legislation at UK or EU level for companies to take faster action on this issue.


Data breach bill sets notification requirements

By Michael Posner CongressDaily May 4, 2007

A bill requiring federal agencies and businesses collecting personal information to divulge security breaches or face penalties of up to $1 million won approval Thursday in the Senate Judiciary Committee.

The measure (S. 239) by Sen. Dianne Feinstein, D-Calif., was approved by voice vote. It was a companion bill to legislation (S. 495) passed earlier Thursday to place controls over data brokers and agencies in an effort to curb the growing problem of consumer identity theft.

The Feinstein bill, which did not attract any dissent or debate, meshes in many details with S. 495, which overall is more sweeping. The Feinstein measure, a substitute she offered that completely rewrites her earlier version to conform to sections of S. 495, requires agencies or businesses to notify consumers if their information is believed to have been accessed improperly.

The bill requires any agency or business that engages in interstate commerce and collects, stores or uses personal information to notify its clients or consumers in the event of a security breach. Companies found in violation could be subject to civil penalties of up to $1 million.

The bill defines how promptly those agencies or businesses must notify consumers that their personal information has been compromised. The bill states that notifications should be made "without unreasonable delay" following a breach, and defines "reasonable delay" as "anytime necessary to determine the scope of the breach, prevent further disclosures and restore the integrity of the data system and provide notice to law enforcement when required."

It will fall to those companies to prove they made timely notification, the bill states. The bill makes an exception in the event of a criminal investigation.

The measure also specifies that notification can be made in writing, or via telephone or e-mail if permission has been given in advance. It also allows for notice via media outlets if more than 5,000 people have been affected.

Social Insecurity Numbers

Federal agencies need to do a better job of protecting private information.
Monday, May 7, 2007; Page A18


LATE ON FRIDAY, the Transportation Security Administration announced that an external computer hard drive loaded with sensitive and private information on 100,000 current and former staffers was missing, possibly stolen, from a secure area in the human resources department. This is getting ridiculous. When it comes to safeguarding private information from the growing identity theft industry, Uncle Sam's track record is horrendous.

Up until the TSA's major breach, the Census Bureau, the Agriculture Department and the Federal Emergency Management Agency were the latest agencies to blunder by revealing Social Security numbers. Tooling around on an Internet site maintained by the Census Bureau, a bored Illinois farmer did a search of her farm's name and found references to a loan application she filed with the USDA. There for all the world to see was her Social Security number. A review by the USDA found that the numbers of 38,700 farmers had been exposed on the site. Over at FEMA, the fumble was printing Social Security numbers on the outside address labels for 2,300 agency personnel who were being reappointed as disaster assistance employees. To its credit, FEMA moved quickly to correct the problem, apologize to the individuals affected and offer them credit-monitoring protection.



The TSA also has apologized to its employees and offered them credit-monitoring protection. But because this is the TSA -- the agency that employs airport screeners and air marshals -- this is not your run-of-the-mill identity theft worry. There are security issues here, which is why the TSA was right to call in the FBI and the Secret Service to investigate. This episode reminds us of last year's theft of the Department of Veterans Affairs laptop with information on 26.5 million people nestled in it. It was later returned with the information untouched. We can only hope for a similar outcome at the TSA.

 

Running for IP Cover

May 7, 2007

By Lisa Vaas
In the wake of incidents such as the TJX Companies' massive data breach, reported in January, it shouldn't come as a surprise to find that 90 percent of companies plan to plug in new technology to secure electronic copies of intellectual property in the coming year.


The ESG survey—sponsored by information protection company Reconnex—is the first in a quarterly series on the topic.

One of the findings that surprised ESG was how big the IP problem is, according to Eric Ogren, a security analyst for ESG, in Milford, Mass.

Top priorities

Protecting PII (personally identifiable information) such as credit card numbers and Social Security numbers is not actually the top priority with most organizations, Ogren said.

"We asked upfront, 'What do you consider to be intellectual property?'" he said. "What they want to protect is financial information, contracts and agreements. Only after that is PII."

Other IP that companies are looking to protect include—in order of reported priority—source code, competitive intelligence, internal research data, design specifications, customers' PII, trade secrets, CRM (customer relationship management) databases and patent documents.


What's tough about protecting such data is that it comes in so many different forms. Much of it doesn't fit into a neat fixed format, as Social Security numbers or credit card numbers do, for example. Instead, it comes from all over the network.

"If you think e-mail is your only issue, you're only solving 20 percent of the problem," Ogren said.

Tremendous resources are being spent to search for networked IP, Ogren added, in terms of both manual and automated procedures. According to the report, 78 percent of those surveyed search for electronic versions of IP at least once per quarter.

"[This] is a major investment of time and resources," Ogren said. "It's in many different forms, in many different places, communicated with many different protocols."

As for the biggest perceived threat when it comes to data loss, malicious or sloppy insiders scare survey respondents the most.

Twenty-four percent of respondents pointed to malicious insiders as the biggest threat to their IP falling into the wrong hands, while 34 percent feared that the problem lies with negligent insiders: employees who just want to do their jobs but don't understand the risk of IP stored on their laptops, for example.

Only 20 percent of respondents think that hackers are their biggest threat in this regard. The balance of threats is seen as coming from lack of security oversight (17 percent) or lack of distribution control (5 percent).

The ESG report puts forth four best practices for leakage protection.


First, ESG recommends enterprises define comprehensive requirements for IP and PII at the same time. Protecting against leakage of one protects against leakage of the other, the company maintains.

It's also necessary to segregate IP protection duties, according to ESG. That means empowering security teams to provide independent oversight of operations, including monitoring insider use of information.

ESG also suggests automating discovery of IP, to cut down on the time and money currently being devoted to discovery.

Finally, ESG recommends network-based solutions over distributed endpoint software. "I don't think endpoint software is going to solve it—it can't reside in all the places IP resides," Ogren said.

 

ID theft bill would require prompt notification

By Jim O'Sullivan/State House News Service
Mon May 07, 2007, 05:09 PM EDT

BOSTON - Legislation requiring companies to immediately notify consumers whose private information has been breached, and expanding state officials' power, is expected to come to the House floor Wednesday with the backing of House Speaker Salvatore DiMasi.

The bill would allow consumers to freeze their credit proactively, for a $10 fee, which lawmakers said could go lower. Ceding authority to the Executive Branch, and in a nod to the pace of technology, the measure would also empower the state's Office of Consumer Affairs to promulgate regulations.

"Things are going to change faster than the legislative process, and as technology changes we want to be able to quickly respond to these technological changes," said Rep. Michael Rodrigues, House chair of the Committee on Consumer Protection and Professional Licensure, who will lead the floor debate in favor of the bill.

While the committee endorsed one version of the bill Monday, Rodrigues (D-Quincy) said "a substitute bill" would go forward Wednesday, when the House meets after a Constitutional Convention expected to be short. The Senate could act as quickly as Thursday, with differences worked out between the two versions either through amendments or in a conference committee, said Senate chair Michael Morrissey.

"We're going to make some changes," Morrissey said, later adding, "We'll see how far apart we are."

Rodrigues said the bill defines a breach of privacy as when an inappropriate third party has received a person's name in combination with date of birth, Social Security number, credit card number, passport identification number, or other personal data.

Businesses have opposed recent efforts to curb identity theft because they said reporting could become onerous, and that excessive reporting would frustrate customers.

Kevin Kiley of the Massachusetts Bankers Association said he hasn't seen the final draft of the bill emerging from committee but believes it will take "positive" steps in the area of breach disclosure while falling short in another area, liability, that the association is concerned about.

While consumers are protected from financial liability in cases where identity theft is involved, Kiley said, the association is pushing liability measures making the entities responsible for breaches accountable for expenses that are now borne by financial institutions.

"We continue to pursue the aspects around liability," Kiley said.

A string of identity theft bills died last year in the Legislature, but DiMasi's appointment of Rodrigues signaled to some on Beacon Hill that the issue had taken on fresh urgency. A spokesman said DiMasi supports the plan which Rodrigues plans to produce Wednesday.

"The speaker believes strongly that we need to pass legislation to help combat the growing problem of identity theft," said DiMasi spokesman David Guarino. "He thinks this is a bold step forward."

Defining when to report security breaches challenged the bill's authors, Rodrigues said. "It can't be so loose that you're going to get a notice a week, because then you won't take it seriously."

The legislation would also apply to paper data, Rodrigues said, an expansion Morrissey opposes.

"If you are the custodian of personal data, and are going to dispose of that data, you have to do so responsibly," meaning shredding, burning, pulverizing, or rendering illegible, Rodrigues said.

Morrissey said enforcement of the paper data requirement would be difficult, and would complicate notification efforts. "If you're trying to pass a bill and get it on the books as quickly as possible, I don't want to muddy the waters," he said.

In testimony submitted to the committee in letter form April 10, the American Insurance Association argued that any legislation should link notification to "a belief that the breach will cause or is reasonably believed will cause identity theft or some other fraud."

 

Probe launched into missing TSA hard drive

By Thomas Frank, USA TODAY

WASHINGTON — Federal authorities have launched a "full-blown criminal investigation" into the disappearance of a computer drive holding personal and banking records of 100,000 Transportation Security Administration employees, agency Administrator Kip Hawley said Monday.

"We're doing a full-court press on this," Hawley told TSA employees in a conference call that USA TODAY was able to listen to.

Hawley's comments downplayed the possibility that the portable hard drive had been lost from TSA headquarters in Arlington, Va., on Thursday. The TSA had said Friday that it was "unclear" whether the device was "still within headquarters or was stolen."

Agency spokeswoman Ellen Howe acknowledged Hawley's comments and added that "nothing has been ruled out," including the possibility the hard drive was lost.

On Monday, TSA employees questioned how the drive went missing and whether it would expose the identities of the thousands of armed air marshals, who ride undercover on airplanes to thwart terrorists. Air marshals, who are TSA employees, fear what someone could do with their names, birth dates and Social Security numbers — data that were on the hard drive.

"If that information is out there, it's very easy to find out who they are," said John Adler, executive vice president of the Federal Law Enforcement Officers Association, whose members include air marshals. Adler said terrorists could use personnel information to find where air marshals live, photograph them and disseminate the photos.

Hawley said air marshals' security "was one of our first concerns" but downplayed the risk to them. The TSA said on its website that "without extensive knowledge of TSA's human resource system, it is extremely difficult to determine what positions employees on the missing hard drive have."

The TSA has not ruled out the possibility that an insider took the drive.

Aviation-security consultant Rich Roth said the data theft "shouldn't affect the air marshals at all." Terrorists who are determined to spot air marshals can simply watch passengers boarding planes early, he said.

The FBI and Secret Service have joined the investigation, which began Thursday after employees in the TSA personnel office who frequently use the hard drive found it missing.

Howe, the TSA spokeswoman, said the drive is about the size of a desk telephone.

Paul Stephens, a policy analyst at the Privacy Rights Clearinghouse, a consumer advocacy group, questioned why a federal security agency would store sensitive information on "something that could be carried away in a briefcase" and not on a larger, less-portable device. External hard drives store data such as text files and photographs and are plugged into a computer.

Cris Soulia, a TSA screener in San Diego and a former Navy computer technician, said he was "dumbfounded" that the agency would store personnel records on a portable device.

"That's really irresponsible," Soulia said.

Howe declined to address why the records were stored on an external hard drive, saying it is "an element of an ongoing investigation."

Stephens said stealing hard drives "is a bit unusual" and usually indicates that "the purpose of the theft was to obtain the data." Many data breaches are the unintentional result of someone stealing a computer to sell it and the computer happens to hold personnel information, he said.

The clearinghouse has tracked hundreds of security breaches that exposed 154 million data records.
