Tuesday, July 31, 2007
California finds three electronic voting systems vulnerable to hackers
Frank Washkuch Jr. Jul 30 2007 18:41
Researchers from the University of California found IT and physical security vulnerabilities in three electronic voting systems as part of a study for the top election official of the nation's most populous state.
Teams using penetration testing techniques found that electronic voting systems from Diebold, Hart InterCivic and Sequoia are not secure enough to fend off hackers or physical tampering, according to a report penned by Matt Bishop, principal investigator based at the University of California, Davis.
"The [penetration testing] red teams demonstrated that the security mechanisms provided for all systems analyzed were inadequate to ensure accuracy and integrity of the election results and of the systems that provide those results," Bishop said in the report. "Given the importance of voting and elections in the governing of the state of California, one may safely say that these systems are ‘mission critical.’ Such systems need to be of the highest assurance in order to ensure they perform as required. Techniques for developing such systems are well known, but, sadly, not widely used. Vendors would do well to adopt them for electronic voting systems."
The tests were carried out as part of a "top-to-bottom review" of electronic voting for California Secretary of State Debra Bowen, a Democrat.
A testing team led by researcher Robert P. Abbott, based in Sacramento, tested the Diebold GEMS 1.18.24/AccuVote and the Hart InterCivic System 6.2.1. Another team, led by Giovanni Vigna and Richard Kemmerer, based at the University of California, Santa Barbara, tested the Sequoia WinEDS version 3.1.012.
Researchers found a number of information security issues in the Sequoia machine, including ways to overwrite the firmware and boot loader, detect when the machine is in election mode and access the Election Management System.
In the Diebold system, researchers were able to penetrate the Election Management System and compromise the AccuVote TSx along with the security keys it uses for cryptography.
Flaws in the Hart system were found in the Election Management System, the eScan firmware, the JBC and the eSlate.
Physical security issues were found while testing all three devices, according to the researchers.
Researchers would have found more flaws had they had more time to test, according to Bishop.
"The short time allocated to this study has several implications. The key one is that the results presented in this study should be seen as a ‘lower bound.’ All team members felt that they lacked sufficient time to conduct a thorough examination, and consequently may have missed other serious vulnerabilities," he said. "In particular, Abbott’s team reported that it believed it was close to finding several other problems, but stopped in order to prepare and deliver the required reports on time. Vigna’s and Kemmerer’s team also reported that they were confident further testing would reveal additional security issues."
Hart released a statement on Friday defending its security practices.
"The Hart Voting System has a series of redundant and auditable measures in place to ensure accuracy and security. Once cast, three copies of the electronic ballot are saved. Each of the three records is verifiable and auditable for security and accuracy," read the company’s statement. "In addition to regulation by both the federal and state governments, the Hart Voting System has been independently audited by Symantec, an acknowledged leader in technology security, and has received internationally recognized security certification. Hart has implemented Symantec’s recommendations in order to enhance security."
Sequoia said Friday in a statement posted on its website that the methodology used in the penetration testing did not reflect real-world attacks.
"This was not a security risk evaluation but an unrealistic worst case scenario evaluation limited to malicious tests, studies and analysis performed in a laboratory environment by computer security experts with unfettered access to the machines and software over several weeks," read the company’s statement. "This is not a real-world scenario and does not reflect the diligence, hard work and dedication to the stewardship of our nation’s democracy that our customers — and all election officials — carry out every day in their very important jobs of conducting elections in California and throughout the United States."
Ted Julian, vice president of marketing and strategy at Application Security Inc., told SCMagazine.com today that electronic voting machine vendors should focus on data security.
"I don’t know that there’s anything revolutionary in [the report]. It’s more a confirmation of things that have been talked about for a long time," he said. "There’s no question that a lot of attention has been placed on the machines themselves, but the reality is that it’s the data that matters, and you don’t see as much conversation about where that is stored, how it is aggregated and how it is protected along the way."
John Fisher, Bharosa CEO, told SCMagazine.com today that electronic voting machines will need to provide interface-level security for citizens.
"It’s inevitable that these types of interfaces and approaches are here to stay and necessary, it’s just that they need to have something where a user is protected at the interface and at the web level," he said.
A Diebold representative could not be immediately reached for comment today.
Labels: Diebold, Hart InterCivic, Sequoia
Certegy breach worse than reported
Dan Kaplan Jul 30 2007 21:17
The number of consumer records sold to a data broker by a former Certegy Check Services database administrator is actually 8.5 million, about 6 million more than originally reported.
In a filing with the U.S. Securities and Exchange Commission, Fidelity National Information Services, the parent of St. Petersburg, Fla.-based Certegy, reported some of the stolen records only contained names, addresses, telephone numbers and birth dates.
But about 5.7 million contained checking account numbers and 1.5 million included credit card numbers, according to last week's filing. And the company conceded that more affected records may be identified as the investigation continues.
The former employee, against whom Certegy has filed a civil lawsuit, sold the records to a number of direct marketing firms, but so far none of the data has been used fraudulently.
"As a result of this apparent theft, the consumers affected received marketing solicitations from the companies that bought the data," Renz Nichols, Certegy president, said in a July 3 statement, which had then estimated the number of stolen records at 2.3 million.
The company continues to warn users on its home page that they must be wary of solicitations from people claiming to be Certegy employees who seek their personal information.
"Please be advised that Certegy’s call center is NOT making any outbound calls to consumers," the statement said. "In fact, the call center staff does not have access to individual consumer information. [Instead] they are available to help those impacted understand what steps can be taken to safeguard their information."
Adam Bosnian, vice president of products and strategies at identity and access management provider Cyber-Ark Software, told SCMagazine.com today that organizations often blindly trust their database administrators (DBAs).
"Organizations need to be aware that these insider incidents are often done by the people with privileged access," he said, adding that DBAs often do their jobs with little or no scrutiny.
Instead businesses must implement monitoring tools and protocols for approving database changes, he said.
Labels: Certegy Check Services
Thursday, July 26, 2007
Military, families at risk to data exposure by SAIC
Jim Carr Jul 23 2007 22:18
A federal contractor has said it put hundreds of thousands of military households at risk for identity theft by sending their personal information, including Social Security numbers, over the internet through an unencrypted channel.
San Diego-based SAIC, which provides scientific, engineering, systems integration and technical services to military and federal government agencies, said that personal information of about 580,000 uniformed military personnel and their family members was placed online while being processed by SAIC under several health care data contracts, according to a statement.
The processing was part of TRICARE, the health benefits program for the uniformed military services, retirees and their families, according to SAIC.
"The security failure occurred as a result of clear violations of SAIC's internal IT security policies," SAIC chairman and CEO Ken Dahlberg said. "We did not live up to [what] our customers have learned to expect and demand from us."
The information exposed varies by individual, the company said. It includes combinations of names, addresses, Social Security numbers, birth dates or limited health information in the form of codes.
Among those impacted are personnel in the Army, Navy, Air Force and Homeland Security.
SAIC said it is working to reduce the potential impact of the security lapse. The company said that, while forensic analysis has not provided evidence that any personal information was compromised, "the possibility cannot be ruled out."
SAIC has developed an "incident response center" and hired Kroll, a risk consulting company, to provide services to military members whose information was exposed. The services include credit and identity restoration help for any victims of related identity theft.
SAIC revealed that it expects the cost of these services to range from $7 million to $9 million, excluding credit restoration services if any identity theft occurs as a result of the exposure.
The company has launched an internal investigation to determine how the security incident occurred and placed several employees on administrative leave. It has also initiated a risk-assessment program to uncover other possible vulnerabilities and to determine the kinds of changes in policy, methods, tools and monitoring required to avoid future security lapses.
Labels: SAIC
Wednesday, July 25, 2007
USB encryption vendor suffers computer breach
Dan Kaplan Jul 19 2007 17:11
A technology firm that recently entered the data security market reported this week that thieves infiltrated a company computer nearly two years ago, illegally accessing some 27,000 customer credit card files.
None of the financial information belonging to customers of Kingston Technology has been misused, according to a statement from the Fountain Valley, Calif.-based company. The affected customers purchased Kingston products online.
The $3.7 billion company, which launched USB drives with hardware-based encryption in March 2006, specializes in memory products.
David Leong, a Kingston spokesman, told SCMagazine.com today that the compromised data was encrypted, "but that is no guarantee that it cannot be accessed." The breach came to light after IT workers noticed "irregularities" in the computer system, he added. An investigation by a forensic security firm confirmed the incident.
Kingston is notifying customers and taking "aggressive steps to minimize any potential risk to those affected and to protect their personal information," the company said.
The firm has contracted Kroll, a New York-based risk consulting company, to offer free credit monitoring.
"Kingston has always made customer privacy a priority and deeply regrets this situation, which is the first of its kind in the nearly 20-year history of the company," the company said. "We are confident in the thorough response we have taken to ensure data security and maintain the faith and trust of our customers."
Paul Proctor, a research vice president at Gartner, told SCMagazine.com today that cybercriminals are not scared off by security vendors, nor do they necessarily target them.
"The outsiders that attack these guys go wherever they find a weakness," he said. "There are literally hundreds of ways of compromising computers, and nobody protects themselves from all of them."
This is at least the second time a security firm experienced a breach this year. In May, IBM, which invented magnetic tape storage and has emerged as a data encryption leader, lost an undisclosed number of backup tapes containing the personal information of employees.
Labels: USB Flash Drive
Department hits university with fine over Los Alamos breach
Dan Kaplan Jul 17 2007 23:35
The U.S. Department of Energy has imposed a $3.3 million fine against the current and former operators of the Los Alamos National Laboratory following an incident last year in which a subcontractor's employee stole classified documents by storing them on a USB stick.
The enforcement action penalizes the University of California (UC), which managed the nuclear weapons lab until May 2006, $3 million and fined the new manager, Los Alamos National Security, $300,000. The new operation and management contractor, which took over June 1, consists of UC, Bechtel National, BWX Technologies and the Washington Group International.
The October 2006 theft occurred months after the lab was supposed to include tighter security controls, the Energy Department contends.
Jessica Lynn Quintana, 22, pleaded guilty in May in U.S. District Court in Albuquerque, N.M. Hired to archive classified information, Quintana admitted that when she was working at the lab on July 27, 2006, she printed pages of classified documents and downloaded other classified data onto a USB device, then carried the data home in a backpack.
It is unknown why she took the documents, which were later discovered in an unrelated drug raid at a mobile home park. Quintana faces up to one year in prison, five years of probation and a $100,000 fine.
University spokesman Chris Harrington said the university was reviewing the Energy Department’s enforcement action, but noted that the incident occurred in October 2006, five months after its contract to manage the laboratory expired. In addition, the culprit was not a university employee, he added.
Still, "the university remains outraged at the actions taken by the individual involved in this incident," he said. "We believe the type of behavior involved — a failure to follow clearly defined security protocols and a violation of the law — is completely unacceptable."
A lab spokeswoman has told SCMagazine.com that the lab has since reduced removable media in use, disabled USB ports and encrypted laptop hard drives. She said the lab also has enhanced training measures and policies.
This is not the first breach the lab has dealt with this year. In April, it warned employees that their identities may be at risk after the names and Social Security numbers of 550 lab workers were posted on a website operated by a subcontractor working on a security system.
Labels: Los Alamos National Laboratory
Friday, July 13, 2007
Former Boeing employee charged with 16 counts of computer trespass
Jim Carr Jul 12 2007 00:21
Seattle police have charged a former Boeing employee with 16 counts of computer trespass for the alleged theft of 320,000 files and the leaking of some of them to a Seattle-area daily newspaper.
According to the case study released this week, Gerald Eastman, a former quality-assurance inspector at Boeing, copied the confidential company documents to a portable drive from Sept. 24, 2004 to April 9, 2006, violating corporate policies. He stored the files on his home computer, police allege.
Boeing estimated that the potential financial damage if some of the documents fell into the wrong hands could range between $5 billion and $15 billion.
Eastman, to be arraigned July 17, could spend up to 57 months in prison if convicted on all counts. The case summary said articles using information credited to "internal Boeing documents" associated with Eastman appeared in The Seattle Times newspaper.
Eastman told the Seattle Post-Intelligencer that he's "a whistle blower." He said he was attempting to "get crimes at Boeing, and the people at the FAA facilitating those crimes, brought to justice."
The police report alleges that Eastman claims he collected the information to prove that there were flaws in the inspection process for one of Boeing's new planes.
Seattle police said they discovered password-cracking tools on Eastman's computers.
"Although the files Eastman took were not encrypted or password protected, Eastman had to exploit a weakness in Boeing's computer system to access them," according to the criminal complaint. It added that Eastman methodically searched Boeing systems for unprotected files and that he was routinely denied access to many of them.
This is the latest in a series of arrests of insiders. Last week, financial processing company Fidelity National Information Services revealed that a subsidiary's employee stole 2.3 million consumer records containing credit card, bank account and other personal information.
Many large companies simply fail to "verify what their [privileged] employees are doing," said Phil Neray, vice president of marketing at Guardium, a vendor of database-access monitoring products. "This was an employee with unfettered access to sensitive information as part of his job."
Had Boeing deployed automated activity-monitoring technology, Neray pointed out, "it would have immediately noticed that something that didn't fit inside of [Edwards'] normal patterns of activity was happening."
Traditional network-monitoring products don't uncover these kinds of malicious insider activity, said Michael Rothschild, senior director of product marketing at Orchestria, which develops policy-compliance software. Those products look at the [network] border rather than internal, and would have been blind to such insider actions, he added.
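The activity-baselining approach Neray and Rothschild describe, as an added illustration for this page (example code, not a Guardium or Orchestria product, and the audit records, user names and share names are constructed): it learns each user's normal daily volume of successful file reads and flags a day that departs sharply from it, and separately flags a day with a burst of access-denied events spread across several shares, the pattern the complaint describes of methodically searching systems for unprotected files and being repeatedly denied.

```python
"""Per-user daily baselining over file-access audit records.

Added example, not from the article or any vendor product.  The audit
lines below are constructed: "<date> <user> <ALLOWED|DENIED> <share>/<file>".
"""
from collections import defaultdict
from statistics import mean, pstdev

SAMPLE_AUDIT = """\
2006-03-01 jdoe ALLOWED qa/checklist_a.doc
2006-03-01 jdoe ALLOWED qa/checklist_b.doc
2006-03-02 jdoe ALLOWED qa/report_1.xls
2006-03-02 jdoe ALLOWED qa/report_2.xls
2006-03-03 jdoe ALLOWED qa/report_3.xls
2006-03-03 jdoe DENIED  finance/budget.xls
2006-03-04 jdoe ALLOWED qa/report_4.xls
2006-03-04 jdoe ALLOWED qa/notes.doc
2006-03-05 jdoe ALLOWED qa/notes2.doc
2006-03-05 jdoe ALLOWED engineering/spec_1.pdf
2006-03-05 jdoe ALLOWED engineering/spec_2.pdf
2006-03-05 jdoe ALLOWED engineering/spec_3.pdf
2006-03-05 jdoe ALLOWED legal/contract_7.doc
2006-03-05 jdoe ALLOWED legal/contract_8.doc
2006-03-05 jdoe ALLOWED hr/roster.xls
2006-03-05 jdoe ALLOWED hr/salaries.xls
2006-03-05 jdoe ALLOWED hr/reviews.doc
2006-03-05 jdoe DENIED  finance/budget.xls
2006-03-05 jdoe DENIED  finance/forecast.xls
2006-03-05 jdoe DENIED  exec/board_minutes.doc
2006-03-05 jdoe DENIED  exec/strategy.ppt
2006-03-05 jdoe DENIED  legal/merger.doc
2006-03-05 jdoe DENIED  legal/litigation.doc
2006-03-05 asmith ALLOWED finance/forecast.xls
"""


def parse_audit(text):
    """Turn audit lines into (day, user, allowed, share) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, result, path = line.split()
        events.append((day, user, result == "ALLOWED", path.split("/", 1)[0]))
    return events


def daily_stats(events):
    """Aggregate per (user, day): allowed reads, denied reads, shares denied on."""
    stats = defaultdict(lambda: {"allowed": 0, "denied": 0, "denied_shares": set()})
    for day, user, allowed, share in events:
        entry = stats[(user, day)]
        if allowed:
            entry["allowed"] += 1
        else:
            entry["denied"] += 1
            entry["denied_shares"].add(share)
    return stats


def detect_anomalies(text, min_baseline_days=3, z_threshold=3.0,
                     denied_min=5, denied_shares_min=3):
    """Return (user, day, kind, value) findings.

    A day is scored only once the user has min_baseline_days of earlier
    activity; the baseline is the mean/stdev of those earlier days' allowed
    reads, with the stdev floored at 1.0 so a flat baseline cannot produce
    a huge z-score from a tiny change.
    """
    stats = daily_stats(parse_audit(text))
    days_by_user = defaultdict(list)
    for user, day in stats:
        days_by_user[user].append(day)

    findings = []
    for user, days in days_by_user.items():
        days.sort()  # ISO dates sort chronologically as strings
        for i, day in enumerate(days):
            if i < min_baseline_days:
                continue
            baseline = [stats[(user, d)]["allowed"] for d in days[:i]]
            today = stats[(user, day)]
            z = (today["allowed"] - mean(baseline)) / max(pstdev(baseline), 1.0)
            if z >= z_threshold:
                findings.append((user, day, "volume", round(z, 2)))
            if (today["denied"] >= denied_min
                    and len(today["denied_shares"]) >= denied_shares_min):
                findings.append((user, day, "denied_sweep", today["denied"]))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(SAMPLE_AUDIT):
        print(finding)
```

The two signals are deliberately independent: a volume spike alone can be a legitimate project, and a handful of denials alone is normal friction, but a user who is both reading far more than usual and being refused across several shares on the same day is exactly the "doesn't fit inside normal patterns" case the quote refers to. A real deployment would baseline over a longer window and per share rather than per user only.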
In December 2006, Boeing fired an employee for violating company policy by downloading personal information about 382,000 former and current Boeing employees onto a laptop without encrypting it. His laptop was subsequently stolen.
Boeing has "taken steps" to prevent similar breaches, such as the Edwards' theft, from occurring in the future, Tim Neale, a Boeing spokesman, told SCmagazine.com. "But we're not talking about them publicly."
Seattle police have charged a former Boeing employee with 16 counts of computer trespass for the alleged theft of 320,000 files, as well as leaking them to a Seattle-area daily newspaper.
Labels: Boeing
Tuesday, July 10, 2007
Florida-based Fidelity National Information Services announced a “misappropriation of consumer data”
Data Loss Source: Florida-based Fidelity National Information Services announced a “misappropriation of consumer data” by a former employee of its Certegy Check Services subsidiary.
Date of Loss: July 2, 2007
Size of Loss: 2.3 million consumer records
Affected Individuals: Fidelity customers
Geographic Focus: U.S.
Data contained: The records contained information on 2.2 million bank accounts and 990,000 credit card accounts.
Additional Notes: The former employee allegedly sold 2.3 million consumer records to a data broker who, in turn, sold the information to various marketing organizations, according to FIS.
Additional Information: CNET
This entry was posted on Thursday, July 5th, 2007 at 9:10 am
Labels: Fidelity National Info Services
Phishing scam targets top corporate brass
Frank Washkuch Jr. Jul 6 2007 18:06
Cyberattackers are doing their homework when targeting corporate executives, according to a recent report from MessageLabs.
The messaging security vendor reported that it intercepted more than 500 phishing attacks in June using the correct name and title of corporate executives in the subject.
The scams included a Microsoft Word document that contained executable code, according to the report.
Thirty percent of the attacks targeted chief finance officers and 11 percent sought chief executives, according to the report.
Mark Sunner, MessageLabs chief security analyst, told SCMagazine.com today that his company has seen a "truly unprecedented" rise in phishing attacks targeting C-level executives, suggesting that an online kit is being used to create the email lures.
"The profile is like nothing we’ve ever seen before. It smacks of someone new on the scene," he said. "The fact that you can go and buy this attack right now means that, by casting a wide enough net, you may get back some very interesting corporate secrets."
While the attacks were spread fairly evenly across industry verticals, an inordinate percentage targeted chief investment officers. Attacks targeting executives' assistants suggest that cybercriminals gleaned some of their information from social networking websites, said Sunner.
"It begs the question of where they’re getting their information from, and that is social networking," he said. "These sites are brilliant for their good purposes, but they’re a gold mine for the bad guys."
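An added example of the kind of inbound-mail triage rule the report points to (written for this page, not MessageLabs' own detection; the executive roster, the messages and the domains example.com, example.net and example.org are constructed): it scores a message higher when the subject names a listed executive together with their correct title, the sender is outside the company, and an Office-type attachment is present, so the combination the report describes is quarantined while routine internal mail that mentions the same names is merely flagged or delivered.

```python
"""Scoring rule for mail that targets named executives.

Added example, not MessageLabs' detection logic.  The roster, messages
and domains are constructed; example.com stands in for the company.
"""
import re
from email.utils import parseaddr

# Constructed roster: lower-case full name -> accepted titles and abbreviations.
EXEC_ROSTER = {
    "jane roe": {"chief financial officer", "cfo"},
    "john doe": {"chief executive officer", "ceo"},
}
INTERNAL_DOMAIN = "example.com"  # assumed company mail domain
RISKY_EXTENSIONS = {"doc", "xls", "ppt", "exe", "scr", "zip"}

# Constructed inbound messages (headers only; no real senders).
SAMPLE_MESSAGES = [
    {"from": "HR Compliance <hr-notify@example.net>",
     "subject": "Jane Roe, Chief Financial Officer: complaint filed (case 4471)",
     "attachments": ["complaint.doc"]},
    {"from": "Bob <bob@example.com>",
     "subject": "Re: Q2 numbers for Jane Roe, CFO",
     "attachments": ["q2_summary.xls"]},
    {"from": "newsletter@example.org",
     "subject": "Weekly industry roundup",
     "attachments": []},
    {"from": "partner@example.net",
     "subject": "Meeting with John Doe next week",
     "attachments": []},
]


def _has_phrase(text, phrase):
    """Whole-word, case-insensitive phrase match."""
    return re.search(r"\b" + re.escape(phrase) + r"\b", text, re.IGNORECASE) is not None


def score_message(msg, roster=EXEC_ROSTER, internal_domain=INTERNAL_DOMAIN):
    """Return (score, verdict, reasons) for one message."""
    subject = msg["subject"]
    score, reasons = 0, []

    named = [name for name in roster if _has_phrase(subject, name)]
    if named:
        score += 2
        reasons.append("subject names a listed executive")
        if any(_has_phrase(subject, t) for name in named for t in roster[name]):
            score += 1
            reasons.append("subject also carries the executive's title")

    sender = parseaddr(msg["from"])[1]
    if sender.rpartition("@")[2].lower() != internal_domain:
        score += 2
        reasons.append("sender is outside the company domain")

    if any(a.lower().rpartition(".")[2] in RISKY_EXTENSIONS for a in msg["attachments"]):
        score += 2
        reasons.append("attachment type can carry executable content")

    verdict = "quarantine" if score >= 7 else "flag" if score >= 5 else "deliver"
    return score, verdict, reasons


def triage(messages):
    """Score every message; returns a list of (score, verdict)."""
    return [score_message(m)[:2] for m in messages]


if __name__ == "__main__":
    for msg, (score, verdict) in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(f"{verdict:10} {score}  {msg['subject']}")
```

The weights are illustrative; what matters is that no single signal reaches the quarantine threshold on its own, because executives' names and Office attachments are both common in legitimate mail, while the external sender plus name, title and attachment together is the profile described above. The roster itself is worth protecting, since the report's point is that attackers assemble exactly this list from public sources.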
June research from MessageLabs found that phishing attacks increased by 0.81 percent as a proportion of all email-borne threats.
The report is in line with recent warnings on targeted scam emails.
The U.S. Justice Department, the Internal Revenue Service and the Better Business Bureau have all warned of phishing scams targeting consumers.
Four charged in ID theft ring
Jim Carr Jul 10 2007 00:01
Federal authorities have busted a Florida identity theft ring that used hundreds of thousands of stolen credit card numbers to pile up millions in illegal charges.
After an investigation by the Secret Service and other law enforcement officials, Miguel Alegria, 46; Raynier Pupo, 22; Ariel Montero, 32; and Javier Padron-Bravo, 35, were charged with aggravated identity theft, counterfeit credit card trafficking and conspiracy, the agency announced today.
According to the Secret Service, the four Cuban nationals purchased tens of thousands of stolen credit card account numbers from known cybercriminals in Eastern Europe. The men sent their payments through the online money-transfer service e-gold, which is heavily used in the criminal underground because transactions are fast, irreversible and seemingly anonymous. (The owners of e-gold are facing criminal charges.)
The four men used the data they received to counterfeit credit cards in "plants" throughout southern Florida.
The arrests came as a result of an earlier investigation into the activities and arrest of Julio Lopez and his girlfriend, Anett Villar. The Secret Service said Lopez, who used the screen name "Blinky," trafficked in counterfeit credit cards and identifications for years over the internet.
The recent arrests led to the recovery of more than 200,000 credit card account numbers used in connection with the ring's activity, which was responsible for fraud losses of more than $75 million. Secret Service agents also seized two pick-up trucks, $10,000 in cash and one handgun.
Because such a large number of stolen credit card numbers could come only via a data breach, this case proves "there's a huge connection between data breaches and ID theft," said Mari Frank, an attorney who became a consumer-rights advocate after having her identity stolen. "How can consumers protect themselves when cases like this are so far beyond their control?"
The President’s Identity Theft Task Force recommended federal legislation permitting companies involved in data breaches to determine whether consumers are at risk before notification, according to Frank. Such a law would overturn California's much stricter law, which requires companies to notify everyone whose personally sensitive information was stolen or lost in an electronic breach.
A "significant risk for identity theft trigger for notification recognizes that excessive breach notification can overwhelm consumers, causing them to take costly actions when there is little risk, or conversely, to ignore the notices when the risks are real," according to the task force's April "Combatting Identity Theft" plan.
But, the task force recommends, a national notification law should cover data that can be used to orchestrate identity theft, such as names, addresses or telephone numbers that are paired with Social Security or driver's license numbers.
"The standards should not cover data, such as a name and address alone. That by itself typically would not cause harm," the report says.
As it stands now, the threshold for notification is left up to the discretion of each of the more than 35 states that have approved data-incident reporting measures.
Two national breach alert bills have been approved by the Senate Judiciary Committee, although they differ in what threshold would require reporting to authorities and customers.
The Personal Data Privacy and Security Act of 2007 requires companies to report if the lost or stolen data posed "significant" risk to customers, while the Notification of Risk to Personal Data Act of 2007, introduced by Sen. Dianne Feinstein, D-Calif., names "reasonable risk" of harm as the threshold, according to a May report in the Washington Post.
Frank said this pending legislation leaves "the fox minding the hen house. They say there should be no notification [of a data loss] until a company decides there's reasonable risk of harm."
Bag Full Of Job Applications Found In Parking Lot
POSTED: 4:00 pm EDT July 9, 2007
ORANGE COUNTY, Fla. -- A pile of job applications with social security numbers and other personal information, sought after by identity thieves and home burglars, was found at a parking lot in west Orange County. The applications are from Orlando Financial Services on Colonial and Hastings.
The job application Chantelle Taylor filled out in March was in a stack of other applications containing personal and confidential information, found in a plastic bag under a tree at a McDonald's on West Colonial Drive, about a mile from Orlando Financial Services, the 24-hour check-cashing business where the applications were once stored.
"It blows my mind that a big company like this would just throw applications out and not shred them. Just throw them out for everyone to get," Taylor said.
Taylor worries someone could have used the information to steal her identity and ruin her credit.
Susan Regilus was surprised when Eyewitness News informed her that the application she turned in three months ago was also in the stack. She's been a victim of identity theft in the past.
"They had my signature, driver's license, copy of my driver's license, everything that you can imagine that you could go rent a car with, they had it," she said.
So how did it happen? Eyewitness News asked a shift manager for an explanation, but she couldn't come up with one.
"We're supposed to shred it. I don't know how. I don't know," the woman said, and suggested contacting the corporate office in Lawrenceville, Georgia.
Meanwhile, Chantelle Taylor, a 20-year-old single mom, may have her documents back, but she said she doesn't have the peace of mind she had before.
"They can track me down. I'm here by myself most of the time, you know. It upsets me so much. I'm almost speechless. I don't know what to say," Taylor said.
Calls made by Eyewitness News to Orlando Financial Services' corporate office in Georgia were not returned Monday afternoon.
Labels: Orlando Financial Services
Man To Face Charges
POSTED: 5:45 pm EDT July 4, 2007
UPDATED: 6:21 pm EDT July 4, 2007
BOSTON -- A man has been accused by police of stealing customers' personal information from a Bay State car dealership.
NewsCenter 5's Rhondella Richardson reported that William and Nancy Medlock love their new Subaru Forester, but they're very disappointed in their Somerset Subaru dealership because 158 vehicle purchase contracts were stolen from the dealership -- including theirs.
The managers didn't know about the theft until after Gerado Rosario, 41, of New Bedford, was arrested. He was accused of doctoring fake driver licenses with customer information and his photos. Police said that he easily applied for and maxed out new credit cards in several customers' names.
"We received a fraudulent Sears charge plus a fraudulent Best Buy, fraudulent Best Buy, fraudulent Circuit City, fraudulent Wal-mart," Nancy Medlock said.
"We seized signature pads, computer towers, laser jet printers," Acushnet Police Department Detective James Costa said.
Police said they seized high-end electronic equipment used in the alleged crimes and some of the fraudulently purchased merchandise. Police said they found cocaine in the suspect's apartment.
Rosario was arrested last Tuesday after surveillance pictures from Sears showed the suspect in the stores, allegedly making purchases in one couple's name.
"It's an awful feeling knowing that someone out there is pretending to be you," William Medlock said.
The identity theft victims bought cars between 2002 and 2006 and are from North Attleboro, Dartmouth, Swansea and Rhode Island. Only a few of the customers have noticed the credit card charges.
"$4,500 on a couple of accounts," Nancy Medlock said.
Police said that the suspect had at least three accomplices likely still on the job. Officials urged customers to check credit card bills carefully.
Copyright 2007 by TheBostonChannel.com. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
Labels: Bay State Car Dealership
Security Breach Could Affect Check, Credit Card Users
ThePittsburghChannel.com
Call 4 Action: Security Breach Could Affect Check, Credit Card Users
POSTED: 3:38 pm EDT July 3, 2007
UPDATED: 3:56 pm EDT July 3, 2007
There's word Tuesday of a massive data breach that could affect anyone who has ever written a check or swiped a credit card to pay for something.
A major financial processing company revealed that one of its employees sold millions of consumer records to a private broker.
The records included everything from bank account numbers, to driver's license information, to whether you pay by check or credit card.
Every time you ring up at the store, something inside the register checks to see if your payment should be authorized.
Merchants across the country use a company called Certegy, a subsidiary of Fidelity National Information Services, which has all the goods on you.
According to its Web site, Certegy knows your credit history, past and present checking account numbers, any history of unpaid checks and driver's license numbers.
The company said an employee recently sold the information of 2.3 million people to an unidentified data broker and that the broker then sold it to marketing companies.
So far, it does not appear the data was used for identity theft. But many of the affected customers are reporting heavy solicitation by telemarketers and through the mail.
Certegy said it would notify all affected customers. They said they believe they will be able to get the information back to prevent its future use.
Certegy said they fired the employee allegedly involved in the breach. The company said they are also suing him.
If you're worried about an onslaught of telemarketing calls, make sure your number is included in the Do Not Call registry. You can do that by calling 888-382-1222.
VA Investigator Blames IT Specialist, Lax Security For Major Data Loss
The VA's Office of Inspector General said the man who lost the missing hard drive also tried to hide the extent of the data loss from investigators.
By Sharon Gaudin
InformationWeek
July 3, 2007 03:37 PM
Investigators are saying the IT specialist who lost the external hard drive at the U.S. Department of Veterans Affairs failed to follow procedures that would have protected the data, and then he deleted and encrypted files to hide the extent of the data loss.
However, the VA's Office of Inspector General isn't stopping there with its criticism. James J. O'Neill, assistant inspector general for investigations, wrote in a report that managers did not follow security policies, failed to physically secure the building, gave the IT specialist too much access, and were not even physically present to oversee daily operations.
The VA, which has been plagued by lost computers in recent years, had earlier revealed that in late January an employee at the Birmingham, Ala., VA Medical Center reported an external hard drive missing. That drive, said the worker, may have contained veterans' personal files, some of which may have been stored on the drive in unencrypted form. The initial figures released to the public showed that 48,000 veterans' records were on the drive, and as many as 20,000 weren't encrypted.
Those numbers soon changed.
In February, the VA's Office of Inspector General announced it had determined that the lost data files may have included sensitive VA-related information on about 535,000 people. The investigation also found that information on about 1.3 million non-VA physicians -- both living and dead -- could have been stored on the missing hard drive as well. While VA officials say they believe most of the physician information is readily available to the public, some of the files may contain sensitive information.
The Inspector's report said the IT specialist, who was not named, delayed the investigation and accurate reporting of the extent of the loss.
The IT specialist encrypted and deleted multiple files from his computer shortly after he reported the data missing, making it more difficult to determine what was stored on his desktop computer, according to the report. "Initially, he denied deleting and encrypting files to criminal investigators," the report states. "However, after being confronted with the results of the OIG computer forensic analysis, he stated that he panicked and admitted deleting and encrypting the files in an attempt to hide the extent, magnitude, and impact of the missing data."
Leading up to the data loss, the IT specialist failed to password-protect files, and extracted identifiable patient information from records without authorization.
The report did not say how the hard drive was lost. It did, however, note that if policies had been followed in the VA's Birmingham, Ala., office, where the breach occurred, the loss could have been avoided.
For instance, the inspector noted that a VA policy mandated that sensitive data stored on portable devices must be encrypted. However, the local administrator in Birmingham simply relied on workers not to remove the devices from the office and asked that they be locked in a safe when not in use.
"In fact, several employees elected not to store their external hard drives in the safe, and at least one employee took home an external hard drive that contained privacy protected information concerning VA employees," the report noted. "Also, there were no records of when the safe was accessed or whether its contents were inventoried and accounted for; access to the safe was not adequately limited; and once an employee opened the safe, that employee had access to all other employees' external hard drives."
The report also pointed out that administrators there gave the IT specialist access to more data than they should have. He also was given programmer-level access that allowed him to extract information from medical records. " In one instance, he inappropriately incorporated employee health records into a research database, compromising the privacy of VA employees and violating the terms of the protocol," the report stated.
The VA's Office of Inspector General said the man who lost the missing hard drive also tried to hide the extent of the data loss from investigators.
By Sharon Gaudin
InformationWeek
July 3, 2007 03:37 PM
Investigators are saying the IT specialist who lost the external hard drive at the U.S. Department of Veterans Affairs failed to follow procedures that would have protected the data, and then he deleted and encrypted files to hide the extent of the data loss.
However, the VA's Office of Inspector General isn't stopping there with its criticism. James J. O'Neill, assistant inspector general for investigations, wrote in a report that managers did not follow security policies, failed to physically secure the building, gave the IT specialist too much access, and were not even physically present to oversee daily operations.
The VA, which has been plagued by lost computers in recent years, had earlier revealed that in late January an employee at the Birmingham, Ala., VA Medical Center reported an external hard drive missing. That drive, said the worker, may have contained veterans' personal files, some of which may have been stored on the drive in unencrypted form. The initial figures released to the public showed that 48,000 veterans' records were on the drive, and as many as 20,000 weren't encrypted.
Those numbers soon changed.
In February, the VA's Office of Inspector General announced it had determined that the lost data files may have included sensitive VA-related information on about 535,000 people. The investigation also found that information on about 1.3 million non-VA physicians -- both living and dead -- could have been stored on the missing hard drive as well. While VA officials say they believe most of the physician information is readily available to the public, some of the files may contain sensitive information.
The Inspector's report said the IT specialist, who was not named, delayed the investigation and accurate reporting of the extent of the loss.
The IT specialist encrypted and deleted multiple files from his computer shortly after he reported the data missing, making it more difficult to determine what was stored on his desktop computer, according to the report. "Initially, he denied deleting and encrypting files to criminal investigators," the report states. "However, after being confronted with the results of the OIG computer forensic analysis, he stated that he panicked and admitted deleting and encrypting the files in an attempt to hide the extent, magnitude, and impact of the missing data."
Leading up to the data loss, the IT specialist failed to password-protect files, and extracted identifiable patient information from records without authorization.
The report did not say how the hard drive was lost. It did, however, note that if policies had been followed in the VA's Birmingham, Ala. Office, where the breach occurred, the loss could have been avoided.
For instance, the inspector noted that a VA policy mandated that sensitive data stored on portable devices must be encrypted. However, the local administrator in Birmingham simply relied on workers not to remove the devices from the office and asked that they be locked in a safe when not in use.
"In fact, several employees elected not to store their external hard drives in the safe, and at least one employee took home an external hard drive that contained privacy protected information concerning VA employees," the report noted. "Also, there were no records of when the safe was accessed or whether its contents were inventoried and accounted for; access to the safe was not adequately limited; and once an employee opened the safe, that employee had access to all other employees' external hard drives."
The report also pointed out that administrators there gave the IT specialist access to more data than they should have. He also was given programmer-level access that allowed him to extract information from medical records. "In one instance, he inappropriately incorporated employee health records into a research database, compromising the privacy of VA employees and violating the terms of the protocol," the report stated.
Labels: US Dept. of Veterans Affairs
2.3 million consumer financial records stolen
Former Fidelity National Information Services broker sold information
By Ron Word
The Associated Press
Updated: 1:33 p.m. CT July 3, 2007
JACKSONVILLE, Fla. - Fidelity National Information Services, a financial processing company, said Tuesday a worker at one of its subsidiaries stole 2.3 million consumer records containing credit card, bank account and other personal information.
The employee sold the information to an unidentified data broker. The broker then sold it to several direct marketing companies, but the data was not used in identity theft or other fraudulent financial activity, officials from Fidelity subsidiary Certegy Check Services Inc. said in a conference call.
About 2.2 million records stolen from Certegy contained bank account information and 99,000 contained credit card information, company officials said.
“As a result of this apparent theft, the consumers affected received marketing solicitations from the companies that bought the data,” said Renz Nichols, president of St. Petersburg-based Certegy.
“We believe that is the extent of any damage to the public,” he said.
The company has found no fraudulent use of the information. An investigation is continuing by the U.S. Secret Service and Pinellas County Sheriff’s Office. Those agencies didn’t return phone messages seeking comment.
Certegy has asked a court in St. Petersburg to get back all the information from the employee and the marketing companies as well as to stop its use.
Certegy officials said they had contacted the data broker and the marketing companies and believed the company would be able to get the data back and prevent its future use. The broker and the companies did not know they were buying stolen information, officials said. Certegy did not release their names.
Certegy will notify all affected consumers of the theft and has contacted major credit agencies, Nichols said.
The employee, whose name was not released, was fired. He was identified as a senior level database administrator who had worked for the company for seven years.
Nichols characterized him as a “rogue and dishonest employee.” He said the company will seek civil penalties against the former worker and wants criminal charges filed against him.
The investigation began in May when Certegy learned that some of its customers were being solicited by telephone and mail. It launched an investigation and was unable to detect any breach of its security systems. It hired a forensic investigator to validate its findings and contacted the Secret Service, Nichols said.
The federal agency contacted the marketing companies to question the source of their information and determined it came from a company owned and operated by the Certegy employee. Nichols said he did not know how much money the employee received.
Shares in Jacksonville-based Fidelity National Services slipped 4 cents to $54.74 in morning trading. Certegy has about 1,000 employees.
© 2007 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
URL: http://www.msnbc.msn.com/id/19582088/
Labels: Fidelity National Info Services