Monday, March 29, 2010
Gonzalez sentenced to 20 years for Heartland break-in
Update: Term to run concurrently with 20-year terms from two other cases Thursday
Nancy Weil
March 26, 2010 (Computerworld) Hacker Albert Gonzalez, who participated in a cybercrime ring that stole tens of millions of credit and debit card numbers, was sentenced Friday in U.S. District Court to 20 years in prison.
The sentence, imposed by U.S. District Court Judge Douglas P. Woodlock, was for Gonzalez's role in a hacking ring that broke into computer networks of Heartland Payment Systems, which processed credit and debit card transactions for Visa and American Express, Hannaford Supermarkets and 7-Eleven.
The sentence is actually 20 years and one day, owing to the need to deal with peculiarities in sentencing statutes, because Woodlock had to take into account that Gonzalez was on pretrial release for an unrelated crime when he took up with the international network of hackers responsible for the security breaches.
He was at the time supposed to be serving as an informant for the U.S. Secret Service, but he double-crossed the agency, supplying a co-conspirator with information obtained as part of those investigations.
"I am guilty of these crimes ... I accept full responsibility for these actions," Gonzalez said at the sentencing, reiterating what he said Thursday about "exploiting" his relationship with a government agency, though he did not name it.
He also referred to the "dishonor" he brought to his parents and their home, where he buried more than $1 million in the backyard. He forfeited that money, as well as other goods, when he was arrested.
"I plead for leniency," he said. "I understand that the road to redemption is going to be long for me," adding that it was his hope, however, that he would be able to be on that road someday.
The sentence will run concurrently with two other 20-year concurrent sentences meted out Thursday, also in the U.S. District Court for the District of Massachusetts, by a different federal judge, Patti B. Saris.
Gonzalez pleaded guilty in all three cases last December, with the U.S. Department of Justice agreeing to seek no more than 25 years in prison in each case, all to run concurrently.
Gonzalez, 28, was living in Miami at the time of the crimes in the three cases, which occurred over almost two years before he was arrested in May of 2008 and subsequently indicted in New York, New Jersey and Massachusetts, with the cases eventually being moved to the same federal court jurisdiction.
Besides the companies targeted in the case heard Friday, a ring that Gonzalez led hacked into computer networks of major retailers including TJX, DSW, Barnes & Noble, Office Max and Dave & Buster's.
They stole tens of millions of credit and debit card numbers, using some to make withdrawals at ATMs and selling millions of the numbers to other criminals, in what prosecutors termed "unparalleled" online theft.
The case before Judge Woodlock differed from those heard by Judge Saris in a number of substantive ways, according to both Assistant U.S. Attorney Stephen Heymann and defense attorney Martin Weinberg. First, Gonzalez was not the leader of the international network of hackers, as he was with the cybercrime group that hacked the retailers and the Dave & Buster's restaurant network.
In the group where he was the mastermind, the criminals knew each other personally, in some instances having gone to school together and socialized together. Most of their hacking was done in cars or when the criminals were physically near a location, breaching networks wirelessly to steal information.
In contrast, the international ring came together through connections made only in cyberspace, with no real hierarchical structure. They were a group of "elite international hackers ... moving seamlessly over international borders," Heymann said.
The international group used more sophisticated SQL injection attacks and had advanced from hacking into retailers' systems to attacking the financial system itself, Heymann said to answer questions from Judge Woodlock, who sought an explanation for differences between the cases.
"It acts like a tremor," rippling through the system and shaking the faith of people in credit and debit card transactions and companies. Customers can choose to not shop with a retailer whose system has been proven vulnerable to hackers, but that's not so easy to do when the companies under attack are those that process payments.
That international aspect and the way in which the cyberthieves connected made the case before Judge Woodlock particularly "dangerous" and part of an increasingly sophisticated approach to cybercrime that is particularly troubling to law enforcement agencies, Heymann noted.
While Judge Woodlock took all of that in, he also said that he believed that Judge Saris' sentences were reasonable and that it would be appropriate for him to impose the same number of years. After doing so, he offered advice to Gonzalez, whose intelligence and "gifts" the judge recognized.
"People with your gifts often find themselves dealing obsessively with computers," he said, adding that Gonzalez misapplied his abilities, and that while "the perception is that there's no harm if you don't see the people," the judge had heard from some of those affected in victim impact statements.
He was especially taken by an elderly couple whose lives were badly disrupted when their private information was obtained through hacking into the Hannaford system. And so it was his duty, Judge Woodlock said, to address the issue of deterrence and to impose a sentence that would send a message to other cybercriminals and would-be cybercriminals.
"You're going to lose the middle part of your life because of this," he told Gonzalez. "You're in your middle 20s, you'll be in your middle 40s when you get out. You'll feel that. ... This is real time. And it's meant to deliver a message to others."
That wasn't the only message the judge delivered. In a major twist to the case -- and all three cases have been full of twists and turns -- the sentencing hearing opened with Judge Woodlock taking up issues related to sealed court documents in the case dealing with two unnamed payment-processing companies whose security systems Gonzalez breached, also by SQL injection attacks, and planted malware on in November of 2007.
Those companies -- referred to in documents and in court Friday as "Company A" and "Company B" -- sought protective orders under the Massachusetts law that protects victims' rights.
The DOJ had agreed when the indictments were prepared that the companies would remain unnamed because neither one has publicly disclosed the breaches. Attorneys for the companies each argued -- unconvincingly as it turned out -- that because no customer data was stolen or ever used by criminals that they had no legal obligation to make the breaches known. They further argued that the companies they represent have a right to privacy.
Judge Woodlock clearly was not buying that argument from the get-go, declaring outright that in his view companies have no such right even though such notions are "in the air these days."
He made obvious references to a recent controversial U.S. Supreme Court ruling that said otherwise when it comes to corporate rights. But at least in Judge Woodlock's courtroom, such rights will not be conferred -- he intends to unseal the court documents and therefore publicly name the two companies because shareholders and customers have a right to know that their security systems were, even if they are not now, vulnerable.
He also was not moved by the argument that the breaches occurred long enough ago that it's no longer relevant to let customers know that they occurred. "They've had three years to alert their shareholding public -- they've chosen not to, improvidently," he said.
The two companies will not be part of whatever restitution agreement is reached in the case because they did not suffer financial losses. The matter of restitution was not taken up by Judge Woodlock and will be combined with restitution in the cases before Judge Saris.
Exactly how much financial damage was done may never be fully known, but the effects on companies involved were severe enough to warrant filings with the U.S. Securities and Exchange Commission.
And Heartland, for instance, says it lost nearly $130 million because of the security breaches. Heartland agreed to multimillion-dollar settlements with Visa and American Express for damages incurred by those companies in the thefts, which set off a reappraisal of corporate network security overall and prompted widespread changes as businesses sought to shore up security.
As Heymann noted, the efforts of Gonzalez's hacking ring also led the companies involved on a wild chase to close back doors and other entry points that the hackers exploited to access systems, which cost them yet more money.
A restitution hearing was set by Judge Saris for June 25.
And while the companies involved will be engaged in figuring out what to tell the court about how much they lost financially, the loss for Gonzalez's family was evident in the courtroom Thursday and Friday. His parents and sister attended the hearings -- he sought them out when he entered the courtroom to offer them a smile, and Friday as he was led out, as they wiped tears away, he mouthed a "good-bye" to them.
Cybersecurity bill passes first hurdle
Senate Commerce Committee approves closely watched Cybersecurity Act
Jaikumar Vijayan
March 24, 2010 (Computerworld) A closely watched bill that promises to introduce some major changes on the federal cybersecurity front was approved by the Senate Commerce Committee today just days after it was introduced by Senators Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine).
The proposed legislation is called the Cybersecurity Act (S.773) and is a revised version of a bill that was originally introduced by the two Senators last year.
It seeks to improve national cybersecurity preparedness by fostering a closer collaboration between the government and private sector companies, which own a vast portion of the country's critical infrastructure.
The bill would require the President to work with owners of critical infrastructure systems to identify and properly classify IT systems whose disruption would threaten strategic national interests.
It would also require federal agencies that are involved in cybersecurity to share information with private sector operators of critical infrastructure networks.
The bill contains several provisions designed to encourage the growth of a trained and certified cybersecurity workforce, promote public awareness of cybersecurity issues and to foster and fund research leading to the development of new security technologies.
If passed, the bill would require agency heads to provide information on their cybersecurity workforce plans including recruitment, hiring and training details.
But a controversial provision in the original bill that would have given the president near complete authority to disconnect private and government networks from the Internet in the event of a cyber emergency has been removed in the new version of the bill.
Instead, the revised bill calls for the President to work with key executives in critical infrastructure industries to formulate an appropriate response in a cyber crisis.
The smooth passage of the bill through the Senate Commerce Committee is a sign of the broad bipartisan support that the bill has garnered so far. Many see the legislation as vital to building the capabilities needed to respond to the array of cyber threats facing government, critical infrastructure and private industry these days.
In a statement, Mike Bregman, Symantec Corp.'s chief technology officer, lauded the passage of the bill out of committee. "The bill recognizes cybersecurity as a shared, public/private collaboration, led by private sector innovation and based on market-driven incentives," Bregman said.
The bill comes amid heightened concern in Washington over the recent attacks against Google and dozens of other high-tech companies apparently by operatives based in China.
The attacks have prompted calls for the U.S. to develop a formal cybersecurity strategy that is focused on shoring up defenses while building out cyber offensive capabilities.
The Rockefeller-Snowe legislation is one of two major bills that have been proposed in Congress recently. The other bill is called the International Cybercrime Reporting and Cooperation Act, and is sponsored by Sens. Kirsten Gillibrand (D-NY) and Orrin Hatch (R-UT).
The bill, introduced in the Senate earlier this week, seeks to curtail aid, financial help and trade programs with countries that are seen as havens for cybercriminals. It has already garnered industry support from the likes of American Express, Mastercard, Visa, eBay, Facebook, Microsoft and Cisco, Gillibrand's office said.
Meanwhile, a separate proposal is being floated among lawmakers and the U.S. State Department for the creation of an ambassador-level position for negotiating cyber-security matters at the United Nations and for ensuring the country has a consistent international policy on the issue.
Data theft targets 3.3 million with student loans
Social security numbers, addresses taken, but not financial information
By Steve Karnowski
The Associated Press
updated 8:39 p.m. CT, Fri., March 26, 2010
MINNEAPOLIS - A company that guarantees federal student loans said Friday that personal data on about 3.3 million people nationwide has been stolen from its headquarters in Minnesota.
Educational Credit Management Corp. said the data included names, addresses, Social Security numbers and dates of birth of borrowers, but no financial or bank account information.
The data was on "portable media" that was stolen sometime last weekend, ECMC said in a statement. Company spokesman Paul Kelash wouldn't specify what was taken, citing the ongoing investigation, but said there were no indications of any misuse of the data.
The St. Paul-based nonprofit said it discovered the theft last Sunday and immediately contacted law enforcement, and made the theft public when it received permission from authorities. The Minnesota Bureau of Criminal Apprehension is leading the investigation.
ECMC said it has arranged with credit protection agency Experian to provide affected borrowers with free credit monitoring and protection services. Borrowers will be receiving letters from ECMC soon on how to sign up, gain access to fraud resolution representatives, and be provided with identity theft insurance coverage.
"We deeply regret that this incident occurred and the stress it has caused our borrowers and our partners and are doing everything we can to help protect our borrowers' identity and personal information," Richard Boyle, president and CEO of ECMC, said in the statement.
ECMC is a contractor for the U.S. Department of Education to provide collection and document management services. It guarantees student loans through the Federal Family Education Loan program, and provides support services for student loans that are in default or bankruptcy. The company can act as the guarantor, loan holder or loan servicer.
Department of Education spokesman Justin Hamilton said protecting student privacy is a top priority.
"We are working with ECMC to make sure that affected individuals are provided with resources to protect their information and to provide them with identity theft insurance," Hamilton said.
Those who believe they may be affected were encouraged to visit ECMC's Web site, or call 1-877-449-3568 beginning Saturday.
According to the Privacy Rights Clearinghouse, more than 347 million individuals have been affected by data privacy breaches at hundreds of government agencies, universities and businesses since 2005.
Associated Press writer Dorrie Turner contributed to this story from Atlanta.
Former TSA Worker Charged With Hacking
The Department of Justice indictment alleges that a former TSA employee tampered with servers containing data from the Terrorist Screening Database.
By Elizabeth Montalbano, InformationWeek
March 11, 2010
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=223500107
The Department of Justice has charged a Colorado man and former Transportation Security Administration (TSA) employee with trying to inject malicious code into TSA databases.
A federal jury indicted Douglas James Duchak, 46, of Colorado Springs, Colo., late Tuesday on two counts of intentionally attempting to damage a protected computer, according to a DoJ press release.
Duchak was an employee at the TSA's Colorado Springs Operations Center (CSOC) from August 2004 through Oct. 23, 2009. He worked as a data analyst in charge of updating TSA computers with information received from the federal government's Terrorist Screening Database and the U.S. Marshal's Service Warrant Information Network.
On Oct. 22, 2009, seven days after he was told his employment would be terminated on Oct. 30, Duchak injected unauthorized code into the CSOC server containing data from the U.S. Marshal's Service Warrant Information Network, the DoJ alleges. That action comprises the first count of the indictment.
The next day he allegedly tried to load malicious code onto a server that contained the Terrorist Screening Database, the action comprising the second count.
If convicted, Duchak faces up to 10 years in federal prison, and a fine of up to $500,000 -- $250,000 per count.
Duchak surrendered to U.S. Marshals Wednesday morning and appeared in court in the U.S. District Court in Denver that afternoon. He pleaded not guilty and was released on a $25,000 bond, according to the court.
The TSA has been tightening security since TSA screeners failed to catch a man who attempted to blow up a U.S. flight from Amsterdam to Detroit on Christmas Day.
The TSA Office of Inspection, the Department of Homeland Security (DHS) Office of the Inspector General, and the FBI investigated the case, which is being prosecuted by Assistant U.S. Attorney Patricia Davies.
Pennsylvania CISO out of a job following RSA Conference appearance
Bob Maley, Pennsylvania's CISO since 2005, is out of a job, days after he joined a group of other state IT security chiefs on an RSA Conference panel and reportedly offered candid remarks about a recent data breach.
Gary Tuma, a spokesman for Gov. Ed Rendell, told SCMagazineUS.com on Thursday, that Maley was no longer employed by the state. He would not say whether he was fired.
"Beyond that, it's a personnel issue and we don't discuss it," he said.
Maley's final day in his $90,661-a-year post was Monday.
A call placed to Maley's cell phone went directly to voicemail.
During the panel at the RSA Conference last week in San Francisco, titled "The Front Lines: Cyber Security in the States," Maley was scheduled to join CISOs from California, Colorado and Nevada.
According to the conference agenda, the discussion was to center "on the challenges they face, the evolving nature of their state cybersecurity programs, and how government and industry are working together to make a difference. This session is very interactive featuring earnest discussion about how state CISOs manage their crucial role in cybersecurity."
But Maley may have gotten too earnest, according to reports. According to "The Public Eye with Eric Chabrow" blog, Maley offered frank details on a recent intrusion of the Pennsylvania Department of Transportation site where residents can schedule driver's license tests.
"We saw thousands of hits on our Department of Transportation driver license exam scheduling site coming out of Russia, the same thing over and over, scheduling driver license exams," he said during the panel, according to Chabrow's blog. "It was encrypted traffic, and we were trying to figure out what the heck was going on. Were they trying to test our systems? What exactly were they up to? The answer was, we really didn't know."
Maley told the audience that the hacker, who owned a driving school in Philadelphia, used a proxy server in Russia to mask his identity and then exploited a system bug so he could schedule exams for his students. Normally, the waiting list for available slots is up to six weeks.
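The pattern Maley describes, one client booking the same resource over and over through a foreign proxy, is the kind of thing a web-log review surfaces long before anyone knows which application bug is being exploited. The following is an added example, not code from the SC Magazine story or from Pennsylvania's systems: it parses constructed Apache combined-format log lines, counts successful booking POSTs per client IP over a sliding window, and flags clients that exceed a threshold. The `/schedule` path, the GeoIP table, the sample addresses (from the documentation ranges) and the thresholds are all assumptions.

```python
"""
Added example (not from the article or from PennDOT): flag a client that
repeatedly books appointments on a scheduling endpoint.  Log lines,
endpoint path, GeoIP table and thresholds are constructed/assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one client (via an assumed Russian proxy) books a slot
# every few seconds; the other clients each touch the endpoint once.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Mar/2010:09:00:01 -0500] "POST /schedule HTTP/1.1" 302 0
203.0.113.9 - - [10/Mar/2010:09:00:04 -0500] "POST /schedule HTTP/1.1" 302 0
203.0.113.9 - - [10/Mar/2010:09:00:07 -0500] "POST /schedule HTTP/1.1" 302 0
198.51.100.4 - - [10/Mar/2010:09:01:10 -0500] "POST /schedule HTTP/1.1" 302 0
203.0.113.9 - - [10/Mar/2010:09:00:10 -0500] "POST /schedule HTTP/1.1" 302 0
203.0.113.9 - - [10/Mar/2010:09:00:13 -0500] "POST /schedule HTTP/1.1" 302 0
192.0.2.77 - - [10/Mar/2010:09:02:30 -0500] "GET /schedule HTTP/1.1" 200 5123
203.0.113.9 - - [10/Mar/2010:09:00:16 -0500] "POST /schedule HTTP/1.1" 302 0
"""

# Apache "combined"/"common" request line: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed lookup result; a real deployment would query a GeoIP database.
ASSUMED_GEOIP = {"203.0.113.9": "RU", "198.51.100.4": "US", "192.0.2.77": "US"}


def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def find_booking_abuse(events, path="/schedule",
                       window=timedelta(minutes=5), threshold=5):
    """Return {ip: peak_count} for clients whose successful POSTs to `path`
    reach `threshold` inside any sliding window of length `window`.
    A sliding window catches a slow, steady stream as well as a burst."""
    by_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == path and e["status"] in (200, 302):
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()            # log lines are not guaranteed to be in order
        start, peak = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def enrich(flagged, geoip=ASSUMED_GEOIP):
    """Attach the (assumed) country so an analyst sees origin next to volume."""
    return {ip: {"bookings": n, "country": geoip.get(ip, "??")}
            for ip, n in flagged.items()}


if __name__ == "__main__":
    for ip, info in enrich(find_booking_abuse(parse_log(SAMPLE_LOG))).items():
        print(f"{ip} ({info['country']}): {info['bookings']} bookings in window")
```

Two caveats the story itself makes clear. The proxy meant the traffic looked Russian while the operator was in Philadelphia, so country alone is a weak signal and blocking by geography would not have fixed the application bug; volume per source is what made the abuse visible. And a more careful abuser spreads requests across many proxies, so in practice the count should also be keyed on whatever the application uses to identify the booker (account, session, or the student identifiers being submitted), not only on the client IP.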
Tuma said Maley's duties would be handled by other members of the security team. No replacement has been announced.
Maley, who was 53 last July when he spoke to SC Magazine for a cover story on data breach response, was instrumental in developing a statewide strategy for preventing data-leakage incidents after some 500,000 state records were compromised in 2007.
He and his team analyzed the threat landscape to determine what posed the most risk to the state's confidential records, Maley said in the story. The undertaking included encrypting any computers not housed in a secure facility, mainly laptops. But given Pennsylvania's investment in electronic government services, the main thrust of the project was testing web applications for vulnerabilities to hackers.
Maley, a former police officer in Harrisburg, Pa., was a finalist for this year's SC Magazine CSO of the Year award, which was won by his RSA panel-mate, Mark Weatherford of the state of California.
HSBC says thousands of customers were affected by data theft
Former IT employee tried to sell stolen customer details for more than £2m
Angelica Mari, Computing 11 Mar 2010
A former HSBC employee stole client data from the bank affecting up to 24,000 customers in Switzerland, it emerged today.
“The theft, which was perpetrated by a former IT employee about three years ago, involves approximately 15,000 existing clients who had accounts with the bank in Switzerland before October 2006,” HSBC said in a statement.
However, reports suggest that an additional 9,000 accounts were also affected.
Ex-staffer Herve Falciani copied the data onto a personal computer and left for France while under investigation. He was allegedly trying to sell the data for more than £2m.
Back in December, HSBC said that fewer than 10 clients were affected by the thefts, which took place in 2006 and 2007.
HSBC has been in touch with the customers concerned. The bank believes the stolen data will not allow unauthorised people to access those accounts, despite the fact that the incident could mean that some of the account holders affected could be risking prosecution by tax authorities.
"We deeply regret this situation and unreservedly apologise to our clients for this threat to their privacy," said Alexandre Zeller, chief executive of the Swiss subsidiary.
Threat Level Privacy, Crime and Security Online Lifelock Dinged $12 Million for Deceptive Business Practices
By Kim Zetter March 9, 2010 | 3:34 pm | Categories: Crime, Cybersecurity
The CEO of Lifelock, Todd Davis, became famous for advertising his Social Security number on television ads and billboards promising his $10 monthly service would protect consumers from identity theft.
The company also offered a $1 million guarantee to compensate customers for losses incurred if they became a victim of identity theft after signing up for the service.
But the Federal Trade Commission said Tuesday that the claims were bogus and accused Lifelock, based in Arizona, of operating a scam and con operation. The commission announced, along with 35 state attorneys general, that it had levied a fine of $12 million against the company for deceptive business practices and for failing to secure sensitive customer data. Of that amount, $11 million will go to refund customers who subscribed to the service. Consumers will receive a letter from the FTC and their attorney general explaining how to take part in the settlement.
The FTC said that Lifelock, which advertises itself as “#1 In Identity Theft Protection,” engaged in false advertising by promising customers that if they signed up with its service their personal information would become useless to thieves.
“In truth, the protection they provided left such a large hole … that you could drive that truck through it,” said FTC Chairman Jon Leibowitz, referring to a Lifelock TV ad showing a truck painted with the CEO’s Social Security number driving around city streets.
The company, he said, used scare tactics to convince potential customers they would be unprotected from identity theft without its service, warning them in letters that they were at high risk of identity theft.
“I was a recipient of one letter,” Illinois Attorney General Lisa Madigan said.
For the annual subscription fee, Lifelock promised customers that it would place fraud alerts on their credit accounts with the three credit reporting agencies. As a result, the company said, thieves would not be able to open unauthorized credit or bank accounts in their name.
But Leibowitz said the promises were deceptive because thieves could still rack up unauthorized charges on existing accounts — the most common type of identity theft. It also couldn’t prevent thieves from obtaining a loan in a Lifelock customer’s name.
In fact, Lifelock CEO Davis was the victim of identity theft in 2007 when a thief used his widely advertised Social Security number to obtain a $500 loan in Davis’ name.
Lifelock also promised customers that sensitive data they provided the company to perform its protection services — such as their Social Security number, name and address and bank card information — would be encrypted and protected in other ways on Lifelock’s servers and accessed only by authorized employees on a need-to-know basis.
“Your documents, while in our care, will be treated as if they were cash,” the company promised.
In truth, the FTC said, until at least September 2007, the company failed to provide “reasonable and appropriate security to prevent unauthorized access to personal information stored on its corporate network” either in transit through the network, stored in a database or transmitted over the internet.
None of the data was encrypted, said the FTC, either in storage or in transit. The company also had poor password management practices for employees and vendors who accessed the information. Lifelock also failed to limit access to sensitive data to only those people who needed access.
What’s more, the company failed to apply critical security patches and updates to its network and “failed to employ sufficient measures” to detect and prevent unauthorized access to its network, “such as by installing antivirus or antispyware programs on computers used by employees to remotely access the network or regularly recording and reviewing activity on the network,” the complaint said.
The latter is particularly ironic. Lifelock often promoted its services to companies that experienced data breaches, convincing them to offer a complimentary Lifelock subscription to people whose data was compromised in a breach. All the while, the FTC claims, Lifelock was making its own customer information vulnerable to a breach.
“As a result of these practices, an unauthorized person could obtain access to personal information stored on defendants’ corporate network, in transit through defendants’ corporate network or over the internet, or maintained in defendants’ offices,” according to the complaint.
According to the terms of an FTC settlement agreement with Lifelock to settle the allegations, the company must inform consumers about the limitations of its service. The company will also have to implement a data security program to protect the customer data it handles.
“As long as the company is honest and up front and lets consumers know what they’re getting and has adequate security safeguards for customer information, we wish them well,” said Leibowitz.
Lifelock said in a statement that, in October, it “rolled out the next generation of identity theft protection services that provide even better and broader protection to its valued members.” The company added that its new-and-improved service, which was not the subject of the FTC inquiry, has prevented more than 5,000 fraudulent credit applications.
The company and its owners have been at the center of controversy for a number of years. According to an investigative report by the Phoenix New Times in 2007, Lifelock co-founder Robert Maynard Jr., was suspected at one time of being an identity thief himself and stealing his father’s identity to obtain an American Express card. He had also been the target of another FTC investigation involving a previous business venture unrelated to Lifelock. Maynard resigned from the company after news of his past was published, but he continued to work for the firm as a contractor.
Read More http://www.wired.com/threatlevel/2010/03/lifelock-accused-of-running-con-operation/#ixzz0jZsUUwDd
LifeLock Will Pay $12 Million to Settle Charges by the FTC and 35 States That Identity Theft Prevention and Data Security Claims Were False
LifeLock, Inc. has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services, which it widely advertised by displaying the CEO’s Social Security number on the side of a truck.
In one of the largest FTC-state coordinated settlements on record, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers.
“While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it,” said FTC Chairman Jon Leibowitz.
“This agreement effectively prevents LifeLock from misrepresenting that its services offer absolute prevention against identity theft because there is unfortunately no foolproof way to avoid ID theft,” Illinois Attorney General Lisa Madigan said. “Consumers can take definitive steps to minimize the chances of having their personal information stolen, and this settlement will help them make more informed decisions about whether to enroll in ID theft protection services.”
Since 2006, LifeLock’s ads have claimed that it could prevent identity theft for consumers willing to sign up for its $10-a-month service.
According to the FTC’s complaint, LifeLock has claimed:
“By now you’ve heard about individuals whose identities have been stolen by identity thieves . . . LifeLock protects against this ever happening to you. Guaranteed.”
“Please know that we are the first company to prevent identity theft from occurring.”
“Do you ever worry about identity theft? If so, it’s time you got to know LifeLock. We work to stop identity theft before it happens.”
The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. It also allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs. And even for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection. They alert creditors opening new accounts to take reasonable measures to verify that the individual applying for credit actually is who he or she claims to be, but in some instances, identity thieves can thwart even reasonable precautions.
New account fraud, the type of identity theft for which fraud alerts are most effective, comprised only 17 percent of identity theft incidents, according to an FTC survey released in 2007.
The FTC’s complaint further alleged that LifeLock also claimed that it would prevent unauthorized changes to customers’ address information, that it constantly monitored activity on customer credit reports, and that it would ensure that a customer always would receive a telephone call from a potential creditor before a new account was opened. The FTC charged that those claims were false.
In addition to its deceptive identity theft protection claims, LifeLock allegedly made claims about its own data security that were not true. According to the FTC, LifeLock routinely collected sensitive information from its customers, including their social security numbers and credit card numbers. The company claimed:
“Only authorized employees of LifeLock will have access to the data that you provide to us, and that access is granted only on a ‘need to know’ basis.”
“All stored personal data is electronically encrypted.”
“LifeLock uses highly secure physical, electronic, and managerial procedures to safeguard the confidentiality and security of the data you provide to us.”
The FTC charged that LifeLock’s data was not encrypted, and sensitive consumer information was not shared only on a “need to know” basis. In fact, the agency charged, the company’s data system was vulnerable and could have been exploited by those seeking access to customer information.
LifeLock, Inc. has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services, which it widely advertised by displaying the CEO’s Social Security number on the side of a truck.
In one of the largest FTC-state coordinated settlements on record, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers.
“While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it,” said FTC Chairman Jon Leibowitz.
“This agreement effectively prevents LifeLock from misrepresenting that its services offer absolute prevention against identity theft because there is unfortunately no foolproof way to avoid ID theft,” Illinois Attorney General Lisa Madigan said. “Consumers can take definitive steps to minimize the chances of having their personal information stolen, and this settlement will help them make more informed decisions about whether to enroll in ID theft protection services.”
Since 2006, LifeLock’s ads have claimed that it could prevent identity theft for consumers willing to sign up for its $10-a-month service.
According to the FTC’s complaint, LifeLock has claimed:
“By now you’ve heard about individuals whose identities have been stolen by identity thieves . . . LifeLock protects against this ever happening to you. Guaranteed.”
“Please know that we are the first company to prevent identity theft from occurring.”
“Do you ever worry about identity theft? If so, it’s time you got to know LifeLock. We work to stop identity theft before it happens.”
The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. It also allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs. And even for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection. They alert creditors opening new accounts to take reasonable measures to verify that the individual applying for credit actually is who he or she claims to be, but in some instances, identity thieves can thwart even reasonable precautions.
New account fraud, the type of identity theft for which fraud alerts are most effective, comprised only 17 percent of identity theft incidents, according to an FTC survey released in 2007.
The FTC’s complaint further alleged that LifeLock also claimed that it would prevent unauthorized changes to customers’ address information, that it constantly monitored activity on customer credit reports, and that it would ensure that a customer always would receive a telephone call from a potential creditor before a new account was opened. The FTC charged that those claims were false.
In addition to its deceptive identity theft protection claims, LifeLock allegedly made claims about its own data security that were not true. According to the FTC, LifeLock routinely collected sensitive information from its customers, including their social security numbers and credit card numbers. The company claimed:
“Only authorized employees of LifeLock will have access to the data that you provide to us, and that access is granted only on a ‘need to know’ basis.”
“All stored personal data is electronically encrypted.”
“LifeLock uses highly secure physical, electronic, and managerial procedures to safeguard the confidentiality and security of the data you provide to us.”
The FTC charged that LifeLock’s data was not encrypted, and sensitive consumer information was not shared only on a “need to know” basis. In fact, the agency charged, the company’s data system was vulnerable and could have been exploited by those seeking access to customer information.
The FTC and state settlements with LifeLock bar deceptive claims, and prohibit the company from misrepresenting the “means, methods, procedures, effects, effectiveness, coverage, or scope of any identity theft protection service.” They also bar misrepresentations about the risk of identity theft, and the manner and extent to which LifeLock protects consumers’ personal information. In addition, the settlements require LifeLock to establish a comprehensive data security program and obtain biennial independent third-party assessments of that program for twenty years.
The Attorneys General of Alaska, Arizona, California, Delaware, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Mississippi, Montana, Nebraska, Nevada, New Mexico, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Vermont, Virginia, Washington, and West Virginia participated in this settlement.
In addition to LifeLock, the FTC complaint named co-founders Richard Todd Davis and Robert J. Maynard, Jr., who will be barred from the same misrepresentations as LifeLock.
The Commission vote to authorize staff to file the complaint and the settlement with LifeLock and Richard Todd Davis was 4-0. The Commission vote to authorize staff to file the settlement with Robert J. Maynard, Jr. was 3-1, with Commissioner J. Thomas Rosch dissenting. The documents were filed in the U.S. District Court for the District of Arizona.
The FTC will use the $11 million it receives from the settlements to provide refunds to consumers. It will be sending letters to the current and former customers of LifeLock who may be eligible for refunds under the settlement, along with instructions for applying. Customers do not have to contact the FTC to be eligible for refunds. Up-to-date information about the redress program can be found at 202-326-3757 and at www.ftc.gov/lifelock.
NOTE: The Commission files a complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaint is not a finding or ruling that the defendant has actually violated the law. Stipulated judgments are for settlement purposes only and do not constitute an admission by the defendant of a law violation. Consent judgments have the force of law when signed by the judge.
In addition to announcing the LifeLock case, the FTC’s Northeast Regional Office sponsored an event to kick off National Consumer Protection week. The goal was to alert consumers to the top complaint categories in the Northeast Region and to arm consumers with the tools to recognize and protect themselves against all types of fraud. Also participating were the Better Business Bureau serving Metropolitan New York, the New York Attorney General’s Office, the New York City Department of Consumer Affairs, and AARP.
The Federal Trade Commission works for the consumer to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, click http://www.ftccomplaintassistant.gov or call 1-877-382-4357. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to more than 1,700 civil and criminal law enforcement agencies in the U.S. and abroad. For free information on a variety of consumer topics, click http://www.ftc.gov/bcp/consumer.shtm.
Wyndham Hotel group hacked over three-month period
Wyndham Hotel group hacked over three-month period to leave customer credit card data compromised
Dan Raywood
March 01 2010
Guests of Wyndham Hotels may have had their card details compromised following intervention by a hacker in late January.
In an open letter posted on its website senior vice president of enterprise compliance and employment counsel at Wyndham Worldwide, Kirsten Hotchkiss, said that it ‘discovered that a sophisticated hacker penetrated the computer systems of one of the Wyndham Hotels and Resorts (WHR) data centres over a three-month period'.
She confirmed that guest names and card numbers, expiration dates and other data from the card's magnetic stripe were compromised. However, because only payment card information (and no contact details) was taken, she said the company could not at this time confirm which individuals' card information may have been acquired, although no criminal identity theft related to use of the data had been identified at the time of posting.
She said: “By going through the centralised network connections, the hacker was able to access and download information from several, but not all, of the WHR hotels and remove payment card information of a small percentage of our WHR customers. The incident did not affect any of the other branded hotels in the Wyndham Hotel Group system.”
Wyndham said that the data was moved off-site between late October, 2009 and January 2010, when the incident was discovered. It said that it became aware of the incident after guests reported that their cards had been stolen and used fraudulently after staying at one of the WHR hotels.
It responded by shutting down the impacted server and terminating all traffic to the offsite URL. A PCI (Payment Card Industry) assessment firm has been retained to perform a forensic investigation of the incident, which includes a review of certain hotel property servers, while the Secret Service and payment card companies have been notified.
It said that the full investigation is expected to take more than eight weeks, and it is expected to identify those guests affected by the end of March. “Wyndham prides itself on providing exceptional value for our guests. We deeply regret this incident occurred and we will work hard to restore your confidence in our brand,” said Hotchkiss.
Commenting, Steve Moyle, co-founder and CTO at Secerno, said that this incident, and the response, creates more questions about how exactly this company is safeguarding all data and what rights (if any) customers have to knowledge of data theft affecting their accounts.
He said: “In its FAQs, the hotel states that guests who had stayed at a Wyndham hotel contacted the chain regarding fraudulent use of their cards. Based on this feedback, the hotel went back through its system and discovered the breach.
“In simple terms, the hotel was not aware of the breach until the data had been stolen and used fraudulently. It would seem that the next logical step that the chain would take would be to notify all of the owners of the compromised data, which the hotel has identified.
“What Wyndham did instead is to inform the Secret Service and to provide the card information to the credit card companies, advising them to watch for suspicious activity. Wyndham claims that it does not have the addresses of the affected individuals so it cannot contact them. It would seem that the hotel chain is shifting the burden to the card companies and doing only what is legally required.
“The people who suffer are the customers, who need to check their bills for fraudulent charges or hope that the card companies are checking for suspicious activity. It would seem that every customer should have the right to know immediately if his/her data has been stolen.
“As for the hotel's mention of hiring a PCI firm to check the revised security, the hotel could very well have been PCI compliant at the time of the breach. PCI does not equal safe data.”
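Both the Wyndham notice and the comment above turn on the same gap: card data left the network "to an off-site URL" for roughly three months, and the intrusion surfaced only when guests reported fraudulent charges. As an added example (not code from Wyndham, SC Magazine or the original page), here is the kind of egress review that would flag a cardholder-data host sending to a destination outside its allow-list and tally the volume per day, which is the signal available to the operator long before the card brands see fraud. The log format, host names, allow-list, the 5 MiB daily threshold and the log lines themselves are all assumptions constructed for the illustration.

```python
"""Egress review for a cardholder-data environment (CDE).

Added example, not from the Wyndham notice or any article on this page.
Assumed log format (hypothetical): "<ISO timestamp> <src_host> <dst_host> <bytes_out>"
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample egress log. 203.0.113.77 is a documentation address
# standing in for the unapproved "off-site URL".
SAMPLE_LOG = """\
2009-10-28T02:14:07 whr-pos-db01 settlement.example-processor.net 18240
2009-10-28T02:15:11 whr-pos-db01 updates.example-vendor.com 5120
2009-10-28T03:02:44 whr-pos-db01 203.0.113.77 9437184
2009-10-29T03:05:19 whr-pos-db01 203.0.113.77 8912896
2009-10-30T03:01:02 whr-pos-db01 settlement.example-processor.net 20480
2009-10-30T03:07:55 whr-pos-db01 203.0.113.77 10485760
2009-10-31T11:40:00 whr-web01 cdn.example-vendor.com 2048
"""

# Assumed policy: hosts inside the CDE and the only external destinations
# they are permitted to reach (processor settlement, vendor updates).
CDE_HOSTS = {"whr-pos-db01"}
APPROVED_DESTINATIONS = {"settlement.example-processor.net", "updates.example-vendor.com"}
DAILY_BYTES_THRESHOLD = 5 * 1024 * 1024  # 5 MiB per day to one destination (assumed)


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        try:
            yield datetime.fromisoformat(ts), src, dst, int(nbytes)
        except ValueError:
            continue


def find_suspicious_egress(text, cde_hosts=CDE_HOSTS,
                           approved=APPROVED_DESTINATIONS,
                           threshold=DAILY_BYTES_THRESHOLD):
    """One alert per (CDE host, unapproved destination, day).

    Any traffic from a CDE host to a destination off the allow-list is a
    policy violation (medium); crossing the daily byte threshold is high.
    """
    per_day = defaultdict(int)
    for ts, src, dst, nbytes in parse_log(text):
        if src not in cde_hosts or dst in approved:
            continue
        per_day[(src, dst, ts.date())] += nbytes

    alerts = []
    for (src, dst, day), total in sorted(per_day.items()):
        over = total >= threshold
        alerts.append({
            "src": src,
            "dst": dst,
            "day": day.isoformat(),
            "bytes": total,
            "severity": "high" if over else "medium",
            "reason": "unapproved destination" + (" + volume over threshold" if over else ""),
        })
    return alerts


def exfil_summary(alerts):
    """Aggregate alerts per (src, dst): total bytes, distinct days, first/last day.

    The first/last span is the dwell time an investigation later has to
    reconstruct from the same logs.
    """
    summary = {}
    for a in alerts:
        entry = summary.setdefault((a["src"], a["dst"]),
                                   {"bytes": 0, "days": 0, "first": a["day"], "last": a["day"]})
        entry["bytes"] += a["bytes"]
        entry["days"] += 1
        entry["first"] = min(entry["first"], a["day"])
        entry["last"] = max(entry["last"], a["day"])
    return summary


if __name__ == "__main__":
    found = find_suspicious_egress(SAMPLE_LOG)
    for a in found:
        print(f"{a['severity']:6} {a['day']} {a['src']} -> {a['dst']} {a['bytes']} B ({a['reason']})")
    for (src, dst), s in exfil_summary(found).items():
        print(f"{src} -> {dst}: {s['bytes']} B over {s['days']} day(s), {s['first']}..{s['last']}")
```

The allow-list check fires on the first connection, regardless of size; the byte threshold is there so that a single large transfer stands out even on networks where some unlisted destinations are tolerated. Run against the constructed log it reports three high-severity days to the same unapproved address, which is exactly the pattern that stayed invisible for three months in the incident described above.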
Wyndham hotels hacked again
Wyndham hotels hacked again
Robert McMillan
February 26, 2010 (IDG News Service) Hackers broke into computer systems at Wyndham Hotels & Resorts recently, stealing sensitive customer data.
The break-in occurred between late October 2009 and January 2010, when it was finally discovered. It affected an undisclosed number of company franchisees and hotel properties that Wyndham manages. Wyndham has acknowledged the incident in a note posted to its Web site.
"A hacker intruded on our systems and accessed customers information from a limited number of franchised and managed properties," the company said. "The hacker was able to move some information to an off-site URL before we discovered the intrusion."
Hackers were able to steal data required for credit card fraud, the company said, including "guest names and card numbers, expiration dates and other data from the card's magnetic stripe."
Wyndham did not say how many hotels were hacked or how many customers were affected. The company did not return messages seeking comment Friday.
This is the third data breach reported by Wyndham in the past year. Last February, Wyndham said that hackers stole tens of thousands of credit card numbers between July and August 2008.
In that case, criminals hacked into a Wyndham franchisee and then stole data from a central company server.
Wyndham, which operates Days Inn, Ramada and Super 8 motels, warned customers of a second breach in August 2009.
The company has not yet notified victims of this latest incident, but expects to begin doing so by the end of March, when it has concluded the investigation.
HHS Posts List of Reported Health Data Breaches
--HHS Posts List of Reported Health Data Breaches (February 23, 2010) The US Department of Health and Human Services (HHS) has posted a list of organizations that have suffered breaches of unsecured protected health information affecting 500 or more individuals. The posting of the list is required under the HITECH Act. HHS breach notification rules require that organizations report such breaches to HHS and the media within 60 days. Breaches affecting fewer than 500 people must be reported annually. The list includes 36 separate breaches and affects more than 1 million individuals; the majority of the breaches involved computer theft, unauthorized access and missing or stolen data storage devices.
Intel Acknowledges January Breach
--Intel Acknowledges January Breach
(February 23, 2010)
Intel has acknowledged in a Securities and Exchange Commission (SEC) filing that it was targeted by a "sophisticated" attack in January. The disclosure was made in a section of the filing that describes incidents and circumstances that could potentially have adverse effects on the company's bottom line. An Intel spokesperson says that while the attack occurred around the same time as the attacks against Google and other US companies, there is no hard evidence linking the Intel attack to the others. He also said that attackers attempt to gain access to Intel's systems on a "very regular" basis.