Friday, January 19, 2007

It is probably reasonable to expect a physician to have 150 patients at one time. It's the guys with hundreds of thousands that I find hard to credit...

http://www.securitypronews.com/insiderreports/insider/spn-49-20070118TokyoDocLosesPatientInformation.html

Tokyo Doc Loses Patient Information

David Utter Staff Writer 2007-01-18

A physician with the University of Tokyo Hospital placed personal information about 150 patients on his home computer, only to have that data leaked online.

Private information and personal computers are not chocolate and peanut butter; they don't go together. But people keep thinking they won't be the ones to make the kind of mistakes other people have in inadvertently putting that data at risk.

The report in question said the doctor had a backup file containing patient information from about 10 years ago. [This is not reasonable for two reasons. 1) backups should be stored in a safe, environmentally controlled space – not on a home computer. 2) Even backup files should be deleted after they are no longer required for business purposes. Bob] He had treated the patients at the University and three other hospitals.

That file probably sat dormant all those years until someone placed file-sharing software on the computer.

After that, the data could be viewed for around a five hour period.

The information included names and birth dates, and medical records.

Details are not clear about the whole issue. On a ten-year old computer, it is difficult to imagine modern file-sharing software running on it, although ftp could be an option.

It seems more likely the patient information was ten years old, but placed on a newer computer.

No accounts of misuse of the data have emerged yet, according to the University hospital. They claimed that they "prohibit in principle" [Is this the same as “We may have suggested it once upon a time?” Bob] the practice of taking personal information out of the hospital.

Principles are good to have, but in an age where a little personal information can lead to a big identity theft, clearly defined policies against that usage need to be in place too. Maybe the doctor just didn't think about, or even forgot, the backup.

Security pros do need to think about these things. It may be a good idea to check with employees to find out if sensitive information has been removed from an enterprise.

Well-meaning workers who want to do a good job probably don't see the harm in doing so.

They should not be prohibited from working effectively. If there is a need for access to such data, the implementation of a managed solution like VPN should be used.

Control of the information needs to rest with the company, and not an individual employee. [...and there needs to be consequences! Bob]

In the United States, trends on identity thefts have indicated they will continue to spiral upward. A 250 percent rise in keyloggers and an ever-increasing number of phishing attempts figured prominently in 2006.



Will this impact their ability to buy the homes KB sells?

http://www.thestate.com/mld/thestate/business/16485189.htm

KB Home warns of ID theft risk

Home builder issues alert to customers after computer is stolen from company’s Charleston sales office

By KRISTY EPPLEY RUPON

krupon@thestate.com Posted on Thu, Jan. 18, 2007

Thousands of KB Home customers are being warned of the risk of identity theft after one of the home builder’s computers was stolen from a Charleston sales office.

The company sent letters to 2,700 people Friday advising them to put a fraud alert on their credit reports and to monitor their credit for the next couple of years.

Ken Fenchel, who bought his Lexington home from KB Home in May, is irritated the company is not offering to do more to help the customers avoid identity theft.

“At a minimum they should (pay for) one year of fraud protection” for those customers, Fenchel said. “I’m not sure what else you can do.”

As a precautionary measure, KB Home officials say, they sent the letter to more people than they believe were affected.

The stolen computer likely had names, addresses and Social Security numbers only of people who had visited the sales office for Foxbank Plantation, a new home community in Berkeley County near Charleston, said Jeff Meyer, division president for KB Home South Carolina.

KB Home, which has a financing program for potential buyers, collects Social Security numbers from people who want to pre-qualify for a loan.

“I don’t really expect that anybody from Columbia was on that computer, but we figure better safe than sorry,” Meyer said. “We think the action we took is a reasonable response.”

The computer was in a locked sales office with an alarm system when the wire to the alarm was cut and the computer was stolen Dec. 30, Meyer said. Nothing else of value was taken, he said.

The letter was sent Friday to anyone who had visited a KB Home sales office in South Carolina during a certain time period last year.

“There is a risk to you of potential identity theft or misuse of information,” the letter states. “Nonetheless, our research reveals that computer thieves generally want only the hardware and customarily erase all data from the disk prior to illegal resale of the hardware.”

The personal information that was on the computer was password protected, according to the letter.

... Still, Meyer said, the risk “is fairly small.” KB Home recently decided to eliminate all Social Security numbers from their files to protect their clients. [Before or after? Bob]



Should have used Registered Mail? Are there “secure” shipping alternatives? Must be....

http://www.theglobeandmail.com/servlet/story/RTGAM.20070118.wcibc0118/BNStory/Business/home

CIBC loses info on 470,000 Canadians

SINCLAIR STEWART Globe and Mail Update

The personal information of nearly half-a-million customers at a CIBC mutual fund subsidiary has gone missing, prompting fears of a potential security breach and inciting an investigation from Canada's federal privacy commissioner.

A backup computer file containing application data for 470,000 investors at Montreal-based Talvest Mutual Funds disappeared in transit on the way to Toronto recently, the bank said in a news release Thursday.

The file contained everything from client names and addresses to signatures, birth dates, bank account numbers and Social Insurance Numbers. Officials at CIBC Asset Management Inc., a division of the Canadian Imperial Bank of Commerce, said there is no evidence of fraud, nor is there any indication that any data on this hard drive has been accessed. The company did not explain how it lost the drive.

Privacy Commissioner Jennifer Stoddart, who launched a probe of CIBC following a faxing snafu two years ago, said she has determined there are grounds for another investigation in the Talvest matter, even though the bank brought the problem to her attention.

“Although I appreciate that the bank notified us of this incident and that it is working cooperatively with my office, I am nevertheless deeply troubled, especially given the magnitude of this breach, which puts at risk the personal information of hundreds of thousands of Canadians,” said Ms. Stoddart. “My office is committed to carrying out a thorough investigation into this matter and to ensuring that preventive and corrective measures are put in place so that this does not reoccur.”

The bank said it has taken immediate steps to rectify the problem, and has written letters to affected customers. The vast majority of these are clients of Talvest, rather than CIBC, which bought the mutual fund company in 2001.

The bank has promised to compensate customers for any loss, and is allowing them to enroll in a free credit monitoring program that can alert them if someone is trying to use their information without proper authorization.

... This is the second major security issue for Canadians in as many days. Wednesday, the U.S. retailer that owns discount chains Winners and HomeSense revealed it had been the victim of a massive computer hacking effort.

Sources told The Globe and Mail that the network break-in at TJX Cos. may have affected as many as 20-million Visa cards worldwide, and some estimates suggest as many as 2-million of these cards are Canadian. It's unclear how big that number will be for other card providers, like MasterCard, but the numbers suggest it could be one of the largest such breaches the country has ever seen, according to one person in the financial community. The RCMP is assisting U.S. authorities with that investigation.



Follow-up... Note the 20 Million (Visa alone) figure in the previous article!

http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20070118005947&newsLang=en

January 18, 2007 05:25 PM Eastern Time

Massachusetts Bankers Association Responds to TJX Companies Data Breach

BOSTON--(BUSINESS WIRE)--The Massachusetts Bankers Association:

* MasterCard now Reporting Data Breaches to Banks

* Thus far, 28 Massachusetts Banks Report Compromised Cards

* Work of MBA Task Force is Underscored

* Has TJX been “Victimized?”

* Advice for Cardholders

The Massachusetts Bankers Association (MBA) said today that in addition to VISA USA, now MasterCard is contacting Massachusetts banks to report that some of their customers’ personal banking information may have been compromised due to the data breach reported by TJX Companies yesterday. Bay State banks are acting quickly to protect customers who have been red-flagged by the two card associations after doing business with TJX stores including TJMaxx, Marshalls, Winners, HomeGoods, TKMaxx, AJWright, and HomeSense.

After surveying its banks, the MBA is reporting that thus far 28 banks have been contacted by the card associations indicating that some of their card holders have had personal information that may have been exposed due to the TJX data breach. The MBA is cautioning, however, that the number is likely to grow higher as, thus far, only 48 out of 205 banks in Massachusetts have reported in to the Association.

In addition, the MBA is questioning the TJX’s self-characterization as being “victimized” by the intrusion in a news release issued yesterday by the retailer.

Daniel J. Forte, CEO and president of the MBA said, “We think it’s a little odd that they would characterize themselves as victims when it appears that they may have been capturing data that is unnecessary.”

Retailers, upon processing a debit or credit card purchase -- that is, verifying that the information on a card is correct, and that customers have money or credit in their accounts -- are prohibited by card network rules from retaining that information. “After the transaction clears,” said Forte, “there is no reason to store any data.”

TJX has not indicated what data it routinely captures, but the range of problematic data includes account numbers, expiration dates, personal identification numbers, and other verification information. “The company did indicate,” said Forte, “that driver’s license information may have been captured and exposed.”

... Forte added, “Bottom line, we believe it is critical that the card associations – Visa, MasterCard, etc. – and public officials carefully evaluate whether retailers should be held liable for a data breach, particularly when the information being stored is in violation of card network rules.”

... Although the MBA expects the number of banks and exposed cardholders in the TJX incident to rise, the MBA is telling customers not to worry. “You may not be in the affected group,” said Forte. “There is no reason to contact your bank. It will reach out to you if there is a problem. This is a situation that was not caused by your bank but you should know, if your information was exposed, we are working hard on your behalf. If you are notified that you are in the impacted group, remember just because your data was exposed, fraud may not occur. Nonetheless, it’s a good idea to check your statements and balances regularly, and order a credit report which you can receive free of charge once a year.”



Another resource...

http://www.pogowasright.org/article.php?story=20070118083758564

Friday, January 19 2007 @ 06:44 AM CST

The Buzz: Podcast on Privacy Issues

Thursday, January 18 2007 @ 08:37 AM CST - Contributed by: PrivacyNews - State/Local Govt.

Today's podcast on privacy issues (9 minutes, 13 seconds) focuses on public concerns over identity theft, the loss of personal information through private and public incidents of neglect, adults destroying the credit rating of children, protecting minors using the Internet and even "black boxes" that may be a part of your new car.

NCSL's Heather Morton and Pam Greenberg team up to provide the latest analysis on how legislatures are trying to address the wide-ranging complexities of privacy issues that seemingly get more complicated every day. Even though at least 35 states have enacted legislation to require disclosure when private records are lost, stolen or their whereabouts unknown when a laptop containing that information is missing, our experts say states will again be taking the lead in looking at stronger protection and disclosure laws.

Source - The Thicket at State Legislatures



Does this suggest the case is weak?

http://www.eweek.com/article2/0,1759,2085407,00.asp?kc=EWRSS03119TX1K0000594

CNBC: Prosecutors Offer Plea Deal to Ex-HP Chairman

January 18, 2007 By Reuters

SAN FRANCISCO (Reuters)—California state prosecutors have offered to drop felony charges as part of a plea deal with former Hewlett-Packard Co. Chairman Patricia Dunn and three other defendants in a boardroom leak scandal, CNBC reported Thursday.

The authorities were seeking a single guilty plea on one misdemeanor charge in the case, CNBC said.

A spokesman for the California Attorney General's office declined to comment. "We don't have anything to say on that (the reported plea deal) because we don't discuss plea negotiations publicly," said Nathan Barankin. Dunn's lawyer could not immediately be reached for comment.

The board-room leak scandal emerged in September 2006 when Palo Alto, California-based HP initially disclosed that it had undertaken an investigation to ferret out the source of board room leaks to the media.



Is denial of free speech a Democratic platform plank? Perhaps we need to watch the 43 in favor more closely?

http://yro.slashdot.org/article.pl?sid=07/01/19/0553211&from=rss

Bill to Treat Bloggers as Lobbyists Defeated

Posted by CowboyNeal on Friday January 19, @01:20AM from the common-sense-prevails dept. The Internet Censorship Politics

Lawrence Person writes "The attempt to require political bloggers to register as lobbyists previously reported by Slashdot has been stripped out of the lobbying reform bill. The vote was 55 to 43 to defeat the provision. All 48 Republicans, as well as 7 Democrats, voted against requiring bloggers to register; all 43 votes in favor of keeping the registration provision were by Democrats."


...there are enough pressures on bloggers as it is!

http://techdirt.com/articles/20070118/160351.shtml

The Importance Of Protecting Anonymous Speech Online

from the it-may-not-be-pretty,-but-it's-worth-it dept

There tends to be this feeling of entitlement that anything someone doesn't like must somehow be "illegal." This is especially true when it comes to anonymous speech -- even more so when it's anonymous speech that's "critical" of someone or some organization. The EFF is discussing an interesting case where the publisher of a newspaper is trying to uncover the identity of an anonymous blogger who runs a blog that has had several critical posts of the newspaper's strategy to stop its employees from unionizing. According to the EFF report, this publisher has taken a hard line against any critic, suing two newspapers for their coverage and threatening suits against people for daring to put pro-union signs in their windows. In particular, the publisher is apparently annoyed that an anonymous third party commented on the anonymous blog, suggesting "acts of cybersabotage" against the newspaper's management. The blogger quickly removed this comment, but the publisher claims that the comment itself influenced the union vote (the employees voted to unionize) and has sent a subpoena requesting information about the anonymous blogger. From the description, this sounds very much like an attempt at intimidation. The blogger in question wasn't even the person who put up the comment, and the comment itself was removed. Trying to figure out the identity serves no reasonable purpose. In fact, as the EFF points out, the only place that information might have been useful was at the hearing to see whether the comment unfairly influenced the union vote -- and that hearing already passed without the issue being mentioned. Anonymity can be messy, but that doesn't mean it shouldn't be protected.



I wonder how many people will be dedicated to watching the videos?

http://techdirt.com/articles/20070118/183551.shtml

Now You Too Can Be A Surveillance Camera!

from the digg-for-law-enforcement. dept

We've had plenty of stories in the past about the concept of "sousveillance" and David Brin's idea of the transparent society where everyone watches everyone else, and it seems like the world keeps moving in that direction. The latest is in New York City, where Mayor Bloomberg is apparently working on a plan where anyone can take camera phone photos or videos of suspicious activity and immediately send them off to the police. Of course, that only works if the police aren't flooded with bogus reports. Maybe this doesn't go far enough. The next step should be for them to make all the images and video publicly available somewhere, so that crowds of web surfers can vote on which images and videos are actually crimes, and which aren't worth bothering with. Think of it as a Digg for law enforcement.



Will this become commonplace in the “Bricks & mortar” world? Is it legal to deny the customer the right to ask questions or purchase a 'loss leader?'

http://www.sixwise.com/newsletters/05/03/01/the_unethical_but_mostly_legal_retail_shopping_tactics_of_devil_consumers.htm

The Unethical but (Mostly) Legal Retail Shopping Tactics of Devil Consumers

by www.SixWise.com

The age-old saying that "the customer is always right" may soon be put out to pasture. Why? Increasing numbers of stores are cracking down on what they call "devil" shoppers -- customers whose buying and returning practices, some legit, may actually cause the store to lose money -- and the stores believe they're better off without them.

Best Buy stores have gotten so fed up with their "devil" shoppers -- a group they say makes up 20 percent of their customer base -- that they're actively trying to eliminate them from their stores. These shoppers (see below for a description of some of their tactics) account for as many as one-fifth of Best Buy's 500 million customer visits each year, and according to Best Buy CEO Brad Anderson, "They can wreak enormous economic havoc."

So now Best Buy is fighting back. They've started training their employees to identify "angel" shoppers -- the ones who buy highly priced items like HDTVs or just-released DVDs without waiting for a markdown -- and cater to them while "blacklisting" the devil shoppers. The staff uses a quick interview of sorts to identify the different types, which they internally call:

* Barrys: High-income men who like action movies and cameras

* Jills: Suburban moms who want to help their families

* Buzzes: Male technology fans who want the latest high-tech gadgets

Other practices Best Buy has put into play include adding a 15 percent restocking fee and selling restocked items over the Internet as opposed to in stores.

But Best Buy is not alone. Some stores will go so far as to remove "bad" customers from their promotions mailing list or put them on long holds if they call stores with too many questions and no intent to buy. And stores like Express, KB Toys, the Sports Authority, Staples and Guess have all adopted a new technology called the Return Exchange to monitor customers' buying habits.

When a purchase is made, the device records the consumer's name, address, age and transaction details and sends it to The Return Exchange's database. The company says the device is meant to stop shoplifters and other fraud-doers, but it doesn't stop there. Each store inputs certain criteria, such as a high number of returns or a dollar amount on returns, after which a customer's return can be denied.

Said retail consultant King Rogers, retail stores lose some $16 billion a year because of fraud. "Consumers are going to find more stores with tighter, more restrictive return policies than they found last year. When you look at the economics of it, $16 billion a year in losses, they have to tighten up," he said.

... Already the Federal Trade Commission has been asked to investigate the legality of stores monitoring and denying customers' returns, and Sen. Charles Schumer (D-N.Y.) proposed legislation to require stores that do limit returns to warn shoppers of the practice.



There is a clear lack of something here. Perhaps because the strategy has nothing to do with the stated intent of the suit?

http://linux.slashdot.org/article.pl?sid=07/01/18/2231200&from=rss

Judge Rules That IBM Did Not Destroy Evidence

Posted by Zonk on Thursday January 18, @06:26PM from the good-for-them dept. Caldera IBM The Courts Linux

UnknowingFool writes "From the latest in the SCO saga, Judge Wells ruled today that IBM did not destroy evidence as SCO claims. During discovery, SCO claims it found an IBM executive memo that ordered its programmers to delete source code, and so it filed a motion to prevent IBM from destroying more evidence. The actuality of the memo was less nefarious. An IBM executive wanted to ensure that the Linux developers were sandboxed from AIX/Dynix. So he ordered them to remove local copies of any AIX code from their workstations so that there would not be a hint of taint. The source code still existed in CMVC and was not touched. Since the source code was still in CMVC, Judge Wells ruled IBM did not destroy it. Incredulously, SCO's Mark James requested that IBM tell SCO how to obtain the information. IBM's Todd Shaughnessy responded that all during discovery (when IBM gave SCO a server with their CMVC database) SCO never once said that they were unable to find that information from CMVC. Judge Wells asked IBM to help SCO out in any way he could."
