Thursday, August 13, 2009

There is a not so subtle difference between naive and gullible. Wouldn't you expect a CEO to know just how secure his data was?

http://www.databreaches.net/?p=6655

Heartland CEO on Data Breach: QSAs Let Us Down

August 12, 2009 by admin Filed under Breach Incidents, Commentaries and Analyses, Financial Sector

For Heartland Payment Systems Inc. CEO Robert Carr, the year did not start off well, to say the least.

In January, the Princeton, N.J.-based provider of credit and debit processing, payment and check management services was forced to acknowledge it had been the target of a data breach — in hindsight, possibly the largest to date with 100 million credit and debit cards exposed to fraud.

In the following Q&A, Carr opens up about his company’s data security breach. He explains how, in his opinion, PCI compliance auditors failed the company, how informing customers of the breach before the media had a chance to was the best response, and how other companies can avoid the pain Heartland has experienced.

Read more on Computerworld.

[From the article:

What have you learned in recent months regarding how exactly the burglars were able to get in? Have investigators flagged anything in terms of the big security holes that were exploited?

Carr: "The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn't even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, 'You've got to be kidding me.' That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can't reconcile that."

How did the QSAs respond when you expressed this view?

Carr: "In the post-Enron environment, the auditors have contracts with clients that essentially absolve them of gross negligence. The false reports we got for 6 years, we have no recourse. No grounds for litigation. That was a stunning thing to learn. In fairness to QSAs, their job is very difficult, but up until this point, we certainly didn't understand the limitations of PCI and the entire assessment process. PCI compliance doesn't mean secure. We and others were declared PCI compliant shortly before the intrusions."


(Related) On the other hand...

http://www.databreaches.net/?p=6670

Opinion: Heartland CEO Must Accept Responsibility

August 13, 2009 by admin Filed under Breach Incidents, Commentaries and Analyses, Financial Sector

I just read Bill Brenner’s interview with Heartland Payment Systems’ CEO Bob Carr [Heartland CEO on Data breach: QSAs Let Us Down] and truthfully, my blood is boiling.

Basically, he’s throwing his QSA under the bus for the massive data breach that happened under his watch. Basically, because the QSA didn’t find anything, therefore he should be off the hook.

I say that’s a load of crap. It’s about time organizations suffering from a data breach owned up to the fact that they made a mistake. You see, the fine folks at Johnson and Johnson didn’t throw the pharmacy under the bus when Tylenol got poisoned in 1982, did they? NO! They accepted responsibility (even though it wasn’t their fault) and re-established trust with their customers.

This kind of response from Mr. Carr basically proves that organization has learned NOTHING from the data breach, which means inevitably it will happen again.

Read more of Mike Rothman’s commentary on CSO.



(Related) In that UPS also began encrypting after a breach. I wonder if they do it in the US too?

http://www.databreaches.net/?p=6657

UPS encrypts laptops and smartphones after data breach

August 12, 2009 by admin Filed under Breach Incidents, Business Sector, Non-U.S., Theft

Parcel service UPS has encrypted all its UK laptops and smartphones, following a breach of the Data Protection Act last year.

The firm has also signed an undertaking to assure the Information Commissioner’s Office that personal information will be kept securely in future.

An unencrypted, password-protected laptop was stolen from a UPS employee while on business abroad in October 2008.

The laptop, which was never recovered, contained the payroll data of 9,150 UK-based employees, including personal, salary and bank details.

Read more on computing.co.uk

[From the article:

Password-protected laptops are not secure. [Interesting that (post-breach) organizations are recognizing the obvious. Bob]



It could mean that companies have figured out how to manage their way through the minefield.

http://it.slashdot.org/story/09/08/12/1454253/How-Much-Does-a-Reputation-For-Security-Matter-Anymore?from=rss

How Much Does a Reputation For Security Matter Anymore?

Posted by Soulskill on Wednesday August 12, @11:49AM from the eh-i'm-sure-they'll-patch-it-soon dept.

dasButcher writes

"We often hear that businesses risk their corporate reputations if they don't have adequate security. It's been a common refrain among those selling security technologies: protect your data or suffer the reputational consequences. But, as Larry Walsh points out, the evidence is against this notion. Even companies that have suffered major security breaches — TJX, Hannaford, etc. — have suffered little lasting damage to their reputation. So, does this mean that reputational concerns are simply bunk?"



How much does a reputation for customer surveillance matter? Another target for the e-Discovery folks?

http://www.mobilecrunch.com/2009/08/12/oh-by-the-way-the-palm-pre-phones-home-with-your-location/

Oh, By the way: The Palm Pre phones home with your location [Updated]

by Greg Kumparak on August 12, 2009

… When Debian developer Joey Hess started tinkering with webOS, he noticed that it was sending something to Palm once a day. Surely, Palm wasn’t sending anything too potentially incriminating without making it blatantly obvious to the user, right? Wrong.

Joey tore apart the data the Pre was transmitting, and there it was, smack dab at the top of the page:

{ "errorCode": 0, "timestamp": 1249855555954.000000, "latitude": 36.594108, "longitude": -82.183260, "horizAccuracy": 2523, "heading": 0, "velocity": 0, "altitude": 0, "vertAccuracy": 0 }

That was Joey’s position at the time the data was sent, accurate to the same degree that the Google Maps application was.

Also included was a list of every application Joey used, along with how long they were used for (as measured by “launch” and “close” parameters), along with crashlogs.



Peer-to-peer systems don't just share music

http://news.slashdot.org/story/09/08/12/1533248/Man-Jailed-After-Using-LimeWire-For-ID-Theft?from=rss

Man Jailed After Using LimeWire For ID Theft

Posted by Soulskill on Wednesday August 12, @12:31PM from the guess-his-making-available-defense-didn't-work-either dept.

angry tapir sends along this excerpt from PC World:

"A Seattle man has been sentenced to more than three years in prison for using the LimeWire file-sharing service to lift personal information from computers across the US. The man, Frederick Wood, typed words like 'tax return' and 'account' into the LimeWire search box. That allowed him to find and access computers on the LimeWire network with shared folders that contained tax returns and bank account information. ... He used the information to open accounts, create identification cards and make purchases. 'Many of the victims are parents who don't realize that LimeWire is on their home computer,' [said Kathryn Warma of the US Attorney's Office]."



...because there is absolutely, positively no way using technology is harmless.

http://yro.slashdot.org/story/09/08/12/1817232/Illinois-Bans-Social-Network-Use-By-Sex-Offenders?from=rss

Illinois Bans Social Network Use By Sex Offenders

Posted by timothy on Wednesday August 12, @02:52PM from the good-feel-measure-vs.-bad-feel-felons dept.

RobotsDinner writes

"Illinois Governor Pat Quinn has signed into law a bill that bans all registered sex offenders from using social networks. '"Obviously, the Internet has been more and more a mechanism for predators to reach out," said Sen. Bill Brady (R-Bloomington), a sponsor of the measure and a governor candidate. "The idea was, if the predator is supposed to be a registered sex offender, they should keep their Internet distance as well as their physical distance." [Whatever we do in the real world, we should also do in the virtual world? Bob]



Undue reliance? It's so if the computer says it's so. Now we know where TSA got the idea for the no-fly list!

http://it.slashdot.org/story/09/08/12/2055208/Database-Error-Costs-Social-Security-Victims-500M?from=rss

Database Error Costs Social Security Victims $500M

Posted by timothy on Wednesday August 12, @05:18PM from the drop-in-the-bucket dept.

Hugh Pickens writes

"The Washington Post reports that the Social Security Administration has agreed to pay more than $500 million in back benefits to more than 80,000 recipients whose benefits were unfairly denied after they were flagged by a federal computer program designed to catch serious criminals. At issue is a 1996 law, which contained language later nicknamed the 'fleeing felon' provision, that said fugitives were ineligible to receive federal benefits. As part of its enforcement, the administration began searching computer databases to weed out people who were collecting benefits and had outstanding warrants. The searches captured dozens of criminals, including some wanted for homicide, but they also ensnared countless elderly and disabled people accused of relatively minor offenses such as shoplifting or writing bad checks and in some cases, the victims simply shared a name and a birth date with an offender."




Kerfuffle is us? We're a University – why would we think before we open our mouth?

http://news.slashdot.org/story/09/08/13/137252/US-Colleges-Say-Hiring-US-Students-a-Bad-Deal?from=rss

U.S. Colleges Say Hiring U.S. Students a Bad Deal

Posted by CmdrTaco on Thursday August 13, @09:27AM from the talking-to-you-cliff dept.

theodp writes

"Many U.S. colleges and universities have notices posted on their websites informing U.S. companies that they're tax chumps if they hire students who are U.S. citizens. "In fact, a company may save money by hiring international students because the majority of them are exempt from Social Security (FICA) and Medicare tax requirements," advises the taxpayer-supported University of Pittsburgh (pdf) as it makes the case against hiring its own U.S. students. You'll find identical pitches made by the University of Delaware, the University of Cincinnati, Kansas State University, the University of Southern California, the University of Wisconsin, Iowa State University, and other public colleges and universities. The same message is also echoed by private schools, such as Johns Hopkins University, Brown University, Rollins College and Loyola University Chicago."



Basil says this is a service worth looking at, so is it worth investing in too?

http://www.techcrunch.com/2009/08/12/full-details-on-mints-14-million-series-c-round/

Full Details On Mint’s $14 Million Series C Round

by Jason Kincaid on August 12, 2009

Mint, the popular personal finance site that won 2007’s TechCrunch40 conference, has closed a new $14 million Series C funding round. Silicon Alley Insider discovered the round in an SEC filing this morning, and we’ve just gotten off the phone with CEO Aaron Patzer, who confirmed the deal and filled us in on the details.



Increasingly important, even for individuals...

http://lifehacker.com/5335553/free-tools-to-back-up-your-online-accounts

Free Tools to Back Up Your Online Accounts

By Gina Trapani, 9:00 AM on Wed Aug 12 2009



Humor or fact? Watch and decide!

http://www.techcrunch.com/2009/08/12/google-privacy-opt-out-announced-via-the-onion/

Google Privacy Opt Out Announced Via The Onion

by Michael Arrington on August 12, 2009

The Onion strikes again, announcing Google Opt Out today, a product that lets people opt out of Google’s information gathering activities by having their home destroyed and moving to a covered village complex at an undisclosed location. As always, they nail it. Video is below.
