Thursday, December 24, 2009

You might want to read the Wikipedia page. http://en.wikipedia.org/wiki/MBNA MBNA is listed as the world's largest independent issuer of credit cards. All the usual questions apply: Why was the data on a laptop? Why wasn't the data encrypted?

http://www.databreaches.net/?p=9029

UK: Credit card provider suffers breach, personal data lost

December 23, 2009 by admin Filed under Financial Sector, Non-U.S., Of Note, Subcontractor, Theft

MBNA, the UK's largest credit card provider, has confirmed that a laptop containing the personal details of its customers [All of them? Bob] has been stolen from one of its third party contractors NCO Europe Ltd earlier this month. The information is said to include personal details, however, no PIN numbers were reported to be contained in the stolen data.

Although the exact details have yet to be confirmed, it is expected that thousands of customers will be affected by this incident. Whilst the situation is monitored, MBNA has provided affected customers with free access to CreditExpert from Experian over the next 12 months.

Read more on HelpNet Security.

Thanks to Sharon Polsky, President of Amina Consulting Corp. for sending this link.


(Related) Which of these stories hurts the bank's reputation more?

http://www.irishtimes.com/newspaper/finance/2009/1215/1224260712119.html

MBNA to refund €18m as interest error comes to light

CIARA O'BRIEN The Irish Times - Tuesday, December 15, 2009

MBNA IS to refund about €18 million to customers after it discovered an error had been made in how interest was calculated.



Merry Christmas from your Alma Mater, oh, by the way...

http://www.databreaches.net/?p=9042

Update on Penn State’s malware breaches

December 23, 2009 by admin Filed under Education Sector, Malware, U.S.

From their newsroom:

Although most offices are winding down for the holidays, Penn State’s privacy office remains active. The University currently is working to notify nearly 30,000 individuals about privacy breaches that may have exposed their personally identifying information.

Malware infections to University computers caused all of the breaches, which occurred in the Eberly College of Science (7,758 records), the College of Health and Human Development (6,827 records) and one of Penn State’s campuses outside of University Park (roughly 15,000 records). Malware is short for malicious software and refers to any software designed to cause damage to a single computer, server, or computer network, whether it’s a virus, spyware, worm or other destructive program.

Letters are going out today (Dec. 23) to those affected by the breaches in the two colleges. Work still is being done to identify those whose information is involved in the campus breach. Once that work is completed, letters will be sent to those affected in that incident as well. This response is in line with the Pennsylvania Breach of Personal Information Notification Act, which went into effect in 2006 and mandates that the University notify anyone whose personally identifiable information is potentially disclosed when a computer is lost or compromised.

Read more on Media Newswire.

[From the article:

The mailing also includes a brochure detailing how to prevent identity theft. [“We didn't bother to implement minimal levels of security, so you're going to need this!” Bob]



You get pro-business decisions like this only in the most liberal states...

http://www.databreaches.net/?p=9040

Massachusetts’s Highest Court Delivers BJ Wholesalers (and other Retailers) a Data Breach Liability Gift

December 23, 2009 by admin Filed under Commentaries and Analyses

David Navetta of InformationLawGroup has an analysis of the recent court decision in Cumis Insurance Society, Inc. v. B.J. Wholesale Club decision, reported here earlier this month.

This blog post dives into and analyzes the Supreme Court Decision, and looks at it in context against similar decisions. Overall, in terms of issuing banks recovering for payment card breaches, the game does not appear to be litigation in the courts, but rather in the backroom contracts and recovery processes contained in the card brand operating regulations that most retailers agree to comply with.

Read more on InformationLawGroup.



Strange as it may seem, in this case I side with Condé Nast.

http://www.pogowasright.org/?p=6556

Condé Nast Makes Strong Case To Unmask Blogger Who Posted Leaked Content

December 23, 2009 by Dissent Filed under Breaches, Court, Featured Headlines, Internet

Wendy Davis reports:

Condé Nast has filed a copyright infringement lawsuit against unknown users who allegedly hacked into the company’s computer system, downloaded unpublished photos and articles, and then published them online.

In papers filed in federal district court in New York, Condé Nast alleges that a host of material — including a big chunk of GQ’s December issue — surfaced last month on the blog FashionZag. The lawsuit alleges that the material appeared on FashionZag around two months after an unknown user obtained access to Condé Nast’s computer system and copied more than 1,100 files. [Sounds like a security flaw to me. Bob]

Initially, FashionZag posted five alternate covers of the December GQ, according to the lawsuit. Condé Nast says it successfully sent a takedown notice to ImageBam.com, which hosted the photos, but that FashionZag then uploaded material to bayimg.com — an image hosting site created by the founders of The Pirate Bay.

By Nov. 14, FashionZag allegedly posted almost all editorial content and photos from the December issue.

[...]

On Monday, U.S. District Court Judge John G. Koeltl allowed Condé Nast to immediately subpoena Google and AT&T to discover the identities of the bloggers and alleged hackers. Google hosts the FashionZag blog, and the IP address of the alleged hacker resolves to AT&T, according to the legal papers.

Read more on MediaPost.

A copy of the lawsuit can be found on scribd.

Reading the lawsuit is a bit of an eye-opener. It claims that the IP associated with the unauthorized access is 75.22.113.131, which does appear to be an AT&T IP. But what’s somewhat mindboggling is that the lawsuit alleges that the intruder obtained the login details from a third party and downloaded 1100 files from the company in September, and — as of the date the lawsuit was filed in December — the company hasn’t stopped the leak!? The lawsuit alleges:

Upon information and belief, Defendants continue to obtain unauthorized access to Condé Nast’s computers and to reproduce, distribute, and display the Condé Nast Content to this day. (emphasis added by Dissent)

Huh? They haven’t figured out how to stop the unauthorized access after all these months? While it appears that they have a legitimate and strong case in terms of unmasking those behind FashionZag, I cannot help but wonder what is up with their security.



Yesterday I blogged about a website that let you put your child's name in stories to encourage them to read. Think of the results of putting your law school student's name into this story as lead counsel.

http://money.cnn.com/2009/12/23/smallbusiness/i4i_microsoft_lawsuit/

How to sue Microsoft - and win

By Cindy Waxer, contributing writer. December 23, 2009: 3:51 PM ET

… i4i's legal victory is being touted as a modern-day tale of David and Goliath. So how does a tiny software outfit in Canada defeat one of the world's best-known corporate behemoths?

Underdogs, take note. Here's a road map for waging war against a giant -- and winning.



Obviously he has thought more deeply about this than I have.

http://www.llrx.com/feature/ebooks.htm

Understanding the Limitations - and Maximizing the Value - of eBooks

By Conrad J. Jacoby, Published on December 23, 2009

… Publishers and distributors of electronic books, however, are using an entirely different model for the distribution of their eBooks. Consumers purchasing eBooks receive only a license, not a full bundle of ownership rights in a tangible object. As a consequence, this considerably limits what consumers can do with their new digital files. For example, few bookstores permit the return of eBooks, since there's no reliable way to tell whether the book has actually been read or not (download records do not indicate whether the file was subsequently opened). Perhaps equally important, under the terms of most current eBook licenses, consumers are generally not permitted to resell eBooks that they have purchased; like computer operating system licenses, the license is personal to them—and often limited to the specific piece of hardware on which the digital file has been installed.
