Better safe than sorry: Express Scripts should notify everyone
Almost a year after it was contacted by an extortionist, pharmacy benefits management company Express Scripts first learned that the extortionist was in possession of at least 700,000 more members’ personal information than they originally knew about. The company has now notified those individuals, but how many other members may also be affected? It’s time for the company to notify everyone.
Earlier this week, while reporting new details on the Express Scripts breach, I commented on a statement made by Express Scripts on their web site that the company was “unaware at this time of any actual misuse of members’ information, but we understand the concern that this situation has caused our members.” I noted that the statement struck me as somewhat preposterous because the company was already aware of actual misuse of the information — the extortion demand itself was actual misuse of the information.
Yesterday, a site reader alerted me to the fact that Express Scripts subsequently changed that portion of their support web site to now read:
At this time, Express Scripts has not confirmed any fraudulent misuse of member information as a result of this incident.
While I appreciate that they are no longer suggesting that there’s been no misuse, their new wording is still somewhat problematic. What does “has not confirmed any fraudulent misuse” mean? Does it mean that they have now actually received some reports of fraud or ID theft that have been attributed to the breach but that they have not confirmed as being due to the breach, or does it mean something else?
Express Scripts has not replied to an inquiry I sent them yesterday asking them to clarify what this new wording actually means. If they do, I will update this entry, but in the meantime, nagging questions remain, such as:
1. Why has Express Scripts been unable to determine how many — and whose — records were acquired by the extortionist? After diligent investigation on their part, they never discovered that 700,000 members’ records had been accessed; and
2. How many other members’ records does the extortionist also possess?
Express Scripts is certainly not the first entity to be unable to determine the full scope of a breach, but in this case, where we already have evidence of some malicious purpose, identifying all of those affected takes on added import.
We have often seen the phrase “in an abundance of caution” used in notification letters. In this case, an abundance of caution would mean notifying everyone whose data were potentially acquired. Express Scripts has not taken that approach, however. As a result, 700,000 people whose data were acquired almost a year ago are first learning that they are at risk, and we do not know how many others may also be at risk of ID theft.
In its summary of this incident, the Wisconsin Office of Privacy Protection described who’s affected as “Millions of member records to include a number of Wisconsin residents.” Based on Express Scripts’ notifications to states, that description appears to be erroneous. But then again, maybe it’s just prescient.
Given that the company is dealing with a situation in which they already have evidence that the individual is willing to misuse member data, and given the market for Social Security numbers with dates of birth and other personal information, this blogger believes that a “when in doubt, notify” approach is warranted. While I give credit to Express Scripts for not paying the extortion demands, they must certainly realize that if the extortionist cannot get money from them, it is quite possible that the data will be put up for sale. Express Scripts’ members need to know that so that they can be vigilant about their credit reports, but that will not happen if the company does not notify them that they may be at risk. Saying that they have notified those whose data they know to have been acquired strikes me as not prudent enough given their inability to determine the scope of this breach. I urge them to notify everyone whose records may have been in the database that they suspect was accessed. If ever an “abundance of caution” was in order, this is such a situation.
Another “Gee, we have no idea how to secure our data” story.
Soldiers’ Data Still Being Downloaded Overseas, Firm Says
Ellen Nakashima reports:
The personal data of tens of thousands of U.S. soldiers — including those in the Special Forces — continue to be downloaded by unauthorized computer users in countries such as China and Pakistan, despite Army assurances that it would try to fix the problem, according to a private firm that monitors cybersecurity.
Tiversa, which scours the Internet for sensitive data, discovered the data breaches while conducting research for private clients. The company found, as recently as this week, documents containing Social Security numbers, blood types, cellphone numbers, e-mail addresses, and the names of soldiers’ spouses and children.
Of particular concern to security experts is Tiversa’s discovery of personal information about soldiers in the 3rd Special Forces Group (Airborne), whose mission area is Africa.
“These guys are operating behind lines, and they are absolutely in the deepest part of the fight,” said James Mulvenon, vice president of the intelligence division at Defense Group, a security consulting firm. “The fact that the documents have the names and addresses of the families and all the pressures that could be put to bear on them, it’s a nightmare.”
Carol Darby, a spokeswoman for the Army Special Operations Command, confirmed the data breach but described it as an isolated incident. [How does the fact that it's an “isolated incident” have any bearing on the issue? Sounds like PR BS to me. Bob] She said those involved in the breach had been punished, but she did not provide details.
Read the full article on The Washington Post.
[From the article:
The company found the sensitive documents by using "peer to peer" file-sharing software, which can be easily downloaded on the Internet and which allows computer users to share music or other files
… Towns, who is drafting legislation to address the problems raised by peer-to-peer technology, said: "What is striking about these file-sharing leaks is that these aren't one-time events. Once this software is installed and files are leaked, the leaking is continuous."
How expensive is incompetence?
Computer crime case dropped
Here’s a case where it sounds like sloppy security may have led to unwarranted criminal charges. Annmarie Timmins reports:
The authorities have dropped their theft and computer crime case against a former Local Government Center employee because the center’s “careless” and “sloppy” security practices would undermine any charges, according to letters obtained from the Merrimack County Attorney’s Office.
The news was a “huge relief” for Ruthanne Bradley, 47, of Concord, who was arrested just over a year ago and charged with concealing backup tapes at the center and manipulating the information on them.
The Local Government Center administers benefits plans for public employees, and its databases hold personal information about thousands of workers throughout the state. Bradley worked for the center’s information technology office.
The backup tapes, which were immediately found, unharmed and mislabeled at the center, did not contain medical or pharmacy claim information, center staff said at the time of Bradley’s arrest. Staff also said there had been no security breach.
“It’s important for me to let people know I didn’t have anything to do with this tape issue,” Bradley said yesterday. “I want everyone who read the story (a year ago) and may have judged me. . . . I want it to be known that it wasn’t me that had anything to do with this.”
[From the article:
In both letters, Waldron identified what he considered nine security problems, including the fact that secure areas were not locked, sensitive data was accessible by more people than necessary and that the center's software system had no way of tracking which user or computer was manipulating data
Ah, I feel so much more secure now... Too bad that travel is no longer a right...
Time to implement = (Importance + pork + political posturing) / competence
Secure Flight Comes to Southwest Airlines, Six Years Later
By Ryan Singel, October 2, 2009 4:02 pm
Six years ago the federal government proposed taking over the job of comparing passenger names against the terrorist watch lists. Just this week, Southwest Airlines frequent fliers are being asked to update their profiles with name, gender and date of birth information in order to let the feds try that system out.
… Passengers who have no identification, lost it or prefer not to show it may still be able to fly after getting extra screening, but they have to be nice to airport screeners or else they won’t be allowed through the metal detectors, according to TSA policy.
(Related) One country's security is another country's pain in the neck. (One man's tourist is another man's terrorist?)
Did Chicago Lose Olympic Bid Due To US Passport Control?
Posted by Soulskill on Saturday October 03, @09:18AM from the otherwise-the-terrists-win dept.
An anonymous reader writes
"Yesterday, Chicago lost its bid for the 2016 Olympics (which went to Rio de Janeiro instead), and it's looking very likely that US border procedures were one of the main factors which knocked Chicago out of the race: 'Among the toughest questions posed to the Chicago bid team this week in Copenhagen was one that raised the issue of what kind of welcome foreigners would get from airport officials when they arrived in this country to attend the Games. Syed Shahid Ali, an I.O.C. member from Pakistan, in the question-and-answer session following Chicago's official presentation, pointed out that entering the United States can be "a rather harrowing experience." ... The exchange underscores what tourism officials here have been saying for years about the sometimes rigorous entry process for foreigners, which they see as a deterrent to tourism.'"
The next headache for your Security Manager
Fighting "Snowshoe" Spam
Posted by Soulskill on Friday October 02, @10:13PM from the involves-neither-scissors-nor-hungry-wolves dept.
Today Spamhaus announced they are releasing a new list of IP addresses from which they've been receiving unsolicited email distributed across many IPs and domains in order to avoid triggering volume-based filters. "This spam is sent from many small IP ranges on many Internet Service Providers (ISPs), using many different domains, and the IPs and domains change rapidly, making it difficult for people and places to detect and block this spam. Most importantly, while each host/IP usually sends a modest volume of bulk email, collectively these anonymous IP ranges send a great deal of spam, and the quantities of this type of spam have been increasing rapidly over the past few months." A post at the Enemies List anti-spam blog wonders at the impact this will have on email service providers and their customers. The author references a conversation he had with an employee from one of these providers: "... I replied that I expected it to mean the more legitimate clients of the sneakier gray- and black-hat spammers would migrate to more legitimate ESPs — suggesting that it was, in the long run, a good thing, because ESPs with transparency and a reputation to protect will educate their new clients. His reply was essentially that this would be a problem for them in the short run, because it would swamp their new customer vetting processes and so on."
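The pattern described in the item above, where each IP sends a modest volume but the ranges collectively send a great deal, is why a per-IP volume filter misses it. The following is an added example, not code from Spamhaus or from the quoted posts: it aggregates constructed mail-log data by /24 range, and the thresholds, function names and sample addresses are all assumptions chosen for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

def build_sample():
    """Constructed sample: one (source IP, sender domain) tuple per message.
    All addresses are from the RFC 5737 documentation ranges."""
    events = []
    # Snowshoe-like range: 20 hosts in one /24, 8 messages each,
    # rotating through 10 sender domains.
    for host in range(10, 30):
        for n in range(8):
            events.append((f"198.51.100.{host}", f"offers{(host + n) % 10}.example"))
    # One ordinary high-volume sender on a single IP and domain.
    events += [("192.0.2.25", "lists.example")] * 120
    # Background: a few unrelated low-volume hosts.
    events += [("203.0.113.5", "a.example")] * 3 + [("203.0.113.77", "b.example")] * 2
    return events

def per_ip_over_limit(events, limit):
    """Classic volume filter: IPs whose own message count exceeds `limit`."""
    counts = Counter(ip for ip, _ in events)
    return {ip for ip, c in counts.items() if c > limit}

def snowshoe_ranges(events, per_ip_limit=50, range_limit=100,
                    min_ips=8, min_domains=5, prefix=24):
    """Ranges where every host stays under the per-IP limit, yet the range as a
    whole sends a lot of mail from many hosts using many sender domains."""
    hosts_by_net = defaultdict(Counter)
    domains_by_net = defaultdict(set)
    for ip, domain in events:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        hosts_by_net[net][ip] += 1
        domains_by_net[net].add(domain)
    flagged = {}
    for net, hosts in hosts_by_net.items():
        total = sum(hosts.values())
        if (total > range_limit
                and len(hosts) >= min_ips
                and len(domains_by_net[net]) >= min_domains
                and max(hosts.values()) <= per_ip_limit):
            flagged[str(net)] = {"messages": total, "ips": len(hosts),
                                 "domains": len(domains_by_net[net])}
    return flagged

if __name__ == "__main__":
    sample = build_sample()
    print("per-IP filter flags:", per_ip_over_limit(sample, 50))
    print("range aggregation flags:", snowshoe_ranges(sample))
```

On the constructed data the per-IP filter flags only the single high-volume sender, while the range aggregation flags only the /24 whose hosts each stayed under the limit.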
I didn't know that “Enquiring minds want to know” was a legal argument...
Judge: Reveal who posted comment about Buffalo Grove official
Jamie Sotonoff reports:
It’s a decision that might make people think twice about what they post in online “reader comments” sections.
Cook County Circuit Court Judge Jeffrey Lawrence ruled the Daily Herald and Comcast must reveal the identity of a person who posted a comment on dailyherald.com directed toward the teenage son of Buffalo Grove Village Trustee Lisa Stone.
Comcast is slated to turn the person’s name over to the judge Monday, Oct. 5. Attorneys for everyone involved will then argue whether the information should be turned over to Stone.
Read the full story on Daily Herald. Apparently, when Comcast was ordered to turn over customer information, they did contact their customer:
On Sept. 25, the judge ruled that Comcast must reveal the person’s name to him. Comcast spokesman Rich Ruggiero said the company contacted the customer to notify him of the court order. He retained an attorney and filed a motion to quash Stone’s subpoena. Judge Lawrence denied the motion.
So… is it permissible to tie up the courts simply to obtain the name of an individual if you do not intend to pursue litigation for defamation? In this case, it seems that Stone may be using the legal process solely to identify the individual:
What Stone would do with the information, if she gets it, has not yet been decided, said her attorney, Bill O’Connor. She could do nothing, or she could file a lawsuit.
[From the article:
The Buffalo Grove police reviewed the comments made to Stone's son along with the state's attorney's office but concluded no crime had been committed.
In May, Stone filed a petition for pre-suit discovery -- a precursor to a lawsuit -- against Paddock Publications, owner of the Daily Herald. It was shortly after Stone, a first-time political candidate, won a hotly contested village trustee election in Buffalo Grove.
In a pre-election story about a questionable campaign flier that appeared online, some negative comments about Stone were posted on the "reader comments" page. Stone's son, who was a freshman in high school at the time, went online to defend his mother. As is common practice, the commenters identified themselves only by made up "user names" rather than their real names.
After some back-and-forth bickering between Stone's son and one specific poster, Stone claims the person made "defamatory and injurious statements" toward her son. The exact comments were not part of the court record. On the advice of her attorneys, Stone declined to elaborate on what was written.
Now this would be interesting... Using technology to make the law comprehensible! What a concept!
Legal Code In a Version Control System?
Posted by Soulskill on Saturday October 03, @05:10AM from the they-might-actually-know-what-they're-voting-on dept.
"Sen. Thomas Carper (D-Del.) is on the Senate Finance Committee, which just finished work on the health care bill. The committee recently rejected an amendment which would have required them to post the legislation for public viewing for 72 hours before it went to final vote. Several senators felt that the actual legal code would be too cryptic and complicated to be useful. Carper himself said, 'I don't expect to actually read the legislative language because reading the legislative language is among the more confusing things I've ever read in my life.' So, why don't they put it in SVN (or some similar version control system) where people can tkdiff the changes (i.e. new legislation is in a branch) or output a patchset? If a bill is passed, it's merged into the trunk. It just seems so logical to me, yet I can't find any mention of doing this on the web. What do you think?"
[Best comment: “If you can't convince them, confuse them.” -- Harry Truman
How not to compete? Often you can learn a lot, if they are honest.
Postmortem for a Dead Newspaper
Posted by ScuttleMonkey on Friday October 02, @02:00PM from the what-not-to-do dept.
Techdirt points out a great postmortem for the Rocky Mountain News, a newspaper that ended up shutting down because they couldn't adapt to a world beyond print. While long, the talk (in both video and print) is incredibly candid coming from someone who lived through it and shares at least some portion of the blame.
"It seems like pretty much everything was based on looking backwards, not forward. There was little effort to figure out how to better enable a community, or any recognition that the community of people who read the paper were the organization's true main asset. ... The same game is playing out not just in newspapers, but in a number of other businesses as well. Like the Rocky Mountain News, those businesses are looking backwards and defining themselves on the wrong terms, while newer startups don't have such legacy issues to deal with."
Will eventually be an interesting saga. Chasing (harassing?) a company across borders in order to make them an example. (Yet another judge was removed from this case for bias)
The Pirate Bay Sails To a New Home
Posted by Soulskill on Saturday October 03, @12:09AM from the wonder-if-they-considered-arrrrrgentina dept.
the monolith writes
"Back in August, the company supplying bandwidth to The Pirate Bay was forced to disconnect them. Quoting TorrentFreak: '"It took just 20 minutes before the Hollywood companies telephoned the new host who took over operation of The Pirate Bay," commented Patrik from the ISP which had been indirectly supplying bandwidth to TPB. Despite initially putting on a brave face and standing strong, Patrik's company continued to feel the heat. It is not a large outfit and doesn't have the resources to fight the entertainment industry and its threats. Last night, Patrik could hold off no longer after receiving mounting threats from the entertainment industries, which culminated in threats of a court summons. Having come this far, there is little doubt that IFPI and the MPAA would litigate if necessary. ... On the heels of several rumors today, Patrik said he could confirm news of the move, saying that he believes The Pirate Bay is now hosted in Ukraine.'"
(Related) Expending resources in a futile effort to cut the “evil doer” off from the rest of the world?
Google expunges The Pirate Bay from search results
Posted on 2 Oct 2009 at 13:42
Google has removed links to notorious file-sharing site The Pirate Bay in its search results.
The move is a reaction to a takedown notice issued under the United States Digital Millennium Copyright Act (DMCA). Although searches for "The Pirate Bay" still return results, all direct links to the website have been removed, including The Pirate Bay homepage.
A footnote at the bottom of the search page explains that: "In response to a complaint we received under the US Digital Millennium Copyright Act, we have removed 8 result(s) from this page."
… It's currently unclear who filed the complaint. Google's website claims complaints are published on the Chilling Effects website, but we couldn't locate the relevant notice.
Google users searching for the Pirate Bay won't have to work too hard to find the site. The top result is now The Pirate Bay's Wikipedia entry, which provides a prominent link to the site's homepage.
It's also possible to search The Pirate Bay itself using Google, by typing "site:http://thepiratebay.org" into the search bar.
Update 12pm 3 October 2009: Searches for "The Pirate Bay" are now once again linking to the site.
A Google statement given to CNet.com claims the site was removed by mistake.
For my website students
Clipfinder HD Finds, Plays & Converts Internet Video Files
Oct. 2nd, 2009 By Simon Slangen
There are some video portal aggregators that allow you to search multiple sites at once. Likewise, there are various sites that allow you to download videos, convert those video files and play them offline and on your computer.
ClipFinder HD combines these functions under one roof. It’s a stunningly beautiful and innovative desktop application by Ashampoo that does everything you’ve ever dreamed of, and so much more.
… What’s out of the ordinary here is that Ashampoo normally charges for their software.
… If you want to ‘unlock’ Clipfinder HD beyond the 10 day trial you initially get, just give your email address and you’ll be mailed a working serial code. You won’t need your registration ‘afterwards’, so you might want to use a disposable email account to avoid any unwanted mails.
'cause I love lists like this...
95 websites you should totally bookmark today
Best sites for fun, learning, creating and much more
By PC Plus magazine