This looks like a Cloud Computing application. Apparently the customer had no control over the data and didn't even know that inappropriate data (card security codes) were being kept. The vendor, like many “assumed” that access by their people was always authorized and appropriate.
http://www.databreaches.net/?p=16849
(update) Hacker accessed HuskyDirect.com database by using vendor’s administrative password
February 19, 2011 by admin
On January 31, lawyers for the University of Connecticut Cooperative Corporation notified the New Hampshire Attorney General’s Office of a breach mentioned previously on this blog. Their letter revealed some previously unreported details, including the fact that the HuskyDirect.com web site was hosted and managed by Fuss & O’Neill Technologies LLC in Connecticut, a firm that does business as Fandotech.
According to the Co-ops lawyers, the breach was first discovered by customers who reported it to the Co-op. On December 28, the Co-op contacted Fandotech and asked them to investigate. Fandotech investigated but informed the Co-op that it found no evidence of a breach.
The Co-op called a few more times over the next days, each time asking Fandotech to investigate again.
On January 5, Fandotech reportedly found evidence that a breach had occurred on December 26 – two days before the Co-op started calling them to investigate a possible breach. It appears that whoever accessed the database started using the data immediately as by December 28, people were already reporting card fraud to the Co-op.
Significantly, the breach involved an unauthorized person accessing the database by using a Fandotech administrative password. [Unknown is not unauthorized. Perhaps the person was authorized but the actions were not. Bob]
“Fandotech has sole access, authority, and control over that administrative password,” Aaron Bayer of Wiggin and Dana wrote to the New Hampshire Attorney General.
The database contained information on 18,059 people, 286 of whom were New Hampshire residents. Information in the database included customers’ names, addresses, telephone numbers, email addresses, credit card numbers, card expiration dates, and card security codes. At the time of the breach, the Co-op
“understood from Fandotech that it employed a firewall, antivirus software, encryption, and a secure, administrative password to safeguard this data, and believed that Fandotech was PCI compliant.”
Under the PCI standards, however, the 3- or 4-digit card security codes may not be stored – even if encrypted.
The HuskyDirect.com web site, which was taken down the first week in January, is still not online.
In their correspondence of January 31, the Co-op’s attorneys describe the steps the Co-op has taken and note that despite the commercial cost in terms of lost revenues, the Co-op had not returned the site to operation. Their detailed response to the discovery of the breach included retaining Trustwave to perform an audit to determine the cause and a cure for the problem. Lawyers for the Co-op say that it does not intend to re-open the old HuskyDirect.com web site, but plans to open a new web site for UConn merchandise after it is assured that the web site will be in a secure environment.
(Related) Something like this will become much more desirable as everything moves into the Cloud...
Industry IT Security Certification Proposed
"The US can build defenses against 'cyberwar' by having government and the private sector work together to confront the threat, a panel of experts said at RSA Conference 2011 in San Francisco this week. 'Chertoff called for a regulatory framework where company executives and board members sign on the dotted line, certifying what steps they have taken to secure their network, what backup systems they have in place and what level of resiliency is built into their IT system. “People take that seriously. Is it dramatic? No, but it moves the ball down the field,” Chertoff said. Schneier concurred, noting that holding individuals at a company accountable for certain protections has worked with environmental regulations and Sarbanes-Oxley, the post-Enron law that requires directors and executives to certify their financial results.'"
“We trust our employees. It's their relatives and friends we don't trust.” What happens on your own time determines your grade at school and now, your continued employment.
http://www.pogowasright.org/?p=20961
Should Govt. Employers Be Allowed to Require Your Facebook Login?
February 19, 2011 by Dissent
Meredith Curtis of the ACLU of Maryland describes a case that should concern us all:
Maryland corrections officer Robert Collins approached the ACLU of Maryland late last year, disturbed that he was required to provide his Facebook login and password to the Maryland Division of Corrections (DOC) during a recertification interview. He had to sit there while the interviewer logged on to his account and read not only his postings, but those of his family and friends too.
[...]
On January 25, the ACLU of Maryland sent a letter (PDF) to Public Safety Secretary Gary Maynard on behalf of Officer Collins, concerning the Division of Correction’s blanket requirement that applicants for employment with the division, as well as current employees undergoing recertification, provide the government with their social media account usernames and personal passwords for use in employee background checks.
[...]
The demand for Facebook login information is not only a gross breach of privacy for Officer Collins and his friends, it raises significant legal concerns under the Federal Stored Communications Act and Maryland state law, which protect privacy rights and extend protections to electronic communications.
Read more about the case on the ACLU of Maryland’s blog. h/t, The Atlantic
What does it tell them? Where their clients should commit their crimes?
http://www.bespacific.com/mt/archives/026561.html
February 19, 2011
Comparative Criminal Procedure
Via the terrific law librarians at University of Chicago at the D'Angelo Law Library, Comparative Criminal Procedure: "This research guide prepared for Professors Ginsburg and McAdams' Comparative Criminal Procedure Seminar (LAWS 41702) lists selected English-language resources on comparative criminal procedure. It focuses on journal articles, book chapters, and treatises covering comparative criminal procedure generally, criminal procedure in multiple jurisdictions, and specialized research topics in comparative criminal procedure such as: arrest, pre-trial detention, interrogation, right to counsel, legal assistance for indigent defendants, discovery, plea bargaining, trial by jury, the privilege against self-incrimination, inquisitorial versus accusatorial systems, role of prosecutors, judges and defense attorneys, cross-examination, exclusionary rules, sentencing, death penalty, criminal appeals, and double jeopardy."
Interesting video. Some “opt outs” require lots of effort...
http://cnettv.cnet.com/8301-13415_53-20033968-11.html
How To: Take Back Your Privacy from Data Brokers
Data brokers, data harvesters, people finders: Whatever you call them, they roll up a huge amount or real and deduced information about you to create a dossier on your life that anyone can buy or even browse for free. While the nuggets of information about you are already out there, the way these sites aggregate it makes a lot of people feel very invaded. Watch this video to see how you can opt out, to a degree, then use the links below to start taking back your privacy.
Opt out tools: Spokeo PeopleSmart Pipl Peek You (email link): Include the PeekYou.com address of you profile to have it suppressed. ZabaSearch
No comments:
Post a Comment