Wednesday, May 29, 2013

From the article, this seems to be a case of “similar vulnerabilities” rather than a central (third party) victim. If so, it's the first I've seen. Perhaps a common vendor opened the door into the various companies?
Stephen Betts reports:
The Port Clyde General Store was one of hundreds of companies across the country that had data from its customers’ credit cards breached by hackers recently.
Attorney Stephen Hayes of Augusta, who represents the store, confirmed that the market was notified by police on May 21 that its system for processing credit card payments “had been compromised by a sophisticated group of criminal hackers.”
Read more on Bangor Daily News. The article also notes other breach reports recently received by the Maine Attorney General’s Office, including Vendini, Beachbody LLC, YourTel, the Edgemont Centre, Piedmont Healthcare P.A., Green Fun Store (operated by AHW LLC), and TD Bank.
The following statement was posted on the Port Clyde General Store’s web site:
… The data breach was discovered during an investigation of data security breaches that impacted dozens of Maine businesses and hundreds of companies across the United States.
… Port Clyde General Store uses an outside professional firm to install and manage the hardware and software for its credit card processing. The measures employed to protect customer data complied with all state and federal requirements, including encryption of customer data and daily erasure of customer information following transmission to the card processing company. The servers are protected by firewalls and are regularly scanned with updated antivirus and anti-malware software. The security breach was caused by malware that was designed to avoid industry-standard precautions.
Many of our employees also encountered problems. [Does that suggest more than that they used their credit cards in the store? Bob]


Deans are not Gods? That's not what they tell me!
Actions have consequences.
The Atlantic Wire reports that the Harvard Dean involved in the controversial search of some faculty’s emails is stepping down, presumably because of the incident.


What do they teach “Education” majors?
Susan Sarkauskas reports on a case in Batavia, New York that raises some important questions:
A Batavia High School teacher’s fans are rallying to support him as he faces possible discipline for advising students of their Constitutional rights before taking a school survey on their behavior.
They’ve been collecting signatures on an online petition, passing the word on Facebook, sending letters to the school board, and planning to speak at Tuesday’s school board meeting.
Students and parents have praised his ability to interest reluctant students in history and current affairs.
But John Dryden said he’s not the point. He wants people to focus on the issue he raised: Whether school officials considered that students could incriminate themselves with their answers to the survey that included questions about drug and alcohol use.
Read more on Daily Herald.
We need more details on what, exactly, the parents were told about the contents of the survey – including whether they were told that their children’s responses would be stored for future use and comparison. And in those states that might be sharing data with entities designated as “school officials,” were parents told specifically who would have access to their children’s sensitive information? Were they told if data would be stored only locally or in the cloud?
Although the teacher used it as a moment to teach the 5th Amendment right against self-incrimination, what privacy rights do students have if their parents have not opted them out of a district or school survey? Does a student have the right to say, “This is too personal. I decline to answer?”
And if you don’t know whether your children have the right to (safely) refuse, whom will you ask?


“We said, 'self regulating' not 'if you feel like it.'”
Brent Kendall reports:
The Federal Trade Commission is offering a strong defense of its powers to police cybersecurity practices against a challenge by Wyndham Worldwide Corp.
We wrote about Wyndham’s challenge earlier this month in a case involving attacks by hackers on the hotel chain’s computer systems between 2008 and 2010. The FTC sued Wyndham last year for allegedly lax data security that let hundreds of thousands of credit-card numbers get stolen. The company said the government was unfairly seeking to punish the victim of the crime instead of the hackers who perpetrated it.
Now the FTC is firing back, arguing in a new court filing that corporations that collect consumer data bear responsibility for protecting it. [What a concept! Bob]
“The FTC is not suing Wyndham for the fact that it was hacked, it is suing Wyndham for mishandling consumers’ information such that hackers were able to steal it,” the agency said in a court filing this week.
In a battle of analogies, Wyndham argued the FTC suit was “the Internet equivalent of punishing the local furniture store because it was robbed and its files raided.”
The FTC’s new filing offered a different picture. “A more accurate analogy would be that Wyndham was a local furniture store that left copies of its customers’ credit and debit card information lying on the counter, failed to lock the doors of the store at night, and was shocked to find in the morning that someone had stolen the information.”
Read more on WSJ. This is a case I’ve been following since the hacks were first disclosed, and represents the first time a data breach complaint by the FTC will be adjudicated by a court instead of reaching a settlement. The Chamber of Commerce and others, including TechFreedom, have jumped in on Wyndham’s side. Their argument emphasizes the point that the FTC has never promulgated clear rules that would provide fair notice to businesses as to what actions constitute “unfair or deceptive” practices under the FTC Act. Of course, in many cases, the FTC draws upon other statutes, e.g., if it would be violative of the GLBA or other statutes to do something, that makes it an unfair or deceptive practice for purposes of the FTC. Similarly, the FTC often looks to “industry standards” in determining whether an entity failed to provide adequate security. It also looks to statements made in an entity’s privacy policy or Terms & Conditions to determine what representations the entity made about data security and whether they lived up to those representations.
One criticism that has been lodged against the FTC’s data security actions is that in many cases, there really is no showing of harm or injury to the consumers, who may be protected by their banks for any fraudulent charges on their credit cards. Because most court cases involving data breaches result in dismissal for lack of standing due to absence of demonstrable harm, some (like Michael D. Scott) argue that the FTC should not be able to apply or enforce its powers in cases where you cannot demonstrate that consumers were objectively harmed.
To be clear: I’m hoping the FTC prevails. And if Congress doesn’t like the outcome, then let them get off their asses and introduce legislation that protects consumers from inadequate data security. Congress wanted to avoid legislation and let industry regulate itself, so as not to stifle innovation. All well and good, but with almost every entity suffering data breaches, someone’s got to protect consumers from inadequate security, and the FTC stepped up to the plate. This is no time to go backwards.
The Wyndham case does not strike me as unusual in terms of the grounds the FTC cited for its action. What makes it unusual is that Wyndham didn’t settle and is fighting this. If Wyndham is successful in getting the case dismissed, that will be a serious setback for the FTC. If the FTC wins, I expect we’ll see many businesses paying even more attention to data security.

(Related)
You can read their brief here. Their brief incorporates some of the issues I discussed in my previous blog entry on this case earlier today, and I’m glad to see it.


Sometimes you don't need a second court to get a reversal... What happens if the decrypted files are not what the government told the court they were?
Cyrus Farivar reports:
A federal judge who had previously declined to force a Wisconsin suspect to decrypt several hard drives believed to contain child pornography has now changed his mind. After considering new evidence, the judge wrote in an order last week (PDF) that the Milwaukee-area man now must either enter the passwords for the drives without being observed by law enforcement or government counsel or must provide an unencrypted copy of the data.
Read more on Ars Technica.


Were they able to seize any of that money?
Liberty Reserve Founder Indicted on $6 Billion Money-Laundering Charges
The founder of digital currency system Liberty Reserve has been indicted in the United States along with six other people in a $6 billion money-laundering scheme, in what authorities are calling the largest international money-laundering case ever prosecuted, according to documents unsealed today.
Dubbed the “financial hub of the cyber-crime world,” authorities say Liberty Reserve had more than 1 million users worldwide and processed more than 12 million transactions annually as the favored money-laundering service for carders, hackers and other cybercriminals in the digital underground who used it to transfer money around the world effortlessly and anonymously.
According to the indictment (.pdf), Liberty Reserve was used to launder more than $6 billion in criminal proceeds.
… Liberty Reserve required only a valid email address to open an account and initiate transactions. It charged a 1 percent fee for each transaction and, for an additional 75 cents, offered to hide a user’s account number in transactions.


Online research tool
Scrible - Bookmark, Annotate, and Create Bibliographies
Scrible is a free service offering a nice set of tools for highlighting, annotating, and bookmarking webpages. Scrible offers browser bookmarklets for Firefox, Chrome, Safari, and Internet Explorer. With the Scrible bookmarklet installed, anytime you're on a page just click the bookmarklet to launch a menu of bookmarking tools. The Scrible tool set includes highlighters, sticky notes, and font change tools. When you annotate and bookmark a page in Scrible it is saved as it appeared to you when you were done altering it. And as you would expect from a web-based bookmarking tool, you can share your bookmarked pages with others. Students can get a free Scrible account that has double the storage capacity of the standard free account.
Scrible recently added an option for formatting bibliographies as you bookmark. Scrible also has a new feature that allows you to compile your article clippings into one package.
… The benefit of using a tool like Scrible is that students can take notes on their bookmarks and bookmark only the parts of a website that they need to reference in their reports. Saving bookmarks in this manner saves time when you go back to visit a site because you'll immediately see what it was that prompted you to bookmark it in the first place.