Saturday, December 07, 2013

Small, but so easily preventable. Again.
Ed Beeson reports:
Nearly 840,000 members of Horizon Blue Cross Blue Shield are being notified that their personal information may have been contained on a pair of laptops that were stolen from the insurer’s Newark headquarters last month.
The stolen laptops were password-protected, [Absolutely worthless for securing data Bob] but had unencrypted data, [“What we have here, is a failure to communicate!” Bob] Horizon said in a statement today. A subsequent investigation determined that the computers may have contained files with member information, including names, addresses, dates of birth and, in some instances, Social Security numbers and limited clinical information, the insurer said.

Is there a “Center for Helping Lawyers Deal with Breaches” that provides victims with alternative strategies and a clear picture of the legal risks of each? I often get the impression that lawyers are treating each breach as the first one ever.
The JPMorgan Chase Ucard breach reported previously on this blog affects residents of numerous states. As such, not only do I expect to see lawsuits filed, but state attorneys general will likely jump into the act to protect their respective residents. Did JPMorgan Chase promptly notify their residents and are they offering enough remediation and support? Some may argue that they haven’t in light of media reports that affected cards are not being replaced, and states will be negotiating/posturing to get more for their residents.
Here’s a statement from Connecticut’s State Treasurer. Some snippets that show which way the wind may be blowing:
My office has been advised by JPMorgan Chase that during the two-month period between July and September, certain information entered by cardholders on the UCard website — particularly during the process of activating cards and of transferring balances — was subject to unauthorized access. Such information that could have been exposed includes: name, social security number, bank account number, card number, date of birth, security answer, password, address, phone number and e-mail address.
While JPMorgan Chase represents that it has found no evidence of improper activity on these accounts since September, as a precaution – and at our direction – the company is notifying all affected cardholders that it will provide them two years of credit monitoring free of charge. Nonetheless, I am dismayed that JPMorgan Chase delayed informing my Office of this security breach for two and a half months — from mid-September, when they first learned of it, until this week. They should have picked up the phone immediately and called us. That the company failed to communicate this security breach in a timely manner raises concerns over its culture of compliance and broader governance issues.
Upon learning of this data breach on Tuesday, my Office promptly informed all state agencies affected, and we are now working with JPMorgan Chase to ensure that all affected cardholders are notified immediately. The company will explain to cardholders what specific personal information may have been compromised. My office also has been in contact with Attorney General Jepsen’s office, and has been advised that his office’s privacy task force was recently notified of the breach and will be looking into it.
Note the text I emphasized above. Connecticut insisted JPMorgan Chase offer two years of free credit monitoring. When Louisiana disclosed the breach (they were the first state to issue a statement), they said their residents will be getting one year of free credit monitoring. Will Louisiana now go back to JPMorgan Chase and insist on two years? Will other states? And will some state attorneys general attempt to impose monetary penalties on Chase for failing to notify more promptly?
Oh yeah, this is going to be an expensive breach for JPMorgan Chase….
Update: Here’s the template for JPMorgan Chase’s notification letter to those affected (pdf). If the hacker accessed passwords & JPMorgan Chase isn’t re-issuing Ucards, it’s odd that they just “recommend” people change their passwords.

“It's for health reasons. We don't want to raise anyone's blood pressure!”
Eric Boehm writes:
Americans who buy health insurance through the federal Obamacare exchange website could have their personal information stolen by hackers and never even know it.
Most of the state-run health exchange websites will be covered by state laws that require notification when government databases are breached by hackers. But there is no law requiring notification when databases run by the federal government are breached, and even though the Department of Health and Human Services was asked to include a notification provision in the rules being drawn up for the new federal exchange, it declined to do so.
Read more on Before It’s News.

E-cubed intelligence gathering. Everyone, Everything, Every day. (Because you expect us to keep you safe.)
Philip Dorling reports:
Australia’s leading telecommunications company, Telstra, has installed highly advanced surveillance systems to “vacuum” the telephone calls, texts, social media messages and internet metadata of millions of Australians so that information can be filtered and given to intelligence and law enforcement agencies.
The Australian government’s electronic espionage agency, the Australian Signals Directorate, is using the same technology to harvest data flows carried by undersea fibre-optic cables in and out of Australia.
Read more on The Age.

Sounds like they have better lawyers than the FTC...
The creator of one of the most popular apps for Android mobile devices has agreed to settle Federal Trade Commission charges that the free app, which allows a device to be used as a flashlight, deceived consumers about how their geolocation information would be shared with advertising networks and other third parties.
Goldenshores Technologies, LLC, managed by Erik M. Geidl, is the company behind the “Brightest Flashlight Free” app, which has been downloaded tens of millions of times by users of the Android operating system. The FTC’s complaint alleges that the company’s privacy policy deceptively failed to disclose that the app transmitted users’ precise location and unique device identifier to third parties, including advertising networks. In addition, the complaint alleges that the company deceived consumers by presenting them with an option to not share their information, even though it was shared automatically, rendering the option meaningless.
The settlement with the FTC prohibits the defendants from misrepresenting how consumers’ information is collected and shared and how much control consumers have over the way their information is used. The settlement also requires the defendants to provide a just-in-time disclosure that fully informs consumers when, how, and why their geolocation information is being collected, used and shared, and requires defendants to obtain consumers’ affirmative express consent before doing so.
The defendants also will be required to delete any personal information collected from consumers through the Brightest Flashlight app. [“Including data we already sold to our many customers?” Bob]
The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through Jan. 6, 2014,

“I believe that you might have done something in Seattle that violated my Privacy here in London. Maybe. Possibly.” Somehow, I don't see this working...
Fiona O’Cleirigh reports:
A British citizen’s UK court action will test the legal right of Microsoft to disclose private data on UK citizens to the US electronic spying organisation, the National Security Agency (NSA).
The case will shine a light on the legality of top secret US court orders which require US technology companies to disclose details of foreign users’ private communications.
Kevin Cahill, a British journalist, has brought the case in the Lord Mayor’s and City of London County Court. The case centres on Cahill’s belief that Microsoft breached the security of his email account.

Another tool for my Intro to Computer Security students...
Telepathwords from Microsoft Research Shows You the Weakness of Your Password
Telepathwords from Microsoft Research is a simple site designed to show you the strength or weakness of your passwords. As you type a password (either one you actually use or one you're thinking of using) into Telepathwords, it tries to predict the next character that you will type. Telepathwords shows you the three most common characters that follow the character you typed. When you're done typing, you'll see green check marks and red "Xs" above your password's characters. Green means that character is easy to predict and red means it is not easy to predict.
Telepathwords could be a good resource to use with students of all ages when you're trying to illustrate the qualities that go into a strong password.
The following videos offer some good advice about crafting passwords.
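As an added illustration for the classroom (not Telepathwords' own code, which is not on this page), here is a minimal next-character predictor in the same spirit: a bigram model built from a small constructed list of common passwords flags each character that appears among the three most likely successors of the character before it, and the more characters it fails to guess, the harder the password is to predict.

```python
from collections import Counter, defaultdict

# Constructed sample corpus standing in for the large password and word lists a
# real predictor is trained on; these are not Telepathwords' own data.
SAMPLE_CORPUS = [
    "password", "password1", "passw0rd", "letmein", "welcome",
    "qwerty", "123456", "1234567", "12345678", "abc123", "iloveyou",
]
START = "^"  # marker meaning "no character typed yet"
TOP_N = 3    # Telepathwords shows the three most likely next characters


def build_bigram_model(corpus):
    """Count, for every character, which characters tend to follow it."""
    follows = defaultdict(Counter)
    for word in corpus:
        prev = START
        for ch in word:
            follows[prev][ch] += 1
            prev = ch
    return dict(follows)


def predict_next(model, prev, n=TOP_N):
    """The n most common characters seen after `prev` (empty if never seen)."""
    return [ch for ch, _ in model.get(prev, Counter()).most_common(n)]


def mark_predictable(password, model):
    """One bool per character: True when the predictor would have guessed it."""
    marks = []
    prev = START
    for ch in password:
        marks.append(ch in predict_next(model, prev))
        prev = ch
    return marks


def unpredicted_count(password, model):
    """Rough strength score: how many characters the predictor failed to guess."""
    return sum(not m for m in mark_predictable(password, model))


if __name__ == "__main__":
    model = build_bigram_model(SAMPLE_CORPUS)
    for pw in ("password1", "qwerty", "Tr!ck3d#owl"):
        marks = mark_predictable(pw, model)
        # 'P' under a character means it was predicted; '.' means it was not.
        print(pw, "".join("P" if m else "." for m in marks), unpredicted_count(pw, model))
```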
