All their FAQ says is that the data was collected in “the normal course of business.” What reasons would they have to collect customer data? Shipping info, contact information for “special orders,” job applications, credit card applications, etc. Also:
Up to 70 million individuals may be affected.
I read that as 70 million MORE than the 40 (or 46) million due to use of credit cards. Or am I being too picky?
From their press release of today:
MINNEAPOLIS — January 10, 2014
Target today announced updates on its continuing investigation into the recent data breach and its expected fourth quarter financial performance.
As part of Target’s ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach.
This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.
Much of this data is partial in nature, but in cases where Target has an email address, the Company will attempt to contact affected guests. This communication will be informational, including tips to guard against consumer scams. Target will not ask those guests to provide any personal information as part of that communication. In addition, guests can find the tips on our website.
…
To learn more, please go to target.com/databreach.
You can read the full press release, with Fourth Quarter outlook and other investor-related information here.
(Related) That moves Target into First Place! Congratulations!
2013 Top 20 Breaches
… you’d better browse the following chart.
It collects the most devastating breaches in terms of number of records affected, and has been drawn based on the data collected by Hackmageddon.com during this endless infosec year.
A most amusing rant. If you leave the barn door unlocked, will your insurance company refuse to reimburse you for stolen tractors? (Just updating a metaphor) If not, would the insurance company's stockholders take action?
To what extent is an organisation liable when they get security wrong?
I was amused (and frankly a little bewildered) the other day to see this bloke in the paper:
What he’s holding there is a fine… for leaving his car windows down a little. You see, the police down here took a view that in doing so he was inviting criminals to break into his car by very clearly leaving his security in a compromised state. This, in turn, deserved a $44 fine.
… Which brings me to Snapchat and more specifically, their defence following last week’s breach of 4.6 million accounts:
In an interview last week, a top company executive blamed abuse by hackers — not the company’s own software.
Ah, so not their fault at all, it was those pesky hackers! Obviously they weren’t aware that they’d proverbially left their windows down, right? Well that’s the interesting bit because after the risks were well-documented publicly in August, Snapchat responded… four months later. So they knew about the risks.
Then the risks were further detailed just before Xmas and Snapchat responded again:
Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.
“Theoretically”, if you were able to stick your arm through an open window you could open a car door. That’s just theoretical, of course.
Anyway, next thing you know we have 4.6 million phone numbers and usernames out in the wild yet somehow, Snapchat is not to blame. This isn’t just leaving your windows down a bit on one occasion, this is leaving them down and the keys in the ignition for months on end and being warned multiple times about the risk and still thinking you’re not to blame.
(Related) Perhaps this is the year of “Pointing out the obvious!”
Paul Rubens reports:
“The solution to government surveillance is to encrypt everything.”
So said Eric Schmidt, Google’s chairman, in response to revelations about the activities of the US National Security Agency (NSA) made by whistle-blower Edward Snowden.
Schmidt’s advice appears to have been heeded by companies that provide internet-based services. [But not until Snowden kick-started a public flap. Bob]
I especially appreciated the following statements in light of a conversation I had recently with a Henry Schein representative about the level of “encryption” their dental software provides:
Using a longer encryption key makes it harder for hackers or governments to crack the encryption, but it also requires more computing power.
But Robert Former, senior security consultant for Neohapsis, an Illinois-based security services company, says many companies are overestimating the computational complexity of encryption.
“If you have an Apple Mac, your processor spends far more time making OS X look pretty than it does doing crypto work.”
He therefore recommends using encryption keys that are two or even four times longer than the ones many companies are currently using.
“I say use the strongest cryptography that your hardware and software can support. I guarantee you that the cost of using your available processing power is less than the cost of losing your data because you were too cheap to make the crypto strong enough,” he says.
“No-one ever got fired for having encryption that was too strong.”
Read more on BBC.
How about this objective metric instead: If the new technology allows surveillance of a type not possible by a normal human (e.g. infrared search for marijuana 'grow lights') it violates a reasonable expectation of privacy.
Ashkan Soltani writes:
The Yale Law Journal Online (YLJO) just published an article that I co-authored with Kevin Bankston (first workshopped at the Privacy Law Scholars Conference last year) entitled “Tiny Constables and the Cost of Surveillance: Making Cents Out of United States v. Jones.” In it, we discuss the drastic reduction in the cost of tracking an individual’s location and show how technology has greatly reduced the barriers to performing surveillance. We estimate the hourly cost of location tracking techniques used in landmark Supreme Court cases Jones, Karo, and Knotts and use the opinions issued in those cases to propose an objective metric: if the cost of the surveillance using the new technique is an order of magnitude (ten times) less than the cost of the surveillance without using the new technique, then the new technique violates a reasonable expectation of privacy. For example, the graph above shows that tracking a suspect using a GPS device is 28 times cheaper than assigning officers to follow him.
Read more on Ashkan Soltani.
You can read the full article on Yale Law Journal Online or download the PDF.
(Related)
With Great Computing Power Comes Great Surveillance
… We have yet to fully grasp the implications of cheap surveillance. The only thing that is certain is that we will be seeing a great deal more surveillance—of ordinary citizens, potential terrorists, and heads of state—and that it will have major consequences.
… To my mind, there are two broad classes of automated surveillance—participatory and involuntary, and the line that separates them is fuzzy. Participatory surveillance arrived with the widespread use of the Internet. During this period users were actively involved in exposing their information over the Internet when they provided personal information in the course of purchasing products, searching for information, or interacting on social networking sites.
People were voluntary participants in the surveillance process even if they did not fully understand its implications. When they granted companies the right to use their information, they got services of great value in return.
… Involuntary surveillance on a large scale—driven by Moore’s Law—arrived shortly thereafter. Its primary instruments are cellphones, smartphones, GPS, and inexpensive cameras. When these devices are employed, there is no need for users to be actively involved in creating information about their activities. They get little or nothing in return for involuntarily providing valuable information about themselves.
Complete this sentence in 25 words or less: This data must be available to anyone because...
Kaimipono D. Wenger writes:
Did you ever want to know Donny Osmond’s birthday, along with his voter registration status? Now you can find out, through a simple website which has posted the entire Utah state voting roll to the internet in easily searchable form. What if you’re looking in Colorado, Connecticut, or a half dozen other states? Their voter rolls are online too, sometimes with additional information like addresses.
Read more on Concurring Opinions.
[I can check individual voter registration here: https://www.sos.state.co.us/voter-classic/secuVoterSearch.do?transactionType=voterSearch
[Everyone here: http://coloradovoters.info/
For my Students (at the risk of being redundant)
Employers the world over tell us that what truly counts in hiring decisions is not the rote knowledge that helps college students answer examination questions, but skills and competencies that are essential for, and often developed at, work. To be useful, the bricks of modern education need the straw of experience-based skills.
… McKinsey’s reports on education-for-employment initiatives drew the same linkages. And research by Ithaka for Innovate+Educate confirms that prior job performance is twice as effective a predictor of future performance as an academic degree; a job tryout is four times as effective; and a cognitive skills assessment, five times as effective as a paper degree.
Because Google bought them!
First things first: Timely made quite a splash when it launched, and now it got bought up by Google. We know where the story is likely to go from here (i.e., assimilation into some other Google product), but for now, it means that all of the features that used to require in-app purchase are completely free!