Monday, January 20, 2014
When you put all your eggs in one basket, you need to really, really protect that basket!
20 million people fall victim to South Korea data leak; FSS calls on financial institutions to improve protections against insider leaks
The personal data of at least 20 million bank and credit card users in South Korea has been leaked, state regulators said Sunday, one of the country’s biggest ever breaches.
Many major firms in the South have seen customers’ data leaked in recent years, either by hacking attacks or their own employees.
In the latest case, an employee from personal credit ratings firm Korea Credit Bureau (KCB) has been arrested and accused of stealing the data from customers of three credit card firms while working for them as a temporary consultant.
Seoul’s financial regulators on Sunday confirmed the total number of affected users as at least 20 million, in a country of 50 million.
The stolen data includes the customers’ names, social security numbers, phone numbers, credit card numbers and expiration dates, the Financial Supervisory Service (FSS) said in a statement.
The employee later sold the data to phone marketing companies, whose managers were also arrested earlier this month, prosecutors and the FSS said.
The information was taken from the internal servers of KB Kookmin Card, Lotte Card and NH Nonghyup Card.
Read more on AFP. There is no statement about today’s news on FSS’s website at this time. On January 13, however, the Financial Supervisory Service (FSS) had a meeting with financial company executives in charge of the safety and security of customer data. At the meeting, about 90 Chief Information Security Officers and Chief Privacy Officers were present (see press release).
The AFP report also mentions earlier incidents, including one from last month involving Citibank Korea that I was not previously aware of. In researching that one, I found this article that explains:
The South Korean prosecutors’ office said in a Dec. 11 statement it arrested an employee of “Bank C” for leaking information on 34,000 clients, including details of lending contracts.
Citibank Korea confirmed in an e-mail yesterday that it was “Bank C.” The Seoul-based unit conducted its own investigation at the FSS’ request following the arrest, it said, without elaborating on the results of the probe.
And Korea Times reported:
The employee at Citibank printed the data of 34,000 customers on 1,100 pieces of paper [Very unusual Bob] and gave them to private loan service providers in April, while the worker at SC’s subcontracted IT center accessed the computer files of the lender, transferred the personal data of about 104,000 customers onto a portable storage device between November 2011 and February 2012 and sold it to a broker.
The prosecution said the leaked information includes customers’ names, phone numbers, their employers and the amount of any outstanding loans, which are also suspected of being used in a voice-phishing scam.
Not many details, but they will come out eventually.
Even as security analysts are wading through the issues with the Target breach, new information is emerging about Neiman Marcus’ woes. According to the New York Times, hackers infiltrated the luxury retailing giant’s computer network as far back as July.
… “In mid-December, we were informed of potentially unauthorized payment card activity that occurred following customer purchases at our stores.
Replace credit and debit cards and all forms of ID?
CES 2014: Could a palm scanner make transactions safer?
A device called the Pulse Wallet could create a new and secure way to confirm financial transactions.
The technology, which is currently in use in cash machines in Brazil and Japan, uses an infrared camera to scan the vein pattern in a person's hand.
While signatures can be forged and pin codes cracked, vein patterns are thought to be unique and more difficult to copy.
Dang! I thought everyone was was protected. Sorry readers.
Eugene Volokh – Bloggers = Media for First Amendment Libel Law Purposes
by Sabrina I. Pacifici on January 19, 2014
“So holds today’s Obsidian Finance Group v. Cox (9th Cir. Jan. 17, 2014) (in which [Eugene Volokh] represented the defendant). To be precise, the Ninth Circuit concludes that all who speak to the public, whether or not they are members of the institutional press, are equally protected by the First Amendment. To quote the court,
The protections of the First Amendment do not turn on whether the defendant was a trained journalist, formally affiliated with traditional news entities, engaged in conflict-of-interest disclosure, went beyond just assembling others’ writings, or tried to get both sides of a story. As the Supreme Court has accurately warned, a First Amendment distinction between the institutional press and other speakers is unworkable: “With the advent of the Internet and the decline of print and broadcast media … the line between the media and others who wish to comment on political and social issues becomes far more blurred.” Citizens United, 558 U.S. at 352. In defamation cases, the public-figure status of a plaintiff and the public importance of the statement at issue — not the identity of the speaker — provide the First Amendment touchstones.”
Now you can be as secure as James Bond! Or at least as the British version of the NSA can make you.
UK – 10 Steps to Cyber Security
by Sabrina I. Pacifici on January 19, 2014
“The Government and intelligence agencies are directly targeting the most senior levels in the UK’s largest companies and providing them with advice on how to safeguard their most valuable assets, such as personal data, online services and intellectual property. The Cyber Security Guidance for Business, produced by CESG (the Information Security arm of GCHQ), the Department for Business Innovation and Skills (BIS) and the Centre for the Protection of National Infrastructure (CPNI), will help the private sector minimise the risks to company assets. The guidance includes:
You say FOIA compliance, I say thoughtless. Either way, I have no say. Government knows best?
Texas Farmer J Allen Carnes Blasts EPA for Privacy Breach Impacting Thousands of Family Farmers and Ranchers
Sometimes what we typically think of as non-sensitive information can be problematic in the wrong hands. This case is a useful reminder of that.
J Allen Carnes who owns about 4000 acres of farmland in Uvalde, Texas, 90 minutes from the Mexican border, today reacted to the Environmental Protection Agency’s weak apology for releasing private information on farmers and ranchers across the United States.
Carnes says he is outraged that the EPA gave farmers’ and ranchers’ personal information, from their home addresses, to email addresses, telephone numbers, personal notes and more, to environmental activists under the guise of the Freedom of Information Act putting the agriculture community at risk for agro-terrorism.
Read more on Fort Mill Times.
Coming soon to a Health Care database near you!
Randeep Ramesh reports:
Drug and insurance companies will from later this year be able to buy information on patients – including mental health conditions and diseases such as cancer, as well as smoking and drinking habits – once a single English database of medical data has been created.
Harvested from GP and hospital records, medical data covering the entire population will be uploaded to the repository controlled by a new arms-length NHS information centre, starting in March. Never before has the entire medical history of the nation been digitised and stored in one place.
Once live, organisations such as university research departments – but also insurers and drug companies – will be able to apply to the new Health and Social Care Information Centre (HSCIC) to gain access to the database, called care.data.
If an application is approved then firms will have to pay to extract this information, which will be scrubbed of some personal identifiers but not enough to make the information completely anonymous – a process known as “pseudonymisation”.
Read more on The Guardian.
Given the NHS’s repeated failures to adequately secure patient information, this just seems to be a privacy Chernobyl waiting to happen. And no, I’m not just talking about the risk of re-identification, which they identify as a “small, theoretical risk.” I’m thinking of hacks, insider breaches, and other sources of compromise, too.
Should I file this under “Humor” or “Branding?” My students thought McDonald should sell McJoints and McMunchies, but it looks like we were too slow to copyright our ideas.
Companies woo the weed crowd with artful, edgy ads
… Fast-food restaurants such as Jack in the Box have been delicately plying the pot pitch with ads such as "Jack's Munchie Meal."
… This month, playing off the approved use and sale of marijuana in the Rocky Mountain State, Spirit Airlines further nudged that content needle by dangling discounted fares in Colorado where, its ad informs, “the no smoking sign is off," beckoning flyers to "get mile high."
For my programming students.
Write Mobile Apps For Any Platform With Intel XDK
Not perfect, but useful. (Should be matched with a pronunciation site)
– is a Google Translate mashup where you can enter a phrase and then the phrase is automatically translated and placed over each country. Just remember, translations are generated automatically, and some may be inaccurate. Just one translation is provided for each word; watch out for words with multiple meanings, and if Google Translate cannot find a translation, it simply shows the English word.
For my nephew, and my students who appreciate the classics...
15 Free Classic Rock Music Downloads [Sound Sunday]
Rdio Goes Free After Spotify Drops Time Limits
It’s a good time to be a streaming music fan at the moment, as each of the big players tries to grab the headlines from the other. The news at the moment is that Rdio is now completely free to users, after Spotify dropped all remaining time limits with regards to usage.
There are two catches to the Rdio offer – one, it is only available to US residents, and secondly, you will have to listen to occasional adverts
… Speaking of Spotify, … Now you can listen to music for as long as you want for free – along with the adverts. Upgrading to a paid plan now will remove those adverts.