Saturday, January 27, 2007

Probably not targeted identity theft...

http://www.wsls.com/servlet/Satellite?pagename=WSLS%2FMGArticle%2FSLS_BasicArticle&c=MGArticle&cid=1149192869390&path=!news!localnews

Anthem Blue Cross Blue Shield customer information stolen

WSLS NewsChannel 10 Friday, January 26, 2007

Anthem Blue Cross Blue Shield says information for about 50,000 of its Virginia customers was stolen.

That information includes social security numbers and names.

Anthem says the information was on cassette tapes, being stored in a lock box, at one of its vendors.

The company doesn't think whoever took that lock box knew what was inside, or was after the information.



Another “We have no clue” story

http://www.dailypilot.com/articles/2007/01/26/front/doc45ba618886459435458713.txt

Computers stolen from college financial aid office

Thousands of Vanguard University students are at risk for identity theft and fraud.

By Michael Alexander

Two computers stolen from Vanguard University earlier this month have put more than 5,000 financial aid applicants at risk for identity theft, authorities said today.

On Jan. 16, school employees discovered someone had taken the computers from the school’s financial aid office over the Martin Luther King weekend. Initially university officials had no idea the computers contained sensitive data, [Didn't the Financial Aid bit give you a clue? Bob] said Ed Westbrook, the school’s vice president of student affairs.

“At first we thought it was just computer theft,” he said. “But when we had the IT [information technology] people there trying to get logged in and determine what was lost, they said we had a problem.”

University officials did not believe the computers kept financial aid data on their hard drives, [Against school policy? Bob] Westbrook said. But last Friday they learned apparently the machines stored that information, including social security numbers, dates of birth, phone numbers, driver’s license numbers and lists of assets.

“When it was passing through that computer it remained on that computer even though we couldn’t see [Huh? Bob] it on the hard drive,” he said. “If they’re sophisticated they might be able to hack into this thing.”



Listen to what you are saying, people...

http://www.fortwayne.com/mld/newssentinel/16554895.htm

INDOT employee info posted on internal computer drive

MIKE SMITH Associated Press

INDIANAPOLIS - The names and Social Security numbers of about 4,000 employees of the Indiana Department of Transportation were inadvertently posted on an internal network computer drive, the agency said Friday.

In a letter sent to the workers Friday, INDOT Commissioner Karl Browning said the file was available to any employee with computer access and could have been viewed by a limited number of third-party contractors with access to the drive. The file was posted on the drive sometime between Sept. 6 and Dec. 4 last year. [“We don't keep no stinking audit trails...” Bob]

"The file was removed from all computer systems and our Information Technology staff is performing an extensive search of all other hard drives for any lists containing this type of information," [The only way they can tell? Bob] Browning said in the letter.

The letter asked employees to contact an agency official if they knew of electronic or print files containing personal information that was not secured.

... INDOT spokesman Andy Dietrick said the agency learned of the problem from an employee who was using the computer system.

... "Please be assured that all appropriate steps are being taken [I don't think we would agree on the definition of “appropriate.” Bob] to prevent any further security lapses involving your personal information," he said.



Are they just hinting at big trouble? Why no details?

http://www.680news.com/news/local/article.jsp?content=20070126_075904_4236

Another possible security breach in Canada's retail sector

Friday, January 26, 2007 - 07:59 AM By: Jennifer MacDonald and Mike Eppel

Toronto - The popular clothing retailer, Club Monaco, has brought in the RCMP to investigate a possible security breach involving customers' credit cards.

The security issue pertains to the retailer's 28 stores across Canada.

This comes just a week after the parent company of Winners and Homesense, revealed its system was hacked into.

According to the Globe and Mail, Club Monaco says it was alerted to the problem by a credit card processor late last year, and a forensic accounting firm was brought in to help the RCMP with their investigation.

The Globe and Mail reports that banks and other card issuers have been notified of the problem, and have been going through their client records for any signs of fraud.

A spokeswoman for the company says investigators have so far found no evidence to suggest a breach occurred, and the data under investigation does not include the personal information of customers.

Club Monaco, now owned by Polo Ralph Lauren, was spearheaded by Canadian designer, Joe Mimram, who sold the stores in 1999.

It currently has 67 stores across North America.



These quotes intrigue me...

http://www.canada.com/nationalpost/story.html?id=35e332e2-c9f2-4321-836c-be2dbb804370

Banks find no fraud from hackers

Emily Mathieu Financial Post, with files Friday, January 26, 2007

Four out of five of the major Canadian banks have said there's not a single confirmed case of fraud reported from customers of Winners and Home Sense stores after hackers broke into computers belonging to the parent U.S.-based discount chain company.

... VISA Canada spokesperson Tania Freedman said it's too early to connect any reports of fraud with TJX, the parent company of Home Sense and Winners. Master Card was unavailable for comment.

"It's really difficult to link fraud back to a specific breach," she said.

TJX, based in Framingham, Mass., reported last week the sales and credit information of millions of customers was accessed through, and in some cases removed from, company databases. [First I've heard that... Makes me wonder if they could detect changes to their database? Would they be required to report changes or deletions? Bob]

... On Wednesday, the Massachusetts Bankers Association, which represents 205 commercial savings and loans institutions in Massachusetts and New England, said U.S. customer information from TJX stores is being used fraudulently in Hong Kong, Sweden, Florida, Georgia and Louisiana. Spokesperson Bruce Spitzer said only a "handful" of U.S. cards have been used for fraud, but that number is likely to rise.


Ditto

http://www.boston.com/news/local/rhode_island/articles/2007/01/26/nh_credit_and_debit_card_data_stolen_in_tjx_hacking/

N.H. credit and debit card data stolen in TJX hacking

January 26, 2007

... Meanwhile, bankers in New Hampshire are considering going to court over the breach, which was reported last week by TJX, the owner of T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the United States, as well as chains in Canada and England.

Jerry Little, president of the New Hampshire Bankers Association, said he estimates as many as 20 to 30 percent of people in New England could have had data stolen and that he and other banking industry leaders in the region are considering legal action.

"Our big question is, why was TJX storing the data to begin with, and are they willing to assume liability and responsibility for the problem they've created," [Can they avoid liability? Bob] he said.

... "This is already large, and growing," Little said. "We're not sure why the information is coming out in drips and drabs ... but it is."

... "Some customers get very, very upset when we reissue their card," said Rebecca Lougee, vice president of marketing. "Because by reissuing their card, we have to suppress their existing card. Then they get caught on vacation, or on the weekend, and their card is not active. Then they find themselves in an awkward position."



We all know that disclosure of “lost personal data” was mandated by law here in the US. (Okay, some states...) But apparently not everyone thinks that way...

http://www.canada.com/nationalpost/financialpost/story.html?id=15bc386e-28ba-4ee2-a72a-68e9e5115d8a&k=89839

Watchdog pushed CIBC on lost file

Duncan Mavin Financial Post, with files from Paul Vieira Friday, January 26, 2007

Canada's privacy watchdog said yesterday that it forced Canadian Imperial Bank of Commerce to go public last week with the announcement it lost a file containing private data on half a million mutual fund customer accounts.

"We were very concerned about the direction they were planning to take with respect to notifying the public, and we encouraged them to be as open and transparent as possible," said Anne-Marie Hayden, spokesperson for the Office of the Privacy Commission of Canada.

... NDP Finance critic Judy Wasylycia-Leis also weighed in, expressing dismay that CIBC may not have gone public on the data gaffe without external pressure.

"That makes this even more horrific," Ms. Wasylycia-Leis said. "If Canadians think the banks will only comply with certain standards of decency under duress from Parliament, then we've got a serious problem on our hands."


...but sometimes we don't do such a great job either...

http://www.nj.com/business/ledger/index.ssf?/base/business-5/1169532666221410.xml&coll=1

Garden State Business Briefs

Tuesday, January 23, 2007

Personal information about an unspecified number of current and former Prudential Financial employees was on a handful of laptop computers stolen from a consulting firm's New York offices, Prudential told employees last week.

Towers Perrin, which provides actuarial services for Prudential's pension program, said the information included employees' names and Social Security numbers. Prudential, based in Newark, said a percentage of its 23,000 domestic workers, some former employees and a small number of retirees are affected.

Spokesman Bob DeFillippo declined to provide more specifics.

The five laptops were stolen Nov. 27 by a Towers Perrin employee, according to a complaint filed by the Manhattan District Attorney. Prudential wasn't notified until Jan. 3 at the request of authorities, [What purpose does this serve? Bob] who arrested the Towers Perrin employee Dec. 28.

DeFillippo said Prudential didn't get a complete list of affected employees until Jan. 9 and a formal letter to those workers was sent last week.



What, you couldn't find it on Google Maps? Sounds like a great opportunity for a smart lawyer...

http://games.slashdot.org/games/07/01/26/2026257.shtml

eBay Delisting All Auctions for Virtual Property

Posted by Zonk on Friday January 26, @03:39PM from the definition-of-what-is-real dept.

The growing popularity of Massively Multiplayer games has brought the issue of ownership rights in virtual worlds, and the appropriateness of what is called 'real money transfer' (RMT) into an increasingly public light.

... Following up on a rumour that's been going around I spoke today with a media representative for the company, who confirmed that eBay is now delisting all auctions for 'virtual artifacts' from the site. This includes currency, items, and accounts/characters; not even the 'neopoints' used in the popular Neopets service is exempt from this decision.

... Mr. Hani Durzy, speaking for eBay, explained that the decision to pull these items was due to the 'legal complexities' surrounding virtual property.



Not everyone would agree on the ranking, but if a company is not doing all of these, are they negligent? There is much more detail in the article...

http://www.csoonline.com.au/index.php?id=1327256501&rid=-302

The best practices for network security in 2007

Gary S. Miliefsky, CSO Online 23/01/2007 16:25:34

... Here's my best practice list, in order of importance:

1. Roll out corporate security policies

2. Deliver corporate security awareness and training

3. Run frequent information security self-assessments

4. Perform regulatory compliance self-assessments

5. Deploy corporate-wide encryption

6. Value, protect, track and manage all corporate assets

7. Test business continuity and disaster recovery planning



http://www.law.com/jsp/article.jsp?id=1169719347007

Employers Winning Blog Suits -- So Far

Suits over work-related blogs sure to grow over defamation, trade secrets

Pamela A. MacLean The National Law Journal January 26, 2007

Litigation over employees blogging negatively about their jobs or bosses has been sparse, but most cases so far have come down on the side of the employer.

Yet observers predict that a pro-employer trend in litigation won't stop the growth of legal fights over blogs. The spontaneity and immediacy of computer blogging makes it as appealing as water cooler gossip only with a bigger watering hole, prompting companies to pony up policies controlling the practice.

"This is a challenge that has never before been confronted by the corporate environment," said Jerome Coleman, labor and employment litigator at Nixon Peabody's New York office.

The potential is there to disclose trade secrets, defame the company or create problems with co-workers and discrimination, he said. "But you can't put an outright ban on blogging," Coleman added.

Blogs, short for Web logs, have exploded in popularity in recent years because they allow anyone to publish pet peeves, gossip or anything from the serious to the mundane in a running commentary that can be updated easily.

Although the law is developing in the area, the few court rulings that have come down have been almost exclusively favorable to employers, according to Michael Fox in Ogletree, Deakins, Nash, Smoak & Stewart's Austin, Texas, office, who has had his own employment law blog for several years, "Employerslawyer."

"There are definitely people getting fired out there," he said, but added that there has not been much case law yet. One of the most famous concerns a Delta Airlines stewardess who posted photos of herself while posing in her uniform on her "Diary of a Flight Attendant" blog. Delta fired her and she sued for sex discrimination, Simonetti v. Delta Airlines Inc., No. 5-cv-2321 (N.D. Ga. 2005). The case is still pending.

... A few states protect private employee political speech, but even where there is no such protection, she envisions employers confronting the Railway Labor Act if they interfere with people gathering, through blogs, to critique such things as company benefits, wages and working hours.

... Another is the potential for a company to be dragged into a defamation action as a deep pocket if its resources were used for a blog that posts libelous material, she said. Disputes about employee blog posts will continue to show up in unfair termination cases, she said.
