Friday, April 13, 2007

Remember, this is the same TJX who assured us the breach was smaller than initially reported and certainly “not millions”.

http://www.boston.com/business/personalfinance/articles/2007/04/12/analysts_tjx_case_may_cost_over_1b/?page=1

Analysts: TJX case may cost over $1b

Insurance, tax credits could trim expenses for Framingham firm

By Ross Kerber, Globe Staff April 12, 2007

If the loss of millions of customer credit- and debit-card records from TJX Cos. plays out like previous data-breach cases, the final cost of the theft could add up to more than $1 billion, some technology analysts say.

The exact cost to TJX itself is unclear and may be lower. Insurance and tax credits [the government encourages security breaches? Bob] may offset the Framingham retailer's expenses, which could be spread over several years. Banks that issue the credit cards may also have to pick up part of the costs.

Regardless, the liability would be among the highest associated with lost or stolen data, say analysts.

... Because TJX's breach was so extensive, they say, regulators and business partners will be looking for hefty penalties. "When you hit a million or more records, then you get much more scrutiny," said Jon Oltsik, senior analyst for Milford consulting company Enterprise Strategy Group, who is among those who estimate that the TJX breach could cost more than $1 billion.

TJX, which operates stores such as TJ Maxx, Marshalls, and HomeGoods, has said it spent $5 million through the end of January on costs such as technical and legal fees and customer communications related to the breach. The company believes that hackers tapped into its computer system and compromised more than 45 million customer records going back as far as 2003, the largest data breach to date.

In a recent securities filing, TJX said it may incur unspecified losses due to claims by banks, customers, and shareholders, and from costs like technical and legal expenses, all of which "could be material to our results of operation and financial condition."

TJX spokeswoman Sherry Lang called the $1 billion cost estimates "pure speculation by people who are outside the company." She said it is hard to compare the cost of TJX's breach with previous cases since every example has "many variables and no two situations are the same, and no two companies are the same."

So far, investors and Wall Street analysts haven't reacted strongly. TJX's shares closed at $27.82 yesterday, compared to $29.85 on Jan. 16, the day before TJX disclosed the matter. One reason is that most investors don't expect the final costs to be so significant.

"The worst case here is that there's some financial penalty to them, and I don't see how it could be major in relation to their business," said Richard Pzena of Pzena Investment Management LLC in New York, one of TJX's largest shareholders.

... Forrester study author Khalid Kark said in an interview that $1.35 billion is a realistic minimum estimate of TJX's costs over several years, though he acknowledged it could be lower because of insurance and other factors. But Kark added that regulators and business partners like banks are primed to seek big payouts from TJX amid increasing concerns about protecting customer data and will be "looking for a scapegoat, basically."

TJX already faces more than a dozen lawsuits seeking damages over the breach. One brought by AmeriFirst Bank of Alabama seeks to represent other institutions that will have to reissue credit cards at a cost of $20 each, money it seeks to recover from TJX.

... "They could handle it out of their cash flow over the next few years, if necessary, so it doesn't threaten their financial viability," Pzena said. For the 12 months ending Jan. 27, 2007, TJX reported a profit of $738 million on sales of $17.4 billion.

Pzena also noted TJX recently increased its dividend and authorized repurchasing more shares. "They don't seem to be worried that there is a significant cash drain coming in the near future," he said.


http://techdirt.com/articles/20070412/181810.shtml

Will TJ Maxx Lose 77% Of Its Customers Over Data Breach?

from the somehow,-we-doubt-it dept

It's easy to get people to say what you want them to say concerning how they would act in a specific situation, but try watching how they actually act and you'll realize that actions definitely do speak a lot louder than words. Some researchers are reporting that approximately 77% of people say they would stop shopping at stores that suffer data breaches. Interesting timing, given the huge data breach by TJX, owners of store chains like TJ Maxx and Marshalls. While it is likely that the publicity around this story (including the fact that some of the data has already been used in various scams) will have some people thinking twice about shopping at TJX stores -- somehow we doubt they're going to lose anywhere near 77% of their business. It's easy to say you won't shop there, but when it comes time to buy the kids cheap clothes for the new school year, people will go right back to their old habits. Perhaps that's why companies don't seem to take these data breaches very seriously. Despite lots of anger, it doesn't seem like people actually follow through. Another study that came out today tries to quantify just how costly data breaches are, and finds that it tends to cost companies from $90 to $305 per lost record, suggesting TJX's breach will cost it $1.35 billion -- however, many people say that's probably a lot higher than what it will turn out to be in reality. TJX will get a slap on the wrist, people will keep shopping there and the company will probably be just as likely to lose your data in the future as it was in the past.


A good start, but you could adjust this as needed to reflect your environment.

http://www.bespacific.com/mt/archives/014534.html

April 11, 2007

Corporate Data Loss Cost Calculator

Tech//404® Data Loss Cost Calculator: "Data loss resulting from network security breaches and identity theft has become a regular occurrence. While the number of affected records can vary widely in any given data loss scenario, a recent study by the Ponemon Institute found that the average number was roughly 99,000. For recent examples and media reports, visit the data loss archive. Darwin created the Tech//404® data loss cost calculator as a tool to demonstrate the scope of negative financial impact an organization may face as a result of a data breach or identity theft data loss scenario. The calculator will automatically generate an average cost, and a plus/minus 20% range, for expenses associated with internal investigation, notification/crisis management and regulatory/compliance if the incident were to give rise to a class action claim."


Numbers to plug into the calculator above...

http://www.idtheftcenter.org/breaches.shtml

Identity Theft Resource Center

SECURITY BREACHES & FREEZES

Click here for ITRC's 2007 breach list. To date, it appears that there are more breaches than before but a trend to password protect or encrypt information is finally being seen. Please check regularly as this list will be updated at least twice a month.



Pretty good indication that the problem is systemic...

http://www.pittsburghlive.com/x/pittsburghtrib/news/cityregion/s_502354.html

UPMC apologizes for posting private patient information

By The Associated Press Thursday, April 12, 2007

The University of Pittsburgh Medical Center was trying to figure out how private information for about 80 patients, including names and Social Security numbers and even radiology images of their bodies, wound up on the Internet.

The information was first put on the Web inadvertently in 2005 then taken down. The information from a medical symposium held in 2002 was posted on an area of the Web site where the health system's faculty members are encouraged to share their work and other data, UPMC said in a statement Thursday.

Once the health network discovered patient names and other information were included, it was removed, but somehow it was posted again and remained on the Web site until UPMC was notified again on Tuesday, said Robert Cindrich, a former federal judge who now serves as UPMC's chief attorney.



If nobody cared (see last paragraph) why was the information online in the first place?

http://www.keloland.com/News/NewsDetail6374.cfm?Id=0,56215

BHSU Website Lists Personal Information

04/12/2007 7:32 AM

Several students at Black Hills State University in Spearfish were notified Wednesday that their Social Security numbers were mistakenly posted on the college's Web site.

A document announcing scholarship winners included the names and Social Security numbers for 56 students. It was placed online March 29th.

The document was immediately removed Tuesday after officials learned about the goof-up.

The affected students were also provided with information about identity theft and ways they could protect themselves if it should happen. There have been no reports so far of any problems, however.

Statistics indicate that the Black Hills State University scholarship document was accessed 12 times. [“Statistics” here probably means the network log... Bob]
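Bob's aside above points at the check a practitioner actually performs after an exposure like this: pull the web server's access log for the window the file was live and establish how many times it was served, to how many distinct clients, and how many of those were search-engine crawlers (which matters, because a crawled copy may live on in a cache). The script below is an added example, not code from the article or from the university; the log lines are constructed in Apache combined format, and the file path, the posting time and the removal time are assumptions stated in the comments.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/NCSA "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
CRAWLER_HINTS = ("bot", "crawler", "spider", "slurp")

# Assumptions, not facts from the article: the document's URL path and the
# window in which it was live (posted March 29, removed Tuesday April 10, 2007).
LOCAL = timezone(timedelta(hours=-6))
EXPOSED_PATH = "/scholarships/winners2007.pdf"
POSTED = datetime(2007, 3, 29, 0, 0, tzinfo=LOCAL)
REMOVED = datetime(2007, 4, 10, 23, 59, 59, tzinfo=LOCAL)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    rec["crawler"] = any(k in rec["ua"].lower() for k in CRAWLER_HINTS)
    return rec


def exposure_report(lines, exposed_path, posted, removed):
    """Count requests that actually delivered exposed_path while it was live."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Only full-body GETs that served the file count as exposure;
        # a 304, 404 or HEAD means the client did not receive the content.
        if rec["method"] != "GET" or rec["status"] not in (200, 206):
            continue
        if rec["path"] != exposed_path or not (posted <= rec["ts"] <= removed):
            continue
        hits.append(rec)
    human = [h for h in hits if not h["crawler"]]
    return {
        "total_hits": len(hits),
        "crawler_hits": len(hits) - len(human),
        "distinct_ips": len({h["ip"] for h in hits}),
        "distinct_human_ips": len({h["ip"] for h in human}),
        "first_seen": min((h["ts"] for h in hits), default=None),
        "last_seen": max((h["ts"] for h in hits), default=None),
        "top_human_ips": Counter(h["ip"] for h in human).most_common(3),
    }


# Constructed sample log (documentation IP ranges); not real server data.
SAMPLE_LOG = """\
192.0.2.10 - - [29/Mar/2007:14:05:33 -0600] "GET /scholarships/winners2007.pdf HTTP/1.1" 200 48211 "http://www.example.edu/scholarships/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [29/Mar/2007:14:06:01 -0600] "GET /scholarships/winners2007.pdf HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [30/Mar/2007:03:12:44 -0600] "GET /scholarships/winners2007.pdf HTTP/1.1" 200 48211 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.10 - - [31/Mar/2007:08:40:12 -0600] "GET /scholarships/winners2007.pdf HTTP/1.1" 200 48211 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.55 - - [02/Apr/2007:09:41:10 -0600] "GET /scholarships/winners2007.pdf?print=1 HTTP/1.1" 200 48211 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
203.0.113.55 - - [02/Apr/2007:09:41:12 -0600] "GET /scholarships/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
198.51.100.20 - - [05/Apr/2007:11:00:00 -0600] "HEAD /scholarships/winners2007.pdf HTTP/1.1" 200 - "-" "curl/7.15.5"
192.0.2.77 - - [09/Apr/2007:22:15:09 -0600] "GET /scholarships/winners2007.pdf HTTP/1.1" 200 48211 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.0.2.88 - - [11/Apr/2007:16:02:37 -0600] "GET /scholarships/winners2007.pdf HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
"""

if __name__ == "__main__":
    report = exposure_report(SAMPLE_LOG.splitlines(), EXPOSED_PATH, POSTED, REMOVED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Against the constructed sample this reports 5 deliveries of the file to 4 distinct addresses, one of them a crawler; the 304, the 404, the HEAD and the request for the directory listing are all excluded. The point of separating crawler hits is that a "12 accesses" figure says nothing about whether the file is now sitting in a search engine's cache, which is the next thing to check after the file comes down.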



Is the fact that they were dumped in someone else's dumpster an indication that someone other than the Elections Office had the cards?

http://www.theweekly.com/news/2007/April/11/voter_cards.html

Secretary of State Recovers Thousands of 'Active' Fulton County Voter Registration Cards

Voters' personal information exposed; investigation initiated immediately

Atlanta, GA (April 11, 2007) - Secretary of State Karen Handel today initiated an investigation regarding the disposal of approximately 75,000 voter registration application cards. The investigation will be led by the Georgia Bureau of Investigation (GBI), in conjunction with the Fulton County Solicitor General's Office and the Secretary of State's Inspector General.

The seized voter registration cards contain the voter's full name, address and complete Social Security Number. A preliminary review of a random sampling of the cards by investigators in the Secretary of State's office revealed that many of the discarded cards and forms are for active voters.

... "Additionally, because this breach also creates serious concerns about the overall operations of the Fulton County Elections Office, we will conduct an independent audit of the office to examine its policies and procedures, particularly the maintenance and security of records and information," Secretary Handel said.
The Secretary of State's Inspector General's office, acting on a call from a concerned citizen, recovered more than 30 boxes of voter registration application cards, voter precinct cards, and other forms and documents from a construction dumpster located in South Atlanta late Monday evening.

In a letter dated April 11, 2007, Secretary Handel asked Fulton County Chairman John Eaves and Fulton County to immediately begin contacting all Fulton County voters [Overreaction? Bob] of the potential exposure of their personal information.



This may be a follow-up

http://www.charlotteobserver.com/123/story/83747.html

Stolen laptop has BofA employee data

BofA notifies affected workers by letter, says no misuse detected

RICK ROTHACKER rrothacker@charlotteobserver.com Posted on Fri, Apr. 13, 2007

A stolen Bank of America Corp. laptop has resulted in lost personal information of current, former and retired employees, according to a letter sent this week to those affected.

The letter said a "limited" number of people were affected, but the Charlotte bank on Thursday would not provide a number. Employees at various levels of the company were affected, spokesman Scott Silvestri said.

... According to the letter, the laptop was stolen when an employee was a "victim of a recent break-in." Silvestri said he could not provide further information because the crime is under investigation.

... Bank of America's best known breach came in 2005 when it lost data tapes holding customer information for 1.2 million federal employees.

... In the letter, Bank of America said it was taking steps to "strengthen practices for the handling and storage of associate data to avoid future occurrences." Silvestri said the stolen laptop had "information protection features."



Interesting follow-up

http://www.sun-sentinel.com/news/local/southflorida/sfl-cchildnet12apr12,0,5437573.story?coll=sfla-home-headlines

Stolen ChildNet Laptop puts 12,000 at risk of ID theft

By Brian Haas and Bill Hirschman South Florida Sun-Sentinel April 12, 2007

FORT LAUDERDALE -- A laptop computer containing personal information on 12,000 ChildNet applicants has been stolen from the agency, the latest in a string of recent thefts at the nonprofit that runs Broward County's child welfare programs.

... Peter Balitsaris, president and CEO of ChildNet, acknowledged at a Wednesday afternoon press conference that the laptop contains financial and credit data, Social Security numbers, driver's license data and passport numbers for ChildNet program applicants. He said the computer doesn't have information about foster children and cannot be accessed without a password. He also said that there are no known full backups of the computer's hard drive, though his staff can work from paper copies of the information.

... Balitsaris said none of the 12,000 Broward residents affected had been notified of the theft as of Wednesday because ChildNet hadn't had time to mail letters out.

... Balitsaris said ChildNet has already corrected several problems. He said the agency's computer system will be backed up regularly and the laptop's contents will be deleted daily, the agency will hire a security consultant and at least 25 of the agency's first hires will have their criminal backgrounds re-examined.

... Police have named a 35-year-old Fort Lauderdale man who was employed as an assistant facility manager by ChildNet until Wednesday as a suspect in the laptop theft. They also said the man and his former ChildNet boss, a 47-year-old Coral Springs man who also had a criminal record, were suspects in the recent thefts of gift cards from the agency.

The agency fired both men Wednesday.



Debate all you want, this will happen.

http://www.pogowasright.org/article.php?story=20070412073847788

Biometrics in K-12: The Legal Conundrum

Thursday, April 12 2007 @ 07:38 AM CDT - Contributed by: PrivacyNews - Minors & Students

Biometrics are among the latest implementations for school security. There are many issues to consider, which have been voiced by parents, students, and civil liberties groups. It's an international issue. Just look at LeaveThemKidsAlone.com, and you will see the extent of the uproar raised in the United Kingdom regarding fingerprinting of children in schools. For the most part, questions are the same ones being posed in our own country. Blogs are in use to discuss the issue in the United States and abroad, such as Pippa King's Biometrics in Schools.

Source - The Journal via Biometrics in schools: Valid concerns from the USA



Who determines what speech can be free?

http://techdirt.com/articles/20070411/171341.shtml

MySpace Accused Of Trampling Man's Right To 'Use Site In Peace'

from the ooooooooooooookay... dept

MySpace is at the center of another free-speech case, only this time it's the one that's alleged to be doing the infringing. A Missouri man has sued MySpace (unsurprisingly, pro se) for infringing his freedom of speech by "arbitrarily deleting TWO profiles" established by the man and a host of other complaints, including violating his "freedom to use the social networking site in peace". We're still looking through our copy of the Constitution to find the part about the right to use social-networking services, but maybe we've got an old version. Never mind that we thought the part about freedom of speech really only applied to the government; we weren't aware that it also meant private companies had to provide anyone and everyone with a platform to speak, and ensure it conforms to that person's every wish. The guy's stolen a few pages out of MySpace founder Brad Greenspan's playbook, and his blog-comment threats to bankrupt MySpace, bulldoze its headquarters and turn the area into a housing estate -- and then to sway Fox News' coverage even further to the right -- would seem to suggest that this case will meet the same kind of response as Greenspan's.



What's that crime worth?

http://www.pogowasright.org/article.php?story=20070412064633116

UK: Jail for unlawful computer access

Thursday, April 12 2007 @ 06:46 AM CDT - Contributed by: PrivacyNews - Non-U.S. News

Police officers had to realise that accessing the police national computer for an improper purpose was an offence that required an immediate prison sentence.

The Court of Appeal, Criminal Division, so stated in allowing an application by the Attorney-General under section 36 of the Criminal Justice Act 1988 to refer as unduly lenient a prison sentence of 28 weeks, suspended for two years, and 300 hours of unpaid work imposed on James Andrew Hardy by Judge Pugsley at Derby Crown Court on December 8, 2006 following his plea of guilty to misfeasance in a public office. A prison sentence of nine months was substituted. [NOTE: Three months per person? Bob]

... The offender had used the police national computer system to download information on three people. He gave that information to Jolley, a known criminal whose record included offences of violence, in order to enable Jolley to take the law into his own hands by dealing with those who had, so he believed, committed offences against himself or a close friend.

Source - Times Online



A computer is a computer, and a hacker is a hacker. (Bob's words of wisdom for today.)

http://it.slashdot.org/article.pl?sid=07/04/13/068222&from=rss

Sri Lankan Terrorists Hack Satellite

Posted by CowboyNeal on Friday April 13, @05:52AM from the can't-make-this-stuff-up dept.

SorryTomato writes "The Tamil Tigers Liberation Front, a separatist group in Sri Lanka which has been classified as a terrorist group in 32 countries, has moved up from routine sea piracy to a space-based one. They have been accused of illegally using Intelsat satellites to beam radio and television broadcasts internationally. Intelsat says that they will end the transmissions 'within days.' Intelsat has been accused of having business links with Hezbollah before, but claim that they are blameless this time and LTTE was using an empty transponder."



Is this how HP should have done it?

http://www.infoworld.com/article/07/04/12/HNmspressureonleak_1.html?source=rss&url=http://www.infoworld.com/article/07/04/12/HNmspressureonleak_1.html

Microsoft pressures testers after software leak

The company is cutting off a group of testers until it finds the identity of the one who leaked a preview of Windows Home Server

By Elizabeth Montalbano, IDG News Service April 12, 2007

Microsoft is taking tough measures to find out who leaked a CTP (Community Technology Preview) of Windows Home Server to The Hotfix.net blog after the software preview was posted on the site by a user named "Richard" soon after it was released to a small group of testers.

In an e-mail to testers obtained by the IDG News Service, Kevin Beares, the Windows Home Server community lead at Microsoft, wrote to MVPs (Most Valuable Professionals) whose names contain "Richard" [because no one could use an alias... Bob] that they will not have access to the beta until he finds out who leaked the software to The Hotfix.net site.



Google's plan to take over the world is starting to reveal itself. Note what you can offer when you have lots of cash laying around...

http://googleblog.blogspot.com/2007/04/google-checkout-open-in-uk.html

Google Checkout arrives in the UK!

Friday, April 13, 2007 at 12:36:00 AM Posted by Jerry Dischler, Senior Product Manager

We're excited to tell you that as of this morning the speed, security, and convenience of Google Checkout is available to online shops and shoppers in the United Kingdom. Here's Google Checkout UK.

From now until 2008, merchants that offer Checkout in the UK will receive free credit and debit card processing for all of their Checkout sales. And just so buyers don't feel left out, we're giving them £10 off all orders over £30.



Take a hike!

http://googleblog.blogspot.com/2007/04/hikes-on-fly.html

Hikes on the fly

Thursday, April 12, 2007 at 3:19:00 PM Posted by Larry Fox, Business Development, Trimble Outdoors

Many of you reading this may already know that Trimble Outdoors has partnered with Google to provide Google Earth viewers with GPS-based interactive hiking information. We’re very excited about being able to share all the great GPS content we’ve developed over the years and through partnerships with magazines including Backpacker, Bicycling and Mountain Bike. It’s an outstanding resource for outdoors enthusiasts, or really, anyone who wants to do a little research before setting out on a hike.

... you can click one button, and the exact trail route is exported to your GPS-enabled phone.
