Tuesday, September 11, 2007

Screwing up by the numbers... No doubt this will hurt in those Class Action suits...

http://techdirt.com/articles/20070910/012931.shtml

Did TJX Know About Massive Security Breach Long Before It Revealed It?

from the dates-not-adding-up dept

We've already seen that, as with just about every other data leak, the massive data leak from clothing retailer TJX was a lot worse than originally reported. However, some are now asking whether the company also hasn't come entirely clean about when the breach occurred and when the company knew about it. The official statements from TJX suggest that the company became aware that its own horrible security was breached on December 18th, 2006, and informed the FBI by December 22nd. However, as the article above notes, there's evidence suggesting that TJX was familiar with the breach well before that. Remember that a bunch of folks had been arrested in Florida for using the TJX data in scams. The police in that case have filed some reports, noting that TJX had alerted them to a breach back in March of 2006 -- and, in fact, the Florida investigators filed reports on their investigation in November 2006... well before TJX even claims that it knew of the breach. It certainly raises some questions about when TJX really became aware of the breach, and when the company finally alerted people that their data may have been compromised.


Another slam at TJX...

http://www.infoworld.com/article/07/09/11/dos-and-donts-for-dealing-with-data-breaches_1.html?source=rss&url=http://www.infoworld.com/article/07/09/11/dos-and-donts-for-dealing-with-data-breaches_1.html

Expert do's and don'ts for dealing with data breaches

A data breach victim shares his advice for addressing leakage incidents, while another expert highlights the missteps taken by TJX in dealing with its information theft

By Matt Hines September 11, 2007

Organizations that experience data breaches must move quickly to assuage the fears of their constituents and go beyond expectations to address the situations effectively, according to those most familiar with the incidents.

Speaking at the ongoing Security Standard Conference in Chicago, a pair of experts offered advice for handling situations where sensitive user or customer data is lost or stolen, and examined the missteps taken by retailer TJX Companies in handling its now-notorious credit card information theft.

... Less than two weeks after BC discovered the breach, the school had assembled a comprehensive incident response plan [I teach my students to have this plan in place BEFORE things go bad... Bob] and had mailed out 100,000 warning letters to anyone whose data may have been stored in the system.

... At the same time, it was crucial to establish separation of duties early in the game, Escalante said.

"It's good to keep your upper management separate from your response team because they can get in the way. You want management involved, but you don't want them focusing on every little issue," said Escalante.

... In addition to seeking legal help from its attorneys, the school was able to communicate effectively with law enforcement officials investigating the incident since BC had already familiarized itself with those people before the breach.

... Handling sensitive data in such a careless way was the first mistake TJX made, and it had plenty of warning that such attacks could be carried out on point-of-sale systems, the expert contends.

Among the additional mistakes made by TJX was not reporting the incident for months, or even years, after it first discovered the hack, he said, as well as failing to address the situation in public and apologize sufficiently to its customers.

TJX has also refused to share information about the attack publicly to help other companies avoid such incidents, Stiennon said.

"There's been a significant lack of core with TJX's response. They didn't overreact as they probably should have, unlike BC," Stiennon said. "As a result they've become the poster child for data breaches and how not to communicate risk to the rest of the security industry."



I told you we weren't done with this one.

http://www.pogowasright.org/article.php?story=20070910163034605

(follow-up) OH: Almost 67,000 more names on stolen tape

Monday, September 10 2007 @ 04:30 PM CDT Contributed by: PrivacyNews News Section: Breaches

The names and Social Security numbers of more than 66,600 more individuals, including former state workers, were on a computer backup tape stolen from a state intern's car in June, officials said today.

The revelation brings to more than 1.3 million the number of individuals, businesses and other entities whose sensitive information is on the tape. The new names evidently were missed in an extensive state review of a duplicate of the missing device. [Oh, that inspires confidence... Bob]

Source - Columbus Dispatch



At first glance, they seem to be handling this fairly well...

http://www.pogowasright.org/article.php?story=20070910172425646

Gander Mountain Announces Possible Theft of Pennsylvania Store Computer; Customers of the PA Store Could Be Affected

Monday, September 10 2007 @ 05:24 PM CDT Contributed by: PrivacyNews News Section: Breaches

Gander Mountain Company today announced that computer equipment, containing certain customer transaction information relating to a single store in Pennsylvania, is missing and may have been stolen. The transaction data relates only to customers who conducted business with the Gander Mountain store located in Greensburg, PA, during the period from July 2002 through June 2007.

The stored transaction information may have included:
-- Approximately 112,000 credit card numbers with expiration date but without any other associated information.
-- Approximately 10,000 transaction records may have included the credit card number, expiration date and customer name.
-- For the approximately 5,100 credit card customers who returned merchandise or did a lay-away purchase at the store during this period, the information also may have included an address.
-- For the approximately 650 customers who purchased by check and returned merchandise without a receipt or put merchandise on lay-away by check payment, the information may have contained a name, address, driver's license number and date of birth.

Source - CNN


...and they aren't

http://www.pogowasright.org/article.php?story=20070910183646754

Hewlett-Packard exec loses laptop, puts former Mercury Interactive employees at risk of ID theft

Monday, September 10 2007 @ 06:44 PM CDT Contributed by: PrivacyNews News Section: Breaches

While on a business trip to Atlanta, a Hewlett-Packard executive lost a laptop containing the names, addresses, dates of birth, Social Security numbers, compensation information and citizenship information of 1,425 former Mercury Interactive employees.

The loss occurred at the end of July, and HP notified those affected by letter on August 17th.

The laptop's security consisted of user/pass login. (Note from Dissent: do you folks realize how difficult it is to type that with a straight face?)

Source - Notification to New Hampshire and Letter to Former Employees (pdf)



No encryption? Fire that manager immediately!

http://www.pogowasright.org/article.php?story=20070910232822658

TennCare provider offers loses patient information on thousands

Tuesday, September 11 2007 @ 12:38 AM CDT Contributed by: PrivacyNews News Section: Breaches

A TennCare provider is offering free identity protection after a courier service lost the personal information of nearly 70,000 enrollees.

According to TennCare officials Americhoice Inc. hired a courier to transport a CD from Nashville to Knoxville.

The CD contained identifying information of 67,000 TennCare enrollees.

Source - WATE


Ditto

http://www.pogowasright.org/article.php?story=20070910234619571

PA: Computers stolen from welfare office

Tuesday, September 11 2007 @ 12:39 AM CDT Contributed by: PrivacyNews News Section: Breaches

Two computers containing the mental health histories of more than 300,000 medical-assistance recipients were stolen from a state Public Welfare Department office last month, a spokesman for Gov. Ed Rendell confirmed Monday.

The computer work stations were taken Aug. 22 during an overnight break-in at an office in the former Harrisburg State Hospital, said Rendell spokesman Chuck Ardo.

The mental health information on the computers identified people by codes and not by name... but full names and Social Security numbers of nearly 2,000 people were also on the computers.

Source - PennLive



A good source of bad examples...

http://www.pogowasright.org/article.php?story=20070910080243795

Hard times on the HIPAA front

Monday, September 10 2007 @ 08:02 AM CDT Contributed by: PrivacyNews News Section: Medical Privacy

It's been a week of bad news for lazy or sloppy health care organizations. An employee fired after a security breach of protected health information filed a wrongful termination suit against his former employer, and it may have merit because of poor policies. A community health care provider hacked by a disgruntled employee may be dragged into a compliance quagmire because it's not clear that the organization took basic steps to revoke his access. And to top it off, the U.S. Department of Health and Human Services (HHS) is starting to swing the enforcement rule -- a dowdy part of the Health Insurance Portability and Accountability Act (HIPAA) that few people read -- like a scythe in a field of weedy policies and overgrown practices.

Source - Computerworld



Nutty as a fruitcake?

http://www.wired.com/politics/law/news/2007/09/mcbride

Inside the Mind of the Man Who Tried to Milk Linux

By David Kravets Email 09.10.07 | 2:00 AM

Darl McBride has the unenviable reputation as the man who tried to milk Linux.

As CEO and president of SCO Group, McBride has spent the last few years trying to collect billions in licensing fees from companies using the Linux operating system, earning the wrath of the world's open-source geeks. For scores of programmers, here was a lawyered-up copyright troll trying to shake down Linux -- the free, open-source operating system built by idealistic hackers working for the common good.

But McBride insists he's just misunderstood.



Not only are they early adopters, they tend to actually solve tech problems! Look for great things!

http://torrentfreak.com/porn-industry-to-take-on-bittorrent-sites-070910/

Porn Industry to Take on BitTorrent Sites

Written by Ernesto on September 10, 2007

Porn industry representatives gathered at an anti-piracy conference last week to discuss solutions to the ever growing amount of pirated porn that’s traded on BitTorrent sites and other P2P-networks.



RIAA has bad lawyers? I'm shocked!

http://techdirt.com/articles/20070910/015200.shtml

Judge Tosses Out RIAA Suit For Being Based On Nothing More Than Speculation

from the here-in-the-court-system,-we-rely-on-these-things-called-facts dept

Recently, we've seen the courts getting less and less willing to accept the RIAA's flimsy evidence as being enough to convict someone of breaking the law with file sharing applications. The latest such case is along those lines, as a judge dismissed a case noting that it was just a "boilerplate listing," lacking enough substance to make a case. Specifically, the judge found that: "Plaintiffs have presented no facts that would indicate that this allegation is anything more than speculation. The complaint is simply a boilerplate listing of the elements of copyright infringement without any facts pertaining specifically to the instant Defendant." It's about time that courts realized that the RIAA shouldn't be able to run around accusing all sorts of people without any real evidence.



I'll have to think about this one... Should I trust someone else with my Identity?

http://www.killerstartups.com/Web-App-Tools/spyshakers--Keep-Your-Info-Safe/

SpyShakers.com - Keep Your Info Safe

Security is on everyone’s mind; if you want to keep your info safe, take a look at SpyShakers. SpyShakers is an Identity Management System (IMS), which lets you access your favorites and passwords securely from any computer. All your personal info—bookmarks, passwords, log-ins, favorites, etc.—can be stored safely in your SpyShakers account. For extra protection users can set up a Shaker List, which contains the names of websites that must be selected in order to gain full access; it also protects against keyloggers and phishing. Passwords and log-in IDs can be dragged and dropped directly into sites, for increased use and safety. SpyShakers is free for everyone.

http://www.spyshakers.com/joomla/



Lady Bird lives!

http://www.researchbuzz.org/wp/2007/09/10/database-of-native-plants-from-ut-austin/

Database of Native Plants from UT-Austin

10th September 2007

The Lady Bird Johnson Wildflower Center, at the University of Texas at Austin, has a database of native plants with some really nice searching options. It’s available at http://www.wildflower.org/plants/.



Free is good! (Think this kind of promotion will catch on?)

http://www.wral.com/business/blogpost/1799397/

Walgreens Doing Free Ink Cartridge Refills Wednesday

Posted: Sep. 10 7:43 p.m.

Drug store chain Walgreens has announced that on Wednesday (Sept 12), over 3,000 of its locations will be offering free inkjet printer cartridge refills for free. Customers can bring one empty b&w or color cartridge to the Walgreens photo counter and get it filled for free.

Note there are MANY Walgreens offering this service, but not ALL Walgreens. You can search for Walgreens near you that offer ink cart refills at http://www.walgreens.com/storelocator/find.jsp. Be sure to tick the box that reads "Printer cartridge refills".
