Friday, January 18, 2008

Is this the “major retailer” stories have been hinting at? Looks too small to me...

http://www.pogowasright.org/article.php?story=20080118065423687

Data Lost on 650,000 Credit Card Holders

Friday, January 18 2008 @ 06:54 AM EST Contributed by: PrivacyNews News Section: Breaches

Personal information on about 650,000 customers of J.C. Penney and up to 100 other retailers could be compromised after a computer tape went missing. GE Money, which handles credit card operations for Penney and many other retailers, said Thursday night that the missing information includes Social Security numbers for about 150,000 people.

Source - Newsday

PogoWasRight.org editor's note: we had reported this incident on January 7, based on GE Money's report to the NH Dept. of Justice. At the time, we noted that nationwide totals had not been provided in the disclosure notice. New York State's new reporting form does require entities to provide total numbers. Hopefully, NYS will consider publishing the reports on a public web site.



Similar to earlier identity theft – bad guys put their own card reader on top of the ATM's, and record all the data from your card.

http://www.pogowasright.org/article.php?story=20080117071133678

CA: Costco customers, staff hit by ID theft

Thursday, January 17 2008 @ 07:11 AM EST Contributed by: PrivacyNews News Section: Breaches

At least 20 Costco employees and customers have told police their banking account information and personal identification numbers have been stolen by thieves who emptied their bank accounts, city spokesman Matt Robinson said.

Source - Recordnet.com

[From the article:]

Investigators suspect the thieves may have used a skimming device, which would have copied debit card information from an ATM, possibly inside the Grant Line Road store, when a card was swiped, Robinson said.



Does this remind you of TJX?

http://www.pogowasright.org/article.php?story=20080117141346539

(follow-up) Online Apparel Retailer Settles FTC Charges That It Failed to Safeguard Consumers’ Sensitive Information

Thursday, January 17 2008 @ 02:13 PM EST Contributed by: PrivacyNews News Section: Breaches

An apparel company that collected sensitive consumer information and pledged to keep it secure has agreed to settle Federal Trade Commission charges that its security claims were deceptive and violated federal law. The order against Life is good, Inc. and Life is good Retail, Inc. bars deceptive claims about privacy and security policies and requires that the companies implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 20 years.

... According to the FTC’s complaint, through its Web site, Life is good has collected sensitive consumer information, including names, addresses, credit card numbers, credit card expiration dates, and credit card security codes. Its privacy policy claimed, “We are committed to maintaining our customers' privacy. We collect and store information you share with us - name, address, credit card and phone numbers along with information about products and services you request. All information is kept in a secure file and is used to tailor our communications with you.” Contrary to these claims, the FTC alleges that Life is good failed to provide reasonable and appropriate security for the sensitive consumer information stored on its computer network. Specifically, the FTC charged that the company:

* unnecessarily risked credit card information by storing it indefinitely in clear, readable text on its network, and by storing credit card security codes;
* failed to assess adequately the vulnerability of its Web site and corporate computer network to commonly known and reasonably foreseeable attacks, such as SQL injection attacks;
* failed to implement simple, free or low-cost, and readily available security defenses to SQL and similar attacks;
* failed to use readily available security measures to monitor and control connections from the network to the Internet; and
* failed to employ reasonable measures to detect unauthorized access to credit card information.

The FTC alleges that, as a result of these failures, a hacker was able to use SQL injection attacks on Life is good’s Web site to access the credit card numbers, expiration dates, and security codes of thousands of consumers.

Source - FTC Press Release
Related - FTC files
Related - AP: Apparel firm settles security charges



“When we authorized them to sell the information we never thought they would actually sell the information!”

http://www.pogowasright.org/article.php?story=20080117114910374

UK: DVLA's 5m driver details giveaway

Thursday, January 17 2008 @ 11:49 AM EST Contributed by: PrivacyNews News Section: Non-U.S. News

The DVLA's sale of driver details to anyone with £2.50 to spare must stop, says the Scottish National Party, having uncovered just how many people's records have been sold by the department.

Christine Grahame, an SNP Member of the Scottish Parliament, accused the agency of recklessly handing out driver and vehicle requests to private companies.

Grahame used a Freedom of Information request to discover the DVLA has sold 5.3m driver records since 2002/2003 when it was first allowed to sell the data.

Source - The Register



Long look at the future?

http://www.pogowasright.org/article.php?story=20080117074646324

Institutionalized Spying on Americans

Thursday, January 17 2008 @ 07:46 AM EST Contributed by: PrivacyNews News Section: Surveillance

This article reviews two police state tools (among many in use) in America. One is new, undiscussed and largely unknown to the public. The other was covered in a December article by this writer called Police State America. Here it is updated with new information.

The National Applications Office (NAO)

The Department of Homeland Security (DHS) established a new domestic spying operation in 2007 called the National Applications Office (NAO) and described it as "the executive agent to facilitate the use of intelligence community technological assets for civil, homeland security and law enforcement purposes within the United States." The office was to begin operating last fall to "build on the long-standing work of the Civil Applications Committee (CAC), which was created in 1974 to facilitate the use of the capabilities of the intelligence community for civil, non-defense uses in the United States."

With or without congressional authorization or oversight, the executive branch is in charge and will let NAO use state-of-the-art technology, including military satellite imagery, to spy on Americans without their knowledge. Implementation is delayed, however, after Committee on Homeland Security Chairman, Bennie Thompson, and other committee members raised questions of "very serious privacy and civil liberties concerns." In response, DHS agreed to delay operating (officially) until all matters are addressed and resolved.

Source - GlobalResearcher.ca



If nothing else, something to point to and say “You messed up!”

http://www.pogowasright.org/article.php?story=20080117105852159

EPIC Proposes Privacy Conditions for Video Surveillance

Thursday, January 17 2008 @ 10:58 AM EST Contributed by: PrivacyNews News Section: Surveillance

In comments (pdf) filed today with the Department of Homeland Security, EPIC detailed its "Framework for Protecting Privacy & Civil Liberties If CCTV Systems Are Contemplated." EPIC explained that it "does not support the creation nor the expansion of video surveillance systems, because their limited benefits do not outweigh their enormous monetary and social costs." EPIC's guidelines explain that (1) alternatives to CCTV are preferred; (2) there must be a demonstrated need for the system; (3) the public and privacy and security experts must be consulted before the system is created; (4) Fair Information Practices must govern any use of video surveillance; (5) there must be a privacy and civil liberties assessment; and (6) there needs to be room to create enhanced safeguards for any enhanced surveillance. EPIC's framework is based on Fair Information Practices, the Privacy Act of 1974, the 1980 OECD Privacy Guidelines, and the Video Voyeurism Act. See EPIC's page on Video Surveillance.

Source - EPIC.org



What are the implications of the Class Action? If someone gets notice from the RIAA and immediately joins the Class, does that stop progress of the lawsuit?

http://arstechnica.com/news.ars/post/20080117-exonerated-riaa-defendant-scores-double-victory-in-court.html

Exonerated RIAA defendant scores double victory in court

By Eric Bangeman Published: January 17, 2008 - 10:36AM CT

A US District Court judge in Oregon has reaffirmed a magistrate's award of attorneys' fees and the dismissal of exonerated RIAA defendant Tanya Andersen's counterclaims against the RIAA without prejudice so that her class-action lawsuit against the record labels can move ahead.

Andersen, a disabled single mother who resides in Oregon, was sued by the RIAA in February 2005 for distributing gangster rap over KaZaA using the handle "gotenkito." She denied all of the RIAA's allegations and filed the now-dismissed counterclaims in October of that year. After over two years of contentious filings and allegations of misconduct by the RIAA's investigators, Atlantic v. Andersen was dismissed with prejudice after the record labels decided to drop the case.

Andersen was awarded attorneys' fees by the magistrate overseeing the case in September of last year, a decision that was quickly appealed by the RIAA. In a ruling noticed this morning by copyright attorney Ray Beckerman, Judge James A. Redden agreed with the magistrate's findings, writing that "the court's order dismissing Andersen's claims without prejudice provide a sufficient 'judicial imprimatur' on the 'alteration of the legal relationship of the parties' to justify conferring prevailing party status on Andersen."

Judge Redden also upheld the magistrate's decision to dismiss her counterclaims without prejudice so that they could be heard as part of a malicious prosecution lawsuit filed by Andersen last June after the RIAA's case was dismissed, citing the "interests of judicial economy and comprehensive litigation."

Andersen's malicious prosecution lawsuit accuses the RIAA of invasion of privacy, deceptive business practices, libel, slander, and a host of other misdeeds, saying that the RIAA has "engaged in a coordinated enterprise to pursue a scheme of threatening and intimidating litigation in an attempt to maintain its music distribution monopoly." Her complaint contains some very disturbing allegations, including one that labels attempted to contact her then eight-year-old daughter under false pretenses without Andersen's permission.

Andersen is seeking class-action status for her lawsuit, which would allow anyone who was "sued or were threatened with sued by Defendants for file-sharing, downloading or other similar activities, who have not actually engaged in actual copyright infringement" to join the lawsuit. The RIAA has denied any wrongdoing and has moved for dismissal of the lawsuit.
