Wednesday, April 23, 2008

Remember, you hire your worst security threat.

http://www.pogowasright.org/article.php?story=20080422112536737

LendingTree discloses insider data breach

Tuesday, April 22 2008 @ 11:25 AM EDT Contributed by: PrivacyNews News Section: Breaches

Web-based lending exchange LendingTree, which generates leads in the mortgage business by accepting online customer information, yesterday disclosed that it believes several former employees illicitly helped a handful of mortgage lenders gain access to customer data.

"Recently, LendingTree learned that several former employees may have helped a handful of mortgage lenders gain access to LendingTree's customer information by sharing confidential passwords with the lenders," LendingTree stated in a letter sent April 21 to its customers. "When we learned of this situation, we quickly contacted the authorities, and LendingTree is helping with the investigation. We promptly made several system-security changes. We also brought lawsuits against those involved." [Bravo Bob]

Source - Network World

Related - Charlotte.com: LendingTree tells clients of breach

[From the Network World article:

LendingTree believes the lenders gained illicit entry to its data systems to access LendingTree’s loan-request forms between October 2006 and early 2008. [Boo Bob]



Do you notify people or customers?

http://www.pogowasright.org/article.php?story=20080422153358504

Bank customers urged to take precautions because of security breach

Tuesday, April 22 2008 @ 03:33 PM EDT Contributed by: PrivacyNews News Section: Breaches

A Laguna Woods Village resident was informed by letter from his bank this week that his "non-public private account" [as opposed to his public private account Bob] information might be at risk.

The Villager is not the only customer getting such letters, nor was his bank the only financial institute impacted by a security breach that occurred in a banking systems provider last month.

In the letter sent to the Villager from First Federal Bank of California it states that "a large number of financial institutions [This could be huge Bob] including First Federal Bank of California, was accessed."

First Federal Bank of California Counsel Greg Josephson and Chief Operating Officer Jim Giraldin explained that the breach in security occurred Easter Saturday, March 22, in a "subsystem of a financial data processor," Fiserv, Inc. of Wisconsin.

Fiserv, a Fortune 500 company, is one of the largest providers of electronic information technology to financial institutions and insurance industries worldwide.

Source - OCRegister.com Thanks to Wilma Burt of the Identity Theft Resource Center for this link.

[From the article:

Fiserv Company Corporate Communications Vice President Melanie Tolley said... ...that it was "company policy" not to reveal any details about the breach including the number of banks involved, how many customers were impacted, the depth of information breached, how extensive the breach was geographically even which federal agencies were involved in the investigation.

She said releasing such information would hamper the investigation...

... She said ultimately the banks, not Fiserv, are responsible to their clients.



Looks like at least one news organization is beginning to see the obvious...

http://www.pogowasright.org/article.php?story=20080423003815333

(follow-up) BoI kept quiet about stolen client details since February

Wednesday, April 23 2008 @ 12:38 AM EDT Contributed by: PrivacyNews News Section: Breaches

Bank of Ireland managers knew in early February that thieves had stolen personal data on 10,000 customers, but decided not to tell the authorities.

And even after the security breach was uncovered internally, the bank took no steps -- until yesterday -- to begin encrypting its laptop computers.

Despite making a profit of €1.7bn last year, Bank of Ireland's failure to spend an estimated €200,000 on encryption technology to protect its customers' data has caused shock.

Source - Independent.ie

[From the article:

The technology is used by all of its major banking rivals but Bank of Ireland's lack of investment in such a key area of basic security is a source of deep concern, experts said.

... The bank said there was no evidence of fraud so far, but yesterday a clearly embarrassed governor Richard Burrows said he could not guarantee the data would not be used by the thieves.

The Irish Independent learned the thefts -- between June and October 2007 -- were reported to gardai within hours but senior managers at the bank were not told.

... The Data Protection Commissioner wants to know why medical data was being stored at all.



Confusion or cover-up?

http://www.pogowasright.org/article.php?story=20080422222032702

Hackers Breach System At UMass

Tuesday, April 22 2008 @ 10:20 PM EDT Contributed by: PrivacyNews News Section: Breaches

Hackers breached the computer system used by UMass Amherst's Health Services, potentially gaining access to thousands of medical records.

More than half of the student population at UMass Amherst are patients on record at the University Health Services.

Source - CBS

[From the article:

Officials believe outside hackers wanted to use the server as a host for illegal music and video downloads, one that would make the culprits untraceable.

... A fact that's even more unsettling for patients who were unaware of the breach more than a week after it occurred. The University did post a notice on the Health Services website, and say they are notifying patients when they enter the clinic.

... "If it's that easy for someone who just wanted to get music who knows what would happen for someone who was trying to get confidential information."

Campus officials say it will be weeks before they are completely sure what information, if any, was taken off the computers.



Save for college (because your credit history will be so screwed up you'll never get a loan!)

http://www.pogowasright.org/article.php?story=20080422155529893

CollegeInvest loses hard drive, customers' personal data

Tuesday, April 22 2008 @ 03:55 PM EDT Contributed by: PrivacyNews News Section: Breaches

CollegeInvest this week is sending letters to roughly 200,000 customers who had personal information stored on a computer hard drive that disappeared during a recent move.

CollegeInvest believes there is little risk of customers’ personal information being compromised because the data is in a format that would be difficult to access and also was password protected.

Personal data from some but not all CollegeInvest customers was on the hard drive.

... CollegeInvest moved to a new office space recently using an international relocation firm that offered specialists in moving computer equipment. CollegeInvest discovered while unpacking at the new location that a hard drive was missing.

.... CollegeInvest is a not-for-profit division of the Colorado Department of Higher Education. CollegeInvest helps families break down the financial barriers to college by providing expert information, simple planning tools, scholarships, college savings plans, and low-cost student and parent loans.

Source - North Denver News



http://www.pogowasright.org/article.php?story=2008042307131558

Infosec: Reputation driving information security

Wednesday, April 23 2008 @ 07:13 AM EDT Contributed by: PrivacyNews News Section: Businesses & Privacy

Concerns over reputation and brand protection are key drivers of information security for nearly three-quarters of companies worldwide.

The findings come from the latest Global Information Security Workforce Study from ISC2 published at Infosec Europe 2008.

'Corporate image' topped the list of top priorities for motivating information security governance, but the privacy of customer data, identity theft and breach of laws and regulations are also key factors.

The fourth edition of the study was conducted by Frost & Sullivan and surveyed 7,548 information security professionals from companies and public sector organisations in more than 100 countries.

Source - IT Week

Global Information Security Workforce Study (PDF)



A step in the right direction? More likely: “The Scapegoat Minister has acknowledged his responsibility, and will immediately retire to his villa in the south of France.”

http://www.pogowasright.org/article.php?story=2008042211170366

UK: Top officials to be held to account for data losses

Tuesday, April 22 2008 @ 11:17 AM EDT Contributed by: PrivacyNews News Section: Breaches

Senior Whitehall figures are to be held personally responsible if their department loses or mishandles personal information, under a range of measures designed to increase data security.

Officials across the public sector, including permanent secretaries and chief executives of NHS trusts, are to be forced to take data protection "much more seriously" under proposals due to be laid out by Gus O'Donnell, the Cabinet Secretary.

In the coming weeks Mr O'Donnell is expected to present the findings of a report on data security.

Source - TimesOnline

[From the article:

...the heads of departments would be personally responsible in the event of serious data breaches.

"It has to be the likes of chief executives (of NHS trusts) and permanent secretaries who are held accountable when things go wrong," Mr Thomas told a security conference in London. "They can't simply make assumptions that everything is in the hands of the 'techies'".

... "There are going to be new requirements for Whitehall departments and new guidance for the public sector at large," Mr Thomas said. "It's not just about data security. We need to ask a whole range of questions, such as why so much information is being collected. Why is it being retained for so long? Why are laptops which hold the information not being encrypted? And why are such laptops being left in the backs of cars?" [Noble words. Let's check back in six months. Bob]


Mentioned in the article above...

http://www.pwc.co.uk/eng/publications/berr_information_security_breaches_survey_2008.html

BERR Information Security Breaches Survey 2008

April 2008


Another “We're gonna fix everything” promise.

http://www.pogowasright.org/article.php?story=20080422112017169

Hannaford details upgrades prompted by security breach

Tuesday, April 22 2008 @ 11:20 AM EDT Contributed by: PrivacyNews News Section: Breaches

Hannaford Bros. Co. says it's taking steps to enhance the security of its data network following a massive breach that compromised up to 4.2 million credit and debit card numbers.

Company officials announced Tuesday that the new measures include encryption of all card numbers during the entire time they are within the supermarket chain's data network. The company says it's also introducing a "24/7 monitoring system" to detect intrusions.

Source - WPRI

[From the article:

Hannaford President and CEO Ron Hodge apologized again Tuesday and said there has been no drop in sales since the breach was announced five weeks ago. [Maybe TJX was right, customers don't care. Bob]



...because cameras aren't enough? Will every prisoner get a Bluetooth device surgically implanted? (If not, won't they simply swap them randomly?)

http://yro.slashdot.org/article.pl?sid=08/04/22/1754242&from=rss

Bluetooth Surveillance Tested In the UK

Posted by kdawson on Tuesday April 22, @02:37PM from the turn-the-darn-thing-off dept. Privacy Wireless Networking

KentuckyFC writes

"If you live in the city of Bath in the UK and carry a Bluetooth-enabled device, your movements may have been secretly monitored in an experiment designed to test surveillance techniques in prisons. Researchers from Bath University recorded the movements of 10,000 Bluetooth-enabled devices during their 6-month trial. They say the experiment was a test of a technique for monitoring the interactions between prisoners in jail that could be used to work out which inmates have become closely associated. The work was prompted by revelations that the Madrid train bombers who devastated the city in 2004 first met in a Spanish prison (abstract)."
