Tuesday, May 20, 2008

Today does not look like a good day for the new Privacy Officer.

http://www.pogowasright.org/article.php?story=20080519123314347

LPL Financial hacked in 2007 for "pump and dump" stock scheme; over 10,000 customer accounts exposed

Monday, May 19 2008 @ 01:12 PM EDT Contributed by: PrivacyNews News Section: Breaches

Almost a year after becoming aware that hackers had compromised the login passwords of 14 financial advisors and four financial assistants in 9 states over the course of several months, LPL Financial has notified [pdf] the Maryland Attorney General's office of the incident.

In a detailed notification letter dated May 6th from Keith H. Fine, Senior Vice-President and Associate Counsel, the company described how after they first became aware of the hack on July 16, 2007, they notified law enforcement, FIRA, and affected individuals. The company estimates that personal information on 10,219 customers was exposed, including the unencrypted names, addresses, phone numbers, dates of birth, account numbers, and Social Security numbers of customers and non-customer beneficiaries.

Investigation of the incident determined that access to customer accounts was used to engage in a "pump and dump" scheme involving penny stocks, but all attempted transactions were reportedly either intercepted or reversed. No customer suffered any financial loss from the attempted transactions, and the company reports that there is no indication that customer information was used for any other purpose.

In August 2007, LPL retained Kroll Inc. to provide various services, including notification of affected individuals and free credit monitoring services for individuals. A series of communications was sent to affected individuals commencing on September 21, 2007, and most recently in May 2008.

Following this incident, LPL Financial reportedly initiated steps to improve its security on its advisor facing trading and operations systems. As part of enhancing security, they created a new position of Chief Security/Privacy Officer in March 2008, and other new security policies have been implemented this month. The company anticipates that their other security improvements will be completed in December 2008.


...and then after that one...

http://www.pogowasright.org/article.php?story=20080519131659904

Burglary of LPL Financial employee's home affects 1,397 employees

Monday, May 19 2008 @ 01:16 PM EDT Contributed by: PrivacyNews News Section: Breaches

While still dealing with the hacking incident that affected over 10,000 customer accounts, LPL Financial learned on September 12, 2007 that a laptop containing employee data had been stolen from an employee's home in San Diego.

The password-protected computer contained unencrypted names, addresses, fingerprints, and Social Security numbers of registered representatives and office employees, most of whom were from Massachusetts.

Affected individuals were first notified on November 30, 2007 and were offered free credit monitoring and identity restoration services from Kroll, Inc.

And once again, the notification to individuals did not say that there was a theft, but talked about the incident as "unauthorized person(s) obtained access to the system...."


...and after that...

http://www.pogowasright.org/article.php?story=20080519130551172

Five computers stolen from LPL Financial office in December contained customer data

Monday, May 19 2008 @ 01:17 PM EDT Contributed by: PrivacyNews News Section: Breaches

LPL Financial has notified [pdf] the Maryland Attorney General's Office that on December 11, 2007, a burglary at one of their offices in Diamond Bar, California, resulted in the theft of 5 computers that contained personal information on 444 customers.

The stolen computers were password-protected, but contained unencrypted personal information: names, addresses, dates of birth, Social Security numbers, and account numbers. Affected individuals were first notified on February 11, 2008 and were offered free credit monitoring through Kroll.

Somewhat curiously, perhaps, although LPL reports this as a burglary, all of their appended notifications to individuals say "unauthorized person(s) obtained access to the system...." which sounds more like a hack than a burglary.


...and let's not forget this one...

http://www.pogowasright.org/article.php?story=20080519125724971

LPL Financial laptop stolen from employee's car had data on 2800 employees

Monday, May 19 2008 @ 01:14 PM EDT Contributed by: PrivacyNews News Section: Breaches

LPL Financial has notified the Maryland Attorney General's office that on April 10, 2008, a laptop containing data on 2800 employees of LPL or its affiliated companies was stolen from an employee's car in North Carolina.

The personal information on the laptop contained names, Social Security numbers, employee ID numbers, and other employee financial compensation information.

In describing its plans to improve data security and steps it had already taken, the company indicated that it "had begun" a project to encrypt data on laptops [Translation: Nothing has actually been encrypted yet... Bob] used by employees and representatives.

Once again, the company used Kroll to provide services to affected individuals, including free credit monitoring.



Questions: 1) Is it reasonable to extrapolate the total number of compromised customers by taking the ratio of Maryland's population to the total US population? 2) Why do so many employees have social security numbers on their laptops?

http://www.pogowasright.org/article.php?story=20080519121639862

Stolen laptop contained employee data from Bearing Point Management & Technology Consultants

Monday, May 19 2008 @ 01:08 PM EDT Contributed by: PrivacyNews News Section: Breaches

Bearing Point Management & Technology Consultants reports that a laptop stolen from an employee's vehicle on April 11 contained personal information on some of its employees, 26 of whom are Maryland residents.

Personal information on the laptop included first and last names and Social Security numbers.

According to the letter sent to employees by Joseph T. Van Thuyne, HR Director, Administration, Policies and Systems, the laptop required two passwords and two forms of authentication and at the time of the theft, was inside a case in the trunk of the employee's vehicle. [Translation: No encryption Bob]

The company has offered those affected 12 months of free credit monitoring.



So who (if anyone) would assert they are in control of (you know, actually managing) the users with the laptops? Another reason to encrypt EVERYTHING on EVERY laptop.

http://www.pogowasright.org/article.php?story=20080519122543129

Sodexo laptop stolen but company not sure whether employee data was on it or not

Monday, May 19 2008 @ 01:10 PM EDT Contributed by: PrivacyNews News Section: Breaches

Sodexo, Inc., a provider of integrated food and facilities management services, reports that a laptop stolen from an employee's vehicle in Montgomery County may have contained names and Social Security numbers on 919 residents of Maryland employed by the company.

In a letter [pdf] to the Maryland Attorney General's office dated May 9, Robert A. Stern, Senior Vice-President and General Counsel for Sodexo, writes that the company "has not been able to confirm definitively that the file was on the laptop."

The company set up a hot line for employees to call, but did not offer free credit monitoring.



The damage from the Hannaford breach continues...

http://www.pogowasright.org/article.php?story=20080520063131461

Bank: Breach affected accounts

Tuesday, May 20 2008 @ 06:31 AM EDT Contributed by: PrivacyNews News Section: Breaches

TD Banknorth said yesterday a group of New Hampshire customers was notified last week that their Visa debit or credit cards have been compromised, most likely because of the Hannaford Brothers Supermarkets security breach.

"We do closely monitor those cards for suspicious activity, and it was because of our fraud-detection activity that we noticed the cases of fraud," bank spokesman Jennifer Carlson said yesterday.

Carlson declined to release the specific number of customers affected or their location, citing privacy policy.

Source - Union Leader



Looks like the Phishers missed one. Or did they?

http://it.slashdot.org/article.pl?sid=08/05/19/1325214&from=rss

Identity Theft Hits the Root Name Servers

Posted by CmdrTaco on Monday May 19, @10:00AM from the i-don't-think-i-am-who-you-think-i-am dept. Security The Internet IT

aos101 writes

"The Renesys blog has an interesting story about networks advertising the old address space of the L root name server after ICANN changed the IP address last November. These networks were also running root name servers on the old IP address of the L root name server up until last week, so any DNS servers still using the old IP address might have been getting their answers from these bogus name servers. A very cursory examination by Renesys of one of these bogus servers found that it appeared to be providing correct responses, which might be why no one noticed the problem. As Renesys points out, the volume of traffic to a root server is staggering, so the people running these bogus root servers must have had a reason. What did they get out of it?"



One to watch? At least until I find out how they can substitute their machine for the ATM card reader without anyone noticing!

http://www.pogowasright.org/article.php?story=20080519163803504

Secret Service joins Lunardi's ATM theft case; 234 victims now identified

Monday, May 19 2008 @ 04:38 PM EDT Contributed by: PrivacyNews News Section: Breaches

The Secret Service has joined the investigation into the Los Gatos Lunardi's Supermarket ATM identity theft case as the number of victims continues to climb.

Most recent figures show that 234 Lunardi's shoppers reported they are victims of the scam. Approximately $251,000 has been stolen since police discovered an ATM machine at the store had been tampered with to obtain customers' account information.

Source - Mercury News



Perhaps we'll get a better look at how these Phishing crimes work too?

http://www.pogowasright.org/article.php?story=20080519162213833

5 People Arrested in Connection with International Online Phishing Scheme (update 1)

Monday, May 19 2008 @ 04:22 PM EDT Contributed by: PrivacyNews News Section: Breaches

Five people were arrested Monday in Los Angeles and others were being sought in connection with an international online "phishing" scheme that defrauded thousands of victims and hundreds of financial institutions, federal authorities said.

A total of 33 people, U.S. citizens and foreign nationals alike, were named in a 65-count indictment charging them with participating in the Internet-based fraud, prosecutors said. The indictment, unsealed today, was returned by a federal grand jury in Los Angeles.

Source - Fox6News

Related - DOJ Press Release

Related - an article in InformationWeek lists affected institutions as:

Allegheny Federal Credit Union, American National Bank of Texas, Arizona Federal Credit Union, Banker's Bank & Trust, Bank of the West, Boeing Employees' Credit Union, Bowdoinham Federal Credit Union, Capital One Bank, Citibank, Downey Savings & Loan, Credit Union One, E-Trade, Desert Schools Federal Credit Union, Flagstar Bank, First Merit Bank, Iowa League Corporate Central Credit Union, Jeffco Schools Credit Union, Langley Federal Credit Union, Mountain America Credit Union, Orange County Teacher's Credit Union, Pointbank, NASA Federal Credit Union, North Island Credit Union, Premier Credit Union, PSCU Financial Services, Regions Bank, School Financial Credit Union, Southwest Corporate Federal Credit Union, Teacher's Credit Union, Telco Credit Union & Affiliates, Valley National Bank, VISA, Washington State Employees Credit Union, and Waterbury Teachers' Federal Credit Union.

Update 1: The Hartford Courant indicates that Bridgeport-based People's Bank, Brattleboro Savings and Loan Association in Vermont, Citibank, Capital One, JPMorgan Chase & Co., Comerica Bank, Wells Fargo & Co., eBay and PayPal were also targeted.



An ethical Catch-22. In theory, lawyers aren't supposed to look at this information. In theory, lawyers aren't supposed to claim the data is classified when it is not. So do you sanction both sides?

http://blog.wired.com/27bstroke6/2008/05/secret-data-in.html

Secret Data in FBI Wiretapping Audit Revealed With Ctrl+C

By Ryan Singel May 16, 2008 | 7:51:59 PM

Once again, supposedly sensitive information blacked out from a government report turns out to be visible by computer experts armed with the Ctrl+C keys -- and that information turns out to be not very sensitive after all.

This time around, University of Pennsylvania professor Matt Blaze discovered that the Justice Department's Inspector General's office had failed to adequately obfuscate data in a March report (.pdf) about FBI payments to telecoms to make their legacy phone switches comply with 1995 wiretapping rules. That report detailed how the FBI had finished spending its allotted $500 million to help telephone companies retrofit their old switches to make them compliant with the Communications Assistance to Law Enforcement Act or Calea -- even as federal wiretaps target cellphones more than 90 percent of the time.

This isn't the first time the Justice Department has made such an error.
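The failure described above is easy to check for mechanically: a black rectangle drawn over text hides it on screen, but the glyphs remain in the page's content stream and any text extraction (or select-and-copy) recovers them. The Python below is an added example, not code from the Wired article or the Inspector General's office. It assembles two small constructed PDFs, one "redacted" by drawing a filled box over the sensitive string and one where the string was actually removed from the content before the box was drawn, and runs a simple string-extraction check over both. The PDF builder, the carrier name and the dollar amount are all constructed for the demonstration.

```python
"""Detect 'visual-only' redaction: text that is boxed over but still present in a PDF.

Added example (not from the article). The check pulls every literal string out of
every page content stream, inflating FlateDecode streams, and reports sensitive
terms that survive. Handles flat stream dictionaries and the common string
escapes, which is enough for the constructed samples below.
"""
import re
import zlib

# Constructed sensitive value used in both sample documents.
SECRET = b"Payment to Carrier X: $1,234,567"


def build_pdf(page_content: bytes, compress: bool = False) -> bytes:
    """Assemble a minimal single-page PDF around one content stream (constructed sample)."""
    data = zlib.compress(page_content) if compress else page_content
    filt = b"/Filter /FlateDecode " if compress else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length " + str(len(data)).encode() + b" " + filt + b">>\nstream\n"
        + data + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += f"{i} 0 obj\n".encode() + body + b"\nendobj\n"
    xref = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()
    out += (f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref}\n%%EOF\n").encode()
    return bytes(out)


# "Redacted" by painting a black box over the text: the string is still in the stream.
OVERLAY_REDACTED = build_pdf(
    b"BT /F1 12 Tf 72 700 Td (" + SECRET + b") Tj ET\n"
    b"0 0 0 rg 70 696 250 16 re f\n")

# Properly redacted: the string was replaced before rendering, then the box drawn.
PROPERLY_REDACTED = build_pdf(
    b"BT /F1 12 Tf 72 700 Td (Payment to Carrier X: [REDACTED]) Tj ET\n"
    b"0 0 0 rg 70 696 250 16 re f\n", compress=True)

# A stream object with a flat dictionary, followed by its raw data.
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
# A PDF literal string: anything in parentheses, allowing backslash escapes.
LITERAL_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)", re.S)


def _unescape(s: bytes) -> bytes:
    """Undo the simple escapes \\( \\) \\\\ (octal escapes are not needed for the samples)."""
    return re.sub(rb"\\(.)", lambda m: m.group(1), s)


def extract_strings(pdf: bytes) -> list:
    """Return every literal string found in any content stream, inflating Flate streams."""
    found = []
    for dict_part, data in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dict_part:
            try:
                data = zlib.decompressobj().decompress(data)
            except zlib.error:
                continue  # not a stream we can read; skip rather than crash
        found.extend(_unescape(s) for s in LITERAL_RE.findall(data))
    return found


def redaction_leaks(pdf: bytes, sensitive: list) -> list:
    """Sensitive terms that still appear in the document's text despite visual redaction."""
    text = b" ".join(extract_strings(pdf))
    return [term for term in sensitive if term in text]


if __name__ == "__main__":
    print("overlay-only redaction leaks:", redaction_leaks(OVERLAY_REDACTED, [SECRET]))
    print("proper redaction leaks:     ", redaction_leaks(PROPERLY_REDACTED, [SECRET]))
```

Run against a real document the check is only a first pass: it does not parse fonts, object streams or encrypted files, so a clean result means "no obvious literal strings", not "safe to publish". The reliable fix is the second sample's approach, removing the text from the content before anything is drawn on top of it.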



“Screwing our customers, one sale at a time.” Hard to blame this one on an untrained new employee...

http://www.news.com/8301-10784_3-9947410-7.html?part=rss&subj=news&tag=2547-1_3-0-5

Best Buy challenges FCC over analog TV sales penalty

Posted by Erica Ogg May 19, 2008 3:43 PM PDT

The Federal Communications Commission says Best Buy and other retailers must pay more than $3 million in fines for selling analog TVs without labels that explain the sets won't work after the digital TV switchover next February.

In a 41-page legal document filed last week (and dug up by Ars Technica), Best Buy essentially says, "Oh yeah? Make us."



Won't the RIAA have fits over this service?

http://www.killerstartups.com/Web20/iRadeocom---Stream-Your-Music/

iRadeo.com - Stream Your Music

Want to share your music with others? iRadeo is a free streaming radio platform. Installing iRadeo on your website is easy. First download and unzip the iRadeo package. Open the file and update your settings and preferences. Upload files and folders to your server and place the given code wherever you please on your website and you are done. You can start uploading your MP3/WAV files to your folder and iRadeo will stream the file.

... Other listeners can easily embed your player on their sites by copying and pasting code. Sharing music with others couldn’t be easier than at iRadeo.com.

http://www.iradeo.com/



Interesting resource...

http://www.bespacific.com/mt/archives/018382.html

May 19, 2008

Online Tool Provides Victims' Rights Law Information

"VictimLaw has been designed as a comprehensive, user-friendly online database of victims’ rights statutes, tribal laws, constitutional amendments, court rules, administrative code provisions, and case summaries of related court decisions that meets the needs of a wide variety of users with different levels of substantive and technological expertise. VictimLaw also offers brief victims' rights and justice system overviews. Such ready access to information can advance the cause of crime victims’ rights by facilitating the exercise, implementation, and enforcement of those rights. This resource was developed by the National Center for Victims of Crime with funding from the Office for Victims of Crime (OVC), the Office of Justice Programs (OJP), and the U.S. Department of Justice (DOJ)."



More disciplines should do this. Who knows what is being lost...

http://www.bespacific.com/mt/archives/018392.html

May 19, 2008

Preserving Legal Information: The Chesapeake Project's First-Year Evaluation

"The Chesapeake Project began as a two-year (2007-2008) pilot digital preservation program established to preserve and ensure permanent access to vital legal information currently available in digital formats on the World Wide Web. The purpose of The Chesapeake Project is to successfully develop and implement a program to stabilize, preserve, and ensure permanent access to critical born-digital legal materials. The goal is to establish the beginnings of a strong regional digital archive collection of U.S. legal materials as well as a sound set of standards, policies, and best practices that have the potential to serve as a model for the future realization of a nationwide digital preservation program. See Legal Information Archive: The Chesapeake Project, First Year Evaluation." [via Sarah J. Rhodes]



and since we're discussing legal resources, I'll toss this one in too

http://www.bespacific.com/mt/archives/018383.html

May 19, 2008

New on LLRX.com

Keeping Up with Class Actions: Reports, Legal Sites and Blogs of Note - "Staying current on the latest cases and news in the area of class actions can be challenging, but Russell Scott's guide to reliable subscription based publications, free legal sites and blogs that offer timely news, analysis and selected copies of court filings, is a valuable resource. — Published May 19, 2008"



Another example of tools to make the transition from Windows to Linux easier. Start training your employees now, the death of Windows is inevitable!

http://tech.slashdot.org/article.pl?sid=08/05/19/2223258&from=rss

A Virtualized Linux System For Windows

Posted by kdawson on Monday May 19, @07:01PM from the bill-in-the-middle dept. Operating Systems Windows Linux

getupstandup1 writes

"Ulteo today unveiled their Virtual Desktop (screenshots, download) which is a free, full Linux desktop that runs seamlessly on Windows. It's interesting because it's not running under Xen or VMware, but instead uses the coLinux patch, which they claim allows the system to achieve 'great performance, close to a native installation on the PC.' No need to reboot the system anymore to switch from Windows to Linux."

We discussed Ulteo when the Ubuntu-derived distro was announced a year back.
