Monday, February 23, 2009

Is this normal or is NY setting the stage for legal action?

http://www.databreaches.net/?p=1704

NYS Consumer Protection says “Action Needed in Heartland Breach”

February 22, 2009 by admin

The following was sent to me by the NYS Consumer Protection Board:

DATE: February 22, 2009

NYS CONSUMER PROTECTION BOARD CALLS FOR ACTION TO PROTECT CONSUMERS WHO MAY BE AFFECTED BY HEARTLAND BREACH

The New York State Consumer Protection Board (CPB) today called on financial institutions and corporations with knowledge of customer data compromised by the Heartland Payment Systems (Heartland) security breach disclosed to the public on January 20, 2009, to immediately take action to protect their consumers.

“A breach of this enormity necessitates action on behalf of consumers who, to date, probably don’t even know that their personal and private information may have been affected,” said Mindy A. Bockstein, Chairperson and Executive Director of the CPB. “After careful scrutiny of the actions taken and current law, financial institutions should not sit idly by and do nothing to inform or protect the consumers who rely on them.”



Just suppose it isn't one more large processor – suppose it's all of them. Would that justify withholding notification? Avoiding panic in the financial world?

http://www.databreaches.net/?p=1711

Banks starting to report breach at unnamed processor

February 22, 2009 by admin

In an earlier post, I questioned whether banks were just sitting on the breach at the as-yet-unnamed processor. According to a spokesperson from the New York State Consumer Protection Board:

While some banks have reported this breach, the CPB awaits formal notification pursuant to New York State law. Until such time as we can review the filing, we do not know the full extent of its effect on New York consumers. Meanwhile, we understand that some banks and financial institutions have already begun to issue new credit cards to those affected, and the CPB applauds this action. As with all data breaches, the CPB encourages full transparency on behalf of consumers to protect their personally identifiable information and avoid the prospect of identity theft. We continue to watch this breach and review all notifications sent to us in accordance with the law.

If banks are beginning to notify consumers and replace cards, that’s good news, indeed, for consumers, although they may understandably feel battle-weary if they also received notification due to the Heartland breach.


Related

http://www.databreaches.net/?p=1697

Another small detail or two on as-yet-unnamed processor breach

February 22, 2009 by admin

Still no real facts, but more hints of impact. This from the Community Bankers Association of Illinois (emphasis added by me):

(February 11, 2009) Today, VISA announced that an unnamed processor recently reported that it had discovered a data breach. The processor’s name has been withheld pending completion of the forensic investigation. According to VISA officials, the breach affected all card brands. Evidence indicates that the account number, PAN and expiration dates were stolen. No cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers or other personal information were involved in the breach. VISA officials have indicated that the Account Data Compromise Recovery (ADCR) procedure will not apply to this event. The ADCR process is used exclusively for magnetic-stripe data compromise events. An increase in card-not-present fraud suggests some BIN numbers have been targeted by criminals. CAMS reports were sent to banks beginning on Monday, February 9, 2009, and are expected to conclude by Friday, February 13, 2009. We have already heard from Illinois bankers that have been affected. VISA officials reported that while the number of accountholders affected is undetermined, it appears to be fewer than those affected by the recent Heartland Payment Systems breach, but a significant number nonetheless. And unlike the Heartland breach, where thieves also captured Track 2 data, [New factoid! Bob] officials reiterated that no personal information was taken in this most recent event. The status of the processor’s PCI compliance is unknown at this time. Bankers are encouraged to read their daily CAMS reports and monitor CVV responses.


Issuers have chargeback rights. MORE TO COME….

So far, I haven’t found any updates subsequent to Feb. 13, but if any site visitor finds any, please let me know.

I freely admit my ignorance on the way things are done, but if banks were already reporting being affected by this breach by this February 11 posting, has anyone contacted the customers whose accounts were affected or is everyone just going to sit on this breach until the processor is ready to issue a public statement?
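The VISA notice above draws a line between two kinds of compromise: Track 2 (magnetic-stripe) data, which is enough to clone a physical card and triggers the ADCR process, and PAN plus expiration date only, which feeds card-not-present fraud and shows up as a rise in CVV2 mismatches on particular BINs. The following is an added example, not code from the notice, the bankers association or VISA: it parses ISO 7813 Track 2 data into its fields (so you can see exactly what a stripe-level theft hands the thief), checks the PAN with the Luhn test, and runs the "monitor CVV responses" advice over constructed authorization records to flag BINs with an abnormal CNP mismatch rate. The thresholds, the record layout, and all sample data are assumptions; 4111111111111111 is a well-known test PAN, not a real account.

```python
# Added example: Track 2 parsing plus a BIN-level CVV2 mismatch monitor.
# All thresholds and sample data below are constructed assumptions.
import re
from collections import defaultdict

# ISO 7813 Track 2: ';' start sentinel, PAN (up to 19 digits), '=' separator,
# expiry as YYMM, 3-digit service code, numeric discretionary data (issuer
# defined; typically PVKI/PVV and CVV1/CVC1), '?' end sentinel, optional LRC.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?(?P<lrc>.)?$"
)


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check digit test; filters mistyped or fabricated PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def bin_of(pan: str) -> str:
    """Bank Identification Number: the leading six digits of the PAN."""
    return pan[:6]


def parse_track2(track2: str):
    """Split a Track 2 string into its fields, or return None if malformed."""
    m = TRACK2_RE.match(track2)
    if not m:
        return None
    pan = m.group("pan")
    return {
        "pan": pan,
        "bin": bin_of(pan),
        "expiry_yymm": m.group("exp"),
        "service_code": m.group("svc"),
        "discretionary": m.group("disc"),
        "luhn_ok": luhn_ok(pan),
    }


def flag_targeted_bins(auths, baseline_rate=0.02, min_cnp=20, factor=5.0):
    """Flag BINs whose card-not-present CVV2 mismatch rate exceeds
    factor * baseline_rate.  auths: iterable of (pan, channel, cvv2_result),
    channel "CNP" or "POS", cvv2_result M (match) / N (no match) /
    U (unavailable).  Returns {bin: (cnp_count, mismatch_rate)}."""
    cnp = defaultdict(int)
    mismatch = defaultdict(int)
    for pan, channel, cvv2 in auths:
        if channel != "CNP":
            continue                      # card-present traffic is ignored
        b = bin_of(pan)
        cnp[b] += 1
        if cvv2 == "N":
            mismatch[b] += 1
    flagged = {}
    for b, n in cnp.items():
        if n < min_cnp:
            continue                      # too few auths to judge a rate
        rate = mismatch[b] / n
        if rate > factor * baseline_rate:
            flagged[b] = (n, round(rate, 3))
    return flagged


def sample_auths():
    """Constructed authorization records (not real data)."""
    rows = []
    # BIN 411111: 40 CNP auths, 30 mismatches -> guessed CVV2s on stolen PANs
    rows += [("4111110000%06d" % i, "CNP", "N" if i < 30 else "M") for i in range(40)]
    # BIN 555555: 40 CNP auths, 1 mismatch -> ordinary customer typos
    rows += [("5555550000%06d" % i, "CNP", "N" if i == 0 else "M") for i in range(40)]
    # POS traffic on the targeted BIN is not counted by the CNP check
    rows += [("4111110000%06d" % i, "POS", "U") for i in range(10)]
    # BIN 601100: 5 CNP auths, all mismatched, but below min_cnp
    rows += [("6011000000%06d" % i, "CNP", "N") for i in range(5)]
    return rows


if __name__ == "__main__":
    print(parse_track2(";4111111111111111=1012101123456789?"))
    print(flag_targeted_bins(sample_auths()))
```

Run as-is it prints the parsed fields of the constructed Track 2 string and flags only BIN 411111 (40 CNP auths, 75 percent CVV2 mismatches); the BIN with a normal mismatch rate and the one with too few authorizations are left alone. In a real issuer environment the monitor would read truncated PANs (first six, last four) rather than full card numbers, and the baseline would come from the BIN's own history rather than a fixed 2 percent.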



Very interesting. Includes discussion of the legal requirements under HIPAA and other privacy laws.

http://www.pogowasright.org/article.php?story=2009022305100723

World Privacy Forum Report Tackles The Privacy and Confidentiality Issues of Cloud Computing

Monday, February 23 2009 @ 05:10 AM EST Contributed by: PrivacyNews

... The report includes a detailed analysis of current law as it intersects with various aspects of cloud computing, detailed findings, and a discussion of responses to the privacy and confidentiality risks of cloud computing. Those responses include better policies and practices by cloud providers, changes to laws, and more vigilance by users.

Source - World Privacy Forum Press Release; Full Report (pdf)



It's not just pencils and paper clips any more...

http://www.pogowasright.org/article.php?story=20090223064630248

More Than Half of Ex-Employees Admit to Stealing Company Data According to New Study

Monday, February 23 2009 @ 06:46 AM EST Contributed by: PrivacyNews

Symantec Corp. (NASDAQ: SYMC) and the Ponemon Institute, a leading privacy and information management research firm, today announced the findings of a joint survey of employees who lost or left a job in 2008, which revealed 59 percent of ex-employees admit to stealing confidential company information, such as customer contact lists. The results also show that if respondents' companies had implemented better data loss prevention policies and technologies, many of those instances of data theft could have been prevented.

Source - CNN

[From the article:

The results also show that if respondents' companies had implemented better data loss prevention policies and technologies, many of those instances of data theft could have been prevented.]



Somehow the numbers don't seem right...

http://www.pogowasright.org/article.php?story=20090222192536429

AU: Arrests soar after new wiretap law

Sunday, February 22 2009 @ 07:25 PM EST Contributed by: PrivacyNews

Criminal arrests made under more powerful wiretapping laws have increased by 96 percent following reforms that make it easier for police to intercept and access telecommunications.

In a report tabled in parliament, Attorney General Robert McClelland said 45 arrests were made during the year ending June 2008, thanks to amendments to the Telecommunications (Interceptions) Act that allow police to access stored intercepted telecommunications data.

Source - Computerworld (AU)


Related? If they can't tap them, how do they know criminals are using them? (Perhaps they are suspicious of all Skype users?)

http://yro.slashdot.org/article.pl?sid=09/02/23/0332207&from=rss

European Crackdown On Skype "Loophole"

Posted by timothy on Monday February 23, @07:36AM from the only-the-suspicious-ones-of-course dept. Privacy Communications Security

angry tapir writes

"Suspicious phone conversations on Skype could be targeted for tapping as part of a pan-European crackdown on what law authorities believe is a massive technical loophole in current wiretapping laws, allowing criminals to communicate without fear of being overheard by the police. Eurojust, a European Union agency responsible for coordinating judicial investigations across different jurisdictions, has announced the opening of an investigation involving all 27 countries of the European Union."



No one asked me!

http://www.bespacific.com/mt/archives/020642.html

February 22, 2009

Declassified Oral History Interviews Posted by National Security Agency

"The National Security Agency (NSA) has recently declassified and posted lengthy, formerly Top Secret oral history interviews with four of its most prominent personnel: Arthur J. Levenson, Dr. Solomon Kullback, Oliver R. Kirby, and Benson K. Buffham." [The Memory Hole]

Note: "The National Security Agency/Central Security Service launched its newly redesigned public web site - www.nsa.gov. Visitors to the site, "NSA/CSS - Defending our Nation. Securing the Future", will discover many new features including:

  • A video overview of the NSA/CSS mission, a virtual tour of the National Cryptologic Museum and an NSA/CSS photo gallery;

  • "Latest News" showcasing NSA/CSS-generated press releases and features of interest as well as media coverage of NSA initiatives;

  • A "Doing Business with NSA" section to guide businesses through the contracting process;

  • An area dedicated to NSA's commitments - to the country, the community, and the environment; and,

  • A video message from LTG Keith B. Alexander, Director, National Security Agency / Chief, Central Security Service."



Apparently it takes an entire operating system to browse securely. Perhaps Microsoft should make a secure operating system its next goal? (Or perhaps this indicates that each device/function should have its own operating system?)

http://tech.slashdot.org/article.pl?sid=09/02/22/1724244&from=rss

MS Publishes Papers For a Modern, Secure Browser

Posted by Soulskill on Sunday February 22, @01:11PM from the new-and-different dept. The Internet Microsoft Technology

V!NCENT writes with an excerpt from a new publication by Microsoft:

"As web sites evolved into dynamic web applications composing content from various web sites, browsers have become multi-principal operating environments with resources shared among mutually distrusting web site principals. Nevertheless, no existing browsers, including new architectures like IE 8, Google Chrome, and OP, have a multi-principal operating system construction that gives a browser-based OS the exclusive control to manage the protection of all system resources among web site principals. In this paper, we introduce Gazelle, a secure web browser constructed as a multi-principal OS. Gazelle's Browser Kernel is an operating system that exclusively manages resource protection and sharing across web site principals."

Here's the full research paper (PDF).



How to market yourself? After some geek humor, there are some serious comments here.

http://ask.slashdot.org/article.pl?sid=09/02/22/2053258&from=rss

Linked In Or Out?

Posted by timothy on Sunday February 22, @04:30PM from the won't-you-be-my-neighbor-today dept. Privacy Social Networks

Mr_Whoopass writes

"I am the IT Administrator for a regional restaurant chain, and as of late I am noticing more and more people sending me invitations to sites like LinkedIn, FaceBook, etc. Mother always taught me to be a skeptic, and, knowing more than the average Joe about how information can be used in this digital era, I am reticent to say the least about posting such personal details as my full name and where I work on the net for all to see. I have thus far managed to stay completely below the radar, and a search on Google has nothing on my real persona. However, now times are tough, and I see sales dropping in the industry I work in as it is a discretionary spending market to be sure. I wonder if I should loosen up on the paranoia a bit and start networking with some of these folks in case of the all too common layoff scenario that seems to be happening lately. What do other folks here think about this? I am specifically interested in what people who work in IT think (since I know that just about every moron who has 'Vice President' or sits on the 'Executive Team' is already on LinkedIn and has no clue about why they should be trying to protect their identity)."
