Thursday, April 02, 2009

Perhaps this could relate to the “no damages? Punitive damages are still possible.” case I posted Sunday? Still, it's another expense related to a data breach...

http://www.databreaches.net/?p=2753

Judge to decide if Hannaford data breach should go to trial

April 2, 2009 by admin Filed under: Business Sector, Hack, ID Theft, U.S.

Trevor Maxwell of the Portland Press Herald reports:

A federal judge said he will decide in the next few days whether supermarket giant Hannaford Bros. is potentially liable for damages because of a data breach that exposed more than 4 million credit and debit card numbers to computer hackers.

Judge D. Brock Hornby heard arguments on Wednesday at U.S. District Court. Attorneys for Hannaford asked the judge to dismiss the lawsuit, which was filed against the Scarborough-based company last year. Attorneys for the plaintiffs said Hornby should certify the case as a class-action suit and let it proceed toward trial.

[From the article:

The case boils down to a couple of central questions: To what extent are merchants responsible for securing the electronic data that gets processed with every noncash purchase, and what should the consequences be when that data is stolen?

… Attorneys for the plaintiffs seek additional damages because Hannaford allegedly knew about the security breach at least three weeks before making a public announcement.

"Rather than lose sales, it allowed customers to continue making purchases by debit and credit card, knowing that its electronic payments system was not secure, and that it was exposing these customers' accounts to fraud," lawyers Peter Murray, Thomas Newman and Lewis Saul wrote in their opposition to Hannaford's motion to dismiss the case.



Interesting article about a potential breach caused when a vendor changed the functions of a program without notifying their customer. (Think Microsoft, Adobe, Java, etc.)

http://www.pogowasright.org/article.php?story=2009040110075534

Diary of a Data Breach Investigation

Wednesday, April 01 2009 @ 10:07 AM EDT Contributed by: PrivacyNews

When the CISO asks to speak to you with that look on his face, you know the news isn't good. We were contacted by one of our third-party vendors, whom we had hired to do analysis on our website traffic.

It appears that we have been passing sensitive information to them over the Internet. This sensitive information included data, such as customer names, addresses and credit card information. Because we are a public company, there are many regulatory guidelines that we have to follow like Sarbanes-Oxley (SOX) and the Payment Card Industry's (PCI) data security standard.

Source - CIO



Shouldn't a health firm report generally to an employer? If your employees are getting cancer at a rate far above the local norm, wouldn't it be prudent to find out why? How secret would that information be if the organization had only 25 employees?

http://www.pogowasright.org/article.php?story=20090402061102253

NL: Occupational health firm criticised on privacy

Thursday, April 02 2009 @ 06:11 AM EDT Contributed by: PrivacyNews

Private occupational health advice firm Tredin has been strongly criticised for passing on confidential information about workers' health to employers, the Telegraaf reports on Thursday.

The privacy watchdog CBP says that despite previous warnings Tredin had not changed its procedures. The company now faces a €1,000 fine every time it breaks privacy laws, up to a maximum of €120,000. [If they can spread that among 1000 employers, the fine is a joke. Bob]

Source - DutchNews.nl



I try to stay away from future/proposed/let's-run-it-up-the-flagpole legislation. This one I expect will happen in some form – eventually. Comments are universally scornful. Looks like the Computer Security Major could get a bit more popular.

http://it.slashdot.org/article.pl?sid=09/04/02/0238233&from=rss

New Legislation Would Federalize Cybersecurity

Posted by samzenpus on Thursday April 02, @12:27AM from the big-brother-security dept. Security Politics

Hugh Pickens writes

"Senators Jay Rockefeller and Olympia J. Snowe are pushing to dramatically escalate US defenses against cyberattacks, crafting proposals, in Senate legislation that could be introduced as early as today, that would empower the government to set and enforce security standards for private industry for the first time. The legislation would broaden the focus of the government's cybersecurity efforts to include not only military networks but also private systems that control essentials such as electricity and water distribution. "People say this is a military or intelligence concern, but it's a lot more than that," says Rockefeller, a former intelligence committee chairman. "It suddenly gets into the realm of traffic lights and rail networks and water and electricity." The bill, containing many of the recommendations of the landmark study "Securing Cyberspace for the 44th Presidency" (pdf) by the Center for Strategic and International Studies, would create the Office of the National Cybersecurity Adviser, whose leader would report directly to the president and would coordinate defense efforts across government agencies. The legislation calls for the appointment of a White House cybersecurity "czar" with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway. It would require the National Institute of Standards and Technology to establish "measurable and auditable cybersecurity standards" that would apply to private companies as well as the government. The legislation also would require licensing and certification of cybersecurity professionals."


Related: As Aesop once related, in the race between the tortoise and the TSA, the tortoise's grandchildren get to watch TSA approach the finish line. Meanwhile, has anyone actually looked into the effectiveness of this program? I didn't think so...

http://blog.wired.com/27bstroke6/2009/04/feds-begin-post.html

Feds Begin Post-9/11 Airline Watchlist Takeover

By Ryan Singel April 01, 2009 | 5:53:18 PM

The federal government is finally beginning to take over the job of comparing U.S. airline passengers against its terrorist watchlist, more than six years after it announced its post-9/11 plans to relieve airlines of that duty.

Now four unnamed small airlines are uploading passenger lists to the Transportation Security Administration for comparison against the approximately 16,000 names on the TSA's two watchlists, the agency announced this week.

The rest of the nation's airlines will continue to compare passenger names themselves using the lists provided to them by the feds, until they too switch to the new method in the coming months and years.



How embarrassing must it be to have your security breach rated “So easy, a caveman could do it!”

http://www.atthebreach.com/blog/hacker-difficulty-level/

April 01, 2009

Hacker Difficulty Level

In the 2008 Data Breach Investigation Report by the Verizon Business Risk Team, they determined the attack difficulty for attackers to exploit the systems that resulted in the data breach.

The chart and commentary follows a “path of least resistance” philosophy subscribed to by most security professionals. As they specify in the report, hacking is really quite easy and the chart speaks to that. More than half of attacks had no difficulty or low difficulty. Only 17% were considered High Difficulty.
