http://news.cnet.com/8301-1023_3-10419316-93.html?part=rss&subj=news&tag=2547-1_3-0-20
Open house? Google has also been eying Trulia
by Kara Swisher, AllThingsD December 19, 2009 11:55 AM PST
...According to sources close to the situation, along with its pending bid for Yelp, Google has been in on-again, off-again acquisition talks with Trulia, the real-estate search engine.
Dribbles and drips, but eventually the information leaks.
http://www.databreaches.net/?p=8962
Gonzalez sentencing memo reveals some numbers on breaches
December 19, 2009 by admin Filed under Of Note
Apart from the fact that I don’t think we should be getting our news about breaches from court filings years after a breach occurs, it is still somewhat interesting when we finally get some numbers — even if they are are estimates or arguable.
In a court filing by Albert Gonzalez’s attorney yesterday, there are references to the pre-sentencing report (PSR):
The PSR states that of the 36 million card numbers obtained from TJX, at least 25 million — approximately 70% — were expired, PSR ¶35, and therefor unusable.
36 million? Not 45 million or 94 million? Hmmmm…
… the PSR states that defendants obtained account information for 5,132 cards through the Dave & Buster’s intrusion, but only 675 cards — about 13% — were ever used. PSR ¶26. The government also, with one exception, has not attempted to quantify the number of cards as to which the information was actually sold. The one exception is the statement in the PSR that codefendant Scott estimated that 300,000 to 400,000 credit card numbers obtained from BJ’s Wholesale Club were sold. PSR ¶31…. Gonzalez has testified the reliability of Scott’s estimate.
The PSR also provided estimates of losses due to breaches:
As for actual loss, the PSR lists the following: “TJX, more than $180.5 million in losses and associated expenses” (later changed to $171.5 million, itself a reflection of guesswork), DSW, $6.5 million to $9.5 million; BJ’s, $11 million to $13 million; Dave & Busters, $720,288.
I’ve uploaded the memorandum for those who wish to read more of the references to the government’s report, here. The numbers begin on page 11 of the memorandum.
(Related) Same hacker, different case. Looks like they're going for the “No one was concerned about security, so we weren't either.” defense.
http://www.databreaches.net/?p=8940
Apres le breach, yet another call for greater cooperation to fight data theft
December 19, 2009 by admin Filed under Commentaries and Analyses
And the year draws to a close as it opened: with a call for greater cooperation in preventing security breaches. At the beginning of the year, it was Heartland Payment Systems. Now, following lawsuits against it by restauranteurs in Louisiana who were hacked while using one of its POS applications, Radiant Systems is trying to sound its own clarion call for greater cooperation among those involved in processing transactions. In a press release issued yesterday, the company writes:
“Our vision is to encourage all involved in transaction processing to move from a mindset of independent compliance to one of collaborative security that will greatly reduce the risk of data theft,” said John Heyman, chief executive officer at Radiant Systems. “We believe the current data security blueprint in the payments industry is designed with many constraints in mind and therefore is not able to go far enough.”
[...]
“We have expanded the responsibilities of Jimmy Fortuna, vice president of product development for the hospitality division at Radiant Systems, to now include industry data security,” added Heyman. Fortuna brings 10 years of industry experience to this role. “Jimmy will work inside and outside the walls of our company to fight for increased levels of data security in the retail and restaurant industries.”
Radiant is investing in these activities to help define new standards across the payment process, educate businesses on how to reduce theft by meeting the current 12-step Payment Card Industry Data Security Standard (PCI DSS) requirement process, and build new technologies outside its POS software to combat theft.
To date, Radiant has declined to discuss any specifics involving the lawsuits against it, and details of the hacks have come only from the restauranteurs, leaving many questions unanswered.
What did Radiant do in 2007 when its earlier Aloha systems were declared noncompliant? Did it notify all distributors to stop selling those systems and did anyone contact customers to alert them and advise them? Following an August 2008 meeting between Visa, the Secret Service, and Louisiana restauranteurs, Radiant issued a security alert. But what had it done before then to ensure that customers who used their platform were aware of the problems? Yes, it is ultimately the merchant’s responsibility to remain compliant, but it’s unrealistic to expect small merchants to search for or read bulletins that may or may not apply to them. As Radiant looks to prevent future problems, what is Radiant suggesting be done going forward?
Will Radiant go so far as to recommend that vendors be required to commit to notifying customers of security alerts? If not, what will Radiant agree to support?
If a car has a safety defect, it is the car manufacturer’s responsibility to notify customers to bring their car in. We don’t expect car owners to check the manufacturer’s site or the Highway Safety web site to find out if their car poses a hazard to them. Why doesn’t the same notion of responsibility apply here? Or does it already?
Whether Radiant’s call is simply an attempt at PR in response to the bad press they have received over the lawsuits or a serious commitment that they will follow up on remains to be seen and I expect we’ll see some “lessons learned” as an outgrowth of this incident. But will it be enough to significantly reduce the likelihood of future breaches? As long as there continues to be intensive efforts to cover up breaches or to prevent the public from finding out the full scope of breaches, I doubt it.
Real suggestions for handling a breach? One: “There is no risk to dead people, so we don't need to notify?” Two: If someone changes the “all electronic” records we're heading towards, how will anyone detect it and what will they use as an “original” to restore the proper data?
http://www.databreaches.net/?p=8972
Attorney for doctors in WDH privacy breach disputes AG’s finding
December 19, 2009 by admin Filed under Breach Incidents
Adam D. Krauss continues to update us on this case:
An attorney for two doctors impacted by the privacy breach at Wentworth-Douglass Hospital says the Office of the Attorney General would have found WDH had to notify patients if the state knew a rogue employee accessed patients’ social security numbers and sensitive insurance policy data.
Charles Grau, a Concord attorney representing Drs. Cheryl Moore and Glenn Littell, said the state based its review on a summary of the audit conducted after the 13-month breach without considering images of computer screens showing the specific data fields viewed by the ex-WDH employee.
The employee accessed more than 1,100 patients records on file at the hospital’s pathology lab about 1,800 times from May 2006 to June 2007 after she was transferred from the lab, the doctors say.
James Boffetti, who leads the AG’s consumer protection and antitrust bureau, said on Thursday that there was “insufficient information” to conclude the breach fits the definition of a security breach as defined by RSA 359-C: 19.
Read more on Fosters.com.
This case is raising a number of questions and is making WDH “look bad” in terms of not contacting patients or families of deceased patients. Even if one gives WDH the full benefit of any doubt as to their motives and determinations, I think this case is a useful reminder that “when in any doubt, notify.” Insider breaches are one of the biggest challenges in security. In this case, where there was no financial fraud, I still think it would have been best for the hospital to notify everyone, reassure them that they were not at any known risk of fraud (if that is a reasonable belief), that their records are being reviewed and corrected, and any other steps the hospital is taking to reduce the risk of a similar breach in the future.
If you give people information, don’t try to minimize, give them a phone number to call if they are concerned or have questions, and are responsive, a breach doesn’t have to leave your reputation damaged. In fact, as I commented about Johns Hopkins on a few occasions, their forthright handling of breaches may actually instill more trust in patients who know that if something happens, the hospital will be “up front” with them.
Rigging an election is rigging an election. Perhaps you should spend some time considering the potential downside of these little marketing ploys. Probably the C-levels never heard of these charities until it looked like they might have to send them money.
Charities Upset Over Chase Facebook Contest
Posted by ScuttleMonkey on Saturday December 19, @08:29AM from the could-have-just-used-terms-and-conditions dept.
ssv03 writes
"The New York Times is reporting that Chase Community Giving of Chase Bank recently held a contest on Facebook in which users were encouraged to vote for their favorite charities. At the end of the contest, the 100 charities with the most votes would win $25,000 and advance to the next round to have a chance to win $1 million. Initially, the vote counts for each organization were made public, but two days before voting ended they were hidden, and the final totals have still not been released. While Chase had no official leader board during the voting, several organizations were keeping track of projected winners. Those projections were almost identical to the final results, yet several organizations including Students for Sensible Drug Policy (SSDP), Marijuana Policy Project and several anti-abortion groups were not finalists. They had been performing very well (some within the top 20) until the vote counters were removed. Chase Bank has so far refused to discuss the issue with the organizations. SSDP has spoken out in a press release (PDF) and is calling for a boycott."
Something to compare to ours, if we have any.
http://www.phiprivacy.net/?p=1667
AU: New privacy guidelines for health practitioners on disclosing genetic information
By Dissent, December 19, 2009 9:07 am
JOINT MEDIA RELEASE of the Office of the Privacy Commissioner and the National Health and Medical Research Council:
The National Health and Medical Research Council (NHMRC), in cooperation with the Office of the Privacy Commissioner (OPC), today released new guidelines to assist health practitioners in making decisions about disclosing genetic information to their patient’s genetic relatives.
… Dr Sandra Hacker AO, chair of the NHMRC’s Guidelines Working Party, said the guidelines specify the strict requirements that must be met by health practitioners if they are faced with the difficult decision of having to disclose genetic information without patient consent.
… “It is important to emphasise that doctors can not disclose information to non-genetic relatives, for example husbands or wives, or when there is no threat to the genetic relative.”
… The use and disclosure of genetic information to a patient’s genetic relative under Section 95AA of the Privacy Act 1988 (Cth) – Guidelines for health practitioners in the private sector’ are available for download at http://www.nhmrc.gov.au/publications/synopses/e96syn.htm
Office of the Privacy Commissioner: www.privacy.gov.au/law/act/genetic
(Related)
http://www.bespacific.com/mt/archives/023056.html
December 19, 2009
The eYouGuide now speaks 10 languages
The eYouGuide, Europe's first online tool giving consumers practical advice on their "digital rights" under EU law is now available in 10 languages. "The eYouGuide was launched in Strasbourg on 5 May 2009 (see IP/09/702). The guide provides information on a number of issues related to online activities, such as shopping online, networking, uploading and downloading content and making online payments, just to mention a few. It is meant as a tool to improve consumers' awareness and confidence in the digital environment. The website will be updated and extended to more EU languages at the beginning of 2010."
Be sure to tell your Security Manager about this. Should be part of any contract/license with security software providers!
http://www.bespacific.com/mt/archives/023051.html
December 19, 2009
NIST: Draft Technical Specification for the Security Content Automation Protocol
DRAFT The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1, December 15, 2009: "NIST announces the public comment release of Special Publication (SP) 800-126 Revision 1, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1. The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which security software products communicate software flaw and security configuration information. SCAP is a multi-purpose protocol that supports automated vulnerability and patch checking, technical control compliance activities, and security measurement. Goals for the development of SCAP include standardizing system security management, promoting interoperability of security products, and fostering the use of standard expressions of security content."
With understanding comes wisdom investment opportunities! Ask yourself which of the Baby Bells recognized that they could use their infrastructure to win this game? Remember, with VOIP you no longer need a phone company, only Internet access.
Making Sense of the Cellphone Landscape
Posted by kdawson on Sunday December 20, @01:52AM from the handbags-at-dawn dept.
Charlie Stross has a blog post up that tries to make sense of the mobile phone market and where it's going: where Apple, Google, and the cellcos fit in, and what the point of Google's Nexus One may be.
"Becoming a pure bandwidth provider is every cellco's nightmare: it levels the playing field and puts them in direct competition with their peers, a competition that can only be won by throwing huge amounts of capital infrastructure at their backbone network. So for the past five years or more, they've been doing their best not to get dragged into a game of beggar-my-neighbor, by expedients such as exclusive handset deals... [Google intends] to turn 3G data service (and subsequently, LTE) into a commodity, like Wi-Fi hotspot service only more widespread and cheaper to get at. They want to get consumers to buy unlocked SIM-free handsets and pick cheap data SIMs. They'd love to move everyone to cheap data SIMs rather than the hideously convoluted legacy voice stacks maintained by the telcos; then they could piggyback Google Voice on it, and ultimately do the Google thing to all your voice messages as well as your email and web access. (This is, needless to say, going to bring them into conflict with Apple. ... Apple are an implicit threat to Google because Google can't slap their ads all over [the App and iTunes stores]. So it's going to end in handbags at dawn... eventually.)"
For all our spare time... Note: I've cut the abstracts, go to Pogo or directly to SSRN if you are interested.
http://www.pogowasright.org/?p=6442
For my reading list…
December 19, 2009 by Dissent Filed under Businesses, Featured Headlines, Surveillance, Workplace
Every so often, I try to spend a bit of time on SSRN to see what new articles are available that might be of interest. Here are seven recently posted abstracts, below. For most of them, the full-text version is also available as a free download:
Finkin, Matthew W., On Restating the Common Law of Employee Privacy (October 7, 2009).
Rubinstein, Ira, Privacy, Self-Regulation and Statutory Safe Harbors (November 6, 2009).
Goold, Benjamin J., Surveillance and the Political Value of Privacy (September 01, 2009). Amsterdam Law Forum, Vol. 1, No. 4, 2009.
Keele, Benjamin J., Privacy by Deletion: The Need for a Global Data Deletion Principle (November 17, 2009). Indiana Journal of Global Legal Studies, Vol. 16, No. 1, pp. 363-384.
Romanosky, Sasha and Acquisti, Alessandro, Privacy Costs and Personal Data Protection: Economic and Legal Perspectives (December 12, 2009). Berkeley Technology Law Journal, Forthcoming.
Gelman, Lauren Amy, Privacy, Free Speech, and ‘Blurry-Edged’ Social Networks (November 1, 2009). Boston College Law Review, Vol. 50, No. 5, 2009.
Gidron , Dr. Tamar Gidron, Publication of Private Information: An Examination of the Right to Privacy from a Comparative Perspective (June 19, 2009).
(Related) ...and one to gorow on. What would happen if my email address was “I_refuse_to_accept_all_tracking(at)Hotmail.Com?
http://www.pogowasright.org/?p=6444
Levi’s tags: more than just your jeans
December 19, 2009 by Dissent Filed under Breaches, Businesses, Featured Headlines, Internet
I’m confident that Levis.com is not the only web site of concern, but this case study suggests that the public really often has no clue how their information is being tracked or used:
Dwyer, Catherine Ann, Behavioral Targeting: A Case Study of Consumer Tracking on Levis.com (August 6, 2009).
Abstract:
Behavioral targeting is an online marketing method that collects data on the browsing activities of consumers, in order to “target” more relevant online advertising. It places digital tags in the browsers of web site visitors, using these tags to track and aggregate consumer behavior. The vast majority of data is collected anonymously, i.e., not linked to a person's name. However, behavioral targeting does create digital dossiers on consumers with the aim of connecting browsing activity to a tagged individual. This tagging is largely invisible to consumers, who are not asked to explicitly give consent for this practice. By using data collected clandestinely, behavioral targeting undermines the autonomy of consumers in their online shopping and purchase decisions. In order to illustrate the nature of consumer tracking, a case study was conducted that examined behavioral targeting within Levis.com, the e-commerce site for the Levis clothing line. The results show the Levis web site loads a total of nine tracking tags that link to eight third party companies, none of which are acknowledged in the Levis privacy policy. Behavioral targeting, by camouflaging the tracking of consumers, can damage the perceived trustworthiness of an e-commerce site or the actor it represents. The risks behavioral targeting presents to trust within e-commerce are discussed, leading to recommendations to reestablish consumer control over behavioral targeting methods.
Although the full-text version of the article is not currently available on SSRN, the author’s contact information is given as cdwyer[at]pace.edu.
Is this the likely response to any project that was too big to complete BC (Before Computers)?
http://www.pogowasright.org/?p=6461
Library Groups Ask Justice Department To Supervise Institutional Pricing for Google Book Database
December 20, 2009 by Dissent Filed under Court, Featured Headlines, Internet
In a letter (PDF) to the Antitrust Division of the U.S. Department of Justice (DOJ), the American Library Association (ALA), the Association of College and Research Libraries, and the Association of Research Libraries, say “active supervision of the settlement by the court and the United States will protect the public interest far more than any additional restructuring of the settlement.”
They also ask for representation of academic authors on the Book Rights Registry and remind the DOJ that libraries would be primary consumers of institutional subscriptions and thus deserved to have their voices heard. A fairness hearing is scheduled for February 18, 2010.
Read more on LibraryJournal.com.
No comments:
Post a Comment