http://www.databreaches.net/?p=1337
More Heartland Details Leak Out (And Some May Be Trying To Leak Back In)
Posted February 6th, 2009 by admin
Evan Schuman reports:
Details surrounding the Heartland data breach continue to dribble out, with one respected payment systems newsletter reporting that the forensic investigators Heartland brought in were Cybertrust and Neohapsis.
Heartland had tried keeping those names confidential, an effort that was succeeding prior to the Wednesday, Feb. 4 issue of The Nilson Report. That newsletter also quoted from a MasterCard alert, which provided new details about what was taken and when.
“According to a MasterCard alert, this sniffer program stole card numbers and expiration dates from credit and debit cards processed by Heartland from May 14, 2008, through Aug. 19, 2008, as the information entered Heartland’s payment switch,” the Nilson story said. “Only an estimated 5 percent of the stolen card numbers also included names. [100 million per month times 3 months times .05 = 15 million. That makes me feel so much better! Bob] The malware was likely deactivated when Heartland conducted regular system upgrades as part of its PCI Data Security Standards (PCI DSS) compliance program, although it’s possible that the hackers shut it down to try and avoid being traced.”
Read more on StorefrontBacktalk
Related There is a risk in being too quick to respond when you are not positive you know the source of the breach has been identified and closed! NOTE: At the time of the first letter, HPS had no idea its data was being stolen in wholesale quantities.
http://www.databreaches.net/?p=1354
Add Dime Savings Bank of Williamsburgh to list….
Posted February 7th, 2009 by admin
Kid #1 came in last night and threw the letter down on my desk in disgust. For the second time since June, Dime Savings Bank of Williamsburgh had notified him that his debit card was being replaced due to a breach and that he would have to personally come in to the bank to activate the new card.
The bank’s notification letter was even less helpful than the uninformative one he had received in June. At least that one had a phone number on the letterhead if anyone actually wanted to call. This letter was the June letter verbatim with only the dates replaced, and had no phone number on it all.
Looking back at that June letter, I see that I had wondered at the time what breach it might be connected to, but never heard anything more. Now that we know that the Heartland breach seems to have occurred as early as May, is it possible that the June letter was actually a result of Heartland, too? Do we actually know how early misuse of debit cards or credit cards started in the Heartland breach?
Somebody probably knows, but we’re not being told much.
Related
http://www.databreaches.net/?p=1351
Huge bank card scam hits Bermuda
Posted February 7th, 2009 by admin
How curious…. Canadian Tire had told me that 2% of their customers’s cards had been misused as a result of the Heartland Payment Systems breach. Now another non-US entity mentions 2%. Have we gotten reports from any UK banks yet?
Hundreds of debit and credit card customers in Bermuda have been dragged into one of the world’s biggest security breaches.
Bank of Bermuda and Butterfield Bank are warning customers to be on guard after cyber-crooks hacked into the computer system of an overseas payment company.
Individuals and businesses with Visa and MasterCard cards are said to be at risk from the data breach at Heartland Payment Services.
[...]
The widespread security breach has affected fewer than two per cent of Bank of Bermuda’s card users and “a small number” of Butterfield Bank customers.
Read more on BDA Sun
Related
http://www.databreaches.net/?p=1334
Quick Poll: Many Smaller Banks Hit By Heartland Breach
Posted February 6th, 2009 by admin
Brian Krebs reports:
In another sign that the recently disclosed data breach at credit card processing giant Heartland Payment Systems may indeed be one for the record books, a quick survey of community banks indicates that a majority of institutions have been notified that at least some of their debit or credit cards were compromised in the breach.
Read more in The Washington Post
[From the article:
The Independent Community Bankers of America, a trade group that includes some 5,000 banks representing 18,000 locations nationwide, took an informal poll of its members recently to find out how many were contacted by Heartland. According to the ICBA, 83 percent of the 512 member banks that responded said they had credit and/or debit cards affected by the Heartland breach. Thirteen percent said they didn't know yet.
… So far, most of the information we have about the size of the breach has come from the Open Security Foundation. OSF maintains datalossdb.org, which has collected a list of news stories about specific banks that have acknowledged receiving notice from Heartland about compromised accounts. According to OSF, as of this writing, 79 banks have reported being affected by the Heartland breach, with a known total of 276,066 cards affected.
Small, but another amazed group of managers...
http://www.databreaches.net/?p=1339
CA: Personal Info On 1,000s Of Kaiser Employees Stolen
Posted February 6th, 2009 by admin
CBS reports:
Thousands of northern California Kaiser employees are being notified that their personal information including social security numbers was stolen from the company.
Kaiser has set-up a Employee Security Support Line for the 29,500 employees whose information was stolen to handle the situation. A recorded message on the line says that the stolen information was found in the possession of a criminal [So, 1) their security didn't detect it and 2) they have no idea how he got the data Bob] who has since been arrested. The information included employee names, social security numbers and birthdates. And that so far, only a ‘few employees had been impacted’.
Kaiser says it is working with law enforcement to discover how their computer system was breached. But it does not say when the information was actually stolen or recovered.
[...]
This is Kaiser’s second known breach in the past six months. In August, Kaiser Foundation Health Plan of Mid-Atlantic States notified (pdf) the Virginia Attorney General’s Office that an employee had stolen and misused patient information from patients at the Kaiser Permanente Falls Church Medical Center. Kaiser notified 5,200 members in that breach, which was never reported in the media. [like this Blog, 5200 is too trivial to bother reporting... Bob] In the most recent incident, no patient data was reportedly involved.
Related An editorial sparked by the HPS breach. If even the media is noticing the “breach situation” is it possible we'll start seeing stronger laws?
http://www.baltimoresun.com/news/opinion/editorial/bal-ed.scam06feb06,0,1229378.story
Once the information is exposed on the Internet, are all future efforts at confidentiality now worthless? It will certainly be difficult to say, “I don't have that information,” when everyone in the audience does.
http://www.databreaches.net/?p=1349
Confidential LAPD misconduct files mistakenly posted on Internet
Posted February 7th, 2009 by admin
Joel Rubin reports:
The Los Angeles Police Commission violated its own strict privacy policy — and perhaps state law — on Friday, releasing a confidential report on the Internet that contained the names of hundreds of officers accused of racial profiling and other misconduct.
The blunder, which police officials attributed to a clerical error, marks an embarrassing misstep for a police department that has staunchly rebuffed efforts by the public to learn the identities of accused officers and gain greater access to the discipline process.
Read more in The Los Angeles Times
[From the article:
The commission and department staff had reviewed a paper copy of the report that did not contain the confidential information and assumed the electronic version would be the same, Tefank said. [“We reviewed a picture of the Titanic and thought it was only six inches long.” “The map is not the territory,” Alfred Korzybski Bob]
ATTABOY! A school that did not automatically assume their students were terrorists! Bravo. (However, they seems to assume that parents are somehow not worthy...)
http://www.databreaches.net/?p=1341
WA: Student finds ‘back door’ in YCS program
Posted February 6th, 2009 by admin
Megan Hansen reports:
Yelm Community Schools shut down its computer account system Skyward after a student discovered a potential security breach.
“A student showed us a back door,” said Director of Technology Dennis Wallace. “We immediately shut down access to Skyward.”
Skyward is a computer account system that the school, students and parents can access which contains the students’ personal information, schedule, grades and lunch balance.
Wallace said the student found a way to gain access into the account system and immediately informed his teacher.
The district’s technology department called the student in to question the breach. [How are you feeling today, Mr Breach? Bob]
They then fixed it and had the student try and gain access again. He did and the school had to go back in and fix it again. [Perhaps they don't understand the definition of “fixed it” Bob]
Read more in Nisqually Valley News
[From the article:
He also said he did not feel the situation required notification to parents.
“We went in and fixed the problem,” Wallace said. “We weren’t even sure there had been a breach.”
[There's a lot they don't seem to know. Bob]
Sometimes I ponder what the world would be like if Darwin's observations applied to the Internet. Survival of the fittest can also be stated as “Death to dummies!” If this was a “real” danger, it would quickly kill off all of its customers and be abandoned as an evolutionary dead end. (Perhaps I should write an e-Darwin manifesto!)
http://tech.slashdot.org/article.pl?sid=09/02/07/0014204&from=rss
Privacy Group Calls Google Latitude a Real 'Danger'
Posted by Soulskill on Friday February 06, @07:58PM from the no-latitude-for-latitude dept. Google Privacy
CWmike writes
"Privacy International is calling Google's new mapping application an 'unnecessary danger' to users' security and privacy. The criticism follows the unveiling this week of Google Latitude, an upgrade to Google Maps that allows people to track the exact location of friends or family through their mobile devices. Google Latitude not only shows the location of friends, but it can also be used to contact them via SMS, Google Talk or Gmail. 'Many people will see Latitude as a cool product, but the reality is that Google has yet again failed to deliver strong privacy and security,' said Simon Davies, director of London-based Privacy International, in a statement. The group's chief concern is that Google Latitude lacks sufficient safeguards to keep someone from surreptitiously opting into the tracking feature on someone else's device."
Political advantage (this includes appearing cool) outweighs security every time. (On the other hand, it might be a clever play on the part of the Secret Service to see if anyone has developed a Blackberry targeting missile – before they let the President use his.)
http://news.cnet.com/8301-17939_109-10159054-2.html?part=rss&subj=news&tag=2547-1_3-0-5
Congressman Twitters secret trip to Iraq
Posted by Rafe Needleman February 6, 2009 8:11 PM PST
For security reasons, the congressional delegation led by House Minority Leader John Boehner to Iraq today was supposed to be secret. Everything had been going fine in that regard. Even media outlets which knew of the trip, like the Congressional Quarterly, kept a lid on the news.
That was, until Representative Peter Hoekstra Twittered his arrival into Baghdad. "Just landed in Baghdad. I believe it may be first time I've had bb service in Iraq. 11 th trip here," he sent from his Blackberry.
Strategy: Isn't this crazy? I already have a problem with cable “monopolies” and this suggests the same thought(less) process is coming to the Internet.
http://blog.wired.com/business/2009/02/espn-stands-fir.html
ESPN to ISPs: Pay for Your Customers to Play Video
By Eliot Van Buskirk February 05, 2009 8:18:06 PM
Not much detail here, but I suspect some of my website students might like to add a chat room to their sites. Behind a “sign in” wall, this could be useful.
http://www.killerstartups.com/Comm/99chats-com-create-your-own-chat-room
99Chats.Com - Create Your Own Chat Room
Are chat rooms still relevant? Well, apparently, yes, according to 99chats.com. With the site, you’ll be able to create your own chat room, to which you’ll be able to invite your friends
… You can add chat rooms to your MySpace, Orkut, Friendster, Hi5, Tagged, WordPress, and Blogger profiles.
What’s that good for? Well, that’s up to you. You can use it to have your blog readers interact, to have your friends write on your profile (like they do through Facebook’s wall), or any other thing you can think of.
Tools & Techniques: This is interesting and a little spooky. Note that if you click on their link, the URL changes to indicate they are ready to track you!
http://www.killerstartups.com/Marketing/meteorsolutions-com-measuring-digital-word-of-mouth
MeteorSolutions.com - Measuring Digital Word Of Mouth
http://www.meteorsolutions.com/
Born out of the merging of Reach Machines and Fyreball, Meteor Solutions is a company that provides a concise service, specially suited to the digital times we live in. In essence, it enables any publisher, marketer or agency to track digital content as it traverses the web. Think of it as a solution for tracking word of mouth in the online channels we all are familiar with.
This system is implemented through tracking scripts that are added to the site itself, like identifying tags for monitoring the path it trails through the web. Some of the events that are monitored include links on web pages, e-mails, bookmarks and instant messaging
Furthermore, a graph is generated for identifying each unique visitor and visualizing each single source and the role it plays in the process as a whole. Meteor Tracker is also capable of tracking individual actions, and this is very useful for webmasters that aim to drive visitors to click on specific portions of their sites.
By way of conclusion, the provided service stands as a thorough option when it comes to gauging the impact that digital content is having on the Net at large. If you want to ensure that you are reaching the right public, this solution might be just what you need.