Monday, January 04, 2010

...and we can look forward to more of the same.

http://www.databreaches.net/?p=9097

Looking back on 2009

January 3, 2010 by admin Filed under Commentaries and Analyses, Of Note

The breach of Heartland Payment Systems grabbed the headlines for much of the year and the entire population of Belize had their birth details stolen when a government employee left a laptop in a car, but what else went on?

Your details, my friend, were blowing in the wind

Although the number of breaches involving paper records does not appear to have increased from 2008 to 2009, by the end of the third quarter, paper breaches comprised more than one quarter of U.S. breaches reported in the media this year. The federal government sent a strong message when it fined CVS $2.25 million for violating HIPAA by improperly disposing of pharmacy records, but was anyone else listening?

Doctor, doctor, give me the news

Almost a year after it first reported receiving an extortion attempt with evidence that the extortionist had acquired members’ prescription records, pharmacy benefit management firm Express Scripts reported that the extortionist had acquired much more data than they originally believed. In April, the Virginia Prescription Monitoring Program database was hacked and they, too, received an extortion demand.

As in past years, we saw some large breaches involving health insurers. Blue Cross Blue Shield reported two major breaches – one involving a stolen laptop and one involving stolen hard drives. To the irritation of a number of states attorney general, Health Net belatedly reported the loss of a hard drive with many members’ insurance or health-related information.

Over in the U.K., it seemed that every month we were reading about yet another NHS unit that had breached the Data Protection Act and was now required to sign an “Undertaking” with the Information Commissioner’s Office. We also learned that an outsource transcription service in India was selling patient information.

If the healthcare sector doesn’t make you ill, the malware will

2009’s “new math” was that hacking + malware = big trouble. The Heartland Payment Systems breach grabbed the spotlight on that in January, only ceding it temporarily when a 2008 RBS WorldPay breach resulted in a coordinated attack on over 2000 ATMs to the tune of $9 million in a few hours. Protesting their PCI-DSS compliance, the two processors were banished from card brands’ approved list, but within months, were restored to approved status.

Malware also started rearing its head more in social media networks and online banking, and a number of small businesses found themselves taking their banks to court over funds that were stolen from their accounts. And of course, despite all of the scam alerts, some people fell for phishing attempts. That would be bad enough, but when you read that 46% of all Brits use the same login/pass for all of their accounts, the problems are magnified.

On a positive note, several master cybercriminals such as Ehud Tenenbaum and Albert Gonzalez pleaded guilty to involvement in numerous large breaches, but not all of their accomplices have been apprehended and we have not been told about other payment processors that were under attack. In October, we started getting reports about a major breach in Spain that is affecting cardholders in Europe and beyond, but we have not yet been told whether it is a card processor or other entity that is the source of the breach and whether or not it involved malware.

And as we struggled to learn names from Russia, Estonia, Romania, and Latvia, each week seemed to bring new headlines of ID theft rings that had been broken up by law enforcement. Many of the local rings did not involve malware, however, but used much more low tech approaches.

2009 was a “fine year”

Among the most publicized fines for inadequate security or breaches: TJX paid almost $9 million to settle with 41 states attorney general, Heartland Payment Systems paid American Express $3.6M over its 2008 data breach and claimed that it is fighting MasterCard’s more than $6 million fine. Over in the U.K., the Financial Services Authority (FSA) fined HSBC Life UK, HSBC Actuaries and Consultants, and HSBC Insurance Brokers more than £3m. The FSA also fined UBS £8 million.

The U.S. Commodity Futures Trading Commission fined Interbank FX, LLC (Interbank) $200,000, the Financial Industry Regulatory Authority (FINRA) fined Centaurus Financial (CFI) $175,000, and the Securities and Exchange Commission fined Commonwealth Financial Network $100,000.

It was also a busy year for states attorney general. In addition to the TJX settlement, CVS and Walgreens settled with Indiana’s Attorney General, while Payment Resources International paid a fine to the Vermont Attorney General. BNY Mellon was fined by the Connecticut Attorney General and Blue Cross was fined by the Delaware Insurance Commissioner. Kaiser Permanente was also socked with a few fines by California over employees snooping in celebrity patients’ files.

That settles that!

In 2009, the FTC settled charges against ChoicePoint, James B. Nutter, Comp Geeks/Genica (Compgeeks), and Rental Research Services, while the Texas Attorney General settled charges against Cornerstone Fitness and the Florida Attorney General settled charges against VICI Marketing.

Class-action lawsuits in response to breaches generally continue to disappoint irate consumers, who seem to keep trying anyway. In 2009, most of the Hannaford Bros. breach lawsuit was dismissed, and an attempt to file a class-action lawsuit against Express Scripts was dismissed. Among the breach-related lawsuits that settled during the year were the 2006 stolen V.A. laptop lawsuit, D.A. Davidson lawsuit, a Heartland Payment Systems class action suit by consumers, and TJX settlements with some banks and 41 states attorney general. Other lawsuit settlements either received preliminary approval or were rejected: Countrywide Financial (approved), TD Ameritrade (rejected), and the Olive Garden FACTA lawsuit (approved). But consumers weren’t the only ones disappointed by lawsuit outcomes in 2009. Cumis was dealt a blow when the Massachusetts Supreme Court ruled that BJ’s Wholesalers and Fifth Third Bank were not liable to Cumis for the costs it incurred after the BJ’s breach.

Also new in 2009: two groups of restaurateurs filed lawsuits against Radiant Systems, alleging that the vendor’s software was not compliant and was responsible for the hacks they suffered in 2007 and 2008.

New laws delayed, watered down, nonexistent

This year, the FTC introduced new Red Flag Rules in the hope of reducing identity theft. The effective date was delayed and delayed…. and groups successfully sued to be exempt from the rules. Similarly, Massachusetts’ new data security regulations were amended and are now slated to go into effect in March 2010, but I’m not holding my breath on that. Of course, we still have no federal data breach notification law, and some of the proposed laws don’t even include mandatory notification of paper breaches. The new HITECH Act which sounded pretty good when Congress passed it got watered down by HHS to include a “harm” threshold that Congress had rejected. The law has been in effect since September, and to date, the public web page where reported breaches are to be posted is…. empty.

And to add further insult to injury, Governor Schwarzenegger vetoed a privacy protection bill that would have made California’s protections even stronger.



“Someone leaked our secret rules, so we created a new set of double secret rules. This has nothing to do with the fact that the old rules were a bizarre overreaction. We just want to make certain that no one knows the rules.”

http://www.bespacific.com/mt/archives/023162.html

January 03, 2010

TSA: New Security Measures for International Flights to the U.S.

News release: "...the Transportation Security Administration issued new security directives to all United States and international air carriers with inbound flights to the U.S. effective January 4, 2010. The new directive includes long-term, sustainable security measures developed in consultation with law enforcement officials and our domestic and international partners. [Something they didn't bother to do last time. Bob] Because effective aviation security must begin beyond our borders, and as a result of extraordinary cooperation from our global aviation partners, TSA is mandating that every individual flying into the U.S. from anywhere in the world traveling from or through nations that are state sponsors of terrorism or other countries of interest will be required to go through enhanced screening. The directive also increases the use of enhanced screening technologies and mandates threat-based and random screening for passengers on U.S. bound international flights."

  • AP: "The State Department lists Cuba, Iran, Sudan and Syria as state sponsors of terrorism. The other countries whose passengers will face enhanced screening include Afghanistan, Algeria, Iraq, Lebanon, Libya, Nigeria, Pakistan, Saudi Arabia, Somalia and Yemen."



For those who think they can eliminate file sharing by “blocking” one avenue.

http://torrentfreak.com/six-ways-file-sharers-will-neutralize-3-strikes-100102/

Six Ways File-Sharers Will Neutralize 3 Strikes

Written by enigmax on January 02, 2010

After some epic legal wrangling, vote after vote, and protest upon protest, the French government finally got their way. In 2010, those caught sharing files illegally in France will be subjected to the much-touted “3 strikes” regime.

When ‘caught’ uploading copyright works for the first time, the owner of the Internet connection used for the alleged infringement will receive an email warning. On allegations of a second offense, a physical letter will drop through the door. On the third, the account holder will be summoned to appear before a judge who will have the power to fine, or even disconnect them from the Internet.



Looks like a simple way to “illustrate” website features

http://www.makeuseof.com/dir/snippage-create-a-desktop-widget/

Snippage: Create a Desktop Widget From Any Website

By Israel Nicolas on Dec. 26th, 2009

… After installing Snippage, a window will appear on your desktop where you can navigate to a webpage, choose a specific part, and “snip” it so only that part shows on your desktop.

Snippage is in early development and it won’t catch Flash and other advanced HTML components. Still, this is a simple and powerful tool for creating your very own widgets on the fly.

http://snippage.gabocorp.com



For those visual types out there, this could replace your bookmarks/favorites list, and since it's online you have access to it from any computer.

http://tizmos.com/

Tizmos

Tizmos lets you see thumbnails of your favorite sites and access them anywhere!
