Are we seeing only a small part of this breach?
http://news.cnet.com/8301-27080_3-20051038-245.html
Who is Epsilon and why does it have my data?
Epsilon is one of a growing number of companies that offer outsourced services for helping companies attract and keep customers. In addition to offering e-mail marketing services and managing customer e-mail databases for clients, Epsilon monitors social networking and other sites to see what people are saying about a company, advises on markets to target, helps develop and maintain customer loyalty programs, and offers Abacus, "the world's largest cooperative database with over 8.6 billion consumer transactions and 4.8 billion business transactions" used for creating lists of prospective customers. The different data Epsilon sells includes age, profession, residence, ethnic information and political affiliation, according to a list published on the site of security firm Magmatic.
"The e-mail component of Epsilon is a small part of the company," Dave Frankland, vice president and principal analyst at Forrester Research, told CNET. "They are in the business of managing customer data and helping companies integrate that data and communicate more effectively with customers. So they have a lot more information than just e-mail addresses and names."
… Breaches at third-party providers aren't new. After McDonald's and other companies' customers were informed of a breach at their e-mail database provider late last year, Silverpop acknowledged that it was one of "several technology providers targeted as part of a broader cyberattack."
… The Epsilon breach appears to be truly shaking the industry, said Frankland who is at the Forrester Marketing Forum this week and wrote this blog post on the incident.
"Epsilon, as well its competitors are here. They're all saying 'it could have been us,'" he said. "There is a lot of talk about legislation in the industry. This is going to increase the spotlight."
… Epsilon also has information and links for opting out of its e-mail and marketing services on its Web site here. [But, they will keep your information on the database, even if their clients no longer use their services... Bob]
No surprise. Data on the Internet is kept for geological time...
http://www.pogowasright.org/?p=22239
Why unsubscribing might not have protected you from the Epsilon breach
April 5, 2011 by Dissent
Back in December 2010, when Walgreens sent out its first breach notifications, one of the troubling aspects was that despite the fact that consumers had unsubscribed from their mailings, their data had been retained. The December 2010 notification email read, in part:
We realize you previously unsubscribed from promotional emails from Walgreens, and that will continue. As a company, we absolutely believe that all customer relationships must be built on trust. That is why we believe it is important to inform you of this incident. Online security experts have reported an increase in attacks on email systems, and therefore we have voluntarily contacted the appropriate authorities and are working with them regarding this incident.
So why did they retain his data when the customers had clearly unsubscribed? How does it inspire trust if you keep data that you are no longer supposed to use when hanging on to it increases the risk that it will be acquired by cybercriminals? How is that a relationship built on trust?
Fast forward and it appears that it has happened again. The latest round of Walgreens notifications reads, in part:
[...]
We realize you previously unsubscribed from promotional emails from Walgreens, and that will continue, but we feel an obligation to make you aware of this incident. We regret this has taken place and any inconvenience this may have caused you. If you have any questions regarding this issue, please contact us at 1-855-814-0010. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.
Sincerely,
Walgreens Customer Service Team
So why were those data still on Epsilon’s servers? Was that a function of Walgreens’ policies about data retention even for unsubscribers? [Either a deliberate policy choice to keep the data, or a failure of management to consider it in their record retention policy Bob]
Shouldn’t “unsubscribe” mean “Pretend you never met me and I never gave you my email address. Delete it.” And do most customers believe that when they unsubscribe, their data are being deleted? [Probably, but your assumption is not my mandate. (Your wish is NOT my command) Bob]
Don’t tell me to read the privacy policies as we all know most people don’t really read them.
Why isn’t there a popup next to the “subscribe” button that tells you that your name and email address will be sent to a third party and will never be deleted even if you unsubscribe? How about:
By subscribing, your name and email address will go to a vendor that we trust, even if you don’t know who they are. And your data will remain with that vendor even after you die, barring any act of Congress or the FTC.
Wouldn’t that at least be more transparent if you’re not going to delete the data when the customer unsubscribes?
Walgreens has not (yet) responded to an inquiry I sent them about this issue earlier today.
What can you do with a mere email address?
http://news.cnet.com/8301-27080_3-20051071-245.html
Attack on RSA used zero-day Flash exploit in Excel
The breach at RSA that could compromise the effectiveness of the firm's two-factor authentication SecurID tokens was accomplished via phishing e-mails and an exploit for a previously unpatched Adobe Flash hole, RSA has revealed.
Small, but some interesting twists (and lots of common themes)
http://www.phiprivacy.net/?p=6389
CT: MidState Medical Center informs 93,500 patients of data breach
By Dissent, April 5, 2011
Greg Bordonaro reports:
MidState Medical Center has begun sending letters to 93,500 patients whose personal information may have been compromised following the accidental loss of a computer hard drive, [unencrypted, of course Bob] the hospital said in a letter to employees Tuesday.
The misplaced hard drive, which has not yet been recovered, contains patient’s names, addresses, birthdates, social security numbers and medical record numbers, hospital spokeswoman Pamela Cretella said.
The hospital learned of the misplaced hard drive, which was lost by a Hartford Hospital employee, Feb. 15, Cretella said. The hospital conducted an investigation into the matter and began notifying patients in a letter sent today.
Cretella said the hospital has no reason to believe that any personal information found on the lost hard drive has been misused. But MidState is offering those who have been affected two years of identity protection with Debix Identity Protection Network.
A statement on the medical center’s web site dated April 5 says:
Important Notice to Patients Regarding Misplaced Personal Information
By MidState Staff
MERIDEN – On February 15, 2011, we learned that a hard drive containing personal information of some patients of MidState Medical Center had been misplaced. The information contained on the device consisted of names, addresses, dates of birth, marital status, Social Security numbers and medical record numbers. Not all of the patients being notified of the incident had Social Security numbers on the missing hard drive. We promptly began an investigation of the incident and subsequently reported the event to law enforcement authorities.
… MidState Medical Center and other affiliates of Hartford HealthCare are in the process of reviewing their policies and are taking steps to help ensure that this type of incident does not happen in the future [Encryption? Bob]
A companion FAQ on the breach, also on the medical center’s web site, has some interesting details (emphasis added by me):
… We promptly began an investigation and subsequently reported the event to law enforcement authorities. The individual is no longer employed by our business associate, Hartford Hospital, or any other Hartford HealthCare affiliate.
… We also retained a private investigator to search for the hard drive, but it has not been found. [What prompted this? Bob]
More of the same, with a few new tricks...
http://www.bespacific.com/mt/archives/026931.html
April 05, 2011
Symantec Internet Security Threat Report: Trends for 2010
Symantec Internet Security Threat Report Trends for 2010, Volume 16, Published April 2011
"Spam and phishing data is captured through a variety of sources, including the Symantec Probe Network, a system of more than 5 million decoy accounts; MessageLabs™ Intelligence, a respected source of data and analysis for messaging security issues, trends and statistics; as well as other Symantec technologies. Data is collected in more than 86 countries from around the globe. Over 8 billion email messages, as well as over 1 billion Web requests are processed per day across 16 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and more than 50 million consumers. These resources give Symantec’s analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the Symantec Internet Security Threat Report, which gives enterprises and consumers the essential information to secure their systems effectively now and into the future."
"Symantec recorded over 3 billion malware attacks in 2010 and yet one stands out more than the rest - Stuxnet. This attack captured the attention of many and led to wild speculation on the target of the attacks and who was behind them...."
[From the report:
The ability to research a target online has enabled hackers to create powerful social engineering attacks that easily fool even sophisticated users.
… All these types of attacks are moving to mobile devices, limited only by attackers getting a return on their investment.
… Polymorphism and new delivery mechanisms such as Web-attack toolkits continued to drive up the number of malware variants in common circulation. In 2010, Symantec encountered more than 286 million unique variants of malware. [Security can not be done “manually.” Bob]
Italy again. Are they now the leading edge of “Luddite legislation?”
Google Loses Autocomplete Defamation Case
"Google has been found liable in an Italian court for defamatory comments made against an anonymous plaintiff — the complainant's name, when googled, elicited autocomplete suggestions that translate as 'con man' and 'fraud.' Google was found not to qualify for EU 'safe harbour' protection because the autocomplete suggestions were deemed to be Google's own creation, and not something merely passing through its systems."
(Related) Not to be left out of the “Luddite Legion”...
Street View slapped by Swiss court on privacy issue
According to the Federal Administrative Court’s ruling of March 30, Google is not currently utilising sufficient protective processes to fully safeguard the identities of people (and the number plates of vehicles) inadvertently snapped by the fleet of Street View camera cars.
… As things stand, Google uses special algorithms to apply pixel blurring to the faces of any people (and vehicle number plates) caught by the multi-directional lenses of its Street View cameras. According to Google, its automatic blurring system is successful 99 percent of the time.
It’s also worth noting that any Swiss citizen that finds their face has slipped through the Street View security net can always have blurring applied upon request.
However, that clearly isn’t good enough for the Swiss court, which wants Google to manually seek out and blur the identifying features of anyone and everyone photographed by Street View—placing particular focus around “sensitive” locations such as courts, hospitals, prisons, retirement homes, schools and women’s shelters.
I may be only ¼ Dutch, but I can understand why they gave this the finger... After all, a leak is a leak.
http://www.phiprivacy.net/?p=6380
Dutch Senate rejects electronic patients’ records
By Dissent, April 5, 2011
Radio Netherlands Worldwide reports:
The Dutch Senate has unanimously rejected Health Minister Edith Schippers’ plan to introduce the Electronic Patient Dossier (EPD) nationwide.
Under the scheme, people’s medical records would have been available to doctors and other health professionals throughout the country. However, the senators decided that the planned system’s security was not good enough and that patients’ privacy and rights were not adequately safeguarded.
The EPD has been planned by successive governments over the last 14 years and has so far cost 300 million euros. [You would think that in 14 years, someone would have considered Security? Bob] Official figures show nearly 60 percent of healthcare professionals such as family doctors and pharmacies have voluntarily joined the scheme, which already holds the medical records of nearly 8.5 million Dutch residents.
So what’s the security like on those 8.5 million residents’ records? I wonder if people will be concerned enough by the Senate’s action to ask that their files not be part of the scheme any more.
Interesting, but I want to see it work.
http://www.pogowasright.org/?p=22245
Digital Agenda: new guidelines to address privacy concerns over use of smart tags
April 6, 2011 by Dissent
Today the European Commission has signed a voluntary agreement with industry, civil society, ENISA (European Network and Information Security Agency) and privacy and data protection watchdogs in Europe to establish guidelines for all companies in Europe to address the data protection implications of smart tags (Radio Frequency Identification Devices – RFID) prior to placing them on the market. The use of such smart tags is expanding enormously (around 1 billion in Europe in 2011) [so this is not really “ahead of the curve” Bob] but there are widespread concerns about their privacy implications. RFIDs can be found in many objects from bus passes to smart cards that pay motorway tolls. Microelectronic devices can process data automatically from RFID tags when brought close to ‘readers’ that activate them, pick up their radio signal and exchange data with them. Today’s agreement forms part of the implementation of a Commission Recommendation adopted in 2009 (see IP/09/740) that inter alia indicates that when consumers buy products with smart tags, they should be deactivated automatically, immediately and free-of-charge unless the consumer agrees explicitly that they are not.
Neelie Kroes, European Commission Vice-President for the Digital Agenda said “I warmly welcome today’s milestone agreement to put consumers’ privacy at the centre of smart tag technology and to make sure privacy concerns are addressed before products are placed on the market. I’m pleased that industry is working with consumers, privacy watchdogs and others to address legitimate concerns over data privacy and security related to the use of these smart tags. This sets a good example for other industries and technologies to address privacy concerns in Europe in a practical way.”
The agreement signed today, “Privacy and Data Protection Impact Assessment (PIA) Framework for RFID Applications”, aims to ensure consumers’ privacy before RFID tags are introduced on a massive scale (see IP/09/952). Around 2.8 billion smart tags are predicted to be sold in 2011, with about one third of these in Europe. But industry estimates that there could be up to 50 billion connected electronic devices by 2020.
RFID tags in devices such as mobile phones, computers, fridges, e-books and cars bring many potential advantages for businesses, public services and consumer products. Examples include improving product reliability, energy efficiency and recycling processes, paying road tolls without having to stop at toll booths, cutting time spent waiting for luggage at the airport and lowering the environmental footprint of products and services.
However RFID tags also raise potential privacy, security and data protection risks. This includes the possibility of a third party accessing your personal data (e.g. concerning your location) without your permission.
For example, many drivers pay tolls electronically to use roads, airport and car parks based on data collected through RFID tags on their car windscreens. Unless preventative action is taken, RFID readers found outside those specific locations could unwittingly lead to privacy leaks revealing the location of the vehicle. Many hospitals use RFID tags to track inventory and identify patients. While this technology can improve the overall quality of healthcare, the benefits must be balanced with privacy and security concerns.
Comprehensive assessment of privacy risks
Under the agreement, companies will carry out a comprehensive assessment of privacy risks [sure they will Bob] and take measures to address the risks identified before a new smart tag application is introduced onto the market. This will include the potential impact on privacy of links between the data collected and transmitted and other data. This is particularly important in the case of sensitive personal data such as biometric, health or identity data.
The PIA Framework establishes for the first time in Europe a clear methodology to assess and mitigate the privacy risks of smart tags that can be applied by all industry sectors that use smart tags (for example, transport, logistics, the retail trade, ticketing, security and health care).
In particular, the PIA framework will not only give companies legal certainty that the use of their tags is compatible with European privacy legislation but also offer better protection for European citizens and consumers.
Background
In May 2009 all interested stakeholders from industry, standardisation bodies, consumers’ organisations, civil society groups, and trade unions, agreed to respect a Recommendation from the European Commission laying out principles for privacy and data protection in the use of smart tags (see IP/09/740). Today’s PIA Framework is part of the implementation of the 2009 Recommendation. Information gathered during the PIA framework drafting process will also make a valuable contribution to discussions on the revision of EU rules on Data Protection (see IP/10/1462 and MEMO/10/542) and on how to address the new challenges for personal data protection brought by technological developments.
For more information:
SPEECH/11/236 Link to the PIA framework Digital Agenda website: http://ec.europa.eu/information_society/digital-agenda/index_en.htm
Neelie Kroes’ website: http://ec.europa.eu/commission_2010-2014/kroes/
Source: Press Release from Europa.eu
So, delegate already!
House Votes To Overturn FCC On Net Neutrality
"House Republicans voted unanimously today to block controversial Net neutrality regulations from taking effect, a move that is likely to invite a confrontation with President Obama. By a vote of 241 to 178, the House of Representatives adopted a one-page resolution that says, simply, the regulations adopted by the Federal Communications Commission on December 21 'shall have no force or effect.' 'Congress did not authorize the FCC to regulate in this area,' Rep. Rob Woodall (R-Ga.), said during this morning's floor debate. 'We must reject any rules that it promulgates in this area... It is Congress' responsibility to delegate that authority.'"
This is nothing new, surely?
Key Music Industry Lawyer Named EU Copyright Chief
"The European Union's new point person on copyright policy won't take up her post until mid-April, but she's already stirring up controversy. That's because Maria Martin-Prat spent years directing 'global legal policy' for IFPI, the global recording industry's London-based trade group, before moving back into government. The appointment raises new questions about the past private-sector work of government officials, especially those crafting policy or issuing legal judgments on the same issues they once lobbied for."
This fits with our increasing “work from home” (online and hybrid classes) at the university.
Ask Slashdot: Would You Take a Pay Cut To Telecommute?
"IT pros want to telecommute — so much so that more than one-third of those surveyed by Dice.com said they would take a pay cut for the chance to work full time from home. In a survey conducted by the careers site, 35% of technology professionals said they would sacrifice up to 10% of their salaries for full-time telecommuting. The average tech pro was paid $79,384 last year, according to Dice's annual salary survey, which means a 10% pay cut is equivalent to $7,900 on average."
It's a geek thing, we're not really going to carry our PC around to make phone calls...
Want To Run Android Apps On Your Windows PC? You Can With BlueStacks.
There’s nothing new about virtualization software, per se, but BlueStacks might be worth checking out. It brings the Android operating system to Windows-based computers via a virtualization layer, much like how you can run Windows “inside” your Mac using Parallels. Why, exactly, you’d want to run Android “inside” your Windows PC, I’m not exactly sure, but there’s nothing inherently wrong with giving it a go.
No comments:
Post a Comment