From the article, this seems to be a case of “similar vulnerabilities” rather than a central (third party) victim. If so, it's the first I've seen. Perhaps a common vendor opened the door into the various companies?
Stephen Betts reports:
The Port Clyde General Store was one of hundreds of companies across the country that had data from its customers’ credit cards breached by hackers recently.
Attorney Stephen Hayes of Augusta, who represents the store, confirmed that the market was notified by police on May 21 that its system for processing credit card payments “had been compromised by a sophisticated group of criminal hackers.”
Read more on Bangor Daily News. The article also notes other breach reports recently received by the Maine Attorney General’s Office, including Vendini, Beachbody LLC, YourTel, the Edgemont Centre, Piedmont Healthcare P.A., Green Fun Store (operated by AHW LLC), and TD Bank.
The following statement was posted on the Port Clyde General Store’s web site:
… The data breach was discovered during an investigation of data security breaches that impacted dozens of Maine businesses and hundreds of companies across the United States.
… Port Clyde General Store uses an outside professional firm to install and manage the hardware and software for its credit card processing. The measures employed to protect customer data complied with all state and federal requirements, including encryption of customer data and daily erasure of customer information following transmission to the card processing company. The servers are protected by firewalls and are regularly scanned with updated antivirus and anti-malware software. The security breach was caused by malware that was designed to avoid industry-standard precautions.
… Many of our employees also encountered problems. [Does that suggest more than that they used their credit cards in the store? Bob]
Deans are not Gods? That's not what they tell me!
Actions have consequences.
The Atlantic Wire reports that the Harvard Dean involved in the controversial search of some faculty’s emails is stepping down, presumably because of the incident.
What do they teach “Education” majors?
Susan Sarkauskas reports on a case in Batavia, New York that raises some important questions:
A Batavia High School teacher’s fans are rallying to support him as he faces possible discipline for advising students of their Constitutional rights before taking a school survey on their behavior.
They’ve been collecting signatures on an online petition, passing the word on Facebook, sending letters to the school board, and planning to speak at Tuesday’s school board meeting.
Students and parents have praised his ability to interest reluctant students in history and current affairs.
But John Dryden said he’s not the point. He wants people to focus on the issue he raised: whether school officials considered that students could incriminate themselves with their answers to the survey that included questions about drug and alcohol use.
Read more on Daily Herald.
We need more details on what, exactly, the parents were told about the contents of the survey – including whether they were told that their children’s responses would be stored for future use and comparison. And in those states who might be sharing data with entities designated as “school officials,” were parents told specifically who would have access to their children’s sensitive information? Were they told if data would be stored only locally or in the cloud?
Although the teacher used it as a moment to teach the 5th Amendment right against self-incrimination, what privacy rights do students have if their parents have not opted them out of a district or school survey? Does a student have the right to say, “This is too personal. I decline to answer?”
And if you don’t know whether your children have the right to (safely) refuse, whom will you ask?
“We said, 'self regulating' not 'if you feel like it.'”
Brent Kendall reports:
The Federal Trade Commission is offering a strong defense of its powers to police cybersecurity practices against a challenge by Wyndham Worldwide Corp.
We wrote about Wyndham’s challenge earlier this month in a case involving attacks by hackers on the hotel chain’s computer systems between 2008 and 2010. The FTC sued Wyndham last year for allegedly lax data security that let hundreds of thousands of credit-card numbers get stolen. The company said the government was unfairly seeking to punish the victim of the crime instead of the hackers who perpetrated it.
Now the FTC is firing back, arguing in a new court filing that corporations that collect consumer data bear responsibility for protecting it. [What a concept! Bob]
“The FTC is not suing Wyndham for the fact that it was hacked, it is suing Wyndham for mishandling consumers’ information such that hackers were able to steal it,” the agency said in a court filing this week.
In a battle of analogies, Wyndham argued the FTC suit was “the Internet equivalent of punishing the local furniture store because it was robbed and its files raided.”
The FTC’s new filing offered a different picture. “A more accurate analogy would be that Wyndham was a local furniture store that left copies of its customers’ credit and debit card information lying on the counter, failed to lock the doors of the store at night, and was shocked to find in the morning that someone had stolen the information.”
Read more on WSJ.
This is a case I’ve been following since the hacks were first disclosed, and represents the first time a data breach complaint by the FTC will be adjudicated by a court instead of reaching a settlement. The Chamber of Commerce and others, including TechFreedom, have jumped in on Wyndham’s side. Their argument emphasizes the point that the FTC has never promulgated clear rules that would provide fair notice to businesses as to what actions constitute “unfair or deceptive” practices under the FTC Act. Of course, in many cases, the FTC draws upon other statutes, e.g., if it would be violative of the GLBA or other statutes to do something, that makes it an unfair or deceptive practice for purposes of the FTC. Similarly, the FTC often looks to “industry standards” in determining whether an entity failed to provide adequate security. It also looks to statements made in an entity’s privacy policy or Terms & Conditions to determine what representations the entity made about data security and whether they lived up to those representations.
One criticism that has been lodged against the FTC’s data security actions is that in many cases, there really is no showing of harm or injury to the consumers, who may be protected by their banks for any fraudulent charges on their credit cards. Because most court cases involving data breaches result in dismissal for lack of standing due to absence of demonstrable harm, some (like Michael D. Scott) argue that the FTC should not be able to apply or enforce its powers in cases where you cannot demonstrate that consumers were objectively harmed.
To be clear: I’m hoping the FTC prevails. And if Congress doesn’t like the outcome, then let them get off their asses and introduce legislation that protects consumers from inadequate data security. Congress wanted to avoid legislation and let industry regulate itself, so as not to stifle innovation. All well and good, but with almost every entity suffering data breaches, someone’s got to protect consumers from inadequate security, and the FTC stepped up to the plate. This is no time to go backwards.
The Wyndham case does not strike me as unusual in terms of the grounds the FTC cited for its action. What makes it unusual is that Wyndham didn’t settle and is fighting this. If Wyndham is successful in getting the case dismissed, that will be a serious setback for the FTC. If the FTC wins, I expect we’ll see many businesses paying even more attention to data security.
(Related)
You can read their brief here. Their brief incorporates some of the issues I discussed in my previous blog entry on this case earlier today, and I’m glad to see it.
Sometimes you don't need a second court to get a reversal... What happens if the decrypted files are not what the government told the court they were?
Cyrus Farivar reports:
A federal judge who had previously declined to force a Wisconsin suspect to decrypt several hard drives believed to contain child pornography has now changed his mind. After considering new evidence, the judge wrote in an order last week (PDF) that the Milwaukee-area man now must either enter the passwords for the drives without being observed by law enforcement or government counsel or must provide an unencrypted copy of the data.
Read more on Ars Technica.
Were they able to seize any of that money?
Liberty Reserve Founder Indicted on $6 Billion Money-Laundering Charges
The founder of digital currency system Liberty Reserve has been indicted in the United States along with six other people in a $6 billion money-laundering scheme, in what authorities are calling the largest international money-laundering case ever prosecuted, according to documents unsealed today.
Dubbed the “financial hub of the cyber-crime world,” authorities say Liberty Reserve had more than 1 million users worldwide and processed more than 12 million transactions annually as the favored money-laundering service for carders, hackers and other cybercriminals in the digital underground who used it to transfer money around the world effortlessly and anonymously.
According to the indictment (.pdf), Liberty Reserve was used to launder more than $6 billion in criminal proceeds.
… Liberty Reserve required only a valid email address to open an account and initiate transactions. It charged a 1 percent fee for each transaction and, for an additional 75 cents, offered to hide a user’s account number in transactions.
Online research tool
Scrible - Bookmark, Annotate, and Create Bibliographies
Scrible is a free service offering a nice set of tools for highlighting, annotating, and bookmarking webpages. Scrible offers browser bookmarklets for Firefox, Chrome, Safari, and Internet Explorer. With the Scrible bookmarklet installed, anytime you're on a page just click the bookmarklet to launch a menu of bookmarking tools. The Scrible tool set includes highlighters, sticky notes, and font change tools. When you annotate and bookmark a page in Scrible it is saved as it appeared to you when you were done altering it. And as you would expect from a web-based bookmarking tool, you can share your bookmarked pages with others. Students can get a free Scrible account that has double the storage capacity of the standard free account.
Scrible recently added an option for formatting bibliographies as you bookmark. Scrible also has a new feature that allows you to compile your article clippings into one package.
… The benefit of using a tool like Scrible is that students can take notes on their bookmarks and bookmark only the parts of a website that they need to reference in their reports. Saving bookmarks in this manner saves time when you go back to visit a site because you'll immediately see what it was that prompted you to bookmark it in the first place.