Language and failures. If logging every access by 200
million customers is too much, you could at least log any access to
specific servers or files.
Last month, Yahoo!
Japan disclosed that it had discovered that malware
inserted in its system had extracted user data for 1.27 million
users, but that the breach was stopped before it leaked any of the
information outside of the company.
Now, in what appears to be an unrelated
incident, the company reports that it suspects up to 22 million user
IDs may have been stolen during an unauthorised
attempt to access [Was it an attempt or did they actually access the
data? Sounds like the latter... Bob] the administrative
system of its portal.
The breach reportedly does not involve
passwords.
Read more on Fox
Business.
In related coverage, Phys.org reports:
“We
don’t know if the file (of 22 million user IDs) was leaked or not,
[No logs? Bob] but we can’t deny the possibility given
the volume of traffic between our server and external” terminals,
the company said in a statement late Friday.
Read more on Phys.org.
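Bob's point above about logging access to specific servers or files, and the company's own admission that it could only reason about leakage from "the volume of traffic between our server and external" terminals, both come down to simple detections over ordinary access logs. The following is an added example, not code from the original post or from Yahoo! Japan: the combined-log line format, the admin paths (`/admin/users?id=`, `/admin/export/`), the internal network ranges and the thresholds are all assumptions, and the log lines it analyses are constructed.

```python
"""Detections over ordinary web access logs: watched paths, bulk record reads, outbound volume."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Combined-log style line; the admin paths below are assumptions for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WATCHED_PREFIXES = ("/admin/export/",)                 # files nobody should read unnoticed
RECORD_RE = re.compile(r"^/admin/users\?id=(\d+)$")     # one customer record per request


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
    return e


def is_external(ip):
    """True when the source address is outside the assumed internal ranges."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True          # unparseable source: treat as outside
    return not any(addr in net for net in INTERNAL_NETS)


def analyse(log_text, max_records=50, max_external_bytes=10_000_000):
    """Return a list of (kind, subject, detail) alerts for the whole log text."""
    alerts = []
    records = defaultdict(set)         # (ip, user) -> distinct record ids fetched
    external_bytes = defaultdict(int)  # external ip -> bytes served to it
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e["status"] != 200:
            continue                   # only successful reads move data
        actor = (e["ip"], e["user"])
        # Any read of a watched location is reported unconditionally.
        if e["path"].startswith(WATCHED_PREFIXES):
            alerts.append(("watched_path", actor, e["path"]))
        m = RECORD_RE.match(e["path"])
        if m:
            records[actor].add(m.group(1))
        if is_external(e["ip"]):
            external_bytes[e["ip"]] += e["bytes"]
    for actor, ids in records.items():
        if len(ids) > max_records:
            alerts.append(("bulk_records", actor, len(ids)))
    for ip, total in external_bytes.items():
        if total > max_external_bytes:
            alerts.append(("external_volume", ip, total))
    return alerts


def sample_log():
    """Constructed log: one admin walking 60 records, one normal lookup, one external export."""
    lines = [
        f'10.0.0.5 - admin1 [24/May/2013:02:11:{i % 60:02d} +0900] '
        f'"GET /admin/users?id={1001 + i} HTTP/1.1" 200 812'
        for i in range(60)
    ]
    lines += [
        '10.0.0.7 - admin2 [24/May/2013:02:12:00 +0900] "GET /admin/users?id=1001 HTTP/1.1" 200 812',
        '203.0.113.9 - - [24/May/2013:02:15:00 +0900] "GET /admin/export/userids.csv HTTP/1.1" 200 183000000',
        '203.0.113.9 - - [24/May/2013:02:15:01 +0900] "GET /admin/users?id=1002 HTTP/1.1" 403 0',
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in analyse(sample_log()):
        print(*alert)
```

The first rule is the cheap one Bob asks for: every read of the export directory is reported no matter who did it. The second catches an account walking record after record, which is how 1.27 million users' data gets pulled one request at a time, and it fires even when the traffic never leaves the internal network. The third is the after-the-fact reasoning in the company's statement, turned into something that runs while the transfer is still happening rather than being guessed at later.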
I once tried to identify and define the
roles of those in legitimate contact with data, which would also
apply to PII. Owner, guardian, custodian, user, and “those whose
information is in the data” each had rights and responsibilities
and each had their own little quirks and foibles.
I’ve blogged a number of times about
how although law enforcement may uncover breaches or data theft, the
victims often do not get notified in a timely fashion – if at all.
Here are just a few scenarios where no one may notify people whose
data have been stolen:
- Law enforcement discovers a handwritten list of hundreds of individuals’ names, dates of birth, and Social Security numbers
- Paper records with sensitive information – sometimes including medical information – are discovered in a dumpster and traced back to a defunct business or practice.
- Law enforcement investigates stolen information available for sale on an underground market.
When credit card information is
involved, people are more likely to get notified, as law enforcement
may send a list of numbers to AmEx, Discover, or other card issuers
who then take steps to protect and notify the consumer. But if there
are no credit card numbers involved, it seems there are gaps in
notification.
The recent controversy
over the FERC/EDRM data set involving emails from Enron employees
provides a useful example of the hole in our patchwork quilt on
notification. The data set, available publicly, contained unredacted
PII – including Social Security numbers – on thousands of people.
The data were originally gathered by
the Federal Energy Regulatory Commission, and when the issue of
redaction came up in court, the court was sensitive to the issue.
But did FERC and their contractor do a thorough enough job in
removing documents? It seems that they didn’t if there was so much
PII left in the data set, even though FERC and their contractor went
through a number of reviews of the data set to delete personnel’s
personal information that was not appropriate for public release, as
detailed in this
document.
The data set has been
available for download for years, and many people knew that it
contained PII. Is this a situation that the individuals
affected should have been informed about? As a privacy advocate, I
would say, “definitely.” But who is responsible for notifying
them? And even though EDRM and Nuix have released a newly
washed data set, the other Enron email data set has not yet been
re-released after new washing. More importantly, even when it is
released, copies of the older data sets remain on numerous
people’s hard drives and are still available for download on the
Internet. As a result, those whose PII were exposed are
still at risk.
I would bet that FERC takes the
position that it gave Enron and others an opportunity to have PII
removed and therefore, they are not responsible for any notification.
EDRM may take the position that they merely distribute/make
available the government’s records, and therefore they are not
responsible.
So is no one responsible or liable for
exposing thousands of individuals’ SSN to cybercriminals? Is no
one responsible for notifying individuals that their SSN and details
have been available for download on the Internet for years, and have
been downloaded by people all over the world? Is no one responsible
for contacting every site that hosts the problematic data sets to ask
them to remove them?
And if you believe that either FERC or
EDRM are responsible and should be held accountable in terms of
notification to individuals, what existing law(s) are you basing that
on?
In the meantime, the buck seems to
stop… nowhere.
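The question raised above, whether FERC and its contractor removed enough before the data set went out, is one a mechanical pre-release scan answers before any human review starts. The following is an added example, not code from the original post, from FERC, EDRM or Nuix; the sample messages are constructed and the file names are placeholders. It reports SSN-shaped strings that pass the Social Security Administration's structural rules (area not 000, 666 or 900 and above; group not 00; serial not 0000), lists the rest for manual review rather than silently discarding them, and produces a redacted copy of the set.

```python
"""Pre-release scan of a document set for Social Security numbers."""
import re

# Constructed sample messages; placeholders, not the FERC/EDRM Enron corpus.
SAMPLE_DOCS = {
    "msg-001.txt": "Please update payroll. Employee J. Doe, SSN 123-45-6789, ext 4412.",
    "msg-002.txt": "Order ref 000-12-3456 shipped; carrier code 987-65-4321 on the label.",
    "msg-003.txt": "Meeting moved to 3pm, dial 555-123-4567 to join.",
    "msg-004.txt": "Benefits form attached: ssn 234 56 7890, spouse 345-67-8901.",
}

# Three digit groups separated by a hyphen, a space or nothing, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def plausible_ssn(area, group, serial):
    """Structural rules the SSA applies to every issued number."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def candidates(text):
    """Yield (matched_text, plausible) for every SSN-shaped token in text."""
    for m in SSN_RE.finditer(text):
        yield m.group(0), plausible_ssn(*m.groups())


def scan(docs):
    """Return ({doc: [confident hits]}, {doc: [shape-only hits for a human to check]})."""
    hits, review = {}, {}
    for name, text in docs.items():
        for token, ok in candidates(text):
            (hits if ok else review).setdefault(name, []).append(token)
    return hits, review


def redact(docs, marker="[SSN REDACTED]"):
    """Replace confident hits; shape-only matches are left in place for review."""
    out = {}
    for name, text in docs.items():
        out[name] = SSN_RE.sub(
            lambda m: marker if plausible_ssn(*m.groups()) else m.group(0), text)
    return out


if __name__ == "__main__":
    hits, review = scan(SAMPLE_DOCS)
    print("confident:", hits)
    print("needs review:", review)
    print("redacted msg-001:", redact(SAMPLE_DOCS)["msg-001.txt"])
```

Running the scan again over the redacted copy is the check that matters: the confident-hit set must come back empty, and the review list must be worked through by a person before anything ships. None of that helps with the copies already on other people's disks, which is exactly the point made above about the older data sets.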
File this under “Tools for stalking
and surveillance”
A parent who does not know where their
children are and cannot find out can quickly get very frustrated and
worried. [Similar for a government that does not
know the location of every terrorist or criminal (or anyone who might
become a terrorist or criminal some day) at all times. Bob]
… For the app to work properly, all
of your family members must have an iOS or Android device with this
app installed on it. You can be the administrator on the app and
mark out safe and unsafe regions on the map of your city. [Get
a warning when a sex offender approaches a school? Bob]
- Similar tools: Space Time and Puntalo.
- Also read related articles: Top 8 Apps & Services For Tracing A Mobile Phone Location and Keep Your Family Safe With Life360.
Eventually every government seems to
sacrifice promises for revenue.
Randeep Ramesh reports:
Private health
firms, including Bupa, can pay £140 to identify potentially millions
of patients and then access their health records, detailing intimate
medical histories, under a new national arrangement in the NHS, the
Guardian can reveal.
The records, which
include sensitive information about hospital visits, such as a
mother’s history of still births, patients’ psychiatric treatment
and critical care stays, allow individuals to be identified by use of
postcode, gender and age as well as their socioeconomic status.
On
Monday the government slipped out the news that private insurer
Bupa was approved to access England’s “sensitive or identifiable”
patient data, housed centrally by the Health and Social Care
Information Centre (HSCIC). It is now among four private firms that
have passed the government’s vetting procedures.
Read more on The
Guardian.
[From the Guardian:
The charging structure for "bespoke
patient-level extracts" was revealed when HSCIC put up a "cost
calculator" to work out how much prospective customers would
pay for sensitive hospital data. The "indicative fee" for
a full set of 20 years' inpatient data was about £8,000 including
£140 to make the records identifiable.
The prime minister has
argued that companies such as Britain's key life sciences firms
should be able to benefit from the NHS's vast collection of
patient data. But critics argue that this amounts to putting the NHS
"up for sale". ]
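The Guardian's description of records that "allow individuals to be identified by use of postcode, gender and age" is the textbook re-identification problem: a release is only as anonymous as the smallest group of records that share the same quasi-identifier values, the quantity usually called k. The following added example (not code from the Guardian, the HSCIC or the original post; the rows are constructed and the column names are assumptions) measures k for a small patient-level extract, lists the rows that are unique on those fields, and shows what generalising the postcode to its outward code and the age to a ten-year band does to the figure.

```python
"""k-anonymity check for a constructed patient-level extract."""
from collections import Counter

# Constructed rows standing in for a hospital extract; not real HSCIC data.
# Column names are assumptions for this example.
SAMPLE_ROWS = [
    {"postcode": "SW1A 1AA", "sex": "F", "age": 34, "imd_quintile": 2, "episode": "maternity"},
    {"postcode": "SW1A 1AA", "sex": "F", "age": 34, "imd_quintile": 2, "episode": "outpatient"},
    {"postcode": "SW1A 2BB", "sex": "M", "age": 71, "imd_quintile": 4, "episode": "critical care"},
    {"postcode": "SW1A 3CC", "sex": "M", "age": 75, "imd_quintile": 4, "episode": "cardiology"},
    {"postcode": "E1 6AN",   "sex": "M", "age": 45, "imd_quintile": 1, "episode": "psychiatry"},
    {"postcode": "E1 6AN",   "sex": "M", "age": 47, "imd_quintile": 1, "episode": "orthopaedics"},
    {"postcode": "E1 7AA",   "sex": "F", "age": 45, "imd_quintile": 1, "episode": "maternity"},
    {"postcode": "E1 6AN",   "sex": "F", "age": 45, "imd_quintile": 1, "episode": "oncology"},
]

# Fields an outsider could plausibly already know about a target person.
QUASI_IDENTIFIERS = ("postcode", "sex", "age", "imd_quintile")


def key(row, quasi=QUASI_IDENTIFIERS):
    """The quasi-identifier values of one row, as a hashable tuple."""
    return tuple(row[q] for q in quasi)


def equivalence_classes(rows, quasi=QUASI_IDENTIFIERS):
    """Size of each group of rows that share the same quasi-identifier values."""
    return Counter(key(r, quasi) for r in rows)


def k_anonymity(rows, quasi=QUASI_IDENTIFIERS):
    """Smallest class size: k == 1 means at least one person is uniquely identifiable."""
    classes = equivalence_classes(rows, quasi)
    return min(classes.values()) if classes else 0


def unique_rows(rows, quasi=QUASI_IDENTIFIERS):
    """Rows whose quasi-identifiers match no other row in the extract."""
    classes = equivalence_classes(rows, quasi)
    return [r for r in rows if classes[key(r, quasi)] == 1]


def generalise(rows, age_band=10):
    """Coarsen postcode to its outward code and age to a band; keep the other fields."""
    out = []
    for r in rows:
        g = dict(r)
        g["postcode"] = r["postcode"].split()[0]
        g["age"] = (r["age"] // age_band) * age_band
        out.append(g)
    return out


def suppress(rows, k, quasi=QUASI_IDENTIFIERS):
    """Drop rows in classes smaller than k (the usual last resort after generalisation)."""
    classes = equivalence_classes(rows, quasi)
    return [r for r in rows if classes[key(r, quasi)] >= k]


if __name__ == "__main__":
    print("raw extract: k =", k_anonymity(SAMPLE_ROWS),
          "unique rows =", len(unique_rows(SAMPLE_ROWS)))
    coarse = generalise(SAMPLE_ROWS)
    print("generalised: k =", k_anonymity(coarse),
          "unique rows =", len(unique_rows(coarse)))
```

On the constructed rows the raw extract has k = 1 with six of eight people unique on postcode, sex, age and deprivation score alone, before the "sensitive or identifiable" column is even consulted; the generalised version reaches k = 2. The £140 in the article is the price of not doing this step, and the cost calculator can be read as a statement that the full-postcode extract is identifying by design.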
(Related) “Of course, nothing like
that would ever happen here. I promise!”
Caleb Warnock reports:
Parents opposed to
the Common Core are protesting as the state is spending millions of
dollars to collect student test data. They foresee Utah schools
being forced to use the database to collect personal information,
according to published federal guidelines, about students and
families to share with researchers.
Not a chance,
state officials say.
Well, that sounds good, but take a look
at what the states are encouraged to ask school districts to collect:
Utah has spent
millions in federal grant money to create a database for student
information. The federal agencies that gave out that money —
including the Institute of Education Science’s National Center for
Education Statistics — have created a National Education Data Model
that asks schools to collect data on students and parents including:
[“After
all, without this information we don't know how to discriminate
against you.” Bob]
- religious affiliation;
- salary;
- whether parents own or rent their home, or use public housing;
- “the family’s perception on the impact of the early intervention services of the child;”
- “the month, day and year of diagnosis, treatment or update of any health condition an individual may have experienced;”
- whether parents are registered to vote;
- more than 200 diseases and medical conditions, including “pregnancy with abortive outcome;”
- whether the family receives food stamps and WIC; and
- “the usual time a student spends in a vehicle when riding from his or her transfer point or bus stop to the school including the subsequent return trip,” along with hundreds of other questions.
Utah doesn’t collect all that, as you
can read in Warnock’s article in The
Daily Herald, but do any states actually collect all that
information from districts?
Despite the state’s reassurances,
many parents remain concerned. Warnock reports:
According to the
state’s grant application documents, “procedures are in place for
protecting the security, confidentiality and integrity of data, which
includes ensuring that individually identifiable information about
staff and students remains confidential in accordance with the Family
Educational Rights and Privacy Act.”
This
sentence in particular has set parents on edge because the loopholes
for legally breaching confidentiality according to FERPA are
numerous.
According to
FERPA, “generally, schools must have written permission from the
parent or eligible student in order to release any information from a
student’s education record.” However, FERPA allows schools to
disclose those records “without consent” in nine
circumstances, one of which is when the data is requested by
“organizations conducting certain studies for or on behalf of the
school.”
Parents throughout the U.S. need to pay
more attention to this issue and find out what their children’s
state is doing. FERPA is getting to be like Swiss
cheese in terms of allowing data to be shared without
parental consent. Unless parents start fighting for their children’s
privacy, this problem will only get worse.
(Related)
Will
'Digital Ethnic Cleansing' Be Part of the Internet's Future?
[Why stop with the
data? Bob]
Another tool to discuss with my Intro
to IT students.
Microsoft’s OneNote
is arguably the best note-taking software out there. It can simply
take care of all your note-taking needs, and there’s virtually
nothing that comes close to it besides Evernote. While you can do
some creative
stuff with Evernote, OneNote can pack quite a punch as well in
helping ease your life.
… If you use Windows
8, Android, iOS, or Windows Phone, did you know that you can use
OneNote absolutely free? While it won’t be as fully functional as
the version found in the Microsoft Office suite, there are official
OneNote apps available for Windows
8, Android,
iOS,
and Windows
Phone absolutely free from the respective app stores. You can
even use the OneNote
Web App.
These apps allow you to use the main
features of OneNote that make it so great. The only limitation is
the number of notes you can have, which won’t hurt you if you do
some routine cleaning.
… Besides being great
for a number of different usage scenarios, OneNote also has a few
features that aren’t very well known. One of them is OneNote’s
ability to take care of mathematical problems right in your notes.
… You can also check out some other
great
OneNote tips, or check out this comparison
between OneNote and the infamous Evernote.
Free amusement every week
– who could ask for more?
… Udacity, Georgia
Tech, and AT&T announced this week a
partnership
to offer an online Master’s Degree in Computer Science. The degree
will cost less than $7000 (significantly cheaper than the MS that the
university currently offers, in part because of the financial support
for the program from AT&T), although anyone will be able to take
the Udacity classes for free via its website. Udacity will take
40% of the revenues, according
to Inside Higher Ed, which also reports that Georgia Tech only
plans to hire 8 or so more instructors to handle the new program,
which is expected to have as many as 10,000 enrollees in the next 3
years.
… Earlier
this year Yale said it didn’t plan to “rush”
into a MOOC decision, but this week it made
public its plans to offer four courses via Coursera.
This brings the number of institutions using Coursera as a MOOC
provider to 70.
… The University of
Edinburgh has offered six classes via Coursera
and released a report this week detailing its experiences. (PDF)
Lots of details in the report about the university’s planning,
course completion, and learners’ demographics (note: some 70.3% of
those who responded to course surveys indicated they had completed a
university degree.) According to the report, “It
is probably reasonable to view these MOOC learners as more akin to
lifelong learning students …than to students on degree programmes,
which is a common comparison being made.”
… Although the state of Maine
chose HP as its vendor-of-choice for its one-to-one
laptop program a few weeks ago, public
schools in Auburn are ditching laptops altogether
and adopting iPads
for kindergartners through high schoolers.
… The
Saylor Foundation launched
a new initiative this week, a suite of open online courses for K–12.
Available courses include American Literature, Calculus,
Algebra 1, Geometry, and Common Core 101. “Open” in
this case means “open educational resources” for “open for
business” which, let’s be honest, the “O” in MOOC certainly
has become.
… Stanford math
education professor Jo Boaler is teaching “How
to Learn Math” online this summer. The free course doesn’t
offer any Stanford credit (although educators might be able to count
it as PD hours), but it’s a chance to work with a great professor
who’s helping topple many of the myths about both teaching and
learning math.
… Leigh
Graves Wolf has pored through every State Department of
Education website in her quest to see which states offer educators
certifications in ed-tech. According to her
research, State Department of Education websites suck — oh, and
just 19 out of 50 states (plus DC) offer some sort of endorsement.
You can see the full list here.