Small, but so easily preventable. Again.
Ed Beeson reports:
Nearly 840,000 members of Horizon Blue Cross Blue Shield are being notified that their personal information may have been contained on a pair of laptops that were stolen from the insurer’s Newark headquarters last month.
The stolen laptops were password-protected, [Absolutely worthless for securing data Bob] but had unencrypted data, [“What we have here, is a failure to communicate!” Bob] Horizon said in a statement today. A subsequent investigation determined that the computers may have contained files with member information, including names, addresses, dates of birth and, in some instances, Social Security numbers and limited clinical information, the insurer said.
Read more on NJ.com.
Is there a “Center for Helping Lawyers Deal with Breaches” that provides victims with alternative strategies and a clear picture of the legal risks of each? I often get the impression that lawyers are treating each breach as the first one ever.
The JPMorgan Chase UCard breach reported previously on this blog affects residents of numerous states. As such, not only do I expect to see lawsuits filed, but state attorneys general will likely jump into the act to protect their respective residents. Did JPMorgan Chase promptly notify their residents and are they offering enough remediation and support? Some may argue that they haven’t in light of media reports that affected cards are not being replaced, and states will be negotiating/posturing to get more for their residents.
Here’s a statement from Connecticut’s State Treasurer. Some snippets that show which way the wind may be blowing:
My office has been advised by JPMorgan Chase that during the two-month period between July and September, certain information entered by cardholders on the UCard website — particularly during the process of activating cards and of transferring balances — was subject to unauthorized access. Such information that could have been exposed includes: name, social security number, bank account number, card number, date of birth, security answer, password, address, phone number and e-mail address.
[...]
While JPMorgan Chase represents that it has found no evidence of improper activity on these accounts since September, as a precaution – and at our direction – the company is notifying all affected cardholders that it will provide them two years of credit monitoring free of charge. Nonetheless, I am dismayed that JPMorgan Chase delayed informing my Office of this security breach for two and a half months — from mid-September, when they first learned of it, until this week. They should have picked up the phone immediately and called us. That the company failed to communicate this security breach in a timely manner raises concerns over its culture of compliance and broader governance issues.
Upon learning of this data breach on Tuesday, my Office promptly informed all state agencies affected, and we are now working with JPMorgan Chase to ensure that all affected cardholders are notified immediately. The company will explain to cardholders what specific personal information may have been compromised. My office also has been in contact with Attorney General Jepsen’s office, and has been advised that his office’s privacy task force was recently notified of the breach and will be looking into it.
Note the text I emphasized above. Connecticut insisted JPMorgan Chase offer two years of free credit monitoring. When Louisiana disclosed the breach (they were the first state to issue a statement), they said their residents will be getting one year of free credit monitoring. Will Louisiana now go back to JPMorgan Chase and insist on two years? Will other states? And will some state attorneys general attempt to impose monetary penalties on Chase for failing to notify more promptly?
Oh yeah, this is going to be an expensive breach for JPMorgan Chase….
Update: Here’s the template for JPMorgan Chase’s notification letter to those affected (pdf). If the hacker accessed passwords & JPMorgan Chase isn’t re-issuing UCards, it’s odd that they just “recommend” people change their passwords.
“It's for health reasons. We don't want to raise anyone's blood pressure!”
Eric Boehm writes:
Americans who buy health insurance through the federal Obamacare exchange website could have their personal information stolen by hackers and never even know it.
Most of the state-run health exchange websites will be covered by state laws that require notification when government databases are breached by hackers. But there is no law requiring notification when databases run by the federal government are breached, and even though the Department of Health and Human Services was asked to include a notification provision in the rules being drawn up for the new federal exchange, it declined to do so.
Read more on Before It’s News.
E-cubed intelligence gathering. Everyone, Everything, Every day. (Because you expect us to keep you safe.)
Philip Dorling reports:
Australia’s leading telecommunications company, Telstra, has installed highly advanced surveillance systems to “vacuum” the telephone calls, texts, social media messages and internet metadata of millions of Australians so that information can be filtered and given to intelligence and law enforcement agencies.
The Australian government’s electronic espionage agency, the Australian Signals Directorate, is using the same technology to harvest data flows carried by undersea fibre-optic cables in and out of Australia.
Read more on The Age.
Sounds like they have better lawyers than the FTC...
The creator of one of the most popular apps for Android mobile devices has agreed to settle Federal Trade Commission charges that the free app, which allows a device to be used as a flashlight, deceived consumers about how their geolocation information would be shared with advertising networks and other third parties.
Goldenshores Technologies, LLC, managed by Erik M. Geidl, is the company behind the “Brightest Flashlight Free” app, which has been downloaded tens of millions of times by users of the Android operating system. The FTC’s complaint alleges that the company’s privacy policy deceptively failed to disclose that the app transmitted users’ precise location and unique device identifier to third parties, including advertising networks. In addition, the complaint alleges that the company deceived consumers by presenting them with an option to not share their information, even though it was shared automatically, rendering the option meaningless.
… The settlement with the FTC prohibits the defendants from misrepresenting how consumers’ information is collected and shared and how much control consumers have over the way their information is used. The settlement also requires the defendants to provide a just-in-time disclosure that fully informs consumers when, how, and why their geolocation information is being collected, used and shared, and requires defendants to obtain consumers’ affirmative express consent before doing so.
The defendants also will be required to delete any personal information collected from consumers through the Brightest Flashlight app. [“Including data we already sold to our many customers?” Bob]
… The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through Jan. 6, 2014,
“I believe that you might have done something in Seattle that violated my Privacy here in London. Maybe. Possibly.” Somehow, I don't see this working...
Fiona O’Cleirigh reports:
A British citizen’s UK court action will test the legal right of Microsoft to disclose private data on UK citizens to the US electronic spying organisation, the National Security Agency (NSA).
The case will shine a light on the legality of top secret US court orders which require US technology companies to disclose details of foreign users’ private communications.
Kevin Cahill, a British journalist, has brought the case in the Lord Mayor’s and City of London County Court. The case centres on Cahill’s belief that Microsoft breached the security of his email account.
Read more on ComputerWeekly.com.
Another tool for my Intro to Computer Security students...
Telepathwords from Microsoft Research Shows You the Weakness of Your Password
Telepathwords from Microsoft Research is a simple site designed to show you the strength or weakness of your passwords. As you type a password (either one you actually use or one you're thinking of using) into Telepathwords it tries to predict the next character that you will type. Telepathwords shows you the three most common characters that follow that character you typed. When you're done typing you'll see green check marks and red "Xs" above your password's characters. Green means that character is easy to predict and red means it is not easy to predict.
Telepathwords could be a good resource to use with students of all ages when you're trying to illustrate the qualities that go into a strong password.
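As an added example for the classroom, and not code from the original post or from Microsoft Research's tool, the Python script below reproduces the idea behind Telepathwords: a small character-level model trained on common passwords, plus a few typing heuristics (repeated characters, keyboard walks, counting up), guesses the three most likely next characters at each position, and a character counts as predictable when it was among those guesses. The password list, keyboard rows and scoring weights are constructed assumptions for illustration; the real tool draws on far larger password data and more heuristics. The `render` helper prints an x above a character the model guessed and a v above one it did not.

```python
from collections import Counter, defaultdict

# Constructed mini-corpus standing in for a list of common passwords
# (illustrative only; the real tool uses far larger leaked-password data).
COMMON_PASSWORDS = [
    "password", "password1", "123456", "12345678", "qwerty", "abc123",
    "letmein", "monkey", "iloveyou", "football", "welcome", "admin",
    "dragon", "sunshine", "princess", "passw0rd", "trustno1", "qwerty123",
]

# Keyboard rows used to predict "walks" such as qwer or asdf (assumed layout).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

ORDER = 2   # length of the longest preceding context the model looks at
TOP = 3     # number of guesses per position, as Telepathwords shows


def build_model(corpus, order=ORDER):
    """Count which character follows each context of 1..order preceding characters.
    Passwords are padded with '^' so the first characters are predicted too."""
    model = defaultdict(Counter)
    for pw in corpus:
        padded = "^" * order + pw.lower()
        for i in range(order, len(padded)):
            for k in range(1, order + 1):
                model[padded[i - k:i]][padded[i]] += 1
    return model


def keyboard_neighbours(ch):
    """Characters physically adjacent to `ch` on the same keyboard row."""
    out = set()
    for row in KEYBOARD_ROWS:
        idx = row.find(ch)
        if idx > 0:
            out.add(row[idx - 1])
        if 0 <= idx < len(row) - 1:
            out.add(row[idx + 1])
    return out


def predict_next(model, typed, order=ORDER, top=TOP):
    """Return the `top` most likely next characters given what has been typed so far."""
    padded = "^" * order + typed.lower()
    scores = Counter()
    # Longer matching contexts outweigh shorter ones (a crude back-off scheme).
    for k in range(order, 0, -1):
        ctx = padded[len(padded) - k:]
        for ch, n in model.get(ctx, {}).items():
            scores[ch] += n * 10 ** k
    if typed:
        last = typed[-1].lower()
        scores[last] += 1                      # repeated character: "aaa", "111"
        for nb in keyboard_neighbours(last):   # keyboard walk: "qwer", "1234"
            scores[nb] += 1
        if last.isdigit() and last != "9":     # counting up: "2" after "1"
            scores[str(int(last) + 1)] += 1
    # Sort by score, then by character, so ties resolve deterministically.
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ch for ch, _ in ranked[:top]]


def analyze(password, model, order=ORDER, top=TOP):
    """Walk the password one character at a time, as Telepathwords does, and mark a
    character predictable when it was among the top guesses for its position.
    Returns (marks, unpredictable) where marks is a list of (char, predictable)."""
    marks = []
    for i, ch in enumerate(password):
        guesses = predict_next(model, password[:i], order, top)
        marks.append((ch, ch.lower() in guesses))
    unpredictable = sum(1 for _, predictable in marks if not predictable)
    return marks, unpredictable


def render(marks):
    """Two-line display: 'x' above a guessed character, 'v' above a surprise."""
    flags = "".join("x" if predictable else "v" for _, predictable in marks)
    chars = "".join(ch for ch, _ in marks)
    return flags + "\n" + chars


if __name__ == "__main__":
    m = build_model(COMMON_PASSWORDS)
    for candidate in ("password1", "123456", "xK9#vQ2m"):
        marks, unpredictable = analyze(candidate, m)
        print(render(marks))
        print(f"{unpredictable}/{len(candidate)} characters not guessed\n")
```

Running the script marks every character of "password1" and "123456" as guessed, while none of "xK9#vQ2m" are; the number of characters the model could not guess is the rough strength signal the tool is getting at. The lesson for students is that length alone is not the point: a character that follows from the previous ones (the next letter of a word, the next key on the row, the next digit) adds almost nothing an attacker has to search for.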
The following videos offer some good advice about crafting passwords.