Consultant ordered to pay restitution for data breach

Related entries in Business Security, Data Breach, Identity Theft, Real Theft Reports, Security Breach

Paul Pinkham reports on Jacksonville.com that former computer consultant Paul Jason Clifton was ordered to reimburse Blue Cross and Blue Shield of Florida for costs related to a data breach.

Yesterday a judge ordered Paul Jason Clifton to pay $580,000 for expenses related to the breach of 27,000 employee names and Social Security numbers. In addition, Clifton will be on probation for 3 years. Prosecutors did not press for prison time, as they felt Clifton had not misused the information he took.

The data breach occurred when Paul Jason Clifton emailed the records of 27,000 employees to his home in Texas last year. Clifton was a consultant for Blue Cross responsible for electronic storage. Clifton claims he accessed the data in order to compare his consultant salary to the salaries of others.
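A record-by-record extract leaving by email is the kind of event an outbound-mail check can catch. The following is an added example, not code from the original post or from Blue Cross: it pulls well-formed US Social Security numbers out of a message body, discards values the Social Security Administration never issues (area 000, 666 or 900 and above, group 00, serial 0000) so placeholders do not inflate the count, and flags the message once it carries more distinct numbers than a threshold. The threshold of 10, the sample message and every number in it are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Added example: a simple outbound-mail check for bulk SSN disclosure.
# Strict SSN shape: 3-2-4 digits with hyphens, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop values the SSA never issues (area 000, 666, 900-999;
    group 00; serial 0000) so test fixtures and placeholders don't count."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def extract_ssns(text: str) -> List[str]:
    """Return every plausible SSN in `text`, in order, duplicates included."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def scan_message(body: str, threshold: int = 10) -> Dict[str, object]:
    """Classify a message by how many distinct plausible SSNs it carries.
    `threshold` is an assumption for this example; a real policy would be tuned
    per organisation and applied to attachments as well as the body."""
    distinct = sorted(set(extract_ssns(body)))
    return {
        "distinct_ssns": len(distinct),
        "block": len(distinct) >= threshold,
    }


# Constructed sample: a forwarded HR extract with 12 records (fabricated numbers).
SAMPLE_BODY = "Forwarding the salary extract to my home account.\n" + "\n".join(
    f"Employee {i:02d},{100 + i:03d}-{10 + i:02d}-{1000 + i:04d},{40000 + 500 * i}"
    for i in range(12)
)

if __name__ == "__main__":
    print(scan_message(SAMPLE_BODY))
    print(scan_message("My SSN is 123-45-6789, please update my file."))
```

A single number in a message is normal HR traffic; a dozen distinct numbers in one body is what distinguishes an extract from a query, which is why the check counts distinct plausible values rather than matching on the pattern alone.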

Not knowing whether the data breach was part of an identity theft scam or not, Blue Cross and Blue Shield of Florida incurred expenses for credit protection. They took the most responsible course of action. The ruling confirms that the actions taken by Blue Cross were the safest and most reasonable given the threat, and that restitution was due as a result of the breach.

Clifton will be required to pay $250/month in restitution, with the balance to be recouped after the 3-year probation period.

Hat tip to Flying Hamster

Software Security Risk Updates

Related entries in Business Security, Technology Advice

There are two important notices that have just come out about the potential security risks in QuickTime and Norton’s Firewall.

Apple’s QuickTime poses a much greater risk than Internet Explorer or Firefox because users patch it far less consistently. An analysis conducted by vulnerability tracker Secunia found that 33.1% of QuickTime 7 installs were not up to date with security patches. The same pattern seen on consumer machines is thought to exist on business computers, implying that many businesses may be at risk.

The disparity in security risk stems from our assumptions of what is a bigger security threat.

Users know browsers often have security holes, and updating them – particularly Microsoft products – is often a well-established habit that takes place on a known schedule. But Secunia’s data shows that outside of operating systems and browsers, users neglect regular patching. [Macworld]
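Secunia's figure is the kind of number an organisation can produce for its own fleet from a software inventory. The block below is an added example, not part of the original post and not Secunia's tooling: it compares installed versions against a table of minimum patched versions and reports, per product, how many hosts are behind. The minimum versions, hostnames and installed versions are placeholders constructed for the example; the point it makes is that versions must be compared numerically, since a string comparison ranks 7.1.9 above 7.1.10.

```python
from typing import Dict, List, Tuple

# Added example: patch-compliance check over a software inventory.
# Minimum patched versions are placeholders for illustration, not Secunia's data.
MINIMUM_PATCHED: Dict[str, str] = {
    "QuickTime": "7.1.6",
    "Firefox": "2.0.0.4",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'7.1.10' -> (7, 1, 10). Comparing as strings would rank 7.1.9 above 7.1.10."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(product: str, installed: str) -> bool:
    """True when `installed` is below the minimum patched version for `product`.
    Products with no known minimum are reported as not outdated rather than guessed."""
    minimum = MINIMUM_PATCHED.get(product)
    if minimum is None:
        return False
    have, need = parse_version(installed), parse_version(minimum)
    width = max(len(have), len(need))          # pad so 7.1.6 compares equal to 7.1.6.0
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have < need


def compliance_report(inventory: List[Tuple[str, str, str]]) -> Dict[str, Tuple[int, int]]:
    """Per product: (hosts running an outdated version, hosts with it installed)."""
    report: Dict[str, Tuple[int, int]] = {}
    for _host, product, version in inventory:
        outdated, total = report.get(product, (0, 0))
        report[product] = (outdated + int(is_outdated(product, version)), total + 1)
    return report


# Constructed inventory of (host, product, version); hostnames and versions are made up.
INVENTORY = [
    ("ws01", "QuickTime", "7.1.6"),
    ("ws02", "QuickTime", "7.1.5"),
    ("ws03", "QuickTime", "7.0.4"),
    ("ws04", "QuickTime", "7.1.6.0"),
    ("ws05", "QuickTime", "7.2"),
    ("ws06", "QuickTime", "7.1.10"),
    ("ws01", "Firefox", "2.0.0.3"),
    ("ws02", "Firefox", "2.0.0.4"),
]

if __name__ == "__main__":
    for product, (outdated, total) in compliance_report(INVENTORY).items():
        print(f"{product}: {outdated}/{total} hosts outdated ({100 * outdated / total:.1f}%)")
```

Run against a real inventory export, the same report makes the gap between browser and non-browser patching visible per product, which is the disparity the Secunia numbers describe.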

Norton’s Personal Firewall has a serious vulnerability that gives hackers a means to inject hostile code into vulnerable systems.

Users of Norton Firewall products have been urged to update their software following the discovery of a serious vulnerability in the security package. The bug affects Norton Internet Security 2004, Norton Internet Security 2004 Professional and Norton Personal Firewall 2004; later versions of the software are not affected by the flaw. Users of the 2004 editions should run LiveUpdate to pick up the security fix. Separately, Norton Antivirus is registering some false positives at the moment – a full update can be found here.

Via Macworld and The Register

Security Quick Links May 18

Related entries in Laptop Security, Security Links

Another edition of links of what’s going on in the security world this week:


Identity Fraud Safety Quiz

Related entries in Identity Theft

Think you’re safe from identity theft? Take the Identity Fraud Safety Quiz to find out.

Questions include:

  • Do you receive statements containing sensitive financial information (such as bank statements, credit card statements, checks or other notices) in an unlocked mail box?
  • How often do you update your anti-virus, anti-spyware, and browser security software on the computer that you use to conduct financial transactions?
  • How often do you monitor your current account balances and recent account activity at your financial institutions in a typical month?

I scored better than average, but not perfectly. My biggest at-home security flaw is the fact that my archived bank statements and other sensitive documents are not in a locked box.

Survey created by Javelin Strategy & Research

Marks & Spencer breaches data of 26,000 employees

Related entries in Business Security, Data Breach, Identity Theft, Laptop Security, Privacy & Security Laws

Marks and Spencer (M&S), a high-end retail chain in the UK, has suffered a breach of personal information for 26,000 of its employees after a laptop was stolen.

This single laptop contained employee dates of birth, addresses, national insurance numbers, phone numbers, and salaries for 26,000 employees. The information was in the care of a printing company assigned to print a letter to employees regarding their pensions. The laptop was stolen from their care on April 18, 2007.

Employees were notified of the breach 2 days later. However, the letter did not say what kind of information had been on the laptop. No UK law requires companies to disclose the details of a breach, or sets how quickly they must disclose it.

Although police believe the theft to be opportunistic rather than planned, the risk for identity theft still exists. M&S is offering employees free credit checks.

Ed Mayo, chief executive of the National Consumer Council (NCC) is concerned about the breach. He notes that every company now is vulnerable to data breaches, and something needs to be done about it.

"Every company really now should take action to ensure they’ve got the systems and processes in place to minimize this risk."

He said the NCC planned to campaign for legislation at UK or EU level for companies to take faster action on this issue. [BBC]

Via out-law & BBC

How to encrypt your laptop

Related entries in Laptop Security, Technology Advice

There are actually very basic steps you can take to encrypt your laptop or desktop computer.

On the Mac, you go to System Preferences > Security > turn on FileVault

On a Windows PC, you can encrypt any file or folder with the built-in Encrypting File System (EFS) by right clicking > Properties > General Tab > Advanced > check the “Encrypt contents to secure data” box

This is only very basic level encryption, not full-disk encryption. EFS protects only the files and folders you mark, and its keys are only as safe as your Windows account password; FileVault encrypts your home folder rather than the whole drive, so anything stored elsewhere on the disk stays in the clear. If you have sensitive information on your laptop, you’ll want additional encryption software.

Thanks to CrunchGear for the tips.


How to avoid buying a stolen computer

Related entries in Real Theft Reports, Theft Prevention

If you are in the market for a computer, it’s buyer beware. You need to watch out for stolen computers.

Here are some tips to avoid buying a stolen computer:

  • Don’t buy your computer on the street
  • Get a purchase receipt
  • If you buy online or from a pawnbroker, get the serial number and confirm with law enforcement it’s not stolen
  • If it’s a used computer, ask for original documentation
  • Pay by credit card, so the payment can be traced and verified
  • Make sure the power cord is included
  • Run the computer to make sure the specs match your expectations
  • Is it a fair-market price? Avoid computers that seem like "a steal".
  • Avoid heavily discounted computers on auction sites such as eBay
  • Ask why the computer is being sold
  • Does the seller seem nervous or rushed?

Take your time with a computer purchase. Do your research and feel comfortable that you are getting what you pay for. Remember, it’s not just used computers that get stolen from homes or cars; it’s also new computers stolen from warehouses.


Victims of identity theft falsely accused of being pedophiles

Related entries in Identity Theft

The news source This is London & the BBC report that victims of identity theft in the UK were falsely accused of being pedophiles. It is an extreme example of the destruction that identity theft can cause to people’s lives.

7,250 people were accused of downloading child pornography from the Internet in one of the UK’s biggest child pornography investigations (‘Operation Ore’). There have been, thus far, 1,451 convictions. And 39 suicides.

Now, it’s coming to light that hundreds of those accused were victims of identity theft from credit card fraud. Pete Townshend of The Who was one of those wrongly accused.

Since 2003 Operation Ore has come under closer scrutiny, and the police forces in the UK have been criticized for their poor handling of the operation. The most common criticism is that they failed to determine whether or not the owners of credit cards in Landslide’s database actually accessed any sites containing child porn, unlike in the U.S. where it was determined in advance whether or not credit card subscribers had purchased child porn. Investigative journalist Duncan Campbell exposed these flaws in a series of articles in 2005 and 2007.

This was a serious error, because many of the people making charges at child porn sites were using stolen credit card information (and the police arrested the real owners of the credit cards, not the actual viewers). Plus, thousands of credit card charges were made where there was no access to a site, or access to only a dummy site. When the police finally checked, they found 54,348 occurrences of stolen credit card information in the Landslide database. The British police failed to provide this information to the defendants, and some implied that they had checked and found no evidence of credit card fraud when no such check had been done. As verified by later tracing of details, Pete Townshend of The Who and Robert Del Naja of Massive Attack were among those falsely accused. [Wikipedia]

Unfortunately, for those wrongly accused, much damage has been done to their reputations; some were placed on the sex offenders’ register. This is an extreme example of identity theft. It serves as a caution to investigative forces: as the incidence of fraud continues, we must all be diligent to uncover cases of identity theft.

If you are interested in Operation Ore and the fallout, visit Operation Ore Exposed


Data Privacy and Security Bill moves to Full Senate

Related entries in Business Security, Government Security, Identity Theft, Privacy & Security Laws

The Data Privacy And Security Bill that we mentioned previously has now been passed by the Senate Judiciary Panel. The Federal Bill is supported by Senate Judiciary Committee Chairman Patrick Leahy, and the Panel’s ranking member, Arlen Specter.

On May 3, Leahy announced that The Personal Data Privacy and Security Act (S. 495) had passed the Panel by voice vote and would now move to the full Senate for consideration.

The proposed legislation would give consumers more protection from identity theft and its devastating effects. The bill would provide protections against security breaches and the misuse of personal information; it would also give consumers access to correct their own personal information.

The legislation would require that large companies use security programs & encryption technology, that they investigate their contractors more closely, and that they notify consumers, law enforcement & credit agencies of a data breach.

“This is a bill that deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place and also addresses the need to provide Americans with better notice of breaches that may affect their personal information,” Leahy said during the panel’s debate on the bill. “Passing this comprehensive privacy legislation is a legislative priority.”

It is expected that some provisions of the proposed bill will meet stiff resistance in the Senate and House of Representatives. One of the most debated issues is the definition of a data breach, specifically when a breach is ‘significant enough’ to trigger a notification.

Security legislation has been very active in the past few weeks:

  • The Notification of Risk to Personal Data Act, sponsored by Senator Dianne Feinstein, also passed through the Judiciary Panel. This act, unlike the Leahy-Specter act, would require disclosure only if the breach posed ‘reasonable risk’ of harm, which could be more lenient to businesses.
  • The Identity Theft Prevention Act of 2007, passed last week, also takes this approach. It is the only one of these bills to propose that consumers have the right to freeze their credit file.
  • Representative Tom Davis introduced, on May 3, the Federal Agency Data Breach Protection Act, to require federal agencies to notify consumers of a breach.

The number of legislative bills currently addressing data security and privacy issues reflects the growing public concern about identity theft as a result of data breaches. The Leahy-Specter & Feinstein bills were passed separately and, although they are similar in scope, were both passed in order to improve the chances of at least one getting through.

Via Washington Post & ZDNet Asia

22,000 Social Security Numbers stolen from U. of Missouri

Related entries in Data Breach, Education Security, Real Theft Reports, Security Breach

The University of Missouri’s computers have been hacked, for the second time this year. The hacker accessed 22,000 names and Social Security numbers of campus employees and alumni from 2004.

In January, 3,720 people were victims of a data breach in the online grant application system. This month’s breach affects a specific group of people who worked at one of the four University of Missouri campuses in 2004 and were also current or past students of the University. Letters have been sent to 929 people so far.

The attackers were traced to China and Australia. The University and the FBI are investigating the crimes.

Mizzou spokesperson Scott Charton had this to say:

"This is critical private information. The university is working hard and has been since last year, with an executive order from our president to move away from Social Security numbers in data bases."

The University has set up a website for those affected.

Via KSDK NewsChannel 5