Archive for July, 2007

The Disney Movie Club, owned by Buena Vista Home Entertainment, has breached the data of an undisclosed number of its members. In this incident, credit card information was sold by a contractor to a federal agent as part of an undercover sting operation.

Disney Movie Club members received letters dated July 6 that their credit card information was breached sometime in May. Alta Resources, a Disney contractor for 10 years, is responsible for the breach. An Alta employee sold credit card information (along with other personal information) to undercover federal law enforcement agents conducting a sting operation. The employee responsible has been fired.

A representative of Buena Vista Home Entertainment says that specifics cannot be released due to an ongoing investigation by the Secret Service. For the same reason the breach notification that went out on July 6 was delayed.

Credit card companies have been informed of the breach, and members affected should call their credit card companies for further information. At this stage, no further fraudulent activity has been detected as the only known sale of the information was to the undercover agents.

Disney and Alta are both quite lucky in this particular case. Lucky that the damage will be minimal due to the low risk of fraud. Luckily the data was sold to an undercover agent, not an unknown third party. Both organizations will have a chance to learn from their mistakes and examine the flaws of their security and data breach notification policies.

Via networkworld Tags: disney, disney movie club, beuna vista, buena vista home entertainment, alta resources, data breach, undercover operation, sting

Cisco Systems, EMC and Microsoft announced the formation of a consortium yesterday to help the government develop ways to more efficiently and securely share information. The Secure Information Sharing Infrastructure (SISA) is the venture which will provide services and technology to the Federal government and, eventually, the private sector.

The Secure Information Sharing Architecture (SISA) breaks through information-sharing barriers with a COTS solution that allows agencies to communicate and collaborate while protecting sensitive internal content. It enables government to consolidate disparate systems and networks into a cost-effective infrastructure to help secure, govern, and accelerate the distribution of mission-critical knowledge.

SISA combines products from Cisco, EMC, and Microsoft with best-of-breed solutions from Liquid Machines, Swan Island Networks, and Titus Labs to address the urgent need for sharing sensitive materials across organizational, IT, and jurisdictional boundaries. With SISA, organizations can participate with confidence in communities of trust because they have the controls they need to precisely govern how their information is accessed and used.

SISA lets information owners determine how, when, where, and with whom they will share their materials – according to the requirements of the mission, not the constraints of technology or resources.

SISA was created in response to the need for sharing information – a need which is often at odds with security. Each of the vendors was hired separately by various agencies of the government to address the same repeated issues. SISA forms a more unified – and therefore more solid and cost effective – approach to the issues.

The three vendors teamed up in order to provide the best possible data sharing solution. SISA will provide the products, leaving agencies to security policy planning rather than implementation. The alliance already includes other partners; Liquid Machines, Swan Island Networks and Titus Labs, and the list of members is expected to grow.

Grace Mastalli, Homeland Security’s former director of information sharing and collaboration, told InformationWeek that SISA will provide infrastructure the government has been talking about for many years, but has been unable to create on their own.

SISA services will initially includes 4 areas:

1. Access protection – secure network connections and identity management
2. Content protection – controlling access to information
3. Data protection – securing information
4. “Watchdog” services – system performance and data flow

Visit the SISA site to read examples of how SISA works.

Via InterGovWorld & InformationWeek Tags: sisa, it, microsoft, cisco, emc, security, government security, data sharing, it, government it

A survey last month from Sigma Assitel and SOM (Survey, Opinion polls and Marketing) found that identity theft is a growing problem in Canada, and that the United States has pulled ahead of Canada in addressing the issue.

The survey of 1510 adults across Canada found that 7% of respondents have been victims of identity theft, and 16% know someone who has been a victim. SOM indicates that the data is a reflection of Canada as a whole, with a maximum 2.5% variance.

“Our phones, laptops and plastics act as gateways to huge amounts of personal data. Unfortunately these devices are not always adequately secured,” says Michelle Warren, analyst at consultancy firm Info-Tech Research Inc. in London, Ont.

The number of cases of identity theft are no longer just the result of isolated thefts, but of mass data breaches affecting hundreds or thousands of people at a time. Canadians can be affected by breaches across the border in the US as well, as many Canadians found out after the TJX data breach for retail store TJ Maxx.

The survey found that 60% of Canadians have taken some precautions to prevent identity theft. Shredders and safety deposit boxes are more commonly used, and 18% have made “serious efforts” to get information on how to prevent identity theft. However, that still leaves a lot of people at risk. The other respondents don’t feel the need to guard themselves against identity theft, don’t know how to guard themselves, or don’t think it’s possible to prevent the crime.

Experts indicate that the health and retail sectors are paying closer attention to safeguarding client data, although it is a growing concern in all sectors. Stronger breach notification laws have driven some of this change, but Canada still lags behind the US. For example, the US has a task force on identity theft, while Canada does not.

Via InterGovWorld Tags: identity theft, id theft, canada, legislature, business, security, computer security, data breaches

The Government Accountability Office (GAO) released a report last week on data breaches and resulting identity theft.

The GAO was asked to investigate the incidence of data breaches, the extent to which those breaches resulted in identity theft, and the potential costs & benefits associated with breach notification. This information will be used by Congress to help determine the outcome of National breach notification legislature.

The GAO studied the impact of the 24 largest data breaches from 2000 to 2005. The audit found that breaches of sensitive personal information have occurred frequently – 570 cases being reported between 2005 and 2006.

The audit states that it was hard determine if identity theft had resulted from a data breach, but that 4 of the 24 breaches investigated did lead to identity theft. In most cases, data breached is more likely to result in fraudulent use of bank or credit card information rather than the creation of new accounts (identity theft).

The report indicates that while National data breach notification could strengthen security practices and mitigate the outcome of a breach, it does come with its own costs and challenges. The circumstances of a breach (type of information breached and how it occurred) can greatly affect the potential risk of identity theft. Therefore, the GOA recommends that, should Congress adopt a Federal notification requirement, it should use a risk-based standard that requires notification only in cases where the level or risk warrants such action.

Via Lisa Hoffman Tags: government accountability office, gao, data breach, identity theft, legislature, breach legislature, data breach law, notification, breach notification

The Office of the National Counterintelligence Executive (ONCIX) has released a set of guidelines for agencies to identify insider threats to security.

The agency believes that being on alert for inappropriate activity by employees can help deter some potential security threats. According to research, 80% of American spies demonstrated one or more of the listed behaviors of security concern before engaging in espionage.

Patterns of behavior to watch for in employees are “suitability issues” related to problems outside work, “information mishandling”, and “computer misuse” including:

• drug or alcohol abuse
• Repeated irresponsibility
• An “above the rules” attitude
• Financial trouble
• Life or career crises
• Unauthorized contact with the media
• Unauthorized duplication of data
• Discussing classified information on a non-secure phone
• Accessing databases without authorization
• Destruction of information

Indicators of “potential espionage” include:

• Unexplained increase in wealth
• Unusual interest in information outside job scope
• Odd work hours
• Taking classified material home
• Unreported contact with foreign nationals
• Attempting to gain access to information

Employees with high security clearances need to be particularly overseen, and presentation of these behaviors should be taken more seriously.

Via Zero Day Tags: insider threats, espionage, data theft, employee security, security threat, data breach, spy

Absolute Software is now protecting even more laptops – signing two of its largest contracts to date.

These two contracts, totaling $1.2 million, support the corporate and education markets. One sale, to a U.S. school district, provides 5 years of protection with ComputraceComplete. This is the largest single customer order in Absolute Software’s history, and a milestone in protecting laptops in the education sector.

The second contract was an agreement to offer AbsoluteTrack, Absolute’s asset tracking solution to a company operating in the financial services sector.

John Livingston, Absolute’s Chairman and CEO, notes the significance of these contracts:

“We are particularly proud of these two milestone sales, as we believe they are indicative of an overall trend toward larger customer adoption of our solutions.”

Laptop thefts and data breaches have crippled many companies and sectors, and these two contracts show the growing recognition of the need for more stringent security measures.

Tags: absolute software, computrace, computrace complete, absolute track, laptop security, asset tracking

Fidelity National Information (FNI) subsidiary Certegy Check Services has had a data breach as a result of an employee misappropriating data. This was not an outside attack by data thieves, but rather the unlawful act of an employee.

A Certegy employee, who worked on consumer databases, physically removed 2.3 million consumer data records to resell. The former employee sold consumer information to a data broker, who then sold it to a number of direct marketing companies. The employee has now been terminated and is facing charges.

Certegy approached the situation as a possible security breach, knowing only that consumer data was correlating with direct marketing. When their investigations, followed by an outside audit, did not turn up any security breach, the US Secret Service was called in to investigate the matter.

“As a result of this apparent theft, the consumers affected received marketing solicitations from the companies that bought the data,” said Renz Nichols, President of Certegy Check Services. “We have no reason to believe that the theft resulted in any subsequent fraudulent activity or financial damage to the consumer, and we are taking the necessary steps to see that any further use of the data stops.”

The data misappropriated included names, addresses and telephone numbers, along with (in some cases) bank information, for 2.3 million people. Investigations to date have not uncovered any fraudulent activity or identity theft as a result of the breach. Certegy will be notifying all 2.3 million customers to alert them to the breach and have alerted the credit reporting agencies of the incident.

Certegy has exposed one of the important areas of security policies – knowing who has access to what data. Although this employee had access to consumer data to do his job, it was not apparent that the data was being copied. Luckily for Certegy and for the 2.3 million customers, the data only went to direct marketing firms. It could have been much worse.

Via CNN Money ; Tags: certegy, data breach, employee betrayal, data misappropriation, database, consumer data, identity theft, fni

The Ohio State Government has been faced with increased scrutiny after two data breaches in recent weeks, and subsequent reports of loose laptop security. Now, steps are being taken to protect laptops with Absolute Software’s Computrace.

On June 10, the theft of a peripheral device put 64,467 employees and many other citizens at risk for identity theft. A later announcement indicated that a laptop reported missing on May 30 (reported on June 15) put another 439 people at risk for identity theft. Further investigations found that there have been 11 reports of missing or stolen laptops in 2007, and 26 in 2006 – placing even more citizen’s at risk for identity theft.

The state of Ohio auditor’s office announced yesterday that it will be installing Absolute Software’s Computrace to protect the sensitive information contained on State laptops.

“Those laptops are purchased with taxpayer dollars so we want to get that thousand dollar laptop back.” says Susan Raber of the Ohio auditor’s office.

“We’re responsible for the personal information we receive so we want to do everything possible to protect that personal information.” Raber says.

Computrace will allow the auditor’s office to remotely shut down any lost computer, and to track it down. The Computrace suite of software products provides a robust, multi-layered security solution to enable organizations to address issues of regulatory compliance, data protection, computer theft recovery and asset tracking.

Read more about multi-layered laptop security by Computrace here.

Via wsyx Tags: computrace, ohio, ohio state, ohio government, laptop theft, laptop security, identity theft, id theft, absolute, absolute software

Synthetic Identity Fraud is even more prevalent than true name ID Fraud. Specifically, it is more probable that your Social Security Number will be stolen and used with a different name than it is for your Social Security Number and name to be used together.

Synthetic identity components are personally identifying pieces of information used to create a new false (“synthetic”) identity. This type of identity theft, hardly seen 5 years ago, now accounts for 85-90% of all identity fraud.

This synthetic identity fraud is very insidious – thieves can create new bank accounts, get credit cards, or get jobs with these identities. And it can take years to uncover this fraud because of the mismatched information.

As the fraud is under a different name, it usually won’t show up on your credit report, but it could nonetheless affect your identity. Information from the fraud could appear in many databases that contain Social Insurance Number information. The false information could affect your ability to get a job or a loan, for example.

Privacy expert Chris Hoofnagle said, “What synthetic identity thieves do is pollute the files.”…

“Your Social Security number right now is the key to really destroy your life because if someone uses it with or without your name, it still can come back to haunt you,” said Hoofnagle.

To determine if you have been a victim of Synthetic Identity Fraud, carefully review your Social Security statement each year to ensure all income is your income and be aware that if you get a lot of mail in someone else’s name, it could be a sign of fraud. Checking credit reports yearly is also recommended to detect all forms of identity theft.

Via 10news ; Tags: identity theft, id theft, synthetic identity theft, synthetic identity, identity fraud, synthetic id fraud, id fraud

Cyberbullying is becoming more of a problem in the US. According to new research from the Pew Internet Project [PDF report link], one third (32%) of US online teenagers have been the victim of cyberbullying.

These attacks include receiving threatening messages; having their private emails or text messages forwarded without consent; having an embarrassing picture posted without permission; or having rumors about them spread online. When asked what form the cyberbullying took, the most common response was the sharing of private information (IMs, emails, etc) rather than direct threats.

Girls were more likely to be targets of cyberbullying than boys.

Teens who share their identities online are more vulnerable to cyberbullying.  Further, it was observed that there is a direct correlation between time spent online and cyberbullying. Additionally, the use of social networking sites has spurred greater cyberbullying. 39% of social network (Facebook, Myspace) users had been cyberbullied in some way, versus 22% of teens not using social networking sites.

Cyberbullying, unlike bullying in general, can expose a victim to hundreds or even thousands through an email, blog post or profile. Additionally, many cyberbullies use the web to embolden their actions, as they can “hide behind their monitor.”

Via the BBC ; Tags: cyberbullying, cyber bullying, bullying, cyberbully, cyber bully, social networking, teens online, online safety, bullying policy