Archive for August, 2007

TJX Data Breach Cost $118 million

Saturday, August 25th, 2007

TJX’s second-quarter profits were slashed by more than half as the company recorded a $118 million charge as a result of their data breach.

The original estimate for the data breach of $59 million turned out to be far under the real cost associated with the incident.

One-tenth of the $118 million data breach cost covers existing costs – the remaining nine tenths of the cost is to cover future expenses from lawsuits, investigations and other items.

Despite a modest increase in sales this quarter, TJX shares fell 8 cents to $27.58.

Via Eyewitness News

Unofficial Teleworkers Put Federal Data at Risk

Friday, August 24th, 2007

Telework Exchange recently released a report entitled “Feds Walking the Talk on Security? – One year after the VA laptop scandal, is Fed’s data still going AWOL?”. The study finds that current Federal security practices, particularly related to employees unofficially working & using data at home, are putting Federal data at risk.

Telework Exchange, which is a public/private partnership examining telework within the Federal government, conducted the study to see just what had changed since the June 2006 Veterans Affairs laptop theft, which exposed personal information on upwards of 26.5 million people.

The study on Federal data security found that 13% of Federal employees with newly issued laptops do not have encryption software installed. This is not an issue with telework (full- or part-time out-of-office work) or with employee training, but rather with whether basic IT security practices are being applied at all. The study also found that teleworkers had received more security training than their in-office colleagues, pointing to a potential flaw in security planning.

Some key findings from the study:

  • 41% of respondents use a laptop for work (45% of these switching within the last year)
  • 48% of respondents said their agency provided security training after the VA laptop scandal
  • 47% of agencies provided updated security software on computers since the VA scandal
  • 94% of teleworkers received security training vs. 87% of in-office workers

The study found that “unofficial teleworkers” – employees who take work home with them – pose a large security threat. 58% of regular office workers qualify as “unofficial teleworkers,” and this is where irregular security practices show up:

  • 63% of unofficial teleworkers use their own PCs
  • 54% carry files home
  • 41% log into the agency network

You can see, then, that Federal data is highly mobile, and is being used in insecure and uncontrolled environments.

“The study points to the inevitable mobility/security challenge,” said Craig Bumpus, general manager, Utimaco America. “Employees who work unofficially at home on nights and weekends are removing data from the office – either by mobile device or by hard-copy files – and working in unauthorized locations. Agencies must take the necessary security precautions to protect all computers and provide adequate training to employees on transporting data outside of the office.”

The report recommends that security policies be reviewed, security technology upgraded, and the population of unofficial teleworkers audited. All employees should be trained on how to handle data outside the office environment.

The study is available for download here [registration required].

Image via ppdigital at morguefile

Educational Benefits of Social Networking

Tuesday, August 21st, 2007

Education Week has published an article which indicates that Social Networking can have educational benefits. According to a survey commissioned by the National School Boards Association (NSBA), 50% of teens say they talk to their peers about schoolwork online (IM, blog or social networking sites) or via text message. A larger proportion (60%) indicate that they discuss education-related topics such as college and career planning. According to the survey, 96% of students with access to the Internet build social networks. That more than 50% of these students discuss education is promising for educators. NSBA says that Social Networking technologies should be adapted for use in the classroom.

“When it’s another generation’s technology, it’s easy to be uncomfortable with it and say we don’t need it,” said Ann Flynn, the NSBA’s director of educational technology. “We want to say to people, explore these things. Figure out what kinds of tools they are. By no means are we saying people shouldn’t be safe. But we also don’t want to see policies that are so restrictive that the unintended consequence is to keep the technology out of the hands of educators.”

The NSBA suggests setting up chat rooms or blogs where students can talk about, and collaborate on, schoolwork. It also suggests altering policies that ban or restrict the use of these sites while at school. The survey found that the fear of cyberbullying may be out of proportion to how often it is actually reported: 7% of students surveyed said they had been victims of cyberbullying, far fewer than the 32% reported in a Pew survey conducted earlier this summer. The NSBA survey also included a separate study on how districts use technology. 96% of the district leaders interviewed say that teachers assign homework via the Internet, and nearly half of the schools go online for collaborative projects with other schools. Currently, 80% of schools ban chat software, and more than 50% ban the use of social networking sites. This policy may be too restrictive. Social networking can be embraced for its “social” modes of learning and, combined with education on Internet safety, can be a valuable educational tool.

“One reason why many educators do not find the technologies ‘useful educational tools’ comes from the fact that the teaching paradigm that most teachers use—kids ‘being taught’ (mostly by lecture)—conflicts with these technologies,” he said in an e-mail. “If you are lecturing, they are mainly an interruption. The technologies become much more useful (and in fact necessary) once the paradigm shifts to ‘students teaching themselves’ (with guidance).”

Many analysts also believe that social networking profiles will be key factors in future job interviews. Currently 10% of companies review social networking profiles as part of the candidate review process – a number which will only increase. Education should center on embracing social networking sites and their uses for education, but also on what types of information students should and should not be posting online. Security should also be considered part of the education process – a recent CNET report exposed the dangers of allowing “friends” access to your personal information. You can read the full NSBA report here [PDF].

Idaho National Guard Data Breach

Thursday, August 16th, 2007

The Idaho Army National Guard has suffered a data breach as a result of a stolen USB thumb drive.

A small computer drive containing the Social Security numbers and personal information of all 3,400 Idaho National Guard members was stolen on Monday night from a soldier’s car. The soldier was traveling on official duty. Police believe the theft is part of a string of car burglaries in the area, and not a targeted attack.

“You name it, it was on there,” Dowling said of the so-called thumb drive. “Any time our soldiers’ personal data get compromised in any way, it’s a big concern for us. We want to make sure that all of our soldiers are informed and protect themselves.”

The National Guard is personally calling all Guard members and sending out notifications by mail. The day after the theft, the National Guard activated a phone tree normally used for natural disasters or state emergencies.

Although the Guard is in the process of encrypting all devices, this particular thumb drive had not yet been encrypted. There is no policy prohibiting soldiers from removing storage devices from office property.

Affected soldiers can go to www.idahoarmyguard.org for more information.

Via FOX, tg daily and Star Tribune

Corporate Security Survey

Wednesday, August 15th, 2007

Absolute Software is holding an open survey about Corporate IT and Security, and would like to invite you to participate.

It’s a short survey, under 20 questions, and asks what you consider most important when it comes to computer security, as well as various questions on data breaches and laptop security.

We will be publishing key findings from the survey after it is complete.

Take the survey here.


VeriSign Data Breach

Monday, August 13th, 2007

VeriSign, the company that operates an array of network infrastructure and provides a variety of security and telecom services, has suffered a data breach.

On July 12 or 13, a company laptop was stolen from an employee’s vehicle in a parking garage in California. The laptop contained data on an undisclosed number of current and former employees.

The data breach included names, Social Security numbers, dates of birth, salary information, and home phone and addresses for VeriSign employees.

Here is an excerpt from the 5-page letter sent to VeriSign employees affected by the data breach:

VeriSign already has a strong Information Security Policy in place, which in this case was unfortunately not followed. VeriSign’s Information Security Department issues a quarterly publication to remind employees of this policy. For this incident, we disabled any access by the employee’s computer to the VeriSign network or any information located on the VeriSign network, going forward, and we are reviewing our security procedures to help prevent a recurrence of this type. Among other things, we plan to implement procedures to more strictly enforce our policy of encrypting sensitive data stored on company computers.

The employee responsible has left the company, and VeriSign is working to strengthen its data-protection policies, which were not followed in this case. Current policies state that data storage should be minimized and encrypted and that laptops should not be left in vehicles. In this case, the data was not encrypted; the laptop was password protected, but a login password alone does little to protect data on an unencrypted disk. VeriSign’s security policy does not include laptop security measures more stringent than encryption, but probably should.

Local police believe the laptop theft to be tied to a number of local burglaries. No evidence of identity theft has yet appeared. VeriSign has sent a letter to victims notifying them of the breach and the risk for identity theft. VeriSign will provide credit monitoring services.

VeriSign may suffer a more prolonged consumer reaction to the breach. Seeing a security services provider fall victim to a data breach lowers consumer confidence in its abilities.

Via attrition.org, SC Magazine, Consumer Affairs and Wizbang Blog; image via cohdra on morguefile

IRS Password Security Still Poor

Monday, August 13th, 2007

The Treasury Department’s latest audit found that security at the US Internal Revenue Service (IRS) is still lacking.

Government auditors posed as help-desk employees and called various IRS employees. 60% of IRS workers readily gave up their user names and agreed to change their passwords when prompted. This poses a serious security threat, since those accounts are then at risk of compromise.

The same social engineering test was performed in 2001, when 71% of employees failed. Employee training improved this, and a similar test in 2004 revealed a failure rate of 35%. Now it seems those numbers have climbed once again.

Employees who failed the test said they exposed their login information because they thought it was legitimate, thought changing a password was different from disclosing it, or had experienced past computer problems.

This new audit reinforces the need for a strong security policy coupled with consistent security training in order to minimize the “people” threat to data breaches.

The inspector general for the Treasury Department concluded that:

“Employees either do not fully understand security requirements for password protection or do not place a sufficiently high priority on protecting taxpayer data in their day-to-day work.”

It is recommended that IRS employees be re-trained on password security and on the use of social engineering to obtain secure and private information. A further audit has been suggested in order to gauge the disciplinary action taken against those who put the agency’s security at risk. Regular social engineering tests should be conducted internally by the IRS in order to stay on top of this security issue.

To date, no actual breach of IRS data has resulted. The report concludes that IRS employees are the “weakest link” in the security system.

Download the full report from the US Treasury here. [PDF]

Via WebCPA and Channel Register

Security is a State of Mind

Monday, August 13th, 2007

Bruce Schneier gave a keynote address at the Black Hat conference in Las Vegas last Thursday where he talked about security being a state of mind.

The Black Hat conference was held over 3 days, with speakers and training sessions focused on computer security. Bruce Schneier’s “The Psychology of Security” keynote addressed the difficulty in quantifying security because of its emotional component.

“How we feel about security in a given situation can affect how secure we really are.”

Bruce Schneier says everybody is a security consumer – we all must continually decide how much money, time and effort we will spend to feel secure. This is a basic instinct, and it carries over into the business realm in our security decision-making process.

Schneier says that decisions are based upon the severity of a risk, the probability of a risk, the magnitude of a risk, and the effectiveness of the response chosen. The assessment of these probabilities is subjective and often misjudged. Schneier recommends that companies spend more time considering their perceptions surrounding security – assessing these risks – in order to be better prepared.

Via CNET

Poodle Becomes Latest Victim of ID Theft

Monday, August 13th, 2007

On the lighter side of security, who would have thought that animals would become targets for identity theft?

According to the BBC, a dog breeder’s prize-winning poodle became the victim of identity theft. The pup’s pedigree details were posted online accidentally. A con-man then used the pedigree information to claim his own dog (using the poodle’s stolen credentials) had given birth to pedigree pups.

The identity theft came to light when a potential buyer noticed that the thief was trying to pass off his toy poodle puppies as standard poodles, under the stolen pedigree. With some digging, she was able to find the real owner and contact her. The police are now investigating the crime.

A Kennel Club spokeswoman advised breeders and owners against publishing full names and details of their dogs online.

She added: “You should only ever buy a dog or a puppy when you see it in the flesh.”

“If it is a puppy then you should be seeing it with its mother in the home in which it was born.”


ePals Social Networking for Teachers

Monday, August 13th, 2007

ePals has launched a new community service for K-12 educators called Ask ePals.

Ask ePals is a free social networking site for finding resources, content and advice, and for interacting with teachers around the world. Although it is more focused on content than on social networking, it nonetheless provides the tools necessary to interact.

Ask ePals is a service that brings together educators and experts from around the world and connects them with people looking for answers to questions that are specific to education.


Via Web 2.0 and School Administrators
