Archive for October, 2007

University of Iowa Data Breach

Monday, October 15th, 2007

A laptop has been stolen from the University of Iowa, putting 184 students and graduates at risk for identity theft.

A former teaching assistant had the names, grades, and Social Security numbers for 184 students on a laptop, which was subsequently stolen from his home in Arizona. Only 100 of the names are suspected to have Social Security numbers attached to the files.

The students and graduates affected took “Philosophy and Human Nature,” “Philosophy and the Just Society,” or “Principles of Reasoning” taught by Tuomas Manninen some time between 2002 and 2006.

School officials say that identity theft is “unlikely”, since the Social Security numbers are “difficult to locate” in the files.

The University of Iowa is getting attention for this data breach. Although the breach only affects 184 students, a similar data breach occurred in 2006 when a professor’s laptop was stolen. At the time of the 2006 breach, the University of Iowa said they were trying to reduce the use of Social Security numbers.

Via wcfcourier

LoJack Prevents Identity Theft in Lynnwood

Monday, October 15th, 2007

Absolute Software’s LoJack for Laptops helped prevent the identity theft of a man in Lynnwood.

Michael Pierson left his laptop in his car while he went to the mall. Though only gone for a half-hour, Michael returned to find his car had been burglarized, and his laptop was missing.

Michael Pierson was prepared, though. He had installed Computrace LoJack for Laptops. Absolute Software was notified of the theft, and when the laptop next came online, the IP address was sent to Lynnwood police. The police were able to track the thieves to a motel where there was evidence that the thief was running an identity theft operation.

In this case, identity theft may have been the motivator for the burglary. With the help of Computrace LoJack for Laptops, the crime was prevented and the laptop returned.

Story from KIRO Seattle

HMRC Laptop Theft

Monday, October 15th, 2007

It has been a bad week for laptop theft. A laptop containing personal information was stolen from the car of a member of HM Revenue and Customs (HMRC) in the UK.

The stolen computer contained data about high value customers who invested in Individual Savings Accounts as provided to them by banking institutions. HMRC has advised the banking institutions to notify the affected customers.

“The incident has been reported to the police and we are carrying out an urgent internal enquiry. HMRC places the utmost importance on the security of confidential material and we have in place very clear processes governing the handling of such material.”

On a positive note, the laptop was not completely without defenses. The laptop was password protected and encrypted. In data breach news, this is a very rare set of precautions. In addition, HMRC is being up front and honest in taking the blame:

“We obviously deeply regret what’s happened and we are obviously responsible.”

Although the HMRC data is protected by defenses, it is still at risk. Strong security policies would limit the amount of data that can be taken off-site, and laptop recovery & data wipe software would enhance data security.

Unlike our previous example, the HMRC came forward with full disclosure about the breach. Given that the data was well protected, they were not required by law to notify customers. However, taking responsibility for the lost data is being viewed by many as a “refreshing level of ethical responsibility.”

Via IT Week, Silicon.com

Semtech Data Breach

Monday, October 15th, 2007

Semtech has notified its US employees that a recent laptop theft has put them at risk for identity theft.

Late in September, Semtech sent a letter to an undisclosed number of its 690 employees letting them know that their data is at risk. A laptop was stolen from the office of one of Semtech’s vendors, also undisclosed.

Semtech has declined to offer additional information about their data breach to customers or the press. It is unknown what data has been put at risk, when the theft happened, or the time between theft and notification. Given the current environment surrounding data breaches, greater disclosure of this information may have been to the benefit of the company’s public relations efforts.

Semtech is offering identity theft protection services for one year to those affected.

Via Pacific Coast Business Times

Security Management Key in Data Protection

Wednesday, October 10th, 2007

According to a new set of data from Zone-h.com, more than half of security gaps are the result of configuration mistakes, brute force attacks and social engineering.

Unpatched vulnerabilities and new vulnerabilities represent 26% and 19% of web server penetrations – the remaining 55% are outside the purview of software prevention.

Essentially, even up-to-date software management could not prevent 55% of web server penetrations. Even a so-called “perfect” security tool, though it does not exist, would not provide 100% protection.

What does this mean? That technology is not a solution in and of itself. Security policies are essential – training and security management have a large impact on data security.

Via cso online

Businesses not protected from Web 2.0 threats

Wednesday, October 10th, 2007

According to a new survey from Forrester Research and Secure Computing, businesses have not upgraded their security tools to deal with Web 2.0 applications.

The survey found that as companies continue to adopt Web-based applications (Web 2.0 applications), security tools have not evolved to deal with new threats posed by these applications. Technologies such as online collaboration and file-sharing put businesses at risk for attacks.

Some facts from the study:

  • 97% of companies consider themselves prepared for malware threats
  • 79% say they are victims of malware attacks on a frequent basis
  • 68% of companies admit they have room for improvement
  • 96% of companies see value in web 2.0 applications
  • 5% of companies have taken measures to protect users of web 2.0 applications
  • 33% have data leakage prevention in place

You can see an immediate discrepancy – companies consider themselves prepared for threats, yet clearly they are not. Most companies are well protected from traditional attacks, but not from these newer ones. Aside from the threat of malware, there is also the insider threat of employees using these tools to remove data from the company.

“Companies really need to adjust their policies for the Web 2.0 world in general. Internet use policies should include social Web sites, blogs, and the other varieties, and this has to be spelled out specifically,” said Paul Henry, Secure Computing’s vice president of technology evangelism. “Beyond that, these companies simply need stronger technical safeguards; a lot are barely protecting against the initial generations of Web-based threats that we’ve seen.”

Recommendations from the report include upgrading security technologies, revising security policies, and increasing training.

Via Zero Day

Intern Responsible for Ohio Data Breach Speaks

Thursday, October 4th, 2007

The intern responsible for the Ohio State Data Breach has come forward to make a statement. As previously reported, the intern left a computer back-up tape containing employee names and Social Security numbers in his car, which was subsequently robbed.

The intern, who took the back-up tape home, has been made a scapegoat, receiving blame for not taking adequate steps to safeguard the information.

The intern, Jared Ilovar, was fired after refusing to resign from his post. In an email to the press, Ilovar says he was made a scapegoat and that his car was one of five broken into at his apartment complex.

“I was a victim of a random car theft, and now I am the scapegoat for the state of Ohio,” he wrote in the e-mail. “On the subject of instructions, I was never instructed by my employer on how to properly secure, store or watch over the data tapes at night. … I was the newest person in the door, so I inherited the job of taking the data tapes out of the building. That was the extent of my instructions.”

Read more on the Ohio situation here:

Via courant.com

People Main Source for Financial Data Breaches

Thursday, October 4th, 2007

According to Deloitte, people are the primary source of data breaches in banking security in the UK.

The survey, of Top 100 financial services companies, found that employees and customers are the key sources of security breaches. Nearly one third of respondents could tie a security breach to employee misconduct or error. It’s no surprise, therefore, that 91% are concerned about the internal / people risks to business security.

More than half of the respondents – 65% – have experienced an external security breach. Customers are often at fault for these, with a lack of awareness and anti-virus protection on their computers. Viruses, spam, worms and identity theft scams all are directed at consumers, who are less aware of the risks and therefore more vulnerable.

A red flag result of the study: less than two thirds of surveyed companies have an IT Security strategy in place, and nearly one quarter of companies provided no security training in the past year.

Mike Maddison, UK head of security and privacy services at Deloitte, said: “You can have the best technical systems in place, but they are unlikely to operate effectively unless you educate people on their obligations and how to fulfil them.”

More and more, surveys are showing just how many security breaches are due to poor security policies and training, yet many businesses still fail to address these basic issues.

Via mirror.co.uk

Boeing Employee Fired for Alleging Security Problems

Thursday, October 4th, 2007

Boeing has fired an employee who spoke with the Seattle Post-Intelligencer about alleged computer security problems at Boeing. The employee claimed that the company was misrepresenting the results of its data security audits in the filings to the Securities and Exchange Commission.

The Seattle Post-Intelligencer published a story in July stating that Boeing was not protecting data from theft, manipulation or fraud. The employee claims he was trying to save the company in so doing. He claims that he had earlier tried to raise his concerns with the company and with the Securities and Exchange Commission, but they were not addressed and he was treated badly as a result.

Boeing is required by the Sarbanes-Oxley Act to prove it has internal control of its data to prevent it from being manipulated and misrepresented to stockholders. The Seattle P-I obtained documents outlining the challenges Boeing faced in compliance, and the failure of IT to control the data environment. Examples cited were: access to data by employees who should not have access, manipulated security audits, and threats to employees to produce evidence for the audits.

Boeing has faced many data threats this year, including the theft of sensitive company information that could have cost the company billions, and three separate cases of laptop theft and data loss.

Boeing is now investigating, and has fired, the employee who disclosed the information to the Seattle Post-Intelligencer. There has been no confirmation that the information provided by the employee was accurate.

You can read the original Boeing story here.

Via wired

Data Breach at The Gap

Thursday, October 4th, 2007

The Gap has suffered a data breach as a result of a laptop theft, putting 800,000 job applicants at risk for identity theft.

The Gap issued a press release on September 28 to announce that a laptop containing Social Security numbers was stolen from the offices of a third-party vendor responsible for job applicant data. The Gap has an agreement with its vendors stating that laptops must be encrypted; the stolen laptop, however, was not, in violation of the outlined security policy.

800,000 job applicants from the US, Canada and Puerto Rico who applied to The Gap, Banana Republic or Old Navy were affected. Those affected applied online or by phone between July 2006 and June 2007. They have been sent letters with information and the offer of free credit monitoring services for one year. Canadian job applicants are likely unaffected, as their Social Security Numbers were not included on the laptop.

“Gap Inc. deeply regrets that this incident occurred. We take our obligation to protect the data security of personal information very seriously,” said Gap Inc. Chairman and CEO Glenn Murphy. “What happened here is against everything we stand for as a company. We’re reviewing the facts and circumstances that led to this incident closely, and will take appropriate steps to help prevent something like this from happening again.”

It is an unfortunate incident for a company that appears to be taking its security quite seriously. A tight security policy extends to vendors, as it did in this case. Unfortunately, the laptop was not encrypted as required by the agreement. A stronger security policy, internally and with vendors, would include a laptop tracking and recovery solution such as Absolute’s ComputraceComplete.

The Gap has put up a website with more information at www.gapsecurityassistance.com and has a 24/7 help line at 1-866-237-4007.

Via information week
