Archive for November, 2007

Privacy Breach Checklist

Friday, November 16th, 2007

The Canadian government has provided a concise checklist for responding to a privacy breach. Though all steps should be taken to prevent data breach incidents, there is an uncontrollable element to data security. Therefore, it is prudent to have a set of protocols on what to do if a data breach does occur.

The checklist begins with an incident awareness check: when was it, where was it, how was it discovered, what caused it, and who does it affect?

A step-by-step checklist is provided which goes into detail on the following:

  1. Breach Containment and Preliminary Assessment
  2. Evaluate the Risks Associated with the Breach
  3. Notification
  4. Prevention of Future Breaches

Read the full details here. A similar, though less detailed, checklist is also provided by the US Federal Trade Commission (FTC) here.


Cabarrus County Data Breach

Friday, November 16th, 2007

Who Breached: Cabarrus County
Number Affected: 28,000
Information breached: Social Security Numbers
How: laptop loss

Officials in Cabarrus County, North Carolina have notified 28,000 people that their personal data has been breached.

A laptop went missing from the Cabarrus County Emergency Medical Services on October 28th when it was accidentally left on an ambulance’s back bumper. The laptop contained personal data, including Social Security numbers, for 28,000 people whom the EMS had cared for in the past 4 years. The laptop also included medical information on 58 recent patients.

Information stored on the computer is protected by two passwords, so it is unlikely that someone who finds it would be able to access the patient records. However, an individual with highly developed computer skills could still get at the information on the computer.

The Attorney General’s Office and the three major credit reporting agencies (Equifax, Experian and TransUnion) have been notified of this potential security breach.

Those affected have been notified by letter and a call center has been set up. New software will also be purchased to avoid storing any personal information on the computer’s hard drive.

You can read more from the Cabarrus County announcement here.

Via breach blog, Charlotte.com

Proactive Management of Security Risk

Friday, November 16th, 2007

The team at SecurityFocus has written a comprehensive piece on Proactively Managing Security Risk. They lay out the framework for a new approach to enterprise security at all levels:

“The current approach to security is based on perimeter defense and relies on firewalls, intrusion detection systems, and intrusion prevention systems. These approaches depend on a priori information. However, the increasing speed at which new exploits and attacks are being devised mandates a new layer of security defense for enterprise IT infrastructures — a layer that provides consistent protection rather than perpetually lagging behind the morphing tricks of hackers. We propose such a new defense layer and a model that proactively manages server security risks and that co-exists with and complements the traditional security solutions.”

A proactive system would analyze corporate resources and do a risk assessment. Then, it would develop plans to protect those assets. The approach does not count on foreknowledge of attacks.

Highlights from the paper:

  • Add a proactive security layer to the existing layered approach (the “defense-in-depth” approach)
  • Accept that not all risk can be eliminated; rather, focus on minimizing the damage that can be done when security is breached
  • Operating costs can be reduced through planning
  • The proactive model (the “intrusion tolerance model”) provides risk assessment tools to every level of the security architecture
  • The proactive model does not replace the reactive one – they must co-exist

This is a very data-heavy paper, but it is quite interesting. Looking at the various graphs and tables, it is clear that this could lead to a more efficient and secure approach to security management. You can read the entire paper here.


PCI Council Announces New Data Security Standard

Friday, November 16th, 2007

The PCI Security Standards Council has announced its intention to create a new data security standard known as the Payment Application Data Security Standard (PA-DSS).

The PCI Council’s mandate is to help foster adoption of PCI (payment card industry) Standards. The PA-DSS will become the new standard for best practices in the industry and is being supported by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa.

PA-DSS is aimed at helping companies eliminate unnecessarily stored libraries of customer information in payment systems. The standard will help developers of payment applications to eliminate features that have led to unnecessary data storage. The Council is working with application developers to improve their programs and will then enforce adoption of the standard across the payment card industry.

The PA-DSS is currently drafted and expected to be approved early in 2008. This is a proactive move to minimize the risk for data breaches and resulting identity theft.

Bob Russo, general manager for PCI Security Standards Council, notes:

“As criminals become more sophisticated and payment application vulnerabilities are realized by our membership, we must ensure that all components of the payments process are subject to rigorous standards that are supported by all of the global payment card brands with a single goal in mind: to protect cardholder data and combat fraud.”

Read more on PA-DSS here / Read the PCI Council statement here.

Via infoworld

CUNY Data Breach Affects 23,000

Friday, November 16th, 2007

Who Breached: City University of New York (CUNY)
Number Affected: 23,000
Information breached: Social Security Numbers
How: laptop theft

The City University of New York (CUNY) has notified 23,000 current and former students that their personal data has been breached following a laptop theft from a locked financial-aid office in Midtown.

CUNY sent letters to affected students on October 19th indicating the laptop was stolen around October 15th; representatives are not sure how access was gained to the secured room. Harvey Shifter, a spokesperson for CUNY’s Financial Aid office, said the laptop was non-functioning (a blue screen at startup) and password-protected. Despite this assurance, it is still possible to access the data by reading the drive as an external hard disk or by breaking the password.

Students were urged to contact their credit card companies and take other steps to protect their identities by initiating a fraud alert. No compensation is being offered in the form of credit monitoring services.

With no leads, the police have closed the case.

What is most worrying about this data breach is the response of school officials. It seems officials assume that a password alone safeguarded the data.

Students have been unhappy with the response time of school officials in notifying them of the breach and in subsequent queries. Students have placed calls to the official noted in the breach notification that have gone unanswered.

Via SCMagazine, NY Post, the ticker

Arnold Schwarzenegger Vetoes Data Breach Bill

Friday, November 9th, 2007

California Governor Arnold Schwarzenegger vetoed a data breach bill in mid-October. The bill was designed to give consumers greater protection against identity theft through more stringent merchant data practices.

Assembly Bill 779 (info here) was designed to give consumers greater credit card protection through limits on the type of payment information retailers can store. The bill would also have required more stringent security practices and data breach notification requirements.

Schwarzenegger dismissed the bill stating that the costs for merchants would have been prohibitive. 

“This industry has the contractual ability to mandate the use of these standards, and is in a superior position to ensure that these standards keep up with changes in technology and the marketplace,” he said in a message to members of the California State Assembly. “This measure creates the potential for California law to be in conflict with private sector data security standards.”

I would think the track record of the private – and public – sectors with regards to data breaches would indicate a need for something more than existing security standards.

Via infoworld, the register

Hartford Financial Data Breach

Thursday, November 1st, 2007

Who Breached: Hartford Financial Services Group
Number Affected: 237,000
Information breached: Social Security Numbers, Driver’s License Numbers
How: 3 lost data tapes

The Hartford Financial Services Group Inc. has notified 237,000 policy holders of a breach of their confidential information.

Three backup data tapes were discovered missing on September 27th, 2007. The tapes contained the names, addresses, Social Security numbers and driver’s license numbers for customers of the personal lines claims center. The company does not know if the tapes were misplaced or have gone missing.

Hartford spokeswoman Shannon Lapierre does not think the data was stolen and assures customers that the data can only be read with sophisticated equipment. The data was not, however, encrypted.

Hartford Financial is offering free credit protection for 1 year including credit monitoring, unlimited credit reports and $20,000 in identity theft protection.

Via PC World

Data Breach Tally Climbing

Thursday, November 1st, 2007

As of November 1, 2007, the Privacy Rights Clearinghouse estimates that 167,706,372 records containing sensitive personal information have been breached since January 10, 2005. Averaged over that period, that is 163,776 records breached every day.

A table of data breaches:

Year    Records Lost/Stolen    Incidents Per Week
2007    86,221,825             282
2006    49,679,333             346
2005    55,986,942             138
2004    31,895,900             21

The largest data breach on record is that of TJX (45.7 million records), but such large figures are not as common as the continuous smaller data breaches happening daily around the world. We become desensitized to the news unless it reaches such record numbers, but if you look at the total data breach tally and the daily average, you can gain some valuable perspective on how large the issue really is.

According to the Privacy Rights Clearinghouse stats as analyzed by etiolated.org, some industries are faring better than others. The Education field is still on an upward trend in the number of data breach incidents (not records), while Government appears to have made some improvements. However, if you consider the table above, it's the records stolen that form the most alarming figures. The data shows that, on average, more records are being breached per incident than ever before.

2007 is going to be a record year for data breaches. And this is one record you don’t want to win.


Are Email Addresses Confidential Data?

Thursday, November 1st, 2007

Are email addresses private data? And, if so, should they be considered during a data breach?

Brian Krebs asks this intriguing question at Security Fix. When email addresses are breached or stolen, they may end up being used for targeted emails (spam or email attacks). Email addresses are powerful tools for attack, including phishing schemes designed to gain access to more personal data. Therefore, an email address is like a window into personal data.

A database of email addresses and names for SunTrust and ADP employees was stolen from Salesforce.com. That data was then used in a carefully crafted phishing scheme, which urged the employee to download a PDF in reference to an identity theft claim.

Approximately 500 people received those emails, and a few fell for the scam. The issue at hand is not phishing, as that is a fairly universal problem now, but whether or not people should be notified if their email address is breached.

Are email addresses confidential? Some would argue they are available in the public sphere. Others would argue that some remain private and that access to emails in list form increases the risk for phishing scams and potential identity theft incidents.

What do you think? Are email addresses confidential?
