Archive for March, 2008

Blue-Cross Breach from November affects 40,000

Sunday, March 16th, 2008

Who Breached: Blue-Cross Blue-Shield of Western New York
Number Affected: 40,000
Information breached: “Vital Information”
How: laptop missing since November

Blue-Cross Blue-Shield of Western New York is notifying 40,000 of its members that they are at risk for identity theft after a company laptop went missing in November of 2007.

You have read that correctly: a laptop went missing in November. And Blue-Cross Blue-Shield is notifying members now, in March. That is quite the lag time. And it remains unexplained. Personal information, simply stated as ‘vital information’, was contained on the laptop. No further details have been provided.

Blue-Cross Blue-Shield of Western New York is offering credit checks for those members affected by the breach. The company has not posted any information to its website.

Via wivb

Data Broker Sued by Missouri State

Sunday, March 16th, 2008

The Missouri Attorney General’s Office has filed a lawsuit against PublicData.com, a company that buys and re-sells access to public government files to individuals and corporations (as a data broker). The lawsuit claims that the company sold the Social Security Numbers of some Missouri residents.

The Missouri AG Office is seeking to shut down the data broker’s website and fine its operators. The Missouri office learned of the PublicData website through a criminal case in Florida in which the defendant, charged with identity theft, claimed to have obtained information from this site.

PublicData provides a service that lets people look up their own government-held records (which the company buys and makes available) by searching a driver’s license number. Businesses can buy access to this information under corporate accounts. The defendant claims to have searched random driver’s license numbers on the site, which gave him access to SSNs.

Attorney General Jay Nixon has this to say:

“This website is a gold mine for identity thieves and needs to be shut down as soon as possible to protect the privacy of Missourians. My office has already seen proof of how this site can be used to destroy the credit of innocent consumers in at least one prominent identity theft case.”

The company, PublicData.com, has responded to the suit with its own press release. According to the release, the company was unaware that Missouri uses some Social Security Numbers as driver’s license numbers, and that this policy is what led to the unfortunate disclosure of information. In order to comply with privacy regulations, PublicData.com will no longer display driver’s license numbers for Missouri residents if they are the same as SSNs.

Via SC Magazine

10 Mistakes in Enterprise Security

Sunday, March 16th, 2008

James McGovern from the Enterprise Architect blog compiled a list of “Ten Mistakes that CIOs consistently make that weaken enterprise security.” The list is simple and straightforward.

The 10 Mistakes Are:

  1. Use process as a substitute for competence
  2. Hope that the problem will go away if you ignore it
  3. Put network engineers in charge of security
  4. Outsource too much
  5. Rely primarily on a firewall and antivirus
  6. Authorize reactive, short-term fixes so problems re-emerge rapidly
  7. Undervalue the cost-savings of security
  8. Fail to deal with operational aspects of security
  9. Fail to understand the relationship of information security to the business problem
  10. Put people in roles and give them titles, but don’t actually train them

A lot of the points have to do with a lax security policy – an inability to define and manage IT security, particularly when it comes to people (as much as process & technology).

Christofer Hoff has added a couple more mistakes to this list including: talking about threats, not risk; avoiding security awareness training; investing for compliance not security, and many more.

Hackers Stealing Health Care Records

Friday, March 14th, 2008

The Department of Homeland Security is concerned with a spike in hacker attempts to steal American health care records. Hackers, primarily from Russia and China, have accessed medical records from the military, but it is not clear if the private sector has been affected. DHS does not think the network was hacked for the express purpose of obtaining health care records, but such information was breached.

Mark Walker, who works in DHS’ Critical Infrastructure Protection Division, thinks the motive could be espionage. Walker stated that medical information could be used against the US from a “national security standpoint” because any health information about leaders in the US could “be of interest” to potential enemies. Of course, the motive for the attacks could just as easily be for blackmail, fraud or for some strategic advantage.

Right now, there are no strict requirements to report health data breaches. The DHS is urging government and private sector health care companies to report any breaches. A lack of strict requirements for reporting, DHS suggests, fosters poor security practices that could be as much of a threat as this cyber attack.

Via FCW, pogo was right

5 Basic Mistakes of Security Policies

Thursday, March 6th, 2008

Computerworld’s Anton Chuvakin lists “Five basic mistakes of security policy: The essentials can trip you up”. A security policy, whose purpose is to protect, define and minimize risk, is vitally important to organizations of all sizes. The creation of, and dissemination of, said policy is mandated by many corporate regulations. But, mistakes are made in the process that can have costly repercussions.

The 5 basic mistakes:

  1. Not having a policy (at all, or if it’s only implied) – After a policy is created, document any deficiencies in current IT systems, analyze risks, assess the costs and get them up to compliance with the new policy.
  2. Not updating the security policy – IT security threats are always evolving, so your policy should too. Update as your company network and business processes evolve.
  3. Not tracking compliance with the security policy – If you don’t enforce your policy at all levels, it’s just a piece of paper. Make sure everyone knows about it, that awareness training is conducted regularly, and that activity monitoring is ongoing.
  4. Having a “tech only” policy – As we’ve also noted before, people are as much of the problem as technology. The policy should cover people, process, and technology. Looking at log data of system and user activity is a good way to monitor compliance.
  5. Having a policy that is large and unwieldy – Employees at all levels of the organization must understand it; a document too strict or too legally written will result in non-compliance.

What other mistakes do you think companies make with their security policies?

Teenager Arrested for $20 Million Botnet

Thursday, March 6th, 2008

New Zealand’s Owen Thor Walker, 18, has been accused of unleashing a mega-botnet that infected more than 1.3 million computers and, as a result, stole more than $20 million.

The teen was said to have been the leader of a group of programmers who created the botnet designed to steal credit cards and manipulate stock trades. Walker now faces up to 10 years in jail, if found guilty under New Zealand law.

Arrests such as this one, and another teen hacker arrest in the US (who infected hundreds of thousands of PCs with adware), remind us that not all cybercrime originates from organized crime syndicates, and that individuals, even teens, can cause significant damage. Botnets have surpassed spam as the largest Internet security issue.

“We worked closely with U.S. and Dutch authorities on this investigation. This arrest is significant not just to New Zealand but the international community as well,” said Detective Inspector Peter Devoy of the New Zealand police, underlining the degree of cooperation now being employed to bring in these individuals.

“Very few people who carry out this sort of offending are ever prosecuted, so the resolution of this case has huge international implications,” he added.

A botnet is a collection of software robots – “bots” – that run autonomously and automatically. This is not always malevolent, but in the case of most botnets, it means that “zombie computers” – compromised endpoints – run programs such as worms and Trojan horses. The BBC estimated in 2007 that up to a quarter of all Internet-enabled computers may be an unknowing part of these botnets.

Via PC World, Wikipedia

Improving the Data Breach Response Plan

Thursday, March 6th, 2008

Michael Overly makes a very good suggestion for breach notification policies on the CSO Security blog. Michael notes that, although organizations are implementing policies on how to deal with a data breach once it’s known, those policies do not encompass the steps that would quickly notify them of said breach.

Before the response team can be put together, before documentation is completed, before the press and consumers are contacted, there is a gap between “finding the breach” and “reporting the breach.”

Michael suggests simple instructions for all employees to understand what a security breach looks like (from a lost USB key to unusual workstation activity), to accept responsibility to report it, and how to report it. It is important that the right people are notified as soon as possible, but this part of many security policies is currently weak.

Many companies face harsh public scrutiny if the breach is not reported promptly (not to mention legal consequences). Improving the breach notification process can help minimize any potential damages.

South Carolina Considers Identity Theft Bill

Wednesday, March 5th, 2008

South Carolina is considering a new identity theft bill. Lawmakers in the state say it has been lagging behind in the battle against identity theft. However, on Tuesday, the House approved a new identity theft protection bill. It will now go to the governor for final approval.

“We should have done it two years ago. The senate passed it a couple of times but the house was very, very thorough in looking at it. They improved the bill that we sent over. So I’m not complaining. I’m just glad we’ve got something,” says Greenville Senator David Thomas.

Despite the time it took to get this bill into play, if approved, it will be one of the toughest identity theft protection bills in the country.

The new bill covers:

  • ability for consumers to place or lift a security freeze on their credit reports without a fee
  • penalties for businesses that do not properly discard paper and electronic information
  • penalties if consumer reporting agencies don’t correct information on a credit report when notified
  • prohibitions against using Social Security Numbers on membership cards or in mailings
  • breach notification requirements when any type of personal information is breached

Ranking Institutions on Identity Theft Incidents

Monday, March 3rd, 2008

Chris Hoofnagle of the University of California, Berkeley, has published a paper measuring identity theft at banks in the US. The paper ranks the top institutions in the US based on their relative incidence of identity theft (as reported by consumers to the FTC). Special attention is paid to financial institutions.

Currently, banks do not publicly disclose incidents of identity theft, though they are now mandated to publicly disclose a data breach. However, since not all data breaches lead to identity theft, the picture is incomplete for consumers wishing to make informed decisions about their banking.

As part of a multi-strategy approach to obtaining more actionable data on identity theft, the Freedom of Information Act was used to obtain complaint data submitted by victims in 2006 to the Federal Trade Commission. This complaint data identifies the institution where impostors established fraudulent accounts or affected existing accounts in the name of the victim. The data show that some institutions have a far greater incidence of identity theft than others.

Facts from the paper:

  • 88,560 complaints affecting 46,262 institutions were obtained from the FTC for the analysis (banking & otherwise)
  • Institutions with the highest frequency of complaints: Bank of America, AT&T, Sprint/Nextel
  • The top 25 institutions out of the 46,262 account for 49.9% of identity theft complaints
  • Estimated events divided by total deposits at financial institutions shows that HSBC, Bank of America and Washington Mutual have the highest incidence of fraud
  • ING has the lowest incidence of identity theft, with only a single event
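
The two rankings the paper uses, raw complaint frequency and complaints normalized by total deposits, can be reproduced on a small constructed dataset to see why they disagree. This is an added Python example, not code from Hoofnagle’s paper or from the FTC; the institution names, complaint counts and deposit figures are made up, and the `min_events` cutoff is an assumption of this example, included to show why an institution with a single event is a noisy data point.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample, not FTC data: one entry per consumer complaint, naming the
# institution where the impostor opened or took over an account in the victim's name.
COMPLAINTS: List[str] = (
    ["Alpha Bank"] * 50
    + ["Beta Telecom"] * 30
    + ["Gamma Savings"] * 12
    + ["Delta Credit Union"] * 6
    + ["Epsilon Trust"] * 2
)

# Constructed total deposits, in billions of dollars, for the financial institutions.
# Beta Telecom has no deposit base, so it cannot appear in the normalized ranking.
DEPOSITS_BN: Dict[str, float] = {
    "Alpha Bank": 500.0,
    "Gamma Savings": 40.0,
    "Delta Credit Union": 10.0,
    "Epsilon Trust": 1.0,
}


def complaint_counts(complaints: List[str]) -> Counter:
    """Raw number of complaints per institution (the frequency ranking)."""
    return Counter(complaints)


def rank_by_count(counts: Counter) -> List[Tuple[str, int]]:
    """Institutions ordered by raw complaint count, ties broken by name."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def top_n_share(counts: Counter, n: int) -> float:
    """Fraction of all complaints attributed to the n most-complained-about
    institutions (the 'top 25 account for 49.9%' style of figure)."""
    total = sum(counts.values())
    top = sum(c for _, c in counts.most_common(n))
    return top / total if total else 0.0


def incidence_per_bn(counts: Counter, deposits_bn: Dict[str, float],
                     min_events: int = 1) -> Dict[str, float]:
    """Complaints per billion dollars of deposits, financial institutions only.

    Institutions with fewer than `min_events` complaints are dropped (hypothetical
    cutoff): with one or two events the rate says more about the size of the
    deposit base than about fraud at that institution.
    """
    rates: Dict[str, float] = {}
    for inst, deposits in deposits_bn.items():
        events = counts.get(inst, 0)
        if events < min_events or deposits <= 0:
            continue
        rates[inst] = events / deposits
    return rates


def rank_by_incidence(counts: Counter, deposits_bn: Dict[str, float],
                      min_events: int = 1) -> List[Tuple[str, float]]:
    """Financial institutions ordered by normalized incidence, highest first."""
    rates = incidence_per_bn(counts, deposits_bn, min_events)
    return sorted(rates.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    counts = complaint_counts(COMPLAINTS)
    print("By raw count:", rank_by_count(counts))
    print("Top-2 share: %.1f%%" % (100 * top_n_share(counts, 2)))
    print("By incidence per $bn deposits:", rank_by_incidence(counts, DEPOSITS_BN))
    print("Same, ignoring institutions with fewer than 5 events:",
          rank_by_incidence(counts, DEPOSITS_BN, min_events=5))
```

On this constructed data the largest bank tops the raw-count list while having the lowest rate per dollar of deposits, and the smallest bank tops the normalized list on two events; raising `min_events` removes that outlier, which is the kind of judgement call the paper’s methodology has to make with a single-event institution like ING.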

Of course, the available information is limited, and thus the methodology of the paper is not flawless. However, it does shed light on some interesting figures and, perhaps more importantly, on the pressing need for more publicly disclosed information related to identity theft. Why do all this? Chris Hoofnagle says:

Consumers, regulators, and businesses lack objective tools to compare incidence of identity theft across financial and other institutions targeted by fraudsters. Without such tools, consumers cannot “vote with their feet” and choose safer institutions, regulators cannot allocate oversight and enforcement resources to high-risk institutions and practices, and businesses themselves cannot assess how well they perform relative to competitors in fighting this crime. While competition is a powerful force for consumer protection, the lack of information about identity theft makes the market less effective in creating a race to the top among institutions to shield consumers from fraud.

Download the paper here [PDF]

Via Emergent Chaos

Vancouver Identity Theft Ring Busted

Monday, March 3rd, 2008

British Columbia Mounties have just busted a major identity theft ‘hub’ in Surrey that had been the center for identity theft from all over Metro Vancouver.

The operation was run out of the basement of a home in the neighbourhood of Newton. This home served as a “mid-level hub” where stolen mail and identification was brought for processing. The people running the operation were using counterfeiting equipment to create new identification and fraudulent credit cards based on stolen identity documents. The counterfeit documents and cards were then re-sold.

During the raid, police seized credit-card-making equipment, 2,400 pieces of stolen mail from 24 cities in BC and Alberta, currency counterfeiting machines, 500 credit cards, 12 passports, 75 medical cards, hundreds of tax returns, 100 CDs with personally identifiable data for tens of thousands of people, and Canada Post uniforms. Two people were charged with fraud, possession of stolen property and other offences. Charges are pending against 5 other people.

Considering the diversity of information that was obtained, it is clear that you need to beware of all of your personally identifiable information.

Via CBC. Image credit: cohdra @ morguefile
