Archive for May, 2008

OIPC Investigates Data Breach

Friday, May 30th, 2008

The Office of the Information & Privacy Commissioner (OIPC) of British Columbia published an investigation report concerning the Ministry of Health earlier this month.

On October 3, 2007 an employee of X-Wave, a contractor for health insurance billing in New Brunswick, packaged four unencrypted computer tapes into an envelope. The tapes, which contained personal information of residents of British Columbia and New Brunswick, were being sent to Health Insurance BC (HIBC). These tapes did not arrive.

The investigation found that this method of transferring personal information did not meet the security measures required under the Freedom of Information and Protection of Privacy Act. In addition, the existing policies at the Ministry of Health delayed detection of the lost tapes, and notification of affected individuals and of the OIPC was delayed by nearly two months.

OIPC reports that the Ministry breached the Act in the following ways:

  • Sending data on unencrypted magnetic tapes
  • Not requiring the sender to notify the receiver of when the package would be received
  • Not requiring the sender to use a courier with a tracking service
  • Not instructing the sender to refrain from sending more unencrypted tapes while the issue was under investigation
  • Taking 41 days to notify affected individuals of the breach

New Ministry procedures aim to address these issues and to ensure that personal information is no longer transferred in this way. You can read more here.

Via Dan Michaluk ; image: wikipedia

Retailer Breaches Not Disclosed

Thursday, May 29th, 2008

According to a new report from Gartner, many retailers have not reported data breaches to their customers. The study found that 21 of the 50 retailers interviewed have had a data breach, but only 3 of these 21 breaches had been disclosed to the public.

The sample size for the survey is too small to draw firm conclusions about the industry as a whole, but it does highlight a troubling pattern. Gartner analyst Avivah Litan says:

“Sensitive data is being stolen and most of the time it’s not being disclosed. There are a lot more breaches than we hear about.”

This touches not only on consumer trust, but also on compliance with data breach regulations that require consumers to be notified. Companies have noticed the bad press that results from breach notifications, and they don't want to call the same attention to themselves.

The survey did not make clear whether the retailers surveyed had broken state laws by not informing customers, but Litan said it was a possibility. Four companies have been fined by credit card companies for not meeting Payment Card Industry compliance requirements, and another 11 were threatened with fines.

In other retailer news, a survey shows that most retailers using card payment technology will not be ready to meet the PCI DSS Requirement 6.6 deadline of 30th June. This requirement obliges merchants either to put a web application firewall in front of their public-facing web applications or to have completed a code review of those applications so that vulnerabilities are fixed. The main reason given for missing the deadline is that retailers don't understand what they need to be doing, which undermines the purpose of the requirement (PCI DSS is an industry standard set by the card brands, not legislation).

Via PC World, Finance Week ; image: pindiyath100 @morguefile

Absolute Software Wins CODiE Award for Best Data Security Solution

Wednesday, May 28th, 2008

Absolute Software has won the 2008 CODiE award for "Best Data Security Solution" from the Software and Information Industry Association (SIIA).

The CODiE Awards are issued yearly for excellence in software development and corporate achievement. The CODiE Awards program is the only peer-recognition awards program in the software and content industries, giving companies the opportunity to earn praise from their competitors.

The “Best Data Security Solution” award is selected from a wide range of security-related software solutions, including anti-virus products, firewalls, encryption, intrusion detection, etc. ComputraceComplete was selected from a group of six finalist software solutions to win this honor. For a full list of CODiE winners, go here.

To learn more about ComputraceComplete, Absolute Software’s software-as-a-service (SaaS) solution for post-theft computer recovery, remote data delete and off-the-network IT asset management, go here.


Canadian Minister Resigns After Breach

Tuesday, May 27th, 2008

Foreign Affairs Minister Maxime Bernier resigned on May 26th after admitting he left classified NATO documents at the apartment of his ex-girlfriend, Julie Couillard, a former model with past links to members of the Hells Angels.

The NATO documents included information from last April’s summit in Romania, including NATO’s military strategy in Afghanistan. Bernier did not realize he had forgotten the papers until they were returned by lawyers Sunday night, more than a month later, and delayed telling Prime Minister Stephen Harper until Monday afternoon. Bernier then resigned from his post.

“Mr. Bernier has learned and informed me that he left classified government documents in a non-secure location,” said Harper. “This is a serious error and the minister has accepted his responsibility.”

Stephen Harper called a news conference just hours before Julie Couillard made claims that Mr. Bernier had been careless with government papers. The government has received a lot of public criticism for Mr. Bernier’s relationship with Ms. Couillard, though Harper has been defending Bernier’s right to privacy.

“Let me be very clear: this is not to do with the minister’s life or the life of a private citizen, 99 percent of which I think is completely off bounds,” said Harper.

David Emerson was named to replace Bernier as Foreign Affairs Minister, and Bernier's bio has been completely wiped from the Stephen Harper website. The police are looking into allegations raised about this and other matters, as described here, and into whether this will be treated as a criminal offence involving a breach of national security.

hat tip: flyinghamster ; via Globe and Mail, CTV

Bank of New York Mellon Breach Affects 4.5 Million

Friday, May 23rd, 2008

Who Breached: Bank of New York Mellon
Number Affected: 4.5 Million
Information breached: Social Security Numbers
How: backup tape lost

The Bank of New York Mellon has exposed the data of 4.5 million people after an unencrypted backup tape disappeared three months ago while in the custody of a third-party storage company, Archive Systems. Archive Systems was to transport ten tapes to a data storage facility, but one went missing.

The missing tape, which contains Social Security Numbers and bank account information for 4.5 million consumers and investors, disappeared on February 27, 2008. The lock on the transportation truck was damaged, so it is possible the tape was stolen. The Bank of New York Mellon has not addressed concerns about why the backup tapes were not encrypted, and no information about the breach is available on the bank's website.

Attorney General Richard Blumenthal says that the breach “seems highly dangerous” and potentially devastating with the threat of identity theft. Blumenthal is demanding that Bank of New York Mellon provide affected customers with more than just credit monitoring (suggestions include identity theft insurance and free credit freezes).

“I am especially concerned by the delay in informing consumers, possibly heightening the risks of wrongdoing. Neither People’s nor its customers were promptly notified. Even now, many may be in the dark.” – Blumenthal

Although the data breach occurred three months ago, consumers only began to be notified six weeks ago. The second half of affected consumers are being notified this week.

You can read more from Richard Blumenthal’s letter here. [PDF]

Via attrition, norwalk plus, sc magazine, reuters, informationweek ; image: clarita @morguefile

Orphaned Accounts an IT Security Risk

Friday, May 23rd, 2008

A new survey released by Symark and eMediaUSA highlights the security risk posed by orphaned accounts. Orphaned accounts are user accounts that remain active after an employee has left a company. The study reveals that 42% of businesses do not know how many orphaned accounts they have, and 30% have no procedure to locate and remove them.

The survey polled 800 security, IT, HR and C-level executives across all industries about orphaned accounts and the processes in place to find and remove them. When an employee leaves an organization, IT and security administrators should make it a priority to shut down access immediately. However, many IT staffers are overworked and this step is overlooked. Failure to terminate employee access creates holes in security that external attackers or malicious insiders can exploit.

Other findings from the survey:

  • 27% of respondents say that >20 orphaned accounts exist in the organization
  • 30% say it takes more than 3 days to terminate access, 12% say it takes more than a month
  • More than 38% have no way to know if an orphaned account was used to access information
  • 15% said an orphaned account has been used to access information at least once

The survey indicates, at the very least, that there is a hole in IT security that needs to be patched. In some cases, it is clear that orphaned accounts are still being used, and this is a significant risk to security.

“Controlling access to proprietary systems and information continues to present an IT security challenge… gaps in access and entitlements control — and the significant audit defects resulting from them — are one of the concerns most frequently mentioned in focus interviews,” said Scott Crawford, research director at Enterprise Management Associates.

Larger companies face more complex challenges in managing employee access. Limiting access, and revoking it when an employee leaves the company, is a vital step to ensuring data compliance. Policies and technologies should be put in place that can manage and revoke user access easily.
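The simplest technology that addresses this is a regular reconciliation of the account directory against the HR roster. The script below is an added example, not code from Symark, eMediaUSA or the original post: it reads a constructed directory export and a constructed HR roster, flags every enabled account whose owner is terminated, unknown or blank, reports how many days each has outlived its owner's departure, and records whether the account was used after that date (the evidence the survey says 38% of organisations cannot produce). The column names, the sample rows and the three-day service-level threshold (chosen to match the survey's "more than 3 days" figure) are all assumptions.

```python
"""Reconcile an account directory export against an HR roster to find orphaned accounts.

Added example, not from the survey or the original post. Both CSVs below are
constructed sample data; real exports (an AD/LDAP dump, an HR system report)
will have their own column names, so adjust the keys used below accordingly.
"""
import csv
import io
from datetime import date

# Constructed HR roster: one row per person, termination_date blank for current staff.
HR_ROSTER = """\
employee_id,name,status,termination_date
1001,Alice Adams,active,
1002,Bob Brown,terminated,2008-03-14
1003,Carol Chen,active,
1004,Dan Diaz,terminated,2008-05-19
"""

# Constructed directory export: login, owning employee_id, enabled flag, last successful logon.
ACCOUNT_EXPORT = """\
login,employee_id,enabled,last_logon
aadams,1001,true,2008-05-22
bbrown,1002,true,2008-05-02
cchen,1003,true,2008-05-21
ddiaz,1004,true,2008-05-20
svc_backup,,true,2008-05-22
jold,1099,true,2007-11-30
"""

AS_OF = date(2008, 5, 23)   # fixed report date so results are reproducible (use date.today() in practice)
SLA_DAYS = 3                # assumed deprovisioning deadline, after the survey's "more than 3 days" figure


def parse_date(s):
    """Return a date for an ISO string, or None for a blank field."""
    return date.fromisoformat(s) if s else None


def find_orphans(hr_csv, accounts_csv, as_of=AS_OF, sla_days=SLA_DAYS):
    """Return one finding per enabled account with no active owner in HR.

    Flags accounts whose employee_id maps to a terminated employee, is absent
    from HR, or is blank (an unowned service account). Disabled accounts are
    skipped because there is nothing left to revoke.
    """
    hr = {row["employee_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].strip().lower() != "true":
            continue
        owner = hr.get(acct["employee_id"])
        if owner and owner["status"] == "active":
            continue  # legitimate, owned account
        term = parse_date(owner["termination_date"]) if owner else None
        last = parse_date(acct["last_logon"])
        days = (as_of - term).days if term else None
        findings.append({
            "login": acct["login"],
            "reason": ("terminated owner" if owner
                       else "no owner" if not acct["employee_id"]
                       else "owner not in HR"),
            "days_since_termination": days,
            "past_sla": days is not None and days > sla_days,
            # Any logon after the termination date is the signal auditors ask for.
            "used_after_termination": bool(term and last and last > term),
        })
    return findings


if __name__ == "__main__":
    for f in find_orphans(HR_ROSTER, ACCOUNT_EXPORT):
        print(f"{f['login']:<12} {f['reason']:<18} "
              f"days={f['days_since_termination']!s:<5} past_sla={f['past_sla']!s:<5} "
              f"used_after_termination={f['used_after_termination']}")
```

Run against the constructed data, the script reports four accounts: two whose owners were terminated (one of them used seven weeks after the owner left), one service account with no recorded owner, and one whose owner does not appear in HR at all. The last two categories are the ones a naive "disable on termination" workflow never catches, which is why the reconciliation should run on a schedule rather than only as part of the leaver process.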

If your company were surveyed, how well would you fare with these questions? Are there orphaned accounts you may not even realize you have?

Via tech target, business wire ; image anitapatterson @morguefile

Google Health Launches

Wednesday, May 21st, 2008

Google Health, which gives users instant electronic access to their health histories, launched this week. The service allows users to link information from pharmacies and care providers, with plans for more health information access.

Partnerships with Google Health have already been announced with Walgreen’s, CVS, Longs Drugs Stores, AllScripts, Quest Diagnostics, and the Cleveland Clinic.

Users sign up to allow Google Health access to health information, giving users opportunities to customize their profile with information on prescriptions and doctors. Users can also search for doctors from within the system. Google has been receiving millions of search requests from people trying to find information about injuries, illnesses and treatments, and Google Health was their solution.

In general, privacy watchdogs feel Google already has access to too much information about its users, and this merely adds to that. Google Health is not covered by the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, a covered entity that holds your records generally cannot release them to a third party in a legal proceeding without a subpoena or court order and notice that gives you a chance to object.

Once you place your health records in Google Health, those HIPAA protections no longer apply. The Google privacy policy may not protect your medical records as strongly as they should be protected. Google representatives say that health information is stored on the most secure computers at Google, but the Google TOS gives some pause. Unless you actively disable it, you are giving Google a licence to pass your data to third parties:

If you create, transmit, or display health or other information while using Google Health, you may provide only information that you own or have the right to use. When you provide your information through Google Health, you give Google a license to use and distribute it in connection with Google Health and other Google services. However, Google may only use health information you provide as permitted by the Google Health Privacy Policy, your Sharing Authorization, and applicable law. Google is not a "covered entity" under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder ("HIPAA"). As a result, HIPAA does not apply to the transmission of health information by Google to any third party.

The privacy policy says that a copy of your data may still be retained after you disable such access:

If you share your information with others, you can view a list of who has access to your information and you can revoke sharing privileges at any time. When you revoke someone’s ability to read your health information, that party will no longer be able to read your information, but may have already seen or may retain a copy of the information.

Google explains the difference between their policies and HIPAA in this blog post and in this very handy comparison chart. It does help to answer questions about security, although I still think the “access by default” approach is a dangerous one. In the end, you must decide if you trust Google enough to have access to your information. And you must take an active role in determining what third parties, if any, you wish to access that information.

What do you think of Google Health? Will you sign up?

Via ZDNet, AP, Technology Review

Canadian Government ID Theft Flyer

Tuesday, May 20th, 2008

I opened up my mail this week to see a flyer from the Canadian Conservative Government via our MP Stockwell Day. The front of the flyer is shown above. There is a quote on the back as follows:

“This Government is following through on its commitment to give police the tools they need to better protect Canadians by stopping identity-theft activity before the damage is done.” – Rob Nicholson, Minister of Justice

According to the flip side, the Canadian Conservative Government is putting forward tough new laws to prevent identity theft, to compensate victims, and to put identity thieves behind bars. I am supposed to cut out the bottom half of this flyer and return it with the answer to this question as “Yes” or “No”:

“Do you support the Conservative Government’s tougher laws against identity theft?”

Sounds great – proactive, right? I have a problem with it though. There is no information about what these laws are, what they do, or where I can learn about them. No website, nothing. I have absolutely no idea to which law the flyer refers.

So, if a member of the Conservative Government would like to fill the public in on which of the multiple identity theft bills before Parliament they are referring to, I’d be happy to answer their survey.


5 Data Device Security Tips for International Travel

Friday, May 16th, 2008

Last month, a United States court ruled [PDF] that border agents may search your data devices, without cause, as you enter the country. The ruling does not address encrypted devices, but in practice you may be asked to hand over your password or encryption key.

The US government has the right to download the entire content of your laptop or data device, and to keep it indefinitely. And according to security expert, Bruce Schneier, these types of searches are happening at the borders of many countries. There has been a major backlash to this from every corner, including from civil liberties groups and from the business community.

Business travelers who carry sensitive information may have to expose this information – aside from breaking confidentiality, it can also result in a data breach incident. Copied and seized data may be subject to breach notification laws, since such data has been exposed and can no longer be accounted for. If you want to take action against this violation of digital privacy, you can learn more here.

1. Hide Your Data

Bruce Schneier advises one solution: keep your important data in a second, encrypted volume on your drive. Programs like PGP Disk or TrueCrypt will let you encrypt a portion of your hard drive with a strong password, and you can hide the icon for added protection. The data would not be obvious on a casual inspection, though forensic software could find the volume. Take note that if security officials ask whether there is an encrypted partition, you are legally required to answer truthfully.

2. Limit Your Data

This is the easiest solution: if you don't have the data, it can't be found. Delete any unneeded information (old emails, photos, confidential documents) with a secure file erasure program. Delete your browser's cookies, cache and browsing history before heading through security. IT administrators using Computrace can also use its Data Delete function to securely erase files. Turn your computer off before heading through, and clean out your other devices in the same way.

3. Use a VPN

Some companies are issuing laptops for travel that are “clean” of any pre-existing data. Once the traveler is at the destination, the data can be downloaded over an encrypted virtual private network. The data can be re-synced before exiting the country, and the laptop wiped clean once again.

4. Ship It

Put sensitive data onto an encrypted drive or card and let FedEx get it to your destination for you.

5. Store It Online

If you don't have a VPN set up to download information onto a clean laptop, you can set up a similar system on your own. After deleting the information you don't need, Chris Soghoian of CNet recommends encrypting the data and uploading it to one or two secure places on the web, such as Amazon S3. Then wipe the laptop clean with a secure file erase.

Sources: guardian, gizmodo, eff, cnet, info week, us politics, idg
Photos: morguefile by pdell, ppdigital, somadjinn

Hacker Exposes Data of 6 Million Chileans

Thursday, May 15th, 2008

Who Breached: Chilean Government
Number Affected: 6 million Chileans
Information breached: Identity Card Numbers
How: Hacker

A hacker, known ironically as “Anonymous Coward”, has exposed the personal data of 6 million Chileans.

Police Chief Jaime Jara confirms that the data of 6 million people was stolen on Friday from servers at the Education Ministry, the electoral service and the military. The information was posted briefly (less than 24 hours) online in the comments section of a popular Chilean technology blog, Fayerwayer.com, in three compressed files. Data included identity card numbers (like SSNs), addresses and more.

Although the data was quickly removed, it had been linked to by many other websites, and several sites were re-posting the files almost immediately. The data was very likely downloaded, and it could still appear on additional websites.

The hacker took the data to prove a point. According to a note online, he took it in order to “demonstrate how poorly protected the data in Chile is, and how nobody works to protect it.” The hacker even gave instructions on how to download the information without being traced.

Indeed, the point has been proven. Focus is now on government IT security and lax privacy laws, including the regular selling of election voter data. The news has garnered additional attention since the data contained the information on the daughter of the Chilean president.

A prosecutor, a specialist in high-tech crime, was appointed yesterday to investigate how the hacker gained access to the data. The government has announced plans to strengthen data protection with new legislation.

Another notable breach this week so far has affected 13,000 Pfizer employees after a company laptop and flash drive were stolen.

Via attrition, AP, ABC, AP
