Archive for January, 2010

Who Breached: Ontario Teachers Insurance Plan
Number Affected: 8,600
Information breached: Social Insurance Numbers
How: laptops stolen

On December 3rd, laptops containing the private information (names, address, social insurance numbers) of about 8.600 Ontario teachers was stolen from the Waterloo offices of the Ontario Teachers Insurance Plan. Those affected were notified of the breach in mid-January.

The theft is characterized by police as a “smash and grab” with the laptops being one item among those stolen. This theft comes one month after a USB key containing some personal health information of 80,000 people was lost in Ontario.

It is not clear what security precautions, if any, were on the stolen laptops. We do know the laptops were unencrypted, so likely other security precautions were also not taken.

Act now to protect your own assets and the information on those assets by having a strong mobile data security policy and calling Absolute to ask about our laptop security solutions. For those in the healthcare field, please refer to our Healthcare Resources page.

Today’s World Data Privacy Day and what better way to spend it than to take a look at the effects of data breaches. The Ponemon Institute and PGP have released a new report about the Cost of a Data Breach in 2009. In 2008, the cost was found to be $202 per breached record. The 2009 cost per breached record increase to $204, a very marginal increase from the previous year. But it adds up.

The 2009 study examined the records of 45 U.S. companies that experienced a data breach that year, with records lost in the range from 5000 to over 101,000. The study found that, for the first time, companies are spending more on technologies to prevent and remediate breaches. The organizational cost of a data breach, on average, was $6.75 million. The most expensive breach resolution recorded in the study was $31 million.

Given the first-ever increase in technology spending in this category, the areas where spending was concentrated included technologies in encryption, identity and access management, data loss prevention and endpoint security.

In a similar study, the Ponemon Institute found that the cost of a lost laptop in 2008 was nearly $50,000. It is encouraging to see that companies are paying attention to these costs – which include lost customer trust and loyalty - and are investing in technologies, such as those offered by Absolute Software, to mitigate these costs.

What are you doing to help stop data breaches in your organization?

Image: clipart

I have to admit, I’m a sucker for a good title. This post on Help Net Security – “Online Fraud: Avoiding the Seven Deadly Sins” – caught my eye for obvious reasons. It’s a basic 7-step program to reduce the treat of online transactions from the corporate perspective – not the consumer perspective, as is so often the case. These tips can help reduce the risk for customers doing business with you online – a good thing!

1. Log transactions
2. Pay attention to browser and http header information
3. Don’t transact with automated scripts (BOTS)
4. Keep your fraud tactics covert
5. Pay attention to mobile commerce
6. Mask sensitive data
7. Don’t allow non-words in data fields

Read more about these ’sins’ here. And for further reading, check out this great article: Secure Online Transactions

Image: clipart

The first HIPAA-related lawsuit has just been filed by Connecticut Attorney General Richard Blumenthal. The AG is suing Health Net of Connecticut for failing to secure private patient medical records and financial information for 446,000 Connecticut residents and for failing to promptly notify those at risk from the breach.

In his lawsuit, Blumenthal is seeking a court order blocking Health Net from further HIPAA violations.

“Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months—most likely by thieves—before Health Net notified appropriate authorities and consumers,” said Blumenthal. “The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable. Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers.”

A forensic consulting firm had determined that the data at Health Net was easily viewable, lacking encryption or other protections from unauthorized access. This went against company policies and against HIPAA compliance law.

For more about HIPAA, see our past articles here and here.

Via IronKey Blog, Health Imaging ; Image: clipart

With the most recent update to Facebook privacy settings (December 2009), there are some new things you should know and steps you should take to safeguard your privacy. Though a “wizard” guided Facebook users through the changes after the new settings rolled out, several settings were changed by default and were not included in the wizard. Many of these changes made information public by default, which is not something many users would want (and which the FTC is complaining about).

There are 4 levels of privacy in Facebook, with “everyone” meaning that all your information is available to search engines. The most private setting is “Only Friends”.

In order to review your privacy settings, go to Settings > Privacy Settings in Facebook. You will want to review the privacy settings on all the first 4 sections. The website “Make Use Of” suggests the following actions to review your settings:

• Create / Make use of Friend Lists
• Control Search Visibility
• Control Who Sees Photos
• Control Wall Notifications
• Control Relationship Status / Contact Information Visibility

The new Facebook privacy settings offer a lot more options to protect your information at a granular level if you take the time to alter your settings. So, make yourself aware of the options and choose wisely!

Via makeuseof

While at CES, where we made the big announcement that LoJack for Laptops would now have Intel Anti-Theft Technology, we gave a couple of video interviews. Those interviews have made their way to YouTube.

First up, an interview with Stephen Broscoe of Absolute Software for GeekNews. Stephen talks about the new partnership, explaining how LoJack for Laptops works with Intel AT to lock down missing laptops. You’ll also get some handy information about many of the purchasing methods for our software – and you can, of course, find more on that here.

This second segment is with iGizmoMag interviewing Richard Cohen. This interview gives you a good primer into how our software works as well some insight into how much else is often recovered when a laptop is found (I bet you never thought of that part!):

Five Computrace equipped laptops were stolen from an office burglary in late 2009, though with a little help from the Absolute Theft Recovery Team, police recovered four soon after. These recoveries pointed directly to a suspect, resulted in an arrest, and conveniently, an informant. Police were tipped off to a second suspect, who Absolute was able to confirm as the unauthorized user of the fifth machine. An investigator paid a visit to the suspect’s residence.

As it would seem, laptop theft was among the suspect’s many unlawful hobbies. The victim’s laptop was recovered from the home, along with three other computers that did not have Computrace installed. Additional stolen property was also seized, as well as narcotics and a substantial amount of Napalm. The suspect was arrested, and will soon be joined by four of his associates who are being detained in connection to the case.

Please note that indictments and criminal complaints are merely unproven accusations and the accused in all cases are presumed innocent until proven guilty.

Absolute Software announced yesterday that Computrace now accepts remote commands via SMS sent from the Absolute Customer Center, in addition to the previous communication over the Internet. IT administrators now have two quick and easy ways to remotely communicate with, and disable, laptops. This is a huge asset if a laptop goes missing, enabling IT administrators to mitigate potential data breaches much more quickly.

The new feature is called Monitoring Center Initiated Calling (MCIC) allows for a Computrace Agent call to happen as soon as possible, vs waiting for a routine check-in call. The SMS command tells the laptop to phone home. IT administrators can use MCIC so that they can remotely execute Computrace functionality, including location tracking, deletion of sensitive data, and Intel® Anti-Theft Technology locking.

For more about this piece of news, read here.

Mashable put together a popular article recently entitled “3 Ways Educators Are Embracing Social Technology”. The article talks about the challenges teachers face with budgets and small class sizes alongside changing technologies. The article also talks about how these new technologies are being embraced to fight back against the onslaught of problems.

The three social media technologies talked about in the article are Skype, mobile phones and Twitter.

Examples in the article include using Skype for language learning (calling a class in another country), using mobile phones to ask teachers questions via SMS, and using Twitter to encourage collaboration outside of the classroom.

The studies included found that the use of these technologies increased student motivation, increased attentiveness and overall learning. The overall summary of this is to think outside the box in how to integrate new technologies to create a rich learning environment for students.

We have talked in the past about the successful integration of laptops into the learning program and how technologies increase student achievement. Also be sure to check out our Student Laptop Security site for tips on protecting your laptop at school.

In the wave of the terrible 7.0 earthquake in Haiti, we all want to help out.  But we must take the time to make sure our contributions to charity are actually going to charities and not to online scammers. As this CNet article highlights, online scams are not new in the wave of major natural disasters.

“After Hurricane Katrina, it was reported that there were some 4,000 bogus Web sites (for donation), and in that disaster we knew in advance that it was coming, so some of those Web sites even popped up before the hurricane hit, but you’re certainly seeing the same effect today,” said Sandra Miniutti, director of marketing for Charity Navigator

The FBI have put out a release reminding everyone to donate money only to charities you know and trust and only by directly typing URLs for those charities. Beware of unsolicited emails requesting charity donations and do not give your personal or financial information to anyone seeking contributions.

Read here for more tips on avoiding charity scams.

If you’re in Canada, remember that the government is matching your donations. All of us at Absolute are taking full advantage of it, and we encourage you to donate too.