As the result of a hacker penetrating their e-commerce system, Network Solutions has determined that approximately 573,938 credit card holders may have had their data transfered. The company detected that hackers had placed unauthorized code on servers for some e-commerce merchants’ websites, and that this code may have been used to transfer data on some transactions. The credit card data was encrypted and PCI-compliant, and it is currently unknown how the malicious code entered the system.

From their news report:

The unauthorized code may have been used to transfer data on certain transactions for approximately 4,343 of our more than 10,000 merchant websites to servers outside the company. On July 13, 2009, we were informed by our outside forensic experts that the data being transferred may have included credit card information. The code may have captured transaction data from approximately 573,928 cardholders for certain periods this spring.

Merchants and their customers are currently being notified. Network Solutions has additionally put together an informational website for their merchants at careandprotect.com. Consumer information is also included there for reference. They have included a blog in the website to answer questions that have arisen in the last week.

The quick and forthright response by Network Solutions has been quite impressive. They seem very keen to answer questions and be public with their responses. In addition, they have offered to foot the bill for customer notification, rather than those costs falling to the merchants affected.

Other notable data breaches from July:

• HSBC Life, Lost Media, 180,000 affected (read more)
• University of California San Diego Moores Cancer Center, Hack, 30,000 affected (read more)
• LexisNexis, possible organized crime, >13,000 (read more)
• Alberta Health Services Edmonton, Virus, >11,000 (read more)

Via datalossdb, the register,

In a conference call with investors, Heartland’s CEO, Robert Carr, shared the financial damage that was the result of the Q1 breach. They say that of the $12.6 million charge, less than $1 million is related to fines by Visa, but more than 50% of the cost is associated with a fine from MasterCard. The company is contesting the fines, which allege a failure by Heartland to take appropriate action upon learning of the network compromise.

Carr has been frank about talking about the data breach, and lays some blame on the payment industry itself for not having stringent enough best practices. Though I think it’s great that Heartland is encouraging new best practices, those best practices are a baseline of efforts in any industry. Companies should always be considering their particular risk factors and taking any added measures necessary to mitigate those.

Heartland was recently re-certified as PCI DSS compliant by Visa, MasterCard and Discover. However, much damage has been done to their reputation and, fines aside, the costs of this breach have been severe.

Image: Clipart

It’s been a while since I’ve done a major highlight of any recent data breaches. They keep happening, to be sure, but the details often start to look the same. However, this one caught my eye from it’s magnitude. The Oklahoma Department of Human Services (OKDHS) is notifying more than 1 million residents of the state that their data has been breached as the result of a stolen, unencrypted, laptop.

According to their press release, a password-protected OKDHS laptop was stolen from an employee vehicle (a far too common theft location). The laptop contained names, Social Security Numbers, dates of birth and home addresses for clients who received Medicaid, Child Care assistance, and other program assistance. The laptop was stolen on April 3rd with a press release going out from OKDHS on April 23rd. Letters to affected clients started to go out in the same week.

OKDHS Director Howard H. Hendrick believes the “risk of the data being accessed is low because the computer uses a password protected system,” which is only a very minor security protocol. There’s no guarantee the password was strong and, even with strong password-protection, systems with no additional security precautions pose a high risk for being easily accessed. It is believed that the employee was not violating any policy in place, indicating that the current information security policy does not deal with taking data home or with proper data asset handling.

According to the Security Incident FAQ, OKDHS believes they have “numerous security measures” in place already to ensure client data is safeguarded, but plan to review all policy, procedures and training methods. Let’s hope this sheds some light through the entire organization about how much more can – and should – be done to protect sensitive information.

You can help prevent data breaches such as these, or recover from them more easily, with strong computer security policies, enforcement and training and software such as Computrace from Absolute, which offers many layers of security protection.

Via SC Magazine

Highlights from the study include:

• 91% of all compromised records were attributed to organized criminal groups
• 99.6% of records were compromised from servers and applications
• 74% resulted from external sources
• 20% resulted from insiders
• 69% were discovered by a 3rd party
• 67% were aided by significant errors
• 32% implicated business partners
• 95% of data breaches were rated as high difficulty requiring advanced skills, significant customization, and/or extensive resources

The most successful breaches involved an attacker exploiting some mistake made by the victim, allowing them to hack into a network and collect data. Hacking and malware were the top single causes of breaches, both up from the figures for 2007.

Although much of the response to this survey has been on the thread of insider threats being lower than expected, I have to argue that the data seems in line with previous data. Although there is an indication that insider threats will go up for 2009, the 20% insider data breach figure quoted here is actually higher than the previously estimated 15.7%. I think fear of future insider threats has simply muddled our perspective of the past year.

The data about insiders, however, has been more revealing. On a per breach basis, insiders were responsible for more records lost, on average, per breach than other causes, such as external sources or partners.

The report suggests that mitigation efforts be focused on ensuring essential controls are met; finding, tracking & assessing data; collecting and monitoring event logs; auditing user accounts and credentials; and testing and reviewing web applications.

Download the breach report here [PDF].

1. Dozens of files with Social Security Numbers for public housing residents were dumped on the street in New York. People were seen picking up the loose papers, raising concerns of identity theft. The New York Housing Authority has policies to shred documents for disposal, but that policy was overlooked. [read more]
2. Medical records were found discarded in a trash bin at a convenience store in Shreveport; Social Security Numbers were included. A Doctor has admitted to his mistake in improperly disposing of the files. [read more]
3. Files about seriously ill patients at a New York hospital were found 2 miles away on the pavement. The files contained name, age and medical history, breaching confidentiality though not risking identity theft. [read more]
4. A Dallas man found a box of medical records, including Social Security Numbers, the the parking lot at a storage business. The storage unit belonging to a doctor was broken into and the records left out. [read more]

I think we can learn some important things from these breaches of trust and data. Most indicate a lack of awareness about the data and how it should be treated for storage and disposal. Policies to restrict how data moves about – whether paper or electronic – should be considered. The data retention policy should define how information is disposed of, which can include policies on shredding or purging electronic devices. In terms of data storage for physical papers, standard consumer storage facilities may not have enough security; try looking for companies that specialize in business data storage.

As we shared in a report earlier this month, data breaches at small companies often go unreported. There’s a great deal of education that needs to be done to small business owners – including those practicing in the medical fields – about how to securely handle confidential data in all stages of its life cycle.

Hat tip to databreaches.net ; image: clarita @morguefile

With more than 580 institutions affected by this data breach, it should be no surprise that lawsuits would follow. A PA-based law firm filed a class action lawsuit against Heartland in January, accusing Heartland of belated and inaccurate notifications of the breach and inadequate security precautions. In addition, this week 8 banks and credit unions filed lawsuits against Heartland over its failure to protect credit and debit card data. The lawsuits seek compensation for the costs of breach notification and re-issue of cards by the financial institutions. Where fraud has occurred, the banks also seek recompense.

Other large breaches: the Arkansas Department of Information Systems lost a data tape from storage (807,000 affected), and it appears that information about the communications, navigation and management electronics on Marine One (the Presidential helicopter) were accidentally leaked onto a peer-to-peer file sharing network. It was thought for a week that there was a new large payment processing breach, but Visa has issued a statement that clarifies that breach notifications pertain to existing, not new, issues.

It also caught my eye that the Berkeley Center for Law & Technology and the Berkeley Technology Law Journal are holding their 13th annual Security Breach Notification seminar on March 6th. The seminar talks about identity theft and changes coming in the future. You can learn more here. If you can’t make it, check out some resources here.

Image: Clipart

The National Nuclear Security Administration (NNSA) wrote [PDF] to the LANL about the most recent computer theft expressing concern that the apparent “robustness of cyber security implementation” was not being vigilantly overseen. They say there are issues with individual security controls but also configuration management and accountability issues.

“In treating this initially as only a property management issue, my staff and I, and apparently the cyber security elements of the laboratory, were not engaged in a timely and proactive manner to assess and address potential loss of sensitive information.”

The quote above indicates a common misconception – that the loss of data devices is a property issue, not a data security issue. The memo advices LANL to treat all loss of equipment that can carry data – not just computers – as a cyber-security concern.

The letter revealed that 13 LANL computers have been stolen within the last year and that 67 are currently “missing.” Very little data was available – or collected – about what data has been compromised as the result of these breaches. Jeffrey Berger, director of communications at LANM, says that no classified data was held on any of the lost devices and thinks the leaked memos “distorted” the situation.

Los Alamos has suffered 3 major public breaches in the past, so none of this experience is ‘new’ to them. A system like Absolute Software’s Computrace could help with the asset tracking that appears to be a major problem for the lab – so they would know, in seconds, where every single computer is.

Via AFP, eweek, CNet, Computerworld, WSJ

The breached data includes contact information such as email addresses, phone numbers and usernames/passwords, but does not include personal data such as Social Security Numbers or financial data, as that is not data collected by the company. The breach affects USAJobs.gov (official job site for the US Federal Government) as well as Monster.com.

Despite the fact that SSNs and financial data was not breached, consumers should still be concerned about their lost data. Email addresses and other personal information can be used in various identity theft scams as a means to gain higher-level personal data. If consumers use the same access username & password for banking services, which is all too common (41% user the same password for everything, via Sophos), this information can be used directly in fraud or identity theft.

Here’s an opinion video from Sophos about the Monser.com breach and why it’s important:

In August 2007 Monster.com experienced a data breach that affected 1.3 million people, who then were targeted by phishers, and in October of the same year another a hacker hijacked job listings to infect visitors with malware.

Monster.com recommends that its users change their passwords (making it mandatory on the site), with a warning to not fall prey to phishing attacks based on that premise. Monster.com will not be contacting consumers about this breach, by email or by mail.

For tips about choosing a strong password, read here or here.

Via I’ve been mugged

In the report, the FTC makes 5 recommendations to reduce the role of SSNs in identity theft. One of the recommendations is that Congress take action to strengthen procedures that private-sector organizations use to authenticate identities; they are pushing for nationwide standards in authentication. The task force believes that stronger authenticaton would make it more difficult for criminals to use stolen information, SSNs included, to impersonate consumers. As the report notes:

“Identity theft continues to be a major problem in this country, with victims numbering in the millions each year and out-of-pocket losses (primarily to businesses) in the billions of dollars.”

The Commission’s five recommendations are:

• Improve consumer authentication
• Restrict the public display and the transmission of SSNs
• Establish national standards for data protection and breach notification
• Conduct outreach to businesses and consumers
• Promote coordination and information sharing on use of SSNs

The task force believes that better authentication will make it more difficult to use SSNs to open new accounts or access existing accounts or services. They hope that this will, in turn, limit the demand for SSNs by criminals. Currently financial institutions that are federally regulated by banking agencies are the only private companies subjected to nationwide authentication standards.

You can continue reading more about that here, or read the more comprehensive Task Force Report here [PDF].

Via data breach watch

In a breach to rival those of TJX (~45 – 94 million) in the US and HMRC (25 million) in the UK, Heartland Payment Systems announced on January 20th that they have uncovered malicious software in their processing system. Cyber criminals gained access to their network and to the 100 million credit card transactions it handles each month.

Although no merchant information or Social Security Numbers were compromised, data that was improperly accessed included the information on a card’s magnetic strip (card number, expiration date, bank codes), which could be used to duplicate the cards. Heartland says that it cannot estimate the number of records that may have been accessed.

Avivah Litan, analyst at Gartner, calls the Heartland Payment Systems breach the “largest card-data breach ever“. Heartland’s president says it’s too early for such a “speculative” statement.

Heartland has set up a breach website with a statement of the incident:

“After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network.”

At the time of this breach, Heartland did not have real-time monitoring of network activities that would have detected the access. The company recommends that customers examine their monthly statements closely and to report any suspicious activity.

Earlier this month, CheckFree Corporation also notified more than 5 million customers that criminals took control of several of their domains and redirected customers to malicious websites.

Via FOX, Computerworld, WSJ