The black market for data is much more sophisticated than most people realize. It’s not a “one price fits all” scenario. There are price points, just like in any advanced market. And, just like the same markets, there are services provided to prospective customers.

Francois Paget of McAfee’s Avert Labs blog has shared a discovery about the prices going on different “quality” levels of data on the black market.

Avert Labs has discovered a “price list” for everything from credit card numbers to bank account logins and other personal data that is sold in the underground economy. A tip led them to a website that was auctioning off data, including bank logons and credit card information, with prices such as:

• Washington Mutual (US), balance $14,400 (sell price 600 euros/$924)
• Citibank (UK), balance 10,044 pounds/$19,626 (sell price 850 euros/$1,310)

If you buy a bank account login, and the data owner has cancelled the account within 24 hours, they’ll even give you a replacement stolen account.

So, the black market is an organized system with value for quality, and even customer service. The same website sold information in “bundle prices” and offers free data only a daily basis, as “goodies” to entice their sale.

Visit the Avert Labs site for more information and screen shots of the system in question.

Via CNet Tags: black market, data, data resale, underground economy, data breach, personal data, data resale, identity theft, fraud

Who Breached: University of Virginia (UVa)
Number Affected: 7,000
Information breached: Social Security Numbers
How: laptop theft

Daily Progress is reporting that the University of Virginia (UVa) has breached the information of 7,000 students, staff and faculty members as the result of a laptop theft. The laptop contained personally identifiable information including names and Social Security Numbers.

The laptop was stolen from an employee at an “undisclosed location” off-campus in Albemarle County. Carol Wood, UVa spokeswoman, said that letters have been mailed to those affected by the data breach.

Students have been expressing their concern and frustration that their personal data would be left on an unsecured laptop despite the myriad of data breaches caused by such negligence.

The University of Virginia experienced a data breach in June, 2007 that was the result of a hacker accessing 5,735 faculty records over a two-year period. The University claims that the use of Social Security Numbers as a personal identification number was being phased out. Obviously, not soon enough.

Other notable data breaches this week:

• Joliet West High School hacked, breaches data for “about every student”
• New York-Presbyterian Hospital/Weill Cornell Medical Center finds 40,000 person breach in audit, likely stolen by an employee

hat tip to Attrition.org ; Tags: laptop theft, laptop security, data breach, breach, security breach, education breach, identity theft, id theft, breach notification

Today’s oddball piece of security news: house identity theft! What is ‘house identity theft’? The FBI say it’s the result of combining identity theft with mortgage fraud - the result of which is house stealing. How the criminals do it:

1. Pick your house to steal
2. Assume your identity & create fake IDs
3. Purchase property tranfer forms from any office supply store
4. Forge your signature and use your IDs to sign YOUR house over to THEM

Scary, isn’t it? It’s that easy.

The FBI say that mortgage fraud is growing, and its combination with identity theft could grow as well.

Via network world Image credit: melodi2 @ morguefile Tags: identity theft, house stealing, house identity theft, fraud, mortgage fraud

Who Breached: Hannaford Brothers
Number Affected: 4.2 million
Information breached: Credit, Debit Card Numbers
How: network intrusion

Hannaford Bros. CEO Ron Hodge has issued a statement this week that 4.2 million of its customers have been exposed to fraud due to a security breach. Fraud has been detected already in 1800 cases.

The Maine-based supermarket chain reported an intrusion into its computer network that put 4.2 million customer credit and debit card accounts at risk. The breach affects all 165 of its stores in the Northeast and 106 Sweetbay stores in Florida, as well as a number of independent grocers who sell Hannaford products. The card numbers were stolen during the card authorization transmission processes dating back as early as December 7th. The breach was only contained on March 10th.

Unlike many data breach reporting incidents, the Hannaford Bros. data breach has already been connected with 1800 cases of reported fraud. The fraudulent credit card activity came to light on February 27th. Despite reported fraud incidents, the notification to affected consumers only began on Monday, after the breach had been contained.

Do you think it was socially responsible for Hannaford to wait until after the breach had been contained to warn consumers of their fraud risk?

Via attrition, wmur, cnet Tags: hannaford, data breach, fraud, breach, breach notification, hannaford bros., business security, hacking

HSBC is being hit by a wave of fraudulent activity this week. A savvy customer noticed that his account had been emptied by someone in Bulgaria, and another customer was hit from California and Canada.

Keith, the first customer to notice the fraud, found that money was being taken out of an ATM in Bulgaria and that, after some difficulty accessing any information at all, his money would be credited back in 11-15 business days. No alert was sent to Keith that his credit card was being used outside the country, nor was he called to verify if that was ok.

Emily, the second customer, was informed by the HSBC Fraud Investigator whom she called that:

“their fraud department was so overwhelmed, it was ’still in the developing stage of how we’re going to handle’ it. I asked if she knew how many customers were affected and she stated ‘We don’t even know.’”

The investigator said all customers would be notified by letter, not by phone, due to the magnitude of the fraud. Unfortunately for both these customers, there was no direct way to escalate the call to the fraud investigators without several block attempts from the call center overseas.

Via the consumerist Tags: hsbc, fraud, bank fraud, atm fraud, banks

New Zealand’s Owen Thorn Walker, 18, has been accused of unleashing a mega-botnet that infected more than 1.3 million computers and, as a result, stole more than $20 million.

The teen was said to have been the leader of a group of programmers who created the botnet designed to steal credit cards and manipulate stock trades. Walker now faces up to 10 years in jail, if found guilty under New Zealand law.

Arrests such as this one, and another teen hacker arrest in the US (who infected hundreds of thousands of PCs with adware), remind us that not all cybercrime originates from organized crime syndicates, and that individuals, even teens, can cause significant damage. Botnets have surpassed spam as the largest Internet security issue.

“We worked closely with U.S. and Dutch authorities on this investigation. This arrest is significant not just to New Zealand but the international community as well,” said Detective Inspector Peter Devoy of the New Zealand police, underlining the degree of cooperation now being employed to bring in these individuals.

“Very few people who carry out this sort of offending are ever prosecuted, so the resolution of this case has huge international implications,” he added.

A botnet is a collection of software robots - “bots” - that run autonomously and automatically. This is not always malevolent, but in the case of most botnets, it means that “zombie computers” - compromised endpoints - run programs such as worms and Trojan horses. The BBC estimated in 2007 that up to a quarter of all Internet-enabled computers may be an unknowing part of these botnets.

Via pc world, wikipedia Tags: botnet, hacker, hackers, teen hacker, arrest, zombie computers, bots, internet security, cybercrime, worms, trojans

A hacked laptop is destroying the career of a pop / film star in China. Edison Chen, a pop star in China, took his laptop in for repairs - but, while it was there, its contents were downloaded without his knowledge. Unfortunately for Edison Chen, the worst was yet to come. Very explicit images of Edison and other pop icons were uploaded to the web.

The photos show Canadian-born Edison Chen in bed with eight of Hong Kong’s 10 top actresses and singers. Thousands of photos of this nature were leaked from the laptop. It has become the biggest celebrity sex scandal in the history of the Chinese internet.

The person responsible for copying and uploading the photos is doing so incrementally. For the past two weeks, a few dozen photos have been uploaded each day. Each day creating more scandal for Edison and other celebrities. Images go up on various servers, through various services, over email, and are passed around on memory devices.

Edison Chen made a statement to the press today about the situation. Chen has said he will be removing himself from the entertainment industry - he has quit his job.

“The lives of many innocent people have been affected by this malicious and criminal conduct. And in this regard, I’m filled with pain, hurt and frustration. I hereby use this opportunity to apologise to anyone who has been affected by this strange, strange ordeal,” he said in a short video statement.

Chen admits to taking the photos himself in private. The laptop or its files were not encrypted. Hong Kong police are arresting people suspected of sharing the images, although none of the suspects have been identified as the original uploader. Protests have erupted in China against the ‘crackdown’ going this far.

Via guardian.co.uk, reuters, shanghaidaily Tags: data, data breach, data leak, hacked, edison chen, china, pop star, scandal, encryption

A woman is suing Best Buy for $54 million after her laptop was lost while in for repairs.

Raelyn Campbell brought her damaged computer to Best Buy for repairs on a faulty on/off switch and, after 3 months, the firm admitted to losing the laptop. Campbell has filed a lawsuit with the Superior Court in the amount of $54 million, her valuation for the personal information, lost time and frustration from the laptop loss.

Campbell says her demands escalated in response to stalling from the company. Campbell is claiming to have been misled by information about her laptop’s whereabouts, was concerned when she was not notified about the potential for identity theft, and was ‘insulted’ by the $900 gift card she was offered as compensation.

Raelyn Campbell claims to have thousands of dollars of music and irreplaceable photos on her laptop, contributing to her valuation of its loss. However, I would consider more of that blame to lie with Ms. Campbell for not backing up or otherwise protecting her data.

Ms. Cambell admits to choosing a high lawsuit figure in order to gain media attention. She is not being represented by a lawyer in this case. Offers to settle have been rejected until such time as she feels the loss of the laptop has been explained.

Via red tape chronicles Tags: best buy, lost laptop, identity theft, laptop security, lawsuit

A new study conducted by Websense has determined that most websites offering up attack code (malware) are legitimate domains that have been hacked. This is the first time legitimate sites have outnumbered malicious sites (sites intentionally built to seed malware) in malware attacks.

51% of malicious sites in the latter half of 2007 were compromised (hacked) and seeded with malware that would infect unpatched computers visiting those sites. There are many attractive reasons inviting this change in tactics. Legitimate sites have existing traffic, free hosting, are trusted by consumers, and offer a level of anonymity for the source of the malware (ownership cannot be traced).

Dan Hubbard, vice president of Websense, says:

“More and more, attackers are compromising legitimate Web sites to infect visitors with information-stealing code or to add users’ machines to botnets. Additionally, they are increasing the sophistication of their attack methods and building resilient infrastructures… Organizations need to ensure their Web, messaging and data security solutions can protect the avenues hackers seek to exploit for financial gain.”

The report indicates that this trend of infecting legitimate sites is accelerating. The previous report indicated legitimate sites hosting malware were in the mid-30% range. Sites are now being hacked en masse - with anywhere from 10,000 to 90,000 sites being compromised at once. Exploit tool kits (do-it-yourself malware creation kits) account for 19% of malicious sites created or compromised.

Continue reading the report at Websense.

Via computerworld Tags: malware, it security, security, hacking, scripts, malicious website, web attack, security

Who Breached: U.S. Department of Veterans Affairs (VA)
Number Affected: 12,000
Information breached: Social Security Numbers
How: theft of 3 computers (2 desktop, 1 laptop)

The U.S. Department of Veterans Affairs is investigating another potential data breach after 3 computers (two desktop, one laptop) were stolen on November 11 from the Roudebush Veterans Affairs Medical Center. The computers contained Social Security numbers for as many as 12,000 medical patients and were protected only by password.

An Indiana congressman Steve Buyer says that the hospital failed to follow new safety protocols:

“The information that was accessed should have never been portable,” Buyer said in an interview Thursday from Washington. “That information should have been secure on a server in a data storage system in a remote location.”

The VA department has a long history of data breaches, including the May 2006 breach of information for 26.5 million veterans following the theft of a laptop and hard disk. Since this major breach, the VA has had other incidents of scale 1.8 million, 250,000, 16,000 and 16,5000 individuals affected. This is the third data breach related to the theft of computers.

Regulations on data security were reportedly strengthened after the May 2006 breach. Congressman Buyer lays the blame for the ongoing issues with poor security training and consistent security standards:

“I recognize that we’re dealing with human vices — theft — and we’re dealing with human negligence,” Buyer said. “That’s why it’s so important that information be encrypted and that we limit people’s access to certain information.”

This new breach just adds to the very troubling pattern of poor security standards that continue to plague the VA. A stronger security policy (including security software) and training scheme at all levels of the VA could help prevent such accidents from happening.

Arrest for theft of 1.8 million

An arrest has recently been made in relation to the theft of 1.8 million Social Security numbers in January of this year. Tae Kim was arrested after a month long-investigation when he was caught using fraudulent credit cards at a jewelry store. Kim was an auditor for Veterans Affairs from 2003 to February 2007 - his home computer contained 1.8 million Social Security numbers.

Via OC Register, ComputerWorld, Computer Weekly, IndyStar ; Tags: veterans affairs, data breach, data security, laptop security, laptop theft, fraud, identity theft, va