Group items tagged

With the ink barely dry on headlines about what could be the biggest security breach in history (identity thieves hacked into payment processor Heartland Payment Services, possibly gaining access to the credit-card information of millions of consumers) signing up for a credit-monitoring service may have jumped a few notches on your to-do list. After all, paying $12 or so a month seems like a small price to pay for the peace of mind that -- through regular alerts about activity on your credit reports and other monitoring services -- you'll be protected from identity theft. Right? Think again.

Visa Inc. said recent alerts it sent to credit card issuers are not related to a new breach, countering reports that a second payment processor had been compromised. In a statement issued Friday, San Francisco-based Visa said the alerts "were part of an existing investigation and are not related to a new compromise event." Credit unions last week reported receiving alerts from Visa and MasterCard about credit and debit card accounts that were exposed in the breach of a payment processor. They reported that the compromise was unrelated to the breach announced by Heartland Payment Systems in January. Information about newly affected accounts was relayed to banks and credit unions Feb. 9, via Visa's Compromised Account Management System (CAMS). The system, which informs banks of compromised account numbers, gives issuers the ability to monitor, close, or block the compromised accounts. Visa's statement did not say what existing investigation the alerts are related to and a company spokesman said he couldn't provide that detail. "Visa has provided the affected accounts to financial institutions so they can take steps to protect consumers," the company said in its statement. "In addition, Visa is risk-scoring all transactions in real-time, helping card issuers better distinguish fraud transactions from legitimate ones." Rich Mogull, an independent consultant and founder of security consultancy Securosis LLC said it's impossible to draw any conclusions based on the Visa statement. "It doesn't say if the breach is public or not, so it may be older but not revealed yet," he wrote in an email. "In other words, it just adds to the confusion. I assume the full story will come out eventually, and since they don't identify the breach it's hard to really evaluate this at all." Heartland disclosed Jan. 20 that its systems were compromised by a hacker in 2008. The breach forced hundreds of banks and credit unions to replace thousands of credit and debit cards.

Until now, lawsuits seeking to recover significant damages based on the loss of, or unauthorized access to, sensitive personal information have not been especially successful for plaintiffs. Most companies suffering data breaches have escaped by offering affected consumers inexpensive credit monitoring services. But two recent cases show plaintiffs a way to expose many previously safe companies to substantial claims for damages. Any company that thinks there are no risks in employing less than best practices for data privacy and security needs a wake up call. The headlines are all too familiar. Some well known consumer services company (or less known wholesale data processor) announces that millions of individual records containing names, Social Security numbers, account numbers and other sensitive information were left in a dumpster, saved to a stolen, unencrypted laptop, or stored on a misplaced USB drive or backup tape. The press is terrible, the company's stock takes a temporary plunge, and sometimes the Federal Trade Commission enters into a consent decree where the company promises to never do it again. But when affected individuals or groups of consumers tried to sue for damages, they seldom recover significant amounts. These cases have not often succeeded because the plaintiffs have been unable to prove actual pecuniary losses resulting from the security breach. Sure, if identify theft occurs the affected individuals can suffer significant emotional trauma, loss of time, etc. But Courts have been unwilling to award damages for anxiety, fear, and other emotional harm that can result from a data breach, for the risk of future identify theft, or for actual identity theft when the plaintiff could not prove that the theft occurred as a direct result of a data breach at a particular source. Most companies facing claims based on data breaches have been able to settle cheaply by offering to provide credit monitoring services, which most consumers do not use, resu

Hackers, possibly from Asia, have stolen about a decade's worth of personal information on current and former UC-Berkeley students, the university announced Friday. The breaches involved records dating to 1999 at the school's health center that included Social Security numbers, health insurance information, immunization history and the names of treating physicians. No other treatment-related records were stolen, the university said, although self-reported medical histories of students who studied abroad were hacked. The school on Friday sent e-mails and letters to 160,000 people, including about 3,400 Mills College students who used or were eligible for University of California-Berkeley medical services. About 97,000 people are most at risk because their names and Social Security numbers could be connected by the hackers, said Steve Lustig, the university's associate vice chancellor for health and human services. "What's been taken is bits of data that the thief might put together into an identity," he said. The university traced the hackers back to Asia, possibly China, but the exact origin could not be pinpointed. UC and FBI investigators are probing the breaches, which apparently occurred over several months. An FBI spokesman said the agency was informed of the hacking immediately, but declined to provide more information. The thefts were discovered about a month ago, but system administrators did Advertisement not realize the breadth of the attack until April 21. The hackers disguised their work as routine operations and then left taunting messages for UC-Berkeley employees, said Shelton Waggener, the university's associate vice chancellor for information technology. The thieves accessed the information through the university Web site, he said. "You should think of it as a public building," Waggener said. "They got into the building properly, but then they broke into secure areas." Administrators at Mills College, which contracts with UC-Berkeley for

Exactly one week after the Heartland Payment Systems (HPY) breach was first announced to the public, the first lawsuit has been filed against the payments processor. The class action lawsuit filed Tuesday by Chimicles & Tilellis LLP of Haverford, PA in the U.S. District Court for the District of New Jersey on behalf of Woodbury, MN resident Alicia Cooper, asserts that Heartland "made unreasonably belated and inaccurate statements concerning the breach." The complaint says Heartland does not appear to be offering any credit monitoring services or other relief to consumers affected by the breach. Chimicles & Tilellis' complaint also says in addition to the questionable timing of the announcement of its breach, (Read Heartland Class Action suit PDF) "there are materially misleading statements and omissions in Heartland's public description of the breach and its consequences." Heartland announced the breach in a press release on the same morning of President Barack Obama's inauguration. The law firm says it is suing on behalf of consumers whose sensitive financial information was compromised in the data breach at Heartland. The complaint raises a claim pursuant to the New Jersey Consumer Fraud Act, and asserts causes of action for negligence, breach of implied contract, breach of contracts to which Plaintiffs and Class members were intended third party beneficiaries, breach of fiduciary duty, and negligence. The payments processor did not disclose how many credit card account numbers were compromised as a result of the breach. Heartland is the fifth largest payment processor in the country and handles 100 million transactions per month for more than 250,000 small retailers, gas stations, restaurants and other small and midsized companies. The suit also states that Heartland only became aware of the breach after it was notified of patterns of fraudulent credit card activity by VISA and MasterCard. "Analysts have stated that the fact that Heartland did not detect th

Identity thieves are getting more clever and are increasingly using stolen information to get driver's licenses, employment and government assistance, according to a new report. The survey by the Identity Theft Resource Center also found that the greater awareness of this problem by the public has led to more people discovering they are victims themselves, through monitoring of their bank accounts and credit card statements. Typically, victims learned of their identity theft when they were denied a job or credit or were informed by law enforcement. "Most of our information is beyond our control," said Linda Foley, co-founder of the Identity Theft Resource Center, which surveys victims each year to see how identity theft is changing. "If a thief wants to get it, he will find a way to get it." The report covers the experiences of around 100 of the 1,500 people who were victimized in 2008 and contacted the center, a nonprofit that helps people recover from identity theft. Stolen personal information is now cheap - identities may sell on the black market for as little as 60 cents each - and thieves churn through them quickly to lower their chances of getting caught, Foley said. Rather than opening 10 or 20 credit card accounts in a victim's name, they now open two or three, charge as much as they can and move on to the next person. This raises the cost of identity theft to businesses, whose average loss to fraud nearly doubled last year to $90,107, up from $48,941 the year before.

As I'm sure you know, former NSA analyst Russell Tice revealed that the agency spied on journalists and ordinary Americans - not just communications between the U.S. and overseas. Speaking on the Keith Olbermann show on MSNBC, Tice said: "The National Security Agency had access to all Americans' communications," he said. "Faxes, phone calls and their computer communications. … They monitored all communications." He made a further appearance on Olbermann Thursday (view above), in which he said that the NSA combined these illegal wiretaps with credit card and financial data. ""This [information] could sit there for ten years and then potentially it marries up with something else and ten years from now they get put on a no-fly list and they, of course, won't have a clue why," Tice said. "This is garnered from algorithms that have been put together to try to just dream-up scenarios that might be information that is associated with how a terrorist could operate," Tice said. "And once that information gets to the NSA, and they start to put it through the filters there . . . and they start looking for word-recognition, if someone just talked about the daily news and mentioned something about the Middle East they could easily be brought to the forefront of having that little flag put by their name that says 'potential terrorist'." Why were they monitoring reporters? New York Times reporter James Risen told Olbermann he thought it was a plot "to have a chilling effect on potential whistleblowers in the government to make them realize that there's a Big Brother out there that will get them if they step out of line."

Difficult economic times can be the breeding ground for increased fraudulent activities. In July 2009, the Financial Crimes Enforcement Network (www.fincen.gov) published its 12th edition of The SAR Activity Review - By the Numbers. SARs (Suspicious Activity Reports) are one key aspect of FinCEN's efforts related to its responsibility for regulatory administration of the Bank Secrecy Act of 1970. Many different financial industries such as banks, credit unions, insurance companies, check-cashing services, broker/dealers, and casinos are required to complete and file SARs. According to FinCEN's press release on the SAR Activity Review, "The report reveals that of the 20 different violation types tracked, seven of the categories relate specifically to fraud and all seven showed an increase in SAR filings during the year. While these categories represent one-third of the possible violation types, they accounted for nearly half of the increase in total SAR filings from 2007 to 2008, with all of the fraud categories seeing double-digit increases in percentage of filings in 2008. These categories are: check fraud, mortgage loan fraud, consumer loan fraud, wire transfer fraud, commercial loan fraud, credit card fraud, and debit card fraud." Could any of this apply to you? Are your control and monitoring processes able to identify these examples of common patterns of suspicious activity that FinCEN has identified?

Cornell University officials are investigating the theft of a school computer that may have compromised the personal information of about 45,000 current and former students, faculty and staff. University spokesman Simeon Moss says the university has sent e-mails about the incident to everyone whose data was on the computer. They're being offered one year of free credit reporting, credit monitoring and identity restoration services. A Cornell Web page on the theft says there have been no known misuses of the data, which include Social Security numbers. The page says the laptop was in the possession of a Cornell technician who was doing some troubleshooting. Moss says police are investigating the theft.

In the 2002 film Minority Report, video billboards scanned the irises of passing consumers and advertised to them by name. That was science fiction back then, but today's marketers are creating digital signs that can display targeted ads based on information they extract from examining the contours of individual human faces. These smart signs are proliferating in commercial establishments and public places from New York's Times Square to St. Louis area shopping malls. They are a powerful innovation in advertising, but one that raises compelling privacy issues - issues that should be addressed now, before digital signs that monitor our behavior become the new normal. The most common name for this medium is digital signage. Most digital signs are flat-screen TVs that run commercials on a continuous loop in airports, gas stations, and anywhere else marketers think they can get your attention. However, marketers have had difficulty determining exactly who sees the display units, which makes it harder to measure viewership and target ads at specific audiences. The industry's solution? Hidden facial recognition cameras. The tiny cameras can estimate the age, ethnicity and gender of people passing by and can track how long a given person watches the display. The digital sign can then play an advertisement specifically targeted to whomever happens to be watching. Tens of millions of people have already been picked up by digital signage cameras. While camera-driven systems are the most common, the industry is also utilizing mobile phones and radio frequency identification (RFID) for similar purposes. Some companies, for example, embed RFID chips in shopper loyalty cards. Digital kiosks located in stores can read the information on the cards at a distance and then display ads or print coupons based on cardholders' shopping histories. Facial recognition, RFID and mobile phone tracking are powerful tools that should be matched by business practices that protect consu

In the 2002 film Minority Report, video billboards scanned the irises of passing consumers and advertised to them by name. That was science fiction back then, but today's marketers are creating digital signs that can display targeted ads based on information they extract from examining the contours of individual human faces. These smart signs are proliferating in commercial establishments and public places from New York's Times Square to St. Louis area shopping malls. They are a powerful innovation in advertising, but one that raises compelling privacy issues - issues that should be addressed now, before digital signs that monitor our behavior become the new normal. The most common name for this medium is digital signage. Most digital signs are flat-screen TVs that run commercials on a continuous loop in airports, gas stations, and anywhere else marketers think they can get your attention. However, marketers have had difficulty determining exactly who sees the display units, which makes it harder to measure viewership and target ads at specific audiences. The industry's solution? Hidden facial recognition cameras. The tiny cameras can estimate the age, ethnicity and gender of people passing by and can track how long a given person watches the display. The digital sign can then play an advertisement specifically targeted to whomever happens to be watching. Tens of millions of people have already been picked up by digital signage cameras. While camera-driven systems are the most common, the industry is also utilizing mobile phones and radio frequency identification (RFID) for similar purposes. Some companies, for example, embed RFID chips in shopper loyalty cards. Digital kiosks located in stores can read the information on the cards at a distance and then display ads or print coupons based on cardholders' shopping histories. Facial recognition, RFID and mobile phone tracking are powerful tools that should be matched by business practices that protect consu

"A CEO who publicly posted his Social Security number on billboards and TV commercials as part of a campaign to promote his company's credit monitoring services was the victim of identity theft at least 13 times, a news report says. The Phoenix New Times reported that Todd Davis, CEO of LifeLock Inc., which is based in Tempe, Ariz., was victimized numerous times by identity thieves who apparently used his Social Security number to commit various types of fraud. Davis has previously admitted that he was the victim of an identity theft once in 2007, when a man in Texas used his Social Security number to take out a $500 loan which wasn't repaid and ended up being handled by a collection agency. The New Times reported that Davis has been a victim of similar ID theft at least a dozen more times."

Might not want to put much stock in Lifelock.

Parents of 18,541 Metro Nashville students will receive letters next week outlining a security breach that put their children's Social Security numbers online for three months. Advertisement Boston-based Public Consulting Group Inc., which holds a five-year, $2.6-million-a-year contract with the state to collect student data from various districts, corrected the error March 31 after a parent using Google to search her daughter's name found it - along with personal data for the students and 6,000 parent names. Art Staehling learned Wednesday that his teenage daughter was on the list and said he's concerned what could happen to her identity. "I find it hard to believe that an established company had a problem of this magnitude," Staehling said. The consulting group will pay for parents of affected children to check all family members' credit reports through Experian and for a year of monitoring. One of the group's owners, Stephen Skinner, said the error happened when workers running a test Dec. 28 on random student data inadvertently stored a file to an insecure directory. They discovered the error March 5 and took down the file, which contained student names, gender, race or ethnicity, date of birth, Social Security number and, in some cases, parent names. But they were unaware Google's search engine had already found the file and indexed it. That's how the parent, who is also a Metro schools employee, found out about the breach weeks later. Public Consulting Group worked with Google to take the information down.

Late last month, the House passed an economic recovery package containing $20 billion for health information technology, which would require the Department of Health and Human Services to develop standards by 2010 for a nationwide system to exchange health data electronically. The version of the recovery package passed by the Senate yesterday contains slightly less funding for health information technology ("health IT"). But as Congress moves to reconcile the two stimulus packages, conservatives have begun attacking the health IT provisions, falsely claiming that they would lead to the government "telling the doctors what they can't and cannot treat, and on whom they can and cannot treat." The conservative misinformation campaign began on Monday with a Bloomberg "commentary" by Hudson Institute fellow Betsy McCaughey, which claimed that the legislation will have the government "monitor treatments" in order to "'guide' your doctor's decisions." McCaughey's imaginative misreading was quickly trumpeted by Rush Limbaugh and the Drudge Report, eventually ending up on Fox News, where McCaughey's opinion column was described as "a report." In one of the many Fox segments focused on the column, hosts Megyn Kelly and Bill Hemmer blindsided Sens. Arlen Specter (R-PA) and Jon Tester (D-MT) with McCaughey's false interpretation, causing them to promise that they would "get this provision clarified." On his radio show yesterday, Limbaugh credited himself for injecting the false story into the stimulus debate, saying that he "detailed it and now it's all over mainstream media."

Kaiser Permanente says that the personal information of 29,500 employees in Northern California may have been exposed in a security breach. "A handful" of employees have reported identify theft, the Oakland, Calif.-based managed-care giant said. Police in San Ramon, Calif., seized a computer file containing the employee information from a suspect who was arrested. The suspect was not a Kaiser Permanente employee, and officials declined to provide further details. The file contained the names, addresses, phone numbers, Social Security numbers and dates of birth of the Kaiser workers. No health plan member information or personal health information was involved in the data breach, according to Kaiser officials. "We regret that this unfortunate incident occurred, and we understand the anxiety and worry that some employees may feel," said Gay Westfall, senior vice president for human resources at Kaiser Foundation Health Plan and Hospitals, Northern California, in a written statement. Kaiser is providing one year of free credit-monitoring to workers whose information was in the file.

Two Philadelphia law firms have filed class action suits on behalf of all cardholders in the U.S. who had their credit or debit card data stolen in the Heartland Payment System (HPY) data breach. This brings to three the total number of class action lawsuits filed against the Princeton, NJ-based payments processor. The law firm of Berger & Montague filed a class action suit in the U.S. District Court for the District of New Jersey, alleging Heartland's failure to safeguard cardholder data when the company's computer systems were hacked and cardholder data was stolen. Heartland says last year it processed 100 million card transactions per month, but an unknown number of cards were impacted by the breach. The law firm says fraudulent activity has occurred on some of those cards. The law firm alleges that Heartland's security measures and intrusion detection systems were inadequate. "Because of Heartland's inadequate data security, cardholders have had their card information compromised, have been exposed to the risk of fraud, have spent and will spend time to monitor their accounts and dispute fraudulent charges, and have suffered other economic damages," the law firm says in its statement regarding the suit. Berger & Montague were also co-lead counsel in the consumer class action suit brought against TJX Companies, which resulted in a $200 million settlement. The third class action lawsuit filed in February against Heartland comes from Sheller P.C. of Philadelphia, PA. Sheller's suit against Heartland has similar charges against the payment processor. Sheller P.C. also filed its class action lawsuit in the U.S. District Court for the District of New Jersey. Sheller P.C. has also filed a consumer class action suit against RBS WorldPay for its security breach that was made public on Dec. 23, 2008. Previously, Chimicles & Tilellis LLP of Haverford, PA filed suit in the U.S. District Court for the District of New Jersey on behalf of Woodbury, MN resident Alicia Co

The Veterans Affairs Department has agreed to pay up to $20 million to veterans for exposing them to possible identity theft in 2006 after losing their sensitive personal information. In court filings Tuesday, lawyers for the VA and the veterans said they had reached agreement to settle the veterans' lawsuit alleging invasion of privacy. The money will be used to pay for veterans who suffered actual harm, such as emotional distress or expenses incurred for credit monitoring. The lawsuit came after a VA data analyst in 2006 admitted that he had lost a laptop and external drive containing the names, birth dates and Social Security numbers of up to 26.5 million veterans and active-duty troops. The laptop was later recovered intact.

Government Information Security Podcasts As a GovInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info Probing Federal IT Security Programs: Gregory Wilshusen, GAO February 23, 2009 Government Accountability Office auditors will have a busy spring, examining a number of federal government programs aimed at securing government information systems and data. In an interview with GovInfoSecurity.com, Gregory Wilshusen discusses how the GAO is looking at how private industry and two dozen federal agencies employ metrics to measure the effectiveness of information security control activities. Other current GAO information security investigations he discusses include: Federal Desktop Core Configuration intended to standardize security features on personal computers purchased by the government. Trusted Internet Connection initiative aimed at slashing government Internet connections to fewer than 100 from more than 2,000. Einstein automated networking monitoring program run by U.S Computer Emergency Readiness Team. Gregory Wilshusen is director of information security issues at GAO, where he leads information security-related studies and audits of the federal government. He has more than 26 years of auditing, financial management and information systems experience. Before joining GAO in 1997, Wilshusen served as a senior systems analyst at the Department of Education as well as the controller for the North Carolina Department of Environment, Health and Natural Resources.

Johns Hopkins is alerting more than 10,000 of its hospital patients that they may have been victims of identity theft. An investigation suggests a former employee who worked in patient registration may have been linked to a scheme to create fake drivers' licenses in Virginia, according to this letter from Baltimore-based Hopkins to the Maryland attorney general's office. Most of the patients are at very low risk, the letter says - they're included because the former employee accessed their records in the course of her work. But a few dozen have already been identified as likely victims, and a few hundred who have Virginia mailing addresses and whose records were accessed by the former employee may also be at risk. Hopkins is offering those patients credit monitoring, fraud resolution and identity-theft reimbursement for certain expenses.

Be careful what information you give to recruiters!

Insurance company Aetna has contacted 65,000 current and former employees whose Social Security numbers (SSNs) may have been compromised in a Web site data breach. The job application Web site also held names, phone numbers, e-mail and mailing addresses for up to 450,000 applicants, Aetna spokeswoman Cynthia Michener said. SSNs for those people were not stored on the site, which was maintained by an external vendor. The company found out about the breach earlier this month when people began receiving spam messages that appeared to come from Aetna and complained to the company, Michener said. The spam purported to be a response to a job inquiry and requested more personal information. The spam campaign showed the intruders successfully harvested e-mail addresses from the Web site, although Michener said it's not clear if SSNs were also obtained. Nonetheless, Aetna sent letters last week notifying the 65,000 people whose SSNs were on the site of the breach. The company is offering them one year of free credit monitoring, as SSNs are often used by identity thieves. "We wanted to err on the side of caution," Michener said. Aetna hired an IT forensics company to investigate how the Web site had been compromised. "At this point despite a thorough review, they've not been able to pinpoint the precise breach," Michener said. Aetna posted alerts on the job site, its main Web site and its internal intranet about the spam campaign, Michener said.

Identity theft concerns are focused on the security and necessity of the collection process. Collecting personal information just because you can is unsafe. Organizations can reduce privacy risks by not collecting unnecessary personal info. Once the data gets into the data life cycle pipeline, the cost of managing and destroying it escalates. The Federal Trade Commission estimates that as many as 9 million people have their identities stolen every year. According to the Privacy Rights Clearinghouse, more than 200 million instances of data breaches have occurred since the beginning of 2005, and they show no signs of letting up. In the first quarter of 2008 alone, more than 85 million incidents were reported. The causes of data breaches run the gamut: Hackers get unencrypted, transmitted data and data at rest; laptops are stolen or lost; storage Relevant Products/Services devices are lost by third-party shipping companies; flash drives or PDAs are left lying around; Social Security numbers are accidentally printed on envelopes; or data is found on discarded computers. This article examines the organizational risks to CPAs and their clients or corporate employers of improperly managed data throughout the data life cycle. It also discusses best data management practices and proper procedures for responding to a data breach. Data breaches, whatever the cause, are costly. According to a study by the Ponemon Institute, the average cost of a data breach in 2007 was $6.3 million. The average cost to an organization per record compromised is about $197, which is typically spent on phone calls for customer notification, providing free credit monitoring, discounts on membership fees, or discounts on merchandise to make up for the security Relevant Products/Services breach. Some organizations also experience an increase in customer turnover. The organization typically spends additional money in data protection Relevant Products/Services enhancements. Companies sanctioned by