CIPP Information Privacy & Security News: group items tagged breach reporting

Karl Wabst

IAPP - International Association of Privacy Professionals - Carr gets to heart of it - 0 views

  •  
    Heartland Payment Systems CEO discusses breach, previews speech Not a week had passed after the announcement of what some have described as the largest data breach ever, when the CEO of Heartland Payment Systems, Robert Carr, began calling for better industry cooperation and new efforts directed at preventing future breaches. Recently, Carr announced that trials will begin late this summer on an end-to-end encryption system Heartland is developing with technology partners. It is expected to be the first system of its kind in the U.S. The company is also pushing for an end-to-end encryption standard. At the upcoming Practical Privacy Series in Silicon Valley, Carr will discuss the Heartland breach and the role industry, including privacy professionals, must play to prevent future breaches. Here's a preview: IAPP: Many companies have experienced breaches. What made yours different? Ours was different because we are a processor and had passed six years of PCI audits with no problems found. Yet, within days of the most recent audit, the damage had begun. IAPP: Did you have a chief privacy officer or a privacy professional on staff before your breach? Do you now? Ironically, when we learned of the Hannaford's breach, we hired a Chief Security Officer who started just three weeks before the breach began. IAPP: In the era of mandatory breach reporting, what is the trajectory of consumer reaction? As a processor it is difficult to really know this. Our customers are merchants who accept card payments. IAPP: Do you think consumers will become numb to breach notices? I believe that many are numb to so many intrusion notices. IAPP: Are breach notices good public policy? Do the notices provide an incentive for companies to change or improve practices? I don't think so. Nobody wants to get breached and the damage caused by a breach is sufficient reason for most of us to do everything we can to prevent them. IAPP: What has Heartland done differentl
Karl Wabst

Data breach study ties fraud losses to Hannaford, TJX breaches - 0 views

  •  
    A recent data breach study commissioned by the state of Maine sheds light on the losses banks experienced as a result of the data breaches at TJX and Hannaford Brother's supermarkets. The state's banks said they incurred $2.1 million in expenses related to data breaches since January 1, 2007. The Hannaford breach had the largest impact, affecting 71 financial institutions and incurring $1.6 million in expenses according to the Maine Data Breach Study. Hannaford is based in Scarborough, Maine. The TJX breach accounted for $485,000 in expenses. The report was issued by the Maine Bureau of Financial Institutions in November 2008. It studied the impact of data security breaches on Maine banks and credit unions. Fifty credit unions and 25 banks headquartered in Maine responded to the survey. Financial institutions reported more than 18 million records breached last year, according to the Identity Theft Research Center. The San Diego-based nonprofit found that data breach reports across five industry sectors jumped to 656 last year, up 47% from 2007. About 12% of the reports came from financial-services firms, up from 7% in 2007. In Maine, the Hannaford breach resulted in more than $318,000 in gross fraud losses, according to data reported by 22 financial institutions. More than 700 accounts were used to buy items fraudulently, although five of the 22 institutions that suffered a fraud loss did not report the number of accounts, according to the report. The Hannaford breach cost some banks as much as $58,000 to reissue credit cards to customers. Investigation expenses cost nearly $30,000 for some banks. Communication to customers cost nearly $28,000, some banks and credit unions reported. Fraud losses of nearly $45,000 were tied to the TJX data breach. The losses were reported by six financial institutions. The expenses for reissuing credit cards cost some banks as much as $32,000. Investigation expenses were as high as $21,000 for some banks. Communication to custom
Karl Wabst

Raw Data-Breach Numbers Rise, But the Real Picture Is Fuzzy - 0 views

  •  
    Data breaches are running at record levels, according to the San Diego-based Identity Theft Resource Center, a non-profit that tracks cybercrime. ITRC says it recorded 342 data breaches from Jan. 1 through June 24, up 69% from the same period in 2007. But, like the origins and perpetrators of so many individual data breaches, mystery also lies behind the aggregated numbers. "I'm not sure that this says breaches are increasing," ITRC founder Linda Foley tells Digital Transactions News. "What we know is the reporting of breaches is increasing." A handful of states now require some disclosure of data breaches to authorities, Alaska being the most recent. And some companies that have been hacked are starting to report breaches voluntarily, Foley says. While data breaches can compromise all manner of personal and business records, they often involve credit and debit card data and bank-account information. ITRC lists five major categories of breached entities, with the so-called banking/credit/financial sector accounting for 10% of 2008's breaches. Businesses, which include physical and Internet retailers, insurance companies and other private enterprises, accounted for 36.8%. Schools accounted for 21.3%; government and military facilities, 17%; and health-care facilities, 14.9%. ITRC also categorizes breaches by how they happened, such as through hackings -- break-ins into computers and related systems, insider thefts, data lost in physical transit, and by other methods. The number of 2008 hackings through late June in the banking/credit/financial category was 10 -- double the five for all of 2007. The estimated number of records compromised as a result was 227,864. In 2007, the reported number of compromised records at financial institutions through hackings was 83,500. But Foley says not to put too much stock in the records numbers because so many breached organizations don't know or fail to report the number of compromised records when they report a bre
Karl Wabst

ITRC Report: Malicious Attacks Are Now More Frequent Than Human Error - data breaches/A... - 0 views

  •  
    "The Identity Theft Resource Center (ITRC) reported its annual breach data for 2009 last week, and for the first time malicious attacks were more frequently identified as the source of those breaches than human error. In its "2009 Data Breach Report," the ITRC found 498 publicly disclosed breaches last year, down from 657 the year before. The downturn could have resulted from changes in breach disclosure, rather than a real drop-off in system compromises, the organization says. Interestingly, paper breaches now account for 26 percent of data leaks, up 46 percent compared to 2008. Malicious attacks outnumbered breaches attributed to human error for the first time in the three years the report has been compiled. The business sector accounted for 41 percent of data breaches, up from 21 percent the year before. Approximately 222 million records were compromised, the organization says -- and about 130 million of those came from the single breach at Heartland Payment Systems. Out of 498 breaches, only six reported they had either encryption or other strong security features protecting the exposed data, the ITRC says . "
  •  
    Expect more action from the FTC on data privacy breach
Karl Wabst

Data Explosion Expands Breach Exposure, But Insurers More Open To Handling Risk - 0 views

  •  
    The problem with securing data and insuring its safety is that there is simply so much more stored electronically these days that opportunities for outside hackers or insiders to steal valuable, confidential information off a company's computer systems are growing exponentially, according to those in the insurance industry who make it their business to cover this expanding exposure. Indeed, "you can take out more data in a thumb drive now than people could take out in a super-computer 10 years ago," according to Kevin Kalinich, co-national managing director for Professional Risk Solutions at Aon. The risk of a data breach is very real for companies large and small across almost any industry, noted Mr. Kalinich. He cited a report from the University of California, Berkeley, that more data has been aggregated and stored in the last three years than in the entire history of mankind. He also noted that between 75 and 85 percent of Fortune 2000 companies have suffered a "material data breach," meaning there is a growing market for those selling insurance coverage for liability and repair costs, as well as loss control services. Companies that take an "it won't happen to me" approach to securing data need only look at news headlines to see that organizations are often hit by breaches, and as more data is being stored electronically, the potential for, and impact of possible breaches increase. Princeton, N.J.-based credit and debit processing company Heartland Payment Systems reported that it had been compromised in 2008 in a breach that involved up to 100 million records, which would be tops for number of records accessed in a breach. The Heartland incident would displace the 2007 breach of TJX, in which over 45.6 million credit and debit card numbers were stolen. The TJX breach, in turn, took the record set by a breach of CardSystems Solutions in 2005.
Karl Wabst

Report Suggests Consumers Don't Understand Data Breach Notifications - 0 views

  •  
    "A new report from Javelin Strategy and Research suggests that many credit and debit card holders fail to understand the importance of a notice saying that a credit card or debit card has been breached and do not protect themselves from fraud. The company's research found that people notified of a breach of their secure data were four times as likely as the public at large of actually experiencing financial or other fraud within a year of the notification. Further, those who experienced a breach in their secure data and then an incident of fraud very rarely link the fraud to the breach. "Among consumers who received a data breach notification in the past 12 months, 19% suffered fraud, yet only 2% attributed their fraud to a data breach, the firm reported. "It seems as if consumers are not connecting the dots on data breach notifications to fraud events. They are aware, in the abstract, some personal records of theirs have been compromised, but when they become a victim of fraud they do not make the connection to the breach notification.""
Karl Wabst

Will Congress Enact Data Security Breach Provisions This Year - ? Guess What, It Alread... - 0 views

  •  
    Congress has been dithering over the adoption of a federal data security breach notice law for the last several years without coming to an agreement on a national standard for reporting breaches in the security of personal and financial data, but on February 17, data breach notice provisions applicable to health information were signed into law as part of the HITECH Act provisions of the massive economic stimulus legislation, H.R. 1 (111th Cong., 1st Sess. Feb. 17, 2009). Beginning no later than September 16 of this year, "covered entities" under the Health Insurance Portability and Accountability Act (HIPAA) will be required to give notice of breaches in the security of protected health information, and "business associates" of HIPAA-covered entities will be required to report such breaches to the covered entities. §13402(a) & (b). Currently, California and Arkansas are the only states that require that notification be given in the case of a breach in the security of medical or health insurance information. The HIPAA Privacy Rule currently does not contain a requirement that individuals be notified in the event of such a breach. However, some covered entities interpret the existing HIPAA Privacy Rule requirement that covered entities mitigate harmful effects of uses or disclosures of health information in violation of either the Privacy Rule or the entity's policies and procedures as suggesting that such notice be given, and many covered entities currently provide such notification.
Karl Wabst

What's behind the rash of university data breaches? - Network World - 0 views

  •  
    Purdue University last month reported its seventh data breach in the past four years. But Purdue is hardly alone. According to my records, over 300 publicized privacy incidents have occurred at U.S. institutions of higher learning since 2001, with at least 53 colleges and universities experiencing multiple breaches (see table at end of article). The regular stream of university data-breach reports has prompted Adam Dodge, assistant director for information security at Eastern Illinois University, to devote a blog - Educational Security Incidents - to the topic. When I last covered the issue four years ago (see "Security breaches challenge academia's 'open society' "), universities were the leading sector for publicized breaches. The same is true today. What's going on? Why haven't things changed? John Correlli of Los Angeles-based JMC Privacy Consulting Group has some answers. Correlli recently published a detailed analysis of the topic, "Breaches in the Academia Sector." Correlli identifies the top three root causes of university breaches: unauthorized access, usually inside jobs; accidental online exposures; and stolen laptops. "Privacy governance in academia is far too frequently thrown into the laps of the IT folks, who are then told, implicitly or explicitly, that privacy isn't a priority until it's a problem," Correlli told me.
Karl Wabst

Heartland sued over data breach | Security - CNET News - 0 views

  •  
    Payment processor Heartland Payment Systems has been sued over a data breach it disclosed publicly on Inauguration Day last week. The lawsuit, filed on Tuesday in U.S. District Court in Trenton, N.J., alleges that Heartland failed to adequately safeguard the compromised consumer data, did not notify consumers about the breach in a timely manner as required by law, and has not offered to compensate consumers for costs they may incur in protecting themselves from identity fraud. In a statement that coincided with President Barack Obama's inauguration events, Heartland said the breach occurred last year but that it found evidence of the intrusion only in the previous week and immediately notified law enforcement and credit card companies. Heartland was alerted in late October to suspicious activity surrounding processed card transactions by Visa and MasterCard and hired forensic auditors who uncovered malicious software that compromised data in the company's network, said Robert H.B. Baldwin Jr., chief financial officer of Heartland, last week. The lawsuit seeks damages and relief for the "inexplicable delay, questionable timing, and inaccuracies concerning the disclosures" with regard to the data breach, which is believed to be the largest in U.S. history. Heartland executives have declined to specify how many consumers or accounts were affected. The company handles 100 million transactions per month for more than 250,000 merchants. The lawsuit, first reported by SearchSecurity news site, also accuses Heartland of negligence in taking more than two months to determine the existence and scope of the breach and criticizes the company for failing to identify which merchants were affected by the breach. The suit was filed on behalf of Woodbury, Minn., resident Alicia Cooper, who was notified last week by her credit union that a card associated with her account was included in the breach. It seeks class action status. A Heartland spokesman said the company could no
Karl Wabst

With Breaches Rising, Insurer Offers Card-Compromise Coverage - 0 views

  •  
    Fireman's Fund Insurance Co. this week unveiled what it says is the first coverage available to small and medium-sized businesses for losses from payment card data breaches. News of the policy came on the same day that a non-profit research organization reported that data breaches increased 47% last year. The idea behind the coverage, according to Brian Gerritsen, product director at Novato, Calif.-based Fireman's, is to give peace of mind to business owners who are diligent about complying with the Payment Card Industry data-security standard, or PCI, the card networks' uniform protection rules that all card acceptors are supposed to meet. "That's what we're really trying to insure against -- business owners trying to do everything in their power to protect their customers' cardholder data, but still find themselves in a data-breach situation and out of compliance with the PCI standards or other security standards that may apply to them," he tells Digital Transactions News. To get the coverage, however, a merchant must clear a number of hurdles. An applicant must already have property or liability coverage from Fireman's as well as the company's general data-breach policy first offered in 2006. The new payment card coverage is an add-on to that earlier product. Coverage is available to retailers and most other card-accepting merchants, but not schools and hospitals, says Gerritsen. The insurer excluded the former because of their high rate of data breaches and the latter because they hold extremely sensitive medical and personal data. If breached, a covered merchant could recoup about $160,000 in resulting expenses. That includes up to $50,000 for a PCI-specific forensic investigation, system scans and software, and hardware upgrades to get card security up to snuff. The policy also provides up to $100,000, with a 5% deductible, for PCI fines -- "contractual penalties" in industry lingo -- and related costs such as chargebacks and issuers'
Karl Wabst

Security Fix - Malicious Attacks Most Blamed in '09 Data Breaches - 0 views

  •  
    Rogue employees and hackers were the most commonly cited sources of data breaches reported during the first half of 2009, according to figures released this week by the Identity Theft Resource Center, a San Diego based nonprofit. The ID Theft Center found that of the roughly 250 data breaches publicly reported in the United States between Jan. 1 and Jun. 12, victims blamed the largest share of incidents on theft by employees (18.4 percent) and hacking (18 percent). Taken together, breaches attributed to these two types of malicious attacks have increased about 10 percent over the same period in 2008. Some 44 states and the District of Columbia now have laws requiring entities that experience a breach to publicly disclose that fact. Yet, few breached entities report having done anything to safeguard data in the event that it is lost or stolen. The ITRC found only a single breach in the first half of 2009 in which the victim reported that the lost or stolen data was protected by encryption technology. "It is a dual problem here undeterred by law or common sense," said ITRC co-founder Linda Foley. "You would think if all these organizations have to notify, that they would take some steps to make sure their data doesn't get exposed in the first place."
Karl Wabst

More Data Breached In 2008 Than In Previous Four Years Combined -- Security Breaches - 0 views

  •  
    More electronic records were exposed in 2008 than in the previous four years combined and most of those breaches -- nine out of 10 -- could have been easily avoided with basic preventative controls consistently applied. In its 2009 Verizon (NYSE: VZ) Business Data Breach Investigations Report, Verizon Business Security Solutions analyzed 90 confirmed breaches that occurred in 2008, affecting 285 million compromised records. The company's previous data breach report covered from 2004 through 2007, a period that saw 230 million compromised records. About a third of the breaches in Verizon Business' caseload have been publicly disclosed, and additional disclosures are expected before the end of the year. But many breaches will remain unreported because of the absence of any applicable disclosure requirement. Among the report's findings: 91% of all compromised records were linked to organized criminal groups; customized malware attacks doubled; and the most common attack vectors were default credentials and SQL injection. In a statement, Peter Tippett, VP of research and intelligence for Verizon Business Security Solutions, described the report as a wake-up call. Businesses need strong security and a proactive approach, he said, particularly because the economic crisis is likely to spur even greater criminal activity.
Karl Wabst

Visa says no new breach - 0 views

  •  
    Visa Inc. said recent alerts it sent to credit card issuers are not related to a new breach, countering reports that a second payment processor had been compromised. In a statement issued Friday, San Francisco-based Visa said the alerts "were part of an existing investigation and are not related to a new compromise event." Credit unions last week reported receiving alerts from Visa and MasterCard about credit and debit card accounts that were exposed in the breach of a payment processor. They reported that the compromise was unrelated to the breach announced by Heartland Payment Systems in January. Information about newly affected accounts was relayed to banks and credit unions Feb. 9, via Visa's Compromised Account Management System (CAMS). The system, which informs banks of compromised account numbers, gives issuers the ability to monitor, close, or block the compromised accounts. Visa's statement did not say what existing investigation the alerts are related to and a company spokesman said he couldn't provide that detail. "Visa has provided the affected accounts to financial institutions so they can take steps to protect consumers," the company said in its statement. "In addition, Visa is risk-scoring all transactions in real-time, helping card issuers better distinguish fraud transactions from legitimate ones." Rich Mogull, an independent consultant and founder of security consultancy Securosis LLC said it's impossible to draw any conclusions based on the Visa statement. "It doesn't say if the breach is public or not, so it may be older but not revealed yet," he wrote in an email. "In other words, it just adds to the confusion. I assume the full story will come out eventually, and since they don't identify the breach it's hard to really evaluate this at all." Heartland disclosed Jan. 20 that its systems were compromised by a hacker in 2008. The breach forced hundreds of banks and credit unions to replace thousands of credit and debit cards.
Karl Wabst

Lessons of ChoicePoint, 4 Years Later - CSO Online - Security and Risk - 0 views

  •  
    It's been four years since data broker ChoicePoint acknowledged the data security breach that put it in the middle of a media firestorm and pushed data protection to the top of the infosecurity community's priority list. Since then, the business world has made plenty of progress hardening its data defenses -- thanks in part to industry standards like PCI DSS and data breach disclosure laws (click to see state-by-state map) now in place. But the latest data breach to grab headlines illustrates how vulnerable organizations remain to devastating network intrusions. Heartland Payment Systems, the Princeton, N.J.-based provider of credit and debit processing, payment and check management services, admitted Tuesday it was the victim of a data breach some quickly began citing as the largest of its kind. The company discovered last week that malware compromised card data across its network, after Visa and MasterCard alerted Heartland to sinister activity surrounding processed card transactions. The Shadow of ChoicePoint The Heartland breach comes roughly four years after ChoicePoint announced -- as required by California's SB 1386 data breach disclosure law -- that conmen stole personal financial records of more than 163,000 consumers by setting up fake business requests. Since then, much bigger incidents have occurred, most notably the TJX data breach that exposed more than 45 million debit and credit card holders to identity fraud. Heartland President and CFO Robert H.B. Baldwin Jr. said Tuesday that 100 million card transactions occur each month on the compromised systems used to provide processing to merchants and businesses. As of Tuesday, the Privacy Rights Clearinghouse estimated that a total of 251,164,141 sensitive records had been compromised since early 2005. Up to 15 separate cases have been reported since Jan. 1, 2009.
Karl Wabst

Card Data Breached, Firm Says - WSJ.com - 0 views

  •  
    A New Jersey credit-card processor disclosed a data breach that analysts said may rank among the biggest ever reported. Heartland Payment Systems Inc. said Tuesday that cyber criminals compromised its computer network, gaining access to customer information associated with the 100 million card transactions it handles each month. The company said it couldn't estimate how many customer records may have been improperly accessed, but said the data compromised include the information on a card's magnetic strip -- card number, expiration date and some internal bank codes -- that could be used to duplicate a card. Heartland, of Princeton, N.J., processes transactions for more than 250,000 businesses nationwide, including restaurants and smaller retailers. Avivah Litan, an analyst at research company Gartner, called it the largest card-data breach ever, based on her conversations with industry executives. Previously, the largest known breach occurred when around 45 million card numbers were stolen from retail company TJX Cos. in 2005 and 2006. Robert Baldwin, Heartland's president and chief financial officer, said it was too early to say how many records were accessed and that calling it the largest-ever breach would be "speculative." Representatives of Visa Inc. and MasterCard Inc. alerted Heartland to a pattern of fraudulent transactions on accounts the processor handled sometime last fall, Mr. Baldwin said. But an internal investigation and audits failed to detect a security breach. Last week, however, a forensic investigator discovered evidence of the breach. Mr. Baldwin said Heartland was targeted with malicious software that was "light-years more sophisticated" than malevolent programs commonly downloaded from the Internet.
Karl Wabst

Network Security - Preventing Identity Theft Throughout the Data Life Cycle - 0 views

  •  
    Identity theft concerns are focused on the security and necessity of the collection process. Collecting personal information just because you can is unsafe. Organizations can reduce privacy risks by not collecting unnecessary personal info. Once the data gets into the data life cycle pipeline, the cost of managing and destroying it escalates. The Federal Trade Commission estimates that as many as 9 million people have their identities stolen every year. According to the Privacy Rights Clearinghouse, more than 200 million instances of data breaches have occurred since the beginning of 2005, and they show no signs of letting up. In the first quarter of 2008 alone, more than 85 million incidents were reported. The causes of data breaches run the gamut: Hackers get unencrypted, transmitted data and data at rest; laptops are stolen or lost; storage devices are lost by third-party shipping companies; flash drives or PDAs are left lying around; Social Security numbers are accidentally printed on envelopes; or data is found on discarded computers. This article examines the organizational risks to CPAs and their clients or corporate employers of improperly managed data throughout the data life cycle. It also discusses best data management practices and proper procedures for responding to a data breach. Data breaches, whatever the cause, are costly. According to a study by the Ponemon Institute, the average cost of a data breach in 2007 was $6.3 million. The average cost to an organization per record compromised is about $197, which is typically spent on phone calls for customer notification, providing free credit monitoring, discounts on membership fees, or discounts on merchandise to make up for the security breach. Some organizations also experience an increase in customer turnover. The organization typically spends additional money in data protection enhancements. Companies sanctioned by
Karl Wabst

Verizon report goes deep inside data breach investigations - 0 views

  •  
    "Hackers are using a variety of weapons and exploiting errors such as default passwords and weak or misconfigured access control lists (ACLs), according to the latest Verizon Business Data Breach Investigations Report. The follow-up to April's 2009 Data Breach Investigation Report looks under the hood of the company's probes, analyzing how breaches happen and how to protect sensitive data. "Customers who read the 2009 Data Breach Investigation Report said they wanted to know how these attacks take place, give some examples from our caseloads and see if those circumstances can happen to them," said Wade Baker, Verizon Business research and intelligence principal. "
Karl Wabst

Slide 1 - 0 views

  •  
    "This presentation contains statements of a forward-looking nature which represent our management's beliefs and assumptions concerning future events. Forward-looking statements involve risks, uncertainties and assumptions and are based on information currently available to us. Actual results may differ materially from those expressed in the forward-looking statements due to many factors, including without limitation, the impact that the significantly unfavorable economic conditions confronting the United States may have on our business, the results and effects the security breach of our processing system may have on us, including the costs and damages we may incur in connection with the claims arising from such breach that have been made and may in the future be made against us, the extent of cardholder information compromised and the possibility that such security breach could cause us to lose customers or make it difficult for us to obtain new customers, the possibility that we may not be successful in developing and implementing an end to end encryption solution, the possibility that if we are successful in developing and implementing an end to end encryption solution it may not prevent future security breaches of our payment processing system, and additional factors that are contained in the Company's Securities and Exchange Commission filings, including but not limited to, the Company's annual report on Form 10- K for the year ended December 31, 2008. We undertake no obligation to update any forward-looking statements to reflect events or circumstances that may arise after the date of this presentation. Topics / Agenda - The Future of Electronic Payments * What Is The Problem? The Cybercrimes Arms Race * Who Is Heartland Payment Systems? * What Happened and What Has/Will It Cost? * What Did We Do About It and What Are We Doing Now? * Massive Quantity/Quality of Breaches Call for Enhanced Solutions * Our New Solution Called E3 -
Karl Wabst

United States, IT & Telecoms, HITECH Act Greatly Expands Scope of HIPAA's App... - 0 views

  •  
    Those who are superstitious may believe that bad things happen on Friday the 13th, but we will leave it to each individual and entity to formulate conclusions regarding the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), which Congress passed late on Friday, February 13, 2009, and President Obama officially signed into effect on February 17, 2009. The HITECH Act addresses various aspects relating to the use of health information technology (H.I.T.), including providing for federal funding by way of grants and incentive payments in order to promote H.I.T. implementation. This Alert focuses, however, on Subtitle D of the HITECH Act, which includes important, new and far-reaching provisions concerning the privacy and security of health information that will materially and directly affect more entities, businesses and individuals in more diverse ways than ever before. These changes are further elaborated upon below, but this Alert can only highlight certain prominent issues under the HITECH Act and is by no means a comprehensive review of this lengthy and complex Act. For questions and additional guidance on the HITECH Act, contact your Fox Rothschild attorney or the authors of this Alert. New Privacy and Security Requirements * Security Breach Notification Requirements: Security breach notification requirements under the HITECH Act go into effect 30 days after the date that interim final regulations are promulgated, which will be no later than 180 days after the date of enactment of the HITECH Act (August 16, 2009). Covered entities, business associates and vendors who handle personal health records are required to abide by breach notification requirements. Violations of this requirement by vendors would be treated as an unfair and deceptive act or practice in violation of the Federal Trade Commission Act. If a breach affects more than 500 individuals of a particular state, notice also must be provided to prominent media outl
Karl Wabst

Local government-spawning grounds for identity theft (part 1) - 0 views

  •  
    The federal GLBA, HIPAA, FACTA and its Red Flags and Disposal Rules, state data Breach Notification Laws and many other federal and state laws and industry regulations like PCI-DSS are intended to protect the privacy and security of consumers' personally identifiable and financial information entrusted to businesses and other organizations. Many such regulations aim to prevent identity theft and privacy violations. While some businesses have been negligent in securing information, other businesses have been victimized by black hat hackers or "crackers" who operate ahead of the cybersecurity technology curve. Cybersecurity is an ongoing challenge for businesses and for government as discussed in the President's Cyberspace Policy Review. In the four-year period ending in 2008, 23% of all data breaches reported were attributed to hackers. For those data breaches involving more than one million profiles, hacking was identified as the cause in 66% of the breaches according to a recent research report on data breach risk factors.