Group items tagged

A list of user names and passwords for customers of Comcast, one of the nation's largest Internet service providers, sat unprotected on the Web for the last two months. The list was 8,000 lines long, but Comcast said late Monday that just 700 of those lines contained information for active customer accounts. Kevin Andreyo, an educational technology specialist in Reading, Pa., and a professor at Wilkes University, came across the list Monday on Scribd, a document-sharing Web site. Mr. Andreyo was reading a recent article in PC World entitled "People Search Engines: They Know Your Dark Secrets… And Tell Anyone," when he was inspired to find out what information about him was online. He searched for his own e-mail address on the search engine Pipl. The list on Scribd was one of four results, and it also included his password, which was a riff on his love for a local sports team. Statistics on Scribd indicated that the list, which was uploaded by someone with the user name vuthanhan2004, had been viewed over 345 times and had been downloaded 27 times.

Industry Insiders Discuss HIT and HIPAA Issues March 30, 2009 by Astrid Fiano, Writer A significant part of President Obama's health care reform agenda is the push for implementing more health care technology. In the health care field privacy is always a major concern, and was the impetus of the Health Insurance Portability and Accountability Act of 1996--protecting the privacy of individually identifiable health information in all formats, and the confidentiality provisions of the Patient Safety Act--protecting identifiable information being used to analyze patient safety events. So those in the health care industry now wonder will the Administration's focus on health IT (HIT) present more challenges to privacy concerns? As part of a continuing focus on HIT issues, DOTmed interviewed industry expert Kirk J. Nahra, a partner in the Washington D.C. legal firm of Wiley Rein LLP, specializing in privacy and information security for the health care and insurance industries, and named an expert practitioner by the Guide to the Leading U.S. Healthcare Lawyers. DOTmed also interviewed Lise Rauzi, Vice President, Training Development, for Health Care Compliance Strategies (HCCS). HCCS provides online training compliance for employees. Nahra notes that regardless of the rising concern over privacy and the new HIT legislation, there have already been formal HIPAA security rules on electronic information in place for several years--the health care industry compliance has just been inconsistent. The problem -- to the extent there is one -- is that HIPAA rules are process-oriented, Nahra explained. The rules don't tell an entity what to do, but rather what to evaluate--a standard set of questions, but without a standard set of answers. For example, a covered entity has to have an internal audit, but the rules do not tell the entity how best to carry out that internal audit. Not surprisingly, different businesses have different ideas on how to implement their HIPAA evaluations

All but one of the legal claims filed against Hannaford Bros. -- the Maine-based retailer that suffered a security breach exposing some four million credit and debit cards -- has been dismissed. U.S. District Court Judge Brock Hornby threw out the civil claims against the grocer for its alleged failure to protect card holder data and to notify customers of the breach in a timely fashion. In dismissing the claims, Hornby ruled that without any actual and substantial loss of money or property, consumers could not seek damages. The only complaint he allowed to stand was from a woman who said she had not been reimbursed by her bank for fraudulent charges on her bank account following the Hannaford breach.

This week, the Government Accountability Office issued a report related to privacy and security issues at FDA and another report about the agency's plans to modernize its IT systems, Government Health IT reports. Privacy and Security Report On Monday, GAO released a report suggesting that FDA has not included sufficient privacy and security protections in its plans for a medical product safety monitoring system called the Sentinel Initiative. The system would use data from insurance companies, academic institutions, government agencies and health care providers to track the performance of medications and medical devices. According to the FDA Amendments Act of 2007, the initiative would have access to data from 25 million people by mid-2010 and 100 million people by mid-2012 (Foxhall, Government Health IT, 6/2). For the report, GAO conducted an audit of FDA's planning process for Sentinel from May 2008 to May 2009.

Privacy & security are individual rights and responsibilities, not just corporate or governmental responsibilities. Reliance on technology is bound to fail without motivation for all involved to find mutual benefits.

Identity theft and security is always in the spotlight through the constant stream of news stories about companies losing confidential customer or client data, such as social security numbers, credit card numbers, health histories and so forth. These "breaking news" stories now seem to happen so frequently that we scarcely pay attention to them unless, of course, we are directly impacted by them. They have, however, heightened the public awareness and have even spawned new identity protection businesses. Information technology companies rightly react to this by developing new technologies to improve security and eagerly market these to CIOs as a way to protect the personal information of their customers and clients. While we should use these appropriately, we can't rely just on technology for identity protection. While some of these security incidents involve someone hacking into a system, many involve a human failing. Examples include a laptop with confidential information being lost or stolen and employees e-mailing sensitive data to their personal e-mail accounts so they can work on it from home.

It was only a matter of time! Auditor accuracy being examined in lawsuit may signal change in PCI and other compliance processes.

When CardSystems Solutions was hacked in 2004 in one of the largest credit card data breaches at the time, it reached for its security auditor's report. In theory, CardSystems should have been safe. The industry's primary security standard, known then as CISP, was touted as a sure way to protect data. And CardSystems' auditor, Savvis Inc, had just given them a clean bill of health three months before. Yet, despite those assurances, 263,000 card numbers were stolen from CardSystems, and nearly 40 million were compromised. More than four years later, Savvis is being pulled into court in a novel suit that legal experts say could force increased scrutiny on largely self-regulated credit card security practices. They say the case represents an evolution in data breach litigation and raises increasingly important questions about not only the liability of companies that handle card data but also the liability of third parties that audit and certify the trustworthiness of those companies. "We're at a critical juncture where we need to decide . . . whether [network security] auditing is voluntary or will have the force of law behind it," says Andrea Matwyshyn, a law and business ethics professor at the University of Pennsylvania's Wharton School who specializes in information security issues. "For companies to be able to rely on audits . . . there needs to be mechanisms developed to hold auditors accountable for the accuracy of their audits." The case, which appears to be among the first of its kind against a security auditing firm, highlights flaws in the standards that were established by the financial industry to protect consumer bank data. It also exposes the ineffectiveness of an auditing system that was supposed to guarantee that card processors and other businesses complied with the standards. Credit card companies have touted the standards and the auditing process as evidence that financial transactions conducted under their purview are secur

The Interior Department's inspector general has found widespread mishandling and erratic tracking of special passports issued to department officials traveling overseas, alleging that in numerous instances employees violated federal privacy laws by improperly securing passports and passport application forms. In some cases, officials couldn't account for expired passports of former employees, and could not locate a passport once issued to former Interior secretary Gale Norton. The inspector general's report warned that such mismanagement and lax protection could result in cases of fraud or identity theft impacting current and former employees. "Given the risk of misuse that missing and unsecured passports, visas and passport applications pose, we cannot understate the importance of acting swiftly to address these violations and prevent their recurrence," Acting Inspector General Mary L. Kendall wrote in a memo sent with a copy of the report last week to Interior Secretary Ken Salazar.

The United States' 35-year-old federal privacy law and related policies should be updated to reflect the realities of modern technologies and information systems, and account for more advanced threats to privacy and security, according to a report sent today to OMB Director Orszag. In its 40-page paper, the National Institute of Standards and Technology's Information Security and Privacy Advisory Board calls for Congress to amend the 1974 Privacy Act and provisions of the 2002 E-Government Act to improve federal privacy notices; clearly cover commercial data sources; and update the definition of "system of records" to encompass relational and distributed systems based on government use of records, not just its possession of them. The panel included technology experts from industry and academia. The panel wants heightened government leadership on privacy and suggests the hiring of a full-time chief privacy officer at OMB and regular Privacy Act guidance updates from the office. Chief privacy officers should be hired at major agencies and a chief privacy officers' council should be created, much like the Chief Information Officers' Council that is chaired by OMB's e-government and IT administrator.

More than 6 million current and former customers of online brokerage TD Ameritrade Holding Corp. will be able to benefit from the settlement of a class-action lawsuit filed over the theft of client contact information. Formal notice of a settlement agreement will be sent to people who used TD Ameritrade's services before mid-September 2007. U.S. District Judge Vaughn Walker in San Francisco approved a revised version of the settlement agreement earlier this month despite some misgivings about it. Last summer, Walker rejected an earlier version of the deal. Anyone who held an Ameritrade account or provided an e-mail address to the company before Sept. 14, 2007, could benefit from the lawsuit. The database that was breached included information on 6.2 million people. The plaintiffs in the lawsuit said they received unwanted e-mail ads about certain stocks. The ads appeared to be designed to manipulate the value of thinly traded stocks. Ameritrade officials and one of the lead plaintiff's attorneys, Scott Kamber, have said the data theft has not been linked to cases of identity theft. As part of the proposed settlement, the Omaha-based company will pay nearly $1.9 million in legal fees and cover the cost of one year of anti-spam service for the victims. Ameritrade also promised to better protect customer data. Those terms have not changed from the original proposed settlement. But the new agreement will more clearly state that Ameritrade customers were at risk of identity theft, and it will preserve customers' ability to pursue identity theft claims against Ameritrade. Most of the changes to the agreement happened because the Texas Attorney General's Office and a former named plaintiff objected to the previous deal. In his order, the judge questioned whether the settlement does enough to benefit Ameritrade clients whose information was stolen. "The court is particularly concerned that TD Ameritrade has agreed to pay the class counsel $1.87 million and yet the

Why employers should actually perform background checks.

A former Texas lottery worker was arrested while training for a new job Tuesday - his fourth with the state - and charged with illegally "possessing" personal information on 140 lottery winners and employees, including their names and Social Security numbers. Joseph Mueggenborg was still working for the Lottery Commission in 2007 when he allegedly took the information, which was discovered last year on a state computer at the Comptroller of Public Accounts where he later was employed. He was fired and the information was turned over to criminal investigators. When arrested Tuesday, however, the computer analyst was training for yet another job, at the Texas Department of Licensing and Regulation. Travis County prosecutor Jason English said it was "concerning" that the man was still working for the state after being fired by the comptroller. Susan Stanford, a spokeswoman for the Texas Department of Licensing and Regulation, said the department was unaware Mueggenborg had been fired and was under investigation when he was hired as a systems analyst three weeks ago. He was receiving job-related training at the time of his arrest, she said. The department has secured Mueggenborg's computer and begun a forensic study.

Twenty-three of the 24 major U.S. government agencies contain weaknesses in their information security programs, potentially placing sensitive data at risk to exposure, according to a government report issued this week. The U.S. Government Accountability Office (GAO) studied how the agencies were responding to the regulations described in the Federal Information Security Management Act of 2002 (FISMA). The mandate requires government entities to develop and implement an agencywide information security program. Inspectors general conduct annual reviews of agency progress. The GAO review, which took place between last December and this month, concluded that, partly based on inspectors general and federal Office of Management and Budget (OMB) reports, that 23 of 24 agencies contain lax controls to ensure that only approved users can access system data. Meanwhile, 22 of 24 agencies described information security as a "major management challenge," according to the report.

Concerned that Google knows too much about you? The company provides many ways to protect your privacy online -- you just need to find them. Here are six good ones. 1. Know your privacy rights: Use the Google Privacy Center. This site includes all of Google's privacy policies, as well as privacy best practices for each of its products and services. Although the "legalese" of privacy policies can be difficult to understand, Google's Privacy Channel offers a library of short YouTube videos with practical tips on protecting your data when using Google products and services. Try the "Google Search Privacy" and "Google Privacy Tips" series. 2. Protect your content on the services you use. Some content that Google stores for you, such as photos uploaded in Picasa Web Albums, are public by default. You can protect your privacy when you upload photos by choosing the appropriate checkbox. Choices include "unlisted" (accessible only if you have the Web link, and not indexed by Web search engines) or private (viewable only by named users who must sign in). Another example: You can take a Google Chat "off the record" if you don't want the instant messaging transcript stored. In contrast, Google Latitude, which tracks your whereabouts by way of GPS-enabled cell phones, does not share your location data by default. You must authorize others to see it. Latitude stores your last known location, but not your history. 3. Turn off the suggestion feature in the Chrome browser. By default, Chrome retains a history of Web sites you've visited -- and the full text of those pages -- so it can try to guess which Web address you want as you type in the "Omnibox." You can turn the feature off by going to "Under the Hood" under Options and unchecking the "Use a suggestion service" box. You can also select other privacy options, including surfing in Chrome's "incognito" mode. 4. Turn off Web History. You may have turned on the Web History option, also called Personalized Search, when yo

When the director of IT at a Boston-based, midsize pharmaceutical firm was first approached to participate in a data leakage audit, he was thrilled. He figured the audit would uncover a few weak spots in the company's data leak defenses and he would then be able to leverage the audit results into funding for additional security resources. "Data leakage is an area that doesn't get a lot of focus until something bad happens. Your biggest hope is that when you raise concerns about data vulnerability, someone will see the value in allowing you to move forward to protect it," the IT director says. But he got way more than he bargained for. The 15-day audit identified 11,000 potential leaks, and revealed gaping holes in the IT team's security practices. (Read a related story on the most common violations encountered.) The audit, conducted by Networks Unlimited in Hudson, Mass., examined outbound e-mail, FTP and Web communications. The targets were leaks of general financial information, corporate plans and strategies, employee and other personal identifiable information, intellectual property and proprietary processes. Networks Unlimited placed one tap between the corporate LAN and the firewall and a second tap between the external e-mail gateway and the firewall. Networks Unlimited used WebSense software on two servers to monitor unencrypted traffic. Then it analyzed the traffic with respect to company policy. Specifically, Networks Unlimited looked for violations of the pharmaceutical firm's internal confidentiality policy, corporate information security policy, Massachusetts Privacy Laws (which go into effect in 2010), Health Insurance Portability and Accountability Act (HIPAA), and Security and Exchange Commission and Sarbanes-Oxley regulations. Auditor Jason Spinosa, senior engineer at Networks Unlimited, says that while he selected the criteria for this audit, he usually recommends that companies take time to determine their policy settings based on their risk

Google never fails to surprise. It's the scope and scale of their ambitions that impresses me ranging as they do from relatively simple applications that are just way cool such as Sky Map, through their Chrome Web browser (which is now looking pretty stable), to the subject of this newsletter: Google Health. Google Health, which was launched as a beta (of course) in spring 2008, is a free repository for your personal health information. Using the service you can create online health profiles for yourself, family members or others you care for (these profiles can include health conditions, medications, allergies and lab results), you can import medical records from hospitals and pharmacies, share your health records with "your care network" (which may include family members, friends and doctors), and browse an online health services directory to find services that are integrated with Google Health. After you sign up you can import your medical records from Allscripts, Anvita Health, The Beth Israel Deaconess Medical Center, Blue Cross Blue Shield of Massachusetts, The Cleveland Clinic, CVS Caremark, Healthgrades, Longs Drugs, Medco Health Solutions, Quest Diagnostics, RxAmerica and Walgreens. What you'll wind up with if you update all of the sections is a pretty complete health profile, which means that privacy has to be a concern. Interestingly, because becoming a subscriber is voluntary it appears that the service is exempt from the provisions of the Health Insurance Portability and Accountability Act of 1996.

A third (34 per cent) of discarded hard disk drives still contain confidential data, according to a new study which unearthed copies of hospital records and sensitive military information on eBayed kit. The study, sponsored by BT and Sims Lifecycle Services and run by the computer science labs at University of Glamorgan in Wales, Edith Cowan University in Australia and Longwood University in the US, also found network data and security logs from the German Embassy in Paris on one purchased drive. Researchers bought 300 drives from eBay, other auction sites, second-hand stalls and car boot sales. A disk bought on eBay contained details of test launch routines for the THAAD (Terminal High Altitude Area Defence) ground to air missile defence system. The same disk also held information belonging to the system's manufacturer, Lockheed Martin, including blueprints of facilities and personal data on workers, including social security numbers. Lockheed Martin denies that the disk came from it. The arm manufacturer has launched an investigation that aims to uncover just how the sensitive data might have been wound up on the disk. Two discs bought in the UK apparently came from Lanarkshire NHS Trust, including patient medical records, images of X-rays and staff letters. Lanarkshire NHS Trust runs the Monklands and Hairmyres hospitals. In Australia, the exercise turned up a disk from a nursing home that contained pictures of actual patients and their wound photos, along with patient details. A hard disk from a US bank contained account numbers and details of plans for a $50bn currency exchange through Spain. Details of business transactions between the bank and organisations in Venezuela, Tunisia and Nigeria were also included. Correspondence between a member of the Federal Reserve Board and the unnamed banks revealed that one of the deals was already under scrutiny by the European Central Bank, and that federal investigators were also taking an interest. Yet anothe

Six federal agencies issued a set of frequently asked questions (FAQs) today to help financial institutions, creditors, users of consumer reports, and issuers of credit cards and debit cards comply with federal regulations on identity theft and discrepancies in changes of address. The "Red Flags and Address Discrepancy Rules," which implement sections of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), were issued jointly on November 9, 2007, by the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Federal Trade Commission (FTC). The rules require financial institutions and creditors to develop and implement written Identity Theft Prevention Programs and require issuers of credit cards and debit cards to assess the validity of notifications of changes of address. The rules also provide guidance for users of consumer reports regarding reasonable policies and procedures to employ when consumer reporting agencies send them notices of address discrepancy. The agencies' staff have jointly developed answers to these FAQs to provide guidance on numerous aspects of the rules, including which types of entities and accounts are covered; establishment and administration of an Identity Theft Prevention Program; address validation requirements applicable to card issuers; and the obligations of users of consumer reports upon receiving a notice of address discrepancy.

Consumers, who become victims of identity theft through access to public records, do not have a clue as to how they became a victim. They cannot know unless the fraudster who "legally accessed" the public information is caught and confesses that they used or sold the information for identity theft. Most often end users of stolen identities are caught, not the kingpins. Illegal immigrants who purchase identities on the street sometimes for hundreds of dollars do not know the source. * What can an identity thief do with a name and SSN? Here is a short list. * Make a fake Social Security Card (see image below) * Make a fake Medicare Card and get medical treatment and Medicare benefits * Use the fake Social Security Card to get a driver's license or passport * Get a job and government benefits. * Get credit and open new financial accounts * Get housing, utilities and phone service * Get insurance * Thieves use fake ID to elude law enforcement by pretending they are you.

Difficult economic times can be the breeding ground for increased fraudulent activities. In July 2009, the Financial Crimes Enforcement Network (www.fincen.gov) published its 12th edition of The SAR Activity Review - By the Numbers. SARs (Suspicious Activity Reports) are one key aspect of FinCEN's efforts related to its responsibility for regulatory administration of the Bank Secrecy Act of 1970. Many different financial industries such as banks, credit unions, insurance companies, check-cashing services, broker/dealers, and casinos are required to complete and file SARs. According to FinCEN's press release on the SAR Activity Review, "The report reveals that of the 20 different violation types tracked, seven of the categories relate specifically to fraud and all seven showed an increase in SAR filings during the year. While these categories represent one-third of the possible violation types, they accounted for nearly half of the increase in total SAR filings from 2007 to 2008, with all of the fraud categories seeing double-digit increases in percentage of filings in 2008. These categories are: check fraud, mortgage loan fraud, consumer loan fraud, wire transfer fraud, commercial loan fraud, credit card fraud, and debit card fraud." Could any of this apply to you? Are your control and monitoring processes able to identify these examples of common patterns of suspicious activity that FinCEN has identified?

As I mentioned two weeks ago, a recent survey indicates that more than half of large companies have limited knowledge of which systems or applications their employees have access to. This marks a system access problem, and a growing risk during a period of frequent and large layoffs. If a company needs to turn off access manually (which is often the case), it may miss several user accounts that they don't realize exist. This leaves the door open for past employees, and others, to access important data, including financial information and customer information. To learn more about these open-door system risks, I asked Courion vice president Kurt Johnson about his firm's research.

Diplomats and civil servants are to be warned about the danger of putting details of their family and career on social networking websites. The advice comes after the wife of Sir John Sawers, the next head of MI6, put family details on Facebook - which is accessible to millions of internet users. Lady Sawers disclosed details such as the location of the London flat used by the couple and the whereabouts of their three children and of Sir John's parents. She put no privacy protection on her account, allowing any of Facebook's 200 million users in the open-access London network to see the entries. Lady Sawers' half-brother, Hugo Haig-Thomas, a former diplomat, was among those featured in family photographs on Facebook. Mr HaigThomas was an associate and researcher for David Irving, the controversial historian who was jailed in Austria in 2006 after pleading guilty to Holocaust denial. Patrick Mercer, the Conservative chairman of the Commons counter-terrorism sub-committee, said that the entries were a serious error and potentially damaging.