Home/ CIPP Information Privacy & Security News/ Group items tagged Failure

Karl Wabst

Most claims dismissed in Hannaford data breach suit

  •  
    All but one of the legal claims filed against Hannaford Bros. -- the Maine-based retailer that suffered a security breach exposing some four million credit and debit cards -- has been dismissed. U.S. District Court Judge Brock Hornby threw out the civil claims against the grocer for its alleged failure to protect card holder data and to notify customers of the breach in a timely fashion. In dismissing the claims, Hornby ruled that without any actual and substantial loss of money or property, consumers could not seek damages. The only complaint he allowed to stand was from a woman who said she had not been reimbursed by her bank for fraudulent charges on her bank account following the Hannaford breach.
Karl Wabst

Sears Settles with FTC over Privacy Breach, Agrees to Destroy Customers' Personal Data ...

  •  
    Better to settle with the FTC than get your company's reputation as consumer-friendly (deserved or not) dragged through the court of public opinion.
  •  
    Sears Holdings has agreed to settle allegations it collected personal data from customers without adequate disclosures, the Federal Trade Commission said on Thursday. The FTC had accused Sears Holdings, created in 2005 with the merger of Sears and Kmart, of paying online customers $10 to allow the company to track their online browsing. But the FTC said Sears also collected information on non-Sears sites, such as online bank statements, drug prescription records and emails. "The software would also track some computer activities that were not related to the Internet," the FTC said in a statement. Sears did disclose all it would monitor in a lengthy user license agreement, but the FTC argued it was not enough. "The complaint charges that Sears' failure to adequately disclose the scope of the tracking software's data collection was deceptive and violates the FTC Act," the FTC said in a statement. Sears did not immediately reply to two telephone calls and one email seeking a comment. Under the settlement, Sears is required to destroy the data collected and make future disclosures more prominent.
Karl Wabst

What keeps IT managers awake at night? - FierceCIO

  •  
    It's hardly a bed of roses these days for IT companies and their managers. There are plenty of things nagging at high-tech vendors, too, according to the annual RiskFactor Report for Technology Businesses published by the financial consultancy, BDO Seidman. The information was gleaned from fiscal year 2008 10-K SEC filings of the 100 largest publicly traded U.S. tech companies. Strong competition and consolidation risk factors top the list of IT managers' concerns. Failure to develop new products or services is also a big headache. Other items making the worry list: * International operations. * Management of current and future M&As. * And, for the first time: Natural disasters, war, conflicts and terrorist attacks. So how should a top manager deal with all this uncertainty? Play some tennis, go for a run, gobble a few Tums and then forge ahead with the best ideas you have.
Karl Wabst

PCI, QSAs, Hackers, and Slackers: Will the Real Enemy Please Stand Up? - CSO Online - S...

  •  
    A very heated reaction has followed the interview I conducted yesterday with Robert Carr, CEO of Heartland Payment Systems. One reader even said the resulting Q&A made his "blood boil." Why the outrage? Because Carr did something a lot of people find unacceptable. He threw someone else under the proverbial bus for his company's failure to keep customer credit and debit card numbers out of evil hands. Specifically, he thrust an angry finger at the QSAs who came in to inspect the security controls Heartland had in place to meet the requirements of PCI security. In the article, [Heartland CEO on Data Breach: QSAs Let Us Down] Carr said, "The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn't even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, 'You've got to be kidding me.' That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can't reconcile that." That one comment brought down the house, and not in a favorable way. "I just read Bill Brenner's interview with Heartland Payment Systems' CEO Bob Carr and truthfully, my blood is boiling," Mike Rothman, SVP of strategy at eIQnetworks and chief blogger at Security Incite wrote in a counterpoint piece CSOonline ran today. "Basically, he's throwing his QSA under the bus for the massive data breach that happened under his watch. Basically, because the QSA didn't find anything, therefore he should be off the hook. I say that's a load of crap."
Karl Wabst

Diebold Admits Systemic Audit Log Failure; State Vows Inquiry | Privacy Digest

  •  
    Premier Election Solutions (formerly Diebold Election Systems) admitted in a state hearing Tuesday that the audit logs produced by its tabulation software miss significant events, including the act of someone deleting votes on election day. The company acknowledged that the problem exists with every version of its tabulation software. The revelation confirmed that a problem uncovered by Threat Level in January, and reiterated in a report released two weeks ago by the California secretary of state's office, has widespread implications for election jurisdictions around the country that use any version of the company's Global Election Management System (GEMS) software to tabulate votes. "Today's hearing confirmed one of my worst fears," said Kim Alexander, founder and president of the non-profit California Voter Foundation. "The audit logs have been the top selling point for vendors hawking paperless voting systems. They and the jurisdictions that have used paperless voting machines have repeatedly pointed to the audit logs as the primary security mechanism and 'fail-safe' for any glitch that might occur on machines. To discover that the fail-safe itself is unreliable eliminates one of the key selling points for electronic voting security."
Karl Wabst

California water company insider steals $9 million, flees country

  •  
    An insider at the California Water Service Company in San Jose broke into the company's computer system and transferred $9 million into offshore bank accounts and fled the country. Abdirahman Ismail Abdi, 32, was an auditor for the water company, which delivers drinking water throughout the state and is located in San Jose, Calif. Abdi resigned from his position on April 27. Allegedly, that night he went back to work and made three wire transfers totaling more than $9 million from the company's accounts to an account in Qatar. Abdi was seen by a janitor on the night of the crime, according to the San Jose Mercury News, citing court documents filed Wednesday in the federal court at San Jose. The next morning, the water company discovered what had been done and worked with their bank to have the money returned to their account. The company notified police, who are currently investigating the case, Jose Garcia, public information officer at the San Jose Police Department, told SCMagazineUS.com on Friday.
  •  
    Internal controls failure.