Group items tagged

On Friday, Brunswick, Maine-based heating and hardware firm Downeast Energy & Building Supply sent a letter notifying at least 850 customers that the company had suffered a data breach. Downeast sent the notice after discovering that hackers had broken in and stolen more than $200,000 from the company's online bank account. The attack on Downeast Energy bears all the hallmarks of online thieves who have stolen millions from dozens of other businesses, schools and counties over the past several months. In every case, the thieves appeared more interested in quick cash than in pilfering their victims' customer databases. Nevertheless, the intrusions highlight an additional cost for victims of this type of crime: complying with state data breach notification laws. "This is something new to us, fortunately, but we have responsibilities under Maine statute to report these things to our customers and employees," said the company's president, John Peters, in an interview with Security Fix. At least 44 other states and the District of Columbia have similar data breach notification laws. Sometime prior to September, attackers planted keystroke logging malware on Downeast's computer systems, and stole the credentials the company uses to manage its bank accounts online. Then, on or around Sept. 2, the hackers used that access to initiate a series of sub-$10,000 money transfers out of the company's account to at least 20 individuals around the United States who had no prior business with Downeast Energy. This type of crime is impossible without the cooperation of so-called "money mules," willing or unwitting individuals typically hired via Internet job search Web sites to act as "local agents" or "financial agents" responsible for moving money on behalf of a generic-sounding international corporation, legal experts say.The mules are then instructed to withdraw the cash and wire it via Western Union or Moneygram to fraud gangs overseas, typically in Eastern Europe.

Chase Bank has sent out data breach notification letters to an undisclosed number of customers after a computer tape with customers' personal information was reported missing from a third-party vendor's storage facility. Tom Kelly, spokesperson for New York-based Chase, the commercial/consumer banking arm of financial giant JPMorgan Chase, says the vendor -- which he would not name -- confirmed it received and maintained the tape, and that its offsite facility had been searched thoroughly after the tape disappeared. Kelly would not say if the data on the tape was encrypted, but says its data can be read only with special equipment and software. "We have no evidence to indicate any of the information has been viewed or used inappropriately," Kelly says. A local ABC News station in Louisville, KY first reported the missing data tape and the notification letters being sent in August. Kelly says the notification letters are being sent out in batches, but would not say how long the tape has been missing, nor what type of customers' information (credit or banking) was on the tape. The electronic files, according to the notification letter, may have included names, addresses and Social Security numbers, but did not include any banking or financial information. Affected customers are being offered a free one-year subscription to the bank's identity protection program, Kelly says. For more information on 2009 data breaches involving financial institutions, see this interactive timeline

"Madison Avenue has joined forces with Internet companies in a last-ditch attempt to stop privacy regulations over the $29 billion online-ad industry. The industry is finalizing an ad campaign to educate consumers about how digital advertising works, creating an icon that would appear on Web pages or ads alerting consumers if their activity is being tracked and deploying new technologies to police the Web for illegal activities. At issue is the practice of tracking consumers' Web activities - from the searches they make to the sites they visit and the products they buy - for the purpose of targeting ads. The efforts follow calls from the FTC earlier this year for Web advertisers and Internet companies to do a better job explaining how they track and use information about consumers' Web activities and creating a simple way consumers can opt out of being tracked. Meanwhile, scrutiny in Washington continues to build. Lawmakers and regulators have broadened their scope beyond the Internet and are starting to examine privacy practices for a wider swath of media and technologies, from mobile phones and newfangled interactive TV commercials to telephone pitches and the advertisements consumers receive in their mailboxes."

"A key, centrist digital rights group is set to put out a report calling for strong federal privacy laws and guidelines to regulate the growing tracking and targeting of Americans online. It argues that the self-regulation approach that industry fights for just hasn't worked. The online ad industry has "historically failed to fully implement its self-regulatory principles," according to the 34-page draft report by the Center for Democracy and Technology. CDT is a centrist D.C. group that works with and is substantially funded by the tech industry, including companies like Facebook, Google and AOL that are deeply invested in targeted ads. "Recently revised self-regulatory principles still fall short (.pdf) even as written," charges the draft, obtained by Wired.com. These tough words spearhead a new tactic for a group more used to convening inside-the-Beltway tech policy forums than launching ACLU-style send-outraged-e-mail campaigns. The CDT, which splintered off from the rabble-rousing Electronic Frontier Foundation 15 years ago, is also planning to launch a "Take Back Your Privacy" campaign on Thursday, designed to garner support for its call for comprehensive federal privacy legislation. Dozens of tech firms, known and obscure, record users' behaviors as they interact with search engines, blogs, e-commerce sites and even government websites. The tracking goes on in the background with little knowledge by consumers and even less oversight from government authorities. The tech industry - like others subject to potentially blunt-forced government regulation - has argued that policing itself was enough to prevent egregious privacy intrusions that could proliferate without any real chance individuals would even be aware of them."

"In dire economic times such as these, companies are scouring their internal functionalities seeking ways to run "leaner and meaner." Operations and personnel that do not ostensibly contribute to profit are at risk. And nowhere are employees more vulnerable than in New York City, the nation's center for financial services, an industry particularly devastated. Because the influence of privacy on profit is not immediately apparent, managers searching for excisable fat will doubtless be attracted to the privacy function, concluding that it makes no contribution to the bottom line. But although many view privacy solely as a legal concept, it often provides important commercial benefits. Where privacy does indeed contribute to profit, chopping away at privacy will be counterproductive, slicing off meat and bone, rather than fat. If management is not educated to this fact, the privacy function will be at unnecessary risk. There are 11 reasons why privacy may benefit the bottom line, which should be raised with management."

"Federal agents can examine webcam photos and other information secretly collected from students' laptops and stored in the Lower Merion School District's computer network, a judge has ruled. Acting on a request from federal prosecutors, U.S. District Judge Jan E. DuBois agreed to broaden an earlier order that limited the release of the photos to the students or their parents and lawyers. His order was signed Friday and made public Monday. FBI agents and prosecutors want to review the images to see whether any laws were broken when school district employees activated a tracking system that snapped photos and copied screen images from lost or stolen laptops. Lower Merion school officials have acknowledged poor planning and oversight led the tracking system to capture at least 50,000 images - some showing teens or their relatives in their homes - from laptops that had already been returned to students."

Confused by the difference between privacy & security? What might your kid's laptop camera capture if it was secretly turned on by their school while searching for stolen laptops? Soon the FBI will be able to tell you.

"This presentation contains statements of a forward-looking nature which represent our management's beliefs and assumptions concerning future events. Forward-looking statements involve risks, uncertainties and assumptions and are based on information currently available to us. Actual results may differ materially from those expressed in the forward-looking statements due to many factors, including without limitation, the impact that the significantly unfavorable economic conditions confronting the United States may have on our business, the results and effects the security breach of our processing system may have on us, including the costs and damages we may incur in connection with the claims arising from such breach that have been made and may in the future be made against us, the extent of cardholder information compromised and the possibility that such security breach could cause us to lose customers or make it difficult for us to obtain new customers, the possibility that we may not be successful in developing and implementing an end to end encryption solution, the possibility that if we are successful in developing and implementing an end to end encryption solution it may not prevent future security breaches of our payment processing system, and additional factors that are contained in the Company's Securities and Exchange Commission filings, including but not limited to, the Company's annual report on Form 10- K for the year ended December 31, 2008. We undertake no obligation to update any forward-looking statements to reflect events or circumstances that may arise after the date of this presentation. Topics / Agenda - The Future of Electronic Payments * What Is The Problem? The Cybercrimes Arms Race * Who Is Heartland Payment Systems? * What Happened and What Has/Will It Cost? * What Did We Do About It and What Are We Doing Now? * Massive Quantity/Quality of Breaches Call for Enhanced Solutions * Our New Solution Called E3 -

Emily Riley of Forrester Research presented a lot of data during her keynote presentation at today's OMMA Behavioral Conference but one point she made seemed rather salient to me: many of those marketers and data firms involved in behavioral targeting seem to skip over social media as a source of information. They might look at the data surrounding the usage of those sites but they seem to rarely do any actually monitoring, let alone interacting there. It reminded me of an experience I had with my wife. We once lived in a building where we didn't have much interaction with our neighbors, very little beyond an occasional wave in the hallway. We could, however see their mail mixed with ours and our landlord's. My wife began to notice that the landlord and our neighbor were starting to get similar envelopes from law firms. I, being the incurious mail sorter I am, didn't really think much of it. She, on the other hand, was convinced that one of them must be suing the other and was able to spin out some fairly detailed scenarios based on other clues from the hallway, the presence of exterminators one day, the thickness of paint on the front door etc. One day I encountered our neighbor in the hallway and did my customary wave. "Oh by the way," He said, "We're moving out next week." Oh really? He then regaled me with the entire story which involved a variety of things including an exterminator, paint thickness, and law firms. My wife and I were both able to glean essentially the same information. However if I had approached him and said, without any warning, "I bet you and our landlord are having one heckuva legal squabble," he probably would have punched me in the nose. I also believe that the ease with which I was able to get the whole story out of him suggests that had we interacted more it would have been I scooping my wife and not the other way around. These two approaches to gathering information are akin to the difference between following

Hackers, possibly from Asia, have stolen about a decade's worth of personal information on current and former UC-Berkeley students, the university announced Friday. The breaches involved records dating to 1999 at the school's health center that included Social Security numbers, health insurance information, immunization history and the names of treating physicians. No other treatment-related records were stolen, the university said, although self-reported medical histories of students who studied abroad were hacked. The school on Friday sent e-mails and letters to 160,000 people, including about 3,400 Mills College students who used or were eligible for University of California-Berkeley medical services. About 97,000 people are most at risk because their names and Social Security numbers could be connected by the hackers, said Steve Lustig, the university's associate vice chancellor for health and human services. "What's been taken is bits of data that the thief might put together into an identity," he said. The university traced the hackers back to Asia, possibly China, but the exact origin could not be pinpointed. UC and FBI investigators are probing the breaches, which apparently occurred over several months. An FBI spokesman said the agency was informed of the hacking immediately, but declined to provide more information. The thefts were discovered about a month ago, but system administrators did Advertisement not realize the breadth of the attack until April 21. The hackers disguised their work as routine operations and then left taunting messages for UC-Berkeley employees, said Shelton Waggener, the university's associate vice chancellor for information technology. The thieves accessed the information through the university Web site, he said. "You should think of it as a public building," Waggener said. "They got into the building properly, but then they broke into secure areas." Administrators at Mills College, which contracts with UC-Berkeley for

You have an unlisted phone number, you guard your personal information, you shred your financial papers- so everything is private and safe, right? Would you be alarmed to know that even when you think things are private, a perfect stranger can look you up online, see your address, birth date, past addresses, and even see a photo of your home, down to the detail of your child's play set out in the back yard? Alarmed yet? You should be. Take a look at this website: www.zabasearch.com. Simply plug your name in, and you are likely to be surprised, and probably a bit distressed to see all the information that is readily available online. How could this happen? Easy. Virtually every major change in your life is recorded somewhere in a government document. When you are born, a birth certificate is issued. When you obtain a driver's license, get married, buy a house, file a lawsuit ' all of these events are recorded in public documents easily available to you and to others. Government records are intentionally public in order to enable citizens to monitor the government and to ensure accountability in our society. The challenge is to balance the public's right to information with the individual's right to privacy.