Group items tagged

Companies in the technology, media and telecommunications industries (TMT) significantly reduced investment in security spending in 2008, according to a new survey from Deloitte Touche Tohmatsu. The third edition of the Deloitte TMT Global Security Survey reveals that 32 percent of respondents reduced their information security budgets, while 60 percent of respondents believe they are "falling behind" or still "catching up" to their security threats -- a significant increase from 49 percent over the previous year. "This year's results indicate companies are explicitly scaling back. With funding decreasing and the threats increasing, it is more important than ever for TMT companies to be highly cost efficient in addressing their security risks," said Irfan Saif, a principal in Deloitte & Touche LLP's Audit and Enterprise Risk Services practice. "Companies that do not have a sound understanding of their security risk profile, or who under-invest in security now, may find themselves exposed to significant and increasingly sophisticated threats that they are not equipped to mitigate." With the proliferation of digitized assets, security should claim a significant portion of a company's overall IT budget. However, only 6 percent of respondents allocate 7 percent or more of their total budget to IT security. This year represents a significant decline from the previous edition of the survey, which showed that 36 percent of the respondents allocated 7 percent or more of their budget to IT security. The survey also indicates that declining security investment is hindering adoption of new security technologies, with only 53 percent of respondents considering their organizations to be early adopters, or part of the early majority, down from 67 percent in 2007. Companies are focusing more effort on optimizing solutions that are already in place rather than investing in cutting-edge technology that can be capitalized upon during economic recovery.

The owner of a website onto which a purportedly stolen Goldman Sachs Group Inc computer code was downloaded has declined to say whether or not other people accessed the code while it was on the site. Roopinder Singh, who runs file storage website xp-dev.com, told Reuters in London on Friday that computer files show whether or not the valuable code -- which U.S. prosecutors have charged former Goldman employee Sergey Aleynikov with stealing -- was viewed by others, but he declined to say what they show due to the scale of the case. According to Singh, accounts at xp-dev.com initially have a privacy setting that only lets the user see them. However, users can change that setting to allow other people to view files. "Private is the default," he said. "You then have the option ... You can explicitly either share it (or keep it private)." He declined to say what the settings on Aleynikov's account were.

Regulators are examining Apple Inc's disclosures about Chief Executive Officer Steve Jobs' health problems to ensure investors were not misled, Bloomberg said, citing a person familiar with the matter. The Securities and Exchange Commission's review does not mean investigators have seen evidence of wrongdoing, the person told Bloomberg. The person declined to be identified because the inquiry is not public, the news service reported. Both the SEC and Apple declined to comment on the matter. Jobs, who earlier had said he had an easily treatable "hormonal imbalance," said last week his problems were "more complex" than originally thought, and he would take a medical leave of absence for six months. In 2004, Jobs was treated for a rare type of pancreatic cancer called an islet-cell, or neuroendocrine, tumor. Such tumors can be benign or malignant, but they usually grow slowly and are far less deadly than most pancreatic tumors.

Hackers, possibly from Asia, have stolen about a decade's worth of personal information on current and former UC-Berkeley students, the university announced Friday. The breaches involved records dating to 1999 at the school's health center that included Social Security numbers, health insurance information, immunization history and the names of treating physicians. No other treatment-related records were stolen, the university said, although self-reported medical histories of students who studied abroad were hacked. The school on Friday sent e-mails and letters to 160,000 people, including about 3,400 Mills College students who used or were eligible for University of California-Berkeley medical services. About 97,000 people are most at risk because their names and Social Security numbers could be connected by the hackers, said Steve Lustig, the university's associate vice chancellor for health and human services. "What's been taken is bits of data that the thief might put together into an identity," he said. The university traced the hackers back to Asia, possibly China, but the exact origin could not be pinpointed. UC and FBI investigators are probing the breaches, which apparently occurred over several months. An FBI spokesman said the agency was informed of the hacking immediately, but declined to provide more information. The thefts were discovered about a month ago, but system administrators did Advertisement not realize the breadth of the attack until April 21. The hackers disguised their work as routine operations and then left taunting messages for UC-Berkeley employees, said Shelton Waggener, the university's associate vice chancellor for information technology. The thieves accessed the information through the university Web site, he said. "You should think of it as a public building," Waggener said. "They got into the building properly, but then they broke into secure areas." Administrators at Mills College, which contracts with UC-Berkeley for

A former Goldman Sachs computer programer accused of stealing secret trading codes from the investment bank was being held in federal custody on Monday, pending the posting of $750,000 bail. Sergey Aleynikov, 39, was ordered by U.S. Magistrate Kevin Nathaniel Fox in Manhattan on Saturday to post a $750,000 personal recognizance bond to be secured by three financially responsible people, according to court documents. The bond also was to include $75,000 in cash, and Aleynikov was ordered to surrender his passport and not to access the computer data at issue in the case. A preliminary hearing in his case was scheduled for August 3. Aleynikov, a Russian immigrant living in New Jersey, was arrested on Friday night by FBI agents as he got off a flight at Newark Liberty International Airport, according to court documents. He is accused of "theft of trade secrets" related to computer codes used for sophisticated automated stock and commodities trading at an unspecified, New York-based financial institution, according to the court affidavit filed by FBI special agent Michael McSwain. Sources familiar with the situation have told Reuters columnist Matthew Goldstein that the financial institution is Goldman Sachs. A Goldman representative declined to comment on Monday. A lawyer for Aleynikov, Sabrina Shroff, also declined to comment.

Some American Express card members' accounts may have been compromised by an employee's recent theft of data, the company said Thursday. American Express Co. spokeswoman Susan Korchak said a "relatively small portion" of card members was involved, but declined to be more specific. The former employee has been arrested and the company is investigating how the data was obtained, she said. The company is in the process of notifying affected card members by letter. In one such letter sent last week, American Express Privacy Officer Alfred Silipigni said he was informing the member of "an unfortunate issue" concerning his card. "We recently learned that certain account data was acquired without authorization by an employee who is no longer with the company," he wrote. "The former employee has been arrested, and we are cooperating with law enforcement authorities with their ongoing investigation." American Express declined to disclose any more details about the incident beyond what was in the letter. The company has put additional fraud monitoring and protection controls on the accounts at issue, Korchak said. American Express has about 39 million corporate, small business and consumer cards in force in the United States.

"According to IT Skills and Certifications Pay Index released by Foote Partners, every category of IT certification, save one, saw a decline in pay premiums over the last 12 months. The percentages shown are the change in pay premium over the given period of time. "

A court has handed Blockbuster a preliminary defeat in a potential class-action lawsuit filed as a result of its participation in Facebook's ill-fated Beacon ad program, which notified members about their friends' e-commerce activity. U.S. District Court Judge Barbara Lynn in Dallas ruled that the case could proceed in court even though Blockbuster's contract with users calls for any disputes to be heard by an arbitrator rather than in court, and also says that users waive their right to file a class action lawsuit. Lynn determined that Blockbuster's contract with users was "illusory" because the agreement said that movie rental store could change the terms and conditions at any time. A Blockbuster spokesperson declined to comment on the case or state whether the company will appeal. The decision is a blow to Blockbuster because individual consumers would have had a difficult time bringing cases one-by-one against the company. But the decision paves the way for attorneys to argue that all consumers affected by Blockbuster's participation in Beacon should be able to proceed as a class. Internet law expert Venkat Balasubramani said Lynn's decision invalidating Blockbuster's user agreement was potentially far-reaching because many Web companies reserve the right to make changes to their terms of service. "It seems broad and could have impact on the terms of service used by a lot of different companies," he said.

Banks and financial firms are placing more emphasis on internal threats to cut the flow of data leakage as a result of employee mistakes or workers disgruntled with layoffs and downsizing during the economic crisis, according to a recent survey. The report, "Protecting What Matters: The Sixth Annual Global Security Survey," is based on a Deloitte survey of 250 CISOs in the financial-services industry. It found that 36% of respondents believe the internal threat represents the greatest risk to organizations, compared to 13% who said external threats are the biggest concern. Mark Steinhoff, head of Deloitte's financial services security and privacy practices, said an organization's biggest mistake would be to let its guard down. While the number of security breaches may have declined over the last year, cybercriminals are not rationing back their efforts. "The number of breaches that are occurring are really at the hands of insiders and organizations are understanding that there is a real threat of malicious attacks and exposure of personal information by insiders," Steinhoff said. The failing economy may be driving the increased concern over insider threats, Steinoff said. "The climate we're in today causes concerns about disgruntled employees," he said. "We are seeing the layoffs and other forms of downsizing. Frankly with limited budget and less than satisfied employees, it really raises the parameter on that threat." Human error is the leading cause of information systems failure, and is likely to be the main cause of security attacks in the near future, according to 86% of those surveyed. To protect against employee mistakes that lead to a breach, financial firms should focus on risk rather than compliance to protect themselves, Steinhoff said. "[Organizations] need to look at what they want to protect and look at various types of threats internally and evaluate who has access to the data and who has access to which system, and approach it from that persp

Kaiser Permanente says that the personal information of 29,500 employees in Northern California may have been exposed in a security breach. "A handful" of employees have reported identify theft, the Oakland, Calif.-based managed-care giant said. Police in San Ramon, Calif., seized a computer file containing the employee information from a suspect who was arrested. The suspect was not a Kaiser Permanente employee, and officials declined to provide further details. The file contained the names, addresses, phone numbers, Social Security numbers and dates of birth of the Kaiser workers. No health plan member information or personal health information was involved in the data breach, according to Kaiser officials. "We regret that this unfortunate incident occurred, and we understand the anxiety and worry that some employees may feel," said Gay Westfall, senior vice president for human resources at Kaiser Foundation Health Plan and Hospitals, Northern California, in a written statement. Kaiser is providing one year of free credit-monitoring to workers whose information was in the file.

Just days after President Obama signed a law giving billions of dollars to develop electronic health records, a university technology professor submitted a paper showing that he was able to uncover tens of thousands of medical files containing names, addresses and Social Security numbers for patients seeking treatment for conditions ranging from AIDS to mental health problems. Using peer-to-peer applications, which computer users download to share files, most commonly music and movies, M. Eric Johnson, director of the Center for Digital Strategies at Dartmouth College in Hanover, N.H., was able to access electronic medical records on computers that had the peer-to-peer programs stored on their hard drives. The medical files contained detailed personal data on physical and mental diagnoses, which a hacker could use to not only embarrass a patient but also to commit medical fraud. One of the largest stashes of medical data Johnson discovered during two weeks of research he conducted in January was a database containing two spreadsheets from a hospital he declined to identify. The files contained records on 20,000 patients, which included names, Social Security numbers, insurance carriers and codes for diagnoses. The codes identified by name four patients infected with AIDS, the mental illnesses that 201 others were diagnosed as having and cancer findings for 326 patients. Data also included links to four major hospitals and 355 insurance carriers that provided health coverage to 4,029 employers and 266 doctors.

The largest threat to online advertising is growing as the economy declines. More individuals will turn criminal, purchasing products or generating income through fraudulent means. Billions of dollars are stolen from businesses each year, and in 2009 companies will fight fraud with fewer resources.According to CyberSource, an estimated $4 billion dollars was lost to fraud in 2008 up from $3.7 billion in 2007, and 87% of merchants must fight fraud with the same or less staff in 2009. The increase in eCommerce fraud from 2007 to 2008 (and one can expect, in 2009) follows the advertisers' shift to spend more of their budget online. Much like crime statistics, one has to wonder how much fraud is not being reported because, among many reasons, commission-driven employees are not motivated or your company lacks resources.In early 2008, I was approached by our CEO to start a new division that would address our partners' fraud concerns-both real and perceived. He said, "I'm not going to lie to you. It's a SOB job." I was sold, and the Best Practices Division began.My team establishes best practices (measurable, repeatable events, processes, and procedures) and applies them internally and externally (to our partners' online marketing practices). At its core, best practices (BPs) are a set of standards that provide transparency and clear expectations of behavior and results to everyone involved in the business process. This accountability will drive the long-term performance of the online advertising industry while maintaining profitability without additional federal regulation.The BP approach can be applied to every business model and used to fight fraud-wherever you find it. Industry norm places the onus on the advertiser to successfully qualify inbound leads as well as identify fraudulent traffic. In the past, advertisers had only two options: become an online fraud expert, or hire a vendor.Only a small percentage of companies will be successful with the

In Deloitte's sixth annual Global Security Survey, people are the problem. "[P]eople continue to be an organization's greatest asset as well as its greatest worry," Adel Melek, global leader of security and privacy services at Deloitte Touche Tohmatsu, said in the report. "That has not changed from 2007. What has changed is the environment. The economic meltdown was not at its peak when respondents took this survey. If there was ever an environment more likely to facilitate an organization's people being distracted, nervous, fearful, or disgruntled, this is it. To state that security vigilance is even more important at a time like this is an understatement." On one level, that couldn't be more obvious: It's not as if anyone worries about squirrels hacking servers; security has always been about people. (Robots, the report says, are unlikely to replace the human workforce during the lifetime of anyone reading the report. Finally, some good employment news.) Yet despite the obviousness of the problem, the obvious solution -- complete denial of access -- doesn't work. People use computers and computers are more useful when connected and it just gets worse from there. That may explain why identity and access management remained top of mind for survey respondents. Deloitte's survey, drawn from major financial companies around the globe, focuses on governance, investment, risk, use of security technologies, quality of operations, and privacy. It includes some good news -- external breaches have declined sharply over the past year -- and troublesome news -- fewer companies say they have the commitment and funding to address regulatory compliance. In terms of risk, specifically information systems failure, people are identified as the most significant vulnerability. "Human error is overwhelmingly stated as the greatest weakness this year (86%), followed by technology (a distant 63%)," the report states. It attributes the rising risk to increased adoption of new techno

Payment processor Heartland Payment Systems has been sued over a data breach it disclosed publicly on Inauguration Day last week. The lawsuit, filed on Tuesday in U.S. District Court in Trenton, N.J., alleges that Heartland failed to adequately safeguard the compromised consumer data, did not notify consumers about the breach in a timely manner as required by law, and has not offered to compensate consumers for costs they may incur in protecting themselves from identity fraud. In a statement that coincided with President Barack Obama's inauguration events, Heartland said the breach occurred last year but that it found evidence of the intrusion only in the previous week and immediately notified law enforcement and credit card companies. Heartland was alerted in late October to suspicious activity surrounding processed card transactions by Visa and MasterCard and hired forensic auditors who uncovered malicious software that compromised data in the company's network, said Robert H.B. Baldwin Jr., chief financial officer of Heartland, last week. The lawsuit seeks damages and relief for the "inexplicable delay, questionable timing, and inaccuracies concerning the disclosures" with regard to the data breach, which is believed to be the largest in U.S. history. Heartland executives have declined to specify how many consumers or accounts were affected. The company handles 100 million transactions per month for more than 250,000 merchants. The lawsuit, first reported by SearchSecurity news site, also accuses Heartland of negligence in taking more than two months to determine the existence and scope of the breach and criticizes the company for failing to identify which merchants were affected by the breach. The suit was filed on behalf of Woodbury, Minn., resident Alicia Cooper, who was notified last week by her credit union that a card associated with her account was included in the breach. It seeks class action status. A Heartland spokesman said the company could no

Consumer Sentiment rose up by 1.8 points in early January to 61.9%, compared with market expectations for a slight decline to 59.0%. Despite this surprising gain, sentiment is still 8.4 points below its September level and 21.0% below its year ago level. The current level remains well below its recessionary average of the past 50 years. Current Conditions slipped by 0.3 points to 69.2%. This is 5.8 percentage points below its September level and 26.7% below its year ago level. Consumer Expectations jumped by 3.2 points to 57.2%. Nevertheless, they are still 10.0 percentage points below their September level and 16.0% below their year ago level. Bottom Line: Consumer sentiment climbed in early January. However, sentiment had collapsed in October in reaction to the intensification of the financial and credit market turmoil. Overall assessments of the economy, as well as assessment of current conditions and consumer expectations, are still significantly below their September level and well below their year ago levels. Thus, despite this month's increase, household assessments of the economy are still mired at recessionary levels. The causes of consumers' pessimism are also dampening real consumer spending.

With identity theft on the upswing, Aram Langhans thought he was simply being prudent when he asked the Yakima Heart Center to remove his Social Security number from its files. "They had my insurance card and my driver's license. What else did they need?" said Langhans, a retired public school teacher insured by Group Health. Langhans said he was initially hooked up to a portable heart monitor that he was to wear for 24 hours, but the disagreement over his Social Security number prompted upper-level personnel to change their minds. He said moments after the device was attached, he was sent to a restroom to remove it and turned away. Shawnie Haas, administrator of the Heart Center, an independent outpatient group practice, declined to discuss the incident. But she said in an e-mail statement that the practice protects patients' privacy. "The Yakima Heart Center is careful to collect data pertinent to ensuring accuracy of our patient's medical record. Routine information collected for all patients includes name, address, date of birth, Social Security number, gender, and other specific information that helps us verify that individual's identity and insurance enrollment or coverage data. We are careful to maintain confidentiality of all patient information in our system." According to state and federal regulators, private insurance companies have moved away from using Social Security numbers for patient identification. But health-care providers in the Yakima Valley say they routinely collect them as "backup" in the event that patients' insurance doesn't pay the claim.

For months somebody (I don't know who) has been running a Facebook profile that bears my name, my personal information and several photos of me. An old high school friend had connected with the faker, instead of me. Several of the people with whom fake Matt is friends also appeared to be fakes, including a copycat of Vertex Pharmaceuticals ( VRTX - news - people ) founder and chief executive Joshua Boger. (Boger has a real Facebook profile but isn't friends with me. He declined to comment on the fakesters.) I couldn't see this Fake Matt's profile myself, even by searching for my name.