21 Feb 2012
Councils penalised for child data breach

Croydon Council and Norfolk County Council have been penalised for breaching child data laws.

The Information Commissioner's Office (ICO) has fined the councils a total of £180,000 for their failure to keep sensitive information relating to the welfare of children secure.

Croydon Council received a £100,000 penalty after a bag containing papers relating to the care of a child sex abuse victim was stolen from a pub, while Norfolk County Council was served with an £80,000 fine for disclosing information about allegations against a parent.

Stephen Eckersley, head of enforcement at the ICO, commented: "We appreciate that people working in roles where they handle sensitive information will - like all of us - sometimes have their bags stolen. However, this highly personal information needn't have been compromised at all."

The incidents coincide with a similar occurrence at Cheshire East Council, which was ordered to pay an £80,000 penalty for failing to protect the security and appropriateness of disclosure when emailing personal information.

Source: http://www.co-operative.coop
20 Feb 2012
Borough council rapped over serious data breaches

The borough council twice sent banking details to the wrong people and published highly sensitive information online, a new Government report has revealed.

Basingstoke and Deane Borough Council has come under fire from the Information Commissioner’s Office following a spate of serious data breaches in 2011.

Borough council chief executive Tony Curtis said the authority was refreshing its staff training to stop further breaches.

The head of enforcement for the commissioner’s office, Stephen Eckersley, has issued a legal document to the council forcing it to take action following the mistakes.

In May and June 2011, council tax officers twice accidentally disclosed name, address, bank, and credit card details to the wrong people. In June, a three-page gypsy liaison report containing sensitive personal information was published on the council’s website, without personal details being blanked out.

And in May last year, a letter outlining a case of alleged benefit fraud was given to the wrong person. The same person was later given a confidential list of 29 people living at two supported housing properties.

Following the commissioner's report, Tony Curtis sought to reassure residents that measures were being put in place to curb further mistakes and said he had written to staff reminding them to take extra care with sensitive information.

“We take these breaches very seriously,” he said. “We are handling many thousands of transactions and sheets of paper a week and human or machine errors are very difficult to eradicate completely. I can, however, assure residents that we are doing everything that we can to stop such a breach happening again. The importance of data protection has been reinforced to all our staff and they are all refreshing their annual data protection training.

“Every team in the council is being required to address how their processes can be tightened.

“We need to be extra vigilant to ensure that personal data remains secure.”

The borough council was one of five authorities rapped by information commissioner Christopher Graham last week.

Youth charity Fairbridge and social care provider Turning Point, which has a district office in Winklebury, were also criticised.

“At a time when councils are increasingly working with community partners, when data is shared it is vital that they uphold their legal responsibilities under the Data Protection Act,” said Mr Graham.

“Failures not only put local residents’ privacy at risk, but also mean that councils could be in line for a sizeable monetary penalty.”

Source: http://www.basingstokeobserver.co.uk
07 Feb 2012
Data breach? Blame your third party's remote access systems

An in-depth study of last year's data breaches, in which hackers infiltrated 312 businesses to steal mainly customer payment-card information, found that the primary way they got in was through third-party vendor remote-access applications or VPNs used for systems maintenance.

"The majority of our analysis of data-breach investigations -- 76% -- revealed that the third-party responsible for system support, development and/or maintenance introduced the security deficiencies exploited by attackers," the Trustwave report published today states. The vast majority of the 312 companies suffering the payment-card breach were retailers, restaurants or hotels, and they came to Trustwave for incident response help because Visa, MasterCard or another payment-card organization had traced a batch of stolen cards to their businesses and demanded a forensics investigation within a matter of days.

In fact, only 16% of the 312 companies managed to detect the payment-card data breach on their own, says Nicholas Percoco, senior vice president at Trustwave and head of its SpiderLabs division. Most of the time, sophisticated analysis by the payment-card organizations of a large volume of fraud reports from customers about unauthorized credit-card use was the trigger for the call from Visa or MasterCard to investigate a suspected breach.

Percoco said forensics investigations did show there had been a data breach in all 312 cases, with about 29% of the attacks against these businesses traced to the Russian Federation. However, a full 32.5% of the attacks had wholly unknown sources, since they originated through Internet anonymity services.

Although the businesses hit by payment-card hackers claimed to be compliant with Payment Card Industry (PCI) security standards, in reality there were often gaps. The third-party vendor remote-access applications and VPNs used for systems maintenance were often the way attackers got in by stealing the simple, reusable passwords in use.

The Trustwave report notes, "System logins require a username and password, and often these combinations are pitifully simple: administrator:password, guest:guest, and admin:admin were commonly found in our investigations. Many third-party IT service providers use standard passwords across their client base. In one 2011 case, more than 90 locations were compromised due to shared authentication credentials."

Percoco says the PCI standard requires two-factor authentication for remote-access administration, which was not being used. He notes that the IT systems vendors at fault did pay a price: they were not only required to fix the issues identified but also faced fines for noncompliance with the PCI standards and, Percoco adds, were ordered to "pay to recover the costs of the fraud."
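The three failure patterns Trustwave describes above (default logins, no second factor on remote access, and one password shared across a provider's whole client base) can all be found in an inventory of vendor accounts before an investigator has to find them for you. The following audit is an added example, not Trustwave's code or tooling. It assumes a hypothetical remote-access gateway export in which each account carries a password fingerprint; unsalted SHA-256 is used here purely so that equal passwords produce equal fingerprints (a real system stores salted hashes and you would drive this check through its own API), and the inventory itself is constructed.

```python
import hashlib
from collections import Counter, defaultdict
from dataclasses import dataclass

# username:password pairs the Trustwave report says turned up repeatedly.
DEFAULT_CREDENTIALS = {
    ("administrator", "password"),
    ("guest", "guest"),
    ("admin", "admin"),
}


@dataclass(frozen=True)
class RemoteAccount:
    site: str            # merchant location this login can reach
    vendor: str          # third-party maintainer that owns the login
    username: str
    credential_id: str   # fingerprint of the password, see fingerprint()
    two_factor: bool     # does the gateway enforce a second factor here?


def fingerprint(password: str) -> str:
    """Demo stand-in for whatever the gateway exports (assumption: unsalted
    SHA-256, so equal passwords are recognisable across accounts)."""
    return hashlib.sha256(password.encode()).hexdigest()


def sample_inventory():
    """Constructed export from a hypothetical remote-access gateway."""
    shared = fingerprint("Acme2011!")   # one support password reused vendor-wide
    return [
        RemoteAccount("store-01", "AcmePOS", "admin", fingerprint("admin"), False),
        RemoteAccount("store-02", "AcmePOS", "acme_support", shared, False),
        RemoteAccount("store-03", "AcmePOS", "acme_support", shared, False),
        RemoteAccount("store-04", "AcmePOS", "acme_support", shared, False),
        RemoteAccount("hotel-01", "BetaHVAC", "svc_beta", fingerprint("v9Q!p2#Lm8r"), True),
    ]


def audit(accounts):
    """Return one finding dict per weakness: NO_2FA, DEFAULT_CREDENTIAL,
    SHARED_CREDENTIAL (same vendor password reachable at more than one site)."""
    findings = []
    default_ids = {(user, fingerprint(pw)) for user, pw in DEFAULT_CREDENTIALS}
    sites_by_credential = defaultdict(set)

    for acct in accounts:
        if not acct.two_factor:
            findings.append({"kind": "NO_2FA", "site": acct.site,
                             "vendor": acct.vendor, "username": acct.username})
        if (acct.username.lower(), acct.credential_id) in default_ids:
            findings.append({"kind": "DEFAULT_CREDENTIAL", "site": acct.site,
                             "vendor": acct.vendor, "username": acct.username})
        sites_by_credential[(acct.vendor, acct.credential_id)].add(acct.site)

    for (vendor, _), sites in sites_by_credential.items():
        if len(sites) > 1:
            findings.append({"kind": "SHARED_CREDENTIAL", "vendor": vendor,
                             "sites": sorted(sites)})
    return findings


def summarize(findings):
    """Count findings by kind, for a quick management-level view."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    for finding in audit(sample_inventory()):
        print(finding)
    print(summarize(audit(sample_inventory())))
```

Run against the constructed inventory, the audit reports four logins without a second factor, one default credential (`admin:admin` at store-01) and one vendor password shared by three stores, which is exactly the shape of the "90 locations" case in the report.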

The Trustwave report reveals some shocking statistics. Where it was an outside organization, rather than the business itself, that pushed for a forensics investigation, "analysis found that attackers had an average of 173.5 days within the victim's environment before detection occurred." Businesses that detected the attackers themselves ("self-detection") did a little better: the hackers spent an average of 43 days inside their networks after the initial compromise.

And in a case from Europe last year in which a payment service provider was hacked and multiple servers and a wide-area network of more than 1,000 hosts were attacked, Trustwave says it identified the "single point of weakness as a legacy X.25 node."

The X.25 protocol, which was widely used in the 1980s to build wide-area networks, still finds use today with financial institutions for inter-bank data exchange, the report states. The attacker in this case "identified an internal development system and proceeded to re-write a well-known rootkit on the HP-UX operating system. The rootkit was then installed across a number of cardholder data processing servers to mask the presence of other malicious programs introduced by the attacker."

Trustwave says the "malicious scripts harvested cardholder data by terminating the legitimate instances of payment-processing software and then restarting the software with a Trojanized-debugger attached. The debugger captured all inter-process communications including unencrypted payment card data from within the system memory, which was otherwise encrypted when at rest on the disk and in transit on the network."

This attack went on for almost 18 months, and the "attacker was only identified when a subtle flaw within their own customized malware alerted the payment service provider's operational staff to suspicious activity."

Source: Trustwave
02 Feb 2012
Proposed EC data protection rules help cloud adoption

The proposed new European Union data protection regulation will support the adoption of cloud computing, says European Commission Vice-President Neelie Kroes.

“The Commission proposal, presented last week, is designed to improve privacy online while allowing for the development and use of the new services we need. Rules fit for the Cloud era,” she told the Fuelling the European Economy event hosted by Microsoft in Brussels.

Last week, Kroes, who is in charge of the Digital Agenda, called on public authorities, industry, cloud buyers and suppliers to come together in a European cloud partnership at the World Economic Forum in Davos, Switzerland.

While a European cloud partnership would help resolve issues like interoperability, Kroes said the EC’s proposed new rules for data protection are key to help address privacy concerns.

Cloud computing, she said, can bring significant productivity benefits to all because it promises scalable, secure services for greater efficiency, greater flexibility, and lower cost, but some commentators have suggested the proposed EC data rules could hamper cloud adoption.

Kroes has responded by arguing that the proposed data protection framework will make EU citizens’ rights to privacy and the protection of personal data work in the digital era.

The EC’s data protection proposal, she said, starts from everybody owning their own personal data, so putting personal data in the cloud need not mean losing control of that data.

“Second, we have proposed rules more relevant to a networked, connected world. Clouds cross borders, and so does the data they hold. So we will make it easier to operate Clouds both within and outside our Single Market,” said Kroes.

The proposal for a Regulation to replace a Directive, she said, means there will be a single set of rules for Europe, not 27 different ones.

Kroes said under the new rules there will also be a one-stop-shop of enforcement, so that even if an operator is active in several EU countries, it will only have to deal with the data protection authority where it has its main operations.

“Cloud users should not have to guess where their provider is: if a company offers goods or services to people in the EU, or is monitoring them, then it shouldn't matter where that company's based – in Madrid, Mumbai or Mountain View. Our rules should apply to the data,” she said.

Kroes said cloud-friendly data protection rules and a cloud partnership are only part of the European Cloud Computing Strategy.

In the coming weeks, Kroes said she will give details about plans for building a coherent, Cloud-friendly legal framework in Europe and engaging with the international community as well as an update on the technical progress for security and interoperability.

“Because our strategy needs to be joined up. It is only by examining our policies from many different areas, testing how well they fit the Cloud, and improving them accordingly, that we can create a European environment where the Cloud can truly flourish,” she said.

Source: http://www.computerweekly.com
25 Jan 2012
EU data protection law proposals include large fines

Firms face being fined up to 2% of their global annual turnover if they breach proposed EU data laws.

The European Commission has put forward the suggestion as part of a new directive and regulation.

The new rules include users' "right to be forgotten" and an obligation on organisations to report data breaches "as soon as possible".

The boss of one tech-focused organisation described the proposals as a "tax" on firms holding customer data.

The Justice Commissioner, Viviane Reding, said it was important for EU citizens - particularly teenagers - to be in control of their online identities.

"My proposals will help build trust in online services because people will be better informed about their rights and more in control of their information," she said.

The commission says that key changes to the 1995 data protection rules include:

  • People will have easier access to their own data, and will find it easier to transfer it from one service provider to another
  • Users will have the right to demand that data about them be deleted if there are no "legitimate grounds" for it to be kept
  • Organisations must notify the authorities about data breaches as early as possible, "if feasible within 24 hours"
  • In cases where consent is required organisations must explicitly ask for permission to process data, rather than assume it
  • Companies with 250 or more employees will have to appoint a data protection officer
  • The rules would apply to data handled outside the EU if the companies involved offered services to citizens living in the 27-nation zone
  • The commissioner said that by simplifying the current "patchwork" of rules and cutting red tape, businesses could expect to save a total of 2.3bn euros ($3bn; £1.9bn) a year

However, organisations which break the rules face penalties.

The commissioner suggested that companies that charged a user for a data request be fined up to 0.5% of their global turnover. She said that sum should double if a firm refused to hand over data or failed to correct bad information.

She added that companies responsible for more serious violations could be fined up to 2% of their turnover. The sum is capped at 1m euros for other bodies.

Cost worries
One lawyer told the BBC that the benefits would be outweighed by the new burdens placed on businesses.

"The one bit of good news is that they result in harmonisation across Europe, which is better than the existing situation with 27 different national laws, but the content of some of these proposals is very onerous," said Marc Dautlich, head of information law at Pinsent Masons.

"These are all going to involve costs and resource. And in a difficult economic climate."

Adam Malik, organiser of the Digital London conference, said that he accepted that customers had a moral right to ask for data deletion, but the new rules - as he understood them - could place some enterprises in jeopardy.

"This is just an additional tax on all businesses which hold electronic customer records," he said.

"Also we need clarity on what is personalised data. Lots of lawyers will be happy about this directive for years to come - meanwhile innovation is discouraged."

Security company FireEye also expressed concern about the suggested data loss demands.

"Reporting within 24 hours of discovery is admirable but if the company wasn't aware of the breach for 24 days then where do all involved stand?" asked its director of European operations, Paul Davis.

But others were more positive about the proposals.

"Businesses can either see it as a glass half-empty or a glass half-full," said Alan Mitchell, strategy director of Ctrl-Shift, a technology consultancy whose clients include the UK government.

"This legislation will enable UK and EU business to lead this growing market and develop new technologies and businesses."

The rules need to be approved by the EU's member states and ratified by the European Parliament before they can come into effect.

That could take two or more years, during which time they may be amended or rejected outright.

23 Jan 2012
Fortnum & Mason in breach of credit card data security standards over hamper refunds

'Queen's favourite grocer' Fortnum apologises for email offering refund on receipt of full credit card details

Fortnum & Mason told a customer still waiting for a Christmas hamper ordered in November that it would provide a refund only if full credit card details were supplied by email.

With orders for hampers costing up to £5,000 yet to be fulfilled, the central London store sent an email saying: "[Fortnum] will require your card details to arrange a refund (type of card, name of the card, long number, expiry date, security number)."

The customer refused to give the details for fear of credit card fraud. A Fortnum customer service employee then replied, in an email seen by the Guardian and the IT magazine Computerworld UK: "I understand you do not want to give out your details however, we do not keep them on file due to security reasons, the only way I can refund you is if I do have them. We will instantly destroy your details as soon as you are refunded."

UK data security standards prohibit companies from requesting consumers' full credit card details via unsecured emails. Such requests could allow fraudsters to create cloned credit cards using the primary account number, the long number on the front of the card, and the card verification value (CVV) code usually found to the right of the signature strip on the back of the card.
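The defender's counterpart to the standard just described is an outbound-mail check that recognises a full card number by the Luhn check digit every PAN carries, and treats a CVV or expiry date alongside it as aggravating. The scanner below is an added example, not the Guardian's or Fortnum's code. The e-mail bodies are constructed to resemble the exchange in the article, the card number is the widely published Visa test number 4111 1111 1111 1111, and the label list (`cvv`, `cvc`, `cv2`, `security number`) is an assumption you would tune to your own correspondence. PCI DSS separately forbids sending unprotected PANs over end-user messaging such as e-mail, which is why the verdict blocks on any PAN at all rather than only when a CVV accompanies it.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or
# dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A 3- or 4-digit code shortly after a CVV-style label (assumed label list;
# the Fortnum e-mail used "security number").
CVV_NEAR_LABEL = re.compile(
    r"(?:cvv|cvc|cv2|security (?:number|code))\D{0,20}(\d{3,4})(?!\d)", re.IGNORECASE)
# MM/YY or MM/YYYY expiry dates.
EXPIRY = re.compile(r"(?<!\d)(?:0[1-9]|1[0-2])/(?:\d{2}|\d{4})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes it, most order numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return the Luhn-valid card numbers found in text, digits only."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    # A finding must never carry the full PAN, only the last four digits.
    return "****" + pan[-4:]


def scan_email(body: str) -> dict:
    """Classify one outbound message: block if it carries any PAN; record
    whether a CVV or expiry date travels with it, which turns a PAN leak
    into a complete card-not-present fraud kit."""
    pans = find_pans(body)
    cvv_present = CVV_NEAR_LABEL.search(body) is not None
    expiry_present = EXPIRY.search(body) is not None
    if pans and cvv_present:
        severity = "critical"
    elif pans:
        severity = "high"
    else:
        severity = "none"
    return {
        "verdict": "block" if pans else "allow",
        "severity": severity,
        "pans": [mask(p) for p in pans],
        "cvv_present": cvv_present,
        "expiry_present": expiry_present,
    }


# Constructed messages modelled on the exchange described in the article.
REQUEST_FROM_RETAILER = (
    "We will require your card details to arrange a refund (type of card, "
    "name on the card, long number, expiry date, security number)."
)
REPLY_WITH_CARD_DATA = (
    "Visa, J Smith, long number 4111 1111 1111 1111, expiry 11/14, "
    "security number 123. Please process the refund."
)
HARMLESS_ORDER_UPDATE = (
    "Your hamper order ref 1234567890123456 will be dispatched this week."
)

if __name__ == "__main__":
    for name, body in [("request", REQUEST_FROM_RETAILER),
                       ("reply", REPLY_WITH_CARD_DATA),
                       ("order", HARMLESS_ORDER_UPDATE)]:
        print(name, scan_email(body))
```

The request itself passes (it asks for card data but carries none), the customer's reply is blocked at critical severity because PAN, expiry and CVV all travel together, and the 16-digit order reference is ignored because it fails the Luhn check.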

Fortnum, which has still not delivered all its Christmas hamper orders after an IT glitch in December, has apologised for the error.

"We can confirm that an error was inadvertently made in an effort to expedite a refund," a spokesman said. "We apologise for causing concern for this genuine human error, done with best intentions to aid the customer. It is against our procedures and we have taken action to ensure that this will not occur again."

The "Queen's favourite grocer" increased sales by 8% last year despite a sit-in by UK Uncut tax avoidance protesters costing it at least £54,000 in lost sales. Fortnum, which is owned by the Weston family, who also own Selfridges department stores, recorded pre-tax profits of £1.1m in the year to July, according to its latest accounts, compared with a £5.9m loss in 2009.

Source: http://www.guardian.co.uk
18 Jan 2012
Health care provider slammed for "unacceptable" data breach

Unencrypted memory stick with sensitive patient information was lost

The Information Commissioner's Office (ICO) has taken action against a health care provider after an unencrypted memory stick containing sensitive patient information was lost.

Praxis Care Limited breached both the UK Data Protection Act and the Isle of Man Data Protection Act after losing the memory stick. The ICO says the memory stick contained personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland, some of which was sensitive information relating to individuals' care and mental health.

The memory stick was lost in August 2011 and has not been recovered, the ICO says. Praxis alerted all affected people and has so far received no complaints.

To avoid any potential data breaches in the future, Praxis has agreed to make sure that all portable media devices are encrypted and that any information that is no longer needed will be securely disposed of. The company has also updated its data security guidance.

"Carrying people's personal information around on an unencrypted memory stick is clearly unacceptable," said Christopher Graham, UK Information Commissioner. "The fact that some of the personal details stored on the device were out of date and so surplus to requirements makes this breach all the more concerning."

"Today's joint action aims to send a clear message to organisations that a lax attitude to data security will not be tolerated by either the ODPS or the ICO. We will continue to work with regulators in other countries to ensure that our residents' personal information is protected," added Iain McDonald, Isle of Man Data Protection Supervisor.

The ICO has been getting tough on data breaches recently. In December 2011 it handed out its biggest penalty to date, fining Powys County Council in Wales £130,000 for sending details of a child protection case to the wrong recipient. That was just a few days after it fined Worcestershire County Council £80,000 and North Somerset Council £60,000 after both emailed highly sensitive information to the wrong recipients.

Earlier this year it emerged the ICO was set to hand out what would be its biggest ever penalty, with a fine of £375,000 being handed down to Brighton and Sussex University Hospitals NHS Trust after 232 hard drives containing sensitive patient information were stolen while being decommissioned.

The Trust has said it will appeal the fine as it was the victim of a crime rather than the guilty party.

Chris McIntosh, CEO of ViaSat UK, drew comparisons between the fines handed out by the ICO and those handed out by the FSA for regulatory breaches and failure to take due care.

"The ICO should not stop lobbying for more powers to enforce its responsibilities. Audits on demand and increased financial penalties are the minimum it should aim for: when the likes of the FSA can fine companies more than 6 times the ICO's maximum penalty for failures to act with due care, it seems clear that penalties could be increased from the £500,000 limit," he said.

17 Jan 2012
Hackers breach T-Mobile Web server, leak staff data

A Web server hosting part of T-Mobile's official website has apparently been compromised by "TeaMp0isoN", a hacker collective associated with Anonymous, and some of the information hosted on it was stolen and made public on Pastebin.com on Saturday.

The revealed information consists of names, email addresses, phone numbers and passwords of some 80 employees, including its media relations team, and judging by the date of the document containing the data, the information seems to have been stolen last October.

The Pastebin post does not reveal the reason behind the leak, but does point out the fact that most included passwords are laughable.

"Look at the passwords, epic fail. All the passwords are manually given to staff via an admin who uses the same set of passwords," the group pointed out in the post. 

But revealing poor security practices was only part of the reason for the leak. Contacted by Eduard Kovacs, they shared that they attacked the company's server because T-Mobile is known for supporting the "Big Brother Patriot Act" law.

The company has yet to confirm this incident, but the fact that the media contact page hosted on the server is currently offline might give credence to the group's claims.

Source: http://www.net-security.org
16 Jan 2012
Zappos Hacked, 24 Million Users’ Data Stolen: How to Protect Your Account Information

Online shoe and apparel retailer Zappos was hacked Sunday and the Amazon-owned company is asking its customers to change their login credentials, as 24 million of its users' data was stolen in the hack.

According to a notice from the company, 24 million customers' names, e-mail and billing addresses, phone numbers and the last four digits of the credit cards were stolen in the hacking incident, which also included Zappos' satellite discount Web site, 6pm.com.

"We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky," said CEO Tony Hsieh in an announcement posted on the Web site Sunday night. Hsieh said an investigation is underway.

Hackers did not receive full credit card information or other payment info, as that information was stored on another server the hackers could not crack.

"We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident," Hsieh said. "I suppose the one saving grace is that the database that stores our customers' critical credit card and other payment data was not affected or accessed."

According to Hsieh, all passwords were reset as a security precaution and customers were given and will receive additional instructions on security measures.

Hsieh said that while all members of the company will help assist customers affected by the hack, Zappos is temporarily turning off its phones due to increased call volume, instead opting to assist via email or Twitter.

"If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place," according to an email written to employees.

The hack, while more than substantial, was not the biggest hack in the past year. In April, Sony's PlayStation Network was the victim of a similar hack, compromising the data of nearly 70 million customers.

In addition to a copy of the email that went out to customers notifying them of the hack, Zappos posted password reset instructions and security tips on its Web site to give insight into how customers can protect their accounts.

"Please create a new password by visiting Zappos.com and clicking on the 'Create a New Password' link in the upper right corner of the web site and follow the steps from there," the company said.

Zappos advises that customers:

1. Create a new password for their Zappos account (though passwords have already been expired and reset for security purposes) at http://www.zappos.com/passwordchange

2. Also create new passwords for any other Web site where similar login credentials (user names and/or passwords) are used.

3. Ignore any emails or calls from Zappos.com or other Web sites that ask for personal or account information.

4. If they have any additional questions, customers can email a representative at securityquestions@zappos.com

It is unclear if Zappos will offer affected customers free identity theft protection services at this moment.

Source: http://www.ibtimes.com
11 Jan 2012
Companies prove careless when enlisting data recovery services

Survey finds companies suffer data losses by failing to vet security policies of third-party data recovery partners

Even the most vigilant IT security department could invest countless hours and dollars into defending its company's data troves from infiltration by malicious outsiders, only to hand over a laptop containing highly sensitive information to a seedy third-party data recovery outfit that ends up selling the laptop drive's contents for cash.

This sort of event isn't as uncommon as one might think (or hope), according to a study released by Ponemon Institute titled "Trends in Security of Data Recovery Operations." Among the 87 percent of survey respondents who said their organization suffered a data breach in the past two years, 21 percent said the breach occurred when a drive was in the possession of a third-party data recovery service provider. For the report, commissioned by DriveSavers, Ponemon surveyed 769 IT security and support practitioners at U.S. health care, financial, and government organizations, most of whom report to CIOs and CISOs.

Those figures may not be surprising when you consider how many organizations readily turn to third parties to recover data from storage devices: 85 percent, up from 79 percent in 2009. What's more, 37 percent of respondents said they use multiple third parties, and 39 percent say they use third parties at least once per week.

The appeal of going with a third party is evident: It can be faster and less expensive than doing it in-house. For example, an employee's laptop may die while he or she is on the road. It's easier -- and sometimes necessary -- to use the closest local data-recovery service than to deal with shipping a machine to the home office.

The problem, however, is a lack of proper vetting of third-party data-recovery providers: Survey respondents said that when choosing a service, the most important criteria tended to be speed of service, success rate of recovery, and overall quality of service. Those are all important factors, but only 28 percent said that data security was a main selection criterion. In general, 30 percent of respondents conceded that their vetting process was merely fair; another 9 percent deemed it poor.

Ponemon offers the following tips for selecting a data recovery vendor:

  • Develop a policy with guidelines for employees to follow when selecting a data recovery service provider
  • Create training and awareness programs for employees to ensure sensitive and confidential data is protected throughout the data recovery process
  • Require your provider to provide proof of internal controls and data security safeguards, such as compliance with SAS 70 Audit Reports
  • Ensure that the providers' engineers are trained and certified in all leading encryption software products and platforms
  • Request proof of chain-of-custody documentation and a certified secure network
  • Check that the partner requires background checks of its employees
  • Ensure that the company does secure and permanent destruction of data, when required
  • Ensure that the company encrypts data files in transit
  • Ask for proof of Certified ISO 5 (Class 100) clean room, in which sealed drive mechanisms can be opened in accordance with all leading hardware and storage device manufacturers' specifications but not void the original warranty

Source: http://www.infoworld.com/
05 Jan 2012
The Data Protection Gaffes of 2011

A number of high profile organisations fell victim to sophisticated, targeted security attacks in 2011, proving that there are indeed bad guys out there trying their best to steal valuable information.

At the same time, there was abundant evidence that when it comes to data protection, organisations are often their own worst enemies. The extent of the issue was evident in the wide range of organisations that suffered data protection gaffes during 2011.

One of the country’s best known brands – Barclays Bank – suffered a string of data protection embarrassments during the year.

In June, Which? Money published a study of data protection complaints against banks. It found that Barclays Bank topped the list, with 116 legitimate complaints to the Information Commissioner's Office in 2010, just above Lloyds with 114 complaints. The most common breaches by banks, the study found, were failures to respond to subject access requests.

In September, a former Barclays employee was found guilty of illegally accessing a customer’s data. The woman, the wife of a convicted sex offender who abused her position to find out details of her husband’s victim, had chosen to “ignore training [Barclays] provide”, the bank said. “All staff receive annual training on the importance and regulatory requirements of the Data Protection Act and the consequences of any breach.”

But Barclays was in the headlines again in November, when it emerged that a woman applying for a mortgage had her credit rating damaged by a glitch in the bank's credit checking software. The system accidentally accessed the woman's credit history multiple times, prompting her score to deteriorate.

The ICO found that it was "unlikely that Barclays has complied with the requirements of the [Data Protection Act]", but did not take any action against the bank.

Nevertheless, the deputy information commissioner David Smith did call on the banking sector to improve its data protection practices. "Getting it right on data protection doesn’t just mean keeping data secure," he said at an event held in June by the British Bankers’ Association. "The law also gives individuals an important right to remain in control of their information. I want to remind banks of the need to take this obligation seriously, providing full responses in a timely manner.”

In March, retail, banking and services conglomerate the Co-operative Group apologised after details of 83,000 customers of its funeral planning service were accidentally published online. It blamed the episode on a contractor but it was nevertheless an embarrassing gaffe for the Co-op, which also launched a legal advice service this year.

Healthcare and local government
The healthcare sector was once again a conspicuous data protection offender. In August, for example, a hospital in Dublin was forced to admit that patient records had been subject to "unauthorised access and disclosure" after being sent to the Philippines for transcription, having initially described reports of the breach as "unsubstantiated".

Tallaght Hospital revealed that although its policy was that patient identifiers should not be used in reports or letters, and that information sheets be maintained to track each report, neither of these policies had been followed in practice.

It would be unfair to blame London Health Programmes, a division of NHS North Central London (NHS NCL), for having 20 of its laptops stolen from a storeroom. But the fact that one of the laptops contained 8.6 million patient records, reported by The Sun newspaper to have been unencrypted, and that the incident was only reported to police three weeks after the laptop went missing, does justify criticism.

Local government had its fair share of data protection transgressions. An analysis of over 100 local authorities by activist group Big Brother Watch revealed in November that they had collectively suffered 1,035 data breaches since 2008, although only 53 were reported to the ICO. These breaches included the loss of 244 laptops, 98 memory sticks and 93 mobile devices.

The council named as the ‘worst offender’ in Big Brother Watch’s report, Buckinghamshire County Council, complained that it was simply the victim of its own rigorous breach reporting practices.

Clearly, though, local government is struggling with data protection as much as any other sector. And in this case, the ICO is prepared to take rigorous action.

In December, the watchdog fined Powys County Council a record £130,000 after sensitive information relating to a child protection case was mailed to the wrong recipient. The information had been picked up accidentally from a shared printer.

The reason for the severity of the fine was not only the sensitivity of the data in question, but the fact that a similar breach had occurred at the council a year before, and the council had not acted on the recommendations that the ICO had given at the time.

The fact that the ICO pursues organisations such as Powys County Council while some financial institutions seem to go unpunished drew criticism during the year.

That was compounded during the Leveson Inquiry into press standards, when a former police officer alleged that the ICO had enough evidence to crack down on an entire supply chain of stolen personal data, from corrupt government employees, through fences and to journalists. But, the officer alleged, the commissioner felt that newspapers were too powerful a target to pursue.

At the end of the year, the ICO addressed some of these concerns in a strategy document. “We cannot address all risk to the upholding of information rights equally,” it said. “This means we have to take account of factors such as the volume, nature and sensitivity of information involved, and the number of people whose information rights might be impacted.”

Elsewhere in the document, it explained that “education, awareness raising and the provision are key activities for us. This is how we can maximise our impact.”

But thanks to public data breaches such as the above, most IT professionals are aware of their obligations to uphold data protection and privacy rights. The challenge for 2012, then, for organisations and the ICO alike, is to understand how that organisational knowledge can be conveyed to every individual, and how technological measures can be used to uphold the information rights of citizens and customers.

Source: http://www.information-age.com
16 Dec 2011
5 Best Practices For Meeting SOX Security Requirements

Achieving compliance with Sarbanes-Oxley requirements remains a chief chore for all publicly traded companies—and a chief budget driver for IT compliance and security initiatives. Yet SOX’s computer security requirements remain vague, and auditors’ evaluations continue to be subjective.

IT managers often think of SOX as a technology mandate, but it is primarily an accounting and financial reporting mandate. Nowhere in the Sarbanes-Oxley Act will you see a reference to encryption, network security, password complexity or logging capabilities. Indeed, a SOX compliance effort should be driven by the business side, with IT playing the role of key facilitator.

So how do you approach compliance purely from an IT perspective? To pass a SOX audit, your company must implement security best practices for every system that touches financial reporting and accounting: the applications themselves, the databases behind them, and the clients and servers that access them. To achieve that goal, there are several elements you must put in place.

1. For Web-enabled applications, ensure that all sensitive data, along with authentication credentials, are encrypted in transit with SSL/TLS. Most SSL deployments use RSA key exchange to set up the session: the Web server presents a certificate containing its RSA public key, the client generates a random pre-master secret and sends it encrypted under that public key, and both sides derive the symmetric session keys from it. Two caveats matter to an auditor: the encryption protects nothing unless the client actually validates the certificate (trusted issuer, matching hostname, not expired or revoked), and RSA key exchange has no forward secrecy, so anyone who later obtains the server's private key can decrypt recorded sessions.

2. Deploy all the common end-point protection tools that would be required in any secure environment. This applies primarily to end-point antivirus, malware protection, host intrusion prevention systems and client firewalls.

3. Reduce the operating attack surface on all clients and servers accessing critical financial systems. Most companies think they’re doing a good job here, but if employees are going to access critical financial and accounting applications from a fat client PC, there’s a whole lot more that needs to be done than simply performing Windows updates.

4. Consider application streaming or desktop virtualization for accessing critical financial and accounting applications. Most companies use streaming applications via Citrix XenApp or VMware ThinApp to solve problems with performance, mobility and remote access. However, app streaming also is a terrific way to protect key applications from intruders, because the application and its data never leave the managed server environment and the end point only receives a display stream.

5. Wrap your databases with activity monitoring and auditing software. SOX auditors are concerned primarily with the accuracy and integrity of your financial data. Simply stated, you should be auditing all activity on all tables that contain sensitive information.
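Item 5 in practice, as an added example that is not code from the Dark Reading article: an audit trail on a sensitive financial table built from database triggers, written here for SQLite through Python's standard library so that it runs offline. The `ledger` table, the one-row `session` table that carries the application user's identity, and all the data are constructed for the example; a production system would use the DBMS's native audit facility or the activity-monitoring products the article refers to, and would ship the log off the database host.

```python
"""Added example: trigger-based audit trail for a sensitive financial table.

Every INSERT, UPDATE and DELETE on `ledger` is written to `audit_log` with the
application user who made it (taken from a one-row `session` table, an
assumption of this example), and the audit table is made append-only inside
the database.  Table names and data are constructed for the example.
"""
import sqlite3

SCHEMA = """
CREATE TABLE ledger (
    id        INTEGER PRIMARY KEY,
    account   TEXT    NOT NULL,
    amount    INTEGER NOT NULL,          -- pence, to avoid float rounding
    posted_by TEXT    NOT NULL
);

-- One row: the identity of the connected application user, set per request.
CREATE TABLE session (actor TEXT NOT NULL);
INSERT INTO session VALUES ('unset');

-- Append-only record: who, when, which operation, which row, old and new value.
CREATE TABLE audit_log (
    seq        INTEGER PRIMARY KEY AUTOINCREMENT,
    at         TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now')),
    actor      TEXT    NOT NULL,
    op         TEXT    NOT NULL,
    row_id     INTEGER NOT NULL,
    account    TEXT    NOT NULL,
    old_amount INTEGER,
    new_amount INTEGER
);

CREATE TRIGGER ledger_audit_ins AFTER INSERT ON ledger BEGIN
    INSERT INTO audit_log (actor, op, row_id, account, old_amount, new_amount)
    VALUES ((SELECT actor FROM session), 'INSERT', NEW.id, NEW.account, NULL, NEW.amount);
END;
CREATE TRIGGER ledger_audit_upd AFTER UPDATE ON ledger BEGIN
    INSERT INTO audit_log (actor, op, row_id, account, old_amount, new_amount)
    VALUES ((SELECT actor FROM session), 'UPDATE', NEW.id, NEW.account, OLD.amount, NEW.amount);
END;
CREATE TRIGGER ledger_audit_del AFTER DELETE ON ledger BEGIN
    INSERT INTO audit_log (actor, op, row_id, account, old_amount, new_amount)
    VALUES ((SELECT actor FROM session), 'DELETE', OLD.id, OLD.account, OLD.amount, NULL);
END;

-- Tamper evidence: the log can be read and appended to, never edited or purged.
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only');
END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only');
END;
"""


def open_audited_db() -> sqlite3.Connection:
    """Create an in-memory database with the audited schema above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def as_actor(conn: sqlite3.Connection, actor: str) -> None:
    """Record which application user the following statements belong to."""
    conn.execute("UPDATE session SET actor = ?", (actor,))


def audit_rows(conn: sqlite3.Connection) -> list:
    """Return the audit trail in the order it was written."""
    return conn.execute(
        "SELECT actor, op, row_id, account, old_amount, new_amount "
        "FROM audit_log ORDER BY seq"
    ).fetchall()


def demo():
    """Post, alter and delete one entry, then try to erase the trail.

    Returns (audit rows, whether the purge attempt succeeded).
    """
    conn = open_audited_db()
    as_actor(conn, "alice")
    conn.execute("INSERT INTO ledger (account, amount, posted_by) VALUES (?, ?, ?)",
                 ("4000-revenue", 125_000, "alice"))
    as_actor(conn, "bob")
    conn.execute("UPDATE ledger SET amount = ? WHERE id = 1", (12_500,))
    conn.execute("DELETE FROM ledger WHERE id = 1")
    try:
        conn.execute("DELETE FROM audit_log")        # covering tracks
        purged = True
    except sqlite3.DatabaseError:                    # RAISE(ABORT) fires
        purged = False
    return audit_rows(conn), purged


if __name__ == "__main__":
    rows, purged = demo()
    for row in rows:
        print(row)
    print("audit log purged:", purged)
```

The trail shows alice posting £1,250.00 and bob first changing it to £125.00 and then deleting it, which is exactly the sequence a SOX auditor wants reconstructable. The limitation is also visible: a user with schema rights can drop the triggers, so the trail is only as trustworthy as the separation between application accounts and administrators, and the log itself should be copied off-host where the database administrators cannot reach it.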

Source: http://www.darkreading.com

15 Dec 2011
Visa Investigates Security Breach at European Payment Processor

Visa is investigating a potential security breach at a European payment processor that might have affected cardholders in eastern Europe.

"Visa Europe has been informed of a potential data security breach at a European processor and an investigation is underway," the company said in a statement. "We are working closely with our member banks to ensure cardholders are protected," it added.

The potentially affected payment processor serves an undisclosed merchant chain that does business in several eastern European markets, Visa said.

Multiple banks have been alerted and some have already taken steps to limit the potential fraud. Romanian state-owned CEC Bank is in the process of reissuing 17,000 payment cards as a result of the incident.

The bank received official reports according to which information corresponding to a number of payment cards issued by Romanian and foreign financial institutions had been compromised.

CEC Bank said that the attack didn't target its customers in particular and that the compromise wasn't the result of vulnerabilities in its systems. Other banks are expected to make similar announcements in the days to come.

The Romanian Association of Banks (ARB) confirmed that some banks were alerted about a potential security breach that might have exposed information about transactions performed with some cards.

The association said in a statement posted on its website that it did not expect cardholders to be affected. If suspicious transactions are detected, customers should contact the issuing banks for clarifications, it added.

"Concerned cardholders should keep a close eye on their accounts and report any unusual or unexpected activity to their issuing bank," said Catalin Cretu, Visa Europe's country manager for Romania.

"Cardholders who are innocent victims of fraud will get their money back, subject to the terms and conditions of their bank," he explained.

07 Dec 2011
Largest ICO fine issued to Powys County Council for two breaches of sensitive data

The Information Commissioner's Office (ICO) has issued its largest monetary penalty to date with Powys County Council ordered to pay £130,000 after child protection case details were sent out incorrectly in two instances.

The penalty relates to two breach incidents. The first was reported to the ICO in June 2010, when a social worker sent information relating to a vulnerable child to the wrong recipient, who knew the child. The ICO highlighted the need for the council to introduce mandatory training and to tighten up its security measures, and warned that it would face further action should a similar incident occur again.

The second breach occurred in February when two separate reports about child protection cases were sent to the same shared printer. The ICO said it understood that two pages from one report were mistakenly collected with the papers from another case and were sent out without being checked by the sender.

The recipient mistakenly received the two pages of the report and knew the identities of the parent and child whose personal details were included in the papers. The recipient made a complaint to the council and a further complaint was also submitted by the recipient's mother via her MP.

Anne Jones, assistant commissioner for Wales, said: “This is the third UK council in as many weeks to receive a monetary penalty for disclosing sensitive information about vulnerable people. It's the most serious case yet and it has attracted a record fine.

“The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.”

The ICO has also issued a legal notice ordering the council to take action to improve its data handling and warned that failure to do so will result in legal action being taken through the courts.

“There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK's local government sector to discuss how we can support them in addressing these problems,” said Jones.

Jonathan Armstrong, lawyer at Duane Morris LLP, said: “Local authorities have to approach data protection differently, people will print information to a shared printer and in some instances these reports will be up to 60 pages long and there is a tendency to collect it later.

“We are seeing the ICO bring more cases for manual data security and I think the ICO is right; you have got to have a holistic approach to information management. This may not be the end of the story, as the monetary penalty notice says that there may be a civil case brought by the victim.”

Armstrong also said that the council had effectively wasted taxpayers' money through staff not observing the Data Protection Act.

Tony Pepper, CEO of Egress Software Technologies, said the cases have set a clear precedent.

He said: “This record fine places social services in every local authority firmly in the spotlight, and we believe these fines are only the beginning. This concerning trend reinforces that it's more important than ever to change the way we share confidential data. 'Protection that follows the data' and multi-factor authentication all play their part in ensuring that only authorised recipients access confidential information.”

The ICO's enforcement notice places a legal requirement on the council to make further improvements to its data protection practices and requires that all staff must be trained on how to follow the council's guidance on the handling of personal data by 31 March 2012, with refresher training provided every three years.

02 Dec 2011
Cloud security: Better than you think

Security is almost always cited as the primary inhibitor to wider cloud adoption by businesses.

For example, more than three-quarters (77 percent) of 390 IT pros surveyed think the use of cloud computing makes it harder to protect privacy and 50 percent worry about a data breach or loss, according to the 2011 IBM Global Business Resilience and Risk Study.

Well, those IT pros need to get over it, said Joe Coyle, CTO of Capgemini, the system integrator and IT consultant.

“Everyone is screaming for an accepted security model for the cloud and I think it’s already here. People just need to take a deep breath,” Coyle said in an interview this week.

On the technology side, his only concern is at the hypervisor level and even there, it’s not so much about security as it is about auditing. “You need good reporting and auditing tools so that providers can prove that virtual machine A doesn’t encroach on virtual machine B,” he said.

Virtualization is great at carving up a physical environment into multiple pieces, but moving that technology into a shared environment opened up a whole can of worms where people worry about overlapping partitions and other things. Those tools are now becoming available, he said.

Whether companies run their technology in house, in the cloud or a combination, they need to make sure they (or their proxy) run a hardened, properly patched operating system; that idle CPUs are shut down; that files are encrypted; and that firewalls and DMZs are up to date and working.

Bulletproofing SLAs for the cloud

Companies also need to make their service level agreements (SLAs) reflect those expectations for performance, uptime etc. and clearly delineate which vendor (or cloud provider) is responsible for which pieces of the puzzle. That’s not all that different from how SLAs should be negotiated and written by companies with in-house data centers running hardware, software and networking gear from multiple vendors.
A big caveat here: large public cloud providers like Amazon do not negotiate SLAs, so this discussion revolves around enterprise, private or co-located clouds.
People think SLAs are a bigger deal in the cloud, but the principles are the same, Coyle said. Just as with security, a company needs to break down the layers of its stack from the operating system and hypervisor to the file systems, the network and the applications. Then it needs to lay out clearly who has responsibility for each tier and for each component within that tier. Layering the cloud atop existing IT doesn’t change any of that, and it reinforces the need for very detailed SLAs.

“The famous example is ‘I can’t be down for more than two hours,’” Coyle explained. “Well, what do you mean by ‘down?’  If you can’t get to your data, is that because your building [itself] is down or is it the connection to an outside data center?”

IT pros for the buying company need to spell that out in advance and in as much detail as possible so the SLAs are enforceable, Coyle said.

Source: http://gigaom.com
01 Dec 2011
Council is fined £60k after confidentiality breaches

NORTH Somerset Council has been fined £60,000 for breaching the Data Protection Act when a member of staff sent highly sensitive and confidential emails to the wrong recipient.

The penalty comes after a report by campaign group Big Brother Watch revealed 16 breaches of confidentiality made by the council in a three-year period, including losing 10 laptops, as well as notepads containing child protection meeting information.

The Information Commissioner’s Office (ICO) served the fine after a council employee sent five emails, two of which contained sensitive information about a child’s serious case review, to the wrong NHS employee.

The mistake happened when an employee selected the wrong email address from a contacts list.

But despite being told of the error, the employee made the same mistake a further three times between November and December 2010.

Even after two of the council’s assistant directors outlined the errors to the employee, the staff member made the mistake for a fifth time on that same day, according to the ICO.

In a statement, the ICO said: “The ICO’s enquiries found that, although North Somerset Council had some policies and procedures in place, it had failed to ensure that relevant staff received appropriate data protection training.

“In response to these incidents, the ICO has recommended that the council adopts a more secure means to send information electronically, including encryption and ensuring that managers sign off email distribution lists.”
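The second ICO recommendation above, a manager-signed-off distribution list, as an added example that is not part of the Weston Mercury report: a pre-send gate in Python that only lets a classified message go to addresses on the approved list for its classification, and that calls out a blocked address which closely resembles an approved one, since the North Somerset breach began with the wrong address being picked from a contacts list. The classification labels, the subject-marker convention, the list contents and the addresses are all assumptions of the example.

```python
"""Added example: pre-send gate for classified outbound mail.

A message whose subject carries a classification marker may only go to
addresses on the manager-approved distribution list for that classification.
Anything else is blocked, and a blocked address that closely resembles an
approved one is flagged as a probable wrong pick from the contacts list.
Labels, lists, addresses and the marker convention are assumptions here.
"""
from __future__ import annotations

import difflib
import re

# Hypothetical lists signed off by a manager, keyed by classification label.
APPROVED_RECIPIENTS: dict[str, frozenset[str]] = {
    "CHILD-PROTECTION": frozenset({
        "safeguarding.lead@nhs-partner.example",
        "scr.panel@nhs-partner.example",
    }),
}

# Assumed convention: the sending template puts e.g. "[CHILD-PROTECTION]"
# in the subject line.
CLASSIFICATION_RE = re.compile(r"\[(?P<label>[A-Z][A-Z-]+)\]")


def classify(subject: str) -> str | None:
    """Return the classification label found in the subject, or None."""
    m = CLASSIFICATION_RE.search(subject)
    return m["label"] if m else None


def check_send(subject: str, recipients: list[str],
               approved: dict[str, frozenset[str]] = APPROVED_RECIPIENTS
               ) -> tuple[bool, list[str], list[str]]:
    """Decide whether a message may be sent.

    Returns (allowed, blocked_addresses, warnings).  Unclassified mail is not
    gated here; classified mail with no approved list at all fails closed.
    """
    label = classify(subject)
    if label is None:
        return True, [], []
    addrs = [r.strip().lower() for r in recipients]
    if label not in approved:
        return False, addrs, [f"no approved distribution list exists for [{label}]"]
    allowed = approved[label]
    blocked: list[str] = []
    warnings: list[str] = []
    for addr in addrs:
        if addr in allowed:
            continue
        blocked.append(addr)
        # A near miss against an approved address is the classic mis-pick.
        near = difflib.get_close_matches(addr, sorted(allowed), n=1, cutoff=0.85)
        if near:
            warnings.append(f"{addr} resembles approved address {near[0]}: "
                            "probable wrong pick from the contacts list")
    return not blocked, blocked, warnings


if __name__ == "__main__":
    allowed, blocked, warnings = check_send(
        "[CHILD-PROTECTION] Serious case review - draft 2",
        ["Safeguarding.Lead@nhs-partner.example",
         "safeguarding.leed@nhs-partner.example",
         "j.bloggs@nhs-partner.example"])
    print("allowed:", allowed)
    print("blocked:", blocked)
    for w in warnings:
        print("warning:", w)
```

The gate belongs at the mail gateway or in an add-in the sender cannot bypass, not in the sender's good intentions, which is the point of the ICO's recommendation: the list is approved by a manager once, and the check is then enforced on every send. Encryption of the message body, the ICO's other recommendation, is complementary: it limits what a wrongly addressed recipient can read, but only if the key is not simply sent to the same wrong address.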

Information Commissioner, Christopher Graham, said: “Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable. It is of great concern that this sort of information was simply sent to the wrong recipients by staff.

“There is too much of this sort of thing going on across local government. People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure.”

Councillor Tony Lake, North Somerset Council’s executive member responsible for data protection issues, said:

“We take our data security responsibilities seriously, which is why we reported this incident to the ICO ourselves, so that he could carry out his own investigation of the matter.

“As soon as we became aware of the data loss we also launched our own internal investigation to establish how this error occurred.

“As a consequence, disciplinary action has been taken, and a programme of appropriate training has been delivered, both within the service area where the breach originated, and more widely across the council to ensure all staff are aware of their data protection responsibilities.

“We will continue to work hard to guard against future losses.”

The council says it will pay the fine early, reducing the sum by 20 per cent to £48,000.

Source: http://www.thewestonmercury.co.uk
25 Nov 2011
Welsh police sex checks among 85 data protection breaches

Checks on women for sexual purposes are among 85 recorded breaches of data protection in Wales' four police forces, BBC Wales has learned.

Details obtained under the Freedom of Information Act show a range of breaches over the last five years for non-policing purposes.

Checks on prospective housing tenants and family members, and data passed to third parties are other breaches.

Two police workers were sacked and another has resigned as a result.

South Wales Police's professional standards unit has recorded 26 incidents since 2006 where an officer or member of staff has breached the Data Protection Act.

All of the above-mentioned examples, with the exception of the sackings and resignation, took place within the South Wales force.

It also had breaches involving checks on children and associates, checks on friends of daughters and other checks on people for personal reasons.

Some of the cases related to single checks while others indicate more than one check was made.

In 2009, it referred to "checks upon women approached for sexual purposes" as another example.

Dismissed
Dyfed-Powys Police said it does not hold information for 2006, 2007 and 2010.

But it said an official was dismissed in 2008 for making checks on data for reasons other than policing.

Another official was given a written warning for making checks for personal gain, and another was given advice after revealing sensitive information through an unsafe personal e-mail.

And in 2009, another official was sacked for revealing information while a staff member resigned after accessing personal information without authorisation.

North Wales Police recorded seven examples in 2006 of gaining access to data for reasons other than policing, one in 2007, 12 in 2008, 17 in 2009 and eight in 2010.

There were also three examples of disclosing data in 2007, two in 2008, one in 2009 and one in 2010.

North Wales Police said they "take the security of data seriously and investigate thoroughly every allegation of a breach of the Data Protection Act.

"Investigations regularly take place, and any member of North Wales Police who is found to have breached data protection rules will be disciplined".

According to Gwent Police, there have been no breaches of the Data Protection Act within the force over the last five years.

22 Nov 2011
Staff sacked after security breaches at police and councils in Norfolk

Police officers and council staff in Norfolk and Suffolk have been sacked or resigned after being caught accessing the public’s personal data, it has emerged.

A Freedom of Information request has revealed more than 150 breaches of the Data Protection Act since 2008 at the region’s hospitals, police forces and councils.

Examples of breaches included confidential council documents found in a skip, papers on 25 children in care disappearing and never recovered and a report containing information about a child considered at risk of harm being hand-delivered to the wrong address.

Restricted police documents were stolen from a Norfolk police officer’s home, while there was a string of breaches at hospitals including cases where sensitive information about patients was lost in the post or left in public places. But bosses insist they take the handling of personal data extremely seriously and in each case where the Data Protection Act (DPA) has been breached, they have taken action to tighten up the system.

At Norfolk police there were 22 breaches between 2008 and this year. A police constable resigned after being convicted of a breach of the DPA for disclosing information from the force’s crime intelligence system and a police community support officer was sacked after being convicted of obtaining details of a call to police and passing it on to a family member.

Both convictions were in 2008. The same year saw a PCSO dismissed for disclosing information after browsing police systems while another member of police staff was sacked for accessing details of a crime and disclosing information.

In 2009 a PCSO was sacked for accessing the Police National Computer for personal reasons, while another PCSO quit last year after being caught checking details of family members.

Written warnings, a caution and advice were also handed to constables, a sergeant and a PCSO for accessing information for personal or non-policing reasons, while, in another breach, in 2010, restricted documents were stolen from the house of a police officer.

A Norfolk Constabulary spokesman said: “Breaches of the Act are taken extremely seriously by the Constabulary and all staff are aware of the role they have to play in ensuring data is recorded, managed and shared appropriately, and the importance of maintaining confidentiality and respecting the rights of the public over personal information.

“Any breaches of the Act or force policy by staff will not be tolerated and if individuals are found misusing the privileged access they have to information they will be subject to disciplinary action and possibly criminal proceedings.”

At Norfolk County Council there have been 46 breaches since December 2008. A member of staff was dismissed in June 2009 for unauthorised access and alteration of social services records, while members of staff resigned before they could be dismissed in December 2009 and February last year for unauthorised access to social work records.

Last February also saw confidential service users’ files found in a skip outside a council building. An investigation was launched, but no conclusion was reached as to how they ended up there.

In May 2011, a child protection conference report - drawn up at a meeting to discuss a child considered to be at risk of harm - was hand-delivered to the wrong address.

That breach was referred by the county council to the Information Commissioner’s Office, the data protection watchdog, and the council is awaiting the judgement.

A large number of the breaches were because emails containing people’s details, such as names and addresses, were sent to the wrong people.

John Brock, corporate data protection officer at Norfolk County Council, said: “The council constantly strives to handle personal data securely and has a system in place to record any incidents that occur so that we can improve the way we handle data.

“None of the incidents of data loss have involved large volumes and in some cases the data have been recovered.

“Whereas any incidents are clearly a cause for concern, they should be seen in the context of the many thousands of items of personal data that are handled by thousands of council staff each year.”

The Norfolk and Norwich University Hospital said it had no reported breaches. The James Paget University Hospital at Gorleston had 35 breaches, 28 of which were this year, which bosses put down to an increase in reporting them.

A spokesman said many related to emails being sent in error or paperwork containing names being left where it should not be.

The Queen Elizabeth Hospital, King’s Lynn, had 65 breaches since 2008, of which five were considered ‘major’, with many of the others involving paperwork being found in “inappropriate places” within the hospital.

A spokesman said: “We regard any breach as unacceptable but the word ‘major’ refers to the potential impact such a breach might cause, rather than the actual impact.

“So, for example, in the most recent case a surgeon photocopied pages from a patient’s medical notes and took the photocopies out of the hospital with the intention of referring them to someone else, but it was discovered he had not obtained the patient’s permission.”

Other breaches included two at Norwich City Council involving stolen or lost laptops, one at the East Anglian Ambulance Service, 52 at Suffolk police and 18 at Suffolk County Council.

Source: http://www.edp24.co.uk
21 Nov 2011
Your biggest data breach risk may be on your payroll

Data breaches may conjure images of malicious hackers and global cyber gangs, but often the worst breaches come at the hands of a company’s own employees.  Whether these workers are well-meaning but careless, or soon to be ex-employees en route to a competitor, a company’s staff can pose a serious threat to its security.    

The headlines are rife with stories of companies that have been burned, intentionally or accidentally, by their own employees. As just one example, DuPont faced this problem a few years ago when it discovered that one of its research scientists had stolen more than 600 files by copying them to a portable hard drive, prompting DuPont to file a lawsuit against the scientist for breach of contract and misappropriation of trade secrets. Previously, another DuPont research scientist was sentenced to 18 months in prison for stealing proprietary company information valued at $400 million.

While internal breaches as spectacular as this may not be the norm, most companies will be impacted – at the very least – by garden variety breaches at the hands of departing employees.  A Ponemon Institute study on this topic found that many employees on their way out the door feel entitled to company information or work product, with nearly 60 percent of employees who quit a job or are asked to leave stealing some kind of data. 

Seventy-nine percent of those who admitted to taking data said they did so despite knowing that this wasn’t permitted, with e-mail lists as the most popular stolen data, followed by non-financial business information, customer contact lists, employee records and financial information.  Almost one quarter of the study’s respondents said they still had access to their employer’s computer network even after they left, demonstrating how easy it can be for ex-employees to cause harmful data breaches to companies.  If an organization hasn’t properly trained its employees or protected itself, the company can face both financial liabilities to customers whose data was stolen by employees as well as Federal prosecution.

So what steps should organizations take to bolster their security from current or former staff?
  • Make sure your company has clear policies and procedures in place which address data security.
  • Train your employees how to protect information.  Make sure staff members are aware that they should never share passwords, and enforce a regular schedule for changing passwords and the physical security of these passwords (don’t publicly post them).  Remind employees to never leave files open and to destroy confidential documents that are no longer needed. 
  • Assign a privacy officer to stay on top of these issues.   Whether it’s a full-fledged position or an added responsibility for a designated employee, a privacy officer will help keep your company in compliance with identity theft laws.
  • Offer your employees an identity protection program.  This will serve to both protect your employees and help enforce some of your privacy procedures.
  • Install monitoring systems, whether automated or outsourced to a third party.  For example, watch out for procedures that could raise red flags, such as employees logging in and accessing multiple files late at night, or data that is transferred to mobile or external devices.
  • Develop a culture of privacy awareness.  Keep the topic of security front and center in the communication and activities with your staff.
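The monitoring bullet above, as an added example that is not part of the Lexology piece: detection logic in Python run over a few constructed file-access log lines, flagging a user who reads many distinct files after hours in one night and any write to removable media by a user who is not on an allow list. The log format, the field names, the thresholds and the user names are assumptions of the example; in practice the inputs would be the file server's audit log and the endpoint agent's removable-media events.

```python
"""Added example: two insider-threat detections over a constructed access log.

Rule 1: a user reading many distinct files between 22:00 and 06:00 in one night.
Rule 2: any write to removable media by a user who is not allow-listed.
The log format below is an assumption of this example, not a real product's.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: one normal daytime user, one after-hours bulk reader who
# then copies to a USB drive, one allow-listed backup job, one malformed line.
SAMPLE_LOG = """\
2011-11-14T14:02:10Z user=amartin action=file_read path=/finance/ap/invoices-oct.xlsx
2011-11-14T14:05:31Z user=amartin action=file_read path=/finance/ap/invoices-nov.xlsx
2011-11-14T23:10:02Z user=jsmith action=file_read path=/finance/q3/forecast.xlsx
2011-11-14T23:12:45Z user=jsmith action=file_read path=/finance/q3/board-pack.pptx
2011-11-14T23:20:11Z user=jsmith action=file_read path=/sales/customers/contacts-emea.csv
2011-11-15T00:04:59Z user=jsmith action=file_read path=/sales/customers/contacts-na.csv
2011-11-15T01:33:07Z user=jsmith action=file_read path=/hr/payroll/2011-summary.xlsx
2011-11-15T01:50:40Z user=jsmith action=file_read path=/legal/contracts/acme-msa.pdf
2011-11-15T01:52:03Z user=jsmith action=removable_write device=E: bytes=48213991
2011-11-15T02:00:00Z user=backup-svc action=removable_write device=TAPE0 bytes=9103241200
this line is not in the expected format
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict | None:
    """Turn one log line into a dict, or return None if it does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    event = {"ts": ts, "user": m["user"], "action": m["action"]}
    event.update(KV_RE.findall(m["rest"]))      # remaining key=value pairs
    return event


def after_hours(ts: datetime) -> bool:
    """Assumed business hours are 06:00 to 22:00."""
    return ts.hour >= 22 or ts.hour < 6


def detect(lines, night_threshold: int = 5, removable_allowlist=frozenset()):
    """Return a list of (rule, user, detail) alerts for the given log lines."""
    alerts = []
    night_reads = defaultdict(set)              # (user, night) -> distinct paths
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["action"] == "file_read" and after_hours(ev["ts"]):
            # Shift back six hours so 23:00 and 02:00 land on the same "night".
            night = (ev["ts"] - timedelta(hours=6)).date()
            night_reads[(ev["user"], night)].add(ev.get("path"))
        elif ev["action"] == "removable_write" and ev["user"] not in removable_allowlist:
            alerts.append(("removable_write", ev["user"],
                           f"{ev.get('bytes', '?')} bytes to {ev.get('device', '?')}"))
    for (user, night), paths in sorted(night_reads.items()):
        if len(paths) >= night_threshold:
            alerts.append(("after_hours_bulk_read", user,
                           f"{len(paths)} distinct files on the night of {night}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG, removable_allowlist={"backup-svc"}):
        print(f"ALERT {rule}: {user}: {detail}")
```

Run against the sample, the two rules fire only for jsmith, and the two alerts together (bulk reading across finance, sales, HR and legal shares shortly before midnight, then 48 MB written to a USB drive) are a far stronger signal than either alone. The allow list matters: without it the nightly backup job trips the removable-media rule every night, and analysts soon stop reading the alerts.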
Source: http://www.lexology.com
17 Nov 2011
Nearly Half of UK Corporate Laptops Still Not Protected Against Data Loss

A new UK survey from Check Point has shown that nearly half of UK public and private sector organisations are still risking data breaches, losses and leaks from their portable PCs and devices. 52% of respondents said they used data encryption to secure their business laptops, 43% said they did not have encryption deployed and a further 5% admitted they didn’t know if encryption was used.

While the survey shows that more UK organisations are taking action to protect their laptops and removable media – a similar UK survey by Check Point in October 2010 found that just 40% of organisations had encryption deployed on their laptops – a significant proportion of businesses are still vulnerable to breaches from loss or theft of portable PCs.
In addition, the survey of 320 UK IT managers and senior IT staff revealed that only half of organisations used data encryption to protect removable media, such as USB memory sticks, removable drives and DVDs. 44% said they had no solutions deployed to protect these devices, and 6% of respondents said they did not know if encryption was used.

A growing issue for organisations is consumerisation of technology: employees using personal laptops or smartphones for work purposes. 61% of organisations surveyed said that employees use personal devices for work (up from 55% in Check Point’s October 2010 survey), yet 42% of the respondents said they had no formal process for deploying security to these devices, leaving the corporate network at risk. Only 17% of the organisations said they insisted on deploying security on personal devices used for work purposes, and 42% restrict access to the organisation’s network or data resources to authorised corporate devices only.

When asked if their organisation had experienced a data loss incident in the past 12 months, whether accidental or malicious, 73% said they had not experienced an incident. 13% reported a breach due to a lost or stolen laptop; 8% reported a breach from an email being accidentally sent to the wrong recipients; and 7% reported a lost or stolen USB stick or removable storage device.
Terry Greer-King, Check Point’s UK managing director said: “It’s encouraging that more UK firms are protecting their laptops and data, but the rate of growth is slow, and nearly half of organisations still do not secure their data on portable computers and devices. At the same time, new threats such as consumerization are emerging, and many organisations haven’t established measures to secure the use of personal laptops and smartphones in the workplace.

“These threats need to be addressed by a combination of education and technology so that organisations can protect their data, their business and their employees against the risks of security breaches.”

Despite email breaches being the second most common vector for breaches, and the UK Information Commissioner’s Office levying its first fine for email data breaches on a Council earlier in 2011, only 32% of respondents said they had any kind of data leak prevention solution to protect email traffic and sensitive files from reaching unauthorised individuals. 15% of those surveyed reported they were considering solutions, and 38% said they had no plans to deploy a solution.

The Check Point email survey, conducted together with eMedia, gauged the opinions of 320 senior IT staff, IT managers and IT directors across a wide range of UK companies from the public and private sectors.

16 Nov 2011
Facebook security breach raises concerns

A widespread spam attack on Facebook has caused violent and pornographic images to be posted on some users’ profile pages, representing one of the worst security breaches in the young Web site’s history and raising concerns about its vulnerability to hackers.

The company, which acknowledged the problem Monday, said it was working to shut down the accounts responsible for the attack.

The disturbing pictures surfaced as the company tries to quell concerns about user safety and privacy. Facebook is reportedly near a settlement with the Federal Trade Commission over complaints about the way it stores and shares user data. Experts said that while this latest attack didn’t appear to compromise users’ data, it was a serious security breach.

“Protecting the people who use Facebook from spam and malicious content is a top priority for us, and we are always working to improve our systems to isolate and remove material that violates our terms,” Facebook spokesman Andrew Noyes said in a statement. “Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible.”

According to Facebook, users were somehow tricked into copying and pasting malicious code into their browser bars. Hackers then gained access to their profiles and could post whatever they wished, and any of the user’s Facebook friends could see the images.

Chester Wisniewski, a security researcher at Sophos, said similar schemes in the past have lured users in with promises of free or discounted products.

It was unclear Tuesday who was responsible. Groups of hackers have threatened to put out a virus to “take down Facebook” over their concerns with the way it handles user privacy.

Daimon Geopfert, a security expert for RSM McGladrey, said that this was one of the largest Facebook attacks he has seen. The scale and speed were “unprecedented,” he said.

Experts said it was easy to imagine another attack on the Facebook platform that would be more troubling: sending false messages to family and friends to lure them to malicious sites, where they might be tricked into revealing private information. They warned that hackers could use the template of this attack to launch copycat efforts.

The presence of the photos upset many Facebook users, who took to Twitter to say they were weighing whether to deactivate their accounts.

Part of Facebook’s success has stemmed from its ability to get developers to create games and other applications that work seamlessly on the site’s platform. But giving such leeway to outside programmers means the site is also vulnerable to hackers, Wisniewski said.

Facebook could be doing more to stop these kinds of attacks, he said, such as checking the credentials of programmers who register with the site and giving users the option to double-check any actions before they take effect. The company has made an effort to make things seamless, he said, but convenience often comes at the expense of security.

“The technical pieces of this aren’t going to matter,” Geopfert said. “The idea that it happened and that the platform is more risky than you thought is damaging.”

Washington Post Co. chairman and chief executive Donald E. Graham is a member of the Facebook board of directors.

Source: http://www.washingtonpost.com
14 Nov 2011
Data Breach Puts 35 Million Gamers at Risk

Video game company Valve announced last Thursday that it had suffered a data breach of its popular game download service, Steam. In a message to customers on the Steam forums, Valve founder Gabe Newell explained that the service's database, containing customers' personal data, had been breached.

"This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information," Newell explained. "We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating."

As with similar data breaches, this is a good news/bad news situation for Steam's 35 million users. The good news, of course, is that those credit card numbers were encrypted, meaning there's little risk of direct theft happening as a result (though Newell did urge users to monitor their credit card activity).

The bad news is that whoever broke in can still do plenty of damage with the data. As we explored earlier this year, a hacker who possesses your email address and other personal information could craft a convincing-looking phishing email to try to trick you into giving up other information or to click on malicious links.

Passwords are also a concern. While accounts for the Steam service itself are believed by Valve to be secure, Newell did say that users with accounts for the discussion forums will be required to change them. More importantly, people who use the same password for multiple services are at risk for breaches of their other accounts; if a hacker has your email address and the password you used for the Steam forums, he or she is likely to try that combination on various popular services and hope to get lucky.

"If you're a forum user and use that same password elsewhere, you're highly likely to have those [accounts] broken into," explains Chester Wisniewski of security firm Sophos.
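The article's "hashed and salted passwords" and its warning about reused passwords are worth seeing side by side. The following is an added example, not Valve's code and not a statement about how Steam stores credentials; it uses only the Python standard library, and the hash function (PBKDF2-HMAC-SHA256), iteration count and user records are assumptions constructed for illustration.

```python
"""Salted, iterated password hashing, and why it does not rescue a reused password.

Added example; it is not Valve's code and makes no claim about Steam's
implementation. Only the Python standard library is used. The accounts below
are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000   # illustrative work factor; choose a higher figure in production
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is supplied,
    so two users who chose the same password end up with different digests."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class CredentialStore:
    """Minimal store keeping (salt, digest) per user, never the password itself."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Spend the same hashing work for an unknown user so the response
            # time does not reveal which usernames exist.
            hash_password(password)
            return False
        return verify_password(password, *record)

    def digests_identical(self, user_a: str, user_b: str) -> bool:
        """False for two users sharing a password when per-user salts are in use:
        the salt defeats precomputed tables and batch comparison of digests."""
        return self._records[user_a][1] == self._records[user_b][1]


def build_demo_store() -> CredentialStore:
    """Constructed accounts; two of them chose the same password."""
    store = CredentialStore()
    store.register("alice", "correct horse battery staple")
    store.register("bob", "correct horse battery staple")
    store.register("carol", "hunter2")
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print("alice login ok:", store.login("alice", "correct horse battery staple"))
    print("alice wrong password:", store.login("alice", "hunter2"))
    print("alice/bob digests identical:", store.digests_identical("alice", "bob"))
```

The salt and the iteration count raise the cost of recovering any one password from a stolen table; they do nothing once a password has been recovered or phished, because the same password is then valid on every other service where it was reused. That is the article's point: the only mitigation in the user's hands is a different password per service.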

What makes this particular breach notable though, aside from the sheer number of affected users, is that it's just the latest in a long string of attacks involving companies that serve gamers. The most significant, of course, was the massive breach of the PlayStation network that compromised the personal data of more than 100 million users. Meanwhile, similar attacks have been carried out this year against Japanese game companies Sega and Square Enix, as well as a minor breach of Nintendo that thankfully did not result in any customer data being stolen.

So what gives? Are video game companies worse than the rest of the business world at securing their customers' data?

Wisniewski says this probably isn't the case, noting that poor data security is a universal problem and that it's more likely that the high-profile nature of gaming companies simply makes it a bigger story when they are attacked. He does, however, say that the Steam attack bears some hallmarks of a more amateur attack, suggesting that this may have simply been the work of someone who already uses the service and decided to mess around.

"If this was Russian hackers trying to steal credit card numbers, they wouldn't have touched the forums," he says, referring to the fact that the breach was preceded by the forums being defaced last weekend. "I think it's an amateur hacker."

Once again, then, it's a good news/bad news situation. The good news is that you don't need to worry about a video game company's data security any more than you need to worry about any business's data security. The bad news is that the current state of data security means you're at risk any time you hand over personal data to a business, whether it's a game publisher or a clothing retailer.

The lesson, then, is to be circumspect about who you give your data to, and keep those passwords secure.

08 Nov 2011
Data security: breaches can result in huge costs

This year, Marks and Spencer had to contact its customers, warning them their email addresses had been stolen, after Epsilon, a US-based email marketing supplier, was attacked by computer hackers.

The incident laid bare risks to businesses ranging from retailers to banks when they hold customer data. According to Paul Bantick, a senior underwriter in insurer Beazley’s technology, media and business services team, retailers are among the most exposed to this type of risk.
“If you think about it,” he says, “people are going through their stores swiping their credit cards all day long.”

But it is not just retailers who are potential targets. Companies are storing ever greater amounts of customer data, while coming under constant pressure to run faster, lighter IT systems. Guarding against a data security breach is more important than ever.

Insurers and brokers identify several steps to minimise this risk.

According to Karen Avery, practice leader for resiliency services at Marsh Risk Consulting, it is essential for a company to map out what information it has, and its economic value, so it can make the right decisions about protecting it.

“What a criminal would do is map out the information value chain and look for the weakest link,” she says. “Taking this end-to-end approach allows you to understand where the weak links are, and apply the appropriate solutions.”

Jeremy Smith, practice leader in Willis’s London cyber-risk and data security team, says once the sensitive data have been identified, companies can look at ways of protecting against unauthorised disclosure. That may involve IT or it may be just more basic precautions.
One way to minimise the risks of a data breach is to limit the number of people who have access.
“You need to establish barriers, to ensure that information is limited in terms of how it is communicated for its intended purpose and what locations are using it.
“Really, it is just making sure that you have a good grip on exactly who is handling the data and why,” he says.

Data should be encrypted, and sending them to third parties should be limited whenever possible, Mr Smith adds.

If something does go wrong, it is essential to have contingency plans in place.
“You should have a data breach response plan,” he says, “so that when there is a data breach, the right people know who’s meant to be doing what.”

It is also good practice to have a dedicated privacy officer, or information security officer.
“Having a good plan in place can seriously reduce the costs resulting from the breach as, in these kinds of situations, the longer things run without being dealt with in the proper fashion, the more costly it can get,” he adds.

Banks and retailers can also protect themselves against the costs related to a data breach through specialist insurance policies.

Bob Parisi, who leads on cyber-risks in Marsh’s financial and professional practice, says estimates put the size of the market at between $400m and $800m of annual gross written premium.
While the market has traditionally been concentrated on the US, it is now developing in Asia and Europe, he says.

Willis’s Mr Smith says the cost of cover depends on the amount of personal data a company is holding, the nature of that information, and the quality of security – for example whether the company complies with ISO 27002, the data security standard.

Mr Parisi says the cost has also become more affordable, as more insurers have entered the market, and they have become better at understanding cyber-risks.

Beazley’s Mr Bantick says that the cover “is cheaper than traditional liability lines of business”.
He notes that retailers, banks and healthcare organisations are among the biggest buyers of this type of cover. “Retailers are the number-one buyer of this type of insurance,” he says.
But the increase in cover has been accompanied by an upswing in claims.
Whereas the US has for some time generated significant claims, incidents are now occurring across the world.

The US already has strict data protection legislation, and more comprehensive European rules have been proposed, says Mr Smith.
“Data breach is a truly global phenomenon,” he says.
Many claims are for the cost of dealing with a data security breach, for example containing the breach and notifying customers.

Affected companies may offer customers credit monitoring, while there may be the public relations costs of protecting the company’s reputation after the incident.

Mr Bantick says companies are “buying this insurance policy to bring in people who are managing [security breaches] every day. They just want this thing to go away”.

But companies face fresh risks as a result of new technologies, from staff increasingly using tablet computers to storing data in the “cloud”.

“A lot of companies are lured by the low cost of cloud providers,” says Marsh’s Ms Avery. “[But] you have to look at all of your information. Is it co-located? Where does it reside? Is the server in your country?”

Ben Beeson, a partner at Lockton, an insurance broker, says companies are working through whether to outsource data to cloud providers, as they could remain liable for the risk of a data breach.

“Businesses are grappling with that conundrum. My feeling is it will become more prevalent. Businesses will use the cloud,” he says.

But he adds: “There is nervousness about how this is being addressed.”

02 Nov 2011
Are You Really in PCI Compliance?

WARNING: Your business may not be in compliance with the Payment Card Industry Data Security Standard (PCI DSS), placing it at risk of brand damage, costly fines and even loss of the ability to accept and process credit cards.

Despite merchants' increased focus on meeting PCI DSS requirements, credit card security breaches continue to occur with alarming regularity. According to the Identity Theft Resource Center, there were 662 disclosed data breaches in 2010. Worse, although it has been nearly 10 years since the original Visa CISP program was published and multiple deadlines for different types of merchants have passed, many businesses don't even realize they're not compliant -- until it's too late.

One root cause: Most validations are self-assessments performed by IT personnel who haven't been trained to test PCI DSS compliance. Without a proper assessment by either trained internal personnel or third-party assessors, many merchants will continue to believe, erroneously, that they're in compliance with the PCI standard.

Given the potentially astronomical costs of a data breach -- Ponemon Institute's 2010 Annual Study: U.S. Cost of a Data Breach found the average cost of a breach to be $7.2 million -- convenience store executives should take care to confirm their businesses are not among the many that are misinterpreting PCI DSS requirements and failing to protect their systems appropriately from security breaches.

Compliance and Validation Requirements 
The PCI standards apply to all merchants and service providers -- regardless of industry or size -- that store, process or transmit cardholder data. Compliance with the standard is mandatory, and it is critical to understand that only validation procedures vary because of card volumes.

Other than not validating processes at all, the most common reason for PCI DSS noncompliance is performing the self-assessment questionnaire using too narrow of a scope. Additionally, many IT organizations assume certain controls are in place when they're not, or they misinterpret the requirements of the standard.

Getting the scope right is critical to an accurate compliance validation. Companies must keep in mind that PCI DSS applies to all of their systems, including all external connections into the merchant network; all connections to and from the authorization and settlement environment (e.g., routers, switches, firewalls, web servers and wireless connections); any cardholder data repositories, including those outside of the authorization and settlement environment (such as document images and voice recordings); and all systems connected to any of the above.

Effectively, merchants and service providers must either "segment" their PCI-affiliated devices from the rest of their network or validate their entire network. This is an area that merchants frequently misunderstand.

To clarify how the audit scope, self-assessment questionnaire and scans should be interpreted, merchants should heed the following guidelines:

• In a nonsegmented or "flat" network, all devices are in scope for audits and scans. Therefore, the entire network needs to comply with PCI DSS requirements. 
• Even in a segmented network, those systems that connect through the firewall to the cardholder systems remain in scope.

Steps to Compliance and Proper Validation
The following steps provide a brief overview of what companies can do to assess their PCI DSS compliance and remediate potential risks.

Step 1: Obtain expertise on the PCI standard. PCI DSS is not simple, and assessing your compliance without the benefit of the PCI Council's training is unlikely to yield the correct conclusions. The PCI Council publishes the Internal Security Assessor training schedule on its website, www.pcisecuritystandards.org. A Qualified Security Assessor (QSA) firm also can assist with your assessment if you lack internal personnel with the right skills.

Step 2: Perform a scope and gap analysis. After you have a trained assessor to work with, the next step is to perform a scope and gap analysis of your systems and networks. This will determine if your configuration properly segments PCI data from externally accessible systems and the rest of the internal network. The gap assessment should then cover all PCI requirements within the appropriate scope.

Although self-assessment questionnaires have been vastly improved to address all PCI controls, organizations should still refer to the PCI Requirements and Security Assessment Procedures (www.pcisecuritystandards.org/documents/pci_dss_v2.pdf) when carrying out the gap analysis to ensure requirements are properly interpreted. Determining your scope and gaps also will assist in determining what might need to be remedied and how best to approach the process.

Step 3: Segment your PCI network. One of the best ways to reduce risk -- and the PCI scope -- is to separate the PCI systems from other internal systems with a proper segmentation, including a firewall.

Step 4: Implement other ways to limit the scope. Other methods can be used to reduce the scope. For instance, if a card number is encrypted inside a secured personal identification number (PIN) pad device, and it remains encrypted until it reaches the processor, this "end-to-end encryption" can remove card-present transactions -- and potentially the entire point-of-sale environment -- from scope. Many PIN pad vendors now offer this capability.
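The scoping rules in the two bullets above and in Step 2 can be expressed as a small, repeatable check against a system inventory. What follows is an added example, not part of the Protiviti article and not a PCI Council tool: the hostnames, network segments and firewall allow-list are constructed, and the model assumes that hosts in one segment have no firewall between them and that any segment pair not listed in the allow-list is blocked.

```python
"""Work out which systems fall within PCI DSS assessment scope.

Added worked example; not the article's own material and not a PCI Council
tool. It encodes the rules the article states: in a flat (unsegmented)
network every device is in scope; in a segmented network the cardholder
systems, anything sharing a segment with them, and any system the firewall
permits to connect to or from the cardholder segment remain in scope.
Hostnames, segments and firewall rules are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# Constructed inventory: host -> (network segment, stores/processes/transmits cardholder data?)
INVENTORY: Dict[str, Tuple[str, bool]] = {
    "pos-01": ("cde", True),
    "pos-02": ("cde", True),
    "payment-db": ("cde", True),
    "jump-host": ("cde", False),       # no card data, but no firewall between it and the DB
    "web-shop": ("dmz", False),        # submits authorisations into the CDE
    "monitoring": ("mgmt", False),     # polls CDE hosts
    "corp-fileserver": ("corp", False),
    "hr-laptop": ("corp", False),
}

# Constructed firewall allow-list as (source segment, destination segment);
# any pair not listed is assumed blocked.
FIREWALL_ALLOW: List[Tuple[str, str]] = [
    ("dmz", "cde"),
    ("mgmt", "cde"),
    ("corp", "dmz"),
]


def is_flat(inventory: Dict[str, Tuple[str, bool]]) -> bool:
    """A network with a single segment has no segmentation at all."""
    return len({segment for segment, _ in inventory.values()}) == 1


def cde_segments(inventory: Dict[str, Tuple[str, bool]]) -> Set[str]:
    """Segments that contain at least one cardholder-data system."""
    return {segment for segment, handles_chd in inventory.values() if handles_chd}


def connected_segments(cde: Set[str], firewall_allow: List[Tuple[str, str]]) -> Set[str]:
    """Non-CDE segments the firewall lets talk to, or be reached from, a CDE segment."""
    connected: Set[str] = set()
    for src, dst in firewall_allow:
        if dst in cde and src not in cde:
            connected.add(src)
        if src in cde and dst not in cde:
            connected.add(dst)
    return connected


def pci_scope(inventory: Dict[str, Tuple[str, bool]],
              firewall_allow: List[Tuple[str, str]]) -> Dict[str, str]:
    """Return {host: reason} for every host that must be assessed."""
    if is_flat(inventory):
        return {host: "flat network: every device is in scope" for host in inventory}
    cde = cde_segments(inventory)
    connected = connected_segments(cde, firewall_allow)
    scope: Dict[str, str] = {}
    for host, (segment, handles_chd) in inventory.items():
        if handles_chd:
            scope[host] = "stores, processes or transmits cardholder data"
        elif segment in cde:
            scope[host] = "shares a segment with cardholder systems (no firewall in between)"
        elif segment in connected:
            scope[host] = "firewall permits a connection to or from the CDE"
    return scope


def out_of_scope(inventory: Dict[str, Tuple[str, bool]],
                 firewall_allow: List[Tuple[str, str]]) -> Set[str]:
    """Hosts that segmentation keeps outside the assessment."""
    return set(inventory) - set(pci_scope(inventory, firewall_allow))


if __name__ == "__main__":
    for host, reason in sorted(pci_scope(INVENTORY, FIREWALL_ALLOW).items()):
        print(f"IN SCOPE  {host:16} {reason}")
    for host in sorted(out_of_scope(INVENTORY, FIREWALL_ALLOW)):
        print(f"OUT       {host}")
    # Collapsing everything into one segment shows the flat-network rule.
    flat = {h: ("lan", chd) for h, (_, chd) in INVENTORY.items()}
    print(len(pci_scope(flat, [])), "of", len(flat), "hosts in scope on a flat network")
```

Two things the run makes visible that the prose only asserts: the jump host is in scope although it never touches card data, purely because it sits behind the same firewall boundary as the database, and removing a single allow rule (the monitoring path into the CDE) takes a whole segment out of scope. The model treats only direct firewall adjacency as "connected"; a real assessment should also record why each permitted flow exists.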

Too many companies have looked for the easy way to validate compliance with PCI DSS without really "digging under the covers." As a result, too many criminals are compromising merchants' data security -- and consumers are unnecessarily at risk.

Compliance with PCI DSS is an absolute requirement for all merchants and service providers, so it must be taken seriously. If there's any chance your company has validated compliance based on incorrect interpretations or assumptions, take action immediately to address your severe risk of exposure to a data security breach.

Source: Protiviti Inc
25 Oct 2011
ICO - Private sector data breaches up 58 percent

The Information Commissioner’s Office (ICO) has revealed that the number of data security breaches in the private sector has increased by 58 percent year-on-year.

Between 1 April and 30 September 2011, there were 136 breaches reported to the ICO, compared to 86 in the same period last year.

Although organisations in the private and public sector are not obligated to report data breaches to the ICO, the increase in notifications may be due to greater awareness among businesses of their responsibilities under the Data Protection Act (DPA). Awareness may also have grown on the back of high-profile security breaches this year, such as those by LulzSec and the Sony Playstation hack.

The ICO’s recent survey of businesses and public sector organisations revealed that nearly three quarters (74 percent) of businesses now know that the DPA requires them to keep personal information secure – up 26 percent on last year’s figure (48 percent).

However, the ICO believes that the increase in number of breaches reported indicates that businesses need to act on their heightened awareness.

Christopher Graham, the Information Commissioner, said: “I’m encouraged that the private sector is waking up to its data protection responsibilities, with unprompted awareness of the DPA’s principles higher than ever.

“However, the sector does not seem to be putting its knowledge to good use. The fact is that security breaches in the private sector are on the rise, and public confidence in good information handling is declining. Businesses seem to know what they need to do – now they just need to get on with doing it.”

The ICO has the power to impose a fine of up to £500,000 on organisations that allow a security data breach to occur, but Graham said that businesses should also consider the threat to their reputation if they do not ensure breaches are avoided.

“Customers will turn away from brands that let them down,” he said.

Source: http://www.computerworlduk.com
24 Oct 2011
‘Big Four’ Probe, EU Utilities, Regulators Named: Compliance

PricewaterhouseCoopers, KPMG, Deloitte and Ernst & Young – ‘the big four’ – have been referred to the Competition Commission by the OFT for further investigation.

The regulator referred the consultancy groups following a public consultation on the supply of statutory audit services to large companies, which closed in September.

John Fingleton, chief executive of the Office of Fair Trading, said the market for large company audits lacks sufficient competition and does not work well for customers.

He added: "It is highly concentrated, largely supplied by four big firms, with clients rarely switching between auditors. There are also high barriers to entry for new and smaller competitors. These are not the indicators of a competitive market.

"Voluntary and industry-led efforts to increase competition and choice in this market have proved unsuccessful.

"Following extensive consultation, we have concluded that a reference to the Competition Commission is appropriate. We believe that such an inquiry will also complement the EU's legislative process."

Ahead of the referral, the Commission held a series of discussions with other audit service providers and their customers.

Despite concerns about related work continuing in the European Union, the OFT decided there was an urgent need for an inquiry now, for what could be a UK-specific problem.

Public interest

David Herbinet, London managing partner of Mazars, said he agrees that an inquiry is needed, if only for the public interest.

He explained: "We need a much more open vibrant market. This would better serve the twenty-first century needs of shareholders and wider society. More competition would enhance audit quality and foster the growth agenda.

"It would bring much needed innovation in audit reporting, improve client service and lead to more distinctive service offerings. It is a basic economic principle that improved competition leads to a healthier market and a better deal for clients.

"It is now time for those resisting change to justify their position."

Herbinet said that London needs a thriving audit market that is protected against dominant players leaving the market unexpectedly.

He continued: "The problem however is a wider European and global one as well and so we look forward to Brussels bringing forward proposals to ensure a level playing field across the European Union and one with an increased number of quality players on the pitch with size no longer being taken as a proxy for quality."

Source: Bloomberg
18 Oct 2011
Internal fraud on the rise, Kroll's Annual Global Fraud Report shows

Fraud remains predominantly an inside job, according to the Kroll Annual Global Fraud Report released today. This year's study shows that 60 percent of frauds are committed by insiders, up from 55 percent last year. Overall, fraud concerns among executives around the globe rose approximately 15 percent led by information theft and corruption and bribery. The findings are contained in a study commissioned by Kroll with the Economist Intelligence Unit of more than 1,200 senior executives worldwide.

Half of all companies surveyed (50 percent) said they are moderately to highly vulnerable to information theft, up sharply from 38 percent in 2010. Moreover, IT complexity is the leading cause of increasing fraud exposure, cited by 36 percent of respondents compared with 28 percent last year. Information-based industries continue to report the highest incidence of theft of information and electronic data. These include financial services (29 percent), technology, media and telecoms (29 percent), healthcare, pharmaceuticals and biotechnology (26 percent) and professional services (23 percent).

Despite heightened levels of concern, the overall prevalence of fraud decreased this year to 75 percent from 88 percent last year. Roughly one in four companies were hit by physical theft of cash, assets and inventory or information theft, both down from record highs in 2010. In contrast, management conflict of interest (21 percent), vendor, supplier or procurement fraud (20 percent) and internal financial fraud (19 percent) all saw notable increases. The incidence of corruption and bribery nearly doubled over the past year from 10 to 19 percent.

"This year's study provides a reason for both optimism and concern," said Robert Brenner, Vice President Americas, Kroll Business Intelligence and Investigations. "While the overall volume of fraud has declined, the types of problems on the rise -- management conflict of interest, financial fraud, corruption and bribery -- pose greater risks of serious financial and reputational damage to an organization. Companies are paying attention and investing more in detection and prevention of fraud generally. However, they continue to lag in their attention to laws such as the FCPA and UK Bribery Act that are intended to root out bribery and corruption. Developing the necessary culture and controls across ever more global operations will be one of the challenges going forward."

For the second straight year, fear of fraud is dissuading nearly half of companies surveyed from becoming more global. Forty-six percent of respondents indicated that fraud had dissuaded them from pursuing business opportunities in at least one foreign country. Corruption and bribery are the leading factors in that decision, cited by 62 percent. The biggest impact has been on emerging economies, with fraud deterring 15 percent of businesses from operating in Africa, 10 percent in China and 9 percent in India.

Companies, however, seem unprepared to deal effectively with corruption. According to the survey, only 27 percent of respondents said they are well-prepared to comply with regulations, such as the Foreign Corrupt Practices Act and UK Bribery Act. Of those companies that are subject to one of these two laws, less than half, 43 percent, have trained senior management, agents, vendors and foreign employees to be compliant with one of these laws, and just 39 percent have assessed the risks arising from them. Furthermore, only 37 percent of companies surveyed believe that their due diligence provides a sufficient understanding of a potential partner's or investment target's compliance with these acts.

Other key findings include:

-- The economic cost of fraud: How expensive is fraud to companies? This year's survey found that on average fraud cost companies 2.1 percent of earnings in the past 12 months, which is equivalent to a week of revenues over the course of a year. Eighteen percent lost more than 4 percent of revenues to fraud in the year, while 53 companies, or one quarter of that group, lost more than 10 percent of revenues to fraud.

-- Combatting information theft poses new challenges for industries: One of the major challenges faced by companies defending against information theft is the variety of data being sought by fraudsters. While proprietary data is the most common target, customer and employee data are also targets for theft. The data category sought the most by fraudsters varies by industry, depending on the value of the data a company is likely to have. For technology, media and telecoms companies, the most common target category is proprietary data (cited by 36 percent of respondents), while for financial services companies it is customer information (29 percent).

-- Fraud largely remains an inside job: Last year's survey found that among companies impacted by fraud, junior employees and senior management were the most likely perpetrators at 22 percent each. This year, for junior employees that figure climbed to 28 percent and remained about the same for senior management (21 percent). A further 11 percent was committed by an intermediary or agent for the company, meaning that this year, 60 percent of fraud was committed by someone who worked for the company in some way. However, for the companies that lost the most revenue from fraud, senior executives are more likely to be the perpetrators (29 percent) with junior employees involved in only 8 percent of the cases.

The fifth Kroll Annual Global Fraud Report includes a full detailed industry analysis across a range of fraud categories and regions. To obtain a copy please visit www.kroll.com/fraud.

Notes to editors

Please see the Kroll 2011-2012 Global Fraud Report fact sheet for key findings and graphics, including a detailed look at the industries, regions and types of fraud covered in the report.

Methodology

Kroll commissioned The Economist Intelligence Unit to conduct a worldwide survey on fraud and its effect on business during 2011. A total of 1265 senior executives took part in this survey. Nearly a quarter of the respondents were based in North America (23 percent) and Europe (24 percent), 28 percent from Asia-Pacific region, 15 percent from the Middle East and Africa, and 11 percent from Latin America.

Ten industries were covered, with no fewer than 50 respondents drawn from each industry. The highest number of respondents came from the financial services industry (17 percent). One half of the companies polled had global annual revenues in excess of $500 million.


SOURCE: Kroll
04 Oct 2011
NHS Loses 800 Patient Records On Unencrypted USB

The Surrey and Sussex Healthcare NHS Trust lost the records of 800 patients and did not inform them 

People may trust the NHS with their health, but they should seriously reconsider its ability to safeguard their personal data, after yet another embarrassing data breach.
It has emerged that Surrey and Sussex Healthcare NHS Trust, which runs East Surrey Hospital, lost the confidential records of 800 patients on an unencrypted memory stick.
The data breach happened way back in September 2010, and according to the Crawley Observer, the lost details included patient names, operation details, and dates of birth. The lost memory stick was never recovered.

Patients Not Informed

The NHS has a long track record with losing people’s confidential data, but what makes matters worse in this particular case is that the 800 affected people were never informed their details had been misplaced.
“We take the confidentiality of patient information extremely seriously,” chief executive Michael Wilson was quoted as saying by the Crawley Observer. “All staff should always use encrypted memory sticks when transferring patient data. It is regrettable that this didn’t happen on this occasion and the member of staff has been taken through the Trust’s disciplinary procedures and has received further training.”
Meanwhile the ICO told eWEEK Europe that the case was reported to it soon after the data loss incident, but the case only came to the public’s attention when it was mentioned in the annual 2010/11 report from the Surrey and Sussex Healthcare NHS Trust.
“After investigating the breach the ICO warned the organisation that their policy covering the storage and use of personal data must be followed by staff and the Trust must make sure that their staff are aware of their policy for the storage and use of personal data and are appropriately trained on how to follow it,” said the ICO spokesperson.
“The Trust was also warned that any repetition of such an incident may result in formal regulatory action,” the ICO said.

Long Litany

While the NHS may be good at safeguarding people’s health, it has a truly shocking reputation for protecting people’s confidential data.
In early September the University Hospital of South Manchester NHS Foundation Trust was ruled to have breached the Data Protection Act (DPA) by losing sensitive personal information relating to the treatment of 87 patients. A memory stick was lost by a medical student when he copied data onto a personal, unencrypted memory stick for research purposes.
But the list of other NHS data breaches does not stop there.
In July researchers for London Health Programmes revealed that they had lost unencrypted records of 8.63 million NHS patients. And last October Healthcare Locums Plc breached the Data Protection Act when it lost a hard disc drive (HDD) that contained personal data of the doctors it employed, such as their security clearances and visa information.
In May 2010 an NHS worker in the secure mental health unit of a Scottish hospital was suspended after losing a USB stick containing patients’ medical records.

03 Oct 2011
Data Breach Hits 5 Million Soldiers, Family Members

Nearly five million current and former soldiers and their family members had their data stolen from a military contractor in September, putting them at risk for identity theft. The lost information includes individuals’ names, Social Security numbers and medical information.
The data was saved on computer tapes that were stolen from a car belonging to an employee of Science Applications International Corp. (SAIC), a large military contractor that runs medical centers for soldiers and their families.

“The employee was responsible for transporting the tapes between federal facilities in San Antonio, Texas,” Vernon Guidry, a spokesman for SAIC, told Credit.com.
The tapes contained the medical records of 4.9 million patients at hospitals and military clinics in the San Antonio area from 1992 through Sept. 2, 2011, as well as patients elsewhere whose lab work and pharmacy prescriptions were handled by San Antonio-area facilities, according to a written statement by Tricare, a Defense Department health care program.

Also included were patients’ addresses, phone numbers, lab tests, prescriptions and clinical notes. The tapes did not contain any financial information like bank account numbers.
According to Tricare, a thief would need to have specific hardware and software, plus knowledge of the data system’s structure, to view the data, which in its view makes it unlikely that the information could be accessed or misused.

“There is no indication that the data has been accessed by unauthorized persons,” Tricare said in its statement.
Tricare plans to send letters to all the victims of the data breach over the next four to six weeks.

26 Sep 2011
What to Do if You've Been Hacked

It's a nightmare scenario every business fears.

Your tech department has spotted suspicious activity on the company network. Your customers and employees are getting hit with credit-card fraud and identity theft. MasterCard Inc. is on line one.

The panic sets in: Your company has been hacked!

So, what do you do?

First, take a breath and remember that you're not alone. Last year, 662 organizations publicly disclosed data breaches, according to the nonprofit Identity Theft Resource Center, a figure that includes real-world theft and accidents as well as cyberintrusions. And the actual number is likely much higher than that, since not all hacking incidents get disclosed.

Next, remember that getting hacked doesn't have to be a business-crippling experience. While it will likely set a company back financially, if handled properly it won't have a long-lasting impact.

"The public is forgiving when it's apparent that the company is doing the right thing," says Lori Nugent, a lawyer at Wilson Elser Moskowitz Edelman & Dicker LLP who specializes in breach cases. In fact, if a company is on top of the technological problems and communicates well, it can build loyalty among its customers, she says.

There are a number of small but critical steps businesses need to take when they find out they've been breached. Here's a look at what to do when it happens to you.

Don't unplug. The natural instinct when an employee discovers he or she has been hacked is to power off the machine (and maybe throw it against the wall in frustration).

But it's the wrong move.

True, disconnecting the machine from the Internet and from the corporate network can help prevent the infection from spreading. But shutting the machine down can also erase valuable evidence that will help investigators determine what's been stolen and where it's been sent. A lot of malware—a catchall term for programs like viruses written and installed by hackers—resides only in a computer's memory (RAM) and not on the hard drive. Powering off a computer clears that memory, and with it many traces of the hack, security experts say. Pull the network cable, not the power cord.

Call in the pros. By now, you've probably realized you're in over your head. There are many companies that specialize in post-breach forensic investigation; it's a good idea to get in touch with one of them now. In fact, you should have one on speed dial for emergencies.

Also, now is the time to tell the police. (This is a separate step from disclosing the breach publicly, so you can wait to make that decision.) Local law-enforcement groups typically don't have the resources to investigate a breach, but filing a police report is often necessary to collect insurance. If you decide you do need official help, the Secret Service is the federal entity charged with investigating hacking intrusions. The Federal Bureau of Investigation also has a cyber division.

Keep a chain of custody. From here on out, you aren't just trying to stop the breach; you're also planning for the inevitable legal fallout. Maybe you won't get sued, but if you do, you'll need to be able to demonstrate that you responded to the breach in an appropriate manner. Record every time someone touches a compromised computer or server and everything that's done to it.

Find out if the breach is still open. Don't assume that because one infected computer has been cleaned up or removed the attack is over. The hacker could have taken control of multiple machines. At this stage, your job is mostly to sit back and let the pros do a thorough search of your systems. Be patient: Learning the full scope of a breach can be a time-consuming process, so don't worry if this takes a few days or longer.

Among the things the experts will need to do is find the malware that the hacker used and determine what kind of information it's programmed to find and where it sends it. Likewise, they'll check the logs of all the outbound communications for any suspicious activity. Patrik Runald, a researcher with security company Websense Inc., says that hackers often send data to so-called dynamic hosts that constantly change their Internet addresses. Most legitimate websites don't use this kind of addressing. If data are still being sent to these types of addresses, it's a possible sign that a breach is still happening.

Stop the bleeding. Now that the pros have assessed the scope of the problem, take the infected computers offline. Investigators will take a digital snapshot of the information on them, leaving you free to erase their contents. Also, block all access to and from any of the Internet addresses associated with the malware.

It's also important to figure out how the hacker broke in, and to fix that hole. Again, experts can look through log files and trace the hacker's movements to, say, find the email with the fake spreadsheet that an unsuspecting employee opened.
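As an added example (not material from the article, and not code from any of the firms quoted in it), here is a small Python triage script that applies the checks from the "find out if the breach is still open" and "stop the bleeding" steps to a set of constructed outbound-connection log lines: it flags destinations that sit on a dynamic-DNS domain or whose resolved address keeps changing across the log window, lists the internal hosts still talking to those destinations after the first infected machine was cleaned, and emits the address list to block at the egress firewall. The log format, the hostnames and addresses, and the short dynamic-DNS suffix list are all assumptions made for the example.

```python
"""Outbound-log triage after a suspected intrusion (added example).

Everything below is constructed for illustration: the log format is
'ISO8601-timestamp src_ip dest_hostname dest_ip bytes', the hosts and
addresses are fictitious, and DYNAMIC_DNS_SUFFIXES is a short
illustrative list rather than a maintained feed.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Set

# Assumed list of dynamic-DNS provider suffixes; a real deployment would
# keep a much longer, regularly refreshed list.
DYNAMIC_DNS_SUFFIXES = (".no-ip.org", ".dyndns.org", ".duckdns.org", ".hopto.org")


class Conn(NamedTuple):
    ts: datetime
    src: str       # internal host that opened the connection
    host: str      # destination hostname as resolved by the proxy/DNS
    dst_ip: str    # address the hostname resolved to at that moment
    nbytes: int    # bytes sent outbound


def parse_log(lines: List[str]) -> List[Conn]:
    """Parse the constructed log format, skipping blanks and '#' comments."""
    records = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, host, dst_ip, nbytes = line.split()
        records.append(Conn(datetime.fromisoformat(ts), src, host.lower(), dst_ip, int(nbytes)))
    return records


def flag_destinations(records: List[Conn], min_distinct_ips: int = 3) -> Dict[str, str]:
    """Return {hostname: reason} for destinations that look like attacker
    infrastructure: a known dynamic-DNS domain, or a name whose resolved
    address changed at least min_distinct_ips times within the window."""
    ips_by_host: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        ips_by_host[r.host].add(r.dst_ip)
    flagged: Dict[str, str] = {}
    for host, ips in ips_by_host.items():
        if host.endswith(DYNAMIC_DNS_SUFFIXES):
            flagged[host] = "dynamic-DNS provider"
        elif len(ips) >= min_distinct_ips:
            flagged[host] = f"resolved to {len(ips)} different addresses"
    return flagged


def still_active(records: List[Conn], flagged: Dict[str, str], cleaned_at: str) -> Dict[str, List[str]]:
    """Internal hosts that kept talking to flagged destinations after the
    ISO8601 time the first infected machine was cleaned. A non-empty result
    means the breach is not closed and other machines are compromised."""
    cutoff = datetime.fromisoformat(cleaned_at)
    active: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r.host in flagged and r.ts > cutoff:
            active[r.src].add(r.host)
    return {src: sorted(hosts) for src, hosts in active.items()}


def block_list(records: List[Conn], flagged: Dict[str, str]) -> List[str]:
    """Every address ever seen for a flagged destination, for the egress
    firewall. Blocking by hostname alone is not enough when the name moves."""
    return sorted({r.dst_ip for r in records if r.host in flagged})


# Constructed sample log: 10.1.1.20 is the machine first found infected and
# wiped at 12:00; 10.1.1.45 is a second machine nobody had looked at yet.
SAMPLE_LOG = """\
# ts src host dst_ip bytes  (constructed sample)
2011-09-20T08:00:01 10.1.1.20 www.example.com 93.184.216.34 5120
2011-09-20T08:05:14 10.1.1.20 update.badhost.no-ip.org 203.0.113.10 40960
2011-09-20T09:05:14 10.1.1.20 update.badhost.no-ip.org 203.0.113.22 40960
2011-09-20T10:05:14 10.1.1.20 update.badhost.no-ip.org 198.51.100.7 40960
2011-09-20T10:30:00 10.1.1.31 mail.example.com 93.184.216.35 2048
2011-09-20T11:00:00 10.1.1.31 cdn.example.org 198.51.100.50 1024
2011-09-20T11:30:00 10.1.1.31 cdn.example.org 198.51.100.50 1024
2011-09-20T13:05:14 10.1.1.45 update.badhost.no-ip.org 203.0.113.30 40960
2011-09-20T13:06:00 10.1.1.45 sync.fluxy-example.net 192.0.2.11 8192
2011-09-20T14:06:00 10.1.1.45 sync.fluxy-example.net 192.0.2.12 8192
2011-09-20T15:06:00 10.1.1.45 sync.fluxy-example.net 192.0.2.13 8192
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG.splitlines())
    flags = flag_destinations(recs)
    for host, why in sorted(flags.items()):
        print(f"FLAG {host}: {why}")
    for src, hosts in sorted(still_active(recs, flags, "2011-09-20T12:00:00").items()):
        print(f"STILL ACTIVE after cleanup: {src} -> {', '.join(hosts)}")
    print("BLOCK:", " ".join(block_list(recs, flags)))
```

Run on the sample, the script flags the no-ip.org name and the fast-changing sync host, reports that 10.1.1.45 was still beaconing after 10.1.1.20 was wiped, and prints seven addresses to block. In practice the same three functions run over exported proxy or DNS logs; the "constantly changing address" heuristic needs the resolved IP recorded per connection, which most proxies log.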

Find out what they stole. This will be slow and frustrating, but it's important to get right—so don't take shortcuts, and resist the temptation to call off the hunt too early.

If companies aren't thorough in their analysis, they'll have to disclose that a breach was bigger than they originally said. This can hurt a company that's trying to rebuild trust with a customer base, as was the case with TJX Companies Inc., which eventually said it lost more than double the number of records it initially announced in the breach it disclosed in January 2007. (A TJX spokeswoman declined to comment.)

"I always say correctly is better than quickly," says Brian Lapidus, the chief operating officer of Kroll Inc.'s fraud-solutions division.

Figure out whom to tell. This is when you bring in the lawyers.

Forty-six states have laws that specify when a company has to inform people whose records have been exposed in a data breach. And they're all different. Other entities, such as the federal Department of Health and Human Services, have separate reporting requirements for organizations they oversee.

Usually, if the data stolen include a name and something like a credit-card or Social Security number, then notification laws are triggered. But sometimes if the data are encrypted or there's a strong reason to believe that the information won't be misused, there's no need to tell anyone. In other cases, credit-card data could be so old that all the cards would have expired.

"Sometimes it's pretty clear that the data is not likely to be misused or the data doesn't meet the notification requirements," says Ms. Nugent, the breach lawyer.

Deciding whether to disclose a breach isn't just a matter of law. Sometimes companies do it because they're afraid it will get out or just because they think it's the right thing to do.

Email marketing firm Epsilon Data Management LLC, a division of Alliance Data Systems Corp., earlier this year said that email addresses it manages for companies like Target Corp. were stolen by a hacker. The company wasn't legally obligated to disclose the breach because email addresses aren't considered personal information. But Epsilon CEO Bryan Kennedy concluded that the news would get out anyway and that coming clean was in the best interest of Epsilon's customers.

Be Apologetic. You probably feel like a victim, but remember, so do the people whose information was stolen. And in their minds, it's your fault.

Remember also that your customers will probably expect the worst when they get the news about the breach. "Consumers tend to jump immediately from a data breach to identity theft," says Matthew Mors, a vice president at Mix Public Relations who has helped craft the response to many breaches.

So, while your lawyer will probably tell you not to apologize, striking a conciliatory tone is important. A good breach-notification letter will make it clear that you are taking the issue seriously and that you've gotten to the bottom of it. Also, be sure to stress that you have taken steps to make sure that something like this doesn't happen again.

Some people will still be concerned, so set up a website with more information and give them a phone number they can call. In some cases, businesses offer customers a year of free credit monitoring after a breach. An increasingly common freebie is credit-restoration services for anyone who runs into problems as the result of a breach.

Source: http://online.wsj.com
23 Sep 2011
Alleged Hacker Arrested in Sony Pictures Data Breach

Los Angeles - An alleged member of a computer hacking group was arrested today in Phoenix and is expected to be transferred to Los Angeles to face federal charges of hacking into Sony Pictures Entertainment's system, officials said. 

Upon the arrest of 23-year-old Cody Kretsinger, an indictment was unsealed in Los Angeles federal court charging the Phoenix resident with conspiracy and the unauthorized impairment of a protected computer for his alleged role in the cyber attack against Sony Pictures, according to the U.S. Attorney's Office. 

According to the indictment, Culver City-based Sony's computer system was hacked from May 27 through June 2 by a group known as LulzSec, or Lulz Security, whose members anonymously claimed responsibility on the group's website. 

Kretsinger, allegedly also known by the moniker "recursion," is believed to be a current or former member of the group. 

The extent of damage caused by the compromise at Sony Pictures is under investigation, according to Steven Martinez, assistant director in charge of the FBI's Los Angeles field office. 

The indictment accuses Kretsinger and co-conspirators of stealing confidential information from Sony Pictures' computer systems and distributing the material on LulzSec's website before announcing the attack on Twitter. 

LulzSec is known for its affiliation with the international hacking collective known as Anonymous, which conducts cyber attacks and disseminates information stolen from individuals and companies perceived to be hostile to its interests, officials said. 

In the recent past, LulzSec has been linked to the hacking, or attempted hacking, of numerous targets, including various websites that represent governmental or business entities. 

Kretsinger is expected to make his initial appearance today before a federal magistrate in Phoenix, at which time the government will request he be transferred to Los Angeles, prosecutors said. 

If convicted, Kretsinger faces a maximum sentence of 15 years in federal prison, prosecutors said.

21 Sep 2011
Japan’s largest arms contractor suffers cyberattack

Defense Minister Yasuo Ichikawa urged Mitsubishi Heavy Industry Ltd. to strengthen its data security systems.

“We are not aware of any important data having leaked to the outside,” Ichikawa said.

The company makes ships, submarines, missile parts and other weapons for Japan’s military.

Mitsubishi Heavy said it had been attacked in August with viruses apparently programmed to breach its computers and servers to gain unauthorized access to protected data. It did not say why it waited until this week to disclose the attack.

“We discovered that there had been a possible leak of system information such as network addresses from some of the computers at the company,” it said in a statement Monday.

It said it has been working with police and independent experts to contain the damage.

The attack involved more than 80 servers and computers at 11 of the company’s facilities related to nuclear power, missiles and submarines, the Nikkei business newspaper said Tuesday.

Attackers allegedly used simplified Chinese characters — the writing system used in mainland China — to remotely control the infected computers, and authorities are investigating the case as suspected spying, the nationwide Yomiuri newspaper reported Tuesday, quoting unidentified sources.

In Beijing, Chinese Foreign Ministry spokesman Hong Lei denied China was involved. “Criticism that China initiated a cyberattack is not only groundless, it goes against development of international cooperation on cybersecurity,” Hong told a daily briefing.

An annual U.S. assessment of China’s military in August said a number of computer systems, including U.S. networks, were the target of intrusions in 2010 that appeared to originate in China. The breaches were aimed at stealing data, but also exhibited the kinds of skills needed for more destructive network attacks, it said.

Another Japanese defense contractor, shipmaker IHI Corp., also reportedly came under cyberattack in recent months, receiving a number of emails with virus-loaded attachments.

Separately, Japan’s National Police Agency said Tuesday that online messages were circulated last week in China calling for attacks on Japanese government websites ahead of the 80th anniversary of the Sept. 18 “Mukden Incident.”

The 1931 event led to the Japanese occupation of China’s northeast and eventually the invasion of much of the country. The date has in the past been marked by official commemorations and scattered anti-Japanese protests.

The police agency said several government websites were temporarily disrupted over the weekend, without linking the outages to the messages.

Chief Cabinet Secretary Osamu Fujimura said the series of computer problems underscored the need for the government to “further strengthen its information security measures.”

Source: The Associated Press
19 Sep 2011
Sony hires former Homeland Security officer in wake of data breach

Sony Corp has hired a former official from the US Department of Homeland Security as their chief information security officer. The move comes after Sony was the target of a devastating cyber attack earlier this year that subsequently caused shares in the company to fall 55 percent, according to Reuters.

Philip Reitinger is the former head of the US National Cyber Security Center for the Department of Homeland Security and will now be in charge of keeping Sony’s network, and more importantly, user's personal data safe from further attacks. A Sony spokesperson said that the network issue was a catalyst for the appointment and that the company is looking to bolster security even further.

In early April, the hacker group Anonymous executed a distributed denial of service (DDoS) attack against the Sony PlayStation website. Later that month, between April 17 and 19, the PlayStation Network was hacked and certain PSN and Qriocity account details were compromised. Sony pulled the plug on those networks and hired an external security firm to perform a complete investigation.

The outage lasted for roughly three weeks and cost Sony nearly $175 million. Over 100 million accounts are thought to have been compromised in the attacks. In response to angry customers, Sony offered all affected users two free PS3 or PSP games of their choice as well as a selection of free movie rentals for one weekend and a free month’s subscription to Playstation Plus for non-subscribers (or an extension of 60 days for existing members).

16 Sep 2011
Rogue traders will always pose risk to compliance controls, says industry

The $2 billion rogue trading incident at UBS demonstrates that determined individuals will always be able to circumvent internal systems and controls despite the recent regulatory scrutiny on this area, industry officials said. The case also highlighted the need for banks to think about their reward structures, they added.

UBS yesterday confirmed that 31-year-old London-based trader Kweku Adoboli had lost the bank around $2 billion in unauthorised deals. The director of exchange-traded funds (ETFs) and “Delta 1” was arrested on suspicion of fraud at his desk by City of London Police at 3:30am.

Brian McDonnell, a partner at Olswang, said that the Financial Services Authority (FSA) would undoubtedly turn to possible systems and controls issues at the Swiss bank and said that there had been plenty of recent regulatory activity in this area. He pointed out that even the most diligent of firms could be at risk from a lone rogue individual.

He told Thomson Reuters: “If the controls are in place and the person is being properly managed and supervised then a firm has done all it can be expected to do. Even the best-managed firm which has adhered to the FSA’s recommendations on systems and controls is still going to be potentially susceptible to determined rogue elements. Unless you completely hamstring a trader, they will operate with some discretion and, of course, that trust can be abused.”

Other City sources were less charitable and pointed out that the rogue trading could have been aided by weaknesses in the bank’s systems.

Lisa Osofsky, a regulatory adviser at risk consultancy Control Risks, said that “compliance cultures” were often missing on trading floors, especially with the huge incentives on offer for star performers. Osofsky, a former money laundering reporting officer at Goldman Sachs, said that there needed to be a “corporate will” to manage risky high performers. “This doesn’t happen overnight. So who was asleep at the switch or more likely who was patting him on the back?” she asked.

QUESTIONS ABOUT MANAGEMENT SUPERVISION

One senior City professional cautioned: “There is little fact around at the moment, but lots of conjecture.

“Still, the numbers are high and there will be major question marks over the lack of control and management supervision in the equities division at UBS,” he said.

The fact that the rogue trading was likely to push UBS into another quarterly loss when the bank was trying to get its head back above water would simply make it worse for an already troubled institution, he added.

Simon Morris, a partner at law firm CMS Cameron McKenna, dispelled the notion that rogue traders worked alone. “No rogue trader works in a vacuum, and UBS’s management must have taken its eye off the ball to allow a trader to operate on this scale without sufficient supervision and without the systems to monitor his trades. They, and the shareholders, must now pay the bill for this laxness.”

Osofsky said the case demonstrated that banks needed to vet the individuals they took on in high-risk positions very carefully. She said that banks could sometimes be short-sighted about those they hired and told Thomson Reuters: “As a firm you are only as good as the people you hire so you need to ensure people are properly vetted before they are entrusted with client money.”

McDonnell expressed surprise that the trader had apparently managed to rack up such losses with ETFs. He said that the funds were not regarded as the highest risk and were seen as fairly “vanilla”. “It goes to show that maybe ETFs have become slightly higher-risk investments themselves,” he said.

Osofsky questioned what lessons had been learnt from previous rogue trading cases and pointed out that compliance officers were often not taken as seriously as they should be in large banks. She suggested that a change of approach might be needed. “You need to talk about changing behaviour, not only to reward money making but also to reward good compliance measures and people who abide by them,” she said.

One industry official said that the case highlighted that banks needed preventative as well as detective controls and also showed the need for desk/trader oversight and limit monitoring. She said that the timing was especially unfortunate following the publication earlier this week of ring-fence recommendations by the Independent Commission on Banking (ICB), chaired by Sir John Vickers. There was also an issue about whether the trader’s conduct was deliberate, a mistake or market abuse.

The scandal is a blow to Maureen Miskovic, who took over as chief risk officer at UBS at the start of the year. She arrived from State Street, the U.S.-based financial services group, with a strong reputation and has shaken up risk management at the bank, according to one industry source.

Source: http://www.reuters.com/
02 Sep 2011
ICO slams Scottish Children’s Reporter Administration for data breaches

The Information Commissioner's Office (ICO) found the Scottish Children's Reporter Administration (SCRA) in breach of the Data Protection Act for both incidents.

In September 2010, nine case files containing names, dates of birth, social reports and referral decisions of children were sold to a second-hand furniture shop.

Just four months later, legal papers containing sensitive information about a child's court hearing were sent to the wrong e-mail address.

Both breaches resulted from the SCRA's failure to ensure its data protection and IT security guidance were followed by staff, the ICO said.

On both occasions the personal data which was compromised related to young children. The data breaches were caused by human error by SCRA staff that could easily have been avoided, said Ken Macdonald, ICO assistant commissioner for Scotland.
 
But in both cases the information was not circulated widely and the SCRA has since taken action to ensure the personal information it handles is kept secure, said Ken Macdonald.

"I would urge other organisations, particularly those handling sensitive information relating to young people, to follow suit," Macdonald said.

The ICO is working with the SCRA to raise its staff's awareness of its data protection obligations.

Neil Hunter, chief executive of the SCRA has signed an undertaking to ensure staff are made aware of the organisation's policies around the storage and use of personal data, and that sufficient checks are put in place to ensure the policy is followed in accordance with the Data Protection Act.

01 Sep 2011
Notable Data Breaches of 2011

Enterprise data systems are proving to be porous, as a number of breaches over the past few months have affected not only large banks, but major organizations outside of financial services as well.

An August breach at Citigroup's Japanese card unit was followed by another one in the same month, which was caused by leaks at retailers that the bank did not identify. Bank of America, which was affected by the same breach, responded by issuing new debit cards.

To a certain extent, Citi lucked out in Japan, since the compromised data included names, addresses, birth dates and gender. That's certainly not information a bank wants in the hands of crooks, but they can do much more damage with personal identification numbers and card security codes, which the bank was able to protect from the hackers in Japan.

In another breach at Citi, in May, more than 360,000 accounts were affected and almost 220,000 cards were replaced. As with the Japan breach, hackers were able to access names of consumers and other contact information, but they did not obtain card security codes, which are usually necessary to commit card fraud.

Citigroup, of course, isn't alone. A former Bank of America employee was arrested in California and charged with selling customer data the employee allegedly stole in May, including driver's licenses, Social Security numbers, PINs and maiden names. One victim told the Los Angeles Times that crooks had used information to order new checks and execute money transfers.

At the online marketing company Epsilon, a subsidiary of Alliance Data Systems, someone hacked into the files of clients including Capital One Financial, JPMorgan Chase and the supermarket chain Kroger. Another retailer, Michaels Stores, suffered a data leak after PIN-pad tampering allowed hackers to gain access to personal ID numbers, impacting dozens of stores across the country.

Credit unions have also been struck. In June, dozens of credit unions replaced debit cards after holders reported fraudulent use, including Century FCU, First Class CU, Firefighters CU, and PSE CU, as well as banks such as KeyBank and First Merit. In this case, stolen card information was used to create fake debit cards.

Sony's PlayStation Network temporarily shut down after a breach affected as many as 77 million users, and even the U.S. Senate was targeted by hackers after a breach this spring.

Beyond the stresses on IT and business units, the breaches have also led to political pressure, as a couple of bills that failed to become law in the past have resurfaced in the current Congress for consideration. Sen. Patrick Leahy, D-Vt., and Rep. Mary Bono Mack, R-Calif., have pushed legislation that would require timely disclosure of breaches (Citi was criticized for a gap of several weeks in its public announcement of the May breach) as well as disclosures about how inaccuracies in enterprise databases are corrected.

While there are many software products and strategies in play to combat breaches, security experts generally agree that beyond making security a centralized focus that stretches across the entire enterprise, there is no single best practice or technology that can protect an institution; a mix of strategies is required.

"No one possesses that one silver bullet that will make us more secure. Data breach prevention is an ecosystem with lots of players," says Murray Walton, chief risk officer at Fiserv. "Understanding the problem is a full-time job."

22 Aug 2011
Lush avoids ICO fine after website data breach

Cosmetics retailer Lush breached the Data Protection Act after the security of its website was compromised for a four month period, the Information Commissioner’s Office (ICO) said today. The breach, which occurred between October 2010 and January 2011, meant that hackers were able to access the payment details of 5,000 customers who had previously shopped on the company’s website. 

As a result of the breach, the ICO has required Lush to sign an undertaking to ensure that future customer credit card data will be processed in accordance with the Payment Card Industry Data Security Standard. The ICO is taking this opportunity to warn online retailers that if they do not adopt this standard, or provide equivalent protection when processing customers’ credit card details, they risk enforcement action from the ICO. 

Lush discovered the security lapse in January 2011 after receiving complaints from 95 customers who had been the victim of card fraud. After making enquiries, Lush found out that their website had been subject to a hacking incident which had allowed hackers to access their customers’ payment details. On uncovering the incident, the security of Lush’s website was immediately restored. 

The ICO’s investigation found that, although the company had measures in place to keep customers’ payment details secure, they were not sufficient to prevent a determined attack on their website. The retailer’s methods of recording suspicious activity on their website were also insufficient, which delayed the time it took them to identify the security breach. 
 
Acting Head of Enforcement, Sally Anne Poole said:

“With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals.

“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back. This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times.”

Mark Constantine, Managing Director of Lush Cosmetics Ltd, has signed an undertaking committing the retailer to taking necessary steps, including that the company only stores the minimum amount of payment data necessary to receive payments, and that this information will not be kept for longer than is necessary. All future payments will also be managed by an external provider compliant with the Payment Card Industry Data Security Standard and the retailer will also make sure that appropriate technical and organisational measures are employed and maintained.

Source: The Information Commissioner’s Office (ICO)
19 Aug 2011
Report contends that recent high-level breaches could have been avoided and suggests tokenization as an effective line of defense

In an analysis of recent data breaches at Epsilon, Sony and Citigroup, Protegrity observed that cyber-criminals have shifted their focus from targeting financial information to stealing personally identifiable information, the company said in its report released Aug. 17.

The personal information includes names, email addresses, home addresses, health data, passwords and even sensitive corporate information.

Entitled "It's Not Just About Credit Card Numbers Anymore," the Protegrity report took a detailed look at the data breaches and concluded that personal information was "highly valuable" to cyber-criminals but "vastly underprotected." The shift in targeted data is also a reflection of the improved security measures in place to protect financial information, Protegrity said. The report also found "clear evidence" that the same level of attention towards protecting the personal information of employees and customers is not present in organizations.

“Data breaches are spiraling out of control, and companies such as Sony, Citi and Epsilon are finding out just how expensive it is not to protect customer data properly,” said Suni Munshani, CEO of Protegrity and author of the report.

Protegrity looked at the malicious attacks to "dissect" each breach to determine how they occurred, how they could have been prevented and what victimized organizations should do next, Munshani said. Approximately 92 percent of all data breaches in 2010 were "relatively unsophisticated" external attacks, and nearly all of them could have been prevented or mitigated relatively easily, according to Verizon's 2011 Data Breach Investigations Report.

"That is a stunning indictment of the data protection methods used by corporations today, even in the face of strict regulatory requirements," Munshani said.

While Epsilon has not revealed details of how the breach occurred, the Protegrity report quoted Jonathan Zittrain, a professor of law at Harvard Law School and co-founder of the Berkman Center for Internet & Society, who said implementing "the right security controls" such as a password, could have prevented the theft.

Epsilon has improved its cloud security, implemented stringent access control rules through two-factor authentication and worked with Internet service providers to “build an unprecedented anti-phishing" tool, Munshani wrote in the report.

Sony had deployed a robust perimeter prior to the breach, but neglected to secure the data in case malicious attackers managed to get a foothold into the network and become trusted insiders, according to Protegrity. The entertainment giant also did not receive an alert about the breach because it wasn't running a full forensic audit system, but discovered it as part of a routine security scan, Munshani said. Citigroup likely was a victim of phishing or some other social engineering attack.

Organizations should treat personal information as carefully as they treat financial data, and keep a careful eye on where the data is going at all times, Protegrity said.

“Data security solutions like tokenization and consistent security policies would have prevented all of the three data breaches mentioned in the report and saved those companies tens of millions of dollars in damages and litigation.” Munshani said.

The PCI Security Standards Council supports using tokenization to secure data for the payments industry. The council released its Tokenization Guidelines Supplement on Aug. 12 to outline what merchants can do to protect their data to meet PCI compliance rules, Ulf Mattson, CTO of Protegrity told eWEEK. Storing tokens can help reduce the amount of cardholder data in the environment, which would reduce the effort required to implement PCI DSS requirements, Mattson said.

Under the rules published in the supplement, merchants considering tokenization should perform a thorough evaluation and risk analysis to identify the unique characteristics of their particular implementation, Mattson said. 
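The two articles above describe tokenization as a way to shrink the cardholder data environment: the merchant keeps only a surrogate token, the real PAN lives in a separate vault, and a token that is never a valid card number cannot be mistaken for one or spent. The following is an added example written for this page, not Protegrity's product or code from the PCI SSC supplement. It assumes a single in-process vault and shows the vault's PAN storage as a plain dictionary; in a real deployment the vault would encrypt PANs at rest and sit behind authenticated access. The `looks_like_pan` scan is the kind of check a QSA or DLP tool runs to confirm that no PAN remains in the merchant's own records.

```python
"""Vault-based tokenization of primary account numbers (PANs).

Added example, not from the original article or any vendor's code.
Assumptions: one vault service, PAN-at-rest protection inside the vault is
out of scope (shown as a plain dict), and the merchant keeps only tokens.
"""
import re
import secrets
from typing import Dict, List


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """Scope-scan heuristic: 13 to 19 digits that pass Luhn."""
    return bool(re.fullmatch(r"\d{13,19}", value)) and luhn_valid(value)


class TokenVault:
    """Maps PAN <-> token. Only this component ever sees a PAN."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    @staticmethod
    def _make_token(pan: str) -> str:
        # Keep the last four digits for receipts and customer service,
        # randomise the rest with a CSPRNG (no key, no reversible maths).
        body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
        token = body + pan[-4:]
        # Force the token to FAIL Luhn so it can never be mistaken for, or
        # submitted as, a real card number. Changing one digit by +1 mod 10
        # always changes the Luhn sum mod 10, so a single bump suffices.
        if luhn_valid(token):
            token = str((int(token[0]) + 1) % 10) + token[1:]
        return token

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, issuing a new one on first sight."""
        if not looks_like_pan(pan):
            raise ValueError("input does not look like a PAN")
        existing = self._token_by_pan.get(pan)
        if existing is not None:
            return existing      # same card -> same token (repeat customers)
        token = self._make_token(pan)
        while token in self._pan_by_token:   # extremely unlikely collision
            token = self._make_token(pan)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Privileged call, e.g. by the payment processor integration only."""
        return self._pan_by_token[token]


def store_order(orders: Dict[str, Dict[str, str]], order_id: str,
                pan: str, vault: TokenVault) -> None:
    """Merchant-side record: token and last four only, never the PAN."""
    orders[order_id] = {"token": vault.tokenize(pan), "last4": pan[-4:]}


def scope_scan(records: List[Dict[str, str]]) -> int:
    """Count field values that look like PANs; should be 0 outside the vault."""
    return sum(1 for rec in records for v in rec.values() if looks_like_pan(v))


if __name__ == "__main__":
    vault = TokenVault()
    orders: Dict[str, Dict[str, str]] = {}
    store_order(orders, "A1", "4111111111111111", vault)   # standard test PAN
    print(orders["A1"], "PANs in merchant records:", scope_scan(list(orders.values())))
```

Because the token is random rather than derived from the PAN, an attacker who dumps the order table learns nothing that the vault has not separately leaked, which is the property that lets the token-holding systems drop out of the full PCI DSS scope.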

15 Aug 2011
Thousands of pupils’ personal data at risk in website hack

The Information Commissioner’s Office (ICO) has found a school in Hampshire in breach of the Data Protection Act (DPA) after the personal details of nearly 20,000 people were put at risk when the school’s website was hacked.

According to an undertaking signed by Bay House School, computer hackers, including at least one of its own pupils, accessed the school’s internal information management system via an attack on the school’s remotely-hosted website.

In March, hackers gained access to the system after discovering that a member of staff used the same password to log into the school’s web and management systems. Despite Bay House School having a policy in place to prohibit the use of duplicate passwords, the school did not have checks in place to ensure the policy was adhered to.
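The failure described above is not the policy but the absence of a check enforcing it. One way to enforce a no-duplicate-passwords rule between two systems, added here as an example and not taken from the ICO undertaking or the school's own systems, is to verify a candidate password against the same user's stored hash on the other system at password-change time and reject it on a match; no plaintext ever has to be shared between the systems, only a verify call. The code assumes both systems store salted PBKDF2-HMAC-SHA256 hashes and use the same usernames; a real deployment would call each system's own verifier (bcrypt, a directory bind, etc.). The second function shows the attacker's side of the same fact: given one plaintext captured from the weaker system, which accounts on the stronger system does it open.

```python
"""Cross-system duplicate-password check (added example, not the school's code).

Assumptions: both systems hold salted PBKDF2-HMAC-SHA256 hashes and share
usernames. The iteration count is a placeholder, tune it per deployment.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Tuple

ITERATIONS = 100_000  # assumption: illustrative work factor


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte random salt when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


class CredentialStore:
    """Minimal per-system credential store: username -> (salt, digest)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}

    def set_password(self, user: str, password: str) -> None:
        self._creds[user] = hash_password(password)

    def verify(self, user: str, password: str) -> bool:
        rec = self._creds.get(user)
        return rec is not None and verify_password(password, *rec)


class ReuseRejected(ValueError):
    """Raised when a new password already unlocks the user elsewhere."""


def set_password_with_policy(target: CredentialStore,
                             others: Iterable[CredentialStore],
                             user: str, new_password: str) -> None:
    """Password-change hook: enforce the policy instead of merely stating it.

    Each other system is asked only 'does this password verify for this
    user?', so the check works with the hashes those systems already hold.
    """
    for other in others:
        if other.verify(user, new_password):
            raise ReuseRejected(f"{user}: password already in use on {other.name}")
    target.set_password(user, new_password)


def credential_reuse_exposure(leaked: Dict[str, str],
                              targets: Iterable[CredentialStore]) -> List[Tuple[str, str]]:
    """Audit view of the attack: which (user, system) pairs does a leak open?"""
    hits: List[Tuple[str, str]] = []
    for user, password in leaked.items():
        for t in targets:
            if t.verify(user, password):
                hits.append((user, t.name))
    return hits


if __name__ == "__main__":
    mis = CredentialStore("MIS")          # pupil records system
    web = CredentialStore("website")      # remotely hosted public site
    mis.set_password("staff1", "Spring2011!")          # constructed sample
    try:
        set_password_with_policy(web, [mis], "staff1", "Spring2011!")
    except ReuseRejected as exc:
        print("rejected:", exc)
    set_password_with_policy(web, [mis], "staff1", "a-different-passphrase")
    print(credential_reuse_exposure({"staff1": "Spring2011!"}, [mis, web]))
```

The check runs at the moment a password is chosen, which is the only point where the plaintext is legitimately available; it cannot be done afterwards by comparing stored hashes, because independent salts make equal passwords hash to different values.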

As a result, the personal details of 20,000 individuals, including teachers, parents and around 7,600 pupils risked being exposed online. The data included names, addresses, photographs and some sensitive medical history information.

The problem was identified shortly after the hack occurred and the security of the website was immediately restored.

The school will now ensure that reasonable measures are taken to encrypt and separate sensitive and confidential information held on the school’s management system. It will also remind staff of the duplicate passwords policy, and at least annually carry out penetration testing on the school’s IT systems to ensure the personal information held remains secure.

“While it can be difficult to remember lots of different passwords, it is vitally important that individuals do not use the same password to log in to data systems that are supposed to be kept secure. This is particularly important when the systems allow access to sensitive information relating to young adults,” said Sally Anne Poole, acting head of enforcement at the ICO.

09 Aug 2011
Citigroup Reports Another Card Breach

Citigroup’s Japan credit card unit reported that personal information for about 92,400 customers was stolen

Eight weeks after a hacker cracked Citigroup’s credit card database, the company’s credit card unit in Japan, Citi Card, reported in a message to its user base on 5 August that “certain personal information of about 92,400 customers has allegedly been obtained and sold to a third party illegally”.
This breach, however, apparently did not involve online hacking. Citigroup told police that a person involved in a company to which Citi Cards outsourced part of its business had illicitly obtained the information and sold it to a third party.

No unauthorised use

Information made vulnerable includes account numbers, names, addresses, phone numbers, dates of birth, gender and the date the account was opened. Citi revealed that personal identification numbers and security codes (CVV, or Card Verification Value, data) were not compromised.

Despite the data theft, no unauthorised use of the cards had been reported by the end of business on 5 August, the Kyodo News reported.

On 15 June, Citigroup reported in a letter to customers that 360,083 credit card accounts were accessed as a result of an online data breach. Citigroup originally reported June 9 that “roughly 1 percent” of its 21 million credit card accounts had been accessed by hackers, or about 210,000 accounts.
As a result of that attack, Citi disclosed that hackers stole $2.7 million (£1.6m) from about 3,400 customers in North America in May following a major data breach. Citi was criticised for not reporting the breach sooner.

08 Aug 2011
NHS pulls the plug on its £11bn IT system

After nine years and with billions already spent, doomed computer system is abandoned

A plan to create the world's largest single civilian computer system linking all parts of the National Health Service is to be abandoned by the Government after running up billions of pounds in bills. Ministers are expected to announce next month that they are scrapping a central part of the much-delayed and hugely controversial 10-year National Programme for IT.

Instead, local health trusts and hospitals will be allowed to develop or buy individual computer systems to suit their needs – with a much smaller central server capable of "interrogating" them to provide centralised information on patient care. News of the Government's plans comes as a damning report from a cross-party committee of MPs concludes that the £11.4bn programme had proved "beyond the capacity of the Department of Health to deliver".

The Commons Public Accounts Committee (PAC) said that, while the intention of creating a centralised database of electronic patient records was a "worthwhile aim", a huge amount of money had been wasted.

"The department has been unable to demonstrate what benefits have been delivered from the £2.7bn spent on the project so far," Margaret Hodge, chair of the PAC, said. "It should now urgently review whether it is worth continuing with the remaining elements of the care-records system. The £4.3bn which the department expects to spend might be better used to buy systems that are proven to work, that are good value for money and which deliver demonstrable benefits to the NHS." A further £4.4bn was expected to be spent on other areas of the vast IT project.

The nine-year-old NHS computer project – the biggest civilian IT scheme ever attempted – has been in disarray since it missed its first deadlines in 2007. The project has been beset by changing specifications, technical challenges and clashes with suppliers, which has left it years behind schedule and way over cost.

Accenture, the largest contractor involved, walked out on contracts worth £2bn in 2006, writing off hundreds of millions of pounds in the process. Months earlier, the US supplier IDX, contracted to provide software in and around London, had also withdrawn from the project, making a $450m (£275m) provision against future losses from the two contracts.

The PAC said part of the problem had been weak leadership in the department. "The department could have avoided some of the pitfalls and waste if they had consulted at the start of the process with health professionals," it said.

"We are concerned that, given his significant other responsibilities, [NHS chief executive] David Nicholson has not fully discharged his responsibilities as the senior responsible owner for this project. This has resulted in poor accountability for project performance."

The report also criticises the contracts between the department and suppliers – so far, £1.8bn has been paid.

"One supplier, Computer Sciences Corporation (CSC), has yet to deliver the bulk of the systems it is contracted to supply and has instead implemented a large number of interim systems as a stopgap," it said.

The department told MPs it may be more expensive to terminate the contract than see it through, while another provider, BT, "has also proved unable to deliver against its original contract".

The Independent understands that next month the Government will set out a new strategy for IT in the NHS which will abandon any attempt to link up the NHS in a central system while trying to integrate those parts that have already been delivered.

The Government is involved in negotiations with contractors of the original scheme to claw back as much money from the contracts as possible – while not laying itself open to costly legal challenges. "We want to give control over decisions about new systems to the local NHS, rather than forcing a one-size-fits-all solution," a government source said.

"This allows trusts to retain the systems they want to suit their local needs, while taking advantage of elements of the new system. It means change can happen without ripping out entire existing systems, making that change more manageable, and, given the fast pace of technological change, greater ability to exploit the new innovations.

"We are working with the Cabinet Office right now to ensure we secure maximum value for the taxpayer on all contracts."

Responding to the PAC report, a department spokesman said: "The Government recognises the weaknesses of a top-down, centrally imposed IT system. Although elements of the programme have been delivered successfully, the policy approach previously taken has failed to engage the NHS sufficiently.

"We have already taken action to improve value for money in the NHS IT programme. We have reduced spending on the NHS IT programme by £1.3bn. We are engaging with the NHS to ensure it delivers even greater benefits for patients. We are determined to deliver even more value for money from the programme."

IT disasters...

E-Borders (Cancelled June 2011):

The scheme was originally created to check passenger details against UK police and immigration watch lists. The Government tore up supplier Raytheon's £742m contract on the e-Borders immigration programme in July last year, after delays led the Home Office committee to say it had "no confidence" in the company.

Department: Home Office

Cost: £118m

ID Cards (Cancelled in January 2011):

Ministers claimed ID cards would help in the fight against illegal immigration and terrorism by storing details of all UK citizens on a centralised database. The scheme proved unpopular and was scrapped in January this year.

Department: Home Office

Cost: £257m (Source: Home Office)

Electoral register database (Cancelled in July 2011):

Plans to create an expensive database of electors were abandoned by the Government last month. The Co-ordinated Online Record of Electors (Core) was legislated for in 2006 and intended to make it easier for political parties to verify the legitimacy of their donors.

Department: Ministry of Justice

Cost: The database, which would have been administered by a new independent public body, would have cost an estimated £11.4m.

Firecontrol (Cancelled in December 2010):

Firecontrol aimed to replace 46 fire control centres in England with nine regional sites. The project was scrapped in December 2010 after suffering a series of delays, increased costs and an inadequate IT contract, according to a select committee report.

Department: Communities and Local Government

Cost: £469m (Source: National Audit Office)

Scope 2 (Cancelled July 2009):

The project was designed to allow the secure sharing of sensitive intelligence data between relevant departments in government and officials abroad. It was cancelled after reports of technological problems and escalating costs.

Department: Cabinet Office

Cost: £24.4m (Source: Cabinet Office)

Story of a sick system

October 2002 The Department for Health launches the NHS National Programme for IT, in a bid to create an electronic care record for patients in England and connect 30,000 general practitioners to 300 hospitals.

2006 Accenture, the largest contractor, walks out on contracts worth £2bn, writing off hundreds of millions of pounds in the process. Months earlier, the US software supplier, IDX, also quit the project.

2007 The Government misses its first deadlines as a report by the King's Fund criticises the Government's "apparent reluctance to audit and evaluate the programme".

2008 A report to the Enfield Primary Care Trust reveals that difficulties with the system the previous year saw 63 patients of the Barnet and Chase Farm Hospitals NHS trust have their operations delayed because of missing data. The trust had previously found that the system failed to flag up possible child-abuse victims.

2009 An earlier Public Accounts Committee report notes that the project has provided "little clinical functionality... to date".


03 Aug 2011
News International Warns Sun Website Users Of Breach

News International has sent emails to thousands of people who earlier visited the website of its newspaper The Sun, about a data breach which led to the leak of their personal information.

According to the International Business Times, News International sent out a large number of emails to warn people who participated in opinion polls and games on the website, that their personal information consisting of names, addresses, dates of birth, email addresses and phone numbers has been copied from the website and leaked on public forums.

Chris Duncan, the director of the Customer Data division at News International has revealed that the data was compromised on the day the Sun’s website was hacked, July 19th, when a fake article about the death of media mogul, Rupert Murdoch, was published. Duncan also added that none of their transaction details had been affected.

The man believed to be responsible for the attack, going by the codename Batteye, has denied any connection with the hacktivist groups Anonymous and LulzSec. Batteye has taken credit for the data breach and posted a message on Pastebin.

The message reads, “Mankind makes mistakes. Mankind is all the better for them. Mankind learns from them. Some people, however, do not learn. Until these people are pruned by natural selection, incarceration, or otherwise, then mankind will not develop.”

02 Aug 2011
Cybercrime Fight Costing Companies More This Year

Cybercrime cost corporations 56 percent more this year than last, according to an annual study from the Ponemon Institute 

"Cybercrimes can do serious harm to an organization's bottom line," said the study, which found that the median cost of cybercrime for the 50 companies in the survey was $5.9 million.

Larry Ponemon, founder and chairman of the Traverse, Mich., company that bears his name, told PCWorld there have been several root causes for the bump up in the cost of cybercrime. "Sophisticated stealthy types of cyber crime are happening more frequently," he said.

When the study was done last year, he explained, more visible forms of cybercrime dominated the mix - viruses, worms, Trojans, malware and botnets. "Now we're seeing more insidious kinds of attacks like malicious code, denial of service, stolen devices, Web-based attacks and malicious insiders," he observed.

"Those are more costly to deal with," because it takes more time to clean them up, he said. Last year, when more conventional cybercrime tools dominated the landscape, it took an average of 14 days and $247,744 to clean up an attack. This year, with a jump in stealthy tactics, that average increased to 18 days, and the cost climbed to $417,748.

Stealth attacks are more difficult to clean up because they "move in quietly to position the attacker lower in the infrastructure and to be able to go after information in a longer term, strategic way," according to ArcSight Public Sector CTO Prescott Winter.

"They're more ingenious in how they launch the attack, which makes them harder to find once they launch it," Winter said.

It's also getting more difficult to defend against intruders, Ponemon noted. "Some of these intruders throw a one-two punch," he said. At the front door, there's a denial of service attack that consumes a defender's resources, he explained, but at the same time other attacks are launched on the defender's position - an insider threat, for instance, and proliferating botnet software.

"When you're getting attacked from two fronts, it's just harder to defend yourself," he said.

That's especially true for organizations who believe strong perimeter defenses alone will protect them, Winter contended. "There's no such thing as a bulletproof perimeter anymore," he said.

"It's absolutely guaranteed these days that the attacker will get in," he maintained. "So the strategy has to change from watching the outside wall to trying to figure out what's happening inside the network."

The study also discovered:

The cost to smaller organizations of a cybercrime incident is higher on a per capita basis than to larger organizations.

The number of attacks on the companies in the survey increased over last year by 44 percent, to 72 successful attacks per week.

Forty percent of the external costs to an organization for cybercrime were attributed to data theft, a 2 percent dip from 2010, and 28 percent to business disruption and lost productivity, a 6 percent increase from last year.

The biggest internal costs attributed to cybercrime were tagged to detection and recovery (45 percent).

The cost of cybercrime can be moderated by the use of security information and event management systems. The outlay for dealing with a cybercrime incident for firms with those systems was 24 percent lower than for those without the systems, the study noted.

01 Aug 2011
Security Survey Reveals Data Theft Surge Despite Increased IT Security Budgets


NetIQ Corporation today announced the results of an IT security survey commissioned through Harris Interactive, revealing the current effectiveness of data protection efforts. While more than one-half of IT budgets are allocated towards security, 70 percent of respondents have been impacted by security breaches and still struggle to mitigate attacks due to limited time and resources. Fifty-five percent of respondents also admit they lack the ability to manage security in virtualised and cloud environments and are least confident in their ability to successfully monitor and secure consumer devices, such as smart phones and tablets.

Net