September 21, 2007 | Comments: (0)
The state of Califor-notification
If it weren't for California 1386 and ChoicePoint, would we all be talking so much about data breaches these days? Maybe, but maybe not.
I'll never forget writing that first ChoicePoint breach story back in mid-Feb. 2005. It was one of those news items that really made you scratch your head and question how much such an event could potentially impact your own life.
I remember wondering how long this type of thing had been going on, how few were actually being reported, and how long it would be until someone subverted my identity.
A hop, skip, VA vet debacle and TJX Companies later, the consumer data-handling topic couldn't seem more relevant.
As we sit here reading, tomorrow marks the deadline for the White House's mandate for federal agencies to clean up their own data processing and retention activities. Progress is arguably being made.
But if it weren't for 1386 -- which was first introduced by California State Senator Steve Peace in 2002 -- we might not even be focused on the problem.
(If you believe Wikipedia, it's interesting to note that Peace maintained a career writing, producing and acting in the "Attack of the Killer Tomatoes" movie series, among others, before jumping into politics. I think we all dream of making such landmark civic and cultural contributions to society, don't we? I do!)
Anyway, California lawmakers are back at it, trying to lead the way. With some 38 U.S. states having followed suit and passed their own breach notification laws, now the Golden State gang has a new bill you might want to consider.
Earlier this month, California bill AB 779 was passed near-unanimously in both the State Senate and State Assembly, and it now sits on the Governator's desk, awaiting the prodigious force of his personal stamp of approval.
(779 was authored by Calif. Assemblyman Dave Jones. Considering Peace's former employment, you have to wonder: it couldn't be that Davy Jones, right? Though he's from Sacramento, not Clarksville, apparently.)
At the center of the bill is a requirement that would force retailers like TJX Companies to reimburse banks and credit unions for any expenses those firms are forced to endure as a result of a data breach -- namely for re-issuing credit and debit cards to those customers whose accounts have been exposed. Sounds fair enough, and other states are again expected to follow suit.
Industry watchers of all sorts are taking interest in this one, as, if the law spreads a la 1386, it could truly force retailers to improve their operations. Consider, after all, that TJX reported increased in-store sales after its breach, despite all the media hoopla. (Although some believe the firm will cough up roughly $1 billion in penalties once all its class-action suits, etc. are resolved.)
Javelin Strategy Analyst Rachael Kim notes that 779-type laws could help advance the PCI DSS regulation, which is also aimed at helping card issuers force retailers to better protect account data.
"What I find particularly interesting is the fact that this particular bill actually codifies the PCI DSS, prohibiting retailers and other merchants from storing sensitive authentication data, in addition to requiring merchants to use strong encryption and access controls," Kim wrote in a recent blog post.
She continues:
"What I'd like to know is whether or not a PCI compliant merchant is provided with safe harbor -- meaning that if they are indeed compliant with the PCI standards but experience a security breach, they will not have to cover issuer costs of notifying customers and reissuing cards. This has not yet been clarified. In my opinion, a PCI-compliant merchant should not have to cover these costs, as they’ve been doing everything they can to protect customer data (after all, the PCI standards are data security 'best practices,' are they not?)."
It's certainly interesting food for thought.
In the end, it sounds like we have to thank our Californian neighbors for again leading the charge in this arena.
Meanwhile, I'm holding out for Hollywood to produce "Attack of the Killer Data Incident."
Posted by Matt Hines on September 21, 2007 12:29 PM
June 10, 2007 | Comments: (0)
Privacy group accuses Google of smear campaign
Google questioned integrity of recent privacy report by suggesting "conflict of interest regarding Microsoft," non-profit says
Just one day after slamming Google with the worst privacy ranking among top Internet companies, London-based Privacy International (PI) has publicly accused the search behemoth of attempting to undermine the non-profit's report, saying Google suggested to the media that PI has a "conflict of interest regarding Microsoft."
Meanwhile, Google has lashed back at PI's report, released Saturday, saying in a statement that the company "aggressively protects its users' privacy and stands behind its track record," according to reports.
"We are disappointed with Privacy International's report, which is based on numerous inaccuracies and misunderstandings about our services," said Nicole Wong, Google's deputy general counsel.
In "A Race to the Bottom: Privacy Ranking of Internet Service Companies," PI ranks the privacy practices of 23 of "the best and the worst performers both in Web 1.0 and Web 2.0 across the full spectrum of search, e-mail, e-commerce and social networking sites," including Amazon, Apple, Microsoft, Skype, Wikipedia, Yahoo, YouTube, and Google.
Overall, Google scored the absolute lowest, deemed "Hostile to Privacy" for its "track history of ignoring privacy concerns. Every corporate announcement involves some new practice involving surveillance."
Among the reasons for the low ranking, PI says that:
- Google account holders that regularly use even a few of Google's services must accept that the company retains a large quantity of information about that user, often for an unstated or indefinite length of time, without clear limitation on subsequent use or disclosure, and without an opportunity to delete or withdraw personal data even if the user wishes to terminate the service.
- Google maintains records of all search strings and the associated IP addresses and time stamps for at least 18 to 24 months and does not provide users with an expungement option.
- Google has access to additional personal information, including hobbies, employment, address, and phone number, contained within user profiles in Orkut.
- Google collects all search results entered through Google Toolbar and identifies all Google Toolbar users with a unique cookie that allows Google to track the user's web movement.
- Google fails to follow generally accepted privacy practices such as the OECD Privacy Guidelines and elements of EU data protection law.
- Google logs search queries in a manner that makes them personally identifiable but fails to provide users with the ability to edit or otherwise expunge records of their previous searches.
"Sour grapes?"
After releasing the report yesterday, PI today published on its Web site an open letter from PI director Simon Davies to Google CEO Eric Schmidt. In it, Davies accuses the company of calling into question the integrity of the group's findings, saying that Google "representative or representatives" contacted journalists about the study before it was released and "made particular reference to one member of our 70-member international Advisory Board. This man is a current employee of Microsoft."
While Davies doesn't deny that, indeed, one of PI's advisory board members is a Microsoft employee, he stresses that the member "joined our Advisory Board well before he was headhunted by Microsoft" and that "he is a decent, skilled and honorable man who upon his appointment with Microsoft offered us his resignation. We refused to accept it, and he continues to serve on the Board in a private capacity."
Further, Davies vehemently defends the group's independence and integrity, noting that it has campaigned against many companies over privacy, including Microsoft: "[We] publicly supported the EU Commission investigation into Microsoft, that we nominated Microsoft for the US Big Brother Award in 2003, that we awarded Microsoft the 'Worst Corporate Invader' award at the 1999 US Big Brother Awards, [and] that we publicly accused Microsoft of subverting its software security ... ."
PI points out that while Microsoft did earn a rating of "Serious Lapses" -- two ranks better than Google -- Windows Live Space was deemed a "Substantial Threat." Meanwhile, Google's Orkut was not tagged with the worst rating as Google was; rather, it also received "Substantial Threat" status.
"Can I be so bold as to suggest that your company's actions stem from sour grapes that you achieved the lowest ranking amongst the Internet giants?" Davies writes. "We have no specific axe to grind with Google. It is one of many companies demonstrating a poor privacy performance, and in assessing that performance we are acting solely with the intention of raising public awareness."
He goes on to write, "I believe an apology from you is in order, but if you cannot deliver this then I think you should reflect carefully on the actions of your representatives before embarking on what I believe amounts to a smear campaign."
Privacy International's report can be downloaded here [PDF].
Posted by Ted Samson on June 10, 2007 12:10 PM
April 26, 2007 | Comments: (0)
TJX slapped with class action suit by banks
At this point, you've heard about the massive data breach at Massachusetts-based TJX Companies. You know, the Largest Data Breach of All Time in which malicious hackers owned the company's payment system for around two years, repeatedly breaking in, planting malicious programs and ferrying off sensitive credit card and banking card data on tens of millions of TJX customers?
Yeah, that one.
Well, as it turns out, consumers weren't the only ones who got hit by TJX's cluelessness. Banks -- especially in states like Massachusetts -- were also hard hit. Why? Because under current federal law, it's banks, not merchants, that have to pay to make customers whole again: forgiving fraudulent purchases on credit and debit cards and, of course, cancelling compromised cards and bank accounts, then issuing new ones to their customers. Needless to say, that's an expensive process, especially when you've got to repeat it 45 million times, as banks across the country will have to do in the wake of TJX. No surprise, then, that banks aren't taking this sitting down.
TJX already faces lawsuits from individual banks in the wake of the compromise. But on Tuesday, the Massachusetts Bankers Association took it up a notch: filing a class action lawsuit against TJX in U.S. District Court in Boston that seeks to recover damages in the “tens of millions of dollars.” The MBA is being joined in the suit by the Connecticut Bankers Association (CBA), the Maine Association of Community Banks (MACB), and individual banks as co-plaintiffs, MBA said.
The three bankers associations represent nearly 300 banks and include a slew of smaller local outfits like Saugusbank, Eagle Bank, and Collinsville Savings Society in Collinsville, Connecticut. MBA said it expects many other banks to join as the suit progresses.
MBA claims that its members have faced "dramatic costs" in the wake of the massive hack and that the banking associations are filing the lawsuit to protect customer privacy and data security for customer accounts (awww...isn't that nice!). The truth has more to do with the bottom line: New England is a hotbed of TJX stores, and local banks there are among the hardest hit in the nation by the TJX slip-up, second, maybe, only to California. And, at $25 a pop to replace stolen cards, banks have been bleeding money to clean up after the breach, with reports of "hot" (or stolen) cards still rolling in, according to an MBA statement attributed to Daniel J. Forte, president and CEO of the MBA.
MBA also thinks it has a chance to win in court against TJX, even though similar suits against hacking victims like BJ's Wholesale failed. (BJ's eventually settled with the FTC over the incident.)
“There are significant differences between this case and prior data breach lawsuits such as the BJ’s cases in Pennsylvania,” Forte said. “We think we have an advantage trying the case here in Massachusetts; when the BJ’s cases were argued in Pennsylvania, the plaintiffs did not include an unfair trade practices statutory claim, and Massachusetts law allows these claims," he said.
Banks want to prove that TJX misrepresented its handling of sensitive financial information (saying it was secure, when it wasn't). The group also wants to raise the stakes of data breaches for merchants, which they argue are the source of most breaches, but bear few of the costs.
If nothing else, TJX has given fuel to debates about passing stronger electronic privacy laws. So far, most of the initiatives on such laws have been industry-based, such as the Payment Card Industry (PCI) security standards.
Posted by Paul Roberts on April 26, 2007 08:44 AM
March 27, 2007 | Comments: (0)
Beleaguered Governor leaks donor data
It hasn't been a fun two months for Massachusetts' new Governor, Deval Patrick. After running a stellar, grassroots campaign to defeat Republican Lt. Governor Kerry Healey and become the first African American governor of Massachusetts, Patrick -- a former Clinton Administration official and Coca-Cola executive -- has stumbled out of the gates BIG time with serial scandals over his decision to lease a pricey Cadillac as his official transportation instead of the standard Chrysler, to redecorate his office to the tune of more than $27,000 in taxpayer money (including $12,000 drapes), and to hire a $70,000-a-year personal secretary for the state's first lady -- itself a "first" in state history. So high were the hopes for Patrick, and so ham-fisted have been his moves since taking office, that he's become the subject of out-of-town coverage in the Washington Post and elsewhere. The controversy has even spawned a dedicated conservative blog, devalpatrickwatch.com, which provides blow-by-blow coverage of the new Governor's rude awakening to the realities of public life.
Sadly, Patrick is continuing to provide fodder for attacks. His latest bumble involves the release of personally identifiable information, including home addresses of supporters on a Web site, Devalpatrick.com, that he launched to try to "get his message out." But, in a classic case of the message biting the messenger, Patrick had no sooner posted the new site than he was hearing it from Secretary of State William Galvin over the publishing of donor data.
According to the Boston Globe, visitors to the site who entered another person's last name or phone number could see the home address of anyone with that name, including unlisted phone numbers.
"We go to great lengths to protect the confidentiality of voting lists from vendors and sales people, and we're concerned there is information out there that shouldn't be, for instance, police officers' residential addresses, deceased voters, apartment numbers of elderly voters," Galvin said in a Boston Globe article. Some of the names listed are individuals with restraining orders, Galvin noted.
As he was forced to do with the drapes, car and secretary, Patrick found himself on the defensive and had his campaign remove most address information from the site and explain his actions.
The Web site, which was created to rally supporters and prompt civic engagement, was another example of how loosely secured many Web sites are. Security experts at Symantec said, in their most recent Threat Report, that 66 percent of new security holes were in Web applications.
Posted by Paul Roberts on March 27, 2007 08:09 AM
March 15, 2007 | Comments: (0)
WellPoint's missing data shows up
Executives at WellPoint -- the nation's largest managed health care services provider -- are breathing a lot better today, and not just because they're keeping an eye on their diet and maintaining an optimal level of physical fitness.
Last week, the Indianapolis-based firm began the process of informing some 75,000 of its customers that it had lost a CD carrying unencrypted data, including their health records and other personal information. Now, however, the company says it has found the missing disc.
In a statement released late Wednesday, the firm's New York-based Empire Blue Cross Blue Shield insurance unit said the missing CD had been located. The disc had been shipped via UPS to business partner Magellan Behavioral Health Services by Health Data Management Solutions (HDMS), a third-party vendor to Magellan.
The company offered few details of the recovery other than to say that the CD had merely been misplaced in transit. Something tells me that WellPoint might swap overnight companies from Big Brown to FedEx, or fire some of its mailroom employees.
The incident highlights the challenges faced by corporations in meeting the increasingly strict terms of emerging data exposure reporting laws. As part of the statement on the misplaced -- and more importantly unencrypted -- CD the company couldn't help but give itself a little pat on the back saying that it "accelerated member notification as our members' security and trust are our highest priority."
Kudos to the firm for not actually losing the information, but it could have easily avoided the entire situation by somehow protecting the data. However, Empire Blue Cross said that it did have policies in place to prevent such incidents.
"The information was not transferred in accordance to our contractual terms with Magellan, who did not require HDMS to encrypt or password protect the data," the company said. "We are addressing these issues and we have made it clear to both HDMS and Magellan that their security practices with respect to the data transfer were unacceptable."
Magellan will now only transmit personal health information electronically over a secure network, eliminating CDs and the use of a delivery service, WellPoint said.
I'm betting that the employee who failed to follow said rules is somewhere considering their job options right now.
Posted by Matt Hines on March 15, 2007 05:39 PM
December 14, 2006 | Comments: (0)
Thief jets with Boeing staff data
In a scenario that's become all too familiar over the past couple of years, a Boeing employee had his unattended laptop swiped, and it contained the personal information of about 328,000 Boeing workers and retirees, according to reports.
The company was vague with the details, saying the theft occurred earlier this month but did not say where. The stolen system was reportedly password-protected, but the data was not encrypted.
While the lifted laptop did contain employee names, Social Security numbers, salary information, and other data that could be used for identity theft, it didn't store any proprietary customer or supplier data, a Boeing spokesman said.
The company will give affected employees free credit monitoring, a common gesture on the part of organizations that have let private data slip.
According to ConsumerAffairs.com, credit monitoring is of minimal value to individuals facing potential ID theft.
"Critics and consumers have noted that typical credit monitoring services are extremely limited, only covering fraud that results from usage of the credit card number. Stolen Social Security numbers can be reused to create new identities and open new accounts, which are not detected by fraud alerts."
"In fact, credit agencies will simply open a new sub-file for the new account, and not inform the original number owner. Victims of SSN-based identity theft often do not find out unless a debt charged by the new accountholder comes to them."
I continue to find it disturbing that large companies like Boeing (which has suffered two other leaks in the past 13 months or so), Chevron, and Wells Fargo -- which should have both strict security policies regarding the transport of private data and the financial means to invest in data-leak prevention and encryption technology -- continue to suffer embarrassing and costly leaks.
To its credit, Boeing says it is working to implement encryption technology, a project it began after a data theft incident last April. According to CNet.com, "Boeing decided to start a project that would automatically encrypt files as they are pulled off the server... . The first groups to test this technology will be those working with employee data, but the encryption procedures eventually will be implemented in other areas of the company that deal with sensitive data. "
Other companies need to follow suit. This time, it was employee data that was stolen, the impact of which is perhaps relatively minor on the company's bottom line. Next time, what if it is indeed proprietary company data, or customer details, that get leaked?
Or perhaps companies are more diligent about protecting the latter. Again, the cost of dealing with an employee-data leak isn't negligible, but it's not the same as leaking application code or top-secret plans -- at least not to a company. The employees who have to deal with cleaning up their credit reports may feel differently.
Maybe it will take successful legal action on the part of those employees to compel other companies to be more diligent. I'm no fan of frivolous, get-rich-quick lawsuits, but I don't think this fits in that category.
Posted by Ted Samson on December 14, 2006 11:42 AM
November 03, 2006 | Comments: (0)
Starbucks spills 60K personal files
Joining a growing list of companies and government departments, Starbucks today revealed that it has lost the private data files of some 60,000 current and former employees, according to reports.
The data, which include employees' names, addresses, and Social Security numbers, were on two of four laptops the company says it lost track of last September. The systems were discovered missing from a closet in the company's headquarters in Seattle.
"We have no reason to believe these laptops are in the hands of someone who wants to misuse them," said company spokeswoman Valerie O'Neil. "We just want to make every effort to protect our partners."
The company has alerted employees of the theft and potential risk of identity theft, and is offering free credit monitoring.
Stolen laptops seem to be a recurring theme in many of these data-leak incidents, and I can't help but wonder why so many companies keep such sensitive information -- unencrypted, no less -- on something as portable as a laptop.
Notably, Seagate recently announced a laptop drive with built-in encryption. Sounds like a step in the right direction.
Posted by Ted Samson on November 3, 2006 04:10 PM
October 20, 2006 | Comments: (0)
Fed gets D+ for weak data security
If the federal government was a college student, it would be on academic probation right now for a near-failing grade in Data Security 101.
In a report released last Friday, the Government Reform Committee slapped the feds with a pathetic D+ for their appalling track record in adequately protecting U.S. citizens' personal data since 2003.
All 19 federal departments have suffered at least one data breach since 2003, according to the committee's report, which goes into quite some detail about the number of data breaches suffered by each department, including specific dates and incidents. (You can download the report here.)
According to the report, the Dept. of Veterans Affairs reported the most "incidents involving the loss or compromise of any sensitive personal data." The report didn't offer a specific number, just "hundreds." Next was the Dept. of Treasury, with 340 incidents. Third was the Dept. of Commerce, with 297. The Dept. of Defense reported 43; the Dept. of Education, 41; and the Dept. of Health and Human Services, 24. The remaining departments each reported fewer than 10.
Perhaps even more troubling: It's possible that your information was swiped from a government database, and you don't even know it. According to the report, "agency responses to data losses appear to vary ... with some notifying all potentially affected individuals, and others not performing such notifications."
The thing is, they're not required to let you know if some malicious hacker makes off with your name, address, and Social Security number: "Despite the volume of sensitive information held by agencies, there is no requirement that the public be notified if their sensitive personal information is compromised," the report says.
Among the committee's overall findings:
- Agencies do not always know what has been lost. "In many cases, agencies do not know what information has been lost or how many individuals could be impacted by a particular data loss. Similarly, agencies do not appear to be tracking all possible losses of personal information, making it likely that their reports to the committee are incomplete."
- Physical security of data is essential. "Only a small number of the data breaches reported to the Committee were caused by hackers breaking into computer systems online. The vast majority of data losses arose from physical thefts of portable computers, drives, and disks, or unauthorized use of data by employees."
- Contractors are responsible for many of the reported breaches. "Federal agencies rely heavily on private sector contractors for information technology management services. Thus, many of the reported data breaches were the responsibility of contractors."
Conspicuously absent from the 15-page report, however: a single recommendation of how to deal with the problem. In other words, the committee does a great job describing just how hot the fire is in the burning house, what might have caused it, and how many residents are trapped inside. But apparently someone else will need to come up with ideas on how to put it out. Ah, government inaction.
Of course, data breaches don't just affect the government. Businesses -- and as a result, their customers and employees -- continue to fall victim to data theft. Yet aside from offering a year of free credit monitoring, companies appear to be moving at a glacial pace to address the problem.
Trouble is, until we see some compliance legislation forcing companies to better protect users' private data, there's no real incentive for them to invest the time and money toward, perhaps, exploring encryption technology, improving security measures to limit what kind of data employees can carry around, and keeping better tabs on how partners are handling your sensitive data.
But there's really no excuse for the government not to get its act together, and to do it now. If the data of citizens, including veterans, is so easily accessible, who knows what other information malicious hackers and thieves might have access to? Securing our nation isn't just limited to having well-trained soldiers on the border, state-of-the-art jets in the sky, and satellites in space keeping tabs on enemies; not in the Internet Age.
Unfortunately, this hasn't become an election-year issue, so it's not garnering the attention it deserves from the powers-that-be. I recommend taking a moment to send a letter to your local reps, citing this report and telling them to do something about it now.
Or am I overreacting? Is the government doing enough to keep our data safe? What's the answer here? There's an interesting discussion group going on right now in InfoWorld's IT Exec-Connect community where this topic could be expanded on further.
Posted by Ted Samson on October 20, 2006 01:44 PM
September 28, 2006 | Comments: (0)
GE brings data leak trend to light
Personal data continues to spill out of high-profile companies. When will anybody give a dam? (Lousy pun intended.)
The most recently reported spill comes from GE. According to reports, the laptop of one of the company's employees was swiped from his hotel room early this month. The system contained personal data of 50,000 GE employees, including their names and Social Security numbers.
GE's response has been pretty typical: Employees have been notified. They don't think their data's been misused. A year of free credit-monitoring has been offered. (2006 has no doubt become a boon year for the credit-monitoring industry. For those of you who haven't noticed, a year of free monitoring has become the de facto consolation prize from companies who have let their customers' or employees' personal data become compromised.)
So it looks like data leaks really are becoming business as usual. Is that a surprise? The fact remains that companies currently have no incentive to take strides in better protecting that kind of data. There've been no repercussions to speak of, save for a bit of bad press, perhaps. (Well, the Dept. of Veterans Affairs, which suffered some leaks a while back, is taking action by implementing encryption, but that's more for political reasons, one would think.)
Of course, some people might point to a recent survey from Pleasanton, Calif.-based analyst firm Javelin Strategy & Research: "Javelin's research showed that despite recent hype, data breaches were responsible for just 6 percent of all known cases of identity theft, compared to 30 percent from incidents like losing one's wallet," Computerworld reported.
That's all well and good, but it's certainly no reason for companies to rest on their laurels, nor for consumers to breathe an easy sigh of relief. Just give cybercriminals more time, and we'll start to see an increase in clever scams using stolen data, as when leaked AT&T data was recently used in an intricate phishing ploy.
No, I am not trying to be an alarmist here, but I am advocating that companies start working now on strategies to plug up data leaks. I predict that eventually, a company will be held accountable when its customers and employees fall victim to identity theft, and it will have to pay through the nose.
What do you think? Should companies be doing more to protect user data? Or is it really just an overblown threat?
Posted by Ted Samson on September 28, 2006 11:46 AM
September 12, 2006 | Comments: (0)
Update: Dems snagged Guv's tape
The campaign of Phil Angelides, the Democrat taking on California Governor Arnold Schwarzenegger, has taken responsibility for passing an embarrassing audio recording of the governor to the Los Angeles Times, according to reports.
Cathy Calfo, Angelides' campaign manager, asserts that the campaign did nothing illegal, claiming that the audio file was freely available on Schwarzenegger's Web site; no hacking was required.
She also insists that the Democratic nominee was unaware that members of his campaign had swiped and shared the files until after the deed was done.
Schwarzenegger's campaign, however, said Tuesday that the sound files were stored "in a password-protected area of the governor's office network computer system."
However, CNet reported that the files were not password protected at all. From the CNet article:
The controversy may center on the design of the Web server called speeches.gov.ca.gov. The California government used it to post MP3 files of Schwarzenegger's speeches in a directory structure that looked like "http://speeches.gov.ca.gov/dir/06-21.htm.htm". (That Web page is now offline, but saved in Google's cache.)
A source close to Angelides told CNET News.com on Tuesday that it was possible to "chop" off the Web links and visit the higher-level "http://speeches.gov.ca.gov/dir/" directory, which had the controversial audio recording publicly viewable. No password was needed, the source said.
The California Highway Patrol is continuing to investigate how the files got leaked.
In the recording, Schwarzenegger is heard speaking about the ethnic background of state Assemblywoman Bonnie Garcia. Commenting on whether she is Cuban or Puerto Rican, Schwarzenegger says: "They are all very hot. They have the, you know, part of the black blood in them and part of the Latino blood in them that together makes it."
The governor has since apologized for his comments.
Sure, there's some gossipy intrigue to all this, but the incident raises some interesting questions, both ethical and technological.
On the ethical front: Is it OK to snag and distribute information from a competitor if said information is clearly intended to be locked away? Is that part of the spirit of capitalism and the free market: exploiting your opponents' weaknesses for competitive advantage?
And technologically speaking, it might give some organizations cause to look at some of the technologies that evaluate just how well-protected your public-facing Web applications are. Are you, in fact, leaving the door wide open for a burglar to stroll in, pick up some data valuables, and stroll out undetected?
But the biggest question of all is: Why hasn't the media yet coined a pithy name for this little episode with the suffix gate?
Thoughts?
Posted by Ted Samson on September 12, 2006 03:05 PM
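The CNet account above describes a plain directory-listing exposure: trimming a published file URL back to its parent directory returned a browsable index instead of a denial. The following is an added example, not code from the original post or from any of the organizations named in it, of the kind of self-check the post suggests organizations run against their own public-facing Web servers. The host name www.example.gov, the file names and the HTTP responses are constructed; the fetcher is injected so the check runs offline here, and in a real audit you would supply a function that performs the HTTP GET against your own server.

```python
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit

# Text that Apache- and IIS-style auto-generated directory indexes contain.
# Heuristic only: a hand-written page that says "Parent Directory" also matches.
_INDEX_MARKERS = re.compile(
    r"<title>\s*Index of /|Parent Directory|\[To Parent Directory\]", re.IGNORECASE)

Fetcher = Callable[[str], Tuple[int, str]]   # url -> (HTTP status, response body)


def parent_directories(url: str) -> List[str]:
    """Ancestor directory URLs of `url`, nearest first, down to the site root.

    The "chop off the Web links" step done systematically:
    /dir/06-21.htm -> /dir/, then /.  Query string and fragment are dropped.
    """
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    ancestors = []
    for depth in range(len(segments) - 1, -1, -1):   # strict prefixes only
        path = "/" + "/".join(segments[:depth]) + ("/" if depth else "")
        ancestors.append(urlunsplit((parts.scheme, parts.netloc, path, "", "")))
    return ancestors


def looks_like_directory_listing(status: int, body: str) -> bool:
    """True when a 200 response body resembles a server-generated index page."""
    return status == 200 and _INDEX_MARKERS.search(body) is not None


def audit_directory_exposure(urls: List[str], fetch: Fetcher) -> List[str]:
    """Return every ancestor directory of `urls` that serves a browsable index."""
    exposed, seen = [], set()
    for url in urls:
        for directory in parent_directories(url):
            if directory not in seen:
                seen.add(directory)
                if looks_like_directory_listing(*fetch(directory)):
                    exposed.append(directory)
    return sorted(exposed)


# Constructed responses standing in for a real server; no network access needed.
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "http://www.example.gov/dir/": (200, "<html><head><title>Index of /dir</title></head>"
                                         "<body><a href='06-21.htm'>06-21.htm</a>"
                                         "<a href='remarks.mp3'>remarks.mp3</a></body></html>"),
    "http://www.example.gov/": (403, "<html><body>Forbidden</body></html>"),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    return SAMPLE_RESPONSES.get(url, (404, "<html><body>Not Found</body></html>"))


if __name__ == "__main__":
    for hit in audit_directory_exposure(["http://www.example.gov/dir/06-21.htm"], sample_fetch):
        print("browsable directory:", hit)   # -> http://www.example.gov/dir/
```

On the server side the fix is to turn off automatic indexes (for example Apache's `Options -Indexes`) or to place an index file in every published directory, and to keep anything meant to be private out of the document root entirely rather than relying on an unlinked path.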
September 11, 2006 | Comments: (0)
California Highway Patrol officials have opened a criminal investigation into a number of hacks into Governator Arnold Schwarzenegger's office computers, reports the San Francisco Chronicle.
It comes after an embarrassing private taped conversation, in which Schwarzenegger referred to Latinos and African Americans as having "hot" blood or a passionate temperament, was leaked last week to the Los Angeles Times.
From the Chron report:
"...there was immediate suspicion the tapes were obtained by someone hacking into the computers in the governor's office, where the tapes were stored digitally."
Some experts said government computer systems are among the most vulnerable to outside hackers -- especially some systems used by California state agencies that are well known as antiquated.
"Government systems are penetrated on a regular basis," said Bev Harris, executive director of Black Box Voting, a Seattle-based group concerned about electronic voting and hacking.
Is this any surprise, when the federal government is failing in cybersecurity five years after 9/11?
Talk back to us.
Posted by Mike Barton on September 11, 2006 02:52 PM
September 08, 2006 | Comments: (0)
Chase trashes 2.6M customer files
Chase Card Services reported yesterday that it inadvertently threw out storage tapes last July containing the personal information of 2.6 million current and former Circuit City credit card account holders.
Attributing the data-trashing to human error, company officials believe that the tapes, contained within a locked box, were compacted, destroyed, and buried in a landfill. The company reports working with federal and local law enforcement to investigate the fate of the data and says that thus far, at least, the personal data has not been misused.
"We deeply regret that this has occurred and apologize to those impacted," said Rich Srednicki, CEO of Chase, in a written statement. "The privacy of our customers' personal information is of utmost importance to us, and we take the responsibility to safeguard this information very seriously."
By the way, according to reports, the company will not disclose whether the data was encrypted. (I'll draw my own cynical conclusions from that, based on the number of other companies that have suffered spills of unencrypted data lately.)
The company began notifying affected individuals yesterday. The process will take up to three weeks. To those customers whose Social Security numbers were on the tapes, Chase will offer what's become the de facto consolation prize: a year of free credit monitoring service.
Chase also said that it will continue to monitor the affected accounts, and that it "has strengthened a number of security procedures and is currently conducting a comprehensive review of all data storage and protection processes."
Posted by Ted Samson on September 8, 2006 12:54 PM
September 06, 2006 | Comments: (0)
Hackers like Kevin Mitnick call it "social engineering." Other folks call it plain old lying. But today's private investigators have a new word for obtaining information under false pretenses; they call it "pretexting," and it's apparently big business.
One recent customer was HP chairwoman Patricia Dunn. It seems our distinguished competition at CNet reported information that could only have come from the HP boardroom, and Dunn was determined to find the leak. According to Newsweek, her decision to use pretexting to obtain the private phone records of other board members could land her in hot water.
Newsweek sources say Dunn analyzed the phone records, determined who the leaker was, announced her findings at the next board meeting, and demanded that the leaker resign from the board. The leaker refused, but board member Tom Perkins, who was not the leaker, did resign. In a letter to the board, Perkins characterized Dunn's actions as "untoward and illegal." He goes on to question the validity of recent HP filings with the Securities and Exchange Commission, which failed to document the reason for his resignation.
Did Patricia Dunn go too far to protect HP's trade secrets, or do a company's best interests sometimes call for unusual measures? Is pretexting a legitimate information-gathering technique or just an underhanded trick? And was Perkins right to resign his place on HP's board while the leaker -- and Dunn -- still remain? Let us know what you think.
Posted by Neil McAllister on September 6, 2006 11:27 AM
September 06, 2006 | Comments: (0)
Wells Fargo leaks personal data
Wells Fargo has joined the unfortunate ranks of Chevron, AT&T, Williams-Sonoma, and the U.S. Department of Veteran Affairs, in suffering a recent leak of private data.
In this case, the financial institution lost personal information about an unspecified number of its employees, according to reports. The company informed workers of the breach on Aug. 28.
The data was on a disk drive and/or a laptop, both of which were swiped from the trunk of a car. Whether they know it or not, the perpetrators got away with names, Social Security numbers, and prescription information.
There's a common thread in all these data-leak cases, one that I've alluded to previously: The data was being handled by third-party companies. Frustratingly, most of these companies won't disclose the name of their data-fumbling partners, which means they don't have to suffer embarrassing publicity and make promises to step up their security measures. Heaven forbid.
Third-party follies aside, maybe organizations aren't taking the problem seriously because courts have already set a precedent that relieves them of negligence if they lose customer data. Last March, U.S. District Judge David Doty in Minnesota ruled that Wells Fargo was not responsible for losing customers' personal data because said data was never misused by miscreants. The judge's general reasoning was that the people suing the company hadn't suffered any actual damages; they were just worried about future damages.
So there you have it. Companies have the luxury of saving money by being lax on security. If they spill your SSN, your address, your phone number, your health records -- info that could be used for identity theft or a targeted phishing scam -- they don't have to fret. That is, unless the data is abused in the aforementioned manner, in which case I expect the victims would then have to demonstrate that the perpetrators were using the data they'd harvested from said company.
It's a fascinating legal precedent, isn't it? Why are there strict government regulations and guidelines in HIPAA that protect patients' medical records, for example, but nothing to better ensure protection of customer data, which could be used just as maliciously?
Granted, I'd rather that companies and organizations take it upon themselves to enact better security measures, such as implementing encryption technology. But for the time being, there's no tangible ROI in that, I guess. It's cheaper to just e-mail out an apology and give victimized customers and employees a year of free credit monitoring.
Posted by Ted Samson on September 6, 2006 10:13 AM