LifeLock Sued By Customers
LifeLock, vendor of a much-contested fraud-prevention service, has been sued by three very unhappy customers from three US states. The customers are upset because they feel LifeLock fails to provide the comprehensive protection it advertises.
As the Register reports, the lawsuits have been initiated by three customers from Maryland, New Jersey and West Virginia. They target LifeLock ads in which CEO Todd Davis says he is so confident in the service that he volunteers his Social Security number.
What isn’t mentioned is that on at least 87 occasions, Davis’s Social Security number has been used in attempts to steal his identity, and at least one of those times, the perpetrator was successful.
“It’s further evidence of the ineffectiveness of the services that LifeLock advertises,” David Paris, an attorney suing on behalf of the dissatisfied customers, told the Associated Press. Davis also told AP reporter Jordan Robertson it’s possible that driver’s licenses have been issued to other people in his name as a result of the widespread availability of his personal information. But he ascribes this possibility to flimsy fraud checks used by most departments of motor vehicles, rather than the ineffectiveness of his service.
TJX Fired Employee Who Exposed Their Lack of Security
TJX, the company where the world’s biggest data theft involving credit card information occurred, fired an employee who exposed the company’s faulty security practices by leaving posts in an online forum. The story of the employee showing how easy it was to breach TJX was made public by the Register.
Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards. Benson said he was fired on Wednesday after managers said he disclosed confidential company information online.
Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers. He said he brought the security issues to the attention of a district loss prevention manager named Allen in late 2006, and repeatedly discussed them with store managers. Except for a stretch when IT managers temporarily tightened password policies, the problems went unfixed.
According to the Register, Benson’s posts never revealed enough information to actually facilitate a security breach at TJX Maxx, but that didn’t really help him keep his job. All for the best, if we consider his statement:
“They’re telling the public they’re PCI compliant,” he said, referring to so-called payment card industry security rules governing businesses that accept credit and debit cards. “That I think is unethical.”
He also admitted he hasn’t acted out of selfless motives. As he pointed out, he still has private records stored on the TJX network. A faulty security system would expose him as much as any other employee or customer.
TJX Suspect Charged Along With 2 Other Hackers
A suspect in the largest private records theft in history has been charged along with two other men linked to similar scams. The three men, one of them suspected of playing a role in the 45.6 million credit card data theft from retailer TJX Companies, have been accused of hacking into cash register terminals belonging to a restaurant chain and installing software that sniffed credit card numbers, as explained by the Register.
“According to a 27-count indictment unsealed Monday, the scheme was carried out in part by Maksym Yastremskiy. In July, the Ukrainian was arrested in a Turkish resort town for allegedly selling large quantities of credit card numbers, many of which were siphoned out of TJX’s rather porous network. He remains incarcerated in Turkey, where an application for extradition to the US is pending. Yastremskiy also went by the name Maksik.
The indictment also names Aleksandr Suvorov, aka JonnyHell, of Estonia, and a separate complaint names Albert Gonzales, who also went by the moniker Segvec. Together, they are accused of installing packet sniffers at 11 restaurants belonging to Dave & Buster’s. The sniffers captured track 2 credit card data as it passed from the restaurants’ point-of-sale terminals to servers at the chain’s central headquarters.”
CoSoSys in the Balkans through Inter Engineering
Inter Engineering, one of the main players on the data security market in the Balkans, and CoSoSys, vendor of network endpoint security and portable storage device enhancement solutions, announce today their strategic partnership to distribute the Endpoint Protector 2008 solution and additional support services in Greece, Cyprus and Malta. The distribution agreement between Inter Engineering and CoSoSys comes as a natural response to the increasing demand in Balkan countries for the numerous business and technical benefits that CoSoSys technology delivers.
“The developments in enterprise needs make Endpoint Security an indisputable part of a solid Policy” said Josmaarten Swinkels, CEO of Inter Engineering. “CoSoSys provides solutions which combine quality with flexibility and an attractive pricing model fitting extremely well in Inter Engineering’s solutions portfolio. We are happy to work with CoSoSys and optimistic about the future.”
“Inter Engineering has proven to be an absolute first-rate partner committed to the success of our customers,” said Roman Foeckl, director of CoSoSys. “We are pleased to have such a reputable and experienced company representing us in their home market.”
See more in the official press release available on the CoSoSys site.
Hospitals, a Danger to Your Personal Data
According to a recently released study carried out by research firm HIMSS Analytics and risk management company Kroll Fraud Solutions, from 2006-2007, over 1.5 million patients’ personal information was exposed through hospitals alone, leaving them under threat of identity theft. The survey, however, does not take into account insurance companies, pharmaceutical companies or individual doctors’ offices, which would have meant a significant increase in the total number.
According to Dark Reading, we should keep in mind that these numbers are based on reported breaches only. About 44 percent of hospitals that experienced a breach in 2007 didn’t inform the patients whose records were affected, as shown in the study.
Hospitals are not paying enough attention to security issues, and the steps they are taking are often ineffective, the HIMSS/Kroll study says. While there is a high awareness of the security requirements described in Health Information Portability and Accountability Act (HIPAA) among hospital IT professionals, most hospitals are putting too much emphasis on compliance and not enough on real security vulnerabilities, the study says.
This lack of attention could lead to real problems for individuals down the road, the study warns. Hospitals are often a source for birth, health, and death records that can be very valuable to criminals, and patient data breaches are among the most difficult to clean up, because compromises or changes can affect insurance eligibility or even patient safety if the data is manipulated.
CoSoSys’ Secure it Easy to Protect VIPdesk Critical Data on Removable Storage Devices
CoSoSys, the leading provider of Endpoint Security solutions, announced today that VIPdesk, a pioneer of premium home-based contact center solutions and concierge services, has selected the newly released Secure it Easy version 2.0 software to manage and enforce the company’s portable device security guidelines. Secure it Easy efficiently protects VIPdesk’s remote workstations and notebooks owned by its home-based agents against data loss, data theft and other forms of data leakage.
See more details in the company’s online press room.
Californian Supermarket Shoppers, Victims of Identity Theft
Over 100 shoppers at a supermarket in Los Gatos, California, became victims of identity theft when their private records were stolen from their debit and credit cards through the checkout card reader. The thieves from the Lunardi’s grocery store used the stolen PIN numbers and card information to create fake cards, which they subsequently used to shop around.
The supermarket customers have been reporting cases of identity theft to authorities for over a week and, according to Dark Reading, have been losing an average of $1,000 from their bank accounts.
“What we have here is more than one person — they’ve been able to get in there (Lunardi’s) and switch out the ATM card reader,” said Los Gatos-Monte Sereno police Sgt. Tam McCarty in an article in the San Jose Mercury News. “Once they’ve done that, they can read the card and PIN numbers and either make a temporary card or sell the numbers over the phone.”
88,000 Patients Exposed to Identity Theft
Hardware containing personal information on about 88,000 patients of the Staten Island University Hospital was stolen in December of last year.
According to Silive.com, after four months of investigations that have led to no arrest, the hospital administrators are now starting to send letters to patients who are currently exposed to identity theft threats. The desktop computer and the backup hard drive stolen from one of the hospital’s finance offices contained patients’ names, Social Security and health insurance numbers.
“The hospital is in the process of issuing a letter of information to each patient involved in which one year of free credit monitoring is being offered,” said a hospital statement released yesterday afternoon by spokeswoman Arleen Ryback. The time frame for when patients whose information was included in the data were treated was not immediately known.
Ms. Ryback said no medical records were included in the files, but wouldn’t speculate why SIUH waited so long to notify people.
Private Information on Iredell County Taxpayers Stolen
The Iredell County Tax Collector’s Office has just informed the public about an information theft that took place at the end of April. The incident involved a courier vehicle providing services for First Citizens Bank, which was stolen in Charlotte. The vehicle’s shipment included data related to Iredell County tax payments. According to Prime Newswire, Charlotte law enforcement officials are currently investigating the incident, but the contents of the shipment are yet to be recovered.
The stolen shipment contained a computer report of 468 taxpayers’ check information, including account numbers, check numbers, check amounts and routing numbers from various banks on which the checks were drawn. There were also copies of tax bills that contained taxpayer names, addresses and other public information related to tax payments.
