Endpoint Protector Appliance: Stop data theft on Windows and Mac

Public Access vs. Private Records Protection

The European Data Protection Supervisor Peter Hustinx stated he was unhappy with the proposed law aimed at improving public access to EU documents. The European Commission proposed the law as a means to improve European government transparency.

Yet according to Computing.co.uk, Hustinx is concerned that the security measures to protect personal data in public documents are inefficient. His concern was triggered when a reference to possible harm to “the privacy and the integrity” of the individual was deleted from the initial proposal.

“Public access on the one hand and privacy and data protection on the other are fundamental rights which represent key elements of good governance,” said Hustinx.

We’ll just have to wait and see what will happen, and if the right to public access wins the battle, we could recommend some DLP solutions :).

UK SMEs Warned To Improve Security

The Economic and Social Research Council (ESRC) warned that small and medium-sized enterprises (SMEs) are the most likely to fail at effectively securing their data, which could subsequently compromise a large portion of the UK economy.

Based on figures provided by the Department for Business, Enterprise and Regulatory Reform and quoted by Computing.co.uk, SMEs account for 51.9 per cent of annual turnover in the UK and over 99.3 per cent of existing businesses.

Meanwhile, reported fraud cost UK businesses over £705m in the last six months, 74 per cent up on the same period last year and hitting £317m in April 2008 alone, says research from accountant BDO Stoy Hayward.

Banks and insurance firms suffered costs of more than £636m, or 90 per cent of the total cost of fraud in the first half of 2008. Management fraud accounts for 46 per cent of fraud cases and third-party fraud for 32 per cent, costing businesses a total of £541m.

Stockbrokers Get Fine for Poor Security

The Financial Services Authority (FSA) has recently fined a firm of stockbrokers for failing to adequately protect its customers from the risk of identity fraud. The FSA, quoted by The Register, said the company’s poor security included failing to manage, among other things, the risks posed by staff using instant messaging and web-based email.

London-based Merchant Securities Group Limited also failed to verify the identities of customers contacting the firm by telephone. Instead, staff relied on recognizing customers’ voices and informally asking them about personal matters such as holidays or hobbies. The firm also had the habit of including private account numbers in routine letters, which could lead to fraud or identity theft.

The FSA also found that back-up tapes containing unencrypted customer information were stored overnight in a bag at the home of a member of staff.

The London-based firm also failed to implement adequate controls “to mitigate the risk of customers’ personal data being transmitted outside the firm by failing to prevent the use of instant messaging and web-based email,” according to the penalty notice (pdf) served by the FSA.

HMRC Breach Caused By Poor Security

A formal inquiry into the now notorious security breach reported last October at HM Revenue & Customs (HMRC) has recently been published. The breach exposed 25 million personal records and was found to have been caused by “major institutional deficiencies”, reports SearchSecurity UK.

The inquiry extensively details the operating procedures in place at HMRC before the data breach. It also describes the circumstances that led to the loss of two CDs holding personal and financial information on Child Benefit recipients.

The inquiry, led by Kieran Poynter of management consultants PricewaterhouseCoopers (PwC), concluded that “information security simply wasn’t a management priority as it should have been, and HMRC had an organizational design which was unnecessarily complex and crucially, did not clearly focus on management accountability.”

The report of the investigation provides a detailed blow-by-blow account of events leading up to the data loss, with extracts of emails showing who said what to whom. However, since the blame for the breach is attributed to cultural and organizational weaknesses, the staff members involved are given anonymity, and referred to only as employee A, B, C and so on.

Researchers Call for Measurable Security Objectives

The next big step in security policies should focus heavily on ways to quantify completed and ongoing security objectives, says Pete Lindstrom, senior analyst at Burton Group, the Midvale, Utah-based research firm. The purpose of this move would be both to justify spending and to highlight the value yielded by ongoing projects.

This message was presented during the Burton Group Catalyst Conference ’08 and, as SearchSecurity.com noted, Lindstrom is sketching a new model to help security experts measure and articulate security program successes and failures to senior management.

“We need to get objective and quantitative in our environments in order to better manage our programs,” Lindstrom said. “We have to collect ourselves together as a profession and define what it means to meet our security objectives.”

DPS-contracted Company Breached

Private records of 826 state employees were recently stolen from a home office in Wichita Falls, Texas. An employee of L-1 Identity Solutions was keeping the information in a lockbox, pending fingerprinting, as agreed with the Department of Public Safety.

All the affected individuals are being notified by mail that their names, home addresses, dates of birth, driver’s license numbers and Social Security numbers are missing and that they are exposed to identity theft and fraud. According to KXAN.com, about 100 of those affected work for the State Board of Education. The incident comes less than a year after the Texas Legislature mandated that all education employees submit their fingerprints for criminal background checks.

Montgomery Ward Kept Customers in the Dark on Data Theft

In a security breach not yet reported to its customers, Montgomery Ward, an old-line merchant now operating as an internet retailer, had 51,000 credit card numbers stolen. The private records were stolen in December from an online database containing credit card account information.

According to SC Magazine, the furniture retailer operates on the internet through the Wards.com site and is actually owned by Direct Marketing Services.

Direct Marketing Services notified the major credit card brands of the incident but failed to alert customers. Now that the breach has been exposed, the company has had a change of heart and is planning to let all those affected know of the breach.

Former Employee Charged in Southeast Security Breach

A former Southeast Missouri State University employee has been charged in a security breach exposing 800 student names and Social Security numbers. The man has been indicted on charges of identity fraud and one charge of computer trespass after being found in possession of the private records in question.

According to the Southeast Missourian, William Elum was the hall director of Dearmont during the 2006 to 2007 school year and was arrested May 27 in Atlanta. While no students have reported credit fraud as a result of the leak, Elum is accused of trying to access two student accounts.

“I haven’t seen any evidence that these data have been misused beyond the attempt the employee used to log on to our system in other students’ names,” said Dr. Dennis Holt, vice president for administration and enrollment management.

Nevertheless, university administrators are recommending that students place a fraud alert on their consumer credit file and a security freeze on their accounts at the credit bureaus.

DCA Security Breach Exposes Private Records of 5,000

The state Department of Consumer Affairs has recently discovered a security breach exposing employees, contractors and board members to identity fraud. In response, DCA has sent 5,000 letters warning those affected that the breach compromised their names and Social Security numbers.

According to DCA spokesman Russ Heimerich quoted by Capitol Weekly, the breach occurred on June 5 or 6 when a Microsoft Word document was improperly transmitted electronically outside of the department. The document also contained the salaries and titles of everyone on the list, but Heimerich pointed out these additional details were public information.

Heimerich said the incident is still being investigated and that he could not disclose who had received the document. He said that so far there is no evidence that any of the information has been used; it was not even clear whether the recipient had opened the document.

6,500 CNET Networks Employees Exposed in Data Theft

Over 6,500 CNET Networks employees and their relatives will soon receive notifications of a possible data breach, as CNET has recently discovered the theft of computer systems from the offices used by the company to administer its benefit plans.

The information was handled by Colt Express Outsourcing Services in its Walnut Creek, California offices, where the burglars broke in. According to PC World’s coverage of the story, CNET was not the only company affected by the theft. While it’s not clear which other companies were exposed by the data theft, Colt Express’s other customers include companies such as BroadVision, JDS Uniphase and 24 Hour Fitness.

The stolen equipment “contains the human resources data of several of their clients including CNET networks,” CNET Senior Vice President of Human Resources Jose Martin said in a June letter notifying employees of the incident.

The computers contained names, birth dates, Social Security numbers and employment information of the beneficiaries of CNET’s health insurance plans.