Wonder no more, as the answer is now public: they do! You can buy hardware containing private details of strangers on eBay! Just a short while ago an IT manager paid 35 pounds for a computer hard disk containing one million sets of bank details.
The hardware in question contained details of customers of American Express, NatWest and the Royal Bank of Scotland, as reported by The Register. And Andrew Chapman, the guy who paid the money, would have had everything he needed for identity theft: names, addresses, sort codes, account numbers, credit card numbers, mobile phone numbers, mothers’ maiden names and scans of signatures.
The second-hand computer the hard drive belonged to was the property of Graphic Data. The archiving firm seems to be missing a second computer with the same type of information.
According to recently released data, US mid-sized companies are more concerned about information security than about cutting costs. The survey, conducted by Arrow Electronics Inc, collected data from 200 US companies with annual revenues ranging from less than $100 million to over $1 billion. 80% identified security as a top business issue, while only 60% referred to cost reduction and 64% targeted improving their customer service.
Although they admit IT security is of utmost importance, few are satisfied with the level of security already implemented in their mid-sized businesses. Only 32 percent of respondents said their company is properly handling all threats. That leaves 68% of companies concerned, yet highly vulnerable.
Yet the 32% might also be quite vulnerable to all kinds of threats, according to David Vellante, co-founder and principal contributor of the Wikibon user group. His statement, quoted by Dark Reading, suggests these respondents are simply unaware of what’s really at stake.
“I believe that the 32 percent of respondents that are ‘very satisfied’ with how their company is addressing security concerns are deluding themselves — they should wake up and smell the coffee,” wrote Vellante. “As an industry, since 2000 we’ve spent billions on security in the form of virus protection, network security, firewalls and other infrastructure… do you feel more secure? No way!”
If you’re acquainted with endpoint security solutions and the threats they try to prevent, you have definitely heard of the inside threat. It refers to employees who breach security systems and compromise confidential data. Whether it is criminal intent that drives them or ignorance, the effects on the company are the same: loss of money, trust, customers and quite a lot of hassle, all eventually leading to losing more money.
There are dozens of examples and such breaches keep happening. The latest has recently been reported by Countrywide Financial Corp. The FBI has just arrested one of their employees and his accomplice for stealing and subsequently selling private records on the company’s customers.
The breach is thought to have started three years ago. The employee in question used to copy batches of 2000 records containing sensitive details, such as social security numbers, and sell them to the competition. Those investigating what happened estimate the total number of affected customers at around 2 million. If you want more details on how it all happened, see the coverage in the LA Times.
In this specific case, the employee is thought to have acted knowingly. Yet he exploited a flaw in the company’s security. Had they monitored all the computers on their premises and made sure unauthorized data transfers to portable devices were denied, the whole breach would have been avoided.
The inside threat is real and can lead to significant damages. It’s not something to get paranoid about or fear; it’s something companies can easily monitor, preventing such data thefts.
Allowing your offspring to take part in a kids’ cooking show hosted by the BBC might not be as safe as you imagine. 250 children who applied for BBC1’s “Gastronauts” had to provide the broadcaster with a number of personal details, which were later lost by an independent production company the BBC was working with.
The children’s names, phone numbers, addresses and dates when parents were planning to be away were stored on a memory stick which was left unattended in a car belonging to an Objective Productions employee.
Although it has notified all those involved of the data loss, the BBC tried to push the production company to take the fall for the breach in an attempt not to share responsibility. Yet security experts quoted by Vnunet.com state otherwise, showing both companies are responsible for the safety of the data they are entrusted with. The BBC should have reviewed its own security protocols and those of the company it shared the private records with. I wonder who they’ll blame next :).
A flash drive containing private information on 2,600 former Dayton-area Delphi workers has recently been stolen from an unattended laptop of a Job and Family Services department employee. The information stored on said drive included names, addresses, social security numbers and telephone numbers of the workers.
Helen Jones-Kelley, director of the Job and Family Services department, quoted by the Dayton Daily News, said leaving the laptop unattended during lunch hour was a violation of department policy and the responsible employee could face disciplinary action, including termination.
As far as those affected are concerned, the same department representative said they have sent letters to all those involved.
The FBI has arrested 11 people in the case of the largest identity theft and data breach in history, which targeted TJX and other companies. The suspects, three of whom are US citizens, are believed to have taken part in the theft of over 40 million credit and debit card accounts from 9 major retailers and restaurants. Stealing that much data was possible after installing malicious software on the systems of TJX Companies, BJ’s Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority, Forever 21, DSW, Dave & Busters and Boston Market.
Never surpassed in the time that has passed, the breach has been covered constantly by the media. The Register tells the story of the breach in a recent article: at the beginning of 2007, TJX first reported a breach by unknown individuals who had at the time stolen 46.5 million credit cards, a number later proved to be twice as high. According to The Register, the fraud had been going on for quite a while when TJX reported it, as a year earlier industry watchers had noticed an unusual increase in debit card fraud at retailers OfficeMax and Sam’s Club.
The US Attorney for the District of Massachusetts and the US Attorney General both commented on the issue:
“While technology has made our lives much easier it has also created new vulnerabilities,” Michael J. Sullivan, US Attorney for the District of Massachusetts, said in a statement announcing the indictments. “This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results.”
“They used sophisticated computer hacking techniques, breaching security systems and installing programs that gathered enormous quantities of personal financial data, which they then allegedly sold to others or used themselves,” US Attorney General Michael Mukasey said in prepared remarks. “And in total, they caused widespread losses by banks, retailers, and consumers.”
Besides having a sophisticated, high-end technique for stealing the information, the ring of thieves also had multiple ways to turn the theft into profit, either by selling the data to other criminals or by using it to create fake cards and withdraw thousands of dollars at a time.
The eleven arrested individuals are from the United States, Estonia, Ukraine, the People’s Republic of China and Belarus. The FBI is still in pursuit of another member of the group who is only known by his online alias and continues to elude authorities. Let’s hope he’s caught soon enough!
Californian FBI agents have recently arrested a Countrywide Financial Corp. employee suspected of having stolen personal information about the home mortgage lender’s customers. This new negative event puts fresh pressure on the company, which has been severely affected by the current lending crisis and has also been investigated for fraud.
According to a Computerworld article, Rene Rebollo, who was a senior financial analyst for Countrywide Home Loan’s subprime mortgage division, accessed customer data through his work computer and saved it onto flash drives that he then took out of the company. According to the FBI, Rebollo admitted three months ago to having given the private information to third parties. Another man accused of having bought the stolen data was also arrested along with Rebollo.
How much money did Rebollo make from selling the data? Not nearly enough to compensate for the minimum 5 years he could spend in jail: 50,000 to 70,000 dollars! Countrywide is now analyzing whether he has really exposed the identity of customers, and if this is the case, all those affected will be notified.
It would be interesting to see a subsequent analysis of how much Countrywide lost in this affair. But it is hard to determine the costs of a bruised image and shattered trust in the company.