Insider Attacks Double in the First Half of 2008

Security attacks caused by insiders have doubled in the last year, according to the latest report released by the Identity Theft Resource Center (ITRC). The Center found that almost 16 percent of breaches reported so far in 2008 were caused by insiders, up from 6 percent in 2007. 11.7 percent of the attacks came from individuals outside the company, down from 14.1 percent in 2007.

According to Dark Reading, the ITRC’s data is consistent with other reports on insider incidents showing an increase of such attacks. Additionally, many experts believe that disclosure of all incidents is also on the rise, mostly due to the legal requirements put in place by many states over the last year.

Data stolen from laptops, thumb drives, and PDAs accounted for 20.2 percent of this year’s breaches so far, followed by accidental exposure by the organization (15.2 percent), and loss or theft by a subcontractor (13.5 percent).

Public Access vs. Private Records Protection

The European Data Protections Supervisor Peter Hustinx stated he was unhappy with the proposed law aimed at improving public access to EU documents. The European Commission proposed the law as a means to improve European government transparency.

Yet according to Computing.co.uk, Hustinx is concerned that the security measures meant to protect personal data contained in public documents are insufficient. His concern was triggered when a reference to possible harm to “the privacy and the integrity” of the individual was deleted from the initial proposal.

“Public access on the one hand and privacy and data protection on the other are fundamental rights which represent key elements of good governance,” said Hustinx.

We’ll just have to wait and see what will happen, and if the right to public access wins the battle, we could recommend some DLP solutions :).

UK SMEs Warned To Improve Security

The Economic and Social Research Council (ESRC) warned that small and medium sized enterprises (SMEs) are most likely to fail at effectively securing their data, which could subsequently lead to compromising a large portion of the UK economy.

Based on figures provided by the Department for Business, Enterprise and Regulatory Reform and quoted by Computing.co.uk, SMEs account for 51.9 per cent of annual turnover in the UK and make up over 99.3 per cent of existing businesses.

Meanwhile reported fraud cost UK businesses over £705m in the last six months, 74 per cent up on the same period last year and hitting £317m in April 2008 alone, says research from accountant BDO Stoy Hayward.

Banks and insurance firms suffered costs of more than £636m, or 90 per cent of the total cost of fraud in the first half of 2008. Management fraud accounts for 46 per cent of fraud cases, while third-party fraud accounts for 32 per cent, costing businesses a total of £541m.

HMRC Breach Caused By Poor Security

A formal inquiry into the now notorious security breach reported last October at HM Revenue & Customs (HMRC) has recently been published. The breach exposed 25 million personal records and has been found to have been caused by “major institutional deficiencies”, reports SearchSecurity UK.

The inquiry extensively details the operating procedures in place at HMRC before the data breach. It also describes the circumstances that led to the loss of two CDs holding personal and financial information on Child Benefit recipients.

The inquiry, led by Kieran Poynter of management consultants Pricewaterhousecoopers (PwC), concluded that “information security simply wasn’t a management priority as it should have been, and HMRC had an organizational design which was unnecessarily complex and crucially, did not clearly focus on management accountability.”

The report of the investigation provides a detailed blow-by-blow account of events leading up to the data loss, with extracts of emails showing who said what to whom. However, since the blame for the breach is attributed to cultural and organizational weaknesses, the staff members involved are given anonymity, and referred to only as employee A, B, C and so on.

Montgomery Ward Kept Customers in the Dark on Data Theft

In a security breach not yet reported to its customers, Montgomery Ward, an old-line merchant now operating as an internet retailer, had 51,000 credit card numbers stolen. The private records were stolen in December from an online database containing credit card account information.

According to SC Magazine, the furniture retailer operates on the internet through the Wards.com site and is actually owned by Direct Marketing Services.

Direct Marketing Services notified the major credit card brands of the incident but failed to alert customers. Now that the breach has been exposed, they’ve had a change of heart and are planning to let all those affected know of the breach.

DCA Security Breach Exposes Private Records of 5,000

The state Department of Consumer Affairs has recently discovered a security breach exposing employees, contractors and board members to identity fraud. DCA has in response sent 5,000 letters warning those affected that the breach has compromised their names and social security numbers.

According to DCA spokesman Russ Heimerich quoted by Capitol Weekly, the breach occurred on June 5 or 6 when a Microsoft Word document was improperly transmitted electronically outside of the department. The document also contained the salaries and titles of everyone on the list, but Heimerich pointed out these additional details were public information.

Heimerich said the incident is still being investigated, and that he could not disclose who had received the document. He said that so far there is no evidence that any information has been used. It was not even clear the recipient had opened the document.

New PCI Standards Disregard Inside Threats

Starting June 30, new measures inserted in the Payment Card Industry (PCI) standard will be enforced. However, representatives of a database security firm point out that the new additions do nothing to address inside threats.

As Vnunet.com shows in a recent article, the new measures require that companies dealing with stored credit card and other consumer financial data either install firewalls around all internet-facing applications or have all customer application code reviewed for common vulnerabilities.

Secerno representatives argued that the new and “improved” standard does not address real threats effectively:

“The PCI Data Security Standard has the best intentions but, as is the case with many compliance directives, it barely addresses the most immediate and upcoming threats to consumer data,” said Paul Davie, founder of Secerno.

“It is generally inadequate for addressing the sort of internal threat that can be exploited easily, such as by general or privileged users.”

Besides completely ignoring ill-willed insiders, the PCI standard also fails to regulate data encryption requirements, database security policies, and measures for protecting data on private networks.

Virgin Media Loses Unencrypted CD with Customer Data

Virgin Media, the branch of Richard Branson’s empire operating in the entertainment and communications fields, has recently disclosed the loss of an unencrypted computer disc containing bank account details of 3000 UK customers.

The data loss was discovered on May 29th, and according to Virgin Media, the CD also contained names and addresses of customers. According to Finextra.com, the breach affects customers that signed up to Virgin Media services in Carphone Warehouse stores from January this year. Company representatives don’t know why the data was burned onto a CD to begin with, as the company policy stated that secure FTP transfers should be used instead of CDs.

In a statement a Virgin Media spokesperson says: “We have been working with the Information Commissioners’ Office on this matter and we are in the process of contacting all of the affected customers to ensure we meet our responsibilities and fully support them through this process.”

Virgin Media says it is now conducting a review of its data protection policies and practices.

Insurance Files Found in Dumpster

It looks like insurance companies also fail to rank high when it comes to security. While one would expect any data provided to such a company to remain private, it so happens that in Richardson insurance files may just as well be found in a dumpster.

That was the case in an incident a little while ago, when hundreds of such files containing names, social security numbers and policy numbers were found in a Richardson dumpster. As WFAA.com, which covered the story, notes, it was quite a treasure waiting to be discovered by identity thieves.

Who found the files? Two men, one looking for boxes to move and another one driving by, who saw the first one taking pictures of the dumpster in question.

The files were dumped here by a company called Texas Insurance Claims Services which processes people’s claims.

We asked the owner why he threw them away. He wouldn’t go on camera but said he was only required to keep the files five years and could then toss them.

The company says it sometimes uses commercial shredding services but decided not to do so this time. Authorities say it’s not unusual for criminals to dumpster dive to look for ways to get personal information that they can use to illegally run up huge bills.

Sensitive Data of Healthcare and Airline Companies Found in Argentina and Malaysia

Researchers at Finjan have recently discovered 500 megabytes of confidential data on servers located in Argentina and Malaysia. The private records contained Citrix single sign-on credentials for accessing patient and financial data at a major U.S. hospital and a major healthcare organization, as well as credentials for accessing a large U.S. airline carrier’s passenger and cargo lists, flight schedules, security measures, and financial data.

According to DarkReading, quoting Yuval Ben-Itzhak, CTO of Finjan, the Finjan research findings show that criminals are shifting focus to different data that they can easily steal and effectively sell to the highest bidder.

“It’s supply and demand. The fact is these people are now going after data that’s different from [the standard] credit card and SSN,” Ben-Itzhak says. “A year ago, a [stolen] credit card was $100. Now you can get one for $10-$20 a card.”

But that doesn’t mean cybercriminals still aren’t pilfering credit card data, other security experts argue. “I don’t think there is a shift in cybercriminals stealing data other than credit card numbers. The stolen data from popular and mainstream Trojans is mainly grabbed via keylogging — everything is captured, [and] then the wheat is separated from the chaff,” says Guillaume Lovet, senior manager for Fortinet’s Threat Response Team.