Daily Mail Loses Laptop With Staff’s Private Info
The latest security breach involving a stolen laptop has recently been reported by Northcliffe Media, owner of the Daily Mail. The lost computer contained sensitive information on the company’s employees, such as names, addresses, bank accounts and sort codes of Mail and General Trust staff.
According to company representatives quoted by the Register, the said laptop was password protected but most likely not encrypted. Northcliffe Media warned its staff of the risk they were exposed to advised them to contact their bank in order to prevent future problems.
The letter, signed by group finance director M J Hindley, said:
The likelihood is that this theft was carried out in an opportunistic manner by a thief who will not realise that there is any personal data on the laptop and who may just erase what is on the hard disk in order to disguise the fact that the laptop is stolen.
Insider Attacks Double in the First Half of 2008
Security attacks caused by insiders have doubled in the last year, according to the latest report released by the Identity Theft Resource Center (ITRC). The Center found that almost 16 percent of breaches reported so far in 2008 were insider-born and went up from 6 percent in 2007. 11.7 percent of the attacks came from individuals outside the company, down from 14.1 percent in 2007.
According to Dark Reading, the ITRC’s data is consistent with other reports on insider incidents showing an increase of such attacks. Additionally, many experts believe that disclosure of all incidents is also on the rise, mostly due to the legal requirements put in place by many states over the last year.
Data stolen from laptops, thumb drives, and PDAs accounted for 20.2 percent of this year’s breaches so far, followed by accidental exposure by the organization (15.2 percent), and loss or theft by a subcontractor (13.5 percent).
Top Vendors Join Forces for IT Security
Five major top vendors in the IT&C field, namely Cisco, IBM, Microsoft, Juniper Networks and Intel, have joined to launch the Industry Consortium for Advancement of Security on the Internet (ICASI). ICASi is a dedicated IT security forum with the main goal of allowing co-operation between companies from all over the world in addressing security threats.
As Computing.co.uk pointed, ICASI will also provide a government-neutral approach to resolving global, multi-vendor security incidents.
“It is critical that the technology industry strengthen its ability to combat the ever-changing nature of the global cyber threat landscape,” said Malcolm Harkins, general manager of Intel’s information risk and security IT group.
Public Access vs. Private Records Protection
The European Data Protections Supervisor Peter Hustinx stated he was unhappy with the proposed law aimed at improving public access to EU documents. The European Commission proposed the law as a means to improve European government transparency.
Yet according to Computing.co.uk, Hustinx is concerned the security measures to protect personal data from public documents are inefficient. His concern was trigger when a reference to possible harm to “the privacy and the integrity” of the individual was deleted from the initial proposal.
“Public access on the one hand and privacy and data protection on the other are fundamental rights which represent key elements of good governance,” said Hustinx.
We’ll just have to wait and see what the will happen, and if the right to right to public access will win the battle, we could recommend some DLP solutions :).
UK SMEs Warned To Improve Security
The Economic and Social Research Council (ESRC) warned that small and medium sized enterprises (SMEs) are most likely to fail at effectively securing their data, which could subsequently lead to compromising a large portion of the UK economy.
Based on figures provided by the Department for Business, Enterprise and Regulatory Reform and quoted by Computing.co.uk, SMEs make up 51.9 per cent of annual turnover in the UK and over 99.3 per cent of businesses of existing businesses.
Meanwhile reported fraud cost UK businesses over £705m in the last six months, 74 per cent up on the same period last year and hitting £317m in April 2008 alone, says research from accountant BDO Stoy Hayward.
Banks and insurance firms saw suffered costs of more than £636m, or 90 per cent of the total cost of fraud in the first half of 2008 and management fraud accounts for 46 per cent of fraud cases, third party fraud accounts for 32 per cent, costing businesses a total of £541m.
Stockbrokers Get Fine for Poor Security
The Financial Services Authority (FSA) has recently fined a firm of stockbrokers for failing to adequately protect their customers from the risk of identity fraud. FSA, quoted by the Register, said the company’s poor security included failing to manage, among others, the risks posed by staff using instant messaging and web-based email.
London-based Merchant Securities Group Limited also failed to verify the identities of customers contacting the firm by telephone. They instead relied on being able to recognize customers’ voices and informally asking them about personal matters such as holidays or hobbies. The firm also had the habit of including private account numbers in routine letters which could then lead to fraud or identity theft.
The FSA also found that back-up tapes containing unencrypted customer information were stored overnight in a bag at the home of a member of staff.
The London-based firm also failed to implement adequate controls “to mitigate the risk of customers’ personal data being transmitted outside the firm by failing to prevent the use of instant messaging and web-based email,” according to the penalty notice (pdf) served by the FSA.
HMRC Breach Caused By Poor Security
A formal inquiry on the now notorious security breach reported last October at HM Revenue & Customs (HMRC) has recently been published. The breach exposed 25 million personal records and has been proved to be caused by “major institutional deficiencies”, reports SearchSecurity UK.
The inquiry extensively details the operation procedures implemented at HMRC before the data breach. It also describes the circumstanced that have led to the loss of two CDs holidng personal and financial information on Child Benefit recipients.
The inquiry, led by Kieran Poynter of management consultants Pricewaterhousecoopers (PwC), concluded that “information security simply wasn’t a management priority as it should have been, and HMRC had an organizational design which was unnecessarily complex and crucially, did not clearly focus on management accountability.”
The report of the investigation provides a detailed blow-by-blow account of events leading up to the data loss, with extracts of emails showing who said what to whom. However, since the blame for the breach is attributed to cultural and organizational weaknesses, the staff members involved are given anonymity, and referred to only as employee A, B, C and so on.
Researchers Call for Measurable Security Objectives
The next big step in security policies should be heavily focusing on ways to quantify completed and ongoing security objectives, says Pete Lindstrom, senior analyst at the Midvale, Utah-based research firm. The purpose of this move would be to both justify spendings and highlight the value yielded by ongoing projects.
This message was presented during the Burton Group Catalyst Conference ‘08 and as SearchSecurity.com noted, Lindstrom is sketching a new model to help security experts measure and articulate security program successes and failures to senior management.
“We need to get objective and quantitative in our environments in order to better manage our programs,” Lindstrom said. “We have to collect ourselves together as a profession and define what it means to meet our security objectives.”
DPS-contracted Company Breached
Private records of 826 state employees were recently stolen from a home office from Wichita Falls, Texas. An employee of L-1 Identity Solution was keeping the information in a lockbox, pending to do fingerprinting, as agreed with the Department of Public Safety.
All the affected individuals are being notified by mail that their names, home addresses, dates of birth, driver’s license and Social Security numbers are missing and they are exposed to identity theft and fraud. According to KXAN.com, about 100 of those affected work for the State Board of Education. The incident comes less than a year after the Texas Legislature mandated that all education employees submit their fingerprints for criminal background checks.
DCA Security Breach Exposes Private Records of 5,000
The state Department of Consumer Affairs has recently discovered a security breach exposing employees, contractors and board members to identity fraud. DCA has in response sent 5,000 letters warning those affected that the breach has compromised their names and social security numbers.
According to DCA spokesman Russ Heimerich quoted by Capitol Weekly, the breach occurred on June 5 or 6 when a Microsoft Word document was improperly transmitted electronically outside of the department. The document also contained the salaries and titles of everyone on the list, but Heimerich pointed out these additional details were public information.
Heimerich said the incident is still being investigated, and that he could not disclose who had received the document. He said that so far there is no evidence that any information has been used. It was not even clear the recipient had opened the document.
