When you are the lead artist of a security mishaps that ended up in a data breach affecting some 24 million people, consequences are bound to catch up with you. And they just have caught up with shoe retailer Zappos.com and the bigger online fish behind them, Amazon.com. The two companies are being sued by the customers affected by the data breach, being accused of negligence.

A woman from Texas seems to be the main promoter in this Kentucky lawsuit. She claims that she and millions of other customers were harmed by the exposure of their personal account information. Zappos and Amazon have not commented on the lawsuit as of earlier today. 

The Zappos data breach was made public on Sunday when the company emailed employees and customers to let them know that names, phone numbers and email addresses of customers might have been accessed in a hacker attack.  The same statement reassured them that credit card and payment information had not been stolen. Zappos also advised its customers to reset account passwords on their site and any other sites where similar passwords were being used.

The attorneys of the Texas woman are seeking class-action status on behalf of the 24 million affected customers, claiming the security breach was actually a violation of the federal Fair Credit Reporting Act. The sum the lawsuit seeks has not been specified, but it is in the range of millions of dollars in compensatory and exemplary damages for emotional distress and loss of privacy. It also seeks to have Zappos court-ordered to pay for credit monitoring and identity theft insurance, plus periodic audits, for all those affected by the data breach.

The Ramnit worm, first discovered a year and a half ago, a malware that used to target online banking and FTP credentials, makes victims among UK and French Facebook users.

A new version of the worm managed to steal more than 45000 Facebook usernames and passwords and tried to attack the e-mail accounts and virtual private networks of affected persons. The worm has sent malicious links to victims’ friends, links that downloaded malware to the person’s computer, which helped spread the worm even faster.

It seems like the attackers are adapting to market tendencies, targeting social networks rather than traditional communication means (such as email).

For more details, you can read the techweekeurope.co.uk report.

The ICO conducted an investigation on a case of hardware loss in May at the Rochdale Metropolitan Borough Council. The incident consisted in the loss of an unencrypted memory stick by a Council’s finance department employee, stick which contained names, addresses and payment details for 18.000 residents. The missing hardware was not found to the date.

The investigation concluded that the Rochdale Council has breached the Data Protection Act by not providing employees with encrypted memory sticks (although it was a known fact that these devices would be used to transfer private information) and by not training their employees to properly use portable devices for work purposes.

Sally Anne Poole, ICO’s head of enforcement qualifies this mishap as ‘unacceptable’ and says ‘This incident could have been easily avoided if adequate security measures had been in place.’ in a quote by eWeek.

The measures taken by the ICO in this case consist of signing an undertaking of actions to take to implement data protection policies by 31^st March 2012.

Let’s hope that more than one private data handling organization learns from this incident and encrypts their portable devices using proper solutions.

A whole lot was written on loss/theft of hardware (laptops, USB sticks, external hard drives, etc.) and we had thought that organizations would learn their lesson and encrypt sensitive data on such supports. Apparently, things aren’t quite like that and two recent incidents come to prove it.

A resident student at Vancouver Coastal Health lost a laptop and a USB stick (there is a high probability that the hardware was stolen) at the Toronto Airport. The information stored on the drives was password protected but it wasn’t encrypted.

A Vancouver Coastal Health official calls the incident ‘unfortunate’ and says that ‘This is the way physicians and other health care workers need to do their job. They need to use these devices.’ He admits that many professionals use laptops and that the agency has some issues handling mobile technologies.

Another mishap took place in the United Kingdom and the theft of a laptop that stored personal information of 100 young people who participated in inclusion programs. This laptop was in the house of a contractor of the Newcastle Youth Offending Team organization. The ICO (Information Commissioner’s Office) has established a fine for this organization for not encrypting the data. According to Sally-Anne Poole ‘Encryption is a basic procedure and an inexpensive way to ensure that information is kept secure.’ She underlines the fact that organizations working with contractors must make sure that the latter ones align to their security policies.

It’s so simple and cheap to track the use of portable devices and encrypt sensitive data stored on them, that we really ask ourselves why don’t organizations do it?

Let’s hope that at least legal constraints will force private data handlers to implement solutions and politics to maintain their data safe and secure.

What you can see in the picture is belonging to US Navy Drone Reaper. It is remotly controlled air vehicle used during combat missions in Afghanistan. A machine that is capable of neutralising targets or performing reckon missions. What would you say if you found out, that every “step” of the machine was tracked by a computer virus - a keylogger? dangerroom says that no more than 2 weeks ago on computers in Creech Air Force Base in Nevada. Since then, pilots are still performing overseas missions, and also there were several attempts to remove the malware. However,

We keep wiping it off, and it keeps coming back

It does not sound promising if one of most important America’s weapons is infected. It is not sure whether the infection was done on purpose or it was accidental. The virus is believed to be spread with removable devices, that are used to load map updates and transport mission videos from one computer to another.

Good thing is that there is no record of data breach, since the computers are not directly connected with the Internet. However, the malware hit both, classified and unclassified machines in the base, raising the risk that data might have been exposed to people out of military chain of command. One of the consequences is also ban on usage of removable devices in the base, as it is common in military computer networks.

It is not the first problem with information security of drones – there was already a case where fighters in Afghanistan could listen to the transmissions with 26 USD computer program.

It actually proves, how much security protocols are required in such facilities and how valuable can be device control in regard to even closed operations like Creech Air Force Base in Nevada.  In 2008, removable drives enabled to introduce agent.btz worm to Department’s of Defense Computer and still after 3 years, they are tryin to remove the virus. Let’s hope in this case the outcome will be different.

Nemours, an American organization for children’s health announces through a press release the loss of three unencrypted backup tapes that contained information such as the name, address, date of birth, social security number, insurance and medical treatment information and bank account information of 1.600.000 patients and employees.

The three backup tapes were stored in a cabinet that might have disappeared during a facility modernization project.

So far, there is no evidence that the tapes were stolen, accessed or used for fraudulent purposes.

Nemours offers free credit monitoring, identity theft protection and call center support.

Find their press release here: http://www.nemours.org/mediaroom/news/2011/missingtapes.html

An investigation inside the Living Healthy Clinic of Wisconsin, US has revealed the existence of a virus on a computer in the network that exposed 3000 patient records.

The experts have concluded that the attack was not targeted, as it was reported that the same type of virus was found on other computers in the US that had nothing to do with the clinic.

The information exposed after the attack included names, addresses, social security numbers and medical records of some patients.

The officials will announce the affected persons on the security breach and they will inform them on the measures to take to protect themselves.

An unauthorized email sent by the recruitment company Hays to 800 RBS (Royal Bank of Scotland) employees has uncovered the amounts paid to contractors working temporarily for the bank.

Even though the people who received the email are employees of the bank and therefore obliged to keep the confidentiality of the information they have found out, RBS says they are ‘extremely disappointed’ and they are collaborating with Hays to recover the exposed data. The recruitment company has already started an investigation on this breach.

After this incident, discussions on the big salaries offered to contractors by a bank that is majority-owned by the state were started.

More information on this insider data leak here.

According to datalossdb.org, a site belonging to the Open Security Foundation, that publishes the latest news regarding data loss and data breaches, the month of 2011 with the largest number of such incidents was June, when 90 cases were recorded.

The causes of these incidents were very diverse: from the ever-present theft of computers, laptops or hard drives and other portable devices, to fraud, hacking attacks, personal information disclosed on websites, viruses, documents thrown in the dustbin, etc.

The most significant breach from June was the one produced at Sony Pictures, when the LulzSec hackers have accessed one million records of Sony clients in Belgium and the Netherlands.

Hackers targeting the Hong Kong stock exchange have managed to do enough damage to force them to close afternoon trading for seven listed companies. The attack targeted the news section of the stock exchange and managed to severely disrupt day-to-day activities.

The news website, which publishes companies’ regulatory filings, started going down at noon, however according to Hong Kong stock exchange representative, the trading part of the website had not been breached. The stop in trading that affected HSBC, Cathay Pacific Airways and the Hong Kong Exchanges & Clearing, which runs the stock exchange, was a necessary measure as all had released price-sensitive information earlier in the day. As the fresh news could not be accessed, it was safer to end the afternoon trading for the seven companies.

“Our current assessment is that this is a result of a malicious attack by outside hacking,” said Charlies Li, chief executive of Hong Kong Exchanges & Clearing.

The partially closed trading session affected stocks that made up 18% of the Hang Seng index’s weight. Moreover, this is a historic first – the first time the Hong Kong stock exchange has to suspend trading for technical reasons.

Photo source