Insider Compromises 2 million Private Records
If you’re acquainted to endpoint security solutions and the threats they try to prevent, you have definitely heard of the inside threat. It refers to employees who breach security systems and compromise confidential data. Whether it criminal intent that drives them or ignorance, the effects on the company are the same: loss of money, trust, customers and quite a lot of hassle, all eventually leading to loosing more money.
There are dozens of examples and they such breaches keep happening. The latest has recently been reported by Countrywide Financial Corp. The FBI has just arrested one of their employees and his accomplice for stealing and subsequently selling private records on the company’s customers.
The breach is thought to have started three years ago. The employee in question used to copy batches of 2000 records containing sensitive details, such as social security numbers, and sell them to the competition. Those investigating what happened estimate the total number of affected customers to around 2 million. If you want more details on how it all happened, see the details in the LA Times.
In this specific case, the employee is thought to have acted knowingly. Yet he exploited a flaw in the company’s security. Had they monitored all the computers on their premises and make sure unauthorized data transfers to portable devices was denied, the whole breach would have been avoided.
The inside threat is real and can lead to significant damages. It’s not something to get paranoid about or fear, it’s something companies can easily monitor, preventing such data thefts.
BBC Admits Loss of Children’s Data, Rejects Any Responsibility
Allowing your offspring to take part in a kids cooking show hosted by the BBC might not be as safe as you imagine. 250 children who applied for BBC1’s “Gastronauts” had to provide the television with a number of personal details which were later lost by an independent production company BBC was working with.
The children’s names, phone numbers, addresses and dates when parents were planning to be away were stored on a memory stick which was left unattended in a car belonging to an Objective Productions employee.
Although it has announced all those involved of the data loss, BBC tried to push the production company to take the fall for the breach as an attempt not to share responsibility. Yet security experts quoted by Vnunet.com state otherwise, showing both companies are responsible for the safety of data they are entrusted with. BBC should have reviewed its own security protocols and those of the company they shared the private records with. I wonder who they’ll blame next :).
Stolen Flash Drive with Personal Info on 2,600 Delphi Workers
A flash drive containing private information on 2,600 former Dayton-area Delphi workers has recently been stolen from an unattended laptop of a Job and Family Services department employee. The information stored on said drive included names, addresses, social security numbers and telephone numbers of the workers.
Helen Jones-Kelley, director of the Job and Family Services department, quoted by the Dayton Daily News, said leaving the laptop unattended during lunch hour was a violation of department policy and the responsible employee could be taken disciplinary actions against, including termination.
In what those affected are concerned, the same department representative said they have sent letters to all those involved.
11 Arrested in the TJX Identity Theft and Data Breach Case
The FBI has arrested 11 people in the case of the largest identity theft and data breach in history that targeted TJX and other companies. The suspects of which three are US citizens are believed to have taken part in the theft of over 40 million credit and debit card accounts from 9 major retailers and restaurants. Stealing that much data was possible after installing malicious software on the systems of TJX Companies, BJ’s Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority, Forever 21, DSW, Dave & Busters and Boston Market.
Never surpassed in the time it has passed has been covered constantly by the media. The Reigster tells the story of the breach in a recent article: in the beginning of 2007, TJX first reported the a breach by unknown idividuals who had at the time stolen 46.5 million credit cards, number later proved to be twice as high. According to the Register, the fraud have been going on for quite a while when TJX reported it, as a year earlier industry watchers had noticed an unusual increse in debit card fraud at retailers OfficeMax and Sam’s Club.
US Attorney of Massachussets and the US Attorney General had both commented on the issue:
“While technology has made our lives much easier it has also created new vulnerabilities,” Michael J. Sullivan, US Attorney for the District of Massachusetts, said in a statement announcing the indictments. “This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results.”
“They used sophisticated computer hacking techniques, breaching security systems and installing programs that gathered enormous quantities of personal financial data, which they then allegedly sold to others or used themselves,” US Attorney General Michael Mukasey said in prepared remarks. “And in total, they caused widespread losses by banks, retailers, and consumers.”
Other than having a sophisticated and high end technique of stealing the information, the ring of thieves also had multiple way to turn the theft into profit, either by selling the data to other criminals or by using it to create fake cards and withdraw thousands of dollars at a time.
The eleven arrested individuals are from the United States, Estonia, Ukraine, the People’s Republic of China and Belarus. The FBI is still in pursuit of another member of the group who is only known by his online alias and continues to elude authorities. Let’s hope he’s caught soon enough!
Countrywide Employee Arrested For Stealing Customer Private Data
Californian FBI agents have recently arrested a Countrywide Financial Corp. employee suspected to have stolen personal information about the home mortgage lender’s customers. This new negative event puts a whole new pressure on the company who has been severely affected by the current lending crisis and has also been investigated for fraud.
According to a Computerworld article, Rene Rebollo who was a senior financial analyst for Countrywide Home Loan’s subprime mortgage division, accessed customer data through his work computer and saved it onto flash drives that he then took out of the company. According to the FBI, Rebollo admitted three months ago to have given the private information to third parties. Another man accused of having bought the stolen data was also arrested along with Rebollo.
How much money did Rebollo make from selling the data? Not nearly enough to compensate the minimum 5 years he could spend in jail: 50,000 to 70,000 dollars! Countrywide is now analyzing if he has really exposed the identity of customers and if this is the case, all those affected will be notified.
It would be interesting to see a subsequent analysis of how much Countrywide lost in this affair. But it is hard to determine the costs of a bruised image and shattered trust in the company.
Laptop With Anheuser-Busch Employees’ Private Data Stolen
Global beverage company Anheuser-Busch has recently released information on the theft of a laptop containing private records of current and former employees. The theft took place in June at an office from the St. Louis area.
Tim Farrell, the company’s vice president for corporate human resources, quoted by DailyPress.com said Anheuser-Busch sent letters to an undisclosed number of employees and ex-employees letting them know what had happened. As the stolen laptop contained Social Security numbers, home addresses and marital status, the company also offered a year of free credit reporting. According to the same source, the private records stored on the stolen computer was password-protected and encrypted.
Banks Prefered by Fraudsters in 2008
It looks like fraudsters have a thing for banks and have been showing this affinity in the first six months of the year. This is the conclusion of the latest Fraud Barometer released KPMG Forensic’s.
According to the barometers quoted by CRN UK, fraud has increased by 50 percent, generating 630 million pounds for fraudsters. Banks toped in losses, reporting a record amount of 350 million, with 128 fraud cases coming to court. The most frequent types of fraud were mortgage fraud, and accounting and employee frauds.
KPMG also released dark predictions for the future, stating that the figures they released are most likely to get worse, one of the causes being the full impact of the credit crunch.
Stay Clear of Computer Threats on Vacation and Business Trips
And how exactly can you do that? CoSoSys has just released version 3.0 of Carry it Easy +Plus which focuses on increased security for security for USB flash drive users that access their data on public PCs like in internet cafés or hotel business centers.
Carry it Easy +Plus 3.0 has a whole range of features on display that are great for road warrior or the luckier ones of us who are vacationing: Website Password Manager, PC-Screen Lock128 bit AES data encryption, Outlook e-mail, contact and calendar sync, File & Folder Sync, No Trace Internet Browsing and much more.
So why do you need such tight security? The official release explains it:
When vacationing or travelling for business, the simplest technology-bound actions on your daily routine can expose you to real threats. Accessing your webmail account in an Internet café or on a different public PC you might run across in hotel business lounges or in airports exposes you to having your login credentials stolen by keyloggers or other malicious applications. The same can happen when plugging in your notebook in an unsecured network.
With the new SafeLogin feature in Carry it Easy +Plus as your password manager, all your website login credentials are stored securely in encrypted format on your portable storage device and automatically entered on any PC without the use of a keyboard. This feature does not only make logging in secure but also more convenient.
US Federal Agencies Welcome Data Theft
After 15 months of investigation into 24 major US federal agencies, the Government Accountability Office (GAO) has release a report showing that key US Departments still don’t take data security seriously. Given the list of breaches we’ve been covering affecting everyone from colleges and hospitals to the US Army, I’d say it’s high time they started!
According to the report quoted by Vnunet.com, around 70 percent of laptops and handhelds used by agency failed to comply with Office of Management and Budget (OMB) rules and didn’t use encryption making the data available to anyone intending to steal it. The OMB rules are not even close to being new, as they decided all federal laptops should be encrypted back in 2007.
“We are recommending that OMB clarify governmentwide encryption policy to address agency efforts to plan for and implement encryption technologies,” said the report.
“We are also making recommendations to selected agencies to properly install and configure FIPS-compliant encryption technologies, to develop policies and procedures to manage encryption, and to provide encryption training to personnel.”
Other practices of extremely low levels of security (or should we say non-existent security) include Nasa employees refusing to deploy encryption software on their laptops and members of the Department of Education who weren’t told encryption software was installed so they of course weren’t using it. From what I know if they’re using Windows, whenever a new program is installed, you have a quite nagging message in your Startup Menu. How patient must one be to simply ignore it over and over again 
Slim Risks, yet HCC Still Warns of Lost Data
Hillsborough Community College programmer’s laptop stolen from a hotel parking lot in Georgia rises identity theft concerns. All the private records the laptop used to contain on about 2,000 HCC employees has previously been deleted and the computer is password-protected, yet fears of someone with sophisticated software retrieving the data made HCC take action.
Spokeswoman Ashley Carl told Tampa Bay Online that the programmer had been working on a payroll project for a group of employees using their names, bank-routing numbers, retirement information and Social Security numbers but had subsequently deleted the data and also emptied the Trash bin.
The college also is looking into acquiring technology that will allow workers to remotely locate laptops and to encrypt computers or disks. In addition, it stressed to employees who use laptops to use extra caution when securing the devices.
HCC officials announced all their potentially affected employees of the threat and advised them to closely monitor their bank accounts. This was indeed a speedy and rather thorough reaction from HCC, especially since their determined to prevent future incidents by deploying and endpoint security solution along with enforcing other IT security policies.
