US Federal Agencies Welcome Data Theft

After 15 months of investigation into 24 major US federal agencies, the Government Accountability Office (GAO) has release a report showing that key US Departments still don’t take data security seriously. Given the list of breaches we’ve been covering affecting everyone from colleges and hospitals to the US Army, I’d say it’s high time they started!

According to the report quoted by Vnunet.com, around 70 percent of laptops and handhelds used by agency failed to comply with Office of Management and Budget (OMB) rules and didn’t use encryption making the data available to anyone intending to steal it. The OMB rules are not even close to being new, as they decided all federal laptops should be encrypted back in 2007.

“We are recommending that OMB clarify governmentwide encryption policy to address agency efforts to plan for and implement encryption technologies,” said the report.

“We are also making recommendations to selected agencies to properly install and configure FIPS-compliant encryption technologies, to develop policies and procedures to manage encryption, and to provide encryption training to personnel.”

Other practices of extremely low levels of security (or should we say non-existent security) include Nasa employees refusing to deploy encryption software on their laptops and members of the Department of Education who weren’t told encryption software was installed so they of course weren’t using it. From what I know if they’re using Windows, whenever a new program is installed, you have a quite nagging message in your Startup Menu. How patient must one be to simply ignore it over and over again

Endpoint Security Strategies for SMBs

SMBs have specific requirements when it come to IT security in general and endpoint security in particular: they need comprehensive policies, high-end technology, all downsized at a larger scale and a fair price. They don’t need cheap and unreliable solutions, they just need the best there is, adjusted to their size.

If you’d like to know more about what the IT security market has to offer, what challenges arise from the current business environment, which are the real threats SMBs face, how to properly asses the costs of a security breach, how easy it is to lose data or have it stolen, read the latest white paper published by CoSoSys, Easy Guide to Comprehensive IT Security Strategies for SMBs - High-End Endpoint Security, Data Loss Prevention and Portable Device Management at a Reduced Scale.

Data Watchdog Warns of Poor Data Protection in UK Institutions

Data protection watchdog, the Information Commissioner’s Office has recently confirmed that it has served enforcement notices on two UKgovernmental institutions, HM Revenue and Customs and the Ministry of Defence.  The decision, made public in the Information Commissioner Richard Thomas’ annual report comes as a response to high profile data breaches occurring within the twe organizations.

According to IT Week, both departments will be compelled to provide progress reports detailing how they are improving data governance practices.

This piece of news comes shortly after the same office called for European data protection laws to be reformed to make them more business-friendly. The recommendation was made by the same Richard Thomas at the annual Privacy Laws and Business conference in Cambridge. Thomas said existing legislation was out-dated and increasingly ill-suited to the internet age.

Insider Attacks Double in the First Half of 2008

Security attacks caused by insiders have doubled in the last year, according to the latest report released by the Identity Theft Resource Center (ITRC). The Center found that almost 16 percent of breaches reported so far in 2008 were insider-born and went up from 6 percent in 2007. 11.7 percent of the attacks came from individuals outside the company, down from 14.1 percent in 2007.

According to Dark Reading, the ITRC’s data is consistent with other reports on insider incidents showing an increase of such attacks. Additionally, many experts believe that disclosure of all incidents is also on the rise, mostly due to the legal requirements put in place by many states over the last year.

Data stolen from laptops, thumb drives, and PDAs accounted for 20.2 percent of this year’s breaches so far, followed by accidental exposure by the organization (15.2 percent), and loss or theft by a subcontractor (13.5 percent).

Public Access vs. Private Records Protection

The European Data Protections Supervisor Peter Hustinx stated he was unhappy with the proposed law aimed at improving public access to EU documents. The European Commission proposed the law as a means to improve European government transparency.

Yet according to Computing.co.uk, Hustinx is concerned the security measures to protect personal data from public documents are inefficient. His concern was trigger when a reference to possible harm to “the privacy and the integrity” of the individual was deleted from the initial proposal.

“Public access on the one hand and privacy and data protection on the other are fundamental rights which represent key elements of good governance,” said Hustinx.

We’ll just have to wait and see what the will happen, and if the right to right to public access will win the battle, we could recommend some DLP solutions :).

Stockbrokers Get Fine for Poor Security

The Financial Services Authority (FSA) has recently fined a firm of stockbrokers for failing to adequately protect their customers from the risk of identity fraud. FSA, quoted by the Register, said the company’s poor security included failing to manage, among others, the risks posed by staff using instant messaging and web-based email.

London-based Merchant Securities Group Limited also failed to verify the identities of customers contacting the firm by telephone. They instead relied on being able to recognize customers’ voices and informally asking them about personal matters such as holidays or hobbies. The firm also had the habit of including private account numbers in routine letters which could then lead to fraud or identity theft.

The FSA also found that back-up tapes containing unencrypted customer information were stored overnight in a bag at the home of a member of staff.

The London-based firm also failed to implement adequate controls “to mitigate the risk of customers’ personal data being transmitted outside the firm by failing to prevent the use of instant messaging and web-based email,” according to the penalty notice (pdf) served by the FSA.

DPS-contracted Company Breached

Private records of 826 state employees were recently stolen from a home office from Wichita Falls, Texas. An employee of L-1 Identity Solution was keeping the information in a lockbox, pending to do fingerprinting, as agreed with the Department of Public Safety.

All the affected individuals are being notified by mail that their names, home addresses, dates of birth, driver’s license and Social Security numbers are missing and they are exposed to identity theft and fraud. According to KXAN.com, about 100 of those affected work for the State Board of Education. The incident comes less than a year after the Texas Legislature mandated that all education employees submit their fingerprints for criminal background checks.

Montgomery Ward Kept Customers in the Dark on Data Theft

In a security breach not yet reported to its customers, Montgomery Ward, an old-line merchant now operating as an internet retailer had 51,000 credit card numbers stolen. The private records have been stolen in December from an online database containing credit card account information.

According to SC Magazine, the furniture retailer operates on the internet on the Wards.com site and is actually owned b Direct Marketing Services.

Direct Marketing Services notified the major credit card brands of the incident but failed to alert customers. Now that the breach has been exposed, they’ve had a change of hart and are planning on letting all those affected know of the breach.

New PCI Standards Disregard Inside Threats

Starting June 30, new measures inserted in the Payment Card Industry (PCI) standard will be inforced. However, representatives of a database security firm point out that the new additions do nothing to address inside threats.

As Vnunet.com shows in a recent article, the new measures require that companies dealing with stored credit card and other consumer financial data either install firewalls around all internet-facing applications or have all customer application code reviewed for common vulnerabilities.

Secerno representatives showed that the new and “improved” standard does not address real threats effectively:

“The PCI Data Security Standard has the best intentions but, as is the case with many compliance directives, it barely addresses the most immediate and upcoming threats to consumer data,” said Paul Davie, founder of Secerno.

“It is generally inadequate for addressing the sort of internal threat that can be exploited easily, such as by general or privileged users.”

Other than completely ignoring ill willed insiders, the PCI standard also fails to regulate data encryption requirements, database security policies, measures of protecting data on private networks.

Breach Disclosure Laws are Pointless

Researchers at the Carnegie Mellon University have just released data showing information security breach laws enforced in the US have failed to reduce identity theft. According to the Register, these findings come at a time when there’s an increased demand for similar laws in Europe that would oblige organizations to notify customers in cases where their personal details become exposed.

Research findings were based on a state-by-state analysis of data from the US Federal Trade Commission (FTC). They analyzed identity theft complaints made to the FTC from 2002 to 2006, trying to spot differences after states introduced data breach disclosure laws. California was the first state to introduce such regulations and 43 other states have since followed its lead.

The researchers determned that factors such as changes in average income and population in a state or overall levels of fraud had a much greater impact on fraud rates than these laws, as a Register reproduction of the abstract to the paper shows:

We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult. However, we appreciate that these laws may have other benefits such as reducing a victim’s average losses and improving a firm’s security and operational practices.

“There doesn’t seem to be any evidence that the laws actually reduce identity theft,” Sasha Romanosky, a PhD student at Carnegie Mellon and one of three authors of the study, told Computerworld.