Montgomery Ward Kept Customers in the Dark on Data Theft
In a security breach not yet reported to its customers, Montgomery Ward, an old-line merchant now operating as an internet retailer, had 51,000 credit card numbers stolen. The private records were stolen in December from an online database containing credit card account information.
According to SC Magazine, the furniture retailer operates on the internet through the Wards.com site and is actually owned by Direct Marketing Services.
Direct Marketing Services notified the major credit card brands of the incident but failed to alert customers. Now that the breach has been exposed, they’ve had a change of heart and are planning on letting all those affected know of the breach.
New PCI Standards Disregard Inside Threats
Starting June 30, new measures inserted in the Payment Card Industry (PCI) standard will be enforced. However, representatives of a database security firm point out that the new additions do nothing to address insider threats.
As Vnunet.com reports in a recent article, the new measures require that companies dealing with stored credit card and other consumer financial data either install firewalls around all internet-facing applications or have all custom application code reviewed for common vulnerabilities.
Secerno representatives argued that the new and “improved” standard does not address real threats effectively:
“The PCI Data Security Standard has the best intentions but, as is the case with many compliance directives, it barely addresses the most immediate and upcoming threats to consumer data,” said Paul Davie, founder of Secerno.
“It is generally inadequate for addressing the sort of internal threat that can be exploited easily, such as by general or privileged users.”
Besides completely ignoring ill-willed insiders, the PCI standard also fails to regulate data encryption requirements, database security policies, and measures for protecting data on private networks.
Breach Disclosure Laws are Pointless
Researchers at Carnegie Mellon University have just released data showing that the information security breach laws enforced in the US have failed to reduce identity theft. According to the Register, these findings come at a time when there is increased demand for similar laws in Europe that would oblige organizations to notify customers when their personal details become exposed.
Research findings were based on a state-by-state analysis of data from the US Federal Trade Commission (FTC). They analyzed identity theft complaints made to the FTC from 2002 to 2006, trying to spot differences after states introduced data breach disclosure laws. California was the first state to introduce such regulations and 43 other states have since followed its lead.
The researchers determined that factors such as changes in a state’s average income and population, or overall levels of fraud, had a much greater impact on fraud rates than these laws, as the abstract of the paper, reproduced by the Register, shows:
We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult. However, we appreciate that these laws may have other benefits such as reducing a victim’s average losses and improving a firm’s security and operational practices.
“There doesn’t seem to be any evidence that the laws actually reduce identity theft,” Sasha Romanosky, a PhD student at Carnegie Mellon and one of three authors of the study, told Computerworld.
The US and Romania, a Perfect Team
It looks like Romanians and US citizens are really great at teaming up, regardless of their intentions. While a team of 22 Romanians and 9 Americans got together to create a credit and debit card fraud ring, the US and Romanian authorities, helped by other countries, collaborated on catching them. SecurityFocus covered the story, but their numbers are a bit blurry. They speak of 33 individuals being charged on this issue, but for the life of me I can’t tell who the other 2 are. Maths mistake or 2 more of different citizenship?
The members of the fraud gang allegedly used spam e-mail messages to get their victims to visit a fake website, where they were urged to enter financial details. The U.S. members of the group used the gathered information to create counterfeit credit and debit cards, then stole millions of dollars from thousands of cards.
“International organized crime poses a serious threat not only to the United States and Romania, but to all nations,” Deputy Attorney General Mark R. Filip said during a press conference in Romania, according to a statement announcing the indictment. “Criminals who exploit the power and convenience of the Internet do not recognize national borders; therefore our efforts to prevent their attacks cannot end at our borders either.”
TJX Fired Employee Who Exposed Their Lack of Security
TJX, the company where the world’s biggest data theft involving credit card information occurred, fired an employee who exposed the company’s faulty security practices by leaving posts in an online forum. The story of the employee showing how easy it was to breach TJX was made public by the Register.
Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards. Benson said he was fired on Wednesday after managers said he disclosed confidential company information online.
Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers. He said he brought the security issues to the attention of a district loss prevention manager named Allen in late 2006, and repeatedly discussed them with store managers. Except for a stretch when IT managers temporarily tightened password policies, the problems went unfixed.
According to the Register, Benson’s posts never revealed enough information to actually facilitate a security breach at TJ Maxx, but that didn’t really help him keep his job. All for the best, if we consider his statement:
“They’re telling the public they’re PCI compliant,” he said, referring to so-called payment card industry security rules governing businesses that accept credit and debit cards. “That I think is unethical.”
He also admitted he hadn’t acted out of selfless motives. As he pointed out, he still has private records stored on the TJX network. A faulty security system would expose him as much as any other employee or customer.
Hospitals, a Danger to Your Personal Data
According to a recently released study carried out by research firm HIMSS Analytics and risk management company Kroll Fraud Solutions, from 2006 to 2007 over 1.5 million patients’ personal information was exposed through hospitals alone, leaving them exposed to identity theft. The survey does not, however, take into account insurance companies, pharmaceutical companies or individual doctors’ offices, which would have significantly increased the total number.
According to Dark Reading, we should keep in mind that these numbers are based on reported breaches only. About 44 percent of hospitals that experienced a breach in 2007 didn’t inform the patients whose records were affected, as shown in the study.
Hospitals are not paying enough attention to security issues, and the steps they are taking are often ineffective, the HIMSS/Kroll study says. While there is high awareness of the security requirements described in the Health Information Portability and Accountability Act (HIPAA) among hospital IT professionals, most hospitals are putting too much emphasis on compliance and not enough on real security vulnerabilities, the study says.
This lack of attention could lead to real problems for individuals down the road, the study warns. Hospitals are often a source for birth, health, and death records that can be very valuable to criminals, and patient data breaches are among the most difficult to clean up, because compromises or changes can affect insurance eligibility or even patient safety if the data is manipulated.
CoSoSys’ Secure it Easy to Protect VIPdesk Critical Data on Removable Storage Devices
CoSoSys, the leading provider of Endpoint Security solutions, announced today that VIPdesk, a pioneer of premium home-based contact center solutions and concierge services, has selected the newly released Secure it Easy version 2.0 software to manage and enforce the company’s portable device security guidelines. Secure it Easy efficiently protects VIPdesk’s remote workstations and notebooks owned by its home-based agents against data loss, data theft and other forms of data leakage.
See more details in the company’s online press room.
CoSoSys to Protect VIPdesk’s Critical Data Housed on Removable Storage Devices
CoSoSys, the leading provider of Endpoint Security solutions, announced today that VIPdesk, a pioneer of premium home-based contact center solutions and concierge services, has selected their most recently released Secure it Easy software, version 2.0, to manage and enforce the company’s portable device security guidelines. Secure it Easy efficiently protects VIPdesk’s remote workstations and notebooks owned by its home-based agents against data loss, data theft and other forms of data leakage.
“Legislative requirements enforced by an increasing number of US states and the recent Federal Trade Commission rulings against companies who did not prevent sensitive data exposure are stipulating clear actions to be taken in case of data theft or private record exposure. Such laws call for proactive management of portable devices that are capable of storing private information,” said Roman Foeckl, Managing Director of CoSoSys. “This set of features within Secure it Easy enables organizations of all sizes to better comply with government regulations and industry standards regarding data breach management and IT governance.”
See the full press release here.
IBM Thinks the Security Business is Dead
At the RSA Conference 2008 taking place in San Francisco, IBM stated that it is going to leave the security business and start providing sustainable solutions instead. This declaration was made by Val Rahmani, general manager of IBM ISS and of security and privacy for IBM Global Technology Services, and was quoted by Dark Reading:
“The security industry is flying by the seat of its pants,” Rahmani said. “Security infrastructure has been dictated by the bad guys… as new threats arise, we put new products in place. This is an arms race we cannot win.”
So, how does IBM define the creation of sustainable business?
Business sustainability is all about building security into systems and processes, she said. “If we really want to get ahead of the threat, we need to start thinking about re-engineering our businesses and processes. We need to make them more secure and compliant by design, and we need to move more security and compliance technologies into the fabric of our standard infrastructure and application environments.”
“It’s time to give up on the fantasy that education and antivirus will cure consumer security woes. It is not up to consumers to protect themselves. It is not their problem. It is our problem, because online commerce is not sustainable if it is not inherently secure. And the only way to make it inherently secure is to take ownership of the security problem.”
Fighting Trojans, worms, insider attacks, and outsider attacks one by one is futile, she said.
Interesting approach indeed! However, I can’t help noticing how the security industry is limited to antivirus applications (antispam solutions are not even mentioned). In a technological world where most security solutions are moving towards standard compliance, where niche security fields, such as endpoint security, stress the need to manage threats and benefit from advantages instead of blocking threats and benefits alike, the IBM position seems to come a bit late. IT security is definitely more than trying to keep viruses away; maybe someone should tell IBM about it.
Sensitive Medical Data of 2500 Patients Stolen
Private medical details of over 2,500 patients taking part in a study conducted by the National Institutes of Health have been stolen. The information was stored on a government laptop computer which was stolen in February. The data accounted for seven years of clinical trials, exposing names, medical diagnoses and details of patients’ heart scans. Although government policy requires it, the stolen data was not encrypted.
It took NIH a month to reveal the theft and start notifying the patients whose sensitive records were lost. According to the Washington Post, the reason behind NIH officials’ hesitation was their concern that they would cause false alarms.
Elizabeth G. Nabel, director of the National Heart, Lung and Blood Institute (NHLBI), said in a statement issued late Friday that “when volunteers enroll in a clinical study, they place great trust in the researchers and study staff, expecting them to act both responsibly and ethically.” She said that “we deeply regret that this incident may cause those who have participated in one of our studies to feel that we have violated that trust.”
NIH officials said the laptop was taken Feb. 23 from the locked trunk of a car driven by an NHLBI laboratory chief named Andrew Arai, who had taken his daughter to a swim meet in Montgomery County. They called it a random theft. Arai oversees the institute’s research program on cardiac magnetic resonance imaging and signed the letters to those whose data was exposed.
Given this recent data theft incident, government agencies should really take the findings of the Government Accountability Office regarding security more seriously and start implementing more effective security policies.