Endpoint Protector Appliance: Stop data theft on Windows and Mac

Corporate data breaches raise the risk of consumer ID theft

November 13th, 2009 by Agent Smith (0) Data Theft & Loss,Identity Theft,Research and Studies

If a company, bank or hospital handling your private details has suffered a data breach, you are four times more likely to have your identity stolen. So if you have received a notification letting you know your data has been exposed, you should acknowledge the greater risk of ID theft or fraud, says a recent study by Javelin Research quoted by DarkReading.

This new report completely contradicts breached companies, who commonly state they have no indication that the compromised data has been used by criminals.

“During each of the past three years, an average of 11 percent of consumers received a breach notification,” Javelin said. “Slightly more than 33 percent of breach victims experienced exposure of their Social Security numbers, and 15 percent of breach victims had their ATM PINs compromised. [But] despite 19.5 percent of breach victims suffering some kind of fraud in the past year, only 2 percent attribute their fraud to the breach.”

Endpoint Security and Device Control Solutions with low TCO and great ROI.

Website exposes sensitive data on Californian commuters

September 11th, 2009 by Agent Smith (2) Identity Theft,In The Spotlight

Military personnel included in exposed group of carpooling employees

A website built to help commuters carpool to work is exposing sensitive information of workers for hundreds of employers in Southern California, including at least one military installation. The data breach was caused by programming errors in the website code.

The bugs, discovered on the RideMatch.info website, enable hackers to easily access personal information such as names, home addresses, phone numbers, the times they commute to and from work, and in some cases employee numbers. According to a recent article published by The Register, the SQL injection vulnerability was still active 2 days ago, although it had been discovered two weeks before and reported to a developer who runs the website.

The issue was discovered and reported by Kristian Hermansen, a security researcher. Upon receiving a form to fill in from his employer, apparently a legal requirement for all employees, he investigated the website where the information was to be posted.

RideMatch.info is a joint project developed by transit authorities in five regional governments in Southern California. Each individual using the website enters work and home addresses and the time they leave from each. Based on the data, the website then teams them with others who live and work nearby and commute at similar times, thus providing an effective carpool matchmaking service. Too bad the same range of data can be accessed by any hacker willing to exploit the vulnerability!

Second Hand Hard Drive with Missile Defense Data

Buying second hand PCs can be quite an adventure, especially if they contain sensitive information that could blow one’s mind, as happened to a group of researchers from the University of Glamorgan in Scotland. According to a DarkReading article, the researchers found their used hard drives to contain details of test-launch procedures for a U.S. defense missile.

The researchers have included these findings in the results of a five-year study that aimed to show the dangers of poor hard drive and device data-wiping and disposal practices. According to this year’s results, which are not yet final, the research also led them to sensitive data from Ford Motor, Laura Ashley, and other businesses.

This year, the researchers found personal or sensitive data on 34 percent of 300 hard disks bought randomly at computer fairs and online auctions in the U.K., U.S., Germany, France, and Australia. The information was enough to expose individuals and firms to fraud and identity theft, they said.

So if someone indulged in the idea of starting a fraud or theft based scam, all they would need is to start buying used computer parts. It’s easy and far less dangerous than actually attempting to steal the data directly from the businesses currently using them.

CoSoSys uses humor to teach about security threats

March 12th, 2009 by Agent Smith (0) DLP,endpoint security,In The Spotlight,security breach

As you’ve probably seen on this blog, there is news about security breaches, people who’ve been affected by identity theft and fraud, and billions of dollars in losses every single day. Even more per day in really bad cases. Although there’s a ton of information out there, individuals and companies still fail at protecting themselves against such breaches and at keeping their private data safe.

CoSoSys, leading developer of endpoint security and data loss prevention solutions, has chosen a different approach to raise awareness about the risks we face every day: humor, namely a series of comic strips showing what can really happen. As CNET puts it, they put the fun back in security threats.

The first comic, originally published on CoSoSys’ EndpointProtector.com site, shows how easy it is for an employee to copy your entire database and take it to your main competitor. A simple thumb drive, three minutes left alone in the office, and that’s it!

But since fun and laughter are not the strip’s only goals, each issue also helps you find out what to do and how to do it. Designed to promote the company’s most popular DLP, endpoint security and device management solution, Endpoint Protector, each issue will show how everything can be prevented.

“Recent research performed in both the US and the UK shows a troubling trend: data breaches are rising in numbers and in costs as well. Millions of people have their data exposed to identity theft or fraud each year and few of those affected or those responsible of the incidents know that most of these instances could easily be prevented. Making sure that your private records and all endpoints in your network are secured is not a difficult task. That is why we are committed to put our best efforts into raising awareness and educating the public about staying safe without making any lifestyle compromises”, explained Roman Foeckl, CoSoSys CEO.

The next issues of the strip will be published each Thursday for the next 7 weeks. You can see them here or register to get them by email. Easier if you ask me, as remembering to visit a link every week is not something I usually do.

FAA Data Breach Exposes Records of 45,000

February 21st, 2009 by Agent Smith (0) Data Theft & Loss,Identity Theft,security breach

A recent breach reported by the Federal Aviation Administration has exposed the private data of about 45,000 employees, as a result of a hack in one of the FAA computer systems. The FAA has released a warning notice, quoted in Dark Reading, stating that employee personal identity information was stolen during the illegal access. Those affected by this security breach will also receive individual letters, letting them know their data has been stolen and is probably being used in fraud or identity theft attempts.

“Two of the 48 files on the breached computer server contained personal information about more than 45,000 FAA employees and retirees who were on the FAA’s rolls as of the first week of February 2006,” states the notice. “The server that was accessed was not connected to the operation of the air traffic control system or any other FAA operational system, and the FAA has no indication those systems have been compromised in any way.”

The FAA also stated it has learned its lesson and taken the necessary steps to prevent future incidents of the sort. They are also taking long term measures to protect personal information. As for those who have been affected by this very real breach, there’s a toll-free number and some details on the employee site.

TJX finds closure for breach in big time sale

We’ve all come to refer to the TJX data breach as the largest one in history, with an estimated 45.7 million credit card accounts exposed through a breach in the discount retailer’s wireless network. Some even place the number of affected accounts in the vicinity of 94 million. Whichever the real number is, it is huge and scary, and as it happened over a significant period of time, it got plenty of coverage.

In the recovery process, they had to pay 40.9 million dollars to settle a lawsuit, but according to the Register TJX had created a 118 million fund to pay for breach-related damages in August 2007. 11 people were charged in connection with the data theft and some trials are still ongoing. The retailer has made an attempt to close this dark chapter for good by offering one-day 15 percent discounts in all its US and Canadian stores, as a token of their appreciation for the customers “for retaining their loyalty after it did such a bad job of retaining their records”.

Nice strategy to reward customers, build trust and boost sales at the same time! But I believe they need to implement all the cutting edge security toys in the market and make every new added layer of protection public to ease the minds of those affected.

1.5 million exposed in RBS WorldPay Breach

January 7th, 2009 by Agent Smith (0) Data Theft & Loss,Identity Theft

Fashionably late, as the who’s who laws require, electronic payment services firm RBS WorldPay has admitted a breach that exposed 1.5 million payroll and gift card holders to fraud and identity theft. The breach was caused by a group of hackers finding their way into the RBS network and accessing about 1.1 million social security records, along with other private details, reports The Register.

RBS disclosed the breach to law enforcement and regulators on November 10, but waited until December 23rd to also let those affected know their private data was at risk. Great Christmas gift idea! Yet the company pledges strong commitment to prevent any fraud or identity theft attempts and offers 12 months complimentary membership to a credit monitoring service to all those whose personal information has been exposed by the hackers. Does this mean they will also take a good look at everything going on in their customers’ accounts between November 10 and December 23? 100 payroll cards have already been misused as a result of the breach, but have been deactivated since. We hope the toll does not go up.

Starbucks Loses Laptop with Employee Information

December 4th, 2008 by Agent Smith (0) Data Theft & Loss,Identity Theft,security breach

In the second half of November, Starbucks disclosed a security breach that had occurred a month earlier. A company laptop went missing and was thought to be stolen. It contained private details of 97,000 employees from across the USA.

The data loss was announced through a memo posted on Starbucksgossip.com and was later confirmed by Starbucks officials. The memo also recommended that those affected monitor their financial accounts and look for any suspicious activities, as well as take all the necessary steps to prevent misuse of the lost records.

According to Seattlepi.com, this isn’t the first laptop containing company information stolen from Starbucks. In 2006, the company discovered it had misplaced 4 out-of-use laptops containing the names, addresses and Social Security numbers of 50,000 former and 10,000 then-current employees. One would expect enhanced security after such an incident.

Inmate Exposes Prison Employee Data Base

November 30th, 2008 by Agent Smith (0) Data Theft & Loss,Identity Theft

There’s an ongoing silent war between inmates and the personnel of the prison holding them. There have been quite a few movies on riots, guards having their families threatened and other such. And now this topic hits the endpoint security arena: a former inmate has hacked into a prison’s network and made the employee database available to his fellow inmates.

The 42-year-old Francis G. Janosko accessed the names, addresses, dates of birth, social security numbers and telephone numbers of employees working for the Plymouth County Correctional Facility in Massachusetts, said the US District Court in Boston. Using a thin client connected to a prison server, Janosko exploited a bug in legal research software made available to inmates to gain access to the database.

Janosko then shared the private details with his fellow inmates and also managed to access the Internet and download videos and digital photographs of prison employees, inmates and aerial shots of the prison. The hacking took place between October 2006 and February 2007. He is currently charged with identity theft and intentional damage to a protected computer. If convicted, the maximum sentence is 12 years in prison and a fine of $250,000. He could additionally be forced to pay unspecified restitution.

British party membership list gets posted online

November 21st, 2008 by Agent Smith (1) In The Spotlight,security breach

If you are British and have been plotting to stalk a member of the British National Party (BNP) you might just have missed the opportunity. A list with all the party’s members, including names, addresses, and email addresses has recently shown up online. Some of those who just got exposed online are also underage (an extra “benefit” of the family plan BNP offers) and others had mentions of other personal details made public, such as job or hobbies.

As the Register puts it, “That’s how we know that that BNP members include receptionists, district nurses, amateur historians, pagans, line dancers and a male witch.” Members reacted pretty strongly, filling their comments with curses and outrage. As certain professions in the UK are expected to have no political color, they might even lose their jobs, and according to several blog sources, some pretty powerful people in the BNP are to blame for the leak.

BNP spokespersons found out about the leak from the Register, but although completely unaware, they promised to treat whoever is responsible quite harshly!