Breach Disclosure Laws are Pointless
Researchers at the Carnegie Mellon University have just released data showing information security breach laws enforced in the US have failed to reduce identity theft. According to the Register, these findings come at a time when there’s an increased demand for similar laws in Europe that would oblige organizations to notify customers in cases where their personal details become exposed.
Research findings were based on a state-by-state analysis of data from the US Federal Trade Commission (FTC). They analyzed identity theft complaints made to the FTC from 2002 to 2006, trying to spot differences after states introduced data breach disclosure laws. California was the first state to introduce such regulations and 43 other states have since followed its lead.
The researchers determined that factors such as changes in a state's average income and population, or overall levels of fraud, had a much greater impact on fraud rates than these laws, as a Register reproduction of the paper's abstract shows:
We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult. However, we appreciate that these laws may have other benefits such as reducing a victim’s average losses and improving a firm’s security and operational practices.
“There doesn’t seem to be any evidence that the laws actually reduce identity theft,” Sasha Romanosky, a PhD student at Carnegie Mellon and one of three authors of the study, told Computerworld.
LifeLock Sued By Customers
LifeLock, vendor of a much contested fraud-prevention service, has been sued by three very unhappy customers from three US states. The customers are upset because they feel LifeLock fails to provide the comprehensive protection it advertises.
As the Register reports, the lawsuits have been initiated by three customers from Maryland, New Jersey and West Virginia. They target LifeLock ads in which CEO Todd Davis says he is so confident in the service that he volunteers his Social Security number.
What isn’t mentioned is that on at least 87 occasions, Davis’s Social Security number has been used in attempts to steal his identity, and at least one of those times, the perpetrator was successful.
“It’s further evidence of the ineffectiveness of the services that LifeLock advertises,” David Paris, an attorney suing on behalf of the dissatisfied customers, told the Associated Press. Davis also told AP reporter Jordan Robertson it’s possible that driver’s licenses have been issued to other people in his name as a result of the widespread availability of his personal information. But he ascribes this possibility to flimsy fraud checks used by most departments of motor vehicles, rather than the ineffectiveness of his service.
Europeans Protect Their Passwords, Not Personal Data
A survey conducted by conference group Infosecurity Europe showed Europeans are getting smarter and better at protecting their passwords, but are still not making enough efforts to protect their personal data.
According to the survey quoted by SecurityFocus, only 21% of the nearly 600 people queried near Liverpool Street Station in London gave up their password when offered an incentive (in this case, a chocolate bar), down from 64% last year. However, of those refusing to reveal their passwords, six in ten later identified the type of information, such as date of birth, pet's name, or anniversary date, they had used to create their password.
Women appear to be more trusting with password information than men, giving up their secret code 45 percent of the time, compared with only 10 percent of the time for men. The result may indicate that computer-security training of female office workers is behind that of their male counterparts.
Another incentive used in the survey was a fictitious prize draw with a Paris trip as the prize. Seven out of ten people gave up their name and e-mail address or a phone number, while six out of ten people revealed their date of birth.
“This research shows that it’s pretty simple for a perpetrator to gain access to information that is restricted by having a chat around the coffee machine, getting a temporary job as a PA or pretending to be from the IT department,” Claire Sellick, event director for Infosecurity Europe said in a statement. “This type of social engineering technique is often used by hackers targeting a specific organization with valuable data or assets such as a government department or a bank.”
CareFirst Dental HMO Exposes Data of 75,000 Members
One of the purposes of Endpoint Security is to actively prevent damage caused by insider threats. Such threats don't only mean malevolent employees waiting around the corner to steal proprietary technology or private records. They also include members of your organization being mugged, or simply losing a laptop, PDA, iPhone or flash drive holding sensitive information. Moreover, it aims to prevent human error: though uncommon, personnel transferring the wrong data and exposing it to wrongdoers does happen.
One of the most recent cases has been covered by The Baltimore Sun. A CareFirst BlueCross BlueShield dental HMO called Dental Network accidentally exposed personal information, including Social Security numbers, of about 75,000 members on a public Web site last month and didn’t notify them until about three weeks later.
Experts say security breaches such as The Dental Network’s - where the company itself inadvertently posts the information - are uncommon. More often, experts say, information is compromised when hackers break into a computer system or when computers are stolen - as happened with the theft of a National Institutes of Health laptop last month.
Although state law requires timely notification of everyone involved, The Dental Network discovered the security breach on February 20 and informed members through a letter sent on March 10.
A state law passed last year requires businesses to promptly notify those potentially affected by a security breach or theft, according to the Maryland attorney general’s office. Approval followed the loss of computer tapes containing information on more than 135,000 Johns Hopkins employees and patients in early 2007.
The Dental Network's representative stated, however, that they did their best and notified members as soon as they could. Still, drafting and editing a letter, printing it and mailing it should take a lot less than 3 weeks.
Personal Data Thrown in the Dumpster
The financial information and Social Security numbers of hundreds of inhabitants of Flint, USA, have been found in a dumpster. Customers of Affordable Realty had entrusted these private details to the realty mortgage company. When Affordable Realty was evicted from the building where its office was located, company representatives decided the best place to get rid of the data was the nearest dumpster.
ABC12 News has a video record of the incident, along with some text comments. Let's hope the company is properly held responsible, in order to prevent similar incidents in the future.
Thumb Drive with Data of Job Seekers Lost
A company hired by the Nevada Department of Public Safety to do background checks on 109 job applicants managed to lose the private data of those job seekers. According to an article on Chron.com, their private records were stored on a thumb drive owned by one of the hired firm's employees.
Following this incident, the Department of Public Safety has temporarily suspended the use of outside vendors for background checks while it reviews all its processes and procedures.
UK Companies Pay £47 for Every Lost Private Record
The Register explores the costs of data breaches for UK companies in an article published earlier today. The numbers it publishes should worry companies in the UK and elsewhere, as laws and regulations seem to get harsher by the minute.
While the average cost per lost record is £47, the average total cost to a company exposed to a data breach is £1.4 million. These troubling figures come from a study conducted by the Ponemon Institute. 21 UK companies took part in the research, and financial companies reported the most expensive data breaches, at about £55 per record.
The size of the losses examined ranged from 2,500 records to more than 125,000 and costs ranged from £84,000 to £3.8m.
Breaches by third parties were more expensive than in-house losses - on average £59 rather than £42 in-house. This is a difficult issue for big companies to deal with, because their supply chain will include hundreds or even thousands of partner and outsourcer companies.
