LifeLock Sued By Customers
LifeLock, vendor of a much-contested fraud-prevention service, has been sued by three very unhappy customers from three US states. The customers are upset because they feel LifeLock fails to provide the comprehensive protection it advertises.
As the Register reports, the lawsuits have been initiated by three customers from Maryland, New Jersey and West Virginia. They target LifeLock's ads, in which CEO Todd Davis says he is so confident in the service that he volunteers his Social Security number.
What isn’t mentioned is that on at least 87 occasions, Davis’s Social Security number has been used in attempts to steal his identity, and at least one of those times, the perpetrator was successful.
“It’s further evidence of the ineffectiveness of the services that LifeLock advertises,” David Paris, an attorney suing on behalf of the dissatisfied customers, told the Associated Press. Davis also told AP reporter Jordan Robertson it’s possible that driver’s licenses have been issued to other people in his name as a result of the widespread availability of his personal information. But he ascribes this possibility to flimsy fraud checks used by most departments of motor vehicles, rather than the ineffectiveness of his service.
Californian Supermarket Shoppers, Victims of Identity Theft
Over 100 shoppers at a supermarket in Los Gatos, California, became victims of identity theft after their debit and credit card data was stolen through the checkout card reader. The thieves at the Lunardi's grocery store used the stolen PINs and card information to create fake cards, which they subsequently used to go shopping.
The supermarket customers have been reporting cases of identity theft to authorities for over a week, and according to Dark Reading have been losing an average of $1,000 from their bank accounts.
“What we have here is more than one person — they’ve been able to get in there (Lunardi’s) and switch out the ATM card reader,” said Los Gatos-Monte Sereno police Sgt. Tam McCarty in an article in the San Jose Mercury News. “Once they’ve done that, they can read the card and PIN numbers and either make a temporary card or sell the numbers over the phone.”
88,000 Patients Exposed to Identity Theft
Hardware containing personal information on about 88,000 patients of the Staten Island University Hospital was stolen last December.
According to Silive.com, after four months of investigation that has led to no arrest, the hospital administrators are now starting to send letters to patients who are currently exposed to identity theft. The desktop computer and backup hard drive stolen from one of the hospital's finance offices contained patients' names, Social Security numbers and health insurance numbers.
“The hospital is in the process of issuing a letter of information to each patient involved in which one year of free credit monitoring is being offered,” said a hospital statement released yesterday afternoon by spokeswoman Arleen Ryback. It was not immediately known when the patients whose information was included in the data had been treated.
Ms. Ryback said no medical records were included in the files, but wouldn’t speculate why SIUH waited so long to notify people.
Private Information on Iredell County Taxpayers Stolen
The Iredell County Tax Collector's Office has just informed the public about an information theft that took place at the end of April. The incident involved a courier vehicle, providing services for First Citizens Bank, that was stolen in Charlotte. The vehicle's shipment included data related to Iredell County tax payments. According to Prime Newswire, Charlotte law enforcement officials are currently investigating the incident, but the contents of the shipment are yet to be recovered.
The stolen shipment contained a computer report of 468 taxpayers' check information, including account numbers, check numbers, check amounts and routing numbers of the various banks on which the checks were drawn. There were also copies of tax bills that contained taxpayer names, addresses and other public information related to tax payments.
Expensive Security Keeps Breaches Away
UK companies have tripled their spending on information security defenses in the past three years, which has caused reported security breaches to drop by a third. That means 300% more money spent gets you 30% fewer breaches.
According to the most recent edition of the UK government-sponsored Information Security Breaches Survey, quoted by the Register, the number of companies reporting a security breach is now at roughly the same level as in 2002, after reaching a peak in 2004.
Expenditure on information security has increased from two per cent to seven per cent of the IT budget on average over the last six years. But this increase in spending is uneven with a significant minority (21 per cent) of companies spending less than one per cent of their IT budget on information security.
Nonetheless, the security landscape has improved markedly over that period with 94 per cent of wireless networks now encrypted, versus only 47 per cent in 2002. More than half (55 per cent) of UK companies have a documented security policy, versus 27 per cent in 2002. Two in five businesses provide ongoing security awareness training to staff – twice as many as six years ago.
DLP on the Right Track, but not Foolproof
Speakers at RSA 2008 state that the Data Loss Prevention (DLP) segment of the security market is reporting impressive improvements, but it is still not able to stop innovative attacks. While it might be the new hot shot of the entire security industry, DLP cannot be expected to fight off every data breach.
In a Symantec-sponsored panel addressing DLP-related issues, speakers were highly optimistic about the future of this new technology, which, according to Dark Reading, “is designed to monitor, detect, and control the egress of sensitive enterprise data in an organization”. Yet the panel acknowledged that describing the technology as an all-powerful answer to insider theft is a gross exaggeration. Here's a selection of the most interesting quotes Dark Reading published:
“The idea that you're going to be able to protect every piece of data all the time is probably impossible,” said Joseph Ansanelli, former CEO of DLP pioneer Vontu and now vice president of DLP at Symantec, which bought Vontu last year. “It's not going to happen.”
“DLP is a tool,” said Craig Shumard, CISO for CIGNA Corp., a Vontu user. “It’s one of a number of things you can use to help control the insider threat. But it’s not the whole solution.”
The key, Rich Mogull, founder of Securosis, says, is to define your “sensitive” data before deploying DLP. “You need to put all of your business people in a room and force them to choose which data is the most valuable,” he said. “Once you’ve done that, you can use DLP to start monitoring that data, to set policies for protecting it, and eventually, to enforce those policies.”
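As an added illustration of the monitor, detect and enforce loop the panel describes (example code, not from Dark Reading, Symantec or any DLP vendor), here is a minimal content classifier that flags Social Security and payment-card numbers in outbound text and applies a per-class policy. The policy table, the patterns, the data classes and the sample messages are all constructed assumptions.

```python
import re

# Constructed policy table: the business first decides which data classes are
# sensitive (Mogull's advice), then which egress action each class gets;
# actions escalate from "allow" to "monitor" (log only) to "block".
POLICY = {"ssn": "monitor", "card": "block"}
SEVERITY = {"allow": 0, "monitor": 1, "block": 2}
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")   # dashed SSN form only
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")      # PAN, optional separators

def luhn_ok(digits):
    """Luhn checksum keeps random digit runs from being reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def valid_ssn(area, group, serial):
    """Reject ranges the SSA never issues so placeholder values are not flagged."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")

def mask(value):
    """Only the last four characters reach the DLP log, never the full value."""
    return "*" * (len(value) - 4) + value[-4:]

def classify(text):
    """Return (data_class, masked_value) for each sensitive item in text."""
    found = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            found.append(("ssn", mask(m.group(0))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(("card", mask(digits)))
    return found

def egress_decision(text):
    """Apply POLICY to the findings; the most severe action wins."""
    findings = classify(text)
    verdict = "allow"
    for data_class, _ in findings:
        if SEVERITY[POLICY[data_class]] > SEVERITY[verdict]:
            verdict = POLICY[data_class]
    return verdict, findings
```

Running `egress_decision("Card 4111 1111 1111 1111 exp 12/09")` on the well-known Visa test number returns `("block", [("card", "************1111")])`, while a digit run that fails the Luhn check or an SSN from an unissued range produces no finding at all.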
Stolen Hardware - Most Common Cause for Data Breaches
Stolen or lost hardware, from laptops to USB sticks and portable hard drives, was the most common cause of data breaches in 2007, outranking malicious software. These findings have recently been released by Symantec in its latest Internet Security Threat Report. As SecurityFocus notes, this is a significant conclusion, given that the number of unique variants of malicious software more than quadrupled in 2007.
The theft of computers and storage devices, not malicious code, accounted for the majority of lost data. In the latter half of the year, such physical theft accounted for 57 percent of data breaches, up from 46 percent in the first half of 2007, the report stated. While the government had only the second highest number of breaches — 20 percent of the total compared to 24 percent for the education sector — those breaches accounted for 60 percent of identity theft, the report stated.
Gains from Online Fraud Aim for the Sky
According to the latest data released by the FBI’s Internet Crime Complaint Center, damages caused by online fraud have significantly increased, going up by 20 percent.
The report cited by SecurityFocus shows that, while the number of complaints was slightly lower, the reported damage from online fraud grew from $198 million in 2006 to $239 million in 2007. The FBI's IC3 online portal, which receives cybercrime complaints, processed a little under 207,000 such reports last year, just a few less than in 2006. The criminal activity is in no way discriminatory, affecting victims aged from 10 to 100 years old.
“The Internet presents a wealth of opportunity for would-be criminals to prey on unsuspecting victims, and this report shows how extensive these types of crime have become,” James E. Finch, assistant director of the FBI’s Cyber Division, said in a statement. “What this report does not show is how often this type of activity goes unreported.”
While the media often report on the crime of identity theft, the largest number of people, more than a third, complain about online auction fraud, the IC3 report stated. Other online crimes, such as industrial espionage by other nation states, largely go unreported. Earlier this month, the Council of Europe requested that Internet service providers help battle cybercrime by sharing information about their users.
Employees Are Great at Circumventing IT Security Policies
According to a survey conducted by Palo Alto Networks and quoted by DarkReading, employees in most enterprises are constantly circumventing corporate security policies by deploying unauthorized applications, including video viewers, streaming audio, P2P, and Google applications.
Palo Alto Networks used data from 20 different enterprises, gathered during vulnerability assessments, to reach the study results.
Employees are using a broad variety of tactics for circumventing IT policies on network usage, Palo Alto found. For example, approximately 80 percent of the enterprises are supporting proxy applications, such as KProxy or CGI proxies, which mask the user’s identity and surfing habits from IT monitoring tools.
“There’s no business reason for using proxies in the enterprise, other than to hide your activity from IT,” Mullaney says. “But we see at least some use of them in most of the enterprises we [assess].”
Hannaford - An Inside Job
Recent details on the Hannaford security breach point to an inside job. It appears that Hannaford employees most likely planned the attack and then infected over 300 of the grocery chain's servers.
Experts said the breach should serve as a big lesson for retailers: it is as important to limit the network access of employees and regularly monitor system activity as it is to purchase security technology to block attacks from the outside. Furthermore, it is foolish for a company to consider itself bulletproof because it achieved PCI DSS compliance, as Hannaford claims it did.
“The overarching conclusion I have that keeps getting reinforced is that the low-hanging fruit is inside the company and insiders are always getting more network privileges,” said Mark MacAuley, a York, Maine-based IT security consultant who shops at Hannaford’s regularly. “I don’t see how anyone at Hannaford could get that level of access unless they were a very well-known entity.”
The Hannaford data breach has exposed over 4 million credit card accounts, making it the second largest breach ever reported.
