Previous month:
September 2007
Next month:
November 2007

31 posts from October 2007

TJX Violated 9 Of 12 Data Security Standards

According to a recent ComputerWorld article:

"New documents filed in a Boston federal court Thursday by banks suing The TJX Companies Inc. over its data breach claim that the Framingham, Mass.-based retailer had not complied with nine of the 12 security controls mandated by the Payment Card Industry (PCI) data security standards when the breach occurred."

Some of the reported problems:

"... a failure to properly configure its wireless network, a failure to segment networks carrying cardholder data from the rest of TJX's network and the storage of prohibited data. A forensics expert hired by the company to probe the incident, which exposed data on some 94 million accounts, also identified other deficiencies such as improper patching practices and a failure to maintain adequate logs."

If there's one thing I've learned, I now pay attention to news reports about data breaches at retail stores. If the retailer has a poor data security record, I won't shop there. Why? Simply, I can't trust them to protect my personal data. On the rare chance that I temporarily go insane and shop at a retailer with a spotty data security record, I'll pay for my purchases with cash.


Letter to Massachusetts Attorney General Coakley

As a consumer affected by a corporation's data breach and identity theft, I am quite excited about Massachusetts' new identity theft law which will be implemented during the next few months. On Sunday evening, I sent the following e-mail letter to Massachusetts Attorney General Martha Coakley:

To:   The Office of the Attorney General
        One Ashburton Place
        Boston, MA 02108
Dear Attorney General Coakley:
 
I am resident of Boston and I am writing to you about Massachusetts' new identity theft law (St 2007, c.82: Security Freezes and Notification of Data Breaches). I look forward to the implementation of this new law since I have been the victim of identity theft. Specifically, a prior employer lost my most sensitive personal data. So, as soon as the Security Freeze option is available in Massachusetts, i will sign up to better protect my identity and finances.
 
My letter to you today is about the notification part of the new state law, specifically the portions about "Breach Notification" and "Substitute Notification" by companies. When IBM Corporation lost my data in February 2007, the company finally notified me in May 2007. This delay was unacceptable to me since identity thieves could have done much damage during the interim. So, while IBM's written notification to me was helpful, speedy notification is also important to me since media coverage wasn't immediate.

Since then, I have researched identity theft. During my research, I have found that New Hampshire posts on its Department of Justice web site the breach notifications N.H. received from corporations.

My question to your office is this: when will Massachusetts post online the breach notification letters it receives? The online posting of breach notifications by your office would be a huge benefit to consumers for several reasons:
  1. Consumers can access a reputable, reliable site for the full content of breach notifications
  2. Online postings can solve the speed concern other consumers like me have
  3. In the situations defined by St. 2007, c.82, the online posting of breach notifications would also solve the requirement of "Substitute Notification."
  4. The online posting of breach notifications by Massachusetts would be comparable to another New England state.
  5. The online posting of breach notifications would be a positive signal that Massachusetts is serious about being a leadership state when it comes to identity theft
I look forward to hearing from your office soon. Thank you in advance for your attention to this and reply to my letter.

I sent this letter to the Mass. AG since the comparable office in New Hampshire posts breach notifications online. It is critical for consumers (e.g., customers, employees, and former employees) to receive prompt notification from companies which suffer a data breach. And, since Massachusetts' new law provides for "Substitute Notification" instead of a personal letter to each consumer, I want to know exactly how my state plans to provide "Substitute Notification."

I also sent copies of this letter to my federal and state representatives via the Congress.org web site. If you are a Massachusetts resident who feels as I do about identity theft, I encourage you to contact your state representatives.


Unfortunately, Your Average Joe's Data Breach

Update: congratulations to the Red Sox!(Good pixs.)

From last week's Boston Globe newspaper:

"Not Your Average Joe's, a Massachusetts restaurant chain, said yesterday that thieves have stolen credit card data belonging to its customers. The Dartmouth-based chain estimated less than 3,500 of the 350,000 customers it served in August and September had their credit card information stolen. The 14-restaurant chain said it is working with the US Secret Service and major credit card companies to determine how the data theft occurred and precisely how many customers were affected."

It constantly amazes me why retail stores and restaurants store consumers' personal data long after the transaction has been completed. This has to stop since it places both the retail establishment and the consumer's personal data at risk.

Retail establishments must face the consequences of poor data security, not pass this responsibility along to banks and credit card issuers. I fear that this situation won't change as long as consumers are happy with replacement credit cards. It forces banks to sue retail establishments to recover the costs of  replacement credit cards after a data breach... or pass the cost along to consumers.


AARP And Identity Theft

When I was in my mid 40's, I joined AARP. At that time, I needed to learn a lot about elder care since my mother had died and my dad was seriously ill. (He died in 2002.) I figured that reading the print version of the AARP Magazine was the best way to learn the language of retirement (e.g., Medicare, Medicaid, etc.), and to learn about the issues related to elder care.

the magazine has some really interesting and inspirational articles, like the recent interview of the actor Morgan Freeman. During the years, I've subscribed to AARP's various e-mail newsletters and RSS feeds. The AARP web site recently published a good article about identity theft, titled Block Your Credit Reports to Prevent ID Theft.

If you are unfamiliar with the subject of identity theft, or if you want simple clear descriptions (like the difference between a Fraud Alert and a Security Freeze), then this is a good starter article. The article includes sample letters for users to request a Fraud Alert from one of the three national credit bureaus. The article should have included toll-free phone numbers for the three credit bureaus, but didn't.

As I mentioned, this is a good starter article. While the article doesn't tell you everything, it provides the basics in an easily readable format, so a consumer can place a Security Freeze on their credit report.


Is Second Degree Harassment Appropriate Punishment For This Cyber Crime?

Thanks to Jonathan Feeley for alerting me to this very interesting, if not bizarre, news item from the Boston Globe newspaper:

"A 34-year-old Uncasville woman has been charged with using the Internet to try to get revenge on an old boyfriend by breaking up his marriage. Pilar Stofega has been charged with second-degree harassment and breach of peace and released on $2,500 bond."

What Stofega did:

"... she created phony profiles of the former boyfriend's current wife on some adult Web sites that included the wife's home and work phone numbers and high school yearbook picture."

Stofega did this to create marital problems between her former boyfriend and his wife. Was this identity theft? Or Fraud? Does the punishment fit the crime? To me, Stofega's actions clearly meet the definition of fraud:

"Deceit, trickery, sharp practice, or breach of confidence, perpetrated for profit or to gain some unfair or dishonest advantage." [Source: Dictionary.com]

"Intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right." [Source: Merriam-Webster]

Not all harm to fraud victims is necessarily financial loss. Stofega clearly intended to cause harm by breaking up the victim's (wife's) marriage; plus, perhaps emotional distress to the victim and her husband. One could argue that a divorce would have had financial impacts, too.

Perhaps more importantly, Stofega didn't have the wife's permission to use the wife's identity, phone numbers, and picture to create phony profiles of the wife at social networking sites. So, Stofega's actions seem to meet the standard of identity theft, too... access to personal data the thief shouldn't have access to nor a right to use.

A consumer must be able to control their identity and their personal data. Stofega's crime is enough to give users of social networking sites, like Facebook and My Space, some pause about the personal data they share publicly. (See my prior post about warnings for social networking site users.) The person you date today could fraudulently abuse you online tomorrow.

So, does the punishment fit the crime? I say no. The punishment is not strong enough. What do you think?


Blogtoberfest (Meeting Boston Bloggers, Part Two)

During the day I'm super busy at my day job building web sites. However, I'm glad that I made time yesterday evening to attend the 2007 Boston Blogtoberfest event at the Pour House bar on Boylston Street.

This event was an opportunity to meet other Boston-based bloggers. I'd like to publicly thank Jenny Frazier for organizing the event. There must have been 40 or 50 bloggers in the downstairs room at the Pour House.

As I wrote in a prior post, I'm fairly new to blogging and this was my second blogger social (this week). It felt very empowering to meet several local bloggers, who write about a wide range of subjects:

The event was an added treat since I won one of the raffle prizes... a framed photograph of beautiful and historic Fenway Park.

Boston bloggers who weren't there, and I hope they attend the next event: Lori Magno's Moda di Magno, Kate Beaton's The Dish, Diane Danielson's Downtown Women's Club, and Mick O'Brien's Attention Shoppers.


Double Trouble For TJX

From the Boston Globe newspaper:

"More than 94 million accounts were affected in the theft of personal data from TJX Cos., a banking group alleged in court filings, more than twice as many accounts as the Framingham retailer has said were affected in what was already the largest data breach in history."

This massive data breach affected about 65 million Visa credit card holders and about 29 million MasterCardcredit card holders. The banks had sued TJX to recover the costs incurred from replacing their credit card customers accounts with new cards and account numbers.

"A Visa official also put fraud losses to banks and other institutions that issued the cards at between $68 million and $83 million on Visa accounts alone..."

I have absolutely no sympathy for TJX. When a retailer accepts payments from customers using sensitive personal data (e.g., credit card numbers, checking account numbers, etc.), it is the retailer's responsibility to protect that personal data... especially since they are making money from the consumers' purchases. If the retailer wants the benefits, then the retailer must also accept the risks and the responsibility. It is not right to pass the cost (and the responsibility) to banks when they re-issue credit card numbers.

Consumers expect the retailer to employ adequate and updated data security measures. Consumers expect the retailer to notify them promptly of any and all data breaches, regardless of whether the states' laws specify notification.

If a retailer can't protect consumers' sensitive data, then don't accept it. It's really that simple. Want to learn more? Read my archive of TJX posts.


Meeting Boston Bloggers (Part One)

This week is one of those weeks where I need 48 hours in each day. I've been so busy that I haven't been able to read all of the posts I'd planned to this week.

First, my day job as a usability professional (I architect web sites for corporate clients) has been especially hectic and jam-packed. We're working simultaneously on two huge web site re-designs which have to launch between now and November 30th. Second, there have been several Boston-area blogger events this week which I just had to attend.

I'm fairly new to blogging, so I registered and attended the Tech Blogs event at the Cambridge Innovation Center Tuesday evening. The panelists included some well-known, heavyweight technology bloggers including: Don Dodge, Director of Business Development at Microsoft; Jimmy Guterman, Editor of Release 2.0; Barbara Heffner, partner at CHEN PR; Nabeel Hyatt, CEO at Conduit Labs; columnist Scott Kirsner from the Boston Globe; and Bijan Sabet, a venture capitalist at Spark Capital. Podcaster Dan Bricklin recorded the event posted the audio on his web site.

The panelists and audience shared several tips and suggestions about blogging as senior corporate executives, how to grow your blog audience, emerging trends, and common issues all of us bloggers face. If you are a business executive interested in how blogging can benefit your business, then I suggest you read Jonathan Feeley's post at Digital Interactif: 5 Reasons to start a Blog for your Business.

I learned a lot at this event and noticed that many of these successful bloggers use the same Typepad service which I use.


Activate The Anti-Phishing Software on Your Home Computer

Recently, I wrote a post about home computer data security since identity thieves use several methods to trick consumers into revealing sensitive personal data. I shared that post with friends, family, and peers, and received several e-mail replies. One common theme in those replies was that many people hadn't activated the anti-phishing software already available on their home computers.

For the unaware, phishing is a technique used by thieves to deceive consumers to submit personal information at a fake e-mail or web site designed to look like an authentic company's web site. The latest version of several browsers includes anti-phishing options. Since I use the Firefox version 2.0 web browser, I have turned on its anti-phishing software feature. To learn more, visit the Wikipedia page or the the Microsoft Anti-Phishing Technologies site.

My anti-virus software from McAfee also includes the Site Advisor Plus anti-phishing software. To learn more, visit the web site of the company that developed your web browser and/or your anti-virus software.

If you have already submitted your personal information to a phishing site, see the Anti-Phishing Working Group site for advice about what to do next. Your next steps depend upon the type of sensitive personal data you disclosed. There is specific advice if you disclosed your credit card number, Social Security number, or checking account number; plus advice if your computer has been infected with a software virus, such as spyware or a key-logger. The Privacy Rights Clearinghouse site also provides advice about what to do after a phishing attack.


The Data Security Risks with Offshore Outsourcing

We've all read news articles about how companies, in order to remain competitive, have moved jobs and work to other companies (outsourcing), and/or have moved jobs and work to companies in other countries (offshore outsourcing). Philip Alexander has written an excellent article in SearchCIO.com about the risks with offshore outsourcing... which can expose the sensitive personal data of customers, employees, and former employees.

Mr. Alexander gets right to the point:

"... there is more to consider than just the lower labor costs of employees in India verses their domestic counterparts... it's important to make sure that in addition to going after cheap labor, you're not buying yourself a slew of security exposures as well. The decision on whether or not to outsource should not rest solely with the CFO. The chief security and compliance officers should also be involved because of the many security- and regulatory-related issues involved with offshore outsourcing."

If you live in a state where consumer notification is required when the company has a data breach, it is important to remember that:

"With the rash of highly publicized data breaches, 36 states now have their own disclosure laws mandating that companies inform customers in the event of either an actual or suspected security breach. This applies to data breaches that occur overseas if you send sensitive customer data offshore."

I applaud Mr. Alexander for challenging CIOs (Chief Information Officers) CSOs (Chief Security Officers) to consider the risk and not just the financial benefits. Mr. Alexander lists two major issues regarding offshore data security and risk:

The first is granting offshore engineers access to computer systems located within your company's network. Are you monitoring the activities of the overseas engineers? If the work that's being sent offshore is project-based, are you ensuring that access is removed when the project is completed? Do you have security professionals monitoring the activities of the offshore engineers?

The second issue and most importantly:

"... review what type of work is safe to send offshore. For instance, outsourcing production support overseas entails a high degree of risk...  You should consider projects that don't entail sending sensitive customer information offshore, or granting remote access to your internal network. Software development doesn't require providing sensitive customer data offshore. The development work can be performed offshore, then the code can be securely transmitted to your company."

The only issue I have with Mr. Alexander's article is his focus on CIOs and CSOs. I believe that general management, human resources, and customer service senior managers should be challenged also, to consider the risks of offshore-outsourcing decision. All departments handle sensitive data and all departments need training in effective data security practices. All of this becomes even more critical as companies headquartered in other countries acquire or merge with US-based companies.

For some background, read this GAO report about Medicare and Medicaid.or this article about data breaches at outsourcing firms in India. I'd love to see an consultancy or accounting firm independently audit the major brokerages against the criteria Mr. Alexander stated in his article. What do you think?


Elder To Comcast: It's Hammer Time!

I imagine that all of us, at one time or another, have received the run-around on the phone by incompetent customer service representatives. This Washington Post story was too good to pass up:

"Shaw storms in the company's office. BAM! She whacks the keyboard of the customer service rep. BAM! Down goes the monitor. BAM! She totals the telephone. People scatter, scream, cops show up and what does she do? POW! A parting shot to the phone!"

" 'They cuffed me right then,' she says."

"Her take on Comcast: "'What a bunch of sub-moronic imbeciles.'"

While parts of Shaw's story may seem humorous, it really isn't funny. Shaw's story really resonated with me. First, the staff in the Comcast office assumed that because Shaw and her husband are elders that they could push them around: ignore them and leave them sitting outside the office in the sun in August.

Second, I've had my own problems this week with Comcast: snowy cable TV reception TV channels which shut off intermittently. Not one but three Comcast technicians arrived Wednesday evening (after Comcast sent a confirmation that a technician would arrive between 11am - 2pm) to fix the problems. My TV service is better, but the reception still gets snowy at times on some channels. I thought that the chief benefit of cable is better TV reception versus over-the-air broadcasts.

I think that I'll spend more time at the Comcast Must Die blog, especially since Comcast practices Internet data discrimination by arbitrarily blocking some customers' usage.

After reading the Washington Post article, I began to wonder if the poor data security efforts by many companies to protect the sensitive personal data of former employees is also rooted in the same ageism Shaw experienced. What do you think?


Rising Cost of Data Breaches For Companies

From the Washington Post newspaper:

"Financially motivated data breaches are set to cost businesses 20 percent more each year until 2009, according to Gartner. John Pescatore, VP at Gartner, said the biggest risk to organizations came from targeted attacks. He said that "phishing and identity theft attacks have caused the rise of 'credentialed' attacks, in which the attacker uses the credentials of a legitimate user."

The good news in this is that the increased threat may push companies to better protect the personal data they archive of customers, employees, contractors, and former employees. This implication consumers: it's critical to protect home computers with both anti-virus software and anti-spyware software.


Bipartisan Bill Toughens Laws And Penalties For Identity Theft and Fraud

So far, I have not written about Federal identity theft and fraud legislation. That will change starting with this post.

On Tuesday October 16, Senators Patrick Leahy (D-VT) and Arllen Specter (R-Pa.) introduced a new bill, the Identity Theft Enforcement and Restitution Act of 2007 (S 2168), to provide federal prosecutors with new and stronger tools to fight identity theft and online crime. This new bill builds upon prior proposed legislation. Features of the new bill:

  • "Give victims of identity theft the ability to seek restitution for the loss of time and money spent restoring credit and remedying the harms of identity theft; "
  • "Expand the jurisdiction of federal computer fraud statutes to cover small businesses and corporations;"
  • "Eliminate the prosecutorial requirement that sensitive identity information must have been stolen through an interstate or foreign communication and instead focuses on whether the victim's computer is used in interstate or foreign commerce, allowing for the prosecutions of cases in which both the identify thief's computer and the victim's computer are located in the same state; "
  • "Make it a felony to employ spyware or keyloggers to damage ten or more computers regardless of the aggregate amount of damage caused, ensuring that the most egregious identity thieves will not escape with a minimal, or no, sentence;"
  • "Eliminate the requirement that the loss resulting from damage to a victim's computer must exceed $5,000; under this bill violations resulting in less than $5,000 damage would be criminalized as misdemeanors; "
  • "Add the crime of threatening to obtain or release information from a protected computer to the definition of a cyber crime and expands the definition of a cyber crime to include demanding money in relation to a protected computer, where the damage to the victim computer was caused to facilitate the extortion. By expanding this definition, violators of this provision are subject to a criminal fine and up to five years in prison."

Access to restitution. Stronger penalties. Enhanced powers for federal prosecutors. All of this sounds good to me, especially since identity theft crimes do severe damage and are, obviously, premeditated. I also like the bipartisan support of this new bill.


Put Home Depot On the Wood Pile of Laptop Data Breaches

Thanks to Jonathan Feeley for the alert about this Boston Business Journal article:

"... a laptop containing the personal information of thousands of Home Depot employees is missing after it was stolen from a Massachusetts worker's car... the Atlanta-based home improvement retailer said it is confident that the personal information was not the thief's target."

Network World reported that the data breach affected 10,000 Home Depot employees. Apparently, the laptop was stolen from a car while parked at a residence. The Home Depot has not disclosed the city or town where the data breach occurred. Was the employee fired? I hope so but the company hasn't disclosed that either. I guess that neither the company nor this dumb-a$$ employee studied the Data Breach Analysis flow.

Seriously, companies need to do more about data security when employees store massive amounts of sensitive data on a laptop which they bring home, on vacation, and leave in a highly insecure location like a parked car. It's very easy to find the long list of companies, universities, accounting firms, medical plans, hospital, and government agencies that have suffered data breaches via laptop theft. Here's a partial list of laptop only breaches with the date and number of records stolen/exposed:*

  • Univ. of California at Berkeley: March 2005: 98,400
  • MCI: April 2005: 16,500
  • California Department of Health Services: April 2005: 21,600
  • Oklahoma State Univ.: April 2005: 37,000
  • Colorado Health Dept.: May 2005: 1,600
  • U.S. Department of Justice: May 2005: 80,000
  • Kent State University: June 2005: 1,400
  • Eastman Kodak: June 2005: 5,800
  • Bank of America: June 2005: 18,000
  • Ohio State Univ. Medical Center: June 2005: 15,000
  • Univ. of Florida Health Sciences Center: August 2005: 3,851
  • J.P. Morgan Chase & Company: August 2005: undisclosed
  • Bank of America; September 2005: undisclosed
  • Univ. of Tennessee Medical Center: November 2005: 3,800
  • Boeing: November 2005: 161,000
  • First Trust Bank: December 2005: 100,000
  • Ameriprise Financial; December 2005: 260,000
  • Univ. of Washington Medical Center: January 2006: 1,600
  • Ernst & Young (UK): February 2006: 38,000
  • Mount St. Mary's Hospital: February 2006: 17,000
  • University of Northern Iowa: February 2006: 6,000
  • Metropolitan State College: March 2006: 93,000
  • Verizon: March 2006: undisclosed
  • Ernst & Young (UK): March 2006: undisclosed
  • Fidelity Investments: March 2006: 196,000
  • Boeing: April 2006: 3,600
  • Aetna: April 2006: 38,000
  • Mercantile Potomac Bank: May 2006: 48,000
  • M&T Bank: May 2006: undisclosed
  • Ernst & Young (UK): June 2006: 243,000
  • Buckeye Community Health Plan: June 2006: 72,000
  • YMCA (RI): June 2006: 65,000
  • Union Pacific: June 2006: 30,000
  • ING: June 2006: 13,000
  • Equifax: June 2006: 2,500
  • Armstrong World Industries: July 2006: 12,000
  • Toyota (TX): August 2006: 1,500
  • PSA HealthCare: August 2006: 51,000
  • U.S. Dept. of Transportation: August 2006: 132,470
  • Chevron: August 2006: undisclosed
  • Williams-Sonoma: August 2006: 1,200
  • Diebold: August 2006: undisclosed
  • General Electric: September 2006: 50,000
  • Camp Pendleton Marine Corps Base: October 2006: 2,400
  • T-Mobile: October 2006: 43,000
  • Gymboree: October 2006: 20,000
  • Starbucks: November 2006: 60,000
  • Notre Dame Univ.: January 2007: undisclosed
  • North Carolina Dept. of Revenue: January 2007: 30,000
  • St. Mary's Hospital (MD): February 2007: 130,000
  • Los Angeles County Child Support Services: March 2007: 243,000
  • Caterpillar: April 2007: undisclosed
  • Pfizer: June 2007: 17,000
  • Verisign: August 2007: Undisclosed
  • Connecticut Dept. of Revenue: August 2007: 106,000
  • AT&T (TX): August 2007: undisclosed
  • Gap: September 2007: 800,000

Dig deeper into thses breaches and you'll learn that often a company employee, subcontractor, or accounting firm employee had a laptop stolen off company premises. There are so many data breaches to learn from. It seems silly to store massive amounts of sensitive data on a single laptop. (Note the repeat offenders in the above list, too.) You'd think that companies would learn from the mistakes of others and tighten their data security processes and increase employee training!

Learn more about the sensitive data companies archive about customers, employees, and former employees.

* Source: Privacy Rights Clearinghouse


Consumers Think Their Computers Are Protected When They Really Aren't

There's a must-read article at CNNMoney which you should also forward to everyone on your e-mail list. The National Cyber Security Alliance (NCSA) and the McAfee, Inc. software company recently completed an online survey of consumers' computer usage and data security. Basically, consumers think that they are practicing safe computing when in fact they aren't.

First, the good news. Consumers seem to be aware of online viruses and threats:

  • 98% of survey respondents agreed that keeping their online security up-to-date is important
  • 87% use anti-virus software
  • 73% use a firewall
  • 70% use anti-spyware software
  • 27% use anti-phishing software

However, many consumers don't adequately protect their home computer:

  • 48% had not updated their computer's anti-virus software within the past month
  • 54% had been hit with a virus
  • 44% thought their computer was infected with spyware

Then, the bad news really piles up:

"When researchers were able to conduct a remote scan of consumers' computers, their findings revealed a significant gap between perception versus reality, where consumers thought they were protected, when in fact, they were not. In particular, the following results illustrate:"

  • "While 81 percent have a firewall installed on their computer, only 64 percent actually activated this anti-hacker protection"
  • "While 70 percent of respondents say they have anti-spyware software, 55 percent actually did"
  • "While 27 percent say they have anti-phishing protection, 12 percent actually do"

The McAfee study also included an interesting age-related finding:

"Americans ages 45 and older show more savvy than their younger counterparts when it comes to cyber security... 25% of them are fully protected versus just 18% of Americans ages 44 and younger."

Face it. Your family, friends, and classmates use some pretty buggy computers. Which means that the files they share are buggy, too. This is one reason why I rarely open the e-mail file attachments I receive at home from family, friends, and classmates.

The security products on my laptop automatically update about once daily, but often several times daily. My security software automatically runs a full system scan at least once weekly.

The bottom line: we consumers make it unnecessarily more difficult to lobby legislatures about stronger identity theft laws covering data breaches by employers, former employers, and retailers when we still leave our home computers vulnerable. Companies realize this.


Fake Microsoft Anti-Spyware Scam

Identity thieves seem to be always trying new methods to trick Internet users to disclose personal data. This time, the scam is an attempt to get credit card numbers. From InformationWeek magazine:

"This Fake Microsoft AntiSpyware Center page purports to be an 'Online Security Scanner' which scans the system for viruses and spywares," said Mohandas. "After the dupery scanning, the user will be presented with a dubious and falsified list of Trojans after which the user will be prompted to download and install an ActiveX Control to remove the threats."

"As it turns out, the ActiveX Control is a Trojan that hijacks Internet Explorer's home page, displays phony alerts and makes wild security threats in order to encourage the site's visitors to download AntiSpyStorm. Once installed, AntiSpyStorm offers a free security scan, which reports exaggerated threats to prompt the user to enter a credit card number and order the full version of the product."

All of this is a reminder to never click on e-mail attachments and to only visit sites you know.


Cyber Crime Exceeds Drug Crime

This is a statistic none of us should be happy about. From an InformationWeek article:

"McAfee CEO David DeWalt says cybercrime has become a $105 billion business that now surpasses the value of the illegal drug trade worldwide."

In his speech at the InformatonWeek 500 conference, DeWalt mentioned 5 trends he sees emerging in data security:

  1. Industry consolidation
  2. Rapid growth in Federal compliance requirements

See the article for the rest of the trends.


Governator Terminates New California Identity-Theft Bill

From the Sunday Oct. 14 Orange County Register:

"An ID theft protection bill that would have made businesses that take credit cards for purchases more accountable to consumers and card issuers was vetoed Saturday by Gov. Arnold Schwarzenegger. In a message explaining his veto of AB779, the governor claimed the marketplace already provides the necessary protections for consumers and that the state bill might conflict with private security standards."

This is sad news, since:

"The bill would have required businesses to follow new guidelines for the handling and storage of sensitive material; to notify consumers with a detailed protocol of how to address identity theft; and to incur out-of-pocket costs to provide restitution to consumers and share the burden of card issuers. Currently, when a security breach is suspected or detected, businesses only must notify card issuers, but have no liability themselves. AB779 would have made the business (or any other entity that utilized cards for payment) share responsibility."

According to the news report, the California Governor's reasons included the bill was vague and conflicted with existing identity=theft laws. To learn more, see my prior post and the California Progress Report.


The Data Companies Often Keep, And Should Protect Vigorously

After my experience with IBM's data breach, I first questioned why IBM archived all former employee data forever. Then I began to wonder what types of data companies archive about their employees and former employees -- not just about their customers.

The SearchSecurity.com site has a good summary article about the types of information companies archive:

Employee Health Financial
Name
Social Security numbers
Birth dates
Home phone numbers
Health records
Home addresses
Ethnicity and citizenship
Veteran and disability status
Email addresses
Drivers' license numbers
Medical record numbers
Health plan numbers
Account numbers
Certificate or license numbers
Device identification/serial numbers
Facial photographs
Account balances
ACH numbers
Bank account numbers
Credit card number and Exp. Date
Credit rating
Income data
Payment data
Account numbers
Expiration dates

This is a wealth of information. A virtual gold mine! What identity thief wouldn't want access to this? And, if you and I are aware of the wide range of information companies archive, you can be sure that identity thieves are aware, too.

What I like most about this article is that it clearly explains many of the key State and Federal US laws and standards that require companies to protect this personal data:

I was amazed while reading this article that some privately-held companies don't think that these laws and standards apply to them:

There is a huge misconception among information security professionals today that data privacy laws are not applicable to private companies, but are only designed for publicly traded companies, government organizations or financial institutions. This is not the case. Whether your company is public or private, large or small, today's information privacy regulations may affect you and your organization on many different levels, not just financially and legally.

This definitely clarifies the problem among companies.


The Zen of Shredding

After I began shredding sensitive snail-mail regularly, I noticed how I felt. Some satisfaction with relief about not allowing dumpster-diving identity thieves victimize me. I felt good about protecting my personal data. There are also feelings of calm and lightness after a good shred.

Alex Kuczynski writes in the October 7 New York Times about her shredding experiences after an identity theft incident:

"But by then, I was shredding every identifying piece of paper that came my way. Not only did I purchase an Identity Guard 24-sheet strip-cut shredder for about $100, but I also disposed of the spaghetti-like strips in different garbage bins."

Alex adds:

"I discovered that the impulse to shred is twinned with the impulse to sort, cleanse and divest. The more I shredded, the more I came to look upon my shredder as the vehicle that would return me to a state of simplicity in which my natural power would be restored. This is the Tao notion of Pu: perceiving all things with a clear and unbiased mind, as if they were a block of uncarved wood."

I started shredding years ago when I first realized the dumpster-diving-identity-thieves problem and just how valuable pre-screened snail-mail credit offers are. However, I still haven't pruned old paper files.

So a couple weeks ago, I started to shred old bank statements which I should have shredded years ago. Experts advise you to keep key documents about 7 years. Since I have paper bank statements back to 1990, it's shredding time!

How often do you shred documents? How do you feel after a good shred?