
19 posts from May 2011

Yet Another Data Breach At Sony; Playstation Network Returns Online in Phases

Several news organizations reported that hackers attacked Sony Ericsson's Canadian eShop website. This latest Sony data breach affected only about 2,000 consumers. The Canadian eShop website provides accessories and support for phone customers. At press time, portions of the Canadian eShop website were unavailable.

The Canadian eShop breach is more bad news for Sony after massive data breaches at its Playstation Network and Online Entertainment units. Sony forecasts its breach-related costs in the United States at $171 million for the coming fiscal year ending March 2012, excluding any lawsuits.

On Tuesday last week, Sony disclosed a breach at its Sony Music Entertainment Greece website, which affected about 8,500 customers. Sony also disclosed that an unauthorized user had accessed and changed its Sony Music Indonesia website, and a hacker may have accessed its Thailand website to send e-mail spam.

On Friday, May 27, Sony announced a phased restoration of service at its Playstation Network unit:

"... Sony Network Entertainment International (SNEI, the company) will begin a phased restoration of PlayStation®Network and Qriocity Services in Japan and Asian countries and regions including Taiwan, Singapore, Malaysia, Indonesia, and Thailand*1 on May 28. A new identity protection program will also be offered in conjunction with the phased restoration for PlayStation Network and Qriocity customers in Japan..."


Sears Finally Honors A Home Repair Service Contract

In March, I wrote about the difficulty a friend had getting Sears Home Improvement to honor a Master Service contract she purchased for her home boiler. Recently, Ilene wrote to me via e-mail with an update. Ilene tells it best in her own words:

"May 29, 2011. 10:32 AM
Hi George,

I am so grateful for the efforts you made to get the attention of Sears Home Improvement to give me the service I had paid for and to reimburse me for the bill I had to pay my plumber to restore heat (after 4 days to my home). It really beat suing them in Small Claims Court as I did the year before to get them to pay a $500 bill to my plumber to restore heat in the absence of any service from Sears Home Improvement!

Stephanie, the woman from the Media Department, called me shortly after your call asking her for Sears' response to my complaints of no service, despite a Masters Insurance plan that I had purchased. She told me she had looked up the records and admitted, "Sears Home Improvement dropped the ball; you never should have gone for 4 days without heat!!" She asked me what they could do to make it up to me and I told her I certainly believed Sears should reimburse me for the bill I paid to my plumber. She told me to fax it and I received a check in the mail soon thereafter.

Stephanie then called and asked if I was satisfied. I told her I was glad for the reimbursement, but that the installation of the boiler had been faulty. The Installers hadn't skimmed the system as required by the plumbers code and as a result one of the pipes was clogged up and the radiator connected to that pipe had not given any heat since then (2 winters). I thought they should do what was necessary to get that fixed. [Sears] sent an independent contractor to inspect the installation. He spent at least an hour in the basement, so I knew he must have found problems, although he couldn't tell me before he submitted his report to Sears. A week or so later, I was called and told I would receive service and asked to set up an appointment. The contractor came and explained that the entire installation needed to be redone: even the pipes had been pitched in the wrong direction. He spent from about 8:30 in the morning to 7:00 in the evening, completely redoing the installation and creating new piping around the boiler. He also put in a chemical anti-coagulant to clear the clogged radiator pipe.

I have every expectation that this year, my heat will function properly, hopefully eliminating the need to call for service again. But if I do need service, I believe I will receive it, because with your help, this wheel has squeaked!!

Even to my layman's eye, the new installation is completely different from the old! Now I know why every month since my new "more efficient" boiler was installed, I have received a letter from the gas company saying I am using more heat than any of my neighbors. When I think of the thousands of dollars I paid to insure an efficient boiler, it makes my blood boil to think of the money that I have wasted for the past two years on heat! I even had an energy audit to try and address the problem. Since I am not a plumber, I didn't realize the problem was the faulty installation!! I am sure now that my monthly gas bill will reflect the difference.

Stephanie is supposed to call me on Tuesday to check on how the installation went. She will ask me if I again am completely satisfied now, and I will tell her I am very glad my boiler has finally been installed properly, but I really would like a cash settlement for the money I wasted on gas for two years!! Also, I want to be sure, if I do need service in the future, I will get it, and not be told, "We don't have a contractor in your area" (how ridiculous! I live in Cambridge, Ma., not in Osh Kosh B'Gosh) or be put on hold until I tire of waiting and hang up. (Even now I wish I had kept my old (1920) boiler or had found a different company to buy and install my new one.) It is not that I am ungrateful, but I never should have had to go through all this to get what I paid for!! I am retired and buying a new boiler was a huge hit to my budget. I was looking for a significant drop in my heating costs which I did not see. On the bright side, I am expecting a lower bill this winter!!

Again, thank you for your efforts. You were a great advocate for me!

Sincerely,
Ilene"


Banking With Obsolete Debit/Credit Card Technology

I have reported a lot in this blog about skimming: identity thieves plant devices inside gas pumps at gas stations and attach them to bank ATM machines to steal consumers' credit- and debit card account information. The thieves then make cloned cards with the stolen data and drain consumers' bank accounts.

I was disappointed to read in the June 2011 issue of Consumer Reports that banks in the United States use an old, obsolete technology for our credit- and debit cards:

"American credit- and debit card data are usually stored unencrypted on a magnetic stripe on the back of each card, which thieves can easily and cheaply copy. The U.S. and some non-industrialized countries in Africa are among the only nations still relying on magstripe payment cards, which came into wide use in the 1970's."

So, we consumers bank in 2011 with 1970's technology. You may perform mobile banking with your state-of-the-art 2011 smart phone or tablet computer, but that card in your wallet or purse is still 1970's technology. If you travel outside the United States, perhaps you may have already noticed the problem:

"China has announced that it will no longer produce or accept [magstripe] cards after 2015... The European Central Bank has recommended that banks stop issuing magstripe cards after 2012."

So, the rest of the planet is moving towards newer debit/credit-card technology that offers far more security. The newer cards are called EMV "smart cards," with embedded computer chips that store and transmit encrypted data with a unique identifier for each transaction. Encrypted data makes it more difficult for identity criminals.

According to Bank Info Security, ATM skimming losses far exceed gas station pump losses. ATM skimming losses average $350,000 per day in the United States. In Europe, 95% of the bank ATM machines are EMV compliant and bank ATM losses dropped 14% in 2010 in 22 countries: Austria, Belgium, Cyprus, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Liechtenstein, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Slovakia, Spain, Sweden, Switzerland, and the United Kingdom.

Experts have seen ATM losses increase in Europe where identity criminals have created bogus EMV debit/credit cards with consumer bank account data stolen from magnetic-stripe cards. So the thieves are smart and persistent... enough to use 1970's technology to hack 2011 technology.
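To show why static magstripe data can be copied and reused while a chip's per-transaction value cannot, here is an added toy simulation. It is not part of the original post and is deliberately simplified (real EMV uses issuer-derived keys, ARQC/ARPC cryptograms and other checks; this uses an HMAC over a card counter and a terminal nonce). The issuer, card and transaction data are all constructed for the example.

```python
"""Toy comparison: static magstripe data vs. a chip's per-transaction cryptogram.
Constructed illustration, NOT real EMV; only the shape of the check matters."""
import hashlib
import hmac
import secrets
import struct


def _msg(pan: str, atc: int, amount_cents: int, un: bytes) -> bytes:
    """Data bound into the cryptogram: card number, card counter, amount, terminal nonce."""
    return pan.encode() + struct.pack(">IQ", atc, amount_cents) + un


class ChipCard:
    """A card whose secret key lives in the chip and is never read by a terminal."""

    def __init__(self, pan: str, expiry: str, key: bytes):
        self.pan, self.expiry, self._key = pan, expiry, key
        self.atc = 0  # application transaction counter, incremented per use

    def magstripe_track(self) -> dict:
        # What a skimmer copies: static data, identical on every swipe.
        return {"pan": self.pan, "expiry": self.expiry}

    def cryptogram(self, amount_cents: int, unpredictable_number: bytes) -> dict:
        # Fresh value per transaction: depends on the card's counter and the
        # terminal's nonce, so a captured cryptogram is useless next time.
        self.atc += 1
        mac = hmac.new(self._key, _msg(self.pan, self.atc, amount_cents, unpredictable_number),
                       hashlib.sha256).digest()
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "un": unpredictable_number, "mac": mac}


class Issuer:
    """The bank: knows each card's key and the highest counter it has accepted."""

    def __init__(self):
        self._keys, self._expiry, self._last_atc = {}, {}, {}

    def issue(self, pan: str, expiry: str) -> ChipCard:
        key = secrets.token_bytes(16)
        self._keys[pan], self._expiry[pan], self._last_atc[pan] = key, expiry, 0
        return ChipCard(pan, expiry, key)

    def authorize_magstripe(self, track: dict) -> bool:
        # Only static data to compare: a copy is indistinguishable from the original.
        return self._expiry.get(track["pan"]) == track["expiry"]

    def authorize_chip(self, c: dict) -> bool:
        key = self._keys.get(c["pan"])
        if key is None or c["atc"] <= self._last_atc[c["pan"]]:
            return False  # unknown card, or counter not advancing (replay)
        expected = hmac.new(key, _msg(c["pan"], c["atc"], c["amount"], c["un"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, c["mac"]):
            return False  # wrong key (counterfeit chip) or altered transaction data
        self._last_atc[c["pan"]] = c["atc"]
        return True


def demo() -> dict:
    """Run the scenarios from the post: genuine card, skimmed copy, counterfeit chip, replay."""
    bank = Issuer()
    card = bank.issue("4111111111111111", "1214")  # constructed test card number
    track = card.magstripe_track()                  # what a skimmer captures
    skimmed_copy = dict(track)                      # cloned magstripe card
    counterfeit = ChipCard(track["pan"], track["expiry"], secrets.token_bytes(16))  # no real key
    un1, un2, un3 = (secrets.token_bytes(4) for _ in range(3))  # terminal nonces
    genuine = card.cryptogram(1999, un1)
    later = card.cryptogram(500, un3)
    tampered = dict(later, amount=5)                # amount changed in transit
    return {
        "magstripe_genuine": bank.authorize_magstripe(track),
        "magstripe_copied": bank.authorize_magstripe(skimmed_copy),   # accepted: static data
        "chip_genuine": bank.authorize_chip(genuine),
        "chip_replay": bank.authorize_chip(genuine),                  # same cryptogram twice
        "chip_counterfeit": bank.authorize_chip(counterfeit.cryptogram(1999, un2)),
        "chip_tampered": bank.authorize_chip(tampered),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:18s} {'accepted' if accepted else 'declined'}")
```

The copied stripe is accepted because the issuer has nothing but static data to compare, which is the weakness the Consumer Reports quote describes; the counterfeit chip, the replayed cryptogram and the altered amount are all declined because each cryptogram is bound to a key the terminal never sees, a counter that must advance, and the amount and nonce of that one transaction.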

Why aren't banks in the United States moving with the rest of the planet to newer card technology? That would seem to be the logical step, as it would help everyone worldwide: banks and consumers alike. According to Consumer Reports:

"The [identity theft and fraud] losses for banks do not yet exceed the costs of a switch-over, although merchants say that's because they usually shoulder much of the cost burden from fraud."

I don't use a telephone built in the 1970's. I don't drive a car built in the 1970's. And, I wouldn't want to either, and I'll bet that you feel the same way. Consumers should not have to bank with debit- and credit-card technology from the 1970's when newer, more advanced, and more secure technology exists.

If this bothers you (and I surely hope that it does), write to your elected officials in the U.S. Congress and demand action. And, ask your bank why it uses old technology. I am curious what answers you'll hear.


Computer Virus Attack Targeted Verizon Wireless Website

Identity criminals recently used a version of the SpyEye trojan computer virus to attack the Verizon Wireless billing website. This attack was nearly impossible for consumers to detect. Help Net Security reported:

"... the malware waits for the user to logon and access their billing page and only then injects an authentic-looking replica webpage that requests this information. Since the user has logged on and has navigated to the familiar billing page they have no reason to suspect this request for payment information is suspicious..."

The attack occurred between May 7 and May 13. The computer virus attempted to steal bank account information, including:

  • Account holder's full name and street address
  • Phone number and type
  • E-mail address
  • Social Security Number
  • Date of birth
  • Mother’s maiden Name
  • Debit/credit card number, expiration date and security code

With these personal information data items, thieves can open accounts and obtain credit in the victim's name. This version of the SpyEye computer virus is similar to one used to attack banking websites.

A check of the Verizon corporate and Verizon Wireless websites found no press releases about the attack.


Sony Playstation Network Hacked Again

While trying to get its customers up and gaming again after its massive data breach, the Sony Playstation Network suffered another hack, even though the company doesn't call it a hack. The Playstation Network blog reported on Wednesday:

"We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed. Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the website as soon as we bring that site back up."

The timing of this latest security problem couldn't be worse. The Sydney Morning Herald reported:

"Sony chief Howard Stringer has warned he can no longer guarantee the security of the electronics giant's gaming network in the "bad new world" of cybercrime..."

What? Bad new world of cybercrime? Data breaches are not new. Stringer's comments are disappointing, at best. If I were a Playstation Network customer, I'd cancel and close my account.

Earlier this month, Sony suffered two data breaches at its Playstation Network and at its Online Entertainment units. In testimony before the U.S. Congress, a security expert stated that Sony allegedly used obsolete data security software.

A former hacker and lead architect at MyKonos Software, Kyle Adams, said that the hackers may have accessed Sony's servers via its blog, which was running an obsolete version of the WordPress blogging software. Adams also suggested that the hack attack probably was not random and was persistent.


Data Breach at Massachusetts Unemployment Offices

On Tuesday of this week, the Massachusetts Executive Office of Labor and Workforce Development (EOLWD) issued a press release announcing a data breach at the Departments of Unemployment Assistance (DUA) and Career Services (DCS) network. Several employee desktop computers at the One Stop Career Centers were infected on April 20, 2011 with a computer virus that collected and transmitted the confidential information of DUA customers and employees. EOLWD learned of the computer virus on May 16, 2011.

The computer virus collected the following information: names, Social Security Numbers, Employer Identification Numbers, e-mail addresses, residential street addresses, and business street addresses. Bank account information may also have been stolen. The virus may have infected as many as 1,500 DUA computers. With the assistance of Symantec, the EOLWD's computer security consultant, the virus was removed from all affected desktop computers.

While the exact number of breach victims was not disclosed, the press release advised that any consumers who conducted business at a DUA office between April 19 and May 13, plus about 1,200 businesses, should take the following precautions:

The EOLWD plans to notify breach victims directly. Depending upon the number of breach victims, Massachusetts law allows organizations to notify consumers via ads in newspapers or directly via breach letters.

The press release did not state when that notification will be sent, nor whether the notification will offer breach victims a period of free credit monitoring and identity-theft resolution services. The press release did not state whether the state will reimburse breach victims for the costs to place a Security Freeze on their credit reports.

In my opinion, the EOLWD letter to breach victims should address all of these concerns. Since this theft includes enough sensitive personal information for identity criminals to obtain loans or credit in the breach victims' names, I recommend that breach victims follow all of the above precautions. Learn about the differences between the Fraud Alert and Security Freeze options. If you find fraudulent entries in your credit reports, then the stronger protection of a Security Freeze is needed, since it prevents credit from being issued unless you authorize it.

After a data breach in 2007 by a prior employer, I had to learn about these options. I first tried a Fraud Alert, but later placed a Security Freeze on my credit reports at Experian, Equifax, and TransUnion. For me, it was important to have the strongest protections available since I did not need more credit.

If you received a breach notification letter from EOLWD, what did the letter offer? Did you find the notification letter helpful?


Kids, Smart Phones, and The Internet: The Privacy Risks

Over at the Downtown Women's Club blog, Diane Danielson has written a very good article about some of the risks children can expose themselves (and you) to with today's smart phone and Internet access. I've known Danielson for years and her blog is a high-quality one. While performing some online research, Danielson:

"... found the tweet of a kid writing expletives about the local cops. The child’s account was supposed to be a “protected” Twitter account, but for some reason it came up in a search via 3rd-party software..."

Danielson advises parents that nothing is truly private on the Internet, so some oversight by parents of their children's online use is necessary. Children don't yet understand the privacy issues and threats.

"Even if you don’t want to monitor your child, at least take that phone, iPod, laptop, iPad, and/or Xbox live away at night. They really do stay up communicating via these platforms all night long. I noted that this offensive “tweet” was sent from a phone at 11:59 pm..."

Danielson advises parents to perform oversight by running searches (e.g., Google, Yahoo, Bing, etc.) on your children's names, your home address, your name, and your name with your street address. I agree with her advice.


FTC Testifies before Congress About Mobile Privacy

With several mobile device tracking, data collection, and app abuse issues emerging recently, it is important to know the position of one of the chief regulatory agencies in the United States. On May 10, Jessica Rich, Deputy Director of the Bureau of Consumer Protection at the U.S. Federal Trade Commission (FTC), testified before the Senate Judiciary Committee Subcommittee for Privacy, Technology and the Law about mobile device privacy.

Rich first cited some CTIA statistics: wireless penetration of 96% in the United States with 27% having smart phones. During 2010, about 62% of marketers used some form of mobile marketing for their brands.

Rich emphasized that the FTC has explored mobile and wireless issues since 2000, and hosted mobile wireless and consumer privacy workshops that explored some of the issues. As additional proof of the FTC's commitment to mobile privacy for consumers, Rich cited FTC actions against:

  • Google for allegedly deceiving consumers by using information collected from Gmail users to generate and populate a new social network, Google Buzz, without users’ consent,
  • Twitter for serious lapses in the company’s data security that allegedly allowed hackers to hijack accounts and to obtain access to private “tweets” and non- public data,
  • Reverb Communications for alleged deceptive mobile gaming endorsements in the iTunes store,
  • Philip Flora for using 32 pre-paid cell phones to send over 5 million unsolicited text messages to the mobile phones of U.S. consumers.

Based upon several privacy roundtable discussions, the FTC drafted a preliminary report with privacy recommendations:

"First, staff recommends that companies should adopt a "privacy by design" approach by building privacy protections into their everyday business practices... Second, staff recommends that companies should provide simpler and more streamlined privacy choices to consumers. This means that all companies involved in data collection and sharing through mobile devices -- carriers, handset manufacturers, operating system providers, app developers, and advertisers -- should work together to provide these choices and to ensure that they are understandable and accessible on the small screen... Third, the staff proposed a number of measures that companies should take to make their data practices more transparent to consumers, including improving disclosures to consumers..."

All of this was a nice start, but the FTC's position is still weak and is heavily tilted toward corporations at consumers' expense. More balance is needed.

As I read Rich's FTC testimony (PDF), the recommendations are not mandatory but voluntary. And she skipped an important issue: that most or all tracking programs are opt-out based (i.e., consumers are automatically included), instead of opt-in based (i.e., consumers are in control and must opt in or register first before companies can track them).

What do you think?


Microsoft Affirms Its Commitment To Mobile Privacy

Lately, I am liking what I am hearing from Microsoft, versus the silly "sky is falling" letter from Facebook, Google and several other companies. In the Microsoft On The Issues blog, Andy Lees, President of Mobile Communications Business at Microsoft stated this:

"Many consumers and policymakers are asking important questions about how today’s phones are collecting and using information about a phone user’s location. The discussion has intensified over the past few weeks when the practices of two other companies in the mobile market were called into question... We at Microsoft believe this is an important discussion to have. To that end, below, I’ve included what we’ve shared with Congress about the ways Microsoft has taken privacy into account proactively..."

What I like most from Microsoft's statement is that consumers have the power of choice (also known as opt-in):

"1. User Choice and Control. Microsoft does not collect information to determine the approximate location of a device unless a user has expressly allowed an application to collect location information. Users that have allowed an application to access location data always have the option to disable access to location data at an application level..."

Contrast this with the letter from Facebook, Google and others objecting to opt-out. These companies seem so greedy that they don't want consumers to easily be able to opt-out or un-register from a tracking program. I also like this:

"2. Observing Location Only When the User Needs It. Microsoft only collects information to help determine a phone’s approximate location if (a) the user has allowed an application to access and use location data, and (b) that application actually requests the location data. If an application does not request location, Microsoft will not collect location data."

You can download the complete text of Microsoft's statement (Adobe PDF).


Facebook And Google Claim The "Do Not Track" Bill Is Bad For The Economy

In a letter to the California legislature (PDF), several companies including Facebook and Google claim that the proposed "Do Not Track" law is bad for the California economy:

"California Senate Bill 761 would create an unnecessary, unenforceable and unconstitutional regulatory burden on Internet commerce. The bill covers an overly broad range of information, and would regulate indirectly virtually all businesses who collect, use or store information from a website. The measure would negatively affect consumers who have come to expect rich content and free services..."

The companies that signed this letter included Acxiom, Allstate, American Express, Experian, Facebook, Google, Reed Elsevier, Specific Media, Time Warner Cable, Yahoo, and others. The companies claim that SB 761 is unnecessary because:

"... consumers can easily opt out of the collection of data through browser tools. The four leading Internet browsers - Internet Explorer, Safari, Firefox, and Google Chrome - all provide user-friendly filtering options that block the ability of companies to collect data or track Internet use."

This is not entirely correct, as websites and companies are not required to honor the do-not-track request from the web browser. According to these companies, this is how California's economy could be harmed:

"SB 761 would create a second, conflicting set of standards to which companies would have to conform or else face class action lawsuits. This would, in turn, create significant confusion and uncertainty for investors, businesses and consumers. Online commerce would simply be unworkable if websites were forced to comply with a patchwork of privacy and notice laws. This would impose an unprecedented and arduous regulatory burden on Internet commerce. Further, a do not track requirement on the use of this data would stifle innovation..."

A patchwork quilt of laws? That is what we have today with breach notification and data security across states. If these companies can exist with a patchwork quilt of breach notification laws in one area, they can live with a patchwork quilt of laws in another area.

The bigger issue is that these companies have taken a strong stand for extensive tracking. How? These companies are content with opt-out as the program standard: consumers are always automatically included and the burden is on consumers to consistently opt out. I have long argued in this blog for the program standard to be opt-in: consumers aren't included until the consumer chooses to register or opt in.

Plus, Facebook's objections to any limitations on consumer tracking are not a surprise to me, given Facebook's ties to Rapleaf, and how Facebook uses its social plugins to both deliver content and to track consumers across the Internet. When you visit a website with a Facebook social plugin, Facebook captures the date and time of your visit, the web page visited, your IP address, your computer's operating system, and (if you are signed into Facebook) your Facebook user ID number. This data collection rivals what Google collects.

The letter has a "sky is falling" aspect to it. These companies operated well when the Internet had little or no tracking. They will survive regardless of the claims.


Proposed "Do Not Track" Law In California: Senate Bill 761

It's been a busy couple of weeks regarding privacy news, and unfortunately the Sony data breaches have temporarily pushed aside other important news. Since California led the way with data breach notification legislation for consumers, I definitely wanted to discuss the following news.

In February of this year, California Senator Alan Lowenthal introduced legislation (California Senate Bill 761) to provide consumers with greater protections and controls over mobile privacy. Since February, the original legislation has been amended a couple of times. The latest bill revision, as of April 25, stated:

"... to adopt regulations that would require a covered entity, defined as a person or entity doing business in California that collects, uses, or stores online data containing covered information from a consumer in this state, to provide a consumer in California with a method to opt out of that collection, use, and storage of such information. The bill would specify that such information includes, but is not limited to, the online activity of an individual and other personal information. The bill would subject these regulations to certain requirements, including, but not limited to, a requirement that a covered entity disclose to a consumer certain information relating to its collection, use, and storage information practices. The bill would, to the extent consistent with federal law, prohibit a covered entity from selling, sharing, or transferring a consumer's covered information. The bill would make a covered entity that willfully fails to comply with the adopted regulations liable to a consumer in a civil action..."

This bill starts to get a handle on the extensive data sharing by companies that most companies do not disclose in their website privacy and terms policies. Covered information includes consumers' online usage, including:

"... the Internet Web sites and content from Internet Web sites accessed; the date and hour of online access; the computer and geolocation from which online information was accessed; and the means by which online information was accessed, such as, but not limited to, a device, browser, or application... Any unique or substantially unique identifier, such as a customer number or Internet Protocol address... Personal information including, but not limited to, a name; a postal address or other location; an e-mail address or other user name; a telephone or fax number; a government-issued identification number, such as a tax identification number, a passport number, or a driver's license number; or a financial account number, or credit card or debit card number, or any required security code, access code, or password that is necessary to permit access to an individual's financial account."

That should sufficiently cover the UDID unique identifier in smart phones and mobile devices. I hope that more states pursue and adopt similar legislation. As reported in The Register UK:

"California stands to become the first US state to pass do-not-track legislation and is poised to beat any national law. The Do Not Track Me Online Act was only introduced to the US House of Representatives in Washington DC in February – that was by another Californian Democrat, Jackie Speier – and must navigate Capitol Hill's partisan log jam."

What I found most important for consumers to know:

"... the problem with do-not-track at the browser level is that there's no requirement on the web site to honor the do-not-track request."
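The two points above, that a third-party embed such as a social plugin sees the page you were on, your IP address, your browser and (if logged in) your user ID, and that honoring the browser's do-not-track request is entirely up to the receiving site, can be made concrete with a small server-side model. The following is an added example, not code from the original post or from any of the companies named; the request samples, the `uid`, `track_consent` and `track_optout` cookie names, and the two policies are all constructed assumptions.

```python
"""Toy third-party widget endpoint: what an embedded plugin request reveals,
and how the server can honor the DNT header under an opt-in or opt-out policy.
Constructed example; cookie names and sample traffic are assumptions."""
from http.cookies import SimpleCookie
from urllib.parse import urlparse


def parse_cookies(header: str) -> dict:
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def observe(request: dict) -> dict:
    """Everything the widget host learns from one embed request: the page it was
    embedded on (Referer), the visitor's IP, an OS hint (User-Agent), the time,
    and, if the visitor is logged in to the widget host, their user id."""
    h = request["headers"]
    page = urlparse(h.get("Referer", ""))
    cookies = parse_cookies(h.get("Cookie", ""))
    return {
        "time": request["time"],
        "page": page._replace(query="", fragment="").geturl() or None,
        "ip": request["remote_addr"],
        "user_agent": h.get("User-Agent"),
        "user_id": cookies.get("uid"),  # assumed name of the host's login cookie
    }


def tracking_permitted(request: dict, policy: str) -> bool:
    """Decide whether this visit may be recorded.
    'opt-out': record unless the visitor objected (DNT: 1 or an opt-out cookie).
    'opt-in' : record only if the visitor explicitly consented."""
    h = request["headers"]
    cookies = parse_cookies(h.get("Cookie", ""))
    if h.get("DNT", "").strip() == "1":
        return False  # honoring DNT is the server's choice; no law or browser forces it
    if policy == "opt-in":
        return cookies.get("track_consent") == "yes"  # assumed consent cookie
    if policy == "opt-out":
        return cookies.get("track_optout") != "yes"   # assumed opt-out cookie
    raise ValueError(f"unknown policy {policy!r}")


def serve_widget(request: dict, policy: str, log: list) -> bytes:
    """Return the widget markup; append an observation only when permitted."""
    if tracking_permitted(request, policy):
        log.append(observe(request))
    return b"<div class='widget'>Like</div>"


# Constructed sample traffic: three visitors loading the same embedded widget.
SAMPLE_REQUESTS = [
    {   # logged-in visitor, no DNT, no consent cookie
        "time": "2011-05-12T14:03:07Z", "remote_addr": "198.51.100.23",
        "headers": {"Referer": "https://news.example/article/42?utm=x",
                    "User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0",
                    "Cookie": "uid=8675309"}},
    {   # logged-in visitor whose browser sends DNT: 1
        "time": "2011-05-12T14:03:09Z", "remote_addr": "203.0.113.8",
        "headers": {"Referer": "https://news.example/article/42",
                    "User-Agent": "Mozilla/5.0 (Macintosh) Safari/533",
                    "DNT": "1", "Cookie": "uid=1234"}},
    {   # anonymous visitor who explicitly consented to tracking
        "time": "2011-05-12T14:03:11Z", "remote_addr": "192.0.2.77",
        "headers": {"Referer": "https://news.example/",
                    "User-Agent": "Mozilla/5.0 (Linux) Chrome/11",
                    "Cookie": "track_consent=yes"}},
]


def run(policy: str) -> list:
    """Serve the sample traffic under one policy and return what got logged."""
    log = []
    for req in SAMPLE_REQUESTS:
        serve_widget(req, policy, log)
    return log


if __name__ == "__main__":
    for policy in ("opt-out", "opt-in"):
        print(policy, [(o["ip"], o["page"], o["user_id"]) for o in run(policy)])
```

Under the opt-out policy the first visitor is logged with page, IP and user ID without ever having been asked; under opt-in only the visitor who set the consent cookie is logged. The DNT visitor is protected in both runs only because this server chose to check the header, which is exactly why the browser setting alone cannot protect anyone.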

The consumer advocacy group Consumer Watchdog sponsored the California legislation, and wrote this in an April 2011 letter to Google (PDF):

"As you are aware, online commerce relies on consumer trust. Sadly, much of the current Internet business model is based on invasive and pervasive tracking of consumers’ online activities without their knowledge or control. This should not be the business model of a company whose motto is “Don’t Be Evil.” Do Not Track legislation would give consumers meaningful protection and control. It would build their confidence in the Internet – a win, win situation for business and consumer."

I agree with Consumer Watchdog, as I have covered in this blog the pervasive and undisclosed online tracking in posts about tracking by credit reporting agencies, unannounced tracking with Flash cookies, persistent tracking with "zombie" cookies, and tracking by the advertising networks.


Sony Used Obsolete Data Security Software; Debix Offered

On Friday, eWeek reported that the massive Sony Playstation Network data breach could have been avoided if Sony had used basic online data security measures:

"Sony failed to use firewalls to protect its networks and was using obsolete Web applications, which made the company’s sites inviting targets for hackers, a Purdue University professor testified May 4 to a Congressional committee..."

Consumer Reports reported much of the same:

"In congressional testimony this morning, Dr. Gene Spafford of Purdue University said that Sony was using outdated software on its servers—and knew about it months in advance of the recent security breaches..."

Between the two Sony PSN and SOE breaches, about 102 million consumers worldwide have been affected. Sony has arranged for 12 months of complimentary credit monitoring service via Debix for breach victims in the United States. Sony is currently notifying breach victims of the June 18 deadline to enroll in the Debix AllClear ID Plus program. Sony has not disclosed the number of breach victims in the United States, nor what credit monitoring service will be offered to breach victims outside the United States.

This past week, Congress held hearings about the Sony and Epsilon data breaches. In a letter from Sony to the U.S. Congress, the company stated that it had experienced a Distributed Denial of Service (DDoS) attack before the data breaches. Sony claimed that this DDoS attack and the sophistication of the data breach made the breach difficult to detect. When I read this, it sounded like Sony could not walk and chew gum at the same time. I expect much more from a multi-billion dollar corporation.

A response from Congressional Representative Mary Bono Mack (Republican - California), Chairman of the House Subcommittee on Commerce, Manufacturing and Trade, included this:

"Like their customers, both Sony and Epsilon are victims, too. But they also must shoulder some of the blame for these stunning thefts, which shake the confidence of everyone who types in a credit card number and hits enter. E-commerce is a vital and growing part of our economy... these latest cyber attacks, they serve as a reminder – as well as a wake-up call – that all companies have a responsibility to protect personal information and to promptly notify consumers when that information has been put at risk..."

I view Mack's statement as too mild when the scope and severity of the breaches demand a stronger response. Mack could have emphasized more than just the need for fast breach notification of consumers. Consumers didn't cause this breach. While fast notification helps consumers somewhat, the best solution -- breach prevention -- lies with the corporation.

Massive breaches like Sony's will continue as long as companies act fast, loose, and sloppy with data security of consumers' sensitive personal data. Massive breaches like this will continue as long as the costs to upgrade data security outweigh the costs of any penalties. There have to be penalties for companies that repeatedly experience data breaches, and/or use obsolete data security software and methods.

It appears that in Sony's case, the company's sloppy data security made it easy for criminals to steal sensitive consumer information. 12 months of free credit monitoring is not enough, because the threat of criminals using stolen identity and bank data doesn't magically stop after 12 months. 5 or 10 years of complimentary credit monitoring service would be better. And, the cost of providing breach victims with free credit monitoring services is small compared to other post-breach expenses.

When companies offer a short, 12-month period of free credit monitoring, that effectively transfers the burden -- time and money -- to consumers from month 13 on. Even though consumers didn't cause this breach, consumers end up spending time and money long-term to monitor and protect their accounts long after the free credit monitoring period has ended.

What do you think?


Second Sony Data Breach Exposes Personal Data of 24 Million Consumers

You've probably heard of the massive Sony Playstation Network data breach that affected 77 million customers. Well, there has been a second Sony data breach.

In a May 2 press release, Sony Online Entertainment (SOE) announced that hackers had breached its servers and stolen consumers' sensitive personal information, including name, address (city, state, zip, country), email address, gender, birth date, phone number, sign-in credentials (e.g., login name and hashed password), and debit/credit card account information:

"Customers outside the United States should be advised that we further discovered evidence that information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained."

The stolen bank account data included bank account number, account holder name, and account holder address. All of the above stolen personal data is sufficient for identity criminals to open fraudulent accounts and/or access existing accounts. SOE is notifying affected consumers via e-mail with Innovyx, their third-party email distributor. Reportedly, the e-mail notifications will contain either 'soe.innovyx.net' or 'soe.sony.com' in the sender field. SOE has also:

"Temporarily turned off all SOE game services; engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and quickly taken steps to enhance security and strengthen our network infrastructure..."

In a May 3 press release, SOE announced an update of their breach investigation:

"This information, which was discovered by engineers and security consultants reviewing SOE systems, showed that personal information from approximately 24.6 million SOE accounts may have been stolen..."

Since SOE gaming websites are down, SOE will add 30 days onto its customers' subscriptions and compensate them for each day of downtime. SOE produces popular, multi-player online games, including EverQuest, EverQuest II, Champions of Norrath, Clone Wars Adventures, and DC Universe Online.

Given that debit and credit card data was stolen, consumers should check their bank accounts for fraudulent entries and change their sign-in passwords. The SOE breach notification contains the usual disclosures advising consumers to check their credit reports for fraudulent entries and to contact the U.S. Federal Trade Commission's identity theft website for advice and tips about how to protect themselves and their bank accounts.


LastPass Announces Data Breach

Many consumers use software to manage the numerous passwords needed to sign into various online accounts and websites. LastPass, maker of password management software that works with web browsers and smart phones, announced that it had discovered some unexplained access to its servers. As a result of its investigation, the company is assuming a data breach:

"We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes..."

PC Magazine rated both the free and premium LastPass versions highly. LastPass advised its customers to change their passwords:

"If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words... To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address."

LastPass customers should monitor the company's blog for updates.

While this event is unfortunate, it is good to see a company act on the side of extreme caution, and notify consumers in a transparent, direct, and honest manner.
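The "server salt and salted password hashes" and the dictionary-word brute-forcing risk that LastPass describes above, as an added example (my Python, not LastPass's code): each record gets its own random salt and a deliberately slow PBKDF2 derivation, and a dictionary-based master password is rejected when it is set. The wordlist and the stored-record format are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed for this example: a tiny stand-in for a real dictionary wordlist.
COMMON_WORDS = {"password", "dragon", "monkey", "football", "sunshine"}

# Iteration count is the per-guess cost an offline attacker must pay for
# every candidate password; raise it as hardware gets faster.
ITERATIONS = 100_000


def is_dictionary_based(password: str) -> bool:
    """Flag passwords that are a dictionary word, even when the user has
    tacked digits or a symbol onto it (e.g. 'Dragon123!')."""
    core = password.lower().strip("0123456789!@#$%^&*")
    return core in COMMON_WORDS


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh 16-byte salt per record means two users with the same password
    get unrelated hashes, so a stolen table cannot be attacked in bulk."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in
    constant time so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def set_master_password(password: str) -> str:
    """Policy gate at set time: a dictionary-based master password is the
    one case a salted, slow hash cannot protect, so refuse to store it."""
    if is_dictionary_based(password):
        raise ValueError("master password is dictionary-based; choose a passphrase")
    return hash_password(password)


if __name__ == "__main__":
    record = set_master_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```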


Mobile Phone Number And Data Are More Widely Available Than You Might Think

Phone calls in the middle of the night are never good.

My smart phone rang at 3:10 am the other morning. Yes, it woke me up. I glanced at the number and it wasn't from anyone I know. I went back to sleep concluding that if the call was really important, they would call again.

The next morning, my curiosity got the better of me. I paused work to look up the mystery phone number at the AT&T Anywho website. If the phone number is listed and isn't a cellular line, I have found that Anywho usually has it.

The Anywho Reverse Number feature didn't find the mystery phone number, but it suggested that the Intelius website might:

Anywho.com reverse number look-up search results

I followed the link to the Intelius website which identified the mystery caller from a number registered in North Dakota, plus some juicy details:

Intelius.com reverse number look-up search results

Who knew that Intelius captured and displayed the caller's GPS coordinates? I have not tested how dynamic the GPS coordinates are, or whether they are static or updated in real time.

If I wanted to know more, I could have paid for an Intelius report; or searched Pipl or Spokeo. I didn't since my curiosity was satisfied. I don't know anyone from North Dakota. Plus, the call could have been an accidental butt-dial or drunk dial.

Where did Intelius get this mobile phone data? Who knows. The phone's owner could have included their mobile number on property ownership or other public documents. My guess: this person's mobile number was listed on a publicly available social networking website page, or obtained via a retailer or website that resold the data to an information broker.

The point: there is more data available online about you than you realize. Safeguard your personal details, and share them only with people/companies you trust.


Ponemon Report: Costs of a Data Breach

Given the massive Sony Playstation Network data breach in April, and the claim by a Marketplace expert that Sony delayed customer notification to lower its post-breach costs, I thought that I would take another look at the report about breach costs.

Back in March 2011, the Ponemon Institute released its findings on breach costs for 2010. There are separate reports for the U.S. and the U.K. Findings from the U.S. report:

  • More organizations respond faster to data breaches. In 2010, 43% notified breach victims within a month, up 7% from 2009.
  • Faster response costs more. Organizations that notified breach victims within a month incurred an average cost per record of $268 in 2010, up $49 (22%) from $219 during 2009. Companies that took longer to respond incurred an average cost per record of $174, down $22 (11%) from 2009.
  • Malicious or criminal attacks were about a third (31%) of all data breaches.
  • Malicious or criminal attacks are more expensive, too, averaging $318 per record during 2010, up $103 (48%) from 2009.
  • The average cost per record comprised $74 of direct costs (34%), up 22% from 2009, and $144 of indirect costs (66%). Ponemon found that direct costs have been increasing since 2008 while indirect costs have declined. Direct costs include expenses for organizations to comply with data security regulations (Federal, state, and local), breach detection, and the notification of breach victims and government officials.
  • Data breach costs have risen for a fifth consecutive year. The average organizational cost of a data breach was $7.2 million during 2010, up 7% from $6.8 million in 2009.
  • The customer churn after a data breach contributed to breach costs, and varied by industry. While the average churn rate across all companies studied was 4%, the highest churn rates were in pharmaceuticals and healthcare (7% each). The industries with the lowest churn rates were the public sector (less than 1%) and retail (1%).
  • Similarly, the average breach cost per record varied by industry. In 2010, the industries with the highest average per-record costs were communications ($380), financial ($353) and pharmaceutical ($345). The industries with the lowest per-record costs were media ($131), education ($112), and the public sector ($81).

The causes of data breaches and their associated costs:

Breach Type                    Present   Frequency   2010 Avg. Cost/Record
First Timer                    YES       20%         $326
Malicious or criminal attack   YES       31%         $318
Third-Party Mistake            YES       39%         $302
Quick Response                 YES       43%         $268
Lost or Stolen Device          YES       35%         $258
System Failure                 YES       27%         $210
Negligence                     YES       41%         $198
CISO Leadership                YES       45%         $193
External Consulting Support    YES       37%         $191

The analysis of costs:

Cost Type                              2010    2009
Lost Customer Business Due To Churn    39%     40%
Legal Services: Defense                14%     14%
Investigations & Forensics             11%     8%
Audit and Consulting Services          10%     12%
Customer Acquisition Costs             9%      9%
Contact Costs: Inbound                 6%      5%
Contact Costs: Outbound                5%      6%
Legal Services: Compliance             2%      2%
Identity Protection Services           2%      2%
Free or Discounted Services            1%      1%
Public Relations / Communications      1%      1%
TOTAL                                  100%    102%

Based on the above cost analysis, the free or discounted credit monitoring services that organizations often provide to breach victims (e.g., consumers, employees) are not a major cost component. This suggests that companies could provide longer periods of free credit monitoring and credit restoration services. For example, the State of Texas is offering its breach victims a single year of complimentary credit monitoring.

Ponemon studied breaches for 51 companies. Download the 2010 Ponemon U.S. Cost Of A Data Breach report (PDF format).


Sony Apologizes For Its Playstation Data Breach

Forbes reported a Sony press conference on Sunday where the company apologized for its recent Playstation Network (PSN) data breach:

"Kazuo Hirai, head of the company’s networked product division began by saying that, 'we’d like to extend our apologies to the many Playstation Network and Qriocity service users who we inconvenienced and worried because we potentially compromised their customer data. We offer our sincerest apologies.'"

Sony executives at the press conference included Kazuo Hirai (Corporate Executive Officer, Executive Deputy President and President of Consumer Products & Services Group), Shinji Hasejima (Senior Vice President, Corporate Executive, Chief Information Officer), and Shiro Kambe (Senior Vice President, Corporate Communications). The company confirmed that PSN customers' passwords were not encrypted but were hashed. The company promised to offer several freebies and premium content to its customers affected by the data breach under a "Welcome Back" appreciation program.

A PSN press release on Sunday repeated much of the information from the press conference (video). The company said that it would begin restoring some PSN and Qriocity services, which were shut down immediately after the data breach, and that it expects to resume full services within a month. The order of planned resumption of services:

  • Restoration of Online game-play across the PlayStation®3 (PS3) and PSP® (PlayStation®Portable) systems. This includes titles requiring online verification and downloaded games
  • Access to Music Unlimited powered by Qriocity for PS3/PSP for existing subscribers
  • Access to account management and password reset
  • Access to download un-expired Movie Rentals on PS3, PSP and MediaGo
  • PlayStation®Home
  • Friends List
  • Chat Functionality

Sony emphasized that it will not ask PSN customers for passwords via e-mail, and asked customers to be alert for phishing spam. Sony also summarized its efforts to strengthen the security of its networks:

  • Added automated software monitoring and configuration management to help defend against new attacks
  • Enhanced levels of data protection and encryption
  • Enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns
  • Implementation of additional firewalls

The Welcome Back program makes sense as customer churn is one of the largest expenses companies experience after a data breach.


Consumers Should Secure Their Home WiFi

Prior posts have advised readers to secure their home WiFi networks. And I know a few friends and family who still haven't. For those of you who haven't yet secured your home wireless routers, perhaps this Yahoo News story will move you.

A Buffalo man found himself lying on his family room floor, with F.B.I. agents in the room with assault weapons trained on him. Shouts of "pedophile!" and "pornographer!" filled the room. The man claimed his innocence, but agents confiscated for three days his desktop computer, his wife's computer, their iPads, and iPhones.

After searching these devices, agents were convinced that the Buffalo man was telling the truth. What happened? He had set up a new home wireless router without a password, and a neighbor used it to download child porn.

In February of this year, the WiFi Alliance announced the results of a survey in which 32 percent of Americans admitted to using a WiFi network that wasn't theirs. In 2008, that percentage was 18 percent. So, your neighbors are increasingly likely to use an unsecured home WiFi network, if you let them.

What should consumers do to protect themselves? The WiFi Alliance advises:

  • Use the newer WiFi Protected Access 2 (WPA2) security for your home wireless router. It encrypts data for privacy and controls who has access to your home network.
  • Use Wi-Fi CERTIFIED™ products that support WPA2 security.
  • Use strong passwords: at least 8 characters long, no dictionary words or personal information, and a mix of upper and lower case letters and symbols.
  • Use public WiFi hotspots for general Web surfing, and don't use them to access sensitive websites, like your bank's.
  • Turn off automatic connecting on your smart phone, laptop, and/or tablet devices.
  • Be alert for wiphishing hotspots that imitate trusted WiFi networks and then steal your sign-in credentials or personal data.