Previous month:
June 2012
Next month:
August 2012

14 posts from July 2012

Update: Massachusetts 2011 Breach Notification Report

Back in April, this blog discussed the release of the 2011 Data Breach Notification Report (Adobe PDF) by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR). Since then, I further analyzed some of the results from the report. New charts are below.

You may remember that the report covered data breach activity since October 31, 2007, when the state's breach law went into effect. The 2007 law requires businesses that store consumers sensitive personal information to notify the OCABR if they experience or suspect a data breach. In 2009, the state enacted tougher data security rules. In March 2010, the law was amended to require applicable businesses to develop a comprehensive, written information security program and to encrypt certain data.

Some highlights from the report:

  • 1,833 data breaches and 3,166,031 Massachusetts residents affected since November 1, 2007
  • Notable data breaches during 2011: Sony Playstation, Michael's craft stores, Departments of Unemployment Assistance and Career Services
  • Industries with the most data breaches include financial service, health care, education, and state government
  • While the number of breaches are evenly split between malicious and non-malicious categories, on average malicious data breaches affect a larger number of residents with each breach compared to non-malicious breaches
  • On average, breaches where information is stored in electronic formats are substantially larger than breaches where information is stored in paper format

Breach history (number of data breaches):

YearMalicious BreachesNon-Malicious BreachesTotal Breaches
  # % of Total   % Of Total
2007 11 44% 14 56%  25
2008 257 55% 214 45%  471
2008 261 61% 170 39%  431
2010 161 36% 291 64%  452
2011 241 53% 213 47%  454
Total 931 51%
902 49% 1,833
The non-malicious category includes breaches where, "... either negligence or mistakes by employees or third-party contracgtors resulted in exposing personal information..."

The malicious category includes breaches:

"... made by disgruntled former employees of businesses which held personal information who either retained access to data, or used the access codes of a former coworker to gain access."

The average number of residents affected per data breach:

YearMalicious BreachesNon-Malicious BreachesTotal Average Residents/Breach
2007   372   356   363
2008 1,009 2,139 1,522
2008 1,337   209   892
2010 5,757   374 2,291
2011 3,811   421 2,221
Total 2,640   773 1,721

Breach activity based on the storage format of the information:

  # Breaches
Residents / Breach # Breaches
Residents / Breach
2007 20 432 7 16
2008 331 2,112 81 21
2008 324 1,074 106 54
2010 326 2,912 143 437
2011 364 2,954 106 140
Total 1,365 2,256
443 192

The number of breaches by industry:

IndustryBreaches: 2011
Breaches: 2007 - 2011
Commercial 19 43
Education 24 101
Entertainment 10 30
Federal Government -- 1
Financial Services 257 955
Food & Beverage 5 35
Health Care 63 214
Local Government 2 7
Manufacturing 4 29
Not-For-Profit 4 30
Other 36 164
Pharmaceutical 1 16
Retail 2 21
State Government 18 87
Technology 12 79
Telecommunications 2 17
Trade Union -- 4
Total 459 1,833

I’ve Got The Facebook Social Plug-In Blues…

[Editor's Note: today's post is by guest author R. Michelle Green, the Principal for her company, Client Solutions. She is a combination geek girl, personal organizer, and career coach. Michelle helps others improve their use of technology in their personal or professional life. Today, she discusses what happens when a user clicks the social networking service's Like button.]

By R. Michelle Green

What happens when I like something on Facebook? What is triggered by expressing an ostensibly innocuous opinion about something, or expressing interest in a movement or event?

Liking a comment just provides a labeled count. Liking a site like Huff Post or Newsweek (rather than a particular article on the site) means I am permitting that entity not only the count, but also delivery, along with their content, my face, name and any information I’ve made public. You wouldn’t necessarily know what content your face is presented with, just that it’s content from that site. The Like button is one of Facebook’s social plug-ins. Facebook provides a nice two minute video describing how FB plug-ins work: instead of having your social experience in one place and your specialized information experience all the way over there in a separate browser tab (oh the effort), social plug-ins bring your social experience to your personal experience, wherever you are on the web. Your information resides at FB and is simply transmitted to the other page. (Can haz UR info, says an LOL cat in the video. No, says the cartoon representing FB.) It saves you from laboriously looking for what you want to read by learning instead what your friends’ read (and, FB implies, what you want to read). This is what Facebook tells users.

What do they tell developers? Enough to get paid $3.2B in 2011 ad revenues.

Many developers want everything, not just public info. Any desktop or mobile app gets basic info from you: id, name, picture, gender and locale (i.e., English speaking in the US), and anything else you’ve made public. If they want more, their authentication request to you must ask you for permission – and for many users it’s routine to give it (how are you going to know where the pizza places near you are if you don’t give up your 9 digit Zip Code, for example). But if you want to play the game / get the coupons / preview the video / win a prize bad enough, will you worry about providing access to any photo you’re tagged in? Or your actual location? Or the contents of your lists of friends (or their lists of their friends)? Or the location of your child’s school? (it could be in that photo’s metadata...)

Extended permissions could include the ability to access your inbox, read your notifications, or create/modify on your behalf events posted on your page. The range of possible permissions is quite scary. And before you say hey I’d never agree to that, tell me the last time you fully read some site’s Terms of Use. Even cooler (for the developer) is their continued access to you, whether you are on or offline. (FB now times out offline access, but the developer can still get expiring offline access renewed...) A developer’s stories can become a, “... persistent ‘brand billboard’ of ongoing updates, which tell the story of the relationship between the consumer and the brand.” Except that most owners of billboards get paid for the use of that space...

And FB continues to busy itself adding still more info to the curation of your life. Now they plan to tell others what messages you did and didn’t read from within a Group’s posts. Will seeing get misinterpreted as liking, or supporting? Can you really believe it won’t? And this capability cannot be disabled as currently configured.

Oooh, I sound paranoid. Ok, hypothetical. Say there’s a politician I don’t like (just one!?!) He finally said something rational, and I wanted to reinforce it. Maybe I just ‘liked’ the comment; maybe I inadvertently ‘liked’ the individual. When I next sign on (days? weeks?), my timeline might be filled with events and comments, ostensibly from me (implicitly, if not explicitly), with which I disagree.

I’ll readily admit there are hurdles or checkpoints where the user, FB or the developer could intervene, but the framework is clearly there.

Not sure I’d ‘like’ that.

CFPB Begins Supervision Of Credit Reporting Industry

At a July 15, 2012 Credit reporting Field Hearing in Detroit, Richard Cordray, Director of the Consumer Financial Protection Bureau (CFPB), explained the bureau's role in overseeing the credit reporting industry. Some highlights from Mr. Cordray's speech:

"After the financial crisis and extreme credit crunch of 2007-2008, tens of millions of Americans are now being pursued by debt collectors. Many people’s credit ratings have taken a hit and... They are blocked from obtaining access to the credit that is often so essential to meaningful opportunity – to get an education, start a business, or buy a house. We understand these realities at the Consumer Financial Protection Bureau because we hear about them from consumers every day. We also believe it is important to get out of Washington and listen directly to consumers by meeting them face to face. So we are glad to be with you today..."

About the CFPB's oversight role:

"Today, the Consumer Bureau is issuing a new regulation to expand our supervision program to oversee these credit reporting companies. The authority to supervise firms is the authority to conduct on-site examinations of whether and how they are complying with the law... we will be supervising the credit reporting companies that are the larger participants in this marketplace. These companies have never before been subject to a federal supervision program. Starting this September, we will be monitoring and examining them just as we monitor and examine the big banks... Up to this point, no single federal government agency could access all the information necessary to generate a complete picture of what was happening inside these companies..."

The credit reporting industry is huge, as the three largest credit reporting agencies (Experian, Equifax, and TransUnion) maintain credit reports for about 200 million people in the USA. Those reports contain inputs from about 10,000 information providers: lenders and companies that make loans to individuals.The industry sells about 3 billion credit reports every year to potential lenders. What consumers may not know:

"A credit report contains information about the consumer’s transactions – including loans that a consumer has paid on time, has paid late, has not paid, or has paid off, along with current amounts and sources of debt. The credit reporting companies also collect and report on information about consumers’ finances available from public records, including civil judgments, liens, and bankruptcies from thousands of federal, state, and local courts and public offices. The information contained in consumers’ credit reports is used to derive their credit scores... Credit scores translate this great mass of information into a single number that indicates, in shorthand, a consumer’s expected likelihood of repaying a loan... But credit reports are also used in a wide range of other types of decision-making – including determinations about eligibility for rental housing, what deposits are required for utility or telephone service, and premiums for auto and homeowners’ insurance. Credit reports are even sometimes used to determine eligibility for a job. Banks, landlords, cell phone providers, and all kinds of other companies rely on the accuracy of this information..."

The CFPB will focus on three areas:

"First, our oversight of the credit reporting companies will help us make sure that the information provided to them is itself reliable. Lenders and others who furnish information to the credit reporting companies are legally required to have policies in place about the accuracy and integrity of the information they report – which includes identifying consumers accurately, correctly recounting their actual payment history, and keeping their information and record-keeping in order. Otherwise, their sloppy work becomes the true source of harm to the consumer’s overall creditworthiness... Second, given the number of complaints we have already heard from consumers, and the findings reached in some (but not all) reports on the subject, we want and need to know more about the accuracy of how the credit reporting companies assemble and maintain the information contained in consumer credit reports. Accuracy is critical for consumers and for markets... because of the increasingly significant role these reports are taking on in our financial lives, the collateral consequences of mistakes can greatly harm consumers... Third, we are keenly interested in understanding more about the problems and frustrations that consumers tell us they encounter in trying to resolve disputes about the information contained in their credit reports. Some errors may be unavoidable even in the best of systems. But when consumers find what they perceive to be erroneous information in their credit reports, they should not be burdened by unreasonably laborious processes to get errors removed from their files..."

During the last five years, I've written plenty about credit reporting agencies including fraud alerts, security freezes, data breaches, violations, offshore outsourcing, consumer satisfaction surveys, reviews of credit monitoring services offered by credit reporting agencies, and several industries that historically haven't used but now want access to the information in consumers' credit reports. It was good to read Director Cordray's remarks.

Data Breach At The Consumerist Website

A data breach at The Consumerist website has exposed the passwords of users who have submitted comments at the website. As a result of the breach, the website was taken down twice last week and the commenting feature was temporarily disabled. In an announcement, the website stated:

"Because of the nature of the investigation, we cannot – at this time – share further details of the specific changes. But we do want you to know of two actions we will be taking in the next few days that may affect your experience on the site:"

So, the breach investigation is ongoing. The website plans to reset all users' passwords. The website advises users to:

  • Change your passwords at any other websites where you use the same password to sign in
  • Run a scan of your computer to check (and remove) any computer viruses installed

At its July 16 breach announcement, the website had hoped to restore the commenting feature in a couple days. At press time, a check of the website found that this feature was still disabled.

Data Breach At Beth Israel Deaconess Medical Center Affects 3,900 Patients

About 3,900 patients of Beth Israel Deaconess Medical Center (BIDMC) are being notified of a data breach exposing their sensitive personal information. According to the Boston Globe newspaper, the patient records were stored on a physician's laptop which was stolen from an office on May 22. The hospital has already notified local law enforcement and began a breach investigation to determine the data exposed/stolen.

This is a second major breach at the hospital. In July 2011, a breach exposed the protected health information (PHI) of about 2,021 patients after a vendor failed to restore security controls on an Internet-connected computer during routine maintenance. That 2011 breach exposed patients' names, BIDMC medical record numbers, gender, date of birth and the date and name of radiology procedures. According to the 2011 breach announcement, the breached computer, infected with a computer virus, had transmitted stolen data to an unknown location.

A check of the hospital's website did not find an announcement yet about its 2012 breach. Hopefully, the data was encrypted on the laptop. Earlier this month, BIDMC was again rated by U.S. News & World Report as a leading hospital in the USA.

After its 2011 breach, BIDMC provided affected patients with one year of free identity protection services, and a list of state and federal resources.

[Update, Tuesday May 23, 1:30 pm: BIDMC released a press release later on Monday, explaining that it was in hte process of contacting affected patients. Local law enforcement had arrested a suspect, but the stolen laptop had not been recovered.]

CFPB Announces Capital One Bank To Pay $165 Million For Deceptive Marketing Tactics

Logo for Consumer Financial Protection Bureau The Consumer Financial Protection Bureau (CFPB) announced Wednesday the terms of a Consent Order where Capital One Bank (USA), N.A. will pay both $140 million to about 2 million customers, and a $25 million fine for deceptive marketing tactics. After an investigation, the CFPB:

"... identified deceptive marketing tactics used by Capital One’s vendors to pressure or mislead consumers into paying for “add-on products” such as payment protection and credit monitoring when they activated their credit cards."

The CFPB found that Capital One vendors misled customers about the benefits of these add-on products (e.g., increase their credit scores), deceived about how the products operated (e.g., not always told that the products were optional), misled about their eligibility (e.g., some call center representatives sold products to ineligible consumers), misinformed consumers about the cost of products (e.g., told it was free when it wasn't), and enrolled without their consent.

Additional enforcement actions by the CFPB against Capital One Bank:

  • Stop marketing these add-on products until after the bank submits a compliance plan to the CFPB that is approved by the CFPB
  • The $140 million reimbursement of consumers includes interest, and applies to customers who either enrolled in or tried to to cancel an add-on product on or after August 1, 2010
  • Pay claims that were previously denied to truly eligible customers
  • Payments will a credit to current Capital One Bank customers, or a check to former customers
  • An independent auditor will review the bank's actions for compliance with the Consent Order

The CFPB also disclosed that this Consent Order was:

"... in coordination with the Office of the Comptroller of the Currency (OCC), which is separately ordering restitution of approximately $150 million from Capital One. This amount includes the same $140 million refund... The OCC’s order also includes separate restitution for additional consumers harmed by unfair billing practices taking place between May 2002 and June 2011 in violation of Section 5 of the Federal Trade Commission (FTC) Act. For the combined activity, the OCC is assessing a $35 million civil money penalty against Capital One."

It an separate press release, the OCC:

"... based its $35 million penalty on the bank’s failure to develop and implement a comprehensive and effective enterprise risk-management program to detect and prevent unfair and deceptive practices, and the duration of and failure to correct those practices."

In a press release from the bank, Ryan Schneider the President of Capital One's Card business said:

"We are accountable for the actions that vendors take on our behalf... These marketing calls were inconsistent with the explicit instructions we provided to agents for how these products should be sold. We apologize to those customers who were impacted and we are committed to making it right."

The bank's press release did not state whether it fired its vendors involved in these deceptive marketing tactics, or took other monetary, legal, or disciplinary actions. Nor did it state what disciplinary actions, if any, it took against the bank's executives in charge of hiring or managing the vendors' activities. Ideally, those actions will be outlined in the compliance plan so these types of deceptive marketing tactics don't happen again with the same or different vendors.

It is wonderful to see the CFPB protecting the interests of consumers, and coordinating its enforcement actions with other agencies. As a Capital One credit card customer, I am doubly pleased. What's in Capital One Bank's customers' wallets? A little more money soon from Capital One.

Survey: 11% Of Banking Customers Ready To Switch To Another Bank

According to a recent surevy of about 5,000 banking customers, about 11% are ready to switch to another bank. That represents about $675 billion in assets, according to a March 2012 survey by Javelin Strategy & Research. Key findings:

"Citibank and Bank of America are the most vulnerable giant banks by far, with as many as one in four customers at risk of switching... although Americans were riled about banking fees, the didn't switch their primary [bank] in greater numbers. The reason: Convenience trumps fees... built on a foundation of big branch systems, broad ATM networks, convenient online banking, and... mobile banking..."

The leading reasons why consumers switch banks:

  • 33% - Too many fees
  • 21% - unsatisfactory customer service
  • 15% - more convenient location
  • 12% - moved their residence

Download the summary (Adobe PDF) of the "Bank Switching in 2012" Javelin report. Related articles:

Survey Documents Sporadic Access To Privacy Policies By Mobile Device Apps

The Future of Privacy Forum (FPF) recently released the results of its June 2012 survey of mobile device apps and privacy. The survey goal was to understand how often apps provide users with a privacy policy. While a privacy policy is a minimal first step towards data security, it provides both a baseline for consumers to judge the app's operation, and informs users about what sensitive personal data the app uses, and where that data is shared. An industry problem is that too many mobile apps for children still lack privacy policies.

The FPF examined 150 of the most popular mobile apps across three platforms: iOs App Store, Google Play,9 and Kindle. Key findings from the survey:

  • 61.3% of all apps examined presented users with a privacy policy. That total included 69.3% of free apps and 53.3% of paid apps.
  • The apps examined included many well-known apps: Angry Birds, ESPN Score Center, Facebook, Google Earth, Google Search, Instagram, Netflix, Shazam, Skype, Style Me Girl, Twitter, Virtual Makeover, The Weather Channel, Yahoo! Mail, and more.
  • The availability of privacy policies vary greatly by app store and app type:
% of Top Apps That Have A Privacy Policy*
  Free Apps Paid Apps
iOS App Store 84% 64%
Android - Google Play
Kindle Fire - Kindle App Store
48% 48%
All Platforms
69.3% 53.3%
*Privacy policy either in the app listing page, in the app, or in the developer's website

Ideally, apps should provide immediate and easy access to their privacy policies from the app listing page within the app store. Unfortunately, this access varies greatly:

% of Top Apps That Provide Access To A Privacy Policy On The App Listing Page In The App Store
  Free Apps Paid Apps
iOS App Store 48% 28%
Android - Google Play
Kindle Fire - Kindle App Store
0% 0%
All Platforms
22.7% 13.3%

Ideally, apps should provide immediate and easy access to their privacy policy from within the app, too. Performance here is somewhat better:

% of Top Apps That Provide Access To A Privacy Policy From Within The App
  Free Apps Paid Apps
iOS App Store 60% 44%
Android - Google Play
Kindle Fire - Kindle App Store
20% 28%
All Platforms
48% 32%

The other measure of privacy is whether apps collect location-based data (e.g., GPS) and provide users with an opt-in choice before data collection. The researchers found:

"... 12 out of the 50 apps surveyed on the iOS App Store platform requested precise location information and 14 out of the 50 apps surveyed on the Google Play platform requested precise location information and ten out of those fourteen had privacy policies. The study revealed that almost all of the leading apps requesting precise location data did have a privacy policy in place, but found that some very well known apps did not."

Based in Washington, DC, the Future of Privacy Forum (FPF) is a think tank that seeks to advance responsible data practices. The FPF hosts the website that provides best practices for data security for mobile app developers.

The FPF survey is a good first step. Consumers should be warned that the FPF survey did not evaluate whether developers' mobile apps actually complied with the promises in their privacy policies. That is an important issue to be addressed -- often in the courts, or by diligent technologists.

In June, California Attorney General Kamala Harris announced a deal with to ensure that any apps that collect personal data from California residents have privacy policies. Earlier in the year, several app store operators (e.g., Apple Inc., Google Inc., Inc., Microsoft Corporation, RIM Ltd., and Hewlett-Packard) agreed to a similar arrangement with the California AG. This makes one wonder where the other states' attorney general are on this issue.

Since security experts have documented multiple threats that target Apple and Android mobile devices, wise consumers look for trustworthy apps and protections in privacy policies. What do you look for in a mobile app privacy policy?

Beware of Latest Trick By Banks To Trap Consumers: Zombie Bank Accounts

Perhaps you moved to a new town, which your old bank doesn't serve. Or maybe you simply wanted better customer service and/or lower prices. So, you completed the time-consuming research to find a new bank, opened an account at a new bank, moved your money over, and paid any fees while closing your account at the old bank. Unfortunately, your old bank may not be finished with you.

Some consumers have reported instances where their old bank re-opened previously closed accounts, typically referred to as "zombie bank accounts." These accounts are difficult to kill and they incur lots of expensive fees, without any notice or consent to consumers.

How could this happen? Consumer Reports investigated and found that:

"... two of the nation's 10 largest retail banks, bank of America and Chase, reserved the right to reopen a closed account if there was a subsequent deposit; and Bank of America might also reopen an account after an attempted withdrawal."

Apparently, Wells Fargo bank also reserves the right to reopen previously closed bank accounts.

"Zombie bank accounts" is the latest in a long line of ill-conceived, customer unfriendly attempts by companies to ignore consumers' explicit requests: zombie cookies, zombie databases, and zombie e-tags. Now, it's the banks' turn again after the huge interest-rate hikes. and transaction manipulations to increase fee revenues during 2009.

Of course, a closed account should remain closed -- and the bank should reject both attempted deposits and attempted withdrawals at the old account. Otherwise, chaos results.

In October 2011, Congressional representative Brad Miller (North Carolina) proposed legislation to both make it easier for consumers to switch to another bank, and to prevent the zombie banking practice. 32 Congressional representatives, including Michael Capuano (MA), Judy Chu (CA), John Conyers (MI), Louise Slaughter (NY), and John Tierney (MA) have co-sponsored the bill, H.R. 3077, which is currently in subcommittee. Write to your elected officials and tell them to support this bill -- that "closed means closed" for bank accounts.

The fact that banks practice zombie bank accounts, and that corrective legislation is required, both say a lot about the banking industry's ethics (or lack thereof). Meanwhile, experts advise consumers:

  • Review your bank's customer agreement,
  • Discuss the bank's reopen account policy with a bank representative, and get it in writing before closing a bank account, and
  • Submit complaints to the Consumer Financial Protection Bureau (CFPB)

In March 2012, the CFPB began accepting complaints from consumers about checking and savings accounts. And, the agency has helped some consumers close zombie bank accounts.

Has your old bank open a zombie bank account? If so, share your experience below. Please name the bank, and whether you filed a complaint with the CFPB.

FTC Halts Companies Misrepresenting Health Care Insurance

If you live in a state that requires health care insurance, it's important to to recognize valid health insurance plans. Last month, the U.S. Federal Trade Commission (FTC) announced a settlement which stopped several companies from operating a telemarketing scam offering bogus health insurance. The settlement included Health Care One and its affiliate companies:

The suit named Michael Jay Ellman, the managing member of Health Care One and the sole director of Americans4Healthcare, and Robert Daniel Freeman, the president, secretary, treasurer, and owner of Elite Business Solutions. In its 2010 lawsuit (Adobe PDF) the FTC alleged:

"Since 2006, Health Care One has been a seller and marketer of a “national healthcare discount program” which masquerades as health insurance and promises to save consumers money on their healthcare costs. Enrollment is offered at various price points, ranging from $79.95 to $99.95 per month, with a one-time enrollment fee typically around $100. Health Care One markets this program through television and radio commercials... Defendants have made numerous material misrepresentations to consumers... These misrepresentations can be grouped into five categories: a. that the program offered is health insurance; b. that the program is affiliated with, or endorsed or sponsored by, the federal government; c. that enrollment in the program will result in substantial healthcare savings to the consumer; d. that the consumer will be able to obtain program benefits from the consumer’s current healthcare providers and from other healthcare providers in the consumer’s local community; and e. that Health Care One and Elite Business Solutions will refund the money the consumer has paid to enroll in the program if the consumer submits a cancellation request before the thirty-day trial period expires."

The settlement agreement prohibits the defendants from violating the Telemarketing Sales Rule, requires them to return ill-gotten profits, and prohibits them from:

"... making misrepresentations in connection with the sale of any good or service, including falsely representing: that a program is insurance; affiliation with, or endorsement or sponsorship by, the federal government; that purchase of a good or service will result in substantial savings to consumers; any material aspect of the good or service; the total costs associated with the good or service; and any material refund and cancellation policies, including, but not limited to, the likelihood of a consumer obtaining a full or partial refund..."

In 2010, The FTC began a crackdown, along with several state attorney generals and insurance commissioners, on companies misrepresenting "medical discount plans" as health insurance plans. Consumers seeking low-cost health insurance had been tricked into buy the medical discount plans, which typically were not health insurance, weren't accepted by many doctors, and didn't cover many procedures nor devices. The companies had targeted consumers without health insurance.

A check of the current Health Care One website now finds this disclaimer near the page bottom:

"HealthCareOne is not health insurance and is not intended to replace insurance."

Survey: Banking And Financial Executives Say Unethical Or Illegal Behavior Is Necessary To Succeed

A recent ethics survey of banking and financial executives in the USA and UK found that:

"Misconduct is still widespread... 26% of respondents indicated that they had observed or had firsthand knowledge of wrongdoing in the workplace. Nearly one-fourth of respondents believed that financial services professionals may need to engage in unethical or illegal conduct in order to be successful... 16% of respondents, would commit a crime–insider trading–if they could get away with it. Nearly one-third of all financial services professionals reported feeling pressured by bonus or compensation plans to violate the law or engage in unethical conduct. Nearly one-quarter of the respondents felt similar pressure from other sources... Only 41% of respondents reported that staff within their own organization had “definitely not” engaged in unethical or illegal conduct to be successful. 39% of UK respondents believed that others in their company have definitely not engaged in such misconduct to get ahead. 43% of US respondents had a similar view..."

Yes, you read that correctly. About a quarter of survey responds said it was okay and maybe necessary to perform unethical or illegal behaviors to succeed in business. And given the survey findings, some of the same respondents don't simply believe this, but also saw unethical/illegal behavior in the workplace.

Survey respondents have a dim view of government regulators:

"Only 30% of all respondents felt that the SEC/SFO effectively deters, investigates and prosecutes securities violations... In the UK, 34% of financial services professionals felt that the SFO is effective... In the US, only 26% of financial services professionals felt the SEC is effective... With respect to FINRA and the FSA, only 29% of all respondents felt these agencies effectively deter, investigate and prosecute securities violations... In the UK, 32% of financial services professionals felt that the FSA is effective...In the US, 27% of financial services professionals felt FINRA is effective."

About the risks to whistle-blowers of exposing wrongdoing within their banks, the survey found:

"...14% of all respondents believed that their employers were likely to retaliate if faced with a report of wrongdoing in the workplace..."

Banking and finance seems to be an ethics-challenged industry. The researchers concluded:

"The best way to avoid corporate scandals is to establish and nurture a culture of integrity in the workplace. Too often, scandals result from a long chain of mistakes, where one breakdown in judgment cascades to another breakdown, and then another. In time, isolated and seemingly random unethical or illegal choices snowball..."

The survey (Adobe PDF), conducted during June 2012 by Populus and the law firm Labaton Sucharow, included 500 senior-level executives. Labaton Sucharow provides legal services to protect and advocate for whistle-blowers who report violations to the SEC. The firm also represents companies, institutional investors, and consumers in complex securities litigation.

Executives' attitudes extend far beyond finance. Recently, a Federal U.S. appeals court found that a bank's poor data security was responsible, after thieves used wire transfers to steal about $689,000 from a construction business. Among its failures, the bank also failed to notify the company about the wire transfers it was processing.

With attitudes like this among banking executives, now is not the time for politicians to argue for less regulation. Survey results like this are a call for agencies like the FTC, DOL, and SEC to step up their monitoring programs.

Malware Snuck Into Both Apple and Google App Stores

InformationWeek reported that a bogus app designed to steal the address books of both Apple iPhone and Google Android smart phone users' made its way into both the Apple App store and the Google Play store, and stayed there for at least a week. The bogus app was titled, "Find and Call." Some app users complained that the app sent SMS spam to their address book contacts.

Apparently, malware targets all operating systems for all devices.

FTC Sues Wyndham Worldwide For Misrepresenting Its Data Security

Late last month, the U.S. Federal Trade Commission (FTC) filed a lawsuit against Wyndham Worldwide Corporation, the Parsippany, New Jersey-based international hotel conglomerate, for alleged data security failures that resulted in three data breaches at Wyndham hotels in less than two years. The suit (Adobe PDF) alleged that:

"Defendants’ failure to maintain reasonable security allowed intruders to obtain unauthorized access to the computer networks of Wyndham Hotels and Resorts, LLC, and several hotels franchised and managed by Defendants on three separate occasions in less than two years. Defendants’ security failures led to fraudulent charges on consumers’ accounts, more than $10.6 million in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to a domain registered in Russia. In all three security breaches, hackers accessed sensitive consumer data by compromising Defendants’ Phoenix, Arizona data center."

Specifically, the suit alleged that Wyndham's website privacy policy misrepresented the data security measures the company used to protect consumers' sensitive personal and payment information. The suit alleged that the hotel's data security:

"... failed to use readily available security measures to limit access between and among the Wyndham-branded hotels’ property management systems, the Hotels and Resorts’ corporate network, and the Internet, such as by employing firewalls... allowed software at the Wyndham-branded hotels to be configured inappropriately, resulting in the storage of payment card information in clear readable text... failed to remedy known security vulnerabilities on Wyndham branded hotels’ servers that were connected to Hotels and Resorts’ computer network, thereby putting personal information held by Defendants and the other Wyndham branded hotels at risk. For example, Defendants permitted Wyndham-branded hotels to connect insecure servers to the Hotels and Resorts’ network, including servers using outdated operating systems that could not receive security updates or patches... allowed servers to connect to Hotels and Resorts’ network, despite the fact that well-known default user IDs and passwords were enabled on the servers, which were easily available to hackers through simple Internet searches... failed to employ commonly-used methods to require user IDs and passwords that are difficult for hackers to guess. Defendants did not require the use of complex passwords for access to the Wyndham-branded hotels’ property management systems..."

This is pretty damning, since sensitive information that should have been encrypted wasn't, passwords were too easy to guess, and obsolete web server software prevented data security updates. The suit, filed in U.S. District Court in Arizona, named as defendants both Wyndham Worldwide and three of its subsidiaries:

It is good to see the FTC take these types of actions, especially because consumers have no way to verify that companies comply with the promises in their data security and privacy policies.

Celebrating Five Years Online!

Five years ago today, I started the I've Been Mugged blog. Since then, I've learned a lot about identity theft, fraud, privacy, and data breaches. This blog has been a good tool to organize my thoughts, learnings, and the online resources I've found.

And wow has readership grown! During those early days in 2007, about 8,000 people total read this blog during six months. Now, about the same number of users read the blog every nine ten days.

For that growth, some thank-you messages are necessary. First, I'd like to thank all I've Been Mugged readers. I am grateful for our readership and for the comments you have submitted. We have explored together many interesting topics, and I look forward to more exploration.

Second, I'd like to thank the bloggers and the consumer advocates I've met online. Without their suggestions and encouragement, The quality of I've Been Mugged posts wouldn't be as high as it has been. Some bloggers I'd like to thank by name: Lori Magno, Diane Danielson, Michael Krigsman, Drew McLelland, Ryan Barrett, and Ronni Bennett (who leads by example far more than she realizes).

Third, I'd like to thank guest authors Bill Seebeck, and R. Michelle Green. Fourth, I'd like to thank the Privacy Crusaders. If you know who they are, then you know the good they've done.

Fifth, I'd like to thank IBM for losing my sensitive personal data during their February 2007 data breach. That incident caused me to start blogging, and more importantly to start thinking about the privacy of my personal information. The more I learned about data breaches and the way companies assist (or don't) their data-breach victims, the more I realized that I had to do something. Rather than be angry, blogging seemed like a healthy and appropriate response.

If you haven't noticed yet, I named this blog in honor of IBM's data breach = I've Been Mugged.

And, I especially want to thank my wife, Alison. Without her support and flexibility, I couldn't write I've Been Mugged.

What's next? The pace of change both on the Internet and in sectors like banking provide a wealth of topics. We'll continue to write about identity theft topics, data breaches, privacy, banking, and areas where corporate responsibility is lagging. Of course, we'll follow hot topics such as mobile deata security, health care breaches, and behavioral advertising.

We'll continue to report on both emerging and controversial issues that affect consumers. And, we'll sprinkle this blog with plenty of ID-theft humor, since it's never all doom and gloom.

If you are a new visitor, there are several easy ways to explore the blog:

  • The near right column includes a tag cloud with subjects
  • The far right column lists both popular discussions and my favorite posts
  • The near right column also includes a collection of posts to help you use Facebook safely
  • If you are curious about a topic, use the search box on the right
  • To access product and service reviews, select Reviews in the above horizontal navigation bar
  • To browse a collection of ranked lists, see Rankings