Former Employee At Web Hosting Service Arrested And Charged With Felony Computer Breaches

Ars Technica reported that Eric Gunnar Gisse, a former Hostgator employee, has been arrested and charged with felony computer breaches. Gisse allegedly used his position to install secret code that allowed him unauthorized, "back door" access to more than 2,700 Internet-connected computer servers. Gisse, of San Antonio, Texas is being held on $20,000 bail in the Harris County jail.

This highlights one risk with cloud computing services. Many companies outsource the operation of their website to third-party vendors, such as Houston-based Hostgator, that offer what the industry calls "web hosting services." This is not new.

As a usability professional who has worked with several digital agencies, I have seen this outsourcing repeatedly work well and data maintain security. The issue is when employees abuse their positions and either steal or expose the sensitive information of people who use the compromised web servers.

The C/Net website lists companies that provide web hosting services.

Hacker Sentenced To Prison For Sony Data Breach

You may remember a series of data breaches during 2011 at Sony Online Entertainment and the Sony Playstation Network. ComputerWorld reported that 25-year-old Cody Andrew Kretzinger was sentenced to one year plus one day in prison for his role in the May 2011 hack into Sony Picture's systems and databases. After serving prison time, Kretzinger will also serve one year of home detention.

Kretzinger was a member of the LulzSec hacker group. Another group member, Hector Xavier Monsegur, was arrested in June 2011 and then served as an F.B.I. informant. Monsegur will be sentenced in August 2013.

Update: Schnucks Data Breach Exposed 2.4 Million Cards

Back in March 2013, this blog reported about the Schnucks supermarket data breach. On Monday, the St. Louis Business Journal reported:

"Over a three-month period, up to 2.4 million credit and debit cards used at 79 Schnucks stores may have been compromised..."

Two civiil lawsuits have been filed against the company. Now we know more than we did in March. Still, not good.

Data Breach At Schnucks Supermarkets Affects Customers And Their Banks

St. Louis-based KSDK television reported a data breach at Schuncks supermarkets. The supermarket chain isn't yet sure exactly where (e.g., which stores) and how the breach occurred (e.g., in the store or with a debit/credit card processor). The breach occurred about a week ago.

Schnucks operates stores in Missouri, Illinos, Iowa, and Indiana. Customers have already seen unauthorized charges on their debit/credit cards. A representative from Montgomery Bank reported that about 600 of their accountholders have already filed fraud claims. Some customers wonder why the store has not posted alerts in its stores, so shoppers can use cash instead:

“They’re just letting people use their cards and not saying anything.”

Reportedly, the retailer has hired a forensics technology firm to assist it with a breach investigation. It sounds to me like the company' was caught unprepared and its post-breach response needs improvement. Customers need to be notified prompty to take appropriate action to avoid or minimize identity theft and fraud.

Michaels Stores Provide Policies And Class Action Notice On Sales Receipts

My wife and many of her friends like to quilt. They regularly visit retail stores and quilt shops for quilting supplies. This past weekend, my wife visited a Michaels store in Massachusetts. After paying (with cash) for her purchases, she received the following sales receipt:

The sales receipt mentions the store's coupon, exchanges, and returns policies, plus a recent class action lawsuit. The Michaels sales receipt says:

"Dear Valued Customer:

Our coupon policy is to accept one coupon per customer per day. Certain exclusions apply. Please review the exclusion on the coupon and speak with the manager on duty for any questions you may have. Thank You.

To return or exchange an item, customer is required to present a valid photo ID that will be swiped/recorded at the time of the return or exchange for return authorization purposes only. Receipt required within 60 days for refund on most products. Alternate rules apply to books, magazines, and technology and custom products. Returns without receipt will receive Store Return Card. Refunded amount will be the lowest sales price of the item within the last 90 days. Return polices are available at Michaels.com and in store."

One coupon per customer per day? That sounds very stingy and customer unfriendly, as if the store really doesn't want to accept any coupons. And, why use the sales receipt to deliver policy information? This seems customer unfriendly. I've seen promotions and contest information on sales receipts, but not detailed policy information. Simply, print the complete information on regular 8.5 x 11 inch sized paper which is more legible; and insert in each customer's bag. Plus, some customers prefer or require large-print notices.

If you compare the returns/exchanges language on the sales receipt to the store's online Return Policy for US residents (there is a separate Return Policy for Canadian residents), you will find that the online policy has additional language. Customers should not assume that the sales receipt mentions the entire return policy.

More importantly, I want to know why Michaels' return/exchange policy requires the scanning and retention of consumers' identification documents (e.g., driver's licenses, state-issued ID's, passports, and military ID's) even when customers have a receipt. This seems customer unfriendly. When a store requires a document like a driver's license to process a return or exchange, the store collects everything on that document: your address, Driver ID number, height, weight, hair and eye color, and birth date.

Does Michaels really need all of this information (e.g., my weight, eye and hair color) to process a return with a valid receipt? This data collection is legal when performed for fraud prevention. There seems to be nothing stopping retailers from using the data collected for other purposes, such as data mining and marketing.

If a consumer has a receipt, that should be all that is necessary. I did some brief checking and at least one' competitor, Jo-Ann Fabric & Craft Stores, does not require IDs for in-store product returns. Smaller local and mom-and-pop fabric/crafts stores probably have more customer-friendly policies, too.

The sales receipt does not mention a privacy policy. It should, since Michaels does have a privacy policy online at its website, with specific additions for residents of California, Nevada, Vermont, and Canada. However, that online privacy policy does not seem to mention its data retention and sharing polices with ID information collected via returns or exchanges.

Given its return/exchange policy, I want to know how long Michaels retains ID information and what other companies (by name) it shares that ID information with -- items a privacy policy typically state. Without a statement in its privacy policy, a retailer can do anything with that data collected. This ID information is very sensitive data. Customers need to know how long a store retains this information and who it is shared with. Otherwise, consumers cannot make an informed choice.

The sales receipt also says (links enabled):

"Michaels Data Breach Class Action (for more information, please go to www.michaelsdatasettlement.com)

Michaels has settled a lawsuit that allowed certain of its customer suffered damages as a result of a data breach at selected Michaels stores between January 1, 2011 and May 12, 2011. Michaels denies all of the claims."

Unfortunately, that last sentence is vague. It refers to claims alleged in the lawsuit and not claims submitted by data breach victims seeking reimbursement for damages. In May 2011, Michaels stores warned customers in Illinois, New Jersey, California, and 15 other states about the data breach. Criminals had reportedly tampered with in-store PIN pads in checkout lines (e.g., skimming) to steal debit and credit card data. Reportedly, 90 PIN pads were initially affected, but the retail chain later replaced about 7,200 PIN pads. About 94,000 consumer accounts were affected.

Browse the list of Michaels stores (Adobe PDF) affected by the data breach. The list included several stores in Massachusetts in Braintree, Burlington, Danvers, Everett, and Hanover. Customers can also visit the Consumer Notices page at the Michaels.com.

Skimming is a worldwide identity theft and fraud problem. Besides supermarkets and retail stores, criminals target bank ATM machines, gas station pumps, and contact-less (e.g., RFID) payment methods. Several states, including California and Washington, have already banned RFID skimming. Stolen debit card and PIN data gives thieves direct access to consumers' checking bank accounts.

The sales receipt also says:

"You are included in the class if you shopped in this Michaels store or in other selected Michaels stores during that period and your Payment Card was swiped on a PIN Pad terminal from which credit or debit card information was stolen. A complete list of affected Michaels stores can be found at www.michaelsdatasettlement.com. Customers whose credit or debit card information was stolen may receive monetary payment for documented unreimbursed monetary damages and/or credit monitoring services. To request such relief, you must submit a claim postmarked by May 25, 2013.

Unless you exclude yourself from the class by March 5, 2013, you will give up the right to ever sue Michaels about the legal claims the settlement resolves. If you stay in the class, you may object to the settlement by March 5, 2013.

The Court will hold a hearing on April 4, 2013, to consider whether to approve the settlement and payment of attorneys' fees and expenses. You may ask to appear and speak at the hearing."

The settlement agreement includes a $600,000 payment by Michaels stores, which could increase to $800,000 depending upon the volume of claims and reimbursements. If the entire $600,000 is not used, then the remainder will be donated to the Starlight Childrens Foundation, which works with seriously ill children.

I'm glad that my wife paid with cash. I hope that she buys her quilting supplies elsewhere in the future, and doesn't have to return or exchange any of her purchases made at Michaels stores.

Report: It Takes Months For Organizations To Detect And Resolve Data Breaches

I started writing this blog after a data breach at a former employer exposed my sensitive personal information. The consequence was that I had to take action due to a former employer's sloppiness.

Given that history, a new report by the Ponemon Institute, and sponosred by Solera Networks, caught my attention. The report included results from a study of data breaches in organizations to understand the differences between malicious and non-malicious data breaches, plus any lessons learned from the post-breach and forensic investigations.

Typically, after a data breach organizations' IT departments investigate independently or with the assistance of an outsourced technology consultant, the data breach. That investigation includes the cause of the breach, the specific computer systems and/or networks compromised, the number and types of records accessed (e.g., current employees, prior employees, contractors, students, etc.), and the specific data elements (e.g., names, street addresses, bank account numbers, Social Security numbers, e-mail passwords, etc.) accessed and/or stolen. By understanding what happened, organizations, in theory, can better secure their computers and networks from future data breaches.

The Ponemon study used the following definitions for data breach types:

"... we define a non-malicious breach as a system error, employee negligence or third-party snafu and a malicious breach is defined as one involving the theft of information assets by a criminal insider or [external hacker]..."

I found the results fascinating for several reasons. In my personal experience, my former employer's breach included data tapes shipped via a third-party vendor which never arrived at the off-site storage facility. This affected my privacy along with that of both current and other former employees.

First, the global results from the Ponemon report:

• 54% of IT professional respondents said (e.g., Strongly Agree or Agree) that the severity of data breaches has increased during the past 24 months
• 52% of respondents said (e.g., Strongly Agree or Agree) that the frequency of data breaches has increased during the past 24 months
• Only 44% of respondents said that their organization has the tools, personnel, and funding to quickly detect data breaches
• Only 43% of respondents said that their organization has the tools, personnel, and funding to prevent data breaches
• While 63% of respondents said that understanding the root causes of data breaches has increased data security in their organization, but only 40% said they have the tools, personnel, and funding to determine the root causes of data breaches
• On average, it took organizations 49 days to detect non-malicious data breaches, and 80 days -- almost 3 months -- to detect malicious breaches. For resolution, it took 83 and 123 days, respectively.
• Only 39% of respondents that experienced a malicious breach said that they were confident (e.g., Very Confident and Confident) that their organization determined the root cause of the breach

This is not good. It takes a long time to detect breaches, if at all, and a long time to fix them. The most frequent types of data breaches experienced during the past 24 months:

• 47% - Employee or contractor negligence
• 32% - System error or malfunctions
• 24% - External attacks
• 23% - Third party mistakes or negligence
• 14% - Malicious insiders

Where the data breach occurred within the organization varies:

Breach Location	Malicious Breaches	Non-Malicious Breaches
Within business unit	15%	27%
During transit or transmission to a third-party location	6%	22%
Off-site	30%	20%
Off-site data center	12%	12%
On-site data center	9%	9%
Unable to determine	28%	9%

When the breach was discovered:

When Discovered	Malicious Breaches	Non-Malicious Breaches
Immediately	2%	20%
Within one week	19%	19%
Within one month	29%	28%
Within 3 months	24%	16%
Within 6 months	6%	4%
Within 1 year	4%	2%
Within 2 years	2%	1%
Unable to determine	15%	10%

So, an astounding 15% of the time organizations were never able to determine when malicious data breaches were detected. That's about one out of every six breaches. How malcious breaches were discovered:

• 28% - Forensic tools and methods
• 19% - Loss preventiona tool such as DLP
• 15% - Notification by law enforcement
• 10% - Automated monitoring
• 9% - Accidental discovery
• 6% - Audit or assessment
• 3% - Legal filing or complaint
• 3% - Manual monitoring
• 3% - Notification by partner or third-party
• 3% - Consumer or customer complaint
• 3% - Unsure
• 1% - Other

Second, some country-specific results:

• 41% of survey respondents from the USA said (e.g., Strongly Agree and Agree) that their organization were ready with the tools, personnel, and funding to prevent data breaches. The average across all countries was about 44%. Organizations in Japan (56%) and Singapore (58%) led the way with prevention readiness.
• 42% of survey respondents from the USA said that their organization were ready with the tools, personnel, and funding to quickly detect data breaches. The average across all countries was about 44%. Again, organizations in Japan (55%) and Singapore (57%) led the way with detection readiness.
• 33% of survey respondents from the USA said that their organization's leaders view data security as a top priority. The average across all countries was about 37%. Again, organizations in Japan (51%) and Singapore (50%) led the way with senior management leadership.

The study included a survey of 3,529 Information Technology professionals in eight countries. 54% of survey participants report directly to the chief information officer (CIO) in their organization. Participants were selected from organizations that had at least one data breach during the past 24 months. The survey included organizations from both the public and private sectors.

Survey respondents by country:

• 659 - USA
• 566 - Japan
• 445 - Brazil
• 431 - United Kingdom
• 423 - Canada
• 395 - Australia
• 309 - Singapore
• 301 - United Arab Emirates
• 3,529 - Total

Third, survey respondents by industry:

• 18% - Financial Services
• 11% - Federal and central government
• 7% - Services
• 7% - Retail, Internet
• 6% - Professional services
• 5% - Industrial products and chemicals
• 4% - State, province and local government
• 4% - Communications
• 4% - Consumer products
• 4% - Entertainment and media
• 4% - Hospitality
• 3% - Defense contractor
• 3% - Retail, conventional
• 3% - Technology and software
• 2% - Energy and utilities
• 2% - Education and research
• 2% - Healthcare and medical devices
• 2% - Pharmaceuticals and biotech
• 1% Transportation
• 1% - Other
• 100% - Total

What is a consumer to take from the results in this report? As I see it:

1. Data breaches will continue to happen. The bad guys also read reports like this, and determine where the soft or easy targets are.
2. There is an opportunity for companies and senior executives in the USA to do much better and take a leadership role. Will they?
3. Outsourcing matters, since about 48% of malicious breaches happened off-site or during transit/transmission with a third party contractor or partner
4. Despite what senior-level executives say in speeches and press releases about valuing data security, the survey suggests otherwise. Many organizations don't have the necessary tools, personnel, and funding.
5. Despite what senior-level executives say in breach notification letters after a data breach, they often don't know what happened and won't for a long while, if they ever do. Too many never determine when and what happened.
6. Informed consumers realize the reality is that you have to protect your sensitive personal data. Don't rely on a employer or former employer to do it.
7. All of this applies to mobile app developers, app stores, online retailers, and related Internet companies since the study included those industries, too.

Access the complete "Post Breach Boom" Ponemon report here.

Facebook Hacked. Site Says User Data Not Compromised

In case you were away for the long weekend and missed it, on Friday Facebook.com announced via its website that it had been hacked:

"Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues... We have found no evidence that Facebook user data was compromised."

This means that the old saying still applies: a chain is only as strong as its weakest link. In this case, your sensitive personal information on a social networking site is only as secure as the weakest (mobile or website) app developer.

Most Trusted Companies For Privacy Study

Recently, the Ponemon Institute released the results of its annual study of the companies consumers trust the most to maintain their privacy. The study asked consumers to name and rate the companies they trust the most to protect their personal information. Key findings from the study:

"New entrants to this year’s top 20 most trusted list includes: Microsoft (ranked 17), United Healthcare (ranked 18) and Mozilla (ranked 20). Healthcare, consumer products, and banking are the industry segments considered by consumers to be the most trusted for privacy (among 25 industry categories). In contrast, Internet and social media, non-profits (charities) and toys are viewed as the least trusted for privacy."

The only government organization in the top 20 is the U.S. Postal Service (#5). Some noteworthy findings about consumers' habits:

"78% of respondents continue to perceive privacy and the protection of their personal information as very important or important to the overall trust equation... 63% of respondents admit to sharing their sensitive personal information with an organization they did not know or trust... 59% percent of respondents believe their privacy rights are diminished or undermined by disruptive technologies such as social media, smart mobile devices and geo-tracking tools. 55% say their privacy has been diminished by virtue of perceived government intrusions."

These findings should be a wake-up call to companies operating within the Internet industries, namely app developers and social networking website operators. About data breaches:

"49% of respondents recall receiving one or more data breach notifications in the past 24 months. 70% of these individuals said this notification caused a loss of trust in the privacy practices of the organization reporting the incident."

About consumers' expectations of data security (bold emphasis added):

"73% of respondents believe the substantial security protections over their personal information is the most important privacy feature to advancing a trusted relationship with business or government organizations. Other important privacy features include: no data sharing without consent (59%), the ability to be forgotten (56%) and the option to revoke consent (55%)."

Companies and their lobbyists would be wise to comply with these findings about important privacy features. Some troubling findings from the Ponemon study:

"Only 35% of respondents believe they have control over their personal information and this result has steadily trended downward over seven years. Less than one-third (32%) of respondents admit they do not rely on privacy policies or trust seal programs when judging the privacy practices of organizations they deal with. When asked why, 60 percent believe these policies are too long or contain too much legalese."

Study respondents said that the most significant threats to their privacy were:

• 61% - Identity theft
• 56% - government surveillance
• 42% - notice of data breaches
• 40% - violations of civil liberties
• 36% - annoying background chatter
• 32% - spam
• 30% - employer intrusions
• 28% - stalking
• 23% - annoying advertising
• 19% - children abuses

Ponemon has conducted this study for the past seven years, and noted that the importance of privacy by respondents has increased during this time. The study, conducted during October through December 2012, included responses from 6,704 adults in the United States. About 217 companies were named by respondents from 25 industries. 47% of respondents were male. The average age of all respondents was 34.6 years, with an average income of $55,900. The study defined "personal information" as:

"Information about yourself and your family. This information includes name, address, telephone numbers, e-mail address, Social Security number, other personal identification numbers, access codes, age, gender, income and tax information, purchases, website preferences, health information, account activity and many other pieces of data about you and your household."

Maybe the next study will include photographs, video, and other items posted on social networking websites.

The top 20 most trusted companies from the 2012 study:

1. American Express
2. Hewlett Packard
3. Amazon
4. IBM
5. US Postal Service
6. Procter & Gamble
7. USAA
8. Nationwide
9. eBay
10. Intuit
11. Verizon
12. (Tie) Johnson & Johnson and FedEx
13. 13. WebMD
14. Weight Watchers
15. U.S. Bank
16. Disney
17. Microsoft
18. (Tie) United Healthcare and VISA
19. AT&T
20. Mozilla

I was surprised that respondents ranked the banking industry so favorably. Companies I noticed that did not make the top 20 list: Apple and Google. I suspect that the perception of "children abuses" as a privacy threat will increase in the future.

Download the Ponemon report, "2012 Most Trusted Companies For Privacy" (Adobe PDF).

Data Breach At Nationwide Insurance Affects More Than 28,000 Consumers In Georgia

On Monday, the State of Georgia Insurance Commissioner (GADOI) confirmed a data breach at Nationwide Insurance. Hackers gained unauthorized access to private and sensitive information at the company's online computers.

The announcement contained few details. It did not list the specific personal data elements stolen or exposed, nor explain how the breach happened and what the insurance company is doing so this breach won't happen again.

About 28,467 Georgia residents and policyholders were affected. The insurance company has agreed to:

• Provide the GADOI with copies of written breach notices sent to affected consumers,
• Set up a toll-free phone number (800-760-1125) for breach victims to ask questions, and
• Provide breach victims with at least one year of free credit monitoring services

Some news sources reported that the F.B.I. is investigating the breach. Another news source reported that names, birth dates, drivers license numbers, and marital statuses were stolen. Given the personal data elements stolen, the hackers can do damage.

This is not the first data breach at Nationwide. A check of the breach database at Privacy Rights Clearinghouse found that the insurance company had two small breaches (Florida and New York) during 2007 where laptops containing sensitive personal information were stolen from employee's cars. In 2006, Nationwide was one of severalinsurers affected by a lockbox theft at Concentra Preferred Systems in Ohio.

The insurance company has not disclosed the number of affected consumers in other states. More details will emerge and the number of breach victims will most likely increase since several states require notice of data breaches.

NASA Data Breach Affects About 10,000 Employees And Contractors

Last week, the National Aeronautics and Space Administration (NASA) announced a data breach on October 31 where an employee's laptop computer was stolen from a locked car. The laptop contained the sensitive personal information for about 10,000 employees and contractors.

NASA first notified all of its employees in an e-mail message. The agency has contracted with ID Experts to provide free credit monitoring and fraud resolution services for breach victims. In the e-mail message, the agency warned that it make take up to sixty (60) days to notify all affected persons.

The stolen laptop was password protected, but did not have full disk encryption. As a result of the data breach, the agency has mandated that any laptops removed the its offices contain full disk encryption:

"The Administrator and the Chief Information Officer (CIO) have directed that, effective immediately, no NASA-issued laptops containing sensitive information can be removed from a NASA facility unless whole disk encryption software is enabled or the sensitive files are individually encrypted. This applies to laptops containing PII, International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) data, procurement and human resources information, and other sensitive but unclassified (SBU) data."

The agency expects to encrypt all laptops by by December 21, 2012 after which any laptops removed from its offices will have all data encrypted, whether or not that laptop contains sensitive information.

Mintz Levin Updates Its Listing of States Data Breach Notification Laws

Recently, Mintz Levin updated its listing of states data breach notification laws. The listing, often referred to as the "Mintz Matrix" (Adobe PDF), summarizes the data breach notification laws for 46 states, plus the District of Colombia, the U.S. Virgin Islands, and Puerto Rico.

Within the past few months, the states of Texas and Connecticut have amended their breach notification laws. Alabama, Kentucky, New Mexico and South Dakota do not have any laws about data breach notifications.

Breach notification laws typically describe the kinds of data elements (e.g., Social Security number) that comprise consumers' sensitive personal information, the format (e.g., paper, electronic) of information covered by the laws, the types of information that must be encrypted, the types of businesses and government entities covered by the state's law, and both the time period and methods by which notification must be provided to consumers affected by the data breach.

Mintz Levin is a law firm focusing upon general business, intellectual property, biotechnology, litigation, telecommunications, regulatory issues, and financial planning. Earlier this month, former Massachusetts Governor William F. Weld joined the firm.

South Carolina Officials Say 657,000 Businesses Also Affected By Data Breach

The South Carolina data breach that affected 3.6 million consumers is more extensive than originally announced. On Wednesday October 31, state updated their breach announcement with 657,000 businesses also affected. The update also included 620,000 phone calls to Experian by consumers seeking breach information, and about 418,000 consumers have signed up for one year of free Experian ProtectMyID service.

The State also expanded the assistance it is providing both businesses and individuals affected by the breach. Starting today, Friday, South Carolina offers for free to businesses that have filed a state tax return since 1998 the CreditAlert services from Dun & Bradstreet Credibility Corporation. CreditAlert will notify business customers of changes to their business credit file, such as a business address change, or a company officer change. Business owners can visit www.dandb.com/sc/ or call CreditAlert customer service toll free at 1-800-279-9881.

The state is also offering to affected South Carolina businesses the Business Credit Advantage from Experian, which provides unlimited access to a company’s business credit report and score. Interested businesses can sign up for Business Credit Advantage at www.smartbusinessreports.com/SouthCarolina. Businesseshave until December 1, 2012 to sign up.

The state also announced expanded assistance for individuals. Free fraud resolution services are extended past one year, and individuals with children can sign up for the "Family Secure Plan" to protect the Social Security numbers and sensitive personal information of minors and children also exposed/stolen during the data breach. Consumers have until January 31, 2013 to sign up.

The fact that businesses were also found to have been impacted by the breach, suggests that the breach inivestigaton is ongoing: determining the entitites affected, the data elements stolen, and how the unauthorized access and theft was performed technically. As reported by The State:

"Like other S.C. taxpayers, state businesses will be able to get free credit monitoring. But companies will get longer coverage. Businesses that have filed state taxes since 1998 can sign up for lifetime record monitoring from Experian starting [Thursday] and Dun & Bradstreet starting Friday. Consumers can get one year of monitoring and insurance from Experian, paid for by the state."

Why the longer coverage for businesses? The threat to both from identity criminals does not magically end after one year. Of course, businesses have more money, on average, than individuals. I look forward to hearing more from the state about why they chose to give businesses longer coverage for free. It suggests that the state has not finished improving its data security methods and systems.

If you are new to the issue of identity theft and fraud, then the alert services and credit monitoring service will likely help you get started and learn how to protect your sensitive personal information. However, it won't stop all identity fraud, so the value is in the fraud resolution services.

Are you a South Carolina resident or business owner? We'd like to hear about your experiences with the ProtectMyID, CreditAlert, or Business Credit Advantage services.

Massive Data Breach In South Carolina Affects 3.6 Million Consumers

With all of the news and focus on hurricane Sandy, you may have missed this news item. On Friday October 26, the South Carolina Department of Revenue (DOR) announced a data breach where a hacker accessed and stole information affecting 3.6 million consumers, or about 77% of the state's population. The breach victims include consumers who have filed a state tax return since 1998.

The data stolen included 3.6 million Social Security numbers, and 387,000 debit- and credit-card numbers. All except 16,000 credit card numbers were encrypted. None of the Social Security numbers were encrypted.

On October 10, the state's Division of Information Technology informed the DOR of a "potential cyber attack." With the recommendation of law enforcement, the DOR contracted with Mandiant, an information security company, to help with the breach investigation, secure the computer system, and install new equipment and software for stronger protections.

On October 16, breach investigators discovered two breaches during September and one during August. On October 20, weaknesses in the state's computer systems were closed. The state has arranged for one year of free credit monitoring and fraud resolution services with Experian ProtectMyID. Affected consumers should contact ProtectMyID online or via phone (1- 866-578-5422) to see if there personal information was stolen.

By Monday October 29, about 455,000 consumers had called Experian, and about 154,000 had signed up for the ProtectMyID service. However, there have been problems and criticism of the state's response to the data breach. The complaints by consumers trying to call Experian (to see if their information was stolen) included busy phone signals, recordings, no answer, and long waits on hold.

Callers who got through successfully to Experian received a code so they could sign up online for ProtectMyID. At a Monday October 29 press conference, South Carolina Governor Nikki Haley announced the code so breach victims could sign up online for the ProtectMyID service.

If you were affected by the South Carolina data breach, please share your opinions about the state's response or the ProtectMyID service.

Data Breach Raises Questions About Whether Credit Reporting Agencies Can Adequately Protect Consumer Data

If you haven't read it, there is a good news story at Bloomberg about a recent data breach that affected not only the credit union but a broader number consumers not affiliated with the credit union. The breach highlighs the fact that Identity criminals are smart and persisntent.

In this breach incident, they targeted Abilene Telco Federal Credit Union and stole the credit union's ID and passwords to its Experian account. Those stolen credentials allowed the thieves to access and steal 847 consumers' credit reports. The breach highlighted the fact that instead of attacking the credit reporting agencies directly, identity criminals target the companies and lenders (e.g., banks, credit unions, auto dealers) that often buy consumer credit reports.

In the United States, the three major credit reporting agencies are Experian, Equifax, and TransUnion. However, there are many regional and local credit reporting agencies. All credit reporting agencies make money by selling credit reports to potential lenders: banks, credit unions, auto dealers, clothing stores, and similar retailers that provide credit to consumers. However, the big-three credit unions also make money by operating credit monitoring services both for consumers and for client companies' post-breach response.

Bloomberg reported that this approach by identity thieves:

"... has netted more than 17,000 credit reports taken from the agencies since 2006... The incidents were outlined in correspondence from the credit bureaus to victims in six states — Maine, Maryland, New Hampshire, New Jersey, North Carolina and Vermont. The letters were discovered mostly through public-records requests by a privacy advocate... Experian’s database was breached 80 times for a total of almost 15,500 credit reports, Equifax’s was breached four times for more than 1,200 reports, and TransUnion’s was breached two times for almost 500 reports..."

You can learn about those breaches in this blog. If a credit reporting company can't adequately protect consumers' sensitive personal information, then they don't deserve to be in business. It's that simple. And:

• Client companies like the Abilene Telco Federal Credit Union, that allegedly fail to adequately protect sensitive data, should pay some (or all) of the post-breach management costs for all affected consumers
• Credit reporting agencies should include mandatory, yearly data security training for their client users

What's your opinion?

Massive Data Breach At IEEE Affects 100,000 Members

Late last month, the IEEE (Institute of Electrical and Electronics Engineers) experienced a massive data breach affecting 100,000 of its members. The breach left the usernames and passwords of its members exposed in plain text for a month.

An independent security researcher discovered the breach and notified the organization on September 24. On September 25, the IEEE confirmed the breach.

The breach is an embarrassment for the IEEE, which describes itself on its website as:

"... the world’s largest professional association dedicated to advancing technological innovation and excellence for the benefit of humanity."

Basic data security methods include the encryption of sign-in credentials. CSO Online reported:

"Torsten George, vice president of worldwide marketing and products for Agiliance, a security risk management firm, called it 'plain stupid.' Paul Ducklin, writing at Sophos' Naked Security blog, called it, 'a veritable security disaster'... A number of IEEE members were also failing to use basic security... seven of the top-10 most popular passwords were combinations of the number string '1234567890,' in order. Others in the top 20 included 'password' and 'admin'..."

Massive Data Breach At TD Bank Affects 260,000 Consumers

Several news outlets have reported about a massive data breach at TD Bank, affecting about 260,000 persons from Maine to Florida. The affected consumers include 35,000 in Maine, 3,000 in Florida, 73,000 in Massachusetts, and 43,000 in New Hampshire. According to the CBS affiliate in Philadelphia, most breach victims -- about 150,000 -- are in states in the New England region of the USA.

The bank is notifying affected customers via letters. In a breach notice sent to the New Hampshire Attorney General (Adobe PDF), the bank said:

"We have determined that personal information of New Hampshire residents was included on two data backup tapes that we shipped to one of our locations in late March 2012. The tapes have been missing since then, and we have been unable to locate them..."

The sensitive personal information exposed/stolen includes full names, addresses, Social Security numbers, bank account numbers, birth dates, and driver's license numbers. The bank is offering breach victims with one year of free credit monitoring services via ITAC Sentinel Plus.

In a statement, Martha Coakley, the Massachusetts Attorney General, said:

"The loss of these tapes potentially puts the personal information of thousands of Massachusetts consumers at risk, and we remind consumers to take appropriate steps to protect themselves... We will be reviewing the circumstances of this breach and the steps that TD Bank is taking to address the loss.”

A close review of the bank seems appropriate, since banks are not supposed to lose things, since they are entrusted with valuable items. And, this is not the bank's first data breach:*

• March 2011: "insider identity theft" involving an employee that sold the account information of about about 10 customers causing about $39,000 in fraudulent charges 
• March 2010: a fraud ring, using a former employee, stole and sold the account information of customers to accomplices who then stole about $200,000 from bank accounts

This breach sounds similar to what I experienced in 2007 with IBM, where computer data tapes were lost or stolen during shipment from its headquarters fo an off-site storage facility. That breach sounded like theft, as does the recent TD Bank breach. Vendors don't just accidentally lose computer tapes. Misplace them, perhaps. Lose, no.

Things I noticed in the TD Bank breach notice to its affected customers lacked:

• If a vendor or contractor was involved with transporting the missing/stolen computer data tapes, the corrective actions the bank is taking with this vendor to avoid a repeat of this breach
• If an employee was involved with transporting the missing/stolen computer data tapes, the internal employee training and data security methods is taking to avoid a repeat of this breach. Sadly, there are numerous breaches where company employees left data tapes unsecured in parked autos.
• Notice about how results of its breach investigaton will be communicated to breach victims
• Whether or not the data on the tapes was encrypted; and if it wasn't encrypted why not
• An explanation of why only 12 months of free credit monitoring, when the usability of stolen personal information is far longer

*Note: breach history from Privacy Rights Clearinghouse.

Massive Data Breach At Northwest Florida State College Affects About 300,000 Persons

Last week, officials at Northwest Florida State College (NWFSC) announced a data breach that affected more than 275,00 persons. The affected persons include about 76,500 current and former students, 200,000 Bright Futures scholars, and 3,200 employees.

The breach occurred between May 21 and September 24, 2012, and included the unauthorized access of one of the school's computer servers.The sensitive personal data exposed/stolen includes full names, addresses, birth dates, and Social Security numbers. The Bright Futures persons affected include students during the 2005-06 and 2006-07 academic years. The data exposed/stolen about Bright Futures students includes full names, birth dates, Social Security numbers, ethnicity and gender. NWFSC announced that no student academic files were compromised.

The data exposed/stolen about employees included full names, Social Security numbers, birth dates, banking direct-deposit account numbers, addresses, phone numbers, and college email addresses. A breach investigation is ongoing, where NWFSC has hired an unnamed technology consultant, and is working with local law enforcement. According to a press release:

"The college is coordinating its efforts with the Division of Florida Colleges in the Department of Education to formally notify all students impacted by the data breach."

Northwest Florida State College has contracted with an external consultant, to ensure the college’s data remains safe and secure. Further, the Okaloosa County Sheriff’s Office cybercrimes unit continues to investigate the matter with assistance from the Florida Department of Law Enforcement.

NWFSC advises affected persons:

"... individuals who notice improper use of their Social Security number and believe they may be the victim of identity theft should contact the Federal Trade Commission at www.ftc.gov/idtheft or at 1-877-ID-THEFT (438-4338). Affected persons may also call the local sheriff’s office and file a police report of identity theft, keeping a copy of the police report."

In an Oct. 8, 2012 memo to employees (Adobe PDF), NWFSC said:

"... one or more hackers accessed one folder on our main server. This folder had multiple files on it. No one file had a complete set of personal information regarding individuals. However, by working between files, the hacker(s) have been able to piece together enough information to be able to engage in the theft of identity of at least 50 employees..."

The memo to employees outlined three specific identity theft and fraud actions by the thieves:

"The first is to use PayDayMax, Inc. as a conduit for taking out a personal loan which is repaid by debiting your bank account. The second is the same process using Discount Advance Loans. The third is to apply for a Home Depot Credit Card in an employee’s name and then use that card..."

Given this active identity fraud, both students and employees should take the threat seriously, and take immediate actions to check their credit reports at the three major credit-reporting agencies; and place a Fraud Alert or Security Freeze if appropriate. Plus, NWFSC should offer breach victims free credit monitoring and resolution services for at least two years.

Anthem Blue Cross Settles With California Attorney General Over Data Breach

Everyone who is security conscious knows that a business should never printer consumers' Social Security numbers on health care identification cards, statements, and letters. Doing so facilitates identity theft, fraud, and medical identity theft -- a big help for identity thieves.

Yesterday, the California Attorney General announced both a lawsuit and settlement involving Blue Cross of California, which operates under the name Anthem Blue Cross. The lawsuit, filed in Los Angeles Superior Court today along with the settlement, alleged that Anthem printed Social Security numbers on letters it mailed to more than 33,000 from April 2011 and March 2012. The lawsuit claimed that this violate state law prohibiting the disclosure of Social Security numbers. After the breach, Anthem offered those subscribers one year of free credit monitoring.

This blog has discussed repeatedly how the risk of identity theft doesn't end after a year or two - typically the period businesses offer breach victims free credit monitoring services. Identity criminals will use stolen credentials until they know the credentials are no longer usable.

Terms of the settlement include a $150,000 payment and:

"... requires Anthem to implement new technical safeguards for its data management system, restrict employee access to members’ Social Security numbers and provide enhanced data security training for all of its associates."

The fine seems light since this is not the first breach involving Anthem. A breach of the company's website in June 2010 affected about 470,000 subscribers nationwide.

Study: Small And Medium Sized Businesses Face Growing Data Security Threats

According to a new report by Osterman Research, and sponsored by Trend Micro, while cloud and mobile device usage have increased within small and medium sized businesses, so too has malware and data security threats. The survey found that about 52.1% of devices (e.g., desktop computers, laptops, tablets, smartphones) used by employees were infected annually with malware. In any given month, about 4.3% of devices were infected.

The report found that the malware has become more serious, with more versions, a short life, had target specific mobile devices (e.g., devices running the Android operating system) ,and had targeted businesses in specific countries that perform online banking.

The researchers found the costs to businesses were substantial. Information technology (I.T.) departments spent on average 72 minutes per device to remove the malware and fix the infected computer. The direct I.T. staff cost was about $2,400 per device per year. And, those costs don't include the lost employee productivity.

The data breaches from this malware can lead to theft of money, trade secrets, or the sensitive personal information of employees, former employees, and contractors. Criminals try to infect employees' devices with keystroke-logging malware to steal online bank account passwords. The report listed some of the company data breaches where businesses were robbed in this manner:

• Western Beaver County School District: $700,000
• The Catholic Diocese of Des Moines: $600,000
• Hillary Machinery: $800,000 (its bank was able to recover only $600,000)
• Patco: $588,000
• Experi-Metal, Inc.: $560,000
• Village View Escrow: $465,000
• An unidentified construction company in California: $447,000
• Choice Escrow: $440,000
• An unidentified solid waste management company in New York: $150,000
• An unidentified law firm in South Carolina: $78,421

So, if you work in a small or medium sized business that performs online banking, you can assume that identity thieves and criminals have targeted your employer and, most likely, your mobile device.

Hacker Group Announces Theft Of 12 Million Apple Mobile Device Identification Numbers

A hacker group has announced the theft of 1 million Apple iPhone UDIDs, or Unique Device Identifcation numbers. The hacker group claimed that the data breach was to highlight the unannounced tracking of US citizens by the Federal Bureau of Investigation (FBI) agency. The Next Web reported:

"During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ”NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zip codes, cellphone numbers, addresses, etc. the personal details fields referring to people..."

The AntiSec hacker group stole 12 million UDIDs, and has publicly released 1 million of them.

What is a UDID? If you read this blog, then you already know what UDIDs are. Every smart phone, tablet, and mobile device has one: a 40-digit number that uniquely identifies each device. If you switched devices recently, chances are your telecommunications provider (e.g., Sprint, AT&T, Verizon, etc.) probably required that you provide them with the UDID for your new device.

The UDID is a bonanza for companies, marketers, government agencies, and any entity interested in tracking consumers. When matched with your 10-digit phone number and iTunes account, the UDID is a powerful identification (and tracking) tool that allows the compilation of all data, usage, and information on a mobile device to a person: phone calls, email messages, photos, video, text messages, GPS position, phone book, web browser history, apps downloaded, music, movies, and more. That compilation is more extensive since many consumers now use multiple email addresses (e.g., work and personal) on a single mobile device. Parents, who gave their children mobile devices, also need to be aware of the tracking threat. Links between your device's UDID and your Apple iCloud account would enable even more extensive tracking at the document level.

The Huffington Post advises consumers who want to check if their UDID was stolen:

"First, use the website whatsmyudid.com to figure out how to access your UDID, which can easily be found by plugging Apple devices into iTunes. Next, copy and paste the ID into The Next Web's data checker, or use tech consultant Sean MacGuire's website to quickly scan through the hacked IDs."

This blog has reported privacy abuses where app developers and marketers allegedly collected consumers' UDID without notice and without consent, including this class-action suit against Apple and this class-action suit against Ringleader Digital and several other companies. The sad reality is that consumers' UDIDs could already be in a lot more entities' databases, since too many mobile device apps fail to provide privacy policies, and collect data without notice and without consent.

[Update 3:30 pm: one blogger analyzed the data released by the hackers, and concluded it isn't so bad since not much other personal data was stolen. I don't place much weight on this view, as there is no guarantee the hackers released everything stolen.]

[Update 10:00 am: the FBI denies that it has the data the hacker group claimed it has.]