Data from NASA, TSA and Defense Intelligence Agency Found in Market
June 25, 2009
By Robert McMillan
IDG News Service
A team of journalists investigating the global electronic waste business has unearthed a security problem too. In a Ghana market, they bought a computer hard drive containing sensitive documents belonging to a major government contractor.
The drive had belonged to a Fairfax, Virginia, employee who still works for the company and contained “hundreds and hundreds of documents about government contracts,” said Peter Klein, an associate professor with the University of British Columbia, who led the investigation for the Public Broadcasting Service show Frontline. He would not disclose details of the documents, but he said that they were marked “competitive sensitive” and covered company contracts with the Defense Intelligence Agency, the National Aeronautics and Space Administration and the Transportation Security Agency.
The data was unencrypted, Klein said in an interview. The cost? US$40.
The government contractor is not sure how the drive ended up in a Ghana market, but apparently the company had hired an outside vendor to dispose of the PC. “Based on the documents we were shown, we believe this hard drive may have been stolen after one of our asset-disposal vendors took possession of the unit. Despite sophisticated safeguards, no company can inoculate itself completely against crime.”
A spokesman would not say who was responsible for disposing of the drive, but in its statement the company noted that “the fact that this information is outside our control is disconcerting.”
Some of the documents talked about how to recruit airport screeners and several of them even covered data security practices, Klein said. “It was a wonderful, ironic twist,” Klein said. “Here were these contracts being awarded based on their ability to keep the data safe.”
According to Klein, it’s common for old computers and electronic devices to be improperly dumped in developing countries such as Ghana and China, where locals scavenge the material for components, often under horrific working conditions.
Last year the U.S. Government Accountability Office found that a substantial amount of the country’s e-waste ended up in developing countries, where it was often dangerously disposed of.
The reporters bought seven hard drives, Klein said. The other drives contained sensitive information about their previous owners, including credit-card numbers, resumes and online account information.
Off-camera, sources in Ghana told the reporters that data thieves routinely scour these hard drives for sensitive information, Klein said.
It’s easy for criminals to find data on drives, even when they’ve been legitimately wiped clean, Moulton said. He buys used hard drives by the hundreds for his classes. These drives have been professionally wiped, but his students always find at least one drive in each class with information still on it. That’s because it’s easy for a drive to get missed during the wiping process or improperly wiped. Compounding the problem, the software that some recycling companies use doesn’t actually remove all data from the drive, especially data that may be hidden on corrupted parts of the hard drive known as bad blocks, he explained.
Source: CSO Online
TJX to Pay $9.75 Million for Data Breach
June 23, 2009
By W.J. Hennigan
Retail giant TJX Cos. agreed Tuesday to pay $9.75 million to 41 states including California to settle an investigation of a massive data breach that jeopardized millions of payment card numbers.
TJX, the parent company of the T.J. Maxx and Marshalls discount clothing chains, will pay $7.25 million in settlement and investigation costs. In addition, $2.5 million will go to create a data security fund for those states. California’s share is $624,393.
In January 2007, TJX disclosed that hackers had tapped into its computer systems, which stored about 50 million customers’ credit and debit card numbers. The breach wasn’t detected for more than a year.
The Framingham, Mass., company emphasized in a news release that it “firmly believes it did not violate any consumer protection or data security laws.”
California Atty. Gen. Jerry Brown had a different take, citing TJX’s 2004 internal audit, which found security vulnerabilities.
“TJX ignored flaws in its credit card database, until hackers broke into it, gaining access to the personal information of almost 50 million people,” Brown said in a statement. “This agreement requires the company to carefully test its security systems and upgrade them to the highest contemporary standards.”
TJX’s chief financial officer, Jeffrey Naylor, said the settlement would allow TJX and the states’ attorneys general to take “leadership roles in exploring new technologies and approaches to solving the systemic problems in the U.S. payment card industry.”
Eleven people were arrested on the hacking charges. Two pleaded guilty, and two have pleaded guilty to related charges, TJX said.
In California, TJX operates 103 Marshalls stores, 73 T.J. Maxx stores, 31 HomeGoods stores and seven A.J. Wright stores.
william.hennigan@latimes.com
Source: Los Angeles Times


