1.5 Million Medical Files At Risk In Health Net Data Breach
November 19, 2009
A hard drive with seven years of personal and medical information on about 1.5 million Health Net customers, including 446,000 in Connecticut, was lost six months ago and was first reported Wednesday, state and company officials said.
The insurance company informed the state attorney general’s office and the Department of Insurance Wednesday of the security breach that puts personal medical records at risk in a historic lapse, the first of its kind to be publicly reported.
A portable, external hard drive with Social Security numbers and medical records “disappeared” and is still missing from the insurer’s Northeast headquarters in Shelton, a Health Net spokeswoman said Wednesday.
The hard drive contains Social Security numbers, medical records and health information dating to 2002 for 1.5 million customers — past and present — in Arizona, Connecticut, New Jersey and New York, the spokeswoman said.
The data were compressed, but not encrypted. The information is formatted as images and requires a special computer program to be read, state and company officials said. Health Net plans to send out letters to its customers notifying them of the breach.
Attorney General Richard Blumenthal and Insurance Commissioner Thomas Sullivan each said he is investigating what happened, and why the company waited six months to report the incident.
The data breach is another in a series of information security lapses involving Connecticut residents in recent months. Most, including a large breach of People’s United Bank customer information, have included bank records or Social Security numbers. The missing hard drive at Health Net is the first publicly reported, widespread release of patients’ medical records, at least in recent state history.
“Health Net’s incomprehensible foot-dragging demonstrates shocking disregard for patients’ financial security, as well as loss of their highly sensitive and confidential personal health information,” Blumenthal said in a prepared statement.
Sullivan said his office is requiring Health Net to offer credit protection monitoring through Debix, a company that provides identity-theft protection services.
“My main concern is protecting the members and participating providers,” Sullivan said. “We are currently working with Health Net to ensure adequate notification and protections for all involved.”
Health Net suggests that customers with questions call the company phone number on the back of their benefits card, said Alice Chaves Ferreira, a spokeswoman for Health Net of the Northeast Inc.
“Health Net will provide credit monitoring for over two years — free of charge — to all impacted members who elect this service, and will provide assistance to any member who has experienced any suspicious activity, identity theft or health care fraud between May 2009 and their date of enrollment with our identity protection service,” Chaves Ferreira said.
The company didn’t know what information was on the hard drive, which is why the information wasn’t reported sooner, Chaves Ferreira said. Health Net conducted a lengthy investigation, including a forensic review by computer experts, she said.
It was only then that the company concluded the lost data included a vast trove of information.
Earlier this month, Anthem Blue Cross and Blue Shield of Connecticut reported that a laptop was stolen this summer in the Chicago area, compromising personal information of nearly 850,000 doctors, therapists and other health care providers in 50 states, including 19,000 in Connecticut.
Last year, Bank of New York Mellon lost computer tapes that jeopardized information on more than 600,000 state residents, including many account holders at People’s United Bank.
By MATTHEW STURDEVANT
Source: The Hartford Courant
Data breach could affect 60,000 GIs, civilians
November 17, 2009
The Corps of Engineers is investigating the recent loss of an external hard drive that could pose identity theft problems for as many as 60,000 soldiers and Army civilians.
Maj. Mark Young, a Corps of Engineers spokesman in Washington, said the security breach occurred in the command’s Southwestern Division, which is headquartered in Dallas, in early November.
“Right now the focus is on investigating [the incident], alerting people who may be affected, and taking measures to make sure it doesn’t happen again,” he said.
Information stored on the missing hard drive includes personal data, such as names and Social Security numbers, on a number of current and former soldiers and some civilian employees, according to information provided by the Southwest Division.
Most of the affected population includes soldiers whose files went before the Fiscal 2008 sergeant first class and 2008 master sergeant promotion boards, and the 2007 colonel promotion board and the 2009 lieutenant colonel command board.
“Those who may be impacted by this incident will be notified electronically through the Army Knowledge Online Web site, or by mail,” according to a statement issued by Southwest Division Nov. 13.
Officials said that as of that date, there were no known cases of identity theft associated with the lists.
This is not the first time that the personal information on the 30,812 soldiers considered by the 2008 sergeant first class board has been compromised.
Just weeks after the board adjourned in February 2008, the Army’s Criminal Investigation Command determined that an advance version of the list made available to commanders and their designated representatives had been improperly posted on the Internet.
Within days of that finding, CID officials also determined that a listing of 20,048 soldiers considered by the 2005 master sergeant board had been compromised.
Those findings were particularly troubling because until last year, commander copies of lists not only included the names of all soldiers selected and not selected by a board, but their Social Security numbers.
The Army continues to allow designated commanders access to select and non-select lists, but does not include any part of a soldier’s Social Security number on the lists.
Database security and the threat of identity theft are a major problem in both the government and the private sector, according to the Open Security Foundation.
According to data maintained by this nonprofit organization, there have been 363 major incidents this year of data breaches involving personal identifying information.
Included are the compromise of personal data in 6,675 files maintained by the Boston University Army ROTC battalion, and 130,000 soldier files maintained by the Army National Guard.
The Federal Trade Commission identity theft Web site provides helpful information for people who believe their personal information has been compromised.
By Jim Tice - Staff writer
Source: Army Times
Is it time for a national data breach notification law?
November 16, 2009
Federal lawmakers are again considering legislation that would create nationwide rules for notifying potential victims of identity theft when organizations improperly expose their sensitive information.
The Senate Judiciary Committee approved two bills this month that would impose data breach notification requirements on businesses, and a bill with notification requirements is making its way through the House.
It’s not the first time lawmakers have pushed for such federal requirements. However, previous efforts stalled in the legislative process. In the absence of federal requirements, most states have promulgated their own laws, creating a complicated legal patchwork.
Gail Hillebrand, senior attorney at the West Coast Office of Consumers Union, a nonprofit organization that publishes Consumer Reports, said some states have requirements that are more stringent than the ones that Congress is proposing. Hillebrand said consumers are already receiving proper notifications from businesses and that companies tend to follow the requirements of the state with the highest standards when there is a breach that affects people nationwide.
She said it was a positive sign that the bill proposed by Sen. Patrick Leahy (D-Vt.) dealt with data brokers, or businesses that get paid for collecting, transmitting or providing sensitive personal data.
Hillebrand said her group supports both bills that recently made it through the Senate Judiciary Committee and supports the notice of breach approach in the House bill. However, for the House measure, the group has concerns about the scope of the pre-emption of state laws that address data safeguards.
Meanwhile, Enrique Salem, CEO of Symantec, said in an e-mail that the Leahy bill was “a major step forward towards enacting a comprehensive, uniform national framework to better prevent breaches of sensitive consumer information as well as setting a clear standard for effective notification should a breach occur.” Salem said Symantec believes the United States urgently needs to pass a national data breach law.
By Ben Bain
Source: Federal Computer Weekly
U.S. Government Suffers ‘Largest Release Of Personally Identifiable Information Ever’
October 4, 2009
The inspector general of the National Archives and Records Administration is investigating a potential data breach affecting tens of millions of records about U.S. military veterans, Wired.com has learned. The issue involves a defective hard drive the agency sent back to its vendor for repair and recycling without first destroying the data.
The hard drive helped power eVetRecs, the system veterans use to request copies of their health records and discharge papers. When the drive failed in November of last year, the agency returned the drive to GMRI, the contractor that sold it to them, for repair. GMRI determined it couldn’t be fixed, and ultimately passed it to another firm to be recycled.
The incident was reported to NARA’s inspector general by Hank Bellomy, a NARA IT manager, who charges that the move put 70 million veterans at risk of identity theft, and that NARA’s practice of returning hard drives unsanitized was symptomatic of an irresponsible security mindset unbecoming to America’s record-keeping agency.
“This is the single largest release of personally identifiable information by the government ever,” Bellomy told Wired.com. “When the USDA did the same thing, they provided credit monitoring for all their employees. We leaked 70 million records, and no one has heard a word of it.”
But NARA says the lost drive is not a problem because its contractors signed privacy promises in their contracts, though the agency has since changed its policy to require that sensitive media be destroyed by NARA itself.
The drive was part of a RAID array of six drives containing an Oracle database that held detailed records on 76 million veterans, including millions of Social Security numbers dating to 1972, when the military began using individuals’ Social Security numbers as their service numbers.
When the unencrypted drive failed, Bellomy says he tried to subvert the longstanding recycling policy by hiding the drive in his safe. But it was taken out of his control when he was put on long-term leave. Under the conditions of the maintenance contract, if NARA did not return the drive, GMRI would have billed the agency $2,000 for a replacement.
He adds that more drives failed after the November incident, and that he performed a forensic scan on them to prove that they were full of sensitive data.
“I said you can’t turn them back in. The data is Privacy Act — it’s against the law,” Bellomy told Wired.com. “We have no clue how many drives have been sent back over the past seven years since this system was in place. I am a government employee and I’m a veteran, and just this year had both my credit cards replaced because they were compromised.”
The Pentagon requires that old drives be degaussed (demagnetized) or physically destroyed. In a 2006 report still in effect, the National Institute of Standards and Technology recommended purging and destruction methods, while OMB rules dating to the same year require that agencies follow those NIST standards and encrypt sensitive data being sent or stored remotely.
But NARA says that while it no longer will send back drives, no rules were broken, and that warning veterans would cause unnecessary fear.
“NARA does not believe that a breach of PII (personally identifiable information) occurred, and therefore does not believe that notification is necessary or appropriate at this time,” NARA told Wired.com in an e-mailed background paper. “This view could change if the [inspector general] investigation of this incident later determines that GMRI … or their subcontractors took some illegal or unethical action that may have compromised sensitive data contained on the inoperable November 2008 disk drive.”
As part of a six-disk RAID 5 setup, the drive likely contained about 18 percent of the database, and the disk also likely contained a quick look-up table that included all veterans’ names and service-record numbers, according to Bellomy.
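To see what a single member of such an array gives away, here is an added illustration (constructed code, not NARA’s system or anything from the article): a few hundred made-up fixed-width records are striped across a six-disk RAID 5 with rotating parity, and then one member is scanned on its own, as a repair vendor or recycler would see it. The disk count, chunk size and record layout are assumptions chosen for the demonstration.

```python
"""Why one member of an unencrypted RAID 5 set is still a breach.

Added illustration, not NARA's system or code: constructed fixed-width
records are striped across a six-disk RAID 5 (one rotating parity chunk per
stripe), then ONE member is examined on its own. Chunk and record sizes are
toy values; real arrays use 64 KiB or larger stripe units, which only makes
more of each record land whole on a single disk."""
import hashlib
from typing import List, Sequence

NDISKS = 6      # the NARA array is described as a six-disk RAID 5 set
CHUNK = 64      # bytes per stripe unit (assumption; production uses 64 KiB+)
REC_LEN = 32    # fixed-width constructed records, two per chunk


def build_records(n: int) -> List[bytes]:
    """Constructed stand-in records: id, hashed name, SSN-like number.
    The hashed name keeps a parity chunk from ever equalling a real record."""
    recs = []
    for i in range(n):
        name = hashlib.sha256(str(i).encode()).hexdigest()[:10]
        rec = f"ID{i:05d}|{name}|SSN{100000000 + i:09d}|".encode()
        recs.append(rec.ljust(REC_LEN, b" ")[:REC_LEN])
    return recs


def xor_bytes(blocks: Sequence[bytes]) -> bytes:
    """Byte-wise XOR of equal-length blocks (this is RAID 5 parity)."""
    out = bytearray(blocks[0])
    for block in blocks[1:]:
        for i, b in enumerate(block):
            out[i] ^= b
    return bytes(out)


def raid5_stripe(data: bytes, ndisks: int = NDISKS) -> List[bytes]:
    """Stripe `data` over `ndisks` members: each stripe holds ndisks-1 data
    chunks plus one parity chunk whose position rotates stripe to stripe."""
    per_stripe = CHUNK * (ndisks - 1)
    data += b"\x00" * ((-len(data)) % per_stripe)       # pad to whole stripes
    members = [bytearray() for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        base = s * per_stripe
        chunks = [data[base + j * CHUNK: base + (j + 1) * CHUNK]
                  for j in range(ndisks - 1)]
        parity_at = (ndisks - 1 - s) % ndisks
        pending = iter(chunks)
        for d in range(ndisks):
            members[d] += xor_bytes(chunks) if d == parity_at else next(pending)
    return [bytes(m) for m in members]


def rebuild(members: List[bytes], missing: int) -> bytes:
    """RAID 5 redundancy check: any one member is the XOR of all the others."""
    return xor_bytes([m for d, m in enumerate(members) if d != missing])


def recoverable_records(member: bytes, records: Sequence[bytes]) -> List[bytes]:
    """Records that sit verbatim on ONE member. Its data chunks are plain
    text; its parity chunks are an XOR of other chunks (not encryption, and
    with structured data they can leak field fragments too), but only exact
    whole-record matches are counted here."""
    return [r for r in records if r in member]


if __name__ == "__main__":
    records = build_records(600)
    members = raid5_stripe(b"".join(records))
    assert rebuild(members, 2) == members[2]          # striping is consistent
    leaked = recoverable_records(members[0], records)
    print(f"1 of {NDISKS} members exposes {len(leaked)} of {len(records)} "
          f"records in clear ({100 * len(leaked) / len(records):.1f}%)")
```

Run as a script it reports that one member carries 100 of the 600 records in clear, one sixth, the same order of magnitude as the share Bellomy cites. The point is that RAID 5 distributes data for availability, not confidentiality: whole records sit unencrypted inside each member’s data chunks, and the parity chunks are an XOR of the others rather than anything resembling encryption. Only encryption at rest, or sanitizing every member before it leaves custody, changes that.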
US-CERT, the nation’s clearinghouse for data breaches and hacks, was notified in February by a NARA employee named Thomas Bennett, according to a document Bellomy provided to Wired.com.
“The information system contains a significant amount of Personally Identifiable Information (PII) and Sensitive PII about veterans,” wrote Thomas Bennett, a NARA employee. “As a result, we believe that is likely that the defective drive contains PII and SPII. At this time, we are trying to determine the location and status of the drive.”
The status of the NARA investigation is unclear, though the incident was alluded to in a recent report on the inspector general’s activity.
“We are aware of the incidents and are looking into it,” said Ross Weiland, the assistant inspector general for investigations at NARA . He declined further comment.
This isn’t the first time that veterans’ data has been lost or that NARA has been investigated for controversial data-handling practices.
The Veterans Administration lost a laptop containing personal records on more than 25 million veterans in 2005 and, earlier this year, settled a class action suit over the breach by paying out $20 million.
NARA recently lost a hard drive full of data from the Clinton White House, including 100,000 Social Security numbers, political records and event logs. The data has still not been located.
Both the House Oversight Committee for Veterans Affairs and an oversight committee for NARA were notified of the lost drive, but neither committee returned calls seeking comment.
By Ryan Singel
Source: www.Wired.com
DoD Units Fail to Sanitize Hard Drives Before Shipment
September 26, 2009
Several military units failed to adequately sanitize hard drives of data, including Social Security numbers of military personnel, before shipping the IT equipment to other organizations, in violation of Department of Defense rules, the DoD inspector general said in a report.
The IG took to task individual units as well as the Defense Reutilization and Marketing Service for failing to adequately implement DoD internal controls that require the sanitization, documentation and full accountability of excess unclassified IT equipment before releasing the equipment to other organizations. “The instances of nonperformance occurred because DoD components did not follow policies, adequately train personnel or develop and implement site-specific procedures to ensure excess unclassified equipment was sanitized and disposed of properly,” said the 53-page report, which was issued Sept. 21.
Additionally, the IG said, DoD guidance issued by the assistant secretary of defense for networks and information integration, who also serves as the Defense CIO, and the Navy CIO was out of date and did not cover sanitizing and disposing of new types of information storage devices. As a result, four DoD units could not ensure personally identifiable information or other sensitive departmental information was protected from unauthorized release, and one of the units could not account for an excess unclassified computer.
Specifically, the IG reported, the following pieces of excess unclassified IT equipment contained readable information.
•An electrocardiogram machine waiting to be shipped from the 436th Medical Group at Dover Air Force Base in Delaware to another Air Force component contained the full names and Social Security numbers of three patients. Officials told us that the electrocardiogram machine contained this information because the 436th Medical Group personnel were unaware that some medical equipment, such as electrocardiogram machines, contained hard drives. The 436th Medical Group officials said they had not been properly trained to sanitize all types of excess unclassified IT equipment.
•Five hard drives waiting to be shipped from the Naval Air Warfare Center Aircraft Division, Naval Air Station Patuxent River, Maryland, to a DRMS processing center contained readable information. One computer contained information such as phone numbers, e-mail addresses, instant messaging traffic, pictures, and various system log files. These hard drives contained information because the Naval Air Systems Command and Naval Air Warfare Center Aircraft Division had not adequately trained personnel responsible for sanitizing equipment or developed site-specific policies that clearly defined sanitization and disposal roles and responsibilities. For example, Naval Air Warfare Center Aircraft Division lab personnel had not received formal training on degaussing equipment and, in one instance, used an audio-video degausser - a device intended to eliminate an unwanted magnetic field from tape media - to degauss hard drives.
•Three hard drives waiting to be redistributed from the 50th Space Communications Squadron, Schriever AFB, Colorado, to another Schriever AFB command contained personal user folders or default operating system information. The information remained on the equipment because the 50th Space Communications Squadron had not established and implemented a process ensuring that excess unclassified IT equipment containing more than one hard drive was properly sanitized. Two of the three hard drives that were not properly sanitized were pulled from computers that housed more than one hard drive, and the equipment custodian did not physically verify whether these computers contained more than one hard drive. No explanation was available as to why the third hard drive had not been properly sanitized.
•A hard drive sent from the U.S. Army Garrison West Point, New York, to a Defense Reutilization and Marketing Service processing center contained bytes of random characters. Officials told us that this occurred because the U.S. Army Garrison West Point did not properly train personnel. In addition, U.S. Army Garrison West Point did not follow proper procedures by performing the required verification of sanitized excess unclassified IT equipment before sending equipment to a Defense Reutilization and Marketing Service processing center.
According to the IG, the commander of the 436th Medical Group and the 50th Space Communications Squadron did not provide comments on the draft report issued in June. The IG requested comments from them on the final report, to be issued in a month. Management comments the IG received were partially responsive, and the auditors asked for further clarification.
The IG recommended that the:
•Defense CIO and the deputy chief of naval operations for communications networks update current sanitization and disposal policies to ensure they address current technology issues;
•Navy CIO establish and implement a clear, detailed policy for sanitizing and disposing of excess IT equipment including electronic storage devices; and
•DoD units sanitize and account for excess unclassified IT equipment in accordance with applicable laws and regulations.
IG auditors visited six Defense units, nine Defense Reutilization and Marketing Service processing centers and two contractors and selected 543 of 4,105 pieces of excess unclassified equipment to review.
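The findings above come down to three missed steps: knowing which equipment contains storage, overwriting it, and verifying and documenting the result before release. As an added example (not the DoD, DRMS or any unit’s procedure), here is a small Python routine that performs the overwrite, reads the medium back independently, and produces the accountability record. It runs against an ordinary file so it can be tried safely; the target path, block size and record fields are assumptions, and on a real system the target would be the raw block device opened as root.

```python
"""Overwrite, read back, and record it, before a drive leaves custody.

Added example, not the DoD, DRMS or any unit's procedure. It runs against an
ordinary file; on a real system `target` would be the raw block device
(e.g. /dev/sdX on Linux) opened as root. A zero overwrite is a NIST SP 800-88
'clear' for magnetic disks only (see the note after the code). The verify
step is the part the IG found missing."""
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 1 << 20   # 1 MiB I/O size (assumption)


def device_size(target: str) -> int:
    """Size in bytes; seeking to the end works for files and, on Linux,
    for block devices."""
    with open(target, "rb", buffering=0) as f:
        return f.seek(0, os.SEEK_END)


def overwrite_zero(target: str, size: int) -> None:
    """Write zeros over every byte, forcing the data to stable storage."""
    zeros = b"\x00" * BLOCK
    with open(target, "r+b", buffering=0) as f:
        remaining = size
        while remaining:
            wrote = f.write(zeros[:min(BLOCK, remaining)])
            if not wrote:
                raise OSError(f"short write on {target}")
            remaining -= wrote
        f.flush()
        os.fsync(f.fileno())


def verify_blank(target: str, size: int) -> bool:
    """Independent read-back: True only if every byte now reads as zero."""
    with open(target, "rb", buffering=0) as f:
        remaining = size
        while remaining:
            buf = f.read(min(BLOCK, remaining))
            if not buf or buf.count(0) != len(buf):
                return False
            remaining -= len(buf)
    return True


def sanitize_with_record(target: str, custodian: str) -> dict:
    """Sanitize, verify, and return the accountability record that should
    travel with the equipment (the documentation the IG report calls for)."""
    size = device_size(target)
    overwrite_zero(target, size)
    return {
        "target": target,
        "bytes": size,
        "method": "single-pass zero overwrite (NIST SP 800-88 clear)",
        "verified_blank": verify_blank(target, size),
        "custodian": custodian,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


def make_sample_drive(path: str, size: int) -> None:
    """Constructed stand-in for a drive full of personnel data (fake values)."""
    line = b"SMITH, JOHN A.|SSN 123-45-6789|FY08 SFC board|\n"
    with open(path, "wb") as f:
        written = 0
        while written < size:
            chunk = line[: size - written]
            f.write(chunk)
            written += len(chunk)


def demo() -> dict:
    """Create a sample 'drive' in a temp dir, show it is not blank, sanitize
    it, and return the record (blank_before records the prior state)."""
    img = os.path.join(tempfile.mkdtemp(), "drive.img")
    make_sample_drive(img, 3 * BLOCK + 17)          # deliberately not aligned
    blank_before = verify_blank(img, device_size(img))
    record = sanitize_with_record(img, custodian="equipment custodian")
    record["blank_before"] = blank_before
    return record


if __name__ == "__main__":
    print(demo())
```

A single zero pass is a NIST SP 800-88 “clear” for magnetic media only; flash/SSD media, drives with remapped sectors, and the embedded drives in equipment like the electrocardiogram machine need the drive’s own sanitize command, a degausser rated for hard disks rather than tape, or physical destruction. The read-back is the cheap part and the one the report says was skipped.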
Source: Government Information Security News
Health Care Unprepared to Secure Digital Health Records
August 5, 2009
In a survey of more than 100 companies, Deloitte found that most organizations only dedicate 1 to 3 percent of their IT budgets to security and that 43 percent of these organizations lack a Chief Information Security Officer.
A new report on the state of security within health care shows that these organizations are unprepared to meet the increased risks to their information in the wake of coming requirements by the federal government to push adoption of digital patient records.
Released last week, the 2009 Global Security Study for Life Sciences and Health Care from Deloitte found that these organizations lag far behind other verticals when it comes to security practices.
“Many of them may not have reached the level of maturity that is considered acceptable,” Amry Junaideen, Deloitte’s global life sciences leader within the security and privacy services division, told Channel Insider.
As the Obama administration continues to push forward plans to implement a centralized digital medical record system by 2014, health care organizations are going to have to adjust their security strategies in three key areas in order to properly protect such a system, Junaideen says.
The first is governance and personnel awareness training. The second is developing a risk management framework to prioritize security activities. And the third is layering the right processes and technologies around the governance and risk management frameworks.
Of the three, Junaideen believes risk management to be the most critical.
“Every organization needs to take a risk-oriented view of their environment,” he says. “Especially organizations that don’t have the resources to do what they absolutely have to do. What they must do is ensure they are spending their limited resources on only the right kinds of things.”
Junaideen says that value added resellers with security solutions have a good opportunity to profit from what has traditionally been known as a tricky market to sell to if they approach it in the right way.
“What they can do for those kind of organizations is to provide cost-effective, package type solutions that do not require all of the infrastructure and resources and the sophistication that will be required if an organization is trying to do something in house internally on their own,” he says. “If they go in with a solution or a process or a framework that really will require as much commitment from the organization that they are trying to provide the service to, I think that the whole process breaks down.”
Source: www.ChannelInsider.com
Financial Industry Accounts for 93 Percent of 285 Million Compromised Records; Most Breaches Avoidable if Proper Precautions Taken
July 14, 2009
Verizon Business 2009 Data Breach Study Finds Significant Rise in Targeted Attacks, Organized Crime Involvement
BASKING RIDGE, N.J. - More electronic records were breached in 2008 than the previous four years combined, fueled by a targeting of the financial services industry and a strong involvement of organized crime, according to the “2009 Verizon Business Data Breach Investigations Report” (DBIR).
This second annual study - based on data analyzed from Verizon Business’ actual caseload comprising 285 million compromised records from 90 confirmed breaches - revealed that corporations fell victim to some of the largest cybercrimes ever during 2008. The financial sector accounted for 93 percent of all such records compromised last year, and a staggering 90 percent of these records involved groups identified by law enforcement as engaged in organized crime.
Verizon Business investigative experts found, as they did in the company’s first report covering 230 million compromised records from 2004 to 2007, that nearly nine out of 10 breaches were considered avoidable if security basics had been followed. Most of the breaches investigated did not require difficult or expensive preventive controls. The 2009 report concluded that mistakes and oversight failures hindered security efforts more than a lack of resources at the time of the breach.
Similar to the first study’s findings, the latest study found that highly sophisticated attacks account for only 17 percent of breaches. However, these relatively few cases accounted for 95 percent of the total records breached - proving that motivated hackers know where and what to target.
“The compromise of sensitive information increased dramatically in 2008, and it’s past time to be vigilant about enterprise security,” said Dr. Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions. “This report should serve as another wake-up call that good security and a proactive approach are paramount to running a business in this day and age — particularly since the economic crisis is likely to trigger a further increase in criminal activity.”
Key Findings of the 2009 Report
This year’s key findings both support last year’s conclusions and provide new insights. These include:
* Most data breaches investigated were caused by external sources. Seventy-four percent of breaches resulted from external sources, while 32 percent were linked to business partners. Only 20 percent were caused by insiders, a finding that may be contrary to certain widely held beliefs.
* Most breaches resulted from a combination of events rather than a single action. Sixty-four percent of breaches were attributed to hackers who used a combination of methods. In most successful breaches, the attacker exploited some mistake committed by the victim, hacked into the network, and installed malware on a system to collect data.
* In 69 percent of cases, the breach was discovered by third parties. The ability to detect a data breach when it occurs remains a huge stumbling block for most organizations. Whether the deficiency lies in technology or process, the result is the same. During the last five years, relatively few victims have discovered their own breaches.
* Nearly all records compromised in 2008 were from online assets. Despite widespread concern over desktops, mobile devices, portable media and the like, 99 percent of all breached records were compromised from servers and applications.
* Roughly 20 percent of 2008 cases involved more than one breach. Multiple distinct entities or locations were individually compromised as part of a single case, and remarkably, half of the breaches consisted of interrelated incidents often caused by the same individuals.
* Being PCI-compliant is critically important. A staggering 81 percent of affected organizations subject to the Payment Card Industry Data Security Standard (PCI-DSS) had been found non-compliant prior to being breached.
The State of Cybercrime: 2009
As the cybercrime market continues to evolve, so do the targets, techniques and types of attackers. The big money is now in stealing personal identification number (PIN) information together with associated credit and debit accounts. In 2008, Verizon Business witnessed an explosion of attacks targeting PIN data.
These PIN-based attacks hit the consumer much harder than typical signature-based counterfeit attacks in which a consumer’s credit card is compromised. Investigators found that PIN fraud typically leads to cash being withdrawn directly from the consumer’s account - whether it is a checking, savings or brokerage account - placing a greater burden on the consumer to prove that transactions are fraudulent.
The higher monetary value commanded by PIN data has spawned a cycle of innovation in attack methodologies. Criminals have re-engineered their processes and developed new tools, such as memory-scraping malware, to steal this valuable commodity.
The geographic distribution of external data breach sources continues to show high activity in Eastern Europe, East Asia and North America. In fact, the 2009 report shows that these regions accounted for 82 percent of all external attacks.
Among investigators, Tippett pointed out, “Eastern Europe is known as a notorious haven for organized cybercrime outfits, which played a major role in breaches throughout 2008.”
“We have a great deal of evidence that malicious activity from Eastern Europe is the work of organized crime,” he said. However, he added, “On the bright side, efforts with law enforcement led to arrests in at least 15 cases (and counting) in 2008.”
Financial Services Sees Biggest Increase of Any Industry
As was the case from 2004 to 2007, data breaches investigated in 2008 affected a wide array of organizations. While the retail industry continues to be the most frequently targeted, accounting for a third of all cases, the biggest rise was in financial services, which more than doubled its share to 30 percent. But more importantly, the financial sector accounted for more than nine out of 10 of the more than 285 million records compromised.
The increase in data breaches in the financial sector reflects the recent trends in cybercriminal activity, especially the focus on acquiring PINs to sell them on the black market. Said Tippett, “The financial services firms were singled out and fell victim to some very determined, very sophisticated and, unfortunately, very successful attacks in 2008.”
Food and beverage establishments, the second most frequently hit industry in the first report, dropped to third place in 2008 with its share falling from 20 percent to 14 percent.
The number of investigations handled by the Verizon Business investigative response team outside the United States rose to more than one-third of its caseload in 2008. In addition to breaches requiring extensive investigations across the United States, many breaches hit organizations in Canada and Europe, while casework continued to increase in Brazil, Indonesia, the Philippines, Japan and Australia. Assuming attackers continue to pursue soft targets internationally, concern in emerging economies can be expected to rise as well, especially with respect to consumer data.
Tippett said, “Our task is not getting any easier; the sum total of information in the world grows continually and permeates everything we do and everywhere we go. While the majority of attacks remain rather mundane, the criminals are adapting to our current protection strategies and inventing new ways to attain the data they value.”
Recommendations for Enterprises
The 2009 study again shows that simple actions, when done diligently and continually, can reap big benefits. Based on the combined findings of nearly 600 breaches involving more than a half-billion compromised records from 2004 to 2008, the Verizon Business RISK team recommends:
* Change Default Credentials. More criminals breached corporate assets through default credentials than any other single method in 2008. Therefore, it’s important to change user names and passwords on a regular basis, and to make sure any third-party vendors do so as well.
* Avoid Shared Credentials. Along with changing default credentials, organizations should ensure that passwords are unique and not shared among users or used on different systems. This was especially problematic for assets managed by a third party.
* Review User Accounts. Years of experience suggest that organizations review user accounts on a regular basis. The review should consist of a formal process to confirm that active accounts are valid, necessary, properly configured and given appropriate privileges.
* Employ Application Testing and Code Review. SQL injection attacks, cross-site scripting, authentication bypass and exploitation of session variables contributed to nearly half of the cases investigated that involved hacking. Web-application testing has never been more important.
* Patch Comprehensively. Every vulnerability that hacking or malware exploited to compromise data had a patch available for six months or longer, meaning that patching quickly isn’t the answer, but patching completely and diligently is.
* Assure HR Uses Effective Termination Procedures. The credentials of recently terminated employees were used to carry out security compromises in several of the insider cases this year. Businesses should make sure formal and comprehensive employee-termination procedures are in place for disabling user accounts and removal of all access permissions.
* Enable Application Logs and Monitor. Attacks are moving up the computing structure to the application layer. Organizations should have a standard log-review policy that requires an organization to review such data beyond network, operating system and firewall logs to include remote access services, Web applications, databases and other critical applications.
* Define “Suspicious” and “Anomalous” (then look for whatever “it” is). The increasingly targeted and sophisticated attacks often occur to organizations storing large quantities of data valued by the criminal community. Organizations should be prepared to defend against and detect very determined, well-funded, skilled and targeted attacks.
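Three of the recommendations above (review user accounts, disable access at termination, and review remote-access and application logs rather than only firewall logs) are easy to state and easy to let slip. The script below is an added example, not part of the Verizon report or this article: it joins a hypothetical HR roster against a directory export to find accounts that should no longer be enabled, then reads constructed remote-access log lines (the log format, usernames and addresses are all invented for the example) to flag successful logins by terminated or unknown users. That is the kind of check that would have caught the insider cases the report describes.

```python
import json
import re
from datetime import date, datetime

# Constructed HR roster: username -> termination date (None = still employed)
HR_ROSTER = {
    "alice": None,
    "bob": date(2008, 9, 30),
    "carol": None,
    "vendor_svc": date(2008, 11, 15),  # third-party vendor account
}

# Constructed directory export: username -> account enabled?
DIRECTORY = {
    "alice": True,
    "bob": True,          # should have been disabled at termination
    "carol": True,
    "vendor_svc": False,  # correctly disabled
    "ghost": True,        # no HR record at all: orphaned account
}

# Constructed remote-access / application log lines (hypothetical format)
APP_LOG = """\
2008-10-03T08:12:44Z vpn user=alice src=10.1.4.9 result=success
2008-10-03T22:41:02Z vpn user=bob src=198.51.100.7 result=success
2008-10-04T02:05:19Z webapp user=ghost src=203.0.113.5 result=success
2008-10-04T09:00:00Z vpn user=carol src=10.1.4.12 result=fail
2008-11-20T03:14:55Z db user=vendor_svc src=203.0.113.9 result=fail
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<app>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def stale_accounts(roster, directory):
    """Enabled accounts that should not be: owner terminated, or no HR record."""
    findings = {}
    for user, enabled in directory.items():
        if not enabled:
            continue
        if user not in roster:
            findings[user] = "orphaned"
        elif roster[user] is not None:
            findings[user] = "terminated"
    return findings


def post_termination_logins(roster, events):
    """Successful authentications dated after the user's termination."""
    hits = []
    for e in events:
        term = roster.get(e["user"])
        if term is not None and e["result"] == "success" and e["ts"].date() > term:
            hits.append((e["user"], e["app"], e["src"], e["ts"].isoformat()))
    return hits


def orphan_logins(roster, events):
    """Users who authenticated successfully but have no HR record at all."""
    return sorted({e["user"] for e in events
                   if e["user"] not in roster and e["result"] == "success"})


def audit(roster=HR_ROSTER, directory=DIRECTORY, log=APP_LOG):
    """Run all three checks and return the findings as one dict."""
    events = parse_log(log)
    return {
        "stale_accounts": stale_accounts(roster, directory),
        "post_termination_logins": post_termination_logins(roster, events),
        "orphan_logins": orphan_logins(roster, events),
    }


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

On the constructed data the audit reports bob (terminated but still enabled, and still logging in over VPN from an outside address) and ghost (an account with no HR owner that is authenticating to the web application). The vendor account is disabled and its failed login is not flagged, which is the point of combining the directory review with the log review: a disabled account that someone is still trying to use is a different finding from an enabled one that nobody owns.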
Tippett concluded, “This report clearly shows it’s not about clever or complex security protection measures. It really boils down to ensuring the basics are met from planning to implementation to monitoring of the data.”
About Verizon Business
Verizon Business, a unit of Verizon Communications (NYSE: VZ), is a global leader in communications and IT solutions. We combine professional expertise with the world’s most connected IP network to deliver award-winning communications, IT, information security and network solutions. We securely connect today’s extended enterprises of widespread and mobile customers, partners, suppliers and employees - enabling them to increase productivity and efficiency and help preserve the environment. Many of the world’s largest businesses and governments - including 96 percent of the Fortune 1000 and thousands of government agencies and educational institutions - rely on our professional and managed services and network technologies to accelerate their business.
Source: Verizon Business
Data from NASA, TSA and Defense Intelligence Agency Found in Market
June 25, 2009
By Robert McMillan
IDG News Service
A team of journalists investigating the global electronic waste business has unearthed a security problem too. In a Ghana market, they bought a computer hard drive containing sensitive documents belonging to a major government contractor.
The drive had belonged to a Fairfax, Virginia, employee who still works for the company and contained “hundreds and hundreds of documents about government contracts,” said Peter Klein, an associate professor with the University of British Columbia, who led the investigation for the Public Broadcasting Service show Frontline. He would not disclose details of the documents, but he said that they were marked “competitive sensitive” and covered company contracts with the Defense Intelligence Agency, the National Aeronautics and Space Administration and the Transportation Security Administration.
The data was unencrypted, Klein said in an interview. The cost? US$40.
The government contractor is not sure how the drive ended up in a Ghana market, but apparently the company had hired an outside vendor to dispose of the PC. “Based on the documents we were shown, we believe this hard drive may have been stolen after one of our asset-disposal vendors took possession of the unit. Despite sophisticated safeguards, no company can inoculate itself completely against crime,” the company said in a statement.
A spokesman would not say who was responsible for disposing of the drive, but in its statement the company noted that “the fact that this information is outside our control is disconcerting.”
Some of the documents talked about how to recruit airport screeners and several of them even covered data security practices, Klein said. “It was a wonderful, ironic twist,” Klein said. “Here were these contracts being awarded based on their ability to keep the data safe.”
According to Klein, it’s common for old computers and electronic devices to be improperly dumped in developing countries such as Ghana and China, where locals scavenge the material for components, often under horrific working conditions.
Last year the U.S. Government Accountability Office found that a substantial amount of the country’s e-waste ended up in developing countries, where it was often dangerously disposed of.
The reporters bought seven hard drives, Klein said. The other drives contained sensitive information about their previous owners, including credit-card numbers, resumes and online account information.
Off-camera, sources in Ghana told the reporters that data thieves routinely scour these hard drives for sensitive information, Klein said.
It’s easy for criminals to find data on drives, even when they’ve been legitimately wiped clean, Moulton said. He buys used hard drives by the hundreds for his classes. These drives have been professionally wiped, but his students always find at least one drive in each class with information still on it. That’s because it’s easy for a drive to get missed during the wiping process or improperly wiped. Compounding the problem, the software that some recycling companies use doesn’t actually remove all data from the drive, especially data that may be hidden on corrupted parts of the hard drive known as bad blocks, he explained.
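The failure mode described above, a drive that was "wiped" but still carries readable content, is cheap to check for before a drive leaves your hands. The script below is an added example, not from the article or from Moulton's classes: it walks a disk image block by block and labels each block as zeroed, single-byte pattern, random (what a random-overwrite pass leaves behind) or structured data, and reports the offsets of the blocks in the last class. The image it scans is constructed in memory so the example runs offline; the block size and the text fragment are assumptions.

```python
import io
import math
import random
from collections import Counter

BLOCK = 4096  # block size used for the constructed image (assumption)


def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for one repeated value, close to 8.0 for random."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_block(data):
    """Label one block as 'zero', 'pattern' (one repeated byte), 'random', or 'data'."""
    if data.count(0) == len(data):
        return "zero"
    if len(set(data)) == 1:
        return "pattern"
    if entropy(data) > 7.5:
        return "random"   # consistent with a random-overwrite wipe pass
    return "data"         # structured content, i.e. something survived the wipe


def scan_image(fobj, block=BLOCK):
    """Read an image (or block device) in fixed-size blocks; return per-label
    counts and the byte offsets of blocks that still look like real data."""
    summary = Counter()
    suspicious = []
    offset = 0
    while True:
        chunk = fobj.read(block)
        if not chunk:
            break
        label = classify_block(chunk)
        summary[label] += 1
        if label == "data":
            suspicious.append(offset)
        offset += len(chunk)
    return dict(summary), suspicious


def build_sample_image(block=BLOCK):
    """Constructed 8-block image: six zeroed blocks, one block from a random
    overwrite pass, and one block the wipe skipped that still holds text."""
    rng = random.Random(1)  # seeded so the example is reproducible
    text = b"COMPETITIVE SENSITIVE: contract draft, do not distribute\n"
    leftover = (text * (block // len(text) + 1))[:block]
    random_block = bytes(rng.getrandbits(8) for _ in range(block))
    return bytes(block * 6) + random_block + leftover


def demo():
    """Scan the constructed image; returns (summary, suspicious_offsets)."""
    return scan_image(io.BytesIO(build_sample_image()))


if __name__ == "__main__":
    summary, suspicious = demo()
    print("blocks by class:", summary)
    for off in suspicious:
        print(f"residual data at offset {off} (block {off // BLOCK})")
```

To use it on real media, pass an open handle to the device or image (for example `scan_image(open("/dev/sdX", "rb"))` as root) and treat any block labelled data as a wipe failure. The caveat is the one Moulton raises: this reads only the sectors the drive controller chooses to return. Sectors the drive has reallocated as bad, and any spare area, are invisible to the host, so a clean scan is necessary but not sufficient, and a drive that holds sensitive data should be sanitized with the drive's own secure-erase command or physically destroyed rather than trusted on the strength of a software overwrite plus this check.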
Source: CSO Online
TJX to Pay $9.75 Million for Data Breach
June 23, 2009
By W.J. Hennigan
Retail giant TJX Cos. agreed Tuesday to pay $9.75 million to 41 states including California to settle an investigation of a massive data breach that jeopardized millions of payment card numbers.
TJX, the parent company of the T.J. Maxx and Marshalls discount clothing chains, will pay $7.25 million in settlement and investigation costs. In addition, $2.5 million will go to create a data security fund for those states. California’s share is $624,393.
In January 2007, TJX disclosed that hackers had tapped into its computer systems, which stored about 50 million customers’ credit and debit card numbers. The breach wasn’t detected for more than a year.
The Framingham, Mass., company emphasized in a news release that it “firmly believes it did not violate any consumer protection or data security laws.”
California Atty. Gen. Jerry Brown had a different take, citing TJX’s 2004 internal audit, which found security vulnerabilities.
“TJX ignored flaws in its credit card database, until hackers broke into it, gaining access to the personal information of almost 50 million people,” Brown said in a statement. “This agreement requires the company to carefully test its security systems and upgrade them to the highest contemporary standards.”
TJX’s chief financial officer, Jeffrey Naylor, said the settlement would allow TJX and the states’ attorneys general to take “leadership roles in exploring new technologies and approaches to solving the systemic problems in the U.S. payment card industry.”
Eleven people were arrested on the hacking charges. Two pleaded guilty, and two have pleaded guilty to related charges, TJX said.
In California, TJX operates 103 Marshalls stores, 73 T.J. Maxx stores, 31 HomeGoods stores and seven A.J. Wright stores.
william.hennigan@latimes.com
Source: Los Angeles Times
NARA: Hard Drive From Executive Office of President Clinton Missing
May 20, 2009
By Ben Bain
NARA suffers data breach; investigation under way into missing hard drive with personal information.
An external hard drive with personally identifiable information from the Executive Office of the President during the Clinton administration is missing from a National Archives and Records Administration facility near Washington, government officials have said.
The missing device has copies of electronic storage tapes with data about White House staff members and visitors from the Clinton era, and the amount of personal information missing isn’t known, NARA said in a statement released May 19. The agency’s inspector general is investigating the incident. Officials said staff members confirmed that the hard drive went missing in early April, and they subsequently informed agency officials, the Homeland Security Department’s U.S. Computer Emergency Readiness Team and Clinton’s representative.
NARA also said it will issue a breach notification to people affected by the loss, and it has reviewed its internal controls and improved security processes.
NARA’s IG briefed staff members of the House Oversight and Government Reform Committee May 19, and Rep. Edolphus Towns (D-N.Y.), the committee’s chairman, and ranking member Rep. Darrell Issa (R-Calif.) said they would pursue the issue.
“I am deeply concerned about this serious security breach at the National Archives,” Towns said. He plans to hold separate briefings for committee members with NARA’s IG and the FBI so they can “begin to understand the magnitude of the security breach and all of the steps being taken to recover the lost information.” Towns said the FBI is conducting a criminal investigation into the matter.
Issa’s office said the missing drive contains 1 TB of data with “more than 100,000 Social Security numbers (including Al Gore’s daughter), contact information (including addresses) for various Clinton administration officials, Secret Service and White House operating procedures, event logs, social gathering logs, political records and other highly sensitive information.”
“This egregious breach raises significant questions regarding the effectiveness of the security protocols that are in place at the National Archives and Records Administration,” Issa said. He also called on Adrienne Thomas, NARA’s acting head, to testify about the incident during a hearing the committee’s Information Policy, Census and National Security Archives Subcommittee plans to hold May 21.
Source: Federal Computer Week