Data Breach

Verizon plays fast and loose with the wrong 1,200 e-mail addresses

Verizon plays fast and loose with the wrong 1,200 e-mail addresses - Via NetworkWorld.com Community:

This should be a vendor's first rule when inviting 1,200 IT pros to a seminar about securing data and protecting personal information: Make sure you protect the personal information of the 1,200 professionals you're trying to impress.

How did Verizon do in that regard on Tuesday? They failed miserably ... and not just once.

David Williams, technology coordinator for a Texas school district, alerted me to the situation because he had read my recent post -- "Run-amok Verizon robo-caller torments 1,400 customers" -- which recounted the nine phone calls in 24 hours that were received at my house last month.

"I had something similar occur today," Williams writes. "In a period of three hours I received 14 e-mails promoting Verizon's 'Secure the Information. Secure the Infrastructure' webinar series, and three e-mails promoting their '2008 Data Breach Investigations Report Road Show.' "

The excessive volume of e-mail wasn't the half of it, though.

World Bank Under Cyber Siege in 'Unprecedented Crisis' ??

World Bank Under Cyber Siege in 'Unprecedented Crisis' - Via FOXNews.com :

The World Bank Group's computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned.

It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July.

In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.

248,000 in N.C. affected by lost personal data

248,000 in N.C. affected by lost personal data - Via The News & Observer:

RALEIGH - About 248,000 North Carolinians are among those whose personal information was included in tapes lost by the Bank of New York Mellon, the state Attorney General's Office said today.

The company is notifying people affected by the security breach and offering them two years of credit monitoring for free.

In a news release today, state Attorney General Roy Cooper recommended that consumers accept the free credit monitoring as well as notify credit bureaus, consider placing a freeze on their credit and continue checking their credit frequently.

MI6 Terror Photos, Data Accidentally Sold On Ebay

MI6 Terror Photos, Data Accidentally Sold On Ebay - Via Slashdot:

Barence writes "In what's turning out to be a bad week for security in the UK, confidential MI6 documents, fingerprints and photos relating to suspected Al-Qaeda terrorists have been found in the memory of the second-hand Nikon Coolpix camera, which was bought on eBay for only £17. The buyer immediately went to the police, who initially treated it as a joke; when they realised he was serious, they swooped on his home and seized his camera and PC. Remember, this is the same MI6 which plans to recruit new members via Facebook, a userbase not exactly famous for its dedication to privacy, security and discretion. The news comes on the back of yesterday's embarrassment over a local council whose VPN device ended up on eBay with confidential login details left on it."


Passport Snooping Gets Fed Intelligence Analyst Up to Year in Prison

Passport Snooping Gets Fed Intelligence Analyst Up to Year in Prison - Via Threat Level:

A former State Department Bureau of Intelligence and Research analyst pleaded guilty in federal court Monday to unlawfully accessing passport records of celebrities, actors, athletes and politicians.

Lawrence Yontz, 48, of Arlington, Virginia, faces a maximum year in prison when sentenced in December, the Justice Department said. Yontz is the only person charged in a scandal that has rocked the State Department's Passport Information Electronic Records System.

The system maintains data on 127 million passports and can be accessed by more than 20,000 employees.

Fed Blotter: Citibank Worker Allegedly Plunders Customer Accounts

Fed Blotter: Citibank Worker Allegedly Plunders Customer Accounts - Via Threat Level:

Some enterprising finance workers are finding their own solution to the growing banking crisis, judging by a spate of recent federal indictments: using their access to bank computers to plunder accounts.

Missouri Citibank employee Brandon Wyatt was charged last week with identity theft for a scheme that allegedly began in January 2006, and continued until late last month. Wyatt is accused of tapping Citibank's computers for customer information, then using it to set up checking accounts online with competing banks, including Bank of America, Washington Mutual and AmTrust.

Wyatt allegedly wire transferred customer funds from Citibank to the new accounts, then cashed them out with additional transfers, checks, debit card purchases and ATM withdrawals. His take, according to federal prosecutors in St. Louis, was at least $380,000.

Has Another Major Retailer Security Breach Occurred?

Has Another Major Retailer Security Breach Occurred? - Via PogoWasRIght - Privacy News Headlines:

The Consumerist blog is reporting that they've been receiving inquiries from readers about an unnamed merchant breach that has led to replacement of Citibank cards. One customer service rep reportedly told a customer that this involved a hack and could be as big as the TJX breach.

So what is this breach and is it related to an earlier report we posted that AmEx was also replacing cards due to a breach at an unnamed merchant?

The timing of all this is interesting and I wonder if the sudden flurry of card replacements is a result of the government notifying even more businesses that they had been hacked by the ring involved in the TJX breach. I guess we'll just have to wait until more is revealed.

It really would be so much easier to report the news if the news contained actual .... um... details.


Personal Information Of 23,000 Ivy Tech Students Sent Out Over E-Mail

Personal Information Of 23,000 Ivy Tech Students Sent Out Over E-Mail - Via Indiana News Story - WRTV Indianapolis :

INDIANAPOLIS -- The personal information of about 23,000 Ivy Tech students was accidentally sent out in an e-mail to 1,400 people, according to a letter from the school.

In the letter Ivy Tech Indianapolis Vice President of Administration William Morris writes that the e-mail was sent during the last week of July.

He said an employee intended to e-mail the list -- which included the names, addresses and Social Security numbers of students who were enrolled in distance-education courses -- to a colleague. Instead, the file drop was sent to an e-mail group that included about 1,400 current and former Ivy Tech Indianapolis employees, including some current and former student employees.

Fog of attack clouds Best Western hack

Fog of attack clouds Best Western hack - Via The Register(UK):

Conflicting claims by Best Western and Glasgow's Sunday Herald over the scope of a recent security breach have been put under the microscope by security watchers. The paper claims that eight million records were potentially exposed, while the hotel insists only ten records were accessed.

Register readers familiar with Best Western systems said that the issue turns on whether the compromised PC was able to access the hotel chain's worldwide reservation system or only local data. The issue of whether archived data on guest records was accessible from the infected PC also comes into play.

Could this chip have prevented the TJX breach?

Could this chip have prevented the TJX breach? - Via The Boston Globe:

TJX Cos. is urging banks and other retailers to embrace a multibillion-dollar technology that uses a tiny computer chip to stop criminals from using stolen debit and credit cards.

In one of the first interviews by a top TJX executive following a record security breach, vice chairman Donald G. Campbell told the Globe that the US payment system should follow countries in Europe and Asia that have rolled out credit and debit cards embedded with computer chips. If the cards were in use worldwide, he said, the technology would have ruined a scheme in which thieves stole as many as 100 million account numbers from TJX since 2005, by making the numbers harder to reuse.

Amid rising losses to fraud, the remarks add to a debate among merchants, banks, and payment companies over how to improve the security of the 1 billion plastic cards held by US consumers. Many other countries already have introduced the high-tech cards that slide into special readers at the checkout counter. But the technology hasn't caught on in the United States because of the high costs, and TJX says that puts the country at a greater risk for fraud.

Survey: IT staff would steal secrets if laid off

Survey: IT staff would steal secrets if laid off - Via ITworld(Computerworld UK) :

Most IT staff would steal sensitive company information, including CEO's passwords and customer details, if they were laid off, according to a new survey from Cyber-Ark.

A staggering 88 percent of IT administrators admitted they would take corporate secrets, if they were suddenly made redundant. The target information included CEO passwords, customer database, research and development plans, financial reports, M&A plans and the company's list of privileged passwords.

The research also revealed that, of that 88 percent, a third would take the privilege password list to gain access to valuable documents such as financial reports, accounts, salaries and other privileged information.

ITRC: Breaches Blast '07 Record

ITRC: Breaches Blast ’07 Record - Via PogoWasRIght - Privacy News Headlines:

With slightly more than four months left to go for 2008, the Identity Theft Resource Center (ITRC) has sent out a press release saying that it has already compiled 449 breaches – more than its total for all of 2007.

As they note, the 449 is an underestimate of the actual number of reported breaches, due in part to ITRC’s system of reporting breaches that affect multiple businesses as one incident.

.... More important than the individual numbers, perhaps, are the details of a breach, something that is often lacking or glossed over in reports. As one example, when third party benefits administrator Administrative Systems, Inc., disclosed that its office had been burgled in December 2007, it did not reveal the total number of clients affected, nor the total number of individuals whose unencrypted data were on the stolen computer. Given that just one of the dozens of clients informed this site that it had to notify 250,000 of its customers, the numbers for that breach might be staggering.

Best Western: 1 hotel, 1 log-on, 10 customers

Best Western: 1 hotel, 1 log-on, 10 customers - Via PogoWasRIght - Privacy News Headlines:

The following is an updated statement from Best Western, via email. Thanks to ITRC for sending us a copy.

This statement is intended to provide further detail on the largely erroneous story originated by The Sunday Herald newspaper in Scotland, concerning the breach of Best Western's Central Reservations System.

We can confirm that on August 21, 2008, three separate attempts were made via a single log-on ID to access the same data from a single hotel. The hotel in question is the 107-room Best Western Hotel am Schloss Kopenick in Berlin, Germany, where a Trojan horse virus was detected by the hotel's anti-virus software. The compromised log-in ID permitted access to reservations data for that property only. The log-in ID was immediately terminated, and the computer in question has been removed from use.

We can also confirm that we have been able to narrow down the number of customers affected by this breach to ten. We are currently contacting those customers and offering assistance as needed.

Breakdown in security led to compromise of Military SSNs

Breakdown in security led to compromise of SSNs - Via PogoWasRIght - Privacy News Headlines:

Promotion selection lists containing the names and Social Security numbers of more than 50,000 active-component noncommissioned officers were compromised earlier this year and in 2005, according to officials familiar with an ongoing Army investigation.

The 2008 sergeant first class list that was compiled by a board that met in February initially was the subject of the probe. The public version of that 8,620-name list was released by Human Resources Command March 20.

Should Companies Share Criminal Blame In ID Theft?

Should Companies Share Criminal Blame In ID Theft? - Via Slashdot:

snydeq writes "Deep End's Paul Venezia criticizes the lack of criminal charges for corporate negligence in data breaches in the wake of last week's Best Western breach, which exposed the personal data of 8 million customers. 'The responsibilities attached to retaining sensitive personal identity information should include criminal charges against the company responsible for a leak, in addition to the party that receives the information,' Venezia writes. 'Until the penalties for giving away sensitive information in this manner include heavy fines and possibly even jail time for those responsible for securing that information, we'll see this problem occur again and again.'

Revealed: 8 million victims in the world's biggest cyber heist - Updated

Revealed: 8 million victims in the world's biggest cyber heist - Via The Sunday Herald (Scotland):

EXCLUSIVE(The Sunday Herald - Scotland): Sunday Herald uncovers theft of data from every guest in 1300 Best Western Hotels in past 12 months

AN INTERNATIONAL criminal gang has pulled off one of the most audacious cyber-crimes ever and stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8billion in illegal funds.

A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia.

It is a move that has been dubbed the greatest cyber-heist in world history. The attack scooped up the personal details of every single customer that has booked into one of Best Western's 1312 continental hotels since 2007.

Amounting to a complete identity-theft kit, the stolen data includes a range of private information including home addresses, telephone numbers, credit card details and place of employment.

UK gov't loses personal data on 4M people in one year

UK gov't loses personal data on 4M people in one year - Via Computerworld(Australia) :

The U.K. government has lost the personal information of up to four million citizens in one year alone.

The astonishing figures, calculated by the BBC, added up as Whitehall departments slowly released their annual reports for the year to April.

And the trend has not stopped - in the latest revelation, HM Revenue & Customs, which infamously lost the details of 25 million child benefits claimants last November on two unencrypted discs, experienced 1,993 data breaches between 1 October last year and 24 June.

FBI Apologizes to The Washington Post, New York Times

FBI Apologizes to Post, Times - Via The Washington Post :

FBI Director Robert S. Mueller III apologized to two newspaper editors yesterday for what he said was a recently uncovered breach of their reporters' phone records in the course of a national security investigation nearly four years ago.

Mueller called the top editors at The Washington Post and the New York Times to express regret that agents had not followed proper procedures when they sought telephone records under a process that allowed them to bypass grand jury review in emergency cases.

The Justice Department's inspector general, who is reviewing the bureau's procedures in such cases, uncovered lapses that allowed FBI agents in 2004 to obtain telephone records of Post staff writer Ellen Nakashima, who was based in Jakarta, Indonesia, at the time. The FBI also obtained telephone records of an Indonesian researcher in the paper's Jakarta bureau, Natasha Tampubolon.

Records of New York Times reporters Raymond Bonner and Jane Perlez, who worked in Jakarta in 2004, also were compromised, the Times confirmed yesterday.