Category Archives: Data Security

“Thousands” Of Medical Records Discovered In Recycling Bin

Anyone who peered inside the mixed paper bin at the Dupont Recycling Center this afternoon got an eyeful.

Files, in plain sight, which authorities say contained sensitive medical and identity information.

“Upon finding those, they discovered it wasn’t a small amount. It was a large amount that we had to notify Hutcheson Medical Center and one other medical facility,” says Investigator William Puckett with the Chattanooga Police Department.

via “Thousands” Of Medical Records Discovered In Recycling Bin | newschannel9, records, afternoon – Local News – WTVC NewsChannel 9: Chattanooga News, Weather, Radar, Sports, Lottery.

UC Berkeley Hit With Major Data Theft

If you’re a current or former University of California, Berkeley student, and have taken advantage of the on-campus health services at some point in the past ten years, you may want to check your credit report. The university today announced that it has discovered a massive data theft involving 160,000 current and former UC Berkeley students.

via UC Berkeley Hit With Major Data Theft – Network World.

Most claims dismissed in Hannaford data breach suit – Network World

All but one of the legal claims filed against Hannaford Bros. — the Maine-based retailer that suffered a security breach exposing some four million credit and debit cards — has been dismissed.

via Most claims dismissed in Hannaford data breach suit – Network World.

Inside a data leak audit

When the director of IT at a Boston-based, midsize pharmaceutical firm was first approached to participate in a data leakage audit, he was thrilled. He figured the audit would uncover a few weak spots in the company’s data leak defenses and he would then be able to leverage the audit results into funding for additional security resources.

But he got way more than he bargained for. The 15-day audit identified 11,000 potential leaks, and revealed gaping holes in the IT team’s security practices. 

via Inside a data leak audit.

Date of Birth – public or private?

A few things were left out of our story today, which shows the state is making millions of dollars a year selling driver information that includes dates of birth, while lawmakers are seeking to hide that same information about government workers.

We’ve started asking authors of the legislation if they have reactions to our report. But so far we haven’t been able to reach them.

Quick background:

Dates of birth are the key identifier the public can use to identify whether government workers have criminal records. This newspaper has used that information multiple times to show the hiring of people with criminal histories in schools and the juvenile justice system.

via DMN INVESTIGATES Blog | The Dallas Morning News.

IRS Awards Tax Payment Contract to RBS Worldpay

The Internal Revenue Service has awarded a contract to process tax return payments for the coming filing season to RBS Worldpay, a company that recently disclosed that a hacker break-in jeopardized financial data on 1.5 million payroll card holders and at least 1.1 million Social Security numbers.

The contract award comes a month after credit card giant Visa said RBS was no longer in compliance with the Payment Card Industry (PCI) security standards, a set of guidelines designed to protect cardholder data.

RBS spokesman Josh Passman said the company expects to be re-certified as PCI compliant “within the next few weeks.”

The contract awarded to RBS is what’s known as a “zero dollar” contract, meaning the government doesn’t award a specific dollar amount. Rather, the approved vendor takes a convenience fee for each transaction it processes. According to a copy of the contract listed at fedbizopps.gov, RBS’s base convenience fee will be 1.95 percent of the amount the taxpayer owes the federal government.

IRS spokesman Anthony Burke said RBS will not be allowed to process credit card payments for taxpayers owing money to Uncle Sam until Jan. 20, 2010. Before that date, he said, RBS will not only have to show that it is once again PCI compliant, but that it also has passed the IRS’s own payment security audit.

“All service providers must undergo system acceptability testing,” Burke said. “We have a third party who runs a series of tests on all of our providers to make sure their systems are secure before they accept credit card payments” on behalf of taxpayers, he said.

The company will join two established payment processors approved by the IRS to process tax payments on behalf of the government: Nashville-based Link2Gov Corporation and Official Payments, out of San Ramon, Calif.

RBS Worldpay, based in Atlanta, is the U.S. payment-processing division of The Royal Bank of Scotland Group, the fifth biggest banking group in the world, according to the company’s Web site.

via Security Fix – IRS Awards Tax Payment Contract to RBS Worldpay.

Unknown hackers steal details on U.S. Joint Strike Fighter project: Scientific American Blog

An unknown cyber criminal (or group of them) has broken into computer systems housing information about the U.S. Defense Department’s $300 billion Joint Strike Fighter project, the Wall Street Journal reports today, citing a number of “current and former government officials familiar with the attacks.”

It’s unclear how much damage the attacks have caused to the jet-fighter project. According to the Journal, the cyber intruders were able to download “sizable amounts of data” related to the in-flight maintenance diagnostics of the aircraft (also called the F-35 Lightning II), but weren’t able to access the most sensitive information, related to flight controls and sensors, which is stored on computers not hooked up to the Internet. The Air Force is currently testing prototypes of the aircraft, said to be the most expensive ever commissioned by the Pentagon.

The attackers allegedly accessed the Joint Strike Fighter information by exploiting vulnerabilities in the networks of two or three contractors helping to build the high-tech fighter jet, the Journal reports, citing “people who have been briefed on the matter.” Although none of the contractors have commented publicly on the computer compromise, Lockheed Martin is the lead contractor on the program, while Northrop Grumman Corp. and BAE Systems PLC are also playing important roles in its development. “Computer systems involved with the program appear to have been infiltrated at least as far back as 2007,” according to the Journal, which cites unnamed sources who state that the intruders appear to have been interested in data about the design of the plane, its performance statistics and its electronic systems. The guilty party loaded software onto the Pentagon’s computers that encrypts the data as it’s being stolen, which means investigators don’t know exactly what data has been taken.

This latest alleged cyber intrusion comes less than two weeks after the Journal reported that spies from China, Russia and other countries have hacked into the U.S. electricity grid and installed software that could cause mass outages, a story that has been criticized by some computer experts as hype perpetuated by government officials looking for more funding.

It’s unlikely that U.S. investigators will be able to ascertain the identities of those behind the attack, unless they can get the cooperation of China and any other countries that might be involved, says Dorothy Denning, a professor of defense analysis at the Naval Postgraduate School in Monterey, Calif. Of course, it’s also possible that computers in China were hacked into in order to make it look like China is to blame, she adds.

State-sponsored spies aren’t the only ones who’ve successfully hacked into U.S. government computers, though. Scottish computer hacker Gary McKinnon, 42, has for years been fighting extradition to the U.S. for allegedly breaking into networks owned by NASA, the US Army, Navy, Department of Defense, and the Air Force in 2001 and 2002, causing about $800,000 in damage and ruining 300 computers. McKinnon, who suffers from Asperger’s Syndrome and could face life in prison in the U.S. if convicted, says that he hacked into U.S. government systems that had no password or firewall protection to search for information on “UFOs, free energy and anti-gravity technology,” Sky News reports.

There’s no silver bullet for protecting sensitive information, Denning says. Encrypting data might help, she adds, but an “adversary may be able to fool the system into decrypting the data or plant malicious code on the system that captures keys.”

Government computer security is a big problem, but some agencies do better than others, according to Denning, who points to the annual FISMA report (mandated by the Federal Information Security Management Act of 2002). The 2007 report gave five federal agencies (the Social Security Administration, Justice Department, Environmental Protection Agency, Agency for International Development, and National Science Foundation) an “A+” for their security efforts, but the average score was a “C” (and the Defense Department received a “D-”).

Image of an F-35 Lightning II Joint Strike Fighter taking off from a Lockheed Martin facility in Fort Worth, Texas, © U.S. Air Force

via Unknown hackers steal details on U.S. Joint Strike Fighter project: Scientific American Blog.

StorefrontBacktalk » Blog Archive » Verizon: Retail Data Breaches Typically Discovered By Accident

via StorefrontBacktalk » Blog Archive » Verizon: Retail Data Breaches Typically Discovered By Accident.

Hackers Crack FAA

The personal information of more than 45,000 Federal Aviation Agency employees and retirees was exposed to possible identity theft. The FAA reports the hacked server was not connected to the air traffic control system or any other FAA operational system.

Just a day after President Obama ordered a comprehensive review of the government’s cyber security systems, the FAA (Federal Aviation Agency) reported Feb. 10 hackers illegally accessed an agency computer and stole employee personal identity information. The FAA said in a statement the hacked server was not connected to the operation of the air traffic control system or any other FAA operational system.

According to the FAA, two of the 48 files on the breached computer server contained personal information about more than 45,000 FAA employees and retirees who were on the FAA’s rolls as of the first week of February 2006. All affected employees will receive individual letters to notify them about the breach.

“The FAA is moving quickly to prevent any similar incidents and has identified immediate steps as well as longer-term measures to further protect personal information,” stated the FAA. “The agency is also providing a toll-free number and information on the employee website for those who believe they may be affected by the breach.”

The FAA did not state when the breach occurred. The FAA was not immediately available for further comment.

The number of reported data breaches in the United States jumped nearly 50 percent in 2008, according to the ITRC (Identity Theft Resource Center). All totaled, there were 656 breaches reported last year, up from 446 in 2007. The breaches led to nearly 35.7 million records being exposed. 

According to the ITRC, only 2.4 percent of all the data breaches had the information secured by encryption or other strong protection methods. Just 8.5 percent had the exposed data protected by passwords.

“Our sense is that two things are happening – the criminal population is stealing more data from companies and that we are hearing more about the breaches,” the ITRC said in a statement. “ITRC has been tracking breaches since 2001. One thing we absolutely can say is that [data breaches are] not a new problem.”

“The national security and economic health of the United States depend on the security, stability and integrity of our nation’s cyberspace, both in the public and private sectors,” John Brennan, assistant to the president for Counterterrorism and Homeland Security, said in a White House statement. “The President is confident that we can protect our nation’s critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties.”

via Hackers Crack FAA.

ATM heists linked to RBS WorldPay data breach

A data breach at US electronic transaction firm RBS WorldPay has been linked to a gang that used debit cards to steal millions of dollars from ATMs.

The FBI has released images of thieves believed to be part of a gang that took money from ATMs in 49 cities around the world using cloned debit cards in late November.

The thefts stemmed from a data breach at RBS WorldPay in which hackers stole the personal data of 1.5 million card holders, in early November, according to the Washington Post.

The thefts, which come within weeks of a data breach disclosure by Heartland Payment Systems, highlight the vulnerability of data processed by these firms.

Heartland, which is being sued for failing to protect customers from identity fraud, has announced a dedicated department to encrypt data on all its systems.


Despite Heartland being compliant with the Payment Card Industry Data Security Standard (PCI DSS), cybercriminals were able to gain access to its systems.

The PCI DSS does not currently require that credit card data be encrypted on internal networks; Heartland says it will now implement such encryption anyway.

Robert Carr, chief executive of Heartland, has defended the PCI DSS as a good standard, but said increasingly sophisticated attacks demand end-to-end encryption.

Encryption of data in motion between internal systems is the next logical step according to Carr, but he said constant monitoring will always be required.

Carr has called for greater information sharing in the payments industry to prevent cybercriminals from re-using techniques in multiple attacks.

via ATM heists linked to RBS WorldPay data breach | 6 Feb 2009 | ComputerWeekly.com.