Archive for April, 2010

Data Breach Protection Law (HB 583) passed by Mississippi

April 16th, 2010
[Image: Map of Mississippi, via Wikipedia]

Residents of the US state of Mississippi must be a happier, more secure and better protected bunch now.

On the other side of the spectrum, there is increasing pressure on organizations, small businesses and other agencies to adopt secure methods of data protection.

The state of Mississippi has become the 46th in the US to pass a law that requires organizations and government-owned agencies to inform the general public without delay whenever there is a data loss incident or a compromise of information. Primarily, this data loss refers to the loss of personal information, whether it occurs naturally or is caused by malicious attackers. This data includes social security numbers, driver’s license or state identification numbers, and any credit or debit card account information.

HB 583 defines a breach of information security as the loss of personal information that has not been secured by encryption.

The Purpose of the law?

To reduce the time taken by the responsible companies to inform the victims of data breach incidents. Previously there have been many incidents where reports of data leakage emerged more than 2 years after the incident had first happened. It seems that the government wants to cut down this time and ensure that organizations treat these cases with a high level of seriousness.

The legislation was signed by Governor Haley Barbour on April 1 and it goes into effect from the 1st of July.

Additionally, the organizations are responsible for informing the appropriate law enforcement agencies and for conducting their own in-house investigations to determine the nature of the incident.

Once again, it is a commendable job by the state legislators to fight cybercrime and hold individual companies and organizations to a higher level of responsibility for protecting consumer data.

To read the full version of the House Bill as sent to the governor, click here

Is your organization unprotected? Talk to Alertsec

We at Alertsec offer you convenient and cost-effective computer security software for Windows 2000, XP, Vista and 7. Alertsec Xpress provides computer security software from Check Point as a fully customizable and pre-packaged data encryption software solution.


Finance Giant DA Davidson Reprimanded for Data Breach

April 14th, 2010
[Image: Data Loss, Inc., by RobotMachine via Flickr]

In a nutshell, this can be termed a surprising incident and an attack for which the official authorities were totally unprepared. The financial giant DA Davidson has been fined $375,000 by US authorities for a series of failures that allowed criminal hackers from Latvia to steal vital customer information and threaten the company with dire consequences. As in other such hacking incidents, it is believed that confidential information of nearly 200,000 customers was stolen.

The leaked information includes customer account numbers, social security numbers, names, addresses, dates of birth etc. It is believed that the consulting company’s database was compromised in December 2007, some 3 years ago, by unknown hackers using a simple SQL injection attack.

The company, D.A. Davidson, is a brokerage firm and regional investment bank based in Great Falls, Montana. They also have a presence in Oregon, with over eight offices in that state and a 105-employee investment banking operation.

A spokesman for the company said that the intruders used a sophisticated technique that law enforcement officials had seldom seen before.

It was only when the hackers sent a threatening email the following month that the company realized it had been hacked, although the attacks could easily have been identified from the web-server logs. The hackers were, of course, demanding a large amount of money.

After learning about the attack, the organization notified the appropriate law enforcement authorities and also provided an update to its customers. In coordination with the Secret Service, it was identified that 4 members of an attack group were responsible for the hacking attack. Three of them were brought over from Eastern Europe to face charges in a US federal court.

Although FINRA (the Financial Industry Regulatory Authority) appreciated DA Davidson’s efforts after the attack was discovered, it also blasted the company for its lacklustre attitude before that. A high-profile consulting team had advised D.A. Davidson to upgrade its computer systems; in fact, the customer database was not even encrypted, and DA Davidson had left the database password at its default of blank.

According to James Shorris, executive director of enforcement at FINRA: “Broker-dealers must be especially vigilant about protecting its customers’ confidential information, which includes ensuring that its technology is sufficient. In this case, the firm placed its database containing confidential customer information on a server that was perpetually exposed to the Internet, but failed to implement basic safeguards to protect that data – even though the firm had been advised before this incident to implement an intrusion detection system.”

Try Alertsec’s Encryption Software in 3 Easy Steps

Our encryption software protects your computer in just a few minutes!

  1. Register your subscription or 30-day free trial.
  2. Download and activate Alertsec Xpress.
  3. Your computer is now fully protected.

Lawsuit filed against Countrywide

April 11th, 2010
[Image: Former Countrywide logo, via Wikipedia]

There is a serious threat to customers’ data in organizations worldwide. This is the data that contains their names, ages, social security numbers etc. As IT systems become an inherent part of organizations’ assets, we are also witnessing an increase in reported data loss incidents. The impact of this data loss is huge, with serious financial implications.

The latest casualties are customers of Countrywide Financial. The disturbed customers of Countrywide Financial have filed a class-action lawsuit over the 2008 data breach that enabled company insiders to steal and sell their personal information. According to a Courthouse News Service report, the class-action lawsuit on behalf of 16 plaintiffs seeks $20 million in damages, plus punitive damages.

The data theft, originally attributed to a single employee working over a two-year period, has now exposed tens of thousands of customer records. The lawsuit alleges that Countrywide Financial employees stole and sold “tens of thousands, or millions” of customers’ personal financial information.

While going through one of the news stories, we discovered the letter that was sent to the customers. Here is a copy of the letter:

According to the lawsuit, the defendants were slow to admit the massive breaches of confidentiality, and offered little or no support. The complaint stated, “Countrywide delayed several months before informing their customers.” “Finally, Countrywide informed only certain of their customers by letter and offered in settlement to refer the customers/borrowers to counseling, when it was Countrywide that needed to review and repair its internal procedures.”

Have a comment? Share your thoughts by commenting on this blog post.

Stay Secure, Protect Your Data – Get Alertsec Now

Alertsec Xpress offers computer security software from Check Point as a fully customizable and pre-packaged data encryption software solution.


The Hard Disk Ghost Strikes Again

April 8th, 2010
[Image: Samsung HD753LJ hard disk drive (750 GB storag..., via Wikipedia]

It seems the evil spirit is back :) and again it is the confidential data at risk!

Like all premier hospitals, the Michigan-based Providence Hospital is responsible for ensuring the security of its patients’ confidential data. However, in a recent incident, it has issued letters to patients stating that a hard drive containing their data was stolen from an official suite. Unacceptable, to say the least!

A sequence of unanswered questions:

  1. While the incident happened in February, it was only reported to the police at the beginning of April. It is generally believed that the hospital authorities tried to locate the hard disk themselves before escalating the matter. In fact, even the hospital authorities were not themselves clear about the incident for a period of 4-5 days.
  2. It is not clear how the drive was stolen from a secure environment in the hospital.
  3. Although the hospital has stated some numbers about the type of data lost, it is still not clear whether the data has been misused or compromised so far.

Apparently, the hard drive included patient information, including name, medical record number and/or clinical information. In addition, it also included proprietary business information and addresses and phone numbers of some employees.

In a statement, the hospital said, “The hospital has taken aggressive steps to keep this from happening in the future, including reviewing policies and procedures for external drives and other portable electronic devices, and re-education and training of staff on necessary safeguards.” “Other actions included imposing appropriate disciplinary action. Providence and Providence Park Hospitals require Corporate Responsibility and Privacy training of all associates annually as a requirement of their job.”

View the news video of Providence Hospital Security Breach

About Alertsec

Businesses need to accept encryption as a key part of their data protection strategy. Do your company a favor and explore the benefits Alertsec Xpress can offer you.


Stolen Laptops Reveal Private Details of 5,450 People

April 7th, 2010

While April 1st may be over, thieves are still making fools of companies left and right. The most recent victim is John Muir Health, a US hospital system, which has lost two laptops, compromising the personal health information of 5,450 patients. According to reports, the theft of the laptops occurred in early February; however, the organization is only notifying the affected parties now. The missing laptops weren’t protected by any type of encryption, making their contents relatively easy prey for savvy computer thieves. John Muir Health is rushing to do damage control: upgrading its security to include encryption on all computers and offering free identity theft protection services to patients whose private information may have been compromised.

We’ve seen this scenario over and over again. Companies are rarely prepared for any type of security breach and are thrown into a state of panic when one occurs. Don’t let your business fall into the trap. Learn from John Muir Health’s mistakes and improve data security at your company.

What Could Have Been Different?

Looking back, the folks at John Muir Health are probably wishing they had done things a little differently. There are two main lessons for the company here: the first concerns the importance of enforcing proper workplace security practices, and the second showcases the value of encryption technology. Though the organization declined to explain how the laptops containing private medical records went missing, it’s quite likely that employee negligence played a role. Employees are usually the weakest links in a company and pose the biggest threat to a business’ security. Ideally, computers with private customer details or proprietary information would never leave the office or be accessible to outsiders.

Realistically, it’s extremely challenging to enforce such stringent measures; additionally, doing so may be impractical, particularly for companies with “work-at-home” employees. It becomes a company’s responsibility to make sure that technology, especially computers which are taken out of the office or left alone in unmonitored areas, is properly protected from intruders. Encryption is the best defense a business can use to ensure that private information remains inaccessible to outsiders. It’s a cost-effective technology which can help prevent serious damage in the future.

Had John Muir Health learned these two lessons before the laptops were stolen, the data breach could have been avoided entirely. Even if an employee had made a mistake and allowed the laptops to be taken, the medical information of 5,450 people would have remained safe.

Consequences

As with most data breaches, John Muir Health had to face a number of consequences. On top of having to inform the patients affected by the theft and facing damage to its reputation, the company had to incur the expense of identity theft protection. Additionally, new laws could mean serious fines for the company; according to the San Francisco Chronicle:

The 2009 federal stimulus package, which went into effect this year, requires medical security breaches affecting more than 500 people to be reported to the U.S. Health and Human Services Department and to the local media. The new law establishes a wide range of fines – from as little as $100 per incident up to $1.5 million in extreme cases.

Businesses need to accept encryption as a key part of their data protection strategy. Do your company a favor and explore the benefits Alertsec Xpress can offer you.

Further Reading
John Muir Laptop Thefts Affect 5,450 [Health Data Management]
Laptops with medical data stolen [San Francisco Chronicle]