Midlothian Council pays hefty fine for data breach

ICO is leaving no stone un-turned to punish data breach culprits. It is levying fines to those who compromised private data, especially children’s sensitive data.

Recently the council fined the Midlothian Council a record fine of £140,000 for disclosing sensitive child data. And we are not talking here about just one breach. There were 5 breaches between Jan and June 2011.

The case in detail

Breach 1 – This happened when documents related to the status of a foster carer were sent to seven healthcare professionals, who had no reason to see this data.

This particular incident took place in January 2011 and details came to light only in March when the council started to investigate. In spite of the investigation similar incidents took place in May and June.

Breach 2 – Minutes of a child protection conference were sent by mistake to the former address of the mother’s partner, where they were opened and read by an unauthorized individual. The documents contained personal data about the mother, who made a complaint to her social worker about this case.

Assistant Commissioner for Scotland Ken Macdonald said “the serious upset that these breaches would have caused to the children’s families is obvious and it is extremely concerning that this happened five times in as many months.’

“I hope this penalty acts as a reminder to all organizations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure.”

He further added that information about children’s care, details about their health and wellbeing, is the most sensitive information that is held by local authorities. It goes without saying that this information has to be protected and that strict policies are to be chalked out and followed.

The ICO’s investigation

According to the ICO all five breaches could have been avoided if the council had been strict about protection policies, training and had put checks in place. It has further ordered the council to take action to keep the personal data secure.

Since the incidents the council has recovered all of the information that was sent to the wrong recipients and is updating its security policies.

What the the ICO chiefly wants is that the government should give itstronger powers to audit local councils’ data protection compliance, if necessary without consent.

NHS bodies across the UK want the same kind of powers in light of the recent data protection breaches.

Midlothian Council comments:

Colin Anderson, chief social work officer for Midlothian Council, commented: “As soon as the council discovered the problem, it investigated and found eight letters or documents had been sent to the wrong recipients, for which the council is sincerely sorry.

“The council immediately took steps to retrieve the information, or have it destroyed, and voluntarily reported ourselves to the information commissioner. I must emphasise that there is no evidence that anyone was put at risk.

Cyber-security with Alertsec

Alertsec Xpress is a very easy and convenient service which enables securing valuable information on laptops.

Alertsec Xpress is powered by Check Point, the market leader in the field of mobile data protection. The software was launched 16 years ago and is the most robust software on the market today.

Alertsec Xpress provides:

• Fully managed service for your convenience.
• Very cost effective service.
• Market leading laptop protection service.
• Quick and easy implementation.
• Easy to use protection.
• Transparent solution.
• Global 24/7 helpdesk.
• 100% secure and reliable encryption

Stratfor relaunches site post hack attack

Stratfor is officially back but its servers are heavily burdened due to its offer of free access. Stratfor CEO criticized the attackers for targeting the company, an email said. Stratfor aka Strategic Forecasting is back online after it was hacked into last month.

The new site

Stratfor relaunched  the new site on Jan. 11 exactly 18 days after the hacking group Anonymous hacked into its servers on Dec. 24. The hackers hacked Stratfor’s servers and took away data related to its subscribers and also defaced the site. The information that was dumped online included 75,000 credit card numbers and 860,000 usernames and passwords. Almost 50,000 of the addresses had a .mil or .gov domain. According to a Stratfor spokesperson there was going to be a delay with the site re-launch. The company planned to bring in a team of consultants and experts to tackle the security issues. The company further decided to move all credit card management activities to a third-party company so that customer data remained secure.

According to George Friedman, CEO of Stratfor “This was our failure,”. “I take responsibility. I deeply regret that this occurred and created hardship for our customers and friends.” “I felt bound to protect our customers, who quickly had to be informed about the compromise of their privacy. I also felt bound to protect the investigation,” Friedman said. The FBI had informed credit card companies of the breach and had provided a list of compromised cards, so “our customers were therefore protected,” he said, adding, “We were not compelled to undermine the investigation.” “This attack was clearly designed to silence us by destroying our records and the website,”.

What went wrong?

Apparently Stratfor had failed to encrypt credit card data and had stored the information in cleartext. After the passwords were analyzed, it was seen that security practices were not followed.There was no check on passwords when they were created by users.

Friedman further added “We were no longer an organization that analyzed the world for the interested public, but rather a group of incompetents, and conversely, the hub of a global conspiracy,”. According to him the media had publicized “incompetents” part while the hacking community focused on the “global conspiracy” part.

Relaunch offer

It appears that NHS staff has been breaching the Data Protection Act (DPA) by posting private patient data and photographs on Facebook. Data breaches took place across the country between July 2008 and July 2011. Civil liberties group Big Brother Watch submitted Freedom Of Information requests which showed that there were 806 separate data breaches at 152 NHS trusts during the above mentioned period. The report states that more than 20 incidents of patient information was posted on social networking sites and 91 cases where NHS staff was caught viewing details of colleagues.

Consequence of the data breach

Around 100 staff members were dismissed due to breach of Data Protection policy.

What does the Director of Big Brother Watch have to say?

‘This research highlights how the NHS is simply not doing enough to ensure confidential patient information is protected.’

The above shows that data breaches in the NHS are proving to be a ‘major problem’. ”The information held in medical records is of huge personal significance and for details to be disclosed, maliciously accessed or lost represents serious infringements on patient privacy.”

He further added: “It is essential the NHS is transparent about these incidents and failing or refusing to disclose that a data breach has taken place is unacceptable.”

Big Brother Watch feels that the NHS does not have a robust data security policy in place to ensure patients’ privacy is protected. It is of the opinion that such cases are going to keep increasing as more and more NHS staff members are going to get access to the new computer database having patient information. This new database called ‘The Summary Care Record’ will provide GPs, hospital doctors and paramedics immediate data about patients, such as allergies or medications.

NHS guilty of data breaches. Patient data compromised

Incident at the Nottingham University Hospital NHS Trust

A member of medical staff took a photograph of a patient in bed and showed it to friends on the social networking site. Needless to say, the member was dismissed.

What is being said about tightening of data security?

Information Commissioner’s Office said: “We continue to work with organizations from across the NHS to improve the security of patients’ information and will consider taking action where it is clear that an organization has failed to meet its legal obligations.”

Health Minister Simon Burns added: “We have issued clear standards and guidance to the NHS about what needs to be done to keep patient records secure and confidential. Individual NHS organizations are responsible for ensuring their staff understand and follow that guidance.”

Hospitals can secure themselves with Alertsec

Organisations and hospitals, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Alertsec Xpress’s Check Point Full Disk Encryption is used by over 4 million users worldwide.

State of Massachusetts has seen the maximum number of data breaches in the past twenty months. Personal information of about two million Massachusetts residents i.e. one in every three people who are residents of Massachusetts, has been breached through electronic data breaches.

According to the 2007 state laws all companies doing business in Massachusetts must inform consumers and state regulators about security breaches that might result in identity theft. The list includes leaks of individual names along with sensitive data like Social Security numbers, bank account, credit card and debit card numbers. The law came into being in 2007 as a result of a 45 million hack of credit card numbers from Framingham-based retailer TJX Cos.

Martha Coakley, Attorney General, said that nearly 1,200 data breaches have been reported. Quarter of these were the result of intentional hacking.

The largest breach in the time period was the hacking of information of about 800,000 people that was lost by a vendor hired to destroy it. In addition, information on 210,000 residents entrusted to a state agency was put at risk.

These data breaches contained information from names and addresses to medical histories.

What MA residents had to say?

Daniel Paul, a courier, gets the jitters when he thinks about it. He made online purchases with his credit card but started getting charged for things he didn’t buy: his credit card had been hacked. It was a nightmare to get things back on track.

Here is what he had to say ”Just going through getting everything changed back, changed over, getting charges off your account, your credit– it was awful,” said Paul.  ”I hope I never have to go through it again.”

Mike Paquette, Chief Strategy Officer for Corero Network Security in Hudson, MA said ”In today’s internet world there are so many opportunities where information can be disclosed, as an individual, unfortunately there is very little that you can do,”said.

Consumers do have the option of suing, but it really doesn’t get them anywhere as it is very difficult to prove data theft.

Consumers must carefully keep a track of their online transactions. It is always advisable to deal with well-known companies and do your homework about the company’s info.

Data security with Alertsec

Alertsec is here to take care of our security issues especially for anyone working with PCs. Alertsec Xpress is the service that automatically protects ALL information you store on your PC. The fact that we now buy more laptops than desktops shows that the information we all store is increasingly more vulnerable to be exposed. It is a much higher risk to lose a laptop than a desktop computer.

Encryption is the only secure method for complete protection of data stored on your hard disk. Today laptops are overtaking desktop PCs as the major source of computing and media storage, laptops frequently store an organization’s most valuable information. Thus laptop encryption is becoming more and more important.

Alertsec Xpress offers full disk encryption and is therefore superior to other encryption methods when comparing security, performance, robustness and ease-of-use for both administrators and users.

.

A serious data breach

There was a recent case of a USB drive found unattended in a pub in South London. The drive contained carried data of around 26,000 social housing tenants and bank details of some 800 tenants

Breach details

Apparently, the USB drive owner worked for housing associations Lewisham Homes and Wandle Housing Association. The data belonged to the tenants of these housing associations. The USB drive was seen lying in the All Inn One pub. The authorities were immediately notified; fortunately, the data was not compromised.

According to Sally-Anne Poole, acting head of Enforcement at the ICO “Saving personal information on to an unencrypted memory stick is as risky as taking hard copy papers out of the office. Luckily, there is no suggestion that the data was misused. But this incident could so easily have been avoided if the information had been properly protected.”

The Lewisham Homes and Wandle Housing Association had breached the 1998 Data Protection Act by not encrypting the information of 26,000 people.

Action taken by the ICO

The ICO gave the housing bodies a stern warning and made them aware that they had clearly breached the Data Protection Act. Had the stick gotten into the hands of a hacker, all hell would have broken loose.

Reactions by security experts

According to Edy Almer, VP of product management at Safend: “It is good to see that data stored on the USB was most likely not compromised and that the immediate response from the breached party was to make things right. It is important to note it was a third party contractor that lost the data and not trained internal staff, thus highlighting the need to selectively block or encrypt all devices connecting to your network in order to protect sensitive data.”

Mark Fullbrook, UK and Ireland director at Cyber-Ark’ reacted: “This is yet another example of the poor data protection policies operating within organisations today. Using a memory stick to transport sensitive information may be convenient, but it’s certainly not secure and whilst in this case the memory stick was returned to its rightful owners, should it have fallen into the wrong hands the repercussions could have been severe”

Action taken by the housing associations

Lewisham Homes has revised its data security procedure and the contractor/owner of the stick has been dismissed.

What can be done to protect data?

Using encrypted software is the need of the hour. Be it an organization or an individual, if you are carrying data, it has to be protected, no matter how what it is.

Use Alertsec

Organisations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption

Battle between Sony and Insurer Zurich American Insurance Co. over Playstation hacks

After reading this piece of news you might wish you were not a PlayStation Network (PSN) user!

Sony’s mainstay insurance provider, Zurich American Insurance Co., is refusing to accept liability for damages and compensation regarding the recent hacks where 77 million PSN customer accounts were compromised.

The insurance provider has filed legal papers covering a total of 55 pending class-action lawsuits that customers have lodged against Sony.

The firm has brushed off its responsibility of covering data breach monetary damages as well as any other miscellaneous claims made by Sony.

History

Sony’s PlayStation Network and Qriocity networks were compromised in the month of April. According to their statement “An external intrusion on our system has affected our PlayStation Network and Qriocity services. In order to conduct a thorough investigation and to verify the smooth and secure operation of our network services going forward, we turned off PlayStation Network & Qriocity services,”

On Tue April 26 Sony confirmed that personal data of millions of customers had been compromised.

On Wed April 27 a class-action lawsuit was filed in the U.S. accusing Sony of failing to protect, encrypt and secure the private and sensitive data of its users.

Present

Nevertheless, Sony has gone ahead and filed insurance claims as it feels it is a fair coverage under previously agreed upon terms.

According to Sony the financial loss from the breaches is more than $178 million this year.  The Japan based firm wants the insurer to cover costs related to the 55 class-action lawsuits under a general liability insurance policy written by Zurich.

Customer reactions and cyber risks

Customers are furious about their loss of privacy and waiting for settlements. It is time to redefine cyber security and the legalities there in. Companies are under the impression that general liability insurance covers everything. According to Ty Sagalow, an insurance consultant and founder of Innovation Insurance Group, “There are probably still some risk managers out there that think that their comprehensive general liability policy cover breaches,” says Sagalow, who was one of the main experts in charge of first drafting cyberinsurance policies for Zurich when he worked for the company prior to starting his own consulting shop. “These types of cyberevents are not covered in the typical standard forms of insurance.”

Cyber insurance

Cyber insurance  is the insurance which covers loss occurred over the internet . The phenomenon is a recent one and yet to stabilize. Hence organizations like Sony must take into account adding additional coverage that can hold up to court scrutiny when things go haywire.

How can Alertsec help in cases of data breach?

Alertsec Xpress is the security service that protects data stored on your PC. As laptops are used in place of desktops, chances of data getting hacked are more. Unless your laptop is encrypted, you are running a big risk of your data getting compromised.

Encryption software helps enhance the laptop security. Alertsec uses industry leading Check Point Full Disk Encryption (former Pointsec) software that simplifies data protection.

Laptop stolen from car containing patient data

Laptop theft

The  most prevailing fear among most  computer users is that of Laptop theft. No matter how much care you take, thieves manage to get away with such thefts.

Corporate America looses over USD 5.4 billion each year in cases of laptop theft. That means 12,000 laptops disappear every week from U.S. airports alone, and a laptop is stolen every 53 seconds. As employees get more and more mobile, this problem becomes more serious.  If you add to this healthcare privacy laws, then asset security can impact your business significantly.

The recent news of laptop being stolen from an employee’s car in Goodlettsville, Tenn. got security experts thinking if enough was being done in the field of data security.

The report

According to the report, PhyData LLC, a medical billing and management company  reported a laptop stolen from an employee’s car on May 7 at the RiverGate Mall. The laptop contained more than 1,500 patient names and their personal information including names, Social Security numbers, dates of birth and medical ID numbers.

These people were patients with Advanced Diagnostic Imaging , Premier Radiology and Anesthesia Services Associates between Jan. 2009 and Dec. 2010

PhyData spokeswoman Joy Sweeney said in a statement that no evidence was found that any of the information had been accessed or misused. She further stated that the company had set up a toll-free help line with Kroll Inc., and is offering identity-theft protection services to affected patients. The company’s laptops are also now all encrypted and password protected

What Tennessean’s had to say

“Stolen from the trunk. That alone sounds strange when detailing where the thief stole it and wasn’t drawing any attention, from busting in the trunk. When the true story comes forward we will see the employee left it inattentive”

“Taken from the trunk? Was there signage on the auto? Why would someone open a trunk with so many other cars around and possible property in view? This IS NOT the whole story on this one”

“There is no conspiracy.  Usually, when the trunk gets busted it’s because the driver parked and then placed valuable items in the trunk, thinking that it’d be safer.  Someone in the parking lot — possibly thieves looking to catch people placing stuff in their trunks — watches the driver from the moment he enters the garage and, once they’re sure the driver won’t be back, go to work.  After all, if an item weren’t valuable, why would anyone go through the effort of putting it in the trunk.”

What AlertSec has to say?

Alertsec is the frontrunner in offering hard disk encryption as a fully managed service. We provide information security in a cost-effective & easy way

By using encryption software, you greatly enhance the laptop security as there is no way that the information is compromised if lost or stolen. A theft would simply be reduced to an insurance matter and cost of the hardware plus time to rebuild the laptop. A small price to pay compared to what can happen if you lose confidential or sensitive data. Our industry news provides a few examples of this.

Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal  30 day trial.

Cybercrime

Wikipedia defines cybercrime as “any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. A computer can be a source of evidence. Even though the computer is not directly used for criminal purposes, it is an excellent device for record keeping, particularly given the power to encrypt the data. If this evidence can be obtained and decrypted, it can be of great value to criminal investigators”.

The AT&T iPad hacking case

More than 100,000 Apple iPad users were a victim of data breach after the hackers accessed AT&T’s servers. Last June, Daniel Spitler of San Francisco, Calif., and Andrew Auernheimer of Fayetteville, Ark. broke into a computer without user authorization. They tried to obtain email addresses from the SIM card addresses of at least 114,000 iPad 3G users. Initially the attack appeared to be a sophisticated hack, the actual exploit used an automated script to submit HTTP requests for thousands of possible serial numbers and collect AT&T’s responses.

Post-breach, AT&T issued a statement. “This issue was escalated to the highest levels of the company and was corrected by Tuesday. We are continuing to investigate and will inform all customers whose e-mail addresses… may have been obtained,”.

How Daniel pilfered AT&T’s servers?

Daniel Spitler wrote a script called the “iPad 3G Account Slurper” and used it to access AT&T servers thereby getting info on e-mail addresses and associated unique iPad numbers. Spitler got in touch with co-defendant Andrew Auernheimer over Internet Relay Chat and they both hatched the plan of taking advantage of the Web site hole and the data from 100,000 accounts that was exposed.

Update on the case

Daniel Spitler has pleaded guilty to breaking into AT&T’s systems and obtaining the email addresses of iPad users. He is allegedly member of the Goatse Security hacking group. Spitler faces up to 10 years in prison and, $500,000 in fines on one count of conspiracy to gain unauthorized access to computers and on one count of identity theft. He is scheduled to be sentenced September 28 in Newark federal court.

Andrew Auernheimer was arrested January 18 in Fayetteville, Ark., while appearing in state court. Charges against him are still pending. He had pleaded not-guilty saying that he and his Goatse Security hacking group were planning to warn AT&T about the hole and notifying iPad 3G customers about the exposure of their data. But the chat logs were evidence enough to point out that they had not contacted AT&T.

“The magnitude of this crime affected everyone from high ranking members of the White House staff to the average American citizen,” said Michael B. Ward, special agent in charge of the FBI’s Newark Division. “It’s important to note that it wasn’t just the hacking itself that was criminal, but what could potentially occur utilizing the pilfered information.”

How Alertsec can protect our computers?

Alertsec provides protection for all information stored on laptops and PCs in an easy, convenient, and cost-effective way. It uses Check Point Full Disk Encryption (former Pointsec) software, and has created a web based encryption service that radically simplifies deployment and management of PC encryption.

Alertsec Xpress is the service that automatically protects ALL information you store on your PC

Alertsec Xpress provides:

• Fully managed service for your convenience.
• Very cost effective service.
• Market leading laptop protection service.
• Quick and easy implementation.
• Easy to use protection.
• Transparent solution.
• Global 24/7 helpdesk.
• 100% secure and reliable encryption.
• Powered by Check Point – the market leader

Data Encryption

As the technology is upgrading day by day, people are getting more involved to their work and they have very little time for the things which seem negligible at the starting but can be very dangerous in future. In today’s world 99% people are more interested in sending and receiving data through internet and mobile data storage devices. But among those 995 people 90% people do not encrypt their data though they know that the data contains personal information and the chances of data lose or hacking is very high.

Sending data through internet has high chances of getting hacked. Because the number of hackers are increasing in a rapid rate day by day and those hackers are so efficient in their job that they can easily hack the unencrypted data from the internet. And if those hacked data contains any sort of personal information then they can misuse those data, even they can make some criminal offenses by using those data and without doing anything wrong you will become a criminal. At the time of sending data through internet lot of people can easily access your data if your data is not encrypted.

Another importance of data encryption is that is helps to protect your computer from viruses. Though you may think that your computer/ laptop is protected enough because of the anti-virus and router you are using, but remember keeping your data safe from the hackers is not that easy. And if your computer becomes virus affected, then any other computer presents in your office or home can be easily affected by the virus.

Now internet is available in the hostels, cyber cafe, hotels and those connections have no protection. So the data can easily be hacked of accessed by some other person.

And data encryption also helps to protect the data of different mobile data storage devices. As the data storage devices sometimes contain personal or sensible data, so the loss of any storage device can be very harmful for us. Because any one can misuse those data. But we will keep our data encrypted then we will be sure that no one can misuse those data.

These are the main reason behind the data encryption. Data encryption not only keeps our data safe but also helps us to be tension free.

About Alertsec:-

Alertsec Xpress is the No.1 encryption service provider for hundreds of banks and financial institutions worldwide. They are providing 24*7 customer service system. By offering computer protection software, encryption with lowest TCO (Total Cost of Operation), Checkpoint and Pointec they are assuring to make data secure. For more details about Alertsec log on to: http://www.alertsec.com

Encryption

File encryption or Full disk encryption?? That is the most important question for most of the organizations now a day. Because some of the organizations encrypted their important files but still failed to prevent data lose, and file encryption does not allow encryption on in and out moving data. So the organizations are not finding any profit in adopting data encryption. Full disk encryption is the only solution of their anxiety.

Now the organizations are not sure whether they will apply the full disk encryption on each and every system of their organization or just on those systems which contain sensitive data. According to PCI and ICO the answer is an organization should apply the full disk encryption to all the system. Because only a few stuffs of the organization can access the sensitive data but still there is a chance that due to some emergency an ordinary stuff can also get access to sensitive data. So, be ready before the mistake has been done.

Full disk encryption not only save your sensitive data but also assures you the protection of each and every single data of your organization. But some people do not want to apply encryption because of some drawbacks and those drawbacks can cause data loss or computer malfunction, because the following things can happen due to encryption:-

1. Password forgotten.
2. Problem in the hardware.
3. Data corruption due to the encryption of data.
4. Normally people like to make some common as well as weak password just because they can remember it. Those passwords are known as weak keys password.
5. Sometimes we write down our passwords because we do not have the confidence that we can remember them.
6. Data corrupted by the encryption process.
7. The encryption algorithm can be cracked sometimes.

But we have to keep in mind before applying full disk encryption that encryption does not enhance or reduce risks, it just provides protection to your data from data loss.  So it depends on us that how we are applying the full disk encryption process to our system. Before the implementation of full disk encryption we have to be very careful about the following factors:-

1. The encryption process is approved by the Advanced Encryption Standard (AES) or not.
2. Due to presence of scratch pad the modern day’s computers cannot protect the hard disk and full memory. And the dangerous thing is that through these scratch pads the hackers can easily access your data.

Another problem with encryption is that there is a chance of potential data loss, but in case of full disk encryption as full disk encryption works in the hardware level not on the software level, so the chances of interaction between the encryption and other applications automatically reduces and as a result of it the probability of data loss also reduces.

So, if your system has sensitive data and you do not want to lose those data, and then apply full disk encryption to your system because it does not drop the speed of your system but it makes your system fully protected.

About ALERTSEC:-

Alertsec Xpress is the No.1 encryption service provider for hundreds of banks and financial institutions worldwide. They are providing 24*7 customer service system. By offering computer protection software, encryption with lowest TCO (Total Cost of Operation), Checkpoint and Pointec they are assuring to make data secure. For more details about Alertsec log on to: http://www.alertsec.com