Archive for the ‘Lawsuits and settlements’ category

Finance Giant DA Davidson Reprimanded for Data Breach

April 14th, 2010

In a nutshell, this was a surprising incident and an attack for which the firm was totally unprepared. The financial giant DA Davidson has been fined $375,000 by US authorities for a series of failures that allowed criminal hackers from Latvia to steal vital customer information and then threaten the firm with dire consequences. As in other hacking incidents of this kind, it is believed that confidential information on nearly 200,000 customers was stolen.

The leaked information includes customer account numbers, social security numbers, names, addresses and dates of birth. It is believed that the firm's database was compromised 3 years back, in December 2007, by unknown hackers using a simple SQL injection attack.

D.A. Davidson is a brokerage firm and regional investment bank based in Great Falls, Montana. It also has a presence in Oregon, with over eight offices in that state and a 105-employee investment banking operation.

A spokesman for the company said that the intruders used a sophisticated technique that law enforcement officials had seldom seen before.

The company only realized it had been hacked when the hackers sent a threatening email the following month, although it could have identified the attacks from its web-server logs. The hackers, of course, were demanding a large amount of money.

After learning of the attack, the firm notified law enforcement and also informed its customers. Working with the Secret Service, investigators identified four people responsible for the attack. Three of them were brought from Eastern Europe to face charges in US federal court.

Although FINRA (the Financial Industry Regulatory Authority) appreciated DA Davidson's efforts after the attack was discovered, it also criticized the firm for its lacklustre attitude before that. A high-profile consulting team had advised D.A. Davidson to upgrade its computer systems; in fact, the customer database was not even encrypted, and DA Davidson had left the database password at its default blank value.

According to James Shorris, executive director, enforcement, Finra: “Broker-dealers must be especially vigilant about protecting its customers’ confidential information, which includes ensuring that its technology is sufficient. In this case, the firm placed its database containing confidential customer information on a server that was perpetually exposed to the Internet, but failed to implement basic safeguards to protect that data – even though the firm had been advised before this incident to implement an intrusion detection system.”

Try Alertsec’s Encryption Software in 3 Easy Steps

Our encryption software protects your computer in just a few minutes!

  1. Register your subscription or 30-day free trial.
  2. Download and activate Alertsec Xpress.
  3. Your computer is now fully protected.

Lawsuit filed against Countrywide

April 11th, 2010

Customer data in organizations worldwide is under serious threat. This is the data that contains their names, ages, social security numbers and so on. As IT systems become an inherent part of an organization's assets, we are also witnessing an increase in reported data loss incidents. The impact of this data loss is huge and carries financial implications.

The latest casualties are customers of Countrywide Financial. The disturbed customers of Countrywide Financial have filed a class-action lawsuit over the 2008 data breach that enabled company insiders to steal and sell their personal information. According to a Courthouse News Service report, the class-action lawsuit on behalf of 16 plaintiffs seeks $20 million in damages, plus punitive damages.

The data theft, originally attributed to a single employee working over a two-year period, has now exposed tens of thousands of customer records. The lawsuit alleges that Countrywide Financial employees stole and sold "tens of thousands, or millions" of customers' personal financial records.

While going through one of the news-stories, we discovered the letter that was sent to the customers. Here is a copy of the letter:

According to the lawsuit, the defendants were slow to admit the massive breaches of confidentiality and offered little or no support. The complaint stated, "Countrywide delayed several months before informing their customers." "Finally, Countrywide informed only certain of their customers by letter and offered in settlement to refer the customers/borrowers to counseling, when it was Countrywide that needed to review and repair its internal procedures."

Have a comment? Share your thoughts by commenting on this blog-post.

Stay Secure, Protect Your Data – Get Alertsec Now

Alertsec Xpress offers computer security software from Check Point as a fully customizable and pre-packaged data encryption software solution.


Behind the Scenes: A Look at Our Laptop Encryption Protection

March 6th, 2010

Today we're going to do a little self-introspection and try to demonstrate why we think encryption is necessary in a fast-paced world, and why it makes sense to use Alertsec's encryption protection.

In a recent report, McAfee, a leading maker of Internet security software, once again gave a strong warning that many hackers are targeting systems that hold intellectual property, and that it is time to increase the focus on security. This follows the attacks on Google, which were traced to China and resulted in the theft of its intellectual property.

In fact, we have always believed that the single most important asset of an organization is its information. With the transition from Web 1.0 to Web 2.0, desktops are increasingly being replaced by laptops, which have become the main computing resource.

The majority of data loss occurs through the loss or theft of equipment. However, this can be easily controlled by installing a laptop encryption system, which ensures that the information or credentials on the device are neither lost nor exposed.

According to the FBI, losses due to laptop theft totaled more than $6.7 million in 2005. The Computer Security Institute/FBI Computer Crime & Security Survey found that the average laptop theft costs a company $89,000. Depending on the information kept on a laptop, a lack of proper security precautions allows a thief to easily acquire personal bookkeeping files, documents containing passwords, addresses, and the employee and customer information stored on company laptops.

From these statistics it is quite evident that a large number of laptops are lost to theft. In fact, we've also found that as many as 1 in 10 laptops will be stolen during its lifetime.

We at Alertsec Xpress offer full disk encryption, which is superior to other encryption methods in security, performance, robustness and ease of use for both administrators and users:

  1. Secure and Reliable
  2. Secure disposal of old laptops
  3. Transferable subscriptions
  4. Convenient (24/7 Helpdesk)

Do check the technical specifications of our laptop encryption service here; we would be glad to hear from you.


Security Breach at Shell Reveals Personal Employee Information

February 27th, 2010

Security breaches can happen anytime, anywhere, and can affect practically anyone in an organization. In the past, we've covered several examples where breaches revealed customers' passwords and social security numbers. Today, we explore a different type of breach: one which leaked the personal details of 170,000 employees and contractors of Royal Dutch Shell. This incident is important because it provides a perfect example of how storing unencrypted data on company computers can be dangerous and have serious consequences that strike a company from the inside.

The situation is particularly difficult for the infamous oil corporation: the database of names and personal contact details has been e-mailed to several non-governmental organizations, including Greenpeace, Friends of the Earth, and Shell Guilty. Shell has attempted to prevent the NGOs from publishing the information, explaining that in doing so they would be breaking the law. Additionally, Shell is launching a full-scale investigation in an effort to figure out how its employee information ended up accessible to third parties. While it's difficult to guess at the techniques used by the hackers involved, one thing is clear: Shell computers aren't protected by full disk encryption and, as a result, are much more vulnerable to online threats.

Shell’s Information is a Serious Problem

Understandably, Shell is trying to prevent the security breach from being seen as a serious problem. An article from TimesOnline included a statement from the company:

Yesterday Shell sought to play down the leak. A statement said: ‘Certain data concerning Shell employees and other individuals on our internal address list has been disclosed to some external parties. The data is mainly business-related.’

While there may be some truth in the statement's claims that much of the information is publicly available and not damaging to the company, it's likely that Shell's employees feel differently. According to a report by the BBC, some of Shell's workers had their private home telephone numbers leaked. Even if no personal telephone numbers had been leaked, the breach draws attention to the poor state of computer security at Shell. Employees can't work well knowing that their personal details aren't well protected. This last complication is troublesome, at least for Shell, which will need to improve the way it does business in order to reassure its employees that their private information is safe. Dealing with the aftermath of a crisis such as Shell's security breach can be extremely costly, and in many cases a damaged reputation can never truly be recovered, regardless of how much money is spent.

Lessons to Learn

Ironically, Shell's security breach came at a convenient time: had Shell discovered the breach in April, a new set of laws (covered here and here) would have allowed the company to be fined up to £500,000. However, even without the monetary cost, Shell lost something extremely valuable: the trust of its employees. Shell workers are much less likely to remain loyal to a company which isn't proactive about protecting its internal information.

In order to earn and maintain the trust of its workers, a company needs to employ solutions which are easy to use and keep data secure. Had Shell been using our Alertsec Xpress computer security software, the company may have avoided the embarrassing security breach and kept its positive reputation among employees. Our software is specifically designed to keep all business parties happy and secure: it encrypts data, making it much more challenging for others to access it.

Further Reading
Shell investigates posting of personal data [TimesOnline]
Shell security breach reveals employee details [BBC]


Massachusetts Enforces New Security Laws for Consumer Protection

February 26th, 2010

As we predicted earlier this month, more legislation is being passed by governments to hold companies accountable for data breaches and to increase the overall security of businesses. Massachusetts is the latest to join this trend: starting March 1st, businesses in the Commonwealth will be held to a much higher standard when protecting their customers' personal data. Organizations which fail to comply with the new law before the start of next month can face fines and be liable in civil lawsuits.

The new legislation is extremely important because, even though it only applies to companies in a specific state, it has many global implications. The main one is that governments are taking note of security breaches and considering them a serious threat. The new laws demonstrate that businesses which fail to protect their internal data will face punishment. Data encryption needs to be a part of every corporation's security strategy: the law specifically mentions that personal customer information has to be encrypted!

A Look at the New Laws

Massachusetts Privacy Law – 201 CMR 17 Compliance [PDF] was created to protect customers from identity theft and other troubles that result from a company revealing personal information to outside parties. The law outlines the measures businesses need to take to keep customer data secure. An article from Bank Info Security summarizes the new rules:

The new law, Massachusetts identity theft regulations, 201 Code of Massachusetts Regulations 17.00, applies to any individual, company or organization that handles personal information in connection with employment or the sale of goods or services. Under the law, Massachusetts will require any entity that stores or transmits residents’ personal information to encrypt the data when it’s stored on portable devices or transmitted via the Internet. The personal information is a combination of customers’ or employees’ names and their Social Security, bank account or credit card numbers. The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) says it is trying to create a culture of security around personal information.

The article points out that the law may be difficult to enforce; in fact, the original compliance deadline of August 2009 was pushed back. However, Massachusetts businesses shouldn't rest easy: those found in violation of the law can face severe penalties under Regulation of Trade, chapter 93A, section 4, including:

  • Civil penalty of $5,000 per violation
  • Payment of the costs of investigation and litigation of such violation (including attorney’s fees)
  • Payment to victims of security breach

How to Respond

Businesses, particularly those in Massachusetts, need to develop comprehensive long-term security plans for protecting their customers. The new laws aren't meant to penalize companies for experiencing data breaches; rather, they're supposed to encourage companies to practice smart security protocols. Organizations worldwide can follow the laws voluntarily and enjoy a higher level of security and, ultimately, better relations with customers.

In order to avoid unnecessary costs associated with data breaches, companies need the right technology. Our Alertsec Xpress full disk encryption service helps businesses comply with new laws by securing customer data. We offer encryption software that’s extremely easy to use and a must-have for any company which wants to be protected from online threats.

Further Reading
Mass. Data Privacy Law: Are You Compliant? [Bank Info Security]
Massachusetts raises the bar for personal data protection, globally [Ovum]
