Archive for the ‘Security Flaw’ category

2011 a bad year for medical data breaches – millions of patient records compromised

December 21st, 2011
Beth Givens at Privacy Revolution session

PRC Director Beth Givens gives an insight into Medical data breaches

The San Diego-based Privacy Rights Clearinghouse has come up with a list of 2011’s six most significant data breaches.

An overview

2011 has been a bad year for medical data breaches. According to the PRC there were a total of 535 breaches involving 30.4 million sensitive records. By sensitive information we mean Social Security numbers, driver's license numbers, financial account information and medical data.

Top breaches

The worst hit was Health Net: nine of its data servers went missing from a Northern California data center in January. The servers held records of almost two million current and former policy holders.

Sutter Health experienced a data breach when a company-issued computer was stolen from Sutter Medical Foundation's offices. Health data of more than 4 million patients was compromised.

Tricare Management Activity and Science Applications International Corporation – backup tapes containing data on 4.9 million patients were stolen from an employee's car.

What do regulators have to say?
Regulators feel that industry and legislative mandates to protect sensitive information need a revamp. Data privacy laws are gaining importance at both the national and state levels, and regulators are focusing on industries where personal information is central: HIPAA in healthcare and the Gramm-Leach-Bliley Act (GLBA) in financial services are examples. It is not only lawmakers who impose data security mandates. Industry bodies have produced their own standards, such as the Payment Card Industry Data Security Standard (PCI DSS), which governs how credit card information may be stored.
The other aspect IT professionals are watching is cloud computing. A recent EMA survey shows that organisations that had adopted, or were planning to adopt, cloud computing were making data security and privacy controls an important part of their Service Level Agreements (SLAs) with cloud providers.
According to Paul Hogan, CEO of T3 “This recent legislation proposal shows the absolute crisis that the US and the world’s largest corporations and government are facing regarding data breaches and the subsequent leakage of extremely sensitive consumer and government information. Cyber attacks have been around for a long time, however due to their sensitive nature, large corporations have tried their best to keep them from being reported to the media, which would no longer be possible if this legislation passes which we believe is simply a matter of time.”
Here is the statement of PRC director Beth Givens: “This is a conservative number,” said Givens. “We generally learn about breaches that garner media attention. Unfortunately, many do not. And, because many states do not require companies to report data breaches to a central clearinghouse, data breaches occur that we never hear about. Our chronology is only a sampling.”
Hospitals can secure themselves with Alertsec
Organisations and hospitals have to have an information security policy in place that proves they have taken the necessary steps and measures to safeguard the information they gather. If these policies are not adhered to, the regulators may prosecute.
Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Alertsec Xpress’s Check Point Full Disk Encryption is used by over 4 million users worldwide.

SEC wants companies to disclose their data breaches

October 15th, 2011

SEC guidance asks companies to report data breaches

Corporate giants have traditionally handled data breaches by not revealing them and not offering details. They have always preferred to keep mum. It is no exaggeration to say that tens of billions of dollars' worth of data is compromised every year at U.S. companies and very little of it gets reported.

But that is about to change. The Securities and Exchange Commission (SEC) has formally asked corporations to report data breaches and cyber crimes. The new guidance issued by the SEC states that publicly traded companies must disclose material cyberthefts or attacks, and any material risks associated with their data.

The guidance is the result of Sen. John D. Rockefeller's initiative. He said: “This guidance changes everything. It will allow the market to evaluate companies in part based on their ability to keep their networks secure.”

“For years, cyber risks and incidents material to investors have gone unreported in spite of existing legal obligations to disclose them,” Rockefeller added. “Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark.”

The existing disclosure rules do not specifically mention cyberattacks. They only require companies to report material risks to the business. Under the new guidance, companies will have to address cyberattacks explicitly, and may also have to disclose data breaches that took place in the past.

Cyber security is being beefed up through this guidance because cyber crime is on the rise. The recent major breaches at Sony and Citigroup Inc contributed to the decision.

Melissa Hathaway, a former White House cyber coordinator, said in her statement: “It'll force executives to really understand what's going on within their corporations. I think it will create the demand curve for cybersecurity.”

Which cyber-incidents does the guidance cover?

Cyber incidents that could materially affect products, services, relationships with customers or suppliers, or competitive conditions fall under the new guidance.

Here is the exact wording in the guidance:

Registrants should address cybersecurity risks and cyber incidents in their MD&A [management discussion and analysis] if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant's results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.

Alertsec comes to the rescue

80% of data loss is due to lost or stolen equipment, and 50% of network breaches start with passwords recovered from lost or stolen equipment. Laptop encryption is the answer to the laptop theft problem. Companies large and small are realizing the importance of protecting the data on their portable machines, and Alertsec offers a laptop encryption service to secure it.

Organisations are now more aware of their data security obligations and are implementing data encryption. Alertsec uses full disk encryption software to protect data against breaches and theft.

Alertsec Xpress is built on Check Point Full Disk Encryption and is used by over 4 million users worldwide, with single deployments exceeding 150,000 laptops and PCs. It is the most widely deployed software of its kind and is regarded as today's market leader.



Contractor blamed for Stanford Hospital data breach

October 9th, 2011

Stanford Hospital sued over data breach

Third parties have recently been in the news for data breaches. You hand your data to a contractor, trusting them to keep it secure, and the next thing you know it has been exposed.

The recent case detailed below concerns a breach that exposed the personal data of some 20,000 patients, thanks to a contractor's negligence.

Stanford Hospital Clinics class action suit

The personal information of 20,000 patients was available on a public website for almost a year. That led to a class action suit against Stanford Hospital & Clinics.

Shana Springer, one of the patients whose information was compromised, filed the class-action lawsuit against Stanford Hospital & Clinics and Multi-Specialty Collection Services, the outside vendor that was allegedly responsible for the breach. The lawsuit asks for $1,000 per patient.

Here is what the hospital spokesperson had to say: “The hospital intends to vigorously defend the lawsuit that has been filed as it acted appropriately and did not violate the law as claimed in the lawsuit.”

Case details

A spreadsheet maintained by a third-party billing contractor, Multi-Specialty Collection Services (MSCS), was allegedly posted on Student of Fortune, a website that lets students solicit homework help for a fee.

The spreadsheet apparently included names, diagnosis codes, account numbers, and admission and discharge dates of about 20,000 patients who visited the hospital's emergency room in 2009.

According to Stanford Hospital & Clinics, the data was encrypted when it was handed over. It appears that MSCS decrypted the data and put it into a spreadsheet, which then passed to a person who apparently had no idea what it contained and posted it on the website. MSCS has not divulged the identity of this individual.

Statement released by the hospital: “This mishandling of private patient information was in complete contravention of the law and of the requirements of MSCS's contract with SHC and is shockingly irresponsible.”

According to MSCS, its contractor Frank Corcino decrypted the details and put them into a spreadsheet, which he later handed to a job applicant as part of a skills test.

It appears that the applicant, unaware that the spreadsheet contained private data, posted it on the homework help site in September 2010. The data remained on the site until August 22, 2011, when a patient discovered it.

What Alertsec has to say

Alertsec is the frontrunner in offering hard disk encryption as a fully managed service. We provide information security in a cost-effective and easy way.

By using full disk encryption you greatly enhance laptop security, because the information on a lost or stolen machine is not exposed. A theft is reduced to an insurance matter: the cost of the hardware plus the time to rebuild the laptop. That is a small price compared to what can happen if you lose confidential or sensitive data, as the examples in our industry news show.

Alertsec Xpress offers an easy-to-use laptop security service that includes more than the traditional software-licensing model.



The U.S. Senate Judiciary Committee approves three Democrat-proposed data breach bills

September 26th, 2011
Sen. Patrick Leahy (D-VT)

Sen. Patrick Leahy's bill wins approval

Breach notification and data security requirements are now closer to reality, thanks to three bills proposed by Chairman Leahy (D-VT), Senator Blumenthal (D-CT) and Senator Feinstein (D-CA).

The Senate Judiciary Committee approved the bills on Sept 22. The committee's 10 Democrats voted in favor and its eight Republicans voted against. Leahy was disappointed that no Republican supported the measures.

About the three bills

The three bills would require businesses to develop data privacy and security plans, and would set a federal standard for notifying individuals of breaches of sensitive personally identifiable information (SPII).

The Leahy bill

This bill is also known as the Personal Data Privacy and Security Act of 2011. It is a cyber-security and online-privacy measure introduced to deal with threats from hackers and malicious software.

Three important points about Senator Leahy’s bill:

a. A ‘data minimization’ provision, requiring businesses to establish a plan to minimize the amount of SPII they retain and to delete SPII that is no longer needed to fulfil an (unspecified) business purpose or legal obligation.

b. Previous iterations of Leahy's bill had several sections on government access to commercial data. These have now been struck.

c. An important addition during markup was a provision designed to ensure that the Computer Fraud and Abuse Act (CFAA) is not used against people who merely violate a website's terms of service.

Is this time any different?

Cyber security bills have been introduced before, but little came of them. Data breaches are growing rapidly, and hopefully this time is different.

Senator Chuck Grassley and the EFF concerned about the new bills

Here is what Senator Grassley had to say: “Americans want and need the Congress to work with private businesses to create jobs. However, under this bill, we may end up with more burdensome regulations, small businesses forced into bankruptcy, jobs lost, and consumers still going unprotected because the over-notifications will be ignored.”

The EFF and a group of civil liberties organizations and scholars have asked the committee to ensure the CFAA doesn't punish ordinary computer users who happen to breach terms of use.

Gaps in the bill

Under the current bill, government employees who violate employment agreements remain vulnerable to contract-based prosecutions under the CFAA. All computer users should be protected against such charges, irrespective of where they work.

Alertsec strengthens security

Alertsec has created a web-based encryption service that radically simplifies deployment and management of PC encryption, using the industry-leading Check Point Full Disk Encryption (formerly Pointsec) software.

Organisations, especially corporate giants, have to have an information security policy in place that proves they have taken the necessary steps and measures to safeguard the information they gather. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.


DigiNotar forced into bankruptcy after a hack attack

September 21st, 2011

DigiNotar winds up its operations. Hackers intercept Gmail and Google Docs traffic

Internet security company DigiNotar, whose servers were compromised in July by a hacker claiming to be Iranian, has filed for bankruptcy. A Dutch court granted the bankruptcy petition on Tuesday.

About DigiNotar

DigiNotar was an Internet security company offering services in the fields of identity management, electronic signatures, reliable document exchange and electronic archiving. Over the years it had gained a reputation for trust in the Dutch Internet security market.

The hacking incident at DigiNotar

DigiNotar's certificate authority was hacked by ‘Comodohacker’, which exposed around 300,000 Iranians to Gmail and Google Docs interception. Fraudulent SSL certificates carrying DigiNotar's signature, which browsers trusted as genuine, were used in an apparent attempt to snoop on Google users in Iran.

With a man-in-the-middle position and the rogue certificate, the attacker could present a convincing fake Google site, capture victims' login cookies, log in directly to their Gmail mailboxes and read the stored emails. The same cookies gave access to the other services Google offers, such as stored location information from Latitude or documents in Google Docs.

The attacker succeeded in creating a fraudulent certificate for *.google.com on 10 July.

How was the hack found out?

Chrome ships with a built-in list of the certificates and public keys that are allowed to vouch for google.com. A Chrome user in Iran was presented with the DigiNotar-issued certificate, which did not match that internal list, so the browser raised a warning and the fraud came to light. According to Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab, other vendors could add a similar feature to their software so that they could automatically confirm the legitimacy of a certificate. “You need to disincentivize actors to hack CAs. In the current system, we need to live with the fact that CAs can be hacked,” he said.

Voluntary bankruptcy

According to DigiNotar's parent company Vasco Data Security, the firm filed for voluntary bankruptcy. It is winding up its affairs under the supervision of a court-appointed trustee.

Statement by T. Kendall Hunt, VASCO’s Chairman and CEO

“Although we are saddened by this action and the circumstances that necessitated it, we would like to remind our customers and investors that the incident at DigiNotar has no impact on VASCO's core authentication technology. The technological infrastructures of VASCO and DigiNotar remain completely separated, meaning that there is no risk for infection of VASCO's strong authentication business. In addition, we plan to cooperate with the Trustee and the Judge to the fullest extent reasonably practicable to bring the affairs of DigiNotar to an appropriate conclusion for its employees and customers. We also plan to cooperate with the Dutch government in its investigation of the person or persons responsible for the attack on DigiNotar.”

Can digital certificate disasters be prevented?

The downfall of DigiNotar has sparked debate about how to prevent digital certificate disasters in future.

Attackers will keep going after certificate authorities, so there is no guarantee that such a disaster can be prevented altogether. What vendors can do is ship a whitelist of the legitimate certificates (or, better, the public keys behind them) for the top 10 or 20 targets of cyberespionage, such as Facebook, Gmail, Yahoo and Tor, as well as other high-profile sites. A certificate that chains to a trusted CA but does not match the whitelist is then rejected even though the CA signature itself checks out, which is exactly what stopped the DigiNotar certificate in Chrome.
