Posts Tagged ‘breach notification laws’

Online political activist, Aaron Swartz, faces jail time for data theft

July 23rd, 2011

Swartz arrested for stealing data

Heard of sophisticated hacking? Narrated below is a classic case of one such hack.

Harvard researcher and founder of Reddit, Aaron Swartz, has been arrested in Boston on charges related to computer hacking. It appears he allegedly downloaded articles that he was entitled to get free.

Lawrence Lessig, director of the Harvard center where Mr. Swartz recently completed his fellowship, said: “Aaron has never done anything in this context for personal gain — this isn’t a hacking case, in the sense of someone trying to steal credit cards.” “That’s something JSTOR saw, and the government obviously didn’t.”

The indictment

According to the indictment, the researcher, Aaron Swartz, broke into the computer networks at the Massachusetts Institute of Technology. He wanted to gain access to JSTOR, a nonprofit online service for distributing scholarly articles. He allegedly downloaded 4.8 million articles and other documents. It won’t be an exaggeration if we say he downloaded the entire library! To top it all, he did this without authorization and distributed the documents through file sharing networks.

Post-Indictment

Demand Progress has set up a web page and petition in support of Swartz. They are questioning the indictment and the legal strategy that makes downloading “so many journal articles” a felony that should be punished with jail time. Demand Progress is the website where Aaron earlier worked as an Executive Director. According to the website, “the alleged victim has settled any claims against Aaron, explained they’ve suffered no loss or damage, and asked the government not to prosecute.”

Mr. Swartz is looking at 35 years in prison and $1 million in fines for charges related to wire fraud, computer fraud and unlawfully obtaining information from a protected computer. He was arraigned in Federal District Court after surrendering to the authorities. Surprisingly he has pleaded not guilty to all counts. He was released on $100,000 unsecured bond.

History

Aaron released a “Guerrilla Open Access Manifesto” in 2008, asking activists to fight against the sequestering of scholarly papers.

“It’s time to come into the light and, in the grand tradition of civil disobedience, declare our opposition to this private theft of public culture,” he wrote. One goal: “We need to download scientific journals and upload them to file-sharing networks.”

Attorney’s statement

A United States attorney, Carmen M. Ortiz, said: “Stealing is stealing, whether you use a computer command or a crowbar, and whether you take documents, data or dollars. It is equally harmful to the victim whether you sell what you have stolen or give it away.”

Was data compromised?

Apparently no personal data was compromised. Around 7,000 institutions are members of JSTOR and pay fees as per their financial position. 14% of subscribers pay no fee at all. The JSTOR archives feature journals focused primarily on the humanities and social sciences.

Alertsec and data security

Organisations and individuals are being trained to deal with their data security in a better way. Companies are required to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is the security service that keeps all your data secure through encryption software.


Wake Forest Baptist suffers data breach

July 18th, 2011

Data breach at Wake Forest Baptist Medical Center

Medical records are the most vulnerable lot. Umpteen cases of hacking into medical data have been making headlines.

The latest to join the bandwagon is Wake Forest Baptist.

What happened?

Winston-Salem, N.C.-based Wake Forest Baptist Medical Center suffered a data loss of medical records and documents that affected 357 people.

Wake Forest Baptist Medical Center had fired an employee, Linda Bowden Turner, on June 1. It appears she had taken pages from 136 patient medical records and 221 employee documents that included Social Security numbers of past and current employees.

Ms. Turner was charged with larceny by employee. According to her attorney and WFBMC, Ms. Turner was a hoarder and did not commit this deed intentionally.

Here is the statement issued by the Medical Center: “On the afternoon of May 31, 2011, Wake Forest Baptist Medical Center received a call about documents, belonging or pertaining to the medical center, discovered in the basement of a rental home. Following an immediate response by our Privacy and Compliance Offices and with assistance from the Winston-Salem Police Department, our staff removed boxes from properties and storage units owned by former employee, Linda Turner.”

“None of the documents discovered comprised a complete patient medical record,” the center said. “The employment records date from a time when many hospitals used Social Security numbers as the employee identification number. Wake Forest Baptist discontinued this practice several years ago.”

The investigation showed that there were employment and medical documents mixed in with large volumes of the former employee’s personal documents, newspapers, magazines and trash.

No evidence was found that the information was misused in any way. The documents appeared to have been undisturbed in storage areas until the discovery.

Post breach

Wake Forest Baptist mailed a letter Thursday to affected individuals offering a free year of Debix credit-monitoring services, which require registration for use.

Soon after the incident, the medical center started training employees in the proper handling of paper documents containing personal or protected health information. The training program also covers new staff and is being made part of the annual mandatory compliance training.

The medical center has submitted a report to the appropriate regulatory agencies, including the U.S. Department of Health and Human Services, the North Carolina Attorney General and The Joint Commission. A review of the case has been completed by the North Carolina Department of Health Services Regulation (DHSR). DHSR found no discrepancies.

Implementing security measures with Alertsec

Time and again it has been proven that most laptops are stolen or valuable documents taken from the place of work. Alertsec Xpress is the web-based service powered by Check Point Full Disk Encryption – the global leader in encryption for laptops – and is used by big and small organizations that have recognized the need to protect their information.

Alertsec Xpress provides:

  • Fully managed service for your convenience.
  • Very cost effective service.
  • Market leading laptop protection service.
  • Quick and easy implementation.
  • Easy to use protection.
  • Transparent solution.
  • Global 24/7 helpdesk.
  • 100% secure and reliable encryption.
  • Powered by Check Point – the market leader.


WellPoint fined $100,000 for breach

July 12th, 2011

Indiana State files lawsuit against data breach

Health insurer WellPoint (Indiana-based) has to pay a fine of $100,000 for a data breach that involved personal information such as name, date of birth, address, Social Security number, telephone number, e-mail address, and health and financial information of 32,000 Indiana customers.

Why?

The fine was imposed because it waited too long before informing Indiana officials of a security breach that involved personal information of 32,000 members. It has also been asked to reimburse affected parties up to $50,000 as part of the settlement reached with the Indiana Attorney General. In addition, it has to provide up to two years of credit monitoring and identity theft protection services to affected customers.

Read more: http://www.ihealthbeat.org/articles/2011/7/7/wellpoint-to-pay-100k-to-settle-lawsuit-over-indiana-data-breach.aspx#ixzz1Rs49DlJw

“This case should be a teaching moment for all companies that handle consumers’ personal data: If you suffer a data breach and private information is inadvertently posted online, then you must notify the attorney general’s office and consumers promptly,” Zoeller, Indiana Attorney General, said. “Early warning helps minimize the risk that consumers will fall victim to identity theft.”

What happened?

Personal information was compromised for at least 137 days between October 2009 and March 2010. According to the suit, WellPoint learned of the problem Feb. 22, 2010, but didn’t inform the clients until June. The Indiana state law also required that the Attorney General’s office be immediately notified, but WellPoint failed to do so.

The lawsuit

The Indiana Attorney General lawsuit alleged that member information was accessible from Oct. 23, 2009 till March 8, 2010. It stated further that WellPoint received written notification from Sarah Groveunder, a consumer, about the breach but failed to contact her till Mar 4. WellPoint started informing affected consumers only from June 18 and did not finish notifications until July 30.

What is surprising is that warning letters have been sent to a total of 47 companies since the 2009 law went into effect for being slow to notify authorities about breaches. “Many companies keep vast quantities of consumers’ personal data and they are required to handle it confidentially and not carelessly. That’s not just good business practice; that’s the law,” Zoeller said in a statement.

Security

According to Legal Newsline, the site was immediately secured. WellPoint issued the following statement soon after the settlement: “Anthem Blue Cross and Blue Shield is committed to protecting the privacy and security of our members’ and applicants’ personal information. We have implemented I.T. security changes to ensure that this situation will not happen again, and we have received no indication that any information that may have been accessed has been used inappropriately.”

How can Alertsec help?

Thus, in the absence of full disk encryption, the privacy of consumers gets compromised. It is vital to use data encryption software in order to keep our data safe from breaches. Data security and recovery software is the need of the hour. $13/month is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model.


Personal data compromised at Washington Post

July 8th, 2011

Hackers hit Washington Post

Hacking seems to be becoming a profession these days, and an exciting and lucrative one at that!

Security experts have been warning all organizations that they are vulnerable to cyber-attack. These attacks are not limited to small companies but also hit big organizations like Sony, NASA etc.

Definition of hacking

According to Wikipedia Hacking may refer to:

Latest victim of hacking

The Washington Post Jobs site has been hacked! Hackers accessed its employment website and stole 1.27 million user IDs and e-mail addresses of its registered job-hunters.

According to the newspaper publisher’s July 6 report, hackers hit the Washington Post’s job board twice, once on June 27 and again on June 28. They stole roughly 1.27 million user IDs and e-mail addresses. Fortunately, passwords to the actual Jobs account and other personal information such as resumes and personal addresses were not compromised.

“We quickly identified the attack and took action to shut it down,” the Washington Post said.

Users may receive spam as a result of the breach and should avoid opening suspicious or unsolicited e-mails or responding to the messages, according to the Post. The problem is even more serious than that, according to Josh Shaul, CTO of Application Security.

This breach has affected the registered users big time. The people registered on the site are job-seekers who fall for spear phishing. “It’s impossible to resist looking into legit looking e-mails that come in offering you the opportunity to work,” said Shaul.

The Washington Post has confirmed that additional security measures to prevent similar attacks have been implemented, and is “conducting a thorough audit of the security of the Jobs site.”

Michael Sutton, vice president of security research at Zscaler Labs, said in an e-mail: “From the attacker’s perspective however, harvesting 1.27 million active email addresses constitutes a successful attack. When e-mail addresses can be sold in the underground market or used to send spam, there’s little doubt that the data breach will be leveraged for profit.”

Is hacker group Anonymous behind the attack?

This attack could be the work of Anonymous or any of the other members of the AntiSec campaign. Anonymous has been very active in recent weeks, breaking into the Arizona Police Department, among other targets.

AntiSec has typically targeted large governmental and media giants. But so far no one has admitted their role in this attack.

Cyber-security with Alertsec

Alertsec Xpress is a very easy and convenient service which enables securing valuable information on laptops.

Alertsec Xpress is powered by Check Point, the market leader in the field of mobile data protection. The software was launched 16 years ago and is the most robust software on the market today.

Alertsec Xpress provides:

  • Fully managed service for your convenience.
  • Very cost effective service.
  • Market leading laptop protection service.
  • Quick and easy implementation.
  • Easy to use protection.
  • Transparent solution.
  • Global 24/7 helpdesk.
  • 100% secure and reliable encryption



Apple’s systems hacked, internal passwords stolen

July 6th, 2011

User names stolen from Apple server

Hacking groups

Hacking attacks are on the rise. Hacker groups such as LulzSec have been successfully breaking into networks of big companies like Fox, Sony, AT&T, PBS, Citigroup and even the CIA. LulzSec, an anonymous group of hackers, have claimed responsibility for hacking into several major company websites.

The latest in the line is Apple’s website. It appears that hackers have broken into Apple’s systems before posting a list of names and password hashes online. The names were not linked to the more than 200m customer credit cards stored on the iTunes online store.

The complete story

Hacking group Anonymous broke into an Apple server, collecting 26 administrative user names and passwords. The group announced the breach through its Twitter account, where it shared a link to the data posted on text-sharing website Pastebin. “Apple could be target, too,” the group tweeted. “But don’t worry, we are busy elsewhere.”

The LulzSec group has been very active in the hacking field and recently announced it was ending its hacking operation and asked its users to support Anonymous. Their movement is called “AntiSec.” Both Anonymous and LulzSec have always targeted big companies, disclosing their political motives.

What does Apple have to say?

Apple declined to comment and has not confirmed the breach as yet. Fortunately the data that was hacked has little value to the culprits.

Why is this happening?

“Part of the problem is that companies don’t have an incentive to disclose when a breach occurs unless it’s required by law,” said Ronald Deibert, director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. “But the volume [of attacks] suggests something is going on.”

Hacking operations by groups like Anonymous and LulzSec started with Sony, which is still having a hard time getting its systems back on track since its breach in April.

One of the reasons for these successful hacking attempts is the very nature of most major corporations’ digital data. Up till now, large companies had an Internet website for public information and an “intranet” for internal use. But the picture has drastically changed today. A company’s public online presence includes websites, YouTube channels, Facebook pages and Twitter accounts – all very vulnerable to compromise!

Add to this the high-profile nature of such services. Even though social networking platforms like Twitter or Facebook offer very little business value, they can be used to quickly and publicly embarrass a company – the latest in the news being the Fox News Twitter account, which displayed fake Obama tweets! Stay tuned..

Time for giant corporates to tighten their security – AlertSec’s security services

Organisations, especially corporate giants, must have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Alertsec Xpress’s Check Point Full Disk Encryption is used by over 4 million users worldwide.
