Midlothian Council pays hefty fine for data breach

ICO is leaving no stone un-turned to punish data breach culprits. It is levying fines to those who compromised private data, especially children’s sensitive data.

Recently the council fined the Midlothian Council a record fine of £140,000 for disclosing sensitive child data. And we are not talking here about just one breach. There were 5 breaches between Jan and June 2011.

The case in detail

Breach 1 – This happened when documents related to the status of a foster carer were sent to seven healthcare professionals, who had no reason to see this data.

This particular incident took place in January 2011 and details came to light only in March when the council started to investigate. In spite of the investigation similar incidents took place in May and June.

Breach 2 – Minutes of a child protection conference were sent by mistake to the former address of the mother’s partner, where they were opened and read by an unauthorized individual. The documents contained personal data about the mother, who made a complaint to her social worker about this case.

Assistant Commissioner for Scotland Ken Macdonald said “the serious upset that these breaches would have caused to the children’s families is obvious and it is extremely concerning that this happened five times in as many months.’

“I hope this penalty acts as a reminder to all organizations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure.”

He further added that information about children’s care, details about their health and wellbeing, is the most sensitive information that is held by local authorities. It goes without saying that this information has to be protected and that strict policies are to be chalked out and followed.

The ICO’s investigation

According to the ICO all five breaches could have been avoided if the council had been strict about protection policies, training and had put checks in place. It has further ordered the council to take action to keep the personal data secure.

Since the incidents the council has recovered all of the information that was sent to the wrong recipients and is updating its security policies.

What the the ICO chiefly wants is that the government should give itstronger powers to audit local councils’ data protection compliance, if necessary without consent.

NHS bodies across the UK want the same kind of powers in light of the recent data protection breaches.

Midlothian Council comments:

Colin Anderson, chief social work officer for Midlothian Council, commented: “As soon as the council discovered the problem, it investigated and found eight letters or documents had been sent to the wrong recipients, for which the council is sincerely sorry.

“The council immediately took steps to retrieve the information, or have it destroyed, and voluntarily reported ourselves to the information commissioner. I must emphasise that there is no evidence that anyone was put at risk.

Cyber-security with Alertsec

Alertsec Xpress is a very easy and convenient service which enables securing valuable information on laptops.

Alertsec Xpress is powered by Check Point, the market leader in the field of mobile data protection. The software was launched 16 years ago and is the most robust software on the market today.

Alertsec Xpress provides:

• Fully managed service for your convenience.
• Very cost effective service.
• Market leading laptop protection service.
• Quick and easy implementation.
• Easy to use protection.
• Transparent solution.
• Global 24/7 helpdesk.
• 100% secure and reliable encryption

SEC orders companies to report data breaches

Corporate giants have been handling data breaches traditionally i.e. not revealing the breaches, not offering details. They always preferred keeping mum. It won’t be an exaggeration if we say that tens of billions of dollars worth of data is compromised every year from U.S. companies and very few of it gets reported !

But that is about to change. The Securities and Exchange Commission (SEC) has formally asked corporations to report data breaches and cyber crimes. The new guidelines issued by the SEC state that publicly traded companies must report cybertheft or attack and any risks associated with data.

These guidelines have been a result of Sen. John D. Rockefeller’s initiative. “This guidance changes everything. It will allow the market to evaluate companies in part based on their ability to keep their networks secure.”

“For years, cyber risks and incidents material to investors have gone unreported in spite of existing legal obligations to disclose them,” “Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark.”

The current regulations do not specifically talk about cyberattacks. They only expect companies to report if there is risk to their material wealth. But now companies will be forced to talk about cyberattacks, thanks to these guidelines. The guidelines might, in addition to the above, ask the companies to disclose data breaches that took place in the past.

Cyber security is being beefed up through these regulations as cyber crime is on the rise. The recent major breaches including Sony’s and Citigroup Inc have resulted into this action.

Melissa Hathaway, an ex-White House cyber coordinator said in her statement “It’ll force executives to really understand what’s going on within their corporations,”. “I think it will create the demand curve for cybersecurity.”

Which cyber-incidents will be included in the guidelines?

Cyber incidents that could materially affect products, services, relationships with customers or suppliers, or competitive conditions will be a part of these new regulations.

Here is the exact wording in the guidance:

Registrants should address cybersecurity risks and cyber incidents in their MD&A [management discussion and analysis] if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition

Alertsec comes to the rescue

80% of data loss is due to lost or stolen equipment. 50% of network breaches take place by using passwords from lost or stolen equipment. Laptop encryption is the solution to laptop theft problem. Small and big companies are now realizing the importance of tracking software. Alertsec offers laptop encryption service to secure your data.

Organisations are now made aware about their data security and are implementing data encryption techniques. Alertsec uses encryption software to protect data from breaches and theft.

Alertsec Xpress is backed up by Check Point Full Disk Encryption and is used by over 4 million users worldwide, with single deployments exceeding 150,000 laptops and PCs. This is the most deployed software of its kind and is seen as today’s market leader.

Sensitive info papers lost from filing cabinet

Data breaches are online as well as physical

Data breaches are not restricted to online or soft copy data loss. They also include theft or loss of physical documents.

Here’s a look at a recent case of physical and digital data theft.

Scottish Children’s Reporter Administration (SCRA) breaches Data Protection Act for the second time

The Scottish Children’s Reporter Administration (SCRA) is in breach of data security related to children’s data twice in the last 6 months. The SCRA is an organization dedicated to protect children in the judicial system. The body investigates the care of Scotland’s most vulnerable children.

Details of the two breaches

In January 2011 the Scottish body sent documents containing a child’s personal data to the wrong email address. The documents carried sensitive information like child abuse related to the legal case which had the contact information of the child’s mother and witnesses.

Later, in September 2010, the body somehow lost 9 case files which contained personal data such as birth dates, names and social report. Apparently the files got lost when the filing cabinet which contained these files was moved and later sold to a second-hand furniture shop.

Mishandling of sensitive information

Ken Macdonald, assistant information commissioner for Scotland, is concerned that data had been breached twice by the same organization.

“On both occasions the personal data which was compromised related to young children and was caused by human errors that could easily have been avoided,” said Macdonald. He further added “I am pleased that the Scottish Children’s Reporter Administration has taken action to make sure that the personal information they handle is kept secure and would urge other organizations, particularly those handling sensitive information relating to young people, to follow suit,”. Fortunately both times the information was not circulated.

Information handling post breach

Neil Hunter, chief executive of the SCRA, is renewing the organization’s data protection policy and training employees about data security.

The ICO (Information Commissioner’s Office) is holding workshops related to raising awareness of data protection obligations among staff.

About ICO

The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

Security guaranteed with Alertsec Xpress

This incident highlights the need of a data security and data encryption software, the threat could have simply been reduced to an insurance matter by a mere investment of $13/month. The information would have been secure with no loss what so ever. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.

Alertsec has offices in the US, UK, Sweden and operates in many other countries around the world through partners.

Its mission is to continuously improve its products and services in order to deliver the easiest and most cost-effective managed encryption service on the market

Time to move to Cloud computing?

It is high time security standards for data are redefined. The recent hacking attacks stress this need and laws against hackers need more strengthening.

Is cloud computing the answer to the hacking question?

The Commission on the Leadership Opportunity in U.S. Deployment of the Cloud, or CLOUD2 — came up with a plan as to how the government should work with industry, academia, and other nations to use Cloud technology effectively.

The government will study viable cloud computing solutions for technology and make a decision about its implementation in federal IT.

The CLOUD2 commission body consists of 71 of the nation’s experts from the cloud computing industry who dedicate more than 2,000 hours of work in person and in the cloud. The Commission is headed by Salesforce.com Chairman and CEO Marc Benioff and VCE Chairman and CEO Michael Capellas.

The CLOUD2 commission is hoping to use cloud adoption to foray into the global IT world and create employment.

“The debate around cloud computing is over – everyone agrees the shift to the cloud is inevitable,” said Marc Benioff, chairman and CEO, salesforce.com and the Commission’s Co-chair. “The Cloud First Buyers Guide for Government provides the best practices for how agencies can evaluate and deploy cloud services, helping them make huge gains in productivity and efficiency.”

According to Michael Capellas, CEO of VCE, a cloud venture backed by Cisco and EMC “Today’s recommendations by the commission will help further accelerate adoption of cloud computing within the government infrastructure,” Capellas said in a statement. “Faster adoption of cloud computing will strengthen the United States’ leadership position in the global marketplace and ignite creation of jobs that will be in high demand over the next decade.”

The 14 recommendations include four  important areas of cloud computing

The Commission has also produced a Cloud Buyer’s Guide, it is available online at http://www.cloudbuyersguide.org/

Presentation of the above recommendations

The committee has presented  its recommendations with federal CIO Kundra (outgoing), Commerce Secretary Gary Locke, and Pat Gallagher, director of NIST.

Concerns over cloud

Although companies can benefit from the cloud, they are still concerned about the security risks.

David LeDuc, SIIA’s senior director of public policy says ” “The reality is that most of the fear associated with security as it pertains to cloud computing, is that people think they’ll have less control over the systems and the information. They feel they’re relinquishing direct control of their data,”

Data stays safe with Alertsec

Alertsec Xpress offers a customizable data encryption software solution from Checkpoint, the industry leader in encryption software (former Pointsec). Alertsec has come up with a web based encryption service that helps in deployment and management of PC encryption.

Indiana State files lawsuit against data breach

Health insurer WellPoint (Indiana-based) has to settle a fine of $100,000 to for a data breach that involved the personal information like name, date of birth, address, Social Security number, telephone number, e-mail address, and health and financial information of 32,000 Indiana customers.

Why?

The reason for the fine is because it waited for long before informing Indiana officials of a security breach that involved personal information of 32,000 members. It has also been asked to reimburse affected parties up to $50,000  as part of the settlement reached with the Indiana Attorney General. In addition it has to provide up to two years of credit monitoring and identity theft protection services to affected customers.

Read more: http://www.ihealthbeat.org/articles/2011/7/7/wellpoint-to-pay-100k-to-settle-lawsuit-over-indiana-data-breach.aspx#ixzz1Rs49DlJw

“This case should be a teaching moment for all companies that handle consumers’ personal data: If you suffer a data breach and private information is inadvertently posted online, then you must notify the attorney general’s office and consumers promptly,” Zoeller, Indiana Attorney General, said. “Early warning helps minimize the risk that consumers will fall victim to identity theft.”

What happened?

Personal information was compromised at least 137 days between October 2009 and March 2010. According to the suit WellPoint learned of the problem Feb. 22, 2010, but didn’t inform the clients until June. The Indiana state law also required that the Attorney General’s office be immediately notified but Wellpoint failed to do so.

The lawsuit

The Indiana Attorney General lawsuit alleged that member information was accessible from Oct. 23, 2009 till March 8, 2010. It stated further that WellPoint received written notification from Sarah Groveunder, a consumer, about the breach but failed to contact her till Mar 4.  WellPoint started informing affected consumers only from June 18 and did not finish notifications until July 30.

What is surprising is that warning letters to a total of 47 companies were sent since the 2009 law went into effect for being slow to notify authorities about breaches. “Many companies keep vast quantities of consumers’ personal data and they are required to handle it confidentially and not carelessly. That’s not just good business practice; that’s the law,” Zoeller said in a statement

Security

According to Legal Newsline the site was immediately secured. WellPoint issued the following statement soon after the settlement: “Anthem Blue Cross and Blue Shield is committed to protecting the privacy and security of our members’ and applicants’ personal information. We have implemented I.T. security changes to ensure that this situation will not happen again, and we have received no indication that any information that may have been accessed has been used inappropriately.

How can Alertsec help?

Thus in the absence of full disk encryption, privacy of consumers gets compromised. It is vital to use Data encryption software in order to keep our data safe from breaches. Data security and recovery software is the need of the hour. $13/month is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model.

Hackers hit Washington Post

Hacking seems to be getting a profession these days and that too an exciting and lucrative one !

Security experts have been warning all organizations that they are vulnerable to cyber-attack. These attacks are not only limited to small companies but also big companies like Sony, NASA etc.

Definition of hacking

According to Wikipedia Hacking may refer to:

• Computer hacking, including the following types of activity:
  • Hacker (programmer subculture), activity within the computer programmer subculture
  • Hacker (hobbyist), to heavily modify the software or hardware of one’s own computer system
  • Hacker (computer security), to access computer networks, legally or otherwise
  • Computer crime

Latest vicitm of hacking

The Washington Post Jobs site has been hacked ! Hackers accessed its employment Website and stole 1.27 million userIDs and e-mail addresses of its registered job-hunters.

According to the newspaper publisher’s July 6 report hackers hit the Washington Post’s job board twice, once on June 27 and again on June 28. They stole roughly 1.27 million user IDs and e-mail addresses.  Fortunately passwords to the actual Jobs account and other personal information such as resumes and personal addresses were not compromised.

“We quickly identified the attack and took action to shut it down,” the Washington Post said.

Users may receive spam as a result of the breach and should avoid opening suspicious or unsolicited e-mails or responding to the messages, according to the Post. The problem is even more serious than that, according to Josh Shaul, CTO of Application Security.

This breach has affected the registered users big time. The people registered on the site are job-seekers who fall for spear phishing. “It’s impossible to resist looking into legit looking e-mails that come in offering you the opportunity to work,” said Shaul.

Washington Post has confirmed that additional security measures to prevent similar attacks have been implemented, and is “conducting a thorough audit of the security of the Jobs site.”

Michael Sutton, vice president of security research at Zscaler Labs, in an e-mail said “From the attacker’s perspective however, harvesting 1.27 million active email addresses constitutes a successful attack. When e-mail addresses can be sold in the underground market or used to send spam, there’s little doubt that the data breach will be leveraged for profit.”

Is hacker group Anonymous behind the attack?

This attack could be the work of Anonymous or any of the other members of the AntiSec campaign.  Anonymous has been very active in recent weeks, breaking into the Arizona Police Department, among other targets.

AntiSec has typically targeted large governmental and media giants. But so far no one has admitted their role in this attack.

Cyber-security with Alertsec

Alertsec Xpress is a very easy and convenient service which enables securing valuable information on laptops.

Alertsec Xpress is powered by Check Point, the market leader in the field of mobile data protection. The software was launched 16 years ago and is the most robust software on the market today.

Alertsec Xpress provides:

• Fully managed service for your convenience.
• Very cost effective service.
• Market leading laptop protection service.
• Quick and easy implementation.
• Easy to use protection.
• Transparent solution.
• Global 24/7 helpdesk.
• 100% secure and reliable encryption

HEI discovered a vulnerability in an information system at certain of its hotel properties, which might have been exploited due to which credit card information related to certain transactions occurring between March 25 and April 17, 2010 may have been compromised.

The possible data breach could have given the hackers sensitive information such as credit card types, credit card numbers, expiration dates and security codes stored in the magnetic stripe on the back of each card. The hackers also compromised the property management system at the Algonquin Hotel, according to the letter signed by Troy Waterman, HEI’s senior vice president of finance.

In a letter to customers who stayed at one of its properties, the Algonquin Hotel, the firm informed customers that they believed that the point of sale system used in its restaurants, bars, and gift shops and the information management system used at check-in were illegally accessed and transactions intercepted. Customers were informed that the credit card’s number, expiration date, security code, and encoded magstripe data were at risk.

A HEI spokesman today said that though the company has notified 3,400 customers, there is no indication so far that the credit card data has been misused. Meanwhile, HEI is now offering a year’s worth of credit monitoring services for free.

Secure your organization with Alertsec

Alertsec Xpress is used in all organisations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to large multinational companies with offices around the globe. By using industry leading Check Point Full Disk Encryption (former Pointsec) software, Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption.

For security and technology observations, consider following us on Twitter.

Related articles by Zemanta

• Hotel Operator Warns of Data Breach (pcworld.com)
• Accomodations Will Be Made – Hotel Card Systems Attacked, Breached (infosecurity.us)

A laptop containing vital and sensitive data was stolen from Martin Hatton’s home in Blenheim Road, Horsham between 10pm on Monday August 30 and 5.20am on Tuesday August 31.

Mr. Hatton, the managing director of Mendage Projects Ltd, said: “The information contained on the laptop is quite crucial to me carrying on my day to day business.” He added, “The laptop even contained work he had done on the Houses of Parliament.”

Meanwhile, a reward of £10,000 is on offer for the recovery of the equipment and information leading to the conviction of those responsible.

The laptop was in a leather computer bag which also contained some memory sticks for each of the projects Hatton was working on. The bag also had all his business contacts’ cards along with all his current work notes. Moreover, his mobile phone containing 400-500 contacts was also taken.

Hatton said, “The theft has put me back weeks on the projects I was working on. It will cost me a lot of money to employ people to do the work again.” He also added, “I’m incensed by the fact someone’s broken into our home while we were sleeping in our beds.”

How to prevent data breach?

In cases of laptop theft, the insurance company may cover the hardware loss, but the data might be lost forever, or in worst cases might land in the wrong hands. Thus, data security software is required which will reduce the theft to merely that of hardware. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data.

Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.

Related articles by Zemanta

• WinMagic’s SecureDoc Full-Disk Encryption Solution to Fully Support Intel Advanced Encryption Standard New Instructions (AES-NI) (eon.businesswire.com)
• Do You Know Where Your Laptops Are? (itexpertvoice.com)

The main concern while running a business is keeping your computing devices like desktops, laptops etc. and their data secure. The portability offered by laptops, increases their chance of being stolen as people are constantly leaving them unattended at public places. Many a times these devices are left behind at restaurants, subways, coffee shops, airports etc. Although the insurance company may cover the hardware, the files and data on the machine may eventually be untraceable and forever lost.

Recently BSI carried out their 8^th Annual Computer Theft Survey in the United States. Here are the key findings from that survey:

• More than 5.5 Million computers were stolen in the United States in the last 3 years.
• More than half (58.7%) of the respondents have been a victim of computer theft in the last year.
• According to FBI, 97% of unprotected computers (i.e. computers that do not use any data encryption software or computer security software) are never recovered.
• 68% of the devices stolen were laptops, followed by desktops (10%) & others like PDA’s, iphone etc. (22%)
• 67%  of computer theft occurred while respondent was mobile (moving about),
• 91% of respondents did not use data encryption software to encrypt the proprietary data on their stolen device.
• Average total replacement cost of each stolen computing device was $43,264.66.
• 71% of respondents reported downtime due to computer theft ranging from several days to more than a month.
• Only 21% of those surveyed used extensive data protection like dedicated data encryption software, but about 70% did not use any safeguard or security protection at all.

These numbers are very similar to the numbers in the surveys done earlier on this issue, clearly indicating that people are not doing anything more to protect their data than they were doing earlier.

If you carefully analyze the survey data, you will notice that only 3% of stolen computing devices are recovered; even then only 9% people are using data encryption software to protect their data.

Encrypt your Data for peace of mind!

We spend huge sums to protect our internal networks, but forget that there are people carrying laptops that are connected to these internal networks. These laptops are equally vulnerable to theft & hacking. This fact has been highlighted in the survey, according to which 67% of computer thefts occurred when the respondent was outdoors.

By using laptop encryption software, we could have greatly enhanced the laptop security as there is no way that the information is compromised if the laptop is lost or stolen. A theft would simply be reduced to an insurance matter and cost of the hardware plus time to rebuild the laptop.

Secure your data using Alertsec

Alertsec Xpress offers computer security software from Check Point as a fully customizable and pre-packaged data encryption software solution. The AES encryption algorithm and extensive 3rd party certifications offer you security that is used by millions. Try it for free today.

Related articles by Zemanta

• Why Use Data Encryption? (brighthub.com)
• Identity Theft in Laptops (socyberty.com)

Apparently, the year has already witnessed 325 incidents which has lead to the exposure of 8.3 million recosrds. This number definitely indicates that the overall incidents for they year 2010 will exceed the cases that had happened in 2009. The reported incidents in 2009 were 498.

While the Business industry had accounted 208 of the total incidents in 2009, this year the number has already reached 121 incidents. In 2009, the cases reported from the Government/Military sector were 2009, while this year they have already reached 54.

The most surprising of all the categories is the Banking sector. While last year (2009) there were ‘57′ standing at 11.4% of the total breaches. This year inside 6 months, while the number has grown to ‘37′ the percentage of incidents has dropped to 11.1%.

Once again – The report highlights a key and an alarming fact. 41.8% of the stories have been reported from the business vertical.

Statistical reports like these are a fair lesson for organizations to implement proper security policies in place. Not only do the organizations need to be proactive they also need to take appropriate measures to encrpy data, implement computer security software, data enryption methods etc.

Data Security with Alertsec Xpress

If you use a data security software a theft would simply be reduced to an insurance matter and cost of the hardware plus time to rebuild the laptop. That is certainly a small price to pay compared to what can happen if you lose confidential or senstive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.

Related articles by Zemanta

• Data Breaches up in 2008 (braintreepaymentsolutions.com)
• Stop Trying to be Me (Identity Theft) (socyberty.com)