Posts Tagged ‘Data Breaches’

Apple’s systems hacked, internal passwords stolen

July 6th, 2011

User names stolen from Apple server


Hacking attacks are on the rise. Hacker groups such as LulzSec have been successfully breaking into the networks of big companies like Fox, Sony, AT&T, PBS, Citigroup and even the CIA. LulzSec, an anonymous group of hackers, has claimed responsibility for hacking into several major company websites.

The latest in the line is Apple’s website. It appears that hackers broke into Apple’s systems before posting a list of user names and password hashes online. The names were not linked to the more than 200 million customer credit cards stored on the iTunes online store.

The complete story

Hacking group Anonymous broke into an Apple server, collecting 26 administrative user names and passwords. The group announced the breach through its Twitter where it shared a link to the data posted on text-sharing website Pastebin. “Apple could be target, too,” the group tweeted. “But don’t worry, we are busy elsewhere.”

The LulzSec group has been very active in the hacking field; it recently announced that it was ending its hacking operation and asked its supporters to back Anonymous instead. Their joint movement is called “AntiSec.” Both Anonymous and LulzSec have consistently targeted big companies and have been open about their political motives.

What does Apple have to say?

Apple declined to comment and has not yet confirmed the breach. Fortunately, the data that was taken has little value to the culprits.

Why is this happening?

“Part of the problem is that companies don’t have an incentive to disclose when a breach occurs unless it’s required by law,” said Ronald Deibert, director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. “But the volume [of attacks] suggests something is going on.”

Hacking operations by groups like Anonymous and LulzSec started with Sony, which is still having a hard time getting its systems back on track after its breach in April.

One of the reasons these hacking attempts succeed is the very nature of most major corporations’ digital presence. Until recently, a large company had an Internet website for public information and an “intranet” for internal use. The picture has changed drastically. A company’s public online presence now includes websites, YouTube channels, Facebook pages and Twitter accounts, every one of which can be compromised.

Add to this the high-profile nature of such services. Even though social networking platforms like Twitter or Facebook offer relatively little business value, they can be used to quickly and publicly embarrass a company. The latest example in the news is the Fox News Twitter account, which displayed fake Obama tweets. Stay tuned.

Time for giant corporates to tighten their security: AlertSec’s security services

Organisations, especially corporate giants, must have an information security policy in place that proves they have taken the necessary steps and measures to safeguard the information they gather. If these policies are not adhered to, regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Alertsec Xpress’s Check Point Full Disk Encryption is used by over 4 million users worldwide.


ACS:Law Fined over Data Breach

May 25th, 2011

Data Breach

A data breach is one of the most serious offences under internet and computer law. According to the ICO, every organisation should encrypt its data so that an unauthorised person cannot access it. The law says that data stored on the computers and mobile storage devices of every organisation must be encrypted, because these are the main targets of hackers. As most of this data contains personal details, if it is hacked or lost through someone’s fault, the organisation suffers, since the hacker can misuse the data for his own benefit.

Though every organisation is aware of the effect of data loss and the importance of data encryption, most of them neglect it. According to recent research, this negligence towards data encryption is mainly due to a lack of commitment from the ICO. In most cases the ICO has released the accused person or organisation after imposing only a minimal fine, whereas the fine actually provided for is very high.

Recently Andrew Crossley, the controversial solicitor, was accused of a data breach. It was found that he and his organisation were sharing files illegally. However, the information security world was shocked to learn that Andrew had been fined only £1,000 by the ICO for the breach.

The ICO gave some reasons in its defence. At a press conference it announced that the way Andrew and his organisation had used the personal details of other organisations and their clients was totally illegal and unlawful, and contrary to data breach law. As soon as it came to the ICO’s attention, the ICO took immediate action against Andrew. But because ACS:Law had seized all of Andrew’s property, he was unable to pay the full amount, and taking this into consideration the ICO reduced the fine.

But people are not happy with this decision, because under data breach law the fine should be £400 multiplied by the number of people whose data was misused, so the amount should have been far higher than £1,000. They have also questioned the impact and power of ACS:Law and the ICO, because under the law the ICO has no power to investigate the property of the accused person; it has to rely on that person’s own documents, which are very easy to manipulate. Although Andrew’s case went to court and the court also found him guilty of a data breach and of misuse, the ICO still failed to fine him more.

This is not the first time a person has been released by the ICO after being charged a very small amount of money. As a result, people are losing faith in the ICO day by day, and the government needs to take immediate steps to increase the ICO’s powers.

About Alertsec:
Alertsec is the front runner in offering data encryption as a fully managed service. We provide protection for all information stored on laptops and PCs in an easy, convenient and cost-effective way. By using the industry-leading Check Point Full Disk Encryption (formerly Pointsec) software, Alertsec has created a web-based encryption service that radically simplifies the deployment and management of PC encryption.


Fine Gael Website Hacked and Personal Data of 2,000 Supporters Breached

January 18th, 2011

Wherever organisations hold data, hacking attacks will continue to thrive, and in any professional organisation such attacks are a common, everyday occurrence. Through this blog we have been highlighting breach incidents that serve as strong warnings for organisations to improve their protection against data loss. One way of ensuring data security is the use of data encryption software.

Today we are going to talk about the Fine Gael party portal and how it became the latest victim of a data breach.

Fine Gael website Hacked by an “Anonymous” Group


Fine Gael party leader Enda Kenny

As mentioned above, the site in question is the new website of Fine Gael, an Irish political party. It was hacked by “Anonymous”, an online hacking group. The website had been launched the previous week to invite members of the public to share their views on policy and the future of Ireland.

Fine Gael was founded in 1933 and is considered a moderate political party. On Tuesday the party replaced its old website, finegael.ie, with the new website finegael2011.com, hosted by ElectionMall Technologies, a US internet firm.

Personal Data of Around 2,000 Supporters Revealed

So how does it feel to be among those whose data is revealed? That is exactly what happened to the supporters of Fine Gael. The hacking incident affected the personal data of around 2,000 supporters, and Irish Central reported that the number affected is expected to rise to 4,000. The attack took place on Sunday, and immediately afterwards the website was forced offline. The hacker forwarded a file of personal details to media organisations; the file contained the IP addresses, phone numbers and e-mail addresses of approximately 2,000 people.

Why the New Hosted Website was Hacked

According to the attackers, the site was hacked because comments submitted by users were being censored; they forwarded around 2,000 members’ details together with the claim that the party was censoring comments from the public. The hackers also posted a message on the Fine Gael website after removing the one that had been posted there. Their message read: “Nothing is safe, you put your faith in this political party and they take no measures to protect you. They offer you free speech yet they censor your voice. Wake up!”

A spokesperson for Fine Gael said the attack was “assumed to be by Anonymous”, but “the link is yet to be proven”.

This online “Anonymous” group is best known for its attacks on websites and recently also tried to bring down several payment sites, including Mastercard.com and Visa, in connection with the blocking of payments to Wikileaks.

Action Taken By the Party

As a follow-up, the party has informed the people whose data was compromised about the breach by e-mail, warning them that the stolen data included personal details such as names, e-mail addresses, constituency details and phone numbers. Fine Gael contacted the Data Protection Commissioner, Billy Hawkes, who is investigating the case, and also contacted the Garda Computer Crime Unit in relation to the attack. The FBI has also become involved after ElectionMall contacted the US police.

According to Hawkes, the party suspects that the personal data of those who posted comments or registered their details has been compromised. In a statement the party said the website will remain offline “while we follow-up with the appropriate authorities to resolve the matter.”

How Alertsec Xpress Would Have Helped

In an incident that highlights the need for data security and recovery software, the threat could have been reduced to a mere insurance matter for an investment of $13/month. The information would have remained secure, with no loss whatsoever. That is certainly a small price to pay compared with what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.


Better Business: How Data Breaches can lead to Identity Theft

January 12th, 2011
Image: identity theft (by Rosie O’Beirne via Flickr)

Data breaches continue to plague businesses, and there are likely thousands of data breaches that go undetected or unreported. People have been victimised by security breaches multiple times, for example by their schools, local, state or federal government, financial institutions or many other organisations, and some organisations have suffered multiple breaches. Most reported breaches could not clearly state how much data was accessed or stolen.

What Counts as a Data Breach?

A data breach is the release of secure information to an untrusted environment, whether intentionally or unintentionally. It is a security incident in which confidential or protected data is stolen, transmitted or used by an individual who is not authorised to do so. A data breach may involve personally identifiable information (PII), personal health information (PHI), credit card details or bank details. It may also involve corporate trade secrets or intellectual property.

Reported Data Breaches Every Year

Approximately 10 million people are victims of identity theft every year. The Identity Theft Resource Center recorded 662 data breaches in the United States in 2010, nearly a 33 percent increase on the at least 498 data breaches reported in 2009, which was itself an improvement on the 657 of the year before. According to lists maintained by private groups that track breach reports, more than 570 cases of data breach were reported from January 2005 through December 2006.

Big Companies are also not Safe

Well-established hospitals, government agencies and other organisations have also been victims of data breaches. Recently some big companies, such as fast-food giant McDonald’s and Japanese automaker Honda, were also affected by data breaches. So it is not a question of how big a company is but of how aware it is of data security and encryption software. Since 2005, only 46 states and three territories have enacted data breach laws.

Companies must be Proactive in Notifying Consumers

Under state and federal laws, companies must be proactive in notifying consumers in the event of a data breach. If you are a business owner or executive, you have a responsibility to minimise the damage from a data breach. As soon as you become aware of a potential breach, seek assistance from an attorney or risk-consulting company; they can help identify what state or federal law requires you to do, including alerting consumers or government agencies. Most companies will set up a hotline for consumers to address their concerns and questions.

Consumers can File a Fraud Alert

If consumers receive a notification about a breach that they don’t fully understand, they can call the company. They can also call their financial institution and ask for advice on what to do. They should check their statements as soon as they receive them and notify the financial institution immediately if there are fraudulent charges. They can also file a fraud alert with all three credit reporting agencies (Equifax, Experian and TransUnion); the agencies are then required to flag their credit report for 90 days and notify them if someone tries to open a new account using their information.

Securing sensitive consumer information is a major responsibility for organisations. They need to do a much better job of handling and storing sensitive digital data, and must increase their awareness of, and reaction to, data and security breaches. Securing personal data is a very difficult task, and it is essential for organisations to use encryption programs. This is the only secure way to safeguard the data.



The Ghost of the Laptop Thief Strikes Again

February 12th, 2010

Who is he? Is he the mysterious man who breaks through walls and steals data, or is he A.J. Raffles? Whatever the case, the data thief is striking quite regularly and making it big every time. This time his victim was the corporate office of AvMed Health Plans in Gainesville. The objective was to steal two company laptops. But, as in Ceridian’s case, the loss was not just the cost of the physical devices: it also meant that the personal information of more than 200,000 current and former subscribers and their dependents was compromised.

Once again, the exposed data was the usual set of items:

  1. Personal information, including names, addresses and phone numbers
  2. Social Security numbers
  3. Protected health information

While we believe that any data loss needs to be treated with a high degree of seriousness, in this case the company stated that the data was randomly structured and that the losses resulting from the theft are very low as well.

How did the invisible ghost strike?

It is surprising, and difficult to understand, that the laptops were stolen from behind locked doors. According to the security staff, the conference room doors were properly locked in the evening, but when they returned the next day the laptops were gone. Apparently the only people holding keys are the security staff and the cleaning crew. So does this mean we should zero in on them as the invisible ghosts?

Rightly, though, Cochita Ruiz Topinka, the AvMed spokeswoman, said that they did not want to jump to any conclusions.

Why the delay in announcement?

If you look carefully, there was a considerable delay in announcing the security breach. While the incident was discovered in December, the public announcement was only made on 5th February. According to the authorities, the delay was intended to avoid interfering with the investigation and to allow identity protection services to be set up.

The magnitude of the loss

As mentioned, it is believed there is no major loss, since the data was completely unstructured. However, things will become clearer once members begin the identity protection registration process.

Ed Hannum, President and COO, said in a press release: “We will do all we can to work with our members whose personal information may have been compromised and help them work through the process. We regret that this incident has occurred, and we are committed to prevent future occurrences.”

Data theft humour: via I’ve Been Mugged

What you can do

In the meantime, if you are an affected subscriber, this is what you can do. Register with the Debix Identity Protection Network, which will tell you whether your information was potentially exposed. You can call Debix at 877-263-7998 (TTY 877-442-8633).

Be it Ceridian, Hitech or AvMed, the sequence of events is very similar. A physical device, such as a laptop or portable disk, is stolen. The loss is reported to the authorities, there is an initial silence, and after a period of weeks or months it is made public. While we can understand the delay on the authorities’ part, what certainly does not augur well is the state of encryption. If organisations used the right data security software and laptop encryption methods, the data would remain protected even when a physical device is stolen.