Posts Tagged ‘lawsuit’

Lawsuit filed against Countrywide

April 11th, 2010

There is a serious threat to customer data in organizations worldwide: the data that holds names, ages, Social Security numbers and so on. As IT systems become an inherent part of an organization’s assets, we are also witnessing an increase in reported data-loss incidents. The impact of such a loss is huge and carries financial consequences.

The latest casualties are the customers of Countrywide Financial. Disturbed customers have filed a class-action lawsuit over the 2008 data breach that enabled company insiders to steal and sell their personal information. According to a Courthouse News Service report, the class-action lawsuit, on behalf of 16 plaintiffs, seeks $20 million in damages, plus punitive damages.

The data theft, originally attributed to a single employee working over a two-year period, has now exposed tens of thousands of customer records. The lawsuit alleges that Countrywide Financial employees stole and sold “tens of thousands, or millions” of customers’ personal financial information.

While going through one of the news stories, we found the letter that was sent to the customers. Here is a copy of the letter:

According to the lawsuit, the defendants were slow to admit the massive breaches of confidentiality and offered little or no support. The complaint states: “Countrywide delayed several months before informing their customers.” “Finally, Countrywide informed only certain of their customers by letter and offered in settlement to refer the customers/borrowers to counseling, when it was Countrywide that needed to review and repair its internal procedures.”


Stay Secure, Protect Your Data – Get Alertsec Now

Alertsec Xpress offers computer security software from Check Point as a fully customizable and pre-packaged data encryption software solution.


Massachusetts Enforces New Security Laws for Consumer Protection

February 26th, 2010

As we predicted earlier this month, more legislation is being passed by governments to hold companies accountable for data breaches and to raise the overall security of businesses. Massachusetts is the latest to join this trend: starting March 1st, businesses in the Commonwealth will be held to a much higher standard when protecting their customers’ personal data. Organizations that fail to comply with the new law before the start of next month can face fines and be liable for civil lawsuits.

The new legislation is extremely important because, even though it only applies to companies in a specific state, it has many global implications. The main one is that governments are taking note of security breaches and treating them as a serious threat. The new laws demonstrate that businesses which fail to protect their internal data will face punishment. Data encryption needs to be part of every corporation’s security strategy: the law specifically requires that personal customer information be encrypted!

A Look at the New Laws

Massachusetts Privacy Law – 201 CMR 17 Compliance [PDF] was created to protect customers from identity theft and other harm that results from a company revealing personal information to outside parties. The law outlines the measures businesses need to take to keep customer data secure. An article from Bank Info Security summarizes the new rules:

The new law, Massachusetts identity theft regulations, 201 Code of Massachusetts Regulations 17.00, applies to any individual, company or organization that handles personal information in connection with employment or the sale of goods or services. Under the law, Massachusetts will require any entity that stores or transmits residents’ personal information to encrypt the data when it’s stored on portable devices or transmitted via the Internet. The personal information is a combination of customers’ or employees’ names and their Social Security, bank account or credit card numbers. The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) says it is trying to create a culture of security around personal information.

The article points out that the law may be difficult to enforce; in fact, the original compliance deadline was pushed back from August 2009. However, Massachusetts businesses shouldn’t rest easy: those found in violation of the law can face severe penalties under Regulation of Trade, chapter 93A, section 4, including:

  • Civil penalty of $5,000 per violation
  • Payment of the costs of investigation and litigation of such violation (including attorney’s fees)
  • Payment to victims of security breach

How to Respond

Businesses, particularly those in Massachusetts, need to develop comprehensive long-term security plans for protecting their customers. The new laws aren’t meant to penalize companies for experiencing data breaches; rather, they’re meant to encourage companies to practice sound security. Organizations worldwide can follow the laws voluntarily and enjoy a higher level of security and, ultimately, better relations with customers.

In order to avoid unnecessary costs associated with data breaches, companies need the right technology. Our Alertsec Xpress full disk encryption service helps businesses comply with new laws by securing customer data. We offer encryption software that’s extremely easy to use and a must-have for any company which wants to be protected from online threats.

Further Reading
Mass. Data Privacy Law: Are You Compliant? [Bank Info Security]
Massachusetts raises the bar for personal data protection, globally [Ovum]


ING Compromises Customer Data

February 14th, 2010

Millions of people use search engines like Google to access all sorts of information every day. It’s become a common practice for users to search their names to see what comes up.

Imagine doing that and seeing your personal information show up in the search results, available for anyone to see. Everything including your address and social security number would appear. A security breach by the Internationale Nederlanden Groep (ING), a worldwide financial service provider, made this horror a reality for 106 of its customers. Though the file which hosted the compromised data has since been removed, the repercussions of the breach are still largely unknown.

Investigating the Breach

A filing [PDF] from the company to the New Hampshire Attorney General’s Office explained:

On January 25, 2010 a customer alerted her securities broker to the fact she was able to access customer information through the ingfunds.com website. An electronic file containing customers’ personal information was inadvertently made accessible through the ingfunds.com website due to an isolated error, which has been resolved. The file was mistakenly posted to the website in August 2008. The error was quickly detected and the ability to access the file via link on the website was removed. The file, however, remained accessible through a specific search conducted via a web search engine. The file included the name, address, account number and social security number for 106 shareholders.

It’s remarkable that ING stored the private details of some of its customers in a file that wasn’t encrypted or even hosted on a private server. What is really dangerous is that accessing this information didn’t require any complicated hacking: a clever search engine user could stumble on the Social Security numbers and do untold damage! Customers of financial institutions deserve a higher class of service; organizations like ING have a responsibility to ensure that the information they’re entrusted with remains well protected.

Next Steps and Lessons for ING

While poor data security is hard to forgive, ING acted quickly to resolve the issue and has done everything possible to help the customers affected. On top of alerting the authorities in a timely manner, the company investigated each affected customer’s account and announced that no suspicious activity had occurred. As an additional apology, ING offered a free year of credit monitoring and fraud coverage to the 106 customers to reduce the future risk of identity theft.

Unfortunately, ING can’t get out of this embarrassing situation that easily. Mainstream media will pick up the story, damaging the business’s reputation and brand image. Moreover, the error may be a lot more serious than the company realizes. It’s very likely that a number of the 106 victims will leave ING and take their business elsewhere. Some may even sue the company, especially if they incur damages due to the security breach. Identity theft may have already happened; sometimes it takes a while for the crime to be noticed. Even the Attorney General may end up imposing a fine for irresponsible business practices!

Keeping customer data secure should be an imperative for any business organization. Companies need to protect private information to avoid all the problems that ING will have to deal with in the coming weeks and months. Had ING encrypted the files which contained personal user details and stored them on a private server, this debacle could have easily been avoided.
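The regulation quoted in the Massachusetts post above defines personal information as a name combined with a Social Security, bank account or credit card number, and the ING file was exactly that kind of record sitting in a public web directory. A cheap control that catches this class of mistake is a scanner that runs over any file before it is copied into a web-served directory and refuses the publish step when such identifiers are present. The following is an added example written for this page, not code from the original post or from ING or Alertsec. It assumes US-format SSNs written with dashes, uses the Luhn checksum to weed out digit runs that merely look like card numbers, and operates on a constructed sample export; the data rows are made up for the demonstration.

```python
import re
from dataclasses import dataclass

# Patterns for the identifier types named in 201 CMR 17 (assumption: US formats).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    line_no: int
    kind: str      # "ssn" or "card"
    masked: str    # only the last four digits are kept in reports and logs


def mask(value: str) -> str:
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return every SSN or Luhn-valid card number found, one Finding per hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding(line_no, "ssn", mask(m.group())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_valid(digits):
                findings.append(Finding(line_no, "card", mask(digits)))
    return findings


def safe_to_publish(text: str) -> bool:
    """Gate for a deploy or upload step: True only when nothing was flagged."""
    return not scan_text(text)


# Constructed sample: a shareholder export like the one described in the ING filing.
SAMPLE_EXPORT = """\
shareholder,address,account,ssn
Jane Doe,1 Example St,ACCT-0001,123-45-6789
John Roe,2 Example Ave,ACCT-0002,987-65-4321
Card on file (constructed): 4111 1111 1111 1111
Reference id: 9999999999999999
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_EXPORT):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
    print("safe to publish:", safe_to_publish(SAMPLE_EXPORT))
```

The last sample line is a 16-digit run that fails the Luhn check, so it is not reported; the two SSNs and the test card number are. Wire `safe_to_publish` into the upload script so that a failing scan stops the copy rather than merely logging it, and keep the masked output as the only thing that reaches a ticket or log.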

Further Reading
ING Fund client data exposed on the web for 18 months [Office of Inadequate Security]

RockYou’s Sour Rhapsody

January 31st, 2010

RockYou.com, once a successful major application developer for popular social networking websites like Facebook and MySpace, is now singing a different tune. While the technology company had enjoyed great success toward the end of 2009 and secured a significant amount of funding for its projects, it experienced a major security breach as it was ushering in the New Year. As we mentioned in an earlier post, a ton of personal information was leaked. An exploitable flaw in the site’s SQL database gave hackers and other clever computer geeks access to RockYou’s entire list of users and their passwords.

While outside database access is never a good thing, the situation could have gone a lot more smoothly for RockYou if it had protected its information using data encryption software. The company’s storage method was a little ridiculous; according to Techcrunch: “The database included a full list of unprotected plain text passwords. And email addresses!” Not only did the company fail to keep the database protected, it didn’t even try to secure its users’ private information! As you can imagine, the fiasco is still hurting RockYou. The site had to put up an apologetic security notice and send out messages to every user, asking them to change their password and informing them of the cyber attack.

The Rocky Future

Though RockYou has already suffered a serious blow to its reputation in the technology world, the worst is yet to come. A class-action lawsuit has been filed against the company, led by Alan Claridge. The complaint alleges:

“While some security threats are unavoidable in a rapidly developing technological environment, RockYou recklessly and knowingly failed to take even the most basic steps to protect its users’ personally identifiable information by leaving the data entirely unencrypted and available for any person with a basic set of hacking skills to take the PII of at least 32 million customers…

It is anyone’s guess whether the case will be heard and tried in the courts (it’s more likely that RockYou will work out some sort of settlement agreement), but the damage is already done. As a business that appears to depend primarily on investors for capital, RockYou has lost its status as a secure corporation and is likely to have trouble in the future.

Lessons to be Learned

An interview with a person claiming to be the RockYou hacker points out a scary truth: 30% of websites store their users’ login information without encryption, keeping plain text passwords in their database. While there’s no way to verify the statistic, its main message rings true. Most companies, even online businesses, are woefully unprepared for the dangers of the Internet. Full disk encryption, something that should have been a standard for many years, is still unknown and unused by a multitude of companies.
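The figure above is about passwords kept verbatim in the application’s own database, the storage method the Techcrunch quote describes. The standard defence for that specific problem is a per-user salt and a deliberately slow password hash, so that a copy of the table obtained through a flaw like RockYou’s does not hand over a single password. The following is an added example written for this page, not code from the original post or from RockYou; it contrasts a plaintext table with a PBKDF2-HMAC-SHA256 table using only the Python standard library. The class names, the 200,000-iteration work factor and the sample account are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor (assumption); raise it as hardware gets faster


class PlaintextStore:
    """The RockYou pattern: the password itself is the stored record."""

    def __init__(self):
        self._rows = {}

    def register(self, email: str, password: str) -> None:
        self._rows[email] = password

    def verify(self, email: str, password: str) -> bool:
        return self._rows.get(email) == password

    def dump(self) -> dict:
        # Anything that can read the table (a SQL flaw, a leaked backup) gets every password.
        return dict(self._rows)


class HashedStore:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; only salt and digest are stored."""

    def __init__(self):
        self._rows = {}

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self._rows[email] = (salt, digest)

    def verify(self, email: str, password: str) -> bool:
        row = self._rows.get(email)
        if row is None:
            # Spend the same work for unknown accounts so response time does not
            # reveal which e-mail addresses exist.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
            return False
        salt, digest = row
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(candidate, digest)  # constant-time comparison

    def dump(self) -> dict:
        # What a table read yields: random salt and a digest that must be brute-forced
        # per user at ITERATIONS hashes per guess.
        return {email: (salt.hex(), digest.hex()) for email, (salt, digest) in self._rows.items()}


def leak_exposes_password(store, email: str, password: str) -> bool:
    """True if the raw stored record for `email` contains the password as written."""
    return password in str(store.dump()[email])


if __name__ == "__main__":
    # Constructed sample account for the demonstration.
    email, password = "user@example.com", "Sour-Rhapsody-2010!"
    for store in (PlaintextStore(), HashedStore()):
        store.register(email, password)
        print(type(store).__name__, "login ok:", store.verify(email, password),
              "leak exposes password:", leak_exposes_password(store, email, password))
```

Both stores accept the right password and reject the wrong one; the difference shows only in `dump()`, which is the view an attacker with database read access has. For the hashed store that view is a salt and a digest, so an exposure of the table becomes a per-user brute-force problem instead of an immediate credential list.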

It’s best not to have a shocking wake-up call like the security team at RockYou did. Choosing to purchase encryption software before disaster strikes will help avoid P.R. disasters and keep you out of the courtrooms. To try the proven technology we offer and protect your business, sign up for a free trial of Alertsec Xpress today!

Further Reading
RockYou Raises A Whopper – $50 Million In Venture Capital [Techcrunch]
Serious SQL flaw could have compromised millions of Rockyou.com users [Net-Security]
One Of The 32 Million With A RockYou Account? You May Want To Change All Your Passwords. Like Now. [Techcrunch]
Social Application Developer RockYou Sued After Data Breach [Softpedia]
RockYou Hacker: 30% of Sites Store Plain Text Passwords [ReadWriteWeb]