We are undergoing a data protection renaissance. New laws have considerably expanded corporate obligations regarding security and privacy for information in all forms. One significant obligation of these laws applies to basically all organizations: the duty to provide reasonable security for all corporate information. Bottom line, almost all organizations now have some legal obligation to establish an effective information security program. It is important to realize that in most cases there are no hard and fast rules regarding which specific security measures a company should implement to satisfy its legal and privacy law obligations. In this podcast I discuss what you need to know to protect your business when trying to comply with the multitude of privacy laws, and I describe a unified, process-oriented best practice approach organizations can use to address the requirements of such laws as HIPAA, GLBA, Canada’s PIPEDA and the EU Data Protection Directive, among many, many others.
Archive for June, 2006
Insider Threat Example: Bank Employee Gives Customer Data to Fraudsters Who Then Took Funds From Accounts
Friday, June 30th, 2006
Here is another example of an actual insider threat…how an employee with access to customer funds used this access to commit fraud…
"The Bangalore police have arrested one 24-year-old Nadeem Kashmiri, on charges of having leaked confidential customer data from a BPO of HSBC, resulting in a loss of almost 233,000 pounds (Rs 1.95 crores) to the bank’s UK-based account holders.
HSBC says it takes its data protection responsibilities very seriously, and that hence it has initiated legal action against Kashmiri, who until earlier this month was an employee at HSBC’s Bangalore global service center.
Kashmiri was an employee of HSBC Electronic Data Processing India (HDPI), an offshore unit of the multinational bank. The bank approached the police on June 22, once it was convinced about his involvement. The police had been on the lookout for him since then.
Meanwhile, Kashmiri is accused of passing-on confidential information pertaining to certain HSBC customers in the UK that was used to access the bank accounts of the victims through telephone banking services. Impersonating genuine account holders, the fraudsters extracted funds out of these accounts. They also carried out fraudulent transactions through the ATM and debit cards of the victims. It is reported that a gang of scamsters in the UK had paid Kashmiri for carrying out this fraud.
The fraud was uncovered by HSBC’s own security teams, when some customers complained to the bank about discrepancies in their accounts, ultimately leading to Nadeem Kashmiri’s suspension in April pending HSBC’s investigations.
HSBC, convinced that Nadeem Kashmiri had perpetrated the fraud, terminated his employment, and reported the crime to the Bangalore police. HSBC is assisting the Indian police in their investigations, and the bank intends to pursue Kashmiri’s conviction as vigorously as possible.
The Bangalore police will be in touch with their UK counterparts to solve the case; and HSBC is in touch with affected customers who have been assured of full reimbursement of losses."
This case points out the need for good information security controls along with audit logs and the ability to monitor access to sensitive data. There will always be personnel who will do bad things if they have the opportunity. However, effective detective controls, used alongside preventive controls, will help to address the insider threat.
It is a good case study for an information security awareness or training exercise.
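As an added example that is not part of the original post and has nothing to do with HSBC's actual systems, the Python below shows the kind of detective control the case calls for: it parses a constructed customer-record access log and raises an alert when one employee views an unusual burst of distinct customer accounts within an hour, or views records with no case reference attached (no visible business justification). The log layout, the user names, the account identifiers and the threshold are all assumptions made for this illustration.

```python
"""Detective control for insider access to customer records.

Parses constructed audit-log lines (sample data, not real bank data) and
raises alerts when an employee's access pattern deviates from normal
call-centre work:
  * a burst of distinct customer records viewed inside one hour, or
  * record views with no case reference (no business justification).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log; the "ts key=value ..." layout is an assumption.
SAMPLE_LOG = """\
2006-06-10T09:02:11Z user=agent17 action=view_customer account=UK-1001 case=C-5531
2006-06-10T09:15:40Z user=agent17 action=view_customer account=UK-1002 case=C-5532
2006-06-10T10:01:03Z user=agent17 action=view_customer account=UK-1003 case=C-5540
2006-06-10T22:10:00Z user=agent42 action=view_customer account=UK-2001 case=-
2006-06-10T22:10:09Z user=agent42 action=view_customer account=UK-2002 case=-
2006-06-10T22:10:17Z user=agent42 action=view_customer account=UK-2003 case=-
2006-06-10T22:10:25Z user=agent42 action=view_customer account=UK-2004 case=-
2006-06-10T22:10:33Z user=agent42 action=view_customer account=UK-2005 case=-
2006-06-10T22:10:41Z user=agent42 action=view_customer account=UK-2006 case=-
2006-06-10T22:11:02Z user=agent42 action=view_customer account=UK-2007 case=-
"""

# Distinct accounts per user per hour that triggers a burst alert (assumed value;
# in practice derive it from the team's historical baseline).
BURST_THRESHOLD = 5


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict; None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    rec = {"ts": ts}
    for field in parts[1:]:
        if "=" not in field:
            return None
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def detect(log_text):
    """Return alerts as (user, reason, detail) tuples, in a stable order."""
    alerts = []
    hourly = defaultdict(set)    # (user, hour bucket) -> distinct accounts viewed
    no_case = defaultdict(list)  # user -> accounts viewed without a case reference
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("action") != "view_customer":
            continue
        user = rec["user"]
        bucket = rec["ts"].replace(minute=0, second=0)
        hourly[(user, bucket)].add(rec["account"])
        if rec.get("case", "-") == "-":
            no_case[user].append(rec["account"])
    for (user, bucket), accounts in sorted(hourly.items()):
        if len(accounts) >= BURST_THRESHOLD:
            alerts.append((user, "burst",
                           f"{len(accounts)} accounts in hour starting {bucket.isoformat()}"))
    for user, accounts in sorted(no_case.items()):
        alerts.append((user, "no_case_reference",
                       f"{len(accounts)} views without a case reference"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the sample, agent17's three case-backed views during the day produce nothing, while agent42's seven back-to-back views at 22:10 with no case reference produce both a burst alert and a no-case-reference alert. The point is that the audit log has to record who viewed which record and why before any of this can be checked; without the case field, the second rule cannot exist at all.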
On Day Stolen VA Laptop and Disk Recovered, VA Announces They Also Lost a Backup Tape In A Different Location
Friday, June 30th, 2006
Well…Jim Nicholson, the VA Secretary, must be relieved the much publicized stolen laptop and disk were recovered (more on that later), but then he announced a backup tape "with more than 16,000 case records is missing from the Veterans Affairs regional office in Indianapolis."
Actually the backup tape was discovered missing on May 5, two days after the laptop and disk were stolen. Why did they wait to announce this additional incident along with the news of the recovered laptop and disk? Did the VA think that it would be just too overwhelming for the public to learn that the records of 26.5 million veterans and individuals in active service were stolen AND that a backup tape was missing? Likely they didn’t want to look even more sloppy with information security practices…with incidents occurring at virtually the same time in different locations. I guess yesterday they saw a good opportunity for a "we have some good news, and bad news" moment.
Or, did they plan not to report the lost backup tape at all, but then decided it would lessen the impact of that incident if they announced it WITH the news that the laptop and disk were recovered? Both took way too long to be reported to those whose personal information was stored on the devices.
And the statements downplaying the likelihood that the data on the recovered laptop and disk was accessed are meant to be positive spin, but c’mon! In this day and age a significant portion of the population knows that complete disks and files can be copied without leaving any evidence of such activity. Regarding the recovered laptop and disk…
"The FBI, in a statement from its Baltimore field office, said a preliminary review of the equipment by its computer forensic teams “has determined that the (Maryland) data base remains intact and has not been accessed since it was stolen.” More tests were planned, however."
Who knows…or will ever know? It’s very possible the data was not copied. But it’s also possible it was. Why can’t the agencies involved with investigations be upfront with their statements and just admit that there is no way they can determine whether or not the data was copied?
Organizations that have incidents, thefts and losses need to realize there are tens of thousands of information security professionals who know better than to believe their spin. They should not release such downplaying comfort statements to the public in the same way a parent talks to a preschool child. Not only will info sec pros see right through the spin, but those with no info sec savvy will gullibly believe that they have nothing to worry about. People need to realize there are many more bad things that can be done with personal information than just committing identity theft…and the bad things can occur for a very long time after the incident.
"A missing laptop and hard disk containing personal data on over 26.5 million veterans has been recovered, Department of Veterans Affairs (VA) Secretary Jim Nicholson announced this morning.
"The investigation continues to see whether or not this information has been compromised in any way," or whether copies of the data have been made, Nicholson said just before a scheduled hearing before the House Committee on Veterans Affairs."
I did not see any press release about it on the official VA info website however…hopefully they will post something soon.
More on this later…I want to see what the official VA press release says about this…and of course how the situation develops and impacts the credit monitoring promises…and what forensics will be done on the recovered computer and disk…etc…
Technology continues to advance, security tools continue to emerge, but the good ol’ tried and true social engineering exploit is still as effective as it ever was. I found an article published today, "Hook, line and sinker," very interesting. It describes how computer-based attacks, such as phishing exploits, are being combined with social engineering.
There are some good stories within this article. They help demonstrate the need for a comprehensive information security and privacy training and awareness program that includes information on identifying, and not falling victim to, social engineering attacks, and they could also be used directly within your training and awareness efforts.
Yesterday (6/26) a Market Wire news story reported ANSI was partnering with the Council of Better Business Bureaus (CBBB) to establish a new standards panel to address identity theft prevention and identity management standards.
This is a good proactive move; if a comprehensive federal law cannot (or will not) be created to address data protection and privacy in a way that provides good guidance and data protection requirements for all types of businesses, then it makes sense that non-profit organizations step up to grab the bull by the horns and provide sound guidance…actionable standards for businesses to use to demonstrate due care while also protecting information using realistic means. That is my hope for such standards, anyway. (I’m optimistic)
This partnership was actually announced by ANSI on 6/23. The following is an excerpt:
"The prospective panel would serve to identify existing published standards (and those in development) as they pertain to identity theft protection as well as identify areas of need where updated or newly developed standards would further minimize the threat of identity theft or enhance identity management.
Standards pertinent to the panel’s work may cover areas such as:
- Protocols for managing sensitive customer data — Access, management, storage, and disposal;
- Employment records management, storage, access and disposal;
- Employee qualifications and training to handle sensitive data;
- Criteria for selecting contractors who use or maintain organizational data;
- Remedies to quickly recapture and restore the integrity of stolen identities or other personally-identifiable information;
- The possible utility of universal identifiers as a tool to combat identity theft and fraud;
- Protocols to anticipate new identity theft tactics as the marketplace continues to evolve."
Well, this list isn’t definitive; notice the news release indicated the "work may cover" these areas.
Some of the items in the list are also noble, but lofty, goals…particularly the last three listed. However, it is good that these issues will be addressed by organizations that will hopefully have people involved with the project who are knowledgeable in information security, privacy and realistic business practices.
I’ll monitor activity and see where the initiative goes…hopefully it will be a vast improvement!
Yesterday ZDNet published a story, "Microsoft to publish its privacy rules."
"Microsoft plans in August to publicly release the privacy rules its employees have to follow when developing products. The move, which offers a look behind the scenes at Microsoft, is meant to give the industry an example of what the software giant sees as best practices in customer privacy, said Peter Cullen, the chief privacy strategist at Microsoft."
Indeed most organizations need help with creating privacy standards. Privacy is a relatively new concept within organizations, and most still view it solely as a legal issue. It is so much more.
Privacy, in addition to information security, must be built into all business processes, from the beginning of the planning stage all the way through to the retirement of a process. Privacy policies, procedures and standards must be created to ensure consistent privacy implementation throughout all levels and areas of the enterprise. Most organizations do not have privacy policies (beyond just their posted website privacy statement), let alone privacy procedures and standards. If Microsoft has good standards to use as a model, then I applaud their efforts.
"This is designed for an IT pro or a developer, in terms of: ‘If you’re building an application that does X, this is what we think should be built,’" he said. "The public document will use a lot of ‘shoulds.’ Inside Microsoft, those are ‘musts.’"
This could be a fantastic document to help CISOs and CPOs partner to provide guidance to IT areas in creating standards for programmers and developers. It would also be a good start in leading the privacy standards development efforts for the rest of any enterprise. So many areas have access to personally identifiable information (PII) and communicate directly with customers, consumers and employees that it is critical they know the ways in which the PII must be protected, and the ways in which communications must occur, so that they release PII consistently and do not end up being socially engineered into revealing it. This requires more than just high-level policy statements (which are certainly necessary); it also requires detailed procedures specific to business services and products, and standards to ensure consistent application across the enterprise.
This is also a good example to set for other vendors who need to be addressing privacy within their own products. Perhaps Microsoft should challenge the other technology giants to also make their privacy standards public…I wonder how many of them actually even have such documents?
I’m not saying that Microsoft is perfect in their information security and privacy practices…no company is…they can definitely improve in places. However, it is admirable that they are willing to open themselves up to such scrutiny; will others follow suit?
When checking the news this morning I felt like I was in the Twilight Zone; it seemed that the news of information security incidents just kept popping up, one right after the other.
I envisioned a TZ episode, perhaps entitled, "Data Wants To Be Free," with the plotline: Overnight all the personal data for every business in North America and the EU (yes, this needs to be an international story) has been stolen…every hard drive, every storage device and every laptop computer…CISOs and CPOs anguish about what to do while copies of everyone’s personal data that were on these devices continue to be mysteriously posted to thousands…no, make that millions…of Internet sites…the major credit reporting agencies increase their computing power to accommodate credit monitoring for basically all the U.S.’s…and rest of the world’s…population…the public panics and jams the credit card companies phone lines with requests to cancel their accounts and establish new ones… Okay, I’ll stop with the silly storyline…but is it really so far-fetched? 🙂
Back to the real (and in many ways equally as scary) news…
Here are the first eight incident stories that leaped out at me this morning; I found many more after these, most in smaller venues, but I think this listing demonstrates how information security and cybercrime really seem to be out of control with data virtually flying out of businesses and going to who-knows-where every day.
- Tops employees’ personal data stolen (Buffalo News) – For the second time in a month, a laptop computer containing personal information on Tops Markets employees has been lost, the supermarket’s parent company said Friday. The computer was stolen from a Deloitte Accountants employee during a commercial airline flight, said a spokesman for Dutch supermarket company Royal Ahold NV. Neither Ahold nor Deloitte would say when or where the laptop was stolen, how many supermarket employees are affected or exactly what personal information is at risk. (click the link to read the full story)
- Navy finds sailors’ private info on Web: Latest in string of security gaps affects 28,000 (San Francisco Chronicle) – Navy officials this week discovered that personal data for nearly 28,000 sailors and family members appeared on a public Web site, fueling more concerns about the security of sensitive information belonging to federal employees. (click the link to read the full story)
- City Hall break-in puts thousands at risk (Hattiesburg American) – Thieves who broke into Hattiesburg City Hall made off with more than $150,000 in computer equipment, including four computer servers that contained personal information of at least 23,000 city residents and employees. Sometime late Thursday or early Friday, two unidentified men broke out a window on the southeast side of the building to gain entry into the basement level. There they shattered the door of the information technology department and took the computer equipment, Hattiesburg Police Chief David Wynn said Friday. (click the link to read the full story)
- Stop & Shop employees’ data stolen (Worcester Telegram) – A laptop computer containing personal information of current and former employees of supermarket chains Stop & Shop, Giant and Tops was stolen during a commercial flight, the supermarkets’ parent company said yesterday. It was the second such incident disclosed by the company this month.
The U.S. subsidiary of Dutch parent company Royal Ahold and an auditor whose employee had the computer would not say when the laptop was stolen, how many supermarket employees were affected or describe what personal information had been divulged. (click the link to read the full story)
- 619 students’ secure data revealed online (Bradenton Herald Today) – A number of Catawba County high school students received an unwanted adult-world graduation present: Their Social Security numbers were exposed on the Web. The mother of a graduate found the numbers along with test scores of 619 students on a school Web site this week. She found the page while looking on Google for information about a beauty pageant contestant. Catawba County Schools officials said the page was password protected and they had no idea how Google got access. Google was working to remove the page Friday night. (click the link to read the full story)
- Identity data stolen along with laptop (Roanoke) – A laptop containing the personal information of more than 200 people was stolen from a Roanoke-based staff attorney for the federal Social Security Administration. The computer contained the names, Social Security numbers and, in some cases, medical information of the 228 people whose records may have been compromised, said Mark Lassiter, a spokesman for the Social Security Administration. (click the link to read the full story)
- Thief steals Bank of the Orient ID data (Pacific Business News) – An estimated 28,000 consumers of Bank of the Orient are potentially at risk for identity theft after a robbery at a branch in Los Angeles, the company said Friday. The San Francisco-based bank, which has two branches in Honolulu, said magnetic tapes containing customers’ names and Social Security numbers were stolen during the heist. (click the link to read the full story)
- STOLEN LAPTOP CONTAINED STUDENTS’ PERSONAL INFORMATION (Bay City Newswire) – A laptop stolen from a San Francisco State University faculty member’s car on June 1 contained identity information of 3,035 business students, SFSU spokeswoman Ellen Griffin said today (June 23, 2006). The university was notified of the incident on June 6 and alerted students on June 13. About 95 percent of the names on the stolen computer were alumni, but some were current students. There is no indication that information on the laptop has been used illegally, but because it contained 2,816 social security numbers and other personal data, university officials sent a warning letter to affected students. (click the link to read the full story)
Earlier this month the AICPA, proponent of good privacy programs and creator of a privacy management methodology (actually, apparently, built around the OECD privacy principles), reported that it did not remove personally identifiable information (PII) from a hard drive it sent to an outside repair shop, and the drive was subsequently stolen. Irony. Someone within their organization was not following their own advice (yep, human nature…and possibly lack of awareness and training…at work).
Today it was reported that two laptops were stolen from the car of an FTC employee that contained PII about 110 individuals. More irony.
"The information includes individuals’ names, addresses, Social Security numbers, birth dates, and "in some cases, financial account numbers," the regulatory agency said this week."
"The analyst had violated a department security policy by taking home the sensitive data. The incident prompted calls for all government agencies to adhere more closely to the Federal Information Security Management Act."
It makes you wonder, will a regulatory oversight agency such as the FTC fine itself? It appears they need to beef up their information security program. Should they require themselves to have independent, 3rd party audits for the next 20 years? Should they require an extensive list of information security and privacy actions to be implemented? Well, okay…I’m being facetious…but this really is ironic…the agency that is constantly scolding businesses for lax security…WHICH IS A GOOD THING; WE NEED AGENCIES THAT UPHOLD THE LAWS AND BUSINESS PROMISES…now experiences an incident. This is the type of situation all CISOs and CPOs have nightmares about…trying as hard as they can to have a good program, and then having a hugely publicized incident occur as a result of one person’s lack of knowledge about security, or carelessness, or whatever other excuse can be attributed.
"Commission Notifies Individuals of Theft
The Commission today announced it is notifying approximately 110 individuals that two FTC laptop computers, one of which contained some of their personally identifiable information, were stolen from a locked vehicle. The FTC has no reason to believe the information on the laptops, as opposed to the laptops themselves, was the target of the theft. In addition, the stolen laptops were password protected and the personal information was a very small part of several thousand files contained in one of the laptops. The personal information was gathered in law enforcement investigations and included, variously, names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers. The letters being sent to the individuals, some of whom are defendants in current and past FTC cases, explain the type of information about that individual that may have been on the laptop, and the steps the individuals should consider taking to limit their risk of identity theft. The FTC will offer these individuals one year of free credit monitoring.
The FTC’s Inspector General has been notified and is investigating the theft. The local police department, as well as appropriate federal law enforcement agencies, including the Department of Homeland Security and the Federal Bureau of Investigation, also have been notified."
Well, the information within their message certainly is lacking…they are using statements similar to the ones that they have scolded other organizations for using…such as, "In addition, the stolen laptops were password protected and the personal information was a very small part of several thousand files contained in one of the laptops." Come on, now…it would have been much more effective to just say, look, we made a mistake. We should have ensured all the PII on our mobile computing devices was encrypted. We were silly not to.
The fact there were "several thousand files" contained on the laptops is pretty much irrelevant; it takes just a few seconds to a few minutes to do a search using the native OS utilities to find data within any of hundreds of thousands of files.
Most of the individuals whose PII was compromised were defendants in current cases. What would REALLY be ironic is if they were defendants in laptop theft cases! 🙂
A friend of mine (thanks Barry!) pointed out an interesting article from a couple of days ago that reported a new Virginia law will go into effect July 1 requiring all public and private colleges and universities to submit student names, birthdates and social security numbers (SSNs) to state police to cross-check against sex offender registries.
Hmm…interesting and disconcerting article…let’s see more about the law…
Appears the law, known as HB 984, Sex Offender and Crimes Against Minors Registry, was actually signed by Governor Kaine on April 24 and covers a very wide range of actions to identify and catch sexual predators in an effort to keep children safe, and I applaud such efforts when they are well considered and thoughtfully framed.
However, it appears in the quest to catch all these disgusting monsters, the zealousness of the law writers went beyond just accumulating known offenders, and even likely offenders, and cast a net lumping a large group of individuals who have absolutely no characteristics of being sexual predators, but are merely a targeted stratum of the population…those attending institutions of higher education. Within all the text outlining the characteristics and requirements for known sexual criminals, the following text is curiously dropped:
"§ 23-2.2:1. Reporting of student information to Sex Offender and Crimes Against Minor Registry.
Each public and private two- and four-year institution of higher education physically located in the Commonwealth shall electronically transmit data including (i) complete name, (ii) social security number or other identifying number, (iii) date of birth, and (iv) gender to the Department of State Police, in a format approved by the State Police, for comparison with information contained in the Virginia Criminal Information Network and National Crime Information Center Convicted Sexual Offender Registry File, for all applicants that are offered acceptance to attend the institution. This data shall be transmitted before such time that an applicant becomes a "student in attendance" pursuant to 20 U.S.C. 1232g(a)(6) at that institution. However, institutions with a rolling or instantaneous admissions policy shall report enrollment in accordance with guidelines developed by the Department of State Police in consultation with the State Council of Higher Education and the Virginia Community College System. Such guidelines shall be developed no later than January 1, 2007.
Whenever it appears from the records of the State Police that a person has failed to comply with the duty to register or reregister pursuant to Chapter 9 (§ 9.1-900 et seq.) of Title 9.1, the State Police shall promptly investigate and, if there is probable cause to believe a violation has occurred, obtain a warrant or assist in obtaining an indictment charging a violation of § 18.2-472.1 in the jurisdiction in which the person was enrolled with the educational institution."
So individuals who are pursuing a college education in Virginia now by default have all their personal information combined in with all the known sex offenders and criminals? The intent is certainly noble, but what kind of precedent does this set to collecting the personal information of individuals from basically any other population stratum? And where will this information about all the students be stored? How will access to it be protected? How long will it be retained? Will it be combined within the databases of known sexual predators? And what will prevent this personal data from being used for other purposes?
I am all for catching criminals and the horrible monsters who shatter childhoods. No one wants to see these disgusting poor substitutes for human beings locked away with the key thrown away more than I do. However, incorporating the personal information of innocent individuals who happen to be pursuing higher education into a database with these animals is not the right thing to do.
Noble intentions are good. However, lawmakers really need to consider the negative impacts their good and noble intentions, and poorly written laws, have upon innocent people.