There’s been enough interesting information security and privacy news here in my own frigid (subzero) snowy back yard in central Iowa to keep me from looking beyond the state for discussion material. Well yes, I did look beyond anyway…what I found will wait until another day.
Yesterday was interesting in that the Iowa Department of Education announced a security breach into their GED database and the Microsoft versus Comes/Iowa class action lawsuit was settled out of court.
Yes, they are linked.
As part of the settlement Microsoft must pay “half of any unclaimed proceeds to the Iowa Department of Education (DoEd) to help schools purchase computer hardware and software.”
Hopefully that money will go towards strengthening information security programs in schools; most need it. However, the breach shows that the DoEd needs it also.
“The Iowa Department of Education said a hacker has gained access to up to 600 General Educational Development records contained in a protected department Web application. Department staff discovered Monday that someone had hacked into the application, which contained names, addresses, dates of birth and Social Security numbers of people who obtained GEDs in Iowa between 1965 and 2002. The information was secured when the GED Web application was taken offline.”
Perhaps an inside job? The following has a few small tidbits to indicate so…
“The application contains approximately 160,000 records, but officials estimate that no more than 600 may have been viewed. The Department of Education is advising people who received their GEDs in Iowa between 1965 and 2002 to closely watch their credit reports and to inform local law enforcement agencies of any unusual credit activity. The Department of Education has posted information on its Web site about credit protection. The information is available at http://www.iowa.gov/educate.”
But then again, possibly not. Wonder how long the PII was accessed before someone noticed the unauthorized activity? Would be interesting to look at the logs showing no more than 600 records were viewed.
Let’s go to the Iowa DoE site to see if there is more information…
Nothing more than in the published news story except for the following 4 additional sentences:
“The Department of Education has acted and will continue to act swiftly to address the situation, and we stand ready to assist those individuals potentially affected,” said Judy Jeffrey, director of the Iowa Department of Education. The department has notified the Iowa Department of Public Safety’s Division of Criminal Investigation and the Federal Bureau of Investigation, and the two agencies are investigating the incident. In addition, the Iowa Department of Education, with assistance from the Department of Administrative Services’ Information Technology Enterprise (DAS), is completing a thorough review of its web applications. In addition, the DAS has directed state agencies’ chief information officers to reassess security of their web applications.”
What does “assist those individuals potentially affected” mean? It is good they will help, possibly through credit monitoring? This is much better wording, though, than the typical statement organizations have made telling the impacted individuals to closely monitor their credit reports on their own dime.
Thank you, Microsoft, for helping Iowa’s DoEd improve information security! I probably shouldn’t claim my proceeds of the settlement so the pool can be increased by that little bit more…every bit helps. The DoEd’s state budget always seems too small for security funding anyway.
So there’s the link between Microsoft and the IA DoEd…what about Perkins? That link is through the Microsoft lawsuit.
First a little background on the lawsuit…as reported by Radio Iowa:
“Attorneys today announced a settlement in the state’s case against computer giant Microsoft. The state sued alleging that Microsoft illegally overcharged for its software by keeping customers from having a choice of other software from 1994 through 2006.
The terms of the settlement were not released pending final court approval which is expected in April. Information that was released on the settlement says Microsoft will provide half of any unclaimed proceeds to the Iowa Department of Education to help schools purchase computer hardware and software.
Roxanne Conlin, lead attorney for the state’s case says: “We’re very pleased, we think that this is an excellent settlement for consumers of Iowa, and that it will also be helpful to Iowa schools. And that was an important feature for us.” Conlin says the early settlement wasn’t expected.”
I wonder why Microsoft will only provide *HALF* of unclaimed proceeds to the IA DoEd? C’mon Mr. Bill, you are supposed to be a strong education advocate, why not give *ALL* unclaimed proceeds to the Iowa DoEd? You’ve got billions anyway.
“The court will consider the joint motion for preliminary approval of the settlement on April 20. Iowans who bought Microsoft operating systems including MS-DOS, Windows 95, Windows 98, Windows 98 Second Edition, Windows Millennium Edition, Windows for Workgroups, Windows NT Workstation, Windows 2000, and Windows XP are covered in the settlement. Microsoft founder Bill Gates had been scheduled to come to Des Moines later this year to testify in the case.”
It seems like I’ve bought several of these over the years.
The local media were looking forward to having Gates in town…yes, they are now disappointed. Wonder if he’s ever been to Iowa?
Okay…finally to the Perkins connection. This actually came from the Computerworld report this morning about the settlement:
“Wallis said that Gates and Jeff Raikes, president of the Microsoft division responsible for Office and the company’s Dynamics business applications, were both expected to testify at the trial in the spring.
But, he added, “we have a pattern of consistently settling these old cases whenever we can [do so] on a reasonable basis. That opportunity presented itself.” Wallis said Roxanne Conlin, the lead lawyer for the plaintiffs, called him on Sunday, and the two of them met at a local Perkins restaurant “and worked out most of the details.””
Yes, those Perkins omelettes do engender warm feelings and cooperative spirit. My sons love their Perky Bear Pancakes.
The Computerworld piece provided a few more details:
“Last month, the plaintiffs posted about 3,000 documents, including letters, memos and e-mails from Raikes and other Microsoft executives, on a public Web site called www.iowaconsumercase.com. That site wasn’t accessible today, as would-be visitors were asked to enter a username and password. Neither Conlin nor Wallis would comment on whether the site was being taken down as part of the settlement deal.”
Hmm…I couldn’t find it cached either…
“The Iowa plaintiffs had been seeking up to $330 million in damages, alleging that customers had overpaid for software because of anticompetitive practices by Microsoft. The terms of the settlement aren’t being disclosed pending an April 20 court hearing on the proposed deal, and both Conlin and Wallis declined to say how much money Microsoft will pay as compensation to the individuals and businesses that qualify as members of the class represented by the lawsuit.
But Conlin said the agreed-upon amount is roughly proportional to the compensation paid in Minnesota, based on the number of customers and their software purchases. In Minnesota, the overall population is about 50% larger than Iowa’s. But the period for eligible purchases of Microsoft products was three years shorter than it was in Iowa.
According to information released by the Iowa plaintiffs during the trial, the lawsuit covered 7.5 million purchases of Windows and other Microsoft products between May 1994 and June 2006. More than 1,100 Microsoft customers opted out of the suit, but Conlin said that number was a statistically insignificant portion of the overall base of users who made qualifying purchases. “It was just half of half of half a percent of the total number of people affected,” she said.
Regarding a claim by the plaintiffs that they had proof Microsoft was violating its 2002 antitrust settlement with the DOJ, Conlin said it’s unclear if and when the public may have access to that information. “We did what lawyers are supposed to do, which is turn it over to the U.S. Department of Justice and the Iowa Department of Justice,” she said.”
I’m looking forward to seeing how much Microsoft will provide to me as a purchaser of their OS’s as part of this settlement; guess I may find out on April 20.
In the meantime, there you have the story…
1) Buy Microsoft operating systems => 2) File lawsuit because you were overcharged => 3) Install the overpriced OS’s in schools and the DoEd => 4) Hackers break into your systems => 5) Lawyers eat at Perkins and Microsoft agrees to give a fraction of the leftover lawsuit settlement to DoEd => 6) Go back to 1)
Isn’t this a circular program?