PI Newswire

Content aggregation for the investigative professional


Search Results: personal-information

According to a new survey, many states lack the proper resources to adequately protect some of their citizens’ most personal information. The NASCIO / Deloitte survey also found that internal and external threats to personally identifiable and personal health information are growing.

In a report entitled, “State Governments at Risk: A Call to Secure Citizen Data and Inspire Public Trust,” 79 percent of State Chief Information Security Officers (CISOs) said their budgets for cybersecurity were cut or remain stagnant in the face of increasing threats. “Unprecedented budgetary cuts across state governments and growing reliance on contractors and outsourced IT services are creating an environment that is even harder to secure, and the report highlights the growing concerns of CISOs in this regard,” Steve Fletcher, president of NASCIO and CIO of the State of Utah, said in a statement.

But the problem is not just funding, says Deloitte’s Srini Subramanian. “Many state CISOs lack the visibility and authority to effectively drive security down to the individual agency level,” Subramanian said.

For this reason, the joint study suggested that states focus on governance and strategy to help CISOs receive the statutory support they need to raise the level of cyber awareness in their state, as well as the technical guidance to achieve security compliance.

Another key component of the study was that states must do a better job of managing how contractors, service providers and other third-party vendors handle sensitive and critical citizen data. Subramanian mentioned that President Obama has appointed a cybersecurity coordinator to address the issue, adding that governors and state legislators should make similar commitments to protecting citizen data.

View Source…

Privacy Commissioner Jennifer Stoddart has announced she will investigate how Veterans Affairs handles the personal information of wounded Canadian soldiers, after she found evidence that widespread privacy violations may have taken place at the department.

Valerie Lawton, a spokesperson for the commissioner, announced the pending investigation Tuesday afternoon in a statement.

Earlier in the day, Veterans Affairs Minister Jean-Pierre Blackburn said he had requested the probe. Stoddart’s office refuted that.

“The Commissioner has advised Minister Blackburn’s office that her investigation into a complaint about the handling of one veteran’s personal information has raised concerns about the possibility of systemic privacy issues,” Lawton’s statement said.

“As a result, she had already decided to initiate an audit of the department’s privacy practices.”

At a news conference to announce new support for the families of severely injured soldiers, Blackburn said that he was “very concerned about what’s happening” at the department.

“This morning we have a discussion with the privacy commissioner and I thought with all that news is coming, that it would be appropriate for the commissioner, the privacy commissioner, to look further in the department to see what’s going on, to enlarge what she has done up to now, to look further into the department to be sure that what’s going on there,” the minister said.

The audit will begin after Stoddart finishes looking into a complaint by Sean Bruyea, a veteran and a blunt critic of the department. Bruyea has said that his medical and psychiatric records appeared in a 2006 briefing note to Greg Thompson, the former minister of Veterans Affairs.

Read more…

DDoS victim faces fine for privacy breach

Posted on September 28, 2010

The UK’s Information Commissioner Christopher Graham has confirmed that legal firm ACS:Law – the victim of a distributed denial of service attack by Anonymous 4Chan users – is not able to use the attack as an excuse for its failure to protect personal information.

UK-based ACS:Law is one of several anti-piracy bodies – including Australia’s AFACT – that have been targeted in attacks by large numbers of Anonymous users.

ACS:Law documents exposed in the aftermath of the attack revealed the extent to which it had convinced alleged file-sharers in the UK to pay thousand-dollar-per-allegation settlements to avoid litigation.

On Tuesday, Commissioner Graham confirmed his office would investigate the alleged data breach, which had exposed the details of tens of thousands of ACS:Law’s targets.

A new list was also leaked – a list which contained the personal details of 8,000 Sky Broadband subscribers that had been in ACS:Law’s possession, according to a BBC News report.

Graham told the BBC that the breach appeared to be “pretty serious” and that he could issue a fine of up to £500,000 (AU$817,000) under the UK’s Data Protection Act.

“The question we will be asking is: how secure was this information, how was it so easily accessed from outside?” said Graham.

Any claim by ACS:Law that it was a victim of a DDoS attack would not pass as an excuse for exposing people’s private details, he said.

Read more…

Video: Bank Customers Foil ATM Skimmer

Posted on September 25, 2010

Authorities in Europe have seized a nice video recorded by a group of carders showing the criminals installing a skimming device and hidden camera at an ATM in the United Kingdom to steal customer PINs.

Filmed from the hidden pinhole camera itself, installed above the ATM, the video shows how easy it is to capture the PINs as customers enter them on the keypad. But a few wily customers, who are wise to the carders’ tricks, manage to thwart their scheme by shielding the keypad as they type in their number.

Skimming has long been a successful means for carders to steal bank account PINs at ATMs. The carders install a fraudulent lookalike card reader over the legitimate reader — at ATMs, gas stations and elsewhere — that captures the customer’s bank account number from the magnetic stripe on the card as it’s placed in the reader. A pinhole camera then captures an image of the keypad.

The European ATM Security Team, which released the video this week, offers these tips for thwarting carders:
1. Protect your PIN by standing close to the ATM and shielding the keypad with your other hand.
2. Check to see if anything looks unusual or suspicious about the ATM. Jiggle the card slot. If there appears to be anything stuck onto the card slot or keypad, don’t use it. Don’t try to remove suspicious devices.
3. Be cautious if strangers offer to help you at an ATM, even if your card is stuck or you’re having difficulties, and don’t allow anyone to distract you.

View Source…

A government authority in Ontario is pushing new data security encryption regulations for electronic medical records to provide a safer environment for patients in the country.

According to the Canadian Press, former health minister David Caplan is moving forward with an initiative to bolster security on electronic medical records and reduce the service’s cost to patients. Caplan was motivated to pursue the law after two instances of data loss revealed an apparent security flaw in the country’s healthcare sector.

The developments in Canadian law imply a changing environment for health information management. As new laws are released to boost security on patients’ medical information, investing in data-leak prevention can ensure regulatory compliance with government standards implemented to prevent medical data loss.

The law also covers fees for electronic medical records in Canada. Caplan said patients attempting to move their records to a new doctor faced “an enormous fee,” the Canadian Press reports.

Data-leak prevention is becoming more important for healthcare providers in the U.S., as well. Last month, South Shore Hospital in Weymouth, Massachusetts was scrutinized after losing information pertaining to 800,000 patients.

View Source…

Man gets prison for Discover card fraud

Posted on September 18, 2010

NEWPORT BEACH – A Northridge man serving a prison sentence for credit card fraud in Los Angeles County pleaded guilty Friday in Orange County Superior Court to illegally accessing account information with the intent to defraud 50 Discover Card account holders.

Thomas Michio Taniguchi, 45, was sentenced to an additional seven years and eight months in prison and was ordered to pay $33,475 in restitution to Discover Card Financial Services.

Co-defendant Jerome Abaquin Gonzales, 33, Irvine, pleaded guilty last week to conspiracy to commit access card fraud and trafficking and possessing access card materials.

Gonzales was sentenced to three years of formal probation and one year in jail. His sentence was based on his lack of a prior record, minimal role in the scheme, full payment of $33,475 in restitution at his sentencing, and an early acceptance of wrongdoing, according to prosecutors.

Between December 2007 and March 2008, approximately 4.2 million Discover Card accounts were compromised in a data breach involving credit cards used by grocery shoppers at Hannaford Bros. supermarkets in New England and Sweetbay supermarkets in Florida.

At the time, the Hannaford data breach was, and it still remains, one of the largest data breaches to date in US history, according to prosecutors.

Taniguchi obtained compromised stolen Discover Card account information from the Hannaford breach by purchasing cardholder data on the black market via the Internet in March and April 2008, according to prosecutors. Taniguchi encoded the compromised data onto magnetic strips and placed them on the back of fake plastic cards branded with the Discover Card logo, prosecutors said.

Read more…

Patient Records Sold to Recycler

Posted on September 18, 2010

The computer printouts included names, addresses, phone numbers and medical records numbers for about 30,000 patients, but no medical information.

The California Department of Public Health is investigating whether the incident violates state and federal laws. Officials were not immediately available for comment.

The breached information appears to require notification to the U.S. Department of Health and Human Services’ Office for Civil Rights. The office publicly lists all breaches of protected health information – which includes names, addresses and medical records numbers, among other information – on a publicly accessible Web site. The janitor was arrested on Sept. 10 and the breach presently is not on the HHS Web site.

Health Data Management’s Health IT Summit, Nov. 14-16 in Chicago, will include an educational session track on data breach issues. More information is available at healthdatamanagement.com/conferences

View Source…

Tracking digital shadows

Posted on September 18, 2010

7 a.m.: You wake up and look outside your window. It’s raining, so you decide to check the weather on television. Without realizing it, you’ve already shared information about yourself, possibly to hundreds of people, and your day has just begun.

In your daily life, there are dozens of ways you transmit personal information – without ever logging on to a computer – from using your credit card, to walking down a city street. Taken together, that information is called a person’s digital shadow.

With all the technology advances of the last 20 years, the length of an average person’s digital shadow has grown tremendously, and will grow even more in the coming years. The more information out there, the more chances there are that it can be used by others, sometimes against you, either as a way to profile you for a marketing campaign, or for more nefarious uses like stealing your identity, appropriating sensitive corporate data, or stalking your every move.

“It’s the sort of trail that you may not be aware of, because you don’t have physical contact with the machine that may be collecting the information,” said Colin McKay, the director of research, education and outreach with the office of the Privacy Commissioner of Canada.

“There are a large number of data points that you leave in your daily life that don’t necessarily identify you, but certainly identify your behaviours, your preferences and the choices you make.”

Read more…

No Social Security numbers, or specific medical or financial information was released when a Los Angeles County janitor allegedly sold 14 boxes of patient records to a recycling center, officials said Friday.

The Times reported details of the case, including the arrest of Robert Sanders, 55, in Friday’s newspaper. He was charged this week with felony commercial burglary.

The files, which contained the names of 33,000 patients, addresses, phone numbers and medical record numbers, were sold for $40, according to L.A. County Sheriff’s Department spokesman Steve Whitmore.

The privacy breach was discovered in late July when officials at Martin Luther King, Jr. Multi-Service Ambulatory Care Center in Willowbrook discovered files were missing from the facility, according to a news release Friday from county health and Sheriff’s Department officials.

An investigation into the missing files led authorities to Sanders, who was among the custodians questioned about where the files had gone.

“One such employee confessed that he had personally taken the files to a recycling company for its paper value,” according to the news release. “At that time, MLK-MACC referred the matter to the Sheriff who conducted a law enforcement investigation.”

Beginning next week, anyone affected by the breach will be notified by mail, officials said Friday. The letter will contain instructions about steps to take to prevent any potential harm.

“We take patient privacy in this department very seriously,” said Carol Meyer, head of operations for the Department of Health. “Despite measures previously employed by our facilities this unforeseen event occurred. In the wake of this unfortunate incident, we are redoubling our security measures to ensure the safety and integrity of patient information.”

Read more…

GOOGLE has confirmed the sacking of an engineer accused of spying on minors in its second major privacy scandal this year.

The search giant today said it had dismissed David Barksdale for breaking “strict” privacy policies.

The sacking comes after the company was involved in a worldwide privacy scandal earlier this year when it “mistakenly” collected personal data while gathering information for its Street View service.

Earlier today industry gossip blog Gawker published a number of allegations against Mr Barksdale from an anonymous source.

The source alleged that the 27-year-old harassed and spied on four underage teenagers by snooping on their chat logs and internet voice calls while he was employed by Google.

Mr Barksdale worked as a site reliability engineer at Google’s Kirkland office near Seattle in Washington and had access to private user data, the blog said.

Google today said it had sacked Mr Barksdale for breaching “strict” privacy policies, but would not confirm other details.

“We dismissed David Barksdale for breaking Google’s strict internal privacy policies,” said Google senior vice president of engineering Bill Coughran.

“We carefully control the number of employees who have access to our systems, and we regularly upgrade our security controls.

“That said, a limited number of people will always need to access these systems if we are to operate them properly — which is why we take any breach so seriously.”

A Google Australia spokesperson would not confirm if minors were involved in Mr Barksdale’s dismissal.

It is understood that Mr Barksdale is not the first Google employee to be fired for a privacy breach.

Gawker said it was not clear why Mr Barksdale would have spied on the teens and there were no allegations of sexual harassment.

Read more…

Former public sector employees in Delaware are seeking lawsuits after a state contractor leaked the Social Security numbers and birth dates of 22,000 state retirees, Delaware Online reports.

The information was found through the state’s website, pertaining strictly to Delaware’s retired state government employees, and was removed on August 20 after four days of exposure. For Gail Slaughter, who retired in 2007 after 33 years with the state’s finance department, those four days have put her at enough risk to seek damages from the government.

“I feel aggrieved. It’s something we’re going to have to worry about for the rest of our lives,” Slaughter told Delaware Online.

Her attorney explained how a number of state retirees are at risk for identity theft as well.

“She’s expressed the same feelings that people have been saying,” said attorney Bruce Hudson, the news provider reports. “There’s nothing she or anybody else can do to change the fact that their information has been made public. She’s always going to have to live with the fear that her identity could be stolen.”

The case reveals the need for data-leak prevention solutions among large organizations. As the information was exposed for days without the knowledge of any employees or administrators, data-leak prevention can help organizations with large information management needs avoid unexpected legal issues related to their complex networks of information.

View Source…

How secure is your e-mail password?

Posted on September 15, 2010

The other day I was talking to Hugh Thompson, adjunct professor of software security at Columbia University and founder of consultancy People Security, about his research related to online privacy and he mentioned how easy it can be to hijack someone’s e-mail account. So, I challenged him to try to steal mine.

Over the course of an hour, I watched as he mined the Internet for information about me that could be used to reset passwords on Web-based e-mail services, plucking tidbits from a variety of search and other sites to create quite a surprising dossier. I decided to share the experience (with a few omissions) in the hopes that other people will test how easily they could be stalked online so they can better protect their e-mail and other Web accounts.

Access to an e-mail account opens up access to all sorts of other information that could be used to steal someone’s identity and drain bank accounts, open up credit cards, and even take out loans in their name.

It’s not just personal information at stake in e-mail accounts. Use of weak password-reset security questions is believed to have allowed someone to access the Yahoo e-mail account of a Twitter employee last year and then use that to access the person’s Google Docs account where there was sensitive corporate information.

Read more…