Sunday, June 22, 2008
State computers headed for sale had private information - The Capital-Journal - 19 Jun 2008
A review of the state surplus property program, which sells outdated equipment to the public, found seven of the 15 machines inspected contained information considered confidential under state and federal law, including one computer that still had 2,856 Social Security numbers in a file.
"After reading through this report, I had to take a couple nitroglycerin tablets and go lay down," said Rep. Virgil Peck, R-Tyro, a member of the Legislative Post Audit Committee that received the results.
Some of the computers were reformatted, but that doesn't permanently delete all files. Auditor Allan Foster demonstrated an off-the-shelf program that can retrieve such data off a hard drive.
He said some state agencies had policies for properly removing information but thought the surplus program would wipe the hard drives clean. Other agencies had no policy at all.
Carol Foreman, deputy secretary of the Department of Administration, wrote in a letter to the Legislative Division of Post Audit that now, when agencies transfer old machines to the surplus program, they will provide a certificate stating all data has been properly removed.
The surplus program also will inspect each computer from now on and notify agencies of improperly cleaned computers.
Gavin Young, spokesman for the Department of Administration, said they also were working with a company that helps destroy hard drives.
In their review of the 15 computers, Foster and his staff found state employee personnel information, the names and Social Security numbers of Medicaid recipients, employee accident reports, and an investigative report into alleged improprieties by a grant recipient.
"The results were pretty disturbing," Foster said.
He warned that the audit didn't grasp the full extent of the problem.
The report focused only on discarded computers in Topeka and didn't include old equipment from state offices outside of Shawnee County.
And officials said it was impossible to know if any of the approximately 600 computers sold through the program last year might have included confidential information.
Young said there have been no reports of identity theft related to computers from state agencies.
Even one computer slipping into the wrong hands "could cost the state dearly," Foster said, referring to money the state would have to pay to protect affected people from identity theft.
The seven computers still containing confidential information came from the adjutant general's office, the Department of Administration, the Kansas Health Policy Authority and the Kansas Sentencing Commission.
By James Carlson
Thursday, June 12, 2008
Most data breaches discovered too late, study says - networkworld.com - 11 Jun 2008
Most companies only learn about network data breaches in the months after their data has already been compromised, according to a new study.
The study, conducted by Verizon Business, looks at data breaches in a wide variety of industries, such as retail, food and beverage, technology services and financial services, and examines more than 500 forensics investigations comprising roughly 230 million records over a period of four years.
Looking at the big picture, the study finds that three-fourths of all data breaches lead to compromised data within a matter of days. Despite this, the study also finds that 63% of enterprises don't learn about data breaches until months after their data has been compromised. What's more, 70% of all data breaches are discovered by third parties, such as customers or banks, meaning that most companies have no idea that their data has been compromised until they are alerted by an outside voice. And even after breaches are discovered, the study finds that nearly half of them take weeks to fix, while only 37% are fixed within a matter of days or hours.
A strong majority (73%) of enterprise data breaches come from external sources, while only 18% come from internal sources such as IT administrators or employees. However, while internal data breaches are far less common than external data breaches, they are far more damaging to data security: a median of 375,000 records are compromised during internal security breaches, compared with a median of 30,000 for external security breaches, according to the study.
The most popular method for breaching company data is hacking, which accounts for 59% of all data breaches studied. Thirty-nine percent of all hacks occur at the application or service layer, while 23% occur at the operating system or platform layer. Interestingly, the study finds that 18% of all hacks exploit known vulnerabilities. Of these known vulnerabilities, a full nine-tenths had patches available for six months prior to the breach.
The study lists several ways for businesses to guard themselves against future data breaches, most of which do not require a heavy investment in upgrading IT infrastructure. In the first place, the study says that companies fail to actually enact their established security policies. The study also notes that 83% of all network attacks are not difficult to thwart, and that 85% are opportunistic attacks that are not directed against a particular entity but are rather initiated randomly through techniques such as phishing.
What’s more, the study finds that evidence of 82% of all breaches studied is available to the victims but that this evidence is not noticed or acted upon. Thus, the study recommends that enterprises concentrate on enforcing the basics of data security – such as actively monitoring data logs and creating data retention plans – before they take extra precautions against sophisticated hacking or malware assaults.
“Security breaches and the compromise of sensitive data are very real and growing concerns for organizations worldwide,” says Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions. “This can help companies better understand data breaches. . . . Most importantly, it urges organizations to be proactive in their approach to security.”
By Brad Reed
Wednesday, June 11, 2008
Card details stolen in web hack - BBC News - 10 Jun 2008
The firm has not confirmed the size of the breach but it has acknowledged the site was attacked early this year.
It said Barclaycard was contacted as soon as it learned of the attack, and most cards were stopped in January.
The payment industry's trade body said it was serious because hackers accessed details for "card not present" fraud.
Apacs, the trade association for the payment industry, said a specialist police force was investigating the case.
Cotton Traders was founded by ex-England rugby captains Fran Cotton and Steve Smith and has one million customers.
In a statement, Cotton Traders said all of its customers' credit card data was encrypted on the website.
'Security issue'
It said: "Earlier this year we identified a security issue. We immediately brought in industry security experts to resolve the problem.
"Cotton Traders have recently upgraded all security on their website which has been validated by leading Industry experts."
It added: "We would like to reassure all our customers that their data is secure and that the Cotton Traders website meets all leading Industry security standards."
BBC News has learned that customer addresses were also stolen in the hack.
The breach follows last year's attack on the website of TK Maxx, in which 45 million card details were lost.
In that case, data was accessed on the firm's computer systems over a 16-month period and covered transactions made by credit and debit cards dating as far back as December 2002.
The exact method used to hack the Cotton Traders website is not known.
The firm has said customers worried about their cards should contact their card provider.
Saturday, May 31, 2008
Bank loses tapes with data on 4.5M clients - computerworld.com - 30 May 2008
Connecticut AG blasts BNY Mellon for failing to notify victims for three months
May 30, 2008 (Computerworld) Bank of New York Mellon Corp. officials last week confirmed that a box of unencrypted data storage tapes holding personal information of more than 4.5 million individuals was lost more than three months ago by a third-party vendor during transport to an off-site facility.
The bank informed the Connecticut State Attorney General's Office that the tapes belonging to its BNY Mellon Shareowner Services division were lost in transport by off-site storage firm Archive America on Feb. 27. The missing backup tapes include names, birth dates, Social Security numbers, and other information from customers of BNY Mellon and the People's United Bank in Bridgeport, Conn., according to a statement by Connecticut Attorney General Richard Blumenthal.
Archive America refused to comment about the missing backup tape, citing confidentiality agreements. A People's United Bank spokesman could not be reached for comment.
BNY Mellon Shareowner Services, which includes handling employee stock option plans, said that it has begun notifying affected clients. It contended that none of the unencrypted data has been accessed or used.
"We'd like to provide people with a more current characterization [of what happened], but we are not yet in a position to make that available," said BNY Mellon spokesman Ron Sommer. "Our intention is to make it available as soon as we can."
Blumenthal said that the bank's offer of a year of free credit monitoring to those affected by the breach is "grossly inadequate." He also slammed the bank for not promptly notifying customers of the security breach.
"The loss of this tape — so far unrecovered and unremedied — is inexplicable and unacceptable," wrote Blumenthal. "I am especially concerned by the delay in informing customers, possibly heightening the risks of wrongdoing."
Blumenthal said that he is working with the New York and New Jersey attorneys general and the Connecticut Department of Consumer Protection to investigate the breach. Further, he said that he is pressing the bank to explain how some backup tapes disappeared while others on the same van arrived intact at the Archive America facility.
This week, a lawyer representing 40 affected individuals filed a class-action lawsuit against the New York bank in Connecticut Superior Court. Attorney Michael Stratton, who represents the plaintiffs, said he is seeking up to seven years of free credit monitoring and credit insurance for customers, along with unspecified damages.
"It's inconceivable to me that you have unencrypted data on tapes being transported and stored. I can't imagine why you wouldn't have a sophisticated encryption program to make it virtually impossible to break the code even if they were to become lost," remarked Stratton.
Friday, May 30, 2008
Data theft, web attacks nightmare for IT heads: Survey - The Economic Times - 29 May 2008
NEW DELHI: Insider threats and emerging web-based attacks, more than the hacking menace, are what give directors of IT firms nightmares, a recent survey reveals.
More than 80 per cent of the 103 IT directors surveyed felt that insider threats, defined as either unintentional data leakage or deliberate data theft, were the biggest problem for their respective organisations.
According to the survey, conducted by US-listed Secure Computing Corporation, fewer than one in five respondents said that external threats posed by hackers are more dangerous.
About 37 per cent of the respondents had experienced leakage of sensitive information in the past year. Internal security was found to be the directors' top priority.
The survey was conducted among senior attendees at the Infosecurity Europe exhibition last month. Among the respondents, 34 per cent said e-mail is the biggest current security threat, followed by Voice over IP (25 per cent) and web surfing (21 per cent).
However, four in five directors surveyed felt that they could be better prepared for web-borne threats. In terms of external threats, malware is found to be the major headache for about 56 per cent of the directors whereas only 22 per cent are concerned about hacking. Moreover, 31 per cent of the respondents felt that viruses pose a big threat followed by spam (18 per cent) and data leaks (14 per cent). The survey showed that the biggest budgets would be spent on strengthening internal security, with 35 per cent of IT directors identifying it as their priority for planned investment.
Thursday, May 15, 2008
Stolen hard drive data put Formula One drivers at risk of blackmail, reports claim - www.sophos.com - 13 May 08

German police are reported to have arrested a man who is alleged to have tried to sell a hard disk which had belonged to Sutil, and contained personal information, details of Swiss bank account transactions, photographs, and private correspondence between the 25-year-old German who drives for Force India and his racing ace friend, Lewis Hamilton.
The suspect, who has only been named as "Dieter", was arrested by undercover detectives at an autobahn service station outside Munich as he tried to sell the disk to Bild Motorsport magazine for 10,000 Euros (approximately £8,000).
"This is a timely reminder to businesses and individuals alike that if you are disposing of an old computer make sure you securely wipe its hard drive first. Whether you are taking the PC down to the garbage tip, selling it onto a friend, or giving it to charity, it is critical that the data on it is properly overwritten and permanently erased," said Graham Cluley, senior technology consultant for Sophos. "This is computer security 101. Identity thieves have been known to hang around junkyards picking up old computers just minutes after they have been dropped off, and then using data recovery tools to see if financial records, passwords and other information useful for stealing identities can be unearthed. And if you're a business or mega-rich celebrity such as a Formula One driver the losses can be even more acute."
Sophos experts believe that if Adrian Sutil's father Jorge had properly erased the contents of the computer when he disposed of it a year ago, the racing drivers would not have been at risk of blackmail.
"Deleting a file doesn't necessarily mean that it's really gone - and a computer-savvy con-man using simple tools can often bring information back from the dead. To properly defend yourself you need to make sure your hard drive data has been overwritten, preferably multiple times. That's why Government offices are told to use military-grade erasure software to ensure that data cannot be recovered by criminals from dumped PCs," continued Cluley. "Businesses also need to have a strict policy in place about how they deal with old computers, hard drives and storage devices to ensure that sensitive information does not fall into the wrong hands."
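The Kansas audit above (reformatted machines still holding Social Security numbers) and Cluley's point that deleted data can be "brought back from the dead" unless it is overwritten both come down to the same mechanism: delete and quick-format change the directory, not the data blocks. The following is an added example written for this page, not code from Sophos, the Kansas auditors or any real wiping or recovery tool. It simulates a tiny block device (`ToyDisk`), a recovery tool that ignores the directory and scans raw blocks (`carve`), and a multi-pass overwrite with a verification read-back; the personnel record it stores is constructed sample data, not a real one.

```python
import os

BLOCK_SIZE = 64
NUM_BLOCKS = 16


class ToyDisk:
    """Minimal block device: a directory (name -> block list) plus raw blocks.

    Constructed for illustration only. Real filesystems are far more
    involved, but 'delete' and 'quick format' touch metadata, not data,
    in exactly this way.
    """

    def __init__(self):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(NUM_BLOCKS)]
        self.directory = {}
        self.free = list(range(NUM_BLOCKS))

    def write_file(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        used = []
        for chunk in chunks:
            b = self.free.pop(0)
            self.blocks[b][:] = chunk.ljust(BLOCK_SIZE, b"\x00")
            used.append(b)
        self.directory[name] = used

    def read_file(self, name):
        return b"".join(bytes(self.blocks[b]) for b in self.directory[name]).rstrip(b"\x00")

    def delete_file(self, name):
        # Ordinary delete: the directory entry goes; the blocks stay as they were.
        self.free.extend(self.directory.pop(name))

    def quick_format(self):
        # A quick format does the same to the whole disk at once.
        self.directory.clear()
        self.free = list(range(NUM_BLOCKS))

    def wipe_free_space(self, passes=3):
        """Overwrite every unallocated block: random data for `passes`
        rounds, then a final zero pass so the result can be verified."""
        for _ in range(passes):
            for b in self.free:
                self.blocks[b][:] = os.urandom(BLOCK_SIZE)
        for b in self.free:
            self.blocks[b][:] = bytes(BLOCK_SIZE)

    def verify_wiped(self):
        """Read back every free block and confirm it holds only zeros."""
        return all(not any(self.blocks[b]) for b in self.free)


def carve(disk, pattern):
    """What an off-the-shelf recovery tool does: ignore the directory and
    scan the raw blocks for recognisable content. Returns True if found."""
    raw = b"".join(bytes(b) for b in disk.blocks)
    return raw.find(pattern) != -1


def demo():
    """Walk one record through delete, quick format and wipe; report
    whether carving still finds it at each stage."""
    # Constructed sample record (placeholder SSN); not real data.
    record = b"EMP-0001, Jane Doe, SSN 000-00-0000, accident report 2007-11-03\n"
    disk = ToyDisk()
    disk.write_file("personnel.txt", record * 3)
    assert disk.read_file("personnel.txt") == record * 3

    disk.delete_file("personnel.txt")
    after_delete = carve(disk, b"SSN 000-00-0000")

    disk.quick_format()
    after_format = carve(disk, b"SSN 000-00-0000")

    disk.wipe_free_space(passes=3)
    after_wipe = carve(disk, b"SSN 000-00-0000")

    return {"after_delete": after_delete, "after_format": after_format,
            "after_wipe": after_wipe, "verified": disk.verify_wiped()}


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:13s}: {result}")
```

Running it prints True for `after_delete` and `after_format` (the record is still carvable after both) and False for `after_wipe`, with `verified` True. The verification read-back is the part a disposal policy like the one the Kansas surplus program adopted actually needs: a certificate that data "has been properly removed" is only meaningful if someone read the free space back and confirmed it.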
Dieter faces charges of attempted blackmail and possession of stolen personal data. If found guilty, he could face up to five years in jail.