<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: disclosures]]></title>
    <link>http://securityratty.com/tag/disclosures</link>
    <description>Articles tagged "disclosures" on SecurityRatty.</description>
    <pubDate>Tue, 23 Oct 2007 12:35:43 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Best Western Forced to Play Defense on Breach Disclosure]]></title>
      <link>http://securityratty.com/article/27b346176997536a8a946fea65474769</link>
      <guid>http://securityratty.com/article/27b346176997536a8a946fea65474769</guid>
      <description><![CDATA[A dispute between Best Western and a Scottish newspaper over the scope of a data breach at the hotel chain highlighted the need for companies to get out in front on breach disclosures, rather than...]]></description>
      <content:encoded><![CDATA[A dispute between Best Western and a Scottish newspaper over the scope of a data breach at the hotel chain highlighted the need for companies to get out in front on breach disclosures, rather than being forced into damage-control mode.
<p><a href="http://feeds.computerworld.com/~a/Computerworld/Security/News?a=E7CyDe"><img src="http://feeds.computerworld.com/~a/Computerworld/Security/News?i=E7CyDe" border="0"></img></a></p><img src="http://feeds.computerworld.com/~r/Computerworld/Security/News/~4/380148449" height="1" width="1"/>]]></content:encoded>
      <pubDate>Mon, 01 Sep 2008 03:33:25 +0000</pubDate>
      <category domain="http://securityratty.com/tag/hotel chain">hotel chain</category>
      <category domain="http://securityratty.com/tag/scottish newspaper">scottish newspaper</category>
      <category domain="http://securityratty.com/tag/western">western</category>
      <category domain="http://securityratty.com/tag/breach disclosures">breach disclosures</category>
      <category domain="http://securityratty.com/tag/damage-control mode">damage-control mode</category>
      <category domain="http://securityratty.com/tag/data breach">data breach</category>
      <category domain="http://securityratty.com/tag/front">front</category>
      <category domain="http://securityratty.com/tag/companies">companies</category>
      <category domain="http://securityratty.com/tag/dispute">dispute</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/380148449/article.do">Best Western Forced to Play Defense on Breach Disclosure</source>
    </item>
    <item>
      <title><![CDATA[Best Western forced to play defense on data breach disclosure]]></title>
      <link>http://securityratty.com/article/6a5ccb0e491837bbdd64c37c284656ca</link>
      <guid>http://securityratty.com/article/6a5ccb0e491837bbdd64c37c284656ca</guid>
      <description><![CDATA[A dispute between Best Western and a Scottish newspaper over the scope of a data breach highlights the need for companies to get out in front on disclosures of data...]]></description>
      <content:encoded><![CDATA[A dispute between Best Western and a Scottish newspaper over the scope of a data breach highlights the need for companies to get out in front on disclosures of data breaches.
<p><a href="http://feeds.computerworld.com/~a/Computerworld/Security/News?a=4cyEAu"><img src="http://feeds.computerworld.com/~a/Computerworld/Security/News?i=4cyEAu" border="0"></img></a></p><img src="http://feeds.computerworld.com/~r/Computerworld/Security/News/~4/377427991" height="1" width="1"/>]]></content:encoded>
      <pubDate>Thu, 28 Aug 2008 09:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/data breach highlights">data breach highlights</category>
      <category domain="http://securityratty.com/tag/scottish newspaper">scottish newspaper</category>
      <category domain="http://securityratty.com/tag/western">western</category>
      <category domain="http://securityratty.com/tag/data breaches">data breaches</category>
      <category domain="http://securityratty.com/tag/front">front</category>
      <category domain="http://securityratty.com/tag/companies">companies</category>
      <category domain="http://securityratty.com/tag/dispute">dispute</category>
      <category domain="http://securityratty.com/tag/disclosures">disclosures</category>
      <category domain="http://securityratty.com/tag/scope">scope</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/377427991/article.do">Best Western forced to play defense on data breach disclosure</source>
    </item>
    <item>
      <title><![CDATA[Laptop stolen from R.E. Moulton may affect 19,000]]></title>
      <link>http://securityratty.com/article/744fcc25f693c4e344c22b9023c6e318</link>
      <guid>http://securityratty.com/article/744fcc25f693c4e344c22b9023c6e318</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
5/23/08

Organization
OneAmerica

Contractor/Consultant/Branch
R.E. Moulton, Inc

Victims
Customers

Number Affected
19,000

Types of Data
names in...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/oneamerica.jpg" align="right" height="102" width="102"><span style="font-weight: bold;">Date Reported: </span><br>5/23/08<br><br><span style="font-weight: bold;">Organization:</span> <br><a href="http://www.oneamerica.com/wps/wcm/connect/oa/OneAmerica/Home/">OneAmerica</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.oneamerica.com/wps/wcm/connect/oa/REMoulton">R.E. Moulton, Inc.</a> <br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>~19,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>"names in combination with social security numbers"<br><br><span style="font-weight: bold;">Breach Description:</span><br>A laptop computer containing sensitive personal information belonging to approximately 19,000 individuals was stolen from the Irving, Texas offices of R.E. Moulton on or around March 7th, 2008.<br><br><span style="font-weight: bold;">Reference URL:</span><br>New Hampshire State Attorney General breach notification<br><br><span style="font-weight: bold;">Report Credit:</span><br>The New Hampshire State Attorney General<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>R.E. 
Moulton is a leader in the medical stop-loss insurance industry and the stop-loss insurance products administered by it are available nation-wide.<br><span style="font-style: italic;">[Evan] The notification to the New Hampshire State Attorney General starts with this sentence.&nbsp; It's nice if you can add a little marketing to your breach notification.</span><br><br>We are writing to inform you of an incident involving the possible disclosure of personal information.<br><br>Specifically, on or around March 7, 2008, thieves broke into our Irving, Texas regional office and stole a laptop computer containing personally identifiable information of numerous individuals, including names in combination with social security numbers.<br><span style="font-style: italic;">[Evan] We don't know much about the physical security controls protecting the office and laptop, but we do have a clue.&nbsp; The fact that R.E. Moulton states "on or around March 7" leads me to believe that the physical controls were not sophisticated enough to detect the theft when it occurred.&nbsp; The practice of storing confidential information on a laptop is not a good idea in most cases and there is also no mention of encryption, so I assume it was not used.&nbsp; Bad, bad, and bad.</span><br><br>A police report was filed and the police are actively investigating this crime.<br><br>Personal information was on the stolen laptop because R.E. Moulton receives requests to provide quotes for stop-loss insurance coverage.<br><span style="font-style: italic;">[Evan] In my opinion, this may be justification for collecting personal information, but certainly not a justification for storing it on a laptop.</span><br><br>Approximately 19,000 individuals were affected, although there may be duplicates on our master list; this means that the list of affected individuals may be smaller.<br><br>At this time,
we are unable to determine the number of New Hampshire residents, if any, who will be notified of this incident because the information maintained on the laptop did not include addresses, but we will provide a list at a later date if we find that New Hampshire residents were affected.<br><br>Letters will be sent to these individuals as soon as we receive their addresses from their employers or the third parties who arranged for the insurance quotes.<br><span style="font-style: italic;">[Evan] It seems to me that the "employers or the third parties" have a significant role in this breach also.&nbsp; I wonder if information security personnel at the "employers or the third parties" were aware and approved of the sharing of personal information with R.E. Moulton.&nbsp; If they were, then I wonder if they followed good protocol and evaluated the information security practices of R.E. Moulton.</span><br><br>Those employers and third parties were notified of this incident during the week of May 5, 2008 and are currently collecting the needed addresses.<br><span style="font-style: italic;">[Evan] Employers and third parties were notified almost 2 months after the theft.</span><br><br>Depending on the length of time needed to collect addresses, we hope to start sending letters to the affected individuals in June.<br><span style="font-style: italic;">[Evan] Add the amount of time referred to in this sentence to the ~2 months that have already passed and then add this to the time to address letters and you get a long time before victims are notified.&nbsp; I presume some victims will never be notified.</span><br><br>Please know that we have taken this incident very seriously.<br><span style="font-style: italic;">[Evan] Action speaks louder than words.</span><br><br>While we do not anticipate that any of the information will be used for unauthorized or malicious purposes, to help those whose information was involved, we have engaged ConsumerInfo.com, Inc., an Experian 
company, to provide those individuals with one year of credit monitoring at no cost to them.<br><br>Please note that we are committed to protecting our customers and that we are constantly improving our processes to avoid any further reoccurrences.<br><br>In addition, appropriate steps have been taken to prevent future disclosures of this information.<br><span style="font-style: italic;">[Evan] What steps have been taken?&nbsp; It seems to me that data owners deserve more detail and explanation.</span><br><br>We sincerely apologize for any inconvenience or worry this may have caused you.<br><br>We encourage you to contact the company at 800-553-5318 with any questions or concerns.<br><br><span style="font-weight: bold;">From the FAQs:</span><br>Q.&nbsp; What is being done by R.E. Moulton to prevent a similar incident from occurring?<br>A.&nbsp; R.E. Moulton had procedures in place to protect customer information and is constantly reviewing those procedures in light of developments in information security and the evolution of criminal activity.<br><span style="font-style: italic;">[Evan] What do you think of this answer?</span><br><br><span style="font-weight: bold;">Commentary:</span><br>I get especially frustrated by breaches that involve confidential information on a stolen laptop.&nbsp; Stolen laptops are one of, if not the most common types of breaches that we read about, yet the frequency of reports does not seem to be subsiding.&nbsp; Can an organization claim that they didn't know any better?&nbsp; At what point does risky information security behavior become negligent?<br><br>I suspect that most victims don't even know that R.E. Moulton had their personal information.&nbsp; This makes the breach a little more troubling.<br><br>I accept mistakes because we all make them.&nbsp; I also accept security incidents that occur despite an organization's best efforts at protection.&nbsp; I don't accept poor behavior that seems to go against common sense. 
<br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown<br><br>
]]></content:encoded>
      <!-- NOTE(review): the source post ended here with a remote FeedBurner <script src="http://feeds.feedburner.com/..."> tag; dropped as tracking/flare markup, not article content. Feed HTML is untrusted input: aggregators should strip script and inline event handlers before rendering content:encoded. -->
      <pubDate>Sun, 15 Jun 2008 18:15:45 +0000</pubDate>
      <category domain="http://securityratty.com/tag/sensitive personal information">sensitive personal information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/information security practices">information security practices</category>
      <category domain="http://securityratty.com/tag/confidential information">confidential information</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/moulton">moulton</category>
      <category domain="http://securityratty.com/tag/laptop">laptop</category>
      <category domain="http://securityratty.com/tag/information security personnel">information security personnel</category>
      <source url="http://breachblog.com/2008/06/15/oneamerica.aspx">Laptop stolen from R.E. Moulton may affect 19,000</source>
    </item>
    <item>
      <title><![CDATA[Microsoft Security Intelligence Report 2H07]]></title>
      <link>http://securityratty.com/article/1700864bf4331ec38e7c0a2d5800f940</link>
      <guid>http://securityratty.com/article/1700864bf4331ec38e7c0a2d5800f940</guid>
      <description><![CDATA[Yesterday, Microsoft published the new Security Intelligence Report for the 2nd half of 2007. (home page is http://www.microsoft.com/sir, and the download page is here).
As one of the contributors for...]]></description>
      <content:encoded><![CDATA[<p><a href="http://www.microsoft.com/sir"><img style="border-right: 0px; border-top: 0px; border-left: 0px; border-bottom: 0px" height="328" alt="sir4-cover" src="http://blogs.technet.com/blogfiles/security/WindowsLiveWriter/MicrosoftSecurityIntelligenceReport2H07_60C1/sir4-cover_1.png" width="254" align="right" border="0"></a></p> <p>Yesterday, Microsoft published the new Security Intelligence Report for the 2nd half of 2007. (home page is <a href="http://www.microsoft.com/sir">http://www.microsoft.com/sir</a>, and the download page is <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=BCC879DB-9FE6-4331-B231-E274EA8FC804&amp;displaylang=en">here</a>).</p> <p>As one of the contributors for the report, I'd like to highlight the findings summary for the Industry vuln trends:</p> <ul> <li>Vulnerability disclosures decreased by about 5 percent in 2007, reversing a multiyear trend of increasing disclosures. Almost all of this decrease was observed in the second half of the year, which had the fewest disclosures since 2H05.<br></li> <li>Despite the decrease, the number of new disclosures across the industry remains in the thousands, with the number of disclosures in 2007 surpassing that of every other year in the study except 2006.<br></li> <li>The Common Vulnerability Scoring System (CVSS) used to score vulnerabilities in the NVD was revised in 2007 to increase its accuracy, consistency, and applicability. Retroactively applying the new formula to vulnerabilities disclosed in previous years classifies a much higher percentage of vulnerabilities as High-severity than was previously<br>the case. The vulnerabilities disclosed in 2007 continue this trend, with High-severity vulnerabilities accounting for about half of the total number of vulnerabilities.<br></li> <li>Vulnerabilities requiring a Low-level of complexity in order to exploit accounted for<br>about half of all vulnerabilities disclosed in 2H07. 
Although this number is relatively<br>large, the number has declined significantly from earlier periods.</li></ul> <p>Here is the high level trend chart from the report:</p> <p><a href="http://blogs.technet.com/blogfiles/security/WindowsLiveWriter/MicrosoftSecurityIntelligenceReport2H07_60C1/sir4-vulns.png"><img style="border-right: 0px; border-top: 0px; border-left: 0px; border-bottom: 0px" height="375" alt="sir4-vulns" src="http://blogs.technet.com/blogfiles/security/WindowsLiveWriter/MicrosoftSecurityIntelligenceReport2H07_60C1/sir4-vulns_thumb.png" width="644" border="0"></a> </p> <p>Regards ~ Jeff</p><img src="http://blogs.technet.com/aggbug.aspx?PostID=3043429" width="1" height="1">]]></content:encoded>
      <pubDate>Wed, 23 Apr 2008 10:03:16 +0000</pubDate>
      <category domain="http://securityratty.com/tag/score vulnerabilities">score vulnerabilities</category>
      <category domain="http://securityratty.com/tag/vulnerabilities">vulnerabilities</category>
      <category domain="http://securityratty.com/tag/report">report</category>
      <category domain="http://securityratty.com/tag/security intelligence report">security intelligence report</category>
      <category domain="http://securityratty.com/tag/high-severity vulnerabilities">high-severity vulnerabilities</category>
      <category domain="http://securityratty.com/tag/trend">trend</category>
      <category domain="http://securityratty.com/tag/disclosures">disclosures</category>
      <category domain="http://securityratty.com/tag/level trend chart">level trend chart</category>
      <category domain="http://securityratty.com/tag/vulnerability disclosures">vulnerability disclosures</category>
      <source url="http://blogs.technet.com/security/archive/2008/04/23/microsoft-security-intelligence-report-2h07.aspx">Microsoft Security Intelligence Report 2H07</source>
    </item>
    <item>
      <title><![CDATA[Vulnerability Roundup]]></title>
      <link>http://securityratty.com/article/709a615862c23ef6d0aaf32f6fe4ef97</link>
      <guid>http://securityratty.com/article/709a615862c23ef6d0aaf32f6fe4ef97</guid>
      <description><![CDATA[The last couple of days have seen a series of vulnerability disclosures and security...]]></description>
      <content:encoded><![CDATA[The last couple of days have seen a series of vulnerability disclosures and security updates.<br style="clear: both;"/>
  <img alt="" style="border: 0; height:1px; width:1px;" border="0" src="http://www.pheedo.com/img.phdo?i=4092c257c13535376391fdaaef1a1259" height="1" width="1"/>
<img src="http://www.pheedo.com/feeds/tracker.php?i=4092c257c13535376391fdaaef1a1259" style="display: none;" border="0" height="1" width="1" alt=""/><img src="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~4/272268265" height="1" width="1"/>]]></content:encoded>
      <pubDate>Thu, 17 Apr 2008 07:57:11 +0000</pubDate>
      <category domain="http://securityratty.com/tag/vulnerability disclosures">vulnerability disclosures</category>
      <category domain="http://securityratty.com/tag/couple">couple</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/series">series</category>
      <category domain="http://securityratty.com/tag/days">days</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/272268265/vulnerability_roundup.html">Vulnerability Roundup</source>
    </item>
    <item>
      <title><![CDATA[New Privacy Policy Wrinkles: Online Behavioral Advertising; and Potential new EU Data Protection Policy]]></title>
      <link>http://securityratty.com/article/a4aaf8f41234bcf272bd0d3846df8514</link>
      <guid>http://securityratty.com/article/a4aaf8f41234bcf272bd0d3846df8514</guid>
      <description><![CDATA[Last year, Google proposed a $3.1 billion acquisition of Doubleclick , which prompted consideration of the acquisition by the Federal Trade Commission and a hearing before the Senate Judiciary...]]></description>
      <content:encoded><![CDATA[<p>Last year, <a href="http://online.wsj.com/article/SB117649916507469517.html?mod=home_whats_news_us">Google proposed a $3.1 billion acquisition of Doubleclick</a>, which prompted consideration of the acquisition by the Federal Trade Commission and a <a href="http://www.ftc.gov/opa/2007/12/googledc.shtm">hearing</a> before the Senate Judiciary Committee’s subcommittee on Antitrust, Competition Policy and Consumer Rights. Both the FTC and the Senate were addressing not only anti-trust risks for competition but also the implications for consumer privacy of a merger of the leading Web search engine and leading behavioral advertising provider.</p>

<p>The discussion led the FTC to suggest last month that Web advertisers using behavioral targeting consider adopting several privacy principles, called &quot;<a href="http://www.ftc.gov/opa/2007/12/principles.shtm">Governing Principles For Online Behavioral Advertising</a>&quot; (the Principles are excerpted below). The FTC has suggested that these should be considered for implementation as private-sector self-regulation, in the same way that earlier online privacy principles had been adopted as US private-sector self-regulation in response to the Safe Harbor agreement to meet the privacy mandates of the European Union’s Data Protection Directive. The FTC is presently soliciting private-sector comment on these principles and their impact on online commerce.<br /><br /><strong>FTC-proposed Governing Principles For Online Behavioral Advertising Privacy</strong></p><blockquote dir="ltr"><p>To address the need for greater transparency and consumer control regarding privacy issues raised by behavioral advertising, the FTC staff proposes: </p>

<ul><li>Every Web site where data is collected for behavioral advertising should provide a clear, consumer-friendly, and prominent statement that data is being collected to provide ads targeted to the consumer and give consumers the ability to choose whether or not to have their information collected for such purpose.</li></ul>

<p>To address the concern that data collected for behavioral advertising may find its way into the hands of criminals or other wrongdoers, and concerns about the length of time companies are retaining consumer data, the FTC staff proposes:</p>

<ul><li>Any company that collects or stores consumer data for behavioral advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need. </li></ul>

<p>To address the concern that companies may not keep their privacy promises when they change their privacy policies, FTC staff proposes:</p>

<ul><li>Companies should obtain affirmative express consent from affected consumers before using data in a manner materially different from promises the company made when it collected the data.</li></ul>

<p>To address the concern that sensitive data – medical information or children’s activities online, for example – may be used in behavioral advertising, FTC staff proposes:</p>

<ul><li>Companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising. </li>

<li>FTC staff also seeks comment on what constitutes “sensitive data” and whether the use of sensitive data should be prohibited, rather than subject to consumer choice.</li></ul>

<p>The staff is seeking additional information about whether tracking data is being used for purposes other than behavioral advertising and whether such secondary uses, if they occur, merit some form of heightened protection. </p></blockquote><p>These principles and the US self-regulatory approach to the issue of behavioral advertising were presented this month to the <a href="http://www.europarl.europa.eu/meetdocs/2004_2009/documents/dv/programme_rev2_0/programme_rev2_0EN.pdf">European Parliament’s Committee on Civil Liberties, Justice and Home Affairs</a>. The committee was considering the privacy policy implications of&nbsp; &nbsp;</p><blockquote dir="ltr"><p>&quot;...&quot;behavioural marketing&quot; founded on computerized data collection and on targeted advertising which are creeping into nearly every aspect of the social and commercial transactions – searching, browsing, networking, emailing and telephoning. This new situation, however, raises some critical issues about the sufficiency of&nbsp; companies’ disclosures, the level of consumers’ understanding and control of their personal information as well as the security and confidentiality of the massive amount of sensitive personal data. Moreover, behavioral marketing directed at vulnerable individuals, such as young people and teens, clearly raises the question of the degree of privacy protection.&quot;</p></blockquote><p>These discussions are preparatory to the pending update of EU Directive 2002/58/EC on data and consumer protection in the telecommunication domain by the Article 29 Working Party of the EU Directorate General for Justice, Freedom and Security. This group also is currently preparing a report on how well the privacy policies of the search engines of Google, Yahoo!, Microsoft, and others comply with the mandates of the EU’s Data Protection Directive.</p>

<p>A comment made by the chair of this group during the parliamentary meeting this month suggested that the Article 29 Working Party is considering establishing, as EU policy, that Internet Protocol (IP) addresses associated with a specific person are to be treated as &quot;personal data&quot; and thus subject to the legal protections provided under the EU Data Protection Directive.</p>

<p>If this position should in fact become the basis for EU privacy policy, it could have enormous implications for Internet search engine operations within EU nations and may also impact the provisions of the US Safe Harbor agreement with the EU. This blog will track this activity as it unfolds and update events as they occur. Stay tuned.</p>]]></content:encoded>
      <pubDate>Thu, 31 Jan 2008 08:24:31 +0000</pubDate>
      <category domain="http://securityratty.com/tag/consumer">consumer</category>
      <category domain="http://securityratty.com/tag/consumer protection">consumer protection</category>
      <category domain="http://securityratty.com/tag/privacy policy">privacy policy</category>
      <category domain="http://securityratty.com/tag/consumer choice">consumer choice</category>
      <category domain="http://securityratty.com/tag/consumer data">consumer data</category>
      <category domain="http://securityratty.com/tag/constitutes sensitive data">constitutes sensitive data</category>
      <category domain="http://securityratty.com/tag/sensitive data">sensitive data</category>
      <category domain="http://securityratty.com/tag/protection">protection</category>
      <category domain="http://securityratty.com/tag/ftc staff">ftc staff</category>
      <source url="http://blogs.forrester.com/srm/2008/01/new-privacy-pol.html">New Privacy Policy Wrinkles: Online Behavioral Advertising; and Potential new EU Data Protection Policy</source>
    </item>
    <item>
      <title><![CDATA[Download: Windows Vista One Year Vulnerability Report]]></title>
      <link>http://securityratty.com/article/15d3146e9e5738e1933ff1cf99ebafec</link>
      <guid>http://securityratty.com/article/15d3146e9e5738e1933ff1cf99ebafec</guid>
      <description><![CDATA[Windows Vista shipped to business customers on the last day of November 2006, so the end of November 2007 marks the one year anniversary for supported production use of the product.
This paper analyzes...]]></description>
      <content:encoded><![CDATA[<p>Windows Vista shipped to business customers on the last day of November 2006, so the end of November 2007 marks the one year anniversary for supported production use of the product.</p> <p>This paper analyzes the vulnerability disclosures and security updates for the first year of Windows Vista and looks at it in the context of its predecessor, Windows XP, along with other modern workstation operating systems: Red Hat, Ubuntu and Apple products.</p> <p>The results of the analysis show that Windows Vista has an improved security vulnerability profile over its predecessor. Analysis of security updates also shows that Microsoft improvements to the security update process and development process have reduced the impact of security updates to Windows administrators significantly compared to its predecessor, Windows XP.</p> <p><a href="http://blogs.technet.com/security/attachment/2772991.ashx" mce_href="http://blogs.technet.com/security/attachment/2772991.ashx"><img src="http://www.microsoft.com//library/media/1033/windowsserver/compare/graphics/DownloadReport_nonsel.jpg" mce_src="http://www.microsoft.com//library/media/1033/windowsserver/compare/graphics/DownloadReport_nonsel.jpg"></a></p>]]></content:encoded>
      <!-- NOTE(review): the source post also carried a "Share this post" bookmarking table (del.icio.us, digg, live, technorati and yahoo links with inline onmouseover/onmouseout handlers) and a 1x1 aggbug tracking pixel; dropped as chrome, not article content. Inline event handlers inside feed HTML are active content and should be stripped by consumers before rendering. -->
      <pubDate>Wed, 23 Jan 2008 13:19:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/windows">windows</category>
      <category domain="http://securityratty.com/tag/windows vista">windows vista</category>
      <category domain="http://securityratty.com/tag/security vulnerability profile">security vulnerability profile</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/windows administrators significantly">windows administrators significantly</category>
      <category domain="http://securityratty.com/tag/systems red hat">systems red hat</category>
      <category domain="http://securityratty.com/tag/predecessor">predecessor</category>
      <category domain="http://securityratty.com/tag/development process">development process</category>
      <category domain="http://securityratty.com/tag/process">process</category>
      <source url="http://blogs.technet.com/security/archive/2008/01/23/download-windows-vista-one-year-vulnerability-report.aspx">Download: Windows Vista One Year Vulnerability Report</source>
    </item>
    <item>
      <title><![CDATA[TJX Lessons]]></title>
      <link>http://securityratty.com/article/a30b1fa258877291f96498379daa8d56</link>
      <guid>http://securityratty.com/article/a30b1fa258877291f96498379daa8d56</guid>
      <description><![CDATA[Very enlightening read on TJX lessons one year later. Highlights:

Breach disclosures don't always affect revenue or stock prices ... Despite being the biggest, costliest and perhaps most...]]></description>
      <content:encoded><![CDATA[Very enlightening read on <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=security&amp;articleId=9057758">TJX lessons one year later</a>. Highlights:<br /><br />"<strong>Breach disclosures don't always affect revenue or stock prices ...</strong>  Despite being the biggest, costliest and perhaps most written-about breach ever, customer and investor confidence in TJX has remained largely unshaken."<br /><br />"TJX has said that in the 12 months since the breach was disclosed, it has spent or set aside about <span style="font-weight: bold;">$250 million in breach-related costs</span>."<br /><br />"... <span style="font-weight: bold;">many retailers</span>, including top-tier ones like TJX, <span style="font-weight: bold;">had not yet fully implemented </span>the set of security controls mandated by the major credit card companies under the Payment Card Industry Data Security Standard, or <span style="font-weight: bold;">PCI</span>."<div class="blogger-post-footer">About me: http://www.chuvakin.org</div><div class="feedflare">
<a href="http://feeds.feedburner.com/~f/AntonChuvakinPersonalBlog?a=EAg8sAD"><img src="http://feeds.feedburner.com/~f/AntonChuvakinPersonalBlog?i=EAg8sAD" border="0"></img></a> <a href="http://feeds.feedburner.com/~f/AntonChuvakinPersonalBlog?a=OiGkLvD"><img src="http://feeds.feedburner.com/~f/AntonChuvakinPersonalBlog?i=OiGkLvD" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/AntonChuvakinPersonalBlog/~4/221240047" height="1" width="1"/>]]></content:encoded>
      <pubDate>Tue, 22 Jan 2008 11:11:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/tjx lessons">tjx lessons</category>
      <category domain="http://securityratty.com/tag/tjx">tjx</category>
      <category domain="http://securityratty.com/tag/breach">breach</category>
      <category domain="http://securityratty.com/tag/breach disclosures">breach disclosures</category>
      <category domain="http://securityratty.com/tag/written-about breach">written-about breach</category>
      <category domain="http://securityratty.com/tag/security controls">security controls</category>
      <category domain="http://securityratty.com/tag/affect revenue">affect revenue</category>
      <category domain="http://securityratty.com/tag/set">set</category>
      <category domain="http://securityratty.com/tag/stock prices">stock prices</category>
      <source url="http://feeds.feedburner.com/~r/AntonChuvakinPersonalBlog/~3/221240047/tjx-lessons.html">TJX Lessons</source>
    </item>
    <item>
      <title><![CDATA[205 University of Wisconsin employees exposed]]></title>
      <link>http://securityratty.com/article/532a5411c13a060dfb6ccec0190642c8</link>
      <guid>http://securityratty.com/article/532a5411c13a060dfb6ccec0190642c8</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
1/16/08

Organization
University of Wisconsin

Contractor/Consultant/Branch
None

Victims
Certain faculty and staff members who made purchases from the...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/uwisconsin.jpg" align="right" height="118" width="82"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>1/16/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.wisc.edu/" target="_blank"> University of Wisconsin</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Certain faculty and staff members who made purchases from the DoIT computer shop<br><br><span style="font-weight: bold;">Number Affected:</span><br>205<br><br><span style="font-weight: bold;">Types of Data:</span><br>University identification numbers*, email addresses and telephone numbers<br><br><font size="1">*205 of the persons affected had university identification number based on their Social Security numbers</font><br><br><span style="font-weight: bold;">Breach Description:</span><br>Personal information belonging to University of Wisconsin at Madison faculty and staff members who made purchases from the DoIT "computer shop" was exposed on a publicly accessible web server.<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.madison.com/tct/news/267604" target="_blank"> The Capital Times news story</a> <br><a href="http://www.jsonline.com/story/index.aspx?id=708970" target="_blank"> Milwaukee Journal Sentinel news story</a> <br><a href="http://www.upi.com/NewsTrack/Top_News/2008/01/17/social_security_info_leaked_at_university/9001/" target="_blank"> United Press International news story</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>David Callender, The Capital Times<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>UW-Madison officials waited more than a month before advising more than 200 faculty and staff members of a potential exposure of their personal information on the Internet 
last year.<br><br>The personal information -- including e-mail addresses, phone numbers and Social Security-based campus ID numbers of faculty and staff who made purchases from the DoIT computer shop -- had been accessible on a campus Internet site for at least a year, said Brian Rust, communications manager for the UW's department of information technology<br><span style="font-style: italic;">[Evan] One year before being noticed is too long.&nbsp; Is the DoIT site regularly tested for information security vulnerabilities?&nbsp; It should!</span><br><br>Rust said the Web-based database for DoIT employees was intended to keep track of sales transactions for statistical purposes.<br><span style="font-style: italic;">[Evan] I wonder what personally identifiable information serves for statistical purposes.</span><br><br>He said the department only learned that purchasers' campus ID numbers -- some of which still use Social Security numbers -- could be accessed after a UW staffer found information about his own DoIT purchase during a routine online search.<br><br>Rust said the employees involved in the exposure were reprimanded, but declined to say what exactly their punishment entailed.<br><br>According to a letter to the affected faculty and staff dated Jan. 7, UW senior legal counsel Nancy Lynch wrote that the university became aware of the problem on Nov. 
26.<br><br>Lynch wrote employees that their e-mail addresses, phone numbers and Social Security numbers were "inadvertently disclosed."<br><br>But Rust said the information did not constitute a security breach, since there was no indication that any unauthorized person -- other than the one staff member -- had actually accessed the information.<br><span style="font-style: italic;">[Evan] Say huh?&nbsp; I guess it depends on your definition.&nbsp; According to Princeton University's WordNet, a breach is "a failure to perform some promised act or obligation" or "an opening (especially a gap in a dike or fortification)".&nbsp; According to Wisconsin law, a breach is "unauthorized acquisition of personal information", so I suppose if you have no evidence of the "unauthorized acquisition" you could get away with this statement.&nbsp; Please don't think about running a web server without logging to show unauthorized access! </span><br><br>Rust said the UW delayed notifying staff members because it had to determine whether any information had been used, develop corrective measures, and ascertain the UW's legal liability. 
He said the UW complied with a state law requiring anyone affected by such an exposure to be notified within 45 days of the event.<br><span style="font-style: italic;">[Evan] But if this was not a security breach, then why follow the Wisconsin "breach" notification law?</span><br><br>Rust acknowledged that although the faculty and staff names may not have been included in the information that was disclosed, in many cases their identity could be gleaned from their e-mail addresses, which usually consist of all or part of an individual's name, and from online directories that allow searches by phone number.<br><span style="font-style: italic;">[Evan] Yes, this is a good point.&nbsp; Many UW-Madison email addresses follow a naming convention.</span><br><br>He also admitted that the exposure was due to the design of the database, which had been in use for about a year. He said that programmers knew the information could be accessed from outside, but apparently no one recognized that the data might include Social Security numbers and other personal information.<br><span style="font-style: italic;">[Evan] Nuts.&nbsp; When do information security personnel get involved?</span><br><br>Rust said that, in contrast to those disclosures, anyone looking for personal information would have had to find the DoIT Web site in question and then would have had to know that some campus ID numbers still use Social Security numbers.<br><span style="font-style: italic;">[Evan] It's not hard to find!&nbsp; <a href="http://www.doit.wisc.edu/" target="_blank">www.doit.wisc.edu/</a>&nbsp; <a href="http://techstore.doit.wisc.edu/" target="_blank">techstore.doit.wisc.edu/</a>.&nbsp; Security through obscurity DOES NOT work.&nbsp; Just because the information may not be easy to find does not ensure that it is secure.&nbsp; Didn't the person who found this stumble upon it while 
doing an internet search?</span><br><br>In an effort to control the release of personal information, the UW stopped using students' and employees' Social Security numbers as part of their campus ID numbers several years ago. But some longtime employees have not changed that ID number to a new, randomly generated number, he said.<br><span style="font-style: italic;">[Evan] This is an excellent move by the University of Wisconsin, seriously.</span><br><br>"It's not to say that we're not taking responsibility for this exposure, but this is a reminder that if people don't want something like this to ever happen again, then they should really change that number," he said, adding that DoIT plans to phase out all Social Security-based ID numbers within about a year.<br><span style="font-style: italic;">[Evan] This statement is troubling.</span><br><br><span style="font-weight: bold;">Commentary:</span><br>I have many issues with this breach and follow-up statements by the university.&nbsp; Too many for a blog posting.&nbsp; What issues do you find? <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
<script src="http://feeds.feedburner.com/%7Es/breachblog?i=http://breachblog.com/2008/01/21/uwisconsin.aspx" type="text/javascript" charset="utf-8"></script>]]></content:encoded>
      <pubDate>Mon, 21 Jan 2008 11:44:21 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/information security vulnerabilities">information security vulnerabilities</category>
      <category domain="http://securityratty.com/tag/social">social</category>
      <category domain="http://securityratty.com/tag/include social security">include social security</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/identifiable information serves">identifiable information serves</category>
      <category domain="http://securityratty.com/tag/information security personnel">information security personnel</category>
      <category domain="http://securityratty.com/tag/computer shop">computer shop</category>
      <source url="http://breachblog.com/2008/01/21/uwisconsin.aspx">205 University of Wisconsin employees exposed</source>
    </item>
    <item>
      <title><![CDATA[Microsoft Security Intelligence Report - 1st Half 2007]]></title>
      <link>http://securityratty.com/article/bc97e116b6631c3005582aa415e52056</link>
      <guid>http://securityratty.com/article/bc97e116b6631c3005582aa415e52056</guid>
      <description><![CDATA[The third volume of the Microsoft Security Intelligence Report (SIR) is now available for download at: www.microsoft.com/sir - this link will take you to a summary portal that has links to the...]]></description>
      <content:encoded><![CDATA[<p>The third volume of the Microsoft Security Intelligence Report (SIR) is now available for download at:&nbsp; <a href="http://www.microsoft.com/sir">www.microsoft.com/sir</a>&nbsp;- this link will take you to a summary portal that has links to the downloadable document, upcoming webcasts about the SIR results, and so on.</p> <p>As one of the primary authors for the vulnerability trends information, I will be hosting one of the webcasts on November 1, 2007 and you can register here:&nbsp; <a href="http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=1032356579&amp;EventCategory=4&amp;culture=en-US&amp;CountryCode=US">Microsoft Security Intelligence Report: Overview of Latest Trends in Vulnerabilities and Malicious Software (Level 100)</a>. </p> <p>If you want to quickly download the report in pdf, click on <a href="http://download.microsoft.com/download/a/a/1/aa1ac20e-514e-4ec1-a12e-022c35aa54cf/MS_Security_Report_Jan-Jun07.pdf">this link</a>.</p> <p>There are lots of interesting results (with charts) in the SIR and I encourage you to look at the whole report.&nbsp; However, here are a few of the things I would call out to you.</p> <p>The number of disclosures of new software vulnerabilities across the industry continues<br>to be in the thousands, with more than 3,400 new vulnerabilities disclosed in<br>1H07. But this number actually represents a decrease from 2H06, the first period-to-period<br>decline in total vulnerabilities since 2003.  
<p><a href="http://blogs.technet.com/blogfiles/security/WindowsLiveWriter/MicrosoftSecurityIntelligenceReportH1200_70A9/sir3f6.png" atomicselection="true"><img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="313" alt="sir3f6" src="http://blogs.technet.com/blogfiles/security/WindowsLiveWriter/MicrosoftSecurityIntelligenceReportH1200_70A9/sir3f6_thumb.png" width="560" border="0"></a></p> <p>Note however,&nbsp;another trend&nbsp;as shown in the chart.&nbsp; High severity vulnerabilities continue to&nbsp;grow significantly, while&nbsp;the overall total flattened out.&nbsp;&nbsp; In the full report, you'll also note a trend reversal with complexity to exploit dropping as well.</p> <p>There are a couple of other interesting results that I want to call out that you should examine with more detail in the full report</p> <ul> <li>Social engineering plays a growing role in overall malware attack techniques.&nbsp; This is a key result since <a href="http://blogs.csoonline.com/node/467">even with vulnerability-free software</a>, these techniques could succeed against users of any platform.  <li>Windows Defender has proportionally detected 2.8 times less potentially unwanted software on computers running Windows Vista than on computers running Windows XP SP2, based on normalized data.&nbsp;&nbsp; This is a practical measure of benefit that is somewhat more valuable in my opinion than vulnerability comparisons.</li></ul> <p>That is enough teasers. Download the report at <a href="http://www.microsoft.com/sir">www.microsoft.com/sir</a>. </p> <p>Regards ~ Jeff</p><img src="http://blogs.technet.com/aggbug.aspx?PostID=2236037" width="1" height="1">]]></content:encoded>
      <pubDate>Tue, 23 Oct 2007 12:35:43 +0000</pubDate>
      <category domain="http://securityratty.com/tag/total vulnerabilities">total vulnerabilities</category>
      <category domain="http://securityratty.com/tag/vulnerabilities">vulnerabilities</category>
      <category domain="http://securityratty.com/tag/report">report</category>
      <category domain="http://securityratty.com/tag/severity vulnerabilities continue">severity vulnerabilities continue</category>
      <category domain="http://securityratty.com/tag/software vulnerabilities">software vulnerabilities</category>
      <category domain="http://securityratty.com/tag/malicious software">malicious software</category>
      <category domain="http://securityratty.com/tag/sir results">sir results</category>
      <category domain="http://securityratty.com/tag/software">software</category>
      <category domain="http://securityratty.com/tag/results">results</category>
      <source url="http://blogs.technet.com/security/archive/2007/10/23/microsoft-security-intelligence-report-1st-half-2007.aspx">Microsoft Security Intelligence Report - 1st Half 2007</source>
    </item>
  </channel>
</rss>
