[SecurityRatty] tag: hmrc

Timing is Everything...

Sun, 06 Jul 2008 20:00:00 +0000

I don't want to spend all my time on this blog talking about HMRC (otherwise referred to in the UK as "the taxman"), but a colleague just forwarded me a phishing email he'd just received purporting to be from them, asking him to resubmit his personal details as a "new security measure" While in itself there's nothing particularly big or clever about this attack, it's interesting in that it illustrates a couple of key things. Firstly, that sometimes in order for an attack to be successful, timing is everything...

Why I welcome the Hannigan Report

Thu, 03 Jul 2008 14:00:00 +0000

As an RSA 'Evangelist' with pan-EMEA responsibilities, I obviously take a special interest in what's happening in the information security world that pertains to this region. Last week saw the publication in the UK of the long-awaited Hannigan Report -- detailing the steps that UK Government departments have taken -- and are expected to take -- to mitigate recent data leakage events which have occurred, most notably in the instance of HMRC.

It's a cracking read and one I'd recommend to all insomniacs with an penchant for such topics, but I have to say, I'm actually pretty encouraged by what I read...

Security Briefing: July 2nd

Wed, 02 Jul 2008 09:20:43 +0000

Back in the saddle again. It’s a short week for both sides of the border here in North America. Happy post Canada Day to my brethren and a Happy (and approaching) July 4th to our cousins to the south.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

2600 HOPE conference bringing hacking to New York City (and we’ll see you there) | CNET
FBI Investigating Major ATM Hacking Ring | Las Vegas Now
Study: Unpatched Web Browsers Prevalent on the Internet | PC World
Netherlands man arrested for hacking 50,000 credit cards | Security Pro Portal
Vint Cerf Says Government Needs To Encourage Internet Competition | Information Week
The Government’s Top Hackers? | Veracode
HSBC sites vulnerable to XSS flaws, could aid phishing attacks | ZDNet
HMRC goes cap-in-hand to Americans for help with fraud | The Independent

Tags: News, Daily Links, Security Blog, Information Security, Security News

Can The Gov Be Trusted With Your Personal Data?

Thu, 26 Jun 2008 08:44:35 +0000

Survey says…(insert buzzer noise)

Faith in the (UK) gov’s ability to securely manage personal data is out the window.

From Reuters:

The inquiries followed Britain’s biggest data loss scandal, when two discs containing child benefit records, including names, addresses and bank details, of some 25 million people, went missing after being put in the post by a junior employee.

The reports concluded that it wasn’t individuals who were to blame - some 30 were officials played some role in events leading to the loss of the discs - but institutional and systematic failures at Britain’s tax authority.

But the HMRC is not alone in such security breaches. A separate report into a stolen laptop containing the details of 600,000 potential recruits revealed similar failings at the Ministry of Defence. In all, four MoD computers had been stolen since 2004 and the report said the MoD was probably in breach of several principles set out in the Data Protection Act.

Well, where do you stand? Do you trust your respective government not to punt on data security?

Read on.

Article Link

HMRC data debacle used to bait phishing lure

Fri, 22 Feb 2008 12:26:29 +0000

A phishing attack targeting victims of the HMRC data loss debacle has been spotted on the net.

GE Money and Iron Mountain unable to locate tape

Mon, 07 Jan 2008 11:01:37 +0000

Technorati Tag: Security Breach

Date Reported:
12/28/07

Organization:
GE Money

Contractor/Consultant/Branch:
Iron Mountain

Victims:
GE Money Bank customers

Number Affected:
Not disclosed*

*"found 1,851 instances where of active account number tied to a New Hampshire resident's name and ~20 cases where a SSN was included" This is New Hampshire information ONLY as stated in the breach notification.

Types of Data:
Names, addresses, Social Security numbers, and credit card numbers.

Breach Description:
GE Money and it's backup storage vendor, Iron Mountain are unable to locate a backup tape. The unencrypted tape contained sensitive personal information belonging to GE Money customers and is one out of a set of nine that were sent to Iron Mountain sometime last year.

Reference URL:
State of New Hampshire Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the official New Hampshire breach notification and letter sent to affected persons:

Our storage vendor, Iron Mountain, has been unable to locate a single backup tape from a set of 9 that we delivered to them last year.
[Evan] I am a little surprised. In my dealings with Iron Mountain they have done an excellent of inventory control.

This unencrypted tape, which was being retained at a secure, offsite storage facility, included your name, address, and Social Security number, as well as your [CLIENT1] credit card account number
[Evan] Unencrypted backup tapes containing confidential information is bad karma. Just ask IBM, Kraft, The Hartford, HMRC, etc.

It was checked into their secure facility and never checked out, and a search of their premises and ours has been unable to locate it.

There is no record of the tape being removed from the facility and we have no indication that your personal information has been or will be used inappropriately

We have restored the contents of that tape from the next full set and have nearly completed a search for any sensitive consumer information.

Although we believe the chance for misuse is very low, we are notifying individuals via first class mail, and providing a toll-free number for them to contact us with any questions.

We have found 1,851 instances where of active account number tied to a New Hampshire resident's name and ~20 cases where a SSN was included.

GE Money regrets this incident and is committed to protecting its' customers and their information. Prior to learning of this incident we had already instituted additional security measure that will prevent any future occurrences.
[Evan] Let's hope this means that they are now encrypting sensitive data at rest, including that which resides on backup tapes. If in fact they are now encrypting this information, why not just say so?

We take our responsibility to safeguard your personal information seriously and regret any inconvenience this incident may have caused. We appreciate your understanding and thank you for being a GE Money Bank customer. If you have any questions about this situation, please do not hesitate to contact us at 1-866-913-6690, we are available Monday through Friday, 9:00 am to 7:00 pm EST.

Commentary:
GE Money is also offering 12 months of credit monitoring for those persons that had Social Security numbers on the lost tape. My thoughts on 12 months of credit monitoring are pretty well-known now. Personally identifiable information is good for a lifetime (and sometimes beyond) so 12 months is very limited, and "credit monitoring" alerts a victim after the fact.

It's hard to blame Iron Mountain too much for this breach, although they did lose the tape. Iron Mountain must handle millions and millions of tapes, maybe they should be allowed to lose one (or maybe two). GE Money handles some very sensitive personal information for their customers and encrypting backup tapes in not a new concept.

Past Breaches:
October, 2007 - Iron Mountain driver does not follow company procedures

HMRC loses data cartridge that affects 6,548 pensioners

Mon, 31 Dec 2007 20:30:11 +0000

Technorati Tag: Security Breach

Date Reported:
12/18/07

Organization:
HM Customs and Revenue (HMRC)

Contractor/Consultant/Branch:
None

Victims:
Countrywide Assured pension customers

Number Affected:
6,548

Types of Data:
Names, addresses, dates of birth, national insurance numbers*, and pension contributions.

*~equivalent to Social Security numbers in US

Breach Description:
A "data cartridge" sent from Countrywide Assured to Her Majesty's Revenue and Customs (HMRC) has been lost at an HMRC office in Cardiff. The data cartridge was sent via courier in September, 2007 and contained sensitive personal information belonging to Countrywide Assured pension customers.

Reference URL:
BBC News Story

Report Credit:
BBC News

Response:
From the online source cited above:

Names, addresses, date of births, national insurance numbers and pension contributions were included on a data cartridge which has been lost.
[Evan] This is all prime data for theft.

It had been sent by courier in September from Countrywide Assured.

signed for by HMRC but has since gone missing
[Evan] Not only does HMRC lose data in transit, but they also lose data in house.

It is understood that Countrywide Assured, which is based in Preston in Lancashire, has written letters to the 6,548 affected customers.

"It is very unlikely that any unauthorised person would be able to access the customer information due to the nature of the medium on which the data is held.
[Evan] Security through obscurity doesn't work. This is one of the oldest security fallacies in the book. Don't count on the nature of the medium to provide adequate security.

"We are taking this loss extremely seriously and have done everything possible to locate the data cartridge. We would like to apologise to all those affected."

The spokesman said PricewaterhouseCooper was carrying out an independent review of data loss and HMRC was implementing additional measures to ensure that confidential data was transported and held safely at all times.
[Evan] Its good to see that a third-party has been brought in to consult HMRC. It is obvious that they need it.

Commentary:
What can we say about the people responsible for ensuring confidential information remains secure at HMRC? This is the seventh breach concerning HMRC this year, and the fourth reported on The Breach Blog since October. The head of HMRC already resigned in November as a result of these breaches. Who else should be held accountable? I have lost patience with these people.

Obviously (or maybe not), the proper use of encryption would have offered better assurance of data security that does "the nature of the medium on which the data" was held. I sincerely hope that HMRC encrypts all confidential data at rest soon.

Past Breaches:
Six others reported in the last 12 months concerning HMRC.
November, 2007 - 25 million UK residents affected by HMRC breach
November, 2007 - 15,000 UK pensioners at risk through lost HMRC CD
October, 2007 - Stolen HMRC laptop affects 400

When Too Much Security Means No Security at All

Mon, 24 Dec 2007 09:30:19 +0000

We all know about the law of unintended consequences - the principle that the actions we take can have results that are unpredictable, and sometimes even the exact opposite of what we're hoping to achieve. Media reports out of the United Kingdom this week seem to offer a spectacular example of this principle at work in the world of enterprise security. The details are still emerging, but what's come out so far should be a wake-up call for security and risk professionals everywhere.

Last month, HM Revenue & Customs (HMRC), the U.K.'s tax and excise agency, acknowledged that it had suffered one of the worst data breaches in history (see "Data Loss Could Have Huge Impact on U.K. Banking Industry"). The agency had somehow managed to lose the entire national child benefits database, which contains highly confidential information on a staggering 25 million individuals - literally every household with dependent children in the U.K. The database was stored on two computer disks that were apparently lost while being transported and that still haven't been recovered. The U.K.'s citizens, who are very sensitive about privacy issues, were predictably outraged, parliamentary and regulatory inquiries were launched, and HMRC's chairman was forced to resign. But the agency blamed a single comparatively low-level staffer for causing the breach by downloading the benefits database onto disk. Now it looks like the story was a lot more complicated than that - and HMRC still hasn't learned its lessons from this debacle.

Reports in the U.K. media in the past few days suggest that the downloading was actually ordered by senior officials as part of official HMRC policy. As if that weren't bad enough, HMRC still seems to be working hard - even after the data breach - to make sure that most of its personnel don't even know what the agency's official policy is, much less follow it. It turns out that HMRC has a detailed policy manual governing the handling of confidential information. But in the days after the data breach, HMRC apparently decided that the manual itself was so sensitive that it had to be kept confidential. According to the media reports, only senior staff are allowed physical access to the manual, while lower-level personnel receive only a Web-based briefing that discusses general principles of security and confidentiality.

How are people supposed to follow a policy when they don't know what it is? I'll leave that question to the bright lights at HMRC. Even if they aren't ready to learn the lessons of this data breach, I hope you are. And one of the most important is that well-crafted, well-communicated security policies and policy documents are the bedrock of effective enterprise security. That's why Gartner security analyst Les Stevens recently published a three-part series of Toolkit documents focusing on creating, implementing and communicating an enterprise security framework. You can use these documents to build enterprisewide consensus on security issues, develop appropriate security policies and processes, and - crucially - communicate them to the necessary stakeholders within your enterprise. Take a look. I think you'll be glad you did.

Toolkit Best Practices: Creating a Security Policy Process (Security Policy Guidelines, Part 1)

Toolkit Best Practices: Creating a Security Policy Process (Security Policy Guidelines, Part 2)

Toolkit Best Practices: Creating a Security Policy Process (Security Policy Guidelines, Part 3)

The Breach Blog November Review

Tue, 04 Dec 2007 10:55:55 +0000

Technorati Tag: Security Breach

The Breach Blog Month in Review November, 2007

Thirty-nine (39) breaches were reported on the The Breach Blog during the month of November, 2007 compared with thirty-five (35) during the month of October. November ranks second to September (44) in the number of breaches reported in a month, since The Breach Blog began compiling reports in August.

The month started out like most of the others, with our first breach report coming on the first day of the month. On October 27th, Art.com, Inc. issued a statement to customers alerting them to the fact that a criminal Internet "hacker" illegally accessed a system or systems containing names and encrypted credit card information. We reported it on November 1st. Art.com should be complimented on their decision to encrypt sensitive data.

The most read breach of the month concerned a stolen laptop belonging to the United States Postal Service in Oahu, Hawaii that affected 3,000 postal workers. This breach was reported on The Breach Blog on November 2nd, so this may contribute to its link popularity for the month.

There were multiple organizations that reported their 2nd (or 3rd or 4th) breach since we started keeping track, and there were two organizations that reported more than one breach in November alone! Organizations that have reported breaches before, in addition to one or more in November include Her Majesty’s Revenue and Customs (3 total), Montana State University (4), Capital Health (2), United States Department of Veterans Affairs (2), and the State of Massachusetts (2). Montana State University reported three breaches and Her Majesty’s Revenue and Customs (HMRC) reported two in November alone!

The breach reported by Her Majesty’s Revenue and Customs (HMRC) was by far the single largest breach offender in terms of the number of affected individuals. HMRC reported lost “discs” containing sensitive information belonging to Standard Life pensioners on November 2nd, then followed up with lost “discs” containing sensitive information about 25,000,000 individuals AND 7,250,000 families. This single breach alone reportedly affects ½ of the British population! The head of HMRC resigned, and victims are left wondering. This breach occurred not only because of poor security but also lack of common sense.

It was an interesting month to say the least.

Summary
Anytime there is even one breach to report it means that someone’s life has been impacted by a failure of information security. It wasn’t the worst of months, but it certainly wasn’t the best either. November closed out with an estimated five billion dollar price tag with HMRC contributing 96+%.

Stats for November:
Number of breaches: 39
Number of victims: 25,944,451 (seven breaches unknown, 944,451 without HMRC) Average number of victims/breach: 665,242 (24,854 without HMRC)
Average cost/breach: $131,052,674 ($4,896,238 without HMRC)*
Total Cost: $5,111,056,847 (186,056,847 without HMRC)*
Most popular breach type: Stolen unencrypted laptop or device (9), Employee mistake (9)

Stats for October:
Number of breaches: 35
Number of victims: 943,419 (eight breaches unknown)
Average number of victims/breach: 26,954
Average cost/breach: $5,309,938*
Total Cost: $185,853,543*
Most popular breach type: Stolen unencrypted laptop (11)

*based on the number of victims multiplied by the average cost of $197 per lost/stolen record "investigating the breach, notifying customers, restoring security infrastructures and recovering lost business." (source Ponemon Institute's 2007 Cost of Data Breach Study)