Wednesday, December 22, 2010

New York Tourist Credit Card Information Hacked

Credit card data belonging to 110,000 New York City tour patrons has been stolen by attackers using a SQL injection attack, one of the oldest and simplest classes of web application attack. The attackers were able to access names, addresses, e-mail addresses, and credit card numbers together with expiration dates and security codes. Card security codes are not permitted to be stored after a transaction is authorized under PCI DSS, so their presence in the stolen data is itself a finding: the application was retaining data it should have discarded.

The organization, CitySights NY, has begun notifying customers and is offering them one year of free credit monitoring as well as a 50% off coupon for a future tour. A spokesperson for CitySights NY's parent company, Twin America, says that they are taking steps to improve data security: server access has been locked down and application firewalls have been installed. An application firewall can filter known injection patterns, but it is a compensating control; the underlying fix is to stop building SQL statements from untrusted input and to stop storing data that is never needed again.
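To show why an attack this old still works, here is an added example, written for this post and not code from the original page or from CitySights NY: a booking lookup written two ways against an in-memory SQLite table. The table, the customer rows and the card numbers are constructed test data (the numbers are the standard Visa and Mastercard test PANs), and the column layout is an assumption; nothing here comes from the incident itself. The vulnerable lookup splices the e-mail address into the SQL text, so a single quote in the input ends the string literal and the rest of the input is executed as SQL; the fixed lookup passes the value as a parameter.

```python
import sqlite3

# Constructed stand-in for a tour operator's order table; values are fake test
# data (assumption), not anything from the CitySights NY incident.
SAMPLE_ORDERS = [
    ("alice@example.com", "Alice Example", "4111111111111111", "12/13", "123"),
    ("bob@example.com",   "Bob Example",   "5555555555554444", "01/14", "456"),
]


def make_db() -> sqlite3.Connection:
    # Storing cvv at all is the second bug in this schema (PCI DSS forbids it
    # after authorization); it is kept here only to mirror what was stolen.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (email TEXT, name TEXT, pan TEXT, expiry TEXT, cvv TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", SAMPLE_ORDERS)
    return conn


def order_lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The classic bug: user input is spliced into the SQL text, so a quote in
    the input closes the string literal and the rest is parsed as SQL."""
    sql = "SELECT email, name, pan, expiry, cvv FROM orders WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def order_lookup_fixed(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the driver sends the value separately from the SQL,
    so the input can never change the statement's structure."""
    sql = "SELECT email, name, pan, expiry, cvv FROM orders WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two payloads an attacker would type into a "look up my booking" form.
PAYLOADS = [
    "x' OR '1'='1",   # WHERE email = 'x' OR '1'='1'   -> every row
    "x' OR 1=1 --",   # WHERE email = 'x' OR 1=1 --'   -> comment swallows the trailing quote
]


def demo() -> dict:
    """Row counts each payload returns from the vulnerable and the fixed lookup."""
    conn = make_db()
    return {
        "vulnerable": {p: len(order_lookup_vulnerable(conn, p)) for p in PAYLOADS},
        "fixed":      {p: len(order_lookup_fixed(conn, p)) for p in PAYLOADS},
    }


if __name__ == "__main__":
    for mode, counts in demo().items():
        for payload, n in counts.items():
            print(f"{mode:10s} {payload!r:20s} -> {n} row(s)")
```

Against the vulnerable lookup both payloads return every order, card number and security code included; against the parameterised lookup the same strings are simply e-mail addresses that match nothing. That is the whole fix, and it does not depend on a firewall recognising the payload.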

Tuesday, December 21, 2010

US Bank Accused of Data Breach Cover-Up

Two small business owners find themselves at the center of a class action lawsuit against banking giant US Bank over the accusation of a large-scale data breach cover-up. The family-owned online paintball retailer, Paintball Punks, received nine orders placed using US Bank credit cards. As was standard protocol, the card security codes and billing addresses were verified. Weeks later, US Bank customers began disputing the charges, and US Bank recouped its losses through chargebacks, in which the bank takes back the money that was paid to the retailer.

These chargebacks cost Paintball Punks over $11,000. While that amount seems small, the class action suit was filed because the scope of the alleged breach is unknown. After investigating the claims by US Bank, one owner says that a US Bank employee divulged that there had been a breach, but that it was never made public. If true, the cover-up would violate state and federal data breach notification laws. US Bank maintains that there was no breach and that the claims made in the lawsuit are wholly without merit.

Monday, December 20, 2010

Bank of America Breached: Employees Take Customer Data

According to papers filed last week at the New York Supreme Court, four former Bank of America employees left the organization for another wealth management firm and brought an unspecified number of customer databases with them.

The employees felt that they were entitled to the information in the databases based on a contact sharing protocol that many banks agree to during job negotiations. Bank of America denies agreeing to this protocol.

Further hearings on this case will take place in January. This case comes as Bank of America is rumored to be preparing for the posting of damaging leaked documents pertaining to the mortgage crisis, by the website WikiLeaks.

Thursday, December 16, 2010

Ohio State University Exposes 760,000 Identities – Largest Educational Institution Breach of 2010

The Ohio State University recently disclosed a large data breach that exposed 760,000 identities and could cost the university $4 million. OSU has notified all affected persons and has indicated that the servers accessed stored Social Security numbers, dates of birth, and addresses. Although there is no evidence that the data was actually taken, unauthorized access to personally identifiable information creates the potential for identity theft.

The $4 million cost associated with the breach includes consulting, notification, credit monitoring, and a call center for individuals with concerns. OSU has begun working with consulting firms to improve security; many steps must be taken to secure a university of this size.

Of the 68 breaches recorded at educational institutions in 2010, this one affected the largest number of records. It is also only one of many breaches the university has had: Ohio State averages 10 data breaches per year, and virtually all of them involve Social Security numbers.

Tuesday, December 14, 2010

McDonald’s Loses Customer Information to Hackers

Attackers stole an undetermined amount of customer information from another company's database. Arc Worldwide, a company hired by McDonald's to send promotional e-mail messages, was compromised, and McDonald's customer data including names, phone numbers, postal addresses, and e-mail addresses was accessed. The data does not include Social Security numbers, credit card numbers, or any financial information. McDonald's customers whose information was in this database have been contacted and advised not to respond to anyone claiming to be from McDonald's and asking for personal or financial information.

Do you entrust a business partner with any confidential information? Do you know whether they have the proper processes in place to prevent a leak? What about your own information: is it secure? Contact Attevo about a risk assessment. It could mean the difference between safe data and a data breach.


Thursday, December 9, 2010

Being honest about DLP in light of evolving malware and insider risk

We were recently posed the following question on a DLP message board:

Zeus and other trojans today encrypt data before they get sent over regular channels (HTTP) to the drop sites. It's also easy for users to install open source encryption software (e.g. TrueCrypt) and encrypt files before they get copied to USB drives.
The issue here is that DLP relies on content analysis and packet inspection, but if it can't be understood, DLP doesn't seem to be helpful. Short of draconian measures like blocking all USB ports or blocking all data that cannot be identified, are there practical ways that DLP or other means can help?
For the sake of discussion, let's leave aside techniques like better access control, application whitelisting, or tighter file permissions for now. I'd also like to leave aside data-at-rest scanning to preemptively encrypt and/or move to secure locations. The assumption is that users keep copies of sensitive files on their local PCs, unencrypted. Let's assume we're talking about a typical large enterprise that can't force their employees to only use certain applications and can't prevent them from using social networking sites.

Mark Mahovlich, Director of Business Development at Attevo, provides his insight:

Outside of the obvious choice of disabling the administrative capabilities of a managed endpoint, the reality is you would have to deploy one, I say all, of the following content security practices:
  1. Endpoint Controls - If you have the right endpoint technology deployed, you can stop the user action before it moves to the encrypt or transmit phase. Policy would define enforcement action based upon the content and the end user activity. For example, "Deny the ability to copy and paste confidential data (even a subset of the data) into any unapproved application (email, IM, HTTP post, etc.)." In your case, "Deny any encryption activities that are not my company-approved encryption technology." This would stop any third-party encryption, and allow you to automatically decrypt and scan data content (for compliance to policy) for anything the end user did encrypt manually.
  2. Content Gateway - Deploy Content Gateway technology that is capable of decrypting SSL-encrypted traffic. Why is this important? Google Mail. In this use case, we will assume the endpoint is not being managed, and hence does not have any ability to block end user activities with confidential data (as in #1). The end user accesses Google Mail and attaches a confidential document or pastes confidential data into the email. Because Google Mail is SSL-encrypted traffic, most DLP solutions would not be able to monitor, identify and take action on the confidential data per policy. Therefore, you need a Content Gateway to decrypt the Google Mail traffic, allowing your DLP solution to analyze the confidential data and provide enforcement actions per policy.
  3. DLP Network Monitor - Deploy a DLP solution that allows you to monitor, analyze and enforce action on network protocols (HTTP, HTTPS, FTP, IM, SMTP, CIFS, NFS, and other P2P channels). The solution would detect traffic that was encrypted using a third-party product, and would be set by policy to deny that transmission.
Why all three layers? It provides as much risk mitigation as possible, given that end users will find many paths to send data and perform their job function. Most data leakage is simply misuse (see the Secret Service findings for hard data). However, real-life experience tells us that the truly malicious end user will try more than one channel to reach his goal. People are very creative.

In addition, technology moves at a rapid pace. As seen in the Google example above, organizations will go to great lengths to secure their application-driven revenue. Consider the security concerns and breaches being seen today simply with Web 2.0 technologies. What will Web 3.0 bring? Single-point solutions simply will not provide the coverage necessary for an organization to adequately protect itself.
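The exchange above turns on one mechanical fact: content analysis sees nothing once the payload is encrypted, and what a network monitor has left is the shape of the bytes. The following is an added example, written for this post rather than taken from the message board, from Attevo, or from any DLP product. It models both halves in plain Python: a content detector that finds card numbers (regex plus Luhn check) in a constructed customer export, and a byte-entropy heuristic that is what remains once a stand-in for the trojan has encrypted the same export. The export, the "trojan" (SHA-256 in counter mode used as a keystream, purely illustrative), the threshold and the policy labels are all assumptions chosen for the demonstration.

```python
import hashlib
import math
import re

# ---- content analysis: the part of DLP that only works on cleartext -------

# 13-19 digits with optional space/dash separators, bounded by non-word chars.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters random digit runs out of card-number hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Card-number candidates in cleartext that also pass the Luhn check."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


# ---- statistical check: what is left once the content is opaque -----------

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniformly random (or well-encrypted) data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_payload(data: bytes, entropy_threshold: float = 7.5,
                     min_len: int = 1024) -> str:
    """Policy decision for one outbound payload (labels are an assumption)."""
    if find_pans(data.decode("utf-8", errors="ignore")):
        return "block:pan-in-clear"
    # Only judge entropy on payloads large enough for the statistic to mean
    # something; short random-looking blobs are everywhere (tokens, hashes).
    if len(data) >= min_len and shannon_entropy(data) >= entropy_threshold:
        return "block:opaque-high-entropy"
    return "allow"


# ---- constructed sample traffic ------------------------------------------

def toy_stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the trojan's encryption: SHA-256 in counter mode as a
    keystream XORed over the data. Illustrative only, not a cipher to reuse."""
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = plaintext[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, keystream))
    return bytes(out)


# Fake customer export (constructed; Luhn-valid test numbers, not real cards).
SAMPLE_EXPORT = "".join(
    f"customer{i},4111111111111111,12/13,123\n"
    f"customer{i},5555 5555 5555 4444,01/14,456\n"
    for i in range(40)
).encode()


def demo() -> dict:
    """Verdict for the export in the clear and after the trojan encrypts it."""
    encrypted = toy_stream_encrypt(b"trojan-key", SAMPLE_EXPORT)
    return {
        "clear": (classify_payload(SAMPLE_EXPORT), round(shannon_entropy(SAMPLE_EXPORT), 2)),
        "encrypted": (classify_payload(encrypted), round(shannon_entropy(encrypted), 2)),
    }


if __name__ == "__main__":
    for label, (verdict, entropy) in demo().items():
        print(f"{label:10s} entropy={entropy:.2f}  -> {verdict}")
```

Run as-is, the cleartext export is blocked because the detector finds card numbers; the encrypted copy of the same data yields no card numbers at all, and only the entropy check catches it. The caveat a practitioner needs is that the second verdict is a heuristic, not a detection: compressed archives, images and TLS streams score in the same range, so an entropy rule on its own produces false positives and has to be combined with destination, file-type magic and user context, which is the argument for layering the controls rather than relying on any one of them.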

Monday, December 6, 2010

WikiLeaks Threatens Release of Unredacted Documents

For WikiLeaks Founder, Julian Assange, the days following the latest release of secret documents have brought legal troubles, sex crime allegations, and death threats. 

In response, Assange has released an encrypted document to tens of thousands of hackers and open-government campaigners that contains all of the documents that WikiLeaks has received to date. Assange's lawyer has said that if anything happens to Assange, either physically or legally, the encryption key will be released, and all of the documents will be immediately available. Assange refers to the document as his "insurance policy."

This file is believed to contain US Government papers on the Guantanamo Bay detention camp as well as damaging private-sector documents pertaining to the energy and banking industries. It is believed that two of the targets are industry leaders BP and Bank of America.

Does your organization have processes in place to prevent data loss?
Start your conversations with Attevo now to mitigate your organization's risk and exposure because your industry could be next. Call (216)928-2800 to set up a meeting today!

Wednesday, December 1, 2010

Fines Imposed by UK’s Information Commissioner’s Office

Two organizations, Action for Employment Ltd. (A4e) and Hertfordshire County Council, were recently fined by the UK's Information Commissioner's Office (ICO) for data breaches that occurred in June. Information Commissioner Christopher Graham said: "These first monetary penalties send a strong message to all organizations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds."

A4e was fined £60,000 over the theft of an unencrypted laptop. The laptop was owned by A4e and was stolen from an employee's home; it contained personal records of approximately 24,000 people. A4e did have a policy requiring that all data temporarily stored on a laptop be encrypted, but this laptop had not been included in a recent encryption rollout, so the policy existed on paper without being enforced on the device that was lost.

Hertfordshire County Council was fined £100,000 after confidential documents were faxed to the wrong recipients on two separate occasions. The ICO's view was that the council should have taken stronger action after the first misdirected fax, but it failed to do so.

Does your organization have policies and procedures in place to protect your data in the event of a theft? Are you able to prevent accidentally faxing a confidential document? Contact Attevo about a risk assessment.