Dec 30 2009

ATM bandits hack security

Category: pci dss, Security Breach | DISC @ 11:31 pm


Overseas gangs have cracked the code of ATM anti-skimming devices in Australia just two months after their roll-out.

ATM Security Breach News Video

An overseas gang has cracked the code of ATMs using skimming devices in Australia, where bank customers are defenseless against organized crime unless they check the ATM themselves for any sign of tampering.

Aussies are awesome at cricket, but their banking system still uses magnetic stripe cards rather than chip cards, which makes them easy pickings for overseas gangs.

Tags: Australia, Automated teller machine, Bank, Banking Services, Banks and Institutions, Financial services, Magnetic stripe card


Dec 22 2009

FBI Probes Hacks at Citibank

Category: Security Breach | DISC @ 4:45 pm


The Wall Street Journal

The Federal Bureau of Investigation is probing a computer-security breach targeting Citigroup Inc. that resulted in a theft of tens of millions of dollars by computer hackers who appear linked to a Russian cyber gang, according to government officials.

The attack took aim at Citigroup’s Citibank subsidiary, which includes its North American retail bank and other businesses. It couldn’t be learned whether the thieves gained access to Citibank’s systems directly or through third parties.

The attack underscores the blurring of lines between criminal and national-security threats in cyber space. Hackers also assaulted two other entities, at least one of them a U.S. government agency, said people familiar with the attack on Citibank.

The Citibank attack was detected over the summer, but investigators are looking into the possibility the attack may have occurred months or even a year earlier. The FBI and the National Security Agency, along with the Department of Homeland Security and Citigroup, swapped information to counter the attack, according to a person familiar with the case. Press offices of the federal agencies declined to comment.

Joe Petro, managing director of Citigroup’s Security and Investigative services, said, “We had no breach of the system and there were no losses, no customer losses, no bank losses.” He added later: “Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true.”

Citigroup is currently 27%-owned by the federal government.

The threat was initially detected by U.S. investigators who saw suspicious traffic coming from Internet addresses that had been used by the Russian Business Network, a Russian gang that has sold hacking tools and software for accessing U.S. government systems. The group went silent two years ago, but security experts say its alumni have re-emerged in smaller attack groups.

Security officials worry that, beyond stealing money, hackers could try to manipulate or destroy data, wreaking havoc on the banking system. When intruders get into one bank, officials say, they may be able to blaze a trail into others.

Continue reading at The Wall Street Journal

Tags: Business, Citibank, Citigroup, FBI, Federal Bureau of Investigation, Federal government of the United States, Government agency, Russian Business Network, United States, United States Department of Homeland Security, Wall Street Journal


Dec 18 2009

Major security breach

Category: Security Breach | DISC @ 2:20 pm


Into The Breach

By Josh Rushing in Asia

When I was embedded with the US military in Helmand Province, Afghanistan, in August I wandered into a tent that I immediately recognized from my days in the military. It was an operations tent, but it was far more technologically advanced than any operations center I ever witnessed as a US Marine. There were rows of tables with soldiers at laptops all facing enormous television screens that were filled with video of a family compound in southern Afghanistan. I was amazed at how clear the drone’s video was, even though it was being filmed in the dark of night.

It was easy in that tent, in the middle of what locals call the desert of death, to see how vital drones had become to the US military for both intelligence gathering and for remote-controlled strikes – bombings that Al Jazeera continuously reports on from Pakistan and Afghanistan to Iraq and Somalia.

Standing in the back of the tent gave me cover to observe the video for about 10 minutes before an officer noticed me and escorted me out. He was obviously flummoxed that my embed credentials had allowed me to gain access to such sensitive video. Little did I know at the time that with a $26 computer programme and a cheap television satellite dish, I could have been seeing everything that the drones were broadcasting. And why not? As the Wall Street Journal reports, the signal from drones is unencrypted, a fact militants in Iraq have been taking advantage of and a fact the US military has known about for a decade or more.


Tags: Afghanistan, Asia, drone, drone breach, Helmand Province, major security breach, pakistan, Unmanned aerial vehicle, Wall Street Journal, waziristan


Dec 16 2009

Internet security breach found at UCSF

Category: hipaa, Security Breach | DISC @ 2:38 pm


By Erin Allday, SF Chronicle

Hackers may have had access to personal information for about 600 UCSF patients as a result of an Internet “phishing” scam, campus officials said Tuesday.

The security breach occurred in September when a faculty physician in the UCSF School of Medicine provided a user name and password in response to a scam e-mail message. The e-mail had been sent by hackers and made to look as though it came from UCSF workers who are responsible for upgrading security on internal computer servers.

The university is not identifying the physician.

A UCSF audit in October found that e-mails in the physician’s account included personal information about patients, including demographic and clinical data, and the Social Security numbers of four patients. It is unknown whether hackers actually accessed the e-mails.

The patients have all been notified of the security breach.

Phishing scams are designed to get people to reveal private information – such as Social Security numbers, credit card information and passwords – when they reply to e-mails that pretend to come from legitimate organizations.

For years, financial institutions and other corporations have been educating people to be cautious of such scams and wary of revealing private information on the Internet.

In response to the latest scam, UCSF officials said the university has been re-educating employees about protecting their user names and passwords.


Here we have another unnecessary healthcare data breach at a university, caused by phishing and resulting in the loss of private data, which demonstrates poor baseline security and a lack of security awareness training. Healthcare organizations are not ready for HIPAA (ARRA and HITECH provision) compliance. Check out why Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges.
Review my threats page and evaluate your current business and system risks to make sure this does not happen to you.


Considering that the healthcare standard electronic transaction rule (compliance date Jan 1, 2012) and the HITECH provision (compliance date Feb 17, 2010) are in the pipeline for healthcare organizations, do you think it’s about time for them to get their house in order?


Tags: arra and hitech, arra hitech provisions, Computer security, Credit card, Health Insurance Portability and Accountability Act, hipaa, Identity Theft, phishing, social security, Social Security number


Nov 30 2009

Hackers steal credit-card numbers from restaurant customers

Category: pci dss, Security Breach | DISC @ 2:44 am


Here we have another unnecessary credit card data breach at a small organization, in this case a restaurant, which resulted in the loss of customer data and demonstrates the poor baseline security of small organizations. Small organizations are not ready for PCI compliance. Check out why PCI compliance is essential and why small merchants have to comply. Review my threats page and evaluate your current business and system risks to make sure this does not happen to you.

Contact DISC with any questions.

By Theodore Decker
THE COLUMBUS DISPATCH

Diners who frequent a popular Downtown restaurant should review their charge-card statements because hackers broke into its computer system to loot debit- and credit-card numbers, police said today.

Between 30 and 50 people have reported fraudulent charges on their accounts, and Columbus detectives said that anyone who used a charge card at Tip Top Kitchen and Cocktails in July or August is at risk.

Detective Wyatt Wilson of the Columbus police fraud/forgery unit said police began linking reports of credit-card fraud in October. Cross-checking the victims’ accounts revealed Tip Top, which is on E. Gay Street, as a common denominator, he said.

The hackers have been traced to an overseas Internet address, and no Tip Top employees are involved, police said. Wilson said the business was as much a victim as its customers were.

The hackers found a weak point in the restaurant’s computer defenses, wormed their way in, and installed “malware” that stripped the numbers, he said.

The restaurant has fixed the problem, but customers who charged anything there in July or August should contact their credit-card companies or banks, cancel their cards and get new ones, even if they haven’t been victimized yet, police said.

New fraud reports have rolled in periodically until a few days ago, Wilson said, indicating that the card numbers are still in criminal circulation.

Elizabeth Lessner, the restaurant’s owner, said she has been told by investigators that the breach might have been the work of high-level hackers in Russia, and she wondered whether it was connected to a global case that surfaced this year.


Most small companies have trouble justifying their investments when it comes to security. At the same time, PCI DSS for “brick & mortar” merchants has been a blessing for security firms that sell hardware solutions to small merchants. The problem is that these hardware point solutions do not address the business issues of a small merchant on a daily basis.
This is why small merchants need to build a security program and in-house expertise, with training and the help of an outside consultant, so that they clearly understand the business issues related to information security. This process matures over time with ongoing effort and full management support.
Do you think it’s time for small merchants to take information security seriously as a business-limiting risk?

Prevent and Protect from Credit Card Fraud and Scams

httpv://www.youtube.com/watch?v=YS_jCET-YFA&feature=related


Tags: Banking Services, Business, Credit card, crime, Financial services, fraud, hacker, Information Security, Malware, Payment Card Industry Data Security Standard, Point of sale, Police, Security


Nov 19 2009

Health Net healthcare data breach affects 1.5 million

Category: hipaa, Security Breach | DISC @ 2:10 pm



Here we have another unnecessary major security breach at a large healthcare organization, which resulted in the loss of patient data and demonstrates poor baseline security. They clearly are not ready for the new HIPAA provisions, ARRA and HITECH. Review my threats page and evaluate your current business and system risks to make sure this does not happen to you.

Contact DISC with any questions or for a high-level risk assessment.

The Practical Guide to HIPAA Privacy and Security Compliance

By Robert Westervelt, News Editor
19 Nov 2009 | SearchSecurity.com

Health Net Inc. announced Wednesday that it is investigating a healthcare data security breach that resulted in the loss of patient data, affecting 1.5 million customers.

The Woodland Hills, Calif.-based managed healthcare provider said the lost files, a mixture of medical data, Social Security numbers and other personally identifiable information, were collected over the past seven years and contained on a portable external hard drive, which was lost six months ago. The company said the healthcare data was not encrypted, but was formatted as images and required a specific software application to be viewed. The hard drive contained data on 446,000 Connecticut patients.

The company reported the breach Wednesday to State Attorneys Generals offices in Arizona, Connecticut, New Jersey and New York. Health Net said it was beginning the data security breach notification process of sending out letters to its customers. The company said it expects to send notification letters the week of Nov. 30.

Connecticut Attorney General Richard Blumenthal said he was investigating the matter and why it took Health Net six months to report the healthcare breach.

“My investigation will seek to establish what happened and why the company kept its customers and the state in the dark for so long,” Blumenthal said in a statement. “The company’s failure to safeguard such sensitive information and inform consumers of its loss — leaving them naked to identity theft — may have violated state and federal laws.”

Blumenthal said the hard drive also contained financial data, including bank account numbers. He is seeking coverage for comprehensive, long-term identity theft protection for those customers affected by the breach.

Health Net provides medical coverage for approximately 6.6 million people and its subsidiaries operate in all 50 states. In a statement, the company said the breach took place in its Connecticut office. So far there have not been any reports of fraud tied to the missing data.

“Health Net will provide credit monitoring for over two years – free of charge – to all impacted members who elect this service, and will provide assistance to any member who has experienced any suspicious activity, identity theft or health care fraud between May 2009 and their date of enrollment with our identity protection service,” the company said.

It is the second time in a month that a healthcare provider lost customer data. Anthem Blue Cross and Blue Shield of Connecticut reported a stolen laptop was to blame for a breach compromising the personal information of 850,000 doctors, therapists and other healthcare professionals.

Security experts have long been advocating that enterprises deploy encryption on laptops and other devices that contain sensitive data. Still, all the technology in the world won’t end employee mistakes and carelessness, said Mike Rothman an analyst with Security Incite.

“You can do full disk encryption and all sorts of things to protect the device, but you are still fairly constrained by user sophistication,” Rothman said. “You have to start asking questions from a process standpoint relative to why this stuff was on an external drive in the first place.”

In reality you could turn off all USB ports on your devices, but that could hinder employee productivity, Rothman said. Security always gets back to making sure you have the right processes and policies in place and the right training and awareness so that employees understand what those policies are and ways to audit those processes, he said.

Experts say encryption should be used as a last resort when all other security policies and processes fail. While many enterprises have focused on encrypting laptops at the endpoint, encryption can be a bit trickier for portable hard drives and other removable media. If the drive is being shared between different systems people need to have some way to access the key, said Ramon Krikken, an analyst at the Burton Group.

“A lot of these portable hard drives are older without built-in encryption and to the extent to which you can easily deploy encryption has been a challenge for enterprises,” Krikken said.

Some USB makers market the devices with built-in encryption software. In 2008, Seagate Technology extended full disk encryption technology to all its enterprise-class hard drives. The company also began pushing for standards for hard drive encryption in storage systems.

Nagraj Seshadri, head of product marketing at Utimaco, the encryption software division of Sophos Plc, said healthcare organizations need to be just as responsible as financial firms when it comes to protecting data.


Perhaps healthcare management still doesn’t realize that it might be liable for a lack of reasonable safeguards to protect organizational assets. Do you think it’s time for healthcare management to take information security seriously as a potential business risk?


Tags: arra and hitech, data loss prevention, data security, disk encryption and file encryption, Health care, Health Insurance Portability and Accountability Act, Identity Theft, identity theft and data security breaches, Personally identifiable information, Security, security awareness training


Nov 06 2009

Laptop Heist Exposes Doctors’ Personal Data

Category: hipaa, Security Breach | DISC @ 6:50 pm


Another stolen laptop puts thousands of people’s personal data at risk but this time it’s the caregivers — not the patients — who are at risk.

November 6, 2009
By Larry Barrett

More than 10,000 physicians’ and dentists’ personal data was exposed last week in New Hampshire after an employee at Anthem Blue Cross and Blue Shield transferred the health care providers’ Social Security numbers and other data to a personal laptop that was later stolen.

Anthem spokesman Christopher Dugan said the security breach took place at the national level and the files did not include any patients’ personal data.

The Blue Cross Blue Shield Association said the employee’s ill-fated decision to transfer the sensitive information to a personal laptop violated the insurer’s security policies.

Just last week, more than 33,000 patients receiving care from a Daytona Beach, Fla. medical center were notified that their data may have been compromised when a laptop was stolen from an employee’s car.

New Hampshire is one of 43 states that require companies and organizations to notify people when their personal or financial information is accidentally or deliberately compromised.

Anthem officials said it will provide free credit-monitoring services to all the affected physicians and dentists for a year.

It’s not been the best of months for the insurer.

On Oct. 5, Blue Cross warned another 39,000 doctors that yet another laptop stolen from the company’s Chicago headquarters could have potentially exposed an assortment of personal information including Social Security numbers and tax identification numbers.

A study by Traverse City, Mich.-based data security researcher Ponemon Institute estimates that more than 12,000 laptops are stolen or lost at airports alone each week.

It also found that the average large company has 640 laptops, 1,985 USB memory sticks, 1,075 smart phones and 1,324 other various data devices stolen or lost each year — a total of 800,000 data-sensitive memory devices a year.


Tags: arra and hitech, crime, data breach, data security, Health Insurance Portability and Accountability Act, hipaa, laptop, Physician, Security, stolen laptop


Nov 05 2009

Senate Panel Clears Data Breach Bills

Category: Information Privacy, Security Breach | DISC @ 6:29 pm

Legislation Heads for a Senate Vote

November 5, 2009 – Eric Chabrow, Managing Editor
The Senate Judiciary Committee Thursday approved two companion bills that would require businesses and government agencies to notify individuals of security breaches involving sensitive personally identifiable information. Both bills go to the Senate for consideration.

The Personal Data Privacy and Security Act, or S. 1490, designates as fraud unauthorized access of sensitive personally identifiable information, which would lead to racketeering charges. The measure, sponsored by Committee Chairman Patrick Leahy (at left), D.-Vt., also would prohibit concealment of security breaches involved in fraud and prohibit the dismissal of a Chapter 7 bankruptcy case if the debtor is an identity-theft victim.

The other measure, the Data Breach Notification Act, or S. 139, would require federal agencies and businesses engaged in interstate commerce to notify American residents whose personal information is accessed when a security breach occurs. An exception: if notification would hinder national security or a law enforcement investigation. S. 139, sponsored by Sen. Dianne Feinstein, D.-Calif., also would require notice to the Secret Service if records of more than 10,000 individuals are obtained or if the database breached has information on more than 1 million people, is owned by the federal government, or involves national security or law enforcement.

Objections raised by Sens. Jeff Sessions of Alabama, the committee’s ranking Republican, and Jon Kyl of Arizona, the Republican whip, focused on the provisions defining personally identifiable information (PII) to include an individual’s full name along with at least two of the following: the person’s birth date, home address, telephone number and mother’s maiden name.

Sessions said this information is available from other public records, such as a telephone directory, and would place an undue financial burden on businesses to notify customers of the breach if that was the only information exposed. Kyl said if the bill results in too many notices being sent, consumers might ignore them, similar to how the public views the orange alert on terrorism. “With frequent notices, customers may not worry about it,” he said.

Another objection raised by a few Republicans – a point dismissed by some of their Democratic colleagues – was the bankruptcy provision in the Leahy bill. The consensus of committee members was that a person victimized by identity theft should face bankruptcy but several GOP members worried that the provision might be used to get persons facing bankruptcy for other reasons off the hook if they also had their identities compromised.

Still, Leahy said the legislation, first introduced four years ago, is overdue, and the public is clamoring for it. He cited a Unisys study that contends more Americans are concerned about identity theft than the H1N1 virus or meeting their financial obligations. Since 2005, the year the bill was first proposed, more than 340 million records containing sensitive PII have been involved in data breaches, he said, citing a Privacy Rights Clearinghouse report.

“This loss of privacy is not just a grave concern for American consumers; it is also a serious threat to the economic security of American businesses,” Leahy said. “The president’s recent report on Cyberspace Policy Review noted that industry estimates of losses from intellectual property to data theft in 2008 range as high as $1 trillion. The FBI’s latest annual report on Internet crime found that online crime hit a record high in 2008 – a 33 percent increase over the previous year. This loss of data privacy is a serious and growing threat to the economic security of American businesses.”


Tags: Cyberspace Policy, Data Breach Notification, Dianne Feinstein, Identity Theft, loss of privacy, Personal Data Privacy and Security Act, Personally identifiable information, S. 139, S. 1490, Senate Judiciary Committee, United States Senate


Oct 31 2009

Lawmakers and an accidental disclosure

Category: Security Breach | DISC @ 12:04 am


By Ellen Nakashima and Paul Kane
Washington Post Staff Writer
Friday, October 30, 2009

House ethics investigators have been scrutinizing the activities of more than 30 lawmakers and several aides in inquiries about issues including defense lobbying and corporate influence peddling, according to a confidential House ethics committee report prepared in July.

The report appears to have been inadvertently placed on a publicly accessible computer network, and it was provided to The Washington Post by a source not connected to the congressional investigations. The committee said Thursday night that the document was released by a low-level staffer.

The ethics committee is one of the most secretive panels in Congress, and its members and staff members sign oaths not to disclose any activities related to its past or present investigations. Watchdog groups have accused the committee of not actively pursuing inquiries; the newly disclosed document indicates the panel is conducting far more investigations than it had revealed.

Shortly after 6 p.m. Thursday, the committee chairman, Zoe Lofgren (D-Calif.), interrupted a series of House votes to alert lawmakers about the breach. She cautioned that some of the panel’s activities are preliminary and not a conclusive sign of inappropriate behavior.

“No inference should be made as to any member,” she said.

Rep. Jo Bonner (Ala.), the committee’s ranking Republican, said the breach was an isolated incident.

The 22-page “Committee on Standards Weekly Summary Report” gives brief summaries of ethics panel investigations of the conduct of 19 lawmakers and a few staff members. It also outlines the work of the new Office of Congressional Ethics, a quasi-independent body that initiates investigations and provides recommendations to the ethics committee. The document indicated that the office was reviewing the activities of 14 other lawmakers. Some were under review by both ethics bodies.


Tags: aides, breach, committee chairman, ethics committee, ethics violations, House ethics investigators, Lobbying, United States Congress, United States House Committee on Standards of Official Conduct, washington post


Oct 26 2009

ChoicePoint fined for security breach

Category: Security Breach | DISC @ 1:10 pm


Into The Breach; Protect Your Business by Managing People,

Atlanta Business Chronicle reported on Monday, October 26, 2009 that ChoicePoint Inc. will pay federal regulators $275,000 for a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identity theft, the Federal Trade Commission reported.

The company, now owned by Reed Elsevier Inc., also agreed to strengthened data security requirements. ChoicePoint now must report to the FTC every two months for two years detailed information about how it is protecting the breached database and certain other databases and records containing personal information.

The moves settle Federal Trade Commission charges ChoicePoint failed to implement a comprehensive information security program protecting consumers’ sensitive information, as required by a previous court order.

In April 2008, ChoicePoint turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off, according to the FTC. During that period, an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers. The searches continued for 30 days. After discovering the breach, the company brought the matter to the FTC’s attention.

The FTC alleged that if the security software tool had been working, ChoicePoint likely would have detected the intrusions much earlier and minimized the extent of the breach. The FTC also claimed ChoicePoint’s conduct violated a 2006 court order mandating that the company institute a comprehensive information security program reasonably designed to protect consumers’ sensitive personal information.

The FTC’s prior action against ChoicePoint involved a data breach in 2005, which compromised the personal information of more than 163,000 consumers and resulted in at least 800 cases of identity theft. The settlement and resulting 2006 court order in that case required the company to pay $10 million in civil penalties and $5 million in consumer redress.

Choice Point Victim
httpv://www.youtube.com/watch?v=90qWVtAuE_A


Tags: ChoicePoint, Choicepoint breach, ChoicePoint fined, Federal Trade Commission, FTC, Identity Theft, Reed Elsevier, Security Breach, social security, Social Security number


May 18 2009

Security breach and notification

Category: Security Breach | DISC @ 1:05 am


California was the first state in the nation to pass a data breach notification law, in 2003, and it is now planning to broaden the notification requirements for companies doing business in the state. Notification would have to include specific information about the breach for the consumer, with notices sent to the state authorities at the same time.

The notices consumers currently receive are basically too little, too late: they may say only that your information may have been compromised, and they may be released several months after the incident.


California’s new legislation will force the organization to admit the extent of the compromise, so consumers can assess their own risks in a timely manner. Heartland, the credit card processor, has been sued by the banks to recover the breach notification cost. Should the credit card processing company that had the security breach be responsible for the cost of the notification?

Current notifications do not tell you where and how your credit card information was compromised, so you cannot even stop shopping at that merchant. When consumers ask a credit card company’s customer service representative specific questions about the breach, they will deny any knowledge of it and say something along the lines of: when all the legal matters have been taken care of, the credit card company will send you a detailed letter about the breach.
Now, in the case of a processor security breach, the credit card company might issue notices to several hundred thousand people. Without specifics, such a notice might have a “crying wolf” effect, and consumers might not take any action.

Last week a well-publicized security breach at UC Berkeley exposed the records of 160,000 people. The hackers had access to the vulnerable system for more than six months before they were discovered, which clearly shows a lack of monitoring controls and due care.
When a young college student affected by the breach receives a “may have been breached” notice, he or she will immediately worry about his or her credit and the possibility of identity theft. Now the question is why a student has to bear the burden of negligence by the merchant or campus and their lack of reasonable security safeguards. Once such a notice that private information “may have been compromised” is issued, the responsibility for keeping an eye on your credit is transferred to you. The problem is that some fraudulent transactions might not be noticed for at least a year.




Tags: Computer security, Credit card, due care, Identity Theft, Law, privacy, sb 1386, University of California Berkeley


Oct 13 2008

World Bank security breach and financial crisis

Category: Information Warfare, Security Breach | DISC @ 1:56 am

The World Bank controls the world’s banking system and creates plans and strategies to develop economies and protect countries from financial turmoil. This information is a treasure trove of data that could be manipulated for huge monetary or political gain.

Amid the financial crisis, a major security breach has been reported at the World Bank, which might tell us that protecting consumers’ data during this crisis is not the first priority for many suffering financial institutions.

World Bank Under Siege in “Unprecedented Crisis”

“It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution’s highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank’s network for nearly a month in June and July.”
“In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.”

The World Bank’s technology and security expert states that the incident is an “unprecedented crisis.” Some security experts are saying that this might be the worst security breach to date at a global financial institution. The hackers controlled around 18 servers for more than a month, and the World Bank admits that sensitive data could have been stolen, but it is not sure about the total impact of the breach.

Alan Calder wrote about “Data protection and financial chaos” and mentioned that “When financial markets appear to be in free fall, many organizations might think that data protection is the least of their worries. Who cares, they might wonder, about protecting personal data if tomorrow we might not exist anymore?”
I concur with Alan on this point: in the midst of this chaos, our personal data might be at great risk, and we have to be vigilant and carry the load of protecting our own data. At the same time, this might become another reason for financial institutions’ demise if they let their guard down now and do not make protecting customers’ data a priority.

During this turmoil, some financial institutions’ upper management doesn’t have to worry about its responsibility to secure customer data adequately when it already knows that eventually the taxpayers will pay for its mistakes and its bonus plan will stay intact. Unprecedented crises are sometimes the result of unprecedented greed.

Glassner: “I don’t know that the captain of the Titanic got a bonus for driving the boat into the iceberg. They at least had the decency to go down with the ship” [quoted in the “Wachovia’s Golden Parachutes” story in the S.F. Chronicle of 10/10/08, pg. C1].

Bill Gates: “I’m quite worried about the fiscal imbalances that we’ve got and what that might mean in terms of financial crisis ahead.”

Chinese hackers: No site is safe
httpv://www.youtube.com/watch?v=ovNVhk1rVVE&feature=related



Tags: china, consumers data, data protection, deeply penetrated, financial chaos, financial crisis, full access, hackers, incident, monetary gain, restricted treasury, Security Breach, sensitive data, spy software, treasure trove, unprecedented crises, unprecedented greed

