Jun 09 2013

The Information Commissioner’s Office (ICO) has issued Glasgow City Council with a monetary penalty of £150,000 following the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.

The serious breach of the Data Protection Act comes after the council was previously issued with an enforcement notice three years ago, following a similar breach where an unencrypted memory stick containing personal data was lost.

In the latest incident, two unencrypted laptops were stolen from the council’s offices on 28 May last year. The laptops were stolen from premises which were being refurbished and where complaints of theft and a lack of security had been made. One laptop had been locked away in its storage drawer and the key placed in the drawer where the second laptop was kept, but the second drawer was subsequently left unlocked overnight, allowing the thief access to both laptops.

One of the laptops stolen contained the council’s creditor payment history file, listing the personal information of over 20,000 people, including 6,069 individuals’ bank account details.

The ICO’s investigation found that, despite the ICO’s previous warning and in breach of its own policy, the council had issued a number of its staff with unencrypted laptops after encountering problems with the encryption software. While most of these devices were later encrypted, the ICO also discovered that a further 74 unencrypted laptops remain unaccounted for, with at least six of these known to have been stolen.

Ken Macdonald, the ICO’s Assistant Commissioner for Scotland, said:

“How an organisation can fail to notice that 74 unencrypted laptops have gone missing beggars belief. The fact that these laptops have never been recovered, and no record was made of the information stored on them, means that we will probably never know the true extent of this breach, or how many people’s details have been compromised.

“Glasgow City Council was issued with an enforcement notice back in 2010 after a similar incident where an unencrypted memory stick was lost. To find out that these poor practices have returned some two years later shows a flagrant disregard for the law and the people of Glasgow. The council should be held to account, and the penalty goes some way to achieving that.”

The ICO has also served the council with an enforcement notice requiring it to carry out a full audit of its IT assets used to process personal data and arrange for all of its managers to receive asset management training. The council must also carry out a full check of all of its devices each year so that the asset register can be kept up to date.

The ICO has produced guidance on the use of encryption software which is available on the ICO website.

SOURCE: Information Commissioner’s Office

Jun 04 2013

More fascinating reporting by Brian Krebs:

A 2011 hacker break-in at banking industry behemoth Fidelity National Information Services (FIS) was far more extensive and serious than the company disclosed in public reports, banking regulators warned FIS customers last month. The disclosure highlights a shocking lack of basic security protections throughout one of the nation’s largest financial services providers.

Read about it on KrebsonSecurity.com.

May 28 2013

Brent Kendall reports:

The Federal Trade Commission is offering a strong defense of its powers to police cybersecurity practices against a challenge by Wyndham Worldwide Corp.

We wrote about Wyndham’s challenge earlier this month in a case involving attacks by hackers on the hotel chain’s computer systems between 2008 and 2010. The FTC sued Wyndham last year for allegedly lax data security that let hundreds of thousands of credit-card numbers get stolen. The company said the government was unfairly seeking to punish the victim of the crime instead of the hackers who perpetrated it.

Now the FTC is firing back, arguing in a new court filing that corporations that collect consumer data bear responsibility for protecting it.

“The FTC is not suing Wyndham for the fact that it was hacked, it is suing Wyndham for mishandling consumers’ information such that hackers were able to steal it,” the agency said in a court filing this week.

In a battle of analogies, Wyndham argued the FTC suit was “the Internet equivalent of punishing the local furniture store because it was robbed and its files raided.”

The FTC’s new filing offered a different picture. “A more accurate analogy would be that Wyndham was a local furniture store that left copies of its customers’ credit and debit card information lying on the counter, failed to lock the doors of the store at night, and was shocked to find in the morning that someone had stolen the information.”

Read more on WSJ. This is a case I’ve been following since the hacks were first disclosed, and represents the first time a data breach complaint by the FTC will be adjudicated by a court instead of reaching a settlement. The Chamber of Commerce and others, including TechFreedom, have jumped in on Wyndham’s side. Their argument emphasizes the point that the FTC has never promulgated clear rules that would provide fair notice to businesses as to what actions constitute “unfair or deceptive” practices under the FTC Act. Of course, in many cases, the FTC draws upon other statutes, e.g., if it would be violative of the GLBA or other statutes to do something, that makes it an unfair or deceptive practice for purposes of the FTC. Similarly, the FTC often looks to “industry standards” in determining whether an entity failed to provide adequate security. It also looks to statements made in an entity’s privacy policy or Terms & Conditions to determine what representations the entity made about data security and whether they lived up to those representations.

One criticism that has been lodged against the FTC’s data security actions is that in many cases, there really is no showing of harm or injury to the consumers, who may be protected by their banks for any fraudulent charges on their credit cards. Because most court cases involving data breaches result in dismissal for lack of standing due to absence of demonstrable harm, some (like Michael D. Scott) argue that the FTC should not be able to apply or enforce its powers in cases where you cannot demonstrate that consumers were objectively harmed.

To be clear: I’m hoping the FTC prevails. And if Congress doesn’t like the outcome, then let them get off their asses and introduce legislation that protects consumers from inadequate data security. Congress wanted to avoid legislation and let industry regulate itself, so as not to stifle innovation. All well and good, but with almost every entity suffering data breaches, someone’s got to protect consumers from inadequate security, and the FTC stepped up to the plate. This is no time to go backwards.

The Wyndham case does not strike me as unusual in terms of the grounds the FTC cited for its action. What makes it unusual is that Wyndham didn’t settle and is fighting this. If Wyndham is successful in getting the case dismissed, that will be a serious setback for the FTC. If the FTC wins, I expect we’ll see many businesses paying even more attention to data security.

May 18 2013

I’ve blogged a number of times about how although law enforcement may uncover breaches or data theft, the victims often do not get notified in a timely fashion – if at all. Here are just a few scenarios where no one may notify people whose data have been stolen:

  • Law enforcement discovers a handwritten list of hundreds of individuals’ names, dates of birth, and Social Security numbers.
  • Paper records with sensitive information – sometimes including medical information – are discovered in a dumpster and traced back to a defunct business or practice.
  • Law enforcement investigates stolen information available for sale on an underground market.

When credit card information is involved, people are more likely to get notified, as law enforcement may send a list of numbers to AmEx, Discover, or other card issuers who then take steps to protect and notify the consumer. But if there are no credit card numbers involved, it seems there are gaps in notification.

The recent controversy over the FERC/EDRM data set involving emails from Enron employees provides a useful example of the hole in our patchwork quilt on notification. The data set, available publicly, contained unredacted PII – including Social Security numbers – on thousands of people.

The data were originally gathered by the Federal Energy Regulatory Commission, and when the issue of redaction came up in court, the court was sensitive to the issue. But did FERC and their contractor do a thorough enough job in removing documents? It seems that they didn’t if there was so much PII left in the data set, even though FERC and their contractor went through a number of reviews of the data set to delete personnel’s personal information that was not appropriate for public release, as detailed in this document.

The data set has been available for download for years, and many people knew that it contained PII. Is this a situation that the individuals affected should have been informed about? As a privacy advocate, I would say, “definitely.” But who is responsible for notifying them? And even though EDRM and Nuix have released a newly washed data set, the other Enron email data set has not yet been re-released after new washing. More importantly, even when it is released, copies of the older data sets remain on numerous people’s hard drives and are still available for download on the Internet. As a result, those whose PII were exposed are still at risk.

I would bet that FERC takes the position that it gave Enron and others an opportunity to have PII removed and therefore, they are not responsible for any notification. EDRM may take the position that they merely distribute/make available the government’s records, and therefore they are not responsible.

So is no one responsible or liable for exposing thousands of individuals’ SSN to cybercriminals? Is no one responsible for notifying individuals that their SSN and details have been available for download on the Internet for years, and have been downloaded by people all over the world? Is no one responsible for contacting every site that hosts the problematic data sets to ask them to remove them?

And if you believe that either FERC or EDRM are responsible and should be held accountable in terms of notification to individuals, what existing law(s) are you basing that on?

In the meantime, the buck seems to stop… nowhere.

May 03 2013

Thanks to Joe Howie of BeyondRecognition.net for alerting me to what appears to be a very long-running, inadequately remedied breach that has exposed – and may be continuing to expose – the Social Security numbers and other personal information of thousands of people. I am posting this with some hesitation, as the data may still be live. But after days of getting no response from Amazon Web Services who were informed of this problem last week, I think it’s time to call attention to the failure of all involved parties to respond promptly. John Martin of BeyondRecognition.net explains:

The Electronic Discovery Reference Model (“EDRM”) is an e-discovery industry standards setting group, and the EDRM Enron Email Data Set v2 (“EDRM Data”) is a collection of documents originally gathered by the Federal Energy Regulatory Commission (“FERC”) as part of its investigation of Enron’s energy trading practices and then made public by it. EDRM Data is a reworked version of the original documents, with a label added to each email that reads,

“EDRM Enron Email Data Set has been produced in EML, PST and NSF format by ZL Technologies, Inc. This Data Set is licensed under a Creative Commons Attribution 3.0 United States License <http://creativecommons.org/licenses/by/3.0/us/>. To provide attribution, please cite to ZL Technologies, Inc. (http://www.zlti.com/).”

EDRM served as a direct download point for the EDRM Data for a period of time and later moved it to Amazon Web Services for downloading.

Breach Discovery. While working with the EDRM Data that we downloaded from the EDRM website, BeyondRecognition discovered that there were over 7,500 instances of unredacted social security numbers, credit card numbers, dates of birth, home addresses and phone numbers – a startling breach of privacy. Most of the data breach victims were Enron employees, but the victims also included spouses or children of the employees as well as third party contractors.

Read more on BeyondRecognition.net.

According to Joe Howie, the data set was still live and available as of two days ago, the last time he checked. As of today, EDRM still links to the data set on AWS. Howie informs DataBreaches.net that this breach was reported last week to various agencies and entities. A post-script on the blog entry says:

BeyondRecognition has reported the data privacy issues in the EDRM Data to EDRM, FERC, Amazon Web Services who currently distributes the data set, the FTC (Reference Number 45277727), and the Texas Attorney General. We have offered lists of those social security numbers to the latter two agencies to aid in notifying the data breach victims and monitoring their SSAN accounts. As of April 30, 2013, that data set was still available for download from Amazon web services via a link from EDRM.net.

After years of being notified of problems, as described elsewhere in their blog entry, and after problems supposedly being fixed, the problems with unredacted PII remained, it seems. And by now, it’s unclear how many different individuals have downloaded the data set with so much PII in the clear.

As of yesterday, the Texas Attorney General’s Office had indicated to Howie that they would be attempting to download the data set as part of verifying the problem and determining its scope. I hope their investigation gets results. Thankfully, they have been more responsive than Amazon Web Services (AWS). DataBreaches.net called Amazon Web Services media communications two days ago to inquire why the data were still live after they had been notified of this breach last week, but did not get to speak to an actual person and they did not return my phone call as of the time of this posting. A tweet to AWS two days ago asking for a phone number to report a breach was answered 24 hours later with a link to their abuse reporting form instead of the requested phone number. They did not respond to a follow-up tweet reiterating the request for a phone number that would get results.

I realize that there’s a lot of responsibility/blame to be spread around on this breach, and that EDRM may be more responsible than AWS when it comes time to assign blame, but the fact that AWS did not (has not?) removed the data set is concerning and suggests to me that their breach notification system is sorely inadequate and in need of immediate improvement.

If you know anyone who was employed by Enron or was a spouse or dependent of an Enron employee, you might want to give them the heads up that their Social Security number may be in the hands of numerous people, including those with not-so-honorable intentions.

Update: After posting this, I learned that the Fifth Circuit may have permitted the release of this information. From the available documentation, it appears that the court agreed that sensitive personal information (such as SSN) would be grounds for removing documents from public view. It appears, however, that not all documents containing personnel’s SSN were identified and flagged for removal request. As such, individual employees of Enron and/or their dependents may have never been aware that their information was released and/or has been re-released. In any event, decisions made in 2003 by others – including a court – should not put individuals at risk of ID theft in 2013, when we’ve learned so much more about how easy it is to find – and misuse – SSN via searches.

Update 2: I subsequently received both an email and then a phone call from AWS telling me that they were investigating. I took the opportunity to encourage them to create a link on their home page with a dedicated email address/phone number for people to use to report data leaks so that they get prompt attention. I hope that they do that in the future and look forward to the results of their investigation. See an update post here.

May 01 2013

By a vote of 49-0, the Pennsylvania Senate passed Senate Bill 114, amending the state’s data breach notification law.

Section 1. Section 3 of the act of December 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act, is amended by adding subsections to read:

Section 3. Notification of breach.
(a.1) Notification by State agency.–If a State agency is the subject of a breach of security of the system, the State agency shall provide notice of the breach of security of the system required under subsection (a) within seven days following discovery of the breach. Notification shall be provided to the Office of Attorney General within three business days following discovery of the breach. A State agency under the Governor’s jurisdiction shall also provide notice of a breach of its security system to the Governor’s Office of Administration within three business days following the discovery of the breach. Notification shall occur regardless of the existence of procedures and policies under section 7.

(a.2) Notification by county, school district or municipality.–If a county, school district or municipality is the subject of a breach of security of the system, the county, school district or municipality shall provide notice of the breach of security of the system required under subsection (a) within seven days following discovery of the breach. Notification shall be provided to the district attorney in the county in which the breach occurred within three business days following discovery of the breach. Notification shall occur regardless of the existence of procedures and policies under section 7.

(A.3) STORAGE POLICY.–
(1) THE OFFICE OF ADMINISTRATION SHALL DEVELOP A POLICY TO GOVERN THE PROPER STORAGE BY STATE AGENCIES OF DATA WHICH INCLUDES PERSONALLY IDENTIFIABLE INFORMATION. THE POLICY SHALL ADDRESS IDENTIFYING, COLLECTING, MAINTAINING, DISPLAYING AND TRANSFERRING PERSONALLY IDENTIFIABLE INFORMATION, USING PERSONALLY IDENTIFIABLE INFORMATION IN TEST ENVIRONMENTS, REMEDIATING PERSONALLY IDENTIFIABLE INFORMATION STORED ON LEGACY SYSTEMS AND OTHER RELEVANT ISSUES. A GOAL OF THE POLICY SHALL BE TO REDUCE THE RISK OF FUTURE BREACHES OF SECURITY OF THE SYSTEM.
(2) IN DEVELOPING THE POLICY UNDER PARAGRAPH (1), THE OFFICE OF ADMINISTRATION SHALL CONSIDER SIMILAR EXISTING POLICIES IN OTHER STATES, BEST PRACTICES IDENTIFIED BY OTHER STATES AND RELEVANT STUDIES AND OTHER SOURCES AS APPROPRIATE. THE POLICY SHALL BE REVIEWED AT LEAST ANNUALLY AND UPDATED AS NECESSARY.

Section 2. This act shall take effect in 60 days.

h/t, Law360.com