ERM Article

May, 2008: Incident Response: Data Breach in Our Backyard

If you have been a patient of a University of Miami physician or visited a UM facility since January 1, 1999, you may soon receive some unsettling news in the mail.

The University of Miami is notifying by mail 47,000 patients and visitors whose financial information may be at risk due to a recent data breach. Backup tapes containing two million medical records were stolen on May 17 from a contractor’s van. The tapes are stored off-site for easy recovery in the event of a disaster. Although the University’s permanent records are not affected, the stolen backup tapes contained names, addresses, Social Security numbers, and health and financial information of UM Medical patients and visitors.

University directors consulted security experts, who determined that the stolen information would be almost impossible for thieves to access and who were themselves unable to extract any usable data from the tapes. Even though the data is unlikely to be retrieved by the thieves in possession of the tapes, the manner in which the University responded to the breach, from full public disclosure to a comprehensive investigation, was timely and uncompromising.

Source: http://www6.miami.edu/dataincident/index.htm

April, 2008: Data Breach Leaves 4.2 Million at Risk of Fraud

The U.S. Secret Service is currently investigating a recent data breach at Hannaford Bros. Co., an Eastern North American supermarket chain, to find out exactly how the breach was carried out. It occurred between December 7, 2007 and March 10, 2008, and exposed 4.2 million customer credit and debit card numbers.

In past security breach cases, such as the one suffered by TJX Cos., thieves intercepted an entry point for wireless transactions. Hannaford stores, however, do not use such wireless systems, and they have been found to be compliant with the Payment Card Industry’s security standards.

These standards require that retailers maintain firewalls, encrypt data traveling through public networks, and monitor and restrict access to cardholder data. Yet this data was somehow exposed as customers swiped their credit cards at checkout, making the Hannaford Bros. breach the first of its kind in which sensitive data was captured while in transit.

While the Secret Service investigates the who and the how of this case, PCI SSC and auditors may very well be re-evaluating vulnerabilities and threats, and implementing more rigorous security controls for all credit card transactions in order to reduce exploitation of such sensitive data.

Source: msnbc.com


March, 2008: How Safe is Your Bank?

In late February, 2008 The U.S. Federal Trade Commission published a report entitled Measuring Identity Theft at Top Banks. This is the first attempt made by a U.S. government department to meaningfully compare the performance of various institutions in identity theft prevention and evasion.

During the three-month-long study, the FTC found that HSBC, Bank of America and Washington Mutual led the list of defrauded institutions. While reported data breaches among varied institutions soared to 163 million affected records in 2007, estimated losses due to identity theft appear to have decreased.

The report and its findings have met with some criticism from its very author, Chris Hoofnagle. The senior fellow at the Berkeley Center for Law & Technology commences the report by stating that there is “no reliable way…to assess the relative incidence of identity fraud at major financial institutions.” Hoofnagle goes on to confess that the initial study was incomplete due to the fact that there is no set standard for comparing identity theft cases of telecommunications companies with those of financial institutions.

The author invites the public to read the report and submit suggestions, criticisms and comments. The full report may be viewed at http://repositories.cdlib.org/bclt/lts/44/

Source: www.securityfocus.com


February, 2008: PCI Self Assessment Questionnaire on ERM Website

PCI DSS stands for PCI Data Security Standard, a set of comprehensive requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. Any entity that stores, processes, and/or transmits credit card transactions is subject to the PCI DSS compliance requirements.

ERM now makes it easy and free to complete the Annual Self-Assessment Questionnaire required by the PCI Security Standards Council online!


February, 2008: Silent Banker Trojan is Cause for Alarm

An emerging security threat, dubbed ‘Silentbanker Trojan’ is cause for concern, even by some seasoned IT security professionals. First reported by Symantec Security in December 2007 as a very low risk, Level 1 threat, the Trojan has more recently exhibited a higher level of sophistication on a larger scale.

The Silentbanker Trojan obtains domain names of over 400 banks in the United States and overseas. Not only is the Trojan capable of recording keystrokes, capturing screen images and stealing confidential financial data from unsuspecting users, but it can also intercept transactions requiring two-factor authentication before the data is encrypted. The user-entered destination bank account details are changed to the attacker’s account details, and the user is presented with a second authentication request.

The ability of the Trojan to perform this type of “man-in-the-middle” attack poses a higher risk than initially considered. Bank customers are fooled into transferring money from their accounts to the attackers; FTP, POP, Web mail, protected storage and cached passwords can all be accessed and stolen; and infected users may be redirected to pornographic URLs so that the attackers can make money from promoting such sites.
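The mechanism described above is worth seeing from the bank's side: a second authentication prompt only helps if the code the customer enters is bound to the transaction the bank actually received. The following added example (not from the article or from Symantec; the shared secret, account numbers and amount are constructed, and the eight-digit code derivation is an assumption chosen for illustration) simulates the destination-swap once with a plain one-time code and once with a transaction-bound code, and reports whether the tampered transfer is accepted.

```python
import hashlib
import hmac
import secrets

# Constructed demonstration values (assumptions, not from the article).
SHARED_SECRET = b"per-customer-token-secret-demo"   # shared between bank and customer's token
INTENDED_DESTINATION = "DE00 1234 5678 9012"         # account the customer meant to pay
ATTACKER_DESTINATION = "DE00 9999 8888 7777"         # account substituted by the trojan
AMOUNT_CENTS = 125_000


def _eight_digits(digest: bytes) -> str:
    """Truncate a MAC to an eight-digit code a customer could type."""
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def transaction_code(secret: bytes, destination: str, amount_cents: int, nonce: str) -> str:
    """Confirmation code bound to the transaction details. Both the customer's
    token and the bank compute it, so any change to the destination or amount
    changes the code the bank expects."""
    msg = f"{destination}|{amount_cents}|{nonce}".encode()
    return _eight_digits(hmac.new(secret, msg, hashlib.sha256).digest())


def session_otp(secret: bytes, nonce: str) -> str:
    """Plain one-time code covering only the session nonce. This models a
    second-factor prompt that says nothing about where the money goes."""
    return _eight_digits(hmac.new(secret, nonce.encode(), hashlib.sha256).digest())


def simulate_transfer(bind_code_to_transaction: bool) -> bool:
    """Run the destination-swap flow once. Returns True if the bank accepted
    the tampered transfer, i.e. the attacker's account would receive the money."""
    # 1. Customer fills in the form; the trojan rewrites the destination
    #    before the request leaves the browser.
    submitted_destination = ATTACKER_DESTINATION

    # 2. Bank receives the (tampered) request and issues a fresh nonce.
    nonce = secrets.token_hex(8)

    # 3. Customer answers the second-factor prompt. With transaction binding,
    #    the customer's token signs the details the customer actually intended;
    #    with a plain OTP the code is independent of the transaction.
    if bind_code_to_transaction:
        customer_code = transaction_code(SHARED_SECRET, INTENDED_DESTINATION, AMOUNT_CENTS, nonce)
        expected = transaction_code(SHARED_SECRET, submitted_destination, AMOUNT_CENTS, nonce)
    else:
        customer_code = session_otp(SHARED_SECRET, nonce)
        expected = session_otp(SHARED_SECRET, nonce)

    # 4. Bank verifies the entered code against the details it received.
    return hmac.compare_digest(expected, customer_code)


if __name__ == "__main__":
    print("plain OTP, tampered transfer accepted:", simulate_transfer(False))
    print("transaction-bound code, tampered transfer accepted:", simulate_transfer(True))
```

The plain OTP run accepts the tampered transfer because the code never covered the destination; the transaction-bound run rejects it because the bank recomputes the code over the details it received, which no longer match what the customer's token signed. The same property is what a customer sees when the out-of-band prompt displays the destination account for confirmation.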

What was initially considered just another Trojan appears to have evolved into a far-reaching and complex threat to information systems and consumers worldwide. Symantec suggests blocking the following sites, which the Trojan has been found to access for updates and to send stolen information, and stresses the importance of updating antivirus definitions regularly to avoid an imminent security breach.

Source: www.symantec.com

