"Verizon’s 2013 Data Breach Investigations Report (DBIR) provides truly global insights into the nature of data breaches that can help organizations of all sizes to better understand the threat and take the necessary steps to protect themselves. The breadth and depth of data represented in this year’s DBIR is unprecedented. It combines the efforts of 19 global organizations: law enforcement agencies, national incident-reporting entities, research institutions, and a number of private security firms — all working to study and combat data breaches. Over the years the number of contributors has grown. Since we started publishing the DBIR in 2008, our partners have contributed data information on more than 2,500 confirmed data breaches — totaling more than a billion compromised records."
News release: "The Internal Revenue Service...issued its annual “Dirty Dozen” list of tax scams, reminding taxpayers to use caution during tax season to protect themselves against a wide range of schemes ranging from identity theft to return preparer fraud. The Dirty Dozen listing, compiled by the IRS each year, lists a variety of common scams taxpayers can encounter at any point during the year. But many of these schemes peak during filing season as people prepare their tax returns. "This tax season, the IRS has stepped up its efforts to protect taxpayers from a wide range of schemes, including moving aggressively to combat identity theft and refund fraud," said IRS Acting Commissioner Steven T. Miller. "The Dirty Dozen list shows that scams come in many forms during filing season. Don't let a scam artist steal from you or talk you into doing something you will regret later." Illegal scams can lead to significant penalties and interest and possible criminal prosecution. IRS Criminal Investigation works closely with the Department of Justice (DOJ) to shutdown scams and prosecute the criminals behind them."
News release: "When writing or speaking, good grammar helps people make themselves be understood. But when used to concoct a long computer password, grammar — good or bad — provides crucial hints that can help someone crack that password, researchers at Carnegie Mellon University have demonstrated. A team led by Ashwini Rao, a software engineering Ph.D. student in the Institute for Software Research, developed a password-cracking algorithm that took into account grammar and tested it against 1,434 passwords containing 16 or more characters. The grammar-aware cracker surpassed other state-of-the-art password crackers when passwords had grammatical structures, with 10 percent of the dataset cracked exclusively by the team's algorithm. "We should not blindly rely on the number of words or characters in a password as a measure of its security," Rao concluded. She will present the findings on Feb. 20 at the Association for Computing Machinery's Conference on Data and Application Security and Privacy (CODASPY 2013) in San Antonio, Texas. Basing a password on a phrase or short sentence makes it easier for a user to remember, but the grammatical structure dramatically narrows the possible combinations and sequences of words, she noted."
"This document contains proposed regulations that create a new taxpayer identifying number known as an IRS truncated taxpayer identification number, a TTIN. As an alternative to using a social security number (SSN), IRS individual taxpayer identification number (ITIN), or IRS adoption taxpayer identification number (ATIN), the filer of certain information returns may use a TTIN on the corresponding payee statements to identify the individual being furnished a statement. The TTIN displays only the last four digits of an individual’s identifying number and is shown in the format XXX-XX-1234 or ***-**-1234. These proposed regulations affect filers of certain information returns who will be permitted to identify an individual payee by use of a TTIN on the payee statement furnished to the individual, and those individuals who receive payee statements containing a TTIN."
Monitoring Hacker Forums ADC Monthly Web Attacks Analysis, October 2012: "Imperva analyzed one of the largest-known hacker forums with roughly 250,000 members, as well as other smaller forums. Using search capabilities, we analyzed conversations by topic using specific keywords. We found:
"As part of nCircle's commitment to improving Internet security, we asked some of the brightest minds in security to help us compile a list of security tips and tricks for a wide range of readers. The resulting eBook includes a wide range of topics — from passwords and public Wi-Fi to Java configuration and sandboxing — and includes tips from security experts like Richard Stiennon, Adam Shostack, John Banghart, Brandon Williams and many others. The eBook is formatted to make it easy to share on social media platforms like Twitter and Facebook. Help us make the Internet a safer place. Download the eBook and chime in with a security tip of your own. Get the free eBook by downloading either the eBook version or the PDF version."
Mobile Device Location Data - Additional Federal Actions Could Help Protect Consumer Privacy, GAO-12-903, Sep 11, 2012
"The Department of Homeland Security (DHS) Control Systems Security Program manages and operates the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to provide focused operational capabilities for defense of control system environments against emerging cyber threats...This report provides a summary of cyber incidents, onsite deployments, and associated findings from the time ICS-CERT was established in 2009 through the end of 2011..The most common infection vector for network intrusion was spear-phishing emails with malicious links or attachments. Spear-phishing accounted for 7 out of 17 incidents. At least one incident involved an infection from a removable USB device."
"The Federal Trade Commission, the nation's consumer protection agency, offers updated information explaining how to protect your child's information and your own, and the immediate steps to take to limit the damage identity theft can cause. Taking Charge: What To Do If Your Identity Is Stolen is a step-by-step guide that includes sample letters, forms and essential contact information. A brochure, Identity Theft: What To Know, What To Do, explains the basic steps of protecting information and responding to identity theft. Safeguarding Your Child's Future tells parents how to protect their children's information, find out if a credit report has been created for them, and respond to problems."
News release: "Check Point® Software Technologies Ltd...announced the results of a new ZoneAlarm report revealing differences in the use of computer security between Gen Y and Baby Boomers. The report, The Generation Gap in Computer Security, found that Gen Y is more confident in its security knowledge than Baby Boomers. However, 50 percent of Gen Y respondents have had security issues in the past two years compared to less-than-half of Baby Boomers. The broad adoption of digital media and social networking, combined with the increasing amount of sensitive data that is stored online, is making personal computer security more important than ever before. Yet the ZoneAlarm study reveals that 78 percent of Gen Y respondents do not follow security best practices while cybercriminals are launching new and more sophisticated attacks on consumers every day. In comparison, Baby Boomers are more concerned about security and privacy and twice more likely to protect their computers with additional security software."
Google Online Security Blog: "Approximately 12-14 million Google Search queries per day show our warning to caution users from going to sites that are currently compromised. Once a site has been cleaned up, the warning is lifted."
Follow up to June 6, 2012 posting, LinkedIn Member Passwords Compromised, this update via the LinkedIn Blog: An Update On Taking Steps To Protect Our Members, June 9, 2012: "...In this post, we want to address questions we’ve been receiving and share what we’ve learned so far about the incident, how we’ve responded, and what we’re doing to protect our members going forward. First, it’s important to know that compromised passwords were not published with corresponding email logins. At the time they were initially published, the vast majority of those passwords remained hashed, i.e. encoded, but unfortunately a subset of the passwords was decoded. Again, we are not aware of any member information being published at any time in connection with the list of stolen passwords. The only information published was the passwords themselves."
Vicente Silveira, June 6, 2012: "We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:
Cybersecurity: Authoritative Reports and - Resources, Rita Tehan
Information Research Specialist, April 26, 2012
Computer World: "Ninety percent of the Internet's top 200,000 HTTPS-enabled websites are vulnerable to known types of SSL (Secure Sockets Layer) attack, according to a report released Thursday by the Trustworthy Internet Movement (TIM), a nonprofit organization dedicated to solving Internet security, privacy and reliability problems. The report is based on data from a new TIM project called SSL Pulse, which uses automated scanning technology developed by security vendor Qualys, to analyze the strength of HTTPS implementations on websites listed in the top 1 million published by Web analytics firm Alexa."
News release: "The Information Commissioner’s Office (ICO) is urging consumers to take better care of their data, following an investigation into the trade in used hard drives. The ICO has published new guidance to help individuals securely delete personal information from their old devices. An investigation by the ICO found that one in ten second-hand hard drives sold online may contain residual personal information. An ICO survey also found that 65% of British adults now hand on their old phones, computers and laptops to another user, with 44% giving it away to somebody else for free and around one in five (21%) selling it to somebody else. In December 2010, the ICO asked a computer forensics company – NCC Group – to source around 200 hard drives, 20 memory sticks and 10 mobile phones. The devices were mainly bought online from internet auction sites and some were sourced at computer trade fairs. The devices were then searched, initially without any additional software, and then interrogated using forensic tools freely available on the internet. The research found that, while 52% of the hard drives investigated were unreadable or had been wiped of data, 48% contained information and 11% was personal data. The amount of personal data found on the mobile phones and memory sticks was negligible. In total 34,000 files containing personal or corporate information were recovered from the devices. At least two of the hard drives contained enough information to enable someone to steal the former owner’s identity. The residual documents included scanned bank statements, passports, information on previous driving offences, and some medical details. A further four hard drives contained information about the employees and clients of four organisations, including individuals’ health and financial details."
"The Consumer Federation of America (CFA) released Best Practices for Identity Theft Services: How Are Services Measuring Up?, which analyzes how well identity theft services are providing key information to prospective customers. The study is based on CFA’s Best Practices for Identity Theft Services, voluntary guidelines that CFA developed with the help of identity theft service providers and consumer advocates. Released last year, the best practices resulted from CFA’s first study of identity theft services in 2009, which raised concerns about misleading claims about the ability to protect consumers from identity theft, lack of clear information, and other troublesome practices."
"Federal Trade Commission Chairman Jon Leibowitz released the agency’s 2012 Annual Highlights today at the spring meeting of the American Bar Association’s Section of Antitrust Law in Washington, DC, recognizing the agency’s continued efforts to protect consumers and promote competition. The Highlights, published in an online format for the first time this year, focus on the Commission’s work in multiple areas since March 2011, including online privacy, consumer fraud during the economic downturn, health care competition, and safeguarding children."
Active Authentication: "The current standard method for validating a user’s identity for authentication on an information system requires humans to do something that is inherently unnatural: create, remember, and manage long, complex passwords. Moreover, as long as the session remains active, typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard. Thus unauthorized individuals may improperly obtain extended access to information system resources if a password is compromised or if a user does not exercise adequate vigilance after initially authenticating at the console. The Active Authentication program seeks to address this problem by developing novel ways of validating the identity of the person at the console that focus on the unique aspects of the individual through the use of software based biometrics. Biometrics are defined as the characteristics used to uniquely recognize humans based on one or more intrinsic physical or behavioral traits. This program focuses on the behavioral traits that can be observed through how we interact with the world. Just as when you touch something your finger you leave behind a fingerprint, when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a “cognitive fingerprint.”
News release: "The Securities and Exchange Commission today announced a rule proposal to help protect investors from identity theft by ensuring that broker-dealers, mutual funds, and other SEC-regulated entities create programs to detect and respond appropriately to red flags. The SEC issued the proposal jointly with the Commodity Futures Trading Commission (CFTC). Section 1088 of the Dodd-Frank Act transferred authority over certain parts of the Fair Credit Reporting Act from the Federal Trade Commission (FTC) to the SEC and CFTC for entities they regulate. The proposed rules are substantially similar to rules adopted in 2007 by the FTC and other federal financial regulatory agencies that were previously required to adopt such rules."
FBI Fact Sheet on Internet Fraud: Includes information on: Avoiding Internet Auction Fraud, Avoiding Non-Delivery of Merchandise, Avoiding Credit Card Fraud, Avoiding Investment Fraud, Avoiding Business Fraud, Avoiding the Nigerian Letter or “419” Fraud, Common Fraud Scams, Investment-Related Scams, Internet Scams, and Fraud Target: Senior Citizens.
News release: "The Federal Trade Commission issued a staff report, Using FACTA Remedies: An FTC Staff Report on a Survey of Experience of Identity Theft Victims, summarizing the results of a survey of identity theft victims who were asked to describe their experiences dealing with consumer reporting agencies and, more generally, exercising their rights under the Fair Credit Reporting Act (FCRA) as amended by the Fair and Accurate Credit Transactions Act (FACTA), to recover from identity theft. The survey showed that most of the respondents were generally satisfied with their experiences, but the report also noted areas for improvement. Congress has established several rights under the FACTA to help actual or potential identity theft victims protect themselves from, and recover from, identity theft. These rights enable victims to place fraud alerts on their credit report with the consumer reporting agencies, request a free credit report from the three national consumer reporting agencies when placing a fraud alert, block fraudulent information from appearing in their credit report, and receive a notice of these and other rights from the consumer reporting agencies."
News release: "The Federal Trade Commission today released its list of top consumer complaints received by the agency in 2011. For the 12th year in a row, identity theft complaints topped the list. Of more than 1.8 million complaints filed in 2011, 279,156 or 15 percent, were identity theft complaints. Nearly 25 percent of the identity theft complaints related to tax- or wage-related fraud. The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and other complaints. In addition, the 50 metropolitan areas reporting the highest incidence of identity theft are noted."
News release: "The Electronic Frontier Foundation (EFF) launched the 2.0 version of HTTPS Everywhere for the Firefox browser today, including an important new update that warns users about web security holes. The "Decentralized SSL Observatory" is an optional feature that detects encryption weaknesses and notifies users when they are visiting a website with a security vulnerability – flagging potential risk for sites that are vulnerable to eavesdropping or "man in the middle" attacks."
"DMARC, which stands for "Domain-based Message Authentication, Reporting & Conformance", is a technical specification created by a group of organizations that want to help reduce the potential for email-based abuse by solving a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols. DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms. This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC. We hope this will encourage senders to more broadly authenticate their outbound email which can make email a more reliable way to communicate."
News release: "The Federal Trade Commission today sent a letter to the Internet Corporation for Assigned Names and Numbers (ICANN), the organization that oversees Internet domain names, expressing concern that the organization's plan to dramatically expand the domain name system could leave consumers more vulnerable to online fraud and undermine law enforcers' ability to track down online scammers. In its letter to ICANN, the Commission warned that rapid expansion of the number of generic top-level domain names (gTLDs) – the part of the domain name to the right of the dot, such as ".com," ".net" and ".org" – could create a "dramatically increased opportunity for consumer fraud," and make it easier for scam artists to manipulate the system to avoid being detected by law enforcement authorities. The Commission urged ICANN – before approving any new gTLD applications – to take additional steps to protect consumers, including starting with a pilot program to work out potential problems."
Identity Theft Reported by Households, 2005-2010: "Presents data on the nature of and trends in identity theft victimization among U.S. households from the National Crime Victimization Survey (NCVS). The NCVS defines identity theft as the misuse or attempted misuse of an existing credit card or another existing account or the misuse of personal information to open a new account or for other fraudulent purposes. Findings are based on experiences of all household members age 12 or older as reported by the head of household. The data brief examines changes in the percentage of households experiencing identity theft from 2005 to 2010. It describes differences in the types of identity theft experienced by households in 2010 compared to 2005, as well as changes in the demographic characteristics of victimized households. The brief also presents estimates on the monetary losses attributed to household victims of identity theft. Highlights include the following:
"Consumer Reports' Guide to online security outlines some of the most common Net threats—such as phishing, online scams, and computer viruses. (See: Best ways to stay safe online.) But our latest security report also notes that mobile phones and social media sites can also present a rising amount of ID theft risks since more consumers are using their smart phones to shop and sharing news of online bargains on Facebook. (See: Mobile phones: The new risk and Concerns about Facebook.) The Consumer Federation of America, a non-profit association of almost 300 consumer organizations, has compiled a list of 10 tips for having an ID theft-free holiday season (PDF) on its website, IDTheftInfo.org."
News release: "The loss of computer tapes by Science Applications International Corporation (SAIC) may have placed TRICARE patient data at risk. There is no evidence that any of the data has actually been accessed by a third party, and analysis shows the chance any data was actually compromised is low, but proactive measures are being taken to ensure that potentially affected patients are kept informed and protected. SAIC is a contractor for the TRICARE Management Activity. On September 14, TMA learned that an SAIC employee reported that on September 12 computer tapes containing personally identifiable and protected health information (PII/PHI) of 4.9 million military clinic and hospital patients in Texas, or those patients who had laboratory exams sent to the military hospitals in Texas, were stolen. The data contained on the tapes may include names, Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions. There is no financial data, such as credit card or bank account information, on the backup tapes."
DOE IG Evaluation Report - The Department's Unclassified Cyber Security Program – 2011, DOE/IG-0856 October 2011
News release: "Check Point® Software Technologies Ltd. announced the results of a new report revealing 48 percent of enterprises surveyed have been victims of social engineering, experiencing 25 or more attacks in the past two years, costing businesses anywhere from $25,000 to over $100,000 per security incident. The report, The Risk of Social Engineering on Information Security, shows phishing and social networking tools as the most common sources of socially-engineering threats – encouraging businesses to implement a strong combination of technology and user awareness to minimize the frequency and cost of attacks. Socially-engineered attacks traditionally target people with an implied knowledge or access to sensitive information. Hackers today leverage a variety of techniques and social networking applications to gather personal and professional information about an individual in order to find the weakest link in the organization. According to the global survey of over 850 IT and security professionals, 86 percent of businesses recognize social engineering as a growing concern, with the majority of respondents (51%) citing financial gain as the primary motivation of attacks, followed by competitive advantage and revenge."
Identity Theft - Trends, Patterns, and Typologies Based on Suspicious Activity Reports. Filed by the Securities and Futures Industries January 1, 2005 – December 31, 2010. Report released September 2011.
News release: "Want to know more about Internet safety and security? Visit the new and improved OnGuardOnline.gov for practical tips and resources on how to be safe, secure and responsible online. Created through a partnership of 16 federal agencies led by the Federal Trade Commission, it’s a great source of free information for your home, school, community group, or workplace. OnGuardOnline’s new features include a cybersecurity blog and information updates via e-mail. Also, the FTC has partnered with the Department of Homeland Security and other agencies in the Stop.Think.Connect Campaign™ to raise awareness of the need for stronger cybersecurity with new approaches to help increase online safety and security. The new OnGuardOnline blog offers cybersecurity news from around the government, how-to articles and videos, and insights from federal officials. Check back regularly for updates, or sign up to get an e-mail when a new post is up. You can copy information from the site, adapt it, post it, or link to it, and you can share your thoughts on the blog. Updating your website or blog? Link to OnGuardOnline. Editing a newsletter? Use our articles. Need hand-outs for a talk you’re giving? Print publications from the website, or order free materials from the FTC."
News release: "A new publication from the Federal Trade Commission, Protecting Your Child’s Personal Information at School, advises parents how to limit the risks of identity theft. It also explains the federal Family Educational Rights Privacy Act, which protects the privacy of student records and gives parents of school-age children the right to opt out of sharing contact information with third parties. In addition, the publication advises parents to ask their child’s school about its directory information policy, to learn about privacy policies of sports or music activities not formally sponsored by the school, and what to do if their child’s school experiences a data breach."
Trends in Circumventing Web-Malware Detection. Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig Schmidt. Google Technical Report rajab-2011a, July 2011
News release: "Acting on recent data that reveals many consumers still aren’t protected by even basic antivirus software when banking online, McAfee today released an educational guide for banking safely on computers, tablets or mobile devices. According to Javelin Strategy & Research, in 2010 47 percent of household financial managers did not have antivirus software installed. Combining McAfee intelligence with the latest U.S. banking data from many top sources revealed that most consumers fall into one of three categories of online banking behavior, and that age tends to play a strong role in safety and security habits online. Most people’s level of confidence with banking online is associated with their overall comfort level online, including participating in such activities as shopping, searching, and social networking."
Faces of Facebook: Privacy in the Age of Augmented Reality - FAQ only - See also slides here. Alessandro Acquisti (Heinz College, Carnegie Mellon University), Ralph Gross (Heinz College, Carnegie Mellon University) Fred Stutzman (Heinz College, Carnegie Mellon University), August 2011
Federal Register Volume 76, Number 125 (Wednesday, June 29, 2011)]
News release: "The Federal Trade Commission told Congress today during a hearing that to minimize the risk of identity theft or other harm, companies should employ reasonable safeguards to protect consumer information, collect only information for which they have a legitimate business need, and retain data only as long as necessary to fulfill the business purposes for which it was collected. The FTC also reiterated its recommendation that Congress pass legislation that would require companies to implement reasonable security practices and to notify consumers when there is a data security breach...The Commission expressed its support for federal legislation that would require companies to put reasonable data security policies and procedures in place, and to notify consumers when there has been a data security breach that affects them. The testimony notes that the Committee’s “Discussion Draft” of data security legislation accomplishes these key goals. The testimony highlights several other elements of the Discussion Draft, which gives the Commission authority to use the standard APA notice and comment procedures for rulemaking in connection with the legislation, provides for civil penalties for violations, and requires non-profit entities to adhere to the same data security and breach notification standards as for-profit entities."
News release: "AVG Technologies, Inc. announced it will make its leading Family Safety software available for free in exchange for a 99 cent donation to the American Red Cross family relief efforts in Joplin, Mo. The move comes in response to research the company conducted and has released over the course of the year on early childhood technology usage trends, “Digital Diaries" and is complemented with the release of a first-of-its-kind e-book and mobile application for teaching very young children the basics of online safety, Little Bird’s Internet Security Adventure.” AVG CEO JR Smith is making appearances across the country today urging parents to consider introducing their child to Little Bird to help them learn about online safety....Roughly half of today’s children (ages 6-9) are regularly talking to their friends online and using social networks, yet 58 percent of their parents admit they are not well-informed about their children’s online social networks. The “Digital Playground,” the third stage of AVG’s year-long “Digital Diaries” research program, further reveals the increasingly digitally-literate group of 6- to 9-year-olds and their parents in North America, Europe, Australia and New Zealand to find that:
Privacy leakage vs. Protection measures: the growing disconnect, Balachander Krishnamurthy - AT&T Labs Research; Konstantin Naryshkin - Worcester Polytechnic Institute; Craig E. Wills - Worcester Polytechnic Institute, May 2011.
Consumer Finance Protection Bureau: "The people just now reaching their sixties are part of America’s largest-ever generation of retirees. The CFPB is creating an Office of Financial Protection for Older Americans to ensure we serve this large community effectively. This Office will connect seniors with what they need to guide themselves through their financial lives. The Dodd-Frank Wall Street Reform and Consumer Protection Act requires this Office to be active by January 21, 2012. We are building it right alongside the rest of the consumer bureau, and in the coming weeks and months you’ll hear more from us about financial issues for seniors. Here are some places you can go now for senior financial protection information:
Catching AuthTokens in the Wild - The Insecurity of Google's ClientLogin Protocol by Bastian Könings, Jens Nickels, and Florian Schaub, May 13, 2011
Via CDT - The Threat of Data Theft to American Consumers: "Two high profile data (Sony's Playstation and Epsilon) breaches have grabbed headlines lately because of their recency, data breach is a major longstanding problem for consumers, businesses and government. According to Privacy Rights Clearinghouse, a staggering 600 million records have been breached due to the roughly 2,460 data breaches made public since 2005.5 According to a 2010 Ponemon benchmark study, the cost of data breaches to businesses – in terms of preventing, detecting, and notifying individuals of breach, as well as legal defense and lost business opportunities – have risen considerably over the past several years. Consumers whose personal information is lost or stolen in data breaches face increased risks of identity theft, spam and phishing attacks, reduced trust toward services on which they depend, and sometimes humiliating loss of privacy over sensitive medical conditions."
DOJ OIG: The Federal Bureau of Investigation's Ability to Address the National Security Cyber Intrusion Threat (Redacted Version), Audit Report 11-22, April 2011
EPIC: "Senator Richard Blumenthal (D-CT) wrote to Attorney General Eric Holder asking that the Department of Justice open an investigation into the Sony PlayStation security breach. Sony recently informed PlayStation Network customers that an "unauthorized user" had obtained the personal and financial information of 70 million gamers, including minors. Blumenthal wrote that whomever hacked into the PlayStation Network violated the Computer Fraud and Abuse Act. He also expressed concern about Sony's week-long delay in notifying users about the breach. In 2009, EPIC testified before Congress about the need to strengthen data breach notification laws, noting "in the absence of security obligations and breach notification requirements, it is too easy for firms to continue bad practices." For more information, see EPIC: Identity Theft.
News release: "Data loss through cyber attacks decreased sharply in 2010, but the total number of breaches was higher than ever, according to the "Verizon 2011 Data Breach Investigations Report." These findings continue to demonstrate that businesses and consumers must remain vigilant in implementing and maintaining security practices. The number of compromised records involved in data breaches investigated by Verizon and the U.S. Secret Service dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report's launch in 2008. Yet this year's report covers approximately 760 data breaches, the largest caseload to date. According to the report, the seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals. They are engaging in small, opportunistic attacks rather than large-scale, difficult attacks and are using relatively unsophisticated methods to successfully penetrate organizations. For example, only 3 percent of breaches were considered unavoidable without extremely difficult or expensive corrective action. The report also found that outsiders are responsible for 92 percent of breaches, a significant increase from the 2010 findings. Although the percentage of insider attacks decreased significantly over the previous year (16 percent versus 49 percent), this is largely due to the huge increase in smaller external attacks. As a result, the total number of insider attacks actually remained relatively constant.
EU: "77% of 13-16 year olds and 38% of 9-12 year olds in the EU have a profile on a social networking site, according to a pan-European survey carried out for the European Commission. Yet, a quarter of children who use social networking sites like Facebook, Hyves, Tuenti, Nasza-Klasa SchuelerVZ, Hi5, Iwiw or Myvip say their profile is set to "public" meaning that everyone can see it, and many of these display their address and/or phone number. The figures highlight the importance of the European Commission's upcoming review of the implementation of the Safer Social Networking Principles for the EU. This agreement was brokered by the Commission in 2009 (IP/09/232) when major social networking companies agreed to implement measures to ensure the online safety of their under 18s users. Children's safety online is an important part of the Digital Agenda for Europe (see IP/10/581, MEMO/10/199 and MEMO/10/200)."
"The Federal Trade Commission today told a House subcommittee that millions of consumers are victims of identity theft each year at a cost of billion of dollars and countless hours of consumers’ time to repair the damage. In testimony before the House Ways and Means Committee’s Social Security Subcommittee, the agency said helping protect consumers from ID theft and deal with its consequences is a critical part of the FTC’s consumer protection mission. In the testimony, the FTC recommended legislation to help mitigate the identity theft problem by making Social Security numbers less useful to identity thieves and making the numbers harder to access."
Via EPIC: "Epsilon, a large marketing firm, has lost the names and e-mail addresses of customers of Walgreens, JP Morgan Chase, Capitol One, Tivo, and other large companies. The firm announced the data breaches late last week. Data service providers, such as Epsilon, are not well known by consumers and are not typically regulated. Epsilon provides data analytics, targeting, profiling of customers, as well as e-mail tracking services. Previously, EPIC provided comments to the Federal Trade Commission and testimony to the United States Congress on the need for comprehensive privacy protection for customer data."
Smartphone Security - Survey of U.S. consumers, Ponemon Institute© Research Report, Sponsored by AVG Technologies, Independently conducted by Ponemon Institute LLC, Publication Date: March 2011
News release: "The Ponemon Institute proudly presents the 2010 U.S. Cost of a Data Breach, the sixth annual study concerning the cost of data breach incidents for U.S.-based companies sponsored by Symantec Corporation. The average organizational cost of a data breach increased to $7.2 million and cost companies an average of $214 per compromised record, markedly higher when compared to $204 in 2009. The study also found that for the second straight year organizations’ need to respond rapidly to data breaches drove the associated costs higher. The sixth annual Ponemon Cost of a Data Breach report is based on the actual data breach experiences of 51 U.S. companies from 15 different industry sectors."
News release: "The Federal Trade Commission today released the list of top consumer complaints received by the agency in 2010. The list showed that for the 11th year in a row, identity theft was the number one consumer complaint category. Of 1,339,265 complaints received in 2010, 250,854 – or 19 percent – were related to identity theft. Debt collection complaints were in second place, with 144,159 complaints. The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and other complaints. In addition, the 50 metropolitan areas reporting the highest incidence of identity theft are noted."
2010 Internet Crime Report, The Internet Crime Complaint Center (IC3), February 2011
News release: "At a forum with Silicon Valley business and academic leaders at Stanford University, U.S. Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard A. Schmidt announced plans to create a National Program Office to help foster an environment in which sensitive online transactions can be carried out with greater levels of trust. The National Program Office, to be established within the Department of Commerce, would coordinate federal activities needed to implement the National Strategy for Trusted Identities in Cyberspace (NSTIC), an Obama administration initiative aimed at establishing identity solutions and privacy-enhancing technologies that will make the online environment more secure and convenient for consumers. The national office would serve as the point of contact to bring the public and private sectors together to meet this challenge."
News release: "An estimated 11.7 million persons, representing five percent of all persons age 16 or older in the United States, were victims of identity theft during the two years prior to being surveyed in 2008, the Bureau of Justice Statistics (BJS) announced today. The financial losses due to the identity theft totaled more than $17 billion. Identity theft was defined in the survey as the attempted or successful misuse of an existing account, such as a debit or credit account, misuse of personal information to open a new account, or misuse of personal information for other fraudulent purposes, such as obtaining government benefits. Approximately 6.2 million victims (three percent of all persons age 16 or older) experienced the unauthorized use or attempted use of an existing credit card account, the most prevalent type of identity theft. An estimated 4.4 million persons reported the misuse or attempted misuse of a banking account, such as a debit, checking or savings account. Another 1.7 million persons experienced the fraudulent misuse of their information to open a new account, and about 618,900 persons reported the misuse of their information to commit other crimes, such as fraudulently obtaining medical care or government benefits or providing false information to law enforcement during a crime or traffic stop. About 16 percent of all victims (1.8 million persons) experienced multiple types of identity theft during the two-year period."
News release: "The Electronic Frontier Foundation (EFF) has launched a new version of HTTPS Everywhere, a security tool that offers enhanced protection for Firefox browser users against "Firesheep" and other exploits of webpage security flaws. HTTPS secures web browsing by encrypting both requests from your browser to websites and the resulting pages that are displayed. Without HTTPS, your online reading habits and activities are vulnerable to eavesdropping, and your accounts are vulnerable to hijacking... This new version of HTTPS Everywhere responds to growing concerns about website vulnerability in the wake of Firesheep, an attack tool that could enable an eavesdropper on a network to take over another user's web accounts -- on social networking sites or webmail systems, for example -- if the browser's connection to the web application either does not use cryptography or does not use it thoroughly enough...Other sites targeted by Firesheep that now receive protection from HTTPS Everywhere include Bit.ly, Cisco, Dropbox, Evernote, and GitHub. In addition to the HTTPS Everywhere update, EFF also released a guide to help website operators implement HTTPS properly."
Google Confronts China’s “Three Warfares”, by Timothy L. Thomas. Parameters, Summer 2010, Vol. 40, No. 2, U.S. Army War College.
Identity Theft Trends, Patterns, and Typologies Reported in Suspicious Activity Reports Filed by Depository Institutions January 1, 2003 – December 31, 2009, released October 2010 by the Financial Crimes Enforcement Network
News release: "The Federal Trade Commission has created a guide to help attorneys and victim advocates provide legal assistance to identity theft victims. Geared toward resolving issues out of court, the Guide for Assisting Identity Theft Victims describes how advocates can intervene with creditors, credit reporting agencies, debt collectors, and others, as well as self-help measures that victims can take. Victims may need an advocate’s help in a variety of situations: their age, health, language skills, or income prevents them from making effective disputes; they’re being pursued for someone else’s debt; they face uncooperative creditors or credit reporting agencies; or their case is complex."
News release: "The Federal Trade Commission today told the Equal Employment Opportunity Commission that the Fair Credit Reporting Act (FCRA) imposes requirements on Consumer Reporting Agencies (CRAs) - which include the three major credit bureaus - and on employers that use the information “to ensure that sensitive consumer report information is used with fairness, impartiality, and respect for consumers’ privacy.” Commission testimony given by Maneesha Mithal, Associate Director of the FTC’s Division of Privacy and Identity Protection, states that FCRA requirements placed on CRAs and employers are designed to promote privacy, accuracy, and fairness in the use of consumer reports. For example, before giving a consumer report to an employer, the CRA must take reasonable steps to ensure that the employer has a legitimate basis to obtain the report; must inform the employer of his or her obligation to provide certain notices to consumers; and must obtain the employer’s certification that he or she is complying with the FCRA and will not use consumer report information in violation of equal opportunity laws."
News release: "This is National Protect Your Identity Week, and the Federal Trade Commission, the nation’s consumer protection agency, has information to help consumers, businesses, and law enforcement officials safeguard personal information and take action if an identity thief strikes.
State of the Internet 2010: A Report on the Ever-Changing Threat Landscape, CA Technologies Internet Security Business Unit
Internet Security Intelligence Report, October 2010
WSJ: "Many of the most popular applications, or "apps," on the social-networking site Facebook Inc. have been transmitting identifying information—in effect, providing access to people's names and, in some cases, their friends' names—to dozens of advertising and Internet tracking companies, a Wall Street Journal investigation has found. The issue affects tens of millions of Facebook app users, including people who set their profiles to Facebook's strictest privacy settings. The practice breaks Facebook's rules, and renews questions about its ability to keep identifiable information about its users' activities secure. The problem has ties to the growing field of companies that build detailed databases on people in order to track them online—a practice the Journal has been examining in its What They Know series. It's unclear how long the breach was in place. On Sunday, a Facebook spokesman said it is taking steps to "dramatically limit" the exposure of users' personal information."
News release: "The Federal Trade Commission today unveiled a community outreach kit with new resources to help parents and communities keep kids safe online and on their mobile phones. With more than five million copies of the Net Cetera: Chatting with Kids About Being Online guide already in the hands of families across the country, FTC Chairman Jon Leibowitz announced the expanded campaign."
News release: [On September 22, 2010] the Federal Trade Commission told a Senate Subcommittee that it supports proposed legislation that would require many companies to use reasonable data security policies and procedures and require those companies to notify consumers when there is a security breach. In testimony before the Committee on Science, Commerce, and Transportation Subcommittee on Consumer Protection, Product Safety and Insurance, Maneesha Mithal, Associate Director for Privacy and Identity Protection at the FTC told the Subcommittee that problems with data security and breaches affect a wide array of both businesses and nonprofit organizations..
The testimony states that the agency suggests three additional measures that could be included in the proposed legislation to protect consumers. First, the provision that requires that companies notify consumers in the event of an information security breach should not be limited to entities that possess data in electronic form; second, the proposed requirements should be extended so that they apply to telephone companies; and third, the Commission suggests that the bill grant the agency rulemaking authority to determine circumstances under which providing free credit reports or credit monitoring may not be warranted."
News release: "The Federal Trade Commission testified [July 22, 2010] about FTC efforts to protect consumer privacy and commented on legislative proposals to improve privacy protections before the U.S. House Subcommittee on Commerce, Trade, and Consumer Protection of the Committee on Energy and Commerce. The testimony presented by David Vladeck, Director of the FTC’s Bureau of Consumer Protection, described the FTC’s law enforcement actions to hold companies accountable for protecting consumer privacy, focusing on data security, identity theft, children’s privacy, and protecting consumers from intrusive spam, spyware, and telemarketing. The testimony noted that the FTC has brought 28 actions charging businesses with failing to protect consumers’ personal information and 15 actions charging website operators with collecting information from children without parents’ consent. The FTC also has brought 15 spyware cases and dozens of actions challenging illegal spam, including an action against a rogue Internet Service Provider that resulted in a temporary 30 percent drop in spam worldwide. Finally, the FTC has brought 64 actions alleging violations of the Do Not Call Rule, resulting in violators paying almost $40 million in civil penalties and giving up nearly $18 million, including consumer redress."
"EPIC Executive Director Marc Rotenberg testified [July 15, 2010]before the House Committee on Science and Technology regarding Planning for the Future of Cyber Attack Attribution. In his prepared statement, Mr. Rotenberg discussed "the risks and limitations of a mandatory Internet ID that may be favored by some as a way to address the risk of cyber attack." He explained how such a proposal would implicate human rights and online freedom, and questioned the constitutionality of such a measure. EPIC recommended that efforts continue to focus on improving security standards, deploying encryption, and requiring federal agencies to remain transparent as they develop cyber security policies."
Identity Theft Reported by Households, 2007 - Statistical Tables: "Presents data on identity theft victimization reported by households from the National Crime Victimization Survey (NCVS). These statistical tables provide 2007 data on rates and types of identity theft, as well as demographic characteristics of victimized households and their monetary losses. Tables compare rates of identity theft victimization in 2005 to 2007. Estimates from the last half of 2008 are also presented and compared to estimates from the same 6-month period in 2007."
The Comprehensive National Cybersecurity Initiative: "President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter. Shortly after taking office, the President therefore ordered a thorough review of federal efforts to defend the U.S. information and communications infrastructure and the development of a comprehensive approach to securing America’s digital infrastructure."
NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), Recommendations of the National Institute of Standards and Technology, Erika McCallister, Tim Grance, Karen Scarfone, April 2010.
Follow up to postings on security issues and erasing hard drive, from Gizmodoa detailed article with accompanying screen shots and product references: "With stories abounding of identity theft aided by information lifted from discarded storage devices, you want devices you no longer plan to use to have no usable information when they head out the door. Here's how to wipe them clean...When you erase/delete a file from your computer, it's not really gone until the areas of the disk it used are overwritten by new information. If you use the normal Windows delete function, the "deleted" file is sent to the Recycle Bin until the space it uses is required by other files. If you use Shift-Delete to bypass the Recycle Bin, the space occupied by the file is marked as available for other files. However, the file could be recovered days or even weeks later with third-party data recovery software. As long as the operating system does not reuse the space occupied by a file with another file, the "deleted" file can be recovered."
Although many organizations do not report breaches on a timely basis, or in many instances, report them at all, the most recent Identity Theft Resource Center report reveals data protection remains a critical issue for organizations, especially financial services.
News release: Prepared Statement of the Federal Trade Commission On Keeping Score on Credit Scores: An Overview of Credit Scores, Credit Reports and Their Impact on Consumers, Presented by David Vladeck, Director, Bureau of Consumer Protection, Before the Subcommittee On Financial Institutions and Consumer Credit of the Committee On Financial Services, United States House of Representatives (March 24, 2010)
News release: "FinCEN joins with other Federal, State and Local government agencies and consumer protection organizations to recognize the 12th Annual National Consumer Protection Week (NCPW), March 7-13. This coordinated consumer education campaign encourages individuals across the country to take full advantage of their consumer rights. FinCEN provides a number of special resources to educate consumers, and the financial institutions that serve them, of potential fraud and scam attempts. FinCEN's rules help consumers by requiring financial institutions to be on the alert for illicit activity. Requirements that a financial institution know its customers can help both to provide better customer service and to prevent that customer from becoming a victim of fraud."
News release: "The Federal Trade Commission and other government agencies and national consumer groups are sponsoring the 12th annual National Consumer Protection Week from March 7-13, 2010. The event is a coordinated consumer education campaign that encourages individuals across the country to take full advantage of their consumer rights. This year’s theme, Dollars & Sense: Rated “A” for All Ages, highlights the importance of using good consumer sense at every stage of life, from grade school to retirement. In keeping with the theme, the consumer education campaign features a Web site with a page for kids and parents, as well as games, videos, and links other Web sites that teach practical lessons about the role of business and government in everyday life. The site, www.consumer.gov/ncpw, provides information that encourages people to take full advantage of their consumer rights, and promotes free resources to help people protect their privacy, manage money and debt, avoid identity theft, understand credit and mortgages, and steer clear of frauds and scams."
News release: "The Federal Trade Commission today released a report listing top complaints consumers filed with the agency in 2009. It shows that while identity theft remains the top complaint category, identity theft complaints declined 5 percentage points from 2008.
News release: "Starting April 1, advertising for “free credit reports” will require new disclosures to help consumers avoid confusing “free” offers – which often require consumers to spend money on credit monitoring or other products or services – with the no-strings-attached credit reports available at AnnualCreditReport.com, or 877-322-8228. The Federal Trade Commission’s Free Credit Reports Rule will require new prominent disclosures in advertisements for “free credit reports.” For example, any Web site offering free credit reports must include a disclosure, across the top of each page that mentions free credit reports, which states:
Global Risks 2010 - A Global Risk Network Report. A World Economic Forum Report in collaboration with Citi, Marsh & McLennan Companies (MMC), Swiss Re, Wharton School Risk Center, Zurich Financial Services. January 2010.
News release: "Albert Gonzalez, 28, of Miami, pleaded guilty today to conspiring to hack into computer networks supporting major American retail and financial organizations, and to steal data relating to tens of millions of credit and debit cards, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, U.S. Attorney for the District of New Jersey Paul J. Fishman, U.S. Attorney for the District of Massachusetts Carmen Milagros Ortiz and Director of the U.S. Secret Service Mark Sullivan. Gonzalez, aka “segvec,” “soupnazi” and “j4guar17,” pleaded guilty to two counts of conspiracy to gain unauthorized access to the payment card networks operated by, among others, Heartland Payment Systems, a New Jersey-based card processor; 7-Eleven, a Texas-based nationwide convenience store chain; and Hannaford Brothers Co. Inc., a Maine-based supermarket chain. The plea was entered in federal court in Boston before U.S. District Court Judge Douglas P. Woodlock. The case is one of the largest data breaches ever investigated and prosecuted in the United States."
News release: "The Federal Trade Commission has launched its Web site and blog for National Consumer Protection Week 2010, which will be held March 7-13. Consumer.gov/ncpw, encourages people to learn about their rights as consumers, and promotes free resources to help them protect their privacy, manage money and debt, avoid identity theft, understand credit and mortgages, and steer clear of frauds and scams. The twelfth annual consumer protection week is a partnership between the FTC and other government agencies and consumer groups. This year’s theme, Dollars & Sense: Rated “A” for All Ages, highlights the importance of using good consumer sense at every stage of life – from grade school to retirement. The site for the event features a page for kids and parents, and highlights games, videos, and other Web sites that teach kids practical lessons about the role of business and government in their everyday lives."
News release: "The Federal Trade Commission today issued a Fraud Forum staff report that examines more effective ways to protect consumers from fraudulent schemes and focus the collective knowledge and experience of forum participants to fight fraud. The February 2009 Forum was attended by academics, consumer advocates, industry representatives, and state and federal law enforcers. The Fraud Forum Report summarizes information presented at the event during panel and small group discussions on a range of issues including: the psychology of scammers and their victims, fraud statistics, under-reported fraud, and the role of private industry in detecting and preventing fraud."
"CDT released a whitepaper highlighting policy issues related to responsible user-centric identification systems. The paper comes as the U.S. Government begins launching a series of pilot programs that will use third party user credentials to authenticate users to federal Web sites and discusses possible challenges to be considered as these activities are expanded in order to provide a better user experience."
Evaluation Report, The Department's Unclassified, Cyber Security Program - 2009. DOE/IG-0828 October 2009
News release: "ChoicePoint, Inc., one of the nation’s largest data brokers, has agreed to strengthened data security requirements to settle Federal Trade Commission charges that the company failed to implement a comprehensive information security program protecting consumers’ sensitive information, as required by a previous court order. This failure left the door open to a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identify theft. ChoicePoint has now agreed to a modified court order that expands its data security assessment and reporting duties and requires the company to pay $275,000. In April 2008, ChoicePoint (now a subsidiary of Reed Elsevier, Inc.) turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off, according to the FTC. During that period, an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers. The searches continued for 30 days. After discovering the breach, the company brought the matter to the FTC’s attention."
National Identity Theft Prevention Week - UK's Fraud Prevention Service resources:
FBI news release: "The largest number of defendants ever charged in a cyber crime case have been indicted in a multinational investigation conducted in the United States and Egypt that uncovered a sophisticated “phishing” operation that fraudulently collected personal information from thousands of victims that was used to defraud American banks. [October 7, 2009], authorities in several United States cities arrested 33 of 53 defendants named in an indictment returned last week by a federal grand jury in Los Angeles. Several defendants charged in the indictment are being sought this morning by law enforcement. Additionally, authorities in Egypt have charged 47 defendants linked to the phishing scheme. The United States government is extremely grateful for the extraordinary assistance provided by the Egyptian government in this matter."
News release: "Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., and Ranking Member Susan Collins, R-Me., Sunday said the latest trend in cybercrime is directed at small to medium sized companies that have been robbed of both data and dollars...The thieves steal in amounts under $10,000 to avoid triggering a bank report required by anti-money laundering law. The malware is so well written that the traffic seems to be coming from an authorized computer – and possibly is a legitimate computer that has been commandeered. The money is then transferred to “money mules” who may have been recruited over internet job boards or who have posted resumes on a job listing serviceThe Committee will hold a hearing September 14, 2009, Cyber Attacks: Protecting Industry Against Growing Threats, to examine this new trend, and the Senators plan to introduce broad cyber security legislation later this fall that will improve cyber security in the private sector."
Follow up to August 1, 2009 posting - Alleged International Hacker Indicted for Massive Attack on U.S. Retail and Banking Networks - today's news release: "An international computer hacker pleaded guilty today to multiple charges relating to hacking activity and credit card fraud, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, Acting U.S. Attorney for the District of Massachusetts Michael Loucks, U.S. Attorney for the Eastern District of New York Benton J. Campbell and Director of the U.S. Secret Service Mark Sullivan. More than 40 million credit and debit card numbers were stolen from major U.S. retailers as a result of the hacking activity. Albert Gonzalez, 28, of Miami, pleaded guilty today to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft relating to hacks into numerous major U.S. retailers including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. Gonzalez was indicted in August 2008 in the District of Massachusetts on charges related to these hacks."
Online Behavioral Tracking and Targeting Concerns and Solutions, Legislative Primer September 2009 - from the Perspective of: Center for Digital Democracy, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Frontier Foundation, Privacy Lives, Privacy Rights Clearinghouse, Privacy Times, U.S. Public Interest Research Group, The World Privacy Forum.
"Tracking people’s every move online is an invasion of privacy. It’s like being followed by an invisible stalker – individuals aren’t aware that it’s happening, who is tracking them, and how the information will be used. They’re not asked for their consent and have no meaningful control over the collection and use of their information, often by third-parties with which they have no relationships."
"PandaLabs issued a release on the proliferation of identity theft malware during times of economic crisis. Our research found that the number of users affected by malware designed for identity theft has increased 600 percent this year compared to the same time in 2008. PandaLabs receives nearly 37,000 samples of new viruses, worms, Trojans and other types of Internet threats each day. Of these, 71 percent are Trojans, mostly aimed at stealing bank details or credit card numbers, as well as passwords for other commercial services. Between January and July 2009, PandaLabs received 11 million new threats, approximately 8 million of which were Trojans. This is in clear contrast, for example, to the average of 51 percent of new Trojans that PandaLabs received in 2007."
News release: "Albert Gonzalez, 28, of Miami, Fla., was indicted today for conspiring to hack into computer networks supporting major American retail and financial organizations, and stealing data relating to more than 130 million credit and debit cards, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, Acting U.S. Attorney for the District of New Jersey Ralph J. Marra Jr. and U.S. Secret Service Assistant Director for Investigations Michael Merritt...The indictment, which details the largest alleged credit and debit card data breach ever charged in the United States, alleges that beginning in October 2006, Gonzalez and his co-conspirators researched the credit and debit card systems used by their victims; devised a sophisticated attack to penetrate their networks and steal credit and debit card data; and then sent that data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine. The indictment also alleges Gonzalez and his co-conspirators also used sophisticated hacker techniques to cover their tracks and to avoid detection by anti-virus software used by their victims."
News release: Javelin Strategy & Research released its Fifth Annual Card Issuers’ Identity Safety Scorecard, which analyzes the top 25 U.S. card issuers’ capabilities for protecting customers from identity fraud. To compile the report, Javelin incorporated data from annual household, consumer, and issuer surveys using Javelin’s Prevention, Detection and Resolution™ criteria to accurately reflect customer demands and trends in how issuers protect against fraud. The Javelin scorecard is a structured assessment of each issuer’s fraud protection services. The scorecard ranks features that best empower two major victims of the nation’s $48B identity fraud problem—cardholders and issuers—showing how to turn the tables on a worrying method of crime."
"The Federal Trade Commission today described its comprehensive efforts to combat identity theft before the U.S. House Subcommittee on Information Policy, Census, and National Archives of the Committee on Oversight and Government Reform. The FTC also recommended legislative remedies to enhance the effectiveness of these efforts. The testimony presented by Betsy Broder, Assistant Director of the FTC’s Division of Privacy and Identity Protection, highlighted the agency’s leadership role in developing a national strategy to combat identity theft as part of the President’s Identity Theft Task Force. The Task Force issued 31 recommendations that promoted an enhanced data security culture in the public and private sectors, launched victim assistance initiatives, and improved law enforcement’s ability to pursue and punish identity thieves."
News release: "Six federal agencies issued a set of frequently asked questions (FAQs) today to help financial institutions, creditors, users of consumer reports, and issuers of credit cards and debit cards comply with federal regulations on identity theft and discrepancies in changes of address. The “Red Flags and Address Discrepancy Rules,” which implement sections of the Fair and Accurate Credit Transactions Act of 2003, were issued jointly on November 9, 2007, by the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Federal Trade Commission (FTC)."
"The Federal Trade Commission has launched a Web site to help entities covered by the Red Flags Rule design and implement identity theft prevention programs. The Rule requires “creditors” and “financial institutions” to develop written programs to identify the warning signs of ID theft, spot them when they occur, and take appropriate steps to respond to those warning “red flags.”
"In December 2003, the Internet Fraud Complaint Center (IFCC) was renamed the Internet Crime Complaint Center (IC3) to better reflect the broad character of such criminal matters having a cyber (Internet) nexus. The 2008 Internet Crime Report is the eighth annual compilation of information on complaints received and referred by the IC3 to law enforcement or regulatory agencies for appropriate action. From January 1, 2008 – December 31, 2008, the IC3 website received 275,284 complaint submissions. This is a (33.1%) increase when compared to 2007 when 206,884 complaints were received. These filings were composed of complaints primarily related to fraudulent and non-fraudulent issues on the Internet."
News release: "The Internal Revenue Service issued its 2008 list of the 12 most egregious tax schemes and scams, highlighted by Internet phishing scams and several frivolous tax arguments. Topping this year’s list of scams is phishing, which encompasses numerous Internet-based ploys to steal financial information from taxpayers. New to the “Dirty Dozen” this year is a scheme, which IRS auditors discovered, that relates to unreasonable and/or excessive fuel tax credit claims."
Identity Theft Resource Center, 2009 Breach List, 3/3/2009 - Breaches: 89 Exposed: 1,140,146.
"The Federal Trade Commission released the list of top consumer complaints received by the agency in 2008. The list, contained in the publication Consumer Sentinel Network Data Book for January-December 2008, showed that for the ninth year in a row, identity theft was the number one consumer complaint category. Of 1,223,370 complaints received in 2008, 313,982 – or 26 percent – were related to identity theft."
News release: "The U.S. Small Business Administration issued a scam alert today to small businesses, warning them not to respond to letters falsely claiming to have been sent by the SBA asking for bank account information in order to qualify them for federal tax rebates. The fraudulent letters were sent out with what appears to be an SBA letterhead to small businesses across the country, advising recipients that they may be eligible for a tax rebate under the Economic Stimulus Act, and that SBA is assessing their eligibility for such a rebate. The letter asks the small business to provide the name of its bank and account number."
News release: "...experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale. The impact of these errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies."
The Top 25 Errors are listed below in three categories:
"The IRS does not initiate communication with taxpayers through e-mail. Before identity theft happens, safeguard your information...IRS Identity Protection Specialized Unit, toll-free at 1-800-908-4490."
News release: "Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center's 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446. In terms of sub-divisions by type of entity, the rankings have not changed between 2007 and 2008 within the five groups that ITRC monitors. The financial, banking and credit industries have remained the most proactive groups in terms of data protection over all three years. The Government/Military category has dropped nearly 50% since 2006, moving from the highest number of breaches to the third highest."
News release: "The federal bank, credit union, and thrift regulatory agencies today announced publication of a revised identity theft brochure – You Have the Power to Stop Identity Theft – to assist consumers in preventing and resolving identity theft. The updated brochure focuses primarily on Internet "phishing" by describing how phishing works, offering ways to protect against identity theft, and detailing steps to follow for victims of identity theft. The brochure includes contact information for three major credit bureaus, where to report suspicious e-mails, and where to access additional information."
"Thirty privacy, consumer, and civil liberties organizations sent a letter to President-elect Barack Obama on the importance of protecting privacy in the next administration. The organizations support the incoming president’s expressed on privacy, consumer rights, and civil liberties. President-elect Obama stated support for strengthening of privacy protection by harnessing the power of technology to hold government and businesses accountable for violations of personal privacy. The coalition said that “[t]here is a clear need to address the spiraling problems of identity theft, security breaches, and the commercialization of personal information.” For more information visit EPIC’s A-Z Privacy Page."
News release: "The Federal Trade Commission issued a report today recommending five measures to help prevent Social Security numbers from being used for identity theft. Principal among the report’s recommendations is that Congress consider taking action to strengthen the procedures that private-sector organizations use to authenticate their customers’ identities...The FTC report states that adopting nationwide standards for how businesses and other organizations verify the identity of new and existing customers would make it harder for identity thieves to use SSNs and other stolen information to consummate their fraud...The FTC report also recommends that steps be taken to reduce the unnecessary display and transmission of SSNs, but noted that such restrictions must be approached carefully. A number of important functions in the U.S. economy depend on use of and access to SSNs, and the report concluded that overly restrictive attempts to limit the availability of SSNs could unintentionally curtail those functions. Finally, the report recommends steps to improve data security, increase outreach to consumers and businesses on the protection of SSNs, and enhance coordination and information-sharing among organizations that routinely use SSNs."
News release: "The total number of breaches in on the Identity Theft Resource Center’s 2008 breach list surpassed the final total of 446 reported in 2007, more than 4 months before the end of 2008. As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events. In the last few months, two subcontractors became examples of these “multiple” events. In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event."
OTS 08-051 - OTS Issues New Examination Procedures on Identity Theft Red Flags and Address Discrepancies: "This Regulatory Bulletin transmits revised Examination Handbook Section 341, Information Technology Risks and Controls, and revised Examination Handbook Section 1300, Fair Credit Reporting Act (FCRA). The revised Handbook Sections contain new guid-ance and examination procedures for the final rules on Identity Theft Red Flags and Address Discrepancies, which implement Sections 114 and 315 of the Fair and Accurate Credit Trans-actions Act (FACT Act) of 2003. This bulletin rescinds RB 37-15 dated April 20, 2006."
Office of Science and Technology Policy (OSTP) in the Executive Office of the President - Identity Management Task Force Report 2008, released September 2008
News release: "Attorney General Michael B. Mukasey and Federal Trade Commission Chairman William E. Kovacic announced today the release of a report from the President’s Identity Theft Task Force on progress the federal government has made in addressing identity theft since the Task Force’s Strategic Plan was released last year. Highlights of the report include expansion of the Task Force’s data security and identity theft business and consumer education campaigns; exploring means of improving consumer authentication processes to prevent the use of stolen information to commit identity theft; launching new initiatives to help identity theft victims recover; and improving law enforcement tools to investigate and prosecute identity thieves."
News release: "In keeping with the Patrick Administration’s commitment to protecting consumers, the Office of Consumer Affairs and Business Regulation (OCABR) last Friday issued a comprehensive set of final regulations establishing standards for how businesses protect and store consumers’ personal information. Additionally, Governor Patrick has signed an executive order requiring all state agencies to immediately take steps to implement security measures consistent with the requirements established by OCABR's regulations for private companies. The order calls for the adoption of uniform standards across government that protect the integrity of personal information and further the objectives of the identity theft prevention law."
News release: "Today, the total number of breaches in on the Identity Theft Resource Center’s (ITRC) 2008 breach list surpassed the final total of 446 reported in 2007, more than 4 months before the end of 2008. As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events. In the last few months, two subcontractors became examples of these “multiple” events. In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event....Breaches: 449 Exposed: 22,091,338."
News release: "Secretary Chertoff spoke on the balance between privacy and secure identity August 13 at the University of Southern California National Center for Risk and Economic Analysis of Terrorism Events. He addressed crimes involving identity theft, and talked about identity validation and authentication, the associated financial costs, the effect on illegal workers, the universe of tools available for identity management, and possible solutions that address the concerns of privacy advocates."
News release: "State attorneys general received thousands of consumer complaints of online fraud and abuse in 2006 and 2007 and yet, with the exception of several notable standouts, brought few significant cases in response, according to a report released today from the Center for American Progress and the Center for Democracy and Technology, Online Consumers at Risk and the Role of State Attorneys General."
Official Google Enterprise Blog: "In July, our Postini datacenters saw the biggest volume of email virus attacks so far in 2008, with a peak of nearly 10 million messages on July 24. One of the more prominent attacks in the month involved a spoofed UPS package-tracking link that was intended to lure recipients into clicking on it and downloading malware. Our zero-hour virus protection technology first started catching these emails on July 20."
News release: "Eleven perpetrators allegedly involved in the hacking of nine major U.S. retailers and the theft and sale of more than 40 million credit and debit card numbers have been charged with numerous crimes, including conspiracy, computer intrusion, fraud and identity theft, Attorney General Michael B. Mukasey, U.S. Attorney for the District of Massachusetts Michael J. Sullivan, U.S. Attorney for the Southern District of California Karen P. Hewitt, U.S. Attorney for the Eastern District of New York Benton J. Campbell and U.S. Secret Service Director Mark Sullivan announced today. The scheme is believed to constitute the largest hacking and identity theft case ever prosecuted by the Department of Justice."
News release: "The Federal Trade Commission today released a staff report on a Roundtable Discussion on Phishing Education that it hosted in April. Approximately 60 experts from business, government, the technology sector, the consumer advocacy community, and academia met at the FTC to discuss strategies for outreach to consumers about avoiding phishing. Phishers use deceptive spam that appears to come from legitimate, well-known sources to trick consumers into divulging sensitive or personal information, such as credit account numbers or passwords, often through a link to a copycat of the purported source’s Web site."
The Red Flags Rules are part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. Under these Rules, financial institutions and creditors with covered accounts must have identity theft prevention programs in place by November 1, 2008, to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.
The Commission staff is launching an outreach effort to explain the Rules in greater detail. It has now published a general alert on what the Rules require, and, in particular, an explanation of which businesses - financial institutions and creditors - are covered by the Rules."
News release: "The Federal Trade Commission plans to study the experiences of identity theft victims by conducting a survey of consumers who contacted the FTC after they were victimized. The proposed survey will examine the remedies available to victims under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Among other things, the FACT Act gave consumers the right to place fraud alerts on their credit files if they are, or suspect they may become, victims of identity theft; block information on their credit reports that resulted from identity theft; and obtain copies of their credit reports free of charge. The survey will seek information from identity theft victims who contacted the FTC between January 1 and May 30, 2008, and will inquire about their experiences when they contacted one or more credit reporting agencies and when they sought to use their FACT Act rights. The survey results will help guide the FTC’s efforts to enforce the law and educate consumers and the consumer reporting industry about their rights and duties."
News release: "The ITRC Breach Report total has reached an all-time high. Between January 1st and June 27th, the total number of data breaches recorded by the ITRC is 342, more than 69% greater than the same time period in 2007. The actual number of breaches is likely even higher, due to underreporting and the fact that some of the breaches reported as a single event actually affected multiple businesses.
The ITRC Breach Report sub-divides all breaches into five categories. To date, the 2008 ITRC Breach Stats Report indicates the following: 17.0% government/military agencies, 21.3% from educational institutions, 36.8% from general businesses, 14.9% from health care facilities / companies, and 10% from banking / credit / financial services entities.
Click here for the 2008 ITRC Breach report. Click here for the 2008 ITRC Breach Stats Report broken down by categories which includes the percentages for each category (business, financial/credit, educational, governmental/military and health care). Please check regularly as this list is updated weekly.
A Guide to Protecting Your Identity Online, Rosemary Haworth, PC Advisor
Identity Theft: The Aftermath 2007. Conducted by the Identity Theft Resource Center® (ITRC) With comparisons to The Aftermath 2003, 2004, 2005, 2006 Surveys.
News release: "The Federal Trade Commission...told the Senate Committee on Commerce, Science, and Transportation that “legislation authorizing the Commission to seek civil penalties in spyware cases could add a potent remedy to those otherwise available to the Commission.” In testimony to the Committee, Eileen Harrington, Deputy Director of the FTC’s Bureau of Consumer Protection, said that when other enforcement options – seeking consumer redress or making the operators give up their ill-gotten gains – are not appropriate or sufficient remedies to deter spyware distributors, “a civil penalty may be the most appropriate remedy and serve as a strong deterrent.” The testimony states that the agency supports legislation that would provide “the Commission this valuable law enforcement tool.”
OIG: The Social Security Administration's Internal Use of Employees' Social Security Numbers. A-13-07-27164 06/09/08
Do Data Breach Disclosure Laws Reduce Identity Theft? Sasha Romanosky, Rahul Telang, Alessandro Acquisti, Heinz School of Public Policy and Management, Carnegie Mellon University
Yahoo Search Blog: "Today, we're announcing the beta release of SearchScan, a new feature from Yahoo! Search that helps protect users from viruses, spyware and spam. We've heard from users that security and privacy continue to be major concerns when they are online. We've also learned that solutions that require downloads and constant updating are less than ideal. To tackle the problem, we partnered with McAfee to build a feature that provides a safer and hassle-free search experience to all users...How does it work? SearchScan leverages McAfee's SiteAdvisor technology to alert users if risky websites appear in Yahoo! Search results. Starting today, SearchScan will be turned on by default for all users in the U.S., Canada, UK, France, Italy, Germany, Australia, New Zealand, and Spain..."
The Inspectors General, Journal of Public Inquiry Fall/Winter 2007/08 (96 pages, PDF)
News release: "The Securities and Exchange Commission...took action to stop a sophisticated Internet scheme that stole the identities of unsuspecting individuals and netted more than $66,000 in illicit profits in just seven weeks. In a complaint filed in the U.S. District Court for the Eastern District of New York, the SEC alleged that one or more unknown traders conducted their entire online account intrusion scheme over the Internet and concealed their identities by, among other things, fraudulently opening brokerage accounts in the names of individuals who responded to a job advertisement on the Web site Craig’s List."
Inadequate Security Controls Over Routers and Switches Jeopardize Sensitive Taxpayer Information, March 26, 2008. Reference Number: 2008-20-071
News release: "According to the 2007 Internet Crime Report, the Internet Crime Complaint Center (IC3) received 206,884 complaints of crimes perpetrated over the Internet during 2007. Of the complaints received, more than 90,000 were referred to law enforcement around the nation, amounting to nearly $240 million in reported losses. This represents a $40 million increase in reported losses from complaints referred to law enforcement in 2006. All complaints received by IC3 are accessible to federal, state, and local law enforcement to support active investigations, trend analysis, and public outreach and awareness efforts."
News release: "The Federal Trade Commission has released three 60-second videos to help alert consumers to phishing scams. Phishing uses deceptive spam to trick consumers into divulging sensitive or personal information, including credit card numbers and other financial data, through an email or a link to a “copycat” site. The goal of the videos is to offer practical, useful, and memorable messages. The videos are the newest tool on OnGuardOnline.gov, the agency’s multimedia initiative to help consumers be on guard against Internet fraud, secure their computers, and protect their personal information. The award-winning site features tips, articles, how-to videos, interactive quizzes, and tutorials in English and Spanish. The new videos also will be featured on YouTube and on the FTC Web site here."
News release: "In the FTC’s action against data brokers Reed Elsevier (REI) and Seisint, the complaint alleges that REI - through its LexisNexis data broker business - and Seisint collect and store in databases information about millions of consumers, including names, current and prior addresses, dates of birth, drivers license numbers and Social Security numbers. They obtain information about consumers from credit reporting agencies and other sources, and sell products customers use online to find and retrieve the information from their databases. The companies relied on user IDs and passwords (or “user credentials”) to control customer access to consumer information in their databases."
U.S. Department of Energy, Office of Inspector General, Office of Audit Services, Audit Report, Management of the Department's Publicly Accessible Websites, March 2008.
Press release: "...AirTight® Networks, the global leader for wireless intrusion prevention systems...issued the findings from its study to assess information security risk exposure of laptop users at fourteen airports in the United States, Canada and Asia. The company set out to understand the risks to business travelers and their corporate networks of data leakage while those airline passengers are sending sensitive information using unsecured wireless access points while at the airports. It found surprising results, however, regarding the security posture of private Wi-Fi networks in these airports as well as the rapid spread of viral Wi-Fi networks.
One of the most surprising findings of this initial study was that some ticketing systems, baggage systems, shops and restaurants were using open or poorly secured wireless networks. Of the Wi-Fi networks detected by AirTight researchers, 77 percent were non-hotspot (i.e. private) networks and of those, 80 percent were unsecured or using legacy WEP encryption, a fatally flawed protocol. Based on detailed analysis of these access points, there is a high probability that some of these networks are used for critical airport logistics and operations. The consequences of this lack of security could result in disruption of baggage or passenger ticketing systems."
HSS Office of Inspector General Privacy Act of 1974; Revisions to OIG’s Privacy Act System of Records: Criminal Investigative Files, Federal Register, March 4, 2008.
Chris Hoofnagle, Measuring Identity Theft at Top Banks (Version 1.0) February 26, 2008. Berkeley Center for Law and Technology. Law and Technology Scholarship (Selected by the Berkeley Center for Law & Technology). Paper 44.
Data Breach Notification Laws, State By State, by Scott Berinato, "More than five years after California's seminal data breach disclosure law, SB 1386, was enacted, not all states have followed suit. Eleven states still have not passed laws mandating that companies notify consumers when that company has lost the consumer's personal data. One state, Oklahoma, does have a breach notification law, but it only applies to state entities that have lost data. That leaves 38 states that have enacted some sort of breach disclosure law. This map will help you sort them out."
"The Safer Internet plus programme aims to promote safer use of the Internet and new online technologies, particularly for children, and to fight against illegal content and content unwanted by the end-user, as part of a coherent approach by the European Union."
News release: "A bi-partisan group of Senators from the Commerce, Science and Transportation Committee led by U.S. Senators Olympia J. Snowe (R-Maine), Bill Nelson (D-Florida) and the Committee’s Ranking Member Ted Stevens (R-Alaska), introduced today bi-partisan legislation aimed at ending the deceptive practice known as phishing. The Anti-Phishing Consumer Protection Act of 2008 would prohibit phishing – the deceptive solicitation of a consumer’s personal information through the use of emails, instant messages, and misleading websites that trick recipients into divulging their information for the purpose of identity theft. The legislation would also prohibit related abuses, such as the practice of using fraudulent or misleading domain names, by defining them as deceptive practices under the FTC Act."
Lest We Remember: Cold Boot Attacks on Encryption Keys, J. Alex Haldermany, Seth D. Schoenz, Nadia Heningery, William Clarksony, William Paulx, Joseph A. Calandrinoy, Ariel J. Feldmany, Jacob Appelbaum, and Edward W. Felteny. Princeton University, Electronic Frontier Foundation, Wind River Systems. February 21, 2008.
"The FTC today released the list of top consumer fraud complaints received by the agency in 2007. The list, contained in the publication Consumer Fraud and Identity Theft Complaint Data January-December 2007, showed that for the seventh year in a row, identity theft is the number one consumer complaint category. Of 813,899 total complaints received in 2007, 258,427, or 32 percent, were related to identity theft.
The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and the 50 metropolitan areas reporting the highest incidence of identity theft.
The report states that credit card fraud was the most common form of reported identity theft at 23 percent, followed by utilities fraud at 18 percent, employment fraud at 14 percent, and bank fraud at 13 percent.
Consumers reported fraud losses totaling more than $1.2 billion; the median monetary loss per person was $349, the report states.
Educational Security Incidents (ESI) Year in Review - 2007: "By Adam Dodge - Posted on February 10, 2008: "The ESI Year in Review - 2007 examines all of the information security incidents occurring at colleges and universities around the world as reported in the news during 2007. 2007 marked a significant change for information security incidents reported in the news. Among the changes are an increase in both the number of incidents reported and the number of institutions reporting a breach as well as the addition to new categories such as incident type "Employee Fraud" and information type "Username and Password".
Press release: "In connection with the 5th Safer Internet Day1 on 12 February 2008, Eurostat, the Statistical Office of the European Communities, presents a selection of statistics concerning internet activities, security concerns and virus attacks. The Safer Internet Day is part of a global drive to promote a safer Internet for all users, in particular younger people, and is organised by Insafe, a European internet safety network co-funded by the European Commission...In the EU27 in 2007, nearly a quarter of internet users had had a computer virus in the preceding 12 months, which resulted in a loss of information or time. Virus attacks were most frequent in Lithuania (41% of users), Slovenia (35%) and Malta (34%) and least common in the Czech Republic (7%), Estonia (15%) and Sweden (16%)."
Press release: "The California State Senate passed a bill Friday that would allow prosecution for identity theft cases in the county where the victim resides. State Sen. Joe Simitian, D-Palo Alto, co-authored Senate Bill 612 and praised fellow senators Friday for voting 40-0 in favor of the legislation. Current law permits prosecution in the county where the theft occurred, or where the information was illegally used, even when both locations are hundreds of miles from the victim’s home, according to Simitian’s office." Simitian also sponsored Senate Bill 364, that passed by a vote of 30-7.
Use of Commercial Independent Risk Analysis Services Blanket Purchase Agreements (BPA) (February 4, 2008) (4 pages, PDF)
Federal Times: "The administration last week told agencies not to use federal employees’ Social Security numbers as primary identifiers for data processing purposes. The Office of Personnel Management said in a Jan. 18 notice that agencies must not print the numbers on paper or display on computer screens except in secure areas. And only employees whose official duties require access to the numbers can have access to them. Lastly, agencies can only collect employees’ Social Security numbers when an employee joins the agency for human resources and payroll purposes. OPM hopes the new rules will decrease the risk of identity theft."
Washington Post, Online Records May Aid ID Theft, Government Sites Post Personal Data, By Bill Brubaker: "Social Security numbers are readily available in many courthouses -- in land records and criminal and civil case files -- as well as on many government Web sites that serve up public documents with a few clicks of a mouse. From state to state, and even within states, there is little uniformity in how access to the private information in these records is controlled."
"Today, the Department of State released a final rule for the new "Passport Card," which is intended to be used by American citizens who frequently travel by land or sea to Canada, Mexico, the Caribbean, and Bermuda. The new rule calls for the use of "vicinity read" RFID technology without the use of encryption. This means the card will be able to be read remotely, at a long distance. CDT strongly objected to the use of this technology--developed for tracking inventory, not people--because it is inherently insecure and poses threats to personal privacy, including identity theft, location tracking by government and commercial entities outside the border control context, and other forms of mission creep."
Press release: "In a new report, the Federal Trade Commission staff describes findings from its July 2007 workshop, “Spam Summit: The Next Generation of Threats and Solutions” and proposes follow-up action steps that stakeholders can adopt to mitigate the harmful effects of malicious spam and phishing. In addition to proposing action steps for stakeholders, the report provides an overview of the agency’s decade-long role in protecting consumers from the threats of fraudulent spam and phishing. The report also announces results from staff’s 2007 Harvesting and Filtering Study, which suggest that Internet service providers’ spam filters continue to serve an integral role in reducing the amount of spam that reaches consumers’ in-boxes."
Ponemon 2007 Annual Study: U.S. Cost of a Data Breach - Understanding Financial Impact, Customer Turnover, and Preventitive Solutions: This study "was derived from a detailed analysis of 35 data breach incidents. According to the study, the cost per compromised customer record increased in 2007, compared to 2006. Lost business opportunity, including losses associated with customer churn and acquisition, represented the most significant component of the cost increase. Companies analyzed were from 16 different industries, including communications, consumer goods, education, entertainment, financial services, gaming, health care, hospitality, internet, manufacturing, marketing, media, retail, services, technology, and transportation."
Press release: "The Federal Trade Commission today told the House Judiciary Committee’s Subcommittee on Crime, Terrorism, and Homeland Security that identity theft remains one of the highest priorities for the Commission, and that the agency is playing a lead role in preventing identity theft and helping those who are victimized."
Press release: "As merchants get busier with holiday shopping, the Federal Trade Commission reminds them to be sure the credit and debit card receipts they give customers comply with federal law. To reduce the risk of fraud and identity theft, the electronically printed credit and debit card receipts given to consumers must not include more than the last five digits of the card number, and must not show the expiration date."
Press release: "The widespread use and availability of Social Security numbers puts Americans at risk for identity theft and should be restricted, according to Consumers Union, nonprofit publisher of Consumer Reports. The group urged policymakers to take action to protect consumers as part of a public forum on the issue organized by the Federal Trade Commission in conjunction with the President’s Identity Theft Task Force. Social Security numbers are particularly sensitive information because they can provide the key to unlocking a consumer’s financial identity... Jeannine Kenney, Senior Policy Analyst with Consumers Union...presented findings of a Consumer Reports National Research Center poll at the FTC forum showing that 89 percent of Americans want state and federal lawmakers to restrict the use and availability of Social Security numbers by businesses and government agencies. The poll also found that nearly all consumers want the right to freeze access to their credit files to prevent new account fraud. Currently 39 states and the District of Columbia give consumers the right to a security freeze and the three major credit bureaus have made the freeze available to consumers in the remaining states."
McAfee Virtual Criminology Report - Cybercrime: The Next Wave - The annual McAfee global cyber trends study into organized crime and the Internet in collaboration with leading international security experts, November 2007.
Press release: "The Federal Trade Commission today released a survey showing that 8.3 million American adults, or 3.7 percent of all American adults, were victims of identity theft in 2005. Of the victims, 3.2 million, or 1.4 percent of all adults, experienced misuse of their existing credit card accounts; 3.3 million, or 1.5 percent, experienced misuse of non-credit card accounts; and 1.8 million victims, or 0.8 percent, found that new accounts were opened or other frauds were committed using their personal identifying information."
"...the Identity Theft Resource Center (ITRC) has been tracking security breaches for the past three years, looking for patterns, new trends and any information that may help us better protect data and assist companies in their activities...In 2006, there were in excess of 315 publicized breaches affecting nearly 20 million individuals. Based on ITRC’s categorization, the breaches break down as follows: 29% government/military agencies; 28% from educational institutions; 22% from general businesses; 13% from health care facilities / companies; and 8% from banking / credit / financial services entities. In 2005, there were 158 incidents affecting more than 64.8 million people."
Identity Theft, 2005 released on November 7, 2007: "Presents data from the National Crime Victimization Survey (NCVS) on identity theft victimization and its consequences. This report presents the first full year of data available after new questions about identity theft were added to the survey in July 2004. Identity theft is defined in the report as credit card thefts, thefts from existing accounts, misuse of personal information, and multiple types at the same time. Based on interviews with a nationally representative sample of 40,000 household residents, the report describes age, race, and ethnicity of the household head; household income and composition; and location of the household. Characteristics of the theft presented include economic loss, how the theft was discovered, whether misuse is ongoing, and problems experienced as a result of the identity theft."
Press release: "Starting November 1, consumers in all 50 states will be able to freeze access to their credit files at all three major credit bureaus to prevent identity thieves from opening fraudulent accounts in their names. By that date, all three major credit bureaus will offer “security freeze” protection to all consumers living in the eleven states that have not passed laws requiring it and the five states that currently limit this protection to identity theft victims. To help consumers learn how to take advantage of this powerful identity theft safeguard, Consumers Union, the nonprofit publisher of Consumer Reports, is making available online an updated Guide to Security Freeze Protection."
Text of the Federal Register Notice [256 pages, PDF] - Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003: 16 C.F.R. Part 681 (Federal Trade Commission Rule): Joint Final Rules and Guidelines of the Office of the Comptroller of the Currency, Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Offfice of Thrift Supervision, Treasury; the National Credit Union Administration; and the Federal Trade Commission.
CDT: "As it seeks models to address the mounting issues surrounding online behavioral targeting, the Federal Trade Commission (FTC) should begin by applying the principles it developed to guide its anti-spyware enforcement efforts, CDT said today. In comments submitted to the FTC in advance of its upcoming "town hall" meeting on behavioral advertising, CDT pointed out that the FTC's principles -- which center around the core concept that consumers should have ultimate control over their computers -- are directly applicable to behavioral advertising. In addition to filing its own comments, CDT also joined with other public interest advocates in offering a list of important questions the FTC must address over the course of the two-day meeting."
Press release, October 16, 2007: "Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Ranking Member Arlen Specter (R-Pa.) today introduced the bipartisan Identity Theft Enforcement and Restitution Act of 2007 to give federal prosecutors important new tools to combat the growing problem of identity theft and cyber crime.
The Identity Theft Enforcement and Restitution Act of 2007 would:
Press release: "The FTC today told the Maryland Task Force on Identity Theft that public organizations, including federal, state, and local governments, “play a critical role in guarding against misuse and unauthorized disclosure of the personal information they collect and maintain.” Speaking before the Maryland Task Force to Study Identity Theft, Betsy Broder, Assistant Director of the FTC’s Division of Privacy and Identity Protection said, “To succeed in the battle against identity theft, federal, state and local governments, working together with the private sector, must make it more difficult for thieves to obtain the information they need to steal identities, make it more difficult to use that information if they do obtain it, and assist victims when thefts occur.”
Erickson, K., & Howard, P. (2007). A case of mistaken identity? News accounts of hacker, consumer, and organizational responsibility for compromised digital records. Journal of Computer-Mediated Communication, 12(4), article 5.
UK House of Lords, Science and Technology Committee, 5th Report of Session 2006-2007: Personal Internet Security, August 10, 2007 (121 pages, PDF)
But the Internet is now increasingly the playground of criminals. Where a decade ago the public perception of the e-criminal was of a lonely hacker searching for attention, today's "bad guys" belong to organised crime groups, are highly skilful, specialised, and focused on profit. They want to stay invisible, and so far they have largely succeeded. While the incidence and cost of e-crime are known to be huge, no accurate data exist.
Underpinning the success of the Internet is the confidence of hundreds of millions of individual users across the globe. But there is a growing perception, fuelled by media reports, that the Internet is insecure and unsafe. When this is set against the rate of change and innovation, and the difficulty of keeping pace with the latest technology, the risk to public confidence is clear.
The Government have insisted in evidence to this inquiry that the responsibility for personal Internet security ultimately rests with the individual. This is no longer realistic, and compounds the perception that the Internet is a lawless "wild west". It is clear to us that many organisations with a stake in the Internet could do more to promote personal Internet security: the manufacturers of hardware and software; retailers; Internet Service Providers; businesses, such as banks, that operate online; the police and the criminal justice system.
We believe as a general principle that well-targeted incentives are more likely to yield results in such a dynamic industry than formal regulation. However, if incentives are to be effective, they may in some cases need to be backed up by the possibility of direct regulation. Also, there are some areas, such as policing, where direct Government action is needed. So Government leadership across the board is required. Our recommendations urge the Government, through a flexible mix of incentives, regulation, and direct investment, to galvanise the key stakeholders.
The threat to the Internet is clear, but it is still manageable. Now is the time to act, both domestically, and internationally, through the European Union and through international organisations and partnerships.
"The risk associated with using the Internet remains high. Our State of the Net assesses the likelihood and impact of four leading online hazards, listed in order of incidence, based on the survey by the Consumer Reports National Research Center and our follow-up investigation."
Press release, July 19, 2007: "The Department of Justice today submitted to Congress new proposed legislation that seeks to update and improve current laws aimed at protecting Americans from the increasingly sophisticated crime of identity theft. The proposed bill, titled the Identity Theft Enforcement and Restitution Act of 2007, was a significant recommendation included in the final strategic plan from the President’s Task Force on Identity Theft released in April 2007. The strategic plan was the result of an unprecedented federal effort to formulate a comprehensive and fully coordinated plan to attack identity theft at all levels in the public and private sectors. Among other provisions, the proposed legislation seeks to ensure that victims of identity theft can recover the value of the time lost attempting to repair damage inflicted by identity theft. Under current law, restitution to victims from convicted thieves is available only for the direct financial costs of identity theft offenses."
Top 10 Risks Impeding the Adequate Protection of Government Information, Sponsored by the Office of Management and Budget and the Homeland Security Department as Directed by the Identity Theft Task Force, July 2007.
sfgate.com - ON THE RECORD: DEBORAH MAJORAS CHAIRWOMAN, FTC: "She shares her thoughts on what her agency can -- and cannot -- do on everything from mergers to fraud to privacy to gas prices to infomercials," Sunday, July 15, 2007
Press release: "Google Inc. announced today that it has signed a definitive agreement to acquire Postini, a global leader in on-demand communications security and compliance solutions serving more than 35,000 businesses and 10 million users worldwide. Postini's services -- which include message security, archiving, encryption, and policy enforcement -- can be used to protect a company's email, instant messaging, and other web-based communications. Under the terms of the agreement, Google will acquire Postini for $625 million in cash, subject to working capital and other adjustments, and Postini will become a wholly-owned subsidiary of Google. The agreement is subject to customary closing conditions and is expected to close by the end of the third quarter 2007."
Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown. GAO-07-737, June 4, 2007.
Toward a Safer and More Secure Cyberspace, Seymour E. Goodman and Herbert S. Lin, Editors, Committee on Improving Cybersecurity Research in the United States, National Research Council, 272 pages, pre-publication copy, 2007.
Press release: "Fidelity National Information Services, Inc. announced today that its subsidiary, Certegy Check Services, Inc., a service provider to U.S. retail merchants, based in St. Petersburg, Fla., was victimized by a former employee who misappropriated and sold consumer information to a data broker who, in turn, sold a subset of that data to a limited number of direct marketing organizations...The misappropriated information included names, addresses and telephone numbers as well as, in many cases, dates of birth and bank account or credit card information. Approximately 2.3 million records are believed to be at issue, with approximately 2.2 million containing bank account information and 99,000 containing credit card information. The company is still investigating the time period over which the misappropriations occurred."
Treasury Inspector General for Tax Administration. Progress Has Been Slow in Meeting Homeland Security Presidential Directive–12 Requirements, June 20, 2007. Reference Number: 2007-20-110
"This National Institute of Justice Special Report is intended as a resource for individuals responsible for investigations involving the use of the Internet and other computer networks. Any crime could involve devices that communicate through the Internet or through a network. Criminals may use the Internet for numerous reasons, including trading/sharing information (e.g., documents, photographs), concealing their identity, and gathering information on victims. The report is among a series of guides on investigating electronic crime."
Press release: "[June 13, 2007] the Department of Justice and FBI announced the results of an ongoing cyber crime initiative to disrupt and dismantle “botherders” and elevate the public’s cyber security awareness of botnets. OPERATION BOT ROAST is a national initiative and ongoing investigations have identified over 1 million victim computer IP addresses. The FBI is working with our industry partners, including the CERT Coordination Center at Carnegie Mellon University, to notify the victim owners of the computers. Through this process the FBI may uncover additional incidents in which botnets have been used to facilitate other criminal activity."
Press release: "Tens of thousands of consumers are unwitting accomplices of illegal spammers and at the mercy of identity thieves, warns the Federal Trade Commission. These consumers’ computers have been secretly hijacked by criminals who install spam-sending software and spyware on the computers when consumers open malicious e-mail attachments or visit a malicious Web site. After gaining access to consumers’ computers, the criminals can track consumers’ Internet surfing, steal personal information, and turn the computers into spam “zombies” that are part of a “botnet” made up of thousands of home computers through which spammers route spam. In a new consumer alert, Botnets and Hackers and Spam (Oh, My!), the FTC urges consumers to secure their personal information and stop assisting spammers."
"The anti-phishing research group at Indiana University, stop-phishing.com, is striving to understand, detect and prevent online fraud, and in particular, to reduce the economic viability of phishing attacks. We achieve this goal through a cross-disciplinary research agenda in which we consider all facets of the problem, ranging from psychological aspects and technology matters to legal issues and interface design considerations. We are attuned to needs and concerns within the financial sector, among privacy advocates, and of common users, and are dedicated to turning the tide."
Press release: "This Web site has been established to provide information about an Information Technology Security Incident in which a security breach in a computer application resulted in exposure of sensitive information belonging to current and former University of Virginia faculty members. A criminal investigation is being conducted by University of Virginia Police in consultation with the FBI and the University’s computing and audit professionals. The investigation has revealed that hackers tapped into the records of 5,735 faculty members."
Cooperation against Cybercrime: 11-12 June 2007, Palais de l’Europe, Strasbourg, France: "Societies worldwide rely on information and communication technologies. However, the increasing dependency on such technologies is accompanied by a growing vulnerability to criminal intrusion and misuse. In response to these challenges the Council of Europe adopted the Convention on Cybercrime (ETS 185) in 2001 and the Protocol on the Criminalisation of Acts of a Racist and Xenophobic Nature Committed through Computer Systems (ETS 189) in 2003."
The State of Search Engine Safety, June 4, 2007 - Ben Edelman, Advisor to McAfee SiteAdvisor and Hannah Rosenbaum - Research Analyst, McAfee SiteAdvisor
Press release, May 31, 2007: Attorney General Richard Blumenthal, with attorneys general from 43 other states, announced a settlement today with ChoicePoint for allegedly failing to adequately protect consumers' personally identifiable information, resulting in a massive security breach. The Atlanta-based ChoicePoint, which collects and maintains personally identifiable information on consumers, provides identification and credential verification services to businesses, government and non-profit organizations. In February 2005, ChoicePoint announced that criminals posing as legitimate businesses accessed consumers' personally identifiable information. The company notified more than 145,000 consumers nationwide whose information may have been compromised - including nearly 6,000 from Connecticut. Under today's settlement, ChoicePoint has agreed to adopt significantly stronger security measures. Those measures include written certification and, in some cases, on-site visits by ChoicePoint to ensure the legitimacy of companies before they are allowed access to personally identifiable information. ChoicePoint will also conduct periodic audits to ensure that companies are using consumer data for legitimate purposes."
Prepared Statement of the Federal Trade Commission On Public Entities, Personal Information, and Identity Theft, Presented by Betsy Broder, Assistant Director, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Before the Ohio Privacy and Public Records Access Study Committee of the Ohio Senate and House of Representatives, May 31, 2007.
Press release: "...a recent TriCipher Consumer Online Banking Study, conducted by Javelin Strategy and Research, reveals that consumers would take advantage of more online banking services if banks provided stronger identity protection. The TriCipher Consumer Online Banking Study included 3,349 respondents from a random-sample panel that was representative of the U.S. population. Surprising findings uncovered that nearly 1 in 5 - estimated at 26 million - adult consumers have been victims of identity theft or fraud in their lives. And, according to survey results, over 88 million online banking customers would switch banks, or reduce online banking usage, if news reports exposed their individual institution as compromised."
Clay Johnson III, Deputy Director for Management, Office of Management and Budget: M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007 (22 pages, PDF)
FinancialPrivacyNow.org: "Identity theft is one of the fastest growing financial crimes. Nearly 10 million Americans fall victim each year. The Identity Theft Resource Center reported in 2005, on average, an ID theft victim of new account and other fraud spent 60 hours resolving problems brought on by ID theft, those victims of existing accounts spent an average of 15 hours resolving problems. A 2003 Federal Trade Commission study found that identity theft also costs U.S. businesses nearly $48 billion annually, and consumers an additional $5 billion per year. A security freeze lets consumers stop thieves from getting credit in their names. A security freeze locks, or freezes, access to the consumer credit report and credit score. Without this information, a business will not issue new credit to a thief. When the consumer wants to get new credit, he or she uses a PIN to unlock access to the credit file. These states [included at this link] give consumers this important weapon to prevent identity theft. (updated 5/8/07)"
Follow up to May 5, 2007 posting, Missing TSA Hard Drive Has Data on 100,000 Employees, this additional update from the TSA: "Today the Transportation Security Administration (TSA) announced a benefit package to provide employees and former employees affected by the data security incident with free credit monitoring for up-to one year. In addition to credit monitoring, the package includes ID theft insurance up to $25,000, fraud alerts and identity restoration specialists who will complete paperwork and assist employees in the event they are a victim of identity theft. Current and former employees can register via phone, mail or online through a secure web site. More information is available at www.tsa.gov, including a list of frequently asked questions."
Press release: "Today, the House Judiciary Committee approved four crime bills and sent them to the House floor for consideration. The bills were: HR 1700, the "COPS Improvement Act of 2007;" HR 916, the "John R. Justice Prosecutors and Defenders Incentive Act of 2007;" HR 1525, the "Internet Spyware Prevention Act of 2007;" and, HR 1615, the "Securing Aircraft Cockpits Against Lasers Act."
Press release: "Attorney General Alberto R. Gonzales and Federal Trade Commission Chairman Deborah Platt Majoras today announced the completion of the President’s Identity Theft Task Force strategic plan to combat identity theft. The strategic plan is the result of an unprecedented federal effort to formulate a comprehensive and fully coordinated plan to attack this widespread and destructive crime. The plan focuses on ways to improve the effectiveness of criminal prosecutions of identity theft; enhance data protection for sensitive consumer information maintained by the public sector, private sector, and consumers; provide more comprehensive and effective guidance for consumers and the business community; and improve recovery and assistance for consumers."
Combating Identity Theft: A Strategic Plan, Final recommendations released April 23, 2007
Press release: "UK consumers are not as risk-averse when it comes to using online services as previously thought, according to recent research conducted by BT. Despite daily warnings about security threats and cyber-criminals, people are willing to take risks online, as long as they feel informed, and it is clear how consequences will be addressed. According to the findings from the Trustguide report, which was a collaborative research project by BT with support from the DTI, people use specific online services not because they trust them, but because they believe the benefits outweigh the risks. Government and private industry must therefore take responsibility for educating and reassuring the public that safeguards are in place, if they are to succeed with e-Government and e-Commerce initiatives..Based on the research, the Trustguide report outlines a set of guidelines to inform policy making and service development for ICT delivered services. In addition to enabling better-informed decision-making through education, and advising users of restitution and guarantee measures should something go wrong, the report highlights the need for greater honesty and transparency of data usage by service providers.
Anti-Phishing Working Group (APWG), Phishing Activity Trends for February 2007 (8 pages, PDF)
Tech//404® Data Loss Cost Calculator: "Data loss resulting from network security breaches and identity theft has become a regular occurrence. While the number of affected records can vary widely in any given data loss scenario, a recent study by the Ponemon Institute found that the average number was roughly 99,000. For recent examples and media reports, visit the data loss archive. Darwin created the Tech//404® data loss cost calculator as a tool to demonstrate the scope of negative financial impact an organization may face as a result of a data breach or identity theft data loss scenario. The calculator will automatically generate an average cost, and a plus/minus 20% range, for expenses associated with internal investigation, notification/crisis management and regulatory/compliance if the incident were to give rise to a class action claim."
According to a press release from the Georgia Department of Community Health, contractor Affiliated Computer Services confirmed on April 9, 2007 the loss of a CD containing the personal data of state Medicaid and PeachCare for Kids(TM) members. The data included full names, complete addresses, social security numbers, member ID numbers, and eligibility dates for 2.9 million individuals (as reported by AP).
Treasury Inspector General for Tax Administration - Internal Revenue Service Is Not Adequately Protecting Taxpayer Data on Laptop Computers and Other Portable Electronic Media Devices. March 23, 2007. Reference Number 2007-20-048.
Press release: "The Federal Communications Commission has strengthened its privacy rules by requiring telephone and wireless carriers to adopt additional safeguards to protect the personal telephone records of consumers from unauthorized disclosure. These new safeguards will help prevent unauthorized access to customer proprietary network information, or CPNI."
"CIPPIC has issued the first batch of a series of working papers on identity theft. The papers released today include Introduction and Background, Techniques of Identity Theft, and Legislative Approaches to Identity Theft (all PDF). Additional papers examining identity theft caselaw, law enforcement, and policy approaches, as well as a Bibliography on identity theft, will be forthcoming. These working papers reflect research conducted during 2006 with funding from the Ontario Research Network for Electronic Commerce (ORNEC)."
Press release: "Former 9/11 Commission counsel Janice Kephart announces the launch of an online Identity Document Security Library, consisting of legal, technical and policy pieces regarding identity document security. Kephart, a nationally recognized border security expert, created the library to serve as a 'one-stop-shop' information portal for those seeking objective, credible information on the issue of identity document security...The issue of identity, and information about identity, underlies the 9/11 Commission's border work, whose recommendations included the creation of minimum standards for state-issued driver licenses and IDs. Kephart's recently issued white paper, Identity and Security: Moving Beyond the 9/11 Staff Report on Identity Document Security, maintains that securing identities and identity documents is perhaps the single most effective measure the United States can take to lay a foundation for national and economic security and public safety."
Press release: "The Commission has approved the publication of a Federal Register notice regarding a proposed amendment to the FTC’s existing routine uses of agency systems of records subject to the Privacy Act of 1974. As detailed in the notice, which will be published soon and can be found now on the FTC’s Web site and as a link to this press release, the amendment is necessary to implement data breach guidance issued by the U.S. Office of Management and Budget (OMB) and the President’s Identity Theft Task Force. The guidance is intended to ensure that federal agencies have legal and administrative procedures in place to respond and remedy or prevent harm to individual privacy in the case of an agency breach of personal data.">Press release: "The Commission has approved the publication of a Federal Register notice regarding a proposed amendment to the FTC’s existing routine uses of agency systems of records subject to the Privacy Act of 1974. As detailed in the notice, which will be published soon and can be found now on the FTC’s Web site and as a link to this press release, the amendment is necessary to implement data breach guidance issued by the U.S. Office of Management and Budget (OMB) and the President’s Identity Theft Task Force. The guidance is intended to ensure that federal agencies have legal and administrative procedures in place to respond and remedy or prevent harm to individual privacy in the case of an agency breach of personal data. The Commission vote authorizing the publication of the notice in the Federal Register was 5-0. (File No. P072104; the staff contact is Alex Tang, Office of the General Counsel, 202-326-2447.)"
"The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a six-month period. It covers Internet attacks, vulnerabilities, malicious code, phishing, spam and security risks as well as future trends. The eleventh version of the report, released March 19, 2007, is now available."
Press release: "The Federal Trade Commission today told the Senate Judiciary Committee Subcommittee on Terrorism, Technology, and Homeland Security that “the government and the private sector must continue to work together to reduce the opportunities for thieves to obtain consumers’ personal information and make it more difficult for thieves to misuse that information if they obtain it.” Lydia Parnes, Director of the FTC’s Bureau of Consumer Protection, said government and the business community should evaluate whether they need to collect and maintain the data they have about consumers, better-protect the data that they do possess, and develop better ways to authenticate customers to keep identity thieves from using the information they steal."
Press release: "If Assistant Professor of Communication at the University of Washington Phil Howard's calculations prove true, by year's end the 2 billionth personal record -- some American's social-security or credit-card number, academic grades or medical history -- will become compromised, and it's corporate America, not rogue hackers, who are primarily to blame. By his reckoning, electronic records in the United States are bleeding at the rate of 6 million a month in 2007, up some 200,000 a month from last year."
Press release: "The arm of the FBI that investigates financial crimes ranging from underground pyramid schemes to institutionalized fraud in the nation’s corporate suites has issued its annual report detailing the most prevalent types of schemes investigators tackled in 2006. The Financial Crimes Report to the Public is prepared each year by the Financial Crimes Section of the FBI's Criminal Investigative Division. The report, which covers a 12-month period ending September 30, 2006, explains in detail dozens of fraud schemes, tallies FBI accomplishments combating the crimes, and offers tips the public can use to protect itself."
"On April 23 and 24, 2007, the Federal Trade Commission will host a public workshop, Proof Positive: New Directions in ID Authentication, to explore methods to reduce identity theft through enhanced authentication. The workshop will facilitate a discussion among public-sector, private-sector, and consumer representatives, and will focus on technological and policy requirements for developing better authentication processes, including the incorporation of privacy standards and consideration of consumer usability issues."
Findings from a new study by ID Analytics, reported by ComputerWeek, indicate that "....the riskiest states for ID theft are New York, California, Nevada and Arizona, while the safest ones are Wyoming, Vermont, Montana and North Dakota. The riskiest 5-digit zip codes for ID theft -- after Floral Park and Faulkton -- are Old Bethpage, N.Y., New York City and Manhasset, N.Y."
Declan McCullagh reported last week on the reintroduction of numerous antispyware and ID theft bills, many of which reflect the same language as previous versions of related legislation. The article has links to major bills as well as respective legislative background.
Press release: "The Federal Trade Commission today issued its annual report, “Consumer Fraud and Identity Theft Complaint Data” on complaints consumers have filed with the agency. For the seventh year in a row, identity theft tops the list, accounting for 36 percent of the 674,354 complaints received between January 1 and December 31, 2006. Other categories near the top of the complaint list include shop-at-home/catalog sales; prizes, sweepstakes and lotteries; Internet services and computer complaints; and Internet auction fraud."
Inspection Letter Report, Alleged Loss or Theft of Personally Identifiable Information at Pantex, February 2, 2007.
The Emperor's New Security Indicators, An evaluation of website authentication and the effect of role playing on usability studies, working draft released February 4, 2007. Authors: Stuart E. Schechter (MIT), Rachna Dhamija (Harvard), Andy Ozmet (MIT), Ian Fischer (Harvard).
"This National Institute of Justice Special Report is intended as a resource for individuals responsible for investigations involving the use of the Internet and other computer networks. Any crime could involve devices that communicate through the Internet or through a network. Criminals may use the Internet for numerous reasons, including trading/sharing information (e.g., documents, photographs), concealing their identity, and gathering information on victims."
Press release: "The FBI in Los Angeles announced it opened an investigation to determine who hacked into a restricted database at the University of California at Los Angeles (UCLA) that held the names and personal information of some 800,000 students, faculty, and alumni. Anyone who thought they had been further victimized as a result of the breach was encouraged to contact the Internet Crime Complaint Center (IC3)."
Press release: "U.S. Senator Dianne Feinstein (D-Calif.) today reintroduced two bills [Notification of Risk to Personal Data Act and the Social Security Number Misuse Prevention Act] aimed at protecting individuals from identity theft by requiring businesses to notify consumers in the event of a security breach and prohibiting the sale or display of an individual’s Social Security number without his or her consent. Senator Feinstein said that the increased frequency of data breaches demonstrates that the legislation is needed sooner rather than later. Major data breaches have occurred in recent months at Boeing, UCLA, the Colorado Department of Human Services, Starbucks, the Chicago Voters' Database, and Akron Children's Hospital."
Press release, January 4, 2007: "Cisco today announced a definitive agreement to acquire the privately held company, IronPort Systems, Inc. of San Bruno, Calif. IronPort is a leading provider of messaging security appliances, focusing on enterprise spam and spyware protection."
Press release: "The Federal Identity Theft Task Force, chaired by Attorney General Alberto R. Gonzales and co-chaired by Federal Trade Commission Chairman Deborah Platt Majoras, is seeking public comment on ways to improve the effectiveness and efficiency of federal government efforts to reduce identity theft. The public comments on these issues will supplement the research and analysis being conducted, provide further information about the proposals being considered, and identify areas where additional recommendations may be warranted. The Task Force was established by an Executive Order 13402 on May 10, 2006."
Press release: "Attorney General Kelly Ayotte announced today that if you live in New Hampshire, effective January 1, 2007 you will have the right to put a "security freeze" on your credit file. A security freeze means that your file cannot be shared with potential creditors. A security freeze can help prevent identity theft. Most businesses will not open credit accounts without first checking a consumer's credit history. If your credit files are frozen, even someone who has your name and Social Security number would probably not be able to get credit in your name. The security freeze legislation passed in the 2006 legislative session....A security freeze fact sheet, including step by step instructions on how to place a security freeze, is available here."
Press release: Among the predicitions, is the following - "Blogging and community contributors will peak in the first half of 2007. Given the trend in the average life span of a blogger and the current growth rate of blogs, there are already more than 200 million ex-bloggers. Consequently, the peak number of bloggers will be around 100 million at some point in the first half of 2007."
Telephone Records and Privacy Protection Act bill [H.R. 4709] passed in the Senate by Unanimous Consent on December 8, 2006 - To amend title 18, United States Code, to strengthen protections for law enforcement officers and the public by providing criminal penalties for the fraudulent acquisition or unauthorized disclosure of phone records.
Press release: "Today, the Federal Trade Commission mailed claims forms for reimbursement to more than 1,400 identity theft victims who experienced out-of-pocket expenses due to alleged security lapses at data broker ChoicePoint Inc. These victims, who were identified with the assistance of law enforcement, should receive the claims form with instructions on how to file a claim. The FTC also has created a website – where consumers who do not receive a letter can download a claims form and obtain information about the claims process...The FTC and ChoicePoint reached a settlement requiring the company, among other things, to pay $5 million to be used to reimburse consumers for expenses due to identity theft caused by ChoicePoint's security breach. A press release explaining the settlement can be found here."
Press release: "The Commission today called on all regulatory authorities and stakeholders in Europe to step up the fight against spam, spyware and malicious software. Despite existing EU legislation to outlaw spam in Europe, Europe continues to suffer from illegal online activities from inside the EU and from third countries, the Commission underlines in a new Communication. The Communication stresses that although internet safety is on the political agenda for some time, national authorities should step up their actions to prosecute illegal online activities."
Status Report on OIG Data Security via the Data Security Portal: "Our November 21, 2006, status report notes several important developments, including the fact that as a result of our investigation in cooperation with the Federal Bureau of Investigation and the Miami-Dade County Police Department, two individuals have been arrested for their alleged roles in a small Miami-area laptop theft ring. While the OIG's laptops have not been recovered, there has been no credit fraud resulting from the laptop thefts and we believe that the risk of credit fraud in the future is very low. A firm hired to perform data breach analysis has failed to find any misuse of information on the laptops, and will continue to analyze the information..."
Press release: "Symantec Corp...announced the opening of the Symantec Phish Report Network to consumers worldwide. As one of the world's leading antifraud communities, the Symantec Phish Report Network, launched in May 2006, allows member companies to contribute and receive fraudulent Web site addresses that they can use in their antiphishing solutions to help protect users from online fraud. Consumer input further helps the Symantec Phish Report Network's fight against online fraud and will aid in preventing other computers users from becoming victims."
Follow up to previous postings on ChoicePoint and data breaches, today's New York Times article, Keeping Your Enemies Close, provides a chronology of how the company has made inroads in rehabilitating its reputation.
Will Knight at New Scientist reports the research by Professor Markus Jakobsson and grad student Jacob Ratkiewicz, Indiana University, indicates "...one in 10 internet users may be lured into handing over sensitive personal information such as a credit card number, by fraudulent "phishing" emails..." and "that some survey participants may not have realised that they have been stung by a phishing scam, or may simply be too embarrassed to admit to it."
Effective November 1, 2006, New York states law "provides consumers may elect to place security freezes on consumer credit
reports by making such request to consumer reporting agencies [TransUnion, Equifax and Experian]."
"The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a six-month period. It covers Internet attacks, vulnerabilities, malicious code, phishing, spam, security risks, and future trends. The tenth version of the report, released September 25, is now available."
Press release: "In a report released today, Reps. Davis and Waxman summarize information provided to the Committee by 19 federal departments and agencies regarding the loss or compromise of personal information since January 2003. The report finds that every agency has experienced at least one such breach and that the agencies do not always know what information has been lost or how many individuals could be affected."
Press release, October 4, 2006: "As information security concerns among consumers and other customer constituencies rise, just 29 percent of marketers say that their firm has a crisis containment plan in case of a security breach, according to findings of a major research initiative by the Chief Marketing Officer (CMO) Council. Without such a plan and other security strategies in place, companies are at risk of losing hundreds of million of dollars in market value and loss of reputation and brand trust, according to the study's findings."
Press release: "The Metropolitan Police Computer Crime Unit is investigating data recovered from a computer in the United States that was found to contain personal information from hacked computers located in the United Kingdom. We believe the data has been stolen by the use of a computer virus and it is believed more than 2,300 compromised computers in the UK consisting of 83,000 files have been targeted."
Press release: "The Federal Trade Commission today told the House Committee on Energy and Commerce Subcommittee on Oversight and Investigations that protecting the privacy of consumers' telephone records requires a multi-faceted approach. Joel Winston, Associate Director of FTC's Division of Privacy and Identity Protection, said that coordinated law enforcement efforts targeting pretexters, steps by telephone carriers to protect their records from intrusion, and educating consumers about actions they can take to protect their records, will help safeguard consumers' telephone records."
Press release: "Congressman Barney Frank yesterday wrote to the Chairman of the Federal Trade Commission (FTC) and representatives of the credit reporting industry asking that they look into the numerous complaints from consumers about access to credit reports and fraud alerts." [text of letter is included in this release]
Follow-up to September 19, 2006 posting, President's Identity Theft Task Force Announces Interim Recommendations, today OMB issued a memorandum of Recommendations for Identity Theft Related Data Breach Notification, from Clay Johnson, Deputy Director for Management.
FTC press release: "The President’s Identity Theft Task Force has adopted interim recommendations on measures that can be implemented immediately to help address the problem of identity theft, Attorney General Alberto R. Gonzales and Federal Trade Commission Chairman Deborah Platt Majoras announced today."
FTC press release: "An operation that placed spyware on consumers' computers in violation of federal laws will give up more than $2 million to settle Federal Trade Commission charges. Under a stipulated final judgment and order, the defendants are permanently prohibited from interfering with a consumer's computer use, including but not limited to distributing software code that tracks consumers' Internet activity or collects other personal information, changes their preferred homepage or other browser settings, inserts new advertising toolbars or other frames onto their browsers, installs dialer programs, inserts advertising hyperlinks into third-party Web pages, or installs other advertising software code, file, or content on consumers' computers."
Press release: Carnegie Mellon CyLab researchers create new system to address phishing fraud [ZDNet]
From the Antiphishing Working Group, the June Phishing Activity Trends Report.
Follow up to August 9, 2006 posting, AOL Data Breach Causes Privacy Group to File Complaint With FTC, news today "the Electronic Frontier Foundation (EFF)...asked the Federal Trade Commission (FTC) to investigate America Online (AOL) and require changes in its privacy practices, after the company recently released search history logs that exposed the private lives of more than a half-million of its customers." A copy of the EFF complaint (11 pages, PDF).
Industry, Government Fret Over Tactics for Fighting Data Theft, by Marcia Coyle, The National Law Journal, August 10, 2006.
StopBadware.org Blog: "We're entering a new phase here at StopBadware.org. Google—which is one of our partners—will present people with a warning before they visit websites that have been reported to StopBadware.org as sites that distribute badware. These warnings currently link to a general page on StopBadware.org, but as we finish researching sites, we'll replace the general page with one of our individual website reports (see an example here). Hopefully this next step will bring us that much closer to fulfilling our mission of providing people with reliable, objective information about downloadable applications in order to help them make better choices."
Press release: "Senator Olympia J. Snowe (R-ME), Chair of the Senate Committee on Small Business and Entrepreneurship, today introduced the "Small Business Information Security Act of 2006," (S. 3786) legislation that will create the "Small Business Information Security Task Force" within the Small Business Administration to help small businesses both understand the information security challenges they face and identify resources to help meet those challenges."
Into the Breach: Security Breaches and Identity Theft/Research Report
July 2006 — "Security breaches of data files can lead to identity theft. In this AARP Public Policy Institute Data Digest, Neal Walters analyzes 244 breaches between January 1, 2005 and May 26, 2006, and finds that 40 percent were caused by hackers or insider access targeting sensitive personal information, potentially exposing 50 million individuals’ names and personal data."
GSA press release: "The U.S. General Services Administration’s (GSA) Office of Citizens Services & Communications is warning the public to avoid falling victim to a recent e-mail scheme that targets users by sending unsolicited e-mails allegedly from FirstGov, the citizen portal operated by GSA. These scam e-mails tell recipients that because of recent fraudulent activities on Money Access Online they need to confirm their account has not been stolen or hacked. The e-mails then direct recipients to click on a link and enter information related to personal credit card accounts."
EPIC: "A data breach notification bill [H.R. 3997] backed by the House Financial Services Committee drew criticisms from state law enforcement officials and a coalition of consumer groups, who said that existing state laws are more effective at protecting consumers. In a letter to House leadership signed by 48 state attorneys general, the National Association of Attorneys General stated that an effective data breach law should preserve strong consumer protections and allow states to enforce data breach laws. Consumer groups said that the Financial Data Protection Act "does nothing positive for consumers and rolls back existing state consumer protection laws."
Treasury Inspecter General for Tax Administration - Increased Managerial Attention Is Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized Employee Accesses, July 24, 2006. Reference Number: 2006-20-111.
AP reports that "[t]he names, addresses and Social Security numbers of as many as 540,000 injured workers [in New York] have been lost, and the state and a contracted company are trying to protect the workers from identity theft."
Matwyshyn, Andrea M., "Technoconsen(t)sus" (May 2006). Posted July 19, 2006 [Link to download]
Press release: "According to MarkMonitor's AntiFraud Operations Center™ (AFOC), domain-based phishing attacks now represent 73 percent of all attacks, up from 35 percent just 18 months ago." Related reference in this press release to an academic paper titled, Why Phishing Works.
FTC press release: "The federal financial institution regulatory agencies and the Federal Trade Commission are soliciting comments on a Notice of Proposed Rulemaking (NPRM) concerning identity theft “red flags” and address discrepancies. The NPRM, which has been reviewed and approved by each of the listed agencies, implements sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003. The regulations that the agencies are jointly proposing would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts."
Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans, Rpt. #06-02238-163, July 11, 2006 (78 pages, PDF)
In the wake of the steady stream of news (the latest at this time is here) about stolen laptops and data breaches impacting state and federal government agencies and personnel, as well as corporations large and small, this AP article raises an important question: "...Why is so much private data allowed to be on laptops to begin with?"
Press release: "CA today announced a new security survey of 642 large North American organizations which shows that more than 84% experienced a security incident over the past 12 months and that the number of breaches continues to rise. According to the findings, security breaches have increased 17% since 2003. As a result, 54% of organizations reported lost workforce productivity; 25% reported public embarrassment, loss of trust/confidence and damage to reputation; and 20% reported losses in revenue, customers or other tangible assets. Of the organizations which experienced a security breach, 38% suffered an internal breach of security."
New York Times: Identity Thief Finds Easy Money Hard to Resist
From the Privacy Rights Clearinghouse, A Chronology of Data Breaches Reported Since the ChoicePoint Incident, updated June 30, 2006. Breaches reported in June 2006 include the Nebraska Treasurer's Office and the Minnesota Dept. of Revenue.
Federal Times: "In a few months, the 3.6 million participants in the Thrift Savings Plan will begin using account numbers instead of Social Security numbers to access their retirement accounts. TSP administrators are switching to randomly generated account numbers to enhance security and protect participants' Social Security numbers from being stolen, said Mark Hagerty, director of automated systems at the Federal Retirement Thrift Investment Board, which oversees the TSP."
"Utica College's Center for Identity Management and Information Protection is a research collaborative dedicated to furthering a national research agenda on identity management, information sharing, and data protection. Founded in June 2006, its ultimate goal is to impact policy, regulation, and legislation, working toward a more secure homeland."
Press release: "CDT's report charts the important cases against spyware distributors and identifies the statutes applied, June 26, 2006."
Press release: "Sen. Bob Bennett (R-Utah) and Sen. Tom Carper (D-DE), members of the Senate Banking Committee, today introduced legislation to help protect individuals and businesses from the rampant crimes of identity theft and account fraud...The new bill requires that all entities – such as financial institutions, universities, retailers and federal agencies –safeguard sensitive information, investigate security breaches and notify consumers when there’s a substantial risk of identity theft or account fraud. That means retailers that take credit card information are now covered; data brokers who compile private information are covered; and government agencies that possess nonpublic personal information are also covered."
AP reported that a hacker obtained personal data on over 25,000 Agriculture Department employees.
The Consumer Privacy Legislative Forum (whose members include Google, Microsoft, Oracle, EBay Inc., Hewlett-Packard Co., Intel Corp., Sun Microsystems Inc. and Symantec Corp.) issued a statement supporting "a serious process to consider comprehensive harmonized federal privacy legislation to create a simplified, uniform but flexible legal framework."
Following up on previous postings on the VA data breach, today the GAO issued yet another related report - Information Security: Leadership Needed to Address Weaknesses and Privacy Issues at Veterans Affairs, Full text GAO-06-897T, and Highlights, June 20, 2006.
Yet another report today about the theft of a laptop from the home of a government employee, this time involving info on D.C. government personnel. The issue of why so many institutions have not implemented proper security measures, such as encryption on digital media removed from the office, remains baffling.
Press release: "In a major policy address on the challenges of privacy in our increasingly data driven world, Senator Hillary Rodham Clinton called for a comprehensive privacy agenda: a Privacy Bill of Rights that secures the interests of consumers; stronger, better enforced protection for medical privacy and a new national security consensus setting out clear rules to allow the government to use new intelligence techniques and make sure the public knows its rights and limits. Senator Clinton announced that she will introduce legislation to enact this Bill of Rights, the Privacy Rights and Oversight for Electronic and Commercial Transactions Act of 2006, the PROTECT Act."
Follow-up to recent postings VA ID theft and the continuous reports on government and corporate enterprise data breaches, see this Gartner press release: Gartner Says Rash of Personal Data Thefts Shows Social Security Numbers Can No Longer Be Sole Proof of Identity for Enterprises.
Related to previous postings on the recent breach of Veterans' data that was the focus of press and Congressional scrutiny, from GAO today, this report - Veterans Affairs: Leadership Needed to Address Information Security Weaknesses and Privacy Issues, full-text GAO-06-866T, and Highlights, June 14, 2006. From the report: "For many years, significant concerns have been raised about VA's information security--particularly its lack of a robust information security program, which is vital to avoiding the compromise of government information, including sensitive personal information. Both GAO and the department's inspector general have reported recurring weaknesses in such areas as access controls, physical security, and segregation of incompatible duties."
Related government documents:
Press release, June 9, 2006: "Governor George E. Pataki today signed three bills [Security Freeze Law, Disposal of Personal Records Law, Anti-Phishing Act of 2006] that will further protect New York's consumers and their privacy. These bills will allow consumers to proactively defend themselves against identity thieves, require businesses to properly discard documents and records containing personal information, and prohibit individuals from deceptively soliciting sensitive information from Internet users. They will also help prohibit the potential repercussions that many identity theft victims encounter, including the denial of loan applications, false arrest, and criminal records."
Government Reform Committee Oversight Hearing, "Once More Into the Data Breach: The Security of Personal Information at Federal Agencies," June 8, 2006. "The data loss at VA is the largest by a federal agency to date, and the latest in a long string of personal information breaches in the public and private sectors, including financial institutions, data broker companies, and academic institutions."
Indiana House House Bill 1101 (HB 1101) which takes effect July 1, will "require disclosure of security breaches and encryption of data by companies holding customers' and clients' personal identification information in computer databases if it could cause identity theft, identity deception, or fraud."
Follow-up to postings on breach of veterans data, this press release from Sen. Patrick Leahy comments on the announcement that "the Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel – including nearly 80 percent of our active-duty force -- were among the data the VA has lost."
Press release, May 31, 2006: "Gov. Lynch today signed Senate Bill 334, which will allows victims of identity theft to ask their credit reporting agency for a "credit freeze." Once they do, their credit reports cannot be forwarded without their consent or involvement, which will help prevent identity thieves from using people's good credit against them. A credit freeze will also prevent criminals from being able to open new lines of credit in their victims' names...The law goes into effect on Jan. 1, 2007."
Another follow-up to postings and resources for veterans impacted by recent data breach: "The FTC is advising veterans and their families to keep a close hold on their credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive personal information. One technique scammers use to get this information is phishing: they send an e-mail that appears to be from a well-known company, asking recipients to verify their personal information and luring them to a Web site that looks genuine, but is bogus. Scammers can lie on the telephone, as well, to get personal information." [Link]
Follow-up to postings and resources for veterans impacted by recent data breach, this press release (includes text of letter to HHS): "Thirty organizations participating in the Consumer Coalition for Health Privacy yesterday asked U.S. Department of Health and Human Services Secretary Mike Leavitt to undertake a compliance review of the U.S. Department of Veterans Affairs pursuant to the authority granted him by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Medical diagnostic codes and disability rating information about an undisclosed number of disabled veterans were stolen last month from the home of a VA employee along with 26.5 million veterans' names, birth dates and Social Security numbers."
Press release: "A new cyber security study released today highlights the difference between perception and reality of consumers' awareness of online scams and their actual online behavior. While 87 percent of consumers polled said they were confident they could recognize fraudulent e-mails, 61 percent failed to identify a legitimate e-mail. Most respondents categorized all e-mails in the study as fake, even though one of them was legitimate. The Online Fraud Report has been sponsored by the National Cyber Security Alliance (NCSA), a central clearinghouse for cyber security awareness and education for home users, small businesses and the education community, and Bank of America."
According to the New York Times, Arizona's rapid population growth combined with a "heavy traffic in methamphetamine" are signficant factors in the state's ranking at the top of the list for ID theft complaints recorded by the FTC.
Follow-up to recent postings, Theft of Data on Over 25 Million Veterans Renews Calls for Greater Security and VA Launches Website and Call Center After Theft of Personal Data, from the Privacy Rights Clearinghouse: The VA's Data Breach – Tips for Veterans and Action You Can Take under Federal Law
The CCH Payroll Management Guide reports "Maryland employers, including the State, counties, and municipal corporations, may no longer print an employee's Social Security number on wage payment checks."
"In recognition of National Internet Safety Month (June 2006), National Criminal Justice Reference Service presents this compilation of Internet safety resources."
Follow-up to the latest extensive incident of ID theft involving government records and citizen personal data, see this OMB Memoranda M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006.
Related government documents and news:
NIST's National Vulnerability Database: Search for Vulnerabilities - Enter vendor, software, or keyword.
Follow-up to posting yesterday, Theft of Data on Over 25 Million Veterans Renews Calls for Greater Security, this news from the government today: "Over the weekend following the recent theft of 26.5 million veterans' records, the Department of Veterans Affairs (VA) quickly put in place a call center and website to answer questions about the implications of the theft and the steps veterans can take to protect themselves from misuse of their personal information. The call center, at 1-800-FEDINFO, operates from 8:00 a.m. to 9:00 p.m. (EDT) Monday to Saturday. It can handle up to 260,000 toll-free calls a day. The latest information on VA data security is posted on Firstgov.gov, the U.S. government's official Web portal."
Related news and government documents:
Statement of Secretary of Veterans Affairs R. James Nicholson on the Status of the Veterans Data Theft (5/24/06): "I am outraged at the loss of this veterans' data and the fact an employee would put it at risk by taking it home in violation of our policies. I am also concerned about the timing of the Department's response once the burglary became known. I will not tolerate inaction and poor judgment when it comes to protecting our veterans."
Cybersecurity Enhancement and Consumer Data Protection Act of 2006 (H.R. 5318), To amend title 18, United States Code, to better assure cyber-security, and for other purposes, introduced 5/9/2006, by Rep. James F. Sensenbrenner Jr.
Solove, Daniel J. and Hoofnagle, Chris Jay, A Model Regime of Privacy Protection (Version 3.0). Illinois Law Review, Vol. 2006, p. 357, 2006.
FTC press release: "The Federal Trade Commission today told the Subcommittee on Commerce, Trade, and Consumer Protection of the House Committee on Energy and Commerce Committee that in the effort to reconcile the beneficial uses of Social Security Numbers with the threats to consumer privacy, "The challenge is to find the proper balance between the need to keep SSNs out of the hands of identity thieves, while giving businesses and government entities sufficient means to attribute information to the correct person."
Fact Sheet: The President's Identity Theft Task Force: "This task force will marshal the resources of the Federal government to crack down on the criminals who traffic in stolen identities and protect American families from this devastating crime."
"The Committee on Energy and Commerce, to whom was referred the bill (H.R. 4127) to protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass." [House Report 109-453 - Part 1 - Data Accountability and Trust Act (DATA), Ordered to be printed May 6, 2006]
FTC press release: "A title company that promised consumers it maintained "physical, electronic and procedural safeguards" to protect their confidential financial information, but tossed consumer home loan applications in an open dumpster, agreed to settle Federal Trade Commission charges that its inadequate storage and disposal procedures for sensitive consumer information violated federal laws. The settlement with Nations Title Agency, Inc., Nations Holding Company, and Christopher M. Likens bars deceptive claims about privacy and security policies, and requires that they implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years."
The RFID Hacking Underground, by Annalee Newitz: "They can steal your smartcard, lift your passport, jack your car, even clone the chip in your arm. And you won't feel a thing. 5 tales from the RFID-hacking underground."
Preventing Identity Theft and Data Security Breaches: The Problem With Regulation, by Clyde Wayne Crews and Brooke Oberwetter, Competitive Enterprise Institute, May 9, 2006 (24 pages, PDF)
Building and Implmenting a Successful Information Security Policy, by John J. Pak, May 8, 2006 (25 pages, PDF).
The Ins and Outs of Spyware [15 pages, PDF] April 24, 2006: "Lesley Herring discusses what spyware is, categories of spyware, types of spyware, symptoms of spyware, research sites to find out more information, prevention techniques, and removal tools in this contribution."
Cyber Security Industry Alliance Board Urges Congressional Leadership on Consumer Data Protection: Letter to Congressional Leadership
Press release: The Anti-Spyware Coalition today released two new resources to help consumers and enterprises better protect themselves against spyware and unwanted adware...The coalition's two new documents walk consumers and network operators through the steps they should be taking to protect their machines against adware, spyware and other malicious software."
Press release: "An estimated 3.6 million households, or about 3 percent of all households in the nation, learned that they had been the victim of at least one type of identity theft during a six-month period in 2004, the Justice Department’s Bureau of Justice Statistics (BJS) announced today. Forty-eight percent had experienced an unauthorized use of credit cards; 25 percent had other accounts, such as banking accounts, used without permission; 15 percent experienced the misuse of personal information and 12 percent experienced multiple types of theft at the same time. These findings represent six-month estimates based on interviews conducted from July through December 2004 for the BJS National Crime Victimization Survey."
Press release: "The House Energy and Commerce Committee unanimously approved new data security laws Wednesday that will ensure consumers' personal information is closely guarded and consumers are notified when they are at risk...The bill places new requirements on specific companies that specialize in collecting personal data. These "data brokers" will be required to implement effective security safeguards. If there is a reasonable risk of identity theft to the individual to whom the personal information relates, fraud or other unlawful conduct, these data brokers must notify consumers. Additionally, data brokers will be prohibited from falsely representing themselves to obtain personal data...H.R. 4127, the Data Accountability and Trust Act, passed 41-0. The bill "sends a clear message: 'If you can't protect it, don't collect it,'" said U.S. Rep. John Dingell, D-Mich., the committee's ranking member."
"The Better Business Bureau (BBB) has partnered with nationally-recognized security and privacy experts to create a new toolkit to help small business owners manage security and privacy challenges. We call it Security & Privacy - Made Simpler (TM). The objective is to demystify the complexities of data security and give small businesses a non-technical roadmap to securing their customer data, and their employees' data, too."
"PhishRegistry.org is a free service provided by CipherTrust, Inc. to help businesses know when they are at risk of being phished. PhishRegistry.org monitors the content of your website and alerts you when attempts to duplicate it have been detected. Weekly reports are sent to your email address with information about suspect websites."
Privacy Rights Clearinghouse, Updated March 23, 2006: A Chronology of Data Breaches Reported Since the ChoicePoint Incident
"Thousands of visitors to StopBadware.org have shared their badware experiences with us since we launched. From their stories, we've identified and tested four applications that contain annoying or objectionable behaviors. To find out what we think of Kazaa, MediaPipe, SpyAxe, and Screensaver.com, read our reports (all in PDF):"
Press release: "Large well-respected companies are helping to fund the virulent spread of unwanted and potentially harmful "adware" by paying for advertisements generated by those programs, a new report by CDT finds. In "Following the Money: How Advertising Dollars Encourage Nuisance and Harmful Adware and What Can be Done to Reverse the Trend," (10 pages, PDF) CDT details how -- through a complicated network of intermediaries -- major advertisers pay to have their products and services advertised though pop-ups and other ads generated by unwanted advertising software or "adware." The report dissects the financial relationships behind those arrangements and identifies a number of mainstream companies that advertise through one particularly unscrupulous adware distributor."
Press release: "Neil Holloway, president of Microsoft Europe, Middle East and Africa (EMEA), unveiled a global law enforcement campaign that will target cybercriminals behind phishing attacks. Microsoft Corp. announced that by the end of June 2006 it will have initiated legal actions on more than 100 cases in EMEA against individuals suspected of committing online fraud; 53 of these will have already started by the end of March 2006...The legal actions are linked to a larger Microsoft(R) program, the Global Phishing Enforcement Initiative (GPEI), launched by the company to coordinate and expand its many anti-phishing efforts worldwide to fight phishers through consumer protection, partnerships and prosecution."
Press release, March 16, 2006: The Federal Trade Commission today told the House Committee on Small Business, Subcommittee on Regulatory Reform and Oversight that protecting consumers' privacy rights is a top priority for the agency. Lydia Parnes, Director of the FTC's Bureau of Consumer Protection, told the Committee, "The Commission is committed to aggressive law enforcement, vigorous consumer and business education efforts, and global cooperation to safeguard the security of consumers’ personal information." To date, the agency has brought 12 data security cases, six spyware and adware cases, more than a dozen financial pretexting cases, and more than 80 spam cases.
U.S. Newswire: "The House Financial Services Committee voted today to repeal strict state notification and credit freeze laws that have helped to protect consumers from identity theft and financial fraud. These laws provide essential protections that allow consumers to prevent identity thieves from opening credit accounts in their names and require companies to inform consumers when their personal data -- such as their Social Security and credit card numbers -- have become compromised."
Press release: "Consumer confidence in conducting business and protecting personal data online is threatened every day by phishing scams. In an initiative led by the National Consumers League (NCL), law enforcement, financial services and technical industries have joined forces to combat this threat. The group today issued a "call to action" with the release of a paper outlining key recommendations that form a comprehensive plan for combating phishing more effectively."
Government Reform Committee Oversight Hearing: No Computer System Left Behind: A Review of the 2005 Federal Computer Security Scorecards, March 16, 2006.
From Viviane Reding, Member of the European Commission responsible for Information Society and Media, "Safety on the Net" (7 pages, PDF), (09/02/06).
Symantec Internet Security Threat Report, Volume IX: March 2006 Highlights.
Press release: "Citing the need to safeguard the personal information of Minnesotans, Governor Pawlenty today announced a series of proposals that will protect personal privacy and improve the way state government handles personal data...In 2005, more than 3,000 Minnesotans became the victims of identity theft according to the Federal Trade Commission.
NPR: Identity Theft - Protecting Your Good Name, February 27, 2006. (17 pages, PDF)
FTC press release: "In the largest known compromise of financial data to date, CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems' failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an unfair practice that violated federal law. According to the FTC, the security breach resulted in millions of dollars in fraudulent purchases. The settlement will require CardSystems and Pay By Touch to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years."
Follow-up to House Cmte. Seeks Operations Docs. from Websites Selling Cell Phone Records, "House Energy and Commerce Committee investigators have identified people behind 22 Web pages that may offer criminals, stalkers and any other paying customer the detailed records of a person's private telephone calls."
"The goal of National Computer Security Survey (NCSS) is to produce reliable national and industry-level estimates of the prevalence of computer security incidents (such as denial of service attacks, fraud, or theft of information) against businesses and the resulting losses incurred by businesses. The first national survey of thousands of businesses is being conducted in 2006. Sponsors: U.S. Department of Justice, Bureau of Justice Statistics and the U.S. Department of Homeland Security, National Cyber Security Division (NCSD)."
Related government documents:
Data Security: Federal and State Laws, February 03, 2006
Press release: "The 2006 Identity Fraud Survey Report - released by the Council of Better Business Bureaus and Javelin Strategy & Research - provides new facts on how identity fraud occurs, counterintuitive insights that challenge conventionally accepted beliefs about these crimes, and steps consumers can take to further protect themselves against this problem...people are not helpless in protecting themselves from identity theft. Contrary to popular belief, consumers do not bear the brunt of financial losses from identity fraud, Internet use does not increase the risk of identity fraud; and... seniors are not the most frequent targets of fraud operators." The press release includes key data from the report, but the full text (57 pages) must be purchased from Javelin Strategy & Research.
UK Home Office: Updated Estimate of the of the Cost of Identity Fraud to the UK Economy, 2 February 2006 (4 pages, PDF).
The new StopBadware.org website, sponsored by the Berkman Center, the Oxford Internet Institute, with assistance from Consumer Reports WebWatch, ..."will seek to provide reliable, objective information about downloadable applications in order to help consumers to make better choices about what they download on to their computers. We aim to become a central clearinghouse for research on badware and the bad actors who spread it, and to become a focal point for developing collaborative, community-minded approaches to stopping badware."
Identity Theft Again Leads the List: "The Federal Trade Commission...released its annual report (77 pages, PDF) detailing consumer complaints about fraud and identity theft in 2005. Complaints about identity theft topped the list, accounting for 255,000 of more than 686,000 complaints filed with the agency in 2005. The complaints, filed online or at a toll-free number, are shared via a secure database with more than 1,400 federal, state, and local law enforcement agencies, and law enforcement and consumer protection agencies in Canada and Australia."
FTC press release: "Consumer data broker ChoicePoint, Inc., which last year acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers' privacy rights and federal laws. The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026."
Press release: "The Federal Deposit Insurance Corporation (FDIC) today released an on-line multimedia education tool that consumers can use to learn how to better protect their computers and themselves from identity thieves. The presentation also features actions consumers can take if their personal information has been compromised. Identity theft continues to be one of the fastest growing crimes in the United States, and has ranked as one of the top consumer concerns for the past several years. Identity theft is evolving in more complicated ways that make it harder for consumers to protect themselves, and easier for criminals to set up virtual storefronts on the Internet to sell confidential personal information."
New 2005 FBI Computer Crime Survey (19 pages, PDF). "The survey, developed and analyzed with the help of leading public and private authorities on cyber security, is based on responses from a cross-section of more than 2,000 public and private organizations in four states."
"After an extensive public comment period and review, the Anti-Spyware Coalition has released the Final Working Report of the Spyware Definitions. In addition, ASC has released a number of supporting documents, including a Vendor Dispute Resolution Process, a Glossary and a set of Safety Tips for Users."
"OnGuardOnline.gov provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information."
Malware - Future Trends, by Dancho Danchev,10/01/06 (26 pages, PDF).
Spy? Where?: Understanding Spyware, by Benny C. Rayner, 03/01/06 (14 pages, PDF): "Spyware is a pest no matter which way you think about it. Whether it’s causing you to have numerous pop-ups or it is consuming all of your system resources; spyware is a menace to be reckoned with."
Press release: NCSL's Top Ten Legislative Issues Forecast For 2006.
"Cyber Security Industry Alliance (CSIA), the only advocacy group dedicated to ensuring the privacy, reliability and integrity of information systems, today called on the federal government to assert greater leadership in the protection our information infrastructure in 2006. Its release of the National Agenda for Government Action on Information Security (11 pages, PDF) identifies 13 specific actions required to improve information security for consumers, industry, and governments globally. As part of the Agenda, CSIA also provides a report of the government's limited progress in information security in 2005 and releases a new Digital Confidence Index that reflects the public's lack of confidence in our nation's critical infrastructure." [Link]
Press release: Phishing attacks aimed at identity theft now affect roughly one in four Americans (23%) each month, according to the second annual AOL/National Cyber Security Alliance (NCSA) Online Safety Study (11 pages, PDF). Additionally, more than two-thirds of consumers (70%) who received such scam e-mails thought they were from legitimate companies, putting them at high risk of losing sensitive personal information to identity thieves or criminals. The AOL/NCSA Online Safety Study is the largest study of its kind, sending technical experts into hundreds of typical homes to examine personal computers for known security risks and threats."
Windows OneCare Team Blog: "WOC is devoted to helping users' get their machines in a secure and healthy state."
The Personal Data Privacy And Security Act of 2005 was approved by the Senate Judiciary Committee and moves forward to Senate hearings.
From the Anti-Phishing Working Group and SRI International, the following report, commissioned by DHS, Online Identity Theft: Technology, Chokepoints and Countermeasures (58 pages, PDF).
Follow-up to November 1, 2005 posting, Data Breaches Remain A Concern for Consumers and Lawmakers. The House Commerce, Trade & Consumer Protection Subcommittee passed the Data Accountability and Trust Act, H.R. 1427, on November 3. Congressional support for the legislation remains mixed.
A new, joint federal law enforcement and industry initiative to fight Internet fraud, called LooksTooGoodToBeTrue, was launched today (press release, 5 pages, PDF). "This website was developed to arm you with information so you don’t fall victim to these Internet scam artists." The site provides consumers with documentation on: Types of Fraud; Victim Stories; FAQs & Tips; Information Regarding Phishing Scams; a Fraud Risk Test; and Links to help prevent you from being scammed.
"Microsoft has teamed up with the National Cyber Security Alliance (NCSA) to help increase Internet security through a month-long awareness-raising campaign that provides information and sponsored events for consumers, small businesses, educators, and families. This year, the National Cyber Security Awareness Month campaign begins October 1, 2005...Events for this year's campaign include conferences and workshops in several cities across the U.S. For more information and a list of events, visit the NCSA Web site."
Press release, October 12, 2005: "The Federal Financial Institutions Examination Council (FFIEC) today released updated guidance (14 pages, PDF) on the risks and risk management controls necessary to authenticate the identity of customers accessing Internet-based financial services. The guidance, Authentication in an Internet Banking Environment, was issued to reflect the many significant legal and technological changes with respect to the protection of customer information, increasing incidents of identity theft and fraud, and the introduction of improved authentication technologies and other risk mitigation strategies."
The Complete Guide to E-mail, Inc. Magazine, October 2005: "What follows is a guide to the biggest e-mail concerns, particularly security, compliance, and archiving. We'll give you tools for building an e-mail policy now, which can save headaches later, and also advice on buying the right system."
"Kath Straub, Ph.D., CUA, Chief Scientist, looks at recent research on how people detect, and often miss, Web site fraud.."
Fine-tuning your Internet deception detectors is a brief, straight forward, practical guide to "how Internet deception works."
FTC press release: "The Federal Trade Commission today told the Senate Committee on Commerce, Science, and Transportation Subcommittee on Trade, Tourism, and Economic Development that spyware and other "malware" that is downloaded to consumers' computers without their consent can cause problems ranging from sluggish computer performance to loss of sensitive personal data. Chairman Deborah Platt Majoras said the FTC has an active program to address concerns about spyware and other malware, including research, law enforcement, and consumer education." Please note that this press release provides links to and descriptions of four cases brought by the FTC against defendants accused of distributing spyware and adware.
How to foil a Phish, by Sarah D. Scalet, documents the creation and implementation of a successful anti-phishing response plan by an anonymous financial institution. This case study provides a range of scenarios that confront banks dealing with a bombardment of email attacks, and offers practical resources and solutions.
Signed into law on September 30, S.B. No. 355: This bill would enact the Anti-Phishing Act of 2005. The bill would make it unlawful for any person, through the Internet or other electronic means, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the approval or authority of the business. The bill would provide certain civil remedies and civil penalties for a violation in that regard.
Symantec Internet Security Threat Report, Volume VIII, September 2005 (requires free registration): "The Symantec Internet Security Threat Report is an analysis and discussion of Internet security activity over the past six months. It covers Internet attacks, vulnerabilities, malicious code, and future trends. This edition of the Threat Report, covering the first six months of 2005, marks a shift in the threat landscape. Attackers are moving away from large, multipurpose attacks on network perimeters and towards smaller, more focused attacks on client-side targets. The new threat landscape will likely be dominated by emerging threats such as bot networks, customizable modular malicious code, and targeted attacks on Web applications and Web browsers. Unlike traditional attack activity, many current threats are motivated by profit. They often attempt to perpetrate criminal acts, such as identity theft, extortion, and fraud."
"OnGuardOnline.gov provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information."
How to Combat Spyware in Corporate Environments - "A vendor contribution from Panda Soft on Spyware...Spyware downloaded to companies can steal confidential information, reduce the performance of the IT infrastructure, due to the resources used by non work-related activity and loss of employee productivity, who have to deal with changes to system settings and unwanted advertisements." (20 pages, PDF)
The Pharming Guide by Gunter Ollmann (37 pages, PDF)
EPIC reports that "the Fair Credit Reporting Act's guarantee of free credit reports takes full effect today, and now residents of all states can gain access to a free copy of their credit report from all three of the big consumer reporting agencies by visiting annualcreditreport.com or by calling 1-877-322-8228. You can monitor your credit free by requesting one of your three credit reports every four months. For more information, see EPIC's Fair Credit Reporting Act Page."
New York Governor Pataki signed the Information Security Breach and Notification Act on August 22. It "requires any state agency or business which owns or licenses a computerized database which includes vulnerable personal information shall disclose any breach of security of such system to any resident of New York state whose unencrypted personal information may have been acquired by an unauthorized person; provides enforcement provisions."
Understanding credit reports requires homework, patience, By Patricia Sabatini, Pittsburgh Post-Gazette.
Webroot Software released their State of Spyware Report today (free but requires registration), which states in part that "...the number of websites distributing spyware has quadrupled since the beginning of 2005 to an astonishing 300,000 unique URLs." [press release] In addition, 80% of corporate computers are infected with malicious software, which can take the form of trojans, spyware or adware.
From the Reconnex August Insider Threat Index: "Ninety-one percent of companies who completed a Reconnex 48-Hour e-Risk Assessment in the month of July had credit card numbers entering or leaving their network and eight-two percent exposed social security numbers. Most concerning was the amount of personal data including name and SSNs exposed directly in the subject lines of emails, in clear, open text. The origin of the vast majority of these disclosures stemmed from human resources departments who often accidentally exposed employees' personal information when they communicate with partners in health insurance, payroll, workers compensation and other third-party processors. The personal data revealed by co-workers often included employee names, date of birth, social security numbers (SSN) and even sometimes bank routing information. This personal data was usually sent via Excel spreadsheets and in clear text. Sometimes the individual Excel spreadsheets contained thousands to tens of thousands of individuals personal data."
Press release from RSA Security: "A survey released [yesterday]...showed that – despite widespread fears of fraudulent activity and identity theft – consumers are willing to increase the amount of personal business they do online if their banks and other online service providers offer them strong authentication."
Press release from Unisys: "Survey results from Unisys Corporation launched [August 3, 2005] reveal that UK consumers' apathetic attitude to fraud could be helping to perpetuate the rapidly growing identity theft industry, which is now estimated to be costing UK businesses £1.3 billion per year."
IBM press release: "IBM reported that virus-laden emails and criminal driven security attacks increased by 50 percent in the first half of 2005 - underscored by a significant rise in 'customized' attacks on the government, financial services, manufacturing and healthcare industries. This substantial increase, along with a decrease in less profitable threats, such as spam and simple computer viruses, indicates a growth in targeted attacks against specific organizations and industries -- apparently created with the purpose of stealing critical data, identities or extorting money."
The U.S. Senate Special Committee on Aging held a hearing on July 27, Old Scams – New Victims: Breaking The Cycle of Victimization.
On July 20, the Privacy Rights Clearinghouse updated their Chronology of Data Breaches Reported Since the ChoicePoint Incident, which have impacted more than 50 million individuals.
Press release from the Progress & Freedom Foundation: "Notification Doesn't Benefit Consumers: State and Federal lawmakers should proceed with caution when considering notification legislation addressing the perceived growth of data security breaches, according to a new paper released by The Progress & Freedom Foundation. An Economic Analysis of Notification Requirements for Data Security Breaches (19 pages, PDF), authored by Senior Fellow and VP for Research Thomas Lenard and Adjunct Fellow Paul Rubin, finds the costs of such notifications to businesses and consumers are likely to be substantially higher than the benefits."
From WSJ free content, Information Security - Where the Dangers Are: The threats to information security that keep the experts up at night -- and what businesses and consumers can do to protect themselves.
As a follow-up to my December 12, 2003 posting, E-ZPass Technology, Law Enforcement and Privacy, see this article, A Pass on Privacy, from the Sunday New York Times Magazine: "The computer system to which you have surrendered your payment information also records data about your movements and habits. It can be hacked into." Read on.
Press release: "A bipartisan coalition of Senate Commerce Committee leaders today introduced comprehensive legislation (The Identity Theft Protection Act, S.1408) that protects consumers from identity theft. The bill sets national standards for notifying consumers of data breaches, requires businesses to improve their safeguards for sensitive consumer information, gives consumers the right to freeze their credit reports to thwart identity theft, and limits the solicitation of Social Security numbers."
From the U.S. Public Policy Committee of the Association for Computing Machinery (ACM), Data security & privacy bill part of a crowded Senate agenda (Part 1).
Press release, July 1, 2005: "Three House members today released a report on the need for strong federal laws to protect consumers from identity theft. The report, Identity Theft and Terrorism, prepared by the House Homeland Security Committee, highlights the security gaps currently existing in consumer database companies and large financial institutions."
Press release from the Identity Theft Assistance Center (ITAC): Financial Services Companies Partner With Federal Trade Commission to Provide Identity Theft Data to Law Enforcement: Identity Theft Assistance Center Achieves Key Objective.
Deloitte & Touche published their annual Global Security Study, 2005 (44 pages, PDF) which surveys the state of IT security in the finanical services industry.
Press release: "...the Personal Data Privacy and Security Act of 2005, legislation...would help consumers better protect the privacy of their personal information in the face of recurrent data security breaches across the country..." Note that the press release includes: key features and a summary of the Specter-Leahy legislation, Senator Leahy's statements on the introduction of the bill, and a detailed section-by-section summary of the bill.
Text of the bill, 91 pages, PDF
The cover story of the July 4, 2005 issue of Newsweek is on ID theft. Following are links to several articles from the issue, as well as a link to a relevant article from the New York Times Sunday Week in Review:
Press release from NJPIRG: "Today the New Jersey Legislature passed the potent, comprehensive "Identity Theft Prevention Act" (6 pages, PDF) with overwhelming, bipartisan majorities in each house. The law limits the use and display of social security numbers, requires business to thoroughly destroy discarded documents, requires businesses to notify consumers if an unauthorized person accesses enough information to steal their identity, and empowers consumers to prevent new account fraud with a user-friendly "security freeze."
In what appears to be a parallel data mining program to that of the Dept. of Education, about which I posted on November 30, 2004 (Federal Gov't Wants To Mine College and University Student Data), and again on April 6, 2005 (Gov't Proceeds With Plans to Mine Personal Data on Students), new reports today on an extensive military recruitment database created by the Pentagon. Comprised of personal data on tens of millions of high school and college-aged students, the management of the database is in the hands of a commercial company in Massachusetts. A coalition of privacy groups filed comments yesterday strongly opposing the database, stating that "the collection of this information is not consistent with the Privacy Act..." and that the collection of social security numbers "heightens the risk of identity theft."
From CNN Money, ID data breaches: as rampant as it seems documents the circumstances of the most recently reported incident of hacking, called skimming, that involved the illegal acquisition and storage of credit card data, the exact impact of which still has been not fully disclosed apparently due to the ongoing investigation.
FTC press release: "BJ's Wholesale Club, Inc. has agreed to settle Federal Trade Commission charges that its failure to take appropriate security measures to protect the sensitive information of thousands of its customers was an unfair practice that violated federal law. According to the FTC, this information was used by an unauthorized person or persons to make millions of dollars of fraudulent purchases. The settlement will require BJ's to implement a comprehensive information security program and obtain audits by an independent third party security professional every other year for 20 years."
From the Washington Post (reg. req'd), Private Eyes Fear Limits On Information Access
On Thursday, June 16, 2005, the Senate Commerce Committee held a Full Committee hearing to examine federal legislative solutions to data breach and identity theft.
The Scramble to Protect Personal Information, from today's New York Times, addresses the issue of significant vulnerabilities in the transfer mechanisms used for financial data, which have resulted in numerous recent headline grabbing reports on the loss and theft of personal data impacting millions of consumers.
Two articles worth reading on state and federal efforts to regulate data brokers in response to the continuing cascade of system breaches, thefts, loss of tapes/drives, and leaks resulting in the release of sensitive personal data: from the Washington Post (reg. req'd), States Keep Watchful Eye on Personal-Data Firms, and from PC World, Policing Information Brokers, the Sequel.
From EPIC, June 1, 2005: "Today, residents of eleven southern states can gain access to a free copy of their credit report from all three of the big consumer reporting agencies by visiting annualcreditreport.com or by calling 1-877-322-8228."
Press release from the FTC, June 1, 2005: "Beginning today, a new federal rule will require businesses and individuals to take appropriate measures to dispose of sensitive information derived from consumer reports. Any business or individual who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule, a part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which calls for the proper disposal of information in consumer reports and records to protect against unauthorized access to or use of the information."
IBM press release, May 24, 2005: "IBM today introduced first-of-its-kind software that allows organizations to anonymously share and compare information without revealing private or sensitive personal details, introducing a new era of open, collaborative data sharing in financial services, healthcare, retail and other industries. The breakthrough IBM technology, DB2 Anonymous Resolution, helps customers to rapidly and more securely share information with other organizations, while protecting - or "anonymizing" - the identity of individuals within their respective data repositories."
From the Privacy Rights Clearinghouse, an update today to their report, A Chronology of Data Breaches Reported Since the ChoicePoint Incident
Federal Register, May 11, 2005: United States Sentencing Commission , NOTICES, Sentencing guidelines and policy statements for Federal courts, 24852–24856. SUMMARY: Pursuant to its authority under 28 U.S.C. 994(p), the Commission has promulgated amendments to the sentencing guidelines, policy statements, commentary, and statutory index. This notice sets forth the amendments and the reason for each amendment.
From Wired, this article Your Identity, Open to All clearly elucidates the privacy issues associated with signficantly increased accessibility to personal data on the web that is aggregated from public domain sources. Questions about the accuracy of this data, its timeliness, the reliability of the sources from which it is extrapolated, and the reasons for making it available are of critical importance in the context of increasing concerns related to cybercrimes, ID theft, privacy and availability of e-records to the public.
From the free content section of the April 21 WSJ, A Cottage Industry Blooms To Help Victims of ID Theft examines the costs and range of services offered by companies who market assistance to victims of online or offline ID theft. In addition, potential red flags about, and the limitations to, these services are noted.
Press release, April 1, 2005: Spitzer Calls for Regulation of Information Brokers and Increased Penalties for Computer Hacking. Note - links to the text of the proposed legislation, in PDF, are available via this press release, and highlights include the following:
Press release today: "LexisNexis U.S., a leading provider of legal, news and business information said today it has begun mailing notification letters to approximately 280,000 individuals whose personally identifying information may have been accessed by unauthorized individuals using passwords and IDs stolen from legitimate customers of its Seisint unit."
Press release: "Senator Hillary Rodham Clinton and Representative Edward J. Markey announced that they would introduce the Safeguarding Americans from Exporting Identification Data (SAFE ID) Act in the United States Senate and House today, legislation that would protect the privacy of consumers' most sensitive personal information. This legislation would close gaps in U.S. privacy laws that leave consumers vulnerable when American businesses and healthcare organizations send accounting and medical information overseas for processing, often without consumers' knowledge."
The San Jose Medical Group reported the theft, from their facility, of two Dell PCs to which confidential data on 185,000 patients had been copied from the organization's servers.
Senate Judiciary Committee hearing, "Securing Electronic Personal Data: Striking a Balance Between Privacy and Commercial and Governmental Use," April 13, 2005
S. 751, A bill to require federal agencies, and persons engaged in interstate commerce, in possession of data containing personal information, to disclose any unauthorized acquisition of such information, introduced April 11, 2005.
Press release, April 12: Recent Examples of Egregious Loopholes That Are Compromising Personal Information Need Immediate and Thorough Action by Congress - Schumer-Nelson Bill Would Empower FTC, Inform Consumer to Prevent ID Theft in Future, Not Just Punish Wrongdoers after the Fact
"CDT will testify (text of statement submitted by CDT Exec. Director, 17 pages, PDF) April 13 before the Senate Judiciary Committee on the privacy and security issues raised by recent losses of personal information by data brokers and others. CDT will call for a stronger policy framework, requiring notice of breach, security safeguards, limits on use and disclosure of Social Security numbers, rules for governmental use, and application of "fair information practices" to data brokers."
Press release: LexisNexis Concludes Review of Data Search Activity, Identifying Additional Instances of Illegal Data Access: "In addition to the 30,000 individuals already notified, LexisNexis will begin notifying approximately 280,000 additional individuals whose information may have been acquired during these recently identified incidents. LexisNexis will offer free support services to individuals who receive the notification, to monitor and protect them from possible fraud associated with identity theft, including credit bureau reports, credit monitoring for one year and fraud insurance. In addition, LexisNexis will provide fraud counseling services or specialized assistance on a case-by-case basis to any individual who has been the victim of identity theft related to these instances."
In States Scramble To Protect Data - Dozens of Privacy Bills Introduced After Spate of Security Breaches, the Washington Post reports that privacy legislation is under consideration in 28 states. However, industry support for a carefully crafted response on the federal level presents serious challenges to the future of these bills.
From the current issue of Managing Technology (Wharton School): Do You Know Where Your Identity Is? Personal Data Theft Eludes Easy Remedies
Subcommittee on Courts, the Internet, and Intellectual Property Oversight Hearing on Digital Music Interoperability and Availability, April 6, 2005.
Navigate to the full range of content in the article from this page, and see direct links to some of the highlights as follows:
The Use of Technology to Combat Identity Theft, Report from the Department of the Treasury on the Study conducted pursuant to Section 157 of the Fair and Accurate Credit Transactions Act of 2003 (116 pages, PDF)
From the Washington Post, via truthout, Net Aids Access to Sensitive ID Data addresses how it continues to be easy and inexpensive to obtain personal data on the web from a variety of sources, despite the escalating controversy focused on a range of recent ID theft scams launched against large database aggregators.
From the Privacy Rights Clearing House: Privacy Groups Urge Federal Reserve Board to Protect Consumers from Identity Theft and Stolen Convenience Checks
"LexisNexis has created a Web site with helpful information regarding data privacy at http://privacyfacts.lexisnexis.com."
Subcommittee on Commerce, Trade, and Consumer Protection hearing today on Protecting Consumer's Data: Policy Issues Raised by Choice Point. Prepared Testimony (PDF) is available from the following:
Two articles worth reading from The Los Angeles Times (reg. req'd):
From Internetnews.com, this article on soon to be released fee-based products providing consumers with tracking and alert services on fraudulent activities associated with their personal data.
"The Federal Trade Commission testified...before the U.S. Senate Committee on Banking, Housing, and Urban Affairs about the reach of existing federal laws that require certain information providers to safeguard sensitive information and to ensure that the information doesn’t fall into the wrong hands. The Senate Banking Committee is examining recent developments involving the security of sensitive consumer information." [Link]
The US Senate Committee on Banking, Housing, and Urban Affairs will hold a hearing on Identity Theft: Recent Developments Involving the Security of Sensitive Consumer Information, 3/10/05, 2:30 PM. [Link]
Press release from Reed Elsevier PLC and Reed Elsevier NV: LexisNexis investigates compromised customer IDs and passwords to Seisint U.S. consumer data.
Press release from the United States Attorney, Central District of California, March 7, 2005: "An Encino man who used personal information fraudulently obtained from ChoicePoint Service and other companies to commit identity theft against thousands of victims was sentenced today to 66 months in federal prison. Adedayo Benson, a 38-year-old Nigerian national, was sentenced this afternoon by United States District Judge Gary A. Feess. In addition to the 5 1/2-year prison term, Judge Feess ordered Adedayo Benson to pay nearly $155,000 in restitution to 10 financial institutions."
From the Privacy Rights Clearinghouse, Criminal Identity Theft in California: Seeking Solutions to the "Worst Case Scenario"
Shareholders sue ChoicePoint: "A class-action lawsuit has been filed in U.S. District Court for the Central District of California on behalf of those who bought ChoicePoint shares between April 22, 2004, and March 3, 2005.."
From the Washington Post, New Industry Helping Banks Fight Back - Sleuths Hit Online Identity Thieves With 'Takedowns,' 'Poisoning'. A patch-work of emerging technology applications are available targeted to financial services and e-commerce, seeking to address growing consumer concerns with e-mail and website fraud. This article reviews the challenges posed by phishing and the possibility that there may be federal regulations down the road.
Message to ChoicePoint users appears after login: "Dear Customer - Based on recent issues, we are taking a proactive stance on managing access to sensitive information. ChoicePoint is requesting an update of your user and account information and reducing your access to some data - until we process the update. Your account is still open and searches are running. Some Social Security numbers, Drivers License numbers and birth dates have been truncated (only part of the number will display) on reports or searches. We understand this may cause concern for your company or interfere with productivity. We sincerely apologize and will compensate you by crediting some future searches on ChoicePoint products. An account representative will call you to update your information. If you call or email us now, we cannot update or change your data access. If you have data questions or product questions contact us at 1-800-279-7710 or email us. We are serious about serving customers and serious about the responsible use of information. These may seem in conflict, but we are working towards a better solution for all stakeholders. Thank you for your understanding."
As the citizens of additional states join the list of those eligable for free credit reports, problems associated with this program have been noted. The World Privacy Forum recently issued an extensive report documenting fraudulent activities that are complicating consumer access to the reports. In addition, the group reviews how use of the legitimate sites providing the credit reports may result in exposure to unwanted marketing, spam and related privacy intrusions.
Press release: "Symantec has been granted U.S. patent number 6,851,057 for a system that enables the detection of complex viruses, worms, and spyware. The technology, "data driven detection of viruses," is employed throughout Symantec's portfolio of industry-leading information security solutions at the desktop, server, and gateway for both consumers and enterprises."
Critical personal and professional data resident on the hard drives of PCs that have been sold, traded or stolen remains a significant problem with no easy remedy. According to this Times Online article which documents the range of sensitive data retrieved from the drives of major corporations and individuals alike, the only reliable means of thoroughly wiping data is "to put an axe through it."
Press release today from Sen. Patrick Leahy, co-founder and co-chairman of the Senate Internet Caucus, on the introduction of the Anti-Phishing Act of 2005 (S. 472). The release "includes the Senate Floor speech of Sen. Patrick Leahy introducing his bill to explicitly target Internet "phishing," and "pharming" with new federal criminal penalties, and a fact sheet on the bill."
From the Privacy Rights Clearinghouse, this February 2005 update to their guide, Online Data Brokers: How Consumers Can Opt Out of Directory Assistance and Non-public Information, includes a chart detailing the specific procedure required by 17 free and fee-based websites and services which aggregate and provide access to a range of personal data. Take some time and review the information that these sites maintain on you, and be aware that they do not comprise all available online sources. Also note that unlike the Do-Not-Call Registry, opting out of these websites is not a one time request. As the database content is refreshed throughout the year, ensuring that your information is permanently removed may be an insurmountable challenge.
What follows is a group of recent, relevant articles and documents associated with the escalating critical evaluation of database aggregation and sale of personal data and associated digital scams and ID theft.
Press release: Leahy Calls For Hearings On Information Brokers That Are Emerging As Private Intelligence Agencies Tuesday, February 22, 2005:
By Chris Jay Hoofnagle, associate director of the Electronic Privacy Information Center, Putting Identity Theft on Ice: Freezing Credit Reports to Prevent Lending to Impostors.
From the press release, Office of the Illinois Attorney General, February 16, 2005: "Joined by several other state Attorneys General, Attorney General Lisa Madigan has written to a Georgia company that collects vast amounts of personal and financial data urging that the company immediately notify any Illinoisans whose information may have been breached following the theft of such information from the company by identity thieves. Others signing the letter include Attorneys General of Alaska, Arizona, Connecticut, Florida, Idaho, Indiana, Iowa, Maryland, Massachusetts, Michigan, Ohio, Oregon, New York, North Carolina, North Dakota, South Dakota, Vermont and Washington."
Updates today on news earlier this week, Data Mining Aggregator Reports Widespread ID Theft, disclose that the scope of the ID theft scam may involve half a million individuals around the country, not just the 35,000 in California as initially reported.
From the National Association of State Chief Information Officers (NASCIO), Welcome to the Jungle: The State Privacy Implications of Spam, Phishing and Spyware (15 pages, PDF).
Reports today from MSNBC, Reuters (via CNN Money), and New.com on the theft of between 30,000 to 35,000 personal digital data profiles of California residents, which occured last fall. Related postings.
"This report (19 pages, PDF) provides a detailed, comprehensive analysis of identity fraud in the United States, in order to better understand methods for prevention, detection and resolution. Co-released by Javelin Strategy & Research and the Better Business Bureau, this report is issued as a longitudinal update to the Federal Trade Commission’s (FTC) 2003 Identity Theft Survey Report."
Press release: "Today IBM announced the results from its 2004 Global Business Security Index Report and provided an early look at potential security threats in 2005. Based on early indicators, a new and troubling trend this year may be the aggressive spread of viruses and worms to handheld devices, cell phones, wireless networks, and embedded computers, which include car and satellite communication systems." [thanks David Ries]
From the FTC press release: "The Federal Trade Commission has launched the seventh annual National Consumer Protection Week (NCPW), February 6-12, 2005, in cooperation with federal, state and local agencies, and national advocacy organizations committed to consumer protection and education. This year's theme, "Identity Theft: When Fact Becomes Fiction," focuses on minimizing the risk of identity theft and taking fast action if an identity thief strikes...The NCPW Web site contains helpful information for consumers and businesses on a variety of topics, including "phishing" scams, telecommunications fraud, Internet fraud, and the theft of printed documents with personal information, as well as protecting employees from identity theft in the workplace. The site also contains valuable consumer information on the steps to take if you become a victim."
As a follow-up to my posting yesterday, FTC Releases Annual Report on Consumer Complaints - ID Theft Tops List, this Washington Post article (reg. req'd) highlights that the D.C. metropolitan area led the country in the number of complaints to the FTC.
Press release: "The Federal Trade Commission today released its annual report detailing consumer complaints about identity theft and listing the top 10 categories of fraud-related complaints filed with the FTC in 2004. For the fifth year in a row, identity theft topped the list of complaints, accounting for 39 percent of the 635,173 consumer fraud complaints filed with the agency last year."
S.116, Privacy Act of 2005. Introduced in Senate on January 24, 2005, Senator Dianne Feinstein (D-Calif.)
From USA Today: Identity theft, new law about to send shredding on a tear
Security Focus has an in-depth report on how a Hacker penetrates T-Mobile systems and steals personal data, including social security numbers, emails, photos and Secret Service documents. [via David Reis]
From PCWorld, Legislative Year in Review: All Talk, Little Action: "For good or ill, Congress kept to its usual snail's pace on a number of controversial issues ranging from digital copyright to spyware; other government agencies, however, made up for some of the slack."
Terminating Spyware With Extreme Prejudice chronicles efforts to be rid of spyware and adware programs using the extreme method of reformatting a PC hard drive, after all other avenues had failed.
"CleanSoftware.org is a resource to help Windows users find the best free daily-use software, free from nasties: adware, spyware, harmful/intrusive components, and threats to privacy." (via Slashdot) Versions of the software included are accompanied by red, yellow and green dots indicating the level of reliability.
From EPIC, Top Ten Consumer Privacy Resolutions.
Press release - FDIC Issues Study on Identity Theft and Seeks Comments on Possible Guidance to Bankers: "Fraudsters are taking advantage of the reliance on single-factor authentication for remote access to online banking, and the lack of e-mail and Web site authentication, to perpetrate account hijacking."
As a follow-up to this posting, State Department documents obtained through a FOIA request, details of which are publicized in this ACLU white paper, provide broader insight into the privacy and ID theft issues implicit as a result of the new passports' implementation of Contactless Integrated Circuits.
A trio of PowerPoint presentations providing resources on the following timely issues:
As a follow-up to my May 17 posting, Biometric ID Will Be Added to US Passports, today's AP story, Electronic Passports Might Not Measure Up, details additional concerns that the information chips under development subject the passport holder to an ID theft scam that is simple to perpetrate.
Press release: The Federal Trade Commission has issued its final rules under the Fair and Accurate Credit Transactions Act (FACTA) regarding further definition of the terms "identity theft" and "identity theft report"; the duration of active duty alerts; and the appropriate proof of identity needed by consumers to block fraudulent trade lines in their consumer reports, place or remove fraud or active duty alerts, or truncate their Social Security number in their file disclosures.
This extensive examination into ID theft in America indicates that U.S. law enforcement have determined that a large proportion of these crimes are planned offshore, and that outsourcing has been a contributing factor.
Update to 10/08/04 posting, FTC Files Case Against Two Companies Who Market Spyware, that included a link to the complaint, see the 10/12/04 FTC press release, FTC Cracks down On Spyware Operation, for additional comments.
Prepared Statement of the Federal Trade Commission on Identity Theft and Social Security Numbers, Before the Subcommittee on Commerce, Trade, and Consumer Protection of the House Committee on Energy and Commerce, September 28, 2004.
FTC press release, FTC Continues Education, Enforcement Efforts to Promote Information Security, and Commissioner Swindle's prepared statement (PDF, 17 pages) before the House Committee on Government Reform hearing, Identity Theft: The Cause, Costs, Consequences, and Potential Solutions?, September 22, 2004.
From the Privacy Rights Clearinghouse, Fact Sheet No. 24e: Is Your Financial Information Safe? September 2004:
A brief article in the August 26 Wall Street Journal, page B6, raises important questions concerning the security of confidential corporate documents stored on the hard drives of digital copiers, and potentially accessible by hackers if the drives have separate network addresses. From the article: "If a human resources department uses a digital photocopier to record employees' social security or driver's licenses, "That information is resident on that hard drive," says Edward McLaughlin, president of Sharp Document Solutions. "It is something that every financial institution is all over."
From the Privacy Rights Clearinghouse: FACTA, the Fair and Accurate Credit Transactions Act: Consumers Win Some, Lose Some and Fact Sheet No. 6: How Private Is My Credit Report? Revised August 2004.
From AP: Big-time ID Theft A Symptom of Database Culture. This article details the scope and scale of retail credit card fraud and ID theft, crimes which are registering steadily increasing statistics...a downside of the "database nation."
Consumers in two states (California and Texas) may now use a "security freeze" to block access to their credit reports without their authorization, which they can provide to the credit bureau via a PIN (personal identification number). Vermont and Louisiana residents will be able to opt-in next summer. This ID theft deterrent does not have Congressional or industry support.
From VeriSign's press release today: "VeriSign's Anti-Phishing Solution protects enterprises through a five-tiered solution that helps prevent, detect and respond to attacks, thereby mitigating and eliminating identity theft and email fraud attempts."
Single-use credit cards fight fraud. A number of companies are offering disposable credit card numbers for online purchase transactions.
An online survey conducted in April indicates "that 75% of accountholders are less likely to respond to email from their banks, and over 65% said they were less likely to sign-up or continue to use their bank’s online services." These results reflect growing consumer concern with phishing and email fraud, occurrences of which are increasingly the focus of news articles.
Yesterday, California Senate Bill 1436, the Consumer Protection Against Computer Spyware Act, sponsored by Senator Kevin Murray, won approval by the Judiciary Committee. In addition, Assembly Bill 2787, which prohibits the download of spyware to a computer in California, was approved by the Committee on Judiciary.
Spyware: What You Don't Know Can Hurt You, Hearing by the Subcommittee on Commerce, Trade, and Consumer Protection, April 29, 2004 [Link to Witness List & Prepared Testimony, Related Documents and Bills.]
From Websense's fifth annual Web@Work survey, April 26: "92 Percent of Organizations with at Least 100 Employees Have Been Contaminated With Spyware, Yet Only Six Percent of Employees Believe They Have Been Infected."
From yesterday's FTC Spyware Workshop, the Consumer Software Working Group Examples of Unfair, Deceptive or Devious Practices Involving Software, "endorsed by a broad coalition of software companies, Internet service providers, anti-spyware technology vendors, and consumer groups convened by the Center for Democracy and Technology (CDT)."
The BBC reports that the results of recent surveys of London commuters, requesting their PC login passwords in exchange for chocolate, were that a majority of respondents provided them without hesitation. Must be really good chocolate! In addition, the survey established that pet names are all too often passwords of choice, and are also willingly shared. Scroll to the end of the article and review the reader comments as well.
Today the FTC hosted a public workshop, "Monitoring Software on Your PC: Spyware, Adware, and Other Software,'' (Agenda, pdf) "to explore the issues associated with the distribution and effects of software that aids in gathering information about a person or organization without their knowledge and which may send such information to another entity without the consumer's consent, or asserts control over a computer without the consumer's knowledge."
ISP EarthLink and privacy software company Webroot Software have published their first report on the pervasive impact of spyware, based on an audit covering the first three months of 2004, that includes scans of one million PCs. See also this PCWorld article on Spy Stoppers.
Yale Law School's Information Society Project hosted the CyberCrime and Digital Law Enforcement Conference March 26-28. From the conference, links to selected presentations are as follows:
From the FTC press release: "A new Spam Scam Alert from the Federal Trade Commission could help consumers avoid becoming identity theft victims."
From the Computer Crime Research Center: Internet fraud: volumes are increasing:
Treasury notice from the March 2 Federal Register:
RSA Security Study Shows Identity Theft Awareness High, But Consumer Confidence Low, (abstract only available online).
From PC Magazine, Identity Theft: What, Me Worry? is a useful article that documents the experiences of one couple who were victims of "low-tech" fraud, offers a series of steps to protect against such crimes, a guide to e-gov resources and credit bureau telephone numbers and web links, as well as a list of check fraud resources.
Assembly Bill 459, "an Act to repeal and recreate 409.521 of the statutes; relating to: inclusion of social security numbers and employer identification numbers in Uniform Commercial Code financing statements," was by Governor Jim Doyle on February 6.
From the FTC press release today: "The notice provides a background summary of FACTA and the rulemaking, contains an overview of the public comments received, and includes a section-by-section analysis of the final effective dates rules.."
Fraudulent Online Identity Sanctions Act (Introduced in House), February 3, 2004: HR 3754, To provide additional civil and criminal remedies for domain name fraud.
The Center for Democracy and Technology investigated problems of ID theft and fraud at state motor vehicle administration offices nationwide. They conclude, in the report referenced below, that driver license information is subject to widespread theft due to fraud and bribery, and recommend remedies to address the widespread availability of false licenses that compromise individual and national security.
Personal data, including social security numbers, birth dates, addresses and credit card numbers of 20,000 University of Georgia students and applicants may have been compromised by hackers who accessed the university's campus server. [Information Week]
The federally funded Internet Fraud Complaint Center, last week renamed the Internet Crime Complaint Center (IC3), reported a 60% increase in a range of cybercrimes from 2002 to 2003. According to the IC3, cybercrimes include: Intellectual Property Rights (IPR) matters, Computer Intrusions (hacking), Economic Espionage (Theft of Trade Secrets), On-line Extortion, International Money Laundering, and Identity Theft.
From Perry Aftab, this article on pro-active ways to use the web to ascertain what personal information is online about you and your children, and suggestions for safe web use and protecting your privacy while online. See also her site, WiredSafety, which focuses on resources to combat cybercrime.
The San Diego County Californa Board of Supervisors will institute an ID Theft Task Force in cooperation with the DA and law enforcement as a means to combat the second highest rate of ID theft in the state. [Link]
From the Privacy Rights Clearinghouse: Testimony on December 9 by Beth Givens to the San Diego County Chairman's Conference on Identity Theft--Prevent Identity Theft with Responsible Information-Handling Practices in the Workplace. "The keys to prevention are two-fold, involving the credit industry and the workplace:
Today the Supreme Court heard oral arguments in Buck Doe v. Elaine L. Chao, Secretary of Labor (No. 02-1377), involving the Privacy Act of 1974 and the wrongful disclosure of the social security number of a coal miner seeking benefits for black lung disease.
A recently conducted customer information protection survey highlights increasing consumer concerns regarding the security of their personal data in online transactions, especially in the e-tail arena. The survey identifies specific companies (including American Express, eBay and AOL) and industries (including hospitals, pharmacies and banks) in whom respondents indicated particular trust.
"As Congress moves into the final wrangling over an update to the Fair Credit Reporting Act designed in part to slow the growth of identity theft, victim advocates are complaining the legislation might actually make things worse. The central issue is one of the oldest debates in American politics: states’ rights vs. a strong central government. But victim advocates worry that millions who face identity theft each year might have a hard time finding justice, and stopping the crime, if the states’ rights advocates lose the argument." [Link]
"So-called phisher e-mails, which look like authentic notes from real companies like eBay, Citibank or America Online, are a growing problem for Internet users, who continue to fall for the dupe and give away credit card numbers, Social Security numbers, and other critical personal data." [Link]
From today's Daily Business Review:
CircleID reports that a letter to ICANN, seeking increased privacy for the wealth of personal data available in the WHOIS database, has been signed by a coalition of 50 organizations, including the American Library Association (ALA). The ICANN Meeting is currently underway in Carthage, Tunisia through October 31, and a link to the agenda is here.
Federal Agencies' Guidelines [proposed August 12, 2003, by the FDIC, OCC, Federal Reserve and OTS] regarding Notification by Financial Companies when a Security Breach Compromises Customer Data and Exposes Individuals to Identity Theft: comments submitted by the Privacy Rights Clearinghouse on October 14.
From the press release on a new report to be issued September 25 by ID Analytics, titled National Report on Identity Fraud. "The year-long research project leading up to this report analyzed more than 200 million records, including valid and fraudulent consumer applications for credit, debit and new accounts, together with the largest collection of cross industry known frauds to date."
The Executive Summary for the report states:
The October 2003 issue of Consumer Reports has two free resources on their corresponding website to assist consumers in combatting ID theft:
H.R. 2622, to amend the Fair Credit Reporting Act, to prevent identity theft, improve resolution of consumer disputes, improve the accuracy of consumer records, make improvements in the use of, and consumer access to, credit information, and for other purposes, passed the House on September 10.
The Alias Among Us: The Homeland Security and Terrorism from Document Fraud, Identity Theft and Social Security Number Misuse, Senate Finance Committee Hearing, September 9, 2003 (this site provides links to testimony by seven witnesses as well as committee members).
From the Committee on Judiciary, Subcommittee on Courts, the Internet, and Intellectual Property September 4, 2003 - Oversight Hearing on "Internet Domain Name Fraud - the U.S. Government’s Role in Ensuring Public Access to Accurate Whois Data":
The Privacy Rights Clearinghouse provides summaries of, and links to, data on three recent surveys documenting the rise in the rate of ID theft:
The Foundation for Taxpayer & Consumer Rights (FTCR), a non-profit California advocacy group, is publicizing their purchase of personal data, including social security numbers and home addresses, of high ranking Bush administration officials, as a means of demonstrating the need for stronger privacy legislation. However, states such as California, which recently passed the strongest financial privacy law in the country, are concerned that proposed amendments (H.R. 2622) to the Fair Credit Reporting Act may undermine these new protections.
California Identity Theft Laws, Compiled July 2003, by the Privacy Rights Clearinghouse.
ID Theft Continues to Increase: "The number of Americans who fell victim to identity theft in 2002 grew 81 percent over the year before. And incidents reported so far in 2003 suggest a major rise over last year...More than 13 million Americans have fallen victim to identity theft or fraud since January 2001," according to a new survey by Harris Interactive, designed by "Alan Westin, professor emeritus of public law and government at Columbia University." [Link]
From the New York Times: "William Sheehan does not like the police. He expresses his views about what he calls police corruption in Washington State on his Web site, where he also posts lists of police officers' addresses, home phone numbers and Social Security numbers."
From the press release by Rep. Matt Pierce: Effective July 1, Senate Enrolled Act 320 (Public Law 22) "provides a way for victims of identity theft to restore tainted credit histories, and expands the legal definition of the crime to make prosecutions easier."
Spammers' fake sites dupe consumers: "Customers of Best Buy, EarthLink and America Online are among recent targets of so-called phisher sites, bogus Web sites that fish for personal data such as credit card and Social Security numbers from unsuspecting consumers."
In a July 1 press release, Sen. Charles Schumer (D-NY) asked the "Federal Trade Commission (FTC) to issue a consumer advisory alert warning Internet users to carefully read the privacy policies of websites asking for personal information and to develop guidelines to ensure that these privacy policies fully disclose how that data will be used."
Doe v. Chao, 02-1377.
"The Supreme Court agreed Friday to join the debate over consumers' privacy rights in a case that will decide how the government can be punished for revealing Social Security numbers and other personal information."
On June 26, Sen. Dianne Feinstein (D-Calif.) introduced legislation, S. 1350 (the Notification of Risk to Personal Data Act) "to require businesses or government agencies to notify individuals if a database has been broken into and personal data has been compromised, including Social Security numbers, driver's licenses and credit cards. The bill is modeled, in part, on a California law that will come into effect on July 1."
Information Flows: The Costs and Benefits to Consumers and Businesses of The Collection and Use of Consumer Information, June 18, 2003.
On March 27, Sen. Biden introduced S. 731, the Secure Authentication Feature and Enhanced Identification Defense Act of 2003" (SAFE ID Act), to prohibit fraud and related activity in connection with authentication features.
Fact Sheet, Operation E-Con: Cracking Down on Internet Crime, released by the DOJ on May 16, 2003. "Since its inception, Operation E-Con has conducted over 90 investigations involving 89,000 victims and estimated losses of more than $176 million....To date Operation E-Con has executed over 70 search and seizure warrants that have led to 130 arrests and convictions and over $17 million in seizures and recoveries."
The FTC issued a press release today announcing the filing of 45 criminal and civil actions (state and federal) in conjunction with the SEC, the Postal Service and other state law enforcement agencies, in an aggressive and wide ranging campaign against "Internet scammers and deceptive spammers." Links are provided to the full-text copies of the eight lawsuits filed in district courts, and descriptions are provided concerning the specific scams.
PCWorld reports on a scam used against Bank of America customers which lured them via an unauthorized e-mail message to a fake site used to capture their personal data. The article also references a site that collects links to fake banks and examples of bank scam e-mails from around the world, called Scam o Rama.
The Federal Trade Commission’s Bureau of Consumer Protection announced its sponsorship of new workshops on "Technologies for Protecting Personal Information" to be held on May 14 and June 4, 2003. "The workshops are intended to explore the role of technology in helping consumers and businesses to protect consumer information." The agenda for the May 14 workshop is available here.
Judge Thomas W. Thrash Jr., U.S. District Court, Northern District of Georgia, granted EarthLink an injunction and a $16.4 million judgment against Howard Carmack, who engaged in ID theft and fraud to deliver over 800 million spam e-mails last year via the hundreds of accounts he established with the ISP. How much EarthLink can expect to collect....nil.
For reference, see the Computer Fraud and Abuse Act of 1986, 18 USC 1030.
In a related update, see this May 14 article from News.com, 'Buffalo Spammer' nabbed in New York which says that "New York state authorities have arrested the e-mail marketer "Buffalo Spammer," in the state's first criminal case against a junk mailer."
Building Trust on the Web, Consumer WebWatch's First National Summit on Web Credibility, April 24, 2003. Presentation topics include: Health Web Sites, Search Engines, Guidelines & Best Practices on the Web, Scams & Schemes: Why Don't Consumers Trust the Web?, and Toward a More Credible Web. See this link for Jim Guest's opening remarks.
The New York Times reports on a New Jersey program, beginning this summer, to implement digitized security features on the state's driver licenses to prevent theft and fraud. The features will include "holograms, a bar code and digital signatures."
The South Carolina Senate approved The Consumer Identity Theft Protection Act (S. 222) on April 16. The bill provides for the creation of an identity theft database by the Attorney General, expedited court proceedings for victims of ID theft, stricter verification of card holder identification by credit card companies, and blocks the distribution of inaccurate information about victims of ID theft by credit reporting companies. See also this article, New bill aims to protect SC consumers from ID theft.
From ABATechShow 2003, here is an updated version of my annotated bibliography (pdf) of federal, state, and advocacy resources on ID theft and fraud. Included are links to pending federal legislation, dozens of topical guides published by federal agencies and state AGs, and links to selected news about recent, high-profile cases of ID theft. Please feel free to contact me with any suggestions, links and other resources.
Internet News reported on April 3 that the FTC "has finalized its Gramm-Leach-Bliley Safeguards Rule, which requires financial institutions under the FTC's jurisdiction to develop and implement appropriate physical, technical, and procedural safeguards to protect customer information. The rule becomes effective on May 23."
In related news, this press release, The FTC Targets Security to Combat Identity Theft, provides links to testimony by Howard Beales, Director of the FTC's Bureau of Consumer Protection, before the House Committee on Financial Services, and to testimony by Betsy Broder, assistant director for planning and information at the FTC, before the Committee on the Judiciary, Council of the District of Columbia.
On March 31, Sen. Dianne Feinstein (D-CA) introduced S. 745, "A bill to require the consent of an individual prior to the sale and marketing of such individual's personally identifiable information, and for other purposes." Her press release states that the legislation seeks to establish a national standard for the protection of personal information, including social security numbers, drivers' licenses, health and financial data, using a mandatory opt-in and opt-out procedure.
In what can only be described as a huge step backward in the fight against ID theft, the Sacramento Bee reported that the California State University's computer system has for some years had a "glitch" that allows users to view the social security numbers and personal data of students and employees. State Senator Debra Bowen, a strong advocate for consumer privacy, is quoted as saying, ""Students and employees of the CSU have the right to expect their private information will be kept private and not be made accessible to everyone that can get into the system."
The Office of the Inspector General of the Social Security Administration recently issued a report, Federal Agencies' Controls Over the Access, Disclosure and Use of Social Security Numbers by External Entities (PDF), documenting problems with unauthorized access to, and dissemination of, social security numbers.
See also this March 6, 2003 speech by James G. Huse, Jr., Inspector General, Social Security Administration: Preventing and Detecting Social Security Fraud.
Johnny Sutton, United States Attorney, Western District of Texas announced March 14 that University of Texas at Austin student Christopher Andrew Phillips was charged with unauthorized access to the university's computer system and the theft of more than 55,000 records containing personal data. Sutton states: "At this point, there is no indication that the stolen data was further disseminated or used to anyone’s detriment." My previous postings on this hacking are here and here.
See also this Austin-American Statesman article that provides details on the twenty-year old computer science student who commited the largest data theft on record from a university, and the criminal complaint filed against him.
A survey of 1,000 adults conducted by FindLaw indicates that most American are aware of the growing rate of ID theft, and are taking certain precautions to protect themselves. These efforts include shredding credit card receipts and other financial documents prior to disposal, limiting access to social security numbers, and reviewing bank and credit card statements for fraudulent activity. See the press release here.
See also this USA Today article, Hackers evolve from pranksters into profiteers (requires registration), that provides tips on how to avoid ID theft, and also reviews recent high-profile incidences of hacking here and abroad and the costs involved to businesses and to individuals.
Subsequent to the hacking of UT Austin's computer system last week, resulting in the theft of personal data from more than 50,000 records as reported in my previous posting here, Texas lawmakers are giving closer consideration to a previously introduced bill banning the use of social security numbers on student IDs. The act, HB 1026, "relating to regulating the use of social security numbers by institutions of higher education," would take effect September 1, 2003. As of March 10 however, this bill has been left pending by the House Committee on Higher Education.
The statistics for ID theft are already registering signficant numbers for a year that is still in its first quarter. According to this press release from the University of Texas at Austin, the university's computer system was hacked, exposing some 55,200 records that included names and social security numbers of current and past students, faculty, staff and job applicants, in the largest known attack of its kind to date. For further information, see this press release from United States Attorney Johnny Sutton and a university sponsored website on Identity Protection Resources.
See also this article, UT redoubles vigilance after network intrusion, March 8, 2003 (now archived and requires a fee to access via the Austin American Statesman).
The National Consumers League, Internet Fraud Watch published two surveys on Web e-mail scams: Top 10 Internet Scams 2001 (includes data on Type of Complaint, Percentage of Total Complaints and Average Loss), and Ages of Consumers Who Filed Complaints, 2001 (includes Percentage of Total Complaints). The surveys are available in tabular format on this webpage.
The longest continuously running global e-mail scam, in operation since the 1980s, is the Nigerian e-mail fraud. Doubtless you have received such e-mails on a daily basis if you are not using blocking software. For more information, see this United States Secret Service site on what is known as Advance Fee Fraud (AFF) or "4-1-9" fraud, which refers to the section of the Nigerian Penal Code on fraud schemes.
See also this article from CNN today, Latest ID theft scam: Fake job listings. Monster.com e-mailed its users and stated "regrettably, from time to time, false job postings are listed online and used to illegally collect personal information from unsuspecting job seekers."
The Gartner Group released a news analysis on February 20, Stolen Credit Card Case Should Prompt Card Companies to Act, in reponse to the recent hacking of a database containing millions of credit card records. Their conclusion: "The theft of 8 million credit cards reveals serious flaws in card companies' disclosure processes. Credit card issuers should improve security and notification of consumers or face onerous legislation."
See also these two related articles from the USAToday, PNC Bank cancels check cards following hacker incident and Firms targeted by hackers keep vulnerabilities secret.
The Federal Trade Commission is sponsoring two free workshops, Technologies for Protecting Personal Information: The Consumer Experience (May 14, 2003), and Technologies for Protecting Personal Information: The Business Experience (June 4, 2003), according to this February 21 press release. See also the text of the Federal Register notice on these workshops, for which written comments must be submitted by April 23.
The Virginia House yesterday passed and adopted HB 2426 - Posting certain information on the Internet; prohibitions, in response to growing public concerns about privacy and ID theft. The bill "provides that beginning July 1, 2003, no state agency or court clerk shall post on a state agency or court-controlled website any document that contains the following information: (i) an actual signature; (ii) a social security number; (iii) a date of birth identified with a particular person; (iv) the maiden name of a person's parent so as to be identified with a particular person; (v) any financial account number or numbers; or (vi) the name and age of any minor child."
CNN reports on an announcement by Visa and Mastercard (which does not appear on either of their respective websites) revealing that a hacker accessed the records of up to 2.2 million accounts via a contractor (Data Processors International) that processes their credit card transactions. According to CNN "the affected accounts make up about one-third of 1 percent of the 560 million MasterCard and Visa cards in the United States." According to a Washington Post article, the exposed database contained 8 million records of customer data, including accounts from American Express as well.
Sen. Dianne Feinstein (D-CA), is the sponsor of S. 223, a bill to prevent identity theft, and for other purposes, introduced on January 28.
The UCLA Center for Communication Policy today released the third installment of their report, Surveying the Digital Future. The report addresses topics that include the following; Internet Users - Who is Online, Who is Not; Media Use and Trust; Consumer Behavior, Communications Patterns, Social Effects of the Internet (on family, children, friends, politics); the Internet at Work, and user satisfaction with the Internet. Results indicate that the majority of respondents believe the Internet is an important source of information, and spend more time online than watching television. However, levels of concern about ID theft are at an all time high.
Another recently released UCLA survey indicates that college freshmen spent less time studying and more time surfing the Net.
This USA Today article highlights how your employee data is increasingly vulnerable to ID theft. The means by which such information is obtained is not necessarily sophisticated or complicated, or accomplished electronically. For example, credit card receipts, 401K reports and direct deposit pay stubs thrown into the office trash are collected and then used to steal employee identities, so be careful what you throw away, and think about using a shredder for personal documents you discard.
The United States Sentencing Commission (USSC) is seeking public comment on proposed amendments to guidelines applicable to persons convicted of crimes related to the misuse of computers (i.e., hacking, cracking, writing and disseminating viruses, ID theft, web-related fraud, etc.). These new guidelines have garnered a new level of attention due to significantly increased incidences of computer related crimes. In addition, the commission is seeking comment on other proposed guidelines in response to three major post 9/11 laws: the Patriot Act, the Public Health Security and Bioterrorism Preparedness and Response Act of 2002, and the Terrorist Bombings Convention Implementation Act of 2002.
This FTC press release provides an overview of their new 2002 National and State Trends in Fraud Identity Theft Report (in PDF). ID theft accounts for 43% of total complaints made, with fraud associated with Internet auctions accounting for 13% of complaints.
See also another new FTC report, ID Theft: When Bad Things Happen To Your Good Name, a step-by-step guide to prevent ID theft that also provides considerable useful documentation on services and resources available to those who are already victims of fraud.
For more information on this issue, the FTC participates in a program called Consumer Sentinel, along with state, federal and international law enforcement agencies and consumer advocacy groups, which produces, maintains and updates an ID theft and consumer fraud database. Some of the data is available to the public, such as fraud complaint and ID theft victims reported by state, as well as a chart of top complaint categories.
eMarketer has published an article, Personal Information: The Push-Pull Between Companies & Consumers, that incorporates survey data collected by a number of organizations including, Harris Interactive, ConsumerWebWatch, and PricewaterhouseCoopers. E-privacy and ID theft concerns dominate consumer perspectives when conducting online transactions. In a related article, MSNBC reports on extensive credit card fraud complaints involving PayPal, the dominant force in Internet transaction payment systems. PayPal is the subject of class action lawsuits, and merged with eBay in October, 2002.
Thought I would mention what looks to be an interesting conference in London on February 5., 2003: The Politics of Code: Shaping the Future of the Next Internet. Speakers, including Larry Lessig and Esther Dyson will address issues such as privacy, open source, digital rights, id theft, other legal-tech topics.
Key logging software has been around for quite awhile. Companies use it to 'virtually' stand over the shoulders of employees and read every letter typed on their keyboards. But this software is also used by hackers to commit identity theft, as was the case with nefarious installations on the computer systems of major universities throughout the country, as reported this past June.
Anti-key logging programs are available to detect monitoring (SpyCop and Anti-keyloggers are two examples). However, TechTV reports that a "black code" written into the key logging programs causes PCs to crash when the defensive software is detected.