What to do with leftover customer data?

Posted by Caitlin on July 1st, 2009

Verified Identity Pass was a privately owned company that offered a service called Clear, which was designed to help air travelers get through airport security checks faster by vetting their identities and backgrounds in advance. On June 21, Verified Identity Pass announced that, for financial reasons, it would be ceasing operations. The abrupt closure has raised serious concerns about the customer data collected by the company. Stored information includes fingerprints, iris scans and digital images for roughly 260,000 customers. While this registered travel program was privately owned, it was authorized by the TSA, which required the service to record full legal names, home addresses, dates and places of birth, genders, heights, driver's license numbers, passport details and other information for all customers.

Bennie Thompson, the chairman of the House Committee on Homeland Security, has given the Transportation Security Administration until July 8 to explain how the agency plans to ensure the security of all this data. The TSA is in the process of putting together a response to this question, and in the meantime, claims that Clear is appropriately safeguarding the collected data. Verified Identity Pass assures customers that their information is being stored in conformance with the TSA's security and privacy requirements. But the data has yet to be deleted, leaving open the possibility that it could be sold or passed on to a third party, if the intention is to use it for another registered travel program.

As long as our personal information is out there, beyond our control, it is wise to invest in identity theft protection.

Data Breach Alert: Stolen laptop puts Cornell students at risk

Posted by Caitlin on June 29th, 2009

Earlier this month, a laptop was stolen from Cornell University. The stolen laptop contained names and Social Security numbers for 22,546 current and former students and 22,731 faculty and staff members. In violation of Cornell's policy, the laptop was left in a physically insecure environment, and the names and Social Security numbers were not encrypted. New York State Police have launched an investigation to find the thief and recover the laptop. Cornell is offering free credit monitoring and identity theft restoration services to those whose identities have been compromised.

Lost or stolen laptops are a major cause of data breaches. Even if the missing computer does not contain a database of sensitive personal data, in the wrong hands, it can be scoured for useful information that puts the owner at risk. For tips on how to mitigate this risk, see our "How to deal with a lost or stolen laptop" guide. And see our reviews and comparison chart for more information about credit monitoring or identity theft protection services.

New security patch protects BlackBerry business users

Posted by Caitlin on June 10th, 2009

Research in Motion recently released a security patch to repair a vulnerability in the software on some BlackBerry smartphones. This particular vulnerability occurs in the PDF distiller program, and only impacts consumers that use BlackBerry Enterprise Server, versions 4.1 through 5.0. Unpatched, it could allow hackers to send BlackBerry users emails with specially crafted PDF attachments containing malware designed to steal data. The patch itself, along with further details, can be found on the BlackBerry support forum.

As smartphones become even more popular and increasingly powerful and complex, they will draw more attention from hackers and identity thieves. Until more robust security software is made available for smartphones, users should be vigilant when it comes to security patches like this one, and consider investing in an identity theft protection service.

Data Breach Alert: More than 17,000 VCU students impacted

Posted by Caitlin on June 10th, 2009

Last week, Virginia Commonwealth University sent letters to 17,214 current and former students, notifying them that their names, Social Security numbers and test scores may have been exposed when a computer was stolen from the school library. VCU is offering the impacted individuals one year of identity theft insurance. Another 22,500 students have been notified that their names and test scores, but not their Social Security numbers, have also been compromised. VCU identified students by their Social Security numbers until January 2007, but now uses computer generated student identification numbers instead.

This breach draws attention to two areas of vulnerability in guarding one's own identity. When universities and other organizations rely on Social Security numbers for identification, those Social Security numbers are often recorded in databases that are not adequately secure. This places countless individuals at a greater risk for identity theft. Stolen computers are also a common source of data breaches and identity theft. Our NextAdvisor.com guide, How to deal with a lost or stolen laptop, details some of the ways you can prevent or mitigate the costs and risks associated with missing computers.

To learn about identity theft protection services, see our reviews and comparison chart.

Credit card processors' new approach to preventing data theft

Posted by Caitlin on May 28th, 2009

When credit card processors fail to adequately protect customer data, data breaches and identity theft occur. This fall, they'll be trying out a new strategy for protecting that data. Since processors are finding it impossible to thwart each and every hacker, they'll encrypt the data in such tiny segments that stealing it will no longer be cost-effective for criminals. Heartland Payment Systems, which recently announced a major data breach, will be introducing the new data storage system in October, with the hope that identity thieves will be deterred by the lack of easy profit.

This week, Consumerist posted an interesting interview with Evan Schuman, the editor and publisher of the blog StorefrontBacktalk.com, which sheds some light on the strengths and weaknesses of this new technique. The interview also makes it clear that while Heartland's strategy may be somewhat effective, only a significant investment in encryption technology by the credit card providers themselves will truly make our credit card transactions safe from identity thieves. And unfortunately, the credit card providers don't seem particularly eager to spend the money that would require.

In the meantime, the best way to stop hackers who attempt to steal your credit card data and open new credit accounts in your name is to make your own investment in identity theft protection or credit monitoring.

One week of major data breaches

Posted by Robert Siciliano on May 8th, 2009

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

Criminal hackers continue to step up to the plate. Security professionals are fighting, and sometimes losing, the battle. Here's one week's worth of hacks:

LexisNexis, which owns ChoicePoint, an information broker I recently blogged about that was hacked in 2005, was just hacked again this week. On Friday, LexisNexis Group notified more than 32,000 people that their information may have been stolen and used in a credit card scam that involved stealing names, birth dates and Social Security numbers to set up fake credit card accounts. The cybercriminals broke into USPS mailboxes of businesses that contained LexisNexis database information, according to a breach notification letter sent by LexisNexis to its customers. The U.S. Postal Inspection Service is investigating the matter. (Check your credit reports and examine your credit card statements carefully!)

CNET reports that hackers broke into FAA air traffic control systems, too. The hackers compromised an FAA public-facing computer and used it to gain access to personally identifiable information, such as Social Security numbers, for 48,000 current and former FAA employees. In a House Oversight and Government Reform Subcommittee testimony, it was stated, "FAA computer systems were hacked and, as the FAA increases its dependence on modern IP-based networks, the risk of the intentional disruption of commercial air traffic has increased."

Computerworld reports that a hacker has threatened to expose health data and is demanding $10 million. Good for him, bad for the Virginia Department of Health Professions. The alleged ransom note posted on the Virginia DHP Prescription Monitoring Program site claimed that the hacker had backed up and encrypted more than 8 million patient records and 35 million prescriptions and then deleted the original data. "Unfortunately for Virginia, their backups seem to have gone missing, too. Uh oh," posted the hacker. Holding data hostage is nothing new, but it is becoming increasingly common.

The Register reports that botherders have taken control of 12 million new IP addresses in the first quarter of 2009, a 50% increase since the last quarter of 2008, according to an Internet security report from McAfee. The infamous Conficker superworm has occupied all the headlines, and makes a big contribution to the overall figure of compromised Windows PCs, but other strains of malware collectively make a big contribution to this number. McAfee's Threat Report notes that the US is home to 18% of botnet-infected computers.

While you can't do much about others being irresponsible with your data, you can protect your identity, to a degree. Consider investing in identity theft protection and always keep your Internet security software updated.

Robert Siciliano, identity theft speaker, discusses Ransomware.

Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of 2 books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.

Data Breach Alert: U.S. Postal Inspection Service and LexisNexis

Posted by Caitlin on May 6th, 2009

The U.S. Postal Inspection Service is in the process of notifying more than 30,000 people that their personal information may have been compromised in a data breach executed by businesses that are former LexisNexis customers. These thieves used personal information from LexisNexis and broke into mailboxes at commercial mail-receiving businesses in order to obtain fraudulent credit cards. The personal data was probably accessed between June 14, 2004 and October 10, 2007. At least 300 people have definitely been impacted, and the rest are thought to be vulnerable.

LexisNexis is offering all 30,000 individuals whose identities may have been compromised a free year of credit monitoring by ConsumerInfo.com.

See our reviews and comparison charts to learn more about credit report monitoring and identity theft protection.

Employee turnover often equals business data breaches

Posted by Caitlin on April 8th, 2009

The phrase “employee turnover” is closely linked with the word “unemployment” in the minds of most workers these days, but on the employer side, data breaches are an equally worrisome issue. This is according to a recent national survey conducted by the Ponemon Institute, which found that employee turnover commonly results in significant business data losses.

The Symantec-sponsored report of these survey findings revealed that 59% of employees who left a company for any reason had stolen business data prior to their departure, even though 79% admitted that they violated company rules by doing so. Even more disturbing, 67% of these survey respondents actually used the data they stole, exploiting the former company's confidential information in order to secure a new job. 68% of respondents had future plans to use their former company's stolen data.

According to the survey results, most stolen data involved email communications. The survey revealed that 65% of respondents had taken email lists and 64% had pilfered old emails, while another 38% admitted to sending company data as email attachments to their personal accounts.

Other common types of stolen business information included computer history and hard copy files (62% of respondents), CDs and DVDs (53%) and small USB drives (42%). The rarest type of stolen company data was source code, which was taken by just 3% of respondents.

Unsurprisingly, the survey results also found that disgruntled employees were almost three times as likely to steal company information (61%) as employees who liked and respected the companies they left (26%).

The report of these survey findings concluded with tips for preventing employee turnover-based data theft, advising companies to take steps that included:

  • Conducting an assessment of potential data loss immediately after an employee leaves the company
  • Creating or maintaining corporate policies, clearly stating that former employees will no longer be allowed to access or use any proprietary or confidential company information once they leave
  • Implementing a day-to-day monitoring system to keep track of every employee's access to network and system resources in order to discover data breaches at the time they occur and prevent any further damage from occurring

Data breaches can lead to identity theft, among other cyber crimes. To learn more about protecting yourself from data loss and identity theft, see our reviews and comparison charts for identity theft protection and online backup services. You may also be interested in NextAdvisor.com's guide on how to deal with a lost or stolen laptop.

Data Breach Alert: A series of data thefts impact Visa and MasterCard

Posted by Caitlin on March 3rd, 2009

Reports of another breach have followed the news that 100 million transactions processed by Heartland Payment Systems had been exposed last month. Visa and MasterCard recently warned certain banks and credit unions that more customer data has been compromised, but will not disclose the name of the latest credit card processor to be infiltrated, nor will they say how many customers have been affected.

The Heartland breach was discovered only after a pattern of credit card fraud emerged, leading back to the credit card processor. This means that the stolen card numbers were actively in use by identity thieves. Security analyst Michael Argast says that the latest stolen data has most likely also reached the hands of criminals.

Impacted banks have begun issuing replacement credit and debit cards to MasterCard and Visa cardholders, and will continue to do so over the next few weeks. It is always a good idea to have a credit monitoring service keep an eye on your credit report and alert you of any suspicious activity.

An identity theft protection service will go a step further to protect you and to prevent fraudulent accounts from being opened in your name. To learn more about credit monitoring services and identity theft protection services, see our reviews and comparison charts.

Confirmed: Data breach related 15% discount sale at all TJ Maxx, Marshalls stores on Thursday January 22, 2009

Posted by Joe on January 21st, 2009

We have confirmed that all TJX stores nationwide, including TJ Maxx, Marshalls, The Maxx, A.J. Wright and HomeGoods, will be holding a 15% discount sale tomorrow, Thursday, January 22, 2009. The sale is part of a customer goodwill effort following a massive data breach by the company that exposed millions of customer records to hackers.

The 15% discount sale will be open to any shoppers, not just those consumers that were potentially impacted by the breach. TJX will also honor any other discounts on top of the 15% (although this does not include employee discounts). TJX has previously stated that all stores will have extended hours between 8 a.m. and 10 p.m. for the special sale day.
