Monday, October 19, 2009

BlueCross BlueShield and Virginia DepEd Breaches

Oct. 6, 2009 - BlueCross BlueShield Assn. (Chicago, IL)
A file containing identifying information for every physician in the country contracted with a Blues-affiliated insurance plan was on a laptop computer stolen from a BlueCross BlueShield Assn. employee. The file included the name, address, tax identification number and national provider identifier number for about 850,000 doctors. Some 16% to 22% of those physicians listed -- as many as 187,000 -- used their Social Security numbers as a tax ID or NPI number.
Records affected: 187,000

Oct. 15, 2009 - Virginia Department of Education (Richmond, VA)
(877) 347-5224
A flash drive containing the personal information of more than 103,000 former adult education students in Virginia was misplaced. The information included names, Social Security numbers and employment and demographic information. The flash drive contained information on all students who finished an adult education course in Virginia from April 2007 through June 2009 or who passed a high school equivalency test between January 2001 and June 2009.
Records affected: 103,000

Tuesday, October 13, 2009

6 Ways We Gave Up Our Privacy

October 12, 2009

Editor's note: Tomorrow, we continue this report with a podcast featuring Chicago-based business consultant Mark Cummuta, who specializes in compliance, security and CIO challenges.

Privacy has long been seen as a basic, sacred right. But in the Web 2.0 world, where the average user is addicted to Google apps, GPS devices, a BlackBerry or iPhone, and social networking sites such as Facebook and Twitter, that right is slowly and willingly being chipped away. In fact, some security experts believe it's gone already.

Adding to this sobering reality is that public and private entities have a growing array of tools to track our movements, habits and choices. RFID tags are on more of the items we take for granted. Those discount cards you use at the grocery store offer companies an excellent snapshot of the choices you make. And in the post 9-11 world, the government has greatly expanded its power to spy on you with such laws as The Patriot Act.

"Your credit card company and your loyalty card program memberships track your purchases, travels, expenditure levels, and blend that into offers that meet your lifestyle profile," said John Zurawski, vice president of Authentify Inc. "Firms sell GPS devices specifically to be hidden in vehicles permitting anyone to track your movements. The RFID Tollway passes states offer to speed you through their toll roads know where you've been and how fast you drove."

Based on an informal survey of privacy and security experts, here are six examples of how we've willingly allowed our privacy to be taken away, and how we might be able to get some of it back.

1. Google
Google apps such as Gmail and Google calendar allow individuals and organizations to bring order to the hectic process of scheduling and communicating. But when you input company agenda items into the applications along with other proprietary information and potentially embarrassing things like an upcoming doctor's appointment, you're giving up privacy to Google, said Chicago-based business consultant Mark Cummuta, who specializes in compliance, security and CIO challenges.

"When Google first started, it said it would only use that information internally, to get a sense of the things you like and talk about," he said. "All that information used to be gathered in a way where you explicitly gave permission, through things like surveys. But Google can easily poke around without seeking permission, and they don't explain to you how they know what they know."

2. Social networking
It is increasingly hard NOT to find someone on LinkedIn, Facebook, Twitter or all of the above. Then there's Myspace and a lot of lesser-known social networking sites. If you use these services -- and you probably do -- chances are pretty good that you give up a lot of your privacy every day, willingly and even happily. Security experts have spent a lot of time ringing the alarm bell over this lately, because bad actors can easily take the personal tidbits you post and use them against you, for everything from marketing to blackmail.

"Privacy is evaporating because Facebook, Myspace, Twitter and blogs are raising a generation of kids and adults who have no concept of privacy or the ability to truly understand that nothing digital is ever forgotten or destroyed," said Raj Goel, owner of security compliance consultancy Brainlink International Inc. "Ten years from now, kids will be Googling their mommy's spring break pictures and their daddy's Facebook profile, if they don't do so already."

3. RFID tags and loyalty cards
In this fast-paced world, people use special transponders to blow through highway toll stations without stopping and pay for gas without having to swipe a credit card. Then there are those cards you present at the grocery store for discounts. All have technology that can be used to track your movements and habits, right down to the time of day you typically go through a toll plaza each morning on the drive to work.

"Let's add RFID chips, the Real ID Act and the PASS Act to the list as well. How about chips in passports? We're lulled into a false sense of security and people aren't realizing that they are simply giving those rights to privacy away," said Julie Davis Friend, president of Gemstone Partners, a firm that advises organizations on issues surrounding identity theft and new legal requirements.

4. The Patriot Act
Given all the debate about the evils of The Patriot Act and how it gave the government a ridiculous amount of power to spy on people, we often forget that citizens were perfectly comfortable giving away privacy in the immediate aftermath of 9-11, when people were consumed with the desire to stop the next terrorist attack from happening. [See also: Eight Years After 9-11: Better Security or Just Luck?] Many a security expert will argue that the law did indeed improve our safety and prevent more attacks. In other words, enacting it was the right thing to do. But it's also universally accepted that civil liberties were eroded under the law.

Notes Zurawski: "The Patriot Act granted broad powers to law enforcement to enter your home with 'probable cause' and no warrant."

5. GPS
GPS navigation used to be a luxury item. Now most of us use the technology. It's relatively inexpensive to buy a GPS device that's bolted to the dashboard. Higher-end cars come with built-in GPS. And there are plenty of free navigation apps available for the BlackBerry and iPhone. The flip side to fewer people getting lost is that the providers of those systems can track your whereabouts without breaking a sweat.

6. The Kindle
Here's one you may not have seen coming. The increasingly popular Kindle allows us to tear through books on the go. But the device also "keeps track of what you read, how quickly you read it, what you may have read over several times, and can delete content you've paid for without your knowledge should it become 'necessary,'" Zurawski said.

Getting back some privacy
The good news in all of this is that there are steps people can take to protect more of their privacy. Educating younger folks on what they are giving away is a good place to start, those polled said. Businesses should steer clear of something like Gmail if they have sensitive data to send someone. And consumers can demand that government agencies crack down on the privacy-stealing practices of private-sector companies.

"The FTC could take on Facebook, Myspace and other sites that target kids the same way they expanded HIPAA's scope and brought online health care databases under their purview," Goel said. "When my government grows up, I want them to be the FTC -- the only national agency that's done anything meaningful about consumer privacy and security in the past decade."

Thursday, October 8, 2009

53 arrested in international cybercrime case

Story By Mary Manning
http://www.lasvegassun.com/news/2009/oct/07/3-las-vegans-arrested-international-cybercrime-cas/

Indictment:
http://media.lasvegassun.com/media/pdfs/blogs/documents/2009/10/07/indictment1007.pdf

Three Las Vegas residents were among 100 people indicted in what the FBI is calling the largest group ever arrested in a cybercrime case.

In the multinational investigation in the United States and Egypt, authorities uncovered a sophisticated "phishing" operation that collected personal information that was used to defraud American banks.

Authorities, including Metro Police and the FBI in Las Vegas, were arresting 53 people named in the 51-count indictment returned last week by a federal grand jury in Los Angeles, the FBI said. Arrests today occurred in Nevada, Southern California and North Carolina.

The three Las Vegas residents arrested were identified as 21-year-old Shontovia Debose, 20-year-old Tramond Davis and 21-year-old Raymond Valentino Mancillas III.

The three were arrested without incident, said Joseph Dickey, a spokesman for the Las Vegas office of the FBI. Davis and Mancillas were arrested at their homes and Debose was taken into custody at the parole and probation office west of downtown Las Vegas, he said.

In addition, authorities in Egypt have charged 47 people linked to the phishing scheme.

Operation "Phish Phry" marks the first joint cyber investigation between Egyptian law enforcement and United States officials, the FBI said.

Phish Phry also marks the largest cybercrime investigation in the United States, with 53 people charged here, the FBI said.

Operation Phish Phry began in 2007 when FBI agents, working with United States financial institutions, took steps to identify and disrupt sophisticated criminal enterprises that targeted financial businesses in the United States. Investigations here and in Egypt led authorities to cooperate in the investigations.

Phishing is a technique that uses e-mail messages crafted to look like official correspondence from banks or credit card vendors. The messages direct bank customers to fake Web sites that appear to belong to their financial institution, where they are told to enter their account numbers, passwords and other personal identification information. The customers do not realize that the sites are not those of legitimate financial institutions, the FBI said.
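The lure described above rests on a link whose visible text and whose real destination disagree. The following Python is an added example, not code from the article or from the FBI, that pulls every link out of an HTML e-mail and flags the three tells a mail filter looks for first: link text naming one domain while the href points at another, a bare IP address as the host, and a trusted bank's domain used as a subdomain of some unrelated domain. The sample message, the two-label "registrable domain" approximation and the TRUSTED_DOMAINS allow-list are all assumptions constructed for the demo.

```python
"""Flag links in an HTML e-mail whose visible text points one place
and whose href points somewhere else.

Added example (Python), not part of the original article or of the FBI's
materials. The sample message below is constructed for the demo; the
"trusted brand" list is a hypothetical allow-list.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the filter protects; hypothetical allow-list, not from the article.
TRUSTED_DOMAINS = {"bankofamerica.com", "wellsfargo.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (toy stand-in for the public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url: str) -> str:
    """Hostname of a URL; tolerates hrefs written without a scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements, in document order."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def find_suspicious_links(html: str) -> list:
    """Return (text, href, reason) for each link a phishing filter should flag."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        target = host_of(href)
        if not target:
            continue
        if is_ip_literal(target):
            findings.append((text, href, "href host is a bare IP address"))
            continue
        # Visible text that looks like a URL or domain but resolves elsewhere.
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if m and registrable_domain(m.group(1)) != registrable_domain(target):
            findings.append((text, href, "link text names a different domain than href"))
            continue
        # A trusted brand buried as a subdomain of an unrelated registrable domain.
        for brand in TRUSTED_DOMAINS:
            if brand in target and registrable_domain(target) != brand:
                findings.append((text, href,
                                 f"'{brand}' is a subdomain of {registrable_domain(target)}"))
                break
    return findings


# Constructed sample message, shaped like the lure the article describes.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked.</p>
<p>Please <a href="http://www.bankofamerica.com.verify-login.example/">log in at
https://www.bankofamerica.com</a> to restore access.</p>
<p>Or use our <a href="http://203.0.113.7/wf/">secure portal</a>.</p>
<p>Questions? Visit <a href="https://www.wellsfargo.com/help">Wells Fargo help</a>.</p>
"""

if __name__ == "__main__":
    for text, href, reason in find_suspicious_links(SAMPLE_EMAIL):
        print(f"FLAG: {reason}\n  text: {text!r}\n  href: {href}")
```

Run stand-alone it flags the first two links and leaves the genuine Wells Fargo link alone. A production filter would replace registrable_domain() with a real public-suffix lookup, since the two-label rule misclassifies hosts under suffixes such as co.uk.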

Those involved in the scheme based in Egypt collected bank account information, then members of the conspiracy hacked into accounts at Bank of America and Wells Fargo.

The United States ring was allegedly operated by Kenneth Joseph Lucas, Nichole Michelle Merzi and Jonathan Preston Clark, all of California, the FBI said.

The Las Vegas members of the ring set up bank accounts where the funds stolen from compromised accounts could be deposited.

Those arrested in Las Vegas will have their initial appearance in U.S. District Court in Las Vegas on Wednesday afternoon.

People who get e-mail that looks like it is from a bank or other financial institution but turns out to be fake can file a complaint online, the FBI said. The Internet Crime Complaint Center is at www.ic3.gov.


Book Insidious

Taken from http://www.mementosecurity.com/insidious/#

Insidious – How Trusted Employees Steal Millions
and Why It’s So Hard for Banks to Stop Them

By BC Krishna and Shirley Inscoe

A compelling exploration of a complex problem
Insidious is no ordinary business book. It takes an unconventional and occasionally irreverent look at a problem most companies don’t want to even talk about—employees who steal. With more than three decades of fraud experience between them, authors Shirley Inscoe and BC Krishna bring you a uniquely informed and objective perspective on the perennial, deeply damaging, and growing problem of employee fraud.

Historically, embarrassed silence greets any discussion of employee fraud. But industry work groups and visionary banks are starting to speak up—motivated by escalating losses, high-visibility fraud events, and a marked rise in employee fraud. Insidious takes this discussion to a new level by providing one of the most provocative and wide-ranging explorations of employee fraud to date.

Why now?

The time is right for Insidious. Economic uncertainty has created a perfect storm that allows employee fraud to thrive like never before. Many financial services organizations are in transition—struggling or merging. More employees are in desperate financial straits. Morale is low. In short, the three sides of the notorious Fraud Triangle —opportunity, motivation, and justification—are stronger than ever. And even entry-level employees have unparalleled access to the data and systems they need to commit fraud—often in just a few keystrokes. No wonder employee fraud is on the rise.

Sophisticated fraud schemes fuel higher losses

Employee fraud is no longer the domain of the disgruntled loner. Highly skilled and often ruthless collusive gangs are recruiting bank employees to participate, willingly or not, in elaborate high-loss fraud schemes. Employee fraud often enables cross-channel fraud schemes that tap deep into the core systems of banks and credit unions—creating losses that are often not even attributed to employee fraud.

Voices from the frontlines of fraud
Insidious goes behind the scenes at banks and talks to the analysts and investigators who know firsthand why employee fraud is so hard to stop—and who share their stories from the frontlines of fraud. It highlights dozens of real-world fraud schemes that generate stomach-dropping losses, send customers fleeing, and damage reputations for years.

To bring you new insights on fraud, Inscoe and Krishna talk to dozens of sources, well-known as well as unconventional. You’ll hear reputational damage experts, executives at banks of all sizes, industry pundits, theoretical mathematicians, the Bureau of Engraving, and many others. You’ll find out just how easy committing fraud is by doing it yourself. And Insidious concludes with an interview with a former bank vice president on the eve of reporting to Federal prison for stealing—providing a rare first-person account of why good employees (often even top performers) go bad.

Insidious takes a Socratic approach
In a dozen chapters, Insidious asks the hard questions:

  • Why do employees steal?
  • Why do they get away with fraud?
  • Why is employee fraud particularly damaging to banks?
  • What capabilities do analysts and investigators need to fight fraud?
  • What can banks do to start addressing the problem?
  • How can banks know they’re making progress?

Beware of consultants bearing silver bullets
For answers, Insidious looks beyond the usual prescriptive solutions. There are no Ten Steps You Need to Take to Wipe Out Employee Fraud. And it doesn’t presume to provide a failsafe, one-size-fits-all solution to employee fraud. Instead, it explores the overall approaches and strategic moves that can help banks and credit unions create an organizational environment that discourages fraud—and that identifies fraud earlier and more often when it does happen.

Ultimately, employee fraud is an inherently human problem that generates painful damage—financial, reputational, and more. And everyone suffers when an employee goes bad, from banks and credit unions, to honest colleagues who resist the temptation to steal, to the fraudsters themselves.

The time to stop employee fraud is now
Insidious is a must-read for financial services executives, investigators, analysts, and other fraud fighters. This unusual, powerful book will leave you inspired, informed, and uniquely empowered to boost the effectiveness of your own efforts to fight employee fraud.

Though Insidious focuses on employee fraud at banks and credit unions, its findings and insights resonate with brokerages, retail organizations, pharmaceutical groups, and other organizations susceptible to employee fraud.

Hotmail, Gmail passwords exposed; Most common password?

123456 is the most common password!

http://www.wired.com/threatlevel/2009/10/10000-passwords/#comments

A researcher who examined 10,000 Hotmail, MSN and Live.com passwords that were recently exposed online has published an analysis of the list and found that "123456" was the most commonly used password, appearing 64 times.

Forty-two percent of the passwords used lowercase letters from “a to z”; only 6 percent mixed alpha-numeric and other characters.

Many of the top 20 passwords used were Spanish names, such as Alejandra and Alberto, suggesting that the victims were in Spanish-speaking communities. Nearly 2,000 of the passwords were only six characters long. The longest password was 30 characters — lafaroleratropezoooooooooooooo.
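The figures above are the first things an analyst pulls from a credential dump. As an added example, not the researcher's script or anything from the Wired article, the following Python computes the same summary over a small constructed sample list: frequency of each password, how many are lowercase-only or mix in symbols, the length distribution, the count of six-character entries and the longest entry.

```python
"""Summarize a leaked password list: most common entries, character-class
mix, length distribution and longest entry.

Added example (Python); it is not Bogdan Calin's analysis script and the
list below is a small constructed sample, not the leaked data.
"""
from collections import Counter


# Constructed sample, shaped like the dump the article describes.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "alejandra", "alberto", "tequiero",
    "password1", "P@ssw0rd!", "abc123", "qwerty", "alberto", "123456",
    "lafaroleratropezoooooooooooooo", "estrella", "Sebastian", "12345678",
]


def char_class(pw: str) -> str:
    """Bucket a password by the character classes it draws on."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    other = any(not c.isalnum() for c in pw)
    if other:
        return "mixed with symbols"
    if lower and not (upper or digit):
        return "lowercase only"
    if digit and not (lower or upper):
        return "digits only"
    return "alphanumeric"


def analyze(passwords):
    """Return the summary statistics a breach analyst reports first."""
    total = len(passwords)
    counts = Counter(passwords)
    classes = Counter(char_class(p) for p in passwords)
    lengths = Counter(len(p) for p in passwords)
    return {
        "total": total,
        "top": counts.most_common(5),
        "classes": dict(classes),
        "class_pct": {k: 100.0 * v / total for k, v in classes.items()},
        "length_hist": dict(sorted(lengths.items())),
        "six_chars": sum(1 for p in passwords if len(p) == 6),
        "longest": max(passwords, key=len),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_PASSWORDS)
    print(f"{report['total']} passwords")
    for pw, n in report["top"]:
        print(f"  {n:3d}  {pw}")
    for cls, pct in report["class_pct"].items():
        print(f"  {pct:5.1f}%  {cls}")
    print("six characters long:", report["six_chars"])
    print("length histogram:", report["length_hist"])
    print("longest:", report["longest"])
```

On the constructed sample, "123456" tops the list and seven of sixteen entries are lowercase-only, which is the same shape the article reports at scale. Feed analyze() a real list one password per line and the same fields come back.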

The 10,000 passwords and user names, believed to be booty from a phishing attack, were posted over the weekend to the clipboard site PasteBin. The site owner has since removed the list, but Bogdan Calin of Acunetix grabbed the passwords before it disappeared.

The list included only online account addresses that began with “A” or “B,” suggesting that the list was only part of a larger cache of credentials. On Tuesday, the BBC reported that it had viewed a second list of more than 20,000 account credentials that included Gmail, Yahoo and AOL accounts, and that Google had uncovered a third list containing an unknown number of accounts.

Some of the accounts on the list of 20,000 names the BBC saw appeared to be old, unused or fake, though many were genuine. The list also included Comcast and Earthlink accounts.

Both Google and Microsoft, which own Gmail and Hotmail, MSN and Live.com respectively, have taken measures to block use of the exposed accounts until the legitimate users can reset their passwords.

Wednesday, October 7, 2009

FTC Takes Additional Safe Harbor-Related Enforcement Actions

On October 6, 2009, the Federal Trade Commission ("FTC") announced proposed settlement agreements with six companies over charges that they falsely claimed membership in the U.S. Department of Commerce Safe Harbor program. In six separate complaints, the FTC alleged that the companies, among them ExpatEdge Partners LLC, Onyx Graphics, Inc., Directors Desk LLC, Collectify LLC, and Progressive Gaitways LLC, deceived consumers by representing that they maintained current certifications to the Safe Harbor program when such certifications had previously lapsed. The terms of the proposed settlement agreements prohibit the companies from misrepresenting their membership in any privacy, security or other compliance program. The six enforcement actions are significant as they mark a considerable uptick in the FTC's enforcement related to the Safe Harbor program. The FTC recently brought its first enforcement action relevant to the program, which is detailed in our post titled FTC's First Safe Harbor Enforcement Action.

The European Union Data Protection Directive requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the EU has made a determination that the laws of the recipient jurisdiction are substantially equivalent to those of the EU, and thus provide "adequate" protection for personal data. Because the EU has determined that the laws of the United States do not meet its adequacy standard, the U.S. Department of Commerce and the EU developed the Safe Harbor Framework, which went into effect in November 2000. The Safe Harbor program allows participating U.S. companies under the jurisdiction of the FTC or the U.S. Department of Transportation to transfer personal data lawfully from the EU. To join the Safe Harbor, a company must self-certify to the U.S. Department of Commerce that it complies with seven principles that have been deemed to meet the EU's adequacy standard. To maintain its certification, a company must re-certify on an annual basis that it continues to comply with the seven principles. The Department of Commerce maintains a list of all currently-certified companies.

The proposed FTC settlement agreements highlight that companies certified to the Safe Harbor program should verify that their certifications remain current. If companies wish to cease Safe Harbor membership, their representations, including those in website notices and marketing materials, should be promptly updated to avoid deceptive representations to consumers. In all cases, the defendant companies had let their memberships lapse; exhibits to the FTC's complaints included pages from their websites, in which the companies continued to purport Safe Harbor membership.


http://www.huntonprivacyblog.com/2009/10/articles/enforcement-1/ftc-takes-additional-safe-harborrelated-enforcement-actions/


Monday, October 5, 2009

Another possible data breach of Veterans data

The issue involves a defective hard drive the agency sent back to its vendor for repair and recycling without first destroying the data. The hard drive helped power eVetRecs, the system veterans use to request copies of their health records and discharge papers. When the drive failed last year, the agency returned the drive to GMRI, the contractor that sold it to them, for repair. GMRI determined it couldn’t be fixed, and ultimately passed it to another firm to be recycled. The drive was part of a RAID array of six drives containing an Oracle database that held detailed records on 76 million veterans, including millions of Social Security numbers dating to 1972, when the military began using individuals’ Social Security numbers as their service numbers.