Privacy Digest

Web firm sounds alert on criminal data trove - Via Reuters:

LONDON (Reuters) - A Web security firm said on Tuesday it had tipped off international banks and police after finding a huge trove of stolen business and personal data amassed on a server in the space of just three weeks.

Finjan Inc said it had notified the U.S. Federal Bureau of Investigation, police in various countries and more than 40 financial institutions in the United States, Europe and India about the discovery of the so-called "crimeserver".

"This server was running for about three weeks and within this period it managed to collect 1.4 gigabytes of data. It is indeed the largest treasure we've found in this very short time," Yuval Ben-Itzhak, chief technology officer of the California-based firm, said in a phone interview from Israel.

The stolen data consisted of 5,388 unique log files including 1,037 from Turkey, 621 from Germany, 571 from the United States, 322 from France, 308 from India and 232 from Britain.  read more »

"Crimeserver" Full of Personal/Business Data Found - Via Slashdot:

Presto Vivace sends news of a server found by security firm Finjin that contained a 1.4-GB cache of stolen data, accumulated over a period of less than a month from compromised PCs around the world. The "crimeserver," as Finjin dubs it, "provided command and control functions for malware attacks in addition to being a drop site for data harvested from compromised computers... The stolen data consisted of 5,388 unique log files including 1,037 from Turkey, 621 from Germany, 571 from the United States, 322 from France, 308 from India and 232 from Britain." Oddly enough, the data was stored in the open, with not even basic auth to protect it. Finjin notes in their press release that this huge trove of data gathered over a short period of time indicates that the crimeware problem is far larger than most observers have been assuming.

(Read Original Article - Via Slashdot.)

Congress, can you hear me NOW? (commentary) - Via PogoWasRIght - Privacy News Headlines:

By Dissent:

A few nights ago, I played "catch up" on breaches after the Maryland Attorney General's office started making breach notifications publicly available on the web.

It is staggering how many breaches we never learn about because there is no central registry of breaches and most states do not make their breach notices publicly available on the web. Thankfully, three states do report on notifications received, and two of them upload the reports themselves.

Since the beginning of this year, Maryland has received approximately 64 breach notifications. New Hampshire shows 43 breach reports for 2008. Of the combined pool of 74 unique breaches, 44 breaches appeared on one of the two, but not both, states' reports. Clearly we need more states uploading their reports as some breaches may be state- or region-specific.  read more »

Which Gov Agency Should Be Your Computer's Firewall? - Via Threat Level:

First the NSA says it needs to examine every search and email on the internet to prevent an e-9/11 attack, then President Bush signs a secret cyber-security Presidential Directive to make that possible, while the Air Force has set up a cyber warfare division where cyber-security is played like a game of Space Invaders.

Not to be left out on the cybarmegeddon! action, the Department of Homeland Security plans to spearhead a "Manhattan Project" attempt to secure the internet. But there's no way FBI chief Robert Mueller is gonna let DHS honcho Michael Chertoff have all the bits, so this week he told a House committee that G-Men need to be living in the tubes, too.  read more »

Thieves pilfer backup tape holding 2M medical records - Via Computerworld :

University of Miami officials last week acknowledged that six backup tapes from its medical school that contained more than 2 million medical records was stolen in March from a van that was transporting the data to an off-site facility.

Jacqueline Menendez, vice president of communications at the university, said a vehicle used by Archive America Ltd. to transport the patient data was broken into in downtown Coral Gables, Fla., on March 17. Thieves removed a transport case carrying the school's computer backup tapes, she said.

For reasons Menendez could not explain, Archive America waited 48 hours before finally notifying the university on Mar. 19 about the break-in and theft. Officials from the transport firm couldn't be reached.  read more »

Backup Tapes With 2 Million Medical Records Stolen - Via Slashdot:

Lucas123 writes "A vehicle used by an off-site archive company to transport patient data was broken into on March 17. The University of Miami just made the theft public last week, saying the thieves removed a transport case carrying the school's six computer backup tapes. On those tapes were more than 2 million medical records. In fact, the archive company waited 48 hours before notifying the university itself. A University spokeswoman said the school has stopped shipping backup tapes off-site for now."

(Read Original Article - Via Slashdot.)

NIH to crack down on encryption - Via FCW - Federal Computer Week:

The director of the National Institutes of Health has notified employees to expect random computer audits as the agency works to ensure full compliance with its security policies. NIH discovered that a stolen laptop PC belonging to NIH contained medical data and Social Security numbers of 1,200 patients involved in medical research.

The theft of the unencrypted laptop was a major violation of NIH’s commitment to protect the confidentiality of patients, Dr. Elias Zerhouni, the agency’s director, said in a memo sent to all NIH employees.  read more »

The Cybercrime Economy - Via Security Blog - InformationWeek :

Dot-coms daunted by the financial downturn would be well advised to look to the cybercrime economy.

Cybercriminals "have very sound business models," said Joe St Sauver, manager of Internet2 Security Programs through the University of Oregon at an RSA Conference panel on Wednesday, "better than many corporate business plans I routinely see."

The conference session, "Deconstructing the Modern Online Criminal Ecosystem," offered interesting insight into the way the Internet's black market works.  read more »

Glut Makes It a Bear Market for Online Thievery - Via Wired News: Security Blanket:

SAN FRANCISCO (AP) -- Fierce competition among identity thieves has driven the prices for stolen data down to bargain-basement levels, which has forced crooks to adopt mainstream business tactics to lure customers, according to a new report on Internet security threats.

Credit card numbers were selling for as little as 40 cents each and access to a bank account was going for $10 in the second half of 2007, according to the latest twice-yearly Internet Security Threat Report from Symantec Corp. released Tuesday.

Symantec detected 711,912 new threats last year, 468 percent more than in 2006, when it found 125,243 - and almost two-thirds of all 1,122,311 Symantec has cataloged since 2002.  read more »

More Snooping Into UCLA Medical Records - Via AP on New York Times:

LOS ANGELES (AP) -- California first lady Maria Shriver is among more than 30 celebrities and other high-profile patients who had their confidential records breached at UCLA Medical Center, medical officials said.

The woman responsible, whose name was not released, is the same employee who sneaked into actress Farrah Fawcett's medical records, officials told the Los Angeles Times on Sunday.

That worker was fired in May 2007 after UCLA learned of the widespread breaches, but patients were not notified, the hospital said.

In all, the woman improperly looked at 61 patients' medical records in 2006 and 2007, according to state and local medical officials. These included Fawcett, Shriver, and 31 other politicians, celebrities and other well-known people, the paper said. Names of the other patients were not disclosed.  read more »

Barack Obama's passport file is breached. - Via ABC News Nightline:

Barack Obama's passport file is breached.

(Read Original Article - Via ABC News Nightline.)

Supermarket Data Breach Still Unsolved - Via New York Times:

PORTLAND, Maine (AP) -- It was during the card approval process that more than 4 million customer accounts at grocery stores in the Northeast and Florida were exposed to fraud, even though the company meets the latest standards for data security, a spokeswoman said Tuesday.

Hannaford Bros. Co. doesn't yet know how the breach -- which began Dec. 7 and ended March 10 -- occurred, said Carol Eleazer, vice president of marketing for Hannaford, based in Scarborough.

About 4.2 million credit and debit card numbers were exposed and at least 1,800 stolen during the seconds it takes for that information to travel to credit card companies for approval after customers swiped their cards in checkout-line machines, Eleazer said.

On Tuesday, many customers were not yet aware of the problem. Others who'd read or heard about it didn't seem alarmed.  read more »

Breach of MTV Computer Files - Via NYT > Business:

LOS ANGELES (Reuters) — Computer files with confidential data on about 5,000 employees at MTV Networks were breached by someone outside the company, the network told employees on Friday in a memo.

MTV later said in a statement that the security breach occurred after an Internet connection in an employee’s computer was compromised.  read more »

David U. Haltinner Sentenced to 50 Months of Imprisonment for Selling Approximately 637,000 Stolen Credit Card Numbers - Via PogoWasRIght - Privacy News Headlines:

Ed Yarbrough, U.S. Attorney for the Middle District of Tennessee and Sarah Beth Pulliam, Special Agent in Charge of the United States Secret Service Nashville Field Office, announced today that David U. Haltinner, 25, of Menasha, Wisconsin was sentenced yesterday to serve 50 months of imprisonment for aggravated identity theft and access device fraud.

Mr. Haltinner was arrested last May and pled guilty in October after he used an assumed online identity to sell approximately 637,000 stolen credit card numbers through a website frequented by individuals engaged in credit card fraud.  read more »

IRS Employee Pleads Guilty to Charge of Unauthorized Access to a Government Computer - Via PogoWasRIght - Privacy News Headlines:

Kevin J. O’Connor, United States Attorney for the District of Connecticut, today announced that CHRISTOPHER SUPPLE, 40, of Bridgeport, pleaded guilty yesterday, February 13, before United States Magistrate Judge Donna F. Martinez in Hartford to one count of unauthorized access to a government computer.

According to documents filed with the Court and statements made in court, on November 21, 2002, SUPPLE, an Internal Revenue Service Revenue Officer, used a computer to access taxpayer information regarding an acquaintance. In pleading guilty, SUPPLE acknowledged that he had accessed the computer information deliberately and without proper authorization.  read more »

Banks, Wall St. Feel Pinch from Computer Intrusion - Via Slashdot:

An anonymous reader writes "Financial institutions and companies in the securities/futures business are reporting sizable increases in the amount of losses and suspicious activity attributed to computer intrusions and identity theft, says the Washington Post's Security Fix blog. The Post obtained a confidential report compiled by the FDIC which analyzed Suspicious Activity Reports from the 2nd Quarter of 2007. SARs are filed when banks experience fraud or fishy transactions that exceed $5,000.  read more »

MySpace's Leaked Photos More Popular Than Sweeney Todd - Via Threat Level:

The 17-gigabyte file containing half-of-million photos pillaged from MySpace accounts made the Pirate Bay's top -ten list of most popular downloads over the weekend, beating out pirated copies of No Country For Old Men,  Sweeney Todd and the sci-fi flick I Am Legend.

Sunday afternoon the file -- compiled using a still-unacknowledged hole in MySpace's architecture that exposed photos in private profiles --  was the 9th most popular download on the torrent site, with over 6,700 downloads in progress.  read more »

MySpace Photos Leaked; Payback for Not Fixing Flaw? - Via Freedom to Tinker:

Last week an anonymous person published a file containing half a million images, many of which had been gathered from private profiles on MySpace. This may be the most serious privacy breach yet at MySpace. Kevin Poulsen’s story at Wired News implies that the leak may have been deliberate payback for MySpace failing to fix the vulnerability that allowed the leaks.  read more »