Privacy and Information Security In the News -- Week of December 5, 2005

December 5, 2005

A note about broken links: In the News links to current stories at various news sources on the Internet. Over time, some of the links may become broken when a source removes the stories from its pages. Often you can find the same story at another source by searching the title and author of the article. If you have questions about a link, send us an e-mail by clicking here.

Spear Phishing for Big Fish

The Sunday New York Times has a feature article on the use of “spear phishing” for industrial espionage. Spear phishing, like common phishing, relies upon e-mail messages to direct an unwitting victim to a bogus site where the victim is asked to provide sensitive information or where malware, such as a keylogger, is downloaded to the victim’s computer. But rather than being sent indiscriminately, spear phishing messages are targeted at victims who are known to have a relationship with the purported sender of the message. According to the Times, spear phishing is “linked to sophisticated groups out for financial gain, trade secrets or military information.” The article takes readers inside a notorious spear phishing scheme in which Trojan horse viruses were placed on the networks of about 60 Israeli companies engaged in a number of fields, including military contracting, telephony, cable television, finance, automobile, journalism and technology. Prosecutors have indicted employees of three of Israel’s largest private investigation firms and, says the Times, have some of Israel’s most prestigious companies under investigation. “Gone Spear Phishin’,” http://select.nytimes.com/mem/tnt.html?tntget=2005/12/04/business/yourmoney/04spear.html&tntemail0=y&emc=tnt&pagewanted=print

New Data Breaches Reported

Three incidents involving personal information have been reported in recent days. The three illustrate the varied ways in which confidential information may be at risk.

The University of San Diego notified approximately 7,800 faculty members, students, and vendors that computer hackers had broken into the university’s computers that contained personal tax data, including names, Social Security numbers, and addresses. It was not known how long the hackers had access to the data, but the data included information from 2003 and 2004. “7,800 linked to USD told of network security breach,” http://www.signonsandiego.com/news/business/20051203-9999-1b3breach.html

Firstrust Bank in Northeast Philadelphia informed all of its customers of a brazen theft of a laptop that held information on thousands of customers. The thief, posing as a member of a cleaning crew, convinced a security guard to give him access to the bank. Instead of heading to the basement, where the rest of the crew was, the thief went to the fourth floor, snatched a laptop, and left less than three minutes later. “Laptop containing customer information stolen from bank,” http://www.philly.com/mld/philly/news/13304542.htm

A small businessman in Huntsville, Alabama, was surprised with what he found in the dumpster he rents behind his store – “bags and bags” of customer records from the Compass Bank branch a block south of his store. The records included account numbers and taxpayer identification numbers. The bank said that it is its policy to shred paperwork and is looking into the incident. “Bank investigates bags of account information left in dumpster,” http://www.waff.com/Global/story.asp?S=4193650&nav=0hBE; “Man finds discarded bank records in his dumpster,” http://www.waff.com/Global/story.asp?S=4186002&nav=0hBE

December 6, 2005

Hackers Take Her Majesty’s Revenue and Customs for $52 Million

Hackers have hit the British government’s taxing authority for $52 million in fraudulent claims. Using the stolen identities of 1,500 government employees, the hackers were able to use the government’s online tax credit web portal to redirect legitimate tax claims to be paid into their own bank accounts. The hackers were also able to obtain employees’ National Insurance numbers, the equivalent of our Social Security number. “ID thieves try to steal millions from U.K. taxman,” http://news.com.com/ID+thieves+try+to+steal+millions+from+U.K.+taxman/2100-7348_3-5983318.html?tag=cd.top

To Prevent Identity Theft, Shift Liability to Creditors and Credit Reporting Agencies

David T.S. Fraser, who writes the Canadian Privacy Law Blog, has pointed us to a provocative article in Washington Monthly Magazine. In that article, Kevin Drum argues against detailed privacy legislation in favor of legislation that simply creates statutory damages for “acts associated with identity theft,” such as “granting credit without conducting adequate background checks, or issuing a faulty credit report.” Writes Drum, “[t]here’s no need to create mountains of regulations, which are uniformly despised by the credit industry. Instead, simply make the industry itself – and any institution that handles personal data – liable for the losses in both time and money currently borne by consumers. The responsible parties will do the rest themselves.” Drum argues that the provisions of the Federal Truth in Lending Act that limit a consumer’s liability for the unauthorized use of a credit card to no more than $50 caused credit card companies to develop “a wide range of effective anti-fraud programs.” He believes a similar approach should be taken to identity theft. Drum puts his faith in consumer class actions – which he calls an “inherently democratic remedy” – to create effective enforcement power to protect consumer information. “You Own You,” http://www.washingtonmonthly.com/features/2005/0512.drum.html

Proposals to Track Vehicles with GPS Lack Privacy Protections

Declan McCullagh, writing for ZDNet, decries efforts by the U.S. Department of Transportation to promote the use of global positioning units in automobiles to track vehicle movements. Promoted as a way of collecting “road user fees,” a GPS program “strips drivers of their privacy and invites constant surveillance by police, the FBI and the Department of Homeland Security,” writes McCullagh. McCullagh laments that “No rule prohibits that massive database of GPS trails from being subpoenaed by curious divorce attorneys, or handed to insurance companies that might raise rates for someone who spent too much time at a neighborhood bar. No policy bans police from automatically sending out speeding tickets based on what the GPS data say.” McCullagh argues that there are less intrusive ways to collect user fees. “E-tracking may change the way you drive,” http://news.zdnet.com/2100-1009_22-5982762.html

Survey Reveals State of Security Spending by Companies

A survey of 1,500 information security professionals suggests that security is underfunded and understaffed. Conducted by Secure Enterprise, a publication connected to Information Week, the study found that 44% of respondents said that their security groups were moderately understaffed and 21% said they were severely understaffed. Sixteen percent said their spending on security was less than 1% of their total IT budget, and the portion that said their security expense exceeded 16% of their budget actually declined to 7%. The survey does show one indication, however, that greater emphasis is being given to security management. The number of companies reporting that they have a chief security officer rose from 12% in 2004 to 18% in 2005, and the number who said they have a chief information officer grew to 22% compared to 12% in 2004. “Security's Shaky State,” http://www.informationweek.com/story/showArticle.jhtml?articleID=174900279&cid=RSSfeed_IWK_security

December 7, 2005

Banks To Be Held Strictly Liable for Data Breaches

Yesterday’s In the News linked to an article in which the author argues that financial institutions should be held strictly liable for losses resulting from a breach of data that results in identity theft. See “To Prevent Identity Theft, Shift Liability to Creditors and Credit Reporting Agencies,” In the News, December 6, 2005. Looks like South Korea is going to take that approach.

The South Korean Ministry of Finance and Economy says that banks will be required to compensate customers for damages resulting from data security breaches, regardless of whether a bank was at fault, by September 2006. According to a Ministry spokesperson, “The bill is aimed at pushing banks to accelerate their drive to creating a safer e-banking and e-commerce environment, to urge banks to keep customers’ money safe and secure, and protect customer’s financial privacy.” “Banks to Compensate Clients for Hacking Damage,” http://times.hankooki.com/lpage/biz/200512/kt2005120619435611910.htm

Lawyers Not Covered by Gramm Leach Bliley

The United States Court of Appeals for the District of Columbia has held that the Gramm-Leach-Bliley Act does not regulate attorneys or law firms. The Federal Trade Commission had taken the position that lawyers and law firms who do estate planning or prepare tax returns come within the definition of “financial institution” under the act and are subject to the act’s requirements to provide privacy notices to clients and to secure nonpublic personal information. The American Bar Association sued to challenge the FTC’s efforts to extend the act to attorneys. The Court of Appeals upheld a Federal District Court’s ruling that the FTC had overreached. The opinion can be found at: http://pacer.cadc.uscourts.gov/docs/common/opinions/200512/04-5257a.pdf

MP3 Players Seen as a Security Risk

A U.K. security firm warns that MP3 players brought into the workplace may pose a risk to a company’s information security. In addition to the potential that the players may introduce viruses, worms and Trojan horses to a company’s network, Pointsec Mobile Technologies says that the devices will be an easy way for employees to store – and steal – potentially sensitive corporate data. “Some users see them as ideal for carrying corporate information, which can be very sensitive and valuable and if lost or stolen can have serious ramifications to a company, such as customers’ personal details and accounts getting into a competitor’s hands, R & D plans being exploited by an opportunist, or passwords and PIN numbers being obtained by a hacker,” Pointsec’s managing director says. “Christmas MP3 players pose serious corporate security risks,” http://www.scmagazine.com/uk/news/index.cfm?fuseaction=details&nNewsid=531720.

Threat from Malware up 48% in 2005

The number of new malware threats increased 48% in 2005, according to Sophos, a security company located in the United Kingdom. Sophos’s research indicates that one in every 44 emails contained a computer virus in 2005. While there have been fewer large outbreaks of worms and viruses, hackers have increased the security risk by using Trojan horses, programs that work quietly to do their damage, for example by opening holes in a computer’s security defenses to enable it to be controlled remotely by a hacker. Sophos estimates that 60% of spam is generated by computers remotely controlled by hackers. Sophos says the increase in malware threats stems from criminal gangs looking to profit from hacking. “Cyber criminals fuel 2005 malware explosion,” http://www.scmagazine.com/uk/news/index.cfm?fuseaction=details&nNewsid=531721; “Security Threats Rise 48%,” http://www.redherring.com/Article.aspx?a=14761&hed=Security+Threats+Rise+48%25

Students’ Psychological Evaluations Posted Online

In Salem, Massachusetts, school officials have begun contacting parents of students whose confidential psychological reports could be viewed online for several months. The reports go back 10 years. The files were accidentally posted online by the school psychologist. “Schools will contact parents about privacy breach,” http://www.ecnnews.com/cgi-bin/05/snstory.pl?-sec-News+1k589g0+fn-breachresponse-20051206-

December 8, 2005

AOL Study Offers View of Home Computer Security

America Online and the National Cyber Security Alliance have issued the results of their second annual report on the safety of home computers. To prepare the report AOL and the NCSA conducted in-person interviews of 354 home computer users and physically examined their computers. The study found that 81% of home computers lack at least one of the “core protections” (a recently-updated anti-virus program, a properly configured firewall, and spyware protection). Yet the study found that 74% of the respondents use the Internet to conduct sensitive transactions, such as banking, stock trading, and reviewing personal medical information. Sixty-eight percent said they keep sensitive personal information on their computer.

Even though over 80% of computers lack core protections, the study found that only 12% of the computers were infected with one or more viruses, compared to 19% in 2004. The percentage of computers with spyware or adware also declined, from 80% in 2004 to 61% in 2005.

The study found that more than half of the respondents (56%) had not heard the term “phishing” before and, of those who had, only 57% could accurately define phishing. Seventy percent of respondents who said they had received a phishing message conceded that it looked like legitimate e-mail when they first read it. Six percent said they had fallen for a phishing scam, while 18% said they had a friend or family member who had done so. Those numbers indicate why phishing is so lucrative. If you can spam 100,000 people with a phishing message and 6,000 respond by giving you their personal information, that is a pretty good success rate. The release announcing the study can be found at http://www.staysafeonline.info/news/press_doc07_2005.html. The study itself can be found at:

“AOL/NCSA Online Safety Study,” http://www.staysafeonline.info/pdf/safety_study_2005.pdf.

Study Concludes ID Theft Fears from Data Breaches Overblown

Reuters reports that a study by a fraud detection firm suggests that fears of identity theft resulting from data breaches are overblown. The firm, ID Analytics, studied four recent data breaches involving information on about 500,000 consumers. It found that in breaches involving access to social security numbers and other sensitive information, less than 1 in 1,000 victims had their identity stolen. In instances in which only credit card information was stolen, not one victim was subsequently the victim of identity theft. The study suggests that the smaller the data breach the more likely it will lead to identity theft. “ID theft fears overblown, study says,” http://news.com.com/ID+theft+fears+overblown,+study+says/2100-1029_3-5986567.html

Sober Worm Slows E-mail Traffic; Prepares to Spread Nazi Propaganda

E-mail traffic has been slowed by a resurgence of the Sober X worm in an e-mail message purportedly from the FBI. Described as the “most prolific email worm ever unleashed,” the mail carrying the Sober worm last week caused delays on Microsoft’s Hotmail and MSN e-mail services. “Sober.X Worm Makes Return,” http://www.washingtonpost.com/wp-dyn/content/article/2005/12/07/AR2005120702471.html

The worm does not immediately cause any damage to an infected computer, but is instead programmed to spew out spam e-mails calling for the reinstatement of the Nazi party in Germany. According to IDefense, a U.S. security company, the worm is programmed to cause an infected computer to download instructions to blast out spam on January 5, the 87th anniversary of the founding of the Nazi party in Munich. “Latest Sober Worm to Spawn Nazi Hate E-mails,” http://blogs.washingtonpost.com/securityfix/2005/12/sober_worm_may_.html

Terrorists Not Currently a Threat to Launch Internet-based Attacks

The head of the FBI’s Cyber Division says that terrorist groups do not have the capability to launch Internet-based attacks on power plants, airports and other critical infrastructure in the United States. However, he believes that foreign governments are behind a number of intrusions into government computers that house military or technology secrets. “It is far cheaper for a country to steal information and use that information to develop technologies that have taken years to develop,” says FBI Assistant Director Louis Reigel, “so if a foreign country could do that, we’re actually seeing attempts to do that.” “FBI: We're not worried about terrorist cyberattack,” http://news.com.com/FBI+Were+not+worried+about+terrorist+cyberattack/2100-7348_3-5986099.html?part=rss&tag=5986099&subj=news

December 9, 2005

PATRIOT Act Compromise Reached; Bipartisan Group of Senators May Filibuster

Republican House and Senate conferees have reached a compromise on provisions of the USA PATRIOT Act that are slated to expire on December 31. No Democratic conferee signed the conference committee’s report. Wisconsin Senator Russ Feingold – the only senator to oppose the original Act – has vowed to filibuster passage of the compromise and is looking for support from a bipartisan group of senators who held up passage of the bill before Thanksgiving. Among the compromises reached by the conferees, the Washington Post reports that FBI agents seeking to obtain business records, including library records, “would have to provide a judge with a ‘statement of facts’ showing ‘reasonable grounds’ to believe the records are relevant to an anti-terrorism investigation.” The compromise bill would also establish a procedure for recipients of national security letters to challenge them. Under current law, a recipient could go to jail for one year for disclosing the receipt of a national security letter. The compromise would eliminate that provision, but would retain a provision for a five-year prison term if the disclosure is made in an effort to obstruct an investigation. “GOP Accepts Deal on Patriot Act,” http://www.washingtonpost.com/wp-dyn/content/article/2005/12/08/AR2005120800892.html; “GOP Seeks Quick Passage of New Patriot Act,” http://www.washingtonpost.com/wp-dyn/content/article/2005/12/09/AR2005120900213.html

Store Employees Steal Identities to Earn Incentive Bonuses

Two employees of a Fashion Bug store near Cincinnati have been charged with six counts of identity fraud. The employees allegedly filled out credit card applications using identities stolen from employment applications. Police say at least 20 persons were victims of the fraud. According to police, the two said they did not intend to use the credit cards, but instead stole the information and applied for the cards to meet the goals set by Fashion Bug to receive incentive bonuses. Employees earned 50 cents to one dollar for every application they submitted. The Miami Township Police have referred the matter to the Federal Trade Commission. “Two Fashion Bug workers charged as credit stingers,” http://news.enquirer.com/apps/pbcs.dll/article?AID=/20051208/NEWS01/512080390/1056

Study Shows Executive Leadership Becoming More Involved in Security Issues

“Security has risen to the top of the corporate agenda as a strategic business process that affects what organisations value most: their mission, ability to execute, and accountability to shareholders.” So concludes a report prepared for the International Systems Security Certification Consortium based on a survey of 4,305 security professionals around the world. Among the study’s findings was that increasingly the chief executive officer and the board of directors are taking ultimate responsibility for data security. For example, 21 percent of respondents said the CEO was ultimately responsible for security, up from 12 percent in a similar survey last year. The report explains the increased focus by the CEO and board as follows: “Both have ultimate oversight and responsibility for understanding all risk and deciding which risk to mitigate and what level of risk to accept. The changing regulatory environment is one of the primary driving forces causing this noticeable shift in accountability.” The study is available for download at https://www.isc2.org/cgi-bin/content.cgi?category=510, and is summarized at “Security pros storm boardrooms,” http://www.techworld.com/security/news/index.cfm?NewsID=4961&Page=1&pagePos=5&inkc=0

Note: Current and past issues of In the News are now available online at this link.

This message is provided by the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.

Warner Norcross & Judd LLP (www.wnj.com) is a full service law firm with four offices in Michigan. Our Privacy and Information Security Taskforce includes lawyers from across the firm’s practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP, e-mail Rodney Martin at rmartin@wnj.com or write him at Warner Norcross & Judd LLP, 111 Lyon Street NW, Grand Rapids, MI 49506.

"Privacy and Information Security In the News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Taskforce. You can choose to receive it either daily (usually by 9 a.m. each weekday) or weekly (usually by 9 a.m. on Friday morning). If you would like to receive this publication, please respond to this e-mail and let us know the frequency at which you would like to receive it. If there are others in your organization who should receive "In the News," either include their names and e-mail addresses in your message or forward this message to them so they can respond.
