Week of March 12, 2005

'Diva of Disgruntled' exposes patient data to get back at ex-employer

This is likely to become a common occurrence, and it graphically illustrates why information security management is less about technology than about dealing with unruly people, many of whom are lacking in scruples.

A low-level web designer who was terminated from her employment in June 2003 at the Kaiser Permanente Medical Group in Oakland, California (for reasons as yet undisclosed) posted sensitive patient data on her weblog, claiming she was simply acting as a whistleblower in exposing lax security by her erstwhile employer. Kaiser denies knowledge of any such breach, but investigations are ongoing.

The malicious ex-employee was persistent, and re-posted the data after the relevant ISP recently took it down. The federal Office for Civil Rights told Kaiser of the breach in January 2005. Kaiser is in the process of advising the affected patients, about 140 in all. It is unclear why it took them so long to get the ISP to remove the blog.

What is clear is that a disgruntled ex-employee can do untold damage to a company and its reputation, sometimes out of sheer spite. If the 'leak' is untrue and based on false information, then it is critical that swift action, including all legal means at your disposal, be taken with all due haste (involve in-house counsel immediately; do not keep them in the dark: that is what you pay them for). Senior management, PR and media relations people need to do effective and transparent damage control, and must be seen to step up to the plate to keep stakeholders in the loop.

If the information revealed is true, that is, if security breaches are indeed rampant, or processes and procedures are inadequate to protect stakeholder data, then sympathy for the errant data custodian will be thin on the ground, and the whistleblower will be commended for his or her action. Depending on where the company is located, there may be additional legal and regulatory consequences.

In Canada, statutes such as PIPEDA (the federal privacy act) specifically prohibit employers from taking action against employees who, in good faith, blow the whistle on lax privacy or security practices. The protection extends to contractors.

In this case, whether or not Kaiser exposed patient data as the daring Diva alleges, it is hard to justify an action that exposes innocent people to identity thieves, or to simple embarrassment.

I have maintained for some time that real or imagined gaps in information security will remain a tool in the arsenal of the disgruntled employee: they may hack back in and trash your most treasured database, or simply 'out you' to the authorities.

These are contingencies that need to be addressed, and counter-measures should be put in place to stem the tide of any resulting damage to brand and reputation.

UPDATE: US senators debate fate of data miners

According to recent reports, the SEC is investigating stock sales by ChoicePoint's CEO and President in the months after the company discovered last fall's now highly publicized security breach, but before the news was made public.

The implication, denied by ChoicePoint using the (failed) Martha Stewart defense of pre-authorised trades, is that they cashed out before the bad news hit (the stock has indeed taken a hit). The FTC is also on the job, although it has acknowledged that it is unclear what agency, if any, has jurisdiction over the largely unregulated sector.

Additional reports also suggest that the breach may have been worse than initially revealed by ChoicePoint. Its SEC filing indicates that its estimate of the number of individuals affected is artificially low: it counted victims only from July 1, 2003, the date on which California's legislation mandating the reporting of security breaches (SB 1386, see the archives) took effect, and ignored anything before that date.

As we reported last time, US senators personally affected by the ChoicePoint breach called for Senate hearings on what needs to be done to close the loophole for data miners. Last week, the US Senate Banking Committee started to examine the issues, and called witnesses to provide testimony.

These data mining companies hold enormous wads of data on the vast majority of US citizens, and undoubtedly many others besides, which they happily sell to all and sundry, including US government agencies anxious to augment their records in the fight against terrorism.

However, Acxiom, the other huge US data mining company, has suffered data security breaches in the past, and, absent some regulatory oversight, there is little cause for confidence that the data these companies supply for use by front-line security workers at airports (under the Secure Flight passenger screening programme, the successor to CAPPS II) is accurate and up to date.

It just never ends....

Last week was full of news that definitely did not gladden the hearts of the spin doctors and lobbyists for the powerful data miners. LexisNexis, a large data-warehouse firm owned by Reed Elsevier PLC (amongst other things, it provides legal research services to the legal profession), announced that 32,000 files had been accessed by a hacker. Lawyers will not be forgiving if it comes to light that any of their sensitive data has been exposed.

Executives for ChoicePoint and Bank of America (the subject of another recent breach) are expected to testify before the Committee this week. Suggestions mooted to date by senators include giving the FTC power to establish security guidelines for data miners that senior executives would have to sign off on.

The data miners will not go down quietly, or without a fight, but it will be hard to stop the momentum, especially with consumer safety the issue.

Meanwhile, according to the Las Vegas Review-Journal, thieves stole a computer from the Department of Motor Vehicles office in Las Vegas containing the sensitive data of 8,737 people, including Social Security numbers, signatures and photographs of residents. They also made off with 1,700 blank licenses and license-making equipment. Initial reports suggested that the license data was encrypted, but it later emerged that this was not the case.

Banks in New Zealand pull the plug on internet banking

Westpac Bank and other major banks in New Zealand have responded to concerns that their internet banking customers are using spyware-infested PCs to access their accounts, and have shut those customers out until they clean up their acts.

No doubt lawyers representing the plaintiff in a well-publicized case against Bank of America, in which the plaintiff alleges that the bank failed to warn him about malware and related threats (his login information was stolen and substantial funds were transferred out), will take solace from this move by the NZ banks and use it to argue that pre-emptive measures to protect customers can be, and are, taken elsewhere.

Bank of America is not standing still: it has announced plans to move employees and corporate customers to token-based (two-factor) authentication for online banking, as will ETrade. We previously reported Australian banks taking a step into similar waters.

When will ordinary banking customers get the benefit of such increased security measures? Probably only when they start, in large numbers, to feel real pain from identity theft incidents, and not before.
