Creative Commons License


» NASA Data Breach Discovered by Hackers

Members of two hacker collectives, Team r00tw0rm and Team inj3ct0r, identified an SQL injection vulnerability on one of the subdomains owned by NASA and hosted on the By leveraging the security hole, the hackers obtained a 6 gigabyte database, but refused to disclose the name of the flawed subdomain to give the agency time to patch it up.

A sample of the database reveals information such as usernames, email addresses, names, IDs, login dates, passwords, and other data.“Complete Database is in GB’s, well we aren’t leaking it. We may keep all parts in our private home! Yet only little bit dump or few columns data is released just to inform NASA that being National Aeronautics and Space Administration you must also keep your servers up to date!”the hackers said.

They claim they informed NASA a few days ago, but since the organization failed to respond, they leaked part of the database to attract the agency’s attention.

More from ITN

Posted on March 22, 2012 at 05:59 PM | Permalink

» When to Consider Bankruptcy

Filing for bankruptcy is a process that many debtors turn to once they realize that they need help with a large debt load. Bankruptcy is a legal procedure that you can use to have your debt discharged right away. While there are some times that bankruptcy is not your best option, there are a few times where bankruptcy is definitely the best option to pursue. Read more...

Posted on March 8, 2012 at 06:10 PM | Permalink

» Data breaches take months or years to be discovered

Over 90 percent of data breaches are the result of external attacks and almost 60 percent of organizations discovered them months or years later, Verizon said in a report released at the RSA security conference on Wednesday.

Called the Verizon 2011 Investigative Response Caseload Review, it compiles statistics from 90 data breach cases investigated by the company's incident response team last year, and provides a preview of Verizon's larger annual report that will contain data collected from additional sources like national CERTs and law enforcement agencies.

The report concludes that 92 percent of data breach incidents have had an external cause, which conflicts with the findings of other security vendors, according to whom most data breaches are the result of internal threats.

More from IDG

Posted on March 8, 2012 at 05:48 PM | Permalink | Comments (0)

» Business Identity Theft A Growing Concern

You've heard of identity theft — someone using a person's credit information or a Social Security number for ill-gotten gains. Well, experts say similar crimes are also affecting businesses.

Business identity theft involves posing as a legitimate business in order to get access to credit lines or steal customers. Experts believe that the practice has become more prevalent in the past two years.

"Business identity theft is incredibly underreported," says Hugh Thompson, who teaches at Columbia University and chairs an annual conference on security. No federal or state statistics track the problem. And Thompson says few victims are willing to report it.

"There's a big stigma attached with it," he says. "Imagine you're a company trying to portray an image of being solid and reliable out to your customers. It's not something that you want to readily admit to."

Business identity theft takes many forms. Posing as a look-alike or sound-alike business to lure customers is one of them. But in many cases, shady operators go after information to tap into business' credit and reputation. They change a business's contact information, for example, then use it to obtain credit cards or order goods, skipping town before bills arrive.

More from NPR

Posted on March 8, 2012 at 05:45 PM | Permalink | Comments (0)

» EU May Propose 24-Hour Breach Notification, Data Privacy Rules

Companies operating in the European Union may be required to disclose data breaches within 24 hours if proposed new rules are approved.

The European Commission will propose several changes to the data protection and privacy rules to protect individual rights and ensure a high level of data protection on Jan. 25. The proposed changes will simultaneously simplify and toughen the current mishmash of rules and policies currently used by the European Union's 27 member countries.

Along with the data breach notification rule, the commission's proposal includes stricter sanctions and would provide national data-protection officials with authority to levy administrative sanctions and fines, such as fining companies a percentage of their global revenue for violating the rules. The proposed changes would overhaul the EU's 17-year-old data protection policies addressing online advertising and social networking sites.

"Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay," EU Justice Commissioner Viviane Reding said at a conference in Munich on Jan. 22, according to Bloomberg.


Posted on January 27, 2012 at 09:32 AM | Permalink

» Symantec Warns pcAnywhere Users Due to Source Code Theft

Symantec has confirmed that pcAnywhere users are at "increased risk" because attackers have stolen source code to the remote control tool.

The saga over Symantec's stolen code took another twist as the company acknowledged that pcAnywhere customers are at risk for man-in-the-middle attacks and new exploits.

The breach actually occurred on Symantec servers in 2006, and attackers stole source code to several Norton security products and the pcAnywhere remote access tool, Symantec confirmed last week. At the time, the company assured customers that there was no risk to the products because the source code was so old and the company had made security improvements over the past six years.

However, upon further investigation, it appears that pcAnywhere customers are at risk, especially if they are not following "general security best practices" to protect the endpoint, network and remote access, as well as properly configuring the remote access tool, Christine Ewing, director of product marketing in the endpoint management group, wrote on the Endpoint Management Community blog Jan. 24. Those customers are susceptible to man-in-the-middle attacks, which can reveal authentication and session information.

"Customers of Symantec's pcAnywhere have increased risk as a result of this incident," Ewing wrote.

The encoding and encryption elements within pcAnywhere are vulnerable to being intercepted in man-in-the-middle attacks, according to a whitepaper addressing the issues in the remote access tool released by Symantec Jan. 25. If attacker manage to obtain the cryptographic key, they would be able to launch unauthorized remote control sessions and access other systems and sensitive data. If the key is using Active Directory credentials, the attackers would be able to access other parts of the network.

The company released a patch fixing three vulnerabilities in the latest version of pcAnywhere, version 12.5, for Windows on Jan. 23. Symantec plans to release additional patches during the week for older versions of pcAnywhere, including versions 12.0 and 12.1. Symantec is also expected to patch more issues in version 12.5. Symantec will keep updating the software until "a new version of pcAnywhere that addresses all currently known vulnerabilities" is released, Ewing said.

Customers should disable pcAnywhere because malicious developers would be able to identify vulnerabilities within the source code and launch new exploits, Symantec said in the whitepaper. The remote access tool should be disabled unless it is vitally needed for business use, and in those situations customers should use the latest version of pcAnywhere with all the relevant patches and "follow the general security best practices," Symantec said.

"At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks," the company said.

Since pcAnywhere is available as a stand-alone product, bundled with other Symantec products and also as part of Altiris-based packages, customers should check to see if the tool is enabled. A remote access component called pcAnywhere Thin Host is also bundled with several backup and security products from Symantec.

The company again asserted that its antivirus and endpoint security products are not at risk. "Our analysis shows that due to the age of the exposed source Symantec antivirus or endpoint security customers, including those running Norton products, should not be in any increased danger of cyber-attacks resulting from this incident," Symantec said in a statement.

The theft was limited to the code for the 2006 versions of Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks, which includes Norton Utilities and Norton GoBack; and pcAnywhere, Symantec said. The Norton Antivirus Corporate Edition code "represents a small percentage" of the code that appeared in the prerelease source for Symantec Antivirus 10.2, which was discontinued in 2007. Symantec Endpoint Protection 11, which replaced Symantec Antivirus Corporate Edition, was based on a separate code branch "that we do not believe was exposed," Symantec said. Customers running Symantec Endpoint Protection 11.x are at "no increased security risk" due to the code theft.

Customers should follow recommended best practices, such as making sure antivirus definitions are up to date and running the latest version of the software. If it makes sense for the organization, Symantec recommends upgrading to the latest version of Symantec Endpoint Protection, which is SEP 12.1 RU1, but there is no rush.

"The code that has been exposed is so old that current out-of-the-box security settings will suffice against any possible threats that might materialize as a result of this incident," Symantec said.

Posted on January 27, 2012 at 09:29 AM | Permalink

» McAllen insurance agent indicted on charges of mail fraud and ID theft

From a Jan. 26 news release issued by the U.S. Attorney's Office for the Southern District of Texas:

McALLEN, Texas – A McAllen area insurance agent has been indicted on multiple counts of mail fraud and aggravated identity theft arising from a scheme to defraud several private insurance companies offering Medicare Advantage plans and other insurance products, United States Attorney Kenneth Magidson announced today.
San Juana Lopez, 59, of Edinburg, Texas, was charged with five counts of mail fraud and three counts of aggravated identity theft in a federal indictment, returned under seal Tuesday, Jan. 24, 2012. The indictment was unsealed this morning upon her arrest by federal agents at her residence and she is expected to make an initial appearance in federal court later this morning before U.S. Magistrate Judge Dorina Ramos.
According to the indictment, from 2007 through 2008, Lopez worked for a San Antonio, Texas, insurance agency, selling Medicare Advantage insurance plans. These plans provide Medicare beneficiaries with the option to receive their benefits through a wide variety of private managed care plans, rather than through the traditional Medicare program. The indictment alleges Lopez obtained identifiers of beneficiaries through a variety of illegal means and used the identifiers to enroll the beneficiaries in a Medicare Advantage plan offered by Care Improvement Plus - a Baltimore, Md., insurance company - without the authorization or knowledge of the beneficiaries. Lopez received thousands in commissions as a result of the false enrollments. 
The indictment further alleges that only a few days after being suspended by Care Improvement Plus, Lopez entered into a sales agent agreement with United Funeral Directors Benefit Life Insurance Company (United), of Richardson, Texas, which offered pre-need funeral contracts allowing insured individuals to pre-plan and pre-fund funeral expenses. According to the indictment, soon after becoming an agent for United, Lopez began enrolling numerous individuals in United’s pre-need funeral insurance policy without their authorization or knowledge. The indictment alleges Lopez used bank account information belonging to unsuspecting United clients, whom she had previously enrolled, to make premium payments on the false policies. Lopez received thousands of dollars in commissions from United in connection with the alleged fraud.
Each count of mail fraud carries a sentence of up to 20 years in federal prison without parole and a $250,000 fine upon conviction. Lopez also faces a mandatory two-year prison term for each count of aggravated identity theft which must be served consecutive to any prison sentence imposed on the underlying charges. 
The investigation leading to the charges was conducted by the U.S. Department of Health and Human Services–Office of Inspector General and the U.S. Secret Service. Assistant United States Attorney Greg Saikin is prosecuting the case.
An indictment is a formal accusation of criminal conduct, not evidence.
A defendant is presumed innocent unless convicted through due process of law.



Posted on January 27, 2012 at 09:25 AM | Permalink

» Malware Poses as Google+ Plug-In

Spammers are cashing in on the popularity of Google+ by sending out fake emails inviting users to try out Google+ Hangouts by downloading a malicious file posing as a Google+ Hangout plug-in.

The fraudulent email advertises Google+ Hangouts as “the most popular online meeting service,” which is apparently true, according to a recent article from Lifehacker.

The fake Google+ plug-in promises to make you “look and sound your best with high quality audio and video,” apparently an effort to fool G+ users into believing that the free Web conferencing feature can be juiced. Malware City reports that clicking the link won’t install a Google+ plug-in but downloads an executable file instead.

Despite concerns about privacy, there have been few threats that specifically target the Google+ network since its launch. The company has promised to prevent brand squatting and other nuisance behaviors, but G+ specific malware and attacks have been far and few between. That may change, however, as the size of the nascent social network continues to grow.

Posted on January 27, 2012 at 09:23 AM | Permalink

» ID theft scam in NY has victims in 30 states

Two New York women are accused of scamming $75,000 from victims in 30 states by posting phony Craigslist ads for nonexistent jobs and apartments.

A Long Island prosecutor has announced identity theft charges against the woman and her niece.
Nassau County District Attorney Kathleen Rice said Thursday a grand jury filed grand larceny and other charges against the pair earlier this week. Her spokesman said the women will be arraigned at a later date. Defense attorneys did not immediately respond to calls for comment.

Prosecutors say the pair posted online ads and then asked responders to provide personal information, including Social Security numbers.

The women then allegedly used the information to file more than 250 phony tax returns, obtain bank loans and credit cards in the victims’ names.

From AP

Posted on January 27, 2012 at 09:18 AM | Permalink

» Timeshare Marketing Scams

Timeshare owners across the country are being scammed out of millions of dollars by unscrupulous companies that promise to sell or rent the unsuspecting victims’ timeshares. In the typical scam, timeshare owners receive unexpected or uninvited telephone calls or e-mails from criminals posing as sales representatives for a timeshare resale company. The representative promises a quick sale, often within 60-90 days. The sales representatives often use high-pressure sales tactics to add a sense of urgency to the deal. Some victims have reported that sales representatives pressured them by claiming there was a buyer waiting in the wings, either on the other line or even present in the office.

Timeshare owners who agree to sell are told that they must pay an upfront fee to cover anything from listing and advertising fees to closing costs. Many victims have provided credit cards to pay the fees ranging from a few hundred to a few thousand dollars. Once the fee is paid, timeshare owners report that the company becomes evasive—calls go unanswered, numbers are disconnected, and websites are inaccessible.

In some cases, timeshare owners who have been defrauded by a timeshare sales scheme have been subsequently contacted by an unscrupulous timeshare fraud recovery company as well. The representative from the recovery company promises assistance in recovering money lost in the sales scam. Some recovery companies require an up-front fee for services rendered, while others promise no fees will be paid unless a refund is obtained for the timeshare owner. The IC3 has identified some instances where people involved with the recovery company also have a connection to the resale company, raising the possibility that timeshare owners are being scammed twice by the same people.

If you are contacted by someone offering to sell or rent your timeshare, the IC3 recommends using caution. Listed below are tips you can use to avoid becoming a victim of a timeshare scheme:

  • Be wary if a company asks you for up-front fees to sell or rent your timeshare.
  • Read the fine print of any sales contract or rental agreement provided.
  • Check with the Better Business Bureau to ensure the company is reputable.

To obtain more information on Internet schemes, visit

Anyone who believes they have been a victim of this type of scam should promptly report it to the IC3’s website at The IC3’s complaint database links complaints together to refer them to the appropriate law enforcement agency for case consideration.

Posted on January 26, 2012 at 02:47 PM | Permalink

» Six Charged in Scheme to Use Identities of Dead People to Get Tax Refunds

A 10-count indictment was unsealed today charging six people with various offenses related to a scheme to defraud the Internal Revenue Service (IRS) of at least $1.7 million in fraudulently obtained tax returns, often filed in the names of recently deceased taxpayers, the Justice Department and IRS announced today.

According to the indictment, between April 15, 2009, to at least August 2011, Muaad Salem, Fahim Sulieman, Hanan Widdi, Najeh Widdi, Hazem Woodi and Daxesj Patel and other unknown co-conspirators allegedly defrauded the United States by filing false and fraudulent tax returns, many in the names of recently deceased taxpayers, and directing refunds to controlled locations in the state of Florida.

The indictment further alleges that the U.S. Treasury checks generated by the false and fraudulent returns would then be sent by the U.S. mail to co-conspirators in Ohio who would sell and distribute the checks for negotiation at various businesses and banking institutions.

“The theft of anyone’s identity is a serious offense, but stealing the identities of the recently departed to defraud all the other taxpayers is particularly egregious,” said Steven M. Dettelbach, the U.S. Attorney for the Northern District of Ohio.

“Identity theft that leads to tax fraud threatens both individual U.S. citizens and the U.S. government,” said John A. DiCicco, Principal Deputy Assistant Attorney General of the Justice Department's Tax Division. “The Justice Department and the IRS will continue to cooperate in investigating and prosecuting these crimes to the fullest extent of the law. In our technology-driven society, this simply must be a top priority.”

  The following individuals were charged with conspiracies to defraud the United States and to commit mail fraud:

Muaad Salem, age 33, of Akron, Ohio;  

Hazem Woodi, age 31, of North Olmsted, Ohio;

Najeh Widdi, age 45, of Cleveland;

Fahim Suleiman, age 46, of Lutz, Fla.;

Daxesj Patel, age 35, of Canton, Ohio; and

Hanan Widdi, age 38, of Cleveland.

The six are also charged with three counts of mail fraud and two counts of aggravated identity theft. In addition to the other charges, Patel is separately charged with two counts of making a false claim against the United States and with making a false statement to law enforcement officials investigating the crimes.

“The IRS is aggressively pursuing those who steal others’ identities in order to file false returns,” said Steven Miller, IRS Deputy Commissioner for Services and Enforcement. “Our cooperative work with the U.S. Attorney’s Office will help protect taxpayers in Northern Ohio from being victimized by identity theft. The IRS is taking additional steps this tax season to further prevent, detect and resolve identity theft cases as soon as possible.”

“This case is an example of the FBI and IRS working together to aggressively pursue and investigate those organized criminal enterprises that commit identity theft and fraudulent activities in the United States costing the taxpayers of this country millions of dollars,” said Stephen D. Anthony, Special Agent in Charge of the FBI’s Cleveland office.

“IRS Criminal Investigation has made investigating refund fraud and identity theft a top priority,” stated Darryl Williams, Special Agent in Charge, IRS-Criminal Investigation, Cincinnati Field Office. “Filing fraudulent tax returns in the names of other individuals may result in significant harm to those individuals whose identities were stolen, as well as a monetary loss against the U.S. Treasury.”

Mail fraud is punishable by a maximum sentence of 20 years in prison; conspiracy to defraud the United States is punishable by a maximum sentence of 10 years; conspiracy to commit mail fraud, making a false claim against the United States and making a false statement are each punishable by a maximum sentence of five years in prison; aggravated identity theft is punishable by a mandatory sentence of two years incarceration to follow conviction on any other offense.

Defendants also face a fine of up to $250,000 for each count of conviction.

The case was presented to the grand jury by Assistant U.S. Attorney Gary D. Arbeznik following investigation by the Cleveland Division of the FBI, the IRS – Criminal Investigation, and the U.S. Postal Service.           

An indictment is only a charge and is not evidence of guilt. The defendants are entitled to a fair trial in which it will be the government’s burden to prove guilt beyond a reasonable doubt

From DOJ

Posted on January 26, 2012 at 02:46 PM | Permalink

» appears to be a scam

Watch out for 

Many complaints online for this company. My credit card company told me they are located in Great Birtain, although they clearly operate in the United States. 

I noticed that a lot of complaints online about filmlush are from people that enter in credit card information for a trial and then they cancel before the end of the trial, or never in click "submit" to finalize the offer but are still charged $39.95. 

Posted on January 25, 2012 at 11:29 AM | Permalink

» Top Data Breaches in 2011

2011 was a significant year for data security, with some of the biggest data breaches in our history reported. In 2011, 535 breaches involving 30.4 million sensitive records. This brings the total reported records breached in the U.S. since 2005 to the alarming number of 543 million.

Data breaches of sensitive information, especially Social Security and credit card numbers, make consumers vulnerable to identity theft. According to a 2009 report by Javelin Research & Strategy, individuals are four times more likely to be the victim of identity theft in the year after receiving a data breach notification letter. But even breaches that contain data as seemingly innocuous as names and email address can be used by fraudsters to trick consumers into revealing information that can lead to identity theft.

The following half dozen are the most significant data breaches in 2011:

  1. Sony PlayStation (April 27) – Sony discovered an external intrusion on PlayStation Network (PSN) and its Qriocity music service around April 19. Sony blocked users from playing online games or accessing services like Netflix and Hulu Plus on April 22. The blockage lasted for seven days. Sony believes criminal hacker(s) obtained names, addresses, email addresses, dates of birth, PSN/Qriocity password and login, and online IDs for multiple users. The attacker may have also stolen users' purchase history, billing address, and password security questions. Over the course of the next several months, Sony discovered that the hackers gained access to 101.6 million records, including 12 million unencrypted credit card numbers.    

    The Sony breach highlights the importance of password hygiene. Passwords are frequently the only thing protecting our private information from prying eyes.  Many websites that store your personal information (for example web mail, photo or document storage sites, and money management sites) require just a user name and password for protection. Password-protected web sites are becoming more vulnerable because often people use the same passwords on numerous sites.  One study by Sophos, a security firm, found that more than 30% of users recycle the same password for every site that they access. In this case, the stolen passwords were unencrypted, meaning the criminal could potentially "break in" to other sites if the victims used the same password more than once.

  2. Epsilon (April 2) – Epsilon, an email service provider for companies, reported a breach that affected approximately 75 client companies. Email addresses and customer names were affected. Epsilon has not disclosed the names of the companies affected or the total number of names stolen. However, millions of customers received notices from a growing list of companies, making this the largest security breach ever. Conservative estimates place the number of customer email addresses breached at 50 to 60 million.  The number of customer emails exposed may have reached 250 million.

    Compromised email addresses and names may seem innocuous to some, but victims may fall prey to spear phishing. Spear phishing occurs when a criminal sends an email that sounds and looks like it’s from a company the recipient has an account with because it addresses him or her by name. A spear-phishing message might say,  "Hello Mr. Anderson, Because of the recent hacking incident affecting some Acme customers, we are asking you to visit this website [URL provided] and update your security settings.” The email tries to convince trusting readers to “bite” on the bait and go to that website, and then divulge other information like Social Security numbers and credit card numbers. The result could be as serious as identity theft. 

    The Epsilon breach is also significant because it highlights the risk of cloud-based computing systems and the need for greater cloud security measures.

  3. Sutter Physicians Services (SPS) and Sutter Medical Foundation (SMF) (Nov. 16) - A company-issued desktop computer was stolen from SMF's administrative offices in Sacramento, California, during the weekend of October 15th. Although the data was password protected, it was not encrypted. Approximately 3.3 million patients whose health care provider is supported by SPS had their names, addresses, dates of birth, phone numbers, email addresses, medical record numbers and health insurance plan name exposed.  An additional 934,000 SMF patients had dates of services and description of medical diagnoses and/or procedures used for business operations, bringing the total to 4.2 million patients.   At least two lawsuits have been filed against Sutter Health.  One class-action suit alleges that Sutter Health was negligent in safeguarding its computers and data, and then did not notify the millions of patients whose data went missing within the time required by state law.  

    The security lapse occurred on two levels: both the data itself (being unencrypted) and the physical location (stored in an unsecure location). Although no Social Security numbers or financial information were apparently exposed, all the data elements needed for medical identity theft were included in the stolen records.

  4. Texas Comptroller's Office (April 11) – Information from three Texas agencies was discovered to be accessible on a public server. Sometime between January and May of 2010, unencrypted data was transferred from the Teacher Retirement Center of Texas, the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas. It ended up on a state-controlled public server as early as April 2010 and was not discovered until March 31, 2011. Sensitive information such as names, Social Security numbers, addresses, dates of birth and driver's license numbers could have been exposed.

    A spokesperson from the Texas Comptroller's Office claims that the breach occurred because numerous procedures were not followed.  Some employees were fired for their roles in the incident. Approximately two million of the 3.5 million individuals possibly affected were unemployed insurance claimants who may have had their names, Social Security numbers and mailing addresses exposed.  The birth dates and driver's license numbers of some of these people were also exposed. Two class action lawsuits have been filed on behalf of the 3.5 million Texans affected by the breach. One such lawsuit seeks a $1,000 statutory penalty for each individual.

    Although all breaches of sensitive personal information are serious, the Texas Comptroller breach is particularly significant because individuals generally do not have a choice when providing personal information to a government agency. It is therefore vitally important that government agencies act as responsible stewards of personal data.

  5. Health Net (March 15) - Nine data servers containing sensitive health information went missing from Health Net's data center in Rancho Cordova, California.  The servers contained the personal information of 1.9 million current and former policyholders, compromising their names, addresses, health information, Social Security numbers and financial information.

    Not only was Health Net the first massive medical breach of the year, but the company waited three months before notifying affected individuals. The servers were discovered missing in January, but policyholders were not notified until March. The breach highlights the importance of timely notification. 

  6. Tricare Management Activity, Science Applications International Corporation (SAIC) (Sept. 30) - The car theft of backup tapes resulted in the exposure of protected health information from patients of military hospitals and clinics.  Uniformed Service members, retirees and their families were affected.  Patient data from the military health system dating from 1992 to September 2011 could have been compromised.  It included Social Security numbers, addresses, phone numbers, clinical notes, laboratory tests, prescriptions, and other medical information.  Four people have filed a $4.9 billion lawsuit over the improper disclosure of active and retired military personnel and family data.  The lawsuit would give $1000 to each of the affected individuals. SAIC reported that 5,117,799 people were affected by the breach.

    The Tricare/SAIC breach is significant because not only are the victims at risk of medical identity theft, but financial identity theft as well. The breach begs several questions: Why were the backup tapes being transported in an employee’s personal vehicle? And why were those records not encrypted? This breach also illustrates the triple impact of medical breaches. Victims not only suffer the exposure of their sensitive health information; they also are vulnerable to financial identity theft as well as medical identity theft.

    It is also significant that two out of six of our top breaches are medical breaches. Data breaches in the healthcare industry are up 32 percent over last year, according to one report. Medical breaches are particularly significant and harmful because of the sensitivity of personal information exposed, in addition to, often, Social Security numbers and dates of birth. 


Posted on January 25, 2012 at 10:11 AM | Permalink

» Hackers steal $6.7 million from South African bank

A perfectly planned and coordinated bank robbery was executed during the first three days of the new year in Johannesburg, and left the targeted South African Postbank - part of the nation's Post Office service - with a loss of some $6.7 million.

Unfortunately, the Postbank's fraud detection system hasn't performed as it should, and the crime was discovered only after everyone returned to work after the holiday break. Apparently, it should not come as a surprise - according to a banking security expert, "the Postbank network and security systems are shocking and in desperate need of an overhaul."

The post office and the police have confirmed that the breach happened and that the National Intelligence Agency (NIA) is involved in the investigation. The bank has issued a statement saying that none of its customers' bank accounts were affected by the heist.


Posted on January 17, 2012 at 07:24 PM | Permalink

» Opt-Out of online behavioral advertising

The Network Advertising Initiative Opt-Out Tool was developed for the express purpose of allowing consumers to "opt out" of the behavioral advertising delivered by NAI member companies.

The companies that provide advertising for Websites typically gather data about consumers who view their ads. Often, that data is anonymous - linked only to a numbered "cookie" on a user's computer (a cookie is a small file of data that is stored by websites on your computer through your web browser). Advertising networks collect and analyze this data to make a variety of inferences about each consumer's interests and preferences. The result is a profile that attempts to predict the individual consumer's tastes, needs, and purchasing habits. That profile enables the advertising companies' computers to make split-second decisions about how to deliver ads directly targeted to the consumer's specific interests. The Network Advertising Initiative (NAI) refers to this practice as "Online Behavioral Advertising" or "OBA."

These third-party advertising companies employ cookie and 1x1 pixel.gif (web beacon) technology to measure and improve the effectiveness of ads for their clients. To do so, these companies may use anonymous information about your visits to many websites. This information can include: date/time of banner ad shown, their cookie, and IP address among the data that is collected. This information can also be used for online preference marketing purposes. Information about your visits to such Web sites may be used to provide ads about goods and services of interest to you (or that they think are of interest to you based on your past web browsing).

Using the Opt-Out Tool, you can examine your computer to identify those member companies that have placed an advertising cookie file on your computer. To opt out of an NAI member's behavioral advertising program, simply check the box that corresponds to the company from which you wish to opt out. Alternatively, you can check the box labeled "Select All" and each member's opt-out box will be checked for you. Next click the "Submit" button. The Tool will automatically replace the specified advertising cookie(s) and verify your opt-out status.

Opting out of a network does not mean you will no longer receive online advertising. It does mean that the network from which you opted out will no longer deliver ads tailored to your Web preferences and usage patterns.

The opt-outs are specific to every browser so you must run the tool for every browser you use. The opt-outs will only remain in effect as long as the opt-out cookies it places into your browser's storage still exist. So if you get a new computer, uninstall your browser or delete all the browser cookies, you will have to run the Opt-Out Tool again.

Network Advertising Initiative Opt-Out Tool |  FAQ

Posted on January 12, 2012 at 09:33 AM | Permalink

» EFF Raises Privacy Concerns About AOL Instant Messenger

The new preview version of AOL Instant Messenger raised privacy concerns for us when it was first introduced, first because it started storing more logs of communications and second, because it apparently scanned all private IMs for URLs and pre-fetched any URLs found in them. We met with AOL to discuss how these features work and why the company should take greater care with your data, and we’re happy to say that AOL is promising to make some important changes as a result, especially in response to our second concern.

However, we still recommend that AIM users do not switch to the new version, as it introduces important privacy-unfriendly features. Unfortunately, AOL's moves are in keeping with a general trend toward more pervasive cloud-based services in which your personal chat data is centrally stored in plain text and an easy target for law enforcement and criminals. This shift toward central logging is troubling in many situations, including in chat.  


We appreciate AOL's willingness to discuss these changes with us and we're extremely pleased to see AOL taking some steps to safeguard their users' privacy and give better notice, which only becomes more important as the company moves toward providing more cloud-based services. Nevertheless, we think there’s more AOL should do to respect its customers' privacy and to fully inform them about, and get opt-in agreement to, these significant changes.

Bottom line: Because signing onto the new version of AIM permanently changes your account settings to log all conversations to AOL’s servers by default, we recommend that existing AIM users do not upgrade. As always, we recommend users stay safer online by using chat clients that are compatible with OTR.

More at

Posted on January 5, 2012 at 10:42 AM | Permalink

» BBB Top Ten Scams of 2011

Better Business Bureau investigates thousands of scams every year, from the latest gimmicks to schemes as old as the hills. Our new Scam Source ( is a comprehensive resource on scam investigations from BBBs around the country, with tips from BBB, law enforcement and others. You can sign up to receive our Scam Alerts by email, and you can also be a scam detective yourself by reporting scams you’ve discovered. We’ve divided scams up into nine major categories and picked the top scam in each, plus our Scam of the Year. 

Top Job Scam 
BBB sees lots of secret shopper schemes, work-from-home scams, and other phony job offers, but the worst job-related scam can dash your hopes and steal your identity. Emails, websites and online applications all look very professional, and the candidate is even interviewed for the job (usually over the phone) and then receives an offer. In order to start the job, however, the candidate has to fill out a “credit report” or provide bank information for direct deposit of their “paychecks.” The online forms are nothing more than a way to capture sensitive personal data – Social Security number, bank accounts, etc. – that can easily be used for identity theft. And, of course, there is no job, either. 

Top Sweepstakes and Lottery Scam 
Sweepstakes and lottery scams come in all shapes and sizes, but the bottom line is almost always this: You’ve won a whole lot of money, and in order to claim it you have to send us a smaller amount of money. Oh, and keep this confidential until we’re ready to announce your big winnings. This year’s top sweepstakes scam was undoubtedly the email claiming to be from Facebook founder Mark Zuckerberg announcing that the recipient was the winner of $1 million from the popular social networking site. These kinds of scams often use celebrities or other famous names to make their offer seem more genuine. If you aren’t sure, don’t click on the link but instead go directly to the homepage of the company mentioned. If they are really giving away $1 million, there will be some kind of announcement on their website. But don’t waste too much time looking. 

Top Social Media/Online Dating Scam 
On the Internet, it’s easy to pretend to be someone you are not. Are you really friends with all of your “Friends” on Facebook? Do you have a lot of personal information on a dating site? With so much information about us online, a scammer can sound like they know you. There are tons of ways to use social media for scams, but one this year really stands out because it appeals to our natural curiosity…and it sounds like it’s coming from a friend. Viral videos claiming to show everything from grisly footage of Osama bin Laden’s death to the latest celebrity hijinks have shown up on social media sites, often looking as if they have been shared by a friend. When you click on the link, you are prompted to “upgrade your Flash player,” but the file you end up downloading contains a worm that logs into your social media account, sends similar messages to your friends, and searches for your personal data. The next time you see a sensational headline for the latest viral video, resist the urge to peek. 

Top Home Improvement Scam 
Always near the top of BBB complaint data are home improvement contractors who often leave your home worse than they found it. They usually knock on your door with a story or a deal – the roofer who can spot some missing shingles on your roof, the paver with some leftover asphalt who can give you a great deal on driveway resealing. Itinerant contractors move around, keeping a step ahead of the law…and angry consumers. The worst are those who move in after a natural disaster, taking advantage of desperate homeowners who need immediate help and may not be as suspicious as they would be under normal circumstances. A large percentage of BBB’s Accredited Businesses are home contractors who want to make sure you know they are legitimate, trustworthy and dependable. Find one at 

Top Check Cashing Scam 
Two legitimate companies – Craig’s List and Western Union – are used for an inordinate amount of scamming these days, and especially check cashing scams. Here’s how it works: Someone contacts you via a Craig’s List posting, maybe for a legitimate reason like buying your old couch or perhaps through a scam like hiring you as a secret shopper. Either way, they send you a check for more than the amount they owe you, and they ask you to deposit it into your bank account and then send them the difference via Western Union. A deposited check takes a couple of days to clear, whereas wired money is gone instantly. When the original check bounces, you are out whatever money you wired…and you’re still stuck with the old couch. 

Top Phishing Scam 
“Phishing” is when you receive a suspicious phone call asking for personal information or an email that puts a virus on your computer to hunt for your data. It’s almost impossible to avoid them if you have a telephone or an email account. But the most pernicious phishing scam this year disguised itself as official communication from NACHA – the National Automated Clearing House Association – which facilitates the secure transfer of billions of electronic transactions every year. The email claims one of your transactions did not go through, and it hopes you react quickly and click on the link before thinking it through. It may take you to a fake banking site “verify” you account information, or it may download malware to infiltrate your computer. 

Top Identity Theft Scam 
There are a million ways to steal someone’s identity. This one has gotten so prevalent that many hotels are posting warnings in their lobby. Here’s how it works: You get a call in your hotel room in the middle of the night. It’s the front desk clerk, very apologetic, saying their computer has crashed and they need to get your credit card number again, or they must have gotten the number wrong because the transaction won’t go through, and could you please read the number back so they can fix the problem? Scammers are counting on you being too sleepy to catch on that the call isn’t from the hotel at all, but from someone outside who knows the direct-dial numbers for the guest rooms. By the time morning rolls around and you are clear-headed, your credit card has been on a major shopping spree. 

Top Financial Scam 
In challenging economic times, many people are looking for help getting out of debt or hanging on to their home, and almost as many scammers appear to take advantage of desperate situations. Because the federal government announced or expanded several mortgage relief programs this year, all kinds of sound-alike websites have popped up to try to fool consumers into parting with their money. Some sound like a government agency, or even part of BBB or other nonprofit consumer organization. Most ask for an upfront fee to help you deal with your mortgage company or the government (services you could easily do yourself for free), and almost all leave you in more debt than when you started. 

Top Sales Scam 
Sales scams are as old as humanity, but the Internet has introduced a whole new way to rip people off. Penny auctions are very popular because it seems like you can get something useful - cameras, computers, etc. – for way below retail. But you pay a small fee for each bid (usually 50₵ to $1.00) and if you aren’t the winner, you lose that bid money. Winners often are not even the top bidder, just the last bidder when time runs out. Although not all penny auction sites are scams, some are being investigated as online gambling. BBB recommends you treat them the same way you would legal gambling in a casino – know exactly how the bidding works, set a limit for yourself, and be prepared to walk away before you go over that limit. 

Scam of the Year 
Yep, it’s us – the BBB phishing scam. Hundreds of thousands, perhaps millions, of people have gotten emails that very much look like an official notice from BBB. The subject line says something like “Complaint Against Your Business,” and the instructions tell the recipient to either click on a link or open an attachment to get the details. If the recipient does either, a malicious virus is launched on their computer…a virus that can steal banking information, passwords and other critical pieces of information needed for cyber-theft. BBB is working with security consultants and federal law enforcement to track down the source of these emails, and has already shut down dozens of hijacked websites. Anyone who has opened an attachment or clicked on a link should run a complete system scan using reputable anti-virus software. If your computer is networked with others, all machines on the network should be scanned, as well

Posted on January 5, 2012 at 10:38 AM | Permalink

» Hacking group releases 75,000 names of Stratfor subscribers

Hackers released another batch of data on Thursday pilfered from Stratfor Global Intelligence, a widely used research and analysis company whose website was attacked last weekend. The data purports to be the names and credit-card numbers of people who have purchased research from Stratfor plus hundreds of thousands of user names and e-mail addresses used to register with the website.

The hackers, believed to be part of the Anonymous movement, described the data on Pastebin, then provided several links to websites hosting the information. They noted that some 50,000 of the e-mail addresses released end in ".mil" or ".gov." The data comprises 75,000 names, credit card numbers and MD5 hashes, or cryptographic representations, of passwords for people who have paid Stratfor for research.

The group also said the data contains 860,000 user names, e-mail addresses and MD5 hashes for passwords for anyone who has registered on Stratfor's website.

From IDG News Service

Posted on January 3, 2012 at 05:42 PM | Permalink

» Privacy Rights Clearinghouse Launches Online Complaint Center

The Privacy Rights Clearinghouse (PRC) is proud to announce the launch of an interactive online complaint center designed to serve as a clearinghouse for consumer privacy complaints.  This builds upon our 19-year history of troubleshooting consumers’ complaints and questions regarding a wide variety of information privacy issues, including background checks, debt collection, data breaches, financial information, and online data brokers. The PRC's staff will review and respond to every complaint, providing individuals with information and strategies to address their problem.

The impetus for the development of the online complaint center was the 2009 KnowPrivacy study, conducted by graduate students in the Masters program at the UC-Berkeley School of Information as well as the Law School at UC-Berkeley. The study found that consumers are concerned about data collection and want greater control over their personal information, but don't know whom to complain to. This presents a significant challenge given the important role that consumer complaints can play regarding the shaping of public policy.

The new online complaint center acts as a clearinghouse for privacy-related complaints by offering consumers a central point of contact. Complaints submitted to the PRC will be forwarded upon the consumer’s request to the appropriate governing body. Further, by acting as a magnet for privacy complaints, our goals are to:

  1. Empower Consumers. There are many avenues for consumers to voice complaints, but few that actually respond with personalized information. The PRC's staff will review and respond to every complaint, providing individuals with information and strategies to address their problem. We also offer individuals the opportunity to escalate the complaint to the media, public authorities, and, if appropriate, attorneys.

  2. Educate the Public Policy Process. As an education and advocacy organization, the PRC understands the important role consumer complaints play in fostering regulatory and legislative change. The online complaint center will enable us to identify trends and publish reports on key privacy-related issues that are of concern to individuals. By sharing this information with the Federal Trade Commission and other regulators at the state and federal level, public authorities can gain a richer understanding of the consumer privacy landscape. 

The online complaint center, available at, simplifies the complaint process into four main sections:

  1. Who are you? Consumers can choose to remain anonymous or provide their name and contact information. The only information we require is the consumer's email address and state so that we can properly respond to the complaint. Contact information will not be shared unless the individual chooses to share the complaint with government agencies, lawyers or the media.

  2. Whom/what are you complaining about? We ask the consumer to identify whom/what the complaint is about: a company or organization, a government agency or a person. If the complaint is about a company or organization, the site has an interactive “smart” feature that can auto-fill company information.

  3. What is your complaint? Consumers have the ability to describe their complaint in detail, attach supporting documents and add "tags" to categorize the complaint.

  4. Review and submit your complaint. Before submitting the complaint, consumers have an opportunity to review the entire complaint and make any necessary changes. There is also an option to print or email a copy of the complaint.

The PRC staff review all complaints and email a personalized response to the consumer within one to two business days. If the individual chooses to share the complaint with government agencies, we forward the complaint to the appropriate governing body.

The online complaint center also offers a registration feature. Those users who wish to register can login at anytime to update contact information, access previously submitted complaints, see staff responses to each complaint, and add new information to a complaint. Registration is completely optional and can be pseudonymous.

We invite you to celebrate a new year for privacy by exploring the online complaint center and sharing the site with your friends and family.  Any feedback can be emailed to



Posted on January 3, 2012 at 11:58 AM | Permalink | Comments (0)

» Bank of America data leak destroys customer trust

A BofA employee apparently leaked confidential information about his and hundreds of other customers' accounts to scammers, resulting in more than $10 million in losses. A BofA employee apparently leaked confidential information about his and hundreds of other customers' accounts to scammers, resulting in more than $10 million in losses.

More from

Posted on May 26, 2011 at 09:08 AM | Permalink

» Health Net loses sensitive data for 2M people

A health insurance company that provides coverage to 6 million people nationwide said Monday it is missing data servers containing the health records, financial information and Social Security numbers for nearly 2 million current and past clients.

Health Net Inc. said Monday it cannot account for several hard drives from a data center in the Sacramento suburb of Rancho Cordova.

The Woodland Hills-based managed care company would not disclose how many people could be affected, but the California Department of Managed Health Care placed the number at 1.9 million. In a news release, the department said nine server drives are missing and that it is conducting its own investigation into the company's security practices.


Posted on March 17, 2011 at 02:47 PM | Permalink

» Monitor your credit report

Federal law gives you the right to one free credit report from each of the three credit bureaus on an annual basis. Requesting your free credit reports on a regular basis can help you spot problems early, such as identity theft or erroneous debts. Don’t fall prey to the confusing ads for free credit reports that you see on TV. The official site for your free yearly credit report is Learn more

Posted on March 12, 2011 at 10:35 AM | Permalink | Comments (1)

» Don’t share sensitive information on social networking sites

People store massive amounts of personal information on such sites, including birth dates, place of birth, phone numbers, vacation plans and more. Not only is this information a gold mine for marketers and unscrupulous individuals, but it may also be used against you by current and future employers. Learn more

Posted on March 10, 2011 at 10:34 AM | Permalink | Comments (0)

» Request a copy of your medical records

The federal rule HIPAA gives you the right to access your medical records. Health care providers must give you a copy of their privacy notice. This includes doctors, pharmacies, dentists, and other healthcare professionals. It’s important to request copies of your medical records because you never know when your doctor or dentist might retire or close up shop. And it's prudent to watch for signs of medical identity theft. Learn more

Posted on March 9, 2011 at 10:33 AM | Permalink | Comments (0)

» Don't let debt collectors push you around: you have rights

The federal Fair Debt Collection Practices Act gives you rights when debt collectors call. We’ve heard of debt collectors contacting family members, neighbors, and employers, as well as threatening jail time. A collector should not discuss your account with third parties or use the phone to harass you. Request debt collectors contact you in writing. Learn more

Posted on March 8, 2011 at 10:32 AM | Permalink | Comments (0)

» When applying for a job, request copy of your background check

If you are applying for a job, potential employers must obtain your written permission before performing a background check. Under the federal Fair Credit Reporting Act, companies must tell you if they didn’t hire you because of the background check and give you information on how to request a copy of the report. Learn more

Posted on March 7, 2011 at 10:31 AM | Permalink | Comments (0)

» Cord Blood Registry Data Theft [UPDATED 3-7-11]

(Update below)

ScamSafe appears to be the first to report a serious data breach at Cord Blood Registry ( No mention has been found of this breach in the news or the Data Loss database.

The author received a notification letter as a customer of CBR dated February 14 2011.

A CBR computer and data backup tapes were stolen from an employee's locked automobile. The stolen tapes contained customer names, Social Security numbers, driver's licenses and/or credit card numbers. This is the "mother load" of personal identifying information for identity thieves.

CBR said in their letter to those effected: "CBR hired computer security experts to investigate the incident and they determined that there is no indication that the person information has been accessed or misused." This is a typical PR spin statement that companies who have suffered a breach use to make their customers feel better. Unfortunately it is, at best, meaningless. How could they really know whether the information was used to commit identity fraud? If they have a method, we're all ears.

There is no mention of the stolen computer and data tapes on the company web site or blog.

Cord Blood Registry® (CBR®) is the world's largest stem cell bank. The company is entrusted with storing more than 350,000 cord blood collections for individuals and their families. Headquarters are in San Bruno, California, and laboratory and storage facility is located in Tucson, Arizona.

UPDATE 3/3/11: Read the police report. The theft happened on December 13 2010. The CBR employee had the computer and data tapes in a backpack in the trunk of his car. He left it unattended at 11:35pm and returned around 15 minutes later and it had been broken into. The location of the theft is actually a large data center at 365 Main St in San Francisco.

UPDATE #2 3/3/11: This breach appears to effect virtually EVERY CBR customer (over 300,000). You can read the breach notification letter. For help call CBR at (888) 578-4480.

UPDATE #3 3/7/11: Read more about the breach at Network World and on

Posted on March 2, 2011 at 10:32 AM | Permalink | Comments (7) | TrackBack (0)

» Better Business Bureau Warns of Identity Theft on Facebook

The Better Business Bureau is asking local residents to be more careful about placing their age, birthday or other information on Facebook. They warn that users of the popular social networking site could become victims of identity theft.

The Metro Atlanta Better Business Bureau says identity thieves can guess the social security numbers of Facebook users with very little information. Fred Elsberry is president and CEO of the organization.

"The first three digits of your social security number is the zip code of where you live, or a code that says this is your hometown, so if you put your hometown in there they're going to be able to identify the first three digits."

Elsberry says identity thieves can also guess the next two digits, because they are determined by where you applied for your social security number. He says the last four digits are supposed to be random, but they tend to be in sequential order. Elsberry says those born after 1989 are especially at risk.

"The pattern is much more predictable there."

Elsberry says the good news is starting this year social security numbers will be more random. But he says if you already have one, your only option is to protect the one you've been given.


Posted on February 21, 2011 at 10:35 AM | Permalink

» Protect Your Credit Card from Being Compromised by These Cons

Credit card con-artists can be extremely crafty, something you know first hand if you've found yourself entangled in one of their scams. It's not just people on the news; many Americans find themselves scammed each year.

On this site below, you can find four examples of some disturbingly compelling credit card fraud.


Posted on February 21, 2011 at 10:33 AM | Permalink

» BBB warns of tax-time scams

The Better Business Bureau is warning taxpayers to beware of tax scams during this return-filing season.

If you get an email that claims to be from the IRS, telling you that you need to submit information for your W-2, it is a scam, the BBB advised.

The email tells the taxpayer to click on a link to input the information as part of an identity theft scam.

There are several IRS scams that make their rounds at this time of the year. Sometimes the email comes from the "Treasury Department" stating a refund or tax inheritance is waiting and the taxpayer needs to provide personal information.

Here are tips from the BBB to help you recognize a tax scam:

- If the IRS needs information, it will send a letter. You will not be asked to send information through email.

- Do not click on any links in unknown emails. It could infect your computer with viruses and spyware.

- Do not give out personal information, including Social Security number, home address and birth date to anyone who emails or calls you.

- If the email has a lot of punctuation and spelling errors, that's a "red flag" that it is probably not an official letter.


Posted on February 21, 2011 at 10:31 AM | Permalink

» FTC Offers Businesses Tips for Dealing with Medical Identity Theft

 The Federal Trade Commission, the nation’s consumer protection agency, has information for health care providers and insurers about how to help patients minimize the risk of medical identity theft and deal with the consequences if they become victims of it.  Here are the highlights of the FTC’s new publication, Medical Identity Theft FAQs for Health Care Providers and Health Plans: 

  • How would people know if they’re victims of medical identity theft?  They could be billed for medical services they didn’t receive, contacted by a debt collector about a medical debt they don’t owe, see medical collection notices on their credit report that they don’t recognize, be told by their health plan that they’ve reached their limit on benefits, or be denied insurance because their medical records show a condition they don’t have.
  • What should health care providers and insurers do if they learn that a patient may be the victim of medical identity theft?  They should conduct an investigation, understand their obligations under the Fair Credit Reporting Act, review their data security practices, and provide any necessary notifications that a data breach has occurred.
  • What should health care providers and insurers tell a patient who is the victim of medical identity theft?  They should:
    • advise victims to take advantage of their rights under the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule.
    •  encourage victims or potential victims to notify their health plans.
    • tell victims to file a complaint with the FTC at or by phone at 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261; and to check out the information at
    • encourage victims to file a report with local police, and send copies of the report to their health plan’s fraud department, their health care provider(s), and the three nationwide credit reporting companies – Equifax, Experian, and TransUnion.  Information on how to file a police report and reach the credit reporting companies is at
    • encourage patients to look for signs of other misuses of their personal information by reviewing their credit reports.  The law requires each of three major nationwide credit reporting companies to give people a free copy of their credit report each year if they ask for it at or 1-877-322-8228.  If they find inaccurate or fraudulent information, they can visit to learn how to get it corrected or removed.
    • via

Posted on February 21, 2011 at 10:31 AM | Permalink

» Students' Personal Data Posted Online

Team 5 Investigates has learned that the personal information of as many as 1,300 current and former students at the Wentworth Institute of Technology was inadvertently put online.

School officials notified all affected students of the data breach, which was reported to WIT on Dec. 22.

The letter said that an "electronic file was accessible on the Institute's website that contained personal information for a group of current and former students, including full name, social security number, and date of birth. The file also included information such as allergies, medications, medical conditions and disabilities."


Posted on February 21, 2011 at 10:29 AM | Permalink

» Univ. of Iowa Hospital discloses potential data breach

The University of Iowa Hospitals has disclosed a potential data breach involving the EMRs of several University of Iowa football players. The University of Iowa Hospitals issued a statement on Jan. 28.

"Officials at University of Iowa [UI] Hospitals and Clinics in Iowa City [are] conducting an investigation after a proactive screening of the electronic medical records of 13 University of Iowa football players indicated that some of those records may have been accessed inappropriately,” according to the statement.


Posted on February 21, 2011 at 10:29 AM | Permalink

» Breach Hits 2,400 MediCal Beneficiaries

The San Francisco Human Services Agency has notified approximately 2,400 MediCal beneficiaries and the federal government about a breach of protected health information, including Social Security numbers.


Posted on February 21, 2011 at 10:26 AM | Permalink

» Viruses on smartphones: security's new frontier

Mobile phones are the new frontier for cyber criminals, according to the latest research from McAfee. That may sound like a scary headline, but as phones have become more sophisticated, so this new development became inevitable.

Traditionally, cyber criminals have concentrated on the biggest targets, too: so for computers Microsoft has always attracted far more attention than Apple, and on mobile phones Nokia’s Symbian OS was hacked most often. Now as Android has finally begun to take Symbian’s place and the iPhone’s dominance is well established, that operating system too is being examined more closely.


Posted on February 21, 2011 at 10:24 AM | Permalink

» ID Fraud: New Accounts Most at Risk

The latest consumer fraud trends suggest that financial institutions must provide increasing leadership in the fight against identity-related fraud.

According to new findings from Javelin Strategy & Research, consumers and law enforcement alike now turn to banks and credit unions for more sophisticated detection and prevention when it comes to the misuse of stolen identities to open new accounts.

In its annual Identity Fraud Survey report, Javelin finds that losses from new account fraud far exceed those associated with other types of ID fraud. Moreover, new account fraud is harder to detect.

"I think the weight of solving the problem will ultimately fall on the banks, because the criminals go where the money is. Criminals don't make money in identity fraud unless they turn it into cash," says James Van Dyke, president and founder of Javelin. "That's why it's important for banks to keep up-to-date on all of the types of fraud that are out there."


Posted on February 21, 2011 at 10:24 AM | Permalink

» Reading the Junk Mail Could Prevent Credit Card Fraud

Don’t throw out that junk mail after your daily trip to the mailbox – a quick check could reveal an identity theft crime committed against you.

One way thieves can hit you is by using credit card confirmations with your card number – but somebody else’s name. ID criminals are counting on the fact that you won’t check your junk mail, which is exactly why you should take a closer look.

One Texas man almost learned that lesson the hard way. Don Sickel, a resident of Grayson County, Tex., told KTEN News recently that he was about to throw away his junk mail when he had second thoughts. Opening his mail, Sickel noticed that a credit card had been opened in another person’s name – but with his credit card number.


Posted on February 2, 2011 at 09:31 AM | Permalink

» VA employees go dumpster diving to protect sensitive data

The Veterans Administration will go to extreme lengths to protect patient data, including dumpster diving, Chief Information Officer Roger Baker said in his regular press call on the VA data breach reports sent monthly with Congress

VA tracks patient food trays in its hospitals with meal tickets that include the name and last four digits of the patient's Social Security number, along with dietary information. Department policy calls for shredding the tickets when trays are returned to the kitchen, Baker said.

But the December 2010 data breach report showed that the Tuscaloosa, Ala., VA Medical Center did not follow this policy when its kitchen shredder broke down, Baker said.


Posted on February 2, 2011 at 09:29 AM | Permalink

» NC says disks containing personal information are missing

Computer disks belonging to the state Division of Services for the Deaf and Hard of Hearing may have been accidentally discarded, and state officials are warning clients that the missing disks may include some of their personal information.

The state Department of Health and Human Services is sending letters to people who applied for services from the Equipment Distribution Service from January 2005 through December 2008.

The disks were likely taken to a landfill during a recent office renovation, state officials say.


Posted on February 2, 2011 at 09:27 AM | Permalink

» Criminals Working for Debt Collectors May Be Stealing Your Identity

It is bad enough that many times consumers are illegal threatened and harassed by ruthless debt collectors. It appears that many debt collection companies do not perform criminal background checks on call center employees. Many of these employees have criminal records.

Even worse is the fact that many states do not require licensing or at the least background checks for debt collection employees. These collectors have open access to a consumers credit reports, bank account information and possibly other credit card information.

The state of Minnesota is one of the few states that do require criminal background checks on the collectors they employ. In the past they found that one in twelve collection employees had a criminal record, including: identity theft, rape, check forgery, and assault (source Star Tribune)

The state of Minnesota has put eight large collection companies on notice and is considering pulling their collection licenses because they have consistently failed to perform criminal background checks on employees.

The companies are Allied Interstate Inc, AllianceOne Receivables Management Inc, Bureau of Collection Recovery, I.C. System Inc, Financial Recovery Services Inc., NCO Financial Systems Inc, Receivables Management Solutions Inc, and Van Ru Credit Corp.



Posted on February 2, 2011 at 09:24 AM | Permalink

» Univ. of Iowa Hospital discloses potential data breach

The University of Iowa Hospitals has disclosed a potential data breach involving the EMRs of several University of Iowa football players. The University of Iowa Hospitals issued a statement on Jan. 28.

"Officials at University of Iowa [UI] Hospitals and Clinics in Iowa City [are] conducting an investigation after a proactive screening of the electronic medical records of 13 University of Iowa football players indicated that some of those records may have been accessed inappropriately,” according to the statement.

UI Hospitals and Clinics routinely screens for possible privacy violations to protect the confidentiality of all patients, including those with high public profiles, the statement read.


Posted on February 2, 2011 at 09:24 AM | Permalink

» ID theft ring targets Apple stores

NEW YORK -- Dozens of people have been charged in New York with forming an identity theft ring that used stolen credit card numbers to shop at Apple stores around the country.

A court document says the group used stolen account numbers to forge credit cards, then used the cards at Apple stores from New York to Wauwatosa, Wis. At least eight defendants were arraigned Tuesday.


Posted on February 2, 2011 at 09:23 AM | Permalink

» Facebook cyber attacks on social networking sites doubled in 2010

The attacks by spam, phishing and malware upon social-networking sites last year were twice the amount of attacks from 2009, as mentioned in the latest review on cyber threats.

The concerned report, the Sophos' Security Threat Report 2011 got released yesterday, and it has an explanation on about the swiftly rising number of social-networking sites, the most significant of which is, not surprisingly, Facebook, that have turned into the sitting targets of the cyber attackers.

When the users of the various social-networking sites were asked by Sophos if they had got any spam or phishing e-mails or any kind of malware attack in December last year, around 67% of the people complained of having received spam. This is a rise from the previous figure of 33.4% of April 2009.

Meanwhile 43% of the people reported phishing messages, which is a rise from the 21% of the previous year. And 40% of the people complained of having malware attacks which increased from 21.2% from the 2009.

Once a hacker breaks into someone's account, there's a whole treasury of personal information from friends to relation laid before him. Then he can use that personal information by selling it to advertisers or commit various criminal acts such as identity theft.


Posted on January 28, 2011 at 09:08 AM | Permalink

» Identity Theft: Thieves use unsecured wireless networks

SPRINGFIELD, Mo. -- A crime that you may have thought was a big-city problem is now in the Ozarks.  The Springfield Police Department says it's been inundated with cases of identity theft involving wireless networks.  Police say there's a simple way to protect yourself.

Most cases of identity theft may involve someone overseas stealing your information but it's also happening right here -- possibly in your front yard. 

"The bad guys are getting to your information because it's not locked down," said Springfield Police Dept. spokesman Cpl. Matt Brown.

If you have wireless internet, you could be at risk.  Criminals just drive down the street looking for unsecured wireless hotspots -- that is, Wi-Fi network signals with no password protection. 

"They're able to quickly within seconds get into system and start doing whatever they want to do," said Brown.

In fact, within minutes, a reporter was able to find dozens of unprotected Wi-Fi networks in one neighborhood.

There have even been cases locally of innocent people getting arrested for crimes as serious as child pornography. 

"We're seeing a pretty good spike where innocent citizens are having computer systems taken over by offenders searching child porn or stealing their identities," said Brown.

Here's the problem.  In the case of internet crimes such as child pornography, police may follow an IP address to your computer, so it looks like you're the one who committed a crime.  It could be someone in front of your house, using your internet access, and stealing your identity. 


Posted on January 28, 2011 at 09:07 AM | Permalink

» Bill Would Make Certain ID Theft Cases Easier To Prove - Colorado

A recent controversial decision by the Colorado Supreme Court has prompted newly elected state Rep. Mark Barker, R-Colorado Springs, to file HB11-1049, titled “Use of Personal Info to Defraud.” The bill was filed Jan. 12, and its intent is to clarify the statutory language involving identity theft following the recent high court decision involving Felix Montes-Rodriguez.

Montes-Rodriguez was convicted of criminal impersonation based on his use of a false social security number on an application for an automobile loan, and he admitted to using the false social security number. However, he contested the charge. He argued that he did not assume a false identity or capacity under the statute because he applied for the loan using his proper name, birth date, address, and other identifying information.


Posted on January 28, 2011 at 08:12 AM | Permalink

» Colorado dials up ID theft hotline

Increase in complaints prompted service, says Bureau of Investigation

Identity theft and fraud victims in Colorado can get help from a new 24-hour hotline at the Colorado Bureau of Investigation.

The state has been among the top 10 in the nation for identity-theft complaints in the past several years, and Fort Collins residents have increasingly fallen victim to Internet-based fraud.

“We’re seeing a tremendous increase,” said Sgt. Don Whitson with Fort Collins Police Services. “Just about every day, we find a different thing people tell us about how they got ripped off.”

Finances for the CBI hotline, as well as a victim’s advocate for such crimes, are provided through federal grants to the Colorado Division of Criminal Justice. It serves English- and Spanish-speaking callers.

CBI agent Ralph Gagliardi said the hotline offers advice for people seeking to protect themselves as well as those who suspect they’ve been victimized.

He declined to comment on whether the statewide numbers appear to be increasing, but he said perpetrators’ locations “run the gamut” from within Colorado to across the country and planet.

“Right now, the big things are the scams over the phones or Internet that the bad guys solicit or fish for the person’s name, Social Security number or date of birth, representing themselves as a bank or as the Census Bureau,”Gagliardi said.

People might not know their information has been stolen until they go to apply for credit or receive a bill for services they didn’t receive, he said.

The latest available data from the Federal Trade Commission indicates there were 4,775 complaints of identity theft in Colorado in 2009, with the ninth-highest rate in the country at 95 per 100,000 people.

Florida ranked No. 1, with 22,664 complaints at a rate of 122.3 per 100,000 people, according to the FTC website.

The CBI investigates and assists with investigations of large-ring operations and those crossing state lines, but ID theft and fraud cases typically are investigated by local agencies.

Whitson said such crimes are “under-reported, under-investigated and certainly under-prosecuted,” and the only way to decrease the frequency of such offenses is to increase punishment.

The effects of the crime are long term, Whitson said.

“You get punched in the head and it hurts and you go on,” he said, adding that having one’s “retirement liquidated” creates a lasting impact.

Fort Collins police have three detectives, a civilian and a sergeant handling financial crimes, and another detective is to be added in the next couple years through a tax initiative, Whitson said.

“We have all our resources maxed out, currently,” he said.

Whitson said even websites that appear legitimate — complete with the secure site icon on the user’s browser — can be fraudulent.

“You should never send anything over the Internet that you’re not willing to give up to some criminal,” he said. “There are a lot of g


Posted on January 28, 2011 at 08:10 AM | Permalink

» Error sends University of Missouri insurance mail to wrong addresses

COLUMBIA, MO -- Hundreds of participants of University of Missouri’s health insurance program are being told to be on the look-out for insurance fraud after several hundred insurance communications were mailed to the wrong person. Health benefit statements, health services letters and new ID cards were among the correspondence mailed to incorrect addresses between January 6th and 10th of this year. The mailings included personal information, including, names, member numbers and birth dates. However, the University said social security numbers were not included in the mailings. The University tells KRCG the error affected about 750 employees with about an equal number of pieces of mail. University of Missouri system officials blames the problem on Coventry Health Care, which administers the university’s insurance plans. Coventry said a computer malfunction aligned names with the wrong addresses. The incorrect mailings could put those affected in danger of medical identity theft, when a person uses another person’s insurance card to receive medical services. The World Privacy Forum says it has been trying to raise awareness about medical ID theft for years now.   The organization says there is no national standard for dealing with medical identity theft and that it is hard to fix once the damage is done. One concerning outcome of the crime is the altering of one’s medical history. "There are people we've talked with who, their imposter went in and had a hospital stay and put down that they were allergic to one drug, and then the real person is not allergic to that drug, but they're allergic to other drugs,” said Pat Dixon, the executive director of the World Privacy Forum in an interview with NPR. Kelly Stuck, who oversees faculty and staff benefits with MU, tell KRCG she believes the threat of medical identity theft is diminished because the incorrect mailings were only sent to other MU employees. University of Missouri said it immediately contacted Coventry on Jan. 14th after an employee alerted officials to getting correspondence intended for someone else. The university reports that it wasn’t until Jan. 20th that Coventry provided them with an explanation of what went wrong. Coventry said it implemented new safeguards to prevent a similar type of error from happening in the future. On Jan. 21st, MU mailed out its own letters to employees affected by the mailing error. The letter tells those affected to ask their health providers to confirm the identity of anyone trying to get medical services using their insurance cards. The letter also instructs to carefully review their Coventry correspondence to look out for any unauthorized insurance claims. At this point, Coventry is not reissuing ID numbers to those affected by the error because the Coventry ID number is a variation of the university-issued identification number, according to Stuck, who said that the University will closely monitor those ID numbers. In a press release, MU said that it has asked Coventry to take steps to recover the misdirected mail. 


Posted on January 28, 2011 at 08:08 AM | Permalink

» Facebook suspends developer access to users' phone numbers and addresses

It's the flip-side of enjoying instant communication with your friends.

Facebook has courted a fresh privacy row after allowing developers of apps access to sensitive information including telephone numbers and addresses.

The social networking site announced the change on its blog last Friday, saying: 'We are now making a user's address and mobile phone number accessible.'

Internet security analysts and privacy experts immediately advised people to remove their phone numbers and addresses from the site.


Posted on January 19, 2011 at 08:26 AM | Permalink

» IRS warns of agency impersonators

With tax season roughly three months away, the IRS is stepping up its awareness campaign in order to highlight common tax scams that occur during the season.

This week, IRS officials warned taxpayers to look out for con artists that use the agency's name in order to steal from others.

The government tax collection agency says these schemes are quite common in the months before tax day, and that anyone who receives unsolicited e-mails or phone calls on tax issues should ignore them, The Montrose Daily Press reports. These scams often target the financial and personal information of individuals, only to turn around and use this information to commit identity theft and other crimes.

The agency told consumers it does not use e-mails to communicate with taxpayers, and that those who receive emails from the IRS or the Treasury Department threatening action should disregard the messages, the news source says. In addition, taxpayers should be weary of following any links, as they could lead to websites that contain malware, which could potentially harm their computer.

The IRS says if any taxpayers experience a suspicious e-mail or phone call, they should call the Federal Trade Commission and report the scam.


Posted on January 19, 2011 at 08:21 AM | Permalink

» Hospital Security Breach Puts Patients' Records At Risk - Indiana News Story

A security breach at St. Vincent Indianapolis Hospital may have put the records of 1,800 patients at risk.Hospital officials said they learned in November that certain associate e-mail accounts were breached, which may have allowed patient names, dates of service and certain clinical information to be accessed.Those patients were sent a letter from hospital officials informing them of actions by a third party to inappropriately obtain e-mail log-ins.


Posted on January 19, 2011 at 08:21 AM | Permalink