Saturday, March 29, 2008

Lifelock is getting sued, again!

Lifelock -- the identity theft service founded on an identity theft tale that was later deemed not to be very credible -- is now facing another lawsuit. This one, of the class action variety, alleges that their advertising is misleading and that they don't necessarily protect a person from all the different varieties of identity theft.

From the press release on the Hagens Berman LLC site:

Today an Arizona consumer filed a proposed class-action lawsuit against LifeLock, a heavily promoted company that claims to protect consumers against identity theft. The lawsuit alleges that the three-year-old company defrauds customers by offering services it cannot legally perform, and by touting a $1 million guarantee that the suit alleges is wildly misleading.

The suit also alleges that Lifelock doesn't protect a person from all the forms of identity theft, citing a case in which Lifelock's flamboyant CEO, Todd Davis, who plasters his Social Security number everywhere as a marketing tool, had his own identity stolen.

The press release didn't mention that the case was dropped after Davis employed a PI, along with a film crew, to obtain a confession from the identity thief. Reportedly, the case was dropped because of a legal term called "coercion."

One point of contention in the lawsuit is that the $1 million guarantee Lifelock promises is deceptive and laden with fine print:

Its advertisements prominently feature a supposed $1 million guarantee. In one commercial, Todd Davis, a founder and CEO of LifeLock, announces to a crowd of individuals, "If anything happens for any reason while you're a client of LifeLock, we will cover all losses and all expenses up to one million dollars." On its Web site, LifeLock makes similar statements, claiming that it will "do whatever it takes" to restore a member's good name.

According to the complaint, the fine print says otherwise: LifeLock will not pay any losses directly to the consumer and does not cover consequential or incidental damages to identity theft. The guarantee is limited to fixing failures or defects in the LifeLock services and paying other professionals to attempt to restore losses.

In the first paragraph of this post, I mentioned that Lifelock is getting sued again. Recently, one of the big three credit bureaus (Experian) filed a lawsuit for the costs of placing and replacing alerts on people's credit files.

In this post, I covered the fact that the credit bureaus are also in the identity theft protection business and that other companies (Debix, TrustedID) offer essentially the same service that Lifelock does.

This brings about speculation that both of these actions against Lifelock have the potential to set legal precedents and might bring about additional actions in the future. There has also been speculation that there is a "turf war" going on between Lifelock and the big three credit bureaus.

There is no guarantee what will become of all of this. The sad fact is that identity theft is a growing problem. Because of this, there are a lot of people getting involved in the identity theft protection business. The last time I checked, the industry was showing double-digit growth. This alone is quite remarkable considering the current state of the economy.

Given the fact that this is an "unregulated" industry involved in assisting victims of crime, everyone involved in it needs to take a hard look at the product they are offering to ensure it passes the "smell" test.

If they fail to do so, they will probably subject themselves to bad press, litigation and potentially government intervention (regulation).

They need to remember that identity theft victims are people, who fell victim to a crime that happened because their information was stored in too many places and WAS NOT protected properly. Of course, saying that, the people buying and selling information make a lot of money from doing it, also.

The sad truth is everyone is making money from this except the identity theft victim.

The post I did on the first Lifelock lawsuit contains links to free resources to protect yourself and recover from identity theft. It also highlights a few of the organizations that are actively trying to do something about the overall problem identity theft has become, without making a profit off it.

That post can be seen here.

How did hackers plant malware at Hannaford Bros. and steal 4.2 million payment card numbers?

Hannaford Brothers, the latest retailer to be compromised in a large-scale data breach, is reporting that hackers using malware breached their systems.

The next million dollar question (literally) is how the malware (sometimes referred to as crimeware) was dropped on their system. A lot of people are looking at this carefully because the company had been certified as meeting PCI (Payment Card Industry) data protection standards.

Ross Kerber at the Boston Globe, who gets the hat tip for breaking this latest development in the story, wrote:

Data security specialists say the new details show how hackers have grown more adept at penetrating weak links in the systems that connect merchants and banks. In previous breaches, such as the record-setting intrusion at TJX Cos. of Framingham, where as many as 100 million card numbers were compromised, hackers took advantage of merchants who stored customer names and card data - sometimes in violation of payment industry standards - at central locations in their computer networks.

In contrast, Hannaford says it did not store customer information. The hackers who struck Hannaford mined a stream of data that the merchant and banks were not responsible for protecting under industry rules, industry specialists said.

Because hackers, criminals and misfits rarely give up the details of their latest hacks, we'll have to be content with speculation from the experts.

Jaikumar Vijayan at ComputerWorld was able to get some expert speculation from "Mike Paquette, chief strategy officer at Top Layer Networks, a vendor of intrusion-prevention systems in Westboro, Mass." Bill Brenner at SearchSecurity.com wrote about increasing speculation that a dishonest insider planted the malware on Hannaford's network.

The insider theory intrigues me because it seems that most security breaches can be traced to a social cause. A dishonest human who has been given access to a system can defeat a lot (if not most) of computer security.

To dig further into all the speculation that has come about from the Hannaford announcement, I decided to see what the blogosphere had to say.

Securosis.com gives a lot of interesting perspective in their post, Picking Apart The Hannaford Breach - What Might Have Happened.

The post points out some interesting thoughts, such as that credit card numbers are useless without names (Hannaford claims no names or Social Security numbers were stolen) and that the breach was most likely discovered at financial institutions when customers complained about fraudulent transactions on their cards.

rmogull summed up his "admitted" speculation with:

In conclusion, it looks like some sort of a network breach (which could be anything from phishing/malware to compromise from a retail location to a full network hack). A sniffer was possibly installed, since it seems they don’t keep credit card information (again, assuming statements are true). The fraud was detected by the banks or credit card companies, then it took a little under two weeks to contain. Not great, and indicative of either a little sophistication on the attacker’s part, or a lack of sophistication on Hannaford’s part.

There are also some interesting comments with more speculation at the bottom of the post. From what I can gather, a lot of IT types read this blog.

In the end, as long as there is lack of transparency in data breaches, the best anyone can do is speculate. The reasons for a lack of transparency in data breaches are a mile long, encompassing everything from protecting ongoing investigative efforts to avoiding the financial pitfalls of all the litigation that arises after a data breach.

Of course, in simpler terms, it might also mean that no one is really sure.

Given that, I wonder if anyone can really be sure that their personal information is safe. Your guess is probably as good as mine!

Previous posts on this blog about the Hannaford Data Breach:

Security vendor removes Hannaford as a client on their site after data breach is revealed!

Hannaford Brothers data breach might reveal current security standards are outdated