Showing posts with label data security. Show all posts

Sunday, June 08, 2008

Large scale data theft of U.S. information uncovered in India

Stealing personal and financial information in large quantities isn't just a problem in North America and the European Union. As more IT functions are outsourced to a variety of countries, this information might be getting compromised from just about anywhere.

Recently, it was disclosed in the Indian press that a large amount of data was stolen by an Indian BPO from a company in the United States. It's amazing this story didn't get very much coverage in the West, despite the fact that the data was stolen from a company called Noble Ventures, which is based in Florida. As a slight disclaimer, ComputerWorld (Norway) and CIO (Australia) did cover the story, but I was unable to find anything about it in the American press.

I suppose in this instance we will have to rely on the Indian media to provide some transparency to this event. Parth Shastri at TNN reports:

It could well be one of the biggest data thefts in the country. An Ahmedabad-based BPO owner, Maulik Dave, has been accused of data theft from a Florida-based company and selling them to its rival companies in the US.

Dave stole data worth Rs 1 crore (ten million) from the company. With the help of his accomplice based in the US, Milan Dabhi, he sold the data to competitors of the company in the US.

Apparently this occurred after Dave got his contract cancelled with Noble Ventures Inc., who "provides customer database of 1.25 crore (ten million) US citizens to various marketing companies in the US and also has a client-base in other international markets," according to the TNN article.

Of even greater concern to me was the deduction (my speculation) that Dave still had insider access to their systems after his contract was cancelled. From the article, it is unclear whether this was because the access was never removed, or whether he got it from another Noble Ventures employee, Milan Dabhi, who is based in the U.S. and is allegedly Dave's accomplice.

In another article, published by the IT Examiner in India, a person claiming to be a spokesman for Noble Ventures, Sunny Vaghela, with credentials as a cyber crime expert, claimed that the information was stolen but never sold. The rationale for this was that Noble Ventures reported the theft to Indian authorities and a sting (?) was conducted.

From the IT examiner article:

He further added, claiming the theft report of 12.5 million Americans' personal and professional records to be untrue, as he assumed some kind of miscommunication between the reporters and the police.

While I hope this is true, the logic in this is flawed (my opinion) because the information was stolen by someone who had inside access prior to the discovery that the data was being compromised. How can it be determined that it was never sold to anyone else? Information is bought and sold in a lot of places, including underground Internet forums set up for illicit purposes. Additionally, no matter where it might have been sold, it is unlikely that anyone who bought it illegally is going to stand up and be counted in this affair.

I went to the Noble Ventures site and they offer a lot of information for a price. Targeted data on executives, "heroes" (police and firemen), veterans and a slew of other marketing segments can be obtained. They even sell e-mail lists.

While I couldn't determine if this information was enough to open a line of credit, it could certainly be used to mount telemarketing scams, spam campaigns and even whaling (phishing) expeditions like the recent one we've seen targeting executives in the United States. VeriSign just reported that 15,000 white collar types were speared in that expedition.

Please note that even though I am assuming no financial or SSN information was compromised, if a dose of social engineering, phishing or malicious software is added to the equation, getting the rest of the information needed to commit identity theft would probably be fairly easy.

Incidents such as this continue to point to the fact that there is too much information being stored in too many poorly protected places. In fact, this incident might point to the fact that the problem is getting worse.

We also need to remember that this information came from a U.S. company, and although I don't know where the server was physically located, it didn't have to be located in India for this to have occurred.

Information like this is protected by the FTC's Telemarketing Sales Rule.

Violations in the United States of this rule can be reported, here.

TNN story from India can be seen in full, here.

ComputerWorld, Norway story about this, here.

CIO Australia story, here.

Saturday, February 16, 2008

The $54 million lost laptop law suit

Found this story on SANS NewsBites. Apparently, a former Best Buy customer is suing Best Buy after they lost her laptop and allegedly tried to cover up the matter.

After going to a link on InformationWeek, I discovered that the plaintiff in question, Raelyn Campbell, started a blog to chronicle her battle with the retailer.

The blog states Raelyn's intention in her own words:

I have filed a lawsuit against Best Buy and launched this blog in an effort to bring attention to the reprehensible state of consumer property and privacy protection practices at America's largest consumer electronics retailer, with the hope that it might motivate Best Buy to effect changes and spare future consumers the experience I have been subjected to -- or worse.

Whether due to what seems to be a plague of bad customer service, inept employees or a combination of both, Raelyn charges that:

Her laptop went missing and the Geek Squad initially couldn't find it in their computer system.

Later on, a computer entry mysteriously appeared, which leads to speculation that the Geeks were covering their tracks.

She tried to settle for $5,000.00, but was continuously low-balled by Best Buy.

After she filed a lawsuit, Best Buy offered $2,500.00.

Raelyn declined this offer because (in her own words):

I advised Best Buy's lawyer that I would drop the suit if Best Buy would provide compensation for my expenses and time and address the shortcomings in its property and privacy protection practices.

Additionally, Raelyn is charging that Best Buy broke D.C. law by not notifying her immediately that she could become an identity theft victim.

Her blog has a lot of links to other allegations of employee abuse at Best Buy, which can be seen, here.

Of note, this episode -- no matter whether you think a $54 million lawsuit is called for or not -- brings up the very real problem of all the portable data we carry being exposed when we drop it off somewhere for repairs.

It's a long shot that a responsible business would knowingly employ personnel who steal, but dishonest employees are a reality in today's world. Since information isn't inventoried and can be copied, protecting it is a little more difficult than protecting other assets such as money or merchandise. In fact, most of the time when information is stolen, probably no one ever notices it is missing (my opinion).

Since information is worth a lot of money, this poses a problem.

This leaves a lot of things to consider and my guess is that protecting information is going to be a hot subject for a long time to come.

There are a slew of comments on the blog, both bashing and praising Raelyn for this action. Please note that on Blogspot, Raelyn can moderate the comments, so she is being transparent by publishing them all.

To end this post, I will refer to (what I consider) some sage advice and commentary from three SANS NewsBites editors:

[Editor's Note (Pescatore): I was thinking of suing my employer for about that much for forcing me to carry a laptop all the time. This does point out an issue where some companies have allowed employees to do business on personal laptops that get repaired at places that don't protect them very well, and then the business information ends up on eBay and thousands of customers have to get notified, etc. etc.

(Cole): This will continue to happen; so two key takeaways. One, use folder-level encryption with a strong passphrase so repair people will not have access to your data. Full disk encryption will not work, since the techs need to log into the system. Second, back up all of your critical data on a removable drive.

(Schultz): It is easy to predict that lawsuits of this kind are going to proliferate in the future. Many organizations have been downright irresponsible in handling personal and financial information, let alone others' computers. The threat of a lawsuit is likely to force such organizations to radically tighten their procedures for handling such information and computing equipment.]

If you are interested in reading more from the SANS people, I've provided a link to their SANS NewsBites page, here.

Saturday, December 08, 2007

FTC tutorial on how to protect sensitive business information

The FTC has released a training tool designed to help businesses protect sensitive information, which might be stolen to commit identity theft or fraud.

After taking a look at it, I found it to be a simple, straightforward and effective way for a business to evaluate how well it is protecting information.

From the FTC release on this new tool:

Protecting the personal information of customers, clients, and employees is good business. The Federal Trade Commission has a new online tutorial to alert businesses and other organizations to practical and low- or no-cost ways to keep data secure.

The tutorial, “Protecting Personal Information: A Guide for Business,” at www.ftc.gov/infosecurity, takes a plain-language, interactive approach to the security of sensitive information. Although the specifics depend on the type of company and the kind of information it keeps, the basic principles are the same: any business or office that keeps personal information needs to take stock, scale down, lock it, pitch it, and plan ahead. The tutorial explains each of these principles, and includes checklists of steps to take to improve data security.

The tutorial supplements brochures, slide presentations, and articles on information security already on the Web site and available from the FTC for free. The agency is encouraging businesses and other organizations to share this important information with employees who handle personal information such as Social Security numbers, credit card numbers, financial account numbers, and other sensitive personal information.

Interestingly enough, I just did a post on a new report released by the IT Compliance Policy Group. Their finding was that the organizations that suffer the fewest incidents of information theft have a few things in common: they keep their programs simple, and they pick out the most critical items with a focus on risk. The organizations with the fewest incidents of data theft also inspect these critical items more frequently.

The FTC tutorial gives some great guidance on how to identify the most critical, risk-focused items in an organization.

Common sense is often the best way to approach ensuring competent security.

Materials can be ordered for presentation purposes by following the link listed in the press release.

FTC press release, here.

A video presentation of this information can be seen, here.