The Associated Press reported on Friday that the old-time retailer Montgomery Ward is the latest victim of a data breach, in which at least 51,000 records were compromised. The unfortunate problem now is that the company failed to notify the victims, which is required by law in 44 states.
Since Montgomery Ward declared bankruptcy in 2001, this announcement might sound confusing, but the brand was resurrected in 2004 under the name Direct Marketing Services Incorporated. Direct Marketing Services sells merchandise online under the names Wards.com, SearsHomeCenter.com, SearsShowplace.com, SearsRoomforKids.com (and two more).
Allegedly, the hackers gained access by going through another Direct Marketing Services site, HomeVisions.com.
When the company discovered the hack in December, it did notify its payment processor, Visa and MasterCard, but it failed to notify any individual customers. Of course, it now plans to do so after being asked about it by the Associated Press.
The hat tip in this instance goes to CardCops, a group of cyber sleuths who track stolen payment card data in underground carder forums on behalf of financial institutions. CardCops spotted a batch of 200,000 card numbers for sale (including CVC data) in one of the forums (chat rooms) they were monitoring. After tracing some of these cards to their owners, they discovered that the cards had one thing in common: Wards.
At this point, it is unclear whether the official estimate of 51,000 compromised records is correct, or whether the hackers misrepresented the number of cards available in their underground forum.
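The tracing CardCops did is what issuers call common-point-of-purchase (CPP) analysis: take the cards seen for sale, pull each card's transaction history, and find the merchant they share. The script below is an added example of that analysis, not CardCops' tooling or anything from the original post. It assumes the analyst holds transaction histories for the cards (an issuer does; a blogger does not), and the portfolio, the dump, and every merchant name other than Wards.com and HomeVisions.com are constructed for illustration. The masked "card numbers" are labels, not real PANs.

```python
"""Common-point-of-purchase (CPP) analysis on constructed data.

Added example, not CardCops' or any card brand's tooling. Given card
numbers recovered from a carder forum and the transaction history of each
card (held by the issuer), rank the merchants the compromised cards have in
common, then check how much of the dump the top merchant actually explains.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed issuer portfolio: masked card -> merchants seen in the look-back window.
# Merchant names other than Wards.com and HomeVisions.com are placeholders.
PORTFOLIO: Dict[str, List[str]] = {
    "411111******0001": ["Wards.com", "grocer-A"],
    "411111******0002": ["Wards.com", "gas-B", "cafe-C"],
    "411111******0003": ["HomeVisions.com", "Wards.com"],
    "411111******0004": ["Wards.com", "grocer-A"],
    "411111******0005": ["grocer-A", "gas-B"],
    "411111******0006": ["grocer-A", "cafe-C"],
    "411111******0007": ["gas-B"],
    "411111******0008": ["grocer-A", "gas-B", "cafe-C"],
    "411111******0009": ["Wards.com", "cafe-C"],
    "411111******0010": ["grocer-A"],
}

# Constructed dump: cards spotted for sale. The last one belongs to another issuer.
DUMP_CARDS: List[str] = [
    "411111******0001", "411111******0002", "411111******0003",
    "411111******0004", "411111******0005", "555555******0099",
]


def merchant_share(cards: Iterable[str], portfolio: Dict[str, List[str]]) -> Dict[str, float]:
    """Fraction of the given cards (those we hold history for) seen at each merchant."""
    counts: Counter = Counter()
    n = 0
    for card in cards:
        history = portfolio.get(card)
        if history is None:
            continue  # not our card: no history, so it cannot vote
        n += 1
        for merchant in set(history):
            counts[merchant] += 1
    return {m: c / n for m, c in counts.items()} if n else {}


def common_points(dump_cards: Iterable[str], portfolio: Dict[str, List[str]],
                  min_share: float = 0.5) -> List[Tuple[str, float, float]]:
    """Rank merchants by share among dumped cards, with lift over the whole portfolio.

    A ubiquitous merchant (everyone buys groceries) scores high on share but
    has a lift near 1.0; the compromised merchant scores high on both.
    """
    dump_share = merchant_share(dump_cards, portfolio)
    base_share = merchant_share(portfolio.keys(), portfolio)
    ranked = []
    for merchant, share in dump_share.items():
        if share < min_share:
            continue
        lift = share / base_share[merchant]
        ranked.append((merchant, round(share, 3), round(lift, 2)))
    ranked.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return ranked


def attribution(dump_cards: List[str], portfolio: Dict[str, List[str]],
                merchant: str) -> Dict[str, int]:
    """How much of the dump the suspected merchant actually explains."""
    ours = [c for c in dump_cards if c in portfolio]
    seen = [c for c in ours if merchant in portfolio[c]]
    return {
        "dump_size": len(dump_cards),
        "in_portfolio": len(ours),
        "seen_at_merchant": len(seen),
        "unexplained": len(ours) - len(seen),
    }


if __name__ == "__main__":
    for merchant, share, lift in common_points(DUMP_CARDS, PORTFOLIO):
        print(f"{merchant:18s} share={share:.2f} lift={lift:.2f}")
    print(attribution(DUMP_CARDS, PORTFOLIO, "Wards.com"))
```

On the constructed data Wards.com tops the ranking with a share of 0.8 and a lift of 1.6, while the grocer matches 60 percent of the dumped cards but with a lift of 1.0, which is exactly the "everyone shops there" noise CPP has to discount. The attribution count is the practical answer to the 51,000-versus-200,000 question: cards in the dump that never touched the suspected merchant, and cards from other issuers, are either a second breach or the seller padding the batch.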
When asked for comment, Visa declined, MasterCard stated it had warned the issuing banks to watch for suspicious activity, and Discover stated it had issued new cards.
Wards is not alone in failing to notify its customers, or the public, promptly when a data breach occurs. I recently lamented about this in a post suggesting we are a long way from full disclosure in data breaches.
Even setting aside the known data breaches, there are many that are never discovered. Besides that, information is stolen all the time on a smaller scale by dishonest employees, by phishing and (despite all the shredders) from the trash.
The sad truth is that, from the criminal's perspective, stolen information that hasn't been detected is worth more than information that is known to be "hot."
If you would like to see more information on known data breaches, the DLDOS database at Attrition.org is a good resource. PogoWasRight is another place that covers the privacy concerns arising from this problem, which faces us all.
Sunday, June 29, 2008
Tuesday, August 21, 2007
The sad state of affairs in the information (identity) theft crisis
It shouldn't surprise anyone that data breaches are more prevalent than ever, or that identity theft is up fifty percent since 2003.
Robert L. Scheier (courtesy of InfoWorld) wrote an article about this that is getting a lot of play in the press:
Today's electronic world is a risky place for your personal data -- and it's not getting any safer. More than 158 million data records of U.S. residents have been exposed as a result of security breaches since January 2005, according to The Privacy Rights Clearing House, a nonprofit consumer rights organization.
As fast as banks, merchants and consumers add new layers of security to their storage systems and network, say security analysts, new technologies -- or simply careless users -- create new security holes that aggressive and sophisticated identity thieves eagerly exploit. The result, says Avivah Litan, a vice president and distinguished analyst at Gartner Inc., is that "things will get worse before they get better."
Whether information is stolen by phishing, pharming, hacking, insider theft or common dumpster diving, the problem seems to be growing by leaps and bounds.
An interesting aspect, which I've covered in previous posts, is that criminals seem to be using technology as a marketing tool, just like their counterparts in more legitimate businesses:
Criminals are also getting smarter. Larry Ponemon, chairman and founder of Ponemon Institute, which conducts research on privacy and security issues, calls it "inverted customer relationship management," in which criminals target the wealthiest individuals for their attacks.
Some are even buying marketing lists to piece together profiles of "who's got the Platinum [American Express card] and who's got the account with Merrill Lynch and who doesn't," says Litan.
I found this particularly interesting because a reasonable person would have to question: who is selling them these lists?
In the most recent high-profile data breach to hit the news, at Certegy, a dishonest insider sold the information to a broker. Interestingly enough, as far as I know, this information broker has yet to be identified. The next question might be: who did the information broker sell the information to?
Recently, another data broker (InfoUSA) was called out for selling marketing lists to sweepstakes scammers.
Perhaps PogoWasRight, who states "We have met the enemy and he is us" hits the reason for the problem right on the nose.
A lot of people are making billions, if not trillions, of dollars by making it easy to use information. So much information has been plastered in so many places that we seem to have lost track of it all.
This gives the criminals behind this phenomenon a lot of places to steal, or even buy, everything they need to commit identity theft.
Another sad statistic is that these criminals rarely seem to get caught. I'm pretty sure the last figure I saw was less than 1 percent. This makes it a pretty lucrative criminal enterprise to be involved in.
Despite this, we still don't have a law that addresses data breaches.
With the elections coming up, perhaps we should be asking our elected leaders, why this is the case?
The only way to turn this trend around is to make everyone involved in it, more accountable.
Interesting article by Robert L. Scheier, here.
The article mentions statistics gathered by the Privacy Rights Clearinghouse, which I quote frequently. Other places that gather information on this are PogoWasRight and Attrition.org.
And all of them will be the first to tell you that these are only the breaches we know about. The mysterious criminals stealing the information would rather not disclose who they are stealing it from. Of course, the people it is being stolen from would probably rather not make it public, either.
Saturday, July 07, 2007
Why the GAO report on Identity Theft might show that disclosure works!
I came across a thoughtful post about the recent GAO report on identity theft and data breaches written by Dissent, who blogs at the Chronicles of Dissent. This is a well-written analysis, and after reading it, I was inspired to think a few things through.
In Dissents own words:
The June GAO report, Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown [GAO-07-737 (pdf)] was released today.
Looking through it, it is clear that they relied heavily on data and statistics provided by Attrition.org, the Privacy Rights Clearinghouse, the Identity Theft ResourceCenter, and reports obtained from NY and NC under FOIA by Chris Walsh.
Although it is encouraging that the government is actually using the data that these organizations and individuals have worked so hard to compile, some of the implications suggested by the GAO report are troubling from the perspective of a privacy advocate.
Of note, Dissent is affiliated with PogoWasRight.org, which is affiliated with Attrition.org, one of the sources tracking the never-ending saga of data breaches.
I'm going to link to the full article, which I think is a valuable read for anyone interested in this subject. Then I will give my personal opinion.
Chronicles of Dissent post, here.
Identity theft seems to be a growing problem, at least whenever anyone takes the time to track the statistics. If this is true, then why would known data breaches result in so few cases of identity theft?
The answer is simple: once a data breach is exposed, the stolen information isn't as easy to use!
When a data breach is disclosed, the people whose information was compromised normally take a lot of measures to protect it. In fact, an entire industry (identity theft protection services) has come about which automates the process. This makes the information harder, and probably a lot more dangerous, to use.
Everyone involved in studying this admits there are a lot of compromises no one knows about. These unknown compromises are probably where most of the information being used to steal identities comes from. After all, the criminals don't want to waste their time on information that won't work or, even worse, put them at risk of getting caught.
One of the reasons the problem is growing is that not many of them are getting caught (my opinion).
At best, once a breach is known, someone is going to have to hold on to the information for later use (after people and organizations have let their guard down).
Perhaps these highly publicized data breaches have stopped the information from being used? If so, it's certainly a good argument for mandatory notification.
In closing, our personal information has been put in too many places that don't seem to be protected very well. The reason for this is also pretty simple: there is a tremendous amount of money being made from selling it to market products.
As long as our information is being used for a profit and isn't being protected properly, it's only fair that those profiting should be held liable for all the notifications and clean-up.
Of course, I'm also in favor of going after the people compromising the information with a little more gusto. Since this costs money, I have no doubt who should be helping to pay for that, also.
*Update to article 7/10/07 - Dissent owns PogoWasRight and is no longer affiliated with Attrition.org. He was kind enough to add a comment to this post, which can be viewed at the bottom of this post, here.
No one can ever be certain of anything until things become more transparent. This is why I often add that some of my thoughts are purely opinion, based on my observations of this phenomenon. I am always open to considering all points of view, and in fact, learn a lot by doing so.

Labels: chronicles of dissent, data breaches, gao, identity theft, pogowasright
Tuesday, February 20, 2007
Another sad statistic, the Stop and Shop data breach
Last weekend, Stop and Shop (Quincy, MA) reported a data breach at two of its stores in Rhode Island. After an initial investigation, the theft was tracked to two PIN pads.
Consumer Affairs has the most informative story (my opinion) on this current breach. They are reporting that, with the assistance of the Secret Service, four more compromised PIN pads have been identified (all in the Rhode Island area).
Martin H. Bosworth makes an interesting point in his article that the United States hasn't been as proactive as our European friends in adopting new technology to stop debit/credit card fraud, such as chip and PIN.
Of course, implementing the PCI data protection standards isn't exactly a 100 percent solution, either.
The PCI data protection standards (PCI DSS) were created by the payment card industry, and even when they are violated, the only consequence seems to be that the merchant is fined. The standards are designed, among other things, to stop merchants from storing information they aren't supposed to keep once a transaction has been authorized: full magnetic-stripe track data, the CVV2/CVC2 code and PINs. A skimmed PIN pad captures that data before it ever reaches the merchant's systems, which is why PCI compliance alone doesn't stop this kind of theft.
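One concrete thing a merchant can do under the PCI rules is check its own logs and database exports for the data it is forbidden to keep. The scanner below is an added example written for this post, not Stop and Shop's tooling or anything published by the card brands: it runs over a few constructed POS log lines and flags full track 2 data, CVV2 values and Luhn-valid card numbers. The log format, field names and card numbers (the 4111... values are standard test numbers, not real cards) are all assumptions.

```python
"""Scan stored records for data PCI DSS says a merchant must not keep.

Added example, not Stop and Shop's or any card brand's tooling. PCI DSS
forbids storing sensitive authentication data after authorization: full
magnetic-stripe track data, the CVV2/CVC2 code and PIN blocks. It also
requires the PAN itself to be rendered unreadable wherever it is stored.
This scanner looks for all of those in log-style lines. Sample lines and
field names are constructed.
"""
import re
from typing import Dict, List

# Card number: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Track 2: ;PAN=YYMM(service code + discretionary data)?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\?")
# Card verification value logged as a field (cvv2=, cvc2=, cvv=).
CVV_RE = re.compile(r"\bcv[vc]2?=(\d{3,4})\b", re.IGNORECASE)

# Constructed POS log lines. Line 3 is the compliant pattern: a token and
# the last four digits only. Line 4 carries a number that fails the Luhn
# check, so it is a false positive we want the scanner to ignore.
SAMPLE_LINES: List[str] = [
    "2007-02-17 12:01:33 POS lane=4 auth req pan=4111111111111111 exp=0909 cvv2=123 amt=54.20",
    "2007-02-17 12:01:34 POS lane=4 track2=;4111111111111111=09091011234567890?",
    "2007-02-17 12:02:01 POS lane=2 auth req token=tok_8fa3 last4=1111 amt=12.00",
    "2007-02-17 12:03:10 POS lane=4 auth req pan=4111111111111112 amt=1.00",
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; cuts most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four are the most PCI allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per prohibited item, with the PAN masked in the report."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        # Track 2 contains the PAN; report it once as track data, then drop it
        # from the line so the PAN pass does not report the same digits twice.
        for m in TRACK2_RE.finditer(line):
            findings.append({"line": n, "kind": "track2", "value": mask(m.group(1))})
        rest = TRACK2_RE.sub("<track2>", line)
        for m in CVV_RE.finditer(rest):
            findings.append({"line": n, "kind": "cvv2", "value": "***"})
        for m in PAN_RE.finditer(rest):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append({"line": n, "kind": "pan", "value": mask(digits)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

Lines 1 and 2 are the ones a PCI assessor would fine the merchant for: a clear-text PAN with its CVV2, and a full track 2 record, which is exactly what a tampered PIN pad harvests. Line 3 shows the pattern that is safe to keep (a token and the last four digits), and line 4 shows why the Luhn check matters: without it, every 16-digit order or serial number becomes a false alarm. The scanner never writes an unmasked PAN into its own report, since the report would otherwise become one more place the data is stored.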
Consumer Affairs story, here.
Of interest in this case is that the PIN pads appear to have been tampered with inside the stores, which makes me wonder if there was some sort of inside connection.
Tom Fragala (CEO, Truston Identity Theft Services) did a recent post on his blog where he linked to a video on how easily an ATM in a store can be compromised, here.
Of note, Truston is the only service for victims (that I know of) where someone doesn't have to submit all their personal information to a database, which could also be compromised.
This is a good video, but note that the ATM was in a fairly concealed area, whereas I'm guessing these PIN pads were in the checkout lanes of the stores.
Attrition.org and PogoWasRight provide information on data breaches (frequently updated), here.
Someone should start a chronology of how many of the people stealing this information get caught. Unfortunately, the list wouldn't be very long.
*(Update): I must have missed that Attrition.org is recording arrests, but the results are not encouraging.
The most recent news about legislation to protect the people being victimized by this growing problem isn't good.
A recent article by Scott Bradner (Network World) about how special interests are preventing the passage of any meaningful legislation argues this point, eloquently:
The Leahy privacy bill: coddling the criminals?