MASS RMV DATA STOLEN - WHY?

Last Thursday two masked men, operating a stolen jeep, pulled up next to a courier's white van that was parked outside a MA RMV location, jumped out of the jeep and stole five bags from the courier's van. This is according to witnesses' accounts reported to police.

According to the MA Department of Transportation Press Secretary, the private courier worked for the Registry of Motor Vehicles and the five bags contained documents, not money. The documents included:

"Personal customer information is contained in the types of paperwork stolen. The records included names, dates of birth, addresses and license numbers. The types of paperwork stolen do not include the social security numbers of Massachusetts residents," she said.

As reported by the Gloucester Times

Apparently between 500 and 600 customers were affected.

The police are saying it was a targeted theft, but that maybe the men thought the bags contained money. These guys used a car that had been recently stolen and had a second getaway car parked nearby.

This seems like a lot of work to go through to steal 500-600 people's registry transaction paperwork. The "they thought the bags had money" theory seems more likely.

But... if the bad guys had this thing so planned out, why didn't they know that the bags didn't contain money? Does the courier usually have the Registry's money, but only had the paperwork on this particular morning? That is an important question.

The other important question is: exactly what information was taken? Was there something about the information that would be valuable? The registry took care to say that no "social security numbers" or "credit card information" was taken. But if the stolen information was in the right (wrong) hands, what could they do with it?

Usually a theft like this involves access to inside information. It's not like these guys would sit outside the Wilmington branch of the RMV every day to learn the courier's schedule. That might happen in the movies, but in my experience, criminals are just too lazy to do that leg work. They will either know someone on the inside who can tell them the schedule, or one of them IS on the inside and works for either the RMV or the courier service. Either way, the information should have included the fact that no money would have been in those bags, or we have yet another example of "world's stupidest criminals."

From a data security standpoint, this crime should serve as notice to those companies still using data in paper form that they are not immune from being "hacked." This incident is technically a data breach, right? And since it involves a State agency, different rules apply.

Executive Order 504 requires Massachusetts State Agencies to protect "Personal Information." Because M.G.L. 93H and 201 CMR 17 do not apply to public entities, this order seeks to close a loophole with one big exception: penalties for non-compliance... or lack thereof.

Since it appears that the courier was a private company and the RMV is a State agency, they would have had to execute a contract with specific language regarding the protection of Personal Information of Massachusetts residents. Exec Order 504 commands it.

So, what at first blush appears to be a couple of bungling idiots taking the wrong bags (or the right bags on the wrong day) may turn into an "investigation" into the lack of protection afforded 500-600 Massachusetts residents' personal information.

Did the contract between the RMV and the courier have the appropriate language?

Did the courier have the appropriate protections in place?

How much will this incident cost the courier? The State? There are procedures under Exec Order 504 that must be followed.

Until I hear that this courier usually carried money I will presume that the theft of information was the goal of the bad guys' actions. I mean, these guys stole a car just hours before this crime, had a second car ready to go, wore masks, and pulled this off at 9:00am? If you go to all that trouble and don't know exactly what's in those bags you deserve to serve time for stealing paper...

Major Credit Card Processor hacked - is the sky falling?

Last Friday, I was reading my daily dose of Brian Krebs' blog, KrebsOnSecurity.com, and read his story about a company called Global Payments Inc. being hacked. He didn't name the company on Friday; the Wall Street Journal did later in a story. Either way, we now know the company's name.

Global Payments Inc. is a credit card payment processor, or "acquirer", or "merchant acquirer" in industry terms. Firms like this are basically middlemen between the various retail or other business establishments who take credit cards and the banks who issue them. The credit card industry has layers. Banks issue credit cards to the people. The people want to use their cards to buy things, so retailers set up accounts with "acquirers" in order to be able to take credit cards. Visa runs a particular network, VisaNet, that ties all these different entities together.

When you use your credit card, you are essentially saying, "I promise to pay my bank back." You are promising to pay your bank back because it's actually the bank who is going to pay the business where you used your card. Now the bank can't be going all over the world trying to pay all the places where you used your card. Well, I suppose they could, but they don't. Enter the next layer...the acquiring bank, and in this story, the breached entity.

The acquiring bank spends its time setting up merchant contracts with the various entities that would like to accept credit cards. It then handles the mundane task of collecting money from your bank in order to pay the merchant, minus a small fee of course.

The only real role that Visa or MasterCard or American Express (the credit card "brands" if you will) play is to facilitate communications amongst the relevant parties. Of course they'd tell you that it's their brands that make the whole non-cash world go. And to some extent, they are correct. When your card is swiped VisaNet sends a message to the bank asking if it's ok to use your card, VisaNet is also equipped to answer that question if the bank doesn't answer fast enough. (remember, you're standing there hoping you paid your last bill...waiting for that machine to answer)

To complicate matters further, there can be yet another layer between the actual store wishing to take credit cards and the acquirer. Because it's not relevant to this discussion, I will leave a full credit card industry analysis for another day. Suffice to say that if there is a way to make money in the credit card industry, the companies have figured it out.

This particular acquirer is rather large. Most are. They make very little on individual transactions, so they need lots of transactions to make real money. Global Payments makes real money. They are a public company listed on the New York Stock Exchange. Take a look at this graph which shows Global's stock price before, during and after they announced the breach. (GRAPH)

The losses piled up so fast that NYSE halted trading of Global's stock around noontime on Friday. In the wake of the announced breach, VISA announced that they would be dropping Global as a processor. Well, not exactly "dropping" them apparently, but rather delisting them from a "registry" of processors (acquirers, merchant acquirers, etc.) who meet certain data security requirements. You see, VISA, MasterCard and the rest of the "brands" hold all the cards. They get to decide who is a processor, and more importantly, who is not. Or in this case, who is on the good list and who is on the naughty list. Very Santa-ish of them.

The number of credit card numbers stolen in this breach is either unknown, still being established or being "managed" in order to do the least damage. Global says that "less than 1.5mil had been 'exported'." Interesting choice of words. Please check out Brian Krebs story on that issue here. This company probably processes(ed?) billions of transactions a day...  will they ever know what was actually taken?

All this matters because of the costs that come next. Let's say it's 2mil cards lost. If each card costs say $3 to replace, that's $6mil. Now say half of them want credit protection. At $6 per person that's another $6mil. If Global loses business because Visa "delisted" them, that's another cost (amount unknown). Don't check my math, these are extremely rough numbers and every situation has different costs. I am confident that the costs will be profound however. Ponemon Inc. puts the average cost of a data breach at $214 per record. (x 1 mil? x 2 mil? x 10mil?)

And let’s not forget about that stock price graph I showed you. Global lost approximately 14% of their stock value. Based on what I know about their annual income, stock price and their market capitalization – (which is just about nothing) – I assume that 14% is a lot, a real lot of money.

A law firm, Levi & Korsinsky has announced that they are "investigating potential claims against the board of directors of Global Payments, Inc."

If I own stock in a company and that company performs so poorly because of its management, I can sue the company - well, actually, I sue the Board of Directors on behalf of the company - you see shareholders own the company. I do not purport to be an expert on so-called Shareholder Derivative lawsuits, or Federal Securities class actions, but I do know that you'd be wise to hire a lawyer (or lots of them) if one of these showed up on your company's doorstep. It looks like the folks over at Levi & Korsinsky are cooking something up.

In the wake of a data breach there are huge costs associated with the clean-up, notifications of affected parties, lost business or brand damage, litigation or potential litigation, regulatory action and other related costs. The down side here is pretty down.

But look on the bright side... a computer science degree is getting more popular by the day. You can be good or bad but definitely rich.

Afterword:

Dear Credit Card Industry:

I don't really care if every credit card processor on the planet gets hacked. I simply would like to be assured that even if they do, the costs will not trickle down to me. I will participate in your cash-less society so long as these pesky data breach things don't impact my bottom line. Please tell me the sky is not falling.

Signed, Concerned Customer

Dear Concerned Customer:

The sky is not falling. We are dedicated to providing the most secure environment for credit card transactions, but alas our world is awash with a certain element intent on hurting our efforts. Since we are all in this world together, we must all share the costs. We will certainly do our best to make it seem like it's not costing you anything, when in fact it is. You don't really expect us to pay for these crimes, do you?

Signed, Anonymous (we pwned again!)

Video interview: Discussing Stratfor and Wikileaks with LXBN TV

Early this week I got the opportunity to be interviewed by Colin O'Keefe of LXBN TV on the subject of the Stratfor data breach and their emails ending up on WikiLeaks. In the interview, I explain the back story here, what type of information is showing up on WikiLeaks and how these types of cases are investigated and prosecuted. 

Of course, the day after this interview we find out that "Sabu" of LulzSec fame was cooperating with the FBI for nine months and served up, among others, the individual allegedly responsible for the Stratfor incident. Much more on this later...

Stolen Stratfor Information Ends up on Wikileaks

At the close of 2011 there was a data breach at a company called Strategic Forecasting. I wrote about it with a cynical view towards the company's internal security protocols. I also wrote, incorrectly, that Stratfor was in the business of providing advice on security; they are in the business of providing an analysis of "intelligence." A sort of "wanna-be CIA." I still stand by my statement that a company like this suffering a breach is unacceptable.

Today, I took a spin on Wikileaks because I heard that the stolen information showed up there. What a fascinating read. According to Wikileaks, they have five million internal Stratfor e-mails. They published some of those e-mails on Monday.

Stratfor issued a press release discussing the disclosure of these e-mails and in it claims that:

Some of the emails may be forged or altered to include inaccuracies; some may be authentic. We will not validate either.

That's a great way of saying, "ah, there's bound to be some stupid, embarrassing stuff in there, but ah, maybe those are the forged ones... and the brilliant ones are certainly authentic..." Their attempt at creating an atmosphere of “plausible deniability” falls well short in my mind. But really, what else could they do?

When I first read about the hack, I presumed that the information was the target and although credit card numbers were stolen, it was the information the "bad guys" were after. Little did I know that it wasn't that the "bad guys" wanted to "use" the information in a conventional sense; they merely wanted to publicize it. I get the distinct feeling that someone doesn't agree with Stratfor's business operations. (that "someone" looks to be associated with Anonymous)

Stratfor seems to be a private CIA, at least that's what they seem to want to be. At the same time, and if you believe the e-mails, they think that government intelligence agencies don't have a clue. They claim to have “sources” around the world in many different locations and positions including journalists, diplomats, and possibly “high-ish” ranking military figures.

By releasing these e-mails, and if you believe the content, we can all but conclude that Stratfor is in a shady business. Some tidbits: the Brazilian Government likes kickbacks when purchasing military equipment abroad according to one of their sources; Coca-Cola wanted to know if PETA would be actively protesting at the Vancouver Olympics; WalMart paid $16k for two background checks on potential employees; and my favorite: Venezuelan President Hugo Chavez apparently used Cuban doctors to operate on his supposed cancer and according to his second medical staff, the Russians, the Cuban doctors made serious errors... and now Chavez is seeking a third opinion from Chinese doctors because they use more "natural" means of treatment.

Now that it appears we know the real motive, public disclosure of private information, who gains? Do disclosures like this make the world a better place? Will this new release benefit Wikileaks? According to Wikileaks themselves, they're broke. Their boss is in the hoosegow (well, house arrest anyway) and they are still in the US Government's sights for that whole "Diplomatic Cables" disclosure. Do they think this will help their cause?

Perhaps it will. You see, Wikileaks is merely a conduit for the information. They probably didn't take it. They just have the right connections to publish it. As Wikileaks will surely come under government scrutiny based on this latest release, the Wild Wild West will surely come to its aid. Perhaps that is what will save Wikileaks... and perhaps Wikileaks will become an idea and not one man's company. Maybe Julian Assange will face eventual justice for publishing those diplomatic cables but Wikileaks will live on, just in a different form.

If we learned one thing from 2011, stealing data is possible; in fact, it's probable. Give the hacktivist enough time, and enough computing power, and they can do quite a bit of damage. Can we stop it? Do we think that law enforcement is still investigating the Sony breach? How about the Michaels breach, the Citi breach, the Epsilon breach...? These cases are building up faster than they can be solved.

This hack involved a private company and may perhaps cause some embarrassment to various entities. Do I think that this hack will cause the FBI to drop everything and go after the perpetrators? Not exactly. Well, let me qualify that answer. It depends. It depends on how close the leadership of the company is with the power structure of the United States. You see, the squeaky wheel gets the grease.

If you don’t recall the whole HB Gary incident, Google it. By understanding what happened to them, you will learn what Stratfor shouldn’t do in response, no matter who they think they are…

Public Enemy Number One?

If 2011 was "The Year of the Data Breach", then 2012 is fast becoming "The Year Anonymous Became Public Enemy # 1!"

Anonymous, Anonymouse, and "tools", are all terms I have used to describe this decentralized group of computer operators who use their skills to harass, embarrass and otherwise annoy. If you think they're going away anytime soon, think again.

Let's have a look at just this month so far, and see what these folks have been up to:

I would put these in order, but does it matter... (These all happened in the last 16 days)

"they" is Anonymous

  • Boston, West Virginia, and Salt Lake Police Departments - they just don't like cops
  • Basically the whole City of Oakland's leadership - they didn't like Occupy Oakland's end
  • Federal Trade Commission - they don't like ACTA, an international anti-counterfeiting treaty, and the FTC supports it
  • Croatian President's website - this President does like ACTA, therefore, they don't like him
  • United Nations - apparently because it was easy, but maybe they don't like the whole world
  • CIA - any guesses why they did this one?
  • Mexican Chamber of Mines (Camimex) - they don't like the working conditions of miners
  • Syrian (soon to be ex-) President Bashar al Assad - any questions?
  • New Zealand Foreign Minister's email - they don't like recent NZ legislation on illegal downloading
  • Microsoft's India Store - apparently by a Chinese contingent of Anonymous, but no real reason
  • Brazilian banks: Banco do Brasil, Bradesco, Itau, HSBC - must be members of the 1%
  • Law Firm that was defending the Marine found guilty in the Iraqi town of Haditha killings - he didn't go to jail, the attorneys did their job... if Anons disagreed, wouldn't the judge have been a better target?
  • Westboro Baptist Church - go get 'em fellas... (and ladies)
  • NASDAQ, Chicago Board Options Exchange - damn the financial system, let's take it down
  • Combined Systems, US Corporation - makers of tear gas that was apparently shipped to Egypt
  • Symantec - high tech security company, Anons stole the source code for PC Anywhere
  • State of Alabama - apparently AL has some "racist legislation" regarding immigrants
  • FBI - UK (Met Police) PHONE CALL!!! - the investigators tapped by the "investigees"
  • And apparently today they are launching "Operation Global Blackout", which is supposed to cause havoc all over the Internet - maybe this site is currently down...

So, there's a snapshot of the last two weeks or so. If you think these are all harmless pranks, think again. The State of Alabama hack resulted in 46,000 citizens' personal information, including Social Security numbers, being stolen. Where are they now? Do you think the thief cares?

Also, remember back to the Strategic Forecasting (Stratfor) breach; I wrote about it here. Back in December, Anonymous both claimed and denied responsibility. Recently, however, clients of Stratfor have been receiving emails that are clearly "phishing" attempts. These emails purport to be from Stratfor informing the recipient that they need to click a link in order to assist with the "healing process" (my words, not theirs) of their data breach (the link claims to load some protection program for the client). The link is actually to a malicious program designed to steal things like banking credentials.

So, it could be that Anonymous is pulling a Taliban (poppies are illegal where we're in power, but we own them all when we're not), and using the stolen information for financial crimes (not merely for protest purposes). Many times they post the information publicly to prove they did it. Along comes the wolves, and, well, Houston, we have a problem. (If a guy buys a gun, and then leaves it on a sidewalk, loaded, is that a problem?)

But ah ha, the US Senate recently released a long awaited piece of legislation, The Cybersecurity Act of 2012! Thank heavens...

Let me have just two more minutes of your time so I can give you the headlines of this piece of legislation:

...the Cybersecurity Act of 2012 would do the following:

Coordinate Cybersecurity Research and Development

Determine the Greatest Cyber Vulnerabilities

Protect Our Most Critical Infrastructure

Protect and Promote Innovation

Improve Information Sharing While Protecting Privacy and Civil Liberties

Improve the Security of the Federal Government's Networks

Clarify the Roles of Federal Agencies

Strengthen the Cybersecurity Workforce

In the last 16 days, hackers have operated with abandon and caused mayhem. Let's hope that the next 16, and the 16 after that and the 16 after that, and so on, and so on... will get this bill on our President's desk so these folks can have a new target (whitehouse.gov) and make themselves public enemy number one.

PS - if you have Symantec's PC Anywhere... I'd be nervous.

Boston Police Website Hacked

The Boston Police have (or should I say had) a very useful website called "BPDNEWS.COM" that fell victim today to some tomfoolery.

If you try to reach the site now, it asks for a password or will just error out. They must have taken it off-line.

If you were one of the lucky ones who accessed the site after the hack but before the take-down, you would have found a music video by KRS-ONE, a hip hop artist whose songs are not so flattering of the police.

Here are the local news stories about the hack: Channel 5 and Boston Herald.

Just when you think the whole "Occupy Boston" thing was over... they bring you back in. I used to visit that site regularly, it's pretty useful. I don't know if there was any data worth stealing attached to it, and for the sake of the BPD, I hope not.

Zappos gets Zapped gives Zippo

So, I went to Zappos.com for the first time today. I thought I would see what they had to say about this weekend’s announcement that just about everyone who shopped there has had their information stolen (well, 24 million people, which may or may not be “everyone” who shopped there, but man, that’s a lot of people).

What did I find? Nothing, nada, zilch, zip. Not a single mention could I find. I even used their search function and typed in “data breach”, which resulted in the site showing me a watch for $90.

I checked out their “blogs” section thinking that maybe they’d put something up there… nope, just the announcement of the winner of the “Ultimate Tee Shirt Design Contest.”

I heard from media reports that all affected accounts would need a new password, so I clicked on “new password” – no mention of the breach there either.

Lastly I scrolled down about a quarter mile and found the “privacy policy” link. For sure there will be some mention there… ah, no. But wait – look over on the right, a picture of a lock and the words “shopping with confidence.” And even better a link to “Learn how we protect your personal data…”

Here’s a quote from that section:

“Zappos.com servers are protected by secure firewalls—communication management computers specially designed to keep information secure and inaccessible by other Internet users. So you're absolutely safe while you shop.”

So, if I didn't watch the news or read the Internet, would I know? 

But wait just one minute. According to a Fox news account from two days ago, there was a posting that said “security email” – it’s right here: http://blogs.zappos.com/securityemail And in that email was the announcement that the customers would start getting an e-mail in a couple of hours.

And in that posting there was a link to this: http://www.zappos.com/passwordchange

Look, I'm no expert computer designer, but I'm not a neophyte either... I simply could not find any way to access those pages. If it's there, it's certainly not prominent. I challenge someone, anyone, to find it from their homepage.

I have never shopped at Zappos, so I would not expect an email notification from them. In the email to their employees dated Jan 15th they inform them that “in the next hour or so we will begin the process of notifying the 24 million people involved…”

My wife shops there, a lot it appears, even has a “zapp app”… but lo and behold…no email… nothing, nada, zilch, zippo… OK, 24 million people is a lot to email, well, not according to certain Spam operators...just maybe 48 hours is not enough time. Since she heard about it on the news she decided that she better take action. 

My wife used her fancy-dancy "zapp app" and clicked "change password" - she was brought to a page that listed Ugg boots for sale... She eventually went to the Zappos site and tried to log in with her old credentials...

Here’s the message my wife got when she tried to log in:

We apologize for the inconvenience however a recent security update has resulted in the need for you to reset your password. By resetting your password, you'll have a more secure experience on our website.

“…a recent security update…”, that’s how it’s being phrased… lovely. I think it’s only fair that you prominently post relevant, important, accurate information on your home page. Sure, it’s embarrassing when something like this happens, but you can’t hide from it.

According to a simple Google search, there are a lot of media outlets covering this story. The media is reporting all over the place that it was a “cyber hacking incident” and not a “mistake” or a “lost piece of equipment.”

But what if you don't consume news like I do, or preferred to watch the Packers game on Sunday afternoon (what was THAT all about - 15-1-and done?)

If you didn't read the news about this incident and relied on Zappos to provide you with the relevant information you would be told that a "recent security update" requires you to use a new password. No worries my friend - remember, at Zappos you can shop with confidence. They have really cool firewalls...

So, what is it? Were the servers in Kentucky hacked into by criminals? If it's my information involved, that's a WHOLE different story than a "recent security update."

Lots of people use the same email address and password at several different retail outfits. Right now there is someone, or someone(s), with my wife's email address and password for Zappos. How hard would it be to figure out that maybe she shops elsewhere with the same info - oh, and at that other site, she has her credit card information saved there to "make the shopping experience that much faster..."

Incidents like this are going to happen, but to keep the integrity of the online commercial world intact, they have to be handled properly.

Chaos reigns in the early moments of a data breach. Getting it right requires ADVANCE preparation because YES, it can happen to you. Do you think they had a "data breach response policy manual?"

Me either.

PS - how about a WISP? I'll be curious to see how our AG handles this one.

Can Data Breaches Save the World?

In what appears to be a tit-for-tat situation, Saudi Arabian and Israeli citizens have had their credit card details published by hackers. It seems to have started last week with a report out of Israel that possibly hundreds of thousands of credit card numbers and other personal details were published on the Internet’s dumping ground, “Pastebin.” According to various sources, between “100’s” and “10000s” of people’s information was publicly available thanks to a “Saudi hacker group.”

Not to be outdone, apparently this week another hacking incident involving credit card numbers took place. The targets were Saudi Arabian citizens, the perpetrator? Someone allegedly named “OxOmer” or “Omer Cohen”, an apparent Israeli citizen. Again, the Internet’s dumping ground, Pastebin, was used.

So there we have it, a bloodless skirmish. This behavior is a whole lot better than suicide vests on buses. Is this the next evolution in international disagreements? I mean, I would be all for it if I thought it would stop the killing, but we all know that’s not going to happen. It seems to me that this will augment the other, more dangerous, events.

There is an old movie, Rollerball, that starred James Caan as a sort of soldier roller derby player guy. In that movie when two corporations (replaced countries in this futuristic, set in 2018, story) disagreed and would have otherwise gone to war, they instead play a game of “rollerball.” It was a rather dangerous game, primarily because there was so much riding on it. The participants would basically do anything they could in order to stuff a steel ball into a hole and get a point. When I say “anything”, I mean just that – which included killing your opponent during the game. But hey, at least we don’t have 100 mile long battlefields with thousands of soldiers dying, right?

I’m sure you were wondering about that old movie, which is why I brought it up. (oh, that's the roller rink over there)

So here we have two societies, Saudi and Israeli. There are certainly members of each society who have taken a negative view of the others’. They are not willing to take up arms necessarily, but hack into a computer to harass and annoy, certainly. It appears that is what happened, or is still happening, here.

But here's the rub: a member of the Israeli government has equated this to an act of terrorism.

Israel's Deputy Foreign Minister Danny Ayalon equated cyber attacks with terrorism, saying the country is prepared to respond.

Reported by CSO

Respond? The credit card companies shut down the stolen Israeli cards about as fast as one could hope, that’s the proper response. Perhaps a law enforcement based investigation, some international cooperation and maybe an arrest. That too, is the proper response. Equating this act to terrorism and then promising a “response” is a dangerous proposition. Are they going to hurl missiles into Saudi Arabia because some idiot hacked into a weak, unprotected coupon offering website???

Maybe I am taking his words too literally, but there were comparisons made to a possible hacking into Israel's national infrastructure like the electric grid or the banking system and bringing it down.

Things are already incredibly tense over there in the Middle East, I don’t think we need to add a new dimension to an already incendiary situation, but hey, that’s just my personal thoughts on the matter – and really, what do I know…

A "Whodunnit" to end the Year of the Data Breach

If I were a C-level person, meaning Chief Executive Officer (CEO), Chief Operating Officer (COO), Chief Financial Officer (CFO), Chief Information Officer (CIO), Chief Bottle Washer (CBO)... I would certainly bring up certain questions regarding my company's data security and what will, can or even could happen if the hackers get in. Sure, all these folks want to talk about is money, but look what can happen if you either a) trust your IT people without question or b) ignore the issue.

Strategic Forecasting Inc., known better as "Stratfor", was the latest hacking victim over the weekend. This company's product is essentially cyber security. These guys are supposed to be the real deal; with major governments and corporations from around the world being member clients of this "Stratfor." I mean, when the US Military is buying your newsletter and research papers on cyber security, it must be pretty good, right? (well, there was that whole Iran drone theft problem)

So, how embarrassing is it that a group of hackers can break into a company whose purpose is to teach others how to secure their information? Well, it appears someone did just that and stole a lot of information; and if current media reports are correct, it's A LOT of information. There is some question as to exactly what was taken and Stratfor is asserting that the "confidential client list" was not taken (of course they are).

To add insult to injury, it appears that Stratfor stored its members' credit card numbers in plain text (not encrypted), even though (according to a Threat Level story) they seem to have had a product in place that would have encrypted the card data had they not "turned it off" or otherwise disabled it. Oh, and it looks like they kept the CVV codes as well (the three- or four-digit code printed on the card). Keeping the CVV after a transaction has been authorized is flatly prohibited by PCI DSS, encrypted or not, because the whole point of that code is that nobody has it on file.

 

There I am at Christmas dinner, the CIO of a major cybersecurity company and I get THE call. What??? Really??? I better have those Christmas present receipts, because it looks like I'm gonna have to start returning some of the more expensive items I bought...

 

I just can't get my head around how this can happen. OK, since I'm not a computer expert hacker guy, I will just accept that if your computer is connected to the Internet it's never completely safe. I will even accept the fact that most companies seem to store purely internal information on systems that can be reached via the Internet. I cannot accept that a company will store credit card numbers without encrypting them AND keep the CVV codes (a violation of the card brands' PCI DSS standard, which is a contractual requirement on anyone who accepts cards rather than a government regulation), all reachable via the Internet.
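What handling card data properly looks like, as an added example (this is not Stratfor's code; nothing on this page says how their system worked beyond the reports above): the card number is Luhn-checked, at most the first six and last four digits are kept in readable form, the rest is reduced to a keyed token, and the CVV is used for the authorization call and then dropped. The `TOKEN_KEY`, the `StoredCard` layout and the `record_card_unsafely` function are assumptions for illustration; the unsafe function mirrors the plaintext-plus-CVV pattern the reports describe, as the "before" to compare against.

```python
"""Card-on-file storage that keeps the PAN and the CVV out of the database.

Added example, not Stratfor's code. TOKEN_KEY, StoredCard and the helper names
are assumptions for illustration; a real merchant would hand the PAN to a
tokenization vault or payment processor rather than keep even an HMAC of it.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed key for the example only; in production this lives in an HSM/KMS,
# never next to the data it protects.
TOKEN_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                          "101112131415161718191a1b1c1d1e1f")


def normalize_pan(raw: str) -> str:
    """Strip the spaces and dashes people type; everything else must be a digit."""
    return raw.replace(" ", "").replace("-", "")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: rejects typos and random digit strings before storage."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS permits at most the first six and last four digits to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str) -> str:
    """Keyed one-way reference to the card. Without TOKEN_KEY it can be neither
    reversed nor confirmed against a guessed PAN, unlike a plain SHA-256."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredCard:
    token: str   # what the database keeps instead of the PAN
    masked: str  # for receipts and the customer's account page
    expiry: str  # MM/YY


def record_card_unsafely(raw_pan: str, expiry: str, cvv: str) -> dict:
    """The pattern the reports describe: persist everything the customer typed.
    Kept only as the 'before' for comparison; never do this."""
    return {"pan": normalize_pan(raw_pan), "expiry": expiry, "cvv": cvv}


def store_card(raw_pan: str, expiry: str, cvv: str) -> StoredCard:
    """Validate, use the CVV for the authorization request only, then keep a
    tokenized record that has no field able to hold the PAN or the CVV."""
    pan = normalize_pan(raw_pan)
    if not luhn_ok(pan):
        raise ValueError("card number fails Luhn check")
    if not cvv.isdigit() or len(cvv) not in (3, 4):
        raise ValueError("CVV must be 3 or 4 digits")
    # Assumed: the authorization call to the processor happens here, with pan,
    # expiry and cvv in the request and nothing written to disk. Once the call
    # returns, the CVV is discarded.
    del cvv
    return StoredCard(token=tokenize_pan(pan), masked=mask_pan(pan), expiry=expiry)


if __name__ == "__main__":
    print(store_card("4111 1111 1111 1111", "12/26", "123"))
    print(record_card_unsafely("4111 1111 1111 1111", "12/26", "123"))
```

The difference between the two functions is the whole story: `record_card_unsafely` produces a row that is worth stealing, `store_card` produces one that is not, and the encryption product Stratfor reportedly switched off would only ever have been a second line of defence behind that design choice.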

 

Many media stories have the group Anonymous claiming responsibility, but others quote Anonymous as denying responsibility. So, whodunnit?

What if, just ponder the thought, that those who actually did this are "pretending" to be the loose knit group of hackers known as Anonymous. Would I know how to make a hack look like it was them? Probably. Maybe the real goal of this hack was much more nefarious. A major world power (see: China), who has teams of hackers working round the clock could certainly design an operation that makes it look like someone else did it.

The real goal of the operation was probably to steal information, and not the credit card numbers. But to fool people, you take the credit card info, use it to donate some money, go all twitter-crazy, make outlandish statements about "world order" and whatever other quotes you can find in Orwell's "1984." Sure, I bet you could make it look like Anonymous did it.

At the same time, this Anonymous thing is so amorphous, it could be anyone with the right skills.

With four days left in 2011 and the hacks still coming, will this be the Year of the Data Breach? Or will this trend continue into 2012? Well, check out the recent story that "computers traced to China breached the US Chamber of Commerce...", apparently the US Chamber has quite a library of valuable information. The hackers had access to those files and sensitive information for over a year.

Ya, we're going to see more of this next year, for sure...

 

"THE" list is lost

I was just contacted by someone named "Cymbal" who told me that THE list was stolen. When I say THE list, I mean just that, THE list... the one we have all been on since birth. Apparently, THE list was recently transitioned into electronic format, posted on an internal intranet, and somehow hackers were able to get to THE list.

This list has been in use for hundreds of years by Mr. and Mrs. Claus. I am sure they are devastated. The naughty/nice list was Santa's only method of deciding which boys and girls got presents, and which ones got coal. That someone would stoop so low as to steal this list confounds me.

Of course, under Massachusetts Law, the notifications must go out. In order to have the most accurate list, Santa needed more than just your name. He needed all your personal information. I mean, how many John Laceys are there in the world? Well, I know of at least one in Australia who has a website. Santa used SSN, DOB and other pieces of personal information in order to make sure that when someone moved from the "nice" side to the "naughty" side, he got the right person.

Based on the 46 different data breach notification statutes in the United States, the European Union data breach directives, the Australian data protection laws, the South Korean data protection laws, and yes, even the Russian data protection laws, it appears that Santa needs immediate legal representation.

Unfortunately, Santa can only hire helpers who are on the "nice" list and he is having a really hard time finding enough lawyers on the "nice" list to get enough help.

Word has it that this may actually delay Christmas.

My understanding is that just about everyone on the "nice" list will receive, as part of their data breach notification, credit monitoring and free candy canes for one year. Those on the "naughty" list will get a letter reminding them just how important it is to be on the "nice" list.

As for who did it? Interpol and the US Government have asked the famous Inspector Gadget to investigate. According to statements by persons who requested anonymity, it was probably Dr. Claw.

Merry Christmas and Happy New Year

 

A "Cash-less" Robbery

Our society is a lot more “cash-less” now than it has ever been, yet we're getting robbed more often. When I was in college studying economics, one professor taught us “macroeconomics”. Macroeconomics is the study of the economy as a whole. For example the amount of actual currency out in the world would be one element. We learned that the introduction of the ATM dramatically increased the amount of currency in the economy because people didn’t have to go to banks to get cash anymore. They had access to it 24/7.

 

With the introduction of debit cards people don’t even bother going to the ATMs anymore, they just swipe their cards for purchases as small as $1.59. So, I guess those kids in college studying economics now are getting a different lesson.

 

I bother you with such drivel because our society has essentially gone cash-less. And since that has seemingly happened, we are, as a whole, getting robbed every day. The interception (stealing) of credit and debit card data is a real cost to our economy. Imagine that 80,000 people who went to buy a submarine sandwich were robbed of their cash as they stood at the counter ordering. Crazy thought, right? It just happened…electronically.

  

The United States Department of Justice recently announced the indictment (courtesy of Wired - pdf) of four Romanian nationals. Three are in custody and one is on the lam. They are accused of operating a rather sophisticated credit card theft ring that was able to steal upwards of 80,000 card numbers resulting in millions of dollars in losses. Here’s how they did it:

 

According to the press release and numerous articles on the story (here, here, here), the Romanian hackers managed to infiltrate the credit card processing machines of approximately 150 Subway stores and “other” unnamed retail establishments. (Nice PR work by the “other” companies to keep their names out of it.) These establishments use what are called POS or “point of sale” machines to capture your credit or debit card information. The machines are supposed to merely pass the information through to a card processor, who in turn either approves the account for the transaction or denies it. Even when the data is encrypted on its way to the processor, it has to be read off the card in the clear first, and that moment on the terminal is what malware installed there can exploit.


Somewhere along this communication line, the card data was being copied and then sent to the hackers. Once they had the data they either sold the information or used it to make other, fraudulent, cards and used them. Remember the last time you stopped at a store and used their oh so convenient card machine? If you used a debit card you put your PIN in, right? And if you used a credit card, you signed the machine with that “pen” that was attached to it, right?

The big question is how does a group of 20-somethings from far flung Romania do this? Well, they need a little help… the machines have to be somehow connected to the Internet and in this case there is some discussion that the owners or servicers of some POS machines may install certain helpful "remote access" software so that they could “service” or “repair” the machines without having to actually visit the machines.

What actually happened here has yet to be completely revealed. The Government is being rather silent on just how these industrious youths pulled it off. Probably because these POS machines are everywhere. There is a discussion about “infecting” the POS terminals to capture the data, and “scanning” the Internet to find vulnerable unnamed remote access systems. No real discussion about why such systems are vulnerable. I guess we’ll have to wait for the lawsuits to get that data. And as for which Subway stores were affected? According to the indictment, they included locations in New Hampshire, New York, Florida, California, so, just about everywhere. The case is being prosecuted out of the NH US Attorney's Office and the Boston Office of the Secret Service is investigating - so it sounds close to home.
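The simplest defence against the pattern described above, whatever the malware on the terminal turns out to be, is that a POS terminal has exactly one legitimate conversation, with its card processor, so any other destination is worth a look. The following is an added example, not part of the indictment or of this post: an egress allowlist applied to a handful of constructed flow records. The subnets, the processor address, the back-office range and the flows themselves are all assumptions for illustration; a real store would enforce the same list in its firewall and feed the records from a NetFlow collector.

```python
"""Egress allowlisting for a point-of-sale segment.

Added example, not from the indictment or the post. The subnets, the processor
address, the back-office range and the flow records are constructed for
illustration; addresses are IETF documentation ranges.
"""
from ipaddress import ip_address, ip_network

POS_SEGMENT = ip_network("10.20.0.0/24")   # assumed: the terminals
BACK_OFFICE = ip_network("10.20.1.0/24")   # assumed: store server and admin PCs
# (destination, port) pairs a terminal may open on its own: the processor's
# gateway plus DNS/NTP on the local gateway.
ALLOWED_EGRESS = {
    ("203.0.113.10", 443),   # assumed card processor gateway
    ("10.20.1.1", 53),
    ("10.20.1.1", 123),
}
# Constructed flow records: (src, sport, dst, dport, proto, bytes)
SAMPLE_FLOWS = [
    ("10.20.0.5", 51023, "203.0.113.10", 443, "tcp", 1840),     # authorization, fine
    ("10.20.0.9", 39001, "10.20.1.1", 123, "udp", 90),          # NTP, fine
    ("10.20.0.5", 51030, "198.51.100.77", 443, "tcp", 412000),  # terminal uploading elsewhere
    ("192.0.2.66", 40211, "10.20.0.7", 5900, "tcp", 9800),      # inbound VNC from the Internet
    ("10.20.1.4", 40300, "10.20.0.7", 5900, "tcp", 3000),       # back-office remote support
]


def triage_flow(src, sport, dst, dport, proto, nbytes):
    """Return None when the flow matches what a terminal is expected to do,
    otherwise a one-line reason for an analyst."""
    s, d = ip_address(src), ip_address(dst)
    if s in POS_SEGMENT and (dst, dport) not in ALLOWED_EGRESS:
        return f"POS {src} -> {dst}:{dport}/{proto} not on allowlist ({nbytes} bytes)"
    if d in POS_SEGMENT and s not in POS_SEGMENT and s not in BACK_OFFICE:
        return f"inbound to POS {dst}:{dport}/{proto} from {src}, outside back-office"
    return None


def suspicious_flows(flows):
    """Flows that should not exist on a terminal that only talks to its processor."""
    findings = []
    for flow in flows:
        reason = triage_flow(*flow)
        if reason:
            findings.append((flow, reason))
    return findings


if __name__ == "__main__":
    for _flow, reason in suspicious_flows(SAMPLE_FLOWS):
        print(reason)
```

The two flagged records are the two halves of the story in the post: the terminal sending card data somewhere other than the processor, and the "helpful" remote-access software answering a connection from the open Internet instead of from the store's own back office.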

 

Did the people whose accounts were stolen get their money back? Probably, but the banks are still out the money, who then in turn find a way to offset their losses by, maybe, instituting a $5/month debit card fee perhaps? And that's the real cost to the economy. Nothing is free, not even "zero liability" card protection from a certain, very large, bank.

 

Oh, and that guy who’s on the lam? He’s from Rimnicu Vilcea… “hackerville!” (Fabulous story about that place here)

 

PS – I presume that once this criminal investigation is done, the “data breach notifications” begin? Good luck fellas… You’ll need more than Jared for this one.

 

UPDATE: I no sooner logged off from writing this than I bumped into Paul Roberts' story about yet ANOTHER credit card hack related to retail... this time it's Restaurant Depot and they're saying about 100,000 cards. Is there anywhere safe to use your card?

 

 

 

It can happen to anyone


Today I must comment on the irony of a few incidents. High security or advanced technical skills seem to be no match for the WildWildWest (www) this week, but Massachusetts politicians seem to be able to see the future.

 

IRONIC INCIDENT # 1

Who gets to meet with the President of the United States? Sometimes it's world leaders, sometimes it’s a championship basketball team… Maybe a soon to be decorated war veteran or an injured one. Sometimes it’s even a local police officer and a college professor swinging by for a beer.

Last week Honolulu hosted a meeting of the Asian Pacific Economic Cooperation (APEC) summit. It’s a pretty big deal with the Presidents, financial ministers, and high level diplomats of many countries in attendance.

So, you want to meet with President Obama while you're attending the summit. Ok, I’m just going to need some information first. You know, just so I can do a background check and make sure you are who you say you are. Oh, and I’m going to need very detailed, specific information. If you recall, a few months back the leaders of Afghanistan thought that they were meeting with a high level Taliban member, only to be duped into handing the (not a Taliban) guy a suitcase full of cash. Or how about Mr. Rabbani, the murdered peacemaker who thought he was meeting with a reporter, only to encounter a guy with a bomb in his turban. Ya, we’re going to need to do a full background check on everyone.

So you dutifully provide the necessary information. It appears that the receiving party is putting the information into a computer database of some sort. Ok, we’re finished, I will let you know if you “passed the test” and can meet with the President.

You wait, and wait, and then get a note: “Dear Sir (or Madam), we regretfully inform you that the information you provided to us in order to have us conduct a background check has been, well, we’re not sure what’s going on, but we know that something weird is happening with our computers and well, it looks like your information was compromised…”

The Associated Press is reporting that a “cyber attack” has occurred at a place called the East-West Center. Apparently, the APEC summit had many of its events there and the computers there were, well, hacked. There is more coverage via the local Hawaiian papers, but they want registration and/or money to read their paper...how 1980's!

 

IRONIC INCIDENT # 2 

Not to be outdone by the State of Hawaii, there is another “ironic” incident coming out of California… A Special Agent from the California Department of Justice who specializes in computer forensics and investigations has apparently fallen victim to what is called “gettin doxed.” (Doxed, sometimes spelled dox'd, refers to a situation where a bunch of documents about a certain person, the more embarrassing the better, are released into the wild of the Internet - as in you just got punk'd, except now it's dox'd)

The individual had his email hacked, his VOICE MAILS hacked, as well as his web browsing history published for the world to see. This could be attributed to the group Anonymous, or it could be someone looking to have the whole law enforcement community take a hard look at that crew. Either way, it was pretty bad for the Agent. Everyone in his mobile phone address book got a text that said: “This is AGENT and I am being held captive by the infamous PEDOBEAR CONSPIRACY they say I will pay for all the people I put in prison so plz send help.”

So the unsuspecting recipient would write back and ask “What?” or “Huh?” based on the strange content. The hacker(s) would then engage in an exchange with the recipient while the AGENT was trying in vain to get the word out that he’d been hacked. The hackers even released information about his Craigslist visits, specifically the classified section.

 

This poor guy is an expert in this stuff…

 

I presume that the people doing background checks for Obama’s visitors are experts in that stuff…

 

I guess we can only conclude that it can, and will, happen anywhere at anytime. Oh, and you just can't make this stuff up...

NOT SO IRONIC INCIDENT # 3

Speaking of not making stuff up: did you hear about the famous wine company, Wine Library, who had membership services that included, among other things, saving your credit card information for future purchases... yup, you guessed it, HACKED... card numbers gone and apparently re-used. I wouldn't want to be that company when VISA comes knocking and asks about your PCI DSS compliance progress... And I was disappointed when Massachusetts refused to allow its citizens to purchase wine via the Internet. Wow, those politicians are clairvoyant, huh?

 

A Game Changing Computer Hack?

UPDATE: Thanks to a reader, I was informed that the "hack" described here wasn't a hack at all but rather a technician on vacation in Russia doing his job. You can read all the details here. I did originally put the term "hacked" in quotes because there was no confirmation. I stand by the fear mongering about the National infrastructure, however, because if your operation is attached to the Internet, it's subject to risk.

 

A fascinating news story is being generated out of Illinois. A water plant has apparently been “hacked”. The water plant uses computers and software to control the flow of water. Those computers use what is called a SCADA network, supervisory control and data acquisition, to manage the systems that control various industrial processes.

 


According to the few sources reporting this (CNN, Wired, Krebs), a water pump was burned out by hackers. They seem to have manipulated the SCADA system and caused the pump to malfunction.

This is big news because these SCADA networks are everywhere in our “infrastructure”. They are used to operate nuclear power plants, electric grids, and a whole host of other industrial processes. You may recall a story a while back about a computer worm known as Stuxnet being used to destroy the centrifuges Iran uses to enrich uranium. That worm altered the code on the controllers driving the centrifuges so that they ran at damaging speeds, while feeding previously recorded “all normal” readings back to the operators' screens. The centrifuges were stressed until they tore themselves apart. The protective logic in the control system would ordinarily have stopped that, which is exactly why the worm went after the controllers themselves rather than just the operator consoles.

 

There has been a lot of talk in Washington about “cyber war” and “cyber terrorism”. The fear is that some dangerous person or persons would be able to access our “infrastructure” and cause a nuclear power plant to “meltdown” or have an electric grid shut down a whole city or some other impact that causes either horrific injuries and death or significant economic harm.

 

In order to access our “infrastructure”, the bad guys would probably need to get to the SCADA systems controlling it. That’s why this “incident” in Illinois is so troubling. If true, this may be the first time that a SCADA network in the United States has been effectively breached or hacked (at least the first we’ve heard about publicly).

 

How this one came to light is that a state “cyber fusion” notice dated November 10, 2011 was somehow obtained by a guy named Joe Weiss, who apparently works for a company that deals with security for SCADA systems. Mr. Weiss went public with the information via a blog post. In his post you can read between the lines that he’s a little upset that the Feds aren’t all over this.

 

He reports that someone stole usernames and passwords from a SCADA software vendor and used the stolen credentials to hack into the water plant’s SCADA network, meaning whoever they are probably have more than just this one… (someone better go chat with the “vendor” – soon)

 

Mr. Weiss also reports that the attacker's IP address was traced to Russia. On its own that is too simplistic a conclusion. An IP address identifies the last hop, not the person at the keyboard: attackers routinely relay through proxies, VPNs or machines they have already compromised in whatever country suits them. (And per the update above, in this case the address really was in Russia because the vendor's technician really was in Russia; the address was accurate and the inference drawn from it was wrong.)
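What "a vendor account logging in from an unexpected place" looks like in a log, and the alert a plant should have raised on it, as an added example (not from the fusion-center notice, Mr. Weiss's post or this page): every successful login by a vendor account is compared with where that account normally connects from and with the hours the vendor is contracted to work. The log lines, the account name, the maintenance window and the IP-to-country map are constructed for the example; a real deployment reads the VPN or jump-host log and a GeoIP database. The same alert fires whether it is an attacker holding the vendor's stolen password or, as turned out here, the vendor's own technician on vacation; what the alert buys you is the phone call to the vendor, which is the step the IP address cannot replace.

```python
"""Review remote logins to a control network against a per-account baseline.

Added example, not from the post or the notice it discusses. The log format,
the vendor account, the maintenance window and the GEO map are constructed;
a real deployment reads the VPN/jump-host log and a GeoIP database instead.
"""
from datetime import datetime

MAINTENANCE_HOURS = range(8, 18)               # assumed: vendor work is 08:00-17:59 UTC
BASELINE_COUNTRIES = {"vendor-svc": {"US"}}    # assumed: where this account normally connects from
# Constructed stand-in for a GeoIP lookup; addresses are documentation ranges.
GEO = {"198.51.100.20": "US", "203.0.113.45": "RU", "192.0.2.9": "US"}

# Constructed log lines in the shape parse_line() expects.
SAMPLE_LOG = """\
2011-11-08T14:02:11Z vpn: user=vendor-svc src=198.51.100.20 result=success
2011-11-08T23:41:05Z vpn: user=vendor-svc src=203.0.113.45 result=success
2011-11-09T09:15:42Z vpn: user=vendor-svc src=192.0.2.9 result=success
2011-11-09T10:03:00Z vpn: user=operator1 src=198.51.100.20 result=failure
"""


def parse_line(line: str) -> dict:
    """'<iso-timestamp> vpn: k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts_text, _, rest = line.partition(" vpn: ")
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return rec


def review_logins(log_text: str) -> list:
    """Successful logins that deserve a call to the account owner, with reasons."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["result"] != "success":
            continue                          # failed logins are a separate detection
        reasons = []
        country = GEO.get(rec["src"], "unknown")
        baseline = BASELINE_COUNTRIES.get(rec["user"])
        if baseline is not None and country not in baseline:
            reasons.append(f"source country {country} not in baseline {sorted(baseline)}")
        if baseline is not None and rec["ts"].hour not in MAINTENANCE_HOURS:
            reasons.append(f"outside maintenance window at {rec['ts']:%H:%M}Z")
        if reasons:
            findings.append((rec["user"], rec["src"], reasons))
    return findings


if __name__ == "__main__":
    for user, src, reasons in review_logins(SAMPLE_LOG):
        print(f"{user} from {src}: " + "; ".join(reasons))
```

Only the second line trips both checks, and the output is deliberately phrased as a reason to pick up the phone rather than as an attribution; deciding whether 203.0.113.45 is an intruder or a contractor on holiday is the vendor's answer to give, not the log's.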

 

According to a CNN report, officials at the Department of Homeland Security are “looking into it” and have not concluded that it was in fact a hack that caused the issues at the water plant’s SCADA network.

 

This might all sound like tech-babble, but if it turns out that an industrial SCADA network was breached from outside the United States, then this is a very, very, very big deal. Our authorities should consider this a shot across our bow from somewhere.

 

I give Mr. Weiss a lot of credit for making this public. If nothing else it will hopefully spur our Congress to deal with these digital world issues as soon as possible.

 

 

 

PS - on the Washington thing... this is what makes me mad: Congress is all over "online piracy", oh dear, someone watched Shrek 3 without paying for it... but they aren't even close to dealing with the nation's cyber infrastructure. Get your priorities straight!!!

 

A Survey of Pending Federal Legislation

Good Afternoon,

Tomorrow, November 3, 2011 I will be making a presentation at the Boston Bar Association on the topic of pending Federal legislation in the area of data breach and data security. It is sure to be a historic event as I will predict the future.

OK, maybe not historic, but certainly relevant. In 2007, Massachusetts passed the "Mass Data Privacy Law", followed shortly (ha ha) thereafter by the infamous regulations found at 201 CMR 17 (2010). The pending bills clearly intend to preempt all state laws. What will happen to Massachusetts law? I mean, it just got here... does it have to leave already?

I have chosen six bills that seem to have the best chance of passage this year. Of those six, probably three have a solid chance.

Come see which six are the "chosen ones" and which three have the best chance, and why!!

The United States lacks a comprehensive data privacy / data breach notification law. Even Russia purports to have one. Will it finally happen? Will the United States join the majority of the developed world and enact a nationwide law? Or will Congress bicker and debate for another year?

I have all the answers (maybe), you just have to be in Boston tomorrow at noon to get them...

Boston Bar Association

16 Tremont Street

Boston, MA

12pm - 1pm

https://www.bostonbar.org/membership/events/event-details?ID=8110

 

 

Boston Police Hacked

It was my intention to refrain from commenting on the current “Occupy Boston” situation down at Dewey Square. I walk by it each morning and each evening on the way into and home from work. I am acutely aware of the situation down there. I am not saying that I agree with what they are doing, nor am I saying that I disagree. I do understand that this "movement" is legit and widespread. I’m a firm believer that change, real change, happens from within. I signed up for my student loans that are now killing me. It's not the loan, it's the cost of tuition, boys... Did the protests of the 60’s force change in society or did a certain segment of that society get on the “inside” and start changing the culture from there? Probably both, but which one was more effective?

 

There, I did it, I commented, but why?

 

Over the weekend, it was announced that Internet sites associated with law enforcement (Boston Police Patrolmen’s Association, International Association of Police Chiefs, Alabama law enforcement) were hacked into by persons unknown as a form of “support” for those involved in Occupy Boston. Once your little “sit-in” drifted into my world, I have to write about it. This story is getting a little press, but not enough if you ask me. These persons “unknown” appear to be from that shadowy collective who call themselves “anonymous”, or as I like to say “anonymouse”, as in mice. Little annoying creatures who sneak around the edges of the world always running away. I've seen the data dump from BPPA, so unfortunately, it's real.

Stories: 1, 2, 3, 4, 5

 

“Lookit”, hack a website, put a message on it, a la graffiti, and that’s it. Burrowing into the site until you get individual police officers' personal information and then putting it out in the wild is unacceptable. Those approximately 141 people who were arrested by the Boston Police were warned several times prior to being arrested. There is nothing kind about an arrest. By its nature it’s a very confrontational event, therefore, force is usually employed. Did some of the police get a little rough? Probably. Did some of the protesters get a little rough? Probably. People have to understand that the police have to win, that’s why they are out there, period. There’s no discussion on the street. The discussion happens in court, that’s why we have them, to resolve the situation in a just manner.

Let's recap the weekend down at Occupy Boston:

Two individuals were arrested this weekend at the Occupy Boston location for dealing drugs. The drug was heroin, arguably one of the worst substances on the planet. These two 20-somethings apparently were living in one of the tents and had a 6 YEAR OLD BOY with them. Obviously, with stuff like this going on in the “occupods”, the police will have to now keep an extremely close eye on the situation. Could the police patrol inside the encampment? According to the protesters they are on public land, so sure, the police could certainly patrol the encampment and actually sit outside certain tents if they so chose. That’s the nature of public land…

Also this weekend, there were about 22 incidents of graffiti on various buildings in the financial district of Boston. A “spokesman” for Occupy Boston has said that they didn’t ask for, nor support the hack into law enforcement’s computers. They will also deny being involved in the graffiti events. Hey boys and girls, sometimes when you start a fire you can’t control it… but you started it, so you own it.

 

The situation down there will only get more and more tense. There have been hundreds of arrests across the country since this thing started. Certainly people can and will protest the arrests, claim police brutality, and say that they are only engaging in their Constitutionally allowed rights.

What about the rights of the men and women of the Boston Police? Do they have rights? They sure do and when some moron or morons hack into websites to steal their personal information and put it out in the wild, those rights are being violated, period. I have written about this type of violation before, and with just as much vigor. Of course, this one is real close to home, as I worked side by side with the Boston Police for years.

 

I sincerely hope that no harm comes to any officer or other member of the law enforcement community as a result of this childish act.


Social Security Numbers Released by the Social Security Administration?

 

When you are born in the United States you are entitled to a "social security number." I say entitled, because it doesn't seem to be required, at least it wasn't. I didn't get mine until I was applying for my first job. My mother took me down to the Social Security Administration's office and I got myself a shiny new blue card with a number that would follow me my entire life. My children got theirs from the doctor who delivered them (kidding, but it was close in time).

When you die in the United States, apparently the Social Security Administration "re-categorizes" you as deceased in what is called the Death Master File or DMF. I can see the usefulness of that. It seems logical that you'd want to make sure that a decedent's SSN isn't used by anyone else... But what if, just maybe, the SSA listed you erroneously on the DMF? But wait, I'm not dead, in fact, I'm feeling much better now (remember Monty Python's Holy Grail..bring out yer dead scene? Hilarious).

What is the impact when you are erroneously listed on the DMF? Apparently, and according to people who were erroneously listed on the DMF, you can be turned down for loans and apartments, have bank accounts frozen and other negative events when your SSN is a required aspect. I guess the "inquirer" looks up the applicant's SSN on the DMF and if it's there, then the applicant must be dead (at least their SSN is), therefore the applicant can't have whatever it is they're asking for - because they are dead.

The DMF is apparently available for purchase, but if you buy it, you get the SSN's of living breathing humans because mistakes happen.

According to a report in the Seattle Times by Scripps Howard News Service reporter Thomas Hargrove, the news service purchased the list and then started contacting the "erroneously placed names and SSNs" to inform them that they are listed as dead. One woman said that she has been dealing with her number situation for 10 years! What a hassle.

From the article in the Seattle Times:

Social Security officials admit that, each year, they accidentally release the personal information of about 14,000 living Americans by posting their files among the records of 90 million deceased Americans.

 

WHOOPS, sorry 'bout that. Thanks for telling us though.... Oh, you didn't tell us? You don't tell us? You're not required to tell us?

Apparently the SSA takes the position that they're not required to tell those people erroneously listed that their personal information has been made available to the public, by accident. A data breach by my definition. The article doesn't clearly say that, nor do the quotes from Social Security Officials, but what other conclusion can you draw?

I know, I know, the Social Security Administration didn't KNOW that the mistake happened, otherwise, logically speaking, it wouldn't have happened. And since they didn't KNOW it happened, how could they possibly have informed the people involved?

If you read any of the pending Federal legislation regarding data breach notification requirements, you'll find that constant monitoring is required. If you have the data, it's your job to KNOW if it's been erroneously released.

If the Feds want to place these regulations on businesses across America, they should really clean up their own house first.

 

It's just a metal box...

Someone or someones are becoming a real pest for Sony. It's like that bee that seems determined to get into your soda can. Do you swat it and risk a sting? Let it get in the can? Neither one is a great choice. I say swat it and run the risk...

Sony is reporting that a "massive attempt" to access their gaming network was conducted by parties unknown. Apparently about 93,000 of these attempts succeeded, so Sony locked down those accounts.

 

I have a crazy idea... what if the people who broke in the first time used the old info and thought, "what the heck, let's try to use that info to get back in..." Meaning, they stole usernames and passwords back in April. The Sony "gamers" were back online sometime over the summer. Maybe some of those geniuses used the same username and passwords....? I don't know, but I do know that poor Sony's stock has taken a beating this year. Hang in there fellas, I will still buy your TVs even if the screen can melt!? (see story here)
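The pattern described above, a pile of stolen usernames and passwords replayed against another site in the hope that people reused them, is usually called credential stuffing, and it leaves a distinctive shape in an authentication log: a few sources try many different accounts once or twice each, with mostly failures and a small fraction of successes. The following is an added example, not Sony's code and not from this post: a detector that picks those sources out of a constructed event list and names the accounts they got into, which are the ones that need a forced password reset rather than a plain lockout, since the attacker already holds the password. The events, addresses and thresholds are assumptions for illustration.

```python
"""Spot credential stuffing in an authentication log and list the accounts to reset.

Added example, not Sony's code or from the post. The events, addresses and
thresholds are constructed; addresses are IETF documentation ranges.
"""
from collections import defaultdict

# Constructed events: (timestamp, source_ip, username, result)
SAMPLE_EVENTS = [
    ("2011-10-11T02:00:01Z", "203.0.113.5", "u1", "failure"),
    ("2011-10-11T02:00:02Z", "203.0.113.5", "u2", "failure"),
    ("2011-10-11T02:00:02Z", "203.0.113.5", "u3", "success"),
    ("2011-10-11T02:00:03Z", "203.0.113.5", "u4", "failure"),
    ("2011-10-11T02:00:03Z", "203.0.113.5", "u5", "failure"),
    ("2011-10-11T02:00:04Z", "203.0.113.5", "u6", "failure"),
    ("2011-10-11T02:00:04Z", "203.0.113.5", "u7", "success"),
    ("2011-10-11T02:00:05Z", "203.0.113.5", "u8", "failure"),
    ("2011-10-11T02:10:00Z", "198.51.100.9", "alice", "failure"),  # typo, then got it right
    ("2011-10-11T02:10:09Z", "198.51.100.9", "alice", "success"),
    ("2011-10-11T02:20:00Z", "192.0.2.40", "bob", "failure"),      # brute force on one account
    ("2011-10-11T02:20:01Z", "192.0.2.40", "bob", "failure"),
    ("2011-10-11T02:20:02Z", "192.0.2.40", "bob", "failure"),
    ("2011-10-11T02:20:03Z", "192.0.2.40", "bob", "failure"),
]


def stuffing_sources(events, min_accounts=5, min_failure_ratio=0.5):
    """Sources whose logins fan out across many accounts with mostly failures.

    Returns {source_ip: [accounts it got into]}. A source hammering one
    account (bob above) is a brute force, handled by per-account lockout, and
    is deliberately not matched here.
    """
    per_src = defaultdict(lambda: {"users": set(), "ok": 0, "fail": 0, "hits": set()})
    for _ts, src, user, result in events:
        stats = per_src[src]
        stats["users"].add(user)
        if result == "success":
            stats["ok"] += 1
            stats["hits"].add(user)
        else:
            stats["fail"] += 1
    flagged = {}
    for src, stats in per_src.items():
        total = stats["ok"] + stats["fail"]
        fanned_out = len(stats["users"]) >= min_accounts
        mostly_failing = stats["fail"] / total >= min_failure_ratio
        if fanned_out and mostly_failing:
            flagged[src] = sorted(stats["hits"])
    return flagged


if __name__ == "__main__":
    for src, hits in stuffing_sources(SAMPLE_EVENTS).items():
        print(f"{src}: stuffing run, compromised accounts {hits}")
```

A production version buckets events by time window and rate-limits or challenges the flagged source, but the core signal is the one shown: it is the fan-out across accounts, not the failure count alone, that separates replayed stolen credentials from an ordinary customer who mistyped a password.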

 

As interesting as another hack attack at Sony may be (not), today I will provide a few tidbits about another kind of data breach. Someone breaking into your network to steal information is a comparatively rare event; losing data on a lost or stolen hard drive, laptop, USB memory stick or other portable storage device is far more common.

Let's take the law firm employee whose job it was to take home a portable hard drive so that the firm would have a safe off-site backup of very important data. Seems like that might be an ok idea, so long as that employee doesn't misplace it, or leave it on a train? BINGO, left on a train. I know these things can happen, but when your job is to be the safe keeper of the data, think you might pay a little closer attention to its whereabouts? The firm was involved in a medical malpractice case where numerous patients were suing a doctor who had allegedly performed unnecessary procedures on them. Would you consider these patients' medical records important? Ah yea... sort of "key", right? What do you think was on the drive? The Baltimore Sun is covering it.

 

This next one is special because of the timing. A company called United Healthcare has a medicare program and has personal information for their patient members. United Healthcare also has a company called Futurity First Insurance Group who does marketing and sales for United Healthcare (sales and marketing offered by "insurance group" - ya, I noticed that too).

Anyway, "Futurity" had a hard drive with United Healthcare's patient information including names, social security numbers and in some cases dates of birth and medical information. A treasure trove for the wrong people. Futurity sent the hard drive to a "vendor" for repair. We don't know when any of that happened, but we do know that apparently on JUNE 28th the drive was stolen.

Does the vendor tell anyone? Not until AUGUST 12. They tell Futurity.

Does Futurity tell anyone? Not until SEPTEMBER 14. They tell United Healthcare.

Does United Healthcare tell anyone? Not until this past Tuesday, OCTOBER 11.

What are the key dates here? JUNE 28 and OCTOBER 11. About 105 days between the loss and the proper notification. Think that's enough of a head start for the "wrong people"?

 

The proper tracking of hard drives should be an essential part of a company's security program. If United Healthcare or Futurity had a tracking mechanism in place they may have asked about the drive long before they were told it was stolen. My guess is that they had no idea where it was or what was on it. Since you can't "SEE" the data, it's just a metal box, right? Not so fast, kemosabe. There was some key information on both those devices, wasn't there?

It is apparently going to take a long time to change the culture of security with regard to personal information. It's not a metal box, it's people's personal information. Just because we can reduce the size of millions of pages of data down to something the size of a pen doesn't mean it's any less valuable or important.

There are products and services out there to help, you just have to want to use them. What's going to make companies want to use these products?

How about the Office of Civil Rights (OCR)? It's the enforcement arm of the Health and Human Services (HHS) Department of the United States Government, and it's OCR's job to enforce HIPAA. HIPAA has a few rules about data protection and data storage. I am fairly confident that United Healthcare will be getting a letter from OCR eventually. And what follows will likely be an unpleasant experience for United Healthcare, Futurity and the "vendor", because they're all in the soup now.

 

I have a simple question for you. Do you think either one of these hard drives was encrypted? Well, let's just say that if they were, you're not reading this story.

The tech world loses a visionary

As we've all heard by now, Steve Jobs has passed away. In the past 25 years or so I have been torn between the Mac world and the PC world... My first computer was an Apple IIe. I can still see it in my mind's eye, although physically I have no idea where it is (or what's on it!). After that it was PC after PC after PC. I can't even recall how many there were.

What is really amazing to me is the massive advances that Apple continuously makes that leave the PC in the dust. Even I, a diehard PC person, have to admit that Apple's technology is wicked cool. I do have a G5 at home that is pretty cool, I'm just not sure I'm a "Mac guy"...

In the 80's and 90's I watched Apple get relegated to the "educational institutions of the world" only to reinvent itself as THE consumer computer company over the last 15 or so years. I know that Steve Jobs made that happen. It's also been fascinating to see how for a while there were "mac" people and "PC" people, just check out the ads about it. The way I see it now, with the iPad and the iPhone, it's gonna be a "Mac" world soon enough. Everything else will simply be a copy of theirs. (anyone remember the story about the first graphical interface? Karma's a bitch, Bill)

Rest in peace Steve.

 

PS - I am disgusted but not surprised that within hours of his passing, idiot advertising/affiliate/marketing/scammers started doing their thing. They set up "stevejobsfuneral[dot]com" which has no legitimate purpose. Check out the story over at Threatpost...

A Big One and A Big Question

I spent the early part of the week in "The City" attending a conference. New York City is "the" city, isn't it? I mean the New Yorkers think it is, and after trying to navigate Penn Station at rush hour, on crutches, carrying luggage; ya, it's THE city, it's crowded, hot, and annoying - a real city. But I digress...

 

Here's the Big One: 4.9 million records are missing from a facility in Texas. Apparently, some backup tapes containing medical information on patients who received treatment as far back as 1992 have gone missing. The patients are apparently all current or retired military who received care at military facilities in San Antonio. Reuters is reporting that the tapes were stolen along with other items from an employee's car.

 

Here's the Big Question: Will the information ever resurface or be found?

 

There have been millions upon millions of people's information lost or stolen this year. This happened last year, the year before that and before that, etc. Some of it does surface, but we don't hear about those stories too often, do we?

According to various sources, including a report earlier this year by Javelin Strategy & Research (as reported by the Washington Post), over eight million Americans were the victim of identity theft last year. That's on top of about eleven million cases of identity theft the year before.

OK, millions of records lost or stolen and millions of cases of identity theft. Are they connected?

 

The answer is not that simple. There is an ongoing trend of lawyers filing class action lawsuits on behalf of those people whose information was lost or stolen. The defendants in those suits, Sony for example, ask the question (legally) of the victims: "how were you harmed?" The courts have to find that the "victim" has standing in court in order to allow the lawsuit to proceed forward, so they ask the victims: "tell me, how were you harmed?" You see, "harm" is required in order for the plaintiff to have "standing." The answer given almost every time is: "I am afraid of becoming a victim of identity theft." Well, sorry Charlie, (remember Charlie the tuna?) that fear is not a cognizable harm, so this lawsuit is over.

 

The funny thing about identity theft is that once it starts to happen, all the effort is to stop it and then undo the harm done to the unwitting victim. What about figuring out the source of the problem? How did the information to commit identity theft become available to the bad guys, who are the bad guys and how did they get the information?

 

Figuring out what is called the "point of compromise" can be an extreme challenge for law enforcement. They are not usually concerned with how the bad guy got the information, just that he/she used it, illegally. With resources being what they are, local law enforcement tries to simply solve the crime, not solve all society's issues. They figure out who used the information and then charge him/her. Figuring out how they got the information in the first place is just not really in the budget.

I have had some experience at the Federal law enforcement level, which has significantly more resources. One experience involved an employee at a restaurant who was carrying a "skimmer" to work and when you paid your bill with a credit card it was also being run through the skimmer. Once the number was in the skimmer, the device was brought back to a location which was equipped with a card encoder. Basically, they were able to make duplicate copies of all the credit cards. Not great copies, but useful enough to steal money fairly easily.

Just figuring out that particular point of compromise was a challenge. First the victims had to report the crimes, and if they live in different jurisdictions, the connection among the victims can be difficult to establish. Then realizing that they all ate at the same restaurant on the same day... it just doesn't happen. In the above scenario, many of the victims used the same bank, so the bank noticed the common link between the fraud reports and their expenditures just prior to the fraud. "Hey, look at this, these people all ate at the same restaurant on the same day..." Voila!!
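The bank's "they all ate at the same restaurant on the same day" observation is what card issuers call common-point-of-purchase analysis. The script below is an added example written for this post, not anything from the bank or the investigation; it uses constructed card, merchant and date values, and it shows the fragmentation problem too: a card not reported to this issuer simply never contributes to the signal.

```python
"""Common-point-of-purchase analysis for locating a skimmer.

Given fraud reports (card -> date of first fraudulent charge) and each card's
legitimate transaction history, find the (merchant, day) that the largest share
of victims visited shortly before their fraud began.  All data below is
constructed for illustration; no real cardholders or merchants.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed transaction history: (card_id, merchant, transaction_date).
TRANSACTIONS = [
    ("card-1", "Harbor Grill", date(2011, 5, 2)),
    ("card-1", "Gas Stop", date(2011, 5, 4)),
    ("card-2", "Harbor Grill", date(2011, 5, 2)),
    ("card-2", "Book Nook", date(2011, 5, 3)),
    ("card-3", "Harbor Grill", date(2011, 5, 2)),
    ("card-3", "Gas Stop", date(2011, 5, 9)),
    ("card-4", "Gas Stop", date(2011, 5, 4)),
    ("card-4", "Harbor Grill", date(2011, 5, 20)),  # after card-4's fraud began
    ("card-5", "Book Nook", date(2011, 5, 3)),      # card-5 never reported fraud
]

# Constructed fraud reports: card_id -> date the first fraudulent charge appeared.
# A victim whose card is with another issuer would not appear here at all, which
# is the cross-jurisdiction blind spot the post describes.
FRAUD_REPORTS = {
    "card-1": date(2011, 5, 12),
    "card-2": date(2011, 5, 13),
    "card-3": date(2011, 5, 15),
    "card-4": date(2011, 5, 14),
}


def candidate_points_of_compromise(transactions, fraud_reports, window_days=30):
    """Map (merchant, day) -> set of victim cards seen there.

    Only transactions by reported victims count, and only those that fall inside
    the window_days before that card's first fraudulent charge; anything on or
    after the fraud date cannot be where the number was skimmed.
    """
    hits = defaultdict(set)
    for card, merchant, day in transactions:
        first_fraud = fraud_reports.get(card)
        if first_fraud is None:
            continue
        if first_fraud - timedelta(days=window_days) <= day < first_fraud:
            hits[(merchant, day)].add(card)
    return hits


def rank_points_of_compromise(transactions, fraud_reports,
                              window_days=30, min_victims=2):
    """Rank candidates by how many victims they explain.

    Returns a list of ((merchant, day), victim_count, share_of_all_victims),
    strongest candidate first.  Candidates with fewer than min_victims are
    dropped as coincidence.
    """
    hits = candidate_points_of_compromise(transactions, fraud_reports, window_days)
    total = len(fraud_reports)
    ranked = [
        (key, len(cards), len(cards) / total)
        for key, cards in hits.items()
        if len(cards) >= min_victims
    ]
    ranked.sort(key=lambda r: (-r[1], r[0][1], r[0][0]))
    return ranked


def top_candidate(transactions, fraud_reports):
    """Return the strongest candidate as (merchant, iso_date, victims, share)."""
    ranked = rank_points_of_compromise(transactions, fraud_reports)
    if not ranked:
        return None
    (merchant, day), victims, share = ranked[0]
    return merchant, day.isoformat(), victims, share


if __name__ == "__main__":
    for (merchant, day), victims, share in rank_points_of_compromise(
            TRANSACTIONS, FRAUD_REPORTS):
        print(f"{merchant} on {day}: {victims} victims ({share:.0%} of reports)")
```

With the constructed data the restaurant visit on May 2 explains three of the four reported victims, while the gas station is the weaker second candidate.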

 

So I get a notification in the mail saying that my information was lost... I contact a lawyer and become part of a class action lawsuit. All the "victims" of the data breach want their day in court, so the lawsuit gets filed. This all happens in the immediate aftermath of the breach. No one's identity has been used, however, so none of the "victims" have lost any money or otherwise been harmed (other than the hassle factor). Lawsuit over.

 

Fast forward 4 years and all of a sudden you get a notice in the mail from a debt collection agency looking for $4,250.00 from unpaid credit card debt... You have just become the victim of identity theft.

 

The statute of limitations on bringing suit varies by jurisdiction and by allegation. Some are as short as one year. So if you didn't sue the offending party within one year, you cannot sue, period.

Now, for you lawyers reading this... sure, we can debate when the clock started running. Did the statute of limitations start running at the moment the breach notification went out? Or did it start to run once the "victim" realized that they had actually become the victim of identity theft? But here's the thing, it doesn't matter unless you can get to the heart of the matter: WHERE DID THE BAD GUY GET THE INFORMATION? Which breach? When?

Because in the end, if you don't know where the bad guy got the information, who are you going to sue?

TWO MILLION PEOPLE - DATA BREACH VICTIMS - Mass AG says

What happens twice a day, every day for 20 months? Give up? Some company somewhere loses your personal information.

On Tuesday, September 20, 2011, the Massachusetts Attorney General announced that the personal information of two million Massachusetts residents was subject to a data breach in one form or another. That's one out of every three residents here...

Almost every media outlet in Massachusetts has put something out about the announcement. Here's a few:

Boston Globe

Boston Herald

Although I haven't seen any press release from the AG, the Boston Herald did report a breakdown of the numbers, some of which I will recap here:

1,166 data breaches were apparently reported during a 20 month span starting in January of 2010. Mathematically, that works out to about 58 a month, or 2 a day.

25% were a result of intentional hacking (287), so YES, it's happening in Massachusetts.

16 of the breaches involved over 10,000 people's info, but the majority, 961, involved fewer than 100 people's info, and 351 of that number involved only one person's information.

 

This was a very public announcement and the Attorney General herself says that "they're going to stay on top of it." I am glad to hear that for a couple of reasons.

One is because the whole culture of computer storage of information needs a wake up call. Does anyone remember the 3.5 inch floppy discs? Do you remember how many you used to have? Do you know where any, and I mean any, of them are today? Do you remember what was on them?

I used to have boxes of them, have no idea what was on them, and have no idea where they are today... Of course, I probably didn't have spreadsheets of people's social security numbers, but someone did.

Everyone who collects personal information needs to remember that it's just that: PERSONAL. It's personal to someone, a real person. Those who have it need to be responsible with it.

 

Another reason is simply because I am in the business of helping companies protect personal information. I help them conduct risk assessments, draft company policies and conduct training to reinforce the concept of security. My informal research has shown that many of you out there are still not taking this seriously.

If you are reading this and are wondering if your company has a "data security program" (officially called a WISP or Written Information Security Program in Massachusetts), you should consider this announcement by the Attorney General a wake up call. Think that your company will not be subject to a data breach because they are so rare...? It's happening twice a day, every day. How long do you think it will take to get to you?

Do yourself and your company a favor...give me a call (617.951.2929). It's not often you get to call an attorney for free... I can assure you, if the Attorney General calls you, it won't be free.

 

We were informed about the 2 MILLION that were reported... How many do you think went either unreported or unnoticed by companies?

Our collective Achilles' heel

 

Achilles, son of Thetis and Peleus, hero of the Trojan War, and most handsome of all heroes assembled by Plato to fight Troy, is well known to this day. Not necessarily for his achievements in life, but rather because of part of his anatomy. Achilles’ mom, Thetis, took her son to the River Styx and dipped him in the water believing that this would make him immortal. She held him by the heel, thus his heel did not experience immortality and became his weakness. He was killed when a poisoned arrow pierced his heel.

We have all heard of "Achilles' heel" and most know it to mean a weakness, a major weakness, that once discovered by an opponent, will lead to our downfall. 

  

It appears abundantly clear to me that the existing computer infrastructure of the United States is turning into our Achilles' heel.

 


 

We created the Internet, right? We embraced it immediately, right? We cannot live without it, right? We have completely and absolutely lost control of it, haven’t we?

I recently read an article that said nearly half a billion, (that’s a B, folks), electronic records have been compromised in the last six years.

I usually write about data breaches because they are an easy topic to write about and because there are so many. While on the topic of data breaches, here’s a list of schools that suffered data breaches recently:

University of Wisconsin, Purdue, UNLV, North Carolina State University, Cal Poly Pomona, Missouri State University, University of Hawaii, and the famous little school down there in New Haven, CT, YALE.

 

I have long said that the identity of a student is very valuable. Now it turns out that 43,000 YALE staff, faculty, alumni, and others who were “affiliated” with the University back in 1999 have to look over their shoulder for a while. How’d you like to be able to assume the identity of a Yale graduate? Think you could make that work for you?

This post is not about any one data breach, it’s about them all. We are at a critical juncture in history. Our country has totally committed to the Internet. It has become an integral part of every business, every family, every school, everything… It was truly amazing to watch the Internet grow up. Making it work was always rule number one. Making it secure was irrelevant. This needs to change.

What will trigger this change? I am hopeful that change is already underway. Our military gets it, they know that the Chinese have been invading us, virtually, for a long time now. They’ll likely be able to lock down their data and so long as they don’t make the same idiotic mistake of putting a Private so close to an extreme amount of critical, classified, data, (see generally: Bradley Manning), they’ll hopefully achieve their security goals.

 

If the military gets it, who’s left? Well, we have the rest of Government, the business community and individuals. 

Will increased regulation be the key? Will a requirement to notify people in the event of a data breach be enough incentive to take security seriously? This author says it's time for a wake up call.

We will have to wait and see if: 1) any meaningful regulations are made law, 2) enforcement of the regulations actually occurs, 3) the justice system takes the offenders to task for their hacking activities, 4) the European Union simply shuts the United States off because they are disgusted with our data privacy controls.

 

We are in the age where privacy has become diluted, the effects of which could be profound.

 

Returning to our friend, Achilles... did you know that without your Achilles' tendon you can't walk? I do. Your foot just sort of dangles from your leg. I just had surgery to reattach mine, which I hope explains where I have been for the last few weeks.

Data breach as a protest tactic is just wrong

Over the weekend, the "tools" over at Anonymouse (my new name for them is "anonymouse"), hacked into the website of a public transit agency and released a bunch of information about their riders. They apparently did so in protest of the agency's decision to suspend cell / mobile service in their tunnels and stations.

 

Apparently, on July 3rd, there was a tragic event on San Francisco's public transportation network known as BART. The BART police department shot and killed a man who was wielding a knife. I say "police department" because I don't know if one, two or seven police officers were involved, and really, I don't care. The police carry guns for a reason and sometimes they have to be employed. Maybe there was a better way for that encounter to have ended, maybe not. That's not my call to make, nor is it Anonymouse's either.

 

The officials at BART appeared to have information that a planned protest of the shooting would take place on their trains and be organized and adjusted via cell phone. In the wake of the London riots that were apparently aided in their organization by just such technology, BART shut down cell service in their tunnels and stations. We all saw the carnage that occurred in London. A close family member of mine emailed and tweeted what was happening daily. It was terrible, truly terrible. If you take a minute, you could actually understand why this decision may have been made. I am not saying that BART shut down cell service because of the London riots, I am only suggesting that it would be a logical conclusion.

 

Well, in step the experts over at Anonymouse to tell us what is right and what is wrong. These folks hacked into one of BART's websites, stole 2,000 people's information and posted it. Names, addresses, email addresses, site passwords, phone numbers; apparently they took whatever they could get. The anonymouses were upset about BART's decision to shut down cell service in the tunnels and stations, or was it the shooting that upset them...

 

How does this action accomplish anything? If there was a civil rights violation, there are plenty of ways, legal ways, to address it. If those legal ways fail to bring justice, and sometimes they don't, then shame on us all. Taking rider Mary Jo's BART login information, her home address, phone number, email address and giving it to the world does this: it makes Mary Jo nervous, it makes her scared, it makes her angry. It doesn't do anything to adjudicate whatever happened on July 3rd.

 

In the wake of Hurricane Katrina, something terrible happened on a bridge one night. The men involved, police officers, were convicted of murder. Patience and perseverance were great traits of previous generations that are unfortunately degrading over time.

 

On a few occasions I have opined that these Anonymouse hackers are kids. A few arrests have supported that opinion. If this act was a legitimate protest, it would have, or should have, shut down BART's website, or in some other way expressed the group's disagreement without creating a new set of victims. Adults make decisions, kids act out.

The looting of businesses in London wasn't done in protest of a police shooting, it was absolutely a crime of opportunity committed by cowards.

The larceny of innocent public transportation riders' information and then subsequent release of it to the wild is similarly wrong. With all their skills, they decided to post little ol' ladies' personal information in the wild. Whether other, diabolical, individuals use that information or not will not negate the fear that has likely been generated by its release.

 

I vehemently disagreed with the theft and release of the US Diplomatic cables by Bradley Manning via Julian Assange's Wikileaks. This behavior is not an effective protest tactic. It is extremely dangerous behavior. "Blowing the whistle" on some injustice is one thing, releasing information in hopes of embarrassing someone or some group and then expecting change is simply juvenile, especially when the information being released belongs to innocent people.

 

Just because you CAN do something, (like hack into anything), doesn't mean you SHOULD do something, even if you think you have the right to do so (which you don't).

 

Around the world in a week (of data breaches that is)


 

Of course, I take a vacation and lots of “stuff” happened. Let’s take a trip around the world and see what has transpired…starting in Vegas, baby, Vegas…

LAS VEGAS – Two conventions recently took place in Las Vegas. One was the “Black Hat” convention, the other, DEFCON. Invitees to these events are computer hackers. I think the FBI should have just surrounded the city and shut down all the computer systems. I am pretty sure that a lot of the hacking around the world would have stopped, well, until the first ACLU lawyer showed up. Are these hackers good or evil? Your guess is as good as Wayne Newton’s, but none of the attendees ever admit to being the bad hacker, do they?

 

WORLD WIDE – It was revealed recently that for the last five years a comprehensive cyber espionage effort has been underway. 70 organizations, both public and private, across 14 countries were subject to hacking by an unknown “nation-state”. I’ll give you one guess which “nation-state” is suspected, oh, and it was called “Operation Shady Rat" and the United Nations was one of the victims.

 

JAPAN – Citi, Citigroup, whatever you call that behemoth, suffered another data breach, this time in Japan. Over 90,000 people’s information was allegedly stolen and then sold. How’d they figure out it was sold?

 

SOUTH KOREA – South Korea has about 48 million citizens. Last week 35 million had their personal information stolen. At the same time several million South Korean national ID numbers started popping up on the Chinese Internet. I use the term “Chinese Internet” because they have their own, don’t they? Think these two incidents are related?

 

NORTH KOREA – This one is special… Kim Jong Il has a group of specially trained hackers playing South Korean based video games to get “points” and then has this crew sell the “points” for real cash. According to a New York Times article they have accumulated over $6 million in two years. They’re not really playing the game, they are really hacking into these online gaming sites and stealing the “points” to sell for real cash.

 

UK – A man walks into a pub… usually the start of a bad joke; this time the man leaves behind a USB memory stick with over 16,000 people’s information on it. The man was a contractor for a housing authority, he gets fired and, get this, the housing authority gets in trouble with the British data privacy enforcement organization, the ICO. The memory stick was turned in to police shortly afterwards.

 

US – Anonymous, Anti-Sec, LulzSec, whatever they call themselves, I call them “tools.” This time they called their operation “Shooting Sheriffs Saturday”. The tools targeted rural sheriff departments in the southern United States. Impressive target, you masters of the digits, why not try the local nursing homes while you’re there. Seriously though, I hope that no one gets hurt because of the release of this information. There was a lot of info stolen and published including personal information of police and also confidential informants. To top it off, any credit card info they found, they used to make donations to the ACLU, Bradley Manning defense fund (Wikileaks source), and other odd places.

 

MA – Belmont Savings Bank has been dealt a blow by the Massachusetts Attorney General. The $7,500.00 fine was levied because a Belmont employee didn’t follow an established procedure of putting an unencrypted computer tape with 16,000 people’s account information in the vault. Nope, she left it on her desk and apparently the cleaning crew threw it out. The bank’s trash gets incinerated. I’m not sure I see the issue, AG Coakley…

 

BOSTON – To bring it all the way home, another major hospital is reporting lost patient information. Brigham and Women’s reported that an external hard drive with 638 patients’ information is missing. Dates of treatment, diagnosis and other medical records information was on the drive.

 

Well folks, that’s a short trip around the world via data breach stories. Some of this stuff you just can’t make up.

Beth Israel Hospital suffers data breach - 2,021 people affected

The Boston Globe is reporting today that a major Boston hospital, Beth Israel, has suffered a data breach. This one appears to be "real" in the sense that no records were mistakenly left on a train, the information was purposely stolen via malware.

Hiawatha Bray, a technology writer at the Boston Globe, reports the hospital saying that "an unnamed computer service vendor had failed to restore proper security settings on a computer after performing maintenance on it." Apparently that machine was later found to be infected with a virus which transmitted data files, in encrypted format, to an unknown location. Ask me, it's a trojan, placed via a phishing e-mail... but that's just a guess.

The information taken appears to be medical record numbers, names, genders, birthdates and procedure details. The hospital says that no social security numbers were taken.

I would suggest that based on the information stolen, and the hospital's status as a "covered entity" under HIPAA, formal notification is required. Health and Human Services lists all reported data breaches here. I looked, but could not find this one... Maybe they haven't told them yet.

Interesting how the media finds out fairly early on in these situations, maybe even before the authorities.

 

Under Massachusetts Law, notification may also be required... I say "may" because according to the Globe's report, "medical record number" and "names" were stolen. On the MA Office of Consumer Affairs website, under the "Frequently Asked Questions" section, the question is asked whether an "insurance policy number" qualifies as a "financial account number" requiring notification. The answer:

An insurance policy number qualifies as a financial account number if it grants access to a person's finances, or results in an increase of financial burden, or a misappropriation of monies, credit or other asset.

I am comparing the "medical record number" with the "insurance policy number" for two reasons: one, it's likely that in the hospital's database the medical record number is associated with an insurance policy number (mine is). And two, it's certainly a way to get services under someone else's name.

If I had someone's name and their medical record number, could I show up at a hospital and obtain services via the emergency room? Of course, the bill would go to the victim, right? Why might someone do this you ask? Prescription drug access is one possibility. The FTC has a page dedicated to "Medical Identity Theft" and describes what it means.

The major problem with using the medical record number is that the bad guys would have to know some details about the victim's past before using the number. You can't walk in as a twenty-something female using the medical record number of a fifty-something female... ah, but they took the birth dates as well.

I think it's an open question as to whether notification would be required under Massachusetts law.

 

Do you know what's also an open question? Why doesn't the Massachusetts Attorney General post the reported data breaches? The Federal Government does, the Attorney General in New Hampshire does... New Hampshire posts the actual letters sent to them reporting the breach.

Did you know that I requested all filed notification letters under a Freedom of Information type request... Four months after my initial request I was told that I could have all 2,400 of them, for $2,907.00.

Friday tidbits for our Nation's Birthday

As we approach our nation's 235th birthday we should reflect on our amazing accomplishments. Well, how about just one, the Internet. A marvelous creation that allows for the instantaneous delivery of information anywhere in the world. It started out as a knowledge base for our universities, then the obvious military applications (and money) came along and then the commercial use.

I remember pre-Internet days, although it gets harder each year to remember life "before" the Internet. I don't recall if I was a news junkie in those "pre-Internet" days, and although a curious lad, it was probably a little more difficult to get the information that today is available in my pocket (see: smartphone).

 

Since I am a news junkie, let's see what I found recently:

 

Let's start with LulzSec. Even though in my last post I hoped never to speak their name again, they have seemingly imploded. Ryan Cleary was arrested in England. A search warrant was executed on a house in Ohio that was purportedly the home of a teenage member of the "pinheads" (LulzSec). And I'd like to thank Paul Roberts over at Threatpost for the regular intel on the issues in cyberspace. I recently met Paul, very knowledgeable.

OK, just when you thought that law enforcement was taking them to task, I read a story out of Arizona where the wife of a police officer received a threatening phone call, a bomb threat. In that same story another police officer had a bogus Facebook page set up by someone. There were also personal emails of police officers released. Think these events have something to do with the "pinheads"? Ya, me too. These stories came out as we discovered that a second round of private data belonging to Arizona law enforcement was released. A group named "AntiSec" took responsibility for the second release. How creative... wasn't that the name of the "operation" undertaken by the "pinheads" and the group Anonymous? Their new logo is a combination of LulzSec and Anonymous, so we may or may not be dealing with the same folks.

Of course, we're not dealing with Mr. Cleary anymore now are we? Eventually these folks will all "face the man". I sincerely hope that each one will face severe punishment. This is a clear opportunity to exhibit deterrence.

Along those lines, my last post was picked up by "databreaches.net". That's a site that does a great job compiling all the data breaches that are occurring around the globe. The author thought that I was angry in my tone (I was), seemed to agree with the reasons for that, but seemed to think that I thought that other victims (non law enforcement) of data breaches are less important. You can read it here.

My opinion is as follows: if someone's information is stolen and then released to the world and as a result some harm comes to them it's wrong. There are a lot of things wrong in our world, but they have to be scaled. A punch in the eye hurts, but murder is permanent. Loss of your credit card data is annoying, getting a replacement card solves it. Loss of your personally identifiable information is scary and creates worry, but there are ways to mitigate the potential damage. Being identified as a political dissident and then subjected to murder, torture or other physical harm is absolutely wrong on the highest scale.

You see, I draw a distinction between those harms that are able to be repaired or mitigated and those harms which are permanent. This is an important difference.

Moving on, Citibank says that of the 360,000 plus card numbers stolen, 3,400 of them were used to the tune of $2.7 million, for an average of about $800 each. What happened to the other 350,000 plus card numbers? Hopefully they turned them off, because at these rates, if it had continued, it would have resulted in losses over $200 million (think the APR might go up next year?)

 

And in case you were wondering about your chances of suffering a data breach... we have the Ponemon study that says being a victim of a data breach is "a statistical certainty". Dr. Larry Ponemon is THE standard for these things. I trust his numbers, they are based on significant research (his numbers showed that 90% of 583 respondents reported that they have had a breach in the last 12 months - this is a loss of data and in many cases was attributed to a rogue insider).

 

And helping along Dr. Ponemon's findings, (and probably why there are so many breaches), researchers have discovered a potentially "indestructible botnet". These are the tools needed to be an effective bad guy in the cyber world. Great, they created the TERMINATOR of cyber space.... and I am sure that "they'll be baaack".

 

And to bring it back home to Boston, Massachusetts... where our country started... Yes, it started here. Have you heard about the Suffolk Resolves? Sure, Philly played a role, but really it started here... And so did a class action lawsuit against AOL for violating numerous federal privacy based statutes*. Why I think it's "newsworthy" is because the lawsuit also alleges violation of the Massachusetts Privacy Act and a violation of the Massachusetts Consumer Protection Act. This is a first, but we'll have to wait and see if it's even a real case. The plaintiff lives in Mississippi, her lawyers work in Boston (classic!).

If allowed to proceed it would mean that a private citizen is seeking to "enforce" the Mass Data Privacy law before the State Agency obligated to do so has done so. I say "enforce" because a citizen cannot "enforce" the data privacy law; rather, they can claim that a company in violation of the data privacy law is also in violation of our consumer protection laws, which are "enforceable" by private citizens.

Happy Birthday America!!!

*The suit charges that the companies violated the Electronic Communications Privacy Act (Wiretapping Act); the Computer Fraud and Abuse Act; the federal Video Privacy Protection Act; the Massachusetts Privacy Act; the Massachusetts Consumer Protection Act; and based on tort claims of Trespass to Chattel; and equitable claims of Unjust Enrichment.

A data breach that crosses the line

NATO, the North Atlantic Treaty Organization, "probably" suffered a data breach. I say "probably" rather than "possibly" because that's the word they used on their website. I have to be honest, I didn't even know that NATO had a website. This appears to be your standard, for 2011, run-of-the-mill data breach: we don't know what info they got, when they got it or who got it.

THIS ONE CROSSES THE LINE:

The pinheads over at LulzSec have crossed a major line. They hacked into the Arizona Department of Public Safety and published the names, addresses and other personal information of police officers (including their wives' names and email addresses). They also published a lot of privileged material regarding ongoing operations, training and intelligence.

As a prosecutor, your home address is sacrosanct. You are sometimes viewed as the "reason" some defendant is going to jail. It gets personal, sometimes real personal. On September 25, 1995, Paul McLaughlin, a prosecutor in Boston, was murdered by a gang member he was prosecuting. He was killed in the parking lot of a commuter rail station. He was on his way home and the murderer knew which train he took. The murderer probably didn't know where he lived.

It's one thing to shut down a website: annoying, yes; costly, yes; but does anyone get physically hurt? No.

I actually went and looked at the information that LulzSec stole and posted. They posted the actual names and home addresses of Arizona law enforcement officers and their wives and all their contact information. That is incredibly dangerous. I don't mean a little scary, I mean it's downright dangerous. There's a major incident occurring in that part of the country. The Mexican Cartels are killing 30,000+ people to preserve their drug trade. They kill indiscriminately and prefer to kill law enforcement whenever possible. These animals are insane; do you think they would even hesitate going to a residential neighborhood and killing all the inhabitants of a house? And right now members of the Arizona Law Enforcement community are probably organizing round the clock security for their officers (or at least they should be seriously considering it).

I would like to actually meet one of these LulzSec members. I would like to bring him or her to a couple of neighborhoods in Boston that I know well. I would like to show them what the police do every day and every night. I want to show them the absolutely scary alleys and hallways of Boston where the police do their work. These punks wouldn't last 30 seconds down there.

These "hackers" are nothing. They are doing nothing to further any "cause". They claim to disagree with the Arizona law concerning immigrants, I don't believe them. They are cause-less. I recently read a leaked document which contained a "chat" by alleged members of this group. They sound like a bunch of high school kids sitting around the school cafeteria bragging about how they spray painted the dumpster behind McDonald's.

Also, if you're interested (FBI!!!?), there are some hints in this same document about their locations. I hope that someone is reading them closely. A simple reference to the weather can sometimes be the missing piece you need to figure out a time zone or specific area of a country. Their language is decipherable and the banter back and forth betrays their ages. They switch names back and forth and forget they did it; they make numerous references to body parts, again betraying their age. Profile them, I did.

I know that Wikileaks published some damaging information. Those "cables" from our embassies overseas contained some frank opinions of various situations. Certainly some of those will strain relationships between countries. Hopefully, none of them will get anyone killed.

Stealing money is one thing, putting innocent people in harm's way is completely different. I hope that I never mention the word LulzSec ever again, because in reality, THAT'S their cause.

Finally, an arrest of a LulzSec member

Last week I attended a conference sponsored by the International Association of Privacy Professionals. Their "Privacy Practical Series" is touring the nation and brings with it a wealth of information.

So, let's just check in and see what happened while I was away...

Oh, ADP confirmed their breach. Recall, they're the largest payroll company in the world.

We had another breach of an Internet-based gaming system. SEGA announced the breach of about a million people's information including name, date of birth, e-mail address, and "encrypted" passwords. (Please tell me that they at least held some meetings after the Sony Situation)

And how about this one: There is a virtual currency called "Bitcoin" that is "traded" on an exchange called "Mt. GOX". No, I am not kidding... I spent an hour trying to find a way to explain to you how you earn "bitcoins" and where you "spend" them. I still don't know exactly how you "earn" them, but if I want a piece of software or a game, someone will trade bitcoins for them. I get the basic premise, anything can have "value" within a subset of humans.

For example, there is an island in the South Pacific called Yap, whose money supply was based on rocks. The bigger the rock, the more valuable. Of course, if you take that rock to, say, Hawaii, it's just a rock. These are "special" rocks and there are a fixed number of them and the inhabitants of Yap can get "stuff" because of their particular rock, but really, they're still rocks, except on Yap (PS - they switched to the US dollar - probably wanted to vacation in Hawaii).

Apparently this "exchange", called "Mt. GOX", was recently hacked (the name has a story too, it stands for "Magic The Gathering Online eXchange", you gotta read that stuff). Mt Gox will value the bitcoins against real currency, say the US Dollar. Before the hack, one bitcoin was worth $17.50 USD ($). After the breach one bitcoin was worth as little as $0.01 USD - kind of like taking that rock to Hawaii, right?

Someone or someones hacked into Mt Gox, got hold of the account information for a lot of bitcoin accountholders and dumped (sold) them, devaluing the rest of the bitcoins in existence. Many others who were watching this took advantage of the situation by buying low and selling a little higher, and followed the market all the way to zero. The people who run Mt. GOX say that they're going to "rollback" those transactions. I say good luck. You think the profiteers didn't "exchange" their profits for real money and then withdraw it?

Why do I bother you with such drivel? To point out how a data breach can cause real damage. What if they got into the New York Stock Exchange? Or NASDAQ (which they did, but in a different way)? The results would be absolutely disastrous. Imagine a concerted effort to devalue our currency, or any real currency for that matter. One day your $4 buys a loaf of bread, the next day you need $40. You don't have to be a math major to see how bad it would be...

Which leads me to the final story of the weekend - the "merger" or "re-merger" as it may be of LulzSec and Anonymous. They have teamed up and declared "war" on the governments and banks of the world. They even named it: "AntiSec" for anti-security, I presume. Could this "dream team" somehow affect the world's various currencies?

I usually question businesses for their lack of attention to security, today I am asking the Governments of the world to find these punks. LulzSec took down the CIA's website, THE CIA!! LulzSec has a website (lulzsecurity [dot] com) where they post the stolen information. Now, I know that they can move the site from server to server around the world to avoid detection, but are we (see: Governments) admitting that we can't find them? Can't find the site?

I have met some federal agents who are fairly talented in the cyber world. I know that our Government has the resources to search the entire World Wide Web. Let's put those two together and find these criminals.

BUT WAIT!!! THEY DID FIND ONE!!!

Police in London arrested a 19 year old and are saying that he is a "leader" of LulzSec.

Of course, the LulzSec group is saying that some "poor soul" was "taken down" by the police, but they're still up and running.

Threatpost is also reporting the arrest in more detail.

I am very glad to hear that the FBI and New Scotland Yard are all over this. Of course, with such a decentralized group, they'll never disappear completely, but if the punishment is meted out appropriately perhaps it will deter the next 19 year old from thinking this behavior is "fun."

I suggest we all make a note to see how the justice system handles this individual.

World's largest payroll company, ADP, discloses data breach

This is a developing story, but as of 3:30pm, ADP, Automatic Data Processing, the world's largest payroll company is disclosing a breach.

The Wall Street Journal is reporting this (if they'll give you a free peek).

Reuters is reporting it.

PR Newswire has a statement from ADP.

ADP moves over a trillion dollars a year and has millions of people's bank account information. It appears that the breach occurred at a recently acquired division and was found by a "routine security audit."

This could be minor or this could be huge.

Just think for a minute, the company that pays 1/6th of all working Americans just suffered a data breach. That's a body blow ladies and gents.

Developing....

PS - GO BRUINS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

100 Hours worth of data breaches


It was a busy weekend for the morally questionable, yet technically literate, people of the world. Over the weekend it was revealed that the International Monetary Fund was hacked, suffering what they called a "major security breach." And just yesterday we found out that the United States Senate was breached by LulzSec, a self styled "gray hat" hacking group ("white hat" hackers are supposedly good, "black hat" hackers are supposedly bad, and "gray hat" are just that - in the gray area between).

Just this morning I read about a small-ish business in Rhode Island whose customers reported fraudulent charges on both their credit and debit cards. That breach involved 100 victims. It's not the size that drew my attention, it was the lack of size that did.

And to round out the 100 hours, Anonymous is claiming that they intend to hack into the Federal Reserve on Flag Day, which happens to be today, June 14th. You see, the group Anonymous has an issue with the world's financial institutions, more specifically, the "global banking cartel..." You can read all about it over at Forbes blog.

LulzSec claimed responsibility for the US Senate breach. Anonymous has stated that they want to bring down the global financial cartel of which the IMF is apparently a member, but no claim of responsibility has been made by them.

A quick aside: the IMF is currently involved in the financial bailout of Ireland, Portugal and Greece, three European countries in financial peril. Germany is footing a sizeable chunk of those bailouts through various means. Ireland, Portugal and Greece are required to provide tons of information to the IMF in order to receive the funds. Do you think that Germany was wondering where all that money was going? Did the IMF have that information? An attack of this scale should suggest that the culprit is someone with lots of time and money and information. See generally: a nation state. Maybe Germany would never do such a thing, but how about a certain Asian country who would love to see the financials on every country in the world? (PS - it appears that this was a "phishing incident", meaning a likely e-mail delivery of the MalCode - don't we learn?)

With the major breaches taking place in New York and Washington, what got my attention was little ol' Rhode Island. 100 people's information was stolen and then used. They had all apparently shopped at two local establishments: White's of Westport and Bittersweet Farms. This one could certainly have been a "morally questionable" employee who was "skimming" patrons' credit / debit card info, or it could have been a more "technologically" based event (meaning a computer hack). The article reports that the people involved believe that anyone who used their card between February 1 and now should check their statements. Law Enforcement is saying that the 100 identified victims are likely the beginning.

The moral of this story is: YES, it can happen to you no matter who you are: The International Monetary Fund, the United States Senate, or Bittersweet Farms of Westport, Rhode Island.

Citibank forced to disclose data breach

Citibank, Citigroup, Citi, whatever you call it, it's huge! Obviously a great target for the bad guys of the world. Much like a nuclear power plant may be a great target for terrorists. Don't we have the ultimate security around such facilities? I believe we do. Wouldn't you think that one of the world's largest banks would also have the "ultimate" security?

Apparently they don't. After repeated inquiries by the Financial Times, Citigroup disclosed that as many as 1% of their North American customers' data had been accessed by "hackers". How many is 1% you ask? About 210,000 seeing as they have about 21 million card holders.

Click here to get a list of the latest 400 plus stories on the breach.

OK, is "data breach fatigue" setting in? Are you getting tired of hearing about yet another data breach? Too bad. This year has produced some staggering data breaches, no doubt, but in reality it's a wake up call.

WAKE UP! Technology is a fabulous tool, like the first sword. A sword, wielded properly, can defend a kingdom, but in the hands of an untrained person, it will likely result in his own demise, and subsequently the kingdom. We must respect our amazing technology by not only making it work, but also making it secure. I have repeatedly talked about this concept. Our own technology is being wielded by apparently untrained persons, I fear the demise of our kingdom.

I find it increasingly hard to believe that the cybercriminals of the world can consistently outwit our largest corporations and now banks. Didn't we create the Internet? Are we now letting it be used against us? Are you telling me that Citi can't lock down their data? Really? That's sad.

Just maybe we have to look back at the breach of RSA. Remember that one? They are the security specialists who provide "tokens" to the major institutions in America. I am fairly confident that Citi is one of their customers. I wrote about it back in March and April.

The Citi breach happened at least a month ago according to reports. That puts it in early May. The RSA breach happened in March. During those 2 months what happened? Didn't RSA figure out whose tokens may be compromised? Didn't Citi get nervous about still using those potentially compromised security tokens? Maybe I am all wet and this has nothing to do with RSA.

Maybe Citi had an insider assisting the bad guys, maybe not. Maybe this was an exploit of a "known vulnerability" as we hear so often. Maybe an employee opened an e-mail marked "DON'T OPEN ME IF YOU WANT TO KEEP YOUR JOB".

I don't know how it happened, and quite frankly, I don't care. I just hope that this string of data breaches makes everyone realize that the digital world is very very real. It's not a keyboard and computer screen, it's become part of human existence.

We, as individuals, can learn how to lock our doors, avoid bad situations and try to stay safe. Unfortunately, as participants in the digital world our security is in the hands of others and right now they're not doing such a good job, are they?

PS - I would like to see your WISP, Mr. Citi.........

Banks to sue Michaels for data breach?

Quincy, MA – The Patriot Ledger is reporting that between 15 and 20 Massachusetts banks are replacing their customers’ debit cards and refunding fraudulent withdrawals and expenditures because of the recent data breach at Michaels Stores. The affected stores, relevant here, were located in Hanover and Braintree.

Apparently, banks all over the country are doing the same thing as a result of the Michaels breach.

The banks are not happy about having to replace the cards, and with good reason. They’re not the ones who lost the information; the retailer – Michaels - lost the information. Not so much “lost” but “allowed it to be stolen” in a sense. At least that’s the banks’ position.

The Ledger quotes Tom Chew, Vice President of Hingham Institution for Savings, as saying:

“We end up eating the fraud. We think the retailer should have some responsibility. It was their lack of due diligence that allowed the whole thing to happen.”

The banks in fact do “eat” the fraud. If you shopped at Michaels with a debit card between February 8th and May 6th and your card was “skimmed” or copied, it may have ended up being used in Las Vegas or somewhere in California. If you, as the customer, notice that fraudulent expenditure, and you report it to your bank, the bank will put the money back into your account and issue you a new card. All on their dime.

Ok, why doesn’t the bank just sue the retailer? Because they lose. Remember TJX? There were 45 million cards involved there. Many banks did sue TJX. The lawsuits in the TJX mess involved numerous allegations, numerous parties and numerous legal issues. Some parties settled, some appealed, but in the end the banks didn't prevail. Why was it all so legally complex?

You see, in order to take credit cards at your place of business, and become a "merchant", you must have a contractual relationship with an “acquirer.” The merchant does not contract with VISA (for this example). The acquirer has a contractual relationship with VISA. VISA has a contractual relationship with the bank, known as the “issuer.” The bank and the retailer/merchant do not have a contractual relationship. The bank and the acquirer do not have a contractual relationship. VISA runs the whole shebang. VISA makes the associated electronic communications between the merchant/acquirer/issuer. [Visa Visual Transaction.pdf]

A little Contracts 101: If I hire you to paint my house and give you money and you don’t paint my house, I can sue you for the money. If I hire you to paint my house and give you money and you give that money to another guy because you owed him money, and the house doesn’t get painted… I can’t sue that second guy. We don’t have a contract. I have to sue the first guy. Maybe the first guy sues the second, but I can’t (at least not “on the contract”).

A little Contracts 201: There is a concept called “3rd party beneficiary” in contract law. If two people make a contract for the benefit of a third, that third party has certain rights under that contract even though he is not a “party” to the actual contract. This 3rd party has to be the “intended beneficiary”, meaning one of the purposes of the contract is to benefit the 3rd party. If it is an “unintentional benefit”, then the 3rd party has no rights. Back to my house: if I hire the first guy to paint my house, give him the money, and he gives the money to the second guy… and the second guy signs a contract with the first guy to paint my house, then I am an intended 3rd party beneficiary and if he doesn’t paint my house I can sue him, even though we don’t have a contract.

The banks and the merchants do not have a contract. The banks and the acquirers do not have a contract. The banks contract with VISA. The acquirer contracts with VISA. The merchant contracts with the acquirer. In the wake of the TJX disaster, the banks tried to sue the merchants and their acquirer. You see, the acquirer has an obligation to make sure their merchants are following VISA’s operating regulations. Part of those regulations involve strict security measures. If the merchant wasn’t following the security measures, then the acquirer arguably breached their contract with VISA. The banks insisted that they were a 3rd party beneficiary of the contract between VISA and the acquirer because the security measures being enforced were for the benefit of the bank. (And p.s., if you’re confused here, multiply this by 1,000 to get the feeling of studying contracts for the Bar exam).

The banks lost that argument in the TJX litigation, but the devil is in the details.

Before the TJX mess, there was a case in Pennsylvania: Sovereign Bank v. B.J.’s Wholesale. Very similar fact pattern: credit card data stolen from B.J.’s, banks repay losses and replace cards. Banks sue merchant and acquirer. I say “before” because the B.J.’s incident happened before TJX, but the cases were argued and decided in reverse order.

The TJX decision said no 3rd party beneficiaries because the VISA contract expressly said (paraphrased) "there are no 3rd party beneficiaries to this contract.” (decision of Judge Young at the district court level, PDF)

The Pennsylvania decision (pdf) said there may be 3rd party beneficiary rights for the banks because the VISA contract was silent on that issue (you see, VISA is believed to have changed the contract after the B.J.’s case to make sure there were no 3rd party rights).

If you ask me, having Hingham Institution for Savings have to pay back the customer for the money withdrawn in Las Vegas and issue a new card as a result of a breach at Michaels seems unfair. What did the bank do wrong? On the other hand, the small business merchant may be driven out of business because of the huge bill, leaving the consumer empty handed. Many different banks may be involved with one merchant’s breach which arguably puts the banks in a better position to absorb the costs. Who can/should absorb the fraud costs better and keep us spending?

Minnesota passed a law that clearly says that a breached merchant must pay for the costs associated with replacing the cards, and other “associated costs.” Several other states tried to pass similar laws, all were defeated. Notably, former Governor Ahhnold Schwarzenegger vetoed California’s version. The small business lobby must have some sway, fight for the little guy and all that (doesn't gel with the rest of The Terminator's decisions).

As of July of 2011, the “Durbin Amendment” goes into effect. That section of the Dodd-Frank Act will allow the “debit card interchange fees” charged by banks to be “regulated” by the Federal Reserve Bank. In effect, it will lower the rates. The banks argued that those fees helped to off-set the costs associated with fraud occurring at the merchant level. The merchants argued that many of their transactions lost money due to the fees and tight profit margins on small purchases. In the wake of the negative press surrounding financial institutions in America and the Government’s “bailout” of banks, the “small businesses” of America won that battle. (The Dodd-Frank Act is 2,319 pages long, I would insult you to link to that, but for those eager beavers: click here)

Is it “fair” for the banks to have to pay for the merchants’ mistakes?

Is it “fair” for the banks to charge $0.44 for a $15.00 transaction? If the retailer is netting 4% profit, that sale is worth $0.60 to them.

Is it "fair" that VISA, MasterCard, AMEX, and the rest of the credit card world doesn't have to pay for these fraudulent situations? They're making arguably about 3% of EACH transaction - how many in a year? In 2006, someone says 21.6 billion.

The answer probably lies in the theory of “equity”: he who benefits should share the risk of loss.

Now, let’s see: the merchants make a sale, the banks have a happy customer, they both benefit, right? And what about VISA, MasterCard, American Express and all the other credit card brands? Aren’t they benefitting from these transactions? You can bet your bottom dollar they are… (in fairness to the credit card industry, their security requirements, PCI-DSS, are robust and effective, but not uniformly employed).

Two year old children have a hard time sharing, apparently so does big business.

National Data Breach Law Proposed

Another day of rain in Boston. That’s three in a row and at least four more coming. April showers bring May flowers, but what do May showers bring? Not pilgrims. How about data laws. Congress is awash with bills that deal with data in one way or another. They're just lining up down there in D.C.

I was reading through what has been called the “President’s Cybersecurity Legislative Proposal.” It has multiple parts, so today we will only dive into the “Data Breach Notification” [pdf] section, and examine two problems that jump right out at me.

There is plenty of analysis to be completed here, but we have to start somewhere, this is where I am starting:

PROBLEM ONE:

The proposal follows a similar path as most of the bills that seek to protect our data. It defines what it intends to protect: Sensitive Personally Identifiable Information, or SPII. Can’t we all just agree to call it the same thing? Is it “PI” for personal information, or “PII” for personally identifiable information or is it now “SPII” for sensitive personally identifiable information? As much as I like the acronym, SPII (pronounced “SPY” of course), it’s better if we all just called it “PII”. (the mathematicians took over PI a long time ago, remember: 3.14…?)

What difference does it make, you might ask. It makes a big difference, a real big difference. The President’s proposal defines the targeted information as:

(1) An individual’s first and last name, or first initial and last name in combination with any two of the following data elements:

    (A) home address or telephone number;

    (B) mother’s maiden name;

    (C) Month, day and year of birth;

(2) A non-truncated social security number, driver’s license number, passport number, or alien registration number or other government issued unique identification number;

It further defines “SPII” in sections 3 and 4 to include “biometric data” and financial account or credit or debit card number (apparently standing alone), or:

(5) Any combination of the following data elements:

    (A) an individual’s first and last name or first initial and last name;

    (B) a unique account identifier, including a financial account number or credit or debit card number…

    (C) any security code, access code or password or source code that could be used to generate such codes or passwords.

Note the missing information: e-mail addresses. I guess the Epsilon breach wasn’t that big a deal then, now was it? That party hasn’t even started yet – the bad guys are still designing the PHISH!!!

Recall our good Senator Kerry and his far flung fishing buddy, Senator McCain’s “Commercial Privacy Bill of Rights” definition of “PII” was (paraphrased) name, address, E-MAIL ADDRESS, (emphasis added), phone number, Social Security or other Govt number, credit card number, a “unique identifier that alone could be used to identify an individual”, and biometric data.

And for completeness, let’s get Massachusetts’ definition of PI out here too:

a resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:

(a) Social Security number;

(b) driver’s license number or state-issued identification card number; or

(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account…

So we have PI, PII, and now SPII and they’re all different or “legally distinct” as one may say. Wow, what a fabulous example of you say tomAYto and I say tomAHto… but what’s the third guy supposed to say?

OK, I can accept the differences at some level because in practice it will just make more work for lawyers like me. (see generally $$$) I point them out to emphasize the chaotic storm that is raging in Congress. We can’t seem to agree on what we want to protect. Imagine if all the different definitions, PI, PII, SPII, are put into law. What data did you lose, Mr. Company? Oh, you lost this, then you've got to tell so and so. But if you lost that, you've got to tell them over there. But if you lost a combination of this and that, you need to tell them. It's like an Abbott and Costello routine.
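To make the "legally distinct" point concrete, here is an added Python triage helper (not code from the proposal, from 201 CMR 17 or from this post's author) that applies the two definitions quoted above, the proposal's SPII and the Massachusetts PI definition, to the field names present in a lost record and shows the same record landing under one, both or neither. The field labels, the sample records and the reading of paragraph (5)'s "any combination" as two or more of its three elements are this example's own assumptions.

```python
"""
Breach-triage helper: given the field names present in a lost record, report
which paragraphs of the federal proposal's SPII definition and which clauses of
the Massachusetts "personal information" definition the record satisfies.
Added example; the field labels below are this example's own, not legal terms.
"""

# Federal paragraph (1): a name plus any TWO of these elements. "home address
# or telephone number" is one element (A), so address + phone counts once.
FED_ELEMENT_GROUPS = {
    "A: home address or telephone number": {"home_address", "telephone"},
    "B: mother's maiden name": {"mothers_maiden_name"},
    "C: month, day and year of birth": {"date_of_birth"},
}
# Paragraph (2): a non-truncated government-issued identifier, standing alone.
FED_GOVT_IDS = {"ssn", "drivers_license", "passport", "alien_registration", "other_govt_id"}
# Paragraphs (3)/(4) as the post reads them: biometric data, or a financial
# account or card number, each standing alone.
FED_FINANCIAL = {"financial_account", "card_number"}
# Paragraph (5): name / account identifier / security code "in any combination";
# assumption for this example: at least two of the three kinds must be present.
FED_SECRETS = {"security_code", "access_code", "password", "code_generating_source"}

# Massachusetts: a name plus any ONE of these elements is enough.
MA_ELEMENTS = {
    "ssn": "(a) Social Security number",
    "drivers_license": "(b) driver's license number",
    "state_id": "(b) state-issued identification card number",
    "financial_account": "(c) financial account number",
    "card_number": "(c) credit or debit card number",
}
# Note what is absent from every set above: "email". An Epsilon-style loss of
# name + e-mail address matches neither definition.


def has_name(fields: set) -> bool:
    """First+last or first-initial+last name, the form both definitions use."""
    return "last_name" in fields and bool(fields & {"first_name", "first_initial"})


def federal_spii(fields: set) -> list:
    """Paragraphs of the proposal's SPII definition this record satisfies."""
    hits = []
    groups = [label for label, names in FED_ELEMENT_GROUPS.items() if fields & names]
    if has_name(fields) and len(groups) >= 2:
        hits.append("(1) name + " + " + ".join(groups))
    if fields & FED_GOVT_IDS:
        hits.append("(2) government-issued identification number")
    if "biometric" in fields:
        hits.append("(3) biometric data")
    if fields & FED_FINANCIAL:
        hits.append("(4) financial account or card number")
    kinds = [has_name(fields), bool(fields & FED_FINANCIAL), bool(fields & FED_SECRETS)]
    if sum(kinds) >= 2:
        hits.append("(5) combination of name / account identifier / security code")
    return hits


def massachusetts_pi(fields: set) -> list:
    """Clauses of the Massachusetts PI definition this record satisfies."""
    if not has_name(fields):
        return []  # every Massachusetts clause is "name in combination with ..."
    return [label for name, label in MA_ELEMENTS.items() if name in fields]


def triage(fields) -> dict:
    """Which definition(s) a lost record falls under; empty lists mean neither."""
    fields = set(fields)
    return {"federal_spii": federal_spii(fields), "massachusetts_pi": massachusetts_pi(fields)}


if __name__ == "__main__":
    # Constructed sample records, one per scenario the post touches on.
    samples = {
        "Epsilon-style (name + e-mail)": {"first_name", "last_name", "email"},
        "Mailing list (name + address + phone)": {"first_initial", "last_name", "home_address", "telephone"},
        "Name + address + full birth date": {"first_initial", "last_name", "home_address", "date_of_birth"},
        "Michaels-style (name + debit card + PIN)": {"first_name", "last_name", "card_number", "access_code"},
    }
    for title, record in samples.items():
        print(title, "->", triage(record))
```

Run as a script it prints one line per constructed record; note that the name-plus-birth-date record is SPII federally but not PI in Massachusetts, while the Epsilon-style record is neither.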


PROBLEM TWO:

Let’s get to what’s likely to become the scuttlebutt here in Massachusetts: STATE LAW PREEMPTION.

The Federal Government is allowed to pass laws that “pre-empt” or trump the various state laws because of the “supremacy clause”, Article VI, clause 2, of the U.S. Constitution. (U.S. Const. art. VI, cl. 2. – hope that’s proper citing, old law school profs, been a while) The Federal Government also has significant leeway in passing “supreme” laws in the area of “interstate commerce”. Those two words are dropped more often than “my uncle’s a cop” after being pulled over by the “staties” here in Mass. It’s where Congress gets a lot of their juice. You can be sure that if they can get a law passed in furtherance of protecting interstate commerce, they will.

In what has been called “Section 109”, the President puts forward the following language in his proposal:

Sec. 109 Effect on Federal and State Law

The provisions of this title shall supersede any provision of the law of any State, or a political subdivision thereof, relating to notification by a business entity engaged in interstate commerce of a security breach of computerized data, except as provided in section 104(c).*

*for completeness: section 104(c) says essentially the States can require that the notice sent out after a breach include any “victim assistance program” offered by that particular State.

You noted the use of “interstate commerce”, right? It appears throughout the proposal.

So my question to ponder as I sail adrift in this storm is whether the Massachusetts requirement that businesses have a Written Information Security Program will be eliminated by the passage of this bill in its current state. You see, the proposed Federal law specifically says “supersede any provision of the law…relating to notification…” It doesn’t say any more or any less.

My initial read on this is that the Federal Government is trying to standardize the notification process by trumping all existing notification rules. The proposal lays out what the notification has to say, who it goes to and when. I can see the value in having a standardized approach to that, but there are problems, “mattey!” (as in a ship’s mate – have you noticed the theme here?)

This law only applies to those companies who handle, (own, license, etc.) SPII of at least 10,000 people in a 12 month period. So, if I am a smaller company (i.e. less than 10K people’s PI, PII or SPII) in Massachusetts, am I off the hook?

But recall our “interstate commerce” connection. In order to have significant Federal involvement, and “supremacy”, the Feds really have to rely on “Interstate Commerce” as their basis to get involved. So this law only applies to those business who have at least 10,000 people’s information AND are involved in interstate commerce.

 

So, I am a small accounting firm or architecture firm, I do keep PI around, both of my employees and clients/customers. I employ lots of mobile devices and transmit the PI across the Internet on a regular basis. But all my business is in Massachusetts.  I paid big money for encryption software and other upgrades in order to be in compliance with the Mass regs… are you telling me that after only one year it’s going away?

 

There is an analogy… sort of… Back a bunch of years ago, Boston passed a rule/law that required restaurants to have a separate room for those customers who choose to smoke. That room had to have its own ventilation system. Many restaurants actually built out those rooms at a significant cost to the business. What happened next? Government passed a law that outlawed smoking in every restaurant, period.

 

Yes, that’s right, even government can change their mind.

 

It’s not clear that the proposal will actually sink the WISP, in fact there are several arguments to be made that the regulations under 201 CMR 17 will still stay in effect with the force of law. It’s just that there are arguments to be made that the passage of this proposal will put that issue “in play.”

This proposal now has to take the route made so famous in Schoolhouse Rock's "I'm just a bill... yes, I'm only a bill and I'm sitting here on Capitol Hill..." Do you remember how that ended?

 Bill2.jpgschoolhouse rock bill dies in committee.jpg

 Assigned to committee..... amended, negotiated, amended some more.

And it died in committee...

 

 

 

 You can be sure that your author will watch this situation closely.

 

Massachusetts State Agency suffers data breach

It appears that one of the State of Massachusetts agencies has suffered a data breach. The Executive Office of Labor and Workforce Development (EOLWD) released a statement today announcing the possible breach.

Hiawatha Bray of the Boston Globe is covering it, as well as the Boston Herald.

It appears from the statement that a virus was discovered on or about April 20, 2011 and steps were taken to eliminate the virus. Computer security firm Symantec was involved.

Those steps appeared not to have worked. Yesterday, May 16, 2011, the EOLWD learned that the virus had not been eliminated, but rather "persisted" and caused a "data breach."

The data involved appears to include Personal Information of unemployed individuals and employers who filed their required paperwork manually. The virus seems to have captured the information as it was being manually typed in at the infected work stations.

The statement says as many as 1,500 computers were affected and possibly up to 1,200 companies who filed their paperwork manually. The State is not saying how many individuals' information was involved because:

"There is no mechanism available to EOLWD to assess the actual number of individuals affected but any claimant who had their UI file [sic] manually (about 1,200 out of 180,000) may have had identifying information transmitted through the virus. For a claimant to have been impacted, a staff person would have had to key in sensitive information at an infected work station."

The period of time that "filers" should be concerned about is April 19, 2011 to May 13, 2011.

MGL 93H obligated state agencies to develop certain protocols for data protection. Executive Order 504 does this and has some significant requirements. I can't help but wonder if a thorough review of those requirements would be enlightening.

They're calling it a virus, but I did a little research into the named "malware", "QAKBOT". It has been around since 2007 and has many variations, which makes it difficult to pin down and get rid of. Here's the interesting part: it's considered "Low Risk" by Symantec, the company who was providing security to EOLWD. Symantec also called it "easy to contain". Guess they're going to have to revisit that opinion.

UPDATE: 5/18/11

We now know that 210,000 people's information is alleged to be compromised as well as possibly 1,200 companies' information. Guess they found a "mechanism" to assess the actual number of individuals affected.

Sony data breach discussion on Lawyer 2 Lawyer

Yesterday, May 12, Legal Talk Network aired their talk show, Lawyer 2 Lawyer. The topic: The Sony Data Breach... The host: Bob Ambrogi... The guest: ME. That's right, little ol' me!

It was an honor to be asked to discuss the issue. There were two guests, myself and Justin Brookman, Director, Consumer Privacy, at the Center for Democracy and Technology. Mr. Brookman had testified in Congress about data breaches only last week.

OK, the talk show is legit. They discuss real issues and have really good guests. How in the world did I end up on the show?

Maybe it's because I took a shot at the plaintiff's bar and their Sony lawsuits. (and by the way, I got voice mails and emails from people who want in on the suit, how ironic) Or maybe it's because I try to shoot as straight as I can on these issues.

For whatever reason, I did get the opportunity and enjoyed the experience. If you have some time, have a listen.

What's really strange is that even after all these years of listening to myself try cases and elicit Grand Jury testimony, I still don't like the sound of my voice... I guess some people are just like that.

Michaels' Data Breach Hits Massachusetts

If you have shopped at this store recently, you should read this blog post and all the available press releases issued by Michaels.

May 4th press release

May 10th press release

According to the company's May 10th press release, Michaels stores located in Burlington, Braintree, Everett and Danvers have had their machines compromised. They are saying that their "PIN pads" have been "tampered with".

Bank of America has reached out to some customers and informed them that they are replacing their cards. According to the Chicago Tribune, 2 "staffers" at the LA Times were contacted by Bank of America and asked to call them at an "800" number. When they called, they were allegedly told by the B of A representative that their "card was part of a mass compromise". A Bank of America spokesperson is now saying that the rep on the phone is "mistaken" about the "mass compromise" and no further comment.

The news of problems with Michaels credit/debit card PIN pad machines was first disclosed by them on May 4, but appeared at that time to have been limited to the Chicago area. It is now being reported that at least 90 individual PIN pad machines have been "tampered with" in 20 states.

Michaels last listed 80 different stores in 20 states where they have confirmed that the machines have been tampered with.

Brian Krebs over at his blog, KrebsOnSecurity.com, reported yesterday that a named police officer told him that withdrawals from the compromised accounts are taking place in Las Vegas and other West Coast locations, and exceed a million dollars. The withdrawals are in the $500 range and are made at ATMs. That means that the bad guys are making new cards with the stolen information, and are probably frustrated by the $500 per day limit on the accounts.

Please allow me to put this in context... The machines involved here may look like the ones pictured here:

[Images: three PIN pad terminals]

I don't know the exact type that Michaels uses (happy about that right now), but what I do know is that if the device was physically tampered with then the bad guys either have a very, very fast car or there are a whole lot of them. 20 states? 80 different locations?

What may come out is that the bad guys actually swapped out the real machine with a fake one. The fake one has been redesigned to copy all the credit card/debit card and PIN information being transmitted on the machine. In the old days the bad guys had to come back for the machines. I am aware of certain technology that now allows the information to be transmitted from the compromised device to the bad guys' location "wirelessly." Usually they have to be somewhat nearby, say 1000 feet or so. For this one, I have no idea how the scam works.

The scope of this thing is scary. How long would it take to visit the 80 stores in 20 states? Just for fun, I used Google Maps... I put in 2 locations that I know are connected by one highway: Kirkland, WA and Braintree, MA - the highway is Interstate 90 and the distance is 3,086 miles. They say you can drive it in about 2 days and 2 hours; guess Google doesn't sleep.

Seriously, either there are a lot of bad guys in on this operation or the data has been available to the bad guys for a long time at some locations. Unraveling this will take a significant amount of time; thankfully the United States Secret Service has been alerted and is likely running the show now. This is in their wheelhouse. Hopefully when it's all over the USSS will tell us the whole story. Ya right.

This is the nightmare scenario for Michaels. I hope they had a "data breach scenario binder" ready. They have to:

1) stop the bleeding, end the breach

2) figure out which numbers were swiped

3) notify VISA, MasterCard, American Express, Discover, Bank of America, Bank of -------, Fred's Credit Union, you get the picture (remember, 20 states, 80 locations)

4) read the applicable statute in the 20 states and make the associated notifications

5) contact their insurers, who are circling their wagons

6) hire a public relations firm

7) call Sony, Epsilon, RSA, TJX, Heartland for advice

8) contact their lawyers - fellas, over here in Boston I know a guy who knows this stuff

As this whole thing gets unraveled, I will see what Michaels' obligations may be under Massachusetts Data Privacy Law, and let you know my results. I will then have to figure out a way to put up a "pay wall" for members of Michaels legal team who will certainly try to read it...

Lawsuits filed against Sony - the game is on

Mirror mirror, on the wall... which Complaint will tell it all?

Almost immediately after the announcement of the Sony breach, a lawsuit was filed in the State of California, the "California Complaint". On May 5, 2011, yesterday, a lawsuit was filed here in Massachusetts, the "Massachusetts Complaint". (thanks to Universal Hub for the complaint)

I have read both complaints and have concluded that plagiarism is alive and well. Of course, this is not to accuse any fellow lawyer of any impropriety, but if you take the time to read both complaints it is amazing how often both lawyers use the exact same sentence, same paragraph structure, same everything.

I was curious how these plaintiffs found these lawyers... you see, in the California case, the plaintiff, Mr. Kristopher Johns, lives in Birmingham, Alabama. His lawyers? Novato, California. In the Massachusetts case, the plaintiff, Dawn Thompson, lives in "Essex County"; the lawyers? Wareham, MA. (about 70 miles south of Essex County)

Did the plaintiffs find the lawyers or did the lawyers find the plaintiffs?

And here I was thinking that a PlayStation user may walk into my office looking for legal representation, I am so naive...

After reading both complaints, side by side, I was amazed to find out that both plaintiffs purchased their Sony PlayStation "in or around 2009." Certainly could have happened, 2009 was a long year. The California Complaint claims that 77 million people's information was lost, while the Massachusetts Complaint claims "over 100 million" people's information lost. I guess California should have waited a week, they would have been informed of "part Deux", the second Sony breach.

In the California Complaint, in the section marked "Substantive Allegations", paragraph 33 it says:

"On information and belief, members of the Class have begun to experience losses from fraudulent use of credit car information believed compromised by the security breach alleged herein."

You want to guess what the Massachusetts Complaint says in paragraph 32?

"On information and belief, members of the Class and Subclass have begun to experience losses from fraudulent use of credit card information believed compromised by the security breach alleged herein."

The California Complaint in paragraphs 40 and 43 claims that Sony left credit card information "unencrypted."

The Massachusetts Complaint in paragraphs 38 and 41 claims that Sony left credit card information "unencrypted."

So, even given the benefit of additional information, the Massachusetts Complaint is still taking the position that the credit card data was "unencrypted" and is being fraudulently used.

There has been no evidence that the credit card information has been used fraudulently, at least no credible publicly disclosed information, and Sony has always maintained that the credit card data was encrypted. Maybe these lawyers know more about the details than I do.

I am seriously thinking about doing a copy/paste job and putting my brother's name on it... I know he uses PlayStation and I don't care if he had a credit card on their system.

This is turning into a game. Both Complaints essentially ask for the same thing: Money. (How about that BILLION dollar lawsuit coming out of Toronto) Who wins the game? Is it the first lawsuit in? The second? The biggest law firm's complaint? The firms involved here are very experienced in these matters and can probably do a great job. Does a guy from Birmingham, Alabama and a woman from "Essex County" really represent the injury sustained by the public from the massive Sony data breach?

The injury from this data breach is not so simple to gauge. What if it turns out that it was a couple of "Script Kiddies" who pulled this off and the data never left their basement? Much ado about nothing in that case. What if it turns out to have been committed by true cybercrooks? Potential problems for years in that case.

The real injury here is to the confidence the public has in the digital world. Does anyone feel safe putting their information online? At the same time, do we have a choice?

Eventually, Sony will pay out millions of dollars because of this breach. Most of that money is in lost revenue, declining share price, internal costs associated with the investigation and rebuilding the system. Various State Attorneys General have gotten in the act, subpoenas need to be responded to, fines may have to be paid. There will be a significant legal bill to pay to defend suits like the ones discussed here. Even if the lawsuit can be won from Sony's end, it's not free to defend and in many situations, it's cheaper to settle it early.

I believe that "Justice" really doesn't play much of a role in cases like these. The counter argument to that is that by making companies pay significant sums, they will change their behavior so that future harm is prevented. And other companies similarly situated will take steps to avoid getting in the same situation, thus "protecting the consumer".

In reality, everything is about money, well, except Star Trek. Bonus points for the person who can tell me which episode the screen shot below comes from. One hint... Kirk and Spock encounter a transporter issue and end up in an "alternative universe" and their counterparts end up on the real Enterprise, except that the counterparts are really bad guys; they just look exactly like Kirk and Spock, who has a goatee. (oh, and it's in the first line of this post)

[Image: Star Trek screen shot]

Are these the good ones or the bad ones?

Sony Data Breach, part deux: tu as cassé ma confiance (you lost my trust)

Sony has a new problem: a recently disclosed second data breach. A Part Deux, if you will.

It's not actually part two because it happened at either the same time or just before the "other" one. Of course, we're just hearing about it now... That seems to be their method.

24.6 MILLION (with an M) people's information stolen... That brings the total from the Sony breach to over 100 million people's information. That's a third of the country. I sincerely hope that there is some overlap between PSN (PlayStation Network) and SOE (Sony Online Entertainment). OK, I know, of the 77 million in the original breach or "OB" only 36 million were US citizens. Of the next 24.6 million in the new breach or "NB" we don't know yet how many were US citizens. We do know that 12,700 credit card numbers, debit card numbers, and financial account numbers from the NB belonged to non-US citizens in places like Germany, Spain, Austria and the Netherlands. (Good luck in Germany, Sony, their data breach laws are b-brutal)

I have a new question for Sony: Do you have any other online gaming systems?

Just curious.

100 million... that's a big number... and I got to thinking about my Kindle. How many Kindles are out there? This gentleman suggests over 5 million heading into 2011. Remember way back when it was cold and snowy I told you about my Kindle? I got it from Amazon and during the "setup" I had to give them a credit card number. I wonder how that number is doing today? Is it warm and fuzzy all wrapped up in unbreakable encryption? Or is it getting chilly sitting on a server in plaintext just waiting for a visit. I really don't know. Am I entitled to know? Can I call up Amazon and ask them about their security apparatus?

I spent a lot of time reading their "Privacy, Security and Accessibility" webpage.

In relevant part, at least as relevant a part as I could find:

How Secure Is Information About Me?

  • We work to protect the security of your information during transmission by using Secure Sockets Layer (SSL) software, which encrypts information you input.
  • We reveal only the last four digits of your credit card numbers when confirming an order. Of course, we transmit the entire credit card number to the appropriate credit card company during order processing.
  • It is important for you to protect against unauthorized access to your password and to your computer. Be sure to sign off when finished using a shared computer. Click here for more information on how to sign off.

I can read those words, but what do they actually say? Oh, wait, this is for those people using Amazon's website... but what about me? A Kindle user...

Found it: "Managing your Kindle on Amazon.com"

Doesn't help me, lots of information, but nothing about credit cards... except this: they say that they use something trademarked as "1-Click" to make the credit card purchases.

Is it ok to access free unsecured wifi on the MBTA commuter rail and make a wireless purchase via my Kindle and my credit card? Can someone on the train intercept my data? Is it "encrypted" during that process? Maybe the Kindle doesn't transmit any data via wifi, just my "request" for a new purchase. The rest of the transaction happens at Amazon.com. OK, that's just a guess, but a logical one. What about their servers? Can someone get my credit card number from them? Are they encrypted in a "separate table" like Sony's... Can someone "hack" my Kindle and then "get on their servers" and then "get my data"?

I don't know the answers to those questions, nor does Amazon's website help me answer those questions, and you know what? I'm ok with that. I don't need Amazon's security protocol out in the public domain for every Tom, Dick and script kiddie to read.

I just need to TRUST them, and you'd like to think that we can TRUST them. Incidents like these at Sony where 100 million people's information is taken are shaking that TRUST, now aren't they?

Misinformation in the Sony data breach case

Last Friday, I posted a question: "Did Sony lose credit card data or not?"

I guess the answer will remain, "They don't know." (or won't say)

Rumors are scary things, especially when they turn out not to be true.

In the world of law enforcement, information releases to the public should be tightly controlled. You don't want someone accused of a crime only to be "unaccused" later on. You don't want to tip off the bad guys that you have certain information or are looking for certain information. Sure, there are times when you publish what you know, or a picture of someone of "interest", but that's usually because you've hit a dead end and need the public's help.

Last night around 10:30pm we were all told that the President would be addressing the nation at 11:30pm. 11:30pm!!!? Really? The "tweets" raged with theories... Almost every major media outlet had a theory... Nuclear explosion? Major Libya update? Sony answering the question about credit cards? What would the President of the United States tell the nation at 11:30pm? Obviously it must be of major importance, or it would have waited til morning, right?

We all now know that the President wanted to tell the world that Osama Bin Laden had been killed by US Forces - an amazing piece of news, no doubt. I want to take this opportunity to thank the members of the intelligence community and the armed forces for their amazing perseverance and perfect execution of the ops plan. I changed careers and entered law enforcement due to 9/11... our whole world changed because of that a**hole, good riddance.

I credit our government with limiting the "rumor-mill" to only one hour of existence.

I question Sony's decision to allow the rumor mill to spin for weeks now.

The Internet allows for rumors to literally blow up - last Friday some of us thought that 2.2 million credit cards had been offered for sale; people claimed to have had fraudulent transactions conducted via "stolen" credit cards. Recall that someone e-mailed me to report fraudulent activity on their card. (** NOTE: the reader who emailed me did not claim that his card had been compromised via Sony, they merely mentioned the fact that they were a PS3 user and recently had fraudulent activity on their card - in fact, they suggested it could have been a coincidence.)

Recall also that I was not taken in by such rumors. I analyzed the available evidence and concluded, likely correctly, that the rumors were highly unlikely. (OK, that's enough of that)

Sony is now saying a little more about the rumors of fraudulent use, but they are still non-committal.

In the wake of a data breach companies have an obligation to INVESTIGATE and NOTIFY as soon as practicable. (meaning wicked soon) The industry standards demand it, the laws require it and the public deserves it.

Maybe there was (or is) a legitimate law enforcement purpose to withhold confirmation about the credit card data's status - but Mr. Sony, if you know it was encrypted and you know that the "key" to unencrypt wasn't stolen - TELL US, because as of 4:30pm on Monday, you still haven't said that, so the rumor mill will continue to spin...

P.S. On such a momentous occasion, I had to find a way to mention the fabulous news out of Washington last night, even though this is a blog about data privacy.

Did Sony lose credit card data or not?

Why can't we get a straight answer to a simple question?

SONY, DID YOU LOSE CREDIT CARD INFORMATION? Yes or No?

Every day you don't answer that question creates a real probability of fraud being perpetrated on the banks.

First it was, "no evidence to suggest" that the credit card data had been stolen.

Then it was, "the credit card table was encrypted, but we still don't think it was taken"

Now there are stories all over the Internet that are saying that Hackers have 2.2 million credit card numbers WITH their associated CVV (that little 3 digit number on the back that you need sometimes)

Your author got an email from a person who said they were a Sony PS3 user and they told me that their credit card was fraudulently used shortly after the date of the breach.

MASSIVE AMOUNTS OF MISINFORMATION

Ordinarily I provide links to the stories that either support my facts, or are the source of information. There are far too many today, and I can't tell which ones are accurate or which ones are merely repeating the information from a different source. If you want to read about the alleged "Hackers" just go to "google news" and you'll see that some 5,000 stories are floating around. Let me sum them up for you:

Someone supposedly was on a "chat forum" where hackers tend to "chat". Apparently one of the hackers was claiming they had the credit card data, 2.2 million card numbers, and were offering it for $100,000.00 - they even allegedly offered "the list" back to Sony for the same price, but were turned down. (Sony denies this happened)

Now there are also stories about fraudulent charges showing up on credit cards that are owned by PlayStation users. The source of these stories seems to be "gaming forum" websites where video game players "chat". I guess a few people have been "chatting" and "Tweeting" that their credit card had been used to buy various things fraudulently. One of the strange stories is that the fraudulent charges have been in Japan, Germany and the United States. And I must note that the charges seem to involve a physical presentment of a card.

Here's my take:

I can't see why the alleged hackers would discuss the matter publicly. From a law enforcement standpoint, if you "chat" online, I will likely find you in a matter of hours.

There are generally two kinds of thieves in a situation like this... ones who use the credit card info and ones who sell it. So far the rumors out there have both events happening.

Sure, credit card data is easily moved around. The data could certainly fly from California to Romania to Japan to Germany, etc. But to have fraudulent transactions conducted in various countries around the world within a very short time frame is highly unlikely. This is especially true because the "victims" are claiming that cash withdrawals happened, groceries in Germany were purchased, and "something" was bought at a "store" in Japan. Simply unlikely.

I don't know if the credit card data was stolen or not. I will take Sony at their word that it was stored in an encrypted table. I don't know if the "key" for that encryption was stolen along with everything else. And finally, I don't know for sure if any or none of the stories about hacking and credit card fraud are true.

What I do know is that Sony had credit card data and with that data you can identify the banks involved. (remember, it's not actually stolen in the physical sense, it's copied - meaning Sony still has the credit card numbers) If Sony would reach out to the banks involved, which they should have already done, the banks could flag those accounts. The banks may then issue new cards to the affected card holders. New cards ain't free ladies and gents, so don't count on that happening, not just yet.

But, I have a solution:

** IF SEVERAL OF THOSE BANKS INVOLVED CAN CONFIRM FRAUDULENT CHARGES AND THE ACCOUNT HOLDER WAS A PS3 USER, WE KNOW THAT THE CARD INFO IS OUT THERE AND THE ENCRYPTION HAS BEEN BEATEN**

Cross reference the banks involved with the PS3 users. At some point the coincidence theory fails and the truth emerges.

Fraudulent charges happen every day. With 77 million people's info involved, and an unknown amount of credit card numbers involved, the truth cannot be discerned from the "victim" reports. They could be coincidence or lies. I take $600 out of my account and then claim I was a victim... not too difficult, is it.

I return to my original question: Were the credit card numbers taken or not? Every day of delay in answering that is potentially costing the banks real dollars in fake fraudulent claims.
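The cross-referencing idea above, turned into a worked check as an added example (this is my code, not anything from the post, from Sony or from any bank): the cardholder records, the bank names and the fraud counts are constructed placeholders, the background fraud rate is taken from the cardholders who are not PS3 users, and the binomial tail test and the `alpha` cutoff are my choices for deciding when the coincidence theory fails.

```python
"""Common-point-of-compromise check: does fraud cluster on cards whose
holders are PS3 users, beyond the everyday background fraud rate?

Added example, not taken from the post. Every record below is constructed;
the bank names and counts are placeholders, not real breach data."""
from collections import defaultdict
from math import comb

# Constructed cardholder records: (bank, is_ps3_user, had_fraud_in_window).
# Background fraud is built in at roughly 1% for everyone; the PS3 group at
# two of the three banks carries an excess that the test should flag, while
# the credit union's PS3 cardholders sit at the background rate.
RECORDS = (
    [("Bank A", False, False)] * 990 + [("Bank A", False, True)] * 10 +
    [("Bank A", True, False)] * 180 + [("Bank A", True, True)] * 20 +
    [("Bank B", False, False)] * 1485 + [("Bank B", False, True)] * 15 +
    [("Bank B", True, False)] * 280 + [("Bank B", True, True)] * 20 +
    [("Credit Union C", False, False)] * 495 + [("Credit Union C", False, True)] * 5 +
    [("Credit Union C", True, False)] * 99 + [("Credit Union C", True, True)] * 1
)


def binomial_tail(k, n, p):
    """P(X >= k) for X ~ Binomial(n, p): the chance of seeing k or more fraud
    reports among n cards if each card only has the background probability p."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def fraud_counts(records):
    """Per bank, [cards, frauds] for PS3 users and for everyone else."""
    counts = defaultdict(lambda: {"ps3": [0, 0], "other": [0, 0]})
    for bank, is_ps3, had_fraud in records:
        group = counts[bank]["ps3" if is_ps3 else "other"]
        group[0] += 1
        group[1] += int(had_fraud)
    return counts


def excess_fraud_by_bank(records, alpha=0.001):
    """Return {bank: (p_value, flagged)}.  The baseline is the fraud rate of
    non-PS3 cardholders across all banks; a bank is flagged when its PS3
    cardholders show fraud that would be this unlikely (p < alpha) by chance."""
    counts = fraud_counts(records)
    other_cards = sum(c["other"][0] for c in counts.values())
    other_fraud = sum(c["other"][1] for c in counts.values())
    baseline = other_fraud / other_cards
    result = {}
    for bank, c in counts.items():
        n, k = c["ps3"]
        p_value = binomial_tail(k, n, baseline)
        result[bank] = (p_value, p_value < alpha)
    return result


def banks_confirming_compromise(records, alpha=0.001):
    """Banks whose PS3 cardholders show statistically excess fraud.  Once
    several independent banks land here, the coincidence theory fails."""
    flagged = excess_fraud_by_bank(records, alpha)
    return sorted(bank for bank, (_, hit) in flagged.items() if hit)


if __name__ == "__main__":
    for bank, (p, hit) in sorted(excess_fraud_by_bank(RECORDS).items()):
        print(f"{bank:15s} p={p:.2e} {'EXCESS' if hit else 'background'}")
    print("Banks confirming:", banks_confirming_compromise(RECORDS))
```

A bank that lands in `banks_confirming_compromise` has more fraud among its PS3 cardholders than the background rate can explain; one such bank could still be coincidence or noisy self-reports, which is why the post asks for several banks. Real common-point-of-compromise work is done on transaction data rather than a membership flag, but the logic is the same: compare the flagged population against a baseline and only call it when the odds of coincidence are negligible.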

     

     

    It's official: Sony suffers massive data breach

    Sony has put out a statement about what happened. I would like to put this in context... Epsilon lost what, 40 million email addresses? The whole nation heard about that, either on TV, radio, Internet or via an email from the myriad of companies who sent out "notifications".

    Sony may have lost 75 million people's information. There are a little over 300 million documented people in the United States. That means that 25% of the population of the United States had information on Sony's network? And now who has it?

     

    Sony has been calling this an "outage", as if it were an electric company after a big storm. Excuse me, the fact that your video game operations are offline is not the problem here, it's the fact that 25% of the United States citizens now are worried about identity theft, or should be.

    Let's get to the specifics: Sony has said the following:

    "...we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained... WHILE THERE IS NO EVIDENCE AT THIS TIME THAT CREDIT CARD DATA WAS TAKEN, WE CANNOT RULE OUT THE POSSIBILITY. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."

    From the statement posted by Patrick Seybold, Sr. Director, Corporate Communications & Social Media.

    I have been reading words written by lawyers for fifteen years and pride myself on being able to tell when they are riding the razor's edge. I don't know if Mr. Seybold wrote it, I doubt it, nor do I know if a lawyer wrote it, but I am sure that Sony's legal counsel had a look at this statement before it went out.

    Note that they are fairly certain that a bunch of your information was "stolen", but they're not quite sure that the credit card info was taken. A very convenient conclusion. Losing the credit card number would certainly make matters worse, but those could be changed... your name, address, etc cannot be changed.

    Everyone stays focused on the credit card number... oh dear, they have my credit card number.. oh dear... LOOKIT, (as my grandmother used to say) with one simple phone call that "credit card" is a piece of plastic, nothing more. Of course, in order to make that happen, you'd have to know that it was missing... and Sony seemed to have waited at least a week to finally tell us that "hey, maybe, well, possibly, ahhh, out of an abundance of caution, let's assume its missing."

    I find it hard to believe that they can't figure this out. This isn't some small restaurant group in Boston who was tech-ignorant... this is freakin' SONY.  I know, they want to be sure before they go public. Not just "sure" but what I would call "no-other-choice sure." (as in, we have no other choice fellas, we have to tell mom we broke the lamp playing ball in the house)

     

    I took a hard look at the Massachusetts Law, MGL 93H, and it's definition of "personal information". Name and driver's license number; name and social security number; name and:

     "...financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account" MGL c.93H s.1(a)(iii)(c)

    If Sony lost the credit card number, and the person is from Massachusetts, bingo - our law applies. If not, well, it's not clear. Could the rest of the information that Sony lost allow access to someone's financial account? Can't tell.

    But let's revisit Sony's statement: recall they said that they can't say for sure if the credit card number was lost. (no evidence, but can't rule out the possibility - remember?)

    MGL c.93H s.3(b)(1)(2) says: "...(1) knows or has reason to know of a breach of security or (2) when the person or agency knows or has reason to know that the personal information of such resident was acquired..."

    There we have it ladies and gents, the razor's edge. They're willing to say to the public that "out of an abundance of caution, presume your card's been compromised." But they don't affirmatively say that they "know" the card info has been compromised. Can you see why?

     

    There are 46 different state laws regarding data breaches. I hereby offer my hourly services to Sony Corporation in assisting them comply with them, in the event they have to...

     

    And, as I like to do in situations like this, let me try to figure out who did it: I think that the perps here are cybercriminals. This one's in their wheelhouse, and now 25% of American citizens' personal information is in Eastern Europe being analyzed for future use.

    Does the Massachusetts Data Privacy Law apply to Banks, Hospitals and other federally regulated entities?



    The regulations (201 CMR 17) say a definite YES.

    The law (MGL 93H) seems to say otherwise…

     

    Read on, my friends:

     

     Section 5 of the Massachusetts Data Privacy Law states:

    MGL 93H Section 5.

    “This chapter does not relieve a person or agency from the duty to comply with requirements of any applicable general or special law or federal law regarding the protection and privacy of personal information; provided however, a person who maintains procedures for responding to a breach of security pursuant to federal laws, rules, regulations, guidance, or guidelines, is deemed to be in compliance with this chapter if the person notifies affected Massachusetts residents in accordance with the maintained or required procedures when a breach occurs; provided further that the person also notifies the attorney general and the director of the office of consumer affairs and business regulation of the breach as soon as practicable and without unreasonable delay following the breach. The notice to be provided to the attorney general and the director of the office of consumer affairs and business regulation shall consist of, but not be limited to, any steps the person or agency has taken or plans to take relating to the breach pursuant to the applicable federal law, rule, regulation, guidance or guidelines; provided further that if said person or agency does not comply with applicable federal laws, rules, regulations, guidance or guidelines, then it shall be subject to the provisions of this chapter.

     

     

    Let’s break this down: “this chapter does not relieve a person…from the duty to comply with…[other] law[s]…” That makes sense, lawmakers didn’t want to make a law that allows someone to be immune from other laws. Okay, so the MA Data Privacy law requirements do not forgive other obligations – got it.

     

    Then we see the infamous intro: “provided however.” In law school the “provided however” essentially meant that whatever you were reading was about to take a sharp left …oh dear… watch out, we’re turning….

     

    … “provided however, a person who maintains procedures for responding to a breach of security pursuant to federal laws, rules, regulations, guidance, or guidelines, is deemed to be in compliance with this chapter IF…”

     

    OK, the legislature has now identified a group (those subject to federal laws) and is granting them “compliance”… IF – if what?

     

    … “IF, the person notifies affected Massachusetts residents in accordance with the maintained or required procedures when a breach occurs; provided further…”

     

    So, if I am an entity that is subject to a federal law and comply with that law I am deemed in compliance with the Massachusetts law if I notify the affected Massachusetts residents when a breach occurs. Check, can do. But we see that pesky “provided further” and our sharp left continues…

     

    … “provided further that the person also notifies the attorney general and the director of the office of consumer affairs and business regulation of the breach as soon as practicable and without unreasonable delay following the breach.”

     

    Seems simple enough: I have rules and regulations promulgated by the Feds that I have to follow if I suffer a loss of data, a breach; in order to satisfy the Massachusetts law I simply have to be in compliance with the federal law and then make sure to notify the Massachusetts residents and also the MA Attorney General and the Office of Consumer Affairs.

    And just to add one more twist to our journey, the good legislature uses “provided further” one more time:

     

    … “provided further that if said person or agency does not comply with applicable federal laws, rules, regulations, guidance or guidelines, then it shall be subject to the provisions of this chapter.”

     

    So, if I ignore the federal laws, I must follow this law – sound right?

     

    Is the inverse true? If I follow my federal laws, do I have to follow this one? The language of the statute seems to suggest that if you follow your federal laws, and make sure that you notify the correct people, you’re all set, or “deemed to be in compliance.”

     

    Let’s see what the legislators said during their debate of the bill: (from the legislative history)

     

    May 9, 2007 ----- RODRIGUES AMENDMENT: Rep. Rodrigues offered another amendment.

    Rep. Rodrigues said, this amendment specifically addresses those industries governed by federal statute and regulation. There are a couple that we know are custodians of much personal information and abide by very strong federal regulations in order to protect that information. This amendment would not exempt them from the requirements of notification, but if they are in compliance with federal law relative to notification, and all of the entities are notified that are required to be notified, they will be in compliance with this bill.

    The House adopted the amendment on voice vote.

     

    Seems very clear, doesn’t it?


    I am a hospital that is subject to HIPAA regulations. Those regulations have strict rules regarding “personal health information” and those rules specifically address what to do if you suffer a data breach. This seems to be exactly what the legislators were talking about when they voted for the “Rodrigues Amendment” and wrote section five, right?

     

    Allow me to refer you to the Massachusetts Office of Consumer Affairs and Business Regulations (“OCABR”) website, specifically the “FAQ’s” or “frequently asked questions” section:(pdf)

     

    I already comply with HIPAA. Must I comply with 201 CMR 17.00 as well? Yes. If you own or license personal information about a resident of the Commonwealth, you must comply with 201 CMR 17.00, even if you already comply with HIPAA.


    I want to be absolutely clear: the regulations in the code (201 CMR 17) are comprehensive and require significant effort to follow. The law, MGL 93H, says there must be regs, the OCABR created the regs. The regs require companies to have written policies, encryption technology, locking file cabinets, etc. It's not a short list.

     

    The law also has this “exception” built into it, doesn’t it?

     

    Why does the OCABR believe that a HIPAA compliant business must comply with their regs?

     I have researched the possible legal outcomes of this, so stay tuned for the conclusion.

     

    ******************************************

     

     

    Blog Hosting Company, Wordpress, hacked, but why?

    I try to keep the focus of this blog on Massachusetts news or news that will or could affect Massachusetts, but I simply could not let this story go by without commenting...

     

    A company who hosts millions of blogs was recently hacked.

    Wordpress is a company that hosts blogs. My blog is hosted by "LexBlog" who focuses primarily on lawyers and their blogs. I credit my hosting company, LexBlog, with teaching me how to do this "blogging" thing and for the design and implementation of my site. I don't really know what happens behind the scenes, but posting and editing is really easy. (I mean it's really hard and takes a genius)

    Apparently Wordpress was recently the victim of a "Security Incident" that resulted in unauthorized persons having access to some of the core information that Wordpress possesses. They posted a blog which discusses the details to an extent.

    What I am wondering is what could a hacker do with the information found on a "blog hosting service" computer? Could the bad guys all of a sudden run around the Internet and start posting their "opinions" on various blogs? I can see it now: This week's SERIOUS RELIGIOUS NEWS BLOG discusses Will Ferrell joining The Office as Deangelo Vickers!!! (that's true actually)

     

    But really, why Wordpress?

    The computer "code" that is used to make things like blogs work can be valuable. Companies' computer systems are often "hacked" for the purpose of stealing the "code". (See generally China v. Google.) Wordpress says that they use "Open Source" code (easily available for free), but that they do have some "proprietary" code on their machines.

    Blog hosting companies are paid by bloggers. Wordpress has lots of options for hosting, including free (but they dump ads on your site) and "premium", where you pay for the various services you want. So, it's highly likely that somewhere in their system they have financial data on someone. Hopefully it's in a different location than the compromised one.

    Maybe the bad guys are after the code or the financial data. But maybe, just maybe, some blogger somewhere said something that the bad guys didn't like... Apparently back in March, Wordpress was the victim of a DDoS attack. (A "denial of service" attack is essentially a billion computers trying to get to your website at the same time, usually causing shutdowns.) Hey, didn't I recently challenge the bad guys in Eastern Europe by saying that they weren't smart enough to hack RSA? Sorry LexBlog...

     

    Data breaches and hacking happen daily, what I find interesting is the target, the "why" as I say. Most of the time it's obvious.... but this one has me perplexed...

    Does an ATM skimming breach require notification under law?

    In my hypothetical, a bad guy puts a "skimming device" on an ATM at a suburban bank, a couple hours later he comes back and retrieves it. He knew when to put it on - he conducted surveillance to figure out the busiest times and busiest days. During his "hit" 155 people used the machine resulting in 155 people's ATM card and PIN number captured by the bad guy.

     

    SKIMMING - an overview

    As I briefly touched on a few months back, skimming occurs in the criminal sense when a device made to look exactly like part of an ATM machine is placed over the actual part. I am talking about the card reader. That little slot where you put your ATM card. You put your card into that slot in order to access the machine, and your funds. The "skimmer" is also reading your card info. Generally the bad guy will need another piece of equipment to complete the act, a tiny camera that focuses on the key pad to record you entering the PIN code.

     

    To recap, the bad guy puts a device on the ATM that "reads" your card. He also places a tiny camera somewhere in the area of the ATM to retrieve your PIN. Later on, he retrieves both items. The device he retrieves has a memory chip that recorded all the card numbers that were used. The camera recorded all the PINs that were entered. A time/date stamp on both devices enables the bad guy to match up the ATM card number with the PIN.

     

     ENCODING - an overview

    OK, now what... the bad guy goes into a retail store that sells "gift cards". You've seen them... you can get iTunes cards in varying amounts, or Walmart gift cards, Target gift cards, just about any type of card you want. These cards sit on the shelf waiting to be "activated". There is no money on the cards until you take them to a register and have them "activated". BUT they have a magnetic stripe that is ready to RECEIVE information... any information... including the newly obtained information from our friend, the bad guy.

     

    With some readily available equipment, he can "encode" the stolen ATM/PIN information onto ANY card with a magnetic stripe, yup, even a calling card for Africa. It doesn't matter what kind of card it's encoded on; once he's done encoding, he's not going to a department store to "present it" - - - he's going to another ATM to use it... the ATM doesn't know it's a Walmart card... it only knows that it's a card with a magnetic stripe.

    He goes, he withdraws and, like Charlie Sheen, he wins.

     

    SOLVING THE CRIME - an overview

    So, the bank... it figures it out**(see below)... recalls the surveillance tapes, and sure enough, there's our bad guy putting it on the machine and taking it off. The bank people will have the start and end of the "skim", a picture of the bad guy and likely a list of all cards used during that period.

    But is that a data breach that requires notification?

     

    Hold onto your hats ladies and gents.... probably not.

     

    You mean to tell me that the bank down the street is KNOWN to have been compromised and you don't have to tell the public or even the 155 poor souls who used the machine?

     

    THE LAW: MGL 93H - Data Breach Notifications

    The Massachusetts Data Breach law says that the data involved has to be (for this example) a combination of "NAME" and a financial account number. If the ATM only reads the card number... and that's all the bad guy was able to obtain... then, well, no name - no notification.

    In fact, the bad guy doesn't even care what your name is... he just wants a working ATM card with the right PIN.

     

    Sure, your name is encoded on the card's magnetic stripe - but here's the funny part: a card's magnetic stripe usually carries two "tracks", Track 1 and Track 2. Because of technical limitations, only one of those tracks can contain alphanumeric characters, both letters and numbers; that track holds the cardholder's name and card number. The other track, which carries no letters, contains your card number but not your name. (Both tracks carry other information as well.)

     

    So long as the bank can say that only the track without the name was the one read, then no notification is legally required.
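The distinction the bank's position rests on can be checked mechanically once the captured reads are in hand. The following is an added example, not code from the original post: it parses reads in the two standard track layouts (in the ISO/IEC 7813 layout, Track 1 is the alphanumeric track carrying the cardholder name, Track 2 is numeric only), groups them by account, and reports for each account whether a name was captured next to the number, which is the name + account number combination the notification question turns on. The sample reads are constructed from well-known test card numbers with invented names and dates.

```python
import re

# Layouts of the two common magnetic-stripe tracks (ISO/IEC 7813).
# Track 1 is the alphanumeric track and carries the cardholder name next to
# the account number (PAN); Track 2 is numeric only and carries no name.
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^?]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)


def luhn_ok(pan: str) -> bool:
    """True if the account number passes the Luhn check-digit test,
    which weeds out garbled or partial reads before they are counted."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits so the report itself holds no full PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def parse_track(raw: str):
    """Parse one track read into its fields; return None if it is malformed."""
    m = TRACK1_RE.match(raw)
    if m:
        surname, _, given = m.group("name").partition("/")   # Track 1 name is SURNAME/GIVEN
        return {"track": 1, "pan": m.group("pan"),
                "name": (given.strip() + " " + surname.strip()).strip(),
                "expiry": m.group("exp"), "service_code": m.group("svc")}
    m = TRACK2_RE.match(raw)
    if m:
        return {"track": 2, "pan": m.group("pan"), "name": None,
                "expiry": m.group("exp"), "service_code": m.group("svc")}
    return None


def assess_capture(reads):
    """Group track reads by account and record whether a cardholder name was
    captured together with that account number (the name + account number
    combination that MGL 93H turns on, as the post explains). Reads that do
    not parse or fail Luhn are counted as rejected rather than dropped silently."""
    accounts = {}
    rejected = 0
    for raw in reads:
        rec = parse_track(raw)
        if rec is None or not luhn_ok(rec["pan"]):
            rejected += 1
            continue
        entry = accounts.setdefault(
            mask_pan(rec["pan"]), {"reads": 0, "tracks": set(), "name_exposed": False})
        entry["reads"] += 1
        entry["tracks"].add(rec["track"])
        if rec["name"]:
            entry["name_exposed"] = True
    return {
        "accounts": accounts,
        "rejected_reads": rejected,
        "name_and_number": sum(1 for a in accounts.values() if a["name_exposed"]),
        "number_only": sum(1 for a in accounts.values() if not a["name_exposed"]),
    }


# Constructed sample reads built from well-known test card numbers; the name,
# expiry and discretionary data are invented for the example.
SAMPLE_READS = [
    "%B4111111111111111^DOE/JANE^25121011234567890?",   # Track 1: name present
    ";4111111111111111=25121011234567890?",             # Track 2 of the same card
    ";5500000000000004=26061019876543210?",             # Track 2 only: no name
    ";4111111111111112=2512101?",                       # fails Luhn: garbled read
]

if __name__ == "__main__":
    result = assess_capture(SAMPLE_READS)
    for pan, info in result["accounts"].items():
        print(pan, "tracks", sorted(info["tracks"]), "name exposed:", info["name_exposed"])
    print("accounts with name + number:", result["name_and_number"])
    print("accounts with number only:", result["number_only"])
    print("rejected reads:", result["rejected_reads"])
```

On the sample reads the first card is reported with both tracks and the name exposed, the second card with number only, and the garbled read is rejected; a capture consisting solely of Track 2 reads would show every account as number only.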

    This leaves a compelling question: do the banks HAVE TO notify the Attorney General and the 155 hypothetically affected card holders?

    Based on sources that I cannot disclose, some banks take the position that the only information read from an ATM "skimmer" is from the track without the name. Their position is that the compromised information came from that track and therefore no notification is required.

    But how do they know? Do they actually KNOW that the skimmer only captures the number and not the name? Or is it a convenient conclusion to reach?

     

    No company wants to go public with a data breach story. It is bad for business, just ask Epsilon.

    I guess that reaching the convenient conclusion is good for business, but is it the right thing to do?

     

    I spent a little time researching skimmers. You have to be careful, you are dealing with a very nasty group of people when looking for ATM skimmers. Most of them lie, some are undercover law enforcement, and some will really sell you a "skimming kit"...  I found one person claiming to sell a skimmer that reads both "Tracks" - it says it's a "hand skimmer" which wouldn't work on an ATM... but it appears the technology is available...

     

    I cannot say with any certainty that a bad guy's skimmer will read both tracks and therefore have your name AND account number. What I can say is that if the bank in my neighborhood was found to have had a skimmer on it, I would want to know because ATM skimmers are like termites, where there's one, there are likely more.

     

    FULL DISCLOSURE: This is a hypothetical situation created to discuss a potential serious data breach that goes undisclosed and unreported. I cannot say what any bank would do in any given situation like this - I would hope that at the very least the cards compromised would be replaced by the bank. I can say with relative certainty that a criminal investigation would follow any ATM skimmer being discovered and under Massachusetts law that investigation takes precedence and will delay any notification... but not indefinitely.

     

    ** "Skimming" incidents are discovered in various ways: sometimes a technician working on the ATM will discover it, sometimes a customer will notice it, and sometimes, after a group of affected card holders have their accounts drained, the bank will cross-reference those cards' recent usage and discover that they all used the same ATM on the same day/time, etc.

    P.S. Skimming is a very popular crime. Brian Krebs of "KrebsOnSecurity.com" has a series of articles on the topic. 

     

    RSA data breach the result of successful spear phishing

    A great story almost slipped by me... With all this "Epsilon" business happening, the disclosed cause of the RSA breach almost went unnoticed. Remember the data breach of the security company, RSA? They're the company that provides computer security apparatus used by government agencies, hospitals, and lots of corporations with extremely sensitive data. I wrote about it a couple weeks ago and gave you five possible theories.

    Guess how the RSA breach happened? Think hard about our aquatic friends...

    Yes, spear phishing.

     

    A lonely email makes its way to the inbox of an unsuspecting employee who opens the "excel spreadsheet" and BAM - game on ladies and gentlemen.

     

    On April 1, Uri Rivner, a key RSA boss, posted "Anatomy of an Attack." You have to give RSA credit for telling the world what happened. Mr. Rivner tells us that there were two "phishing emails" sent to a small group of RSA employees. Apparently the email ended up in their "junk" box, but one employee retrieved it and in the end opened the attachment that released the "malcode" (as our AG calls it) and the rest is history. RSA doesn't hide much, they lay out quite a bit of detail. I won't bore you here, but it is fascinating, and their disclosure does a service for the rest of us.

     

    Today, I want to tell you about "social engineering". My definition is "getting someone to do something that they either don't want to do or don't know why they're doing it". Wikipedia defines it in the context of "security" fairly well.

    How did the "villains" know who to send the "phishing" email to? According to Mr. Rivner's blog, the employees were defined as follows:

    ...you wouldn't consider these users particularly high profile or high value targets. The email subject line read “2011 Recruitment Plan.”

     

     So, the employees were not "high value targets", but they were employees of RSA. A couple of basic facts to consider:

    • The bad guys had to know the employees' email addresses
    • The bad guys had to know at least something about the employees - meaning they knew that the targeted employees were not janitors
    • The bad guys had to get the employee to open the infected file

    Where is information like this available?...   Facebook, LinkedIn, social media sites, that's where. Some people have basic information on their social media sites and some update it so often you know what they had for breakfast. You can tell a lot about a person from reading their social media website. You may even be able to tell what they might do in a given situation... that, my friends, is "social engineering."

    Why would only one of the "targeted" employees retrieve an email from the junk mail box and open an attachment? You work at RSA, you work for a security company, and you open an attachment on an email that your spam filter caught? Something just doesn't make sense here.

     

    Was it something about the name of the attachment that caught that employee's eye? "2011 Recruitment Plan" was the subject line of the email. Why did the bad guys choose to name it that? Maybe because they had been watching the various employees' social media sites and knew that RSA had an ongoing recruitment plan. That's just a guess, a pure guess, but if you're the bad guy and you want to successfully "spear phish" you need some good intel. What's going to make the employee open this attachment? That, as the bad guy, is your operational goal.

     

    We, as digital citizens, put a lot of information about ourselves in the public domain. (oh, I'm sorry did you think that the privacy settings on Facebook keep the bad guys out? How many "friends" do you have and how many of those "friends" have "friends"... and can your friends' friends see your page?)

    As a quick aside, I used to use Facebook regularly as an investigative tool. We would "friend" our suspects' friends and then just sit back and read. It was oh so simple to get access to a guy's site - use a pretty girl. She's not real, she's the police, silly. Plus most of the time the privacy settings were non-existent and their info was public.

     

    Social engineering is made easier the more public we are about ourselves. Spear phishing works. And the combination of social engineering and spear phishing has worked in the most dramatic way in this case resulting in the breach of one of the world's leading security firms.

     

    But what about my five "theories"?

    1. Conspiracy - technically still viable, but I sincerely doubt it now.
    2. Foreign Government Action - gaining ground based on the complexity of the incident
    3. Corporate Espionage - still possible, but unlikely. The same type of attack has been launched against many other corporations leading me to believe that it's from outside the corporate world.
    4. Criminal Organization - I stand by my assertion that this is too complicated for them to pull off. Prove me wrong Eastern Europe, I dare you.
    5. It never happened - It did. This one is out.

     

    One final note: If I was a bad guy and had the EPSILON email data, here's how I would use it:

    I would send an email purporting to be from the affected company apologizing for the inconvenience and in the same email offer to have them removed from our email list by clicking "this" link. Would you click that link?

    Massive e-mail data breach

    A recently disclosed “massive data breach” has affected some seriously large companies. Epsilon is a company who will manage e-mail communication for your company. They will maintain a list of your customers and arrange for direct e-mail communication on behalf of your company.

    Epsilon is also a company who provides a lot of different "marketing" programs with names like "Abacus" that scare me... and try deciphering their privacy policy, or at least figuring out which one applies to you.

     

    Apparently Epsilon has lost a lot of email addresses that they were holding on behalf of some significant companies. Their "press release" is awfully short, but that's because they're probably still figuring out what the heck happened.

      

    Epsilon has been breached by entities unknown. I found a list of companies with whom Epsilon was / is doing business and whose customers are involved in the breach: (provided by Mike Lennon of SecurityWeek)

    • TiVo
    • JPMorgan Chase
    • Capital One
    • Citi
    • LL Bean Visa Card
    • Best Buy
    • Walgreens
    • Brookstone
    • Marriott Rewards
    • Ritz-Carlton Rewards
    • Home Shopping Network
    • The College Board
    • Disney Destinations
    • US Bank
    • Kroger Supermarkets
    • McKinsey & Co.
    • Barclays Bank


    So what, it’s just your e-mail address, right? Wrong. It’s more than your e-mail address, it’s a trusted relationship that has been breached. The customers involved here had “requested” to receive e-mails from the companies that Epsilon worked for… meaning that you might expect the email or, at least, wouldn’t assume any email from these companies to be “spam”.

     

     Oh look honey, an offer from the Ritz… we are such good customers that they sent us a special deal… I just have to click here………………………………

     

     

    Who knows where that click will take you, but I thought that I would take this opportunity to define “PHISHING” for you in case you don’t know how it works.

     

    Wikipedia defines it for us: http://en.wikipedia.org/wiki/Phishing as does probably a half million other websites.

    Fish in water

    Phish in cyberspace

    Let me see if I can distill it down to a simpler concept. Someone sends you an email with a link that you may be expecting, you click on the link and you are taken to what appears to be what you expected, except it’s not. The bad guys went “phishing” for someone. If the bad guys have a solid email address for you and know that you have a trusted relationship with a particular company, it’s called “spear phishing” because it’s actually targeted for you in particular.

     

    You fish for anything swimming by, you throw your spear at one fish in particular, see?

     

    In this breach, one potential outcome may be an email from the Ritz-Carlton Rewards or Marriott Rewards offering a special deal because you are such a good customer. If you haven’t been there in a while or ever, you may suspect something is amiss. If you are a regular customer, and unaware of this data breach, you may follow the link to the “deal”.

     

    The bad guys around the world sit around all day thinking up ways to “trick” us into giving them certain information. How do you get someone’s social security number? Oh, I know, let’s pretend to be the IRS sending a “confirmation of tax return” email. How do you get their bank login information? I know, send them a link that takes them to a page that looks identical to the real bank… and then the unwitting person gives us their account number and password… wow, that was easy.

     

    This is no joke, the bad guys will actually make a fake website that looks just like the real one. There are ways to figure out that it’s a fake, but these are not commonly known. If I told you about security certificates would you know what I was talking about? How about “shortened urls”? Or how about just looking at the address bar at the top of your browser? Things that aren’t commonly known or done.
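The cues just listed can be turned into a mechanical check that runs before anyone clicks. The following is an added example, not code from the original post: given the links in a message that claims to come from a particular company, it flags the ones whose real destination is not that company's domain, that hide behind a URL shortener, that use plain http (so there is no certificate to inspect at all), or whose visible text shows a different address than the one the link actually goes to. All domains and links in it are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Hosts of common link shorteners; a shortened link hides its real destination.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def belongs_to(host: str, expected_domain: str) -> bool:
    """True if host is expected_domain itself or a subdomain of it. The check
    is on whole labels, so 'notexample.com' and 'example.com.evil.net' fail."""
    host, expected_domain = host.lower(), expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def classify_link(link_text: str, href: str, expected_domain: str) -> dict:
    """Apply the post's cues to one link in a message that claims to come
    from expected_domain: where does the address bar really end up, is the
    destination hidden behind a shortener, and is there a certificate at all."""
    findings = []
    parsed = urlparse(href.strip())
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower()      # hostname drops user@ and :port
    if scheme not in ("http", "https"):
        findings.append("not a web link (scheme %r)" % scheme)
    if not host:
        findings.append("no destination host")
    elif host in SHORTENER_HOSTS:
        findings.append("shortened URL hides the destination")
    elif not belongs_to(host, expected_domain):
        findings.append("destination %s is not %s" % (host, expected_domain))
    if scheme == "http":
        findings.append("plain http: no certificate to inspect")
    shown = URL_IN_TEXT.search(link_text)        # visible text shows an address
    if shown:
        shown_host = (urlparse(shown.group(0)).hostname or "").lower()
        if shown_host and shown_host != host:
            findings.append("shown address %s differs from real destination %s"
                            % (shown_host, host))
    return {"href": href, "host": host, "suspicious": bool(findings),
            "findings": findings}


def classify_links(links, expected_domain):
    """links is a list of (visible text, href) pairs as extracted from a message."""
    return [classify_link(text, href, expected_domain) for text, href in links]


# Constructed sample links, in the style of the rewards offer the post imagines.
# All hostnames are placeholders; none is a real rewards programme domain.
EXPECTED = "rewards-example.com"
SAMPLE_LINKS = [
    ("View your offer", "https://offers.rewards-example.com/offer?id=42"),
    ("https://rewards-example.com/offer", "https://rewards-example.com.evil-example.net/offer"),
    ("Claim now", "https://bit.ly/placeholder"),
    ("Log in", "http://rewards-example.com.login-example.org/"),
]

if __name__ == "__main__":
    for verdict in classify_links(SAMPLE_LINKS, EXPECTED):
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(flag, verdict["href"], "; ".join(verdict["findings"]))
```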

     

    There are many of us out there who know about these scams and there are a lot more people who have some familiarity with them. There are also a significant number of people out there, certain relatives of mine for example, who have no idea about all this “stuff”. Those are the people who can be tricked by a “copy” of a bank website.


    Having your email address lost to “spammers” is not the end of the world. I used to, and still do, create email addresses for the purposes of making purchases online. Sure, send me whatever you want, I’m never going to read it anyway. If you are in a business relationship with a company and communicate with that company via email, it is a completely different situation.

     

     

    Remember snail mail? An actual paper letter is delivered to your house; amazing concept, I know. There are thousands of people in the United States who after receiving an offer for something that was never going to come true, were tricked into providing some bad guy with something. You think that’s over? Try again… the United States Postal Service Investigators are actively pursuing fraudulent schemes – see the latest ones here.

     

     “There’s a sucker born every minute” is a quote attributed to P.T. Barnum, but even that fact is in dispute. (see here)

    What is not in dispute is that even the most obvious scams will work on a certain percentage of the population and this fact is why this massive data breach should be of major concern to the population.


    P.S. Will the new Federal Data Privacy law apply to Epsilon? That answer is not as clear as you may think.

    P.P.S. If you really want to know about online crime and current schemes, you have to read Brian Krebs' blog - www.krebsonsecurity.com. He is very knowledgeable and easy to read - plus has a ridiculous network of "sources". Of course, he's not a local guy, so you'll need to come back here for the local spin.

     

    UPDATE: (thanks to databreaches.net for an updated list of affected companies, WOW!)

    • Kroger
    • JPMorgan Chase
    • Capital One
    • Citi
    • New York & Company
    • US Bank
    • Barclays Bank of Delaware (and Barclay’s L.L. Bean Visa card)
    • Brookstone
    • McKinsey Quarterly
    • TiVo
    • College Board
    • Walgreens
    • Ameriprise
    • Marriott Rewards
    • Ritz-Carlton Rewards
    • Disney Destinations (The Walt Disney Travel Company)
    • Benefit Cosmetics (see below)
    • Home Shoppers Network (HSN)
    • AbeBooks
    • Best Buy
    • Best Buy Canada Reward Zone
    • Robert Half International (copy of email sent to DataBreaches.net by recipient)
    • Borders (reported by Brian Krebs, but haven’t seen confirmation yet)
    • City Market (Kroger)
    • Dillons (Kroger)
    • Food 4 Less (Kroger)
    • Fred Meyer (Kroger)
    • Fry’s (Kroger)
    • Hilton Honors (reported by Brian Krebs, but haven’t seen confirmation yet)
    • Jay C (Kroger)
    • King Soopers (Kroger)
    • QFC (Kroger)
    • Ralphs (Kroger)
    • Smith Brands (Kroger)
    • Verizon (reported by Brian Krebs, but haven’t seen confirmation yet)
    • Visa (Barclays Bank of Delaware)

    Massachusetts Attorney General v. Briar Group, LLC - Data Breach Settlement - the details

    Yesterday news broke (thanks to Jenn Abelson of the Boston Globe) that the Massachusetts Attorney General had come to an agreement with Briar Group, LLC regarding a data breach that dates back to 2009. I wrote on the topic and continued to investigate....

     

    A little research by your author turned up some interesting facts:

    One, the complaint was filed by the Attorney General in Suffolk Superior Court the same day as the announced settlement.

    Two, the facts alleged in the complaint are a lot more scary than what was relayed in the press release.

     

    Apparently the Attorney General was contacted by the Briar Group on November 25, 2009 and was informed by Briar that they had suffered a data breach. In fact, on November 25, 2009 the breach was STILL ONGOING. It wasn't until December 10, 2009 that the "malcode" was removed, thus ending the known breach.

    Some significant highlights of the complaint filed in court:

    • The breach involved "over 53,000 MasterCard accounts and over 72,000 VISA accounts."
    • Six of Briar's twelve locations were affected (Ned Devine's, The Lenox, The Harp, MJ O'Connor's Back Bay, MJ O'Connor's Waterfront, and The Green Briar).
    • The breach was discovered by a payment card processor in EUROPE on October 15, 2009.
    • The initial breach occurred at Ned Devine's in Faneuil Hall.
    • Briar was informed of the breach on or about October 29, 2009.
    • The president of Briar wrote an e-mail on November 5, 2009 stating that he wanted "to do the right thing" but did not want to "pay for an investigation that they could somehow avoid."
    • Briar hired Verizon Business Network Services only after being required by VISA to do so.
    • Verizon Business Network Services started work on Nov 15, 2009 - and established that the "malcode" was installed on April 24, 2009 and the "malcode" was gathering the "account number, cardholder name, expiration date and secure code."
    • Briar continued to accept credit cards the whole time.
    • The "malcode" was removed on December 10, 2009.
    • Briar had not changed passwords in over 5 years.
    • Briar had outsourced its IT work to Bromley Engineering.
      • "Peter Bromley... of Bromley Engineering noted in a December 2, 2009 e-mail to Briar that Briar's security "problems came up years ago when I first returned to Briar and saw the blatant lack of [] even basic security on the Micros servers." A second e-mail on March 25, 2010: "Probably the most egregious practice had been that all the Micros servers with which I have had contact used the same administrator and password - even at different restaurants."
    • The compromised accounts were used in Arizona, California, Nevada, Texas, the United Kingdom, Italy, India and Saudi Arabia.
    • More than 125,000 consumers were harmed by Briar's conduct.

    I have a copy of the Complaint AG v Briar.pdf and Final Judgment.pdf for your review.

    Did you visit one of these restaurants between April 24, 2009 and December 10, 2009? Did you pay by credit or debit card? Are you in the "know" or in the "dark"? Have you heard from The Briar Group, LLC? From the Attorney General? If so, I'd like to hear about it, unless you have been sworn to secrecy.

    So, we find out yesterday, March 28, 2011, some 25 months after the incident really happened and some 16 months after the known breach had been contained.

    [** A release by the New York Consumer Protection Board called the "Data Breach Report for the period of March 2010" lists that on 3/11/2010 The Green Briar, City Bar Solas, Ned Devine's Paris, The Harp, and MJ O'Connor's reported having suffered a "Hacking" affecting a total of 25 New York residents. So either there's a twin in NYC, or this is Briar]

    What breaches are currently ongoing that we won't find out about for 2 more years???

    It appears to me that the Attorney General did a thorough and complete job investigating the breach and it's likely that the delay in filing a complaint or going public was due to an ongoing criminal investigation which I hope was successful.

    The errors that Briar Group made are easily remedied IF a company takes security seriously. Their computer network setup had nothing in the way of real security, heck, they even had an unprotected WIFI network with access to their main system. Seriously? Unprotected WIFI?

    The Attorney General did NOT bring this action under MGL 93H, the "data breach law" now in force. The date of the breach pre-dated the effective date of the law. This is NOT the FIRST enforcement action under 93H / 201CMR17. This IS a serious breach. The details of the complaint show a complete disregard for the security of consumer information. This action was brought under MGL 93A, the consumer protection statute.

    If you are a restaurant group or a single proprietor, or a retail business or any business owner or decision maker who hasn't really thought about securing your information, please reconsider.

    Although $110,000.00 sounds like a lot of money, the fine could have been, and based on what I read, should have been, much higher. The damage to the Briar Group's reputation is an intangible... will I go to their locations? Probably... I don't know. How about 5 years from now when no one's watching them anymore? If I do, I'll definitely use cash.

    Taking credit cards when you know you have a problem is really disturbing, and I hope that $110,000.00 sends enough of a message, because it equates to roughly 88 cents per affected person. Not exactly a stinging fine now, is it?

    Major Boston Restaurant Group, The Briar Group, LLC - Data Breach Settlement

    Today, the Massachusetts Attorney General issued a press release stating that they had reached a settlement with The Briar Group, LLC which owns and operates several restaurants and bars in Boston including: The Harp, The Green Briar, Ned Devine's, MJ O'Connor's, Solas and more.

    I would be surprised if a Bostonian hasn't been to at least one of their locations.

    Apparently, the Briar Group's computer system was somehow compromised by the installation of what the Attorney General called "malcode". This "malcode" was apparently installed on their computer system in April of 2009 and remained on their system until December of 2009.

    During this nine month gestation period, the "malcode" allowed hackers access to customers' credit and debit card information including names and account numbers.

    According to the AG, the Briar Group has agreed to pay $110,000.00 in a civil penalty and agreed to:

    • be in compliance with the Massachusetts Data security regulations;
    • be in compliance with the Payment Card Industry Data Security Standards;
    • "establishment and maintenance of an enhanced computer network security system;
    • develop a security password management system; and
    • implementation, maintenance and adherence to a Written Information Security Program. (WISP)

    The Attorney General points out that the "data breach occurred prior to the effective date..." of 93H / 201CMR17 (the Massachusetts Data Law with the stinging penalties) but the data security standards laid out in the law and the regulations were used in the settlement.

    This is all "hot off the presses", but I have some concerns... This company has, according to their website, 12 venues. That is 12 locations taking credit cards. From my old days (10 years) bartending for competing restaurant "groups" in Boston, I can tell you that the number of credit card transactions processed across 12 locations during a nine-month period is PROFOUND!

    To drive home the point: let's just say 100 per day per location which is likely way too low. The total is then over 300,000 transactions. (12 locations times 100 times approximately 250 days)

    Now, I don't know if this breach affected all 12 locations, nor do I know if each and every transaction was susceptible to the "malcode", but I do know that the retail industry, and in particular, the hospitality industry, is, and has been, ripe for this type of breach.

    Do we know the extent of this breach? Do the people whose cards were exposed already know? How many banks were forced to reissue cards because of this? Will anyone be held criminally responsible, or does this just end up a dead end in Romania... 

    I commend the Attorney General, and AAG Scott Schafer, for making this news public and for also taking the time and effort to hold this company accountable. Perhaps other restaurant groups out there will have a hard look at their systems so that another nine month long data breach doesn't expose half a million people's credit cards to the hackers.

    I think I will use cash tonight.

    RSA data breach revealed March 17, 2011

    So, it was St. Patrick's Day and I was in sunny Florida enjoying a round of golf with family when my phone buzzed with a "data breach" story... I thought about blogging... but like golfing more.

    On Thursday March 17th, RSA, a division of EMC Corp, announced to the world (my world) that their computer system had been breached. EMC Corp. is a Massachusetts Corporation and the Boston Globe followed up with an article by Hiawatha Bray stating that the company had not filed a report with the Massachusetts Attorney General under our data breach law.

    Many other media outlets have run stories on this breach but none have been able to say just what happened, what was taken, or who did it. (at least none of the 100 or so that I reviewed)

    When investigating a crime, one of the key focus points is usually motive. "Why" did the bad guy do such and such. Financial gain is common, as is revenge. Establishing a motive can help investigators narrow their search for suspects and evidence. Of course getting the motive wrong can be a real problem. The best investigators let the evidence lead them to the suspect and then establish a motive to bring the whole thing together.

    So, I asked myself the question: why would someone breach RSA's computer system? This company is a serious security outfit and the bad guys apparently pulled out all the stops by using what the company said was an "advanced persistent threat", which apparently in layman's terms means "they did everything they could to get in".

    OK, so someone used a lot of time and energy to breach a major security company's computer system but why?

    For those who don't know, a common application of RSA's security business, SecurID, is that they provide these little "tokens" that have a small screen with numbers on them. The numbers are constantly changing. If you have one, that probably means you have access to some significant, sensitive information. I knew a doctor who carried one so he could log in to his hospital's computer system to review patients' records and make changes, etc. I read that our government is also a customer. The customer uses a computer to go to the place where the information is, enters a memorized password, and then enters the number currently showing on the "token". Somehow, that token's number can be confirmed by the location the customer is trying to access, which allows the access if the number matches.

    Back to the question at hand, why... I have a few theories:

    1. Conspiracy. Whoever did this never intended to take anything, they just wanted to put the world on notice that even the largest security outfits are not safe, causing the government to over-legislate by passing a quick "overregulating" law thus giving other security companies tons of business and tons of money.
    2. Foreign Government Action. Maybe the Chinese were just curious how the whole thing works and instead of creating one, they steal this one, reverse engineer it and now have their own version. Hey, just ask Google about that possibility.
    3. Corporate Espionage. If I were a major corporation, and I mean a world power corporation, and I needed to get inside a competitor's network that happens to use RSA's SecurID, wouldn't this be a great way to do that? If you were able to use real login credentials to access a competitor's network, that network would have no defenses, none.
    4. Criminal Organization. Even I think that this one is over their head. Sure, there are some smart criminals, but hacking into RSA? Really? I'd call that a stretch, but I have to include it until I eliminate it. (see generally Sherlock Holmes: "eliminate the impossible, and whatever remains, however implausible, must be the truth")
    5. It never happened. Remember when Coke changed their formula, only to change it right back? It was a boon for their business. Everyone tried the new one and then wished for the old one and went right out and bought it again. Maybe RSA can re-invent themselves and their product to prove to the world that they are NOW the best and strongest security since they improved on an arguably solid product. - No, I don't like this theory either.

    The problem with my theories is that they are based on no evidence, zero. That is no way to run an investigation. Our Attorney General apparently has no information either. This is an interesting question though... If what was taken was NOT PII (Personally Identifiable Information) but certain codes that in turn may give the holder access to information that IS PII... what is their responsibility, meaning RSA's responsibility? Are they required to tell the AG anything? I can't even suggest an answer without more evidence.

    I wonder if RSA has a WISP? Probably the mother of all WISPs if you ask me... but I digress.

    I guess we will have to stay tuned and see if EMC Corp, a Massachusetts Corporation, feels like telling someone, anyone, what happened. In the meantime I will keep working on my "theories".