The Daily Caveat is written by Michael Thomas, a recovering corporate investigator in the Washington, DC area.

5/17/2006
Feds Debating New Data Breach Disclosure Law
The Cyber-Security Enhancement and Consumer Data Protection Act of 2006 would require disclosure of breaches involving more than 10,000 names, and of any illegal or inadvertent access to a government database.

No word on whether the recent disclosures of comprehensive NSA phone record tracking have any bearing on this...

See the bill details here.

-- MDT



5/01/2006
The Matrix (forgive me...) Reloaded?
Recall this story from last summer about the Federal government's abandoned plans for The Matrix (or the Multistate Anti-Terrorism Information Exchange), a proposed database that would aggregate public records and commercially obtained data (read: credit headers, cell phone numbers and whatever else commercial firms can get their hands on) and make the information available to local law enforcement.

While the Feds discontinued their plans for the database, much to the relief of privacy advocates, Florida, for its part, is apparently continuing to develop a similar system that would be powered by Lexis Nexis's Seisint. It is worth noting that Seisint was afflicted by a major personal info heist that touched off last summer's tidal wave of data breach news coverage and increased governmental, media and consumer attention to the issues surrounding personal data security.

-- MDT



1/26/2006
FTC Fines Choicepoint $15 Million in Data Breach
But don't weep for the fine folks at Choicepoint. According to this recent article from MSN Money, their revenue in 2005 exceeded $1 billion, with projections for 2006 looking to be up 7 to 9%. More on the FTC fine, via Business Week:
FTC Fines ChoicePoint Over Data Breach

January 26, 2006
BusinessWeek
By Harry R. Weber
AP Business Writer

The Federal Trade Commission said Thursday that data warehouser ChoicePoint Inc. will pay $15 million to settle charges that its security and record-handling procedures violated consumers' privacy rights and federal laws. The FTC said it had fined the Alpharetta, Ga.-based company $10 million -- the biggest the agency has ever imposed -- and that Choicepoint would pay an additional $5 million that will be used to compensate consumers.

Company shares sank nearly 7 percent on a day it also reported a more than 29 percent decline in its fourth-quarter profit. Choicepoint had revealed last year that its massive database of consumer information was accessed by thieves. The data breach involved thieves posing as small business customers who gained access to ChoicePoint's database, possibly compromising the personal information of 145,000 Americans. The FTC said the number now stands at 163,000. The company discovered the breach more than four months before disclosing it to the public in February 2005. ChoicePoint has said authorities asked it to keep the information secret initially.

Authorities have said at least 750 people were defrauded in the scam that has fueled consumer advocates' calls for federal oversight of the loosely regulated data-brokering business. The FTC said the number of victims now stands at about 800, but ChoicePoint has noted that charges brought in Los Angeles against one of the thieves involve only 16 victims. The company also is a defendant in several lawsuits and complaints arising from the breach, and several government agencies are investigating.

"The message to ChoicePoint and others should be clear: Consumers' private data must be protected from thieves," Deborah Platt Majoras, chairman of the FTC, said Thursday in a statement. The $10 million fine is the largest ever levied by the FTC, Majoras said during a news conference. Previously, the largest FTC fine was for $7 million against medical device maker Boston Scientific Corp. related to competition issues, she said. "This is an important victory for consumers," Majoras said.

The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program and to obtain audits by an independent third-party security professional every other year until 2026.

The company, which is also the subject of a pending Securities and Exchange Commission probe, did not admit to any wrongdoing in the FTC probe. ChoicePoint collects data on individuals, including Social Security numbers, real estate holdings and current and former addresses. It has about 19 billion records, and its customers include insurance companies, financial institutions and federal, state and local agencies.

The SEC is examining stock trades by Derek Smith, ChoicePoint's chief executive officer, and Doug Curling, chief operating officer. Curling and Smith made a combined $16.6 million in profit in the months after the company learned of the data breach and before the breach was made public. ChoicePoint has said the stock trading was prearranged and approved by the company's board.

Company officials said Thursday they continue to cooperate with the SEC probe. They did not give details of the status of the probe. The settlement came hours after the company reported its fourth-quarter profit fell to $27.68 million, or 30 cents a share, in the quarter ended Dec. 31 compared to a profit of $39.22 million, or 43 cents a share, for the same period a year ago. The results missed Wall Street expectations.

Excluding one-time expenses related to the data breach announced in February 2005, ChoicePoint said it earned $39.74 million, or 44 cents a share. On that basis, analysts surveyed by Thomson Financial were expecting earnings of 45 cents a share. Revenue rose 11 percent to $257.85 million, compared to $232.46 million a year ago.

For all of 2005, ChoicePoint said it earned $140.66 million, or $1.53 a share, compared to a profit of $147.96 million, or $1.62 a share, for the same period a year ago. Twelve-month revenue rose to $1.06 billion, compared to $918.71 million in 2004.

ChoicePoint said it expects 2006 full-year internal revenue growth to be in the 7 percent to 9 percent range, exclusive of any acquisitions. ChoicePoint shares fell $3.10, or 6.7 percent, to $43.20 in midday trading on the New York Stock Exchange.
The original article appears here.

-- MDT



12/09/2005
Identity Theft Overblown?
Interesting article forwarded to us by the National Council of Investigations and Security Services, our industry lobbying group:

Fears over identity theft overblown: US study – From Yahoo News

Thu Dec 8,12:37 AM ET
A new study suggests consumers whose credit cards are lost or stolen or whose personal information is accidentally compromised face little risk of becoming victims of identity theft.

The analysis, released late on Wednesday, also found that even in the most dangerous data breaches -- where thieves access social security numbers and other sensitive information on consumers they have deliberately targeted -- only about 1 in 1,000 victims had their identities stolen.

ID Analytics, the San Diego, California-based fraud detection company that performed the analysis, said it looked at four recent data breaches involving a total of 500,000 consumers. It declined to provide the names of the companies involved in the breaches, but Mike Cook, ID Analytics co-founder, said one of them was a top five U.S. bank.

After six months of study, comparing compromised information against credit applications, ID Analytics said it discovered something counterintuitive: The smaller the breach, the greater the likelihood the information was subsequently used by fraudsters to hijack the identity of victims.

"If you're in a breach of 100, 200 or 250 names, there's a pretty high probability that your identity is going to be used," said Mike Cook, ID Analytics' co-founder.

"The reason for that is if you look at how long it takes a fraudster to use an identity, they can roughly use 100 to 250 in a year. But as the size of the breach grows, it drops off pretty drastically."

A study conducted earlier this year by Javelin Strategy and Research, which mirrored the methodology of an earlier Federal Trade Commission study, found that 9.3 million Americans said they had been victimized by identity thieves during the preceding 12 months.

ID Analytics said it discovered that identity thieves have a hard time using stolen credit cards to hijack the identity of cardholders because the cards are usually quickly canceled -- and because piecing together an identity based on the information on the card is hard work. Not one of the card breaches it studied resulted in a subsequent identity takeover.

While the findings will provide some comfort to consumers whose credit cards are lost or lifted or whose sensitive information is compromised when, for instance, a laptop is stolen, as recently happened at Chicago-based Boeing Co., some of ID Analytics' suggestions could be controversial.

The company suggests, for instance, that companies shouldn't always notify consumers of data breaches because they may be unnecessarily alarming people who stand little chance of being victimized.

That's likely to rankle consumer watchdogs, who are pushing Congress to enact a law, sponsored by Sen. Arlen Specter, Republican of Pennsylvania, and Sen. Patrick Leahy, Democrat of Vermont, that requires companies to implement tough data security standards and to notify consumers, law enforcement and credit-reporting agencies whenever there's a breach.

"As far as notifications, we think there are certain instances where businesses might want to notify consumers and certain instances where they might not want to inform them," said Cook.

"For instance, if they lose data, and they don't know where it is, we think too many notices may not be a good thing. They should probably monitor that and spend dollars on consumers who are actually harmed, rather than spending dollars on 10 million consumers" most of whom won't be affected.



11/07/2005
Data Accountability And Trust Act Makes it Out of Sub-Committee
Late last week the House Energy and Commerce Committee's Subcommittee on Commerce, Trade and Consumer Protection approved the Data Accountability and Trust Act (clever acronym alert - DATA). Amongst the elements in the bill, which is now headed towards a vote in the full committee, are:
* Direct the FTC to create rules requiring security for personal information. The FTC would have to take into account the size, nature, and scope of the person's activities, the current state of technology, and the cost of implementing security procedures.

* Require entities to have a security policy that explains the "collection, use, sale, other dissemination, and security" of the data they hold.

* Require entities to appoint and identify a person in the organization that is responsible for information security.

* Require any entity that experiences a breach of security to notify all those in the United States whose information was acquired by an unauthorized person as a result of the breach. Conspicuous notice on the breached entity's Web site is also required. The FTC must also be notified.

* Define "breach of security" as the unauthorized acquisition of personal information where it is reasonable to conclude there is significant risk of identity theft.

* Provide for an FTC or independent audit of an information broker's security practices following a breach of security. It permits the FTC to conduct or require audits for a period of five years after the breach, or until the commission determines security practices are in compliance with the act and are adequate to prevent further breaches.

* Prohibit costly and disruptive lawsuits by preempting state breach notification laws with private rights of action. It expressly preserves state consumer protection laws, as well as state trespass, contract, tort, and other state laws relating to fraud.
With the successful move out of the subcommittee has come another round of folks on both sides of the issue decrying the bill as going too far and, alternately, not going far enough. Meanwhile, Bob Sullivan at MSNBC's Red Tape Chronicles reminds us that 1 in 10 Americans received notification this year that their personal data could have been accessed illegally. And the Privacy Rights Clearinghouse cites eighty publicized data breaches since February. Heck, just this morning. And, if you are a serious glutton for punishment, this story also received the Slashdot treatment over the weekend.

Of primary concern to your friendly neighborhood investigators at Caveat Research is the potential for the passage of this bill to impair ready access to the essential data we use in the course of serving our clients.
The worry we face as an industry and as an individual company is that Congress, by seeking greater regulation of data aggregators, will impair the fundamental utility of the aggregators' legitimate services.

No one in our industry would seriously argue that the availability of personal data should be an unregulated free-for-all. Rather, sensitive data should be restricted to those with proper licensing as well as an accountable and legitimate reason for requesting it. The National Council of Investigation & Security Services, the investigative community's congressional advocate, describes the issue in this way:
...Social Security numbers should not be made accessible to everyone. We also believe that such personal data should only be made available for those with a legitimate need for it. We are asking members of the Energy and Commerce Committee to provide an exception from the limitation on the use of Social Security numbers for specific purposes as follows:

“to identify or locate missing or abducted persons, witnesses, criminals and fugitives, persons that are or may become parties to litigation, parents delinquent in child support payments, organ and bone marrow donors, pension fund beneficiaries, missing heirs and persons material to due diligence inquiries.”
Our role is risk mitigation in a business transaction. Without access to personal identifiers, such as social security numbers, we would face the nearly impossible task of separating one John Smith from the next, and our essential role in facilitating business transparency would be undercut. Moreover, the suggested restrictions would in no way actively combat the security lapses that brought aggregators into the public cross-hairs in the first place.

You can download the current version of the DATA bill here (PDF). The Senate is also considering a similar measure, the Personal Data Privacy and Security Act (notably, without a clever acronym) which you can review here (PDF).

-- MDT



8/18/2005
NCISS, the Investigative Industry's Voice in Congress
The National Council of Investigative and Security Services exists to represent and protect the interests of the investigative industry. The chairman of the NCISS Legislative Committee, Bruce Hulme, sends out regular notices to their mailing list regarding the status of relevant bills being considered on the Hill and in state legislatures from around the country.

In a recent mailing, he provided the text of a Congressional Quarterly article describing the recent trials and tribulations of our lobby in the wake of data piracy scandals at prime investigative vendors, Choicepoint and Lexis Nexis:
Private Eyes Try Getting Tough on Congress

By Shawn Zeller, CQ Staff
CQ WEEKLY - VANTAGE POINT
Aug. 1, 2005 Page 2089

In the popular imagination, American private investigators are the toughest of tough customers, impervious to saps, slipped Mickeys and seductresses. But private eyes now fear they may be meeting their match in Congress. The detective industry says legislation aimed at redressing identity theft and data breaches among companies collecting consumer data could put it out of business. The proposal, by Senate Judiciary Chairman Arlen Specter , R-Pa., would erect barriers to ready acquisition of Social Security numbers - and that, in turn, would enormously complicate missing-persons and witness-location work, mainstays of the detective trade.

The bill (S 1332), which Judiciary panel Democrats Patrick J. Leahy of Vermont and Russell D. Feingold of Wisconsin are cosponsoring, would bar the sale or purchase of any Social Security number without its holder's consent. Similar language is in a bill (S 1408) by Gordon H. Smith , R-Ore., that the Senate Commerce Committee approved last week. (Story, p.2125)

In May, representatives of the National Council of Investigation and Security Services - the private detectives' trade group - met with data brokers and agreed to lobby against provisions limiting investigators' ability to purchase the numbers. D.C. lobbyist Lawrence Sabbath is leading the charge. Sabbath singles out Rep. Pete Sessions , R-Texas, as the investigators' top ally. Sessions also helped bounty hunters and bail bondsmen to get business-friendly provisions in a House immigration bill this February - even though that language later died in conference.

Large database companies, such as LexisNexis Group and ChoicePoint, sell partial Social Security numbers to private investigators, but not to the general public. But the law surrounding their sale is murky, and some companies will sell full numbers to anyone.

Investigators also hired Washington PR man Joseph Ricci to boost their image in Washington. Last month, the investigators hosted an "ID Fraud Summit" at a hotel in Washington with representatives from the Secret Service and the Justice Department. Among the participants was John Stoll, who was convicted of child molestation in California and served 20 years in prison before a private investigator discovered information that exonerated him.

But consumer groups are mounting their own PR campaign in support of the Specter bill. They say uneven state licensing rules - some don't require licenses at all - are reason enough to prevent the investigators from buying the numbers. They also point to cases such as that of Amy Boyer, a New Hampshire woman killed in 1999 by a stalker who obtained personal information about her from an Internet-based firm run by a P.I. in Florida.

Without a law closing off much of the traffic in identity data, advocates say the status quo will deteriorate. P.I.s "are virtually unregulated in too many states," says Edmund Mierzwinski of the U.S. Public Interest Research Group. "There's no question that there will be massive data misappropriations."


Another, more recent article, which appeared in The Hill (and was forwarded along by NCISS), provides further details about the investigative lobby's efforts to insert its voice into the valid and somewhat volatile debate over how best to address growing concerns about the security of sensitive data:
Data Protection turf war pleases lobbyists

By Elana Schor
The Hill
August 17, 2005

The many data-security bills wending their way around the Hill are sparking a turf war in the Senate but relief on K Street, where lobbyists in several industries welcome the crush of options as a much-needed drag on momentum.

While acknowledging the need to regulate trade in consumers' personal information to prevent identity theft, lobbyists say the universe of companies potentially affected by new data-security standards presents challenges that lawmakers have yet to address fully. By next month, two more congressional committees are likely to join the four already working on the issue.

''It's difficult to even define an industry here because you have so many different kinds of companies who have suffered breaches - data providers, banks, credit-card providers. It's difficult to decide who would have jurisdiction,'' said Abby Stewart, a lobbyist at Jefferson Consulting Group, which represents one of the businesses that recently has endured the public-relations nightmare of a personal-data breach.

The Senate Commerce Committee cleared the first hurdle just before the August recess, unanimously approving an anti-ID-theft bill that prevents the trading of Social Security numbers without their owners' consent and allows easy freezing of consumer-credit reports. But banking lobbyists, and Senate Banking Committee Chairman Richard Shelby (R-Ala.), were displeased with Commerce's quick movement.

"The Fair Credit Reporting Act is a Banking Committee issue, and Senate Commerce just ripped it out and put it in their bill," said one banking lobbyist who asked not to be identified. "This is the problem with all the bills; it's a huge jurisdictional fight."

Bob Davis, top lobbyist for America's Community Bankers, sent a letter to Commerce Chairman Ted Stevens (R-Alaska) and ranking member Daniel Inouye (D-Hawaii) urging them to withhold support for the bill over two provisions: credit freezing, which banks fear could inadvertently discourage consumers from signing up for new credit cards, and permitting state attorneys general to sue nationally regulated banks for noncompliance. Stevens and Inouye nonetheless endorsed the bill, which was introduced by Sens. Bill Nelson (D-Fla.) and Gordon Smith (R-Ore.).

Stewart echoed the banking lobbyist's sentiment when discussing the Senate Judiciary Committee, which postponed consideration of three separate data-security bills until the end of recess. "It's an intriguing concept that they would have jurisdiction at all," she said.

The lead Senate Judiciary bill, sponsored by Chairman Arlen Specter (R-Pa.) and ranking member Patrick Leahy (D-Vt.), attracts criticism from lobbyists because it could let states wriggle free from some aspects of new national data-security rules. Another Judiciary bill, written by Sen. Dianne Feinstein (D-Calif.), has a crucial cheerleader in ChoicePoint, the data broker that disclosed the first of this year's high-profile security breaches.

"We'd like to see a vehicle like that get through," said David Davis, vice president of government affairs at ChoicePoint, referring to Feinstein's bill. The company supports Feinstein's language about the definition of "real harm" posed to consumers, sometimes called the "California standard," which would trigger automatic notification of an ID-theft risk.

Davis praised Stevens's promise to hold up floor consideration of the Senate Commerce bill until chairmen can resolve their jurisdictional clashes but noted the realities of a legislative clock ticking down into fall. "If all the stars were aligned, and Banking and Judiciary stepped back, then you would still have the House," he said.

ChoicePoint is one of only a few stakeholders actively pushing for a bill to pass this year. Most other lobbyists were not discouraged by the likelihood that Congress's crammed calendar would make consensus on data security unreachable before 2006.

So far only the House Financial Services Committee has tackled the question of who pays for consumer notification after a security breach, one of the most pressing priorities for banks and credit-card issuers. That committee's bill, introduced by Reps. Deborah Pryce (R-Ohio) and Mike Castle (R-Del.), requires the company responsible for the information exposure to foot the bill for "reasonable and actual costs."

One financial-services lobbyist said an accountability vacuum in the aftermath of a large-scale data compromise could be hazardous. "If there is a fear of liability, about what happened and who's paying, the flow of information gets severely restricted."

Giving too many concessions to banks and credit cards could alienate data brokers such as ChoicePoint and Lexis-Nexis, which was hacked by ID thieves in March in a breach the company first projected as one-tenth of its actual size.

In addition to requiring responsible companies to pay for notification, some lobbyists would like to see banks get reimbursed for the new credit cards that often must be issued after a breach.

In the House, the Energy and Commerce and Judiciary committees remain in the process of drafting their data-security bills. The former version will likely give blanket enforcement power to the Federal Trade Commission, an annoyance to banks that want their financial regulators to take on data-security duties to avoid creating new bureaucracy.

Yet another player in the game is the private-investigation community, which has formed a lobbying coalition and embarked on a vigorous publicity push to remind lawmakers that access to Social Security numbers does not solely affect public law enforcement.

Lawrence Sabbath, who lobbies for the National Council of Investigation & Security Services (NCISS), said the substitute amendment in Stevens's committee ironically could keep private eyes from tracking down the same fraudsters who perpetrate ID thefts. "They recognize that there are potential problems," Sabbath said. "There is some indication that that [Social Security] provision may not remain in the bill."


You can read more about the activities of NCISS and pending legislation of relevance to the investigative community here.

-- MDT



7/01/2005
Kroll's Brazilian Operations Subject of Investigation, Arrests in Connection with Brewing Corporate Scandal
This is quite the story.... In Brazil, authorities raided Kroll's corporate offices and made several arrests on charges ranging from conspiracy to illegal phone-bugging and bribery, in relation to a scandal that threatens to overtake the head of Brazil's central bank, its minister for communications, the chief of one of the country's largest telecommunications firms, and a Citigroup-affiliated investment banker. Meanwhile, other Kroll executives fled the country to escape prosecution.

Just another ho-hum day at the office for the world's "largest and most flamboyant" investigative firm, I guess.

Via the Sydney Morning Herald:
The Brazilian connection

Sydney Morning Herald
June 25, 2005

By Brazilian standards, Operation Jackal was carried out with clockwork precision. On a steamy spring day, 90 agents of the elite Policia Federal burst into a dozen homes and offices in four cities, seizing documents and computer hard drives, and arresting some of the country's most prominent businessmen.

The raids last October were the climax of a seven-month investigation into the activities of Kroll Inc, the largest and most flamboyant of the world's "risk management" companies, whose activities range from rescuing hostages to tracking down stolen treasure - and, so the police allege, illegal industrial espionage.

As the story unfolded, some of the biggest names in Brazilian business and politics were dragged into the affair - the head of the country's central bank, the minister for communications, the boss of the country's third-largest telecommunications company, an investment banker with links to America's giant Citigroup.

As the investigation widened, more than a dozen people were arrested, including executives and employees of Kroll who were initially accused by the police of crimes including conspiracy, illegal phone-bugging, and bribery. They included its joint chief executives, Eduardo Gomide and Vander Aloisio Giordano.

The boss of Kroll's Brazilian operations, its president, a 35-year-old US-educated businessman named Eduardo Sampaio, escaped the dragnet. Not long after news of the police investigation had broken four months earlier, Sampaio left the country and - to the surprise of Australia's risk management community - arrived in Sydney to take up a position as head of what is now called the Marsh Risk Consulting Group, Kroll having been taken over in the meantime (see story page 46).

However, two weeks ago, charges were formally laid against Sampaio, six other Kroll executives and contractors, and 19 other people in what has blown up into Brazil's biggest corporate scandal.

Sampaio refused to discuss the case with the Herald on three occasions, but the worldwide boss of Marsh/Kroll consulting, Andrew Marshall, confirmed that criminal charges had been laid against Sampaio and other Kroll executives. The charges included breaches of data privacy laws, and paying public officials to obtain information - but not wire-tapping. The charges will be vigorously defended, Marshall says.

Sampaio was a high-flyer in the Brazilian business community, known on the lecture circuit as a campaigner against fraud and corruption. He graduated with an MBA from Baruch College City University in New York and, after internships with Wall Street firms, including Merrill Lynch and PaineWebber, joined Kroll and was appointed Brazilian president in 1998. In Sao Paolo, South America's biggest city and Brazil's commercial capital, he was a member of the British Chamber of Commerce ethics committee and of Transparencia Brasil, an NGO dedicated to combating corruption.

Sampaio arrived in Australia in August, two months after the scandal broke, to take up his new job running the risk management division of Marsh Ltd, a wholly-owned subsidiary of the American Marsh & McLennan corporation, and Australia's largest insurance broker with 1100 employees, and branches in every state.

The seeds of the complex scandal were planted seven years ago when the Brazilian Government broke up and privatised the old government telephone monopoly, Telebras, with riot police firing rubber bullets and using tear gas on protesters in the streets of Rio de Janeiro.

One of the companies spun off from the privatisation was Brasil Telecom, the country's third-largest fixed-line operator, headed by feisty Italian chief executive Carla Cico, who is among those charged.

For several years, Brazil's biggest corporate battle has been fought for control of Brasil Telecom between its controlling shareholder, CVC/Opportunity Partners (a $700 million venture capital fund registered in the Cayman Islands, in which Citigroup had a stake) and the Italian telecommunications company, Telecom Italia, which has been trying to increase its stake in the company.

Cico says Brasil Telecom suspected Telecom Italia had sabotaged its share price by forcing it to pay too much for a takeover target, and around 2001 hired Kroll to get the evidence to support a court case. And here the plot thickens and the stories diverge dramatically.

The police stumbled into the scandal during an unrelated investigation into suspected corruption in the Brazilian subsidiary of the collapsed Italian dairy giant Parmalat. Last March, they were bugging the phones of two former Kroll investigators - Tiago Verdial and William Goodall, a former agent of the British secret service, MI6 - who had been probing Parmalat.

During their discussions, police say they taped references to illegally intercepted emails and other communications obtained in Kroll's other investigation into Telecom Italia. Goodall fled, Verdial was flown from Rio de Janeiro, imprisoned in Brasilia, and is awaiting trial - and the police began investigating Kroll's investigators.

Last July, the story was leaked to Brazil's biggest newspaper, Folha de Sao Paolo. The dynamite was in the names on the emails, because they included two of the most senior political allies of Brazil's left-wing president for the past three years, Luiz Inacio Lula da Silva - a former shoe-shine boy and trade union leader known to his supporters as "Lula".

One is Luiz Gushiken, now Brazil's Communications Minister, a close confidant of Lula for 35 years and - when the spying allegedly took place three or four years ago - a senior official in Lula's Workers' Party. Gushiken told reporters that email correspondence between him and Telecom Italia had been illegally obtained and "showed flagrant disregard for Brazil's constitution".

The other alleged victim was Cassio Casseb Lima, now the president of the Brazilian central bank, Banco do Brasil. When his emails were intercepted he was an adviser to Telecom Italia.

Romero Menezes, the high-ranking federal police official who co-ordinated Operation Jackal, says that during the raids in Sao Paulo, Rio de Janeiro and the political capital, Brasilia - including one on Kroll's headquarters - a large amount of material was seized.

This included "sophisticated electronic eavesdropping equipment", along with records including computer hard drives containing thousands of emails which had allegedly been "purchased" from junior employees of banks and other institutions for $100 to $200 a time.

Kroll - which was in the throes of being taken over by the US insurance broking giant Marsh & McLennan at the time - said the raids on its offices had been done in "a climate of panic and total intimidation". It took out advertisements in Brazil's leading newspapers to deny the police allegations that it was involved in bugging and hacking - the company says that it was, in fact, anti-bugging equipment that was seized.

Company spokeswoman Jodie Rosenbloom said: "We categorically deny we have done anything wrong. We always act within the laws of Brazil and all of the countries in which we do business ... the allegations against [Kroll's employees] and our company will eventually be proved false."

In response to the Herald's inquiries, Kroll's Andrew Marshall says Sampaio played no part in the Telecom Italia investigation - although he was president of the company at the time. He says Sampaio's transfer to Australia was planned before the police raids.

Marshall says that no arrest warrant has been issued for Sampaio. "The Brazilian authorities are simply requesting that Eduardo and the others come in and make statements," he says. "He may go back to Brazil to contest the matter - that is something that is up to him."

Marshall says he does not believe the charges will affect Sampaio's ability to run Kroll in Australia: "In the UK or the US or Australia, if charges are hanging over your head, it is a very big, bad thing," he says. "But it doesn't work the same way in Brazil, although it is very stressful for Eduardo. I realise that it sounds deeply bizarre, but it could take a decade to go through the Brazilian court system."

If an arrest warrant is issued - the case is before Federal Judge Silvio Luiz Ferreira da Rocha in the Fifth Criminal Court in Sao Paulo - Sampaio will have the option of returning to Brazil to contest the charges in court, or extradition. Brazil and Australia signed an extradition treaty in 1996.

In April, the scandal claimed another high-profile victim when the federal police arrested banker Daniel Dantas, president of CVC/Opportunity Partners and controlling shareholder of Brasil Telecom, accusing him of criminal conspiracy, breach of confidentiality and corruption. He has also now been charged.

Citigroup announced that it had fired Dantas and was suing him for $US300 million ($389 million) in the New York District Court, alleging fraud and deception in the operation of the venture capital fund.

The extraordinary case even threatened to damage US-Brazil relations - already strained because of US mistrust of Lula's populist policies - when Gushiken and other senior government officials suggested Kroll's alleged spying may have had a political dimension, and threatened to shut down the company's local operations.

The original article appears here.

-- MDT



6/20/2005
Mastercard Downgrades Fraud Risk to 200,000
Over the weekend Mastercard announced that company data, including names, account numbers and expiration dates for potentially 40 million of its card-holders (that's one-in-seven) had been compromised. The security breach arose via illegal access to the database of CardSystems Solutions Inc., a transaction processor for credit card companies.

Those numbers would have made this incident the largest such data security failure yet witnessed by an incredulous public as well as increasingly irritated state and federal regulators. The credit card giant has subsequently announced that it anticipates that only 200,000 customers face serious risk of fraud.

How comforting.

-- MDT



6/08/2005
OHIO Sues DSW Over Data-Breach Customer Notification
Not so long ago Orson Swindle at the SEC promised hell to pay if companies don't get their act together regarding data security. It seems Ohio Attorney General Jim Petro agrees, as Ohio has become the first state to sue DSW Shoes in relation to their recent data theft.

Via ConsumerAffairs.com:
Ohio Sues DSW Over Customer Data Theft

June 7, 2005

Ohio Attorney General Jim Petro has asked a court to order shoe retailer Designer Shoe Warehouse (DSW) to individually notify each customer whose personal information may have been stolen recently from DSW computer files. Ohio is the first state to sue the retailer over one of the biggest security breaches of its kind in the nation.

"DSW has acknowledged that a security breach led to the loss of more than one million customers' checking and credit information, yet the company has not individually notified each customer to warn them about this mishap," Petro said.

"As we have said repeatedly, we see no reason why DSW, working with the credit card companies and the underlying issuing banks, cannot arrange for direct notification of every affected consumer."

The full article can be found here. And the Ohio Attorney General's Office press release regarding the suit can be seen here.

-- MDT



6/07/2005
Citibank Announces Personal Data for 3.9 Million Customers Has Gone Missing
Ham-fisted management of customer data continues, this time at Citibank, which announced yesterday that data relating to almost 4 million customers had gone missing.

The unencrypted (what are they thinking?) CitiFinancial electronic back-up tapes en route to credit agency Experian disappeared and have not been seen or heard from since their shipment on May 2. Citigroup has begun notifying affected customers of the security breach.

Meanwhile, Experian continues to push for electronic data transfer with all of its major data contributors. CitiFinancial was scheduled to make the switch to electronic transfers in July.

Via The New York Times:
Personal Data for 3.9 Million Lost in Transit

June 7, 2005
By TOM ZELLER Jr

In one of the largest breaches of data security to date, CitiFinancial, the consumer finance subsidiary of Citigroup, announced yesterday that a box of computer tapes containing information on 3.9 million customers was lost by United Parcel Service last month, while in transit to a credit reporting agency.

Executives at Citigroup said the tapes were picked up by U.P.S. early in May and had not been seen since. The tapes contained names, addresses, Social Security numbers, account numbers, payment histories and other details on small personal loans made to millions of customers through CitiFinancial's network of more than 1,800 lending branches, or through retailers whose product financing was handled by CitiFinancial's retail services division. The company said there was no indication that the tapes had been stolen or that any of the data in them had been compromised...

...Citigroup executives say the box containing the tapes was handed over to U.P.S., along with other items for shipping, on May 2, under "special security procedures" that the bank required of the courier. One of those special procedures, said Citigroup's chief operations and technology officer, Debby Hopkins, included scanning the bar code on each package, rather than scanning only the single bar code on the shipment manifest, which is a summary document listing all the packages being moved in one shipment.

According to Ms. Hopkins, just the summary document was scanned for the box, which was picked up in Weehawken, N.J., so U.P.S. was unable to track where in the delivery chain the box was lost. It was not until May 20 that an employee of Experian, the credit reporting agency that was to receive the tapes, called CitiFinancial to report that they had not arrived at Experian's data-processing center in Allen, Tex. An investigation by U.P.S. failed to locate the package.

CitiFinancial has notified the Secret Service, which is called whenever there is a compromise of financial data. The agency is investigating the incident, and CitiFinancial has begun sending letters to all 3.9 million customers advising them of the loss and offering them 90 days of free enrollment in a credit-monitoring service. Other institutions with data-loss problems have also offered free credit-monitoring services, some for as long as a year.

A spokesman for U.P.S., Norman Black, would not go into specifics on where or how the security system broke down, but said the courier was continuing its investigation. Mr. Black said blame ultimately lay with his company. "They tendered us a package and expected it to be delivered in the reliable way that we always do," he said, "and we had to go back to them and tell them that we can't find it." Mr. Black said that an exhaustive search of all U.P.S. facilities nationwide had turned up no sign of the package. "It's rare that it gets to the point where we can find no trace of it," he said.

A spokesman for Experian, Donald A. Girard, said he had never seen an instance of a shipment of this kind simply disappearing, although he added that he and other credit agencies had been encouraging financial institutions to convert from tapes to encrypted electronic delivery of data. "Experian has been actively working for quite a while with all major data contributors to convert to electronic data transference," Mr. Girard said, "to mitigate risk in this process."

Ms. Hopkins of Citigroup said that most of the company's divisions already did this, and that the CitiFinancial unit is scheduled to convert to such electronic transfers in July. She also said that the missing tapes, which were not encrypted, were created using mainframe-type computers and highly specialized hardware and software that would make.

Full article here.

-- MDT



5/25/2005
Chronology of Recent Data Thefts, FTC Commissioner Predicts Hell to Pay for Corporate America
Following is a chronology of recent data breaches courtesy of BeSpacific.com and cataloged by the Privacy Rights Clearinghouse. One positive thing, at least for our industry, is that this list manages to put the recent thefts from data brokers such as Lexis Nexis or Choicepoint in the greater context of what is apparently the leaky sieve model of privacy found in corporate America and academia.

Last week the wonderfully named Orson Swindle, a commissioner at the Federal Trade Commission since 1997, provided his impromptu thoughts on the situation at a recent cyber-crime conference:
"Everybody's screaming, all the political figures up on Capitol Hill, about identity theft," he said. "It's not identity theft, it's the theft of information... While politicians raise hell about identity theft, what we're really talking about is the failure to protect valuable currency.... Corporate boards better start paying attention, because they haven't been."

Also, according to Swindle, the pattern of corporate data breaches "Indicates to me the industry has, to a great extent, been irresponsible, and somebody has got to pay." He suggested the first people to pay might be corporate lawyers. The lax data protection, according to Swindle, is being driven in part by those general counsels who sit around and say, "be careful about what you promise in privacy and information security because you might get sued for it."

| DATE | NAME | TYPE OF BREACH | NUMBER |
|---|---|---|---|
| Feb. 15, 2005 | ChoicePoint | ID thieves accessed | 145,000 |
| Feb. 25, 2005 | Bank of America | Lost backup tape | 1,200,000 |
| Feb. 25, 2005 | PayMaxx | Exposed online | 25,000 |
| March 8, 2005 | DSW/Retail Ventures | Hacking | 100,000 |
| March 10, 2005 | LexisNexis | Passwords compromised | 32,000 |
| March 11, 2005 | Univ. of CA, Berkeley | Stolen laptop | 98,400 |
| March 11, 2005 | Boston College | Hacking | 120,000 |
| March 12, 2005 | NV Dept. of Motor Vehicle | Stolen computer | 8,900 |
| March 20, 2005 | Northwestern Univ. | Hacking | 21,000 |
| March 20, 2005 | Univ. of NV., Las Vegas | Hacking | 5,000 |
| March 22, 2005 | Calif. State Univ., Chico | Hacking | 59,000 |
| March 23, 2005 | Univ. of CA, San Francisco | Hacking | 7,000 |
| April 8, 2005 | San Jose Med. Group | Stolen computer | 185,000 |
| April 11, 2005 | Tufts University | Hacking | 106,000 |
| April 12, 2005 | LexisNexis | Passwords compromised | Additional 280,000 |
| April 14, 2005 | Polo Ralph Lauren/HSBC | Hacking | 180,000 |
| April 14, 2005 | Calif. FasTrack | Dishonest insider | 4,500 |
| April 18, 2005 | DSW/Retail Ventures | Hacking | Additional 1,300,000 |
| April 20, 2005 | Ameritrade | Lost backup tape | 200,000 |
| April 21, 2005 | Carnegie Mellon Univ. | Hacking | 19,000 |
| April 26, 2005 | Mich. State Univ's Wharton Center | Hacking | 40,000 |
| April 26, 2005 | Christus St. Joseph's Hospital | Stolen computer | 19,000 |
| April 28, 2005 | Georgia Southern Univ. | Hacking | "tens of thousands" |
| April 28, 2005 | Wachovia, Bank of America, PNC Financial Services Group and Commerce Bancorp | Dishonest insiders | 680,000 |
| April 29, 2005 | Oklahoma State Univ. | Missing laptop | 20,000 |
| May 2, 2005 | Time Warner | Lost backup tapes | 600,000 |
| May 4, 2005 | CO. Health Dept. | Stolen laptop | 1,600 (families) |
| May 16, 2005 | Westborough Bank | Dishonest insider | 750 |
| May 18, 2005 | Jackson Comm. College, Michigan | Hacker | 8,000 |
| May 20, 2005 | Purdue Univ. | Hacker | 11,000 |
| TOTAL | | | 5,476,150 |

Yikes. Bad times. Read the rest of the Swindle article here and for more on pending legislation relating to personal data theft, try privacyrights.org.

-- MDT



5/23/2005
The Hell? - Paris Hilton Cell Phone Hack and Lexis Nexis Data Thefts Related?
You don't know how long The Daily Caveat has been trying to find a way to work America's favorite blond, bubble-headed celebutante into our daily news. Finally the day has arrived. I don't think I can add much more to this crazy story beyond what you can read below:
Federal Investigators Remove PCs, Discs From Several Locations; LexisNexis Break-In Linked to Paris Hilton Phone Hacking

By Brian Krebs
Washingtonpost.com Staff Writer
Thursday, May 19, 2005

The federal investigation into the massive theft of sensitive personal records from database giant LexisNexis Inc. intensified this week with the execution of search warrants and seizure of evidence from several individuals across the country, according to federal law enforcement officials.

Three people targeted in the investigation confirmed that federal investigators had served warrants at their homes. The group included a minor who has been in contact with a washingtonpost.com reporter for three months and who said he was directly involved in the LexisNexis breach...

...The minor, whose identity is not being revealed because he is a juvenile crime suspect and because he communicated with a washingtonpost.com reporter on condition of anonymity, said federal officials "raided" his home this week and seized his computer. He said investigators "got everybody" involved in the digital break-in.

Nine people in all were served search warrants by investigators, according to a senior federal law enforcement official who asked not to be identified because of his role in this and other ongoing investigations. The official said several members of the group are also believed by investigators to be involved in the much-publicized hacking in February of hotel heiress Paris Hilton's T-Mobile cell phone account, but he did not specify which members...

...The link between the LexisNexis and Paris Hilton investigations is supported by online conversations that a washingtonpost.com reporter had with the minor whose home was searched. The minor said he was involved in both intrusions and provided an image of what he said was a Web page that only T-Mobile employees would have access to...

...According to an account provided by the teenaged member of the hacker group -- and confirmed by the law enforcement source who insisted on anonymity -- the LexisNexis break-in was set in motion by a blast of junk e-mail. Sometime in February a small group of hackers, many of whom only knew each other through online communications, sent out hundreds of e-mails with a message urging recipients to open an attached file to view pornographic child images. The attachments had nothing to do with child porn; rather, the files harbored a virus that allowed the group's members to record anything a recipient typed on his or her computer keyboard.

According to the teenage source, a police officer in Florida was among those who opened the infected e-mail message. Not long after his computer was infected with the keystroke-capturing virus, the officer logged on to his police department's account at Accurint, a LexisNexis service provided by Florida-based subsidiary Seisint Inc., which sells access to consumer data. Other officers' login information may have been similarly stolen, the law enforcement source said.

The young hacker said the group members then created a series of sub-accounts using the police department's name and billing information. Over several days, the hacker said the group looked up thousands of names in the database, including friends and celebrities. The law enforcement source said the group eventually began selling Social Security numbers and other sensitive consumer information to a ring of identity thieves in California. washingtonpost.com has not been able to reach the young source to seek comment about the sale of personal information.

Much more intrigue at the WashingtonPost.com.

-- MDT



4/05/2005
Report Highlights Corporate Data Security Weakness
Data aggregators are getting picked on a great deal these days for their security lapses, but the data thefts from Choicepoint and Lexis are only two of a half-dozen or so recent thefts, resulting either from fraudulent data purchase, physical theft of records or computer database hacking. Of all these potential avenues for mass theft of personal data, computer system security is arguably the most pervasive problem facing American industry.

Not only is this a basic security issue, but as we've seen in recent weeks, it is becoming a serious liability issue as well.

Jon Oltsik, the author of a January 2005 report on data security from the Enterprise Strategy Group, has summarized his findings in an article for ZDnet.com. Oltsik's report includes data from a survey of security professionals at 229 U.S. firms and found that almost a quarter of these firms had experienced an internal security breach in the last year. An even larger number of respondents couldn't say one way or the other whether they had been breached or not.

From ZDnet.com:
Black Eye for Privacy

By Jon Oltsik, Special to ZDNet
Published on ZDNet News: April 4, 2005, 10:48 AM PT

First it was a security breach that left ChoicePoint's treasure chest of personal information (145,000 accounts) vulnerable to prying eyes. Less than a fortnight later, Bank of America backup tapes containing data on 1.2 million accounts went missing. More recently, someone hacked into a confidential database containing as many as 32,000 records at Seisint, a company owned by LexisNexis.

Bad guys are targeting corporate databases because, obviously, that's where the money is. But the bigger concern is that many of these confidential "bet the business" databases (and other critical systems) still remain woefully insecure.

The Enterprise Strategy Group recently surveyed 229 U.S.-based security professionals from organizations with more than 1,000 employees. The majority of respondents (52 percent) came from organizations with more than $1 billion in annual revenue. Our goal was to get an objective metric of just how bad the internal security threat really is.

The results paint a frightening picture. For example, 23 percent of respondents reported their organization had suffered an internal security breach in the past 12 months, while 27 percent didn't know if it had or not. Note to self: Make sure the people you do business with know whether they've been hacked or not.

Read the rest of the article.

Also an executive summary of the ESG research report can be found here.

-- MDT



3/17/2005
Choicepoint Administrators Claim Cluelessness (Note: This Did Not Work For Bernie Ebbers)
From the L.A. Times:
Executives at besieged information broker ChoicePoint Inc. have said they had no idea how vulnerable the company was to the identity thieves who recently tapped into personal data on 145,000 Americans, igniting a national furor over privacy. Chairman Derek Smith told CNBC last week, for instance, that management "never realized the sophistication organized crime" would demonstrate in order to access ChoicePoint files.

It is disturbing that Choicepoint, one of the biggest vendors in our industry and a company whose services are used to root out fraud and ensure transparency in countless business transactions, would be caught flat-footed by fraudsters themselves. Smith's statement on CNBC seems especially thin considering that this is most certainly not the first time something like this has happened to the company.

More from the L.A. Times:
Court documents in the 2002 case of Bibiana and Adedayo Benson -- who were convicted and sentenced to federal prison -- shed light on what it took to steal data from ChoicePoint and open fraudulent credit card and bank accounts in the names of unknowing victims.

The case, which led to at least $1 million in losses, attracted no public attention at the time. Like the most recent security breach, it involved con artists using simple and time-tested methods to hoodwink the data broker.

According to the court records, Bibiana Benson applied for a ChoicePoint account in the name of Christine Lorraine Burton on April 2, 2000.

To get the account, Benson needed two things: Burton's Social Security number and a professional or business license. ChoicePoint requires a copy of "business or professional licensing," according to its current application form, because information obtained from its databases may be used only for "business reasons."

Benson had the Social Security number. (The documents don't say how she obtained it, but authorities say there was evidence her brother was involved in identity theft before the ChoicePoint infiltration.) The California real estate broker's license in Burton's name was a fake. Benson faxed the license to ChoicePoint along with the application form.

And the Bensons were off to the races and racking up about a million in fraudulent transactions. And the best bit...this went on for over TWO YEARS.

To read the rest, click here.

In fairness to Choicepoint and to LexisNexis as well, data aggregators are not the only firms who have faced these types of data leaks. Whether it be due to electronic security breaches, employee error or plain old con artistry, many other firms have recently faced similar issues, including Bank of America, DSW Shoes and online payroll service Paymaxx. But Choicepoint is a different deal. Americans have an innate suspicion of a company that earns a profit by collecting and selling personal data.

No one was given a chance to "opt out" of Choicepoint's files. There is no national "Do Not Aggregate me" list to join. So, when a security breach happens the American public and their elected representatives are not going to concern themselves with how much Choicepoint aids in business transparency, they are simply going to seek a reckoning. Choicepoint by its own hand has opened the door to being judged not just for what they've done but for what they are.

The services provided by Choicepoint do a great deal of good in preventing fraud. It seems very clear, however, that the company, in its great rush to commodify and product-ize personal data, has let slip the basic "know your customer" protections and fundamental subscriber vetting that should be the bedrock of such services. In doing so they have put at risk all the positive benefits their services provide to the business community.

-- MDT



3/11/2005
Press Release from Reed Elsevier on Lexis Nexis Security Breach
Thanks to House of Butter for the text:

DAYTON, OH, March 09, 2005 - Reed Elsevier today announced that LexisNexis, its global legal and business information business, has identified a number of incidents of potentially fraudulent access to information about U.S. individuals at its recently acquired Seisint unit. The incidents arose from the misappropriation by third parties of IDs and passwords from legitimate customers. LexisNexis has notified law enforcement authorities and is proactively assisting in law enforcement investigations of these incidents. LexisNexis is also working with customers to enhance security procedures.

These incidents were identified as part of an ongoing extensive review of the verification, authorization and security procedures and policies across the risk management businesses. LexisNexis has accelerated this review to determine the extent of any other incidents.

Information on approximately 32,000 individuals may have been fraudulently accessed in these incidents. LexisNexis very much regrets this and will be notifying all the individuals concerned and providing them with ongoing credit monitoring and practical support to ensure that any identity theft is quickly detected and addressed. Any further instances that emerge from the ongoing review will likewise be handled as quickly and as sensitively as possible. The information accessed includes names, addresses, social security and drivers' license numbers, but not credit history, medical records or financial information.

LexisNexis has already taken, or will take actions to enhance security to enable it to maintain its position as an industry leader in the responsible use of data and the protection of individual privacy. These actions include: enhancing ID and password administration procedures and requirements for customers; dedicating additional resources to protection of consumer privacy; working with customers to reinforce the importance of consumers' privacy; and working with law enforcement for further insight and assistance on new practices and techniques for thwarting criminal activities.

The financial implications are expected to be manageable within the context of LexisNexis' overall growth. The demand for risk management solutions is expected to remain strong and the outlook for Seisint and the LexisNexis risk management business remains very positive. In relation to this, Reed Elsevier today reaffirmed its 2005 and longer term financial targets of at least 5% organic revenue growth and double digit adjusted earnings per share growth at constant rates of exchange.

LexisNexis products that use U.S. public and non-public records provide critical fraud detection and identity authentication solutions to law enforcement, homeland security, commercial and legal customers that help to safeguard citizens and reduce consumers' financial losses, such as credit card and insurance fraud. In addition, these services provide benefits for consumers in facilitating the conduct of transactions for goods and services.



3/10/2005
Lexis Nexis Reports Security Breach
In what has to be considered another black eye for our industry, mega-legal services provider and data aggregator, Lexis Nexis announced that sensitive information relating to 30,000 people "may have fallen into the hands of thieves." The New York Times has the story.

Lexis joins the ranks of such varied firms as: Choicepoint, Paymaxx, DSW, Bank of America and T-Mobile that have faced similar breaches over the last few months.

-- MD





all content © Michael D. Thomas 2009