Friday, October 16, 2009

Which Story to Post? Payroll company loses PII, and Underreporting losses

It isn't often I am faced with a decision as to which story to post here. I generally shy away from reporting specific breaches unless the particular story reinforces a point I am trying to stress, perhaps regarding employee training, or simple gross negligence in the face of what should be common knowledge in the business community.
In this case however, I found two such stories on the same day and have them here for you.

The Washington Post reports that, for the second time in a month, hackers have gained the login credentials of PayChoice clients. The company sent a notice to customers yesterday to let them know that thieves had exploited a weakness in the password-change component of the company's online payroll portal, the report states. PayChoice has since disabled the site and modified logins. In its e-mail alert to clients, PayChoice said "...we determined that valid user credentials...were used in an unauthorized manner to...have payments made to fraudulent bank accounts."

There is simply no excuse for a payroll company to have such an incident in light of the laws in effect (FACTA Red Flags Rules specifically), that require them to take specific precautions to prevent just such a breach.

This next item shows clearly that giving breached entities discretion as to whether and when to report breaches serves no one. People whose information has been mishandled or lost while in the trust of an organization have the right to know about their increased risk so that they can take appropriate steps to protect themselves. That is the problem I and others have with reporting laws that give wide discretion to withhold or delay reporting of information losses.

The results of an audit involving the loss of Connecticut taxpayers' data show the state took too long to determine whether confidential information was compromised, reports The Day. The names and Social Security numbers of 106,000 Connecticut taxpayers were exposed when a Department of Revenue Services (DRS) employee's laptop was stolen from a parked car. "DRS botched its initial response to the theft," said AG Richard Blumenthal, who took part in the audit. "Inexcusably, our tax agency exposed more than 100,000 taxpayers for nearly a week to possible plundering of personal assets." But Blumenthal hailed DRS for tightening access controls, encrypting data and developing data breach procedures since then.

Thursday, October 15, 2009

Extraordinary Quote

"The more people who have your data, the greater likelihood that either they're going to lose it or a rogue employee will abuse it," said Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University.

We could use more people like Fred Cate.

Wednesday, October 14, 2009

IRS Personal Identity Security Issues

The Internal Revenue Service says that efforts to help protect taxpayers from identity fraud, spearheaded by the agency's Online Fraud Detection and Prevention Office, are paying off. The agency points to more than 3,000 suspected phishing and fraud-related Web sites being shuttered since the office opened in 2007. However, Government Computer News reports that the IRS also struggles with internal data security, and that hundreds of taxpayers were affected by 149 breaches last year. A Government Accountability Office report said the "IRS has information security weaknesses that increase the likelihood of IRS employees committing identity theft," which the IRS attributes to weakness in authorization and authentication.

Every federal agency is struggling with these issues. This is yet another reminder that information security is a paramount problem. Personal information is fast becoming the most valuable asset within any enterprise: not just company secrets, but personal information on employees and customers. Our information is in many places where we have no control over its security. Even the agencies and enterprises holding it have no absolute control, as you see here. At last count, in 2008 approximately 62% of all breaches were the result of employees taking the data out of the office for the purpose of selling it or using it themselves for financial gain.