March 14, 2006
Publication Note: In the News will not be published on Friday, March 17, 2006. We will resume publishing the weekly edition on Monday, March 24, 2006.
Debit Card Ring Busted in New Jersey
New Jersey law enforcement officials announced yesterday that they have arrested 14 people in connection with the theft and unauthorized use of hundreds of thousands of debit card numbers. According to the prosecutor, the 14 stole debit card information from the office-supply chain OfficeMax, the North Carolina State Employees' Credit Union, and other businesses. Prosecutors began investigating the case in June 2005 after receiving a tip from an informant. According to the prosecutors, the gang of 14, some of whom were arrested in December, had ties to criminal gangs living overseas. "This was a sophisticated network," the chief prosecutor said. "These guys have been around. It looks like they figured this was a safer way to generate cash, safer than dealing drugs or other crimes." “Prosecutor: Debit card crime ring busted,” http://news.com.com/Prosecutor+Debit+card+crime+ring+busted/2100-1029_3-6049290.html.
Prosecutors apparently did not place an estimate on the size of the losses. In an article yesterday in Digital Transactions News, security expert Avivah Litan estimated that information about 600,000 cards from at least 20 banks was stolen and that losses could exceed $1 billion. As more details become available, we’ll see how close those estimates are. “Losses Could Top $1 Billion from Debit Card Hack, Hurting PIN Debit,” http://www.digitaltransactions.net/newsstory.cfm?newsid=880
Company Pays Fine of $1.1 Million for Using Mined Data to Send Spam
Datran Media Corp. has agreed to pay $1.1 million to the State of New York to settle charges that it used unauthorized data “mined” from various sources to send unsolicited e-mail messages advertising discount drugs, diet pills and other products. According to the allegations, Datran received six million e-mail addresses from Internet “customer acquisition” companies. Those companies enticed consumers to provide their name, address, and personal financial data in exchange for a chance to win a prize, such as an iPod. The companies pledged that they would not share the information with any third parties. The State of New York alleges that Datran was aware of those pledges when it obtained the information and used the e-mail addresses to send spam. “Firm to Pay $1.1M to Settle E-Mail Case,” http://www.washingtonpost.com/wp-dyn/content/article/2006/03/12/AR2006031200491.html.
March 15, 2006
Judge Will Order Google to Release Limited Information
A United States District Judge has indicated that he will order Google to comply with a subpoena from the Department of Justice for information including website addresses returned in Google searches and search queries. The judge announced his intentions at a hearing yesterday, after the government stated that it would sharply limit its request to a sample of just 50,000 website addresses and 5,000 search queries. The government had originally subpoenaed a week's worth of search queries and a random sample of 1 million Web sites. It remains to be seen, however, how much information the judge will order. The judge said he was disposed to give the government “some relief” since it had narrowed the scope of its request and agreed to compensate Google for the cost of responding. But the judge also indicated that in drafting his order he would “pay particular attention to” the concerns of the public that their web searches could be subjected to government scrutiny. “U.S. Limits Demands on Google,” http://www.nytimes.com/2006/03/15/technology/15google.html
OfficeMax Says Audit Shows It Has Not Suffered a Data Breach
OfficeMax says that an independent audit of its systems confirms the results of an internal investigation that indicated there has been no breach of OfficeMax’s customer data. Earlier this week, a New Jersey prosecutor who brought indictments against 12 people for stealing debit card information said that OfficeMax had been the source of some of the stolen information. “OfficeMax: No evidence of security breach,” http://news.com.com/OfficeMax+No+evidence+of+security+breach/2100-1029_3-6049758.html?tag=cd.top
Security Guard Charged with Stealing Employee Information
A former security guard at General Motors’ Warren Technical Center has been arrested for stealing GM employees’ Social Security numbers and using them to hack into a company database. The suspect had been employed by a private firm that provided security services at the tech center. The suspect allegedly used the information to hack into a database containing information about employees who had company cars. The suspect is alleged to have sent the employees e-mail messages surveying their thoughts on the vehicles. A sheriff’s spokesperson said there was no indication the suspect did anything else with the information. “Man Charged With Hacking Into GM Database,” http://www.theglobeandmail.com/servlet/story/RTGAM.20060314.gtgm0314/BNStory/Technology/?page=rss&id=RTGAM.20060314.gtgm0314
Spyware Used in Industrial Espionage
A couple in Israel has pleaded guilty to developing and selling spyware that was used to carry out industrial espionage over a two-year period. The spyware was allegedly sold to private detective firms who would surreptitiously install it on the computer system of the target company. The spyware would capture documents and send copies of them to a site where they were made available to competitive firms. “Spyware-for-hire couple plead guilty,” http://www.theregister.co.uk/2006/03/15/spyware_trojan_guilty_plea/
March 16, 2006
The Threat from RFID Viruses
BusinessWeek Online is running a story that discusses the possible implications of a report earlier this week that a research team at a Dutch university has developed a virus that can infect radio frequency identification (RFID) tags. RFID tags are used widely to track inventory, shipped packages, and library books, and have been proposed for implantation in humans to provide instant access to medical records.
BusinessWeek gives an example of how a hacker might employ a virus to wreak havoc on a company’s database:
A hacker goes into a store, buys a can of soup with an electronic tracking tag glued to the side, and takes it home. There, he attaches a different tag, this one with malicious code. He goes back to the store and lets the item get scanned anew at the cash register. This time, the code jumps from the tag onto the store's computer system, changes product prices and skews sales data, and creates an entrance for an outsider to gain access to the store's internal databases.
While people in the RFID industry dismiss the claims, security consultant Bruce Schneier is not surprised by the findings of the Dutch research team. BusinessWeek quotes Schneier: “It’s possible RFID can’t be hacked, but that would be the first time in the history of computing that a computer was created that can’t be hacked.”
BusinessWeek notes that as RFID tags are increasingly used in credit card transactions, there is a growing incentive for hackers to exploit vulnerabilities in RFID technology. “What's Lurking in That RFID Tag?” http://www.businessweek.com/technology/content/mar2006/tc20060316_117677.htm
House Committee Considers Data Security Bill
Legislative efforts to address data security are picking up steam in Congress. Yesterday, the House Financial Services Committee debated a draft of a bill that would, among other things, allow a victim of identity theft to freeze his or her credit report, preventing it from being shared by a consumer reporting company without the consumer’s express permission. Members of the Committee also debated the standard for when a company must notify customers of a data breach. Members voted to change the standard agreed upon by committee staffers last week. That standard would have required notification if the breach was likely to result in "substantial harm or inconvenience" to the consumer. The committee voted yesterday to delete the word “substantial,” significantly lowering the standard.
An amendment to the bill approved in committee yesterday also provides that it will supersede the standards for notification under the Gramm Leach Bliley Act. This was a blow to the financial services industry, which argues that the security standards under the Gramm Leach Bliley Act already provide sufficient protection of the industry’s customers. The issue of whether the bill would preempt state breach notification laws is still being debated. The Committee will vote on a final version of the bill today. “US House panel weighs consumer data security bill,” http://today.reuters.com/investing/financeArticle.aspx?type=governmentFilingsNews&storyID=2006-03-15T235725Z_01_N15413862_RTRIDST_0_CONGRESS-FINANCIAL-DATASECURITY.XML. See also, “Data Security Debate Begins, Panel Expected to Vote Today,” http://www.americanbanker.com/article.html?id=20060315L0BVYK3M&from=washregu (subscription required)
Homeland Security Department Flunks Information Security Standards Again
For a third straight year, the House Government Reform Committee has given the Department of Homeland Security a failing grade for information security. The overall grade for the federal government was D-plus. The agencies were measured against their compliance with the Federal Information Security Management Act, which establishes a variety of computer security standards. “DHS Gets Another F in Computer Security,” http://www.washingtonpost.com/wp-dyn/content/article/2006/03/15/AR2006031501589.html
This message is provided by the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.
Warner Norcross & Judd LLP (www.wnj.com) is a full service law firm with four offices in Michigan. Our Privacy and Information Security Taskforce includes lawyers from across the firm’s practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP, e-mail Rodney Martin at email@example.com or write him at Warner Norcross & Judd LLP, Suite 900, 111 Lyon Street NW, Grand Rapids, MI 49503.