Security

Read all 'India' posts in Security
March 31, 2009 7:08 PM PDT

Symantec investigating customer credit-card data theft

by Elinor Mills
  • 3 comments

Updated at 9 p.m. PDT with more details from a Symantec representative.

Symantec is investigating allegations that a call center in India leaked credit card numbers of its customers to someone who then sold them to BBC News reporters posing as criminals.

The security company has informed U.K. privacy authorities and attorneys general and officials in eight U.S. states and Puerto Rico of the allegations that three U.K. customers had credit card information leaked and that about 200 U.S. customers may have been affected because of interactions with the call center, Symantec spokesman Cris Paden said Tuesday.

"We nailed it down to one agent at the call center" who handled the Symantec customers, he said. That agent was put on administrative leave pending the outcome of the investigation, Paden added.

In addition to Puerto Rico, the states contacted were New Hampshire, Maryland, New Jersey, Maine, Massachusetts, New York, Virginia, and North Carolina, Paden said.

It was unclear exactly how the data of the three U.K. customers got from the call center into the hands of the man who the BBC News said sold the credit card numbers. Nor was it clear whether any data from the U.S. customers was leaked. Paden said there is no evidence that any U.S. data was exposed.

In a letter to New Hampshire Attorney General Kelly Ayotte dated March 24, the security vendor said it is "investigating a potential security incident involving a small number of customers' credit card information."

The letter said Symantec was sending a notice to a customer in New Hampshire who may have been affected by the alleged incident, even though the company does not believe a security breach, as defined by New Hampshire statue, had occurred.

The company added that even though it has no evidence that credit card information of any U.S. resident was actually compromised, it is offering its customers one year of identity protection services through Debix as a precautionary measure and reviewing its "security processes and third-party vendor protocols."

The BBC News reported on March 19 that undercover reporters posing as fraudsters had gone to Delhi to buy 50 credit card numbers, at $10 a card, from a man who claimed to have gotten them from a call center. They filmed the interaction. The man denied any wrongdoing, the BBC said.

When the reporters contacted some of the card owners, three of them said that they had bought Norton software from Symantec over the phone using their credit cards.

Symantec has set up an e-mail address for customers who want more information: global_purchase_query@symantec.com.

The BBC recently got flak for purchasing a botnet and using it in some tests to show the dangers that Web surfers face.

The IDG News Service is believed to be first to report on the Symantec letters.

Updated April 1to clarify which media outlet is believed to have first reported the news.

Topics:
Privacy and data protection,
News
Tags:
BBC,
Symantec,
undercover,
investigation,
call center,
India,
credit cards
Share:
Digg
Del.icio.us
Reddit
November 12, 2008 12:34 PM PST

Report: Insiders a greater threat to data leaks

by Robert Vamosi
  • 4 comments

IT professionals surveyed worldwide said they think their own employees pose a more serious security threat than outsiders, and often it's because of personal use of corporate assets, according to the third and final report based on a 2008 survey (PDF) commissioned by Cisco Systems and released Wednesday.

Other findings include: One in five Brazilian IT professionals said they think their employees are less diligent around protecting corporate data. And in China and in India, IT professionals are most concerned with data thefts through the use of USB devices including thumb drives and iPods in the workplace.

A Cisco survey found that of employees who have lost company-issued devices or have had them stolen, one in four employees have done so more than once within the past year.

(Credit: Cisco)

According to the survey, IT professionals said about 10 percent of their employees are losing corporate devices like laptops and USB drives with valuable data more than once a year.

"There's either a negligent behavior or careless recklessness in which they handle data maybe because they didn't realize it was there or maybe there's an education gap," Fred Kost, director of security solutions for Cisco, told CNET News in an interview. "The storage capacity of some of these devices and the types of access they have access to is becoming a critical issue for companies."

The report also cited the growing risks of portable hard drives as opposed to lost or stolen laptops. One in three IT professionals said USB drives (including iPods) were their top concern, more so than e-mail (23 percent), lost devices (19 percent), and verbal communications with outsiders (8 percent).

Surprisingly, 1 in 10 end users in the Cisco survey admitted stealing data or devices and then selling them for profit, or knowing of co-workers who have done so.

Yet there are also nonmalicious reasons to explain how corporate data gets leaked into the wild.

"If you think about the device leaving the enterprise, going into their home environment, the personal environment, maybe letting their children use it; that puts the corporate data at risk," said Kost. He said data leakage could occur when the kids are using the device to surf some Web 2.0 application. "And what about the end of life, when they go to give the device up on one of the e-waste recycling days? There's another chance for somebody to get that corporate data."

Kost repeatedly mentioned the increasingly blurred lines between business use and personal use and how some of that is OK. But long-term personal use of a corporate asset could become a problem.

"Say they have their iTunes library on the device they use for work, now they have to give up their work device, and they have to figure out what to do." In the study, less than 10 percent of the employees did keep their work devices. Of those who did, 60 percent said it was because there were personal files on the device. "It's not malicious," Kost said, "it may just be the only computer in the household."

The Cisco study was conducted in late July through early August by InsightExpress, a U.S.-based market research firm, and involved more than 2,000 employees and information technology professionals. Specifically, the study surveyed 1,000 employees and 1,000 IT professionals from various industries and company sizes in 10 countries.

The first report on cultural attitudes toward security was released in October.

Of those who kept a work device, Cisco found that 60 percent did so for personal needs.

(Credit: Cisco)

Topics:
Privacy and data protection,
News
Tags:
security,
Cisco,
Fred Kost,
privacy,
data leakage,
USB,
China,
India
Share:
Digg
Del.icio.us
Reddit
  • prev
  • 1
  • next
advertisement

15 sites that went kaput in 2009

Web sites launch all the time, but they also shut their doors. We highlight 15 that bit the dust this year.

Top 10 news stories of the decade

Let the debate begin: Was the iPhone more important than iTunes? Was anything bigger than Google finding a great business model? CNET offers its list of the 10 most important stories of the '00s.

About Security

Online security is threatened by more than hacking and phishing attempts. Check here for the latest updates on software vulnerabilities, data leaks, and rapidly spreading viruses--and learn how to protect your systems.

Add this feed to your online news reader

Security topics

Most Discussed



advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
CES 2010
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET