Tony Kontzer and Martin J. Garvey, with Steven Marlin

Lost or Stolen Identities Make Waves

Recent incidents involving Bank of America and ChoicePoint have stirred legislative response and self-examination by industry participants.

In late February, Bank of America (Charlotte, N.C.; $1.11 trillion in assets) said it lost an undisclosed number of data-backup tapes while the tapes were being transferred. The tapes included Social Security numbers and charge card data for 1.2 million federal employees. According to Bank of America, specific hardware and software would be needed to read the data, and there's no evidence that data on the tapes has been accessed or misused. However, the bank wouldn't say if the data was encrypted.

This comes on the heels of the news that ChoicePoint (Alpharetta, Ga.), which maintains databases for identification and credential-verification services, may have revealed personal information about as many as 145,000 people in October when identity thieves used fake businesses to dupe the company into granting them access to consumer data. A similar scheme in 2002 allowed thieves to use data gathered from ChoicePoint databases to commit $1 million worth of fraud, the U.S. Attorney's Office in Los Angeles charged.

Rep. Bennie Thompson, D-Miss., and other Democrats on the House Judiciary and Homeland Security Committees are pushing for investigations, including examinations of any homeland security risks raised by the ChoicePoint data lapses. Hearings are planned, and Sen. Dianne Feinstein, D-Calif., proposed a federal law similar to a California law that requires businesses to report data breaches.

When H&R Block (Kansas City, Mo.) CIO Marc West heard of Bank of America's troubles [Editor's note: For more on Bank of America's security efforts, see article, page 12.], he decided to check if the two companies had a relationship that might compromise any of H&R Block's 21 million customer records. There was none, but West wanted to be certain. "As good as we think we are, we need to make sure our business partners are equally good, because it's our customers' data that's at risk," he says.

H&R Block encrypts customer data before moving it to an off-site storage facility. "It's absolutely painful to do," West says, "but it's one way you know data's not going to get in someone else's hands." West says he's evaluating technologies to protect customer information, including Verdasys' (Waltham, Mass.) Digital Guardian platform, a desktop tool that monitors access to data and applications.

Gartner (Stamford, Conn.) analyst Avivah Litan believes companies push IT departments to deploy technologies too quickly for them to be properly evaluated for vulnerabilities. "CIOs have to be more aggressive in saying, 'I'm not going to do this project until I've had more time to consider security,'" Litan says. "There's too much information in these companies' hands - they're playing with people's lives, and they have to be more serious about that."

H&R Block's West says it is the CIO's job to make sure a company's information security efforts are coupled with an integrated risk management program. "It's very important that CIOs help drive the internal approach that security isn't just about technology," West says. "It really is about people, process and technology." -Courtesy of InformationWeek.
