Sep 2 2010

Cyber crooks steal nearly $1 million from University of Virginia

A theft of nearly $1 million from bank accounts of the University of Virginia’s College at Wise is being investigated by the FBI.

As per its official policy, the agency does not confirm or deny that such an investigation is underway. The college’s media relations director refused to divulge any details but confirmed an internal investigation, adding that as far as the college can tell, no student data has been compromised.

Unofficial sources say that the cyber thieves managed to compromise a computer belonging to the university’s comptroller by infecting it with a data-stealing “virus”, which then forwarded them the online banking credentials for the accounts in question, reports Brian Krebs.

Once they were able to access the account, they initiated a single wire transfer that moved $996,000 to an account opened at the Agricultural Bank of China.

Source


Aug 16 2010

Heartland denies systems involved in new data breach

Heartland Payment Systems, which last year suffered the largest ever data breach involving payment card data, is downplaying reports out of Austin, Texas linking the payment processor to a data breach at a local restaurant chain.

Heartland CIO Steven Elefant told Computerworld by e-mail late Thursday that the reports out of Austin point to a “localized intrusion initiated within the stores, either in their point-of-sale system or as a result of other fraud.”

“The Heartland system at large and its merchants would not be compromised in any way by this type of attack, and the company is unaware of any broader issue,” he said.

He added that Heartland officials will work closely with business owners to help identify the source of the breach, and help with remediation efforts.

The Austin Statesman reported on Thursday that an “accounting network” at Tino’s Greek Cafe, a local restaurant chain with four locations in Austin, had been breached.

The story, which quotes a local police spokesman, said the intruders had hacked into the network connecting Tinos with Heartland Payment Systems. The spokesman is quoted as saying that somebody had hacked into a computer system “somewhere between Tinos’ point of sale and their credit card clearinghouse company.”

It’s unclear yet if only customers have been affected by the incident, the spokesman is quoted as saying. The breach has apparently resulted in fraudulent charges appearing on the cards of several Tinos customers. Many of the charges have occurred at merchant locations around the country and beyond, and have been happening for several months.

The Statesman story points to one case where the city’s University Federal Credit Union contacted police after noticing multiple unauthorized charges against the accounts of customers who had been to Tinos.

According to one source who requested anonymity, it’s quite likely that Austin police are confused about how the payment infrastructure works and are just assuming Heartland is involved. “As soon as they hear Heartland is the processor, they are most likely just assuming a larger problem,” he said.

“From the description of the attack, it sounds very localized and unfortunately it is not uncommon for restaurants to be attacked like this,” he said.

Source


Aug 16 2010

VA begins posting security breach reports online

Veterans Affairs Department employees continued to lose mobile devices in July, but the number of overall security breaches it experienced declined slightly from the previous month, according to VA chief information officer Roger Baker.

As the largest health care organization in the world, with thousands of contractors, VA experiences a variety of incidents each month. But with the exception of a few incidents every year, most of its security and data breaches are not significant, he said during a press briefing this week.

VA must notify Congress monthly about both routine and major data breaches, a requirement imposed in the aftermath of several security breakdowns during the past year. The public can now see those reports for itself, as the VA began on Aug. 11 to post them on the VA’s Web site.

“We gain a lot with transparency,” Baker said about making the report public. “When you see what normally happens and how they are handled, it lends a bit of confidence what we’re going to do when more serious ones occur,” he said.

For example, losing smart phones is a common security problem at VA, as it is elsewhere. In July, employees lost 13 Blackberry smartphones compared with 24 missing in June, he said.

However, it’s difficult to impose consequences for the losses. There isn’t a cost benefit to denying the issuance of another smart phone to physicians and other professionals who lose them because the devices are inexpensive relative to the productivity gains they provide, Baker said.

“I don’t take losing a couple of hundred dollars of taxpayer money lightly,” he said. “But compared with a doctor that we may be paying $300,000 a year, I don’t want them spending time trying to figure how to get a new Blackberry. I want them to have a new Blackberry in their hands so they can be certain of providing patient services.”

VA also has a policy of encrypting mobile devices to reduce the potential for the disclosure of personal information by making the devices unusable when they are lost or stolen.

In addition to the lost Blackberries, VA also reported this month:
– 66 internal unencrypted email incidents in July vs. 74 in June in which employees did not follow VA policy to encrypt emails that contained sensitive patient information;
– 103 mis-mailing incidents in July vs. 119 in June, in which a veteran was sent the wrong information or was sent the information of other veterans;
– 6 laptops missing or stolen in July vs. 16 in June. Of those in the July report, five were encrypted and one was used for reading bar codes for ensuring the correct administration of medications, so it did not contain sensitive health information. In June, 11 of the 16 missing laptops were encrypted;
– 10 mis-mailed pharmacy incidents out of 5.6 million pharmacy packages mailed in July vs. 7 incidents in June.

Source


Jul 17 2010

American Air Parent Claims Worker Data Compromised

American Airlines’ parent company, AMR, said Friday the personal information of about 79,000 retirees, former and current employees has been compromised after a hard drive was stolen from its Fort Worth headquarters.

No customer data was affected. The data was held by the company’s pension department.

The drive contained images of microfilm files, which included names, addresses, dates of birth, Social Security numbers and a “limited amount” of bank account information. Some health insurance information may have also been included — mostly enrollment forms, but also details about coverage, treatment, and other administrative information.

The data spans a period from 1960 to 1995.

AMR also believes some of the employee files contained information on beneficiaries, dependents and other employees from 1960 to 1995.

The company has sent letters to the people that were impacted by the breach. AMR is offering one year of free credit monitoring for those affected.

It has already stepped up protective measures at its headquarters, including increasing security and testing the vulnerability of its computers.

AMR said it’s still investigating the incident.

Source


Jul 17 2010

Virus infects data at OSU

Oregon State University is notifying 34,000 current and former employees that a computer containing some of their personal information was recently infected by a virus.

In a press release issued Wednesday, the university said its computer experts believe it is “highly unlikely that the virus put any of that information in the hands of unauthorized users.”

However, the release added, “records for many of those employed between 1999 and 2005 contained Social Security numbers as the ‘unique identifier’ in each employee’s record, and the presence of those numbers raises the potential, however remote, of identity theft.”

Jon Dolan, chief information security officer for OSU, said the university doesn’t want to unnecessarily alarm anyone.

“We really found no evidence of (information) being removed,” he said. The notification was the result of extra caution and to comply with the Oregon Consumer Identity Theft Protection Act.

“Since we can’t prove that (the data) wasn’t lost, we felt it was the best thing to do,” he said.

Letters explaining the situation, and what people can do to protect themselves from identity theft, were mailed out to affected employees Tuesday.

OSU was notified of the possible data breach on June 28 after an employee reported the anti-virus software on her computer was alerting her to a virus.

Dolan, who received a notification letter of his own, said Wednesday afternoon that only a few hotline calls had been received.

It is the first time the university has had this type of situation.

“We have never sent notifications on this scale,” Dolan said.

He only knew of two other similar incidents at the university. In one case, the data at risk had been collected by a student, and OSU assisted the student on how to notify affected people. In the other incident, two Social Security numbers were possibly exposed when a laptop was stolen.

Two years ago, hackers breached the computer system of the OSU Bookstore, which is a separate legal entity from OSU, and accessed credit card numbers, names and addresses. The store notified about 4,700 customers that their information may have been compromised.

Source


Jul 7 2010

UH computer breach may have compromised 53,000 people

More than 53,000 people who did business with the University of Hawaii at Manoa parking office from 1998 to 2009, and whose records are in its database, are being notified by mail that they may be affected by a computer security breach.

The FBI and Honolulu Police Department are investigating the breach that was discovered on June 15 during a routine audit. University officials say the unauthorized access to a computer server used by the Manoa parking office occurred on May 30.

Affected are 53,000 records, which included 41,000 Social Security numbers and 200 credit card numbers.

To protect personal information from further unauthorized access, social security numbers are no longer used for parking transactions, and are being purged from all current and past parking office databases, the university said.

The university said the main group of affected people included faculty and staff members employed in 1998; anyone who had business with the parking office between Jan. 1, 1998 and June 30, and who purchased parking permits, including staff of the East-West Center, UH Foundation, and Research Corporation of the University of Hawaii; and any campus visitor who had a vehicle towed or appealed a parking citation.

UH Manoa has also posted a list of frequently asked questions and answers on a website, http://www.hawaii.edu/idalert/. The questions and answers are reprinted below:

1. What happened?

A routine audit conducted on June 15, 2010, discovered unauthorized access to a computer server used by the UH Manoa Parking Office had occurred on May 30, 2010.

2. Am I affected?

Approximately 53,000 records were stored in the database. Of this total, approximately 41,000 Social Security numbers and 200 credit card numbers were exposed. The database contained data on two main groups of individuals:

>> UH Manoa faculty and staff members employed in 1998.

>> Anyone who had business with the UH Manoa Parking Office between January 1, 1998, and June 30, 2009. This includes:

>> Anyone who purchased parking permits, including staff of the East-West Center, UH Foundation and Research Corporation of the University of Hawaii.

>> Any campus visitor who had a vehicle towed or appealed a parking citation.

3. What information was in the compromised database?

The database contained personal information, including names, Social Security numbers, addresses, driver’s license numbers, vehicle information, and credit card information. Information on other individuals included their UH identification numbers, which are not sensitive.

4. Has the data been misused?

At this time, UH Manoa has no evidence that personal information was actually accessed, but we also cannot determine with certainty that it was not accessed.

5. Is there an investigation into this incident?

A forensic computer expert has been retained to further investigate this matter. The Honolulu Police Department and FBI have been notified, and have been asked to investigate any potential criminal activity related to this incident.

6. What is the campus doing to prevent future security breaches?

Social Security numbers are no longer used for parking transactions, and are being purged from all current and historical Parking Office databases. Additional security measures being taken include strengthening internal automated network monitoring practices, and performing extensive evaluations of systems to identify other potential security risks.

7. How will affected individuals be notified?

Letters to affected individuals were mailed on Saturday and should be received starting today. In addition, an e-mail notice will be sent to affected individuals at their most recent e-mail address on record.

8. What should affected individuals know and do?

Carefully monitor your financial information and take protective measures against identity theft, which include:

>> Obtaining and carefully reviewing credit reports. Free credit reports from all three credit agencies may be obtained at http://www.annualcreditreport.com or by calling 877-322-8228.

>> Reviewing bank and credit card statements regularly, and looking for unusual or suspicious activities.

>> Contacting appropriate financial institutions immediately upon noticing any irregularity in a credit report or account.

If your identity or account has been compromised, you may take actions such as requesting refunds, closing accounts, and placing your credit records in a state of fraud alert or freeze. Please know that we are making every effort to ensure that this incident does not recur.

9. If I did not receive a notification letter, does that mean my information was not in the compromised database?

Not necessarily. The campus has been collecting addresses of affected individuals, but not all addresses could be located (predominantly visitors to the campus who either appealed parking citations or who had vehicles towed at UH Manoa between January 1, 1998, and June 30, 2009).

10. How can I get more information?

On weekdays between the hours of 8:00 a.m. and 4:30 p.m., call (808) 956-6000, or go to the webpage at http://www.hawaii.edu/idalert/. Updates will be posted as new information becomes available.

Source


Jul 7 2010

41% of IT pros admit to snooping on confidential information

The results of a Cyber-Ark global survey show that 35 percent of respondents believe their company’s highly-sensitive information has been handed over to competitors. Thirty-seven percent of the IT professionals surveyed cited ex-employees as the most likely source of this abuse of trust.

While perhaps not surprising that disgruntled workers top the list, it’s noteworthy that 28 percent suspected “human error” as the next most likely cause, followed by falling victim to an external hack or loss of a mobile device/laptop, each at 10 percent. The most popular information shared with competitors was the customer database (26 percent) and R&D plans (13 percent).

There was little year-over-year change in the number of respondents who suspected the loss of intellectual property to a competitor, indicating that more needs to be done to protect companies’ most valued assets.

Additionally, to address vulnerabilities related to human error that could expose a proprietary database or financial information, organizations must employ additional layers of control such as the ability to grant privileges to sensitive data and systems on-demand. This limits “innocent” mistakes by allowing access to information only when users need it to perform a particular task or query.

The research also confirmed that snooping continues to rise within organizations both in the UK and the US. Forty-one percent of respondents confessed to abusing administrative passwords to snoop on sensitive or confidential information – an increase from 33 percent in both 2008 and 2009. When examining the information that people were willing to circumvent the rules to access, US respondents targeted the customer database first (38 percent versus 16 percent in the UK) with HR records most alluring to UK respondents (30 percent versus 28 percent in the US).

Despite the rise, there was also the admission that organizations are trying to better curb snooping and are installing stronger controls to prevent these incidents. Based on this year’s survey, 61 percent responded they could circumvent those controls – a decrease from 77 percent in 2009. Additionally, 88 percent of IT professionals believe their use of these privileged accounts should be monitored, however only 70 percent of organizations actually attempt to do so – with one-third turning a blind eye to what’s happening within their networks and therefore failing to meet regulatory and compliance requirements.

Insider sabotage, unfortunately and rather disconcertingly, has increased from 20 percent last year to 27 percent this year.

The survey found that 67 percent of respondents admitted having accessed information that was not relevant to their role. When asked what department was more likely to snoop and look at confidential information, more than half (54 percent) identified the IT department, likely a natural choice given the group’s power and broad responsibility for managing multiple systems across the organization. Of note, this is an up-tick compared to the 35 percent who identified the IT department as likely suspects in 2009, a number that had decreased from 47 percent in 2008. Respondents identified Human Resources as the next most curious at 11 percent, followed by administrative assistants.

Source


Jul 7 2010

12 months in prison for hacking

A former senior database administrator for GEXA Energy in Houston was sentenced to 12 months in prison for hacking into his former employer’s computer network.

Steven Jinwoo Kim, 40, of Houston pleaded guilty on Nov. 16, 2009, to one count of intentionally accessing a protected computer without authorization and recklessly causing damage. Kim was ordered to pay $100,000 in restitution to GEXA Energy and to serve three years of supervised release following his prison term.

According to court documents, on Feb. 5, 2008, GEXA Energy terminated Kim from his position as a senior database administrator and revoked all his administrative rights and access to the GEXA Energy computer network.

In pleading guilty, Kim admitted that in the early hours of April 30, 2008, he used his home computer to connect to the GEXA Energy computer network and a database that contained information on approximately 150,000 GEXA Energy customers.

While connected to the computer network, Kim recklessly caused damage to the computer network and the customer database by inputting various Oracle database commands.

Kim also copied and saved to his home computer a database file containing personal information on the GEXA Energy customers, including names, billing addresses, social security numbers, dates of birth and driver’s license numbers. According to court documents, Kim’s actions caused a $100,000 loss to GEXA Energy.

Source


Jul 1 2010

Heartland ramps up first end-to-end encryption

Heartland Payment Systems, the victim last year of a massive data breach of sensitive card data, vowed after that devastating event to develop new security gear based on end-to-end encryption between itself and its merchants to prevent such a breach from occurring again. That’s now taking shape, but slowly.

“We have a long way to go,” acknowledges Heartland CEO Bob Carr, pointing out the so-called E3 payment terminals, intended for small-to-midsize customers, are but the first step, “with more advanced technologies coming in the summer” intended for use between Heartland’s network and much larger merchants that would require more back-end integration into processing systems. “We’re not ready to help all of them yet,” he acknowledges.

There is as of yet no end-to-end encryption requirement for debit- and credit-card processing, though the Payment Card Industry (PCI) Security Standards Council, which sets technical standards used by payment processors and merchants, is expected to weigh in on that topic in its upcoming PCI standard this October.

Unwilling to delay action after last year’s devastating discovery of a data breach that has so far cost it well over $100 million in fines and associated costs, Heartland has spearheaded its own multi-million-dollar end-to-end encryption technology effort to keep cybercriminals at bay. (Hacker Albert Gonzalez was caught and confessed to hacking Heartland’s processing network and much more, and this March was sentenced to 20 years in prison.)

“Every single breach I know of wouldn’t have happened if our end-to-end encryption solution had been there,” Carr says. He believes Heartland is the first to come out with a commercial deployment of end-to-end encryption with merchants.

Carr says the definition of end-to-end encryption may end up varying, but in the case of Heartland, it means protecting card data, particularly the track data, as it’s being swiped at the merchant to the entry point to Heartland’s network, and encrypted on through Heartland’s network. However, this encryption now stops at the card brand point, such as Visa and MasterCard, and isn’t encrypted on through to the banking points.

Carr thinks the most vulnerable points that hackers will try to exploit are in the interconnections between merchant and payments processor, but he acknowledges that as the industry evolves to better protect these routes, hackers will undoubtedly look for the weakest link in the chain.

The E3 terminals, built by Voltage Security and Uniform Industrial Corp., were custom ordered by Heartland, which isn’t requiring its merchants to use them, but strongly recommending them.

“They do have to buy the devices,” Carr says, noting they range from $300 to $500, which Heartland will finance for six months if merchants have cash-flow issues. But one incentive for using E3 is a guarantee from Heartland that if merchants using E3 are breached, Heartland will cover fines and forensic costs related to any breach tied to the stand-alone terminals. Heartland is also offering free help to smaller merchants in filling out PCI standard conformance forms, something that can be technically bewildering to them.

One looming issue in end-to-end encryption is interoperability if the industry adopts more robust processes for protection through encryption. But Carr is optimistic the industry will meet the challenge, saying the PCI Security Standards Council “is listening hard and being responsive.”

Source


Jun 30 2010

UM Counseling Center servers hacked

University of Maine police are investigating the breach of two UMaine computer servers holding the names, social security numbers, and clinical information of students who attended the university’s Counseling Center from Aug. 8, 2002 to June 21 of this year.

According to a university press release, data linked to approximately 4,585 students, four to five percent of UMaine students over that time period, was exposed.

Dean of Students Robert Dana said at a Tuesday news conference there was “no indication” that data was viewed or downloaded from the servers, but officials are preparing for a worst-case scenario.

“This is an insidious affront to the rightful privacy expectations of our students,” Dana said. “The criminals who make it their business to exploit our society’s need and ability to store information are beneath contempt. Because of this, we are engaging all possible resources to find the source of these attacks.”

Dana said colleges and universities are “prime targets” for hackers because of large bandwidth and high-speed connections.

Robotic computers, he said, make “literally thousands of attempts per day” on UMaine’s vast computer network, but safeguards, such as firewalls and alert systems, usually hold.

“It’s the Wild West out there and every day a new approach is invented to help control the frontier,” Dana said.

He said the first breach happened as early as March 4. Once the hacker gained access to the second computer, a second server, which carries the active version of the center’s 2002-2010 database, was compromised.

The police investigation started June 16, according to the news release, after Counseling Center staff reported trouble accessing files. The UMaine police are working with the U.S. Attorney’s office and computer crimes experts from the U.S. Secret Service.

“In any case like this, identity theft must be a top concern and consequently we are taking strong measures to assist those whose information may have been exposed and to prevent further security intrusions,” Dana said.

The university is now working on a customized letter to each person in the database. The letter will detail how to access services from Debix, a credit-monitoring company hired by the university, according to the press release.

For at least the next year, the company will look for signs of identity theft in each affected person’s credit. They will provide immediate alerts if suspicious activity is detected and offer insurance against identity theft.

The company’s services will be provided by the university at no cost to affected individuals. Dana said the cost to UMaine would be in the “multi-thousands of dollars.”

Det. Sgt. William Flagg from the UMaine police, who is conducting the investigation along with Internet crime expert Officer Bill Mitchell, said the potentially anonymous nature of these crimes makes finding a specific suspect very difficult.

“This is not an investigation that is going to be measured in days or weeks. It will be measured in months,” Flagg said.

In the press release, the university said any student, current or former, who visited the Counseling Center since Aug. 8, 2002 should assume they are affected. Information on the breach and how to receive services is available at http://umaine.edu/informationcenter/.

Source