By

Updated every Tuesday evening, circa 11 p.m. ET. Links may require registration/subscription.

Exposures

Almost 574,000 debit and credit card details were exposed to hackers in a breach of servers owned by Network Solutions LLC, a Herndon, Va., domain registrar and Web site-hosting provider.

Network Solutions discovered a malicious program on its servers in early June, and the hackers had access to the card data for about three months altogether, The Washington Post's Brian Krebs reported in his "Security Fix" column Friday. The card data came from people who shop at the e-commerce stores hosted by Network Solutions. Of its 10,000 e-commerce customers, 4,343 were affected by the breach, the company said.

Susan Wade, a spokeswoman for Network Solutions, told Krebs that it has offered to handle notifications for its clients, which under various state laws must notify their customers. It has also offered to pay for 12 months of credit monitoring for the affected individuals.

Network Solutions is still trying to determine how the malicious program got on its servers.


National Australia Bank Group's Bank of New Zealand lost a customer after telling him to resolve on his own a disputed charge.

The problem began when a woman, identified only as Mrs. Hansford, mistyped her card number when spending about $13 on photo prints online; the charge was posted to another customer's account, The New Zealand Herald reported July 22.

When the second customer, who asked the Herald not to name him, called to complain, he said the bank told him it was his responsibility to resolve the dispute with the person who initiated the transaction. After getting that response, he said, he closed his account.

Hansford said she was upset with the bank because, if the unidentified man "was a nasty individual, he could have been at my front door and he could have been quite angry." BNZ offered her $1,319 to compensate for the incident, but she said she did not accept it.

The bank told the Herald that incidents like this are rare and that its staff has since been told not to reveal personal details when resolving disputes.


Michael Jackson's death cast a spotlight on security problems at the Los Angeles County coroner's office, where his death certificate was opened more than 300 times before being made public.

The office was already under investigation by a county auditor, and the Los Angeles County Sheriff's Department has also been asked to investigate, the Los Angeles Times reported Monday.

Ken August, a spokesman for the California Department of Public Health, told the Times that the incident was still under investigation and how many people, if any, viewed Jackson's death certificate inappropriately had not been determined.

In a separate incident this year 15 Kaiser Permanente Bellflower Medical Center employees were fired or resigned after it was found that employees had inappropriately viewed the medical records of "Octomom" Nadya Suleman.

Though a breach of death certificate data is not considered as damaging as a breach of other personal health and financial information, the incident renewed concerns about inappropriate access to such data, the article said.

Super Secure

The nuclear fallout shelters of yesteryear are being converted into the data centers of today.

Continental Airlines Inc.'s investment in 2,000 square feet of space in an underground bunker run by Montgomery Westland, a disaster recovery company, paid off during Hurricane Ike last year, when power went out in the airline's offices, but its planes were able to stay in the air, Computerworld reported Tuesday. The bunker was built by a millionaire during the Cold War.

Many banks were forced to temporarily shut down after Hurricane Katrina devastated the Gulf Coast in 2005.

Similar secure facilities are offered by Cavern Technologies in an abandoned mine near Kansas City, Mo.; by Iron Mountain Inc. in an abandoned mine in rural Pennsylvania and others, the article said. Though such facilities offer many practical benefits, such as a cool environment for computer equipment, their primary benefit is security, the article said.

And for companies concerned about more than just the weather, online retailer Montgomery Ward leases space in an office building built with bulletproof windows.

Spooky Software

Smart phone users in the United Arab Emirates were prompted to install a software update that turned out to be a spying program designed for intelligence agencies.

The spookware was installed on BlackBerry phones after users followed a link sent by text message to customers of the phone carrier Etisalat of Abu Dhabi, the Associated Press reported July 22. Etisalat, which is majority owned by the United Arab Emirates government, did not respond to AP inquiries before the article ran.

Research In Motion Ltd., the maker of the BlackBerry, said that, though the software claimed to be an official update, it was not. The program was designed by SS8 Networks Inc. in Milpitas, Calif., which supplies technology to intelligence and law enforcement agencies. The AP said it got no response from SS8.

The AP said that Etisalat routinely blocks certain Web sites to comply with government censorship rules, but it did not give a clear reason to users for asking that they install the spying application. Security experts told the AP that the software might have been intended to record calls or capture personal records from the phones.

ATM Attack

Two suspects have been arrested in what police said is a multistate card-skimming scheme.

Mihai Ittu and Stefan Iancu face multiple counts of identity theft, credit card misuse and theft of more than $500, the Frederick News Post in Frederick, Md., reported July 22. They are being held in Oklahoma on similar charges and also face such charges in California, it said.

Frederick police found a skimming device, used to steal data from automated teller machine card stripes, on an ATM in May. The device was believed to have been planted on the machine the previous month along with a hidden camera to record PINs, which are not stored on cards.

Card details stolen from Maryland ATMs were used in several states, the article said. Police in other states said they have identified other suspects in the scam as well.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.