Big Finnish

Data breaches are not always perpetrated against U.S. companies from abroad — sometimes it goes the other way.

Finnish police say the computer systems at a Helsinki business were compromised in an attack launched from outside the country, the Finnish television operator YLE reported Friday. Some of the intrusions appears to have originated from an Internet Protocol address in the U.S., though other attacks appear to have come from Romania. Police said the physical location of the actual hackers could be either of those places, or none of the above. "The actual location could be anywhere," Inspector Jukkapekka Risu told YLE.

The hackers stole card numbers from 100,000 card accounts, including 10,000 for which the hackers were able to nab full card data, YLE reported. Police did not say which business was targeted, though they said the business had not properly protected the data. The article said this is the largest breach of its kind in Finland — earlier breaches exposed only a few hundred card accounts.

"The security breach, which originated abroad, targeted this server and they were able to download large amounts of data," Risu said.

The breach was discovered by the Helsinki processor Luottokunta during what it described as a routine security check.

"The cards themselves were not compromised, but information about transactions in which the cards were used came into the hands of the hackers," Henry Kylanlahti, the processor's card security services director, told YLE.

Bogus Employer

The owner of a Hudson, N.H., technology consultancy went above and beyond what his bank requires to protect his data — but he still lost nearly $100,000 to fraudulent automated clearing house transfers.

Cynxsure LLC received a call from its bank, Swift Financial of Wilmington, Del., on Feb. 10 asking about 10 unusual ACH transfers, security writer Brian Krebs reported in his "Krebs On Security" blog Tuesday. Though the bank attempted to reverse the transactions, it failed, leaving Cynxsure on the hook for all of the stolen funds.

The bank contacted Cynxsure's owner, Keith Wolters, to report an unauthorized batch of ACH transfers that "effectively added 10 new individuals to the company's payroll, sending each slightly less than $10,000," Krebs wrote. "None of the individuals had any prior business with Cynxsure."

Wolters said he was meticulous about security. He kept a dedicated computer for online banking, and through his own initiative he kept his passwords in an encrypted file accessible only through a fingerprint reader. When Wolters scanned his fingerprint, the computer automatically filled out the passwords — a system he said was meant to thwart keylogging programs.

Krebs noted that the ZeuS Trojan, a hacker favorite, could still nab passwords as they are sent to the Internet, but Wolters said multiple antivirus scans have each concluded that his system was clean.

"We've put a lot of time and effort into making sure something like this couldn't have come from our side," he told Krebs. "We're not going to be one of those companies that goes quietly into the night."

Wolters said his company is preparing a lawsuit against Swift, and suggested that the problem came from within the bank. Swift declined to comment for Krebs' story, citing the potential litigation and customer privacy concerns.

Krebs located one of the people who inadvertently helped steal the money. Merit Moll of Collowhee, N.C., said he received the money after responding to a job ad online and, as the "employer" instructed, wired most of it to Ukraine. When Moll realized that he had been tricked into helping a scammer, he instructed his bank to send all of the remaining funds — $1,000 — to Cynxsure, though Wolters told Krebs he has yet to receive even that much.

P-to-P Problems

The Federal Trade Commission has identified nearly 100 companies where personal data has been exposed over file-sharing networks.

Data such as Social Security numbers, driver's license numbers and other personal information have been found on networks more commonly used to download music, The Washington Post reported Tuesday. The FTC did not criticize file sharing, since the practice could have business-related uses, but cautioned that users should be mindful about data stored on their computers.

"Peer-to-peer file-sharing programs have legitimate uses but — particularly when people don't understand their vulnerabilities, as our sweep showed — they also have vulnerabilities," David Vladek, the director of the FTC's Bureau of Consumer Protection, told the Post.

The FTC's warnings echo those of consumer advocates who have long warned that file-sharing programs may expose data without the user realizing it. Vladeck said the FTC conducted its investigation to "raise awareness" about the vulnerability and its potential for exposing a company's clients to identity theft.

Hit It With a Truck

"Brute force" attacks may work for cracking simple passwords, but they are less effective at cracking open automated teller machines.

One robber learned the hard way that ATMs are extremely difficult to break into. The unidentified suspect apparently drove a stolen truck through the front of an East Peoria, Ill., gas station, dislodging an ATM that was bolted to a wall, the Journal Star in Peoria reported Friday.

The robber then took the machine to a nearby event center, propped the ATM up against an outside wall and repeatedly rammed it with the truck.

The ATM remained intact, but the wall cracked — setting off an alarm. The robber escaped in another stolen truck, leaving behind the unopened ATM.

Exposure

Valdosta State University in Georgia said a server with the personal data of 170,000 individuals was improperly accessed.

The university could not confirm that any data was stolen, but the intruder had access from Nov. 11 to Dec. 11, when the breach was found, the tech security publication SC Magazine reported Monday. The server, which has since been removed, held personal data such as grades and Social Security numbers of students and faculty.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.