Security Watch

Alerts 4 Aggressors

Just as consumers like receiving alerts when they are victims of fraud, fraudsters like to be notified when they have been spotted by consumers.

Such alerts are available to the creators of the malicious programs that infect computers and steal bank data from consumers and businesses, Brian Krebs reported in his "Krebs on Security" blog Monday. One company, scan4you.biz, offers a service that periodically runs a submitted sample through a battery of antivirus programs and notifies the client as soon as that sample starts showing up on the scanners' radar. A similar service, avcheck.ru, also provides alerts but checks fewer antivirus products, Krebs wrote.

Not all virus-testing services are tools of the bad guys, Krebs wrote. Many free services also forward submitted samples to the antivirus vendors, so that the malicious programs are detected by more security products on later scans.
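The mechanism Krebs describes is a monitoring loop: keep a set of samples, re-scan them against several engines on a schedule, and raise an alert the moment a sample's detection set changes. The same loop, pointed at a defender's own engines, tells a security team when coverage for a sample first appears and which engines lag. The block below is an added illustration of that delta-tracking logic and is not code from Krebs on Security or from any scanning service; the engine names, verdict strings and sample bytes are constructed for the example, and no real scanner is invoked.

```python
"""Detection-delta tracker: record per-engine verdicts for each sample on
every scan round and alert when a sample's set of detecting engines grows.

Added example, not code from the original page or from any scanning
service. Engine names, verdict strings and sample bytes are constructed.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Alert:
    sha256: str
    round_no: int
    kind: str        # "first_detection" (0 -> 1+ engines) or "new_engines"
    engines: tuple   # engines that flagged the sample for the first time


@dataclass
class DetectionTracker:
    # sha256 -> set of engine names that have flagged the sample so far
    seen: dict = field(default_factory=dict)
    round_no: int = 0

    def record_round(self, results):
        """Ingest one scan round.

        results: {sha256: {engine_name: verdict_string_or_None}}
        Returns the alerts raised by this round, in sample order.
        """
        self.round_no += 1
        alerts = []
        for sha, verdicts in results.items():
            flagged = {eng for eng, verdict in verdicts.items() if verdict}
            before = self.seen.setdefault(sha, set())
            newly = flagged - before
            if newly:
                kind = "first_detection" if not before else "new_engines"
                alerts.append(Alert(sha, self.round_no, kind, tuple(sorted(newly))))
                before |= newly   # remember so the same engine does not re-alert
        return alerts


def sha256_hex(data: bytes) -> str:
    """Samples are keyed by SHA-256 so a re-upload of identical bytes maps
    to the same history."""
    return hashlib.sha256(data).hexdigest()


# Constructed samples and scan rounds (no real malware, no real engine output).
SAMPLE_A = sha256_hex(b"constructed-sample-A")
SAMPLE_B = sha256_hex(b"constructed-sample-B")
ROUNDS = [
    # round 1: only B is detected, by one engine
    {SAMPLE_A: {"EngineX": None, "EngineY": None, "EngineZ": None},
     SAMPLE_B: {"EngineX": "Trojan.Generic", "EngineY": None, "EngineZ": None}},
    # round 2: A is picked up for the first time
    {SAMPLE_A: {"EngineX": "Gen:Variant.Constructed", "EngineY": None, "EngineZ": None},
     SAMPLE_B: {"EngineX": "Trojan.Generic", "EngineY": None, "EngineZ": None}},
    # round 3: a second engine starts flagging A; B is unchanged, so no alert
    {SAMPLE_A: {"EngineX": "Gen:Variant.Constructed", "EngineY": "Heur.Suspicious", "EngineZ": None},
     SAMPLE_B: {"EngineX": "Trojan.Generic", "EngineY": None, "EngineZ": None}},
]


def run_demo():
    """Feed the constructed rounds through the tracker and return all alerts."""
    tracker = DetectionTracker()
    all_alerts = []
    for results in ROUNDS:
        all_alerts.extend(tracker.record_round(results))
    return all_alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(f"round {alert.round_no}: {alert.sha256[:12]} {alert.kind} {alert.engines}")
```

The tracker alerts only on growth of the detecting set, so an engine that keeps flagging a sample round after round stays silent; that is the property a criminal service sells and the property a defender wants when measuring how quickly each engine catches up.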

A Penney Not Saved

The long list of retailers hacked by Albert Gonzalez — who was sentenced last month for data breaches at TJX Cos. Inc., Heartland Payment Systems Inc. and others — just got a bit longer.

Gonzalez and his accomplices also targeted J.C. Penney Co. Inc. and The Wet Seal Inc., though the companies' names were kept secret until recently because there was no evidence that any card data had been stolen, Wired.com's "Threat Level" blog reported March 30.

The companies had argued that they should not be named publicly because doing so would harm their brands. "Because there was no reason to think that the hackers were successful, there was no need to alarm J.C. Penney customers," Darcie Brossart, a spokeswoman for the retailer, told Wired.com after the companies' names were unsealed in court records at the end of the Gonzalez case.

J.C. Penney said it could remain anonymous under the 2004 Crime Victims' Rights Act, but Assistant U.S. Attorney Stephen Heymann disagreed. Wired.com noted that this is a stark change in how prosecutors typically act toward victimized companies.

"It's a bit jarring to see a lucid pro-transparency, pro-security argument from a federal prosecutor," it said. "For years, law enforcement has had an informal policy of protecting companies from the public relations consequences of their poor security."

Prosecutors in New Jersey, where the case originated, had initially promised anonymity to J.C. Penney. "It was only when the Gonzalez case was transferred to Boston — and a new prosecutor — that the public gained an advocate," Wired.com wrote.

Locked and Loaded

Eight men, including a prisoner, are accused of committing up to $1 million in fraud by taking over private-label cards by phone.

Seven Cleveland residents and a prisoner serving time in Fort Dix, N.J., are accused of tricking credit card customer service representatives into adding them to numerous store card accounts, the Associated Press reported Friday.

The suspects — at least, those not in prison — used the compromised cards to purchase expensive items such as snowblowers, televisions and stoves, according to the Federal Bureau of Investigation. They allegedly resold the items.

On April 1 the FBI raided a home the suspects allegedly used to store the goods.

Pricey Problem

If a data breach at an organization in the U.K. can be traced to a serious failure on the part of the breached organization itself, the company or group responsible could be fined up to 500,000 pounds, more than $760,000.

The rule was announced in January by the U.K.'s Information Commissioner's Office and went into effect Tuesday, the tech and security publication SC Magazine reported that day.

Though the regulator acknowledged that most breaches are accidental, the fines are meant to be imposed when "there has been a serious breach of one or more of the data protection principles" on the part of the breached entity and the exposed data is then used "to cause substantial damage."

Amichai Shulman, the chief technology officer at the security tech company Imperva Inc., told the magazine that the fine may encourage change at U.K. companies, but not the kind of change the regulator intends.

"The problem is the emphasis on being honest upon discovery of a breach which could actually encourage organizations to have lax protection policies and robust CYA policies," and to avoid disclosing such incidents, Shulman told SC Magazine. "Penalties may be necessary but governments should try to be on the constructive side."

Jamie Cowper, the European marketing director for the security tech company PGP Corp., told SC Magazine that the fine may be productive if the ICO also takes effort to educate organizations on how best to improve security. "It is clear that the ICO is going to have to couple this new policy with a fresh awareness campaign if organizations are to truly recognize the financial sense of investing in proven technologies such as encryption," he said.

In the Navy

The Washington Post's "Federal Diary" column took the U.S. Navy to task for taking 17 months to disclose a data breach.

In May 2008, the personal information of 244 employees at the Naval Facilities Engineering Service Center in Port Hueneme, Calif., was sent to three employees whose security access had previously been suspended, the article said. According to e-mails reviewed by the Post, the Navy was aware of its responsibility to inform breach victims in a timely manner, but did not send them a letter until Oct. 9, 2009. The breached information included names and Social Security numbers, according to one of the e-mails.

Rodney Raether, the president of the National Association of Government Employees, wrote to Navy officials stressing the importance of timely disclosure for government employees. Because a security clearance can be affected by an employee's credit rating, which in turn can be damaged by identity theft, "employees are at risk and face loss of reputation and then face the loss of their security clearance" if they are not protected against such incidents, Raether wrote.

The Navy told the Post that initially there was not thought to be a breach because the information would have been accessible to the three employees normally, but the newspaper noted that this response contradicts the language in the e-mails written shortly after the incident.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.