Latest TJX Breach Lesson: Crime Does Not Pay

A co-conspirator in the TJX breach, Humza Zaman, saw the next 46 months of his life laid out before him in Boston yesterday, as he was sentenced in federal court for his role in the breach. He was also fined $75,000, will serve three years of supervised release, and must disclose his conviction to future employers, but he will not be barred from using computers.

Zaman’s role appears to be limited to money laundering activity while he was employed by Barclay’s Bank. Zaman, apparently feeling he was only doing favors for Albert Gonzalez (by all accounts, the mastermind behind the data theft), would meet and mule large amounts of cash that he received from “an unknown man of apparent Eastern European descent.”

The writer of the “sniffer” computer program that was used in the data theft, Stephen Watt, was sentenced last December to two years in prison.

Lex Luthor Albert Gonzalez is awaiting sentencing and faces a minimum sentence of 17 years in prison.

Wired has a much more thorough report on the prosecution side of the TJX breach, which is worth a read not only by business folks, but by people who may get drawn into similar schemes.

Updated: Special thanks to the German Privacy Foundation for noting that I had the punishments for Mr. Zaman and Mr. Watt flipped in certain portions of the original posting. It is nice to have such friendly and professional communications from our friends in Germany.

Aetna Wins Dismissal on "Increased Risk of Identity Theft" Damages Sought for Class Action

Judge Legrome D. Davis of the United States District Court for the Eastern District of Pennsylvania issued an amended order on March 9th (amended from March 8th) dismissing a recent case seeking speculative damages arising from a data breach of Aetna’s job application web site. A copy of the opinion can be viewed here.

In Allison v. Aetna (09-2560), the plaintiffs sought, among other relief, damages for identity theft that might occur in the future. Mr. Allison’s identity had not been stolen at the time the complaint was filed (and presumably has not been since).

The facts are set forth in more detail in the attached opinion, but essentially hackers gained access to some 450,000 (!!!) job applicants’ personal information contained in Aetna’s job application web site database. Also taken were the Social Security numbers of Aetna employees (reports say 65,000 employees were affected). The applicants then received emails, purporting to be from Aetna, requesting additional personal information. It is unclear what additional information was actually sent by applicants, but it is a pretty safe assumption that at least some of the applicants were tricked into supplying it.

Judge Davis walks through a detailed analysis of “increased risk of harm” claims, and concludes that there is no legally cognizable injury based on such claims. A detailed analysis of recent decisions related to “increased risk of harm” claims arising in connection with data breaches is included in the opinion.

There was no proof that Mr. Allison’s personal information was ever accessed and the only information known for certain to be stolen was email addresses. Mr. Allison never received the phishing email, and an implication arises that no other information was taken if the phishers were asking for the same information. (I think the opposite inference is possible, that only those applicants for which more detailed information was not taken were "phished.") Judge Davis notes that “[a]t best, Plaintiff has alleged a mere possibility of an increased risk of identity theft, which is insufficient for purposes of standing, and he certainly has not asserted a credible threat of identity theft.”

This decision joins a growing line of cases where plaintiffs are not being allowed to collect damages where there has been no actual proof of harm.

A copy of the opinion can be found here.

HSBC Reports Information of 24,000 Account Holders Stolen

The AP is reporting that customers who held Swiss bank accounts with HSBC between late 2006 and early 2007 had their account information stolen by a former IT employee of an HSBC subsidiary. CBS News, also publishing an AP report, states that the number is 15,000 customers, although the 24,000 figure appears to come from a later publication. Affected customers are worldwide in scope.

If you were one of the affected customers, you apparently are already aware of the data breach because HSBC says that it contacted you. Stated another way, HSBC contacted you to tell you that your (presumably) secret Swiss bank account is not so much of a secret anymore.

The accounts have been closed, and there does not appear to be any real risk that the information will be used to access account holders’ accounts. That may sound reassuring to the customer being contacted. That is, unless the customer asks a few more questions.

“Well, where is my information,” you may have asked if you were one of the customers contacted. You probably had spent years funneling this money into your secret, non-taxed, Swiss bank account. You will not be happy if some criminal takes your illegally shielded money.

This is where the story takes an interesting turn. Apparently, the IT employee was not content to let the information sit in a drawer, and the data was "turned over" to the French government. What could possibly come from that, right?

We have read reports that the German government may be buying information on Swiss account holders. Now we can add the French government to that list. France released the names of 3,000 Swiss account holders in 2009. The AP story cites the same IT employee as one of the sources of the information on those 3,000 account holders.

Apparently the stolen data was returned by the French government to the Swiss government, and eventually made its way back to HSBC. Thank goodness. But wait, France still has copies of the information. Not to worry, the information will not be used "inappropriately" by the French government. It does, however, remain to be seen whether an appropriate use would be the prosecution of tax evaders.

It also is not immediately apparent what sanctions HSBC may face as a result of the breach, which triggers very strict European privacy laws.

Data Breaches Worse Than Thought

There is a very interesting article posted at Nextgov.com regarding major data breaches and thefts. The article can be found here.

The author, quoting James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, makes the point that the list of breaches would be much larger if smaller breaches were reported.

So how many breaches go unreported? Well, nobody knows for sure, but the number would almost certainly be staggering. With new federal requirements poised to go into effect, we may start to have a better idea of just how many breaches occur. At the very least, we may have a way to track those breaches that are actually reported.

Stolen Personal Data Continues to be Lucrative

Symantec Corp. has released its Internet Security Threat Report Volume XIV, and the news is excellent for thieves of personal information. Symantec reports that the income received by sellers of stolen personal information continues to be high.

Credit card information continues to reign supreme, generating from $0.06 to $30.00 per record, while access to email accounts, access to proxies and shell scripts saw the biggest rises from 2007 to 2008.

A recent article by the Associated Press focuses on economic factors related to the trading of stolen personal information. Citing reasons ranging from the bottoming out of prices, to sellers of stolen information not wanting to undercut each other, to the difficulty in obtaining PIN codes and security codes, to renewed efforts to scam information because of a failing economy, the article explains why prices are holding steady even though thefts are increasing.

However, the most interesting statistic may relate to so-called phishing scams. A study from Gartner estimated that more than 5 million persons in the United States were the victim of a phishing scam between September 2007 and September 2008, representing a forty percent (40%) increase over the prior twelve months.

Reports also indicate that the trading in financial information has become so lucrative, and apparently relatively easy, that “gangs” of hackers and traders have become more common and visible.

What this means is that one or both of these two things are happening: (1) those persons that set up phishing scams are getting even better at tricking unsuspecting people into providing their personal information, and (2) Internet users are not being nearly vigilant enough when it comes to “clicking” on emails and providing personal information online.

Issues for businesses are dramatic:

- Are employees falling for phishing scams on work computers, possibly allowing the installation of malicious software?

- Are your customers being duped into thinking that your business is communicating with them (which begs the question of whether you have educated your customers about the information you collect through email links)?

- Are you accepting payments that do not conform to the PCI Standards and/or do not request enough information to ensure that your payees are who they say they are?

Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.

Welcome to the Privacy Compliance and Data Security Blog

We are pleased to announce and launch Fox Rothschild’s Privacy Compliance and Data Security Blog. With a new President, a new national mission throughout government to secure and protect personal information and prevent cyber threats, as well as quickly evolving privacy requirements here and abroad, there could not be a better time to think about data privacy.

We decided to create this blog so that our clients and friends would have timely access to current, pending and anticipated requirements on such issues as privacy compliance, data security and breach notification. Although we do not expect every topic on our blog to be important to you, we hope to provide our readers with information regarding a wide array of issues and developments that are relevant in today’s world. While you may be reading our blog because you want to ensure that your business complies with applicable laws, privacy laws and practices affect all of our daily lives on business, personal and professional levels. Whether you find your business responding to a data breach, or you are concerned about more closed-circuit cameras in public places and less personal restraint on online social networks, our blog may be helpful to you.

We encourage active discussion and an exchange of ideas on our blog. We hope that your visit to our blog stimulates new ideas and initiatives. Whether you decide to share your ideas with us, or simply review our posts, we appreciate your participation. Please sign up for either our RSS feed or email alerts.

Mark McCreary
215.299.2010
mmccreary@foxrothschild.com

Amy C. Purcell
215.299.2798
apurcell@foxrothschild.com

Scott L. Vernick
215.299.2860
svernick@foxrothschild.com