London firm at centre of hack redirecting 300,000 routers

A London-registered company appears to be at the centre of a massive attack that is redirecting traffic from 300,000 routers, a security firm has said.

First American Bank Reports Data Breach in Chicago Taxis

First American Bank has filed a complaint with the City of Chicago following reports of a data breach involving customer debit cards used in taxis in the city. The banking company, based in Elk Grove Village, is advising customers not to use debit cards, or any other cards, in local taxis and has filed a complaint with the City of Chicago Department of Business Affairs and Consumer Protection. The bank alleges that a data breach occurs when a card is used in city taxis, including American United, Checker, Yellow, Blue Diamond and others that utilize Taxi Affiliation Services and Dispatch Taxi to process card transactions. The bank said about 11 customers have been notified about charges on their accounts and that thieves have tried to make almost 500 fraudulent charges to cards, totaling $62,000. "It makes you nervous," said taxi rider Matt King. First American Bank reported knowledge of the breach to MasterCard just over two weeks ago, but transactions continue to be presented, according to a release from the company.

BoI customers hit as skimmers hack into their current accounts

A GARDA investigation is under way after hundreds of Bank of Ireland (BoI) customers had their accounts skimmed in two branches over the weekend

Probe confirms Karachi Stock Exchange insider security breach; many fired, put on Exit Control List

KARACHI: A detailed probe by a professional firm has confirmed that the security system of the Karachi Stock Exchange (KSE) was breached through unauthorised access, a fact first revealed by two KSE whistleblowers, who have also been identified. The report, finalised in December 2013, found that two undocumented virtual private networks (VPNs) were operating for private trading. The breach was unearthed after the two whistleblowers accused senior staff members, including Managing Director Adnan Afridi, of accessing sensitive trading data through a secret backdoor network and of reading other staff members' e-mails without authority. The KSE board asked the Internal Audit Department to investigate the matter. The Internal Audit Department seized some of the IT staff's computers, and what it found on them was shocking: evidence of vendors paying for unreported foreign trips by IT staff, including IT head Abdullah Jan Farooqi, and, in addition, back-door access to the stock exchange's computer system from outside the KSE premises. Some KSE board members expressed concern and termed the practice a breach of trust that allowed staff and outsiders to see the buy and sell orders of companies and individuals trading on the exchange. The board reacted by hiring a respected consulting company to investigate the matter. What it found was a litany of information that led to the unravelling of this fraud. The report found that former MD Adnan Afridi used to access trading data related to specific UINs, and that certain confidential trade-related data was found on the system of an IT staff member, Farooq Daudpota. According to the report, Adnan Afridi and key IT staff, including IT head Abdullah Jan, had secret programmes running on the KSE's main computers that gave them access to the trading of large investors, including many foreign funds.

Mr Afridi, Mr Jan and others could access the trading data live from the KSE and also from remote locations. The report expressed disappointment with the statements of IT General Manager Abdullah Jan Farooqi about the date on which the first VPN was disabled. The report states that the investors whose account data is believed to have been compromised through tracking of their UIN-level data included: Citigroup Global Markets, Merrill Lynch International, Merrill Lynch Pierce Fenner & Smith, Mallen Securities, Auerbach Grayson, Deutsche Bank, Morgan Stanley, Dubai Investment Group, Bear Stearns, Prince Street, Old Lane, Safra, Solara, SG Securities, Arab Emirates Investment Bank, BNP Paribas, Allied Bank, Bestway Holdings and Al-Baraka Investment Company. Adnan Afridi responded to these allegations by saying that he looked at investors' trading data because the KSE had no surveillance department and, as MD, he was doing the surveillance himself. Two facts undermine this statement. First, the KSE did have a surveillance department, so the claim was untrue and there was no need for him to do a job that an entire department existed to do. Second, the report states that the MD looked at the UINs of specific institutions and individuals, meaning that only selected market participants' trading interested him. A KSE trader said that, at a time when the KSE was performing well, such reports could damage its name. Most importantly, questions were raised as to why the stock exchange's management had been silent on the matter since the summer of 2013. KSE Managing Director Nadeem Naqvi told ‘The News’ that the inquiry was under way and that he hoped to receive the final report by the end of this month.

He claimed that the report did not accuse any person, but that action would be taken against those responsible once the final report was received. Replying to a question, he said that there had been no breach of trust and that no employee had accessed the network for any benefit. The management, he said, had decided to establish an alternative network in view of the law and order situation in Karachi, but the staff had started testing the system without prior permission. This, he added, was outside procedure, but it had been confirmed that the staff had not done anything secretly. Naqvi denied that he was protecting anyone because big names in the stock market, such as Aqeel Karim Dhedhi, were backing them. He said he was a professional and that his loyalties lay with the organisation, not with any individual. He confirmed that he remained a director of AKD Securities, the company owned by Aqeel Kareem Dhedhi, and that, owing to certain matters concerning AKD Securities, the apex court had placed his name, along with those of other directors, on the Exit Control List (ECL). He said it was a misperception that the 2008 crisis was the result of wrongdoing by the management. Apart from the claims and clarifications of MD Naqvi, it is a fact that the KSE management has fired many employees of the IT section and that the head of the IT section, Abdullah Jan, has been sent on forced leave. Sources within the KSE are of the view that the present MD is reluctant to take action against those responsible for the big fraud because of their connections with some big names at the KSE; that is why he is neither forming a committee to probe the issue nor informing the regulator, the SECP. Former KSE managing director Adnan Afridi told ‘The News’ that he had access to the data after trades were executed, that he did not have any access to live trading, and that this was not unauthorised. “As MD, I was authorised to watch the data for surveillance purposes.” He added that he was not involved in any kind of irregularity and that the KSE was inquiring into the IT department staff, not him.

The head of the KSE IT section, Abdullah Jan, first refused to comment on any matter but then briefly gave his version. He confirmed that the KSE management had sent him on forced leave and that an inquiry was under way against him. Mr Jan also confirmed that many employees of the IT section had been fired. He denied any unauthorised access to data.

UK man charged with hacking US Federal Reserve

A British man faces new charges in the U.S.

Hackers arrested over data leakage

Authorities said yesterday that they have arrested three hackers suspected of leaking the personal data of 17 million people from 225 websites

Standing committee passes ‘Privacy Act’ to beef up regulations on personal data

To strengthen regulations on protecting personal information following a recent data leak by credit card companies here in Korea, a new privacy protection bill is moving through the National Assembly. The bill, passed Wednesday by the Security and Public Administration standing committee, would require financial institutions and other public companies to use encrypted passwords to protect resident registration numbers.

Failure to adequately redact results in undertaking for Treasury Solicitor’s Department

In the UK, the Treasury Solicitor’s Department has signed an undertaking with the Information Commissioner’s Office. As described in the undertaking, there had been a number of self-reported breaches involving exposure of individuals’ information due to incomplete redactions or a failure to fully check documents before release: The Information Commissioner (the ‘Commissioner’) was contacted by the data controller on 6 February 2012, 24 August 2012, 30 August 2012 and 3 January 2013 and was made aware of several separate breaches of the Act. Three of the self-reported breaches involved case files being sent to a claimant’s solicitor and then on to the claimant during the course of litigation with un-redacted third party personal data contained within them. These incidents resulted in the personal data being disclosed in error to third parties. The fourth and remaining self-reported breach involved a bundle of case papers relating to an unfair dismissal claim. These were sent to an individual during the process of the claim and contained personal data relating to another individual’s separate claim. This incident resulted in third party personal data being disclosed in error. Although the department had some measures in place, as evidenced by the fact that in the first three breaches some data had been redacted, the ICO determined that there were gaps in the department’s procedures that needed further improvement. Under the conditions of the undertaking, the department must ensure that: (1) a clear, documented procedure for staff to follow when preparing information for disclosure is implemented within 6 months. This should incorporate a defined checking process with emphasis on the steps to be taken prior to release. 
The procedure should account for both sensitive personal data and personal data relating to third parties; (2) the communication requirements between junior and senior lawyers carrying out the disclosure process are defined by a structured, formal procedure with clear lines of communication and implemented within 6 months. The responsibilities of staff members should be clearly explained within this procedure; and

Asylum seeker data breach: no decision yet on whether to inform those affected

Australia’s top immigration bureaucrat has told a Senate committee he is yet to make a call on whether asylum seekers will be told that his department released their confidential personal details on its website. Martin Bowles, secretary of the Department of Immigration and Border Protection, characterised the data breach as “regrettable” but appeared to play down the current risk, saying there was “no evidence to suggest data on individuals is actually in the public arena at this stage”. Guardian Australia revealed last week that the personal details of a third of all asylum seekers held in Australia – almost 10,000 adults and children – had been inadvertently released by the department in one of the most serious privacy breaches in Australia’s history. A vast database containing the full names, nationalities, location, arrival date and boat arrival information was revealed on the department’s website, raising concerns about whether those identified could be placed at risk of retribution if they are returned to their countries of origin. The Labor frontbencher Kim Carr asked Bowles at a Senate estimates committee hearing in Canberra whether it was fair to characterise the publication of the details on the department’s website as a serious “stuff-up”. Bowles said it was a “regrettable incident” and “inadvertent breach of privacy” and he had commissioned an independent review into how it happened, its implications and how to prevent a recurrence, with interim advice expected to arrive this Friday. He would not say how many people had downloaded the relevant file, but indicated the department was preparing a list of IP addresses of web users who had accessed it.
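The first step of the exercise the department describes, working out which addresses actually fetched the file, is an access-log pass. The following Python is an added example, not code from the department or from Guardian Australia; the log lines, addresses and the path `/reports/detention-stats.docx` are constructed for it. It counts only GET requests that returned content (200 or 206), so a crawler's HEAD probe or a 404 is not mistaken for a download.

```python
import re
from datetime import datetime

# Constructed access-log lines in the common "combined" format. Addresses are from
# documentation ranges and the path is a placeholder; nothing here is from the incident.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2014:09:12:01 +1100] "GET /reports/detention-stats.docx HTTP/1.1" 200 5123456 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2014:09:12:44 +1100] "GET /reports/detention-stats.docx HTTP/1.1" 200 5123456 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Feb/2014:14:03:10 +1100] "GET /reports/detention-stats.docx HTTP/1.1" 206 1048576 "-" "curl/7.30.0"
198.51.100.23 - - [11/Feb/2014:14:03:12 +1100] "GET /reports/detention-stats.docx HTTP/1.1" 206 1048576 "-" "curl/7.30.0"
192.0.2.77 - - [12/Feb/2014:22:45:00 +1100] "GET /reports/detention-stats.docx HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.78 - - [12/Feb/2014:22:46:00 +1100] "GET /reports/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.79 - - [13/Feb/2014:03:00:00 +1100] "HEAD /reports/detention-stats.docx HTTP/1.1" 200 0 "-" "Googlebot/2.1"
"""

TARGET = "/reports/detention-stats.docx"   # hypothetical path of the exposed file

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def downloads_of(log_text, target_path):
    """Return {ip: {first, last, requests, bytes, agents}} for requests that returned
    content for target_path: GET with status 200 or 206. HEAD, errors and other paths
    are ignored, so a probe or a broken link is not counted as a download."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != target_path:
            continue
        if rec["method"] != "GET" or rec["status"] not in (200, 206):
            continue
        entry = out.setdefault(rec["ip"], {"first": rec["ts"], "last": rec["ts"],
                                           "requests": 0, "bytes": 0, "agents": set()})
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
        entry["requests"] += 1
        entry["bytes"] += rec["size"]
        entry["agents"].add(rec["ua"])
    return out


def summary(log_text, target_path):
    """Headline numbers for the incident report: distinct addresses, requests, bytes, window."""
    hits = downloads_of(log_text, target_path)
    return {
        "distinct_ips": len(hits),
        "requests": sum(h["requests"] for h in hits.values()),
        "bytes": sum(h["bytes"] for h in hits.values()),
        "first_seen": min((h["first"] for h in hits.values()), default=None),
        "last_seen": max((h["last"] for h in hits.values()), default=None),
    }


if __name__ == "__main__":
    for ip, h in downloads_of(SAMPLE_LOG, TARGET).items():
        print(ip, h["requests"], "requests", h["bytes"], "bytes", sorted(h["agents"]))
    print(summary(SAMPLE_LOG, TARGET))
```

Two caveats apply when this is used for real: an address is not a person (NAT, proxies and any CDN or load balancer in front of the server all hide the true client, in which case the forwarded-for header must be logged and used instead), and partial-content responses (206) mean the byte total, not the request count, tells you whether a client completed the download.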

Thesis on data breach disclosure wins XS4All prize

Dutch ISP XS4ALL and the law firm Brinkhof have awarded their annual Internet Thesis prize to a masters student researching required disclosure of data breaches

Study shows recycled computers give away personal information

A study commissioned in Australia by the National Association for Information Destruction (NAID), a non-profit data protection watchdog, has found significant amounts of personal information left on recycled computers. For the organisations recycling their drives, this is a data breach problem; for individuals, their most private information is at risk. The NAID-ANZ Secondhand Hard Drive Study, completed in January 2014 and published 19 Feb., showed that 15 of 52 randomly purchased hard drives, approximately 30 percent, contained highly confidential personal information. Seven of the 15 devices had been recycled by individuals; eight had been recycled by law firms, a government medical facility and a community centre. The results come just before the new Privacy Act reforms take effect on 12 March, requiring organisations to safeguard people’s personal information. “The study is rather simple,” said NAID CEO Bob Johnson. “We randomly purchased 52 recycled computer hard drives from a range of publicly available sources, such as eBay. We then asked a highly reputable forensic investigator, Insight Intelligence Pty. Ltd, to determine whether confidential information was on those drives. The procedure used to find the information is intentionally very basic and did not require an unusually high degree of technical heroics. Had the data been properly erased, it could not have been found.” Information on the hard drives in the NAID-ANZ study included spreadsheets of clients’ and account holders’ personal information, confidential client correspondence, billing information and personal medical information. For example, Insight Intelligence found an entire mailbox with numerous e-mails and attachments relating to the innermost workings of a medical facility. Where the hard drives had previously been owned by an individual, they contained that person's confidential details, including images of a highly personal nature and account information. 
“While it might be tempting to dismiss these results given the sample size,” said Johnson, “it is actually very disturbing. When you consider that the Australian Bureau of Statistics most recent estimates put the number of computers retired annually at over 15 million, the likely amount of private data put at risk in this manner is staggering. People from anywhere in the world can buy these drives online, and you can be sure the ‘bad guys’ amongst them know how to use the information for evil. With the viral nature of social media, one can only imagine what could happen if someone decided to share any highly personal images and videos they have found on these drives.” Also, where personal information was found, there were indications that someone had attempted to remove the information but failed to do so. Mario Bekes, Insight Intelligence’s managing director, said proper removal of data from computer hard drives requires more than just pressing the delete button. “Even if they try to do it properly, private individuals and businesses take a big risk by attempting to erase hard drives themselves,” said Bekes. “It is not really a do-it-yourself project.” Bekes also encourages consumers and businesses to be careful when selecting a recycling service. “It’s a noble idea to recycle a computer, tablet or smartphone,” said Bekes. “But it’s important to know the recycling company has the proper technical expertise and takes data destruction seriously. Unfortunately, many recyclers treat data removal rather casually.” “The effective disposal of confidential information is an issue that is easily overlooked,” said Johnson. “We consider it a public service to remind policymakers and consumers of this ongoing vulnerability. 
Unfortunately, those who capitalise on easy access to this information are already aware of it.” NAID has offered to provide a detailed report of the results, as well as the hard drives themselves, to the Office of the Australian Information Commissioner (OAIC) to facilitate an official regulatory inquiry. Should the OAIC decline, the association will ensure the hard drives are securely destroyed to protect those put at risk.
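To show concretely what "pressing the delete button" leaves behind and why an overwrite is needed, here is an added Python simulation; it is not code from NAID or Insight Intelligence, and the file names and contents are constructed. It models a toy block device on which delete only drops the directory entry (as real filesystems do), a carving pass that scans the raw blocks regardless of the directory, and an overwrite-then-unlink `shred`.

```python
import os

BLOCK = 512  # bytes per block on the toy disk


class ToyDisk:
    """A flat byte array plus a directory table mapping file names to block lists.
    Mirrors the property that matters here: unlinking a file touches the table, not the data."""

    def __init__(self, nblocks=32):
        self.data = bytearray(nblocks * BLOCK)
        self.table = {}                   # name -> (list of block numbers, byte length)
        self.free = list(range(nblocks))  # blocks available for allocation

    def write(self, name, payload):
        need = -(-len(payload) // BLOCK)  # ceiling division
        if need > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(need)]
        for i, b in enumerate(blocks):
            chunk = payload[i * BLOCK:(i + 1) * BLOCK]
            self.data[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.table[name] = (blocks, len(payload))

    def read(self, name):
        blocks, size = self.table[name]    # KeyError once the entry is gone
        raw = b"".join(bytes(self.data[b * BLOCK:(b + 1) * BLOCK]) for b in blocks)
        return raw[:size]

    def delete(self, name):
        """What 'delete' does on most filesystems: forget the mapping, keep the bytes."""
        blocks, _ = self.table.pop(name)
        self.free.extend(blocks)

    def shred(self, name, passes=1):
        """Overwrite the file's blocks (random data, then zeros), then unlink."""
        blocks, _ = self.table[name]
        for _ in range(passes):
            for b in blocks:
                self.data[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)
        for b in blocks:
            self.data[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
        self.delete(name)

    def carve(self, needle):
        """Forensic-style scan of the raw device for a byte pattern, ignoring the directory."""
        hits, pos = [], self.data.find(needle)
        while pos != -1:
            hits.append(pos)
            pos = self.data.find(needle, pos + 1)
        return hits


def demo():
    """Constructed scenario: one file deleted, one shredded; carve for both afterwards."""
    disk = ToyDisk()
    disk.write("clients.csv", b"client,account,balance\nA. Example,12345678,9100.00\n")
    disk.write("notes.txt", b"confidential: merger talks on Monday\n")
    disk.delete("clients.csv")   # the directory listing is empty of it ...
    disk.shred("notes.txt")      # ... and so is this one, but only one is actually gone
    return {
        "listing": sorted(disk.table),
        "after_delete": len(disk.carve(b"12345678")),     # account number still on disk
        "after_shred": len(disk.carve(b"merger talks")),  # nothing left to find
    }


if __name__ == "__main__":
    print(demo())
```

A deleted file's blocks are only overwritten when something else happens to be allocated there, which is why the study's "very basic" procedure succeeds. On real hardware a per-file overwrite is also not enough: journaling and copy-on-write filesystems and SSD wear levelling can leave old copies of the blocks in places a file-level tool never touches, so disposal should use a device-level erase (ATA Secure Erase via `hdparm`, `nvme format` with secure-erase settings, or `blkdiscard` on drives that honour it), or full-disk encryption from day one with the key destroyed at disposal, and then a raw carving pass over the device, like the one above, to verify.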

Neiman Marcus Missed 60,000 Alerts As Hackers Stole Credit Card Info

The hackers who raided the credit-card payment system of Neiman Marcus Group set off alerts on the company’s security systems about 60,000 times as they slunk through the network, according to an internal company investigation. The hackers moved unnoticed in the company’s computers for more than eight months, sometimes tripping hundreds of alerts daily because their card-stealing software was deleted automatically each day from the Dallas-based retailer’s payment registers and had to be constantly reloaded. Card data were taken from July through October. The 157-page analysis, which is dated Feb. 14, also shows that the Neiman Marcus breach is almost certainly not the work of the same hackers who stole 40 million credit card numbers from Target (TGT), said Aviv Raff, an Internet-security expert. “The code style and the modus operandi look totally different,” said Raff, chief technology officer of Israel-based Seculert, after Bloomberg News provided him with details of the malware reviewed in the report. “The attackers were using a specific code for a specific network, and the way they were writing their code doesn’t seem to be related to the way that the attackers on the Target breach were.” Ginger Reeder, a spokeswoman for Neiman Marcus, says the hackers were sophisticated, giving their software a name nearly identical to the company’s payment software, so any alerts would go unnoticed amid the deluge of data routinely reviewed by the company’s security team. “These 60,000 entries, which occurred over a three-and-a-half month period, would have been on average around 1 percent or less of the daily entries on these endpoint protection logs, which have tens of thousands of entries every day,” Reeder says. The company’s investigation has found that the number of customer cards exposed during the breach was lower than the original estimate of 1.1 million. 
The maximum number of customer cards exposed, according to the most recent estimate, is less than 350,000, Reeder says. Approximately 9,200 of those have been used fraudulently since the attack, she says.
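The signal Neiman Marcus missed, a look-alike file name quarantined again and again on the same registers because the malware was reloaded every day, is hard to see line by line in a log with tens of thousands of entries and easy to see once alerts are aggregated by file name. The following Python is an added example, not material from the company's report or from Seculert; the log format, host names, and the binary names `posreg.exe` (standing in for the legitimate register software) and `posreg_.exe` (the look-alike) are hypothetical and the log lines are constructed.

```python
import re

# Constructed endpoint-protection log lines (not from the Neiman Marcus investigation).
SAMPLE_LOG = """\
2013-07-16T03:12:09 host=REG-0142 action=quarantine path=C:\\POS\\posreg_.exe
2013-07-16T03:12:11 host=REG-0142 action=quarantine path=C:\\POS\\posreg_.exe
2013-07-16T03:15:40 host=REG-0208 action=quarantine path=C:\\POS\\posreg_.exe
2013-07-16T09:00:01 host=WS-0033 action=block path=C:\\Users\\j\\Downloads\\setup.exe
2013-07-17T03:11:58 host=REG-0142 action=quarantine path=C:\\POS\\posreg_.exe
2013-07-17T03:16:02 host=REG-0208 action=quarantine path=C:\\POS\\posreg_.exe
2013-07-18T03:12:30 host=REG-0142 action=quarantine path=C:\\POS\\posreg_.exe
2013-07-18T03:12:33 host=REG-0311 action=quarantine path=C:\\POS\\posreg_.exe
2013-07-18T11:20:00 host=WS-0033 action=block path=C:\\Users\\j\\Downloads\\setup.exe
2013-07-19T03:13:01 host=REG-0142 action=quarantine path=C:\\POS\\posreg_.exe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) action=(?P<action>\S+) path=(?P<path>.+)$")


def levenshtein(a, b):
    """Edit distance; small values against an allow-listed name mean 'look-alike'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def recurring_lookalikes(log_text, known_good, max_dist=2, min_days=3, min_hosts=2):
    """Aggregate alerts per file name and flag names that (a) are within max_dist edits of a
    known-good binary without being it and (b) keep coming back: seen on at least min_days
    distinct days and min_hosts distinct hosts. Returns findings, busiest first."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name = basename(m["path"])
        day = m["ts"][:10]
        s = stats.setdefault(name, {"alerts": 0, "days": set(), "hosts": set(), "per_host_days": {}})
        s["alerts"] += 1
        s["days"].add(day)
        s["hosts"].add(m["host"])
        s["per_host_days"].setdefault(m["host"], set()).add(day)

    findings = []
    for name, s in stats.items():
        closest = min(known_good, key=lambda g: levenshtein(name, g.lower()))
        dist = levenshtein(name, closest.lower())
        if dist == 0 or dist > max_dist:       # the real binary, or nothing like it
            continue
        if len(s["days"]) < min_days or len(s["hosts"]) < min_hosts:
            continue
        findings.append({
            "name": name, "closest": closest, "distance": dist,
            "alerts": s["alerts"], "days": len(s["days"]), "hosts": len(s["hosts"]),
            # the same host re-quarantining the same file day after day is the reload pattern
            "max_days_on_one_host": max(len(d) for d in s["per_host_days"].values()),
        })
    return sorted(findings, key=lambda f: -f["alerts"])


if __name__ == "__main__":
    for f in recurring_lookalikes(SAMPLE_LOG, ["posreg.exe"]):
        print(f)
```

The point of the aggregation is that the volume argument ("around 1 percent of daily entries") cuts the other way once alerts are keyed by name: a single name responsible for hundreds of quarantines a day on payment endpoints, one edit away from the register software, stands out however large the rest of the log is. Raising the thresholds or restricting `known_good` to binaries that should be on registers keeps it quiet on ordinary workstation noise such as the `setup.exe` lines above.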

Police arrest two involved in Aviva data leak

Andrew Pearce reported on Feb. 13: Aviva has sacked two members of staff after customer claims information and car details may have been accessed or disclosed to third party companies. The insurer confirmed that when the “illegal activity” was identified, the Insurance Fraud Enforcement Department was immediately contacted. And the Insurance Fraud Enforcement Department (IFED) confirmed it is investigating two separate reports of theft of information following two referrals from Aviva.

Stradishall hacker Lauri Love re-bailed over the charge of hacking US Army and NASA computer systems

A Baptist minister’s son charged with hacking into American computer systems has been re-bailed until May.

UK: Barclays cybertheft involved cooperation of employee

Details of the methodology used by a gang that allegedly engineered an attack on a Barclays Bank computer last autumn emerged in court this week. As reported late last year, eight men were arrested in connection with a £1.25 million fraud against the bank, with police confiscating cash, Rolex watches and credit cards thought to have been associated with the fraud. At the time, police said the gang attacked a computer in the Swiss Cottage (London) branch of Barclays, transferring money from the branch to accounts held elsewhere. In a trial at Southwark Crown Court this week, it emerged that a bank employee is alleged to have helped the gang attach a KVM (keyboard/video/mouse) adapter to the bank's PC, allowing members of the gang to access the computer remotely. The gang is then alleged to have used the employee's credentials to make a total of 128 transfers from six business accounts. Each transfer was kept under the £10,000 limit above which UK banks carry out further checks on inter-bank transfers, sometimes with the Bank of England.
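Keeping every transfer just under a checking threshold is a recognisable pattern (structuring), and it is visible after the fact if you look at amounts clustered just below the limit in a short time window, and look at the operator credential across accounts rather than at each account in isolation, since here one employee's credentials were used across six accounts. The following Python is an added example, not the bank's or the court's material; the account names, operator IDs, amounts, the 24-hour window and the 15% band are constructed, and only the £10,000 figure comes from the report above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10_000.0          # per-transfer limit before further checks (figure from the report)
BAND = 0.15                   # amounts within 15% below the limit count as "just under" (assumed)
MIN_COUNT = 4                 # at least this many just-under transfers ...
WINDOW = timedelta(hours=24)  # ... within this long (assumed)


def just_under(amount, threshold=THRESHOLD, band=BAND):
    return threshold * (1 - band) <= amount < threshold


def flag_structuring(transfers, group_by="src", threshold=THRESHOLD, band=BAND,
                     min_count=MIN_COUNT, window=WINDOW):
    """Group just-under transfers by `group_by` ("src" account or "operator" credential),
    then slide a time window over each group and report the densest run that reaches
    min_count. Transfers over the threshold are ignored: the bank's own checks cover those."""
    groups = defaultdict(list)
    for t in transfers:
        if just_under(t["amount"], threshold, band):
            groups[t[group_by]].append(t)

    findings = []
    for k, items in groups.items():
        items.sort(key=lambda t: t["ts"])
        best, j = None, 0
        for i in range(len(items)):
            while items[i]["ts"] - items[j]["ts"] > window:
                j += 1                       # drop transfers that fell out of the window
            n = i - j + 1
            if n >= min_count and (best is None or n > best[0]):
                best = (n, j, i)
        if best is None:
            continue
        n, j, i = best
        run = items[j:i + 1]
        findings.append({
            "key": k, "count": n,
            "total": round(sum(t["amount"] for t in run), 2),
            "start": run[0]["ts"], "end": run[-1]["ts"],
            "sources": sorted({t["src"] for t in run}),
            "destinations": sorted({t["dst"] for t in run}),
            "operators": sorted({t["operator"] for t in run}),
        })
    return findings


# Constructed transfer records (not real account or transaction data).
T0 = datetime(2013, 4, 4, 14, 0)


def tx(src, minutes, amount, dst, operator):
    return {"src": src, "ts": T0 + timedelta(minutes=minutes), "amount": amount,
            "dst": dst, "operator": operator}


SAMPLE_TRANSFERS = [
    tx("ACME-001", 0, 9800.00, "X-1", "emp42"),
    tx("ACME-001", 7, 9650.00, "X-2", "emp42"),
    tx("ACME-001", 15, 9900.00, "X-1", "emp42"),
    tx("ACME-001", 22, 9720.00, "X-3", "emp42"),
    tx("ACME-001", 31, 9850.00, "X-2", "emp42"),
    tx("ACME-001", 40, 250.00, "SUPPLIER", "emp07"),
    tx("BETA-002", 5, 45000.00, "PAYROLL", "emp07"),       # over the limit: checked anyway
    tx("BETA-002", 60, 1200.00, "SUPPLIER", "emp07"),
    tx("GAMMA-003", 0, 9900.00, "X-1", "emp42"),
    tx("GAMMA-003", 7 * 24 * 60, 9900.00, "X-1", "emp42"),  # a week later: outside the window
]

if __name__ == "__main__":
    print("by account:", flag_structuring(SAMPLE_TRANSFERS))
    print("by operator:", flag_structuring(SAMPLE_TRANSFERS, group_by="operator"))
```

Grouping by account catches ACME-001 on its own; grouping by the operator credential also pulls in the single just-under transfer from GAMMA-003 made with the same login, which is the view that matches a stolen-credential case spread across several accounts. In practice this sits alongside controls the court evidence points to but which no transaction rule can supply: detecting an unexpected device on a branch PC, and treating a remote session on a teller workstation as an incident in itself.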

Global hackers hit Venezuelan government, servers ‘falling like dominoes’

Hackers around the world are setting their sights on Venezuela's government web properties following violent repression against anti-government protesters and instances of internet censorship.

Hackers post hundreds of thousands of user credentials on web

Swiss information security and computer forensics company High-Tech Bridge recently carried out research and found that 311,095 user credentials, log-in and password pairs for various services, websites and e-mail accounts, had been posted on Pastebin. Set up in 2007, the website is primarily designed for storing text for a certain period of time, but has more recently been adopted by hackers to publish, to give just a few examples, compromised account details from Comcast, the FBI, Tesco and the Singapore government. The firm adds that each leak record it counted on Pastebin contains 1,000 user credentials, and suggests that most leaks come from hacktivists who post the personal data and passwords of law enforcement and security agencies simply to show that it is possible. Company CEO Ilia Kolochenko told SCMagazineUK.com that hackers primarily take to Pastebin to show off their expertise rather than for direct financial gain, and often belong to hacktivist groups such as Anonymous and LulzSec. “It's a proof of concept; they'd like to show that they've hacked someone.” The company went on to note: “The posts are, in effect, adverts for the attackers' capabilities.”

NT government proposes identity theft, card skimming penalties

Proposed amendments to the Northern Territory’s Criminal Code would make it an offence to collect and store identification details about another person for the purposes of identity theft. Under current legislation, a person who obtains someone else’s ID details cannot be prosecuted until they commit a crime. Speaking in the NT parliament this week, Attorney-General John Elferink said that if a person has all the “precursors” in place to commit a crime, they should be charged.

Well.ca loses customer credit card data in security breach

Well.ca, a Canadian online retailer for health and beauty products, has suffered a data breach, losing the credit card information of “a few thousand” of its customers.

Immigration Department data lapse reveals asylum seekers' personal details

The personal details of a third of all asylum seekers held in Australia – almost 10,000 adults and children – have been inadvertently released by the Department of Immigration and Border Protection in one of the most serious privacy breaches in Australia’s history. A vast database containing the full names, nationalities, location, arrival date and boat arrival information was revealed on the department’s website, raising serious concerns that thousands of asylum seekers have had confidential details made public. Every single person held in a mainland detention facility and on Christmas Island has been identified in the database, as well as several thousand who are living in the community under the community detention program. A large number of children have been identified in the release, which also lists whether asylum seekers are part of family groups. The breach raises serious questions about whether those identified could be placed at risk of retribution if they are returned to their countries of origin. The disclosure of the database is a major embarrassment for the federal government, which has adopted a policy of extreme secrecy on asylum-seeker issues. The asylum seekers named range in age from newborns to people over 80. They come from countries including Sri Lanka, Afghanistan, Iran and Syria and arrived in Australia as late as September. Some have been in detention for more than 1000 days. Guardian Australia has chosen not to identify the location of the data and made the department aware of the breach before publication. The Department of Immigration has released a statement saying the information was never intended to be in the public domain.
