Ameriprise, 230,000 SSNs, Stolen Laptop

On Wednesday, Ameriprise Financial, an investment advisor firm, said that a company laptop stolen from an employee’s parked car in December contained the personal information of some 230,000 customers and company advisors, The New York Times reports.

The sensitive information contained in the laptop included the names and Social Security numbers of roughly 70,000 current and former financial advisors, as well as the names and internal account numbers of about 158,000 customers.

Andrew MacMillan, an Ameriprise spokesperson, said the culprits likely had no idea that the laptop contained sensitive information, and that in turn the potential risk of “any data being used or discovered is very low.” MacMillan noted that the laptop was protected by a password, but the data was not encrypted, a blatant breach of the company’s privacy regulations. Ameriprise has fired the employee involved.

Via CSOBlog.

Introducing Debix

I’m at Black Hat Federal this week, helping introduce Debix. Of all the systems that I’ve heard about to combat identity theft, Debix’s stands far above the crowd, which is why I’ve joined their advisory board:

In the physical world, we have the ability to place locks on everything from cars to safety deposit boxes to bicycles. Debix offers physical locks that put you in control of your electronic accounts.

Using patent-pending Debix Lock(TM) technology, Debix provides consumers with a familiar and convenient way to lock and unlock access to your most important on-line information, making your passwords, social security number, and other personal information useless to identity thieves.

UDel breach twofer

The University of Delaware “UDaily” reports on two breaches:

[A] computer in the School of Urban Affairs and Public Policy was attacked sometime between Nov. 22-26 by an unknown hacker, and it contained a portion of a database that included Social Security numbers for 159 graduate students.
A back-up hard drive was stolen from the Department of Entomology and Wildlife Ecology some time between Dec. 16-18, and a police report was filed Dec. 19. […] [I]t is believed the theft of the hard drive was an afterthought. The hard drive contained personal information on a few individuals, and Jack B. Gingrich, a postdoctoral fellow in the department whose hard drive was stolen, has informed all those involved.

From the Do As We Say Dept.

Everyone knows that the Motion Picture Association of America is very much against unauthorized copying of movies. Then why is the MPAA admitting that it copied a movie, when it was specifically told not to by the copyright owner?

The movie in question is Kirby Dick’s This Film Is Not Yet Rated. According to the story in the Los Angeles Times, Dick specifically requested via e-mail that the MPAA not make copies of the movie. In spite of the very clear wishes of the copyright owner, the MPAA went ahead and made additional copies for its internal use anyway.

Via Dan Kim, “MPAA Hypocrisy.”

Various Oregon credit unions, debit cards, organized fraud ring?

This one seems to have slipped below the radar.
From the January 25 Corvallis, Oregon Gazette-Times:

Fair Isaac Corp., a Minnesota-based data security provider, late last week alerted the OSU Federal Credit Union, Citizens Bank, Benton County Schools Credit Union and Central Willamette Community Credit Union that customer debit cards bearing the Visa imprint may have been compromised.
Fair Isaac would not return calls seeking an exact tally of customers affected, but at least 1,200 accounts of OSU Federal customers alone were flagged. If all of those cases turn out to represent actual identity thefts or account raids, that would make this a significant instance of electronic piracy; the total number of Oregon identity theft cases reported to the Federal Trade Commission in 2004 was 3,156.

Also in the article is this little teaser:

[T]he facts still emerging indicate that Corvallis may have been part of what is shaping up to be a national debit card and identity theft raid. The FBI is investigating where the thefts originated — a process that could take months or longer.

From earlier coverage we learn that

It’s not clear exactly what happened to trigger the alert, but officials at area financial institutions stress that their computer systems have not been breached.
The problem, they say, appears to have occurred at some other point in the electronic economy — perhaps at a retail business that accepts debit card payments or at a third-party vendor that processes the payments.
Fair Isaac Corp. did not return a phone call Monday seeking more details about the security breach.

Each of the affected institutions is replacing customers’ cards, showing that the “Alabama rule” is now the way it’s done.

NSA Wiretaps: General Hayden Speaks

In “Hayden Delivers Impassioned Defense of NSA,” Powerline excerpts Hayden’s Speech to the National Press Club (PDF). One section that jumped out at me was:

GEN. HAYDEN: You know, we’ve had this question asked several times. Public discussion of how we determine al Qaeda intentions, I just — I can’t see how that can do anything but harm the security of the nation. And I know people say, “Oh, they know they’re being monitored.” Well, you know, they don’t always act like they know they’re being monitored. But if you want to shove it in their face constantly, it’s bound to have an impact. [C]onstant revelations and speculation and connecting the dots in ways that I find unimaginable, and laying that out there for our enemy to see cannot help but diminish our ability to detect and prevent attacks.

It jumped out at me because I discussed precisely this issue about a month ago:

The first is enhancing terrorist awareness of their threat environment. This is important. As time passes, people become complacent. As they become complacent, their investment in security processes drops off.

In “Do Wiretap Revelations Help The Terrorists,” I analyze this line of thought, and believe that there’s much that Hayden couldn’t or didn’t talk about. Perhaps that’s a result of the wiretapping agency not being the agency that does other parts of counter-intelligence. Regardless, if you’re following the story closely, you ought to read his remarks.

Two On Vulnerability Disclosure

  • Ed Moyle has a very good post, “Inside Oracle’s Patch Kimono,” in which he compares Oracle’s process for working with vulnerability researchers with that of Microsoft. I’d like to add two really small bits: First, I’d have compared to the (MS-dominated) Organization for Internet Safety, and second, all of these put insufficient value on secondary and tertiary research uses of vulnerability data.
  • Speaking of secondary uses, don’t miss important research by Tom Ptacek about a design feature, er, security bypass... oh, heck, a battery died, and look what happens: “Authentication Bypass in Volvo 850 Stereo System v1994.” (Design note to self: When selling to Tom, ensure all batteries have a twenty-year lifespan so this doesn’t happen to us.)
  • Lastly, thanks to Pete Lindstrom who gave me a heads up about Notre Dame before Chris blogged it.

Notre Dame, SSNs+CC#s+Check Images, hacker

Not much detail on this one, but it looks like a box used for fundraising purposes got 0wned. The intrusion was detected by “security software” on January 13, but the intrusion itself is said to have occurred between November 22 and January 12. [I guess they run Tripwire monthly ;^)]
Information potentially obtained by the intruders includes images of checks sent by donors, along with credit card and SSN information.
Further details are available at the Fort Wayne News Sentinel and the student-run Notre Dame and Saint Mary’s Observer.
Updated to add: We wrote about check images facilitating identity theft in October, 2005.

Investing in Identity Theft: The Job Fair
For Aisha Shahid and dozens of others who went to an advertised job fair in Chattanooga and got offers of nightclub work in Atlanta, Memphis and Miami, the “dream jobs” turned out to be an identity theft scam.

A man who identified himself as record company and music group president William Devon took applications and personal identification numbers from more than 100 people January 13th and 14th.

At a reception for the applicants that Saturday night, Devon showed up briefly before he left and never returned. The applicants who thought they were hired discovered they had been duped.

The man took many of the applicants’ drivers licenses, birth certificates, Social Security cards and even a diploma.
Chattanooga police say they are investigating.

From “Job fair turns out to be massive ID theft scam,” via Knoxville’s WBIR-TV. What’s fascinating to me is the effort needed to put on something that looks like a job fair (or even a booth in a job fair).

University of Kansas, 9,200 SSNs, IT Department

[Update: Fixed headline, thanks to anonymous.]

Students who applied via the online application put out by the Department of Student Housing were alerted through either an e-mail or a letter that their private information might have been exposed.

According to a University Relations news release, a computer file with names, addresses, birth dates, phone numbers, social security numbers and credit card numbers was found accessible to the public on Dec. 16. The lack of security affected students who applied and paid an application fee online between April 29, 2001, and Dec. 16, 2005. (From “University warns of possible hacking,” via Internet Security News.)

“I can’t believe they forgot to get the mother’s maiden name! How are we supposed to steal identities with just names, birthdates and SSNs?”

The Trouble With Illicit

[Update: I meant to tie this more closely to the “Illicit” book review, because I think this illustrates those hard choices.]

There are some fascinating competing legal goals on display in the Washington Post story “Area Police Try to Combat a Proliferation of Brothels:”

“Sometimes it takes five or six interviews to break these girls [sic], to let them know we’re the good guys,” said Stack, noting that many have an inherent distrust of law enforcement officers. “We haven’t gotten any trafficking victims from these cases. It’s not because we haven’t spoken to them. It’s not because we’re not trying. It’s just very difficult to make these girls flip.”

The trouble is that there are perhaps three or four layers of law-breaking going on here: tax evasion, prostitution, illegal immigration, and human trafficking. Many of the women will be guilty of several of the first three. So it should not be a surprise that they don’t want to flip for the police.

Our decision to make prostitution illegal makes it inherently difficult to police the more serious crimes of human smuggling. I’m not going to say that prostitution is inherently victimless, but for upwards of thirty years, we’ve had calls to legalize it in the belief that the workers would do better…able to talk to the police:

On Nov. 15, two days before the indictment was unsealed, Montgomery police happened upon an armed robbery at a Wheaton brothel while looking for a carjacking suspect. Police said they found four members of the violent Central American gang Mara Salvatrucha, or MS-13. Two of the men were charged with raping the prostitute after robbing the other men in the brothel at gunpoint, police said. Stack and Wiley said that the brothels are robbed and extorted routinely but that most of those crimes probably go unreported.

(Via Marginal Revolution.)

Bank of America Customers Under Attack

The Seattle Post-Intelligencer has a story, “B of A Customers Hit By Thefts,” about cash withdrawals being made overseas:

According to customer service representatives at Bank of America, there have been numerous reports of checking account fraud in Seattle, but many more incidents being reported from other states. The increases in fraud reports are generally about overseas cash withdrawals, they said.

Seattle police have been taking “a lot” of calls and reports involving Bank of America customers, said police spokeswoman Debra Brown. She could not provide a specific number of complaints, but said that while officers routinely get calls about financial fraud involving a variety of banks, people have been reporting an unusual number of Bank of America-specific thefts.

Bank of America has lost:

Correlation, of course, is not causation. There’s lots of data leakage, and these Bank of America customers could have come under attack in lots of ways. If only we had mandatory disclosure of these sorts of things, consumers wouldn’t be tempted by rotten inference, reporters could report quantified facts, and bloggers wouldn’t be drawing attention to such articles. Bank of America customers should be demanding more answers.