Spears Legal Technology


This blog is a resource guide for informational purposes only, and not the delivery of legal, technical or other professional advice. Using the information provided on this blog does not constitute an attorney-client relationship. If you need legal advice, please consult your lawyer.

Identity Theft

P.F. Chang's Goes Manual After Card Breach

Restaurant chain P.F. Chang's China Bistro has confirmed a data breach that compromised credit and debit card numbers belonging to an unknown number of patrons. While the breach continues to be investigated, P.F. Chang’s has announced that it will process credit cards with a manual imprinting system.

Some experts see a connection to last December’s Target breach:

But several security experts and cyber-intelligence researchers say they believe the chain suffered a malware attack similar to those that compromised the point-of-sale networks of U.S. retailers Target Corp., Neiman Marcus and Sally Beauty Holdings Corp. Other experts, however, say it's too soon to tell what the cause of the latest breach was, and whether it was linked to any previous breaches.

But while the experts disagree about the details of this latest alleged breach, they agree it's time for retailers to tighten network security.

"It's really got the retail industry up in arms," says financial fraud expert Avivah Litan, an analyst at the consultancy Gartner. "CISOs are scared of getting fired, they are afraid of the consumer reaction and they're just trying to get a handle on all of this."


UPDATE (6/18/2014): Brian Krebs provides new information indicating that the breach at the nationwide restaurant chain began on or around Sept. 18, 2013, and didn’t end until June 11. If true, the breach would predate the attack that compromised Target.

At nearly nine months, that’s slightly longer than the average amount of time before a breach is detected.


Peek Inside a Professional Carding Shop

Brian Krebs takes us into the world of the business that takes place after the credit card information has been stolen.

Like many other dumps shops, McDumpals recently began requiring potential new customers to pay a deposit (~$100) via Bitcoin before being allowed to view the goods for sale. Also typical of most card shops, this store’s home page features the latest news about new batches of stolen cards that have just been added, as well as price reductions on older batches of cards that are less reliable as instruments of fraud.

I’ve put together a slideshow (below) that steps through many of the updates that have been added to this shop since its inception. One big takeaway from this slideshow is that many shops are now categorizing their goods for sale by the state or region of the victim company.

Full article here.


Are Credit Monitoring Services Worth It?

More interesting insights from Brian Krebs as he discusses the effectiveness of credit monitoring/protection services.

Having purchased credit monitoring/protection services for the past 24 months — and having been the target of multiple identity theft attempts — I feel somewhat qualified to share my experience with readers. The biggest takeaway for me has been that although these services may alert you when someone opens or attempts to open a new line of credit in your name, most will do little — if anything — to block that activity. My take: If you’re being offered free monitoring, it probably can’t hurt to sign up, but you shouldn’t expect the service to stop identity thieves from ruining your credit.

Read the whole article

Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records

Wow. Just wow.

Posing as a private investigator operating out of Singapore, Ngo contracted with Court Ventures, paying for his access to consumer records via regular cash wire transfers from a bank in Singapore. Through that contract, Ngo was able to make available to his clients access to the US Info Search database containing Social Security, date of birth and other records on more than 200 million Americans.

Experian came into the picture in March 2012, when it purchased Court Ventures (along with all of its customers — including Mr. Ngo). For almost ten months after Experian completed that acquisition, Ngo continued siphoning consumer data and making his wire transfers.

Until last week, the government had shared few details about the scope and the size of the data breach, such as how many Americans may have been targeted by thieves using Ngo’s identity theft service. According to a transcript of Ngo’s guilty plea proceedings obtained by KrebsOnSecurity, Ngo’s ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and Feb. 2013 to look up Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data.

Much more here:


The Tornado That Ripped Through Sony

Sony recently announced that the company expects to spend at least $171 million as a result of the massive data breaches that have plagued it since April. As a point of comparison, the damage from last month's tornado that hit Minneapolis has been estimated at $166 million.

There is an analogy in there somewhere.

But unlike the good folks of North Minneapolis, many of whom lost everything, Sony had the ability to prevent the type of damage that resulted in the high costs. The hackers used a simple technique that has been around forever to gain access to the data, and security experts are suggesting that Sony didn't even meet the most basic security requirements such as encrypting user information. As the hackers who claimed responsibility for the attacks asked, "Why do you put such faith in a company that allows itself to become open to these simple attacks?"

Good question. Here's another:

What would the costs be if your organization suffered a data breach? For a quick and dirty estimate, try out the online Data Breach Calculator. If you want to take a more detailed look at the costs associated with data breaches, check out the Ponemon Institute's 2010 U.S. Cost of a Data Breach.


Audit Shows General Health IT Security Lacking

Wrapping up this week's discussion on encryption, I present a May 17 report from the Department of Health and Human Services Office of the Inspector General (OIG).

The report analyzes specifications published by the Office of the National Coordinator for Health Information Technology (ONC), who is charged with leading the implementation of an interoperable health information technology infrastructure.

The specifications reviewed included both the interim specifications released in January of 2010 and the final rule released in July. With the increased adoption of Electronic Health Records (EHRs), IT security has become more important than ever. But the OIG suggests the ONC's security standards come up short in several key areas, such as:

  • Encrypting mobile devices,
  • Requiring two-factor authentication when remotely accessing an HIT system and
  • Keeping computer systems and their virus scans current.

In my opinion, the OIG's audit is absolutely correct. These are basic IT security considerations (or should be) that need to be factored into any comprehensive security plan.

But implementing such procedures is like herding cats in a thunderstorm . . .

Read More . . .

The Ins and Outs of Encryption

Yesterday I mentioned that encrypting data often is considered a safe harbor when a data breach results in the loss of information that would normally trigger breach notification requirements. Today, we discuss encryption in a little more detail.

Data at Rest and Data in Motion

When considering encryption from a technical perspective, the first step is to determine the environment in which the data exists. For example, data stored on external hard drives, USB sticks, or PDAs is considered Data at Rest. Securing data at rest may require encrypting the entire medium it resides on, such as a hard drive or USB drive. This is called whole-disk encryption, and it is often used on laptops that are checked out from an organization. Alternatively, data at rest may be secured by encrypting a single folder or file. The appropriate encryption solution varies depending on the data's environment, the amount of data to be secured and the type of storage device on which it is stored.

If the data needs to be protected while it travels over a company network or the Internet, it is considered Data in Motion. Data in motion is most often secured by connecting over the SSL (Secure Sockets Layer) protocol, recognizable to the end user by the "https://" displayed in the web browser's address bar.

NIST Standards

When considering the implementation of encryption from a legal perspective, your best bet is to start with the standards established by the National Institute of Standards and Technology (NIST):

Data at Rest: NIST 800-111. This publication discusses full disk encryption, virtual disk and volume encryption, and file/folder encryption.

Data in Motion: NIST 800-52.

Check out NIST's site for additional publications, including their recent Cloud Computing Synopsis and Recommendations draft.


Minnesota's Data Breach Notification Law


Earlier this month, President Obama proposed a federal breach notification bill designed to inform those who may be at greater risk of fraud or identity theft due to the loss of personal information. But there is already a breach notification law on Minnesota's books that I suspect is frequently ignored: 325E.61.

The Minnesota law says in part that "any person or business that maintains [personal] data . . . shall notify the owner . . . of any [security] breach . . . immediately following discovery, if the personal information is reasonably believed to have been acquired by an unauthorized person."

So, what exactly is personal information? For the purposes of the statute, it is an individual's first name or first initial and last name in combination with:

(1) a Social Security number;
(2) driver's license number or Minnesota identification card number; or
(3) account number or credit or debit card number, in combination with any security code such as a PIN.

There's more to the law, but that's the gist of it.

But 325E.61 does provide a safe harbor: encryption. If the data is encrypted, notifications are not required. This has been a common thread among federal and state breach notification requirements, as well as contractual obligations with credit vendors through the PCI DSS standards.
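As an added example (my own code, not part of the statute or the original post), here is the element test and safe harbor above written as a small Go triage helper of the kind an incident responder might use to sort exposed records. The field names and the KeyExposed flag are this example's assumptions: the post does not address what happens when the key is lost along with the encrypted data, so the helper conservatively declines the safe harbor in that case. The "reasonably believed to have been acquired" finding is an input, since no record can decide that about itself, and the post notes the law contains more than what is encoded here.

```go
package main

import "fmt"

// Record summarises what one exposed record contained. Field names are this
// example's own; they mirror the elements listed in the post.
type Record struct {
	FirstNameOrInitial   bool
	LastName             bool
	SSN                  bool
	DriversLicenseOrMNID bool
	AccountOrCardNumber  bool
	SecurityCode         bool // PIN or similar code usable with the account number
	Encrypted            bool // record was stored encrypted
	KeyExposed           bool // assumption: safe harbor not claimed if the key leaked too
}

// IsPersonalInformation applies the element test: a first name or first
// initial AND a last name, in combination with at least one listed identifier.
// An account or card number only counts together with a security code.
func IsPersonalInformation(r Record) bool {
	if !(r.FirstNameOrInitial && r.LastName) {
		return false
	}
	return r.SSN || r.DriversLicenseOrMNID || (r.AccountOrCardNumber && r.SecurityCode)
}

// NotificationRequired decides whether the notice duty summarised above is
// triggered for one record. acquiredByUnauthorized is the investigator's
// finding that the data is reasonably believed to have been acquired by an
// unauthorized person.
func NotificationRequired(r Record, acquiredByUnauthorized bool) (bool, string) {
	switch {
	case !IsPersonalInformation(r):
		return false, "not personal information as defined"
	case r.Encrypted && !r.KeyExposed:
		return false, "encryption safe harbor applies"
	case !acquiredByUnauthorized:
		return false, "not reasonably believed to have been acquired"
	default:
		return true, "notify the owner immediately following discovery"
	}
}

func main() {
	// Constructed cases, not records from any real incident.
	name := Record{FirstNameOrInitial: true, LastName: true}
	cases := []struct {
		label    string
		r        Record
		acquired bool
	}{
		{"name + SSN, plaintext", Record{FirstNameOrInitial: true, LastName: true, SSN: true}, true},
		{"name + SSN, encrypted", Record{FirstNameOrInitial: true, LastName: true, SSN: true, Encrypted: true}, true},
		{"name + card number, no PIN", Record{FirstNameOrInitial: true, LastName: true, AccountOrCardNumber: true}, true},
		{"name + card number + PIN", Record{FirstNameOrInitial: true, LastName: true, AccountOrCardNumber: true, SecurityCode: true}, true},
		{"SSN only, no name", Record{SSN: true}, true},
		{"name only", name, true},
		{"encrypted but key leaked", Record{FirstNameOrInitial: true, LastName: true, SSN: true, Encrypted: true, KeyExposed: true}, true},
		{"name + SSN, not acquired", Record{FirstNameOrInitial: true, LastName: true, SSN: true}, false},
	}
	for _, c := range cases {
		required, why := NotificationRequired(c.r, c.acquired)
		fmt.Printf("%-28s notify=%-5v %s\n", c.label, required, why)
	}
}
```

The cases worth noticing are the ones the statute's wording turns on: a card number without its PIN is not personal information under this definition, a first initial is as good as a full first name, and encryption only helps if the key did not travel with the data.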

So encrypt your data, folks. Tomorrow we will talk about what exactly "encryption" means.

Image credit: s-s at www.sxc.hu.