More Saving, More Doing, More Hacking

Brian Krebs reported on September 2, 2014 that Home Depot, Inc. (HD.N) appears to have been the target of a massive debit and credit card breach involving nearly all of its U.S. stores. In this case, as in the Target, Sally Beauty Supply, P.F. Chang’s and Harbor Freight breaches, the first evidence of the hacking was the stolen card information showing up for sale in an online cybercrime store.

Krebs examined the zip codes associated with the cards listed for sale and compared them with the locations of Home Depot stores. The zip codes are listed so that the criminals who purchase the stolen cards can use them locally, where they are less likely to be flagged by bank security systems.

As of this posting, Home Depot’s media relations team has only admitted a “possible payment data breach.” The special webpage set up by Home Depot explains:

We’re looking into some unusual activity that might indicate a possible payment data breach and we’re working with our banking partners and law enforcement to investigate. We know that this news may be concerning and we apologize for the worry this can create. If we confirm a breach has occurred, we will make sure our customers are notified immediately.

Like the breach reported about Albertsons, SuperValu, Inc., Cub Foods, ACME Markets Inc., Jewel Osco, Shaw’s, Star Market, Farm Fresh Supermarket, Hornbacher’s, Shop ‘n Save, Shoppers Food & Pharmacy, and Ab Acquisition LLC on August 14, 2014, the number of records may not be known for some time. See for an updated list of breaches.

More Saving, More PI

Massachusetts’ identity theft law (MGL c. 93H, 201 CMR 17.00) was designed to protect Massachusetts residents from having their Personal Information compromised. Personal Information is commonly referred to as “PI” for short. The definition of PI under this law is simple and most certainly includes the type of credit card information that hackers are interested in.

It takes only three ingredients to make PI in Massachusetts: 1) a first and last name, or a first initial and last name; 2) of a Massachusetts resident; and 3) some identifying information such as a social security number, a driver’s license number, a state-issued ID card number, a credit/debit card number, a financial account number or similar identifying information. This definition does not require that the holder of the PI have any password or security code associated with the financial account in order for the information to qualify as PI.
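As an added illustration (not part of the post), the three-part test above can be encoded as a small classifier so that a data inventory can flag which records fall under the Massachusetts definition; the field names and sample records are constructed, not taken from any real data set:

```python
"""Added example: classify records against the three-part 'Personal
Information' test (name combination + Massachusetts residency + one
enumerated data element). Field names and records are constructed."""
from dataclasses import dataclass

# Data elements enumerated in the definition. Any one of them, combined with
# the name combination and Massachusetts residency, makes the record PI.
DATA_ELEMENTS = ("ssn", "drivers_license", "state_id_number",
                 "financial_account", "card_number")


@dataclass
class Record:
    first: str = ""          # full first name or just a first initial
    last: str = ""
    state: str = ""          # state of residence, two-letter code
    ssn: str = ""
    drivers_license: str = ""
    state_id_number: str = ""
    financial_account: str = ""
    card_number: str = ""
    card_security_code: str = ""   # "with or without": does not affect the test


def has_name_combination(rec: Record) -> bool:
    """First name (or first initial) together with a last name."""
    return bool(rec.first.strip()) and bool(rec.last.strip())


def is_massachusetts_resident(rec: Record) -> bool:
    return rec.state.strip().upper() in ("MA", "MASSACHUSETTS")


def present_data_elements(rec: Record) -> list:
    """Which of the enumerated data elements the record actually carries."""
    return [e for e in DATA_ELEMENTS if getattr(rec, e).strip()]


def is_personal_information(rec: Record) -> bool:
    return (has_name_combination(rec)
            and is_massachusetts_resident(rec)
            and bool(present_data_elements(rec)))


def explain(rec: Record) -> str:
    """Human-readable verdict, useful when reviewing a data inventory."""
    if not has_name_combination(rec):
        return "not PI: no first name/initial plus last name"
    if not is_massachusetts_resident(rec):
        return "not PI: not a Massachusetts resident"
    elems = present_data_elements(rec)
    if not elems:
        return "not PI: no enumerated data element"
    return "PI: " + ", ".join(elems)


def pi_inventory(records) -> dict:
    """Count PI vs non-PI records: the first step of a WISP data inventory."""
    hits = [r for r in records if is_personal_information(r)]
    return {"total": len(records), "pi": len(hits),
            "non_pi": len(records) - len(hits)}


# Constructed sample records (no real people; the card number is a public
# test value). A security code on the card makes no difference to the test.
SAMPLE = [
    Record(first="J.", last="Doe", state="MA", card_number="4111111111111111"),
    Record(first="Jane", last="Roe", state="MA", card_number="4111111111111111",
           card_security_code="123"),
    Record(first="John", last="Smith", state="NH", ssn="000-00-0000"),
    Record(first="", last="Brown", state="MA", ssn="000-00-0000"),
    Record(first="Ann", last="Lee", state="MA"),   # email/handle only
]
```

Running `explain` over `SAMPLE` shows why a name plus card number is PI while a name plus email address alone is not.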

Aside from the security requirements of the payment card industry, known as PCI, the Massachusetts law requires that companies handling credit card data and other PI institute a comprehensive written information security program, or WISP. The compliance standards for a WISP are meant to become more stringent as company size, company revenue and the amount of Personal Information (PI) held increase. The standards also require destruction or culling of PI that is not needed.

Bigger Should Mean Better

According to Reuters, Home Depot is currently valued at about $120 Billion. Under the logic of the compliance standards set forth in the Massachusetts regulations (201 CMR 17.00 et seq.), Home Depot should have the best information security available in the world. Moreover, the compliance standards specifically require “regular” monitoring and upgrading of information security safeguards.

How Can This Happen?

How can this happen again and again to the most sophisticated companies? The Massachusetts identity theft law is still the most rigorous in the country. When advising companies regarding the adoption of information security programs where those companies have operations in many states, the best practice is to make the program compliant with the strictest standards.

The Massachusetts law took effect in 2010, so Home Depot should have had a comprehensive WISP in place, not only for its Massachusetts customers but also for its Massachusetts employees (i.e., all MA residents whose PI it holds). The compliance standards also require that a WISP be reviewed at least annually.

It appears that the Target breach could have been avoided. It occurred when a hacker infiltrated a vendor’s computers with relatively unsophisticated malware. The vendor, a heating and air conditioning contractor for some of Target’s stores, had been given remote access to the Target computer network for the limited purpose of electronic billing. The malware got past internal safeguards and infected the point of sale (POS) systems, enabling the credit card data to be sent to the hackers. However, company officials were allegedly “asleep at the switch” when a number of internal security alarms sounded, and failed to investigate aggressively. It will be interesting to learn in the coming weeks whether Home Depot made the same or similar mistakes.



Chromebook – Sandbox or Litterbox in the Cloud

Google just announced (2011) a new computer/OS combination called the Chromebook. Essentially it is a netbook computer running Google’s Chrome operating system. The Chrome OS touts greater computer security resulting from its implementation of a “sandbox” designed to protect the computer from malware. The computer has all-day battery life, an 8-second boot time, and a constant connection to the cloud via Wi-Fi and 3G. Google has exuded confidence in the secure design and boasted that the computers don’t even need anti-virus protection. Stephanie Hoffman at CRN described the benefits of the sandboxing feature:

“At its core, sandboxing isolates Web sites and applications and runs them in a restricted environment, which eliminates the potential to compromise a user’s entire system if exposed to malware.”

That being said, the French company VUPEN Security has already identified a vulnerability. On May 9th it announced:

Hi everyone,
We are (un)happy to announce that we have officially Pwned Google Chrome and its sandbox.

No surprise to some

Some people, like Costin Raiu, senior malware researcher for Kaspersky Lab, are not surprised at all.


LastPass Says Hackers May Have Stolen Password Data

According to Businessweek, “LastPass, a company that offers to safeguard and simplify managing subscribers’ online passwords, said hackers may have broken into its database and stolen information on as many as 1.25 million accounts.” LastPass is the trade name of a Virginia company called Marvasol Inc.

LastPass touts itself as a safe and secure place for your most important data.

Kelly Jackson Higgins of Information Week states the obvious irony:

“The “last password you’ll ever need” now requires a reset: LastPass is forcing users of the password manager service to change the single master password they created for accessing websites, virtual private networks, and Web mail accounts via the tool. The move comes in response to the company’s discovery of unusual network activity around one of its databases.”

Hiawatha Bray of the Boston Globe wrote a useful article on April 28th describing some of the steps people should take to protect themselves from identity theft in response to the recent hack of the Sony PlayStation Network.  She listed some typical advice:

  1. Use a different password at every Internet site.
  2. Buy file encryption software to protect stored credit card data, Social Security numbers, and financial records.
  3. Write down which credit cards you’ve used to register at various online services.
  4. Check your bank and credit card statements online frequently.
  5. Consider putting a freeze on access to your credit reports (referencing a part of Massachusetts data protection laws).

In a twist of irony, Bray recommended using a password manager program, like LastPass.

“PlayStation Network users can start by changing their other passwords, and fast. And consider getting a password manager program, such as RoboForm or the one I use, LastPass. These programs automatically generate a new, tough password for every site, then save the passwords in encrypted files on your computer or smartphone, and on the Internet.”

Class action anyone?


NSA Information Security Recommendations

The NSA has published a useful data sheet covering ways to keep home and small business networks secure.


LocationGate – Where in the World Was Waldo?

Just look at his iPhone data

Apparently I am not the only person troubled by the recent revelation that Google and Apple collect location data from smart phones. Mike Elgan wrote a thoughtful piece for Computerworld, “Who owns your location?”

The idea of tracking files existing on phones and on the computers used to sync data raises eDiscovery issues as well as obvious privacy and data security concerns. Will employers be tempted to look at the data collected by company-issued phones to see if their sales team or delivery drivers were on task? Employers defending discrimination cases are always on the lookout for employee misconduct that would justify termination of employment on non-discriminatory grounds. Did she lie to the boss about that sick day, as shown by the trip to the Foxwoods Casino?

Warrantless Searches

A January 2011 decision by the California Supreme Court held that police may make a warrantless search of a person’s cell phone incident to a lawful arrest – in California.  In the opinion, the court considers and dismisses the privacy argument:

Regarding the quantitative analysis of defendant and the dissent, the salient point of the high court’s decisions is that a “lawful custodial arrest justifies the infringement of any privacy interest the arrestee may have” in property immediately associated with his or her person at the time of arrest even if there is no reason to believe the property contains weapons or evidence (Robinson, supra, 414 U.S. at p. 235).

Although the phone at issue in People v. Diaz was not an iPhone or Android phone, the court declined to make a distinction between dumb and smart cell phones:

. . . even were it true that the amount of personal information some cell phones can store “dwarfs that which can be carried on the person in a spatial container” — and, again, the record contains no evidence on this question — defendant and the dissent fail to explain why this circumstance would justify exempting all cell phones, including those with limited storage capacity, from the rule of Robinson, Edwards, and Chadwick.

With an Android or iPhone in California, once a person is arrested this location data becomes the functional equivalent of having worn a GPS ankle bracelet for the police.

Follow the Money

The “LocationGate” controversy over the collection of GPS data by Apple and Google is about money as well as privacy. Elgan’s article discusses the monetization of this very private data without anything approaching informed consent by the user.

The controversy has already prompted a lawsuit against each company.  The Google suit is fantastically seeking $50 million in damages according to a CNET article. The Apple suit seeks class action status.


An Open Letter to Massachusetts Attorney General, Martha Coakley

Recommendation for Enforcement of 201 CMR 17.00

Attorney General Martha Coakley
One Ashburton Place
Boston, MA  02108


Dear Attorney General Coakley:

Recently your office announced its first successful enforcement of Massachusetts’ year-old data security law (G.L. c. 93H; 201 CMR 17.00) against Briar Group, LLC. For those of us in the state who have been trying to help organizations become compliant with this landmark set of regulations, the announcement of enforcement was welcome. At long last the law actually has teeth, as we predicted.

In seminar after seminar beginning in late 2008, my colleagues and I presented summaries of the law and tried to keep up with the shifting regulations and the twice-delayed date of implementation. We consulted with computer security experts about standards and urged our clients and potential clients to “get compliant” because of the risks to reputation, to the bottom line and, of course, because of government enforcement.

Audiences and decision makers at first did not even know that their organizations created or held Personal Information (PI). Even after realizing that the simple act of accepting checks from or employing Massachusetts residents implicated the new law, the general mood was that the threat of enforcement was remote; the economic climate was too severe to justify the cost of compliance.

I predicted to my audiences that enforcement would come and that this was a serious law. I warned people that they did not want their organization to become the poster boy for enforcement; all it takes is the loss of a single laptop to start the enforcement gauntlet.

To keep seminars lively I try to give examples and tell jokes. The best examples always have a twist of humor.  To spice up my warnings after your Senatorial election campaign, I started to imagine the perfect AG enforcement:

The New York Yankees! I described to several Massachusetts audiences that The New York Yankees would be the ideal target for an aggressive and public 93H enforcement action by our Attorney General.  There are surely some Western Massachusetts residents who are Yankees fans. What a perfect storm for the home team.  It had all the makings of a great story, heroes, villains, redemption and a real sign that 93H must be reckoned with. Who better to make an example of than those damn Yankees?

The website reported that on April 25, 2011, the New York Yankees misdirected emails containing 17,000 records of season ticket holders. The Yankees reported the incident on April 27th, but according to the New York Daily News there was no financial information included in the data breach.

At first I thought this was a daydream come true until I saw the Post story.  As you know the 201 CMR 17.00 final regulations define Personal Information “data elements” to include financial account numbers:

Personal information, a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account. . . 201 CMR 17.02

Judging from the reactions of hundreds of people who listened to the hypothetical version of a New York enforcement effort, I humbly suggest that this data security breach is of importance to citizens of Massachusetts and should be formally investigated. If you are short-handed I would be happy to pitch in, for the team.


Steven J. O’Neill, Attorney at Law


Sony Playing with PI (Personal Information)

In yet another stunning data security breach, Sony announced that 77 million customer records had been hacked on its PlayStation Network and Qriocity. The information accessed by hackers reportedly includes names, addresses, email addresses, birthdates, PlayStation Network/Qriocity passwords and logins, handle/PSN online ID, profile data, purchase history and credit cards.

On April 26th Sony published on its blog that the breach took place between April 17th and 19th. It said in part:

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

Clearly, the combination of a name and credit card information meets the definition of Personal Information (PI) under the Massachusetts data security regulations, 201 CMR 17.00. In an interesting twist to the story, by April 28th major news outlets were reporting that Sony had encrypted the credit card data.

More and more of us are receiving notices from our banks, merchants, and service providers that, “Oops, we lost or failed to protect important financial and other information about you.” Sony’s notice follows the typical businesslike format of warning the victims of the breach to be careful and take their own steps to protect their Personal Information:

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:

U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit or call toll-free (877) 322-8228.

We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.

Experian: 888-397-3742; P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

Within one day of the announcement, a PlayStation user from Florida had filed a class action lawsuit against Sony in the Northern California Federal District Court. Stay tuned.


$110,000 Fine – MA AG Enforces Information Security Law

A Law with Teeth

Approximately one year after the new Massachusetts Information Security Law (201 CMR 17.00) took effect, the Massachusetts Attorney General simultaneously announced the filing and settlement of a Superior Court lawsuit.

AG Coakley announced the settlement and a $110,000 fine against Briar Group, LLC, owner of several Boston-area restaurants and bars. The complaint alleged that Briar Group failed to take reasonable steps to protect its patrons’ personal information, thereby putting the payment card information of tens of thousands of consumers at risk.

The Final Judgment by Consent alleged that Briar Group “failed to implement basic data security measures to protect consumers’ credit and debit card information,” including but not limited to the following:

a. failing to change default usernames and passwords on its Micros Point of Sale computer system;

b. failing to change passwords in its computer network for more than five years;

c. allowing multiple employees to share common usernames and passwords;

d. failing to modify passwords after termination or resignation of employees;

e. failing to adequately control the number of employees with administrative access to Briar’s computer network;

f. failing to properly secure its remote access utilities and wireless network;

g. continuing to accept credit and debit cards from consumers when Briar knew of the data breach and failing to alert its patrons to the data breach while malcode remained on its computer system;

h. storing payment card information in clear text on its servers; and

i. failing to comply with Payment Card Industry Data Security Standards (“PCI DSS”).
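The failures in items (a) through (e) and (h) are the kind an organization can catch with a routine internal audit long before a regulator does. As an added example, not part of the judgment or of this post, the script below runs such an audit over a constructed account inventory and a constructed point-of-sale log; the policy thresholds, field names and sample data are all assumptions made for the illustration:

```python
"""Added example (not from the AG's judgment or this post): audit an account
inventory for items (a)-(e) and scan a log for clear-text card numbers (h).
Thresholds, field names and all data below are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
import re

MAX_PASSWORD_AGE_DAYS = 90   # assumed policy; Briar's went unchanged > 5 years
MAX_ADMIN_ACCOUNTS = 2       # assumed policy limit on administrative accounts


@dataclass
class Account:
    username: str
    owners: tuple                 # employees who know this credential
    last_password_change: date
    is_admin: bool = False
    vendor_default: bool = False  # credential still as shipped by the vendor


def audit_accounts(accounts, terminated, today):
    """Return (username, item letter, detail) findings for items (a)-(e)."""
    findings = []
    for a in accounts:
        if a.vendor_default:
            findings.append((a.username, "a", "vendor default credential unchanged"))
        age = (today - a.last_password_change).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((a.username, "b", f"password unchanged for {age} days"))
        if len(a.owners) > 1:
            findings.append((a.username, "c", f"shared by {len(a.owners)} employees"))
        gone = sorted(set(a.owners) & terminated)
        if gone:
            findings.append((a.username, "d", "known to terminated: " + ", ".join(gone)))
    admins = [a.username for a in accounts if a.is_admin]
    if len(admins) > MAX_ADMIN_ACCOUNTS:
        findings.append(("*", "e", f"{len(admins)} admin accounts, limit {MAX_ADMIN_ACCOUNTS}"))
    return findings


def luhn_ok(digits):
    """Mod-10 check that genuine payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_clear_text_pans(text):
    """13-19 digit runs (spaces/dashes allowed) that pass Luhn: likely PANs."""
    hits = []
    for m in re.finditer(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)", text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


# Constructed inventory and log lines; the card number is a public test value.
TODAY = date(2011, 3, 28)
TERMINATED = {"bob"}
SAMPLE_ACCOUNTS = [
    Account("posadmin", ("alice", "bob", "carol"), date(2005, 6, 1), True, True),
    Account("manager", ("dave",), date(2011, 1, 15), is_admin=True),
    Account("server1", ("erin",), date(2011, 3, 1)),
    Account("backoffice", ("frank",), date(2010, 11, 2), is_admin=True),
]
SAMPLE_LOG = """2011-03-01 12:01:07 order=10442 pan=4111111111111111 exp=12/13
2011-03-01 12:02:19 order=10443 pan=****1111 exp=12/13
2011-03-01 12:03:44 order=10444 token=1234567890123456 exp=12/13
"""
```

The masked entry and the non-Luhn token are left alone, so only the genuinely unprotected card number in the first log line is reported.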

In addition to the fine, Briar Group was ordered to produce a Written Information Security Program (WISP) pursuant to 201 CMR 17.00 and to take other steps to protect Personal Information (PI).

Read the AG press release.


BP’s Gulf Data Spill

BP loses laptop containing Personal Information of 13,000 Oil Spill Claimants

On March 1, 2011, BP lost a laptop computer containing Personal Information (PI) on 13,000 people who made claims against BP following the Deepwater Horizon oil spill in 2010. It was reported by eWeek / Europe that the information included social security numbers and was contained in a password-protected spreadsheet, but was not encrypted. Apparently, it was not until March 30th that BP notified the claimants that their information had been lost.

Social security numbers are one of the touchstone identifiers for PI. Failure to encrypt this information on a portable computer would expressly violate Massachusetts’ Identity Theft regulations, if any of the claimants were Massachusetts residents. Regulation 201 CMR 17.04(5) absolutely requires: “Encryption of all personal information stored on laptops or other portable devices.”
