Author Archive

Is Security the Enemy of Privacy?

Tuesday, October 26th, 2010

Tracy Ann Kosa, a privacy impact assessment specialist with the government of Ontario, gave a talk this week at the SecTor conference. The gist of her presentation was that security technologies, in particular surveillance, monitoring and database collection, while designed to increase security, actually degrade privacy.

You can read a summary of her remarks here at CSO Online.

Personal Health Records of Pennsylvania Medicaid Patients Lost on Unencrypted USB Flash Drive

Tuesday, October 26th, 2010

The health insurance information of hundreds of thousands of Pennsylvania Medicaid patients has gone missing after an unencrypted USB flash drive was lost from the offices of AmeriHealth Mercy and Keystone Mercy Health Plan. The device held the personal records of 280,000 patients.

“We deeply regret this unfortunate incident,” said Jay Feldstein, president of the managed care plans for both insurers.

I bet.

How about standardizing on hardware-encrypted USB drives in the future?

FBI Warns Companies About Online Bank Takeover By Cyber Criminals

Friday, October 22nd, 2010

Small companies face potentially disastrous financial losses from online criminals who take over their online bank accounts and make unauthorized funds transfers, the FBI warned this week.

During the annual APWG eCrime Research Summit in Dallas this week, the FBI and FS-ISAC issued warnings to companies about the risks of online banking, and the growth in the sophistication of cyber crime on the Internet that targets small and mid-sized companies.

Cyber criminals are using sophisticated crimeware to infect the computers of finance professionals inside of companies. They can then steal usernames, passwords, and even circumvent 2-factor authentication tokens, to gain access to a company’s online bank account. Some companies have lost hundreds of thousands of dollars, and there are cases where companies or state government agencies have lost millions.

The full report can be found here, with an extensive list of things that companies can do to protect themselves. What strikes me is that the list of things a company should do to secure its online banking runs to five pages. That is a ton of technical sophistication to demand of a small business. We clearly have a long way to go before online banking is both safe and easy to use. Today, it seems you can have safety or ease of use, but not both.

Two NHS data loss incidents show that basic levels of security are still lacking

Thursday, October 21st, 2010

The last week has seen two more data loss incidents by NHS professionals, with both found to be in breach of the Data Protection Act by the Information Commissioner’s Office (ICO).

Last Thursday, specialist healthcare recruitment agency Healthcare Locums (HCL) was found to be in breach of the act following the loss of personal data relating to doctors employed by the organisation. The ICO said it was first informed of the breach when HCL confirmed that a hard drive containing doctors’ security clearance and visa information had been sold on an auction website before being returned to the agency.

Further enquiries established that the equipment was last recorded as being transferred from HCL’s Skipton branch to its branch in Loughton earlier this year. However HCL had no inventory list for the transfer, so the organisation failed to realise the storage device had gone missing until it was reported by a member of the public. The device was eventually returned to the agency and wiped in June 2010.

On Tuesday this week, a doctor at North West London Hospitals NHS Trust was found to be in breach of the Data Protection Act after leaving medical information about 56 patients on the tube.

The incident, which was reported to the ICO by the trust in May 2010, occurred when a doctor printed out personal and diagnostic information about patients to use in audit work, undertaken at home outside of normal working hours. Shortly after leaving the tube station, the doctor realised the information had been left on the train and returned to inform the station supervisor. The documents were subsequently found by London Transport at the train’s termination point and retrieved by the doctor.

Sally-Anne Poole, enforcement group manager at the ICO, said: “Most of us can think of a time when we’ve found someone else’s personal belongings, like an umbrella, left behind on a train. But the last thing we should ever expect to find are highly confidential and sensitive papers detailing people’s medical history.

“We understand that many health professionals have busy lives and often take work home, but simple steps like removing patients’ names from printouts can help minimise the potential for personal data to be lost or otherwise compromised. I welcome North West London Hospitals NHS Trust’s decision to report this breach to us and the remedial action it has taken to put more effective data protection measures in place.”

Commenting on the HCL incident, Mark Fullbrook, director of UK and Ireland at Cyber-Ark, said: “It’s difficult to know where to start with this one – the fact that the information wasn’t encrypted, the fact that its transfer wasn’t logged or the insecure method of transit used.

“Companies of all sizes regularly store and transfer highly sensitive information regarding their employees, but what matters most are the measures taken to protect the integrity of that data every step of the way. With that in mind, aside from a blatant disregard for the terms within the Data Protection Act, HCL’s biggest failure is toward those employees that entrusted personal information to the organisation.”

Looking at the North West London Hospitals NHS Trust’s doctor report, Oliver Hart, head of public sector at Sophos, said: “Today’s news that a doctor left printed personal information on 56 patients on a London tube train in May 2010 is yet another blow for the NHS, which is increasingly coming under fire from the ICO for leaked data.

“With budgets being cut, the NHS must take more care to protect data held within trusts so that it can avoid paying out unnecessary penalties. There are several ways of protecting data, ranging from the ICO’s recommended approach of removing patient names from documents to sending encrypted data from one location to another.

“It is of paramount importance to educate users within the NHS of the risks of moving around patient and organisational information and how to protect such data. Having the right data protection software is vital but it also requires much more than just putting software in place. Alongside this, it is key to establish the right procedures and processes to protect the data, as well as educating users, across the organisation.”

Despite Government cuts announced this week, the privacy of citizens cannot be forgotten, according to Kevin Bocek, director of product marketing at IronKey. He said: “Over the past seven days, two incidents involving healthcare professionals show that there is still much work to be done in both the public and private sector. In both incidents, the most basic level of data protection, encrypting stored data, was not enforced.

“Unlike the more complex attacks on Britain, these incidents are simply preventable. If Government can cut over £80 billion in spending out of the system it must be able to ensure that the privacy and productivity of its citizens are protected to the most basic levels.”

94% Think They Are At Risk of Identity Fraud – National Identity Fraud Protection Week

Monday, October 18th, 2010

This week is the UK’s National Identity Fraud Protection Week 2010. Figures released for the week:

94 percent of UK citizens feel that they are at risk of identity fraud

Only 44 percent say that they regularly check bills and financial statements

Only 55 percent verify emails or calls from organizations before responding

82 percent think that their employers do not take identity fraud seriously enough

UK Government Published National Security Strategy Document

Monday, October 18th, 2010

Today the UK government published the 2010 National Security Strategy of the United Kingdom. The Prime Minister will give a press conference about it tomorrow.

Interestingly, the document ranks hostile attacks on UK cyber space among the top four threats to the country.

The top 4 threats are:

1. International terrorism including chemical, biological, or nuclear attack

2. Hostile attacks on UK cyber space

3. A major accident or natural hazard such as an influenza pandemic

4. International military crisis

Realtime Privacy Monitoring on Android Phones – TaintDroid

Wednesday, October 13th, 2010

Researchers at Pennsylvania State University, Duke University and Intel Labs have published a paper this week called “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones”

Their tool is built into the Android platform itself, beneath the apps, and tracks private data as apps run to find which ones send it to third parties. The data tracked includes a user’s geographic location, the phone’s unique ID (IMEI), phone number and SIM card serial number. They profiled 30 popular Android apps and found that half of them send the user’s geographic location to remote advertising servers. 7 of the 30 send other identifying information, such as the phone ID, to the app developers.

None of those 15 location-sharing apps mention this data collection in their end-user license agreements!
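The mechanism TaintDroid relies on is dynamic taint tracking: values read from a sensitive source are tagged, the tag follows the value through every copy and transformation, and a network send that carries a tagged value is reported. The following is an added illustration written for this post, not TaintDroid’s own code (which does this inside the Dalvik VM with a 32-bit tag bitvector per value). It models the same idea in plain Python: the app names, host names, device values and the “declared in the EULA” sets are constructed sample data, and the source, sink and propagation rules are assumptions that stand in for the instrumented Android APIs.

```python
from dataclasses import dataclass
from urllib.parse import quote

# Taint tags for the data classes the post lists. TaintDroid uses one bit per
# tag in a 32-bit vector; a frozenset of names is the readable equivalent here.
LOCATION, IMEI, PHONE_NUMBER, ICCID = "location", "imei", "phone_number", "iccid"


@dataclass(frozen=True)
class Tainted:
    """A string value carrying the set of sensitive sources it was derived from."""
    value: str
    tags: frozenset = frozenset()

    def __add__(self, other):
        # Propagation rule for binary ops: the result carries the union of the
        # operand tags, so mixing a tainted value into a URL taints the URL.
        other = other if isinstance(other, Tainted) else Tainted(str(other))
        return Tainted(self.value + other.value, self.tags | other.tags)

    def __radd__(self, other):
        return Tainted(str(other)) + self

    def urlencode(self):
        # Transforming a value does not clear its taint: the encoded form is
        # still derived from the same source.
        return Tainted(quote(self.value, safe=""), self.tags)


# Taint sources: constructed sample device data standing in for the Android
# APIs (LocationManager, TelephonyManager) that TaintDroid instruments.
def get_location():
    return Tainted("43.65,-79.38", frozenset({LOCATION}))


def get_imei():
    return Tainted("356938035643809", frozenset({IMEI}))


def get_phone_number():
    return Tainted("+14165550123", frozenset({PHONE_NUMBER}))


class NetworkMonitor:
    """Taint sink: records every tagged value that reaches a network send."""

    def __init__(self):
        self.flows = []  # (app, host, sorted tuple of tags)

    def send(self, app, host, payload):
        tags = payload.tags if isinstance(payload, Tainted) else frozenset()
        if tags:  # untainted traffic is not interesting, only tagged data is
            self.flows.append((app, host, tuple(sorted(tags))))


# Constructed sample apps (hypothetical names and hosts). The first embeds an
# ad library that ships location and IMEI to an ad server; the second sends
# only a version string; the third sends the phone number to its developer.
def ad_supported_app(monitor):
    loc, imei = get_location(), get_imei()
    monitor.send("weather", "ads.example.net",
                 "/ad?loc=" + loc.urlencode() + "&dev=" + imei)


def clean_app(monitor):
    monitor.send("notes", "api.example.org", Tainted("v=1.2"))


def contacts_app(monitor):
    monitor.send("dialer", "dev.example.com", "num=" + get_phone_number())


def profile(apps, declared):
    """Run each app under the monitor.

    Returns (flows, undeclared): every tagged flow that reached the sink, and
    the subset whose tags the app did not declare (declared maps app name to
    the set of tags its license agreement admits to collecting).
    """
    monitor = NetworkMonitor()
    for app in apps:
        app(monitor)
    undeclared = [(a, h, t) for a, h, t in monitor.flows
                  if not set(t) <= declared.get(a, set())]
    return monitor.flows, undeclared


def apps_sending(flows, tag):
    """Names of the apps that sent a given tag anywhere, e.g. location to ad hosts."""
    return sorted({app for app, _, tags in flows if tag in tags})


if __name__ == "__main__":
    flows, undeclared = profile([ad_supported_app, clean_app, contacts_app],
                                {"dialer": {PHONE_NUMBER}})
    for app, host, tags in flows:
        print(f"{app} -> {host}: {', '.join(tags)}")
    print("undeclared:", undeclared)
    print("apps sending location:", apps_sending(flows, LOCATION))
```

The point the example makes is the one behind the 15-of-30 figure: the monitor never has to understand the ad library’s URL format or parse the payload. It only needs to know where sensitive data enters and where bytes leave, and to keep the tag attached in between; the comparison against what the app declared then falls out of the recorded flows.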
