Eleven people have been charged with hacking TJX and other major retailers. Three of the defendants are from Miami, the location of 1 is unknown and the rest are based outside the U.S. in locations including the Ukraine, Estonia, China and Belarus. The Department of Justice alleges that the defendants gathered the credit/debit card info by wardriving, which involves driving around with a laptop, antenna and wireless LAN adapter in order to identify and exploit wireless networks that have ranges outside of buildings. One of the potential protections companies can employ to combat wardriving is the WPA encryption standard. As previously reported, TJX was accused of not updating its systems appropriately to meet current standards. Further, a scan of 800 retailers conducted in New York earlier this year by AirDefense found that one-third of those retailers had no security on their wireless networks and another third had weak encryption, such as the flawed protocol TJX was accused of using.

The Identity Theft Resource Center (ITRC) has published its 5^th annual Aftermath study regarding the effects of identity theft on individuals. Here are a few of the details from the study. Over a five year period, the ITRC reports that 1/3 of identity thefts were perpetrated by someone known to the victim. The next largest number of thefts arose from lost or stolen wallets or PDAs. The cost to a victim of identity theft in 2007 averaged approximately $500 in out-of-pocket expenses for an existing account. If a new account was set up, the average out-of-pocket expenses rose to nearly $1,900. This is a rise of about $500 per victim since 2006. Additionally, only 10 percent of those surveyed discovered they had been a victim of identity theft after being notified by a business.

Click to read more ...

The 2008 State Liability Systems Ranking Study conducted for the U.S. Chamber Institute for Legal Reform has been released. The purpose of the study is to evaluate the fairness and reasonableness of the U.S. tort liability system. The states ranking the best were Delaware, Nebraska and Maine. Some of the worst-ranked states include West Virginia, Louisiana, Mississippi, Alabama and Illinois. Additionally, Los Angeles-California and Cook County, Chicago-Illinois were identified as the worst jurisdictions. The overall rating of the system measured primarily fair/poor but the margin was not vast as 41% of those polled ranked the state court liability system in America as only fair or poor and 55% ranked it as excellent or pretty good. The overall rating for 2008 is very similar to the findings in the 2007 study. Both 2007 and 2008 are markedly better than the overall rating in 2006. For more about earlier studies and worst courtroom data, see our previous posts.

We’ve discussed phishing on this blog in the past, but a recent headline brings the concern back to mind. As expected, identity thieves continue to invent new ways to trick their victims. In this latest attack, phishing is elevated to “whaling” as attackers target executives at large companies. The current scam involves emails with a realistic looking U.S. federal court seal and a link to a subpoena.

Click to read more ...

CNET reports on a global survey conducted by Frost & Sullivan at the behest of the International Information Systems Security Certification Consortium (ISC)² regarding information security. The survey included feedback from approximately 7,500 information security experts and, among its conclusions, reported that 75% of the respondents believe viruses and worms are a top security threat, followed by hackers and inside employees. Additionally, among the top priorities facing information security professionals are protecting a company’s reputation from damage, customer privacy concerns and identity theft. Further, the respondents communicating the most concern for security threats are in the financial sector, including banks and insurance companies.

Of note, the Identity Theft Resource Center reports in the 2008 ITRC Breach Report, as of 3/31/2008, that there were 167 reported breaches for this time period. Of these, approximately 25% were in the educational industry and nearly 14% were in the healthcare field. So, while the financial sector may be focused on security threats, the educational and healthcare industries shouldn’t be far behind. For more on security threats, check out the security section of our blog.