Month: July 2014

NY AG Releases a Report on Data Breaches

2013 was a record-setting year for data security breaches in New York, according to a report published today by the Attorney General’s Office. 7.3 million records of New Yorkers were exposed in more than 900 data security breaches, at a cost to New Yorkers of $1.37 billion. The report noted that the massive number of affected New Yorkers in 2013 was largely driven by two retail “mega-breaches,” at Target and Living Social. The report also found that hacking intrusions – in which third parties gain unauthorized access to data stored on a computer system – were the leading cause of data security breaches, accounting for roughly 40 percent of all breaches. The report used information provided to the Attorney General’s Office pursuant to the New York State Information Security Breach & Notification Act, General Business Law §899-aa. The law, which few people know about, requires any person or commercial entity conducting business in New York State that owns, licenses, maintains, or disseminates as a third party computerized data that includes private information to disclose every breach of the security of the computerized data system containing private information – even one affecting a single person – to the State Police, the Department of Consumer Protection, and the Office of the Attorney General. The law also provides for a “notification obligation” to any New Yorker whose private information was acquired (or reasonably believed to...


Hotel Business Center Computers: Not To Be Trusted

I was reading the latest edition of Krebs on Security today. Brian Krebs writes that “the U.S. Secret Service is advising the hospitality industry to inspect computers made available to guests in hotel business centers, warning that crooks have been compromising hotel business center PCs with keystroke-logging malware in a bid to steal personal and financial data from guests.” That hackers can get access to hotel computers, and compromise them to lure unsuspecting guests into divulging passwords and other sensitive information, is not surprising given the soft security at hotel business centers and the misplaced trust of the frenzied traveler. According to Krebs, “the keylogger malware captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors’ email accounts … the suspects were able to obtain large amounts of information including other guests’ personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.” The moral is that if a skilled attacker has physical access to a system, there is no security at all for the computer. Krebs cited, and then I read, “10 Immutable Laws of Security,” published on Microsoft’s TechNet blog. These 10 laws are worth reciting: Law #1: If a bad guy can persuade you to run his...
