Hackers Identify Privacy Vulnerabilities in Photo Sharing Websites

BBC News is reporting that privacy was a major topic at this year’s Hackers on Planet Earth (“HOPE”) conference, held in New York in July.  Participants spoke to the BBC about privacy vulnerabilities they have discovered on various Internet sites.  For example, one participant discussed how GPS data embedded in digital photos that users post online, combined with other information available in the photos and elsewhere on the Internet, may reveal the exact locations where users work, live and travel, as well as their real-time locations.  Participants explained that their goal is to identify such privacy vulnerabilities and to show others how to protect their privacy online.

Hacking Overtakes Theft and Loss as Leading Cause of Reported Security Breaches

In 2009, for the first time in three years, more publicly reported data security breaches were caused by hackers than by other sources, such as insider theft.  The nonprofit Identity Theft Resource Center (“ITRC”) tracks breaches involving five categories of data loss: (i) “data on the move,” such as lost laptops; (ii) accidental exposure; (iii) insider theft; (iv) losses involving subcontractors; and (v) hacking.  The ITRC’s 2009 Breach Report analyzed 498 publicly reported breaches affecting over 222 million total records, concluding that hacking may be on the rise.

Notwithstanding the study’s findings, it remains impossible for an independent party to provide definitive numbers on breaches, or to assess accurately the causes behind all data security incidents.  Although the vast majority of states require some form of notification of security breaches, formal notification requirements are rare outside the United States.  Even in the U.S., many breach notification laws require notification only of certain types of breaches, such as breaches of data stored in electronic format.  Moreover, as the ITRC report points out, not all of the laws require reporting of the cause of the breach, and the percentage of breaches for which no cause was reported exceeds the percentage attributed to hackers.  Perhaps most importantly, many breaches—especially those caused by hackers—go undetected.  And under many laws, even those that are detected need not be reported if the breached entity determines that the breach poses no risk of harm to the affected individuals.  As of this writing, the ITRC’s tally for 2010 counts 146 breaches exposing over 2.8 million records.

Class Action Lawsuit Against Heartland Dismissed

The court in In re Heartland Payment Systems, Inc. Securities Litigation, Civ. No. 09-1043 (D. N.J. Dec. 12, 2009) recently dismissed a class action lawsuit brought by investors in Heartland, a processor of payment card transactions whose stock value dropped significantly after it suffered a data security breach in which hackers allegedly stole 130 million payment card numbers.  The plaintiffs argued that Heartland’s statements to the effect that it had adequate security systems and that it took the issue of computer network security very seriously were fraudulent because Heartland knew it had poor data security and failed to remedy critical problems soon enough to prevent the theft.

According to the complaint, in December 2007, a group of hackers now under criminal indictment launched an attack on Heartland’s network, injecting malicious code into Heartland’s computers.  Heartland allegedly discovered this injection of malicious code and took remedial steps that failed to fully eradicate the threat.  Later, in 2008, the hackers used the injected code to steal millions of payment card numbers.  Heartland did not discover the theft until January 2009. 

The plaintiffs argued that Heartland had made various representations to investors that it maintained sufficient security to prevent such hacking.  For example, Heartland’s 2007 Annual Report discussed the company’s network security situation stating that Heartland “place[d] significant emphasis on maintaining a high level of security” and maintained a network configuration that “provides multiple layers of security to isolate our databases from unauthorized access.”

The court disagreed with the plaintiffs’ claim that these statements were untruthful, holding that “there is nothing inconsistent between Defendants’ statements and the fact that Heartland had suffered an … attack.”  The court explained that “[t]he fact that a company has suffered a security breach does not demonstrate that the company did not ‘place significant emphasis on maintaining a high level of security,’” because “[i]t is equally plausible that Heartland did place a high emphasis on security but that the Company’s security systems were nonetheless overcome.” 

With respect to a former Heartland IT employee’s statement that Heartland should have taken various additional steps to secure its network following the 2007 attack, the court found that “one former employee’s opinion that Heartland did not do everything it could have done to address the security breach does not render the statement ‘We place significant emphasis on maintaining a high level of security’ false.” 

In the end, the court dismissed the complaint against Heartland with prejudice, finding that, because the company “did not make any statements to the effect that the company’s network was immune from security breaches or that no security breach had ever occurred, …the statements in the 10-K were not false or misleading.”

U.S. Cyber Security Draws the Attention of the White House and Congress

News last week that Chinese and Russian hackers had infiltrated the U.S. electrical power grid gave practical significance to an already high-profile issue in Washington: how better to secure the nation’s cyber-infrastructure.  Late in 2008, the Center for Strategic and International Studies Commission on Cyber Security for the 44th Presidency (the Commission) released a report citing the U.S.’s failure to protect cyberspace as “one of the most urgent national security problems” facing the Obama administration.  That failure threatens the safety and well-being of the United States and its allies and raises immediate risks for the economy.  In a global economy, where economic strength and technological leadership are as important to national power as military force, failing to secure cyberspace puts the U.S. at a disadvantage.  When Chinese and Russian intruders apparently left software on networks supporting the U.S. power grid that could be used to compromise electric and water systems, the Commission’s warnings were borne out in a real-world way.

The Obama Administration has taken these threats seriously.  On February 10 it initiated a 60-day review of federal cybersecurity efforts to protect vital U.S. computer networks (the Review).  The Review staff has engaged in significant and broad outreach to the government, the private sector and non-governmental organizations.  As the work of the Review draws to a close, its director, Melissa Hathaway, has intimated that it will not result in the naming of a cybersecurity advisor at the White House level.  This is an important, if controversial, signal.  However, on April 2, 2009, Senator Jay Rockefeller (D-WV) and Senator Olympia Snowe (R-ME) proposed legislation that would establish just such a position, invested with sweeping powers.  The legislation would empower the government to set and enforce security standards for industry, and would broaden the focus of the government’s cybersecurity efforts to include not only military networks but also private systems that control critical infrastructure, such as electricity and water distribution.  Such new powers raise serious questions for industry and civil liberties.

The Centre for Information Policy Leadership has played a prominent role in these efforts.  Centre Senior Policy Advisor Professor Fred H. Cate has consulted on several occasions with the Review committee, and Paula Bruening served on the Commission.  On April 5, Paula was featured as a guest on National Public Radio’s The Diane Rehm Show, along with Jim Lewis, director of the Commission’s study, and Paul Kurtz, a cybersecurity consultant and former senior director, Office of Cyberspace Security at the National Security Council.  During the hour-long discussion, the guests explained the nature of these cybersecurity threats, considered the challenges faced by government and industry, the consumer’s role and issues of civil liberties, and proposed possible ways to move forward.