Breach affects 100,000 US Navy, Marine Corps personnel
The latest data breach to affect the U.S. military has left 100,000
Navy and Marine Corps personnel at risk for data fraud. According
to the Reuters news service, personal data belonging to aviators
and air crew was publicly available on a Web site for more than six
months. The Navy has confirmed it's investigating how that was
allowed to happen, but it's still unclear what the ramifications
might be. Last December, the full names and Social Security numbers
of active and reserve members who have served in the last 20 years
appeared on the Naval Safety Center Web site, Reuters said. At the
time that information appeared on the Web site, Navy and Marine
Corps commands received the same data on 1,083 program disks that
were mailed out as part of the service's Web Enabled Safety
Program. Thursday, the Naval Safety Center learned of the problem
and wiped the information off the Web site. Safety center
spokeswoman Evelyn Odango told Reuters the problem appeared to be
an errant file. "The information was inadvertently included in a
file that was then posted on the Web," she said. "We found out
about it through a Web site user and it was removed
immediately."
Phishing scam uses phone trick to dupe PayPal users
UK-based antivirus firm Sophos said it has uncovered a new phishing
scam that tries to trick PayPal customers into calling a phone
number and giving up their credit card information. The email,
which purports to come from PayPal, lures in victims by claiming
that their accounts have been tainted by fraudulent activity.
Unlike normal phishing emails, this one contains no Internet link
or response address. Instead, it urges the recipient to call a
phone number and verify their details. When dialed, victims get an
automated voice saying: "Welcome to account verification. Please
type your 16-digit card number." Once the credit card details are
entered, the scammer is free to steal the information for their own
gain, Sophos said, adding that if incorrect card details are
entered, a request for re-entry is made, further enhancing the
legitimacy of the fraudulent telephone number, which is still live.
A screenshot of the phishing email can be seen on the Sophos
Web site, which also includes a .wav file of
the phone message.
PCI security standard getting more teeth
Every merchant that handles credit card data has spent the last
year adjusting to the Payment Card Industry (PCI) data security
standard. Now it appears that standard is about to be made tougher,
with MasterCard International Inc. and Visa USA Inc. preparing to
unveil new security rules in the next 30 to 60 days. Eduardo Perez,
vice president of corporate risk and compliance at Foster City,
Calif.-based Visa, told Computerworld that some of the new rules
will better address the growing list of Web application security
threats, while others will mandate that companies ensure the third
parties that they deal with have adequate controls to protect
credit card data.
Survey: 84% suffer security incident in past year
Security breaches are becoming more common in the business world
than some might expect, according to the results of a survey
conducted by New York-based CA Inc. The firm polled 642 large North
American organizations and more than 84% of respondents admitted
experiencing a security incident over the past 12 months. In a
breakdown of the findings, CA said security breaches have increased
17% since 2003. As a result, 54% of organizations reported lost
workforce productivity; 25% reported public embarrassment, loss of
trust/confidence and damage to reputation; and 20% reported losses
in revenue, customers or other tangible assets. Of the
organizations which experienced a security breach, 38% suffered an
internal breach of security. CA said the findings indicate that
security isn't being taken seriously enough at all levels of an
organization, especially in the financial service industry. Nearly
40% of respondents indicated that their organizations don't take IT
security risk management seriously at all levels, while 37% believe
their organization's security spending is too low. Only 1% said
it's too high.