Security Bytes: Data breach affects 100,000 military personnel

Meanwhile: Phishers use a phone trick to dupe PayPal users; the PCI security standard will get more teeth; and a survey illustrates an increase in security breaches

Breach affects 100,000 US Navy, Marine Corps personnel
The latest data breach to affect the U.S. military has left 100,000 Navy and Marine Corps personnel at risk of identity fraud. According to the Reuters news service, personal data belonging to aviators and air crew was publicly available on a Web site for more than six months. The Navy has confirmed it is investigating how that was allowed to happen, but it is still unclear what the ramifications might be. Last December, the full names and Social Security numbers of active and reserve members who have served in the last 20 years appeared on the Naval Safety Center Web site, Reuters said. At the time that information appeared on the Web site, Navy and Marine Corps commands received the same data on 1,083 program disks that were mailed out as part of the service's Web Enabled Safety Program. The Naval Safety Center learned of the problem Thursday and removed the information from the Web site. Safety center spokeswoman Evelyn Odango told Reuters the problem appeared to be an errant file. "The information was inadvertently included in a file that was then posted on the Web," she said. "We found out about it through a Web site user and it was removed immediately."

Phishing scam uses phone trick to dupe PayPal users
UK-based antivirus firm Sophos said it has uncovered a new phishing scam that tries to trick PayPal customers into calling a phone number and giving up their credit card information. The email, which purports to come from PayPal, lures in victims by claiming that their accounts have been tainted by fraudulent activity. Unlike typical phishing emails, this one contains no Internet link or response address. Instead, it urges the recipient to call a phone number and verify their details. When dialed, victims get an automated voice saying: "Welcome to account verification. Please type your 16-digit card number." Once the card details are entered, the scammer has what is needed to use the card, Sophos said, adding that if invalid card details are entered the system asks the caller to re-enter them, which makes the fraudulent telephone number, still live at the time of the report, appear all the more legitimate. A screenshot of the phishing email can be seen on the Sophos Web site, which also includes a .wav file of the phone message.
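Because this lure carries no link, a filter that only inspects URLs never sees it. As an added example (not part of the Sophos report or this article), a small heuristic that flags mail of this shape on its wording plus a callback number, whether or not a link is present, together with a Luhn check of the kind an automated line could use to tell a mistyped card number from a real one and re-prompt. Sophos does not say how the line decides a number is "incorrect", so the Luhn check and the `ivr_turn` behaviour beyond the quoted prompt are assumptions; both messages and the 555-01xx number are constructed.

```python
import re

# Constructed samples (not the Sophos screenshot); 555-01xx numbers are reserved for fiction.
VISHING_MAIL = {
    "subject": "Your PayPal account has been limited",
    "body": (
        "We have detected fraudulent activity on your account. To restore access, "
        "please call 1-800-555-0199 and verify your details. Do not reply to this email."
    ),
}
BENIGN_MAIL = {
    "subject": "Your receipt",
    "body": "Thanks for your order. View the details at https://www.example.com/receipts/123",
}

URL_RE = re.compile(r"https?://|www\.", re.I)
# North American number with optional country code; loose on separators to survive light obfuscation.
PHONE_RE = re.compile(r"(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
ALARM_PHRASES = ("fraudulent activity", "account has been limited", "unauthorized",
                 "suspended", "verify your")


def classify_message(subject, body):
    """Return (flagged, reasons). Flags on alarm wording plus a callback number.
    A missing link is reported as extra evidence but not required, since a
    link-only filter is exactly what this lure is built to slip past."""
    text = f"{subject}\n{body}".lower()
    alarm = [p for p in ALARM_PHRASES if p in text]
    phones = PHONE_RE.findall(text)
    reasons = []
    if alarm:
        reasons.append("account-alarm wording: " + ", ".join(alarm))
    if phones:
        reasons.append("callback number(s): " + ", ".join(phones))
        if not URL_RE.search(text):
            reasons.append("no link at all; the phone number is the only call to action")
    return (bool(alarm) and bool(phones), reasons)


def luhn_ok(card_number):
    """Luhn check-digit test (assumption: how a line like this could reject a mistyped number)."""
    digits = [int(c) for c in card_number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ivr_turn(keypad_input):
    """One turn of the automated line: accept a Luhn-valid 16-digit entry, otherwise
    repeat the quoted prompt. The re-prompt on bad input is what Sophos describes;
    the Luhn test behind it is an assumption."""
    if len(keypad_input) == 16 and keypad_input.isdigit() and luhn_ok(keypad_input):
        return "accepted"
    return "Please type your 16-digit card number."


if __name__ == "__main__":
    for mail in (VISHING_MAIL, BENIGN_MAIL):
        flagged, reasons = classify_message(mail["subject"], mail["body"])
        print(mail["subject"], "->", "FLAGGED" if flagged else "ok", reasons)
    print(ivr_turn("4111111111111112"))   # mistyped test number: re-prompted
    print(ivr_turn("4111111111111111"))   # Luhn-valid test number: accepted
```

The re-prompt is worth noticing from the defender's side too: it means the attacker's line only stores numbers that pass a checksum, so the harvested data is clean and immediately usable. A user-facing rule that survives this trick is simple: never dial a number from an unsolicited message; use the one printed on the back of the card.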

PCI security standard getting more teeth
Every merchant that handles credit card data has spent the last year adjusting to the Payment Card Industry (PCI) data security standard. Now it appears that standard is about to be made tougher, with MasterCard International Inc. and Visa USA Inc. preparing to unveil new security rules in the next 30 to 60 days. Eduardo Perez, vice president of corporate risk and compliance at Foster City, Calif.-based Visa, told Computerworld that some of the new rules will better address the growing list of Web application security threats, while others will mandate that companies ensure the third parties that they deal with have adequate controls to protect credit card data.

Survey: 84% suffer security incident in past year
Security breaches are becoming more common in the business world than some might expect, according to the results of a survey conducted by New York-based CA Inc. The firm polled 642 large North American organizations, and more than 84% of respondents admitted experiencing a security incident over the past 12 months. In a breakdown of the findings, CA said security breaches have increased 17% since 2003. As a result, 54% of organizations reported lost workforce productivity; 25% reported public embarrassment, loss of trust or confidence, and damage to reputation; and 20% reported losses in revenue, customers or other tangible assets. Of the organizations that experienced a security breach, 38% suffered an internal breach of security. CA said the findings indicate that security isn't being taken seriously enough at all levels of an organization, especially in the financial services industry. Nearly 40% of respondents indicated that their organizations don't take IT security risk management seriously at all levels, while 37% believe their organization's security spending is too low. Only 1% said it is too high.