ICBA Free Data Breach Toolkit Available - In light of the recent
data breach at payments processor Heartland Systems, ICBA and Visa
developed a communications toolkit to help community banks answer
customers’ questions following a breach of credit and debit card
account information. An important online resource, the free
comprehensive guide offers ICBA members customizable materials,
including cardholder letters, statement inserts, FAQs and media
statements. Requires ICBA membership -
Electronic Health Records - GAO - DOD's and VA's Sharing of
Information Could Benefit from Improved Management.
Rogue contractor admits Oz gov hack attacks - An Australian has
admitted causing AUS$1m in damage after hacking into the computer
systems of the Northern Territory Government and deleting records of
thousands of civil servants.
Law Enforcement Closing In On Heartland Breach Perpetrator - DoJ
reportedly pinpoint location of cybercriminal outside North America
- The Secret Service has identified the prime suspect in the
Heartland Payment Systems security breach, and the case has been
turned over to the U.S. Department of Justice, according to a news
President Obama's cybersecurity plan released - While campaigning,
President Obama addressed the importance of cybersecurity. On
Wednesday, he made good on at least some of his promises when his
administration posted to the White House website an outline for
protecting the nation's homeland security. The strategy includes a
six-step plan to safeguard information networks.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
MoD admits 440 computer data devices have been lost or stolen in the
past year - The Ministry of Defence admitted yesterday that 217 of
its laptops, 47 desk-top computers, 80 hard drives and 96 memory
sticks were lost or stolen during 2008, despite a high-profile
security crackdown launched last summer. The latest figures mean
more than 1640 of the department's computers and other information
devices have gone missing in the past five years.
Conficker seizes city's hospital network - Network-wide update ban
invites worm infection - Staff at hospitals across Sheffield are
battling a major computer worm outbreak after managers turned off
Windows security updates for all 8,000 PCs on the vital network, The
Register has learned. It's been confirmed that more than 800
computers have been infected with self-replicating Conficker code.
Insiders at Sheffield Teaching Hospitals Trust said they suspect
many more machines are affected but have not been reported to IT.
Payment processor Heartland reports breach - Heartland Payment
Systems, which processes payroll and credit card payments for more
than 250,000 businesses, reported Tuesday that consumer credit card
data was exposed in what may be the largest security breach ever.
Debit-card processor claims data breach part of bigger fraud -
Company found evidence of malicious software that compromised card
data on its network - Heartland Payment Systems, the Princeton,
N.J.-based provider of credit and debit processing, payment and
check management services, today disclosed that it has been the
victim of a data breach.
Clerical error foiled Sumitomo bank hack - The largest near heist in
banking history failed because the men accused of trying to carry it
out didn't properly fill in a single field in an electronic transfer
form. This is one of the extraordinary details that have emerged in
the trial of three men accused of having tried in September and
October 2004 to rob Japan's Sumitomo Mitsui bank of an eye-watering
£229 million ($318 million at today's exchange) from inside its
office, in the City of London.
NZ man finds US army files on MP3 playerJanuary 26, 2009 - A New
Zealand man has found confidential United States military files on
an MP3 player he bought at an op shop in the US.
Spammers hack into Government jobs website - The NSW Government
website used to advertise public service jobs has been hacked into
and the perpetrators have spammed the Government's database of job
seekers with phony vacancies in an effort to steal personal data and
possibly to spread viruses.
Monster.com Reports Theft of User Data - Monster.com is advising its
users to change their passwords after data including e-mail
addresses, names and phone numbers were stolen from its database.
Encrypted staff data disc lost - A computer data disk containing
personal details of around 2,000 members of British Council staff
has been lost. The loss, involving names, national insurance
numbers, salary and bank account details of the Council's UK staff,
is the latest in a string of cases of official information going
astray in recent months.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Record retention provisions apply to electronic delivery of
disclosures to the same extent required for non-electronic delivery
of information. For example, if the web site contains an
advertisement, the same record retention provisions that apply to
paper-based or other types of advertisements apply. Copies of such
advertisements should be retained for the time period set out in the
relevant regulation. Retention of electronic copies is acceptable.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 5 of 10)
B. RISK MANAGEMENT TECHNIQUES
Management must effectively plan, implement, and monitor the
financial institution's weblinking relationships. This includes
situations in which the institution has a third-party service
provider create, arrange, or manage its website. There are several
methods of managing a financial institution's risk exposure from
third-party weblinking relationships. The methods adopted to manage
the risks of a particular link should be appropriate to the level of
risk presented by that link as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of weblinks
should review the types of products or services and the overall
website content made available to its customers through the
weblinks. Management should consider whether the links support the
institution's overall strategic plan. Tools useful in planning
weblinking relationships include:
1) due diligence with respect to third parties to which the
financial institution is considering links; and
2) written agreements with significant third parties.
FYI CLIENTS - The complete statement on Weblinking:
Identifying Risks and Risk Management Techniques can be found at http://www.fdic.gov/news/news/financial/2003/fil0330a.html.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
ENCRYPTION - HOW ENCRYPTION WORKS
In general, encryption functions by taking data and a variable,
called a "key," and processing those items through a fixed algorithm
to create the encrypted text. The strength of the encrypted text is
determined by the entropy, or degree of uncertainty, in the key and
the algorithm. Key length and key selection criteria are important
determinants of entropy. Greater key lengths generally indicate more
possible keys. More important than key length, however, is the
potential limitation of possible keys posed by the key selection
criteria. For instance, a 128-bit key has much less than 128 bits of
entropy if it is selected from only certain letters or numbers. The
full 128 bits of entropy will only be realized if the key is
randomly selected across the entire 128-bit range.
The encryption algorithm is also important. Creating a mathematical
algorithm that does not limit the entropy of the key and testing the
algorithm to ensure its integrity are difficult. Since the strength
of an algorithm is related to its ability to maximize entropy
instead of its secrecy, algorithms are generally made public and
subject to peer review. The more that the algorithm is tested by
knowledgeable worldwide experts, the more the algorithm can be
trusted to perform as expected. Examples of public algorithms are
AES, DES and Triple DES, HSA - 1, and RSA.
Return to the top of the
3. Determine whether:
• Authorization for physical access to critical or sensitive
information - processing facilities is granted according to an
• Authorizations are enforceable by appropriate preventive,
detective, and corrective controls; and
• Authorizations can be revoked in a practical and timely manner.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 2 of 3)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial, annual and
revised notices, as well as any short-form notices that the
institution may use for consumers who are not customers. Determine
whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1),
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1), 8(a)(1)). Note, this includes
practices disclosed in the notices that exceed regulatory
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§6). Note that if
the institution shares under Section 13 the notice provisions for
that section shall also apply.
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written consumer records where available, determine if the
institution has adequate procedures in place to provide notices to
consumers, as appropriate. Assess the following:
a. Timeliness of delivery (§§4(a), 7(c), 8(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. For customers only, review the timeliness of
delivery (§§4(d), 4(e), 5(a)), means of delivery of annual notice
(§9(c)), and accessibility of or ability to retain the notice (§9(e)).