REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
The Federal Financial Institutions Examination Council today
issued a revised Supervision of Technology Service Providers
booklet, which is part of the FFIEC Information Technology
Innocent Megaupload user asks court to release secret raid documents
- EFF argues he needs the documents to vindicate his Fourth
Amendment rights. The Ohio videographer who was chosen by the
Electronic Frontier Foundation as a representative of innocent
Megaupload users, has asked a Virginia federal judge to unseal
search warrants and other documents related to the January raid on
Megaupload's Virginia servers.
Largest U.S. energy marketing agency used outdated security patches
- The government's largest renewable power transmission agency used
a default password to protect its electricity scheduling database
and regularly failed to update security software, an Energy
Department inspector general found.
TSA fails again with adjustable boarding passes - Lets passengers
pick their own security rating - The reputation of possibly
America's least-favorite fondlers, the Transportation Security
Administration (TSA), has taken yet another hit with the discovery
that its shoddy security allows passengers in its PreCheck system to
pick their own security status.
FBI rolls out round-the-clock cyber crime team - The FBI has
introduced a team of specialists, which will be on call 24/7, to
investigate cyber threats affecting businesses, critical industries
and domestic security -- and possibly determine who's behind on
Hurricane Sandy could cause big mess in cyber space too - With
Hurricane Sandy on a collision course with the Northeast, cyber
crooks are likely to take advantage of the historic storm to make a
quick buck or steal personal information from the unsuspecting.
Feds charge 14 with making ATM cashouts appear like one - Fourteen
people have been charged with stealing more than $1 million from
Citibank ATMs in several Southern California and Nevada casinos.
Hurricane Sandy tests business continuity, disaster recovery - In
the aftermath of Hurricane Sandy, which disrupted power, internet,
phone and numerous other technical services for millions along the
East Coast, organizations are in an ideal mode to check the
efficiency or shortcomings of their “in-case-of-disaster” plans.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Judge dismisses brunt of Sony breach lawsuit - A U.S. District
Court judge in California has absolved Sony of several charges
levied against the electronics giant in a class-action suit that
followed the 2011 breach of its PlayStation Network (PSN) and
on-demand entertainment service Qriocity.
- Barnes & Noble halts use of PIN pad devices after data breach -
Payment terminals at 63 stores in eight states compromised; unknown
number of customers affected - Barnes & Noble has removed PIN pad
devices from all of its nearly 700 stores nationwide as a precaution
after detecting evidence of tampering with the devices at 63 of its
stores in eight states.
- Monster breach hits South Carolina taxpayers - The state of South
Carolina is engaged in an "unprecedented response" following a
massive breach in which hackers stole 3.6 million Social Security
numbers and 387,000 credit and debit card numbers, officials said
- Vermont credit union discards unencrypted data of 85,000 - Two
unencrypted backup tapes from Vermont's largest credit union, the
Montpelier-based Vermont State Employees Credit Union, are believed
to have been accidentally thrown away.
- South Carolina breach exposes 3.6M SSNs - Another 387,000 credit
and debit cards also exposed in Department of Revenue intrusion, but
most were encrypted - In the biggest data compromise of the year,
Social Security Numbers (SSN) belonging to about 3.6 million
residents in South Carolina have been exposed in an intrusion into a
computer at the state's Department of Revenue.
- Hackers crack Texan bank, Experian credit records come flooding
out - Names, numbers, finances, EVERYTHING... and they weren't even
customers - Hackers managed to get login credentials for Experian's
credit scoring reports after they broke into the systems of Abilene
Telco Federal Credit Union last year, it has emerged.
- Surrey shuts down electronic sign after hackers have their say -
Pranksters have been amusing and confusing Surrey drivers by hacking
into and changing the wording on electronic messaging boards.
- Israel police disconnect from Internet after cyber attack - The
police service of Israel goes offline after discovering malware
infection apparently designed to harvest information - Israeli
police disconnected their IT systems from the Internet last week,
after an apparent cyber attack designed to steal information, the
Times of Israel has reported.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series
regarding FDIC Supervisory Insights regarding
Programs. (5 of 12)
An institution should notify its primary Federal regulator as soon
as it becomes aware of the unauthorized access to or misuse of
sensitive customer information or customer information systems.
Notifying the regulatory agency will help it determine the potential
for broader ramifications of the incident, especially if the
incident involves a service provider, as well as assess the
effectiveness of the institution's IRP.
Institutions should develop procedures for notifying law enforcement
agencies and filing SARs in accordance with their primary Federal
regulator's requirements. Law enforcement agencies may serve as an
additional resource in handling and documenting the incident.
Institutions should also establish procedures for filing SARs in a
timely manner because regulations impose relatively quick filing
deadlines. The SAR form itself may serve as a resource in the
reporting process, as it contains specific instructions and
thresholds for when to file a report. The SAR form instructions also
clarify what constitutes a "computer intrusion" for filing purposes.
Defining procedures for notifying law enforcement agencies and
filing SARs can streamline these notification and reporting
Institutions should also address customer notification procedures in
their IRP. When an institution becomes aware of an incident
involving unauthorized access to sensitive customer information, the
institution should conduct a reasonable investigation to determine
the likelihood that such information has been or will be misused. If
the institution determines that sensitive customer information has
been misused or that misuse of such information is reasonably
possible, it should notify the affected customer(s) as soon as
possible. Developing standardized procedures for notifying customers
will assist in making timely and thorough notification. As a
resource in developing these procedures, institutions should
reference the April 2005 interpretive guidance, which specifically
addresses when customer notification is necessary, the recommended
content of the notification, and the acceptable forms of
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our coverage of the
FDIC's "Guidance on Managing Risks Associated With Wireless Networks
and Wireless Customer Access."
Risk Mitigation Components - Wireless Internet Devices
For wireless customer access, the financial institution should
institute policies and standards requiring that information and
transactions be encrypted throughout the link between the customer
and the institution. Financial institutions should carefully
consider the impact of implementing technologies requiring that a
third party have control over unencrypted customer information and
As wireless application technologies evolve, new security and
control weaknesses will likely be identified in the wireless
software and security protocols. Financial institutions should
actively monitor security alert organizations for notices related to
their wireless application services. They should also consider
informing customers when wireless Internet devices that require the
use of communications protocols deemed insecure will no longer be
supported by the institution.
The financial institution should consider having regular independent
security testing performed on its wireless customer access
application. Specific testing goals would include the verification
of appropriate security settings, the effectiveness of the wireless
application security implementation and conformity to the
institution's stated standards. The security testing should be
performed by an organization that is technically qualified to
perform wireless testing and demonstrates appropriate ethical
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
43. Does the institution allow the consumer to select certain
nonpublic personal information or certain nonaffiliated third
parties with respect to which the consumer wishes to opt out?
(Note: an institution may allow partial opt outs
in addition to, but may not allow them instead of, a comprehensive