Does your financial institution need an
affordable Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our penetration testing audits
to ensure proper Internet security settings and to
meet the independent diagnostic test requirements of the
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act Section 501(b).
The penetration audit and Internet security testing
is an affordable, sophisticated process that goes far beyond
simple port scanning. The audit is conducted from
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
http://www.internetbankingaudits.com/.
FYI
- The Federal Bureau of Investigation (FBI) arrested one of its “Most
Wanted Cyber Fugitives” earlier this week in Tijuana, Mexico, nearly
five months after his indictment. He allegedly stole the identities
of 40,000 people and then used their information to siphon funds
from their brokerage or bank accounts to pay for expensive
electronics, which led to losses in the millions of dollars.
http://www.scmagazine.com/fbi-arrests-most-wanted-cyber-fugitive-in-tijuana/article/381914/
FYI
- Windows vulnerability identified as root cause in Home Depot breach
- In a detailed account of Home Depot's breach, The Wall Street
Journal disclosed that the compromised credit cards and emails could
have been stolen as a result of a Windows vulnerability in the
retailer's main network.
http://www.scmagazine.com/home-depot-breach-caused-by-windows-vulnerability/article/382450/
FYI
- Efforts to protect US government data against hackers undermined by
worker mistakes - A $10bn-a-year effort to protect sensitive
government data, from military secrets to social security numbers,
is struggling to keep pace with an increasing number of cyberattacks
and is unwittingly being undermined by federal employees and
contractors.
http://www.theguardian.com/technology/2014/nov/10/us-government-hacking-cybercrime-workers-crime
FYI
- Postal workers union files charges
following USPS breach - The American Postal Workers Union (APWU) has
filed charges to the National Labor Relations Board against the
Postal Service for failing to consult with the group following its
recent data breach.
http://www.scmagazine.com/postal-workers-union-files-charges-following-usps-breach/article/382916/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Home Depot hackers stole 53 million email addresses - US retail
giant Home Depot says hackers who stole payment-card details of
millions of customers also stole 53 million email addresses.
http://www.bbc.com/news/world-us-canada-29946792
FYI
- USPS investigates breach, more than 800K
employees possibly affected - The United States Postal Service (USPS)
announced on Monday that an investigation is underway – led by the
FBI and joined by other federal and postal investigatory agencies –
with regard to a cyber security intrusion into some of its
information systems.
http://www.scmagazine.com/usps-investigates-breach-more-than-800k-employees-possibly-affected/article/382421/
http://www.computerworld.com/article/2845621/government/us-postal-service-suffers-breach-of-employee-customer-data.html
FYI
- Feeling safe in your executive hotel suite, Mr CEO? Well, DON'T -
Corporate bosses clobbered on luxury venue networks by 'Darkhotel' -
Corporate bosses are coming under attack from a shadowy new group
that spreads malware by hijacking the networks of luxury hotels.
http://www.theregister.co.uk/2014/11/10/corporate_bosses_clobbered_as_they_sleep/
FYI
- BrowserStack HACK ATTACK: Service still suspended after rogue email
- Admits breach, but only within email address list - Browser
testing service BrowserStack has temporarily suspended its services
while it recovers from a "hack attack" by someone apparently bent on
discrediting the security of the widely used tool.
http://www.theregister.co.uk/2014/11/10/browserstack_hack_attack_service_still_suspended_after_rogue_email/
FYI
- Wildfire breach affects 15,000 -
British Columbia's provincial government is notifying 15,000
individuals after a privacy breach in its Wildfire Management
Branch.
http://www.scmagazine.com/wildfire-breach-affects-15000/article/382519/
FYI
- Four NOAA websites compromised by an
internet-sourced attack - Four NOAA websites were compromised in
recent weeks by an internet-sourced attack, according to a National
Oceanic and Atmospheric Administration (NOAA) statement emailed to
SCMagazine.com by Scott Smullen, deputy director of NOAA
communications and external affairs.
http://www.scmagazine.com/four-noaa-websites-compromised-by-an-internet-sourced-attack/article/382918/
FYI
- Visionworks notifies 75K Maryland
customers of missing database server - Texas-based eye care services
provider Visionworks is notifying as many as 75,000 customers who
received services at its Jennifer Square location in Annapolis, MD
that an investigation is underway to locate a missing database
server potentially containing their personal information.
http://www.scmagazine.com/visionworks-notifies-75k-maryland-customers-of-missing-database-server/article/382915/
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Banking
Supervision.
Principle 9: Banks should take appropriate measures to ensure
adherence to customer privacy requirements applicable to the
jurisdictions to which the bank is providing e-banking products and
services.
Maintaining a customer's information privacy is a key
responsibility for a bank. Misuse or unauthorized disclosure of
confidential customer data exposes a bank to both legal and
reputation risk. To meet these challenges concerning the
preservation of privacy of customer information, banks should make
reasonable endeavors to ensure that:
1) The bank's customer privacy policies and standards take account
of and comply with all privacy regulations and laws applicable to
the jurisdictions to which it is providing e-banking products and
services.
2) Customers are made aware of the bank's privacy policies and
relevant privacy issues concerning use of e-banking products and
services.
3) Customers may decline (opt out) from permitting the bank to
share with a third party for cross-marketing purposes any
information about the customer's personal needs, interests,
financial position or banking activity.
4) Customer data are not used for purposes beyond which they are
specifically allowed or for purposes beyond which customers have
authorized.
5) The bank's standards for customer data use must be met when
third parties have access to customer data through outsourcing
relationships.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SERVICE PROVIDER OVERSIGHT
Many financial institutions outsource some aspect of their
operations. Although outsourcing arrangements often provide a
cost-effective means to support the institution's technology needs, the
ultimate responsibility and risk rests with the institution.
Financial institutions are required under Section 501(b) of the GLBA
to ensure service providers have implemented adequate security
controls to safeguard customer information. Supporting interagency
guidelines require institutions to:
- Exercise appropriate due diligence in selecting service
providers,
- Require service providers by contract to implement appropriate
security controls to comply with the guidelines, and
- Monitor service providers to confirm that they are maintaining
those controls when indicated by the institution's risk assessment.
Financial institutions should implement these same precautions in
all technology service provider (TSP) relationships based on the
level of access to systems or data for safety and soundness reasons,
in addition to the privacy requirements.
Financial institutions should determine the following security
considerations when selecting or monitoring a service provider:
- Service provider references and experience,
- Security expertise of TSP personnel,
- Background checks on TSP personnel,
- Contract assurances regarding security responsibilities and
controls,
- Nondisclosure agreements covering the institution's systems and
data,
- Ability to conduct audit coverage of security controls or
provisions for reports of security testing from independent third
parties, and
- Clear understanding of the provider's security incident response
policy and assurance that the provider will communicate security
incidents promptly to the institution when its systems or data are
potentially compromised.
INTERNET PRIVACY - (At the end of November 2014, we will discontinue this section
on Internet Privacy. You will find the entire regulation PART
332—PRIVACY OF CONSUMER FINANCIAL INFORMATION at
http://www.fdic.gov/regulations/laws/rules/2000-5550.html.)
We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Reuse & Redisclosure of nonpublic
personal information received from a nonaffiliated financial
institution under Sections 14 and/or 15.
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure and reuse of
the information where the institution is the recipient of nonpublic
personal information (§11(a)).
B. Select a sample of data received from nonaffiliated financial
institutions, to evaluate the financial institution's compliance
with reuse and redisclosure limitations.
1. Verify that the institution's redisclosure of the information
was only to affiliates of the financial institution from which the
information was obtained or to the institution's own affiliates,
except as otherwise allowed in step 2 below (§11(a)(1)(i) and
(ii)).
2. Verify that the institution only uses and shares the data
pursuant to an exception in Sections 14 and 15 (§11(a)(1)(iii)).