Risk Factor

Mortgage Data Disclosed

The Washington Post said that LendingTree, an online mortgage broker with more than 20 million customers, announced this week a privacy breach that exposed personal data such as income and job information on an undisclosed number of users to five Southern California home loan lenders. LendingTree generates leads for lenders who pay for information about prospective borrowers.

According to the Post, LendingTree "notified customers by letter last week that 'several former employees may have helped a handful of mortgage lenders gain access to LendingTree's customer information by sharing confidential passwords with the lenders.'"

"Based on our investigation, we understand that these mortgage lenders used the password to access LendingTree's customer loan request forms, normally available only to LendingTree-approved lenders, to market loans to those customers."

LendingTree's loan request forms contained data such as name, address, e-mail address, telephone number and Social Security number. The loan forms were from October 2006 through early 2008, the letter said.

LendingTree said it did not believe any identity theft or fraudulent financial activity resulted but suggested that customers who were notified obtain a free credit report.

Hannaford Tightens Credit Card Security

Supermarket chain Hannaford, which was hacked from last December until March of this year, has announced that it has increased the security of its credit cards. According to the Boston Globe, Hannaford "has started encrypting card numbers from the moment they are swiped at checkout counters. And it has tapped IBM to monitor security for its computer network around the clock."

Hannaford's CIO Bill Homa said that while the company had been compliant with the credit card industry's Payment Card Industry Data Security Standard (PCI), "the standards were written mainly to secure data stored on retailers' internal computers and didn't anticipate that hackers might be able to intercept credit card numbers as they were transmitted to card processors for authorization."

Homa said one problem his company faced was that it was "at the mercy" of software vendors to provide updated security improvements. Hannaford, he said, wanted to put new security measures in sooner, but was forced to wait on its vendors.

Hannaford still does not know whether it was an intruder or an insider who was responsible for the breach. The investigation is continuing.

High Costs of Satellites Impeding Future Communications?

A report in the London Times says that the high cost of satellite launches is making communication companies "flinch" at investing in new satellites. New, larger satellites are required to handle the increasing volume of mobile traffic, especially in Asia and India.

The report says that the new generation of communication satellites (which cost $650 million and up) weigh up to 8 tons, and only the Ariane 5 rocket is currently commercially available to carry the satellites up into high orbit. With a virtual stranglehold on the market, Ariane is demanding $120 million per launch.

There is concern that the high launch and development costs will begin to slow down the introduction of new or upgraded communication services. Satellite makers like to have at least two launch suppliers, and until there is a competitor to Ariane, they are reluctant to move ahead.

As explained in the report by Jean-Marie Robert, the head of telecom satellites at Thales Alenia Space, "The way this industry works is that we build the satellite and the buyer then chooses the launcher they want based on price and reliability. But we need at least two launchers to have a competitive industry and to avoid expensive launches."

The high costs involved may also force space insurance rates to rise, further increasing the reluctance of communication companies to send up new satellites. Insurance costs have been rising, and the recent loss of the $150 million AMC-14 satellite, which was to deliver television services to the US, won't help.

2 Million University of Miami Patient Records Stolen

Last week, the University of Miami acknowledged that six backup tapes from its medical school that contained more than 2 million medical records were stolen in March from a van that was transporting the data to an off-site facility, according to an article in ComputerWorld.

The tapes were stolen on 17 March, but it took until the 17th of April before the University posted an alert about the theft. In the post, the University said that it, "... determined it would be unlikely that a thief would be able to access the back-up tapes because of the complex and proprietary format in which they were written."

Furthermore, the University said, "Anyone who has been a patient of a University of Miami physician or visited a UM facility since January 1, 1999, is likely included on the tapes. The data included names, addresses, Social Security numbers, or health information. The University will be notifying by mail the 47,000 patients whose data may have included credit card or other financial information regarding bill payment."

As far as I can tell, I guess we can now ring the bell.

Indictment in UCLA Medical Record Snooping

As I wrote about a few weeks ago, a worker - since fired - was responsible for snooping through 61 electronic medical records at the UCLA Medical Center, 32 of which were those of celebrities including California first lady Maria Shriver and actor Farrah Fawcett.

News reports are coming out that the worker was indicted on one count of illegally obtaining individually identifiable health information for commercial advantage.

The ex-worker allegedly received $4,600 from an unidentified media outlet in exchange for providing the private medical information.

SSA Plans (Again) to Reduce its 36 Million Lines of COBOL

The US Social Security Administration (SSA) is planning, for the third time, to start reducing its dependence on mainframe systems and COBOL code, according to a story in Federal Computer Week.

Testifying before the US House Ways and Means Committee, SSA Commissioner Michael Astrue said that the SSA would hopefully soon start moving to "a unified information technology system to replace the current 54 separate COBOL-based systems." Those 54 systems consist of some 36 million lines of COBOL.

Assuming that all the stakeholders can agree and resources can be found, this will mark the third such attempt by SSA to try to modernize its systems in the past 25 years. The first attempt began in 1982 as a ten-year, $500 million System Modernization Plan (SMP). It was canceled in 1988 after modest improvements to SSA systems.

In 1992, SSA began another effort called the Engineered Disability System, which "collapsed" (Astrue's characterization) in 1999 after costing $71 million.

Given that the first "baby boomer" retired last year, and she will soon be followed by 80 million more in the next 21 years, SSA had better hurry up and get it right this time.

Stolen Pilot's Laptop Causes Security Concerns

It was reported last week that a Mesa Airlines pilot's personal laptop was apparently stolen about a week ago while he was co-piloting a United Express flight from Birmingham, Alabama to Washington Dulles. What made the theft notable was that the laptop, which was thought to have been stolen from an overhead compartment, contained the security access codes that allow pilots to access gates and aircraft.

As a result, 17 airports (Dulles, Atlanta, Phoenix, Chicago O'Hare, etc.) had to immediately change their security codes.

The Transportation Security Administration (TSA) is now looking into changing the security requirements for pilots and others who carry this type of information along with them.

DNA Non-Discrimination Bill Moves Forward

I have been blogging recently about the expansion of government DNA databases and their potential uses. In a related story, last Thursday the US Senate unanimously voted for a bill that bars insurers and employers from discriminating based on a person's genetic makeup. The US House of Representatives is expected to pass the bill this week, and President Bush is expected to sign it soon thereafter.

The new law would keep insurance companies from denying health coverage or charging higher insurance premiums based on someone's DNA. It would also prevent employers from gathering DNA information or using DNA information to make job-related decisions, for instance in hiring or firing employees.

A Wall Street Journal article on the legislation said that, "A survey by Johns Hopkins University's Genetics and Public Policy Center last year found 92% of the adults surveyed were concerned that genetic information could be used against them. Just 24% said they trusted health insurers with such information, and only 16% trusted their employers."

While not a perfect bill, it should help those who have genetically-related health problems and who worry, like the folks in my IEEE Spectrum story a few years back on electronic health records, that they or their children will be discriminated against.

BTW, a story that appeared in the Washington Post earlier last week spoke of how the state and federal criminal justice systems are using DNA databases to solve crimes even if a suspect is not in the database. All the police need to do is to get a "close enough" match to an existing DNA profile, which might lead to the identification of a relative of a person in the database.

More on how the US government is using DNA to attack crime can be found at the President's DNA Initiative website as well as in a weekend story by the LA Times on how California is aggressively using DNA as a crime-fighting technique.

IRS IT Improvement Speeds Rebate Checks

In a bit of good news, Government Computer News reports that a new Internal Revenue Service (IRS) computer program upgrade allowed the taxpayer rebate checks to be sent out a week earlier than expected. The initial schedule called for the checks to be sent this Friday, 2 May, but now they are going out today.

Some 130 million taxpayers are expected to receive a total of $110 billion starting now and running into July. The checks, which will be (depending on income) $600 per taxpayer, $1200 per couple and $300 per child, will be sent out according to the last two numbers of a person's Social Security number.

The IRS is also warning of likely scams in regard to the rebates. As noted on the IRS website:

"Some people have received phone calls about the economic stimulus payments, in which the caller impersonates an IRS employee. The caller asks the taxpayer for their Social Security and bank account numbers, claiming that the IRS needs the information to complete the processing of the taxpayer's payment. In reality, the IRS uses the information contained on the taxpayer's tax return to process stimulus payments, rather than contacting taxpayers by phone or e-mail."

"An e-mail claiming to come from the IRS about the '2008 Economic Stimulus Refund' tells recipients to click on a link to fill out a form, apparently for direct deposit of the payment into their bank account. This appears to be an identity theft scheme to obtain recipients' personal and financial information so the scammers can clean out their victims' financial accounts. In reality, taxpayers do not have to fill out a separate form to get a stimulus payment or have it directly deposited; all they had to do was file a tax return and provide direct deposit information on the return."

So, spend wisely and avoid the scammers.

And kudos to the IRS.

Hey, I Just Won a Million Pounds!

It must be my lucky day! I just got an email saying I won £1,000,000.00 GBP. All I had to do to collect was to provide a few personal details at the "winners'" website.

Earlier in the week, I got emails from people in the Republic of Western Sahara, Scotland, South Africa and the Philippines, all having money burning in their pockets that they were wishing to share with me.

I must be one lucky guy, eh?

My collection of unique phishing emails now approaches 120. I got a new one this morning that was in Italian - my first - stating (if my translation was correct) that my account at some website had some incorrect data and I needed to immediately sign in and fix it.

I am curious - does anyone have a real funny or different phishing email to share?

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones
 