Where to begin?
Yesterday, there were reports from Reuters and others that Automatic Data Processing Inc. (ADP), the largest payroll processor in the world, had found that a data breach had affected one of its corporate clients, which it did not name.
The Reuters story says that ADP has some 550,000 clients, and supposedly does the payroll for about half of the employees of the largest US companies.
A statement by ADP says that:
"Automatic Data Processing, Inc., today announced that it is investigating and taking measures to address the impact of a system intrusion that occurred with one client at Workscape, a recently acquired benefits administration provider. The intrusion, which occurred on a non-payroll legacy platform that is no longer sold by ADP's benefits administration business, was detected by the ADP security team during routine system monitoring."
ADP says that because it is working with law enforcement, it can't disclose any more information at this time. However, "Protecting ADP clients and their data from malicious activity has been, and always will be, a top priority for ADP."
Next up to bat in this week's IT security death match was the CIA. The CIA's web site was taken down by the hacking group LulzSec late Tuesday afternoon from 1748 to about 2000 EDT, according to a story in the Washington Post. The Post story said the web site was hit by a denial of service attack. LulzSec also was able to gain access to the US Senate web site earlier in the week, but was repulsed when it apparently tried a second time.
LulzSec has also reportedly set up a telephone hotline to solicit who should be hacked next.
Then there are various reports today that the actual number of customer credit card accounts accessed in the Citigroup hack attack last month was 360,083, not the 210,000 or so that Citigroup originally implied.
According to this AFP news story, Citigroup says that it has reissued credit cards to 217,657 customer accounts, and says that the reason it didn't mention the higher 360K number was that some of those accounts hacked were inactive accounts (it won't say how many, however) or the customers were already scheduled to get new credit cards anyway.
I guess this is Citigroup's "no harm, no foul" hacking disclosure rule. Those in the US Congress looking at making the reporting of security breaches mandatory may want to look at Citigroup's breach disclosure logic a bit more.
There was an interesting story earlier this week by the New York Times discussing how easy it was for Citigroup to be penetrated by hackers. The ease with which Citigroup was breached is one of the reasons why the Financial Times of London is reporting today that US government agencies like the Department of Homeland Security along with federal law enforcement are instructing banks on how to improve their security. The FT broke the original story on the Citigroup breach.
Lastly, there is the news reported yesterday via the London Sun that a laptop containing the unencrypted "details of 8.63 million people plus records of 18 million hospital visits, operations and procedures" went missing three weeks ago and is only being reported now.
The Sun article says that the laptop is one of 12 (out of an original 20) that are either lost, misplaced or were stolen (no one seems to know) from "a store room at London Health Programmes, a medical research organisation based at the NHS (National Health Service) North Central London health authority."
This story at ZDNet UK says the NHS has confirmed that a laptop has gone missing, but won't say much more about it since it is still investigating the issue. However, the NHS North Central London health service did issue a statement that said:
"One of the machines was used for analysing health needs requiring access to elements of unnamed patient data. All the laptops were password protected, and our policy is to manually delete the data from laptops after the records have been processed."
The health authority admitted that it didn't know if that policy was actually followed in the case of the missing laptop (or the others still missing, presumably). If it wasn't, and someone was really interested in gaining access to the unencrypted information on those 8.6 million plus patients, password protection isn't going to stop them for long. A login password only gates the operating system; whoever has the machine can pull the drive and read it on another computer, or boot the laptop from removable media, and without full-disk encryption every record on it is readable in the clear.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.