Risk Factor

FTC Puts Uber on a Short Leash for Security Breaches

It’s not nice―or smart―to deceive the U.S. Federal Trade Commission, especially while you’re in negotiations with the agency over penalties it’s going to impose for previously being dishonest.

Last August, the ride-hailing company Uber entered into a consent agreement with the FTC regarding its supposedly “securely stored” and “closely monitored” (pdf) customer and driver information. Uber bragged that it was using “the most up-to-date technology and services to ensure that none of these are compromised,” and promised that information was “encrypted to the highest security standards available.”

Alas, the FTC found these claims were more chimera than reality. As a consequence of its lackadaisical security practices, Uber experienced a data breach in May 2014 that allowed attackers to access the names and driver’s licenses of 100,000 Uber drivers, along with many of the drivers’ bank accounts and Social Security numbers.


Samsung Securities' $105 Billion Fat-Finger Share Error Triggers Urgent Regulator Inquiry

Last week, an employee of Samsung Securities Co., Samsung Group’s stock-trading entity and one of the largest trading companies in South Korea, accidentally issued shares worth some $105 billion to 2,018 of its employees who are members of its stock-owner program. The employees in the program were supposed to receive a dividend totaling 2 billion won (or about $0.93 per share they owned), but were mistakenly issued 2 billion shares instead. The amount issued was more than 30 times the total number of outstanding Samsung Securities’ shares.

Embarrassingly, Samsung Securities admitted that it took 37 minutes to fix what had occurred after it became aware of the problem. Even more humiliating, sixteen Samsung Securities employees were still able to sell off some 5 million shares of their payout, despite repeatedly being warned not to do so by their managers. Perhaps the warnings were ignored because they were able to make about 10 billion won ($9.3 million) each. Four other employees tried to sell their shares, but their trades were stopped before being completed.


Commonwealth Bank of Australia Tries to Explain Coding Errors Found After 4 Years

The Commonwealth Bank of Australia, the country’s largest bank, finally got around to explaining last week why two software coding errors first disclosed in 2016 lay hidden for more than four years. The errors allowed the approval of personal overdrafts for 9,577 of its customers that should have been declined, while also approving another 1,152 customers for higher overdraft limits than they were qualified for. Many of the customers were in financial distress, and the erroneous approvals allowed them to dig themselves into even deeper financial trouble. The interest rate the bank charged customers on an overdraft was a hefty 16.6 percent.

The coding errors were created in July 2011 when the bank introduced an automated decision tool to process customer overdraft applications, but the problems weren’t discovered until September 2015. During the calculations that decided whether a customer could actually afford an overdraft, one software error in the decision tool’s algorithm failed to count a customer’s rental expenses, while another error read from the wrong data field when determining a customer’s overall household expenditures. The result was that a customer’s true expenses were likely underestimated or under-assessed. The Australian Securities and Investments Commission (ASIC) fined the bank AU $180,000 for the coding errors on top of the AU $2.5 million the bank had to write off in customer loan balances.

How was the error discovered?


Maine’s New Unemployment System Frustrates the Public and State Workers Alike

Problems with unemployment insurance IT systems and rollouts are common, as exemplified by the difficulties experienced by Pennsylvania, Florida, and California, to name a few. In an attempt to reduce the frequency and cost of failure, several states, with encouragement and funding from the U.S. Department of Labor [pdf], have formed consortiums aimed at creating a core UI system that can then be minimally tailored to meet each state’s unique requirements.

One of the more noteworthy systems is ReEmployUSA, which was formed by Mississippi, Maine, Rhode Island, and Connecticut. The consortium was the brainchild of the Mississippi Department of Employment Security (MDES), which in 2012 finalized the modernization [pdf] of its UI system called Access Mississippi (Access MS). Mississippi offered Access MS to other states as a way to share development and support costs.

Eleven states initially expressed interest [pdf] in Mississippi’s proposal, with Maine and Rhode Island committing to the idea first, followed by Connecticut. The U.S. Labor Department provided $90 million to the consortium to use Access MS as a baseline to be reengineered into a common, cloud-based system that would allow all four states to use it with only 20 to 25 percent tailoring needed.


Georgia’s Intrusive Computer Intrusion Bill

According to Georgia’s Attorney General Chris Carr, the state is only one of three, along with Virginia and Alaska, without a cybersecurity law that makes it illegal for someone to remotely access your computer and search it for sensitive information, and then sell it to a third party. Presently, it is only illegal in Georgia to access a computer to delete or tamper with its contents. However, this will change if Georgia Senate Bill 315: The Computer Intrusion Bill is finally passed into law.

One could be forgiven for thinking, well, it’s about time. However, cybersecurity experts are worried that SB315 as written is so open-ended that it could potentially make a range of legitimate security research and other innocuous activities into criminal offenses. According to the Electronic Frontier Foundation (EFF), a person doing personal work on their business computer could be at risk of being charged, as would security researchers looking for vulnerabilities on corporate or government websites, or others who scrape online information from public websites. The Georgia ACLU calls the bill “draconian,” while others worry that cybersecurity firms will be negatively affected.


U.S. Coast Guard’s $67 Million EHR Fiasco

In late January, the U.S. House of Representatives’ Subcommittee on Coast Guard and Maritime Transportation held a hearing to review the United States Coast Guard’s $14 million, five-year electronic health record (EHR) system project.

The project, which began in September 2010, ballooned into a $67 million fiasco that the USCG finally ended in September 2015. But the Coast Guard didn’t officially confirm its termination until April 2016. At the time, the USCG public affairs office vaguely explained that there were concerns about whether the project could be completed in a reasonable time and at a reasonable cost. A spokesperson also opaquely added that, “Various irregularities were uncovered, which are currently being reviewed.” Mention of “irregularities” raised a lot of questions that the Coast Guard refused to answer for the last two years.


The Costly Fiasco of Minnesota’s Licensing and Registration System

How long should a state take to develop an information system to manage its vehicle and driver services’ transactions? For Minnesota, the hope is that it will take only the 11 years it is now scheduled to take.

Minnesota’s Licensing and Registration System (MNLARS) project was initiated in 2008 when the Minnesota Legislature recognized that the current system, which went live in 1982, was on its last legs. There was a slim hope that MNLARS would be operational by 2012 [pdf], but, alas, it was not. In fact, it took until April 2012 for the Minnesota Department of Public Safety’s Driver and Vehicle Services (DVS) to just reach a contractual agreement with Hewlett-Packard to begin developing MNLARS at an agreed cost of $41 million.


2017 Was a Record Year for ID Theft in the U.S.

This will not come as a big shock: an estimated 16.7 million Americans were victims of identity theft last year, according to a survey published by the research and advisory firm Javelin Strategy & Research. And the company says this tops the previous record of 15.4 million compromised identities which occurred, not surprisingly, in 2016.

Javelin notes in its report that cyber thieves have changed tactics over the past year, which has made them more efficient and effective. They are now focusing on targeting cellphones and email accounts to obtain a person’s complete details, such as their name, address, and social security number, instead of trying to access individual pieces of personal information in order to piece together a profile.

This strategy is making it easier for cyber criminals to open fraudulent accounts and to exploit them for a longer period of time before they are discovered. The company estimates that fraud losses last year amounted to some US $16.8 billion.


Cyber Intrusion Creates More Havoc for Washington State’s New Marijuana Tracking System

Licensed marijuana product growers and retailers have been very unhappy with Washington State’s new “seed-to-sale” marijuana tracking system that went live on 1 February.

Buggy software has kept many suppliers from shipping their products because of manifest errors and, equally, has kept retailers from accepting their orders. While Washington’s Liquor and Cannabis Board officials have insisted that the myriad software problems are being fixed or that workarounds exist for most of them, the Board has also disclosed that the tracking system experienced a cyber intrusion.

In a letter to licensees, the Liquor and Cannabis Board stated that on 1 February someone downloaded a copy of the traceability database, which in turn affected key operations of the tracking system in a way the Board refused to disclose. The intruder was able to access information for four days of marijuana deliveries, including delivery-vehicle information such as vehicle type, license-plate number, and VIN. The Liquor and Cannabis Board said that since the latter information was publicly available and no personal information was accessed, there was no need for anyone to be concerned. Retailers and growers, however, were not exactly comforted by the Board’s reassurances.


New German Warship Fails Sea Trials Due to Tech Woes

Reducing the size of a combat ship’s complement through advanced automation has been a goal of the world’s navies for decades [pdf]. However, as the U.S. Navy has already discovered, the German Navy is now finding out that this is easier desired than done.

In December, the German Navy refused to commission the lead ship of its new Baden-Württemberg class Type 125 (F125) frigate after it failed its latest at-sea trials. This was the first time that Germany’s navy has ever refused to commission a ship after delivery. The refusal was due in part to unresolved hardware and software integration problems affecting the Baden-Württemberg’s ATLAS Naval Combat System [pdf] and other ship systems, which have plagued the frigate’s sea trials since it entered them in April 2016.

The persistent problems with the €3 billion F125 program, which is meant to replace Germany’s Bremen F122 class frigates, have delayed the Baden-Württemberg’s planned commissioning from occurring first in 2014, then in 2016, and now to sometime late this year―assuming its problems can be resolved. In addition to the IT troubles, the ship reportedly has issues with its radar and the fireproof coating of its fuel tanks—and it’s overweight. It is critical that the ship’s problems be solved quickly since three other frigates in its class should all be delivered before year’s end.


IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City