Risk Factor

Italy Posts All Taxpayer Income on the Web

In a move it said was a "simple matter of transparency and democracy," the Italian Revenue Agency on Wednesday posted without warning the details of the total revenue, income tax paid and other personal information of Italian citizens in 2005, including those of politicians, soccer players and TV personalities. The move was an attempt by Premier Romano Prodi's outgoing government to expose tax evasion. According to an Italian government report from 2007, the amount of unpaid tax in the country is equivalent to 7% of gross domestic product.

Within hours, Italy's Privacy Authority ordered the tax agency to suspend the posting, saying it presented "clear and serious problems" under the country's privacy rules. However, before the information was removed from the web, much of the information had already been captured and circulated via peer-to-peer file sharing websites.

The Italian tax payers' association is advising people to download forms from its website to help them claim 500 euros in damages each from the tax authority.

Think of the firestorm if something like that happened in the US.

DNA Non-discrimination Bill Passes


The US House approved by a vote of 414-to-1 the Genetic Information Nondiscrimination Act prohibiting discrimination by health insurers and employers based on a person's DNA. President Bush said he would sign it.

According to the New York Times, "the legislation prohibits health insurance companies from using genetic information to deny benefits or raise premiums for individual policies. (It is already illegal to exclude individuals from a group plan because of their genetic profile.) Employers who use genetic information to make decisions about hiring, firing or compensation could be fined as much as $300,000 for each violation."

The Times story also has some words of warning: "The health insurance measure would not go into effect until a year after it becomes law, and the employment measure would take effect only after 18 months. Even then, there may be reason to be cautious. The bill may be hard to enforce, some experts say, and it does not address discrimination by long-term care insurers or life insurers."

It also notes another interesting implication, however: "For health insurers, the bill may avert the need to compete in a complex game of calibrating policies to an ever-changing set of genetic risk probabilities. But as genetic tests provide ever more information at lower costs, the entire notion of insuring against unknown risk that has long defined the industry may be upended."

It will be interesting to see how electronic health records, DNA information recorded within them, and the data mining of millions of health records come into play over the next two decades with regard to the future of medical insurance.

Mortgage Data Disclosed


The Washington Post said that LendingTree, an online mortgage broker with more than 20 million customers, announced this week a privacy breach that exposed personal data such as income and job information on an undisclosed number of users to five Southern California home loan lenders. LendingTree generates leads for lenders who pay for information about prospective borrowers.

According to the Post, LendingTree "notified customers by letter last week that 'several former employees may have helped a handful of mortgage lenders gain access to LendingTree's customer information by sharing confidential passwords with the lenders.'"

"Based on our investigation, we understand that these mortgage lenders used the password to access LendingTree's customer loan request forms, normally available only to LendingTree-approved lenders, to market loans to those customers."

LendingTree's loan request forms contained data such as name, address, e-mail address, telephone number and Social Security number. The loan forms were from October 2006 through early 2008, the letter said.

LendingTree said it did not believe any identity theft or fraudulent financial activity resulted but suggested that customers who were notified obtain a free credit report.

Hannaford Tightens Credit Card Security


Supermarket chain Hannaford, which was hacked from last December until March of this year, has announced that it has tightened its credit card security. According to the Boston Globe, Hannaford "has started encrypting card numbers from the moment they are swiped at checkout counters. And it has tapped IBM to monitor security for its computer network around the clock."

Hannaford's CIO Bill Homa said that while the company had been compliant with the credit card industry's Payment Card Industry Data Security Standard (PCI), "the standards were written mainly to secure data stored on retailers' internal computers and didn't anticipate that hackers might be able to intercept credit card numbers as they were transmitted to card processors for authorization."

Homa said one problem his company faced was that it was "at the mercy" of software vendors to provide updated security improvements. Hannaford, he said, wanted to put new security measures in sooner, but was forced to wait on its vendors.

Hannaford still does not know if it was an intruder or an insider who was responsible for the breach. The investigation is continuing.

High Costs of Satellites Impeding Future Communications?


A report in the London Times says that the high cost of satellite launches is making communication companies "flinch" at investing in new satellites. New, larger satellites are required to handle the increasing volume of mobile traffic, especially in Asia and India.

The report says that the new generation of communication satellites (which cost $650 million and up) weigh up to 8 tons, and only the Ariane 5 rocket is currently commercially available to carry the satellites up into high orbit. With a virtual stranglehold on the market, Ariane is demanding $120 million per launch.

There is concern that the high launch and development costs will begin to slow down the introduction of new or upgraded communication services. Satellite makers like to have at least two launch suppliers, and until there is a competitor to Ariane, they are reluctant to move ahead.

As explained in the report by Jean-Marie Robert, the head of telecom satellites at Thales Alenia Space, "The way this industry works is that we build the satellite and the buyer then chooses the launcher they want based on price and reliability. But we need at least two launchers to have a competitive industry and to avoid expensive launches."

The high costs involved may also force space insurance rates to rise, further increasing the reluctance of communication companies to send up new satellites. Insurance costs have been rising, and the recent loss of the $150 million AMC-14 satellite, which was to deliver television services to the US, won't help.

2 Million University of Miami Patient Records Stolen

Last week, the University of Miami acknowledged that six backup tapes from its medical school, containing more than 2 million medical records, were stolen in March from a van that was transporting the data to an off-site facility, according to an article in ComputerWorld.

The tapes were stolen on 17 March, but it took until the 17th of April before the University posted an alert about the theft. In the post, the University said that it, "... determined it would be unlikely that a thief would be able to access the back-up tapes because of the complex and proprietary format in which they were written."

Furthermore, the University said, "Anyone who has been a patient of a University of Miami physician or visited a UM facility since January 1, 1999, is likely included on the tapes. The data included names, addresses, Social Security numbers, or health information. The University will be notifying by mail the 47,000 patients whose data may have included credit card or other financial information regarding bill payment."

As far as I can tell, I guess we can now ring the bell.

Indictment in UCLA Medical Record Snooping

As I wrote about a few weeks ago, a worker - since fired - was responsible for snooping through 61 electronic medical records at the UCLA Medical Center, 32 of which were those of celebrities including California first lady Maria Shriver and actor Farrah Fawcett.

News reports are coming out that the worker was indicted on one count of illegally obtaining individually identifiable health information for commercial advantage.

The ex-worker allegedly received $4,600 from an unidentified media outlet in exchange for providing the private medical information.

SSA Plans (Again) to Reduce its 36 Million Lines of COBOL

The US Social Security Administration (SSA) is planning, for the third time, to start reducing its dependence on mainframe systems and COBOL code, according to a story in Federal Computer Week.

Testifying before the US House Ways and Means Committee, SSA Commissioner Michael Astrue said that the SSA would hopefully soon start moving to "a unified information technology system to replace the current 54 separate COBOL-based systems." Those 54 systems consist of some 36 million lines of COBOL.

Assuming that all the stakeholders can agree and resources can be found, this will mark the third such attempt by SSA to try to modernize its systems in the past 25 years. The first attempt began in 1982 as a ten-year, $500 million System Modernization Plan (SMP). It was canceled in 1988 after modest improvements to SSA systems.

In 1992, SSA began another effort, called the Engineered Disability System, which "collapsed" (Astrue's characterization) in 1999 after costing $71 million.

Given that the first "baby boomer" retired last year, and she will soon be followed by 80 million more in the next 21 years, SSA had better hurry up, and get it right this time.

Stolen Pilot's Laptop Causes Security Concerns


It was reported last week that a Mesa Airlines pilot's personal laptop was apparently stolen about a week ago while he was co-piloting a United Express flight from Birmingham, Alabama to Washington Dulles. What made the theft notable was that the laptop, which was thought to have been stolen from an overhead compartment, contained the security access codes that allow pilots to access gates and aircraft.

As a result, 17 airports (Dulles, Atlanta, Phoenix, Chicago O'Hare, etc.) had to immediately change their security codes.

The Transportation Security Administration (TSA) is now looking into changing the security requirements for pilots and others who carry this type of information along with them.

DNA Non-Discrimination Bill Moves Forward


I have been blogging recently about the expansion of government DNA databases and their potential uses. In a related story, last Thursday the US Senate unanimously voted for a bill that bars insurers and employers from discriminating based on a person's genetic makeup. It is expected that the US House of Representatives will pass the bill this week, and that President Bush will sign it soon thereafter.

The new law would keep insurance companies from denying health coverage or charging higher insurance premiums based on someone's DNA. It would also prevent employers from gathering DNA information or using DNA information to make job-related decisions, for instance in hiring or firing employees.

A Wall Street Journal article on the legislation said that, "A survey by Johns Hopkins University's Genetics and Public Policy Center last year found 92% of the adults surveyed were concerned that genetic information could be used against them. Just 24% said they trusted health insurers with such information, and only 16% trusted their employers."

While not a perfect bill, it should help those who have genetically-related health problems and who worry, like the folks in my IEEE Spectrum story a few years back on electronic health records, that they or their children will be discriminated against.

BTW, a story that appeared in the Washington Post earlier last week spoke of how the state and federal criminal justice systems are using DNA databases to solve crimes even if a suspect is not in the database. All the police need to do is to get a "close enough" match to an existing DNA profile, which might lead to the identification of a relative of a person in the database.

More on how the US government is using DNA to attack crime can be found at the President's DNA Initiative website as well as in a weekend story by the LA Times on how California is aggressively using DNA as a crime-fighting technique.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City