It continues to be a busy week in the realm of IT security. Late this afternoon, ComputerWorld reported that Honda Canada was notifying 280,000 of its customers that personal information including their "names, addresses, vehicle identification numbers, and in the case of a small number of customers, their Honda Financial Services account numbers," had apparently been compromised by a hacking attack. However, their Social Security numbers, driver's license information, birth dates, phone numbers and credit card numbers were not accessed.
ComputerWorld reported that Honda had discovered the breach in late February, but only began notifying its customers earlier this month. Honda's missive to its customers told them to beware phishing campaigns that might use their Honda-related information.
There was no explanation as to why Honda took so long to let its customers know about the breach. I suspect the Canadian privacy commissioner will be asking for such an explanation very soon.
Then late this evening, the Sydney Morning Herald reported that at least 8,000 customers of Commonwealth Bank of Australia (CBA) had their MasterCard and Visa credit cards immediately canceled as a result of a data breach uncovered at an as-yet-unnamed merchant. The breach caused a smaller number of customers of Westpac Bank and its St. George's Bank subsidiary to have their credit cards canceled as well.
The Morning Herald stated that the breach was discovered "through an Australian merchant acquired by another bank." No further details were given about this cryptic explanation.
Then there was news earlier this week that an employee of Bank of America leaked confidential information to a loosely organized gang of check scammers, 95 of whom have been arrested by the US Secret Service so far. The employee provided the scammers with customers' full banking records, including "names, addresses, Social Security numbers, phone numbers, bank account numbers, driver's license numbers, birth dates, email addresses, mother's maiden names, PINs and account balances," the LA Times reported Tuesday.
The Times article says that the BoA employee leaked customer information as far back as at least last September. The employee and the others were arrested in February, but apparently the bank has only recently begun to notify the affected customers of the fraud. BoA and the Secret Service are saying little about the incident, stating only that the investigation is still ongoing.
The Times says that at least $10 million was stolen in the scheme.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.