Honda Canada Data Breach

DataBreaches.net reports that Honda Canada has notified about 280,000 customers of a data breach.  Their personal data has been compromised.  The breach was discovered in March, but the company only began notifying customers earlier this month.

An undated alert posted on the company’s Web site said the customer names, addresses, vehicle identification numbers, and a small number of Honda Financial Services account numbers were accessed without authorization.  The Executive VP of Honda Canada said the reason for the delay in notification was due to the company needing time to figure out the scope of the breach.  Attackers breached a web server that allows customers in Canada to set up customized “MyHonda” and “MyAcura” web sites.  Data from these personal sites is what appears to have been illegally accessed.

Honda’s IT staff discovered the breach while looking into unusual activity on the web server hosting the MyHonda and MyAcura sites.  The system was immediately taken offline while the cause and scope of the breach were investigated.

Honda suspects that the data that was exposed is unlikely to result in identity theft because it did not include details such as Social Insurance Numbers, driver’s license information, birth dates, phone numbers or credit card numbers.  The note on the web site warned affected customers to be on the lookout for phishing campaigns referencing their Honda vehicle ownership.

Honda has “taken several steps” to ensure such an incident doesn’t happen again.  What those steps are remains unknown at this time.

Beware Email Frauds

The FBI is warning against common “News of The Moment” scams, where hot topics are abused to spread malware.  This sort of attack will often use cross-site scripting (XSS), which allows an attacker to execute code on the target website within a user’s browser using crafted values supplied through the target site’s URL or web forms, or, where a site lets users place material directly in posted content, stored in that content itself.  These scams are not likely to go away anytime soon, and are increasing in their sophistication and cleverness.

Recently, social networking site users have fallen victim to “self” infecting XSS attacks where they actually perform the attack themselves by following directions to view the latest Osama bin Laden video.  Before users can view the video, they must complete a “5 second security check.”  Instructions to follow a few keyboard shortcuts lead users to cut and paste malicious code directly into their browser’s URL bar without any indication that it is a viral scam.
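The two XSS variants above come down to the same defensive point: a site must treat every value it did not generate itself (a URL parameter, a form field, a posted comment, a link target) as text, not markup.  The following is an added example, not code from the FBI alert or from any site mentioned in this post.  It shows a page render that echoes a URL parameter unencoded next to the hardened version, the same encoder applied to stored content, and a link-target check that refuses the javascript: scheme that the “paste this into your address bar” trick relies on.  The function names, the example.invalid origin and the sample inputs are all constructed for illustration.

```javascript
// Added example (not from the original article): an XSS-prone page render
// beside a hardened one, plus a link-scheme check against javascript: URLs.
// Function names, SITE_ORIGIN and all sample inputs are constructed.

// Minimal HTML entity encoder for text placed in an element body or a
// quoted attribute value. These five characters are the ones that can
// break out of those contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: echoes the "q" query parameter straight into the page, so a
// crafted URL controls markup in the victim's browser (reflected XSS).
function renderSearchUnsafe(url) {
  const q = new URL(url).searchParams.get("q") ?? "";
  return `<h1>Results for ${q}</h1>`;
}

// Hardened: the same page, but the user-controlled value is encoded before
// it is concatenated into HTML, so it is displayed rather than parsed.
function renderSearchSafe(url) {
  const q = new URL(url).searchParams.get("q") ?? "";
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Stored content (a comment, a profile bio) goes through the same encoder
// before it is rendered for other users (stored XSS).
function renderComment(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// A user-supplied link target is accepted only if it resolves to http(s).
// javascript: and data: URLs, which run script when followed or pasted into
// the address bar, are replaced by a harmless fragment. Relative paths
// resolve against the site's own origin.
const SITE_ORIGIN = "https://example.invalid"; // constructed placeholder origin
function safeHref(candidate) {
  let parsed;
  try {
    parsed = new URL(String(candidate), SITE_ORIGIN);
  } catch {
    return "#";
  }
  return parsed.protocol === "http:" || parsed.protocol === "https:" ? parsed.href : "#";
}

// Regression check for rendered output: true if the HTML still contains a
// live <script> element or an element carrying an inline on* handler.
// Encoded output has no raw "<", so it never matches.
function containsActiveMarkup(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample input: a crafted search URL of the kind the alert describes.
const crafted = "https://example.invalid/search?q=<script>alert(1)</script>";

function demo() {
  console.log("unsafe :", renderSearchUnsafe(crafted), containsActiveMarkup(renderSearchUnsafe(crafted)));
  console.log("safe   :", renderSearchSafe(crafted), containsActiveMarkup(renderSearchSafe(crafted)));
  console.log("comment:", renderComment("Ann", "<img src=x onerror=alert(1)>"));
  console.log("href   :", safeHref("javascript:void(0)"), safeHref("/account"));
}

demo();
```

The encoder is deliberately context-specific: it is correct for element bodies and quoted attributes, which is where the examples put user data.  A value dropped into a URL, a script block or a CSS rule needs its own encoding for that context, and the scheme check on links is what stops an otherwise well-encoded href from pointing at executable script.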

The FBI is also warning of scams misrepresenting the Financial Crimes Enforcement Network of the United States Department of the Treasury.  Perpetrators will commonly use the names of various government agencies or officials to legitimize their scams.  Most recently, there have been several complaints in which victims reported receiving an e-mail or phone call claiming to be from the U.S. Department of the Treasury, stating that their lost funds, which were stolen and diverted to a foreign account registered in their name, have been recovered.  The e-mail advised them to cease all money transactions, especially overseas, and to respond to the e-mail so the lost funds could be returned.

The e-mail further stated the U.S. government is making adequate arrangements to ensure outstanding beneficiaries receive their funds.  The e-mail is signed by James H. Freis, Deputy Director of the Financial Crimes Enforcement Network, and requires victims to provide personally identifiable information that could potentially result in identity theft.

The U.S. Department of the Treasury posted a scam alert on their website on April 13, 2011, stating they do not send unsolicited requests, do not seek personal or financial information from members of the public by e-mail, and recommend that recipients do not respond to these messages. The alert further provides links for victims to report solicitations claiming to be from the U.S. Treasury.

Why / When / How To Implement DLP?

This Data Loss Prevention question was posed on the Security Basics mailing list.  I thought that I would share it here, in case others who have not subscribed to this good list can find it and do so, and so that those with similar questions can see what I and others have said about it.

-----Original Message-----

Hi,

I would like to have your opinion about when/which organizations need a DLP solution. How does the need depend on an organization's work area, country, region or culture? How to implement the solution and handle the data classification, and cooperate with data owners and business departments?

Regards

http://www.securityfocus.com/archive/105/518147/30/0/threaded

-----My Response-----
