Staples Breaches Privacy Laws – Again

CBC reports that, according to Canada’s privacy commissioner, Staples Business Depot has breached Canadian privacy law by reselling laptops and storage devices returned by customers without wiping the customer data on them.  Banking information, tax records, social insurance numbers, health card and passport numbers, as well as academic transcripts were among the information found during an audit by the office of Privacy Commissioner Jennifer Stoddart on 54 of 149 data storage devices destined to be resold by Staples.

Staples has 300 stores across the country.  Customer data was found on devices from 15 of 17 stores audited in B.C., Alberta, Manitoba, Ontario, Quebec, Nova Scotia, and Newfoundland and Labrador.  The privacy commissioner cannot impose sanctions, but recommended that Staples implement controls to ensure personal data is not disclosed.  In a statement Tuesday, Staples said it co-operated fully with the privacy commissioner’s office and responded “positively” to all recommendations.  Contrary to what is in the report, Staples claims that its practices “meet the level requested by the Privacy Commissioner.”

Stoddart said her findings were “particularly disappointing” given that her office had already investigated previous complaints against Staples involving returned storage devices in 2004 and 2008.  Both times, Staples had committed to corrective action.

What can we learn here?

  • As a consumer, if you return an item to Staples (or other vendors) that could contain personal or sensitive information, find out what their data policy is IN WRITING.
  • If you are uncertain about their ability or interest in carrying out what the policy says they do, don’t return the device.
  • Encryption would have really helped here.  Encrypt your personal data.  It also helps protect your data if your PC is stolen.
  • Weigh the cost of the storage device against the risk of the data being exposed, then decide if YOUR policy should be a drill bit and sledge hammer.
  • It is your data and your money.  Spend it wisely.
  • I love power tools!

Staples hasn’t learned a damn thing; they just keep on doing what they have been doing.  It doesn’t help that the Privacy Commissioner is a well-meaning tiger with false teeth.

One desk drawer in my office at home holds a number of hard drives.  They are there because they have either failed, alerted me to their imminent death, or because I no longer have a subsystem for connecting them to a modern PC.  Some are SCSI drives from when I used to have a rack of servers, some are old IDE drives, some are SATA or even USB or FireWire.  The latter three types might have been stuck in the drawer while still under the manufacturer’s warranty, but the manufacturer wants you to send the drive to them for testing, examination, refurbishing or replacement.  Each one will eventually get cooked by me with a degausser, get drilled out by me, and/or be physically obliterated by me with a 25 lb sledge.  As soon as I get my tools back from my kids, or locate a working degausser…
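The commissioner’s audit found data on 54 of 149 devices simply by looking at what was still on them.  As an added example (not code from the original post, from Staples, or from the commissioner’s office), here is a Python check that a store, or a consumer about to hand a device back, could run over a read-only image of it: it counts sectors that are all-zero or all-0xFF and flags any sector that still holds a run of printable text.  The sample image, its made-up tax-form fragment and the placeholder SIN are constructed for the demonstration; the 512-byte sector size and the 32-byte text threshold are assumptions.

```python
"""Residual-data audit for a storage device image before resale or return.

Added example, not part of the original post.  Assumes the device has been
imaged to a file (or opened read-only by its block device path) and reports
whether the image is genuinely blank.
"""
import io
import re

SECTOR = 512  # assumed sector size
# A run of 32+ printable bytes is a strong sign of leftover documents or text
# (assumed threshold; shorter runs occur by chance in binary data).
TEXT_RUN = re.compile(rb"[\x20-\x7e\r\n\t]{32,}")


def audit_image(stream, sector_size=SECTOR):
    """Scan a file-like object sector by sector.

    Returns a dict with the number of sectors read, how many were all-zero,
    how many were all-0xFF (typical of erased flash), and a list of
    (sector_index, sample_text) for sectors that still contain readable text.
    """
    stats = {"sectors": 0, "zero": 0, "ff": 0, "text_hits": []}
    zero = bytes(sector_size)
    ff = b"\xff" * sector_size
    index = 0
    while True:
        chunk = stream.read(sector_size)
        if not chunk:
            break
        stats["sectors"] += 1
        # Slicing handles a short final sector.
        if chunk == zero[:len(chunk)]:
            stats["zero"] += 1
        elif chunk == ff[:len(chunk)]:
            stats["ff"] += 1
        else:
            match = TEXT_RUN.search(chunk)
            if match:
                sample = match.group(0)[:40].decode("ascii", "replace")
                stats["text_hits"].append((index, sample))
        index += 1
    return stats


def audit_bytes(data, sector_size=SECTOR):
    """Convenience wrapper for in-memory data (used by the sample below)."""
    return audit_image(io.BytesIO(data), sector_size)


def audit_path(path, sector_size=SECTOR):
    """Audit an image file or a block device opened read-only."""
    with open(path, "rb") as f:
        return audit_image(f, sector_size)


def is_blank(stats):
    """A device counts as wiped only when every sector is all-zero or all-0xFF."""
    return stats["sectors"] > 0 and stats["zero"] + stats["ff"] == stats["sectors"]


# Constructed sample image: sector 0 zeroed, sector 1 erased flash (0xFF),
# sector 2 holds a made-up tax-form fragment with a placeholder SIN,
# sector 3 holds binary filler with no long printable runs.
SAMPLE_IMAGE = (
    bytes(SECTOR)
    + b"\xff" * SECTOR
    + b"T4 Statement of Remuneration Paid - Employee SIN: 000-000-000 ".ljust(SECTOR, b"\x00")
    + bytes((i * 37) % 256 for i in range(SECTOR))
)

if __name__ == "__main__":
    result = audit_bytes(SAMPLE_IMAGE)
    print(f"sectors={result['sectors']} zero={result['zero']} ff={result['ff']}")
    for sector, text in result["text_hits"]:
        print(f"sector {sector}: residual text {text!r}")
    print("WIPED" if is_blank(result) else "NOT WIPED - do not resell")
```

Run `audit_path("/path/to/device.img")` against an image taken from the device; for anything larger than a thumb drive, expect the scan to take a while, since every sector is read.  The check only catches plainly readable text, not compressed, encoded or encrypted remnants, so a clean report is a necessary condition for resale, not proof of a proper wipe.  It is also one more reason the post’s advice to encrypt personal data matters: on an encrypted volume there is nothing readable to find.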

T&T Supermarkets Breached – 58k Records Exposed

CTV is reporting that the website of Canada’s largest Asian supermarket chain has been hacked.  BC-based T&T Supermarket Inc., with three locations in Toronto, has advised the public in a press release of “unauthorized and illegal intrusions” on its website.  The breaches occurred June 6, 7, 11, and from June 14 to 17.  The personal information of up to 58,000 customers in its database may have been compromised, and the personal computers of some customers could have been exposed to malware.

The compromised data includes usernames, passwords, first and last names, ages, genders, email and street addresses, and cell and other phone/fax numbers.  Information submitted to T&T by job applicants may also have been accessed.  Those who visited the site between June 6 and 17 to place product orders for in-store pickup or to apply for jobs may have been redirected to a non-T&T website hosting fake anti-virus software, which instructed them to click a button on the screen to start a “malware scan”; clicking could have triggered a malware download.

T&T has 20 stores in British Columbia, Alberta and Ontario.  Loblaw Companies Ltd. bought the chain for $225 million in July 2009.  T&T is urging anyone who receives communications purporting to be from T&T not to provide any personal information under any circumstances.  T&T will be contacting customers that may have been affected, but will NOT request personal data, especially sensitive information like credit card numbers.  The company has temporarily suspended its website, retained security experts to conduct a complete investigation, and expects to improve its information security based on their recommendations.

If you believe that you may have been affected, run a reliable commercial anti-virus product on all of your systems, and change the password on any unrelated service or account where you reused the same username or password.  All customers are also encouraged to have a heightened awareness of email, telephone and postal scams in which personal information is requested.  Affected individuals can email or call 1-855-926-2342 for assistance.

Michaels Breach – More Law Suits, Police Seek Help

Police in Beaverton, Oregon are investigating 50 fraud reports related to the Michaels Crafts breach that reportedly compromised thousands of debit cards in 20 states.  Police are asking for the public’s help in identifying four suspects caught on camera using “white cards” at Oregon bank machines, cards created from details skimmed at Michaels stores.  Police say that the suspects belong to a larger organization that runs multiple crews across numerous areas and moves them around quickly.

The lawsuits around this breach continue to fly in, and Michaels replaced all of its US point-of-sale terminals by May 6 to contain the risk of continued compromise.  The lawsuits focus on the time taken to notify customers of the breach, inadequate protection of data, and violations of various regulatory acts.

Forty-six states currently have mandatory reporting, but only three or four have public websites where the public can see the notices that have come into the state attorney general’s office.  Texas, the state where Michaels is based, has breach notification statutes on the books.  However, the law says only that companies should notify the public “as quickly as possible”, and most other states likewise do not specify a timeframe for “reasonable notification”.  Until a national act is passed, this case and others like it could set legal precedents about what counts as a reasonable notification timeline.  I will continue to watch this issue with interest.

Credit Union Times

-=[BUSTED]=- Two Scareware Rings Taken Down

InformationWeek reports that the FBI has disrupted two scareware (fake anti-virus) crime rings as part of “Operation Trident Tribunal.”  The FBI obtained warrants to seize 22 PCs and servers located across the United States that were used to support the scammers’ operations.  It also worked with law enforcement agencies in France, Germany, Latvia, Lithuania, the Netherlands, Sweden, and the United Kingdom to seize an additional 25 PCs and servers.  It would appear that the seizure of several servers hosted by DigitalOne in data center space it leased in Reston, Va. may have impacted some unrelated sites.

The first group bagged at least $72 million over a three-year period by tricking one million people into buying the scareware for up to $129 per copy.  The second criminal operation resulted in the arrest of two people in Latvia, each charged with two counts of wire fraud, one count of conspiracy to commit wire fraud, and computer fraud.  The pair were apparently running a “malvertising” scam: they created a phony advertising agency and purchased advertising space on the Minneapolis Star Tribune website.  Newspaper staff vetted the digital advertisement before posting it to the site.

The defendants then altered the advertisement code to infect website visitors with malware that launched scareware applications on their PCs.  The scareware froze PCs until the user paid to purchase fake AV software.  Those that didn’t pay found that all information, data, and files stored on the computer became inaccessible.  As part of this scam, the two Latvians allegedly netted $2 million.

These scams may sound lucrative, but it is good to hear that arrests are being made.  Watch for an increase in arrests as the FBI and other law enforcement organizations get a handle on the scope and scale of this type of activity and trace it back to the nest.

LulzSec Hacks Arizona Law Enforcement Agency

LulzSec has announced the publication of a trove of over 700 leaked documents from an Arizona law enforcement agency on the notorious Pirate Bay file sharing site.  Arizona’s Department of Public Safety confirmed that it had been hacked.  The LulzSec press release included with the dump sounds more “hacktivistic” than usual, exposing a political agenda, opposing Arizona’s SB1070, the state’s broad and controversial anti-illegal immigration measure.

Amongst countless mundane documents covering hours worked, officers’ personal information and other material of minimal interest are a few fascinating accounts of law enforcement activities, such as an encounter with off-duty Marines patrolling the U.S.-Mexico border with assault weapons, and tirades about illegal Mexicans and drug dealers.

LulzSec, Anonymous Declare War On Us All

LulzSec and Anonymous are declaring open war on all governments, banks and big corporations, worldwide.  They are attempting to unite all hackers to fully expose corruption and “dark secrets”.

“Whether you’re sailing with us or against us, whether you hold past grudges or a burning desire to sink our lone ship, we invite you to join the rebellion.  Together we can defend ourselves so that our privacy is not overrun by profiteering gluttons.  Your hat can be white, gray or black, your skin and race are not important.  If you’re aware of the corruption, expose it now, in the name of Anti-Security.  Top priority is to steal and leak any classified government information, including email spools and documentation.

Prime targets are banks and other high-ranking establishments.  If they try to censor our progress, we will obliterate the censor with cannonfire anointed with lizard blood.”

Don’t be fooled by this diatribe.  The highlighting is mine, but the intentions are clear.  This is online terrorism, and it is totally illegal.  This sort of behavior is itself corrupt.  I’m all for making a difference, and I support bringing about positive change, but there is a time, a place, and a proper methodology to follow.  This just isn’t it for me.  I’m not posting links to this; you can Google it up easily enough if you are that interested.

So far, they have not done anything that I have seen that rings true to this “eat the rich” campaign.  They have broken the law, caused large companies reputational and financial hardship, and have exposed countless individuals to unnecessary risk by posting personal and account information publicly.  What information do those “Prime Targets” hold?  So much for Robin Hood.  Stealing from the poor to hurt the rich?

TNW has posted a handy little widget you can use to check all of the LulzSec released files for your email address and see whether your accounts have been exposed.  If your email is there, your other information may be as well.

Would You Pay Extortionists?

CmdrTaco posts on Slashdot:  “A friend works as CIO at a medium sized publicly traded company. The company was contacted by a hacking group and told to pay $100,000 to prevent their company from being hacked/attacked. They actually paid the extortion (told authorities after). The authorities said the company could be charged with supporting Terrorists. Seeing that most publicly known hacks are costing companies this size nearly a million dollars, is this supporting terrorists or supporting stockholders?”

What do you think about it?

I’m assuming that there actually was a threat, and not just an email saying “pay up, or else the network gets it.”  How credible was the threat?  Word will undoubtedly spread that they are easy marks, and they can expect repeat visits from the potential attacker and his friends looking for easy handouts.  I’m also suspicious as to the real whereabouts of the 100k.  Who collected it?  Was it an insider?