- Email: [email protected]
Eli Lilly pays for customer privacy betrayal
news was implemented to examine the target and the hacker’s tools. This case is a reminder that not all hackers are teenagers. In this case we see professionals abusing their authority and knowledge to gain unauthorized access to systems and steal money. Guardia Di Finanza’s officers mentioned in a press conference that the attackers hailed from different backgrounds and had different motivations, some had links with activist organizations.
Privacy News
Eli Lilly pays for customer privacy betrayal Eli Lilly has recently forked out $160 000 to eight states in the US as compensation for the violation of patient privacy that came to light in January this year. The settlement also demands that Eli Lilly reinforce its policies regarding privacy protection, training and monitoring. Eli Lilly will also implement automated checks of software that accesses consumer information databases. Safeguards must be reviewed annually for effectiveness by an independent third party.
According to Attorney General Lance, “Eli Lilly is to be commended for working with the states to develop and implement a plan that will serve as a model for the many companies now collecting large volumes of individual information that employees can access and send electronically.” Eli Lilly’s actions were questioned by the FTC when the email addresses of 669 patients were revealed in an email blast to customers. Eli Lilly delivered a service called Medi-messenger, which reminded patients to take their daily dose of Prozac, this service concealed the email addresses of other members of the list. But on doomsday for Eli Lilly privacy an email was sent out to announce the termination of this service, and within the ‘To’ field in the message, all the patients email addresses were included. Attorney General Tom Reilly said “This company failed to protect the private information of hundreds of consumers despite assurances outlined by Eli Lilly in a privacy statement available on its website. This case illustrates how important it is for companies to follow through on their privacy promises.” The FTC complaint in January outlined how Lilly’s claim of privacy and
ISSN: 1361-3723/02/$22.00 © 2002 Elsevier Science Ltd. All rights reserved. This journal and the individual contributions contained in it are protected under copyright by Elsevier Science Ltd, and the following terms and conditions apply to their use: Photocopying Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use. Permissions may be sought directly from Elsevier Science Rights & Permissions Department, PO Box 800, Oxford OX5 1DX, UK; phone: (+44) 1865 843830, fax: (+44) 1865 853333, email: permissions@ elsevier.com. You may also contact Rights & Permissions directly through Elsevier’s home page (http://www.elsevier.com), selecting first ‘Customer Support’, then ‘General Information’, then ‘Permissions Query Form’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: (978) 7508400, fax: (978) 7504744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: (+44) 207 436 5931; fax: (+44) 207 436 3986. Other countries may have a local reprographic rights agency for payments. Derivative Works Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal
2
confidentiality on the website was deceptive because the company did not implement appropriate security measures to prevent the email address disclosures. The eight states that are involved in the settlement are Massachusetts, California, Connecticut, Idaho, Iowa, New York, New Jersey and Vermont. Lilly said in a statement “As we have said from the onset Lilly sincerely regrets that one of our employees made a mistake. As a result we promptly put into place additional measures to prevent it from ever happening again”. The changes implemented by Lilly include appointing a director of global privacy, regular reporting to the FTC, and additional security techniques, which “place personal information from our customers in an environment as secure as Lilly’s trade secrets”.
Fraud News
Singapore bank hacked but consumers to blame In July, a computer hacker transferred and withdrew thousands of dollars from the
Development Bank of Singapore online bank accounts. DBS claims that its security wasn’t breached but that customer PC’s were breached to obtain PIN numbers and IDs. The hacker, who held an account with the bank, penetrated 21 online bank accounts all on the same day. DBS was alerted to the alarm by a customer complaining about missing funds, after further investigations it was discovered that a massive sum of money was transferred into one account. The amounts stolen by the hacker varied from S$200 to S$4999, as DBS limits fund transactions to S$5000. A DBS spokeswoman confirmed as reported by Reuters that the suspect didn’t hack into the Development Bank of Singapore’s system but managed to penetrate other DBS customers PC’s. The bank, which is Singapore’s largest has 370 000 online banking customers. A spokeswoman quoted that the suspect transferred all the funds then visited a branch, withdrew the money and fled the country. All the victim’s have been compensated but in the future DBS comments that consumers must be responsible for the security of their individual PCs and DBS may not provide compensation.
circulation within their institutions. Permission of the publisher is required for resale or distribution outside the institution. Permission of the publisher is required for all other derivative works, including compilations and translations. Electronic Storage or Usage Permission of the publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Contact the publisher at the address indicated. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the publisher. Address permissions requests to: Elsevier Science Rights & Permissions Department, at the mail, fax and email addresses noted above. Notice No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer. 02065 Printed by Mayfield Press (Oxford) Ltd
Privacy News
Eli Lilly pays for customer privacy betrayal Eli Lilly has recently forked out $160 000 to eight states in the US as compensation for the violation of patient privacy that came to light in January this year. The settlement also demands that Eli Lilly reinforce its policies regarding privacy protection, training and monitoring. Eli Lilly will also implement automated checks of software that accesses consumer information databases. Safeguards must be reviewed annually for effectiveness by an independent third party.
According to Attorney General Lance, “Eli Lilly is to be commended for working with the states to develop and implement a plan that will serve as a model for the many companies now collecting large volumes of individual information that employees can access and send electronically.” Eli Lilly’s actions were questioned by the FTC when the email addresses of 669 patients were revealed in an email blast to customers. Eli Lilly delivered a service called Medi-messenger, which reminded patients to take their daily dose of Prozac, this service concealed the email addresses of other members of the list. But on doomsday for Eli Lilly privacy an email was sent out to announce the termination of this service, and within the ‘To’ field in the message, all the patients email addresses were included. Attorney General Tom Reilly said “This company failed to protect the private information of hundreds of consumers despite assurances outlined by Eli Lilly in a privacy statement available on its website. This case illustrates how important it is for companies to follow through on their privacy promises.” The FTC complaint in January outlined how Lilly’s claim of privacy and
ISSN: 1361-3723/02/$22.00 © 2002 Elsevier Science Ltd. All rights reserved. This journal and the individual contributions contained in it are protected under copyright by Elsevier Science Ltd, and the following terms and conditions apply to their use: Photocopying Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use. Permissions may be sought directly from Elsevier Science Rights & Permissions Department, PO Box 800, Oxford OX5 1DX, UK; phone: (+44) 1865 843830, fax: (+44) 1865 853333, email: permissions@ elsevier.com. You may also contact Rights & Permissions directly through Elsevier’s home page (http://www.elsevier.com), selecting first ‘Customer Support’, then ‘General Information’, then ‘Permissions Query Form’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: (978) 7508400, fax: (978) 7504744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: (+44) 207 436 5931; fax: (+44) 207 436 3986. Other countries may have a local reprographic rights agency for payments. Derivative Works Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal
2
confidentiality on the website was deceptive because the company did not implement appropriate security measures to prevent the email address disclosures. The eight states that are involved in the settlement are Massachusetts, California, Connecticut, Idaho, Iowa, New York, New Jersey and Vermont. Lilly said in a statement “As we have said from the onset Lilly sincerely regrets that one of our employees made a mistake. As a result we promptly put into place additional measures to prevent it from ever happening again”. The changes implemented by Lilly include appointing a director of global privacy, regular reporting to the FTC, and additional security techniques, which “place personal information from our customers in an environment as secure as Lilly’s trade secrets”.
Fraud News
Singapore bank hacked but consumers to blame In July, a computer hacker transferred and withdrew thousands of dollars from the
Development Bank of Singapore online bank accounts. DBS claims that its security wasn’t breached but that customer PC’s were breached to obtain PIN numbers and IDs. The hacker, who held an account with the bank, penetrated 21 online bank accounts all on the same day. DBS was alerted to the alarm by a customer complaining about missing funds, after further investigations it was discovered that a massive sum of money was transferred into one account. The amounts stolen by the hacker varied from S$200 to S$4999, as DBS limits fund transactions to S$5000. A DBS spokeswoman confirmed as reported by Reuters that the suspect didn’t hack into the Development Bank of Singapore’s system but managed to penetrate other DBS customers PC’s. The bank, which is Singapore’s largest has 370 000 online banking customers. A spokeswoman quoted that the suspect transferred all the funds then visited a branch, withdrew the money and fled the country. All the victim’s have been compensated but in the future DBS comments that consumers must be responsible for the security of their individual PCs and DBS may not provide compensation.
circulation within their institutions. Permission of the publisher is required for resale or distribution outside the institution. Permission of the publisher is required for all other derivative works, including compilations and translations. Electronic Storage or Usage Permission of the publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Contact the publisher at the address indicated. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the publisher. Address permissions requests to: Elsevier Science Rights & Permissions Department, at the mail, fax and email addresses noted above. Notice No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer. 02065 Printed by Mayfield Press (Oxford) Ltd