Two missing discs = 25 million records gone



EDITORIAL/NEWS

Editorial Office: Elsevier Ltd The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom Tel:+44 (0)1865 843695, Fax: +44 (0)1865 843971 E-mail: [email protected] Web: www.computerfraudandsecurity.com

Editorial

Two missing discs have culminated in the British Prime Minister, Gordon Brown, having to issue a public apology of regret. It is thought that the personal details of half of the population of the UK could be on the two discs, which were displaced on 18 October. HM Revenue & Customs, which is the source of the blunder, can only hold its hands up and apologise. There is no defence. The public now await whether the hunt for the missing data will be fruitful.

Disc after disc has vanished from corporations and public sector organisations throughout the world during the past year. Like many items which are transported, they go missing. It was only a matter of time before a disc containing data on this scale also disappeared.

Sarah Hilley

Editor: Sarah Hilley
Editorial Advisors: Silvano Ongetta, Italy; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia
Production Editor: Alan Stubley

Subscription Information
An annual subscription to Computer Fraud & Security includes 12 printed issues and online access for up to 5 users. Prices: €969 for all European countries & Iran; US$1051 for all countries except Europe and Japan; ¥128 900 for Japan (prices valid until 31/12/2007). To subscribe, send payment to the address above. Tel: +44 (0)1865 843687 / Fax: +44 (0)1865 834971, E-mail: [email protected], or via www.computerfraudandsecurity.com. Subscriptions run for 12 months from the date payment is received. Periodicals postage is paid at Rahway, NJ 07065, USA. Postmaster: send all USA address corrections to Computer Fraud & Security, 365 Blair Road, Avenel, NJ 07001, USA.

Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333, e-mail: [email protected]. You may also contact Global Rights directly through Elsevier's home page (www.elsevier.com), selecting first 'Support & contact', then 'Copyright & permission'. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments.

Derivative Works
Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations.

Electronic Storage or Usage
Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and e-mail addresses noted above.

Notice
No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.

02065 Printed by: Mayfield Press (Oxford) Limited


Computer Fraud & Security

IDs sell for much more than credit card numbers in underground

Identity profiles fetch more than credit card information, an IBM researcher has found.

Gunter Ollmann, Director of Security Strategy at IBM, discovered that 2000 credit card records are worth the same as 40 standard identities. By analysing sites selling identities, Ollmann delved into what is popular in the underground. The credit card details for sale included card number, name, issue/expiry date, CVV2 code and magstripe data, while a standard identity offered name, address, phone number and date of birth. A complete identity covers all that comes with a standard identity but also includes mother's maiden name, bank account number and account password. Five complete identities are worth about the same as 2000 credit cards. Cracks and keygens to the latest software are also exchanged. "It's a little bit like those packs of cigarettes being traded in prison movies," wrote Ollmann on his blog.

He also discovered large batches of logins and passwords for sale, which are used to break into other websites. A batch of 7000 login names, passwords and email addresses from a porn website was available for US$250. "The value was based upon an attacker's ability to recycle the login credentials for breaking in to other (unrelated) websites," said Ollmann. "You see, despite all the warnings and guidance security experts from around the world have been extolling for over a decade, people still insist on using the same old passwords on multiple websites," he said. "It's not surprising really – just about every site you visit nowadays wants to offer you some custom service or offering – but to do so they want to know who you are, so you have to login with some 'unique' credentials – so, in the end, we're all overloaded with having to remember another bunch of passwords etc. The attackers know all this too."

Website: www.technicalinfo.net

Two missing discs = 25 million records gone

British police are on the hunt for two password protected discs containing records of 25 million people lost by the tax and customs government department.

The missing child benefit database records include names, addresses, dates of birth, child benefit numbers, National Insurance numbers and bank or building society numbers. The Metropolitan Police are on the search for the two discs, which went astray in transit from HM Revenue & Customs' headquarters in Newcastle to the National Audit Office (NAO) in London. Police searches have also focused on TNT – the courier used to transport the discs. The data went missing on 18 October, but the loss was announced more than a month later on 20 November.

British Prime Minister Gordon Brown has said he profoundly regrets the loss of the discs and apologised for the "inconvenience and worries" affecting families. Chancellor Alistair Darling admitted the debacle in an emergency statement to the House of Commons. There has been no evidence to suggest the discs have fallen into the hands of criminals, but Darling urged people to be on the lookout for unusual activity. He admitted it was an "extremely serious failure on the part of HMRC to protect sensitive personal data entrusted to it in breach of its own guidelines." He said a junior officer breached procedures when the data was sent by courier.

Mr Darling told MPs: "Two password protected discs containing a full copy of HMRC's entire data in relation to the payment of child benefit was sent to the NAO, by HMRC's internal post system operated by the courier TNT.

"The package was not recorded or registered. It appears the data has failed to reach the addressee in the NAO."

He said banks asked for as much time as possible to prepare for the deluge from the public. Anyone who is a victim of fraud as a result is protected under the Banking Code.

Paul Gray, Chairman of HMRC, the department which lost the discs, has resigned. Gray wrote in his resignation letter: "I am announcing today that I will be standing down as HMRC chairman as a result of a substantial operational failure in the department." He added: "This is not the way I would have planned to organise my departure from HMRC."

The discs likely contain information on every family in the country with a child under 16 – nearly half of the UK population. Darling said they should never have been sent in the first place. Pricewaterhouse Coopers will conduct an independent review of the incident. Opposition Conservative politicians have said the incident means there should be a rethink on the implementation of the ID Card Act.

Photo caption: British Prime Minister Gordon Brown said he profoundly regrets the incident.

Website: www.hmrc.gov.uk

December 2007

NEWS/IN BRIEF

Information Commissioner to do spot-checks in future – now waiting on audit outcome

UK Information Commissioner Richard Thomas says he will wait to hear the outcome of the Pricewaterhouse Coopers audit before taking further action. But the Prime Minister Gordon Brown has said the ICO will now have the power to do spot checks on government departments to make sure processes are in line with the Data Protection Act.

"This is an extremely serious and disturbing security breach," said Thomas. "This is not the first time that we have been made aware of breaches at the HM Revenue and Customs – we are already investigating two other breaches.

"I am pleased that HMRC reported this breach to my Office and that the Chancellor has announced an independent review by Pricewaterhouse Coopers. The Chancellor has agreed that the full report will be made available to my Office and we will then decide what further action may be appropriate. Searching questions need to be answered about systems, procedures and human error inside both HMRC and NAO."

Photo caption: Information Commissioner Richard Thomas said he will await the outcome of an audit before deciding further action on the HMRC missing disc debacle.

In Brief

Public worry about ID theft
Seventy percent of adult Internet users say fear of identity theft has changed their online habits, according to a survey. Almost two-thirds of 2000 people interviewed said they thought organisations should protect their identity more online. The survey, carried out by YouGov for CA, also found that out of all online service providers more people trust banks (60%) than other organisations.

Newcastle University scientists create graphical passwords
Scientists at Newcastle University have created graphic-based passwords for mobile hardware, with plans to expand them to software. Lecturer Jeff Yan said many people find it hard to remember a complicated password and so use easy words, which creates a risk. The new method involves users drawing an image on a grid, which helps them remember a start point. The method recalls the strokes and the number of times the pen is lifted.

AIB sent out payment slips to wrong addresses
Allied Irish Bank (AIB) inadvertently sent 15 000 payment advice slips to the wrong addresses due to a technical problem. A statement from AIB said: "A technical problem occurred in the issuing of these advice notices to some AIB customers that made international payments between the 13 and 15 November 2007. This affected 15 000 payment advices, which were sent in error to the wrong customers." The bank said no customer accounts had lost money.

Symantec to acquire Vontu
Symantec is to acquire Vontu, which specialises in data loss prevention products, for US$350 million. The deal is expected to be completed by the end of the year after regulatory approval.