Archive for May, 2011

Scary – Who's Watching YOUR ASSets?

BofA Breach: ‘A Big, Scary Story’

$10 Million Loss Highlights Risks, Sophistication of Internal Breaches

An internal breach at U.S. financial giant Bank of America shows how some corporations do not focus enough attention on mitigating internal fraud risks. According to news reports, a BofA employee with access to accountholder information allegedly leaked personally identifiable information such as names, addresses, Social Security numbers, phone numbers, bank account numbers, driver’s license numbers, birth dates, e-mail addresses, family names, PINs and account balances to a ring of criminals. With that information, the fraudsters reportedly hijacked e-mail addresses, cell phone numbers and possibly more, keeping consumers in the dark about new accounts and checks that had been ordered in their names.

Some 300 BofA customers in California and other Western states have reportedly had their accounts hit, and 95 suspects linked to the breach were arrested by the Secret Service in Feb.

BofA says it detected the fraud a year ago, but only recently began notifying affected customers of the breach.

“As we communicated to impacted customers, this situation involved a now former associate who provided customer information to people outside the bank, who then used the information to commit fraud against our customers,” says BofA spokeswoman Colleen Haggerty. “Keeping customer information secure and confidential is one of our most important responsibilities, and Bank of America sincerely apologizes for this incident, and regrets any inconvenience it may cause our customers. We work hard to prevent fraud, and our customers who experience fraud on their accounts related to this incident will be reimbursed if they report it promptly to us.”

Privacy expert and attorney Kirk Nahra calls the BofA incident “a big, scary story,” and says account-management checks should have picked up on the fraud before more than $10 million was drained from customer accounts. “Money was missing, so there should have been some trigger just identifying that there was a problem,” he says. “It’s just weird that the problem wasn’t picked up on sooner.”

Protecting PII: A Widespread Concern

Julie McNelley, an Aite analyst, says the BofA breach underscores concerns consumers should have about sharing their personal information with any company, not just a financial institution. “It’s a huge issue for all types of consumer information that is stored, and it’s being heavily targeted by all kinds of breaches,” McNelley says. “Organized crime either had an employee planted or reached out to an employee and got them in on the hack. We’re seeing this more and more.” Despite growing concerns about internal threats, McNelley says banking institutions and other organizations can implement strategies to detect employee fraud. In some cases, they can even predict high probabilities for employee fraud.

McNelley’s must-haves include:

  • Background checks. “When it comes to screening employees during the hiring process, a layered approach is necessary,” McNelley says. Background checks are the norm, and public records could provide tell-tale signs about a certain candidate’s propensity to commit fraud. Especially, if a bank employee committed fraud while working for another institution, banking networks will often include background information about these employees’ previous work histories.
  • Prosecution. Be sure to press charges against employees who commit fraud. Many banking institutions are reluctant to prosecute because of bad publicity, but doing so establishes a public paper trail for other institutions to follow.
  • Behavior Monitoring. Implement and engage in behavior tracking. “When you have a teller who is accessing five times more accounts than any other teller in your bank, that could be a red flag that something is going on,” McNelley says.
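The behavior-monitoring item above describes a peer-baseline check: an employee who touches many times more customer accounts than colleagues in the same role is a red flag. The following Python is an added example of that check and is not code from the article or from any bank; it assumes a constructed access log with one line per customer-record lookup in the format `<timestamp> employee=<id> account=<id> action=<verb>`, and the 5x ratio is McNelley's illustrative figure, not a tuned threshold.

```python
"""Peer-baseline check for employee account access (added example, not from the article)."""
import re
from collections import defaultdict
from statistics import median

# Constructed log format; a real system would read its own audit-trail schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+employee=(?P<emp>\w+)\s+account=(?P<acct>\w+)\s+action=(?P<action>\w+)$"
)


def parse_log(lines):
    """Return {employee: set(distinct accounts touched)}; malformed lines are skipped."""
    accessed = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        accessed[m["emp"]].add(m["acct"])
    return accessed


def flag_outliers(accessed, ratio=5.0, min_peers=3):
    """Flag employees whose distinct-account count is at least `ratio` times the peer median.

    The median is computed leave-one-out (excluding the employee under test) so a single
    heavy user cannot inflate the baseline and hide inside it. Returns
    {employee: (own_count, peer_median)}.
    """
    flagged = {}
    for emp, accts in accessed.items():
        peers = [len(a) for e, a in accessed.items() if e != emp]
        if len(peers) < min_peers:
            continue  # too few colleagues for a meaningful baseline
        baseline = median(peers)
        if baseline > 0 and len(accts) >= ratio * baseline:
            flagged[emp] = (len(accts), baseline)
    return flagged


def build_sample_log():
    """Constructed sample: five tellers touch 8-12 accounts each, one teller touches 60."""
    lines = []
    normal = {"t01": 8, "t02": 10, "t03": 9, "t04": 12, "t05": 10}
    for emp, n in normal.items():
        for i in range(n):
            lines.append(f"2011-02-03T09:{i:02d}:00 employee={emp} account=A{emp[1:]}{i:03d} action=view")
    for i in range(60):
        lines.append(f"2011-02-03T10:{i:02d}:00 employee=t06 account=B{i:03d} action=view")
    lines.append("garbage line that does not parse")  # exercises the skip path
    return lines


def run_demo():
    """Parse the constructed log and return the flagged employees."""
    return flag_outliers(parse_log(build_sample_log()))


if __name__ == "__main__":
    for emp, (count, baseline) in run_demo().items():
        print(f"{emp}: {count} distinct accounts vs. peer median {baseline}")
```

The comparison is per role: tellers should be baselined against tellers, not against call-center staff or back-office analysts, so in practice `accessed` would be built per job function before calling `flag_outliers`.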

BofA Cleans the Mess

Going forward, BofA says it’s working internally and with its customers to clean up the mess. “We take personal data protection very seriously,” Haggerty says. “This includes safeguards ranging from background checks during the hiring process, monitoring employee access to customer personal data, and very clear policies that prohibit the improper use of customer data. In the event of a privacy compromise or fraud, we have in place aggressive account monitoring and refund policies for unauthorized transactions after an incident occurs to protect our customers. Customers impacted by this specific incident will also receive two years of free credit report monitoring.” As for the length of time it took BofA to notify affected customers about the breach, McNelley says she sees no red flags going up. “BofA was probably trying to figure out how far-reaching the fraud was and was working with law enforcement, so they had to keep some of it contained until they knew what they were dealing with.”

Nahra, on the other hand, says he finds the delay somewhat perplexing. “I’m a little surprised, given how sophisticated some of the big institutions are at picking up on fraud and irregularities,” he says. “I don’t know how this person did it. If he downloaded a lot of information to a thumb drive, you can track some of that. On the access points, you always want to look at how you can control access to information in the first place.”

But access control, Nahra allows, is a touchy issue for banks and other entities, since it’s difficult for corporations to limit employee access, especially to customer information that enhances the relationship and allows employees to better know and serve customers.

“We have a tension between privacy and security everywhere,” Nahra says. “If I set up my bank website and make it incredibly hard to break in to, that means it makes it incredibly hard for the consumer to use. You’ve always got this tradeoff.”


“Horribly underinvested in security” – not in Sony’s DNA

Computerworld – The apparent ease with which hackers have breached Sony networks in recent days shows how much work is still needed to fully secure the company’s networks, analysts say.

Sony, along with three external security firms, has been working frantically to shore up its systems since the company in mid-April uncovered two breaches that compromised data on nearly 100 million members of its PlayStation Network and Sony Online Entertainment network.

About 10 days ago, Sony announced that it had fixed all problems with its PSN and SOE networks and restored partial services.

Since then, there have been at least three separate — and relatively minor — attacks reported against Sony systems.

The relative ease with which hackers were able to pull off the most recent intrusions is surprising given the heightened attention to security at Sony since the widely publicized PlayStation Network hack.

“The original attacks [on the PlayStation Network and Online Entertainment networks] were probably quite targeted and quite skilled,” said Chester Wisniewski, senior security advisor at security firm Sophos. “Now it seems to be that every random hacker out there has jumped on the bandwagon” to attack Sony.

Wisniewski cited an attack against Sony BMG’s site in Greece where hackers uploaded a database containing non-sensitive user information to a public site.

The attack was not sophisticated and involved a pretty simple exploit of an SQL injection flaw, analysts said. “I’m surprised they wouldn’t have cleaned up something like this by now,” Wisniewski said.

The attacks suggest that Sony may have more work to do securing its networks than it might have bargained for, said Phil Lieberman, CEO of Lieberman Software.

The company’s hard-line stance on copyright protection has earned it several enemies within the hacker community. Many of them are taking advantage of the publicity surrounding the Sony intrusions to try and further embarrass Sony, he said.

“Taking a baseball bat to a hornet’s nest is never an advisable strategy. Sony’s strategy in defending its intellectual property was heavyhanded and has triggered the ‘nuclear option’ with those that it engaged,” Lieberman said.

While Sony focused heavily on protecting IP and enforcing copyright protections, the company appears to have done little to protect its massive presence on the Internet, Lieberman said. “I think Sony’s beginning to understand that they horribly underinvested in security. It’s simply not in their DNA.”

Jason Maloni, senior vice president of the crisis and litigation team at Levick Strategic Communications, said that Sony’s ongoing security travails are sure to be taking a heavy toll on both its reputation and on consumer confidence in the company.

Maloni was part of a crisis management team that helped Heartland Payment Systems respond to a disastrous 2008 breach that exposed data on close to 100 million debit and credit cards.

Though the breach was one of the largest ever, Heartland’s strategy was “to run towards the light” rather than remain mostly quiet as Sony has, Maloni said. From the start Heartland was open about the breach, the scope of the intrusions, its causes and what it was doing to address them, he added.

Sony, in contrast, has been less open about the breach and its plan for fixing the underlying weaknesses in its networks. The company has also done a relatively poor job in setting user expectations after the breach, Maloni said.

“They should have started setting expectations very low. They should have done a better job [talking about] the perpetrators of the breach and how they were the true bad guys,” he said. “I don’t think Sony got out early enough, to spell out what it was doing and that has left a bad taste.”

Maloni believes that if the problems persist, Sony will take more of a hit to its reputation than other companies that suffered major breaches, such as TJX and Heartland. Those companies may have gotten a bit of a pass because they were among the first companies to suffer really major data compromises, he said.

But consumers since then have become less tolerant because they expect companies to learn from previous breaches, Maloni said. He expects that users will soon be asking: “what was Sony doing when all of these other companies were getting breached.”

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar’s RSS feed. His e-mail address is jvijayan@computerworld.com.


Sony Earns an F for Protecting End Users.

Sony BMG Greece hit by hacker
Database containing about 9,000 user records accessed, posted online; fourth recent attack on Sony sites

By Jaikumar Vijayan, May 23, 2011 03:41 PM ET

Computerworld – For the fourth time in about a month, hackers have broken into a Sony network.

In the latest intrusion, hackers hit the Web site of Sony BMG in Greece and pilfered a database containing the usernames, real names and email addresses of people who had registered with the site, according to security firm Sophos.

The stolen data was passed on to Hacker News, which posted a copy of it on PasteBin.com, Sophos said.

Chester Wisniewski, senior security adviser at Sophos, today said that the intrusion was made possible by a SQL injection flaw that allowed the intruders to inject malicious code into the Greek Sony BMG site.

According to Wisniewski, the attacker appears to have used an automated SQL injection tool that searched for vulnerabilities in the site.

“This looks like it was an old-school hacking,” Wisniewski said. “It surprised me that Sony missed this one, considering how easy it was to find. This was not sophisticated at all.”

The breach didn’t require strong hacking skills, he added.

It was the third breach of a Sony system in recent days.

Last Thursday, Sony disclosed that an intruder had broken into So-net, a Japanese Sony ISP subsidiary, and stolen about $1,200 worth of virtual tokens.

That same day, security firm F-Secure announced that it had discovered a phishing site being hosted on a Sony server in Thailand.

Those attacks were far smaller in scope than intrusions last month into Sony’s PlayStation Network and Entertainment Online sites that compromised data on almost 100 million account holders.

The April attacks prompted Sony to shut down both networks for several days while its internal security team worked to fix the problems with the help of consultants from three external security firms.

The company restored limited service on both networks about 10 days ago. Sony has yet to fully restore all previously available functionality.


Cyber Security Idiots May 2011

X Factor Breach

‘X Factor’ hopefuls lost personal data in hack – Simon Cowell’s singing competition suffered a database security breach

Security News Daily, By Matt Liebowitz, May 4, 2011

The auditions for the upcoming season of the Simon Cowell-hosted singing competition “The X Factor” got off to a rocky start after the show’s network, Fox, revealed that cybercriminals hacked into a database containing the personal information of 250,000 potential contestants. Online thieves may have potentially made off with the names, emails, ZIP codes, phone numbers, genders and dates of birth of the quarter-of-a-million “X Factor” wannabes, according to an email from Fox about the security breach obtained by the Daily Star.  Although the show promises to vault its winner to celebrity stardom, this data breach is not the kind of widespread public exposure these would-be singing stars were hoping for. Fox’s email tells “X Factor” hopefuls that no financial information was accessed in the hack, and warns them to be cautious of phishing scams that may arise now that their sensitive information is in untrusted hands. http://www.msnbc.msn.com/id/42908950/ns/technology_and_science-security/t/x-factor-hopefuls-lost-personal-data-hack/

Second Major Data Breach To Hit Gaming Community In Recent Weeks

The Guardian, May 13, 2011

Hackers have accessed 25,000 customers’ details from video game developer Square Enix in an invasion similar to the one Sony’s PlayStation Network suffered. Hackers have broken into the vaults of the Japanese video game developer, Square Enix, accessing the details of 25,000 customers in the second major data breach to hit the gaming world in recent weeks. The software house, which is behind some of the world’s most successful computer game franchises, including Final Fantasy, Deus Ex and the Tomb Raider series, said the intruders could have stolen customer email addresses after cracking security on two of its websites. It said no credit card details were exposed, but admitted the CVs of 350 people applying for jobs in its Canadian offices could also have been downloaded. http://www.guardian.co.uk/technology/2011/may/13/hackers-details-video-game-developer

Best Buy Customers Beware: Another Email Security Breach

The Consumerist, By MB Quirk, May 2, 2011

Remember just a few weeks ago when that email breach hit Best Buy, Kroger, TiVo, Walgreens and on and on? Well it seems the breach-y good times aren’t over yet, at least for Best Buy. The company has sent out another warning email to customers about a new leak which indicates that a third party finagled itself into a former Best Buy partner’s system, snatching up email addresses. Hopefully, that’s all they got. http://consumerist.com/2011/05/best-buy-customers-beware-another-email-security-breach.html

Huntington bank sues ex-workers

Associated Press, May 8, 2011, By Brandy Brubaker

A lawsuit filed by Huntington National Bank claims six former employees stole more than 2,000 customer records before they quit to go work for the competition. The bank filed the lawsuit in federal court against former vice president Sandra D. Kokoska, former assistant vice president Kimberly A. Barnum, and mortgage department employees, Stewart P. McCaw, Lisa A. Musgrave, Carrie J. Swaniger and Marcie A. Lipscomb. The lawsuit alleges that the former employees committed a “brazen and egregious theft of trade secrets” when they abruptly resigned April 14 and opened a new loan origination office for MVB Bank in Cranberry Square, Morgantown, on April 18. Huntington claims that the defendants spent weeks leading up to their resignations downloading and printing confidential customer records from the bank’s secure database — records they then used to solicit Huntington’s existing and prospective customers. “These customer records did not merely include customer names, addresses and telephone numbers,” the lawsuit said. “In addition, the defendants took with them what is presently known to be over 2,000 customer Social Security numbers, dates of birth, bank account numbers, and other highly confidential, personal information of Huntington’s customers, the unwitting victims of this theft.” http://www.dailymail.com/ap/ApTopStories/201105080424

Netflix Fires Call Center Worker for Stealing Data

IDG News Service, By Robert McMillan, May 04, 2011

Netflix has fired a call center worker for stealing credit card numbers from customers of the online movie service. The unnamed employee was fired after Netflix learned about the data theft on April 4, the company said in a letter to the office of the New Hampshire Attorney General that was published online this week.  The worker “accessed over approximately the past two months, without authorization, the credit card information of some Netflix customers who spoke with the individual over the telephone,” Netflix Senior Counsel Sharon Williamson wrote. The employee obtained customer names and credit card numbers, she wrote. Netflix is investigating the incident and has notified police. On Wednesday, Netflix declined to say how many customers were affected or whether any incidents of fraud had resulted from the theft. “We do everything we can to safeguard our members’ personal data and privacy, and when there’s an issue like this we deal with it swiftly and decisively,” said Steve Swasey, a Netflix spokesman.  http://www.cio.com/article/681426/Netflix_Fires_Call_Center_Worker_for_Stealing_Data

Laptop stolen from contractor’s car affects 1,700 who sought to adopt children through Catholic Social Services

Data Breaches.net, May 4, 2011

A stolen laptop containing personal and protected health information of 1,700 clients of Catholic Social Services in Anchorage has resulted in a notification to the U.S. Dept. of Health & Human Services and affected clients. According to a notice on the CSS’s web site dated March 30: on February 2nd, CSS learned of a theft that had occurred on February 1. A laptop used by a contractor of the Pregnancy Support and Adoption Services program had been stolen from the contractor’s vehicle. According to CSS’s report to HHS, the contractor was Trisha Elaine Cordova. The laptop contained personal information on individuals who had requested a home study in order to adopt a child from 2008 – 2010. Information in the studies may have included some or all of the following for each individual: name, address, phone number, email, date of birth, driver’s license, health, family history, financial status, and recommendation for readiness to adopt. CSS noted that they did not expect the thief to be apprehended as the theft took place out of state, although they did not indicate where it occurred. http://www.databreaches.net/?p=18121

LastPass CEO Explains Possible Hack

PCWorld, By JR Raphael, May 5, 2011

The CEO of password management company LastPass says it’s highly unlikely hackers gained access to his millions of users’ data–but that he doesn’t want to take any chances. Speaking exclusively with PCWorld, LastPass CEO Joe Siegrist explained how his company came to the conclusion that its servers, which provide cross-platform password storage for millions of customers, may have been accessed by an outside party. Just one day earlier, LastPass announced via its blog that it had noticed a “network traffic anomaly” and was implementing additional security as a result. Siegrist now says he may have been “too alarmist” in assuming the worst, but that–even if it ended up hurting his company’s image–he wanted to act quickly and make sure everyone was informed. Given the proximity of the event to Sony’s Playstation Network hack, after all, security was certainly high on many users’ minds. http://www.pcworld.com/article/227268/lastpass_ceo_explains_possible_hack.html


Central Oregon Community College Hackers May Have Compromised Student Information

DataBreaches.net, May 7, 2011

1110 KBND points us to a statement on the Central Oregon Community College web site:

Central Oregon Community College officials have identified some information on the COCC web site that may have been exposed as part of the recent unauthorized intrusion. COCC has taken down the web site while it works with law enforcement officials and industry security experts. It has been replaced by a single page with links to sites of importance to COCC students, faculty and staff but that are not part of the COCC web site. Email access is available via this temporary page. Comprehensive student and employee information is NOT contained on the COCC website. The college is analyzing information to see if there is any additional cause for concern of personally identifiable information being accessed or any additional databases which might have been exposed. The information identified was from students who applied to the COCC nursing program for the current year, and for COCC Foundation scholarship for the next year. Neither set of applications includes social security numbers or credit card numbers. They do include email addresses and COCC ID numbers. http://www.databreaches.net/?p=18164

Computer with private Reid Hospital information taken in home burglary

May 9, 2011, PALLADIUM-ITEM

A computer stolen from the home office of a Reid Hospital employee in early April may have contained files with personally identifiable information on approximately 20,000 Reid patients. Craig Kinyon, Reid president/CEO, said the computer was password protected and was one of numerous items stolen in the break-in, which indicates the information was not the target of the thieves.  The information included reports on some Medicaid and some Medicare patients who received services from 1999 to 2008. These reports include patient names and Social Security numbers or Medicare numbers.  http://www.pal-item.com/article/20110509/NEWS01/110509027/-No-heading-

Assurant reports breach in customer account information

Kansas City Star, May 9, 2011

Assurant Employee Benefits said Monday that 1,007 customers in the Kansas City area have been notified that their personal information inadvertently was made available to another business client administrator. The insurer said human error caused those customers’ names, addresses, dates of birth, social security numbers and types of coverage to be available to a business client other than the employer of those policy holders. Bradley Peak, Assurant vice president of products and marketing, said the information never was accessed and that the company human resource officer who incorrectly received access to the information immediately reported it. Access to the information was terminated as soon as the mistake was discovered, Peak said. Melonie Jones, Assurant’s chief privacy officer, said the company takes the security of customer information very seriously and “will continue to monitor and improve our accuracy in the customer advocacy area.” http://economy.kansascity.com/?q=node/10727

Personal Information Stolen from Reedsport Clinic

KEZI News, May 10, 2011

REEDSPORT, Ore. — A Reedsport clinic is alerting patients about a recent data breach. Police are looking for a hard drive containing patient information from Dunes Family Health Care. The organization that downloads and stores the clinic’s electronic records says it went missing on March 11. The clinic sent notices to more than 16,000 current and former patients Tuesday about the data breach. http://kezi.com/healthwatch/211967

Database of Fox Employees’ Passwords and Emails Leaked

By Adrian Chen, Gawker

Fox Broadcasting employees might want to change their passwords: A database of about 300 employees and associates’ email addresses and passwords, apparently stolen from a Fox.com database, have been leaked by a hacking group that previously stole thousands of X Factor contestants’ personal information. The group Lulz Security has taken credit for the hack. Last night, Lulz Security took over and defaced the LinkedIn accounts of 16 Fox Broadcasting employees and the Twitter accounts of two Fox affiliates, apparently to prove the leak’s validity. “Fox News 15 has decided to rape its own face. A sad day for our 25 viewers,” read one tweet. They then tweeted a list of emails and passwords, which are mainly employees of Fox Broadcasting and local affiliates of Fox and other networks. http://gawker.com/5800366/database-of-fox-employees-passwords-and-emails-leaked

Wyndham continues to identify and notify hotel guests impacted by past breaches

Data Breaches.net, May 12, 2011

Wyndham Hotels and Resorts,  which reported a hacking incident in 2008 and hacking incidents in 2009 and 2010, has recently notified the New Hampshire Attorney General’s Office of an update to its report of June 2010. That report did not and does not appear on the state’s breach report list, so I’m not sure what it said, but by letter dated April 29, 2011, Wyndham indicated that it had identified an additional 42 New Hampshire residents who were affected by prior incidents and who would first be notified, even though Wyndham does not believe it is required to make such notifications. http://www.databreaches.net/?p=18223

Laptop with financial information stolen from the home of Ohio Auditor’s Office employee

May 12, 2011, By Reginald Fields, The Plain Dealer

A state-owned laptop containing some financial audits of public offices in northwest Ohio was stolen this week during a burglary at a house in Findlay. It was the home of a regional auditor for the state Auditor’s Office. The employee, whose identity has not been released, was suspended for 15 days because a password that opens access to the financial records was attached to the computer, a violation of the office policy. The Auditor’s Office said the public offices whose information was contained on the computer are being notified, according to a news release from Auditor Dave Yost’s office. The release said there was very little personal information included in the files on the laptop. A police report was filed on Tuesday with Findlay Police. In 2007, a data backup cartridge that contained sensitive information, including some Social Security numbers, for 1.3 million individuals, businesses and other entities was stolen from a car owned by a state intern. After that incident, Ohio spent about $1.8 million for new software to better encrypt information on state computers and other electronic devices and add tracking devices to state computers so information could be deleted remotely. http://www.cleveland.com/open/index.ssf/2011/05/state_laptop_with_financial_au.html

Deputies: Man Used DMV Database In ID Theft

KPTV, May 13, 2011

PORTLAND, Ore. — Personal information belonging to more than a million Oregonians could be in the hands of criminals, deputies say. Sheriff’s detectives arrested Tim Nuss on April 28 in east Multnomah County. They say he had access to an old Oregon Department of Motor Vehicles database. Spokesman David House says the DMV database was once sold to marketing companies, but the department stopped selling the information in the late 1990s. House says the sold data include the names, addresses, birth dates, gender and ages of people who registered with the DMV, but no financial information. Police aren’t sure how Nuss was able to get a hold of the database, but Portland police say in previous cases, criminals have sold or traded the database using USB drives or CDs. Acting on a tip, deputies moved in on Nuss, who was staying at the Travelodge Motel near Troutdale. Inside the motel room, investigators found a laptop, four printers and the material used to produce fake checks and Oregon temporary driver’s licenses, investigators say. http://www.kptv.com/news/27891554/detail.html

Industry News


Sony Network Breach Shows Amazon Cloud’s Appeal for Hackers

Bloomberg, May 16, 2011, By Joseph Galante, Olga Kharif and Pavel Alpeyev

For three pennies an hour, hackers can rent Amazon.com Inc.’s servers to wage cyber attacks such as the one that crippled Sony Corp.’s PlayStation Network and led to the second-largest online data breach in U.S. history. A hacker used Amazon’s Elastic Compute Cloud, or EC2, service to attack Sony’s online entertainment systems last month, a person with knowledge of the matter said May 13. The intruder, who used a bogus name to set up an account that’s now disabled, didn’t hack into Amazon’s servers, the person said. The incident helps illustrate the dilemma facing Chief Executive Officer Jeff Bezos: Amazon’s cloud-computing service is as cheap and convenient for hackers as it is for customers ranging from Netflix Inc. to Eli Lilly & Co. Last month’s attack on Sony compromised more than 100 million customer accounts, the largest data breach in the U.S. since intruders stole credit and debit card numbers from Heartland Payment Systems in 2009. “Anyone can go get an Amazon account and use it anonymously,” said Pete Malcolm, chief executive officer of Abiquo Inc., a Redwood City, California-based company that helps customers manage data internally and through cloud computing. “If they have computers in their back bedroom they are much easier to trace than if they are on Amazon’s Web Services.” http://washpost.bloomberg.com/Story?docId=1376-LL6ADK1A1I4H01-2SQO34LJ7UG2BG65RG4703C98L&wpisrc=nl_tech

There’s No Data Sheriff on the Wild Web

New York Times, By Nick Bilton, May 7, 2011

A company suffers a catastrophic attack on its servers. Gone are names, e-mail addresses, home phone numbers, passwords, credit card numbers.  Everything ends up in the hands of hackers. What federal law covers such a breach of consumers’ privacy?  None. This lack of federal oversight has incensed privacy advocates for years. But the last several months have been an online consumer’s worst nightmare.  About two weeks ago, hackers dived into Sony’s PlayStation 3 game system, resulting in the loss of up to 77 million customers’ personal and private information and over 12 million credit and debit card numbers.  Epsilon, an e-mail marketing company, lost millions of customers’ e-mail addresses to hackers in early April; Apple, Google and Microsoft have all been quietly collecting location data about mobile customers without their knowledge. And last year, AT&T was attacked through a bug in its iPad software, resulting in the loss of 100,000 customer e-mail addresses.  Each company was blamed for failing to properly protect consumer information. But for redress, consumers must rely on states, and serious punishment or fines rarely happen.  “There needs to be new legislation and new laws need to be adopted” to protect the public, said Senator Richard Blumenthal, Democrat of Connecticut, who has been pressing Sony to answer questions about its data breach and what the company did to avoid it.  http://www.nytimes.com/2011/05/08/weekinreview/08bilton.html

White House Unveils Cyber-Security Proposals to Guard Critical Infrastructure

eWeek, By Fahmida Y. Rashid, May 13, 2011

The long-awaited cyber-security proposals from the White House address who protects critical infrastructure and call for a federal data-breach-notification law. The Obama administration has unveiled a cyber-security plan to provide protection for critical infrastructure, data-breach-notification laws and cyber-defense. The plan closely endorses the bill sponsored by Sen. Harry Reid of Nevada that is currently under consideration in Congress. The White House proposal addresses how to protect critical infrastructure, including electric grids, financial systems and transportation networks, from cyber-attackers. The Department of Homeland Security would take the lead role in working with states and businesses to respond to cyber-attacks and provide immunity to organizations that share cyber-security information, according to a fact sheet posted May 12 on the White House blog. The administration struck a balance between securing critical infrastructure and not making decisions for the companies who actually own and operate the infrastructure. Companies retained a lot of authority to draw up their own cyber-security plans and implement them. The plan summaries have to be publicized, and if a plan doesn’t seem comprehensive enough, DHS can modify it, according to the proposal. “Fundamentally, this proposal strikes a critical balance between maintaining the government’s role and providing industry with the capacity to innovatively tackle threats to national cyber-security,” said White House cyber-security coordinator Howard Schmidt. http://www.eweek.com/c/a/Security/White-House-Unveils-CyberSecurity-Proposals-to-Guard-Critical-Infrastructure-237236/
