Casad Company Inc. Suffers Data Breach

Article source: http://www.asicentral.com/news/newsletters/promogram/august-2015/casad-company-inc-suffers-data-breach/

A rare detailed look inside the IRS’s massive data breach, via a security …

Michael Kasper thought he was ahead of the game when he sat down to do his taxes this year. It was a Friday in February, more than two months before the mid-April filing deadline, and snow still covered the front lawn of his home in Poughkeepsie, in upstate New York. “I had all the papers,” he recalled. “I had the W2 and the 1099s stacked up, and I typed them all in.”

But a few hours after he tried to submit his tax return online, he got an email saying it had already been filed—a week earlier.

The story of Kasper’s tax return would eventually turn out to involve a bank account in rural Pennsylvania, a go-between on Craigslist, and a Western Union wire transfer to Nigeria. He was almost certainly one of the more than 330,000 Americans who fell victim to an audacious hack of the Internal Revenue Service (IRS), which was disclosed earlier this year. And the hackers didn’t use sophisticated malware or social engineering tactics—the hallmarks of many recent data breaches. Instead, they walked in through the front door of the IRS website, pretending to be regular people filing their taxes, and walked out with millions of dollars in fraudulent refunds.

The IRS has divulged few details about the data breach, but thanks to some amateur sleuthing by Kasper, who is a software engineer with a specialty in computer security, we’re able to fill in some of the blanks.

Protecting taxpayers from themselves

The Monday after trying to file his tax return, Kasper called the IRS’s identity theft hotline. As he would later tell a Senate committee hearing (pdf) on the breach, the operator he spoke to agreed that this looked like a case of fraud. Someone had filed a tax return under his name, presumably in order to intercept his tax rebate. And whoever it was, their plan was working: The IRS was due to send out the rebate that very same day, and it was too late to stop it.

Photo: Michael Kasper testifies at a Senate committee hearing about the IRS data breach (US Senate)

Kasper asked for more details. Perhaps the bank account number listed on the fraudulent return would lead him to the thief, or at least confirm that it was a scam.

But the operator wouldn’t tell him. To comply with a law protecting confidentiality, the IRS doesn’t divulge the details of a fraud to anyone—including the taxpayer affected by it—until it has conducted its own internal investigation. A fraudulent return could include the personal information of another innocent taxpayer, John Koskinen, the IRS commissioner, explained at the Senate hearing (video, at 1:40:40). In fact, the IRS will leave not only the person affected by the fraud in the dark, but also law enforcement agencies and any banks where fraudulent funds have been sent.

Fighting bureaucracy with bureaucracy

Kasper felt this concern for privacy was protecting the criminals who had stolen his identity. Frustrated, he went to the “Get Transcript” service on the IRS website, which allows taxpayers to retrieve the details of their past tax returns. He figured it might lead him to the crook. But when Kasper attempted to use the service, he found that another email address was already registered to his Social Security number. He called the IRS again. Once more, though the people he spoke to seemed to agree that the address was fraudulent, they wouldn’t, for privacy reasons, tell him what the email address was.

But Kasper found a way to bypass the IRS’s stringent privacy rules with a little bit of bureaucracy—and a check. For $50, he was able to request a paper copy of his 2014 tax return, sent to his home address, which the scammers had not tried to change. By mid-March he had the fraudulent document in his hands.

This form, which had been filled out by strangers and submitted under Kasper’s name, looked very much like the return he himself had filed for the 2013 tax year. The crooks somehow knew Kasper’s Social Security number, his date of birth, and his real address. They knew his marital status. They even knew his salary. It was all right there on the photocopied form.

The only major differences between the 2014 return and the one Kasper had filed a year earlier were an additional $6,000 added to his withholdings—and a bank account number he’d never seen before.

How it happened

Not until May 26 did the IRS announce a major data breach. Hackers had used the “Get Transcript” page to steal data—specifically, the contents of previously-filed tax returns—on thousands of taxpayers, and then used that information to file the new, falsified returns. At first, the IRS said more than 100,000 people’s records had been stolen. This month it revised the figure up to 334,000.

Logging in to “Get Transcript” is a two-step process that requires a lot of personal data. In the first step, a user has to provide a Social Security number, date of birth, tax filing status, and street address, according to the IRS statement. The second step is a common identity-verification method known as Knowledge-Based Authentication, or KBA, and it involves a series of multiple-choice questions that ask the user about his or her credit history. These questions can range from “On which of the following streets have you lived?” to “What is your total scheduled monthly mortgage payment?”

How had the intruders obtained all that data for 334,000 people? Names, addresses, and Social Security numbers could very well have come from previous high-profile data breaches, such as those at the health insurers Anthem and Premera Blue Cross. Indeed, Kasper was one of millions of Anthem customers whose personal data had been compromised. Personal data and identities from such breaches are also frequently sold on the “dark web.” But to break through KBA without also having credit information on hand—data that came from a bank or a credit bureau—would be difficult.

Difficult, but not impossible, Kevin Fu, a computer science professor at the University of Michigan, told Quartz.

“Just knowing a person’s address, which you can get from one of these more traditional breaches, you can discover a lot about a person,” Fu said. “For instance, you can make a pretty good guess on who owns their mortgage when [the KBA tests] present you with four banks and only one of them happens to be in the city that person lives in.”

All the same, while that approach makes sense for the thief who is looking to defraud only a handful of taxpayers and can manually answer KBA questions, it wouldn’t be practical to do it 334,000 times. Such a criminal would have to, for example, write some computer code to find all of the banks near each taxpayer’s address, read the multiple-choice options of the bank question, cross-reference the two, and hope for a hit.

A clue to the method the attackers used is that although they successfully stole 334,000 people’s tax information, they tried to steal it for another 281,000, according to the IRS, and got foiled at the final verification step. That could indicate that the hackers had credit data on only some of their victims, or that they found a pattern in the multiple-choice KBA questions that they were able to correctly predict about half the time. (For example, the correct answer to a given KBA question can frequently be “none of the above.”)
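A detection-side illustration of the KBA abuse pattern described above, added here and not taken from the article or from the IRS: the log format, the source addresses, the hashed taxpayer identifiers and the thresholds are all constructed assumptions. It aggregates per-source attempts at the KBA step and flags a source that walks many distinct identities through the quiz in a short window, which is the signature of automated guessing whether or not the guesses happen to succeed about half the time.

```python
"""Flag automated abuse of a knowledge-based-authentication (KBA) step.

Constructed example (not the IRS's logging or detection logic).  Each log
line records one attempt at the KBA step of a "Get Transcript"-style login:
an ISO timestamp, the source address, a hashed taxpayer identifier (never
the SSN itself) and whether the multiple-choice quiz was passed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical log format used by this example.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) src=(?P<src>[\d.]+) "
    r"taxpayer=(?P<tp>[0-9a-f]{8}) step=kba result=(?P<result>pass|fail)$"
)

# Constructed sample: one taxpayer who fails once then passes, one source
# that tries six different identities in under three minutes (passing half
# of them, as the breach's attackers roughly did), a household that verifies
# two identities, and a malformed line that the parser must ignore.
SAMPLE_LOG = [
    "2015-02-06T09:00:01 src=203.0.113.7 taxpayer=a1b2c3d4 step=kba result=fail",
    "2015-02-06T09:01:30 src=203.0.113.7 taxpayer=a1b2c3d4 step=kba result=pass",
    "2015-02-06T09:02:10 src=198.51.100.23 taxpayer=0f0f0f01 step=kba result=pass",
    "2015-02-06T09:02:41 src=198.51.100.23 taxpayer=0f0f0f02 step=kba result=fail",
    "2015-02-06T09:03:12 src=198.51.100.23 taxpayer=0f0f0f03 step=kba result=pass",
    "2015-02-06T09:03:44 src=198.51.100.23 taxpayer=0f0f0f04 step=kba result=fail",
    "2015-02-06T09:04:15 src=198.51.100.23 taxpayer=0f0f0f05 step=kba result=pass",
    "2015-02-06T09:04:47 src=198.51.100.23 taxpayer=0f0f0f06 step=kba result=fail",
    "2015-02-06T09:05:20 src=192.0.2.5 taxpayer=77aa77aa step=kba result=pass",
    "2015-02-06T09:06:00 src=192.0.2.5 taxpayer=77aa77bb step=kba result=pass",
    "this line is garbage and is skipped by the parser",
]


@dataclass
class SourceStats:
    """Counters for one source address at the KBA step."""
    attempts: int = 0
    passes: int = 0
    taxpayers: set[str] = field(default_factory=set)
    first: datetime | None = None
    last: datetime | None = None

    @property
    def pass_rate(self) -> float:
        return self.passes / self.attempts if self.attempts else 0.0


def parse_line(line: str) -> dict | None:
    """Return the fields of one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "taxpayer": m["tp"],
        "passed": m["result"] == "pass",
    }


def aggregate(lines) -> dict[str, SourceStats]:
    """Fold log lines into per-source statistics; malformed lines are skipped."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["src"]]
        s.attempts += 1
        s.passes += int(rec["passed"])
        s.taxpayers.add(rec["taxpayer"])
        s.first = rec["ts"] if s.first is None else min(s.first, rec["ts"])
        s.last = rec["ts"] if s.last is None else max(s.last, rec["ts"])
    return dict(stats)


def flag_sources(stats, max_identities=3, window=timedelta(minutes=10)):
    """Alert on sources that verify more than `max_identities` distinct
    taxpayers within `window`.  A person verifies one or two identities
    (self, spouse) from one address; a script enumerating stolen records
    verifies many.  Pass rate alone is a poor signal, since the attackers
    here passed about half the time, so it is reported only as context."""
    alerts = []
    for src, s in stats.items():
        if len(s.taxpayers) > max_identities and (s.last - s.first) <= window:
            alerts.append({
                "src": src,
                "identities": len(s.taxpayers),
                "attempts": s.attempts,
                "passes": s.passes,
                "pass_rate": round(s.pass_rate, 2),
                "span_seconds": int((s.last - s.first).total_seconds()),
            })
    return sorted(alerts, key=lambda a: -a["identities"])


if __name__ == "__main__":
    for alert in flag_sources(aggregate(SAMPLE_LOG)):
        print(alert)
```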

In any case, once the hackers had successfully obtained taxpayers’ personal data, they now had to use it to create new tax returns. Comparing Kasper’s real return to the fraudulent one submitted under his name, it seems clear that this process—which involves filling out PDF forms and submitting them online—would have been automated too.

Finally, they would have submitted the fake tax returns to the IRS, then waited. If a taxpayer had already filed a return when the fraudulent one was submitted, the fraudulent one would be rejected. If accepted, it would still have to pass a series of fraud-detection filters. When the IRS first announced the data breach in May, it said that 15,000 of the falsified documents got all the way through, leading to $50 million in refunds. Whether that number will rise after the IRS’s extended analysis is still under review, according to the agency.

But how did the criminals then collect the $50 million? In January of this year, the IRS started limiting how many separate tax rebates could be direct-deposited in the same bank account. To get around the limit, the hackers would have had to open thousands of bank accounts. There doesn’t seem to be a reasonable way for even a sophisticated criminal to do something like that. This part of the operation remains unclear; we still do not know how the crooks got paid.

In the case of Michael Kasper, however, we do know where the money went. Sort of.

The Nigerian connection

Back in March, Kasper looked over the fraudulent tax return that had been filed under his name. There was a bank account number on it that was not his, and next to it, a routing number. Kasper found out that the routing number belonged to a bank in Williamsport, a city of about 30,000 in central Pennsylvania.

After a few phone calls, Kasper reached Barbara Austin, the head of account security at the First National Bank of Pennsylvania. She told him that in February the IRS had deposited $8,936, with Kasper’s name and Social Security number as a reference, into an account in someone else’s name. Most of that money, Austin said, was now gone. And although Kasper had filed a fraud report with the IRS more than a month earlier, no one from the government had contacted Austin about the deposit.

Kasper then contacted the Williamsport police. Within a couple of days, a detective named Donald Mayes had checked with the bank and identified the owner of the account. Her name was Isha Sesay—a small-framed, 21-year-old resident of Williamsport.

Sesay told Mayes (according to an arrest warrant that would later be filed, and an email Mayes later sent to Kasper) that she’d been hired on Craigslist as a personal assistant. Her only duties were to open a bank account, into which funds would sporadically be deposited, and to wire some of those funds to places like Nigeria.

For her trouble, Sesay would be allowed to keep a portion of the deposits. She admitted to Mayes that the job seemed “odd,” but explained that she needed the money. Bank records obtained by the police indicated that Sesay had indeed written a check for $7,000 to cash, but she could not provide any documentation of the wire transfers she claimed to have made with that cash.

Sesay’s bank records also indicated that she used the leftover $1,936 for rent and daily living expenses. “By the end of February 2015,” Mayes wrote in the arrest warrant, “Sesay’s account would have a balance of $4.58.” The account was then closed.

A woman who answered a call from Quartz in early July at the phone number listed on Sesay’s arrest warrant made only one brief comment before hanging up. “Isha is dead,” she said.

Mayes told Quartz that Sesay is still living, as far as he knows. She waived her right to a preliminary trial, Mayes said, and was released on $8,500 bail. He added: “She’ll end up taking a plea and probably won’t go to trial.” In addition to the fraudulent tax refund, police found that Sesay had also received a deposit linked to a romance scam. She is charged with receiving stolen property.

It seems most likely that Sesay was merely a small part of a much larger operation. In his email to Kasper, Mayes noted: “You still have to contend with the fact that she may be telling the truth and that someone else has obtained your personal information.”

Dubious solutions

Michael Kasper received his actual tax refund on May 12, along with a letter confirming that this was a case of identity theft. “But I don’t know if they ever tried to prosecute anyone,” he said, “or identified whether it was from overseas or what.” And the IRS was not interested in what Kasper had found out about his case.

“I even tried to call them back and say, look, somebody’s been arrested, here’s some additional information,” he said. “And they literally would not take that information when I called. They said, ‘We do not accept tips on identity theft.’”

The IRS has yet to confirm or deny whether the fraud committed against Kasper was part of the larger scam. However, like the 334,000 victims of that scam, Kasper has received a special “Identity Protection PIN” from the IRS, which he will have to use to confirm his identity on future federal tax returns. He argues it’s not a secure solution.

“I already know that whoever got my tax transcript can also get my identity PIN the same way,” he said. “They have the same authentication on the website to get the identity PIN as they do for the ‘Get Transcript.’ So I don’t know what’s going to stop someone from filing again as me next year.” Fu, who has gone through the login process for retrieving an IP PIN, told Quartz the process is indeed similar, and possibly even slightly less secure.

The IRS did not comment on that, but did send Quartz a statement outlining the security benefits of IP PINs. For one, it said, access to an IP PIN itself “does not expose taxpayer Personally Identifiable Information.” (It doesn’t grant access to other personal data, in other words.) Also, taxpayers who use IP PINs will be sent a new one in the mail each year, “prior to each tax season—making it much harder for an identity thief to access this information.” That is, hackers would have a small window—between the end of the tax year and the moment a taxpayer files a return—to try to steal the IP PIN. The statement added: “In addition, we carefully monitor IP PIN traffic in order to respond swiftly to any potentially suspicious activity.”

The IRS commissioner, John Koskinen, suggested at June’s Senate hearing that the agency will bring back the “Get Transcript” page with stronger authentication, but did not say whether KBA will be reviewed across the board. A Government Accountability Office (GAO) report in January, before the fraud was announced, had noted the limitations (pdf) of the KBA process.

Koskinen also said that, in cases where someone like Kasper needs a copy of a fraudulent document filed under his name, the IRS has set up “a situation where we can simply redact any third-party information on a return and give the taxpayer a copy of the fraudulent return so they’ll know exactly what was in there.”

Kasper suspects that means the IRS would remove the only information that led him to Williamsport, and that helped the police there find Isha Sesay. “It would not surprise me at all if they do that,” he said.

Left behind

For the IRS, the fraud problem far exceeds the $50 million lost in this one incident. According to the GAO’s January report, the IRS prevented the loss of $24.4 billion to fraud in 2013, but still lost a total of $5.8 billion that year. And although the agency currently has 81,000 full-time employees and an operating budget of $10.9 billion, it initiated only 4,297 criminal investigations in 2014—some 1,000 fewer than the previous year. Meanwhile, the number of sophisticated computer attacks nationwide continues to rise.

At the hearing, Koskinen listed several reasons the agency is not excelling in the realm of computer security. Its systems are antiquated, he said. Some of its applications “have been running for 50 years.” Some of the software used at the IRS is no longer supported by the people who made it. And the agency simply doesn’t have the funds in place, he said, to recruit top talent from the private sector.

He added: “It’s a difficult challenge competing with organized criminals who have resources.”

As of mid-August, the IRS still had not contacted the First National Bank in Williamsport, nor the police there who solved Kasper’s case.

Article source: http://qz.com/445233/inside-the-irss-massive-data-breach/

SEC Won’t Recommend Enforcement Action Over Target’s Data Breach

The U.S. Securities and Exchange Commission won’t pursue an enforcement action against Target Corp. after hackers stole data on 40 million credit and debit cards during the 2013 holiday shopping season, according to a regulatory filing.

The agency finished its probe during Target’s second quarter this year, which ended Aug. 1, the Minneapolis-based retailer said in a regulatory filing Tuesday. The Federal Trade Commission and state attorneys general are still investigating the breach.

Hackers stole credit- and debit-card data, as well as personal information, for as many as 110 million Target customers during the 2013 holiday season. The retailer has reached a settlement with Visa Inc. over the attack and will pay as much as $67 million to banks that issue Visa cards, a person familiar with the matter said at the time. Target also agreed to pay $10 million to customers whose personal information may have been taken.

Molly Snyder, a spokeswoman for Target, wasn’t immediately able to comment on the filing.

The SEC has the authority to impose penalties on companies that don’t disclose the magnitude of data breaches or fail to properly detail their policies and procedures in protecting consumer data. Erin Stattel, an SEC spokeswoman, declined to comment on the case.

The Federal Trade Commission also has the authority to oversee corporate cybersecurity practices. In an Aug. 24 ruling, the U.S. Court of Appeals for the Third Circuit, in a case involving Wyndham Worldwide Corp., said the FTC could sue the hotel chain for failing to secure its computers from hackers.

Wyndham argued that the company was itself a victim and was being penalized unfairly.

According to the FTC, the agency has already settled 53 data-security cases against companies including SnapChat Inc., Reed Elsevier Inc. and Credit Karma Inc.

Article source: https://bol.bna.com/sec-wont-recommend-enforcement-action-over-targets-data-breach/

Pentagon unveils data breach rules for defense contractors


The Pentagon is rolling out long-awaited rules governing how the defense industry should report cybersecurity incidents.

The regulations, published in the Federal Register on Wednesday, require contractors and subcontractors to report “cyber incidents that result in an actual or potentially adverse effect” on either the contractor’s information system and data, or its ability to “provide operationally critical support.”

The new rules are intended to create a single pathway for all Defense Department contractors to report cyber incidents, “minimiz[ing] duplicative reporting processes.”

While the Office of Management and Budget (OMB) has been working to shore up cybersecurity in the federal acquisition process, these regulations have their genesis in much earlier legislative efforts.

The proposed rules fulfill a provision of the 2013 National Defense Authorization Act, which required the Pentagon to develop breach-reporting procedures within 90 days.

The new regulations also satisfy a provision of the 2015 National Defense Authorization Act requiring contractors to report cyber incidents. That act also requires the agency to develop clear policies for acquiring cloud computing services.

The separate OMB guidance, open for comment until Sept. 10, would require federal contractors across agencies to report not only known breaches but also any suspicious activity that could result in an “adverse effect” on either an IT system or its data.

The deadline for submitting public comments on the Pentagon proposal is Oct. 26. 

Article source: http://thehill.com/policy/cybersecurity/252025-pentagon-unveils-data-breach-rules-for-defense-contractors


The IRS commissioner, John Koskinen, suggested at June’s Senate hearing that the agency will bring back the “Get Transcript” page with stronger authentication, but did not say whether KBA will be reviewed across the board. A Government Accountability Office (GAO) report in January, before the fraud was announced, had noted the limitations (pdf) of the KBA process.

Koskinen also said that, in cases where someone like Kasper needs a copy of a fraudulent document filed under his name, the IRS has set up “a situation where we can simply redact any third-party information on a return and give the taxpayer a copy of the fraudulent return so they’ll know exactly what was in there.”

Kasper suspects that means the IRS would remove the only information that led him to Williamsport, and that helped the police there find Isha Sesay. “It would not surprise me at all if they do that,” he said.

Left behind

For the IRS, the fraud problem far exceeds the $50 million lost in this one incident. According to the GAO’s January report, the IRS prevented the loss of $24.4 billion to fraud in 2013, but still lost a total of $5.8 billion that year. And although the agency currently has 81,000 full-time employees and an operating budget of $10.9 billion, it initiated only 4,297 criminal investigations in 2014—some 1,000 fewer than the previous year. Meanwhile, the number of sophisticated computer attacks nationwide continues to rise.

At the hearing, Koskinen listed several reasons the agency is not excelling in the realm of computer security. Its systems are antiquated, he said. Some of its applications “have been running for 50 years.” Some of the software used at the IRS is no longer supported by the people who made it. And the agency simply doesn’t have the funds in place, he said, to recruit top talent from the private sector.

He added: “It’s a difficult challenge competing with organized criminals who have resources.”

As of mid-August, the IRS still had not contacted the First National Bank in Williamsport, nor the police there who solved Kasper’s case.

Article source: http://qz.com/445233/inside-the-irss-massive-data-breach/


Data breach management – making use of legal privilege – Out

When data breach incidents occur, organisations will understandably be keen to identify the cause of incidents, close off any security vulnerabilities and put in place measures to limit any damage from a breach. However, sensitive internal communications and documents about the breach could be exposed to regulators or those pursuing civil damages claims if the material does not qualify for legal privilege.

In an environment where cyber attacks are increasingly prevalent and where the way businesses respond to incidents is as important as the actions they take to prevent them, businesses should seek the protection that can be gained through legal privilege.

Legal privilege and internal investigations

A document which is protected by legal privilege need not be shared with the regulators or enforcement agencies or a counterparty to litigation.

Privilege falls into two broad categories: legal advice privilege and litigation privilege.

Legal advice privilege is where confidential communications between organisations and their lawyers which relate to the provision of legal advice are protected and not subject to disclosure.

In a data breach context, companies that seek advice from their lawyer know that the advice they get will not be subject to scrutiny from data protection authorities, sector regulators, criminal prosecutors, or the businesses and consumers that bring civil damages claims against them.

Litigation privilege applies to communications and documents that have been prepared for the dominant purpose of defending legal proceedings.

Privilege can, however, be lost. If a business sends documents on to third parties who are not linked to the data breach investigation, for example, privilege can be lost and the documents will then be vulnerable to disclosure.

Things businesses need to consider

When data breach incidents occur and businesses begin internal investigations they are unlikely to know precisely what conclusions they will reach. It is clear that documents created following a serious, adverse incident could have far reaching implications in any subsequent litigation or prosecution.

Businesses considering undertaking a ‘privileged’ investigation should seek legal advice as soon as possible after a breach.

In taking steps pre-incident to prepare for such a breach, businesses should have put in place an incident response plan and team. The team will comprise a network of experts from inside and outside an organisation, including legal, forensic and PR professionals, with each member bringing different skills to call upon in managing any data breach event.

Businesses should ensure that, in the aftermath of a breach, only this incident response team can access any documents created as part of an internal investigation. This might mean creating a closed worksite to prevent information being accessible to the wider workforce.

All communications concerning the data breach investigation should be marked ‘privileged and confidential’.

In addition, companies should give clear instructions to the incident response team that they must not circulate legal advice given to the business to a wide group of people. Businesses should also issue clear instructions to the team on who will be responsible for generating documents related to the investigation.

Changing data protection landscape

In the UK, the Data Protection Act requires that data controllers implement “appropriate technical and organisational measures” to ensure against the “unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.

Businesses do not currently face an obligation to report personal data breaches to the Information Commissioner’s Office (ICO) under the Act; however, ICO guidance recommends that businesses voluntarily notify it of serious breaches.

Some organisations do face data breach notification requirements in the UK. Public sector bodies, regulated financial services companies and telecoms operators are among those who are obliged to inform sector agencies about certain data breach incidents they experience.

A broader data breach notification regime is anticipated under new EU data protection laws that are currently being negotiated. The planned General Data Protection Regulation could see businesses having to disclose details of data protection breaches to data protection authorities within 72 hours of becoming aware of them.

The sanctions regime is also set to be overhauled, raising the potential for much stiffer penalties to be issued to businesses over data security failings.

The ICO can currently impose a fine of up to £500,000 for a serious breach of the Data Protection Act, but fines of as much as 2% of a company’s global annual turnover could be levied under the new regime, according to the proposals being scrutinised by EU law makers.

These are game-changing reforms that are on the agenda. Businesses should be taking steps now to ensure that their response protocols for a data protection breach are robust.

With the new regime suggesting that data controllers will have to report the breach within three days, and the maximum fine being eye-watering, the first responses in the hours and days which follow a data security breach could be fundamental not only in terms of maintaining customer and client confidence but also to the potential defence of any civil litigation or criminal prosecution.

Laura Gillespie is an expert in dispute resolution and data protection law at Pinsent Masons, the law firm behind Out-Law.com. A version of this article was first published by Privacy Laws Business.

Article source: http://www.out-law.com/en/articles/2015/august/data-breach-management--making-use-of-legal-privilege-/


Ashley Madison users sue website over data breach


LOS ANGELES — Eight people across the U.S. who registered to use Ashley Madison are suing the website for cheaters after hackers released personal and detailed information of millions of users, including financial data and sexual proclivities.

The lawsuits were filed between last month and Monday by Ashley Madison users in California, Texas, Missouri, Georgia, Tennessee and Minnesota. They all seek class-action status to represent the estimated 37 million registered users of Ashley Madison.

The lawsuits, which seek unspecified damages, claim negligence, breach of contract and privacy violations. They say Ashley Madison failed to take reasonable steps to protect the security of its users, including those who paid a special fee to have their information deleted.

Last month, hackers infiltrated Ashley Madison’s website and downloaded private information. The details — including names, emails, home addresses, financial data and message history — were posted publicly online last week.

“Needless to say, this dumping of sensitive personal and financial information is bound to have catastrophic effects on the lives of the website’s users,” according to a lawsuit filed Friday on behalf of an anonymous Los Angeles man who created an account with Ashley Madison in March 2012.

“As a result of (Ashley Madison’s) unfair, unreasonable and inadequate data security, its users’ extremely personal and embarrassing information is now accessible to the public,” according to the lawsuit, filed by the Baltimore-based firm of Hammond Law.

Lawyer Julian Hammond, who says his firm has litigated class-action lawsuits against companies like Google, Apple and Hulu, said the Ashley Madison breach is unprecedented in his experience.

The website’s users are worried not only about identity theft but about the embarrassment of the release of intimate sexual preferences. Even registering for the site without having an affair could put marriages in jeopardy.

A spokesman for Avid Life Media, the Toronto-based company that owns Ashley Madison, referred to previously released statements by the company calling the hack malicious and an “act of criminality.”

Avid Life on Monday began offering a $500,000 Canadian (US $378,000) reward for information leading to the arrest of members of a group that hacked the site.

“We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world,” the company said in a statement last week.

The U.S. litigation follows a $578 million lawsuit filed in Canada last week, also seeking class-action status. The hackers who took responsibility for Ashley Madison’s data breach have said they attacked the website in an effort to close it down as punishment for collecting a $19 fee without actually deleting users’ data.

On Monday, Canadian police said the hack has triggered extortion crimes and led to two unconfirmed reports of suicides. The credit-card information of U.S. government workers — some with sensitive jobs in the White House, Congress and the Justice Department — was revealed in the breach.

Article source: http://www.watertowndailytimes.com/curr/ashley-madison-users-sue-website-over-data-breach-20150827


Indiana Attorney General Greg Zoeller gives MIE data breach update

By Kayla Crandall, 21Alive

August 26, 2015

Updated Aug 26, 2015 at 8:08 PM EDT

FORT WAYNE, Ind. (21Alive) — The hacking of Fort Wayne-based Medical Informatics Engineering continues to be a concern, and the Indiana Attorney General has some input on what to do going forward.

Last month, MIE sent out letters detailing a major data hack of its servers that includes social security numbers, lab results, medical conditions, health plan information and more.

As the Indiana Attorney General said back in July, the data breach has affected 1.5 million Hoosiers and 3.9 million people nationwide.

On Wednesday, after Zoeller taught his first class at Ivy Tech Law School, he stopped by the station and gave some ideas on what to do and not to do in the wake of the data breach.

Zoeller says that now that the information is out there, people need to be a lot more careful about who they give their medical information to. He suggests that you guard your insurance cards and medical information like you would a social security card.

“Somebody could call you up and say, ‘I know you’re on this medication. I’m asking that you pay us this much for additional procedures,’ and they sound like they know all about your medical records,” Zoeller said.

“You’ve got to be careful.”

Attorney General Zoeller is encouraging Hoosiers to consider signing up for a credit freeze, as well as sign up for the free ID protection the company is offering.

If you’d like to sign up for a credit freeze, you can go visit the Attorney General’s website.

You can visit www.protectmyid.com/protect to sign up for MIE’s free credit monitoring with an activation code.

For more information on the data breach or questions about the free credit monitoring, you can call MIE at 866-328-1987.


© Copyright 2015, A Granite Broadcasting Station. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.


Article source: http://www.21alive.com/news/local/Indiana-Attorney-General-Greg-Zoeller-gives-MIE-data-breach-update--323027901.html


Thomson data breach exposes hundreds of travellers

Category: Legal Technologies

25 August, 2015

A data breach by holiday company Thomson has left the data of hundreds of people exposed online.

The incident has led to the home addresses, telephone numbers and flight dates of almost 500 customers being revealed, according to the BBC.

An email seen by the news provider shows that the personal details of 458 people from across the UK were shared online on August 15th, leading to an apology from the travel provider, which called the incident a “genuine error”.

However, the company said that customers will not receive any compensation due to the mistake.

“We are aware of an email that was sent in error, which shared a small number of customers’ information. The error was identified very quickly and the email was recalled, which was successful in a significant number of cases.

“We would like to apologise to our customers involved and reassure them that we take data security very seriously,” the company explained in a statement.

One customer told the BBC that she was first notified of the breach when contacted by the news provider and said Thomson failed to explain that her details were in the public domain. As a result, she is now looking to cancel her holiday.

It is not the first time a holiday agent has suffered a data breach, with the ICO fining Think W3 £150,000 for a data breach in December 2012.

Stolen data included names, mailing addresses, mobile phone numbers, home phone numbers and card details. Of the records stolen, 430,599 were determined to be current, whereas 733,397 had expired.

With holiday companies collecting a variety of personal data, it is absolutely crucial that they keep this information as secure as possible and do not leave it open to hackers, or accidentally share it online.

Any data breach can lead to a significant fine from the Information Commissioner’s Office (ICO).

Article source: http://www.krollontrack.co.uk/company/press-room/legal-technologies-news/thomson-data-breach-exposes-hundreds-of-travellers630.aspx


Target Reaches $67 Million Settlement With Visa Over Data Breach Claims


Article source: http://www.mondaq.com/unitedstates/x/422796/data+protection/Target+Reaches+67+Million+Settlement+With+Visa+Over+Data+Breach+Claims
