
Exploring the science and magic of Identity and Access Management

Oracle White Paper: Information Security – A Conceptual Architecture Approach

Identity
Author: Mark Dixon
Thursday, April 14, 2011
8:31 pm
I just learned today about a new Oracle whitepaper entitled “Information Security: A Conceptual Architecture Approach,” written by Paul Toal. The paper’s basic premise is:

Information Security is a strategic approach that should be based on a solid, holistic framework encompassing all of an organization’s Information Security requirements, not just those of individual projects. The framework should be based on a reference architecture that takes into account key security principles such as ‘Defence in Depth’ and ‘Least Privileges’. By taking this approach to Information Security, organizations can ensure that the components of their Information security architecture address all business critical Information and are driven by the requirements of the business.

The goal of the paper is stated as:

Our aim is to discuss the importance of providing an end-to-end, defence in depth enterprise-wide Information Security architecture with practical proof points, to meet both business and IT requirements for control as well as enabling the organisation to meet their desired goals.
The three major sections of the paper are:
  • Information Security Architecture Requirements
  • Information Security Conceptual Architecture
  • Validation of the Architecture

The paper addresses issues from business policy to technology enablers, effectively showing how information security can support enterprise business objectives and processes. Thank you, Paul, for providing this excellent white paper.

 


Dear Kroger: Did You Forget to Tell Me?

Identity, Information Security, Privacy
Author: Mark Dixon
Friday, April 8, 2011
4:36 pm

My last post highlighted the well-publicized Epsilon data breach that affected so many consumers like me.

But what if a company forgets to tell its customers?

That may have happened to me. Our family probably does over 80% of our grocery shopping at Fry’s Food Stores, owned by The Kroger Co. I’m quite sure they have my email address, because of their store affiliate card program. However, when Kroger was victimized by the Epsilon data breach, I did not get a notification or apology from Kroger.

Does that mean they don’t care, or by some stroke of luck, my email address wasn’t compromised? I may never know … but will wonder.


Being part of the honored 2% isn’t so gratifying

Identity, Information Security, Privacy
Author: Mark Dixon
Friday, April 8, 2011
3:49 pm


On April 4th, I received apology letters from my bank, a major retailer, a large pharmaceutical chain, and three hotel companies. All of the apologies were similar, but I’ll share just one:

Dear Ritz-Carlton Customer,

We were recently notified by Epsilon, a marketing vendor The Ritz-Carlton Hotel Company uses to manage customer emails, that an unauthorized third party gained access to a number of their accounts including The Ritz-Carlton email list. We want to assure you that the only information obtained was your name and email address. Your account and any other personally identifiable information are not at risk.

Please visit our FAQ to learn more.

In all likelihood, this will not impact you. However, we recommend that you continue to be on the alert for spam emails requesting personal or sensitive information. Please understand and be assured that The Ritz-Carlton does not send emails requesting customers to verify personal information.

It must have really hurt Ritz-Carlton, that paragon of sophistication and propriety, to fall on its virtual knees and send out thousands of such emails.

I subsequently learned that USA Today reported:

With the possible theft of millions of e-mail addresses from an advertising company, several large companies have started warning customers to expect fraudulent e-mails that try to coax account login information from them.

Perhaps the Wall Street Journal wanted to make me feel special, one of a select few:

Alliance Data (parent of Epsilon) reiterated that social-security and credit-card numbers were not stolen. It also said that only 2% of its more than 2,500 customers were affected.

I have yet to know whether there will be a harmful personal effect from this data breach. But it does illustrate that we are all vulnerable whenever we entrust any confidential information to someone else.


Welcome to Cyber Security, US Navy!

Information Security
Author: Mark Dixon
Tuesday, March 8, 2011
4:16 am

The Washington Examiner reported yesterday that:

The U.S. Naval Academy is changing its core curriculum for the first time in about 10 years by adding two cybersecurity courses …

The two new requirements come as the school is ramping up training in a field of growing importance to national security. …

"All along, our role has been to develop one or two courses that would give every academy graduate a solid foundation in cybersecurity," said Andrew Phillips, the school’s academic dean. "We spent over a year now collecting advice and feedback from the Navy and the Marine Corps and shopping our ideas around with anyone who might have an opinion and some expertise in this area."

It was interesting to read that the Navy is trailing the U.S. Military Academy and U.S. Air Force Academy, which have had cybersecurity as part of their information technology requirements for more than a decade.

Maybe Leroy Jethro Gibbs and the crew over at NCIS convinced the Navy they should step into the modern era!


Canadian government hit by foreign hackers

Information Security
Author: Mark Dixon
Tuesday, February 22, 2011
8:24 am

IT World Canada reported last week:

Malicious hackers who may be based in China managed to fool Canadian federal IT staff into providing access to government computers, leading to severe Internet restrictions at Treasury Board and the Finance Department. …

In what the CBC described as an “executive spear-phishing” attempt, hackers used bogus e-mails to pass themselves off as senior executives to IT staff at the two federal departments and request passwords, while other staff received e-mails with virus-laden attachments.

Although it appeared that the attacks came from Chinese servers, it was not certain that the cyber-attackers were Chinese. The attacks could have originated elsewhere and been routed through Chinese servers. Not surprisingly, Chinese government officials quickly denied any connection to the attacks.

Whether or not the attacks originated with a foreign government, this highlights the vulnerability of people more than technology. If indeed people divulged passwords to email requesters and opened attachments infected with viruses, it shows that people, not technology, are the weak link in cyber security.


Identity Theft and Phishing Scams: Practical Advice

Identity, Information Security
Author: Mark Dixon
Monday, February 21, 2011
3:49 pm

Some information doesn’t go out of date quickly. This afternoon I stumbled across a post by Wilma Colon-Ariza, who published a helpful article entitled “Identity Theft and Phishing Scams” last January. Its content is still timely.

She first notes:

The federal government reports that identity theft is now the fastest-growing financial crime. Every 79 seconds, a thief steals someone’s identity and opens accounts in the victim’s name.

I don’t know what the current statistics are, but guess they are worse.

After commenting on an “Identity Theft Prevention Act” which took effect in New Jersey on January 1, 2006, Wilma proceeded to provide a very practical outline of how consumers can protect themselves against Identity Theft and Phishing attempts.

Finally, if you become a victim of Identity Theft, you can refer to specific steps Wilma provided to get things back in order.

Thanks, Wilma, for an informative and practical post, even if it took me a long time to read it!


Obama Eyeing Internet ID for Americans

Identity, Privacy
Author: Mark Dixon
Monday, January 10, 2011
6:07 pm

Obama Eyeing Internet ID for Americans – Tech Talk – CBS News.

Do we really want the President, or any federal official, establishing our personal Internet IDs? Sounds like government over-reach to me.


The Golden Parachute: A Case for Data Security

Information Security
Author: Mark Dixon
Friday, November 12, 2010
10:29 pm

This little video makes a pretty good case that those responsible for database administration shouldn’t have free rein over the information those databases contain.

That, and maybe the guy needs a bit of common sense …

 


The Greek Tragedy: A “Zeus Trojan”

Identity, Information Security
Author: Mark Dixon
Thursday, September 30, 2010
8:49 pm

According to a CNNMoney.com article today,

“An international cybercrime ring was broken up Thursday by federal and state officials who say the alleged hackers used phony e-mails to obtain personal passwords and empty more than $3 million from U.S. bank accounts.

“The U.S. Attorney’s Office charged 37 individuals for allegedly using a malicious computer program called Zeus Trojan to hack into the bank accounts of U.S. businesses and municipal entities.”

Isn’t it interesting that this sophisticated cybercrime tool was named for Zeus, the Greek "Father of Gods and men," and the Trojan Horse, which allowed the Greeks to surreptitiously enter the city of Troy and end the Trojan War?

It is as if God and the Greeks have ganged up on the rest of us!

I’m sure God and the Greeks aren’t really conspiring against us, but the Zeus Trojan case underlines the tragic reality that bad guys are becoming extremely sophisticated in their attacks, and that the cost to us all is rapidly increasing.

 

Source Doc: 2010 IOUG Data Security Survey report

Information Security
Author: Mark Dixon
Thursday, September 30, 2010
8:11 pm

The 2010 Independent Oracle Users Group (IOUG) Data Security Survey Report, published by Unisphere Research, a division of Information Today, Inc., and sponsored by Oracle Corporation, uncovered the following troubling findings:

  1. Fewer than 30 percent of respondents are encrypting personally identifiable information in all their databases.
  2. Close to two out of five of respondents’ organizations ship live production data out to development teams and outside parties.
  3. Three out of four organizations do not have a means to prevent privileged database users from reading or tampering with HR, financial or other business application data in their databases.
  4. In fact, two out of three respondents admit that they could not actually detect or prove that their database administrators and other privileged database users were not abusing their privileges.
  5. However, database administrators and other IT professionals aren’t the only people that can compromise data security from the inside. An end user with common desktop tools can also gain unauthorized direct access to sensitive data in the databases.
  6. Almost 64 percent indicate that they either do not monitor database activity, do so on an ad hoc basis, or don’t know if anyone is monitoring.
  7. Overall, two-thirds of companies either expect a data security incident they will have to deal with in the next 12 months, or simply don’t know what to expect.

More details in the report …

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.