


InfoSec in the News
(Archives)


Most of these news stories could have been prevented with an effective security awareness program or they promote the use of security awareness.
Also visit our News Archives for older stories

Subscribe to the following e-mail lists for even more stories:

SANS NewsBites

Security Wire Digest

28 December 2006 - Coast Guard Personnel Required to Complete Anti-Phishing Training
All Coast Guard personnel who use its computer network will be required to take training on how to avoid being victims of phishing attacks. The requirement follows the Defense Department's mandate that all personnel take spear phishing awareness training by January 17, 2007.
http://www.fcw.com/article97216-12-28-06-Web&printLayout

27 December 2006 - Utah Valley State College Data Breach
The names, SSNs and other personally identifiable information of approximately 15,000 Utah Valley State College (UVSC) students and faculty were inadvertently made available on Yahoo for about six weeks in November and December of this year. The data belong to students and faculty who participated in the college's distance education program between January 2002 and January 2005. UVSC removed the files from its servers as soon as it became aware of the situation. The school plans to notify all individuals affected by the data security breach.
http://www.sltrib.com/news/ci_4906175

27 December 2006 - Man Fired After Seeking Help to Change College Grades
A man who worked as communications director for US representative Denny Rehberg (R-Mont.) has been fired after trying to hire people to break into the computer system of his alma mater, Texas Christian University (TCU), and change his grades. Todd Shriber was concerned that his school records were not strong enough to ensure his acceptance to graduate school. Shriber's online request was met with responses from individuals who never intended to conduct the attack and warned him repeatedly that what he was asking them to do was in violation of federal law. The pair warned Shriber that the scheme had been detected and advised him to "duck and run" though they never attempted to infiltrate TCU's computer system.
http://www.dfw.com/mld/dfw/news/16327059.htm?template=contentModules/printstory.jsp

27 December 2006 - Indiana Hospital Notifies Patients of Data Theft
Deaconess Hospital in Indiana has sent letters to 128 patients, notifying them that their personal information was contained in a laptop computer that has been missing since late November. There is no evidence the information has been misused; the data include Social Security numbers (SSNs). The hospital is mulling over security improvements, including encryption software and providing places to lock up computers.
http://www.courierpress.com/news/2006/dec/27/patients-warned-of-possible-identity-theft/

26 December 2006 - Phishing Likely Behind Theft of Michigan County Funds
The theft of funds from Oceana County (Michigan) bank accounts is believed to be the result of a county employee responding to a phishing email and providing information needed to access the county's accounts. The theft was detected on November 7, 2006; within two days, affected accounts were closed and reopened with new numbers. The FBI is investigating and the Oceana county clerk and treasurer are implementing new security procedures. County Board members have expressed their displeasure with the situation, and listed examples of careless work behavior, including personnel leaving computers on when they leave the office during the day and using work computers for personal matters. The county staff was warned twice about phishing attacks earlier in the fall.
http://www.mlive.com/news/muchronicle/index.ssf?/base/news-0/116714610359880.xml&coll=8


23 December 2006 - Stolen Computer Tapes Hold Insurance Records
Computer tapes stolen during a burglary in Massachusetts are believed to hold personally identifiable information of approximately 42,000 New York City employees. The data include names and SSNs. The burglary took place at the offices of Concentra Preferred Systems, a vendor working with Group Health Insurance, Inc. Concentra also provides auditing for Aetna, who acknowledged approximately 130,000 customers across the country were affected by the breach as well.

22 December 2006 - Data Security Breaches Top Execs' List of Concerns
According to a Harris Interactive poll conducted in September, corporate executives at large companies place data security breaches and terrorism at the top of their list of concerns. Just nine percent of the 197 senior executives surveyed said they are not concerned about data security. Executives say they are also worried about corporate malfeasance.
http://www.techweb.com/wire/196701706

22 December 2006 - Prison Sentences for Two Malware Gang Members
Two German men have received prison sentences for their roles in a scheme to manipulate PCs into dialing premium rate telephone numbers. The two are part of a larger gang that netted approximately 12 million Euros (US$15.75 million) in a 14-month period between 2002 and 2003 by infecting more than 100,000 computers with malware that dialed the numbers.
http://www.theregister.co.uk/2006/12/22/german_porn_trojan_duo_jailed/print.html

21 December 2006 - Boeing Taking Steps to Improve Data Security
Following the November 2005 theft of a laptop computer containing information on 161,000 current and former Boeing employees, the company instructed workers to remove sensitive data from laptop hard drives; managers were instructed to check that this was done. Employees were also told that if sensitive data are on a laptop, they should be encrypted. Boeing is moving away from using Social Security numbers (SSNs) as unique personal identifiers and has begun deploying software that will automatically encrypt data saved to company laptops' hard drives. Another Boeing laptop containing information of 382,000 current and former employees was stolen in early December; the employee from whom that computer was stolen was fired for violating company policy.
http://www.techweb.com/showArticle.jhtml?articleID=196701493

21 December 2006 - Nissan Customer Database Leak
Nissan has acknowledged that information from its customer database may have been leaked. The auto manufacturer plans to notify the approximately 5.38 million affected customers. Nissan plans to implement additional security measures in 2007, including physical security monitoring of secure areas and software to monitor databases and track all access to the databases.
http://www.forbes.com/markets/feeds/afx/2006/12/21/afx3276888.html

18 December 2006 - Government Agencies to Test Employees with Phishing Attacks
US military services and several agencies will use penetration testing software to "launch diagnostic phishing attacks against their own workers." The goal is to see how well government employees follow email security policies. The software can be used for general phishing attacks as well as spear phishing attacks, which are aimed at specific targets. Agencies planning on using the software include the National Institute of Standards and Technology, the Department of Homeland Security, the Department of Veterans Affairs, and the Departments of Labor, Energy and Agriculture.
http://www.fcw.com/article97147-12-18-06-Web&printLayout

15 December 2006 - Microsoft Wins Summary Judgment Against Man for Selling Spam Lists
A UK court granted a summary judgment against a man who was selling lists of email addresses for use in spamming schemes. A lawsuit filed by Microsoft alleged that Paul Martin McDonald's sale of the lists violated the Privacy and Electronic Communications Regulations. A summary of the case indicates the judge found that "the evidence plainly established that the business of [McDonald's company] was supplying email lists of persons who had not consented to receive direct marketing mail and that it had encouraged purchasers of the lists to send emails to those people."
http://www.out-law.com/page-7580

15 December 2006 - Florida Motorists Win US$50 Million Class Action Settlement
A US District Court judge has approved a class action settlement granting US$50 million to compensate Florida motorists whose personally identifiable data were sold by the state to Fidelity Federal Bank and Trust. The bank used the data to send information about loans to people who had recently purchased cars. Each affected motorist will receive US$160. The sale of the data violated federal anti-stalking laws.
http://www.insurancejournal.com/news/southeast/2006/12/15/74964.htm?print=1

14 December 2006 - Stolen Laptop Case Held Papers with Sensitive Student Data
Papers in the case of a laptop computer stolen from the car of a school nurse contain personally identifiable information of as many as 600 St. Vrain Valley (CO) School District students. The data include names, birthdates, parents' names, Medicaid numbers, the school each student attends and each student's grade level. The school district indicated the affected students would be notified by Friday, December 15. The computer itself holds no information, as it is used only to access the school computer network. School district IT staff accessed the computer remotely and changed its password.
http://www.longmontfyi.com/Local-Story.asp?id=12861

13 December 2006 - Stolen Laptop Holds Boeing Employee Data
A laptop computer stolen from a Boeing Co. employee's car holds personally identifiable information of approximately 382,000 current and former employees of the aerospace company. Boeing plans to inform current employees of the theft by email; former employees will receive letters. The data on the computer include home addresses, dates of birth and SSNs. Boeing has experienced several other data security breaches in recent years, including three other laptop thefts that compromised information belonging to more than 160,000 employees. Boeing says approximately 250 of the company's more than 75,000 laptop computers were stolen last year.
http://seattlepi.nwsource.com/local/295769_boeing13.html

13 December 2006 - Phishing Up 8,000 Percent in Two Years
The UK's Financial Services Authority (FSA) says the number of detected phishing schemes targeting bank customers has increased 8,000 percent over the last two years. Apacs security chief Philip Whitaker says the startling increase can in part be attributed to better detection. Losses from phishing schemes were estimated at GBP 4.5 million (US$8.82 million) for the year preceding October 2004; the estimated loss for 2006 is GBP 45.7 million (US$89.6 million).
http://news.bbc.co.uk/2/hi/uk_news/politics/6177555.stm
http://www.theregister.co.uk/2006/12/14/phishing_fraud_uk/print.html

13 December 2006 - Florida Teen Arrested for Altering Grades in School Computer
A Florida high school senior and class president has been arrested for allegedly breaking into his school's computer system and altering students' grades. Ryan C. Shrouder allegedly used a school board employee's password to gain access to the system. He will be suspended and recommended for expulsion. Two other students have been suspended in connection with the case.
http://www.allheadlinenews.com/articles/7005847659

12 December 2006 - UCLA Database Breach Affects 800,000
The University of California, Los Angeles (UCLA) has begun notifying more than 800,000 individuals that their personal information has been compromised. UCLA computer security technicians became aware of the problem on November 21 after they noticed an "exceptionally high volume of suspicious database queries." A subsequent investigation revealed that attackers had been trying to access the information since October 2005 and that they were targeting SSNs. The FBI has been notified. UCLA CIO and associate vice chancellor says the database has been "reconstructed and protected" but did not provide details. Those affected include current and former students, faculty and staff, some applicants, and parents of students and applicants who applied for financial aid. The data include names, SSNs, dates of birth and addresses.
http://www.msnbc.msn.com/id/16169453/?GT1=8816

7 & 6 December 2006 - Complaint Alleges Site Downloads Malware Surreptitiously
The Center for Democracy and Technology (CDT) and StopBadware.org plan to file a complaint with the Federal Trade Commission (FTC) alleging that FastMP3Search.com.ar installs malware on people's computers when they believe they are installing a plug-in to download MP3 files. The complaint alleges the download disables the Windows Firewall, changes homepage settings and otherwise affects users' computers. The downloads are made without users' consent and are difficult to remove.
http://www.scmagazine.com/uk/news/article/608841/anti-spyware-groups-target-sham-music-website/
http://news.com.com/2102-7348_3-6141621.html?tag=st.util.print

6 December 2006 - Sailor Draws 12 Years for Passing Classified Data to Foreign Governments
Naval Petty Officer 3rd Class Ariel J. Weinmann was sentenced to 12 years in prison for stealing a laptop computer and providing classified data to a foreign government. Weinmann was also dishonorably discharged; it was only through a plea agreement that he avoided life in prison without parole.
http://www.msnbc.msn.com/id/16081717/

5 December 2006 - Student Charged with Stealing Data from Staff Computers
University of Wisconsin-Whitewater student Michael W. Mraz Jr. has been charged with two felony computer crimes and burglary for allegedly breaking into four university staff members' computers as well as installing keystroke logging software and gaining access to sensitive data. Mraz allegedly downloaded the software onto the computers from his flash drive. The data were allegedly collected between March 20 and May 10 of this year and include answers to an exam, discussions of student disciplinary situations and information about a police investigation. Mraz will be arraigned on December 15; he faces up to 19 years in prison if he is convicted on all charges.
http://www.gazetteextra.com/mraz120506.asp

5 December 2006 - Stolen Computer Holds WV Army Nat'l Guard Data
All members of West Virginia's Army National Guard 130th Airlift Wing have been notified that their personal information, including names, Social Security numbers (SSNs) and birthdates, was on a laptop computer stolen from a unit member. The FBI, the Office of Special Investigations and the Naval Criminal Investigative Service have been notified of the theft.
http://wowktv.com/story.cfm?func=viewstory&storyid=17093

4 December 2006 - Some websites reporting common error code contain adware
Web surfers are accustomed to seeing a 404 error message when they try to reach a website that is not available. But now hackers are using that common occurrence to their advantage by creating fake sites containing the error message to load spyware and adware, security researchers said today.
http://haymarket.ec-messenger.com/re?l=1hmcv1Ifvlxf5Ie

30 November 2006 - Stolen Computers Hold PA Driver's License Data
State officials in Pennsylvania acknowledged that two computers stolen from a driver's license office hold personally identifiable information of 11,384 individuals. The thieves also made away with a camera, a printer and card stock and laminate to manufacture as many as 750 phony licenses. The compromised data include names, addresses, birth dates, driver's license numbers and some Social Security numbers (SSNs). The State plans to notify affected license holders by mail.
http://www.msnbc.msn.com/id/15974532/

30 November 2006 - TransUnion Credit Bureau Data Compromised
Someone managed to get login information for the TransUnion Credit Bureau and steal personally identifiable credit information, including SSNs, of more than 1,700 individuals. TransUnion is notifying the people whose information was stolen.
http://www.kxan.com/Global/story.asp?S=5752352&nav=menu73_2


30 November 2006 - McAfee: Top 2007 threats will be money-makers
Researchers at McAfee Avert Labs predicted this week that the top security threats in 2007 will revolve around increased production of malware by organized criminals for monetary gain.
http://haymarket.ec-messenger.com/re?l=1hmc68Ifvlxf5Id

29 November 2006 - Attackers target teenagers through fake IM profiles
Malicious users are targeting young instant messaging (IM) aficionados through bogus profiles that redirect them to adult websites, where adware is installed on their PCs.
http://haymarket.ec-messenger.com/re?l=1hmc68Ifvlxf5Ig

22 November 2006 - Chinese malware stealing game usernames, passwords
More than half of all Chinese malware used last month was designed to steal usernames and passwords, according to new analysis.
http://haymarket.ec-messenger.com/re?l=1hmai7Ifvlxf5Id

21 November 2006 - Study: Almost half of firms late in patching laptops
Organizations, already knee-deep in protecting the data in laptops, are patching critical vulnerabilities in the mobile devices too slowly, a new study has suggested.
http://haymarket.ec-messenger.com/re?l=1hmai7Ifvlxf5If

15 November 2006 - Human error, zero-day targeted attacks make up latest SANS Top 20
Few would dispute the powerful link between social engineering and the success of a cyberattack in today's financially-driven threat landscape. So now, for the first time, the SANS Institute has named human error to its twice-annual Top 20 Internet Security Attack Targets list, a line-up that, until now, was reserved solely for technology.
http://haymarket.ec-messenger.com/re?l=1hm90sIfvlxf5Il

14 November 2006 - Symantec opens phishing-reporting site to home users
Symantec's worldwide phishing-reporting network, previously restricted to member companies, will now be open to home consumers.
http://haymarket.ec-messenger.com/re?l=1hm876Ifvlxf5Ih

14 November 2006 - Firms to spend more on data security, privacy, says Ernst & Young study
Three of four respondents to a recent survey said data security and privacy concerns will require further investment on their part.
http://haymarket.ec-messenger.com/re?l=1hm876Ifvlxf5Ij

13 November 2006 - Security-related helpdesk calls and IT Security spending up - Cisco poll
Security-related helpdesk calls are rising sharply, with organizations planning to boost security spending next year to protect workers, new research shows.

http://haymarket.ec-messenger.com/re?l=1hm876Ifvlxf5Im

19 October 2006 - Spoofed Microsoft site promises Internet Explorer 7, but spreads trojan
Microsoft Internet Explorer users are being warned that one site claiming to host a new version of the web browser is not what it looks like.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20061023/599722/

18 October 2006 - IFPI Files 8,000 More Filesharing Lawsuits Worldwide
The International Federation of the Phonographic Industry (IFPI) has brought 8,000 lawsuits against alleged illegal filesharers around the world, including the first such lawsuits ever in Brazil, Mexico and Poland. Many of the people facing lawsuits are parents of minors who have shared files in violation of copyright law. This brings the total number of lawsuits brought by IFPI outside the US to 13,000.
http://news.bbc.co.uk/2/hi/technology/6058912.stm

12 October 2006 - Cyber Thief Steals Data on Brock University Donors
A cyber thief broke into the Brock University computer system and accessed the personal data of approximately 70,000 individuals who have made donations to the Ontario, Canada school. The intruder had the passwords necessary to access the information. The intrusion occurred on September 22 and took just four minutes, according to Brock vice-president academic Terry Boak. The data include names, addresses, email addresses and in some cases, bank account and credit card numbers. Individuals whose financial account numbers were taken received phone calls within 24 hours of the school learning of the data theft; the others were sent letters notifying them of the breach. Boak said the school did not see the need to make a public statement about the breach, as those affected had been notified.
http://www.cbc.ca/technology/story/2006/10/12/tech-brock.html

12 October 2006 - Stolen Computers Hold UTA Student Information
Two computers stolen from the home of a University of Texas at Arlington faculty member hold personally identifiable information of approximately 2,500 university students. The data include names, Social Security numbers (SSNs), grades and email addresses of students who were enrolled in computer science and engineering classes between fall 2000 and fall 2006. A school spokesman said they are notifying affected students of the data security breach. The theft occurred on September 29th; the university has created a web page with more information for students.
http://www.chron.com/disp/story.mpl/metropolitan/4253257.html

12 October 2006 - Vietnamese Authorities Fine Company for Software Piracy
A Daewoo Corp. affiliate in Vietnam has been fined for using pirated software. Daewoo Hanel Electronic Corp. was ordered to pay 15 million dong (US$934) for using pirated copies of Microsoft Windows, Microsoft Office, AutoCAD and other software. According to the chief inspector of Vietnam's Ministry of Culture and Information, the pirated software was found in a raid on the company last week. A Daewoo Hanel executive said the software was already installed on the computers when they were purchased and the company did not know it was pirated. Vietnam hopes to join the WTO and has committed to cracking down on piracy.
http://www.smh.com.au/news/Technology/Vietnam-fines-South-Korean-Daewoos-affiliate-for-software-piracy/2006/10/12/1160246221290.html

11 October 2006 - Data Stolen From 2,300 British Computers Found in The United States
The Metropolitan Police (Scotland Yard) are investigating the theft of credit card data and passwords from thousands of personal computers in the United Kingdom and potentially tens of thousands more around the world. The stolen data were discovered on computers in the United States. Police are informing the people whose data were stolen.
http://www.guardian.co.uk/uklatest/story/0,,-6139406,00.html


10 October 2006 - More Than Half of Higher Education Institutions had Security Breaches Last Yr
The Higher Education IT Security Report Card, which this year surveyed 182 higher education IT directors and managers across the US, found that 58 percent said they had experienced at least one security incident within the past year. Thirty-three percent said they had experienced data loss or theft; nine percent said student data was lost or stolen. The biggest roadblocks to effective security, according to respondents, are inadequate staff resources and funding.
http://www.fcw.com/article96412-10-10-06-Web&printLayout

8 October 2006 - UK TV Documentary Focuses on Data Theft in Indian Call Centers
Channel 4 in the UK ran a documentary showing stolen credit card information from Indian call centers. The National Association of Software and Services Companies (NASSCOM) in India disputes the claims of the TV sting.
http://www.forbes.com/business/feeds/afx/2006/10/08/afx3074649.html

7 October 2006 - Missing Laptop Holds Marine Base Resident Information
An investigation has been launched into the disappearance of a laptop computer containing personal information of 2,400 residents of the Camp Pendleton Marine Corps base. Lincoln B.P. Management Inc., the company that manages housing on the base, reported the missing computer. Lincoln B.P. is notifying individuals affected by the data security breach.
http://news.yahoo.com/s/ap/20061007/ap_on_hi_te/missing_laptop

6 October 2006 - Missing Hard Drive Holds Air Traffic Controllers' Personal Data
A hard drive missing from the Cleveland Air Route Traffic Control center in Oberlin, Ohio contains the names and Social Security numbers (SSNs) of at least 400 air traffic controllers. A Federal Aviation Administration (FAA) spokesperson says the agency believes the drive was encrypted; the FAA is investigating the incident to determine if the drive was stolen. The president of the facility's National Air Traffic Controllers Association says he believes the thief was after the information and not the hardware, which is ten years old.
http://www.cleveland.com/news/plaindealer/index.ssf?/base/lorain/1160124449197870.xml&coll=2

5 October 2006 - Woman's Identity Stolen from Marriage License on County Web Site
A Florida woman discovered that her marriage license was viewable on the Orange County (FL) comptroller's web site after someone applied for a loan in her name, according to a local television report. The license revealed the woman's name, date of birth and SSN, as well as those of her husband. The Orange County comptroller is reportedly paying a vendor US$500,000 to black out all SSNs on the web site by January 2008.
http://www.local6.com/problemsolvers/10003689/detail.html


4 October 2006 - Customer data stolen at Indian call centres
Employees in outsourced call centres are stealing sensitive customer data and selling it on the black market, an investigation has found.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20061009/596745/

3 October 2006 - SANS Top 10: Laptop encryption, targeted attacks to become more common
Laptop encryption will be made mandatory at a number of government agencies and private organizations, predicts the latest installment of the SANS Institute's Top 10.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20061004/596502/

29 September 2006 - Attacks on IM networks continue to rise
Researchers with Akonix Systems' Security Center said that they tracked more attacks on instant messenger (IM) networks in September than in any other month of the year.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20061002/596092

28 September 2006 - Six charged for phishing, spamming AOL users
Six men have been indicted on charges they spearheaded a phishing and spamming operation that targeted thousands of AOL users by installing malicious software and requesting private information, the U.S. Attorney's Office in Connecticut announced Wednesday.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20061002/595597/

27 September 2006 - Laptop with personal info of 55,000 GE workers stolen
A laptop containing the names and Social Security numbers of about 50,000 General Electric (GE) employees was stolen from a locked hotel room earlier this month.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20061002/595224/

25 September 2006 - Scammers adding layers to image spam
Email users should be on the lookout for an advanced type of image spam featuring a new technical wrinkle, researchers said today.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060927/594610/

20 September 2006 - Life is Good Customer Data Compromised
A database containing the names, addresses and credit card data of more than 9,000 Life is Good customers has been compromised. The company acknowledged the intrusion on September 19, but did not say when it had occurred. A company spokesperson said affected customers were notified "within days" after the head of the company's customer service department detected the intrusion. Soon after that, access to the web site was shut down and security measures implemented. The incident is being investigated.
http://business.bostonherald.com/businessNews/view.bg?articleid=158367

19 September 2006 - Computers Stolen from Virginia Medical Center
Two computers stolen from the Radiation Therapy Department at DePaul Medical Center in Norfolk, Virginia contain data belonging to approximately 100 patients. The computers were stolen on August 28 and September 11. The hospital is notifying those affected by the breach.
http://www.wtkr.com/global/story.asp?S=5423927&nav=ZolHbyvj

15 September 2006 - Gun Permit Holders' Personal Data Exposed
The names, addresses, Social Security numbers (SSNs) and other personal data belonging to approximately 25,000 gun permit holders in Berks County, Pennsylvania were inadvertently exposed on the Internet. The Berks County sheriff was attempting to make the list of gun permit holders more secure to comply with a court order. An outside contractor apparently failed to take steps to protect the information over the Labor Day weekend. County Solicitor Alan L. Miller says state law requires they notify all individuals whose data were exposed.
http://www.tmcnet.com/usubmit/2006/09/15/1898313.htm


18 September 2006 - Computer Stolen From Auditor's Car Holds Law Firm Pension Data
A laptop computer stolen from an employee of auditor Morris, Davis & Chan held unencrypted, personally identifiable pension plan data, including names and Social Security numbers (SSNs) of employees from San Francisco law firm Howard, Rice, Nemerovski, Canady, Falk & Rabkin. The breach affects approximately 500 individuals. All current and former partners, associates and employees of the firm have been informed of the breach, according to the firm's executive director.
http://www.law.com/jsp/legaltechnology/PubArticleFriendlyLT.jsp?id=1158311123646

18 September 2006 - DHS to Announce Appointment of Cyber Security Chief
There are reports that Greg Garcia will be appointed assistant secretary for cybersecurity and telecommunications at the Department of Homeland Security (DHS). The position has remained vacant since its creation in July 2005; the DHS has had a difficult time finding qualified candidates who were willing to take a cut in pay and perks to work in the public sector. Garcia is currently vice president for information security policy and programs at the Information Technology Association of America. Donald "Andy" Purdy Jr. is currently serving as acting cybersecurity director.
http://www.foxnews.com/story/0,2933,214364,00.html
http://news.com.com/2061-10789_3-6116920.html

15 September 2006 - Authorities Recover Stolen Computer Holding VA Data
A desktop computer stolen from Unisys Corp. in Reston, Virginia in August has been recovered; the computer held unencrypted insurance claim forms with names, addresses and personal identifiers that belong to approximately 16,000 patients treated by Veterans Affairs Department (VA) medical centers in Philadelphia and Pittsburgh. A man, Khalil Abdullah-Raheem, who worked as a temporary employee at Unisys, has been arrested in connection with the theft of the computer and charged with theft of government property. He was released after posting a US$50,000 personal recognizance bond. The FBI is analyzing the computer to see if the data were compromised; VA Secretary Jim Nicholson says the computer was not targeted because of the information it contained.
http://www.gcn.com/online/vol1_no1/42012-1.html?topic=security

15 September 2006 - US Judge Orders Spamhaus to Pay US$11.7M Damages and Post Apology
A federal judge has ordered Spamhaus to pay US$11.7 million in damages to a company that the spam-fighting organization had blacklisted. The judge also ordered Spamhaus to stop blocking email from e360 Insight LLC in any way and to post an apology on its web site indicating e360 Insight is not a spammer. Spamhaus, which is based in the UK, has posted a statement on its website that says "default judgments obtained in US county, state or federal courts have no validity in the UK and cannot be enforced under the British legal system." Spamhaus says e360 Insight violates UK antispam laws and that it has no intention of removing that company from its blacklist.
http://www.msnbc.msn.com/id/14855085/

14 September 2006 - Nikon World Magazine Subscribers' Data Exposed
The names, addresses and credit card numbers of 3,235 subscribers to Nikon World magazine were accessible on the Internet for approximately nine hours last week. The problem was discovered on September 13 when an Alabama camera store employee attempted to subscribe to the magazine online. The sensitive subscriber data were accessible from a link in an email from Nikon World. Nikon says it has contacted everyone whose data were compromised. The breach affects people who subscribed to the magazine after January 1, 2006.
http://www.ledger-enquirer.com/mld/ledgerenquirer/news/local/15519104.htm

13 September 2006 - Microsoft Wins Civil Suit Against UK Spammer
Microsoft has won a civil suit against a spammer in the UK. A court has ordered Paul Fox to pay GBP45,000 (US$85,000) for violations of the terms and conditions of use of Microsoft's Hotmail service, which prohibit anyone from delivering spam to Hotmail customers. The case was not pursued under UK spam laws because they are limited in scope.
http://www.zdnet.co.uk/print/?TYPE=story&AT=39283259-39020375t-10000025c

13 September 2006 - Earthlink Awarded US$11 Million Judgment in CAN-SPAM Case
Nevada-based bulk emailer KSTM LLC has been ordered to pay Earthlink US$11 million for sending spam to Earthlink customers. The judgment from a federal court in Atlanta also prohibits the firm from spoofing the "from" fields in email, hiding the sender's identity, selling email addresses and accessing or obtaining Earthlink accounts. The suit was brought under the CAN-SPAM Act. Earthlink has won more than US$200 million in judgments against spammers over the last 10 years.
http://www.theregister.com/2006/09/13/earthlink_nevada_spammer_judgment/print.html

12 September 2006 - Missing Tapes Hold Data on British Columbian Citizens
Thirty-one computer tapes holding information about hundreds of thousands of British Columbia citizens are missing from a government facility in Victoria. The data on the tapes could be used to commit identity fraud. A confidential government report about the incident obtained by the Vancouver Sun recommends not making the tapes' disappearance public knowledge. Canadian law does not require that individuals be notified in the event of a possible data breach. The government became aware the tapes were missing in August 2005.
http://www.canada.com/victoriatimescolonist/news/story.html?id=e1b03e3e-d043-4e64-9a09-415a24636751&k=71796

11 September 2006 - Employee Files Found in Dumpster
Following the buyout of a telemarketing company, employees found personnel files and files containing consumer data dumped in the trash. The employee files included photocopies of driver's licenses and Social Security cards. The state attorney general's office plans to examine the discarded files. Federal law requires businesses to take measures to destroy personal data beyond simply tossing it in the trash.
http://www.theindychannel.com/news/9818472/detail.html
http://www.theindychannel.com/call6/9824917/detail.html

9 September 2006 - Pair Indicted for Filing Phony Claims with Stolen Patient Information
Isis Machado and Fernando Ferrer, Jr. were indicted on charges of conspiracy to commit computer fraud, conspiracy to commit identity theft and conspiracy to wrongfully disclose individually identifiable health information as well as charges related to fraud in connection with computers and violations of the Health Insurance Portability and Accountability Act (HIPAA). Machado and Ferrer allegedly conspired to steal personal medical information belonging to more than 1,100 Cleveland Clinic Florida patients and use it to make more than US$2.8 million in phony Medicare claims. The Cleveland Clinic has sent letters to patients whose data were stolen. If convicted of charges against them, Machado and Ferrer could each face up to 10 years in prison and fines of up to US$250,000.
http://www.sun-sentinel.com/news/local/southflorida/sfl-dfraud09sep09,0,2612716,print.story?coll=sfla-home-headlines

8 September 2006 - Stolen Univ. of Minnesota Laptops Hold Student Data
On August 14 or 15, two laptop computers were stolen from a campus office at the University of Minnesota. The computers hold data belonging to 13,064 current and former students who entered the university as freshmen between 1992 and 2006. The data include names, birthdates, high schools attended, test scores and academic probation information. The computers also contain the Social Security numbers (SSNs) of 603 of the students. The school is making efforts to contact affected individuals to inform them of the data breach. The data were stored on a hard drive, which is "not standard operating procedure," according to a university spokesperson.
http://www.twincities.com/mld/pioneerpress/news/local/15475291.htm

8 September 2006 - Bank of Montreal Laptop Stolen
A laptop computer stolen from an Ottawa branch of BMO Bank of Montreal holds personally identifiable data belonging to approximately 900 bank clients. The computer was stolen in May; police were notified of the theft on May 18. A bank spokesperson said there has been no evidence that the information has been used fraudulently. BMO Bank of Montreal has advised the affected customers to monitor their accounts for suspicious activity.
http://ottsun.canoe.ca/News/OttawaAndRegion/2006/09/08/pf-1814249.html

7 September 2006 - Missing Laptop Prompts Security Review
A laptop computer stolen from the car of a Florida National Guard soldier contained no classified information, but did hold personally identifiable information belonging to as many as 100 Florida National Guard soldiers. The computer was stolen on September 5. The incident has prompted the Florida National Guard to conduct a security review.
http://www.floridatoday.com/apps/pbcs.dll/article?AID=/20060907/BREAKINGNEWS/60907027/1086

6 September 2006 - Subliminal messages sent by spammers in latest pump-and-dump scams
Spammers are using an animated graphic to display a "subliminal" message to potential stock investors. Find out more, and view the graphic for yourself.
http://s592.link.sophos.com/subliminal?pl_id=9

6 September 2006 - Top ten malware threats and hoaxes reported to Sophos in August 2006
Which malware made the top of the charts in the last month? Find out how many new threats the experts at SophosLabs analyzed last month, which threats are trying to clog up firms' email inboxes, and ensure that your computers are properly defended.
http://s592.link.sophos.com/topaug06?pl_id=9

2 September 2006 - Stolen Laptop Holds Chicago City Employees' Data
A laptop computer stolen from the home of a contractor for the city of Chicago holds personally identifiable information, including names and Social Security numbers (SSNs), belonging to thousands of city employees. Nationwide Retirement Solutions (NRS) is notifying people whose data were on the computer by mail and will offer them one year of free credit monitoring along with US$25,000 of identity theft insurance. The computer was stolen in April 2005; local police and the company were notified promptly. However, the division of NRS that investigates computer thefts did not learn of it until July 2006. Since the theft, NRS has deployed encryption on all laptop computers.
http://www.wbbm780.com/pages/77513.php?contentType=4&contentId=198758

2 September 2006 - Indian Call Center Employee Arrested on Charges of Fraud
Sulagna Ray, a call center employee in eastern India, has been arrested for allegedly using credit card information she obtained through her work to buy goods for herself over the Internet. Ray worked for Jaishree Infotech selling Dish TV to people in the US.
http://timesofindia.indiatimes.com/articleshow/1950763.cms


1 September 2006 - GAO Report Finds Security Problems at FDIC
A report from the Government Accountability Office (GAO) says that while the Federal Deposit Insurance Corp. (FDIC) has addressed 18 of 24 security weaknesses found in a previous audit, the agency still "has not consistently implemented information security controls to properly protect the confidentiality, integrity and availability of its financial and sensitive information systems." The report also identifies 20 additional security problems FDIC needs to fix.
http://www.fcw.com/article95904-09-01-06-Web

23 August 2006 - Hundreds of Workers Punished for Data Privacy Breaches
Nineteen Centrelink staff members were fired; ninety-two resigned and more than 300 face salary reductions, after allegations of privacy breaches, including looking at records of neighbors and friends, surfaced. Centrelink is an agency of Australia's Department of Human Services. A two-year investigation uncovered nearly 800 instances in which Centrelink employees gained "inappropriate access" to welfare records since 2004. Nearly 600 staff members are believed to have performed the inappropriate searches. Employees were warned twice last year that an investigation into inappropriate access to records was underway.
http://australianit.news.com.au/articles/0,7204,20224186%5E15306%5E%5Enbv%5E,00.html

23/22 August 2006 - Beaumont Hospital's Home Care Patients Data on Stolen Computer
A laptop computer stolen on August 5 from the car of a nurse in Detroit holds personally identifiable information, including names, Social Security numbers (SSNs) and medical insurance information of more than 28,000 Home Care patients of Beaumont Hospitals. There is no evidence that the data on the computer have been misused. Although the laptop was encrypted and password-protected, the nurse's access code and password were stolen along with the computer. Authorities have disabled the login connection for the computer.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002685
http://www.clickondetroit.com/news/9716061/detail.html

22 August 2006 - Stolen Laptop Holds Info on 612 Aflac Policyholders
A laptop computer containing personally identifiable information belonging to 612 American Family Life Assurance Co. (Aflac) policyholders was stolen from an agent's car. The company notified those affected by the data security breach in a letter dated August 11, 2006. The stolen laptop is equipped with tracking technology. Aflac has established a call line for affected customers with questions about the theft. Local law enforcement is investigating.
http://www.charleston.net/assets/webPages/departmental/news/default_pf.aspx?NEWSID=103737

22 August 2006 - US Army Plans to Encrypt Data on Notebook Computers
The US Army is following the lead of the Veterans Affairs department (VA) by piloting a program to encrypt data held on notebook computers. Army CIO Lt. General Steven Boutelle said a forthcoming policy would require Army personnel to provide an accounting of mobile devices, including notebook computers. Each device will be labeled, identifying it as mobile or non-mobile. Personnel will also be instructed not to remove mobile devices from secure areas unless the data on the devices are encrypted.
http://www.gcn.com/online/vol1_no1/41759-1.html?topic=security

21 August 2006 - SEC Suing Couple for Alleged Stock "Pump-and-Dump" Scheme
The US Securities and Exchange Commission (SEC) is suing a Connecticut husband and wife for using spam to artificially inflate the price of stock they had purchased; they then allegedly sold the stock when its value temporarily shot up. Jeffrey Stone and Janette Diller Stone allegedly made US$1 million with their scheme, typically called a "pump-and-dump" scheme.
http://www.theregister.co.uk/2006/08/21/sec_spam_scam_suit/print.html

16 August 2006 - Microsoft Reports Organized Crime Groups Targeting On Line Gaming
Microsoft's Dave Weinstein, a security engineer, says, "Those of you who are working on massively multiplayer online games, organized crime is already looking at you." They make money by hacking into computers, stealing account information, and then selling off virtual gold and weapons.
http://www.foxnews.com/story/0,2933,208392,00.html

14 August 2006 - Personal Bank Account Data For Sale in Nigeria, Cheap!
Personal financial information belonging to thousands of UK residents is being sold in Nigeria; the information was gleaned from the hard drives of used PCs sent from the UK. People in West Africa are reportedly buying Internet banking account details for under GBP20 (US$37.75). The UK television program Real Story found PCs containing sensitive information from all over the world in Nigeria's capital, Lagos. People are still being encouraged to give away their used PCs, but also to make sure the hard disks are wiped of personal data or removed from the computers altogether. The UK's Information Commissioner's office says companies are legally obligated by the Data Protection Act to remove customer data from their computers when they no longer require the information.
http://news.bbc.co.uk/2/hi/business/4790293.stm

14 August 2006 - Dollar Tree Customers Report Debit and Check Card Fraud
The US Secret Service and Visa are investigating reports that ATM card information and PINs were stolen from people who shopped at Dollar Tree stores in states on the US's west coast. The stolen information was apparently used to create phony cards that were used to steal hundreds of thousands of dollars from victims. The data were apparently stolen in March and April, but were not used until several months later. When debit cards are used, the money is immediately deducted from accounts. Customers have just 60 days to call their banks and straighten out the situation, or lose their money. Credit card fraud presents less financial risk for consumers.
http://redtape.msnbc.com/2006/08/there_is_a_new_.html

10 August 2006 - IG Report Finds eMail Security Problems at IRS
A recent report from the Treasury Inspector General (IG) for Tax Administration indicated that nearly 75 percent of 96 IRS employee email inboxes reviewed contained messages that violated the department's personal use policy. The IG's report recommends that the IRS monitor email content. The audit also examined 28 of the IRS's 228 email servers and found a total of 687 vulnerabilities. The report recommends reducing the number of email servers. There was also evidence that devices had been configured to act as unauthorized email servers. The report says system administrators should be responsible for ensuring that only authorized email servers are used.
http://www.fcw.com/article95629-08-10-06-Web&printLayout

24 July 2006 - IRS Warns Taxpayers of E-Mail Scam Using US Treasury Payment Systems
Fake e-mail messages containing several misspellings and purporting to be from a fictitious IRS organization are circulating. They claim that someone has enrolled the recipient's credit card in the US Treasury's Electronic Federal Tax Payment System and has tried to use the credit card to pay taxes. The messages instruct recipients to click on a link to recover the money, but the link takes them to a malicious Web page that tries to gather sensitive personal information. This scam is one of more than 100 since last November in which perpetrators have tried to impersonate the IRS in attempts to fool victims into divulging personal and/or financial information or into downloading malicious code.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001961

22 July 2006 - Fake Google Web Site Hides Trojan Horse
A fake Google Tool Bar can turn victims' machines into zombies if it is downloaded. E-mails direct users to the Web site that perfectly mimics the real Google download page where the victim is offered the fake tool.
http://www.cio.com/blog_view.html?CID=23222

20 July 2006 - The State Of Spam
Nearly five billion pieces of spam are blocked every day through the combined efforts of AOL and Microsoft, which represents 95 percent of spam traffic, but that still leaves about 5 percent that gets through. The Messaging Anti-Abuse Working Group says spam accounted for about 80 percent of all the e-mail traffic on the Internet during the first three months of 2006. IBM is reporting that phishing now accounts for one in every three hundred email messages. The article includes lots more information about spam and phishing and what can and cannot be done to fight back.
http://www.informationweek.com/security/showArticle.jhtml?articleID=190600156

19 July 2006 - Hackers Striking Databases In Record Numbers
A firm that monitors security at 1,300 client organizations reports its clients' databases are experiencing more than 8,000 SQL Injection attacks per day. That is nearly a six-fold increase from earlier in 2006. Attacks were detected coming from computers in Russia, China, Brazil, Hungary and Korea. These attacks are specifically crafted for the target organizations.
http://www.infoworld.com/article/06/07/19/HNsqlattacks_1.html

15 July 2006 - FBI: Cybercrime losses down last year
The financial losses related to cybercrime are going down, and the number of businesses willing to report these crimes is going up, according to a new survey co-sponsored by the FBI.
http://www.scmagazine.com/us/news/article/569885/fbi+cybercrime+losses+down+last+year/

13 July 2006 - CIO Resigns After Security Breaches at Ohio University
Citing the need for "a new energy level and skill set," the CIO of Ohio University has submitted his resignation. William Sams will remain at Ohio University until a replacement has been hired. Two IT staffers were recently placed on administrative leave following the disclosure of several data security breaches that exposed the personal information of 137,000 students and alumni.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001777

13 July 2006 - VA IG Report Critical of Department Data Security Policies
A report from the US Department of Veterans Affairs office of the inspector general says VA officials acted "with indifference and little sense of urgency" in the wake of the theft of a computer and storage device containing data belonging to millions of veterans. The report is critical of employees at all levels within the VA; it also says VA policies in place at the time of the theft did not adequately protect sensitive data. The report says notification of the theft was passed from one desk to another, delaying the Department's response; the report also indicates that a VA official wanted to rewrite the theft notification to make the possibility of data misuse seem less likely than it actually was.
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39374813-39000005c


12 July 2006 - IT Spending to Grow Significantly
Analyst firm Accenture reports IT security spending will grow significantly this year.
http://www.scmagazine.com/us/news/article/568708/it+security+spending+set+grow+significantly/

12 July 2006 - Vladimir Putin death spam helps spread Trojan horse
Sophos experts have warned of a spam campaign that poses as a breaking news report about the death of Russian President Vladimir Putin, but is really an attempt by hackers to infect computer users with a Trojan horse.
http://s573.link.sophos.com/putin?pl_id=9

12 July 2006 - Gmail Phishing Scam
A recently detected phishing scam targeting Gmail users pretends to offer a US$500 cash prize. Recipients are directed to a web site where they are asked to register to receive the prize. They are also asked to pay a membership fee of less than US$10. The phony registration site actually hosts malware.
http://www.theregister.co.uk/2006/07/12/gmail_phish/print.html

11 July 2006 - Gmail phishing email lures the unwary with $500 cash prize
A widespread phishing email campaign that tries to trick users out of money by pretending to be a random cash prize from Gmail, Google's popular free email service, has been spammed out to internet users.
http://s573.link.sophos.com/gmailphish?pl_id=9

5 July 2006 - Sophos Security Threat Management Report 2006
Sophos's new in-depth report explores the year's most pressing security issues, and reveals Trojans are now the internet criminal's weapon of choice. If you're a security professional, protecting your company from malicious attack, or just responsible for looking after the data on your own PC, then you need to read this detailed report into the latest virus, spyware and spam trends.
http://s573.link.sophos.com/secrepmid06?pl_id=9

27 June 2006 - Unlucky 13 sacked by Merrill Lynch over porn
U.S. financial giant Merrill Lynch dismissed 13 staff members at its Dublin office after they had sent pornographic material through the company email system. This followed the suspension of 20 staffers the previous week following an internal investigation.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060628/566397/

27 June 2006 - Police bust M00P international virus-writing gang
Authorities in the UK and Finland have arrested three men in connection with an international malware crime ring. Find out more about the malware they are alleged to have written, how hackers abuse zombie computers, and why the gang may have christened themselves "M00P".
http://s562.link.sophos.com/m00pgang?pl_id=9

26 June 2006 - DVLA Employees Disciplined and/or Fired Over Porn E-mail
More than 100 employees of the Driver and Vehicle Licensing Agency (DVLA) were disciplined for sending pornographic email; fourteen were fired for "gross misconduct." The sending of such email violates DVLA's code of conduct.
http://www.theregister.co.uk/2006/06/26/dvla_email_smut_affair/print.html

26 June 2006 - USB Drives Pose Insider Threat; SecurityFocus
Workers have become more wary of putting giveaway CDs in their company's computers, but USB flash drives are another story.
http://ses.symantec.com/jp/symes1474.cfm?JID=8&PID=898884

26 June 2006 - Lost Memory Stick Holds Phishing Investigation Dossier
A police officer with the Australian High Tech Crime Centre (AHTCC) lost a memory stick that contains sensitive financial data belonging to thousands of Australians. The lost memory stick holds a dossier on Russian phishing scams. The data on the stick were being used in an investigation; several arrests were made with the help of the data, but since the loss of the stick, no arrests have been made. While officials searched fruitlessly for the memory stick, the people whose data were compromised were not informed of the loss. The officer who lost the device violated AHTCC rules regarding data transport.
http://australianit.news.com.au/common/print/0,7208,19588463%5E15306%5E%5Enbv%5E,00.html

26 June 2006 - Cosmetic company's stock price rises sharply following pump-and-dump spam
A spam campaign is attempting to make money for criminals by inflating the stock price of a cosmetics company. Find out more about how the spammers are trying to influence the share price, and be aware of the risks of falling for unsolicited stock market advice.
http://s562.link.sophos.com/stockspam?pl_id=9

23 June 2006 - Personal info of 26,000 Agriculture Department employees compromised
The U.S. Department of Agriculture (USDA) announced this week that the identities of about 26,000 employees and contractors may have been compromised by the illegal hijacking of the agency’s computer systems earlier this month.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060626/566300/

24 June 2006 - Audit Indicates Security Didn't Top List of Concerns at Ohio University
An independent audit has turned up evidence that Ohio University's Computer Services department failed to take appropriate security precautions to protect the data on its systems despite a generous budget and average annual surpluses in excess of US$1 million. Ohio University has been in the news lately because of no fewer than five security breaches of its systems that exposed personal data belonging to thousands of students and alumni. Last week, university trustees voted to spend up to US$4 million to improve the school's computer systems.
http://www.smh.com.au/news/Technology/Audit-Ohio-U-Cyber-Security-Low-Priority/2006/06/24/1150845411386.html

23 June 2006 - FTC Says Laptops Stolen from Car
The US Federal Trade Commission (FTC) has acknowledged that two laptop computers containing names, Social Security numbers (SSNs) and some financial account data belonging to approximately 110 individuals, were stolen from a locked vehicle. The computers are those of staff attorneys and are password protected. The agency "is developing a new information security policy that would require an employee to remove any personal identifying data in the machine before it leaves an agency office. If the personal data were needed for an investigation, an FTC manager would have to approve allowing the laptop to leave the building."
http://news.com.com/2102-1029_3-6087218.html?tag=st.util.print

23 June 2006 - Stolen Laptop Holds Student Data
A laptop computer stolen from the car of a San Francisco State University faculty member held data, including some SSNs, belonging to nearly 3,000 current and former students. A university spokesperson declined to elaborate on the disciplinary measures taken, and said it is "very common" for faculty to have student data on their computers. The school stopped using SSNs as personal identifiers one year ago.
http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/06/23/BAGQLJJ2LB1.DTL&type=printable

23 June 2006 - Man Sentenced to 21 Months for Running Phishing Site
Jayson Harris has been sentenced to 21 months in jail for operating a phishing site that pretended to be an MSN billing web site. Harris, who will also pay about US$57,000 in restitution, pleaded guilty to two counts of wire fraud and fraud. He will also be subject to three years of supervised release following completion of his jail time.
http://www.vnunet.com/vnunet/news/2158925/phishing-site-operator-gets-21

23 May 2006 - CSIA study: Less than a fifth feel protected on internet
Fewer than one in five Americans feel that existing laws are enough to protect them on the internet, a new survey revealed.
http://www.scmagazine.com/us/news/article/560588/csia+study+less+fifth+feel+protected+internet/

22 May 2006 - Personal info of 26.5 million veterans lost
Electronic data containing the personal information of as many as 26.5 million veterans and some spouses has been stolen from the home of a Department of Veterans Affairs (VA) employee who violated agency policy by leaving the office with the information.
http://www.scmagazine.com/us/news/article/560359/personal+info+265+million+veterans+lost/

22 May 2006 - Iowa Phisher Gets 21 Months in Jail
An Iowa man, guilty of using phishing schemes to dupe as many as 250 MSN customers into giving up their personal information, was sentenced Friday to 21 months in prison.
http://www.scmagazine.com/us/news/article/560357/iowa+phisher+gets+21+months+jail/

18 May 2006 - Zombie king suspect alleged to have sent 18 million spams per day
South Korean authorities have arrested a man suspected of running a 16,000-strong network of zombie computers.
http://www.sophos.com/pressoffice/news/articles/2006/05/krzombie.html

17 May 2006 - Spyware Infections Up 50 Percent Over Last Year
According to the annual Websense Web@Work survey, the number of organizations reporting their systems have been infected with spyware is up nearly 50 percent. Seventeen percent of companies with more than 100 employees reported their networks have been infiltrated by spyware, such as keystroke loggers. One likely reason for the increase in spyware infestations is the increasing availability of spyware toolkits on the Internet. The study also says that 44 percent of IT decision makers do not believe their employees can distinguish phishing sites from legitimate ones.
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39360278-39000005c

17 May 2006 - People Selling Pirated Software on eBay Sued
Three lawsuits filed in Los Angeles federal court target five individuals who allegedly offered pirated software for sale on eBay. The Software & Information Industry Association (SIIA) is spearheading an effort to crack down on people selling pirated software by purchasing their goods in on line auctions and suing them without warning.
http://www.smh.com.au/news/breaking/companies-crack-down-on-ebay-pirates/2006/05/17/1147545358529.html

17 May 2006 - New York's Anti-Phishing Act Heads to Governor
The New York State legislature has approved the Anti-Phishing Act of 2006. If Governor George Pataki signs the bill into law, it would allow the New York attorney general, industries and non-profit groups to bring civil actions against phishers.
http://www.bizjournals.com/albany/stories/2006/05/15/daily32.html?from_rss=1

16 May 2006 - Malware displays fake virus warnings to sell software
The FakeVir-O Trojan horse displays a message, encouraging computer users to visit a website selling software which claims to protect against spyware.
http://www.sophos.com/pressoffice/news/articles/2006/05/fakeviro.html

13 May 2006 - DISA Offers Free Anti-Spyware Software to All Gov Employees
The Defense Information Systems Agency (DISA) has licensed anti-spyware software for all US government employees and armed forces personnel to use on their home computers. The free software is seen as one measure to protect government systems from malware as many employees bring work home. The employees can download the software directly to their home computers, or they can take home a CD containing the software; it will update automatically.
http://www.news.navy.mil/search/display.asp?story_id=23639

12 May 2006 - Former Dept. of Education Employee Gets Five Months in Prison for Accessing Supervisor's Computer
Kenneth Kwak has been sentenced to five months in prison for using remote control software to access his former supervisor's computer without authorization. Kwak read his supervisor's email and kept an eye on his surfing habits; Kwak shared what he discovered with other employees. Kwak was at the time a computer security specialist at the Department of Education. Kwak will serve five months of home confinement once he has completed his prison sentence. He has also been ordered to pay US$40,000 in restitution to the US government and will be on parole for three years.
http://news.com.com/2102-7350_3-6071928.html?tag=st.util.print

10 May 2006 - Hong Kong Court Says ISPs Must Divulge Names of Suspected Movie Downloaders
A Hong Kong court has ordered four Internet service providers (ISPs) to reveal the identities of 49 people who are suspected of illegally downloading several movies. While last year a man was sentenced to three months in jail for making movies available on the Internet with BitTorrent technology, this is the first legal action taken by film companies in Hong Kong against suspected downloaders.
http://australianit.news.com.au/articles/0,7204,19088317%5E15319%5E%5Enbv%5E,00.html

8 May 2006 - Trojan Goes After Online Game Account Information
The PWS.Win32.WOW.x Trojan horse program seeks user names and passwords for the online game "World of Warcraft." Once attackers have the means to access an account, they have the ability to transfer virtual goods to another account. Although the game's publisher has forbidden the sale of virtual goods for money, there is a black market for them on the Internet. The program spreads through peer-to-peer file sharing, pop-ups and email attachments and tries to disable security software on computers it infects.
http://www.informationweek.com/news/showArticle.jhtml?articleID=187002835

4 May 2006 - Idaho Power Drives Sold on eBay Not Adequately Scrubbed
Idaho Power Co. is trying to track down old company hard drives that were sold on eBay without going through prescribed scrubbing procedures. The data on the drives includes memos, customer correspondence and confidential employee data. Idaho Power recycles old drives through a salvage vendor. The power company has launched a private investigation into why scrubbing procedures were not followed. Idaho Power requires that their discarded drives be destroyed or scrubbed to US Department of Defense standards. Companies that do not properly scrub memory devices risk violating regulations in addition to the embarrassment of exposing confidential data. According to a Gartner survey, approximately 30 percent of organizations use third party companies to dispose of PCs and servers they are no longer using. Idaho Power says it will now destroy old drives rather than recycle them.
http://www.computerworld.com/securitytopics/security/story/0,10801,111148,00.html

27 April 2006 - Stolen Aetna Laptop Contains Data on 38,000 Members
Aetna Insurance has acknowledged that a laptop computer stolen from an employee's car contains personal data belonging to approximately 38,000 members. Those affected are employees of two companies who asked not to be named until all of their affected employees are informed of the laptop's theft and its implications. Aetna plans to send letters to inform all those affected. Aetna said the employee who left the computer in the car was not following company policy.
http://news.zdnet.com/2102-1009_22-6066078.html?tag=printthis

27 April 2006 - BSA Ups Maximum Reward for Tips About Unlicensed Software at UK Businesses
The Business Software Alliance (BSA) has increased its maximum reward for information regarding the use of illegal or unlicensed software in UK businesses. The BSA has launched 420 investigations from tips received on its hotline. People providing the BSA with tips about unlicensed software could receive as much as GBP20,000 (US$36,513) through the end of June.
http://management.silicon.com/itdirector/0,39024855,39158440,00.htm

27 April 2006 - RIAA and MPAA Ask University Presidents for Help in Fighting Piracy
The Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) have sent letters to 40 US university presidents informing them of problems with pirated digital content on their schools' local area networks (LANs) and asking that they take action to halt the copyright violations. The RIAA and the MPAA say students are trading files across school LANs rather than sending them over the Internet. LANs in universities often serve tens of thousands of people.
http://news.com.com/2102-1025_3-6066118.html?tag=st.util.print

19 April 2006 - Studies Say HIPAA Privacy Rule Compliance Not Improving
According to a survey from the American Health Information Management Association (AHIMA), compliance with the Health Insurance Portability and Accountability Act (HIPAA) patient privacy rules appears to be on the wane. Of 1,117 hospitals and health systems responding to the survey, 91 reported HIPAA compliance last year while 85 percent said they were in compliance this year. The top reasons given for declining compliance were "lack of