Educause Security Discussion mailing list archives
"Porn-surfing hits taxpayer IDs"
From: Jere Retzer <retzerj () OHSU EDU>
Date: Wed, 14 Jun 2006 12:44:17 -0700
From today's Oregonian. Here is another threat/risk to consider. Does anyone know about other incidents of trojans stealing personal data? I'm also looking for safeguards to build into web-based applications used to access sensitive data to prevent malware on individual PCs from harvesting the data.

Thanks

Article from the Oregonian follows:

Porn-surfing hits taxpayer IDs

Security breach - More than 1,300 people face identity theft after a state employee let in data-stealing spyware

Wednesday, June 14, 2006
JOE ROJAS-BURKE
The Oregonian

Oregon Department of Revenue officials thought they were tightly secured against data theft. An elaborate firewall around their computer system fended off hackers. Virus detection software, updated every two hours, constantly screened incoming e-mail and downloads for malicious programs.

But the technology did not stop an employee from using an office computer to surf porn sites and download a Trojan horse, a hidden spyware program not yet known to intrusion-detection software.

The Trojan installed itself Jan. 5 and for the next four months secretly captured and relayed data to the hackers who created it. More than 1,300 taxpayers are now at risk of identity theft.

The Department of Revenue, which disclosed the security breach Tuesday, said the confidential data consisted of Social Security numbers, names and addresses but included no tax records or financial or credit card information.

In the struggle against online data thieves, the incident highlights the weakest link in the most advanced security systems: individuals who break security rules and intentionally or unintentionally expose computer systems to data thieves.

"No matter how hard you try, no matter how many policies you have in place, no matter how many times you've trained your people, these things will happen," said Jim Hudson, president of Amcrin Corp., a security firm in West Linn.

"Everybody who handles confidential data should have a plan on how to handle this risk," Hudson said.

Like many institutions, the Department of Revenue appears to have been caught flat-footed. On Tuesday, officials had not finalized a plan for responding to the security breach, which they discovered May 15 while searching the computer hard drive of an employee who had been caught downloading pornography at work and fired.

The department has not decided whether to pay for credit monitoring or other protective services, which banks and other private institutions often provide to customers after a data theft.

"We are trying to figure out how that would be done and what the cost would be," said Don O'Meara, administrator of information processing for the Department of Revenue. He said the department intends to inform each affected taxpayer and began mailing notices Monday.

The vulnerability to such an attack surprised the department's technology staff, O'Meara said. In addition to the firewall with frequently updated intrusion-detection software, the department routinely blocked employee access to thousands of porn and other Web sites known for transmitting malicious spyware.

The department updated the list of blocked sites every 24 hours, but like fast-multiplying germs, the Web sites overwhelmed its defenses.

"There are so many new sites, we couldn't keep up with them," said Rosemary Hardin, a department spokeswoman.

"We maybe had a false sense of security," O'Meara said.

The risk to the affected taxpayers is difficult to estimate. The creators of Trojan horses typically unleash them in hopes of capturing log-in names and passwords to bank and credit card accounts to steal from directly, Hudson said.

The Trojan horse gathered the equivalent of 7,000 text pages of data. But O'Meara said his staff spent weeks poring over the data and found no tax files or financial information. He said it was limited to Social Security numbers, names and addresses.

He said the department is taking steps to heighten security and also has banned employees from accessing Web sites for personal use.