Educause Security Discussion mailing list archives

"Porn-surfing hits taxpayer IDs"


From: Jere Retzer <retzerj () OHSU EDU>
Date: Wed, 14 Jun 2006 12:44:17 -0700

From today's Oregonian. Here is another threat/risk to consider. Does anyone know about other incidents of trojans 
stealing personal data? I'm also looking for safeguards to build into web-based applications used to access sensitive 
data to prevent malware on individual PCs from harvesting the data. Thanks

Article from the Oregonian follows:

Porn-surfing hits taxpayer IDs
Security breach - More than 1,300 people face identity theft after a state employee let in data-stealing spyware
Wednesday, June 14, 2006
JOE ROJAS-BURKE
The Oregonian

Oregon Department of Revenue officials thought they were tightly secured against data theft. An elaborate firewall 
around their computer system fended off hackers. Virus detection software, updated every two hours, constantly screened 
incoming e-mail and downloads for malicious programs.

But the technology did not stop an employee from using an office computer to surf porn sites and download a Trojan 
horse, a hidden spyware program not yet known to intrusion-detection software. The Trojan installed itself Jan. 5 and 
for the next four months secretly captured and relayed data to the hackers who created it.

More than 1,300 taxpayers are now at risk of identity theft. The Department of Revenue, which disclosed the security 
breach Tuesday, said the confidential data consisted of Social Security numbers, names and addresses but included no 
tax records or financial or credit card information.

In the struggle against online data thieves, the incident highlights the weakest link in the most advanced security 
systems: individuals who break security rules and intentionally or unintentionally expose computer systems to data 
thieves.

"No matter how hard you try, no matter how many policies you have in place, no matter how many times you've trained 
your people, these things will happen," said Jim Hudson, president of Amcrin Corp., a security firm in West Linn.

"Everybody who handles confidential data should have a plan on how to handle this risk," Hudson said.

Like many institutions, the Department of Revenue appears to have been caught flat-footed. On Tuesday, officials had 
not finalized a plan for responding to the security breach, which they discovered May 15 while searching the computer 
hard drive of an employee who had been caught downloading pornography at work and fired.

The department has not decided whether to pay for credit monitoring or other protective services, which banks and other 
private institutions often provide to customers after a data theft.

"We are trying to figure out how that would be done and what the cost would be," said Don O'Meara, administrator of 
information processing for the Department of Revenue. He said the department intends to inform each affected taxpayer 
and began mailing notices Monday.

The vulnerability to such an attack surprised the department's technology staff, O'Meara said. In addition to the 
firewall with frequently updated intrusion-detection software, the department routinely blocked employee access to 
thousands of porn and other Web sites known for transmitting malicious spyware.

The department updated the list of blocked sites every 24 hours, but like fast-multiplying germs, the Web sites 
overwhelmed its defenses.

"There are so many new sites, we couldn't keep up with them," said Rosemary Hardin, a department spokeswoman.

"We maybe had a false sense of security," O'Meara said.

The risk to the affected taxpayers is difficult to estimate. The creators of Trojan horses typically unleash them in 
hopes of capturing log-in names and passwords to bank and credit card accounts to steal from directly, Hudson said.

The Trojan horse gathered the equivalent of 7,000 text pages of data. But O'Meara said his staff spent weeks poring 
over the data and found no tax files or financial information. He said it was limited to Social Security numbers, names 
and addresses.

He said the department is taking steps to heighten security and also has banned employees from accessing Web sites for 
personal use. 
