Information Security News mailing list archives

U.S. scrutinizes security hole at privacy site


From: InfoSec News <isn () c4i org>
Date: Mon, 9 Jul 2001 03:05:57 -0500 (CDT)

http://news.cnet.com/news/0-1003-200-6477431.html?tag=mn_hd

By Reuters 
July 6, 2001, 4:25 p.m. PT 

WASHINGTON--U.S. officials scrambled to assure businesses Friday that
their confidential data had not been compromised by a government Web
site that allegedly contained security holes.

Ironically, the Web site encouraged businesses to sign up for a
program that would beef up their own protections for sensitive
personal data.

A report that appeared Friday on Wired News said hackers could easily
access proprietary information through a back door to the U.S.
Department of Commerce's safe harbor Web site.

A notice on the site said two pages had been taken down Wednesday
while security provisions were examined.

Commerce Department officials said they were still investigating the
matter but that hackers had not altered any data accessible through
the site.

"As we continue to examine the situation, we're in the process of
contacting all Safe Harbor participants to assure them that we have
not found any compromised data," said Jeff Rohlmeier, an international
trade specialist at the Commerce Department.

U.S. and European Union officials developed the safe harbor program
last year to enable U.S. firms to avoid prosecution under an EU law
that prohibits the transfer of personal data such as customer lists
from the EU to countries that do not meet its standards for privacy
safeguards, including the United States.

Firms that wish to sign up for the safe harbor must certify that their
internal privacy practices measure up to EU standards. U.S. companies
have been slow to sign up: As of July 1, only 72 businesses were
listed on the site as participants.

The security hole reportedly allowed visitors to a government site to
access a database that contained information on participating
businesses the Commerce Department said it would not make public:
revenue, number of employees, and European countries in which the firm
does business.

Publicly held companies divulge this information in financial filings,
but many private firms closely guard such figures.

John Hollway, chief privacy officer for privately held pharmaceutical
services company Acurian, said Commerce Department officials had
contacted him about the possible security hole.

While Hollway said he was concerned that hackers could have bumped
Acurian from the certification list, he said he was not troubled by
any data that might have been revealed.

"I don't think it raised huge alarm bells," Hollway said. "Certainly
there's an unfortunate irony that a privacy site is fingered as a
place that could be hacked."




ISN is hosted by SecurityFocus.com