Posts Tagged ‘PII’

The Royal Wedding is finally over. While thousands of people were present at Westminster Abbey in London, millions more wished they could have been there. Some rather clever scammers are now "cheering up" the people who couldn't make it by inviting them to play a new game on Facebook. It sounds like fun, but it actually harvests users' personally identifiable information (PII).

Here’s a typical message that is currently being spread by well-meaning users across the social network:

[Image: Wedding guest name on Facebook]

In honor of the big wedding on Friday, use your royal wedding guest name. Start with either Lord or Lady. Your first name is one of your grandparents’ names. Your surname is the name of your first pet, double-barreled with the name of the street you grew up on. Let’s do this! Post yours here. Then cut and paste it into your status.

Regally yours,

Lady Edith Spanky-Rushmoor

Do you see the problem?

By playing the game, you might be unwittingly making life easier for identity thieves and hackers.

Look at it this way. Think of all the websites which ask you to give it a “secret question” which can confirm your identity in the event of you forgetting your password.

[Image: Yahoo password question]

If you tell everyone your Royal Wedding Guest name, you are giving away exactly the kind of information (a grandparent's name, a first pet, the street you grew up on) that might help someone answer those secret questions and break into, say, your email account.

So, here is some advice from Graham Cluley, Senior Technology Consultant at security firm Sophos:

Firstly, don’t post this kind of personal information onto the internet – the few seconds worth of amusement you may get by telling people your Royal Wedding Guest name are not worth the potential pain of having your identity stolen.

Secondly, when websites ask you for a “secret answer” to reset your password… lie. You don’t need to tell the truth when you’re asked by a website what your mother’s maiden name was, or the name of your favourite TV show. So, say something random but memorable that no-one is likely to guess like “Xena Warrior Princess” or “Artichoke Sandwich”.

Last week's hack on Sony's PlayStation Network has been listed as the fourth largest data breach in history, exposing the personally identifiable information (PII) and possibly the credit card data of about 70 million users, according to DataLossDB, an open source foundation that monitors data breaches across the world.

IT security firm Sophos is warning users of Sony's PlayStation Network that they are at risk of identity theft after hackers broke into the system and accessed the personal data of videogame players.

The implications of the hack, which resulted in the service being offline since last week, are only now becoming clear as Sony has confirmed that the hackers, who broke into the system between April 17th and April 19th, were able to access the online gamers’ personal information.  According to Sophos, users should take immediate action to ensure that their online identities are secure, and that fraudsters cannot take advantage of stolen credit card information.

Sony has yet to provide the exact details of the attack. It says it is still unsure whether credit card details were breached, but at the same time it does not rule out the possibility that your credit card details are already in the hands of the attackers.

“If you’re a user of Sony’s PlayStation Network, now isn’t the time to sit back on your sofa and do nothing.  The fraudsters won’t wait around – for them this is a treasure trove ripe for exploiting. You need to act now to minimize the chances that your identity and bank account become casualties following this hack,” said Graham Cluley, Senior Technology Consultant at Sophos.  “That means, changing your online passwords (especially if you use the same password on other sites), and considering whether it would be prudent to inform your bank that as far as you’re concerned your credit card is now compromised.”

Sony has warned that hackers have been able to access a variety of personal information belonging to users including:

  • Name
  • Address (city, state, pin code)
  • Country
  • Email address
  • Date of birth
  • PlayStation Network/Qriocity password and login
  • Handle/PSN online ID

In addition, Sony warns that profile information – such as history of past purchases and billing addresses, as well as “secret answers” given to Sony for password security may also have been obtained.  Sony also admits that it cannot rule out the possibility that credit card information may also have been compromised.

“The fact that credit card details, used on the network to buy games, movies and music, may also have been stolen is very disturbing,” continued Cluley.  “If Sony loses your credit card information, it’s no different from you losing your credit card – you should cancel that card immediately.  Questions clearly have to be asked as to whether Sony was ignorant of PCI data security standards and storing this and other personal data in an unencrypted format.  All in all, this is a PR and security disaster for Sony.”

German software company Ashampoo has been the target of a recent hacking attempt. Hackers gained access to one of Ashampoo's servers. The company discovered the break-in and interrupted it immediately, and the security gap through which the hackers gained access was closed right away. However, the hackers did manage to steal personally identifiable information, including customer names and e-mail addresses. Billing information (e.g. credit card or banking details) is not affected, because that data is not stored on the company's system.

According to Rolf Hilchner, CEO of Ashampoo, "Like many other companies we are targeted by organizations of hackers that try to break into IT systems in order to steal data. Unfortunately, one of our security systems fell victim to such an attack recently. Unauthorized access to one of our servers took place. However, subsidiary companies of the Ashampoo group are not affected by this incident."

"Hackers often follow the pattern of making people insecure, e.g. with a confirmation of an order whose attachment is then opened or, rather, executed. Generally it is always important that you stay suspicious of unknown senders and that you do not respond to requests that tell you to open attachments," Hilchner said in a note to the company's customers.

"Please make sure that there is always an anti-virus program installed whose security signatures are up to date. System checks should be carried out regularly. Furthermore, never use your access passwords repeatedly (eBay, Amazon etc.) and make your password as complicated as possible, for example by using special characters, numbers as well as uppercase and lowercase letters. Please change your passwords regularly," he further suggested.

The U.S. Social Security Administration has published the names, birth dates, and Social Security numbers of more than 36,000 living people who mistakenly ended up in its Death Master File, which collects names of recently deceased individuals and is sold to the public.

From May 2007 through April 2010, SSA’s publication of the DMF (Death Master File) resulted in the breach of personally identifiable information for as many as 36,657 additional living individuals erroneously listed as deceased on the DMF.  SSA made these individuals’ SSNs; first, middle, and last names; date of birth; and State and ZIP codes of last known residences available to users of the DMF before learning they were not actually deceased.

A report issued by the SSA’s Office of the Inspector General explained the irregularities in SSA that led to the breach. According to the report:

SSA did not implement a risk-based approach for distributing DMF information, attempt to limit the amount of information included on the DMF version sold to the public, or explore alternatives to inclusion of individuals’ full Social Security number (SSN). SSA continued to publish the DMF with the knowledge its contents included the PII of living number holders. As such, we believe SSA should take additional precautions to limit the number of reporting errors and the amount of personal information published in the DMF—particularly the version sold to the public. We made two recommendations for corrective action.  The Agency disagreed with both recommendations.

This is the second big breach reported due to the negligence of U.S. authorities, after the State of Texas exposed the PII of over 3.5 million people.

Susan Combs, Comptroller for the state of Texas, has announced a massive data leak in which 3.5 million people's social security numbers, names and addresses, and in some cases their dates of birth and driver's license numbers, were exposed.

Unlike private companies which have had large releases of PII (Personally Identifiable Information) recently, the state of Texas is not providing credit monitoring or other services for the victims of its mistake. It is simply providing sage advice.

The Comptroller's office discovered on the afternoon of March 31st, 2011 that it had inadvertently placed the private information of the Teacher Retirement System of Texas (TRS), the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas (ERS) on an internet-accessible server.

The data was not encrypted, which is itself a breach of policy, and in being placed on that server it had also bypassed several other policy rules within the state designed to protect people's PII.

While most organisations deploy encryption on company laptops, they often ignore the servers and databases where they store critical data, assuming it is safe because the servers sit behind a firewall. Evidently, a firewall alone has not been sufficient to safeguard that data: a single misconfiguration (an unintended internet-facing server, as in Texas) or a single compromised host (as at Sony or Ashampoo) exposes everything stored in the clear.

As we saw with Epsilon and many others before, sensitive data must be protected regardless of the medium or location in which it is stored.
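To make the point about protecting stored data concrete, here is an added example (not code from any of the companies or agencies discussed above) of encrypting a PII record before it is written to a database, using AES-256-GCM from Go's standard library. The record ID is bound into the ciphertext as additional authenticated data, so a stolen blob cannot be replayed onto another user's row and any tampering is detected on decryption. The `PIIRecord` fields, the `Vault` type and the record IDs are assumptions made for this example; the in-memory key is a constructed stand-in for a key that in practice would live in a KMS or HSM, never on the same server as the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// PIIRecord holds the kind of data the breaches above exposed.
// The field set is an assumption for this example.
type PIIRecord struct {
	Name  string `json:"name"`
	Email string `json:"email"`
	DOB   string `json:"dob"`
}

// Vault wraps one AES-256-GCM key. In production the key is fetched from a
// KMS/HSM or secret store, never read from the disk that holds the data.
type Vault struct {
	aead cipher.AEAD
}

// NewVault builds the AEAD from a 32-byte key.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal serialises the record and encrypts it under a fresh random nonce.
// The record ID is passed as additional authenticated data, so the ciphertext
// only opens for the row it was written for. Layout: nonce || ciphertext+tag.
func (v *Vault) Seal(id string, rec PIIRecord) ([]byte, error) {
	plain, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plain, []byte(id)), nil
}

// Open reverses Seal. A modified blob or a mismatched ID fails authentication.
func (v *Vault) Open(id string, blob []byte) (PIIRecord, error) {
	var rec PIIRecord
	ns := v.aead.NonceSize()
	if len(blob) < ns+v.aead.Overhead() {
		return rec, errors.New("blob too short")
	}
	plain, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(id))
	if err != nil {
		return rec, err
	}
	err = json.Unmarshal(plain, &rec)
	return rec, err
}

// ContainsPlaintext models what someone who dumps the server would try first:
// searching the stored bytes for a known value such as an e-mail address.
func ContainsPlaintext(blob []byte, needle string) bool {
	return bytes.Contains(blob, []byte(needle))
}

func main() {
	key := make([]byte, 32) // constructed demo key, generated in memory
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	v, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	rec := PIIRecord{Name: "Jane Example", Email: "jane@example.invalid", DOB: "1970-01-01"}
	blob, _ := v.Seal("user-42", rec)
	fmt.Println("e-mail visible in stored bytes:", ContainsPlaintext(blob, rec.Email))
	back, err := v.Open("user-42", blob)
	fmt.Println("decrypted:", back, err)
	_, err = v.Open("user-43", blob)
	fmt.Println("opened under another record ID:", err)
	blob[len(blob)-1] ^= 1 // flip one bit of the authentication tag
	_, err = v.Open("user-42", blob)
	fmt.Println("opened after tampering:", err)
}
```

The design choice worth noting is the authenticated data: encrypting each field in isolation stops a casual dump from reading names and addresses, but without binding the ciphertext to its row an attacker with write access could still move a record between users. Binding the ID, and keeping the key outside the data store, is what turns "the server was exposed" into "some random-looking bytes were exposed".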