Thursday, January 23, 2014

Hackers Breach Target: Data of 700,000 Canadians Stolen


Target, the third-largest department-store chain in the United States, confirmed earlier this month that hackers had broken into its systems and stolen the personal data of 70 million customers.
Yesterday the company sent letters to affected customers. Besides customers who crossed the border and shopped at Target stores in the United States between November 27 and December 15 of last year, some Canadians who did not shop in the United States during that period were also notified. The company estimates that about 700,000 Canadians had their data stolen in this incident.
Target Canada acknowledged that personal data of some Canadian customers, such as names, addresses, e-mail addresses and telephone numbers, had been stolen, but said their credit-card and debit-card data had not been affected, because Target stores in Canada use a different payment system from the US stores.

(Photo caption) US police arrested two suspects connected with the Target data theft at the end of last year. On Monday the police department in McAllen, Texas showed photographs of Daniel Guardiola Dominiguez (left) and Mary Carmen Garcia, who were arrested at the border on Sunday. Law-enforcement officers seized 96 counterfeit credit cards, which the criminals had manufactured using the data stolen from Target. (Associated Press)
Target said it is notifying affected customers in stages and has promised to provide one year of free credit monitoring, along with other tips on guarding against fraud. The company has hired a third-party firm to investigate the incident.
Target CEO Gregg Steinhafel said in the letter to affected customers that the intrusion is estimated to have taken 40 million credit- and debit-card account records and personal data on 70 million customers. Canadians account for less than ten percent of that total, expected to be fewer than 700,000 people.
In the United States, police believe the stolen Target customer data was split up after the theft and sold on to different regions. Two Mexican nationals, a man and a woman, were arrested in southern Texas with 96 counterfeit credit cards.
The two had used the fake cards to make more than ten thousand dollars of purchases at chain stores around the country; they were arrested on Sunday morning when they tried to re-enter the United States.
TJX Cos., owner of Marshalls, T.J. Maxx and Winners, had 47.5 million credit- and debit-card accounts stolen beginning in July 2005; the breach was not discovered until December 2006. By 2009 the company had paid $9.75 million to settle the matter, while still maintaining that it had not violated data-security laws.
(Source: info.51.ca)

Alberta Health Ministry Learns of 620,000-Patient Data Leak Only After Four Months

Alberta Health Minister Fred Horne said on Wednesday that a stolen laptop containing important data on 620,000 patients, taken four months ago, had only now been reported to his ministry, and that he was "furious".
The patient data included unencrypted names, dates of birth, health-card numbers, billing codes, billing amounts and diagnostic codes for every patient who visited Medicentres clinics across the province between May 2, 2011 and September 19, 2013.
Horne said the laptop was stolen on September 26; several days later, on October 1, the clinic operator reported it to Alberta privacy commissioner Jill Clayton and to Edmonton police.
(Photo caption) Alberta Health Minister Horne at a press conference in the provincial legislature.
He said he and the ministry learned of the incident only on Tuesday, when he received a letter from a Medicentres vice-president.
Horne said at a press conference in the legislature: "As the representative of the residents of this province, I am furious. Something like this should have been reported long ago, to me or to my department.
"That something like this could happen in a province like Alberta, I find unbelievable."
Horne said he has asked Clayton to investigate under the Health Information Act to establish the facts and determine whether privacy law was breached.
Medicentres, which operates a chain of family-medicine clinics, said in a press release that so far it had found no evidence that anyone had accessed or misused the data on the stolen laptop, but it urged patients to check their bank and credit-card statements.
It said that since the incident it had upgraded its security measures and carried out audits to make sure the measures were more complete.
The company's statement said: "We apologize to all patients for any concern this (security issue) may have caused."
Asked by reporters why the privacy commissioner's office had not informed the minister's office last fall, Brian Hamilton, the office's director of compliance and special investigations, explained that the law allows Clayton to notify only the party directly involved with the information.
Hamilton said: "Our practice is not to notify the minister unless the security incident involves the ministry's own information systems."
He noted that Clayton would decide on Thursday at the earliest whether to open an investigation. - Toronto 51 Net (51.ca)

Tuesday, January 21, 2014

Security Framework Industry Standards


  • ISO/IEC 27001 (information security management system requirements) and ISO/IEC 27002 (the accompanying control catalogue)
  • NIST SP 800-53 (security and privacy controls for US federal information systems)
  • SOX (Sarbanes-Oxley; a financial-reporting statute whose IT general controls get audited, not a security standard in itself)
  • PCI DSS (Payment Card Industry Data Security Standard, for systems that store, process or transmit cardholder data)




Compliance != Security. Passing an audit against any of the above shows only that the required controls were in place at a point in time; it says nothing about whether the system would withstand an actual attack.





The Security Framework for Information Technology

Most of the damage to Information Technology (IT) security does not come from outside malicious attacks, but from simple mistakes: unintended or unauthorized actions by legitimate users and by IT engineers who are either untrained in security or who misunderstood the instructions they were given by management.
These two problems, untrained operators and misunderstood instructions, play out daily in the IT world. Part of the reason is the lack of common, proven practices and guidelines for IT professionals. Unlike the legal, financial and medical fields, the IT field is still somewhat in its infancy. It has yet to earn the kind of respect from the business community that legal, financial and medical professionals enjoy, even though IT professionals are increasingly tasked with handling and protecting the organization's core assets: the data and information that lawyers, accountants, clinicians and management all depend on.
There is no question how important the IT department is to any organization. So what are the issues behind poor security in most IT operations? Here are the main ones that I see:
Management vs. System users vs. IT professionals
No one needs to tell a brain surgeon what procedures to follow to perform an operation. No one tells a Certified Public Accountant (CPA) how to conduct a financial audit, and no one needs to ask an attorney to maintain attorney-client confidentiality during a trial. And yet, when it comes to IT security, management, system users and IT professionals are often at odds over the best course of action in response to a given security concern. The three groups almost always have their own ideas about how security should function, and often one, two or all three of them do not understand each other. Worse still, sometimes they do not understand the security issue involved or the remedies available. Management usually understands the high-level issues; users generally want convenience; and IT wants to please the first two while still doing its job. But they have no common framework to follow, and most have no common policy to follow either. To make matters worse, everyone believes their own way is best, regardless of the real overriding issues.
Standards
There is a total lack of standards when it comes to IT security. As mentioned above, all three stakeholder groups have their own ideas about what the standards are. The three groups may even change the standards from time to time in response to a given situation, and next time around it could be different again. Things are done to solve an "urgent" issue with the intention of revisiting the actions later, once the urgency is over. We all know how that goes.
Complexity of the Information Technology
Supporting the current IT infrastructure is far more difficult than it was ten years ago. While supporting the hardware side of IT has gotten dramatically easier, supporting the rest of the IT infrastructure is much harder today than it was in the past. Most managers and system users do not appreciate how difficult it is to keep an IT operation running smoothly. Management and system users only see the front end of the IT system: it is all Windows, GUIs, point and click. At the back end, IT faces increasingly complex configurations and environments to make everything work, and nearly every operating system and most applications today implement their own, differing security models.
Consistency
Until just a few years ago there was no concerted effort in the IT industry, or among IT professionals, to focus on security. Even today most training focuses on a micro level that is specific to a given product and, at times, a given task. Very few IT professionals have a comprehensive knowledge of all the levels of IT security they would need to perform their job consistently, each and every time. Without a high-level IT security framework and/or IT security policy, security tasks are performed by individual IT professionals based on their own experience. The results are mixed and may not even be the desired ones, and even when the same individual performs the same task, the results can be inconsistent.
Policy
Most organizations today still do not have a well-defined security policy. Where a comprehensive security policy does exist, it is often not well communicated or enforced, because it lacks a high-level framework to guide it. Very often the policies address security issues at a micro level that management, system users and IT professionals find hard to understand or to enforce consistently. And in organizations that do have a well-defined policy, there is very often no well-trained team (a workable team has to include all stakeholders) to enforce and fine-tune it, so over time the system breaks down.
Framework
For an IT security system to work, more needs to be done. A well-defined framework needs to be developed involving all stakeholders, and it needs to be self-tuning over time to stay useful. Almost every organization today stops short of having a good framework for enforcing and fine-tuning its IT security system. Most understand the need for a well-defined security policy, but unfortunately most stop there once they have developed one.
Below is a high-level view of the Security Framework™ developed by Triware Networld Systems:

Training
One major difference between traditional, well-respected professionals such as medical doctors, CPAs and attorneys and the IT practitioner is the IT practitioner's lack of a structured approach to learning the trade. There is no well-defined curriculum for people who intend to go into IT fields. Most IT training focuses on product-specific and commercial aspects of the subject matter, with marketing and product promotion mixed into the training. The traditional curricula that produce the skills demanded of most computer programmers and engineers are not suited to keeping up with today's IT demands.
In conclusion, for any IT security system to work, a well-defined, organization-wide security framework needs to be implemented that involves all stakeholders, and the framework needs to be part of the organization's core operations, its DNA, at every level of the organizational structure.