IT insider admits stealing info for 2,000 bank employees
Article Author: Dan Goodin
A former IT worker for the Bank of New York has admitted to stealing personal information of 2,000 employees and using it to steal more than $1m from charity bank accounts, city prosecutors said.
Adeniyi Adeyemi, 27, used his position as a contract computer technician at the bank’s headquarters to steal the personal identifying information of 2,000 employees, most of whom worked in the IT department. Over an eight-year span, he used the information to set up dummy bank accounts in the employees’ names and then transfer stolen funds from at least 11 charities throughout the world.
Adeyemi used publicly available routing numbers for the charities to initiate wire transfers through financial sites such as ETrade and Fidelity and deposit them into the dummy accounts. To better cover his tracks, he then transferred the funds to a second layer of dummy accounts, according to a press release issued by the New York City District Attorney.
Adeyemi also used the stolen employee data to steal directly from his co-workers by changing the contact information with their banks and taking control of their online accounts. In all, his scheme netted $1.1m, prosecutors said. To prevent his scheme from being detected, he structured transfers to be just below the $10,000 threshold that requires financial institutions to report the transactions to authorities.
Adeyemi pleaded guilty to grand larceny, money laundering, and computer tampering. Sentencing is scheduled for July 21.
original story at The Register
Security budgets stable or increasing at financial firms
Article Author: Angela Moscaritolo
Compliance and insider threats drive growth.
Despite the global financial crisis, information security budgets at financial institutions are generally staying stable, and many have even increased, according to a study conducted by accounting and consulting firm Deloitte.
The seventh annual survey of security spending and priorities at financial institutions worldwide, released Thursday, found that 56 percent of information security budgets have increased.
Additionally, the survey found there was a 20 percent drop this year in the percentage of respondents who said a lack of sufficient budget is a major barrier to information security (36 percent in 2010, compared to 56 percent in 2009).
Further, respondents at more than 70 percent of organisations said they are planning to implement at least one new security technology in the next 12 months. When it comes to security priorities, the largest percentage of respondents cited identity and access management (IAM), followed by data protection, security infrastructure improvement, regulatory and legislative compliance and compliance remediation.
Ed Powers, leader of Deloitte’s security and privacy practice for the financial services industry, told SCMagazineUS.com on Friday that regulatory pressure is driving much of the security activity within the financial sector.
“The regulators of most large financial institutions have been much more aggressive over the last 18 to 24 months in general, translating to much more pressure in existing regulations,” Powers said.
This year was the first time since the survey began that information security compliance came out as one of the top five security initiatives. Thirty-four percent of respondents said regulatory and legislative compliance is a top priority, while 33 percent said compliance remediation – based on the findings of internal and external auditors – is of most concern. Financial firms are hiring more internal auditors to resolve the findings of internal and external compliance audits, the survey found. Also, those surveyed said they expect more regulatory pressure in the future.
This heightened regulatory pressure has resulted in increased visibility at the board level for security and risk, especially with regard to customer data protection and sustained or increased budgets, Powers said.
Also, financial institutions of all sizes, but especially larger organisations, reported excessive access rights as a top security problem, the survey states. As a result, IAM has become a main priority for 44 percent of those surveyed.
IAM has undergone a change over the past few years, evolving from a means of efficiently provisioning user accounts to a mechanism for granularly controlling access to systems and data by managing what users have access to on a given system, Powers said.
Meanwhile, data protection has become a top priority for 39 percent of financial organizations surveyed, due in large part to an increased concern over insider threats, Powers said.
“There have been a number of pretty high-profile incidents that have helped to raise awareness around the threat posed by privileged insiders,” he added.
Financial organisations also recognise that external threats are becoming more targeted, organised and sophisticated, Powers said.
Organised criminals are targeting these institutions for financial gain, but there also is growing concern about the potential impact of cyberattacks on an organisation’s infrastructure.
Consequently, the survey found that security infrastructure improvement is a main priority for 36 percent of respondents.
See original article on Secure Computing Magazine
Council staff helping selves to data
Article Author: Sarah Bee
Official claims that “your data is safe with us” suffered another body blow at the weekend with revelations of a dramatic rise in hacking of the UK’s tax and benefit mega-database by council staff.
In most cases, councils appear to have concluded that the appropriate penalty for such unlawful prying into personal lives has been nothing more than a slap on the wrist.
The scale of the unofficial snooping came to light following a series of FoI requests by the Mail, which disclosed that there had been 124 security breaches by council staff last year – up sixfold from a mere 20 in 2008/9.
Town Hall snoopers have been looking at accounts belonging to friends, family and neighbours – as well as celebrities. Although some 26 employees were dismissed – and eight resigned during the disciplinary process – the majority were let off lightly: 37 received a written or verbal warning, while 43 suffered no penalty at all.
The database, maintained by the Department of Work and Pensions (DWP), is a monster: it records details of every individual issued with a National Insurance number, and it includes details on the ethnicity, address, and tax status of 85 million individuals (both the living and the dead). The system also holds full income details for anyone in receipt of any form of benefit.
It can be accessed by workers at the 445 local authorities across the UK, as well as 80,000 DWP employees and 60,000 workers from other government departments.
Talking to the Reg this morning, Alex Deane, Director of Big Brother Watch, said: “These figures are a dismal indictment of councils and the people we pay to work in them.
“That the number of officers conducting this illegal snooping is on the increase is a real cause for concern. This just goes to show that our private data is not safe with councils – the less they have of it, the better.”
We also asked the DWP to comment. In an earlier statement, a spokesman for the DWP was reported as saying: “DWP thoroughly deals with the risk to CIS by the small number of employees who commit unauthorised access.”
However, the DWP is understood not to hold details of the number of its own staff caught misusing CIS data.
This morning, a spokesman initially suggested that as the breaches were committed by Council workers they were not the responsibility of the DWP. However, they did promise to get back on the overall security issues which, as the legal data processor, they might possibly have some responsibility for.
full story at The Register
Hospital USB stick found in car park
Article Author: Jennifer Scott
An unencrypted USB stick containing medical records from a secure hospital in Scotland has been found in a supermarket car park.
The records came from the Tryst Park unit at Bellsdyke Hospital, near Falkirk, which treats people over 18 who have severe and enduring mental health problems.
It was found by a 12-year-old boy outside an Asda store in Stenhousemuir and is now back in the hands of the hospital; however, a member of staff has been suspended in relation to the incident.
It is not clear what data was held on the USB stick but reports suggest it contained the criminal pasts of some of the more violent patients as well as details on staff at the unit.
Dr Iain Wallace, medical director of NHS Forth Valley, said in a statement: “We have clear policies in place on the safe use of portable data devices.”
“We are currently assessing the data on the memory stick which has been returned to us, and are in the process of contacting patients and their relatives to offer reassurance and to let them know we are doing everything possible to discover how this incident has occurred.”
This latest NHS data breach comes just a week after the deputy commissioner at the Information Commissioner’s Office (ICO) claimed the NHS was the worst offender when it came to data security.
David Smith claimed the organisation was responsible for a third of all data breaches in the UK – almost 300 recorded over two years – and that it could come under the spotlight from the ICO in the future.
Massive security breach prompts investigation
Article Author: Chris Williams
Exclusive to The Register: Police face accusations of incompetence after accidentally emailing a file detailing the results of thousands of criminal records checks to a Register journalist.
The author of the email at Gwent Police is now facing a gross misconduct investigation and potential sacking over the incident, which came to light this week.