Identity Theft Solution


Yesterday, it was announced that McDonald’s Corporation experienced a significant data breach where customer data was compromised via a third-party vendor. Basically, the attackers were able to access the sensitive McDonald’s customer data through a couple levels of subcontractors that manage the company’s email marketing campaigns.

A company called Arc Worldwide manages McDonald’s promotional e-mail campaigns, which as you can imagine are very extensive and customer-data heavy. Well, it turns out that a subcontractor to Arc Worldwide that distributes the actual email campaigns was hacked. So, it was a sub of a sub that was breached. The good news was that no social security numbers or credit card information were stolen.

Full Article…

In the latest aftershock to a massive data breach that took place in 2008, card payment processor Heartland Payment Systems yesterday announced a settlement agreement with Discover Financial Services in which Heartland will pay Discover $5 million.

The drama began Jan. 20, 2009 (coincidentally, the day of President Obama’s inauguration), when Heartland announced that malicious software had compromised its data the year before. Visa and MasterCard had alerted the payment processor of suspicious activity on some of its card transactions. Data exposed through the breach included card numbers, expiration dates, and in some cases, the names of customers who used debit or credit cards at Heartland’s network of 250,000 businesses.

In August 2009, the hackers who perpetrated the data breach, American Albert Gonzalez and two Russian accomplices, were indicted in federal district court in New Jersey on charges that they carried out the largest hacking and identity-theft caper in U.S. his

Full Article…

Welcome to the Monday Morning News Kick Off post on the ITAC blog. As always, we have compiled all the key identity theft, data breach and cyber security stories you need to kick start your week on the right foot. For this Monday, we have a number of different stories ranging from new data breach legislation to a piece about child identity theft.

Child-Identity Theft Increases
Imagine applying for that first job, that first exciting credit card, that freshman-year college loan. Now, don’t. For more young adults, plans and hopes are being dashed because they are unwitting victims of identity theft at the hands of someone they know, usually their parents. It often happens when victims are too young to do anything about it, so it’s a crime that can go undetected for years. Read the full AJC story here.

Conn. AG Wants Teachers Board to Explain Lost Data
Connecticut Attorney General Richard Blumenthal says the state Teachers’ Retirement Board owes its members identity theft protection and an explanation after waiting six months to inform them of a lost flash drive containing retirement data. Blumenthal said Wednesday he is urging the board to give more than 58,000 members identity theft protection for two years and more details of how the drive vanished and exactly what information it contained. Read the full AP story here.

Bill Would Target Data Breaches
Two Senate lawmakers introduced a bill last Wednesday that would require financial institutions, retailers, federal agencies and others to do more to safeguard sensitive information and to investigate security breaches. The bill offered by Sens. Tom Carper, D-Del., and Robert Bennett, R-Utah, also would require these entities to notify consumers when there is a “substantial” risk of identity theft or fraud because of a security breach involving their sensitive information. It would apply to retailers who take credit card information, data brokers who compile private information and government agencies that hold nonpublic personal information, according to a news release. Read the full National Journal article here.

AMR Breach Puts 79,000 Employees at Risk
In one of the largest data breaches in recent months, AMR, the parent company of American Airlines, said it’s in the process of notifying more than 79,000 current, former and retired employees that a hard drive containing their most sensitive personal information was stolen from its corporate headquarters in Fort Worth, Texas. The Associated Press reported the breach earlier this month. AMR (NYSE: AMR) officials told the AP that the purloined drive contained images of microfilm files that stored data such as employees’ names, addresses, birth dates, Social Security numbers and what it described as “limited” bank account information. Read the full eSecurity Planet article here.

Happy Monday!

As we enter 2010 it is clear that companies and consumers alike are not being well-served when it comes to handling data breaches.  From the viewpoint of businesses, the vague, overlapping, and ineffective patchwork of regulations is not only difficult to manage, it actually acts as a deterrent to reporting data breaches.  And for consumers, the lack of clear regulatory oversight means that millions of people are never informed that their personal information has been compromised.

The fact that the Federal Trade Commission (FTC) has delayed the implementation of its Fact Act Red Flags Rules regulations not once, or twice, but three times, sends the wrong signals to compliance officers.  How can regulations be taken seriously if they are delayed over and over again?

The Federal Government’s New HITECH Act, which went into effect on September 23, 2009, strengthens the rules designed to protect the privacy and security of health-related data.  However, vague wording in the regulations written by the Office of Health and Human Services (HHS) has opened the door to under-reporting of data breaches, which will in turn put breach victims at undue risk of medical identity theft.

Further, 45 states now have 45 different data breach reporting laws on the books.  The result of this hodgepodge system makes complying with the law unwieldy for organizations that attempt to put homegrown data breach management systems in place.  (Full disclosure:  my firm does provide an easy to deploy, on-demand compliance solution – but that is another topic for another day.)

Congress has been working on and off for three years on this issue, but to date, it has failed to come up with a reasonable law that would ease the burden on businesses and provide reasonable protections for consumers. Virtually all of the draft bills being bandied about would be weak and ineffective.

The fact is, as Javelin Strategy and Research noted in its research report  published on October 27, 2009, consumers who are victims of a data breach are four times more likely to become victims of fraud.  Data breaches have serious consequences, and should be taken seriously by all concerned.

Here’s hoping that in 2010 both regulators and businesses will be able to come to terms with regulatory standards that are easy to meet, lower corporate risk, and actually help to protect people from identity theft.
