ZIP Codes Are … PII?!

Mr. ZIP (or Zippy to his friends) was born back in July 1963 and the soon-to-be 50-year-old is finally getting some privacy … in Massachusetts at least.

The Massachusetts Supreme Court recently determined that under Mass. Gen. Laws, ch. 93, § 105(a), “personal identification information” includes a consumer’s ZIP code and decided that collecting such personal information is a violation of state privacy law for which the consumer can sue.

Uncle Sam Has Yet Another Data Protection Bill

The latest attempt at creating a US Federal data protection / data breach notification law was recently introduced in the Senate. The “Data Security and Breach Notification Act of 2012” (S.3333) was submitted by Sen. Pat Toomey (R-PA) with the support of Sens. Olympia Snowe (R-ME), Jim DeMint (R-SC), Roy Blunt (R-MO) and Dean Heller (R-NV).

Change Your LinkedIn Password – Now!

LinkedIn – the online professional networking site which I suspect many Optimal Security blog readers use – has apparently been hacked, resulting in something like 6.5M SHA-1 hashed passwords being posted on a Russian hacker site. This evolving situation will certainly be updated throughout the day (and beyond), so I don’t want to recap the facts as we know them at the moment.

Illinois’ New Data Protection Law

News today, courtesy of Brendon Tavelli at Proskauer’s Privacy Law blog via the always excellent Office of Inadequate Security, of a new data breach notification bill just signed by Governor Pat Quinn of Illinois. Interesting to me both personally (Go Illini!!) and professionally, this bill (HB 3025) amends Illinois Public Act 097-0483 (the Personal Information Protection Act) and brings the state in line with a small but growing number of states which mandate what information must be contained in a breach notification as well as the cooperation between the “data collector” and anyone holding or storing the data.

Key Steps to Navigate Around New Facebook Privacy Settings

What’s all the fuss about the latest changes on Facebook? Simply put, the changes mean that nearly everything that you place on your Facebook page can now potentially be made available to anyone surfing the Internet.

The latest Facebook changes are purported to be an enhancement to make the social networking site easier for people who are looking for you using a search engine like Bing or Google to find you on Facebook. 

Sesame Street Simple Facebook Guide to Surviving Malicious Attacks

It certainly seems that not a week goes by without hearing about yet another attack on Facebook users. Last week it was a phishing scam driven by a botnet, and this week, we have two new and different phishing scams — one cleverly tricking users into revealing their passwords and another installing malware that quietly waits for the user to start a banking transaction only to steal their login credentials.

Where the Money Is

Willie Sutton is reputed to have said (although he didn’t, actually), when asked why he robbed banks, “Because that’s where the money is.” So, we’re not really surprised to learn that a new scam is on to liberate the contents of ATMs, and by more sophisticated means than the skimmers I’ve written about previously.

Beware of ATM Card Skimmers

I ran across an interesting post in the Consumerist about a guy who found a card skimmer attached to his local ATM. Apparently, he was alert enough to notice that something wasn’t quite right, and pulled it right off the machine … and discovered that it was designed to read the info off a card as it was being inserted,

Healthcare 2.0? The Security Skinny on Obama’s Stimulus Package

On Tuesday February 17th, President Obama signed the economic stimulus package that carves out $19B for modernizing health information systems. The transition from paper to electronic or e-records in the healthcare industry has been happening for some time. Although in small numbers, the process has been slow to ramp up based on technology considerations and the know-how needed by the organizations’ staff to work the new systems.

Heartland Data Breach: A Wish List from a Customer Whose Loyalty may be Waning

The reported number of institutions impacted by the Heartland Payment Systems data breach continues to increase – it has already affected over 600 financial institutions. While we’ve heard plenty about the number of those impacted and have looked at the malware used to conduct this breach – what hasn’t been discussed is the impact from the customer perspective.

The People in the Equation: Avoiding Malicious Scam Sites

Here’s another entry in one of my fundamental observations about computer security: in the end, it comes down to applying human intelligence.

A friend who works in the banking industry pointed this lovely advert out to me …

Needless to say, this made it onto the pages of,

Transparency in a New Threat Environment

The last couple of weeks have been troubling, albeit not entirely surprising, to those of us in the security field who closely follow high-impact security breaches.

On January 20 credit card processor Heartland Payment Systems announced a massive external breach of its systems that is shaping up to be one of the largest exposures of personally identifiable information ever.
