<![CDATA[Consumerist: Data Theft]]> http://cache.gawker.com/assets/base/img/thumbs140x140/consumerist.com.png http://consumerist.com/tag/data theft <![CDATA[ Data On Over 40,000 Patients Stolen From NYC Hospital ]]> The New York Times is reporting this morning that an unnamed employee stole personal data on over 40,000 patients from NewYork-Presbyterian Hospital/Weill Cornell Medical Center. The theft "occurred over the past several years and included patients' names, phone numbers and Social Security numbers." As we've come to grimly expect in these cases, the hospital was made aware of the theft in January, and announced it publicly on Friday after an internal audit. "We obviously deeply regret that this has happened," said the hospital's spokeswoman, Ms. Manners. She also said that investigators are "looking into the possibility that the theft could be part of a larger criminal scheme."

"Patients' Data Stolen, Hospital Says" [New York Times]
(Photo: alexstaubo)

]]>
Sat, 12 Apr 2008 13:28:08 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=379107&view=rss&microfeed=true
<![CDATA[ Red Card! MLSGear.com Shoppers Exposed To Identity Theft ]]> Computerworld is reporting that "a series of SQL injection attacks" on a third-party e-commerce company's servers has compromised the personal data of customers who shopped at Major League Soccer's MLSgear.com website. One affected customer told us he received a letter from MLSgear.com letting him know what had happened and offering him free credit monitoring services for a year, which is apparently the standing corporate response to personal data theft.

Bob writes:

I purchased a shirt from MLSGear.com a few months ago. I just received a letter from Mark Abbott, President of MLSGear.com letting me know that their third party ecommerce vendor got hacked and my data may have been accessed...or not.

Anyway, it seems they canned their third party ecommerce vendor, and they are offering free credit monitoring services for the next year.
I wish my data was not compromised to begin with, but I will take the monitoring service. I am glad they are standing up and taking the responsible action. (would they if there were no laws?)

As security breaches go, this one hit a small number of people—169 New Hampshire residents according to the article—but "security analysts expect such attacks to become increasingly common because a large number of Web sites are vulnerable to them."
In recognition of that, the major credit card companies in July will begin requiring retailers and other merchants that accept payment cards to either install a firewall in front of all Web-facing applications or submit custom application code to an outside security firm for a vulnerability review.

"Soccer league's online shoppers get kicked by security breach" [Computerworld]

]]>
Tue, 12 Feb 2008 18:28:15 EST Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=355723&view=rss&microfeed=true
<![CDATA[ Consumer Agency IT Pro Admits To Stealing 8.4 Million Records ]]> A senior database administrator for Fidelity National Information Services, a widely used banking technology and data provider, has admitted that he stole 8.4 million customer records from the company and sold the data to a broker, who in turn sold them to marketers. He could face up to 10 years in prison but will probably get less because he confessed. We think he should have to open, read, and shred every piece of junk mail that his victims receive for the next, oh, say 10 years instead.

According to The Register, for once this doesn't appear to be a fraud-based crime:

The company [Fidelity] is unaware of any identity theft or fraudulent financial activity resulting from the theft. Rather, it believes the stolen records were used for marketing purposes.
Really, are mailing lists that expensive to buy?

"IT pro admits stealing 8.4M consumer records" [Channel Register]
(Photo: Getty)

]]>
Thu, 06 Dec 2007 18:28:21 EST Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=331027&view=rss&microfeed=true
<![CDATA[ Lots Of Retailers Don't Use Proper Wireless Security ]]> The recently reported TJ Maxx security breach—where data on 94 million credit card accounts was stolen in 2003, 2004, and 2006—has ended up costing the company $200 million and counting. But although it's the biggest example so far of retail data theft, TJ Maxx isn't the only retailer doing a poor job of keeping sensitive data protected from hackers. One wireless security vendor recently surveyed thousands of stores and discovered that a significant number of retailers don't practice good wireless security:

According to AirDefense, about 85% of the 2,500 wireless devices that it discovered in retail stores, such as laptops and barcode scanners, were vulnerable to wireless hacks. Out of the 4,748 access points that were monitored for the survey, about 550 had poorly named SSIDs that could give away the store's identity.
A lot of point-of-sale devices were found left in their default configurations, and out of 3,000 stores, about a quarter of them were using no wireless protection at all, while another quarter were using the easily-broken WEP encryption method.

An analyst points out that AirDefense has a business interest in finding and pointing out security holes, but that doesn't make the findings imaginary. Even the analyst admits it's a real problem in retail today:

"Wireless security continues to be the major hole that allows criminals access to retailer systems," she said. "It's very difficult to lock it down" for retailers.
"What retail wireless security?" [ComputerWorld]
(Photo: Getty)

]]>
Thu, 15 Nov 2007 21:38:58 EST Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=323468&view=rss&microfeed=true
<![CDATA[ Gap Says Laptop Containing Job Applicant Data Stolen ]]> Gap is disclosing that a laptop filled with job applicant data has been stolen. The laptop contained the personal information of 800,000 job applicants, including social security numbers.

What are the odds that the Gap takes this "very seriously?" Let's find out:

"Gap Inc. deeply regrets this incident occurred. We take our obligation to protect the data security of personal information very seriously," Gap CEO Glenn "Stop The Bleeding" Murphy, said in a statement.

While they're taking it seriously, you should be paying attention to your credit report if you applied online or by phone for store positions with the company's Old Navy, Banana Republic, Gap and Outlet stores from the United States, Puerto Rico and Canada between July 2006 and June 2007.

The Gap has declined to divulge the name of the firm that lost the laptop. The Gap thinks that the data was not the target of the theft, and that someone just wanted a new computer.

Gap is offering a year of free credit monitoring services and fraud resolution assistance, along with a 24-hour help line at 1-866-237-4007.

Gap: Stolen laptop has data of job applicants [CNNMoney]

]]>
Fri, 28 Sep 2007 18:41:41 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=305043&view=rss&microfeed=true
<![CDATA[ UPDATED: "NSA" Allows You To Search And See If You're A Terrorist ]]>

And just in time for the 5th anniversary of September 11th comes yet another database for hackers to play with, this time courtesy of NSA. That's not the National Security Agency. The National Surveillance Agency, whose motto is "Extractum Quislibet Infideli."

Suspect someone of being a no good terrorist? Just go on over to NSATT.org and type their name and state in. You will then be able to search through the NSA records to see if they are likely to be baby killing Islamic fascists. You can also find out their full address (handy!) and the first five digits of their social security number. The last four have been blocked out for the prospective terrorist's security, leaving a mere 10,000 possible combinations to brute force your way through.

I decided to play around with it.

I tried typing in my name. Luckily, my family is not suspected of terrorism, despite numerous trips I've made to the Middle East. I tried Ben's name. Surely, he's a terrorist. But I was disappointed. I tried Gina Trapani of Lifehacker — without a doubt, the sweetest girl in the entire universe. No dice. But then I set my sights higher and tried Gawker overlord Nick Denton.

(Image: dentonsecurity.png)

Holy crap! Now, I have no idea if this is the Nick Denton. But it certainly raises some startling questions, doesn't it? Is The Consumerist a terrorist front? Am I, unwittingly, a member of Al Qaeda?

The answer to all these questions, of course, is no, followed by "don't be retarded". 8 emails and 9 phone calls over a 6 year period to people who happen to be Native Muslims does not a terrorist make, let alone make them a "high terrorist threat."

This strikes me as a security and privacy nightmare. And, of course, there's no link at all to remove yourself from being searched by anyone with a mind to. Of course, there is a link to report someone as a terrorist. Handy, that.

I'm not sure what's worse: the government quantifying our terrorist threat level by phone calls and emails to Arabs, or then allowing anyone to just happily search through the results and try to hack it. But then a larger question emerges: is this site even affiliated with the government? According to the website, no. "The Agency is an independent, non-government organization and is in no way affiliated with any branch of any government or any company that provides telephone or telegraph communications services." So how the hell are they getting their information?

Are you or a loved one a filthy terrorist, according to the NSA? Do you have any idea what's going on here? Let us know in the comments.

UPDATE: Okay, yeah, totally fake. Which actually makes it a lot more entertaining.

]]>
Mon, 11 Sep 2006 06:40:51 EDT consumerist.com http://consumerist.com/index.php?op=postcommentfeed&postId=199671&view=rss&microfeed=true
<![CDATA[ Hey Consumerists! Get Blacklisted By The Chargeback Bureau! ]]> Welcome to the consumerist blacklist, Dalton Trumbo!

Consumer Affairs is reporting that ChargeBack Bureau, a company that lives by the motto "the customer is always right," is selling itself as a blacklisting service to merchants. Its aim is to help companies deny service to customers who have denied credit card charges in their database. "Know your customers before you sell them something!"

Like all databases, it's a Russian hacker's wet dream: it contains names, addresses, emails and past transactions. This, of course, is generated without customer consent. But at least you get an email saying you've been entered into a negative customer database! Naturally, there's no obvious way at the website to get your name out of the database... but as an honest customer, that's nothing you need to worry about. Right?

They even claim to be able to "give merchants the location of the IP address from which an order is made!" Fun! They are also kind enough to share their database with credit agencies.

It's a beautiful service. After all, challenging a credit transaction is your legal right... but now, finally, companies have a way of getting back at you! We wonder how long it will take for them to expand their services to cover customers who cause other kinds of trouble.

If you see the banner to the right on a site you're considering buying from, steer the right fuck clear. It means the company you're thinking of ordering from is going to try to extort you if a transaction goes south.

"Blacklist" Helps Merchants Spot Assertive Consumers [Consumer Affairs]

]]>
Fri, 16 Jun 2006 15:37:24 EDT consumerist.com http://consumerist.com/index.php?op=postcommentfeed&postId=181383&view=rss&microfeed=true
<![CDATA[ The News; Rich, Creamy, Lung Cancer ]]>
• The last bowl of payola, overturned. Spitzer for el Presidente! [NYT]
• Alternate headline: Chevron agrees to be as good as 7-11. [LAT]
• Avoid these 6 airlines. [CT]
• That's one way to get them to stop losing data. [LAT]
• Gates, denouement, still looks like a doofus. [NYT]
• Nothing says I love you like asbestos. Too bad the candygram is belated. [NYT]
• It's gonna be a long spanking for Fannie Mae. [NYT]
• Nation's factories prescribed Cialis. [NYT]

]]>
Fri, 16 Jun 2006 11:50:58 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=181273&view=rss&microfeed=true
<![CDATA[ Man Fights Identity Thief and Wins ]]> Imagine getting mugged in LA and having your social security card stolen. It might not seem so far-fetched that its number would be used to graft an identity onto an illegal alien. But what might be a surprise is if, years later, the guy's still walking around with your name and you go to the car lot, they run a credit check, and not only does the guy have several cards in your name, he has way better credit than you do!

That's exactly what happened to Elixeo, back in the day, before anyone took identity theft seriously. Thanks to a little creative people engineering, though, he was able to send that bandito packing. Find out how, after the jump...

Elixeo writes:

"A few years back, long before identity theft was so prevalent I was mugged in Los Angeles. It was a pretty traumatic experience. I had been out at my favorite club and rather than drive home I decided to take a bus. While I was waiting for the bus a car stopped and offered me a ride. It was a stupid thing to do but heck I was drunk so I decided sure why not. As soon as I got in they pulled a knife on me and told me to stay calm. They drove me to an alley, told me to empty my pockets and hand over my suit jacket and then lie flat on my stomach on the pavement. I did as I was told and when one of the guys caught me trying to get a look at their license plate he charged me with the knife and I took off running. As I said it was pretty traumatic but a friend talked me into going back to the scene of the crime to see if we could find anything. I was resistant but agreed. I was shocked to find my suit jacket and my wallet with all my credit cards and driver license still in it! All that was missing was my money or at least that was all I thought was missing. It wasn't until months later I discovered the seriousness of what it was they got away with. I had filed my income tax and received a letter from the IRS stating that I could not file two tax statements and that if my intention was to file an amendment I would have to complete different forms. Still clueless to what was going on I called the IRS. The woman I spoke to researched the situation and advised me that they had received my and my wife Guadalupe Flores' statement in February. I informed the young woman that I was not married and that I had not in fact filed the tax statement. As I was explaining that my statement was the valid statement it occurred to me that the item that was missing from my wallet other than my money was my social security card. Back in those days I think it was fairly common for someone to carry their Social Security number in their wallet.

I explained to the lady what I believed had transpired and she stated that she would make a note of it and move the bogus tax record out of my history and process my form. I asked her if she could provide the address from the bogus tax form so I could report the person to the police and she explained that it was confidential information. I was incredulous. If the record was supposedly mine why couldn't I have the information. She explained that she now knew it was not my information and therefore she could not divulge it. I then asked if they planned to pursue the person and report the incident to the police. She explained that they did not have a procedure to do such a thing and that if I wanted to report it to the police I was welcome to.

So I called the police and explained the situation and they explained that without information on who and where the person was they couldn't do anything about it. The officer I spoke to at the time agreed that stealing something was illegal but he wasn't sure how to pursue the use of someone else's social security number. I was flummoxed.

I contacted the IRS again and asked if I could have my SS# changed. The woman I spoke to was sympathetic but she confided that I was just asking for trouble. She explained that she had seen situations where for various reasons individuals changed their SS# and it was nearly impossible to sort things out when it came time for them to claim social security benefits. Although the funds from the old SS# were supposed to be transferred to the new one it never went as it was supposed to so it was her recommendation that I just leave things as they are.

Now here is the real twister to the story. The guy using my social security number was a model citizen (or model illegal citizen). I mean the guy filed his taxes every year and he usually beat me to it. Oh yes, by the way, each year I would file my taxes and each year I would have to go through the entire thing all over again. This went on for four or five years. As I said identity theft was not all that common at the time so no one was willing or able to help me and believe me, each year at tax time I would try all over again (the whole thing started around 1984).

It finally got resolved in a very unusual manner. I was purchasing a car and the dealership was running a credit check on me. I hung out in the parking lot looking at cars while he did his thing and in a relatively short period of time he came rushing out exclaiming what an excellent credit rating I had and how it was one of the best he had seen. Needless to say I was flattered and then he said "the real clincher is that you have worked at Such and Such Hardware store for the last 8 or ten years" or something like that. He was holding the printout in his hand and I quickly reached for the paper as I asked if I could look at it. I must have had an odd look on my face because he suddenly got suspicious and snatched the print out away. "Why? What's wrong?" he asked. Nothing really, I just want to see it I explained. He wasn't entirely buying it and he said something about how he wasn't supposed to let me see it but he grudgingly obliged. I looked at the sheet and was floored to see that in addition to Mr. Flores filing taxes in my name he also had a number of credit cards with exceptionally high limits and excellent payment history. This guy actually had better credit than I did! I saw that he worked at a Hardware store in Los Angeles ( I had since moved to Santa Barbara). I took my new car home and although I was excited about the car I was even more excited about finally tracking this guy down! I briefly toyed with the idea of charging a few things on some of the cards he was managing and see if he would pay. It occurred to me that he was such a model citizen that he would probably report me and I would end up in jail.

When I got home I called the Hardware store and asked if Elixeo Flores was there. They said yes and asked if I wanted to talk to him. I said no, thanked the person and hung up. I then called the police with the information. I won't go into the detail of that conversation but essentially what they said was that they couldn't help me.

So after thinking about it for awhile I called the Hardware store and asked to talk to the owner. I explained to the gentleman that the person in their employment was not in fact Elixeo Flores but someone else using my social security number. I explained that he must be a valuable employee since he worked for them so long and that it was in everyone's best interest for him to cease using the social security number and not pass it on to anyone else or I would see to it that he was put in prison for tax fraud and eventually deported. The owner assured me that all would be taken care of and to my good fortune he was right.

The following year I was able to file my taxes without incident and a credit review confirmed that all of the other credit cards had been terminated. As awful as the experience was I can't imagine how much worse it could have been if the person using my card had not been as conscientious as he was.

Elixeo F"

]]>
Fri, 09 Jun 2006 11:20:12 EDT popkin http://consumerist.com/index.php?op=postcommentfeed&postId=179603&view=rss&microfeed=true
<![CDATA[ Thunder Before The Storm? Another Citibank Account 'Compromised' ]]> Buckle yourselves in, boys and girls. Is this email we just received from Kate H. the first rumbling of another massive slate of Citibank security breaches?

This morning, I got a VM from CitiCard asking me to call in regarding a security problem with my card. Not trusting a random VM, I went to the Citi website and called the number for reporting fraud. Turns out the VM was legit. My card has been "compromised" - employees can't tell me why, of course - and I'm getting a new card and new account. They are over-nighting the new card to me. Was told by customer service rep that she had dealt with "several" calls like mine today.

There is no fraudulent activity on my account.

Why won't Citi tell us where the breach occurred? If certain retailers repeatedly cause these breaches, I'd like to know so I can avoid using my card there in the future. If Citi causes them - I'd like to know that too.

We don't want to jump the gun here: this could just as easily be a merchant whose computer was stolen. Still, we get twitchy when the words "Citibank" and "compromised" are put in the same sentence. If this is another massive security breach, we want to be in on the ground floor.

Any other Citibank customers who have had their cards compromised? Mail us.

]]>
Thu, 01 Jun 2006 21:42:22 EDT consumerist.com http://consumerist.com/index.php?op=postcommentfeed&postId=177857&view=rss&microfeed=true
<![CDATA[ Verizon Loses Laptop With Employee Records ]]> Another day, another major American company loses the confidential information of millions of customers or employees.

In this case, it's Verizon again. Fresh from their 2005 adventure in allowing customers to view other customers' records through their website, the company has had two laptops housing an undisclosed number of employee records stolen. Employees were notified on March 1st, but there's no word yet on when the thefts actually took place. We hope it was more timely than McAfee's recent disclosure of employee records loss, where they sat on news of the theft for three months until an internal investigation was completed.

What is going on with companies that we trust to keep our transactions and personal details private time and time again betraying that trust with their own incompetence? Does the slate of news stories about record theft and loss indicate a long-standing problem that is simply being reported more now? Or does it indicate that companies, entering a new age of technologically savvy thieves and online commercial transactions, are simply not up to speed on how to do business in this new world?

What do you think? Let us know in the comments.

Link: Laptops Containing Verizon Employee Data Are Stolen
Related: McAfee Loses Employee Data in Airplane Seat Pocket

]]>
Fri, 10 Mar 2006 05:22:43 EST consumerist.com http://consumerist.com/index.php?op=postcommentfeed&postId=159550&view=rss&microfeed=true