Case 2: Privacy and Security Cases

Disclosure of individually identifiable information can occur deliberately or accidentally and can occur within an organization or be the result of an external breach of security.

Cases on privacy

A Michigan-based health system accidentally posted the medical records of thousands of patients on the Internet (The Ann Arbor News, February 10, 1999). An employee of the Tampa, Florida, health department took a computer disk containing the names of 4,000 people who had tested positive for HIV, the virus that causes AIDS (USA Today, October 10, 1996). A few weeks after an Orlando woman had her doctor perform some routine tests, she received a letter from a drug company promoting a treatment for her high cholesterol (Orlando Sentinel, November 30, 1997).

A banker who also sat on a county health board gained access to patients' records, identified several people with cancer, and called in their mortgages. A candidate for Congress nearly saw her campaign derailed when newspapers published the fact that she had sought psychiatric treatment after a suicide attempt. A 30-year FBI veteran was put on administrative leave when, without his permission, his pharmacy released information about his treatment for depression.

A privacy case on Google

The FTC charged that Google had placed tracking cookies on users' computers, in some cases working around the privacy settings of Apple's browser.

A privacy case on Facebook

A German court ruled against Facebook Inc. over the way it uses members' email addresses to solicit new users. It also ruled that Facebook cannot force users to grant the social network a comprehensive license to their content. Facebook did not adequately explain to users how a feature called "Friend Finder" works; Friend Finder imports users' contacts in order to invite their friends to join Facebook.

A security case on KT

Two people hacked into the network system of KT Corp, leaking personal information on about 8.7 million mobile phone subscribers. Seven others were booked without physical detention on charges of buying the leaked data for telemarketing purposes. Police suspect the telemarketers used the data, which contained personal information on the subscribers, their phones and their monthly plans, to contact customers whose contracts were close to expiring or who were considered likely to change phone plans. Officials estimate the suspects earned at least 1 billion won (US$877,000) from the illegal marketing.

Other security cases in S. Korea

Hackers struck the consumer finance firm Hyundai Capital Services Inc. and the National Agricultural Cooperative Federation, or Nonghyup, early last year, stealing customers' personal data and crippling online transactions. The personal information of 35 million users was leaked in August 2011 in hacking attacks on two popular portal Web sites operated by SK Communications Co., the worst online security breach ever in Korea.

A security case on HPS

How did they find it?

The compromise came through a SQL injection attack on the company's website. Heartland found out about it immediately and thought they had eradicated the malware. Roughly six months later, in mid-May 2008, the malware made the leap from the corporate network to the payment processing network, but HPS did not know that at the time. Two weeks before the date the payment system was compromised, HPS had been approved by its Qualified Security Assessor (QSA) as PCI compliant. In late October 2008, HPS discovered it "might have a problem," based on information provided by one of the major card brands. Three forensics firms hired by HPS analyzed its IT security network; all three said the HPS system was free of malware. In January 2009, HPS staff members found the malware.
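The entry point named above, a SQL injection against a web application, comes down to a query that treats user input as SQL text. The following is an added example written for this page, not code from the presentation or from Heartland: a lookup built by string concatenation beside its parameterized form, run against a constructed in-memory SQLite table. The merchant rows, the function names and the quoted input are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data, not related to any real merchant.
SAMPLE_MERCHANTS = [
    (1, "acme-grocery", "active"),
    (2, "beta-fuel", "active"),
    (3, "gamma-cafe", "closed"),
]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO merchants VALUES (?, ?, ?)", SAMPLE_MERCHANTS)
    return conn


def lookup_vulnerable(conn, name):
    """Weak form: the input is spliced into the statement, so any quote
    character in it changes the SQL that the engine parses."""
    sql = "SELECT id, name, status FROM merchants WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: the driver binds the value as data; it is never parsed
    as SQL, so the statement's structure cannot change."""
    sql = "SELECT id, name, status FROM merchants WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups on a benign name and on a constructed input that
    contains an unescaped quote, and report how many rows each returns."""
    conn = make_db()
    benign = "acme-grocery"
    quoted = "x' OR '1'='1"  # constructed input with a quote character
    return {
        "vuln_benign": len(lookup_vulnerable(conn, benign)),
        "vuln_quoted": len(lookup_vulnerable(conn, quoted)),
        "safe_benign": len(lookup_safe(conn, benign)),
        "safe_quoted": len(lookup_safe(conn, quoted)),
    }


if __name__ == "__main__":
    print(demo())
```

The quoted input makes the concatenated query return every row in the table, while the parameterized query returns none, because the bound value is compared literally and matches no merchant. Reviewing an application for string-built statements, and replacing each with a bound-parameter call, is the check that closes this entry point.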

Action by the company

The company's lawyers recommended a minimal level of disclosure about the breach, but Carr decided against that policy. HPS had a tradition of open communication with employees and customers, and Carr wanted to maintain that policy and share information as fully as possible. "We did a good job of damage control," he said during his October 16 speech. The company paid a heavy price: the stock price fell 78% in the weeks after disclosure, and 5,000 of the company's 250,000 merchants left. HPS was delisted by Visa and MasterCard. Four months later, Visa reinstated HPS.

Lessons learned from the case

"You can't just rely on firewalls." "Knowledge of security threats should not be viewed as a competitive advantage." When it comes to threats, companies should share information with peers and collaborate. HPS did not have an incident response plan in place at the time of the breach; it does now. The malware was able to move from HPS's corporate network to its payment processing system because of "human error."