April 3, 2012 9:46 AM | Posted by Roy Hadley | Permalink

This is from the Wall Street Journal:

“Concerns about credit-card security heightened Friday after a little-known Atlanta company disclosed it had been hit by hackers, potentially exposing hundreds of thousands of account holders to fraud.

Credit and debit card processor Global Payments has been hit by a security breach that has put some 50,000 cardholders at risk, Andrew Johnson reports on Lunch Break. Photo: Bloomberg News.

The breach at Global Payments, Inc. is the latest in a wave of data attacks that have heightened consumer concerns about identity theft. The card industry has been particularly vulnerable to those concerns amid a slew of big breaches in recent years as more Americans choose to pay with plastic rather than cash.”

The Wall Street Journal went on to say that “Global Payments didn't disclose what type of data had been accessed, but said it had notified ‘appropriate industry parties to allow them to minimize potential cardholder impact.’”

As these types of hacks continue to escalate, every company should ask, “How safe is our data?”

You can read the Wall Street Journal article here (subscription required).

February 3, 2012 4:29 PM | Posted by Roy Hadley | Permalink

From the Associated Press, as reported by Time.com.

“A sensitive conference call between FBI and British police’s cybercrime investigators was recorded by the very people they were trying to catch, officials and hackers said Friday.

Hacking collective Anonymous published a roughly 15-minute-long recording of a conference call apparently devoted to tracking and prosecuting members of the loosely-knit group.

The FBI said the information “was intended for law enforcement officers only and was illegally obtained.”

“A criminal investigation is under way to identify and hold accountable those responsible,” the bureau said in a statement.

It’s not clear how the hackers got their hands on the recording, which appears to have been edited to bleep out the names of some of the suspects being discussed.”

***

Are your phone calls secure?  What about your email?  Clearly, this story shows that all communications are vulnerable and that precautions should be taken.

What precautions are you taking?

You can read the entire AP/Time article here.

January 16, 2012 10:56 AM | Posted by Roy Hadley | Permalink

Shawn Henry, the FBI's executive assistant director and top cyber official, recently stated in an interview that despite the growing prevalence of cyber crime against companies, most business owners and executives don't think that it will happen to their company. Henry went on to tell of a company that went out of business after $5 million was looted from its bank accounts and of another business that had over decades' worth of research and development valued at over $1 billion stolen, "virtually overnight".

Henry stated that most hackers fit into three broad categories, "namely nation states targeting research and development, intellectual property and corporate strategies of American companies, terrorists who have shown a growing interest in using cyber attacks against critical infrastructure, and organized criminals wielding botnets (or networks of zombie computers) to attack corporate computer networks."

Cyber crime is here and is rapidly growing. What have you done to protect your company? 

You can read more about the interview with Assistant Director Henry here.

January 5, 2012 2:44 PM | Posted by John Watkins | Permalink

As 2011 has come to a close, it may be remembered as the “year of the hack.” Last week, we learned of an attack on Christmas Day that compromised an information security firm, supposedly putting at risk information from the Department of Defense and allegedly exposing 90,000 credit card numbers. This is only the latest in a year that has had one high-profile attack after another. In addition to hacking and data breaches, 2011 also saw a large-scale outage from a well-known cloud services provider, disrupting businesses using the service. We have reported on similar incidents since the inception of this blog.

If you think your business is not at risk, think again. Reflect on how central computers and IT have become even to “old fashioned” businesses. I can remember practicing law without a computer in my office. In those days, you relied on a dictaphone or even a legal pad to compose letters and write legal briefs, and, although our assistants had computer terminals for the mainframe, the good old IBM Selectric typewriter was there in case of a computer failure. Lawyers just a few years older than me can remember when there were no computers, and copies of letters were actually produced on carbon paper.

Read the rest of this post, after the jump.

December 22, 2011 3:05 PM | Posted by Roy Hadley | Permalink

As attacks on corporate networks continue to escalate, we are seeing more and more instances of very sophisticated intrusions.  The recent discovery of the breach of the U.S. Chamber of Commerce illustrates that these types of attacks will continue to progress in both their frequency and sophistication.

It is being reported that the U.S. Chamber might not have been the ultimate target but instead was potentially being used as a gateway to the networks of its members.

What are you doing to protect your networks?  What are your trusted business partners doing? 

Here is more on the U.S. Chamber of Commerce attack as reported at TechTarget.com:

Spear phishing attacks likely key in U.S. Chamber of Commerce breach, experts say

Robert Westervelt, News Director
Published: 21 Dec 2011

A targeted attack responsible for the U.S. Chamber of Commerce breach exploited serious weaknesses in the lobbying group’s security defenses, according to security experts, and could have been a staging ground for attacks on Chamber member organizations.

Investigators have not determined how attackers infiltrated the U.S. Chamber of Commerce, but once in, the attackers stealthily targeted approximately four people involved in the Chamber’s Asian policy affairs, according to a report in the Washington Post.  Experts said that while it’s unclear if spear phishing attacks were involved, they have become the modus operandi of many of the most sophisticated attacks, enabling cybercriminals to gain the initial foothold in an organization’s systems.

“Years ago we used to say people got in through server vulnerabilities, but if we look back at this year of Microsoft vulnerabilities, we see a high majority of them we would classify as client-side bugs,” said Andrew Storms, director of security operations at San Francisco-based vulnerability management vendor nCircle. “Many of these attacks require the user to take some action, but they’re taking advantage of a piece of software that is otherwise silent but the user has activated it.”

The organization learned of the attack from the FBI, and an independent team of forensics investigators said the Chamber’s systems were compromised between November 2009 and May of 2010, though investigators said the attackers may have had network access for more than a year.

You can read the entire TechTarget article here.

December 20, 2011 2:09 PM | Posted by Kevin Erdman | Permalink

When looking at the various legal issues relating to cloud computing, it is important to understand the technical details of the particular storage/service being considered. While all may at some levels seem the same, working out the details of service level agreements, privacy and security provisions, and disaster recovery options requires knowing which of the several new computing paradigms emerging from large commercial clouds is being used.

One prevalent variation involves virtual machine based utility computing environments such as Amazon AWS and Microsoft Azure. On a virtual machine, one must be aware of how and where data is transferred in the processing performed by the virtual machine. Also, the particular potential security vulnerabilities should be addressed, as they are quite different from those of physically secured computing devices. Indemnification may also be a difficult issue because of the ubiquitous nature of determining sources of error.

Another cloud computing variation involves new MapReduce programming paradigms coming from the information retrieval field, which have been shown to be effective for scientific data analysis. In the MapReduce environment, problems are partitioned and de-aggregated by inputs and computation steps into a multitude of sub-problems. Eventually every sub-sub-sub-problem is resolved by a cloud resource, then the solutions are successively combined to create a final solution. As the MapReduce environment dynamically partitions and re-assembles, the actual locations and incidences of transmission are not known beforehand (and may be difficult to determine afterwards in the event of an error).

For any cloud computing project, the location, security and storage of the data may have legal significance, and the underlying cloud computing technology needs to be considered when framing the legal protections.  While a “cloud computing environment” may sound well defined, in many contexts additional disclosures are needed to see if a particular solution is appropriate for the nature of the data.
