Dear OPM – Thanks for exposing my data!… “Clean up your own backyard!” (Elvis) October 20, 2015
Posted by Chris Mark in Uncategorized. Tags: Breach, Chinese, compromise, cyber, Data, Elvis, FISMA, hack, Menendez, OPM, SF86, Target
Let me start with Elvis’ “Clean Up Your Own Backyard”:
“Back porch preacher preaching at me
Acting like he wrote the golden rules
Shaking his fist and speeching at me
Shouting from his soap box like a fool
Come Sunday morning he’s lying in bed
With his eye all red, with the wine in his head
Wishing he was dead when he oughta be
Heading for Sunday school
Clean up your own backyard
Oh don’t you hand me none of your lines
Clean up your own backyard
You tend to your business, I’ll tend to mine”
Today I received a letter from the United States Office of Personnel Management (OPM) informing me that my personal data had been stolen in a data breach. As a quick reminder, the OPM was the victim of a major data breach in which the personal information of over 22.4 million current and former federal workers and military members was stolen by the Chinese government, although the Obama administration did not formally accuse Beijing.
The breach was finally disclosed by the OPM in June 2015 but began in March 2014. So what was stolen? According to the report I received today, it included (ready for this): 1) Social Security number, 2) full name, 3) address, 4) education history, 5) employment history, 6) information on my dependents and close family, and 7) my SF86 from when I applied for my security clearance, among other data. For those who are unaware, the SF86 is a 127-page document titled “Questionnaire for National Security Positions” that asks questions about every aspect of a person’s life, including 1) friends’ names, 2) emotional and psychological health, 3) use of alcohol and drugs, 4) financial issues, 5) affiliations with groups, and more! This information is far more personal and sensitive than a Social Security number alone.
I find it amusing that, within two days of Target’s notification that it had been victimized by criminals who stole millions of credit card numbers, the “Honorable” Senator Menendez (D-NJ), a sitting US Senator (and “back porch preacher” who is now under criminal indictment), would deride Target and ask whether the “…FTC has the teeth to hold retailers who failed to protect consumers’ information accountable.” He then continued: if a company doesn’t invest in security to ensure customer data can’t be stolen, “then you have to question why a company would not do that.” The Target CFO would be forced to APOLOGIZE to the US Congress for security ‘failures’, yet when the OPM is breached, the US Government distances itself from any liability. This is the standard response whenever the federal government fails: it simply denies that it failed. According to OPM spokesperson Samuel Shumach: (more…)
“Failed State of Security” Part II; Cybercrime Victim Blaming May 18, 2014
Posted by Chris Mark in Uncategorized. Tags: causality, cause, Chris Mark, compromise, crime, cybercrime, data breach, deterrence, hack, PCI DSS, security, Target, theft, victim blaming, victimization
I am proud to release another research brief, Part II of my “Failed State of Security” series, in which I discuss and analyze victim blaming in the context of data security. In 2012 I published a research brief titled “A Failed State of Security: A Rational Analysis of Deterrence Theory and The Effect on CyberCrime,” in which I discussed the failure of law enforcement and cybersecurity to deter cyber events, the theory of deterrence, and the need for deterrence within cybersecurity. You can download that article on IDGA’s website or on my own website here. This paper is Part II of the series. Although it was started after the Target data breach, the topic is one that has always been close to me. In April 2009 I wrote an article titled “Lessons from the Heartland Breach,” which was published as the cover story of TransactionWorld magazine.
Victim blaming is common in sexual assault cases, as well as in other types of crime. A quick Internet search will turn up scores of instances in which the victim of a violent crime is blamed for being victimized. When the victim is a large corporate entity, it becomes even easier to point the accusatory finger at the organization. Whether due to Schadenfreude or some other reason, people want to blame companies that are victimized by hackers. Did the company “cause” the breach? Were they somehow complicit in the attack? What do we mean when we say “cause”? What is a causal fallacy? These, and many more topics, are discussed in Part II of the “Failed State of Security” series. I invite you to download “Failed State of Security Part II: Victim Blaming in Cybercrime.” As always, I welcome any comments or debate on the topic…
With Privacy the Sum May Be Greater than the Parts February 17, 2012
Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management. Tags: Chris Mark, data protection, mark consulting group, markconsultinggroup.com, privacy, Target
Information security can be described as the protection of data, while privacy is defined as the appropriate use of data. Volumes of data are collected on all of us every day. Some of that data we voluntarily provide in exchange for additional benefits and services (airline mileage programs and loyalty shopper programs, for example). Other data we provide unknowingly, such as our shopping history. Regardless, we expect the custodians of the data to use it appropriately and maintain our privacy. Unfortunately, companies’ pursuit of profit sometimes leads them to walk a very fine line where privacy is concerned. The following is an example in which a company arguably violated the tenets of privacy while possibly not violating any laws.
According to a recently reported story, Target figured out from her shopping history that a teenage girl was pregnant and inadvertently told her family. The end result is that 1) Target knew (statistically, it is right 90% of the time), and 2) Target, by sending pregnancy-related coupons to the girl, informed her family that she was pregnant without her knowledge or consent. Here is how it happened. (more…)