Corporate identity theft has been around since the first phishing email hit an inbox. Every phishing email that falsely claims to be from an enterprise is in fact a form of corporate identity theft as the phisher is trading on the identity of the victim corporation as part of the underlying fraud. For years, mirror web sites and emails of corporations have been set up to induce individual victims to provide PII. Corporate identity theft is nothing new – we’re just seeing variations on a theme that are now garnering attention.
BTW–While the West Virginia case is an example of corporate identity theft, the Virginia case is not. The Virginia case is straight extortion aided by hacking to obtain the information allegedly held hostage.

There are so many security gaps on the state government level. Let’s hope the Administration’s plan deals with cybercrime in our own backyards.

Strong Business and Security Policies in an organization is where the solution starts and then backed by the right technology for access management enforcement. There is no quick fix but with the right solutions and a well planned out architecture, the mitigation for risk is available. The problem I see in many organizations is lack of support at the executive level to allocate resource and funding.

WEST Virginia? Please.

Yup, they’ve got great white water rafting, their infrastructure should be so good. BTW, the Treasury’s bureau of public debt is based in Parkersburg, WV. Feeling any better?

From Linked-In:

f attackers are getting into a system via application gateways (which are the target of choice nowadays) then the vendors need to take responsibility for securing their programs. I’ll let the rest of you debate just how customers might make that requirement known to vendors.

If attackers are exploiting bugs or holes in the operating system itself, then there is only one solution: stay up to date with patches. Microsoft is known to delay critical security patches (see [http://blogs.pcworld.com/staffblog/archives/005658.html|leo://plh/http%3A*3*3blogs%2Epcworld%2Ecom*3staffblog*3archives*3005658%2Ehtml/oB17?_t=tracking_disc ] amongst others). Obviously, for an organization that wants to be proactive about security — and who doesn’t? — there are only two solutions: put pressure on the OS vendor, or fix the problems yourself (ie. third-party support).

Fixing the problem yourself is practically impossible without source code. And if an organization is using Windows, they are unlikely to be able to bring enough pressure to bear against Microsoft (look at the million-dollar-a-day fines imposed by the EU and Microsoft’s attitude). Nor will such an organization spend the $$$ on a source license for the Windows code base and try to fix it themselves. One other route is to switch OS vendors. (I’m sure you can see where this is going.)

Choose a vendor that doesn’t lock you in to their platform. Instead of choosing .NET and being forced to use Windows, choose Java and enjoy cross-platform applications. Instead of choosing Windows, choose Linux and enjoy free source code — should your vendor not produce a patch quickly enough for your needs (very unlikely in the Linux environment) hire your own programmer and have them fix it. In addition, it’s the Linux community that is pushing the envelope in R&D, not Windows.

Take a look at top500.org to see which operating system the largest systems in the world are running. As of 11/2008, Linux in some form is on 454 of the top 500 systems.

Computer security requires staying ahead of the bad guys. One way to do this is to patch systems quickly when a vulnerability is found and to do so frequently (don’t wait until the first Tuesday of the following month). If your vendor doesn’t support your security efforts, should you support that vendor?

Identity theft is now arising in number of victims. People who buys and uses their credit cards over the internet have a major problem in identity fraud. Help yourself in protecting it against identity theft. You can still survive even being a victim of this crime.

From Linked-In:

Unfortunately this is not something that is on the rise and has been a huge problem for some time especially for the banking industry. It is only a big deal and a major problem now and getting awareness because of the notifications. The businesses have always been and still are on their own to fight the problem unlike consumers who have outlets that can assist them.

There are many tools that provide security against identity theft. However, organizations are slow to change, and in most cases do not act until a disastrous leak happens or a malicious intrusion is detected that could have been catastrophical.

Let’s be very clear. Cybercriminals have become more sophisticated in their abilities and tactics than ever before. Data breaches are possible anywhere, anytime, and blaming any particular state or entity for a compromise is akin to blaming a rape victim for an attack. Stating that “their infrastructure should be so good” assumes that all other states have better infrastructure and procedural security than WV. Personally, I doubt that is the case.

Instead, it would be more productive to focus on 1) tightening regulations around how data is maintained and secured, 2) removing the loopholes that permit exceptions to adherence with these regulations, and 3) applying for jobs with beleaguered government entities.

Yes, that last was on us as a security community. Let’s focus on how to help government achieve better security, rather than on vilifying it for a breach that could happen to any organization.