In a bizarre twist, Gonzales was purportedly on the U.S. Secret Service pay roll — making $75,000 per year — as an informant. Wow. We all know that the Intelligence Community often needs to be “in bed” with shady characters, but this one takes the cake. Our big question was Gonzales on the pay roll when he committed these data breaches? Could this mean that the Secret Service helped fund his criminal activity?

Regarding the Gonzales sentencing, as part of our outlook for 2010, we anticipated longer sentences for identity fraud criminals. Gonzales offense was enormous, hurting many victims and expending countless law enforcement resources. We advocate they throw the book at him.

We welcome any thoughts and feedback.

U.S. Cybersecurity Czar Says “There is No Cyberwar”
Obama’s new cybersecurity czar doesn’t much like the term “cyberwar,” calling it a “terrible metaphor” and a “terrible concept.” But just in case his dislike of the term didn’t get through, Howard Schmidt flat-out stated that “there is no cyberwar” during a Wired interview at the RSA Security Conference in San Francisco. Schmidt noted that the real cybersecurity threats are online crime and espionage. His words seem to stand in contradiction to a statement last week by Michael McConnell, former director of national intelligence, who told Congress that the U.S. was already in the midst of losing a cyberwar. Schmidt seemed more than willing to downplay McConnell’s Cold War mentality. Read the full Popular Science article here.

Homeland Security Chief Napolitano Seeks Citizen Cybercrime Fighters
Uncle Sam wants to recruit you to help fight cybercrime. Department of Homeland Security Secretary Janet Napolitano is calling on anyone with good ideas for boosting public awareness about the importance of making the Internet safer to step forward. “We are challenging our nation’s best and brightest to utilize their expertise and creativity to devise new ways to engage the public in the shared responsibility of safeguarding our cyber resources and information,” she said. Read the full USA Today article here.

Heartland Breach Still Hitting Banks
Around 5000 First National Bank of Durango customers have been unable to use their cards in stores, although they can still withdraw cash at ATMs. In a notice on its Web site, the bank says: “Please be aware that as a result of a security breach at Heartland Payment Systems that occurred over a year ago, debit cards issued by the First National Bank of Durango may have been compromised.” The warning continues: “It is important to note that there was not a security breach at First National Bank of Durango, our systems remain secure. The breach occurred at a 3rd party processor. Read the full Finextra article here.

Westin Hotel in LA Reports Possible Data Breach
People who stayed at the Westin Bonaventure Hotel & Suites in Los Angeles last year and used their credit or debit card to eat there should keep a close eye on their bank statements. Hotel officials disclosed Friday that the hotel’s four restaurants, along with its valet parking operation, may have been hacked at some time between April and December, disclosing names, credit card numbers and expiration dates printed on customers’ debit and credit cards. The Westin Bonaventure is in L.A.’s downtown financial district, near the Los Angeles Convention Center and the Staples Center. Read the full Computerworld article here.

Are You Sure You’re Prepared for a Data Breach?
We’ve all seen the sobering stats: Nearly 500 major data breaches have been reported in the United States since the beginning of 2009, impacting more than 220 million records. And that doesn’t even account for the many breaches that weren’t publicly reported. So chances are that your company will be hit by a breach, if it hasn’t already. In fact, some would say it is almost as inevitable as the finger of blame being pointed squarely at you, the company’s senior security professional and chief scapegoat, when a breach strikes. Read the full SC Magazine article here.

BBB Small Business Advice: Reduce the Damage Done by a Data Breach
While the volume of data breaches declined in 2009, data breaches at businesses—as opposed to the government or non-profit sector—are on the rise. Better Business Bureau recommends that small business owners take steps to protect their data and also develop a plan of action in order to react quickly and reduce the damage if a data breach does occur. There were more than 498 reported data breaches in 2009, according to the Identity Theft Resource Center. While this is an improvement from the 657 breaches in 2008, unfortunately, the share of data breaches occurring in the business sector, specifically, increased to 41 percent. Read the full Better Business Bureau post here.

Happy Monday!

Leader of ID Theft ring That Ensnared Bernanke Gets 17 Years
A ringleader of a $1.5 million identity-theft ring that left Federal Reserve Chairman Ben Bernanke as one of its victims has been sentenced to 17 years in prison and ordered to pay back $1.4 million. Leonardo Zanders paid pickpockets and professional office employees to steal identifying information that he and others used to steal cash from bank accounts, authorities said. One of those pickpockets grabbed a pocketbook from Bernanke’s wife at a D.C. Starbucks. He then used her driver’s license and checkbook to cash $900 in checks from their bank account. Read the full Washington Examiner article here.

Survey: Data Breaches From Malicious Attacks Doubled Last Year
Data breaches at U.S. companies attributed to malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than breaches caused by human negligence or system glitches, according to a new Ponemon survey to be released on Monday. The incidence of malicious attacks rose from 12 percent in 2008 to 24 percent last year, according to the 2009 Annual Study: U.S. Cost of a Data Breach survey conducted by the Ponemon Institute and sponsored by PGP Corp. The cost per compromised record involving a criminal act averaged $215, about 40 percent higher than breaches from negligence and 30 percent higher than those from glitches, the survey found. Read the full CNET article here.

Heartland Moves to Encrypted Payment System
Responding to its widely reported and massive data breach that took place a year ago, Heartland Payment Systems will be moving to an end-to-end encryption system for payment transactions, according to Chairman and CEO Robert Carr. “End-to-end encryption is a good way to mitigate the risk of having the kind of compromise that we and hundreds of other companies have had,” Carr said in an interview. The company, which handles more than 4 billion transactions annually for more than 250,000 merchants, will be using Thales nShield Connect hardware security module along with Voltage Security’s SecureData encryption software as the basis of this capability. Read the full PC World article here.

Social Networking Site Breach Exposes Most Popularly Used Passwords
An analysis of more than 32 million exposed passwords revealed “123456″ as the most commonly used security code when logging into online accounts. Social networking services and customized widget company, Rockyou.com, suffered a data breach in December 2009. The breach included millions of people’s email addresses and passwords for Rockyou.com (and in many cases passwords and login details for associated social networking sites). The hacker responsible for the attack subsequently posted the full list of passwords on the internet. Read the full Independent Media article here.

Informing Victims of Identity Theft
Until recently, information assurance (IA) personnel and attorneys specializing in this area of the law have had to search for the appropriate governing laws for each jurisdiction. In this column, I review a valuable resource for locating the laws that apply to disclosure of personally identifiable information (PII) in each state in the United States and internationally. The first victim-notification law in the U.S. that required organizations to notify data subjects when PII records were compromised was State Bill (SB) 1386, the California Database Breach Act that came into force in 2003 and which was under review in 2009. Read the full Network World article here.

Happy Monday!

In other Heartland-related news, the lawyers representing financial institutions in the data breach lawsuit against are calling a recently proposed $60 million settlement offer from the company as way too meager. In a statement released on Wednesday, the lawyers said the proposed settlement would only pay banks and credit unions “pennies on the dollar,” while releasing Heartland and other potentially liable parties from further legal action. Read more here from the Credit Union Times.

So, we believe that the real lesson learned here is protect yourself from data breaches. Indeed this is a very simple concept and perhaps easier said than done. But there are the many tools, technologies and process to protect customer data. And, wouldn’t you rather make this investment, as opposed to paying out a settlement?