FTC Warns 100 Organizations of Data Breaches

News
By
published

The FTC yesterday said that it had notified just under 100 organizations thought to be affected by a widespread data breach.

In an announcement made Monday, the Federal Trade Commission revealed that personal information, including sensitive data about customers and/or employees, has been shared from the organizations’ computer networks and is available on peer-to-peer file-sharing networks. The Commission goes on to say that any users of those could use the information to commit identity theft or fraud.

The organizations involved include both private and public entities, including schools and local governments. These entities range in size from businesses with as few as eight employees to publicly held corporations employing tens of thousands.

The FTC has urged the affected organizations to review their security practices and, if appropriate, the practices of contractors and vendors, to ensure that they are reasonable, appropriate, and in compliance with the law.

“It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers.”

Check out the full announcement from the FTC here. A sample of the letters sent can be seen here (PDF). Screen grabs below for those of you with a distaste for PDF links (welcome to the club).

Jane McEntegart
10 Comments Comment from the forums
  • JohnnyLucky
    Does a week go by without news of some sort of security breach or hacking? It starting to sound as if it is business as usual. is there nothing that can be done to stop it?
    Reply
  • enderwiggen
    Get people to stop using 12345 or password as their password would be a nice start.
    Reply
  • redplanet_returns
    enderwiggenGet people to stop using 12345 or password as their password would be a nice start.
    and password as a password is not a password!
    Reply
  • batkerson
    The first thing anyone should do is remove the "admin" or "administrator" user name and replace it with something difficult that is unrelated to the business or to the word "administrator". (e.g., "boss" is not a good replacement). I'm constantly amazed how many companies, not to mention people, leave the "admin" user as "admin". That's getting the would-be hacker half way to breaching your security.
    My 2 cents. . .
    Reply
  • muffins
    12345? thats amazing, I've got the same combination on my luggage!
    Reply
  • dmoney_07
    What's with all the comments about username/password complexity. Security breaches are usually the result of a software exploit. Even with complex credentials, anit-virus software, host intrusion protection, network intrusion protection, or any other security solutions there will still be breaches. The reason for the increase in security breaches is just a reflection of the times. Criminals have found that stealing protected confidential information is a nice way to make a profit.
    Reply
  • babybeluga
    redplanet_returnsand password as a password is not a password!
    password12345, noob. You have to combine letters and numbers now!
    Reply
  • Shadow703793
    lol, now call me paranoid eh? My passwords consist of 5 numbers 5 symbols and 7 letters (not a real word :P ). And has password attempt limitations :D. And I never use the same password for everything either.
    Reply
  • CoderDunn
    muffins12345? thats amazing, I've got the same combination on my luggage!
    lmao Mel Brook's Space Balls, I love that movie

    "They've gone plaid!"
    Reply
  • neiroatopelcc
    JohnnyLuckyDoes a week go by without news of some sort of security breach or hacking? It starting to sound as if it is business as usual. is there nothing that can be done to stop it?Sure. Educate the users would be a start. But it's not that simple in reality. It costs money to create security, and it costs more to maintain it. On top of that it requires some amount of attention from the users, which at worst won't even want to know anything about it.
    So there are two major obstacles with security. 1) people can't be bothered (it is a complex subject and even more so to untrained personnel) and 2) it costs money and doesn't generate any. My boss (IT boss in a company with approx 450 employees and a bit over 20.000 people passing thru the oracle database every year) has the stance that security must not cost more than it does not to have it. In other words we don't want data redundancy if it costs more than downtime would, and we don't need more network security than the estimated worth of what's accessible. And in fact most of our security systems are focused on keeping our own users out of the system where possible, but not nessecarily stop virus outbreaks or outside interference.

    Anyhow, these letters here are sent to companies running p2p software right? that means companies where the users have installed and are running such software knowingly. You can't protect against that except by designing your internal policies so or remove the users who do it. No matter the firewall and protocol inspectors you cannot block people from using p2p. They could essentially just run their p2p trafic thru an encrypted proxy like internet cloaker. You can never protect against employees or customers who knowingly and willingly attempt to circumvent or disregard security. You can only be reactive to those events.
    Reply