There is no shortage of news stories dealing with cybercrime this week. Today, Citigroup admitted that computer hackers breached the bank's network and accessed the data of about 200,000 bank card holders in North America, according to Reuters.
Sony has been trying to recover after a hacker took down its PlayStation Network and exposed some 77 million users' personal and credit card information, reported The Atlantic.
That same hacker group, LulzSec, also targeted the Atlanta chapter of InfraGard, the FBI-affiliated group that aims to share information between the private and public sector. LulzSec said it obtained about 180 log-ins from InfraGard, which it acknowledged is not that many, but "we'd like to take the time to point out that all of them are affiliated with the FBI in some way," the group said in a note, reported PCMag. "Most of them reuse their passwords in other places, which is heavily frowned upon in the FBI/Infragard handbook and generally everywhere else too."
And the story I wrote yesterday for Newswire mentioned defense contractor Lockheed Martin's admission that hackers breached its network in May partly by using data stolen from security-token maker RSA Security, which supplies coded security tokens to tens of millions of computer users. RSA was itself hacked in March and said yesterday that it has offered this week to replace or monitor all SecurIDs -- an offer several major customers, including Bank of America and SAP, immediately accepted, reported CNN.
Obviously, IT folks should be extremely concerned about this rash of hacking incidents hitting major corporations that one would assume have some of the strongest security measures in place, but apparently do not.
Some lawmakers are trying to make these corporations more accountable when such security breaches occur. The Personal Data Privacy and Security Act is a bill that has been introduced in Congress repeatedly since 2005 but has yet to become law. Its primary sponsor, Sen. Patrick Leahy, reintroduced the legislation again this week to try to establish a national standard for data breach notification, according to a statement. The bill would require American businesses that collect and store consumers' sensitive personal information to safeguard that information from cyber threats.
"The many recent and troubling data breaches in the private sector and in our government are clear evidence that developing a comprehensive national strategy to protect data privacy and security is one of the most challenging and important issues facing our country," said Leahy.
Corporate executives who do not adhere to this legislation could face criminal penalties if found to have willfully or intentionally concealed security breaches involving personal data.
Other provisions of the bill include:
* A requirement that companies that maintain personal data establish and implement internal policies to protect data privacy and security;
* An update to the Computer Fraud and Abuse Act to make attempted computer hacking and conspiracy to commit computer hacking punishable under the same criminal penalties as the underlying offense; and
* A requirement that the government ensure that the privacy and security of sensitive data is protected when the government contracts with third-party contractors.