It’s as though this week was tailor-made for Bartkiewicz (pictured), who argues that companies in the cloud business–and their customers, too–are in denial about risk. And by risk I mean not the technological possibility that a service may fail to work as advertised, but in the financial liability sense.

In Amazon’s case, there’s not been any real discussion of financial liability. Even though several companies effectively had to pause operations during the period of its outage last week, the only compensation they seem to be getting, at least for the moment, is a credit on their bill for the time that affected systems were offline and an apology. Apologies and billing credits won’t work for large companies. In a case like that, someone, somewhere has to be on the hook financially in the case of failure.

Handing your data over to someone is in a way comparable to handing goods over to a shipping company who promises to get it safely from one place to the other. Something bad can happen along the way, and often does. Trains derail, ships sink or get attacked by pirates. This is why the insurance industry exists. Yes, data is slightly different because it can be copied, but you get the idea.

Anyway, as if on cue, I found in my in-box today a report from Bartkiewicz’s company, CyberFactors, which specializes in risk analysis related to cloud services. It made for very interesting reading: It has estimated the financial costs associated with the Epsilon breach, and the findings should get your attention. The security breach and release of customer data at the email marketing provider has exposed the company to liabilities that could be as high as $225 million. According to CyberFactor’s research, as many as 75 other companies were involved and the total number of affected email addresses may be as high as 60 million.

Dealing with the repercussions of the breach–informing customers about it, making changes to marketing strategies, and so on–could eventually cost those at the affected companies, which included household names like Best Buy, J.P. Morgan Chase, Citibank, Walgreen’s and the Walt Disney Company, as much as $412 million, pushing the aggregate cost of the incident to $637 million. Think about that. The exposure of an email database could wind up costing more than half a billion dollars.

Yet even that isn’t the worst of it. Once you take into account down-the-line costs, such as fines, forensic audits, litigation and loss of business, the total cost could exceed $3 billion. Roughly half of the total costs to the affected companies will occur in the first year after the breach, and the rest will come in the second and third years. Security breaches have a way of costing long after the incident itself fades from the headlines. Cloud companies, CyberFactors argues, are going to have to start thinking more like banks, insurance companies and hedge funds. The cloud is going to have to grow up.

Sony says that the credit card data associated with the accounts was encrypted, though there are anecdotal reports of credit card fraud occurring coincidental with the timing of the breach.

On top of that, regulators in places as varied as Connecticut and the U.K. and Ireland are demanding information, often the first step in investigations that lead to lawsuits. The office of Ireland’s data protection commissioner (cool title) says it wants a full report on the incident by the end of the week. The U.K.’s Information Commissioner’s Office is investigating. Perhaps Sony’s one lucky draw in all this, as Parmy Olson of Forbes notes, is that it won’t have to face the full fury of the European Union because authority for data privacy issues are reserved to individual member countries.

Meanwhile, the attorneys general of several U.S. states are starting to rumble, starting with Connecticut’s George Jepson, who said he is launching an investigation, while his counterparts in Missouri and Iowa are making the kind of public statements that are often a precursor to investigations of their own. A few lawmakers in Congress are tsk-ing disapprovingly too, mulling hearings and new legislation. Below is an appearance on CNBC by Sen. Richard Blumenthal, D-Conn., suggesting that the Department of Justice should launch its own investigation.

Thanks, Senator. However, my guess is that if the systems compromised are in the U.S.–and given the number of PlayStation Network customers there are in the U.S., how can they not be?–then one branch of Justice is already likely involved: The FBI. Hasn’t Sony already disclosed that it’s working with law enforcement? This isn’t exactly the sort of thing for which you call a local police agency.

“We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network.”

In an email that it is sending its 70 million-plus customers of the two services, Sony said it believes that the attackers obtained personal information associated with accounts, including names, addresses, email addresses, birthdates, usernames and passwords. It said there is “no evidence” that credit card accounts have been breached, but that it cannot rule out that possibility. “If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained,” the statement says.

The attackers may have also seen purchase histories. Sony also says that a class of lesser accounts, known as sub-accounts, that are usually held by adults for their children, have been breached. “If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained,” Sony’s statement says.

It’s the latest in a long string of breaches involving customer data. Last year Silverpop Systems suffered a data breach that forced several large companies including McDonald’s and Honda to advise people who had signed for marketing messages from their Web sites to change passwords they use on other sites. As with those incidents, Sony is asking customers to change any passwords they may also use on other sites. (Lesson: Don’t use a single password on more than one site.)

The breach opens Sony’s customers up to the possibility of other kinds of attacks using their information. Armed with one set of information, say the knowledge that they have an account on Sony’s PlayStation Network, an attacker could send a customer an email pretending to be Sony seeking an updated credit card number or could send one pretending to be from the target’s bank asking for account information. As Sony puts it:

For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking.

Sony says it has hired an outside security firm to conduct an investigation into the incident, though it declined to name it. Its gaming service still hasn’t been restored, though it said it expects to have it up and running again within a week. The incident has marred the releases of two eagerly anticipated games on the PS3, Portal 2 and Mortal Kombat, leaving those who bought them playing only in non-network mode.

Details on the attack are sparse as yet. Mullenweg hasn’t disclosed which sites were affected. He said that Automattic’s team has been reviewing systems logs and plugging holes that may have been used to gain access. “We closed the avenues of access and have introduced several more layers of security to prevent a similar issue in the future,” he told me in an email.

“We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited,” he wrote. The investigation is ongoing.

In the meantime, Mullenweg reminded his customers–and it bears repeating even if you’re not a customer–that passwords should be complicated and shouldn’t be used across multiple sites. He also suggests using tools like 1Password, LastPass, and KeePass to make it easy to keep track of different passwords.

Franken chairs the subcommittee on privacy, and says he wants to explore the situation, which could be the first hint that he wants to hold hearings.

He’s not the only person in Congress making noise about it. Sen. Richard Blumenthal, a Democrat from Connecticut, has asked Attorney General Eric Holder to investigate Epsilon for “possible civil and criminal liability.” There’s also talk of hearings on the matter in the House. On top of that, state attorney generals in Rhode Island, Iowa, Nevada and Oregon have started warning consumers in their state about the dangers of clicking links in suspicious emails that may emerge in the coming days. I’ve pasted Blumenthal’s letter below.

Shares in Epsilon parent Alliance Data Systems rose more than one percent today as concern among investors around the business unit that was responsible for 22 percent of its revenue last year seems to have abated for the moment. The company will report quarterly earnings on April 21, and we’re hoping management takes the opportunity to be forthcoming with more details about how the breach happened.

April 6, 2011

The Honorable Eric H. Holder, Jr.
Attorney General of the United States
United States Department of Justice
950 Pennsylvania Avenue, NW
Washington, DC 20530-0001

Dear Mr. Attorney General:

I am writing to formally request an expedited investigation into possible civil and criminal liability, and to highlight key issues to consider in the course of that investigation, concerning recent reports of a major data security breach involving Epsilon, an internet email marketing firm.

On April 1, 2011, Epsilon reported that it had experienced a security breach of its database of customer names and email addresses which it collects from various companies, including many retail and financial firms. The company has not specified how many consumers have been affected by the security breach. Epsilon has not provided a list of companies affected. While some of Epsilon’s client companies have notified their customers of the breach, other consumers may be unaware that their names, email addresses and other potentially identifying information may be at risk.

I believe that immediate notification to all customers is vital to protect them – and enable them to protect themselves – from identity theft. Despite claims by Epsilon that only the names and email addresses of individuals may have been compromised by this security breach, I ask that your review of this incident determine whether individually identifiable financial information has been compromised. Names and email addresses would allow unscrupulous actors to send emails to consumers – ostensibly from the retailers which whom the consumer does business – seeking private financial information such as credit card numbers or checking or banking accounts.

I believe that affected individuals should be notified and provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Epsilon or its affected clients. I believe it is also necessary to provide every affected individual with sufficient insurance to protect them against possible financial consequences of identity theft.

Consumers deserve more complete information on the data breach, as well as the assurance that their personal financial information will be securely maintained. If personal financial information has been compromised as a result of this incident, Epsilon should be required to provide written notification of the breach, specific information about the data that may have been improperly accessed by third parties, and personal information security protection, including free access to credit reporting services, and insurance for two years.

Thank you for your attention to this important issue and for your continued work on behalf of the American public.

Sincerely,

Richard Blumenthal
United States Senate

I’ve just heard from someone who says they’ve received an email from Crucial.com, the Web retailer of computer memory owned by the chipmaker Micron, that data on its users was compromised. I’ve also heard form customers of Fred Meyer, Fry’s, Brookstone, 1-800-Flowers and the recruiting firm Robert Half International saying they’ve received similar emails.

However, now we’re getting into phase two of this mess. Whoever the original attackers are, they may be starting to carry out phishing attacks against the people whose information was taken from Epsilon. There’s been at least one report out of North Carolina of emails going to customers of a Chase Bank that aren’t really from that bank. Given that phishing attacks are a daily occurrence, however, it’s hard to specifically pin down this one as being related to the Epsilon breach. But the fact that it’s being mentioned at all indicates how much anxiety about phishing attacks has escalated in the days since the breach was disclosed.

It being the height of tax season, Intuit, maker of Turbotax, the most popular tax preparation software on the market, published a security alert to its customers today. Though it’s not an Epsilon customer, it said that–given that so many banks are among those affected–it thought it should offer some tips on how to detect a phishing attack and what to do and not do. Its advice bears repeating: When in doubt, don’t click on links in an email sent by a bank, retailer or other institution.

Meanwhile, shares in Epsilon’s parent company, Allied Data Systems, don’t seem to be feeling any further ill effects from all the negative attention. Its shares finished the day up 38 cents to close at $84.12, and the stock is up about 16 percent since the start of the year. The company was in damage control mode today, saying that it was working with federal authorities and outside computer forensics experts to investigate how the breach happened and who did it and to ensure that additional security measures are put in place to make sure it doesn’t happen again.

And even though Epsilon represented about 22 percent of Allied Data’s revenues last year, the company said that it expects the incident to have “minimal if any impact” on its overall financial performance for the foreseeable future, and that the breach affects only about two percent of Epsilon’s total client base. That may not sound like a large number, but when you consider that Epsilon has about 2,500 clients, and that two percent of that is 50 companies, most of them large, household name companies, it’s hard to minimize the number of people potentially affected. Allied Data’s biggest concern now, it says, is to regain the trust of its clients–that is, the companies on whose behalf it sends marketing email messages.

If you’ve ever given your email address to any of the companies named above, then you’re probably among those who received a warning message today saying that your name and email address had been compromised as the result of an attack by an unknown party on the database of Epsilon, an email marketing firm owned by Alliance Data Systems.

As I write this, I’m continuing to hear from people I know who are feeding me live updates on the companies, all of them apparently Epsilon clients, who are notifying their customers that their information has been taken. As of noon PT, people I know are saying they’ve received notifications from Hilton Hotels and Ethan Allen.

The breach looks to be very similar to one seen late last year at Silverpop Systems. That one ensnared outfits as varied as deviantart, the Web image-sharing community; the drug store chain Walgreen’s; and the automaker Honda. This one, however, looks much bigger in terms of the number of customers affected.

Shares in Alliance Data Systems, which is primarily known as a credit card payment processor that also manages loyalty programs for airlines, were off slightly in afternoon trading. The company reported $2.8 billion in sales in 2010, and according to its most recent 10-K filing, Epsilon accounts for 22 percent of that, which works out to a little less than $614 million.

There are more companies named as Epsilon customers in the 10-K. Last year, the company signed a deal with New York and Company, the apparel retailers, to provide what it describes as a “comprehensive database marketing solutions.” It signed a similar deal with Dell to provide a “strategic email marketing program.” The list goes on: Kraft Foods, hotelier La Quinta, Chico’s, AARP, Unilever, AAA of Northern California, Nevada and Utah. Its Web site lists even more.

It’s not yet clear exactly how many people’s data has been compromised, but given that only email addresses and names were taken, then the next shoe to drop is a series of attempts by the attackers to capitalize on it. What’s expected is a barrage of “spearphishing” attacks, which are similar to phishing attacks in that they involve emails that try to entice you to click on links that aren’t actually what they appear to be.

Whereas phishing attacks are lobbed out at random, spearphishing is a little more precisely aimed. Now that the attackers know the names and addresses of customers of certain banks and retailers and other companies, they may try to send these people messages that appear to come from these companies in order to convince them to click on links that at first look innocuous but aren’t. The range of things these attackers may attempt to do is rather wide. They might try to install evil software on your machine and turn it into a zombie that serves yet more spam to other people, or they may try to trick you into giving them access to your bank account.

Some years ago I very nearly fell for something like this. I got an email from my bank that had my name on it, had the correct last few digits of my account number, and a few other details that all looked right to me. It looked just like the emails I would get occasionally from that bank. It said there was a problem with a charge I had made on my debit card.

The message contained a link in the email and I very nearly clicked it. But at the last second, my better judgment kicked in and I decided instead to pick up the phone and call my bank. I found out it was a rather sophisticated attempt to do something evil, and I nearly fell for it. If you get any emails from any of these companies in the coming days that contain links or odd-looking attachments, you’re probably better off doing nothing and calling the company in question to double check that the message is legit, especially if the message is from a bank or other financial institution. The best advice I can give you in a case like this is to simply be on your guard.

Initially, it released no details about how the attack was carried out. Now, RSA–which is a unit of storage giant EMC–has gone into some detail concerning how its systems were breached, in a blog post by Uri Rivner, whose title is Head of New Technologies, Identity Protection and Verification. It all started with phishing emails. Over the course of two days, two groups of emails were sent to a small group of employees, none of them high profile, nor apparently especially senior. Though RSA doesn’t spell out who received them, the emails may well have gone to the human resources department or some other quiet corner of the company. The emails contained an Excel spreadsheet attachment entitled “2011 Recruitment Plans.” Naturally it was created to look just believable enough that one of the employees who received it fished it out of the spam folder to which it was initially directed and opened it. You can probably fill in most of the blanks from here.

The spreadsheet contained a Zero-day exploit that took advantage of a weakness in Adobe Flash, which has since been patched. Through that hole, attackers were able to install anything they wanted on the target machine. They chose a version of a program called Poison Ivy RAT, and in this case RAT stands for “remote administration tool,” a program that is used to control one computer from another in a different location.

Armed with remote access to the target machine, the attackers then set about gaining deeper access to RSA’s corporate network. Like a person masquerading as a real employee searching a company’s building for a set of master keys, these attackers carried out a series of attacks designed to escalate the level of access they had to the system. They gathered login credentials from the relatively low-level accounts they compromised at first, including usernames, passwords, and domain information, then went after higher-value accounts with more access.

Once that was done, they started working on the real job: Finding the data they wanted to steal, and then extracting it from RSA’s systems. They gathered what they wanted, collected it in a “staging area,” compressed it, and then downloaded via FTP.

Still unexplained at this point: What information was taken, and does it in any way affect the integrity of its own security products? When the attack was first disclosed, the company said that some information about its SecureID products was taken by the attackers. This has led to a lot of questions and speculation by security pros who naturally have to think about the worst-case scenario, and frankly, there are many for which the adjective “worst” would apply.

The big looming question is whether or not the attacker gained access to the seeds–the random keys embedded in each token–that are used to generate the constantly changing numeric codes that appear on the device’s display. For instance, in one scenario described by David Scheutz of the Intrepidus Group, the attackers might have found a list of seeds and token serial numbers. Once you have the serial number of an individual token, you can then create your own token that would allow you to impersonate that user on whatever systems they use.

That scenario, which is only one of four on Scheutz’s list, is potentially pretty scary. As of 2009, some 40 million RSA tokens were in use securing networks at companies large and small and at numerous government agencies. And aside from the hardware tokens, software that mimics them runs on some 250 million smart phones.

When it first revealed the attack, RSA said it was “confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers,” though it did say it thought the information taken would make attack easier. Hopefully RSA has more to say about all this in the coming days.

Separately, EMC said today it has acquired privately held NetWitness, which specializes in network security analysis. NetWitness provides “precise and pervasive network visibility” which gives companies the ability to detect and cope with “advanced threats” while automating the investigation process. NetWitness will operate within RSA. Financial terms have not been disclosed, but judging by the description of this attack, it seems like a timely acquisition.

Meted out by France’s Commission nationale de l’informatique et des libertés, or CNIL, the sanction is the agency’s highest ever and the first penalty levied against Google for data collection practices that have drawn complaints from dozens of countries.

According to the CNIL, though Google pledged to erase all the private data it collected, it “has not refrained from using the data identifying Wi-Fi access points of individuals without their knowledge.” Worse, the company continues to collect data on Wi-Fi access points via smartphones accessing its Latitude service, without clearly disclosing that to Latitude users. And, as it has done in other countries, Google refused to grant access to software used to harvest and store the information or an interview with the “rogue engineer” it claims is responsible for the whole debacle.

Google, of course, continues to play the penitent. “As we have said before, we are profoundly sorry for having mistakenly collected payload data from unencrypted WiFi networks,” Google’s Global Privacy Counsel Peter Fleischer said in yet another variation of the same statement the company has been issuing for nearly a year now.

PREVIOUSLY

• Lawmakers Would Like a Word With Google’s “Rogue” WiSpy Engineer
• Connecticut Won’t Press for Google WiSpy Data, Looks to Settle
• Well, Hell, If I Knew All I Had to Do Was Seize the Hard Drives…
• Look, Sergey, a Christmas Card From the Connecticut AG! Wait…
• Google Street View Privacy Debacle Far From Over
• FTC Closes Google Street View Probe
• Google CEO Apologizes for Street View Schmidtstorm
• Google CEO’s Advice to the Street-View Shy: The Video
• Schmidt: Don’t Like Google Street View Photographing Your House? Then Move.
• Mr. Schmidt, There’s an Inspector Lestrade on Line One
• State AGs to Probe Google’s “Deeply Disturbing Invasion” of Wi-Fi Data
• No Harm, Big Foul: Google Intercepted Passwords and Email Extracts
• Germany Questions Google’s Data “Mistake”
• Google Street View Cars Collected Wi-Fi User Data for Three Years

“Google has played an enormous role in advancing the Internet as we know it today, but Americans have a right to know the relative facts of its Wi-Fi data collection activity known to U.S. consumers, regardless of whether the FCC finds a technical violation of the law,” the letter reads, noting that a handful of probes by state attorneys general has yet to yield access to the consumer data Google harvested or an interview with the “rogue engineer” the company claims is responsible for collecting and storing it.

“Nine months after Google first admitted to collecting this data, we still don’t have answers as to how this privacy breach was allowed to take place and how many Americans were affected, let alone a credible assurance that it will not happen again,” it continues. “The lack of progress in this investigation is concerning, particularly in light of the progress made by authorities in other countries.”

And that’s a valid, and troubling, point. South Korea recently analyzed the harvested consumer data; why can’t the United States do the same? And how is it possible that the FTC concluded its investigation into this matter without talking to that rogue engineer?

“A serious inquiry into this matter requires a hearing from the engineer that Google claims is responsible for the data collecting activity. Google’s Street View Vehicles captured and stored over 600 gigabytes of data. It is difficult to understand how just one individual could have been responsible for a data collection operation of this scale.”

PREVIOUSLY

• Connecticut Won’t Press for Google WiSpy Data, Looks to Settle
• Well, Hell, If I Knew All I Had to Do Was Seize the Hard Drives…
• Look, Sergey, a Christmas Card From the Connecticut AG! Wait…
• Google Street View Privacy Debacle Far From Over
• FTC Closes Google Street View Probe
• Google CEO Apologizes for Street View Schmidtstorm
• Google CEO’s Advice to the Street-View Shy: The Video
• Schmidt: Don’t Like Google Street View Photographing Your House? Then Move.
• Mr. Schmidt, There’s an Inspector Lestrade on Line One
• State AGs to Probe Google’s “Deeply Disturbing Invasion” of Wi-Fi Data
• No Harm, Big Foul: Google Intercepted Passwords and Email Extracts
• Germany Questions Google’s Data “Mistake”
• Google Street View Cars Collected Wi-Fi User Data for Three Years

It’s not yet 100 percent clear if this breach is connected to the recent breach of the email marketing firm Silverpop Systems, but it sure looks that way. Honda was an enthusiastic Silverpop customer as recently as 2009, according to this press release. It’s the same company whose data was breached in thefts of customer data from McDonald’s and deviantArt. A similar incident was reported concerning the drugstore chain Walgreen’s, but it hasn’t been tied specifically to Silverpop.

The list contained the names, login names, email addresses and–get this–vehicle identification numbers of more than two million Honda owners. Another list, this one containing only the email addresses of nearly three million Acura owners, was also taken.

Honda has contacted all the customers via email. The worry is that affected owners, especially those on the list with the VINs, may be targeted for some kind of phishing attack. Imagine getting an email from someone pretending to be your local Honda dealer who correctly identifies the car you just bought and asks you to give up more personal information so that you can get “special offers.”

However, we’re starting to get more information about how the McDonald’s incident appears connected to hacking incidents at other sites. Chicago Business is reporting that the company responsible for McDonald’s email marketing is Silverpop Systems, and that it had been operating under a subcontract from Chicago-based Arc Worldwide.

So who else is a customer of Silverpop? Yesterday I received an email from someone who’s a customer of deviantArt, a social network where artists share their creations. DeviantArt has a base of 13 million users. Got an account there? You’d better change any passwords that overlap with other sites. The site advised customers that their accounts were compromised, and blamed Silverpop.

It could extend much further yet. Silverpop has more than 100 clients, and not all of them are publicly disclosed, though here are a few, found on its client quotes page and its case studies page: Stamps.com, Pitney Bowes/Mapinfo, Encyclopedia Britannica, Santander Consumer Finance and watchmaker Fossil. There’s no word how any of those other companies are affected, if at all.

Silverpop CEO Bill Nussey said in a blog message to customers that the FBI is investigating the incident, and that only a small percentage of Silverpop customers have been affected. He also said that Silverpop was “among several technology providers targeted as part of a broader cyber attack.” Stacy Kirk, a Silverpop spokeswoman, wouldn’t say anything beyond what’s in Nussey’s message.

I’m beginning to wonder if there’s some indirect connection between what happened to Silverpop and what happened to Gawker. I’m speculating here, but it’s no stretch of the imagination that numbering among deviantArt’s 13 million users are some of the 1.5 million people whose accounts were compromised in the Gawkergate affair. And the FBI is investigating both. Thomas Plunkett, Gawker’s technology chief, told me by email that there’s no evidence of a connection. Then again, as Business Insider tells it, he hasn’t yet had his meeting with the FBI.

Maybe I’m looking for connections that aren’t really there, but it’s really not hard to see how the breach at Gawker could turn out be the start of a domino effect that’s much larger than anyone has yet realized. There certainly is a lot of grumbling about changing passwords today.

If you know more more about any of this, get in touch!

Below is the email to deviantArt users.

From: deviantART.com (address deleted)
Date: Mon, Dec 13, 2010 at 5:54 AM
Subject: RE: Email Notice

Silverpop Systems, Inc., a leading marketing company that sends email messages for its clients, told us that information was taken from its servers. This was probably part of a sweep by spammers. As a result, email addresses belonging to deviantART members were copied. Corresponding usernames and birth date may also have been removed.

We can assure you that nothing occurred on our systems with respect to this incident and no access was gained to private information on deviantART’s servers.

As a member of deviantART, you certainly have a right to know when an incident of this kind occurs. Unfortunately spammers are an unavoidable part of living on the Web.

The likely result of this event might be an increase in spam to your email. Experts have told us that there is an increase in email scams out there on the Internet and you should be cautious. Only click links or download attachments from people you know, particularly if they ask for personal information, and be sure that your email service provider has adequate spam filters.

Because we value the information that members give us, we have decided not to rely on the services of Silverpop in the future and their servers will no longer hold any data from us.

Google earlier this year said that the camera-equipped cars it uses to mark the location of wireless networks and take pictures for its Street View service had for years inadvertently collected data from publicly accessible wireless networks. Google initially said that no significant personal data was collected, but last month admitted that emails and passwords had also been copied.

On Wednesday, U.K. Information Commissioner Christopher Graham, the regulator in charge of data protection, issued a statement saying that, as a result of the “significant breach” of law, his office would audit Google’s data-protection practices in the U.K. and ask the Mountain View, Calif., company to sign an official commitment affirming that such breaches wouldn’t occur again. The U.K. regulator had earlier found that Google didn’t collect meaningful personal details.

Read the rest of this post on the original site

It seems like every day, a different Silicon Valley company is in the crosshairs of one of the alphabet soup of federal government regulators over a range of concerns.

Whether it is privacy issues at Facebook, search market share at Google (GOOG), iPhone hijinks at Apple (AAPL) or a hacking breach at Twitter, digital firms are ever more closely watched by agencies such as the Federal Communications Commission and the Federal Trade Commission.

But one of the more important digital inquiries these days is the hairy-eyeball once-over Comcast (CMCSA) is getting in the vetting of its deal to acquire NBC Universal.

The FCC, about a third of the way to its 180-day deadline, stopped the clock yesterday over incomplete answers to a request for information.

One of the many issues of concern is how Comcast is going to put content online when it owns a company that makes a lot of it.

The so-called “clock” has been stopped once already, over online distribution issues, according to a report yesterday in Broadcasting & Cable noting that “the commission also gave commenters a chance to weigh the impact, if any, of the April 6 BitTorrent decision that called into question the FCC’s ability to regulate broadband.”

While it’s only one of the areas of inquiry, it is perhaps the most important for Silicon Valley companies, which are also moving aggressively into the space, especially in the wake of the recent Google legal victory over Viacom (VIA) in the long-running YouTube copyright-infringement case.

While Comcast noted that the FCC delay is simply a technical filing issue, and most observers expect the deal to eventually be approved, it’s clear that the company is going to have to answer mounting questions about how it plans to conduct itself online.

We’ll soon be posting the full interview BoomTown recently did with Comcast COO Steve Burke at the eighth D: All Things Digital conference earlier this month.

Until then, here’s a video of Burke at D8 talking about the upcoming competition with Silicon Valley companies:

]]> http://allthingsd.com/20100625/feds-hairy-eyeball-on-digital-not-just-for-silicon-valley-comcastnbc-deal-continues-to-undergo-stop-start-vetting/feed/ 0 http://allthingsd.com/20100614/qotd-304/ http://allthingsd.com/20100614/qotd-304/#comments Mon, 14 Jun 2010 10:00:48 +0000 John Paczkowski http://digitaldaily.allthingsd.com/?p=42451

“AT&T says the person responsible for this went ‘to great efforts.’ I’ll tell you this, the finder of the AT&T email leak spent just over a single hour of labor total (not counting the time the script ran with no human intervention) to scrape the 114,000 emails….So get real. You f–ked up, we helped you figure that out and informed the public. You should thank us.”

– Goatse Security responds to AT&T’s letter of apology to customers affected by its iPad security breach

]]> http://allthingsd.com/20100614/qotd-304/feed/ 0 http://allthingsd.com/20100611/att-responds-to-boomtown-privacy-breach-via-email-oh-the-irony/ http://allthingsd.com/20100611/att-responds-to-boomtown-privacy-breach-via-email-oh-the-irony/#comments Fri, 11 Jun 2010 14:53:59 +0000 Kara Swisher http://kara.allthingsd.com/?p=29397

Earlier today, I wrote a piece about how I was one of the 114,000 AT&T customers whose email and device identity numbers had been easily exposed earlier this week via a flaw in the way the company registered the Apple (AAPL) iPad 3G for cellular access.

In my post, I complained that I had yet to hear from the telecom giant about the security snafu and release of my personal email address, which AT&T (T) had yet to acknowledge to those impacted.

Well, the company does read tech blogs, so this morning, this communication from a PR honcho was sent to my work email, which is available on this site publicly.

Regrets? AT&T has a few:

Hi Kara:

I am writing to apologize that your personal e-mail address was made public. As you know, we fixed the flaw that caused this almost as soon as we heard about it from one of our business customers. But that doesn’t change the fact that your personal information was exposed without your permission. That is something we truly regret.

Nothing is more important to us than protecting the privacy of customer information. You should know that in this case, the only thing compromised was your email address and not, for example, the contents of your email or any other personal information. And as you also know, the problem only affected iPad 3G customers. No other mobile devices or customers were involved.

Thanks very much for your patience. Please let me know if there is anything we can do for you or if you have any questions.

Mark Siegel
Executive Director-Media Relations
AT&T
[Address redacted]
[Work phone number redacted]
[Mobile phone number}
[Email address redacted]

As you can see, I used my crack security system–DELETE!–to save Siegel any incursions into his privacy.

And while I do appreciate the reaching out, I still want to hear–as do others affected–officially from AT&T about exactly what’s what.

Siegel told me in a follow-up email: “We are finalizing our plans for communicating with customers.”

(Suggestion to make us happy: A free iPhone 4 might be a sweet gesture. Only kidding!! Sort of.)

In addition, I am not sure, as he wrote in the initial email, whether it is comforting or not that it was only my email and only my iPad 3G that were violated.

That’s sort of like telling me that only one room of my digital house was broken into, although nothing good was taken, so not to worry.

Actually, if that happened in real life, I would still call the police. That is, if the call on my iPhone didn’t drop.

Again, I kid! Sort of.

]]> http://allthingsd.com/20100611/att-responds-to-boomtown-privacy-breach-via-email-oh-the-irony/feed/ 17 http://allthingsd.com/20100611/online-privacy-follies-hit-home-boomtown-was-one-of-those-exposed-in-the-att-ipad-snafu/ http://allthingsd.com/20100611/online-privacy-follies-hit-home-boomtown-was-one-of-those-exposed-in-the-att-ipad-snafu/#comments Fri, 11 Jun 2010 07:15:42 +0000 Kara Swisher http://kara.allthingsd.com/?p=29352 Yesterday, it was revealed that AT&T–which usually and deservedly catches flak for its appalling dropping of voice calls–got caught up in a thorny security debacle related to the Apple iPad.

According to a report initially posted on Gawker Media’s Valleywag site, the telecom giant had a flaw that allowed a group of computer experts to expose the email addresses and identity numbers of 114,000 owners of the popular tablet device.

Including mine.

That would be my personal one from Comcast (CMCSA), which you can see here in an obscured list of others–including some prominent officials in government.

AT&T (T) had my email because it was used to sign up for mobile service for the Apple (AAPL) iPad’s 3G version, automatically appearing during registration.

Now the Federal Bureau of Investigation is looking into the AT&T breach, according to an article in The Wall Street Journal, in what seems to be an early probe.

Oooh, the Feds are involved now.

I wish I could say it will make a difference. Because it won’t.

In fact, coming on the heels of privacy controversies at Facebook and Google (GOOG), it’s just another log on the digital fire that has been burning up privacy for a very long time now.

And now more than ever, it is part of a massive confluence of trends, including:

Consumers more interested than ever in sharing information about themselves in order to make ever better social networking connections online; a plethora of innovative devices–mostly mobile–and Internet tools available to seamlessly and easily allow those consumers to do so; and, perhaps most of all, Internet companies intent on hoovering up as much information as possible, in order to garner more consumers and sell it to advertisers.

In large part, this is all well and good, creating a range of valuable and entertaining services at little or no cost and making the computing experience more personal and relevant.

Because of that, I have to admit I was less tweaked than I thought I would be, although I wish I were not.

New York City Mayor Michael Bloomberg, whose email was also compromised, expressed the feeling best.

“It shouldn’t be pretty hard to figure out my email address,” he was quoted saying in the Journal article. “To me, it wasn’t that big a deal.”

That’s because all of us are thinking less that such information is private or will remain that way for long.

See this handy illustration, below, from the Journal, about how the iPads were hacked so easily and you get the picture quickly.

And, indeed, I am one of those who puts a great deal of information about myself out there for many to see, from my email on Facebook to my locations on Foursquare to my thoughts on Twitter to photos and videos everywhere.

That said, like others, I have also begun to rethink some of this, recently removing my phone number and other personal information from Facebook and other places where I had stashed them in plain sight, making them harder to find.

Of course, I also know that retrieving much of my personal information is now a lost cause, like trying to unmix cream poured into coffee.

Still, companies, especially those entrusted with this information, should not be quite so sanguine as consumers have become.

I still haven’t heard from AT&T, for example, which is somewhat irksome since the company has known about the issue for days now.

And as each of these incidents occurs, you get the feeling of execs either too obtuse or thoughtless or, yes, cynical to make this a priority.

They should, since the avalanche of information being made available will only increase, with possibly dire circumstances if not handled well.

Hollywood actress Joan Crawford had it right in a famous quote: “Love is a fire. But whether it is going to warm your hearth or burn down your house, you can never tell.”

Substitute “Digital living” for love and it’s the very same message.

]]> http://allthingsd.com/20100611/online-privacy-follies-hit-home-boomtown-was-one-of-those-exposed-in-the-att-ipad-snafu/feed/ 2 http://allthingsd.com/20100303/combat-at-activision/ http://allthingsd.com/20100303/combat-at-activision/#comments Wed, 03 Mar 2010 13:00:57 +0000 Nick Wingfield http://voices.allthingsd.com/?p=21983 A skirmish of the corporate variety has broken out inside the company responsible for the blockbuster “Call of Duty” war videogame series.

“Call of Duty” publisher Activision Blizzard (ATVI) on Monday filed an annual report with regulators that said the company was “concluding an internal human resources inquiry into breaches of contract and insubordination by two senior employees at Infinity Ward.”

Read the rest of this post on the original site

]]> http://allthingsd.com/20100303/combat-at-activision/feed/ 0 http://allthingsd.com/20090811/ebay-bids-to-fix-a-security-hole/ http://allthingsd.com/20090811/ebay-bids-to-fix-a-security-hole/#comments Tue, 11 Aug 2009 15:47:47 +0000 Peter Kafka http://mediamemo.allthingsd.com/?p=9764 See? You don’t just have to be a buzzy social network to suffer through security problems. You can be a relatively staid Web 1.0 giant, too. eBay (EBAY) is warning developers who build programs that incorporate the online marketplace’s engine about a security breach.

In letters to sent Monday to 90,000 developers who work on eBay’s Developers Program, the company warns about a security hole that could cause problems, but hasn’t yet. It also takes pains to point out that the security flaw doesn’t affect eBay customers themselves. eBay says third-party software now accounts for 25 percent of its listings.

An eBay spokesman tells me that eBay came across the weakness itself not because a hacker had exploited it, and that the company is acting “out of an abundance of caution,” which is a term the eBay folks seem to favor (see email text below). “The information that *may* have been compromised consisted of basic contact information that could potentially be used in a phishing attack. At this point, we have not identified any unusual patterns in our developer accounts and we are notifying them and requesting they change their developer passwords out of an abundance of caution [sic].”

Here’s the complete text of eBay’s heads-up letter:

Hello [redacted], this is Kumar Kandaswamy, and I manage the eBay Developers Program. I’d like you to read this important message about account safety. The safety and security of the eBay Developers Program is a top priority. While we believe that people are basically good, we also must live with the reality that there are fraudsters out there who have made it their illicit “profession” to find ways to exploit others on the Internet.

Occasionally, fraudsters attempt to gain unauthorized access to the eBay Developers Program. eBay has recently identified a means by which someone could gain access to eBay Developers Program account information. This type of access DOES NOT allow the capture of financial or other sensitive information, such as credit card or bank account information or Social Security numbers.

Fortunately, we have not detected any unusual activity with any Developer account. Out of an abundance of caution and to help ensure the security of the eBay Developers Program, we are requiring that all developers take the following steps:

* Take advantage of our new, stricter password standards and change your eBay Developers Program (developer.ebay.com) passwords. It is not necessary to change eBay (www.ebay.com) passwords. If you believe you or your customers have been the victim of fraudulent activity, contact us immediately at apifeedback@ebay.com.

Sincerely, Kumar Kandaswamy

]]> http://allthingsd.com/20090811/ebay-bids-to-fix-a-security-hole/feed/ 0 http://allthingsd.com/20090715/the-twitterhack-is-cloud-computings-wakeup-call-time-for-security-that-works/ http://allthingsd.com/20090715/the-twitterhack-is-cloud-computings-wakeup-call-time-for-security-that-works/#comments Wed, 15 Jul 2009 12:51:35 +0000 Peter Kafka http://mediamemo.allthingsd.com/?p=9256 One downside of being the world’s most talked-about start-up: You become an irresistible target for hackers.

Now Twitter, which has suffered multiple security breaches in the past, has been punctured again. Someone has gotten into the personal Web services accounts of co-founder Evan Williams, his wife and at least one other Twitter employee, and used that access to make off with a pile of confidential company documents. He’s now distributing them on the Web, and TechCrunch promises to publish many of them.

The media ethics colloquy is well underway and will go on for a while (Boomtown’s Kara Swisher is holding her session, appropriately enough, via Twitter). Beyond that, I’m pretty sure Twitter is going to be okay when this dies down.

Based on Williams’s description of the attack (see the bottom of this post), as well as both TechCrunch’s and the hacker’s descriptions of what got pilfered, this looks roughly akin to having your underwear drawer rifled: Embarrassing, but no one’s really going to be surprised about what’s in there.

The hack certainly will be worrisome for people who are using, or thinking about using, any kind of “cloud computing,” whereby work data/documents are stored on servers accessed via the Web. Google (GOOG) in particular is going to get some scrutiny, both because it’s Google and because it appears that a lot of this stuff was stolen after the hacker used Google’s “password recovery” system to root around. UPDATE: Twitter is now going out of its way to say that the attack isn’t Google’s fault, but Twitter’s fault for using passwords that are easy to guess.

Albert Wenger, a partner at Twitter investor Union Square Ventures, says in a post that his shop is currently considering moving its systems to Gmail and Google Docs, but notes the big problem: “The threat of access by a third party increases exponentially with the move to the cloud, because the machines that now contain the documents and the links to those documents (as sent by email) are accessible to the Internet at large.”

But cloud computing isn’t going away, so someone’s going to need to figure out how to make security better, yet still practical. There’s a reason no one follows the standard advice about having a different, impossible-to-remember password for every account you have. Wenger takes a stab at it in post–he suggests something tethered to a mobile phone. But whoever figures it out is going to have a lot of fans.

Williams’s description of the hack, via TechCrunch:

Yes, we did suffer an attack a few weeks ago and are familiar with this list of stuff. This is unrelated to the hack of twitter where someone gained access to user’s accounts. This had nothing to do with the security of twitter.com, and there were no user accounts compromised here.

Some notes:

- He did not actually gain access to my @ev Twitter account (or any Twitter accounts) nor any administrative functions of the site.
- There is also no evidence that he gained access to my email. There was one administrative employee who’s email was compromised, as was my wife’s Gmail account, which is where he got access to some of my credit cards and other information.
- He also successfully targeted a couple other employees personal accounts (Amazon, AT&T, Paypal…)

In general, most of the sensitive information was personal rather than company-related. Obviously, this was highly distressing to myself, my wife, and other Twitter employees who were attacked. It was a good lesson for us that we are being targeted because we work for Twitter. We have taken extra steps to increase our security, but we know we can never be entirely comfortable with what we share via email.

[Image credit: Wikimedia Commons]

]]> http://allthingsd.com/20090715/the-twitterhack-is-cloud-computings-wakeup-call-time-for-security-that-works/feed/ 0