Sega investigates data breach as hackers strike again

International Business Times

Sega issued a warning to users on Friday that personal data may be at risk after it was infiltrated, joining the growing number of high-profile hacking targets.

In a span of just a few weeks, several multinational companies and even government agencies have fallen victim to cyber crime.

Joining those ranks, Sega said that it has launched an investigation and taken steps to secure data.

“Over the last 24 hours we have identified that unauthorized entry was gained to our Sega Pass database,” the company said.

“We immediately took the appropriate action to protect our consumers’ data and isolate the location of the breach. We have launched an investigation into the extent of the breach of our public systems.”

Passwords were encrypted and no financial data was accessed, it said.

Several other companies have fallen victim lately as well.

On Wednesday the public website of the CIA went down, with the hacker group Lulz Security saying it had launched the attack.

Although the group fashions itself more as pranksters and activists than people with sinister intent, its members have been accused of breaking the law and are wanted by the FBI and other law enforcement agencies.

Lulz broke into a Senate website over the weekend and released data stolen from the legislative body’s computer servers.

In May, the group posted a fake story on the PBS website saying that rapper Tupac Shakur was still alive and living in New Zealand.

The group denied any involvement in the Sega case, however, asking Sega to instead contact them to help “destroy the hackers that attacked you.”

But it does underline an uptick in crime over the Internet.

The last high-profile victim was the International Monetary Fund this weekend, whose computer network was breached by what was believed to be a government-backed effort.

Just last week banking giant Citibank confirmed that credit card data of about 200,000 of its North American customers have been hacked. The event marked the largest attack on a bank in the US to date.

The week before US military contractor Lockheed Martin was compromised as hackers used Lockheed’s own “secure id” technology to access its networks.

Google has accused Chinese hackers of targeting the Gmail accounts of U.S. government officials.



After ID theft, life ‘forever and ever’ intertwined with criminal’s

By Maks Goldenshteyn


BREMERTON — On a cool May night nearly seven years ago, a thin coating of dew settled over Jessica Smith’s Ford Focus, making it difficult for the car prowlers to peer inside.

They found what they were looking for while wiping down her passenger-side window, much like they had done to other cars parked at the Vineyards Apartments, near the Kitsap County Fairgrounds.

A shattered window put Smith’s khaki purse and the valuables inside within arm’s reach. There were credit cards, a checkbook and a military identification card issued to Smith because her father had served in the Navy.

Then a 20-year-old waitress, Smith discovered the broken glass the next morning. She found her server book and apron on the passenger seat covered in glass shards, but no purse.

Her thoughts fell on the $250 insurance deductible. And two weeks shy of her 21st birthday, she wondered if she’d be able to secure a new ID in time to celebrate at the bars.

Smith canceled her checking card with Kitsap Credit Union immediately, but not before someone withdrew a couple hundred dollars at a gas station.

Another week went by before she reported her Bank of America card stolen, an account she had forgotten about. By then, $250 had been withdrawn from the Port Orchard branch, with Smith’s now-expired military ID used to verify the thief’s identity.

Both banks reimbursed her for the losses and she thought it was the end of it.

But it wasn’t until Smith was pulled over for speeding four years later that she realized that was just the beginning.

The officer inquired about a felony.

“I’ve never been arrested,” Smith remembers saying.

“You have a felony.”

“For what? I’ve never been arrested,” she said.

“For someone who’s never done anything wrong, to have a police officer tell you you have a felony, and to treat you like a criminal, that’s really violating,” she said.

The only blemish on Smith’s record was a citation for minor in possession of alcohol. She entered a deferred prosecution agreement and was never convicted.

But when the Kitsap Sun requested a copy of Smith’s criminal history from the Washington State Patrol last week, an eight-page report belonging to a different woman was faxed over.

It belongs to the very offender who was caught with Smith’s military ID card a few months after her purse was reported stolen in 2004. Shown on the history are the woman’s six arrests, at least seven felony convictions and eight misdemeanors.

Smith said the damage inflicted on her credit led to bankruptcy. When filling out job applications, she endures the embarrassment of warning employers about what might turn up in a background check — and convincing them she hasn’t done anything wrong.

“I have to go through the trouble of saying, ‘you might find a felony on my record, but it’s not me.’”


More than a decade has passed since the first identity theft laws were established. While some experts attribute an apparent decline in identity theft complaints to increased awareness, most agree that methods used to commit the crime have grown in complexity.

But not in the case of Jessica Smith, whose life took a turn after a simple car prowl.

In July 2004, two months after Smith’s car was broken into, the owner of a Manette restaurant reported that her business had been burglarized and that a business checkbook was stolen.

By the time authorities were notified, seven checks were forged and passed. Two of them were made payable to Jessica Smith, with her military ID number written on them.

A detective with the Kitsap County Sheriff’s Office called Smith to ask about the forged checks. She told him she wasn’t involved.

In September of 2004, detectives learned that the checks were cashed at Clearwater Casino by someone posing as Smith while using her military ID card — one check for $646.79 and the other $1004.65. A third check for $574.50 also cashed at the casino was written out to Smith.

All three were typed and appeared to have been endorsed by the same person, according to a Kitsap County Sheriff’s Office report.

The crimes committed against Smith may not have been sophisticated, but they would complicate the rest of her life.

Four months after Smith’s purse was stolen, a woman claiming to be Jessica Smith was pulled over just before midnight while driving east on Sixth Avenue in Bremerton.

The state trooper noticed that the car’s back license plate was partially obscured by black spray paint.

A female driver told the trooper she had no identification with her. Asked for her name, the driver replied: Jessica Smith. The trooper asked for her middle initial and a date of birth, questions the driver answered correctly.

“She was very slow with her responses and appeared to have to think about her answers,” the trooper noted in her report.

But the Social Security number the woman provided didn’t match the one belonging to Jessica Smith. Further, the real Jessica Smith was 5 feet 5 inches tall and 21 at the time. The woman in the car looked to be in her mid-30s and was much taller.

The trooper asked for her date of birth again. The driver said she was born in 1981. The trooper asked for her age. The driver said she was 24. The trooper pointed out that if she was born in 1981, that would make her 23.

“Well, what I meant was I am gonna be 24,” the woman posing as Smith replied.

While questioning a second passenger in the car, the trooper spotted a large black purse on the back seat. A pocket on the outer part of the purse contained a military ID card. The trooper also found a number of new syringes and a small red baggie with a white powder residue — probably methamphetamines, based on appearance and smell.

There was also opened mail that never reached its intended destination.

The woman claiming to be Jessica Smith had a washed check in her pocket, further cause for suspicion. She told the trooper she had spilled a soda on the floor of a restaurant, and that’s when she found the check and took it with her.

She was arrested and taken to Kitsap County jail.

At 7:30 the next morning, she was booked. She signed the documents as “Jessica Smith” and listed Smith’s date of birth as her own. After her booking, the inmate was fingerprinted. The fingerprint card and pink disposition form — used to detail arrest information — were also signed by a Jessica Smith and sent to the State Patrol.

It wasn’t until four hours later that the Automated Fingerprint Identification System returned a match: the prints actually belonged to Barbara Reedom, a 34-year-old from Bremerton with a criminal history.

But by then, Smith’s name and date of birth had been processed by the State Patrol, irrevocably linking Reedom’s criminal past with Smith, said State Patrol criminal history manager Deborah Collinsworth.

“We certainly want those arrests to go quickly,” said State Patrol spokesman Bob Calkins, “because you don’t want to book them for DUI and run their fingerprints and sit on them while they make bail and it turns out they’re wanted for murder.”

The name Jessica Smith now appears as an alias in Reedom’s criminal history, along with three other names she’s used.

Reedom could not be reached for comment.

While state law allows individuals to contest the accuracy of their own criminal records and even delete certain elements if warranted, Smith isn’t able to — the crimes aren’t hers.

“You could expunge that out of her file, but this person could use her name again and you’d want the linkage,” said Don Pierce, executive director of the Washington Association of Sheriffs and Police Chiefs.

“Forever and ever, Barbara Reedom is going to be linked to Jessica Smith,” said Kitsap County Sheriff’s Deputy Scott Wilson. “There’s not a whole lot we can do about that.”


Incidents of criminal identity theft — when an individual lists another person’s name and date of birth as their own at the time of their arrest — have prompted agency officials to enhance an existing initiative for identity theft victims, called the Compromised Identity Claim (CIC) program.

Among the new tools is a letter from the State Patrol verifying that the individual is who they say they are. The agency is also offering a specialized ID card that carries the applicant’s information and thumbprint.

When someone requests Smith’s information, Reedom’s criminal history turns up instead. Calkins, the State Patrol spokesman, suggests that Smith create a new record for herself and add her fingerprints to the file. She’d have to drive to Olympia to do so.

“When someone runs that name and (date of birth),” he said, “they’ll get both names and will be prompted to say, ‘oh gee, one of these has a criminal record and one of these doesn’t. I wonder which one it could be?’”

People with common names are also often the victims of a compromised identity when individuals with the same name and date of birth commit crimes, Collinsworth said.

State Patrol officials couldn’t say how many people have been affected — the agency doesn’t track identity theft statistics.

While no central repository for identity theft crimes exists, figures provided by the U.S. Federal Trade Commission and Kitsap County Prosecutor’s Office suggest a decline in the overall number of identity thefts reported in Kitsap County.

At least 48 identity theft-related crimes were referred to the county Prosecutor’s Office in 2002, the first year the county began keeping track. Last year, the number of cases fell to 14.

The FTC, a federal watchdog agency that collects information from law enforcement agencies around the country, has seen a 20 percent reduction in the number of complaints it received from 2008 to 2010. Officials aren’t sure what’s behind the decrease.

The most common type of identity theft in Kitsap continues to be the unauthorized use of someone else’s credit card, constituting 12.4 percent of the 1,156 complaints received from 2005 to March 2010.

Asked if identity theft may be in decline, Bremerton police Detectives Sgt. Kevin Crane and Rodney Harker are split — Harker has noticed a decline, Crane hasn’t.

Kip Branch, a detective with the Washington County Sheriff’s Office in Oregon and president of the Northwest Fraud Investigators Association, warned against reaching any conclusions from the drop-off in complaints sent to the FTC.

When law enforcement agencies first started tracking identity theft a decade ago, they insisted on creating a separate case number for each incident, Branch said.

That practice overwhelmed the agencies, so they cut back to a one victim, one report system.

“We don’t see as many reports come across our desk as we used to, but in those reports, there are many more incidents,” Branch said.

While he’s noticed a decline in some identity theft activities, Branch says more complicated operations like skimming have emerged in their place.

That’s where suspects glean debit and checking account information from ATM machines by outfitting them with a tiny skimming device that captures data embedded on the card. A small video camera placed above the ATM keypad captures footage of PIN numbers as they’re entered. Gas station card readers are also popular targets.

“When no one’s looking, they’ll grab their equipment and take off and hit another machine,” Branch said.

The data is often sold to buyers across the country or overseas. Thieves can encode blank cards with new information and use it to buy products.

Database intrusions are another example. Third-party payment processors working with major banks have database information stolen either by their own employees or hackers. That information is broken into chunks and sold online. Criminals can encode new credit cards with the information.

“It’s certainly out there,” Branch said. “You will hear far less about database intrusions because the financial institutions are not interested in talking about that.”

When Branch began assembling his interagency F.I.T.E Team — Fraud and Identity Theft Enforcement — in Washington County around 2002, an overwhelming majority of the identity thieves he encountered were drug users. That’s no longer the case.

“A lot of people organizing this are people using it as a business. It’s a different environment than what we had back then,” Branch said.


Reedom had been evicted from her apartment around the time of her arrest in 2004. During the eviction, deputies located several pieces of identification, Social Security cards and credit cards.

One of the IDs belonged to the victim of another vehicle prowl. Deputies also found a piece of paper with six names written on it, along with corresponding dates of birth, driver’s license numbers, Social Security numbers and addresses.

A day after her arrest, Reedom spoke with Kitsap County Detective Timothy Keeler in his office. The signatures on Reedom’s jail documents and the ones on the back of the stolen checks appeared to match, according to court documents.

Reedom told Keeler she got hold of Smith’s ID card at a party a week and a half earlier and claimed she had only used it once — while getting booked at Kitsap County jail.

Keeler asked about the matching signatures. Reedom said someone else must have endorsed the checks with a signature similar to hers. She denied passing the forged checks.

Reedom pleaded guilty to second-degree identity theft, three counts of forgery and unlawful possession of a personal identification device. On Oct. 7, 2004, she was sentenced to seven months in prison for those crimes. Two weeks later, she received a 50-month sentence for the narcotics violation and driving without a license. Reedom stayed in prison from Oct. 22, 2004 until Oct. 10 of 2005 — serving a shorter sentence because she agreed to participate in drug treatment.

The real Jessica Smith learned of her impostor’s identity when she received restitution papers in the mail.

In September, Smith decided to see if Reedom had a Facebook page. An older woman with a prominent gold crown on one of her front teeth stared back.

Smith, who now works at a beauty supply store and is attending cosmetology school, says much of the anger she once felt toward Reedom has dissipated.

But one of Reedom’s Facebook posts has stayed with her.

On Sept. 21, 2009, Reedom wrote: “Life is good! In college, employed, great friend, great kids, beautiful granddaughter, bank account (with a good looking balance) who could ask for anything more? Oh yea … Can’t wait for Friday Saturday and Sunday!!!!!!!!!! :) .”

“I would totally forgive this girl,” says the real Jessica Smith, “because everyone makes mistakes.”

“But I should be able to move on with my life, too.”


Kroll Releases Top Ten Data Security Trends for 2011

(The Hosting News) – The 2010 calendar year brought with it an onslaught of new regulatory requirements, technological advances and increased scrutiny in data privacy and security matters that have laid the groundwork for a significant shift in how businesses handle data security in the year ahead. Today, Kroll’s Fraud Solutions division has released its data security forecast for 2011, highlighting the key areas where businesses will see the most noteworthy changes with regard to new data security regulations, breach vulnerabilities and protective measures.

“There is no question that the events of 2010 will impact how organizations approach data security in 2011,” said Brian Lapidus, chief operating officer for Kroll’s Fraud Solutions division. “Expected changes run the gamut from how organizations prepare for and respond to a breach to the types of breaches they will confront. Organizations can stay ahead of the curve by making sure that they are up to speed on the changing risks – from the top of the organization down.”

Kroll’s 2011 Data Security Forecast includes:

1.    More small scale data breaches will make headlines. Now that healthcare entities are required to report breaches affecting 500 or more individuals, expect to see an increase in the number of smaller scale breaches reported. Further, as all companies increase data security measures, system audits will bring to light breaches that may have been overlooked in the past. This is not to say that the era of the massive, Heartland or TJX-style breach is over, but they may be matched by small-breach frequency.

2.     “Low-tech” theft, where data is stolen through non-electronic means, will increase. Data thieves look for the path of least resistance, focusing on areas of least attention to the organization. Because most organizations are focused on improving technology and moving from paper to electronic records, we can expect to see more low-tech data theft on the horizon – such as the bank teller convicted of identity theft for writing down customer information on sticky notes and using it to open credit accounts.

3.    The continuing crisis of lost devices will dominate the data theft landscape. As consumers, we are heavily dependent upon our portable devices – smartphones, netbooks and laptops. Organizations rely on these devices as well for anytime, anywhere connectivity. Yet, stolen or missing devices continue to be a major source of data breaches. In fact, the US Department of Health and Human Services breach list indicates that 24 percent of reported breaches were due to laptop theft — more than any other specific cause. Expect to see an increasing number of instances and warnings of mobile vulnerabilities and scams. We’ve already seen an increase in smishing (SMS or text phishing).

4.    Data minimization will increasingly be seen as an essential component to data security plans. Companies that have spent years amassing as much consumer information as possible are starting to view this model as more of a boondoggle than a bounty. If the information is of no use, it represents a liability. In 2011, we will see organizations increasingly turn to data minimization – limiting the data collected and stored, and purging old data on a regular schedule – as a means to reducing their risks.

5.    Increased collaboration and openness will increase organizational vulnerability to data breach. Interoperability is a requirement for healthcare entities switching to electronic health records, but other sectors (e.g., education and government) are also increasing initiatives to share and utilize data on a massive scale. By nature, data in transit is data at risk. In other words, the exchange of data opens organizations up to new vulnerabilities – from lackluster data security measures at a partner institution to increased propagation of data.

6.    Organizations will increase implementation of social networking policies. For many consumers, social applications have come to define their lifestyles, and they are increasingly bringing their private lives into the workplace. In fact, mobile devices have created a world of “24/7” employees, erasing the already fine line between work and home. Employers will need to focus and develop an organization-wide strategy for social networking policies as they relate to data security to ensure that employees do not open the company up to undue risks.

7.    Data encryption will be seen as a “golden ticket” to compliance. Encryption is often incorrectly positioned as a complete solution to data security. After all, it is one of the best defenses against malicious attempts to hack electronic data, and given the new data protection laws in Massachusetts and Nevada, encryption is fast becoming an essential part of organizations’ compliance checklists. But, to truly ensure all of the bases are covered, companies will have to remember two caveats: compliance doesn’t equal data security and encryption doesn’t equal a total solution – it is only one tool in the data security arsenal.

8.    Third parties will face more stringent breach notification requirements. HITECH is placing Business Associates under increasing scrutiny, as businesses rely more and more on third party data collection. Expect to see more organizations, even those outside the healthcare industry, placing stringent contractual obligations on their third parties to protect company data.

9.    Privacy awareness training will gain prominence as an essential component of breach preparedness. Technology fixes like encryption are effective, but expensive, and electronic monitoring alone won’t catch all instances of PII misuse. With comprehensive privacy awareness training, employees can act as privacy advocates who know how to recognize security hotspots, understand legal obligation, and use vigilance whenever they deal with PII. This is the kind of security equity that no technology can buy.

10.    The possibility of a federal breach notification law is high for 2011. While it’s difficult to go out on a limb and claim we’ll definitely see a law in 2011, there are some compelling reasons why an overarching federal law is on the horizon:

  • States are moving forward, creating a confusing tapestry of conflicting law. A federal law would cut through the noise.
  • Congress has enacted considerable legislation recently – namely HITECH – that opens the door to further legislation.
  • Through grants and other funding sources, the federal government is continuing an aggressive path to encourage the growth of technological initiatives (such as the ONC Beacon grants and the USDOE’s Race to the Top). These new initiatives require new ways of thinking about data security and privacy.

For more information on data security issues, visit or check out the new Kroll blog “A Dialogue on Data Security.”

About Kroll Inc.

Kroll, the world’s leading risk consulting company, provides a broad range of investigative, intelligence, financial, security, and technology services to help clients reduce risks, solve problems, and capitalize on opportunities. Headquartered in New York with offices in more than 55 cities in over 27 countries, Kroll has a multidisciplinary team of more than 3,000 employees and serves a global clientele of law firms, financial institutions, corporations, non-profit institutions, government agencies, and individuals. Kroll is an Altegrity company.


NSA allies with Internet carriers to thwart cyber attacks against defense firms

Published: June 16
Washington Post

The National Security Agency is working with Internet service providers to deploy a new generation of tools to scan e-mail and other digital traffic with the goal of thwarting cyberattacks against defense firms by foreign adversaries, senior defense and industry officials say.

The novel program, which began last month on a voluntary, trial basis, relies on sophisticated NSA data sets to identify malicious programs slipped into the vast stream of Internet data flowing to the nation’s largest defense firms. Such attacks, including one last month against Bethesda-based Lockheed Martin, are nearly constant as rival nations and terrorist groups seek access to U.S. military secrets.

“We hope the . . . cyber pilot can be the beginning of something bigger,” Deputy Defense Secretary William J. Lynn III said at a global security conference in Paris on Thursday. “It could serve as a model that can be transported to other critical infrastructure sectors, under the leadership of the Department of Homeland Security.”

The prospect of a role for the NSA, the nation’s largest spy agency and a part of the Defense Department, in helping Internet service providers filter domestic Web traffic already had sparked concerns among privacy activists. Lynn’s suggestion that the program might be extended beyond the work of defense contractors threatened to raise the stakes.

James X. Dempsey, vice president for public policy at the Center for Democracy & Technology, a civil liberties group, said that limiting the NSA’s role to sharing data is “an elegant solution” to the long-standing problem of how to use the agency’s expertise while avoiding domestic surveillance by the government. But, he said, any extension of the program must guarantee protections against government access to private Internet traffic.

“We wouldn’t want this to become a backdoor form of surveillance,” Dempsey said.

Officials say the pilot program does not involve direct monitoring of the contractors’ networks by the government. The program uses NSA-developed “signatures,” or fingerprints of malicious code, and sequences of suspicious network behavior to filter the Internet traffic flowing to major defense contractors. That allows the Internet providers to disable the threats before an attack can penetrate a contractor’s servers. The trial is testing two particular sets of signatures and behavior patterns that the NSA has detected as threats.

The Internet carriers are AT&T, Verizon and CenturyLink. Together they are seeking to filter the traffic of 15 defense contractors, including Lockheed, Falls Church-based CSC, McLean-based SAIC and Northrop Grumman, which is moving its headquarters to Falls Church. The contractors have the option, but not the obligation, to report the success rate to the NSA’s Threat Operations Center.

All three of the Internet carriers declined to comment on the pilot program. Several of the defense contractors declined to comment as well.

Partnering with the major Internet providers “is probably the technically quickest way to go and the best way to go” to defend dot-com networks, said Gen. Keith B. Alexander, who heads the NSA and the affiliated U.S. Cyber Command at Fort Meade, testifying before Congress in March.

The premise of this strategy is that combining the providers’ ability to filter massive volumes of traffic — a large Internet carrier can monitor up to 100 gigabits per second — with the NSA’s expertise will provide a greater level of protection without violating privacy laws.

But the initiative stalled for months because of numerous concerns, including Justice Department worries that the program would run afoul of privacy laws forbidding government surveillance of private Internet traffic. Officials have, at least for now, allayed that concern by saying that the government will not directly filter the traffic or receive the malicious code captured by the Internet providers. The Department of Homeland Security is a partner in the pilot program.

“The U.S. government will not be monitoring, intercepting or storing any private-sector communications,” Lynn said. “Rather, threat intelligence provided by the government is helping the companies themselves, or the Internet service providers working on their behalf, to identify and stop malicious activity within their networks.”

But civil liberties advocates are worried that a provision in the White House’s recent legislative proposal on cybersecurity could open the way to government surveillance through public-private partnerships such as this one. They are concerned that the proposal would authorize companies to share vast amounts of communications data with the federal government.

“The government needs to make up its mind about whether it wants to protect networks or collect intelligence,” Dempsey said.

Although this NSA technology is more sophisticated than traditional anti-virus programs, it still can screen only for known threats. Developing detection and mitigation strategies for emerging new threats is more difficult.

The program also does not protect against insider threats or employees who deliberately leak material. Nor will it protect a network from penetration by hackers who have compromised security software, enabling them to log in as if they were legitimate users. That is what happened recently when security firm RSA’s SecurID tokens were compromised, enabling hackers to penetrate Lockheed Martin’s computers. Lockheed said no customer, program or employee personal data were compromised.

The pilot program has been at least a year in the making. Providers and companies were concerned that they would be vulnerable to lawsuits or other sanctions if they allowed the government to filter the traffic or shared network data with the government. The NSA, meanwhile, was concerned about the classified data getting into the hands of adversaries.

The Internet carriers that are part of the pilot are not being paid to prepare their systems for it, an effort that industry officials said costs millions of dollars. The providers will work with the companies they currently serve. In some cases, they already provide a similar service of filtering for malicious traffic using their own threat data.

Lynn’s speech also appeared to outline key elements of the Pentagon’s cybersecurity strategy, an unclassified version of which is due out soon. The strategy, said experts and analysts who have been briefed on it, focuses on building defenses and a framework for deterrence. It also makes clear the military’s prerogative to use cyberwarfare and other traditional military means if the United States is attacked or becomes engaged in hostilities with an adversary.

“First we must raise the level of protection in government and military networks,” Lynn said Thursday. “We must ready our defense institution to confront cyberthreats, because it is clear any future conflict will have a cyber dimension.”