What’s a Presidential candidate to do, other than issue statements and demand investigations?

The State Department said on Friday that it was investigating several incidents in which the passport files of all three presidential contenders were improperly accessed by employees.

The breaches involved electronic files that contained personal information about Senators Barack Obama, Hillary Rodham Clinton and John McCain. A State Department spokesman declined to say what was in those files, but he said they were likely to contain biographical information and passport applications.

Mr. Obama’s passport file was breached on three separate occasions earlier this year and as recently as last week, by three employees working for independent contractors who did not have authorization to access the information. The breaches occurred on Jan. 9, Feb. 21, and March 14, according to The Associated Press.

The State Department’s computer system had flagged each incident, but senior department officials were not informed until they looked into the matter, after receiving inquiries from a reporter on Thursday, a department spokesman said. “That information didn’t rise up to senior management levels,” the spokesman, Sean McCormack, said at a Friday news conference. “That should have happened.”

Two of the employees were fired, Mr. McCormack said. The Associated Press reported that they had worked for Stanley, Inc., a company that provides administrative support and services to government groups and is based in Arlington, Va. Stanley signed a five-year, $570 million contract with the State Department earlier this week to work on the department’s passport database.

The third employee also accessed Mr. McCain’s file, but was only reprimanded and remains employed.

More updates here and here. Watch several news reports here.

The State Dept. called it “imprudent curiosity.” The Obama campaign called it “an outrageous breach of security and privacy.” Caught between adjectival phrases, Secretary of State Rice apologized to Senator Barack Obama.

More coverage at Hot Air. As the Washington Post reports,

Two State Department employees were fired and a third has been disciplined for improperly accessing Sen. Barack Obama’s passport file, the State Department announced last night.

Senior department officials said they learned of the incidents only when a reporter made an inquiry yesterday afternoon. They said an initial investigation indicated that the employees — all of whom worked on contract — were motivated by “imprudent curiosity.”

Bill Burton, spokesman for Obama’s presidential campaign, called the incidents “an outrageous breach of security and privacy.” He said this is “a serious matter that merits a complete investigation,” adding that the campaign will “demand to know who looked at Senator Obama’s passport file, for what purpose, and why it took so long for them to reveal this security breach.”

Undersecretary of State Patrick F. Kennedy, in a hastily arranged conference call with reporters, said he asked the State Department inspector general to open an inquiry into the matter and acknowledged that it might need to be expanded.

He also said he would brief Obama, who is locked in a tight race for the Democratic presidential nomination with Sen. Hillary Rodham Clinton, today on the matter.

Kennedy said that he did not know yet whether any laws were broken or whether the employees shared the information with others. He said that the incidents, which occurred at three offices, on Jan. 9, Feb. 21 and March 14, should have been “passed up the line” much sooner and that officials were seeking to determine why they had not been disclosed earlier.

Secretary of State Condoleezza Rice, who was briefed yesterday afternoon, requested a “full investigation,” department spokesman Sean McCormack said.

The Toronto Star reports on the massive hacking attempts of Ontario porn company, SlickCash, on Facebook’s servers.

A Canadian company specializing in Internet porn is being sued by Facebook amid allegations it hacked the popular social networking website’s computers and tried to access the personal information of users, court documents show.

A numbered Ontario company, which does business online under the name SlickCash, along with several people in the Toronto area, are named in an amended complaint filed by Facebook in San Jose, Calif.

The hugely popular information sharing website alleges that, for two weeks last June, the defendants attempted to access Facebook’s servers at least 200,000 times.

“Each of these requests sought to direct Facebook’s computers to send information on other Facebook users back to (the company’s Internet Protocol) address,” the court documents say.

“These requests for information from Facebook generated error messages and were detected as unauthorized attempts to access and harvest proprietary information.”

It wasn’t clear from the documents what information was accessed, but the complaint alleges “the defendants knowingly and without permission took, copied, or made use of, data from Facebook’s proprietary computers and computer network.”

Facebook, with an estimated 34 million users worldwide, allows members to post photos alongside personal information like a birth date, hometown, e-mail address, phone number, and workplace.

As The Register notes, the lawsuit brings more attention to the vulnerability of members’ data on Facebook.

It’s not terribly clear what data was accessed, much less the goals of the alleged attack. Court papers (PDF) allege the defendants uploaded scripted commands to a server run by a firm called Accretive to “gain unauthorised access and launch malicious code” on Facebook’s site.

Facebook encourages users to post personal information such as birth date, hometown, email address, work details and even phone numbers online. This information is shared with a user’s “friends” and, in a lot of cases, other on any network a user cares to join. The social networking utility boasts a membership of 34m users.

Any amount Facebook might hope to gain from this suit is surely outweighed by the damage to its already poor reputation for privacy. More than anything else the lawsuit emphasises that Facebook is an insecure place to post personal information. Since Facebook’s business model, such as it is, relies of people coughing up this information that’s hardly a good thing.

As reported by Information Week:

A Salesforce.com employee bit on the bait of a phisher, and now the Web-based CRM software provider is warning customers not to fall for the same cybercriminal tricks.

On its Trust.Salesforce.com Web site this week, Salesforce.com posted a “letter about security” to customers alerting them to be cautious of “phishing and malware scams on the Internet,” which are on “the rise.”

In fact, the company revealed that a Salesforce.com employee had been a recent victim of a phishing scam that tricked the worker into disclosing a password, providing the phisher with information on a customer contact list. That contact list information included “first and last names, company names, e-mail addresses, and telephone numbers for Salesforce.com customers and related administrative data” belonging to Salesforce.com, according to the letter.

The letter, which was signed by Salesforce.com executive VP Parker Harris, also revealed that “a small number” of Salesforce.com customer users subsequently have become victims of a phishing — being fooled into disclosing passwords after receiving “bogus e-mails that looked like a Salesforce.com invoice but were not.”

In addition, “a few days ago, a new wave of phishing attempts that included attached malware — software that secretly installs viruses or key loggers — appeared and seemed to be targeted at a broader group of customers,” the company disclosed in the notice.

“That’s why we warned our system administrators last week of this new, more malicious phish and why we are sending this letter now with the goal of increasing awareness.”

The incident brings to mind that we must all be wary and take precautions. As always, Privacy Maven recommends the helpful resources of the Anti-Phishing Working Group to stay apprised of current phishing scams.

Consumer Affairs reports on details emerging:

New information from a lawsuit against the TJX Corporation over its breach of customer information revealed that as many as 94 million Visa and Mastercard holders were exposed to hackers.

The new number was nearly double the initial estimate of 46 million affected customers that TJX reported in early 2007, when the breach was first revealed.

Visa officials estimated losses of $65 million to $83 million as a result of the breach, the largest and most exact number provided yet. The new information may officially mark the TJX affair as the biggest data breach in history.

The information came as part of a lawsuit filed by a coalition of banks against TJX, whom the banks hold responsible for not securing and protecting cardholders’ data as they performed transactions and made purchases.

The extent of the security lapse at TJX is staggering. eWeek reports on what has been uncovered thus far:

Citing new information about the TJX data breach, attorneys suing the clothing retail chain amended their complaints on Oct. 25 and want a jury to evaluate TJX’s security professionalism.

New details that emerged from documents filed in federal court Oct. 25 include:
# A TJX consultant found that not only was TJX not PCI-compliant, but it had failed to comply with nine of the 12 applicable PCI requirements. Many were “high-level deficiencies,” the consultant said.

# “After locating the stored data on the TJX servers, the intruder used the TJX high-speed connection in Massachusetts to transfer this data to another site on the Internet” in California. More than “80 GBytes of stored data improperly retained by TJX were transferred in this manner. TJX did not detect this transfer.”

# In May 2006, a traffic capture/sniffer program was installed on the TJX network by the cyber-thieves, where it remained undetected for seven months, “capturing sensitive cardholder data as it was transmitted in the clear by TJX.”

# In 2004, before the attacks began, TJX was issued a report on its security compliance that “identified numerous serious deficiencies at TJX, including specific violations. TJX did not remedy many of these deficiencies.”

Read the rest of the article for more details and links to previous coverage of the TJX data breach.

According to The Boston Globe:

Not Your Average Joe’s, a Massachusetts restaurant chain, said yesterday that thieves have stolen credit card data belonging to its customers.

The Dartmouth-based chain estimated less than 3,500 of the 350,000 customers it served in August and September had their credit card information stolen. The 14-restaurant chain said it is working with the US Secret Service and major credit card companies to determine how the data theft occurred and precisely how many customers were affected.

Today, the chain plans to post on its website a notice to customers about the security breach.

A laptop has been stolen from a vendor that manages the job applications for Gap, Inc., putting the personal information of 800,000 job applicants at risk. A statement has been posted on the Gap website:

Gap Inc. (NYSE: GPS) today announced that a laptop containing the personal information of certain job applicants was recently stolen from the offices of an experienced third-party vendor that manages job applicant data for Gap Inc.

The company has begun notifying the job applicants whose Social Security numbers were included in the information on the laptop and is offering them a year of free credit monitoring services with fraud resolution assistance, along with a dedicated 24-hour helpline.

Personal data for approximately 800,000 people who applied online or by phone for store positions at one of Gap Inc.’s brands between July 2006 and June 2007 was contained on the stolen laptop. Contrary to the company’s agreement with the vendor, the information on the laptop was not encrypted. The company has no reason to believe the data contained on the computer was the target of the theft or that the personal information has been accessed or used improperly.

“Gap Inc. deeply regrets this incident occurred. We take our obligation to protect the data security of personal information very seriously,” said Gap Inc. Chairman and CEO Glenn Murphy. “What happened here is against everything we stand for as a company. We’re reviewing the facts and circumstances that led to this incident closely, and will take appropriate steps to help prevent something like this from happening again.”

Consumer Affairs discusses the implications and consequences of such outsourcing:

Outsourcing of business processes such as billing, payroll, and employee data to third parties has been a primary cause of data breaches in recent years. Third-party companies that handle personal data often do not adhere to the privacy standards of the companies or government agencies they are contracted to, and simply passing data through multiple hands increases the risk that it may be lost, stolen, or misused.

TJX is offering settlement terms:

In an attempt to reach a settlement with customers over a massive data breach, TJX Companies is offering to reimburse people for the cost of replacing their driver’s licenses, three years of credit monitoring, and three-day, 15%-off sale. The company announced the plan in an online advisory, noting that it’s subject to court approval.

TJX, which is the parent company of retailers such as T.J. Maxx, Marshalls, and HomeGoods, announced early this year the loss of more than 45 million credit and debit card numbers that were stolen from its IT systems over an 18-month period. It’s considered to be the largest customer data breach on record.

In August, the company reported in its second-quarter earnings that the company had to absorb a $118 million charge related to the massive security breach. For the second quarter, which ended July 28, the breach cost 25 cents per share — 10 times more than the 2 cents to 3 cents per share company executives estimated just three months ago.

The Motley Fool considers this a “crafty settlement:”

TJX’s settlement includes two interesting features. For customers that shopped at TJX department stores during the affected period, the company is offering vouchers to cover “costs as a result of the intrusion.” The vouchers are good for use at local TJX stores. As you might guess, a relatively small denomination voucher is a great way to get shoppers into a store and potentially spend more than the value of the voucher. Another piece of the settlement is a future event at TJX stores that will give across-the-board savings of 15%. Far from a specific “result of the intrusion” event, this sale will be open to all customers.

In May, 2006, the Veterans Administration (VA) fell victim to an enormous data breach, affecting more than 26.5 million veterans. Now more than a year later, the news from the Government Accounting Office (GAO) is not good. They assess that the VA is at risk for another data breach:

A GAO audit of physical controls at VA installations found more than 100 missing IT-related items, according to a report by government investigators released this week.

The VA suffered a massive data breach last May when a laptop was stolen from the Aspen Hill, Va., home of a department employee. The incident affected 26.5 million veterans and active-duty members of the U.S. Armed Forces.

The theft of any one of 53 missing computers noted by the GAO could result in another breach, according to the agency.

“Our assessment found that a weak overall control environment for IT equipment at the four locations we audited posed a significant security vulnerability to the nation’s veterans with regard to sensitive data maintained on this equipment,” Valerie C. Melvin, director of human capital and management information systems issues at the GAO, testified before the U.S. Senate Committee on Veterans Affairs on Wednesday. “Our statistical tests of physical inventory controls at the four locations identified a total of 123 missing IT equipment items, including 53 computers that could have stored sensitive data. The lack of user-level accountability and inaccurate records on status, location and item descriptions make it difficult to determine the extent to which actual theft, loss or misappropriation may have occurred without detection.”

As with last year’s incident, veterans are left to fend for themselves. It underscores the importance for all of us to be vigilant over our financial and personal records. There are several useful resources on the Internet, including the government website IDTheft.gov and Privacy Rights Clearinghouse.

In recent days, more and more worrisome details are emerging regarding the data breach at TD Ameritrade which has affected its 6.3 million customers. Initial reports were slim on detail, as evidenced in this brief CNN news report.

Now Information Week reports:

An attorney launching a class-action lawsuit against TD Ameritrade Holding alleges the online brokerage knew a hacker had access to a customer database as far back as a year ago.

Information Week indicates the company has responded:

Kim Hillyer, a spokeswoman for Ameritrade, said in an interview that all of the company’s 6.3 million accounts that were opened before July 18 of this year were breached. She would not say when the company first learned that there had been a breach, only offering that “they had been investigating client reports of spam for some time.”

She said in the last few weeks they discovered that malicious code had been embedded in the system. She would not say what part of the system was infected or what kind of code it was. “We have been working with forensics,” she said. “They said they’ve never seen it before.”

Hillyer also said that while the investigation was ongoing, as new customers came on board, the company put their information in the compromised database. “We didn’t know what the cause of the leak was,” she added. “Anyone who opened an account after July 18, though, was not affected by this.”