Citigroup leaks customer data through P2P file sharing

Dow Jones Newswire reported on Friday, September 21st, that "The names, Social Security numbers and mortgage information of thousands of people have been leaked by an employee of Citigroup Inc.'s (C) ABN Amro Mortgage Group unit onto a popular peer-to-peer file-sharing network. The leak made the information available to millions of casual music-sharers, as well as would-be identity thieves." The P2P network in question is LimeWire, software that permits sharing of music, movies, and other files over its network.

The data in question apparently leaked through the home computer of a Citi employee (one news story says it is a "former employee"). This again highlights the challenges that organizations face in trying to exert content control when their systems and networks are increasingly decentralized and de-perimeterized.

Play fair... or they'll come after your secrets

I’m not usually one for ‘this-could-happen-to-you’ stories, but I’m still having trouble getting over last month’s story about grocery giant Tesco having to turn over 11 million emails to the UK’s Competition Commission for their investigation into possible anti-competitive practices against its suppliers.


Role Management and eSSO vendors - a call for action

Part of a successful Identity Management (IdM) project is a successful role discovery and mapping phase. Many organizations -- after having mapped and optimized their business processes -- turn to role design and management solutions (VAUU RBACx, BHOLD, Oracle's BridgeStream, and others). While these solutions give a great initial insight into the existing role structure, they are not the only source of role interrelationship information. Role design can build on many other sources: demographics mined from helpdesk tickets from users requesting access, job descriptions, quality management systems (in certain cases this is wishful thinking...), and increasingly from Enterprise or Desktop eSSO solutions (PassLogix, ActivIdentity, CA). eSSO solutions store multiple login credentials for users to multiple applications. As such, extracting account linkage, mapping and correlating user IDs between user repositories based on access information built by end-users is much more reliable than any artificial role mining logic, usually based
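The account linkage described above, worked through as an added example that is not from the original post or from any of the vendors named: given an eSSO vault export of (directory user, application, application account) records, build the per-user account map, attribute application accounts back to people, and group identical application footprints into candidate roles. All records, application names and field names below are constructed.

```python
"""Added example: account linkage and candidate-role discovery from eSSO
credential-store records. The records are constructed sample data; the field
layout (user, application, account) is a hypothetical vault export format."""
from collections import defaultdict

# Constructed eSSO vault export: (directory user, application, application account)
ESSO_RECORDS = [
    ("jsmith", "SAP", "SMITHJ"),
    ("jsmith", "Siebel", "jsmith2"),
    ("jsmith", "Mainframe", "JSM01"),
    ("adoe", "SAP", "DOEA"),
    ("adoe", "Siebel", "adoe"),
    ("adoe", "Mainframe", "ADO02"),
    ("bkim", "SAP", "KIMB"),
    ("bkim", "Payroll", "kim.b"),
    ("bkim", "SAP", "KIMB_ADMIN"),  # second SAP account held by the same person
]

def account_linkage(records):
    """Map directory user -> {application -> sorted list of linked accounts}.
    Several accounts in one application (e.g. a privileged secondary account)
    are all kept, because they matter for separation-of-duties review."""
    linkage = defaultdict(lambda: defaultdict(set))
    for user, app, account in records:
        linkage[user][app].add(account)
    return {u: {a: sorted(accs) for a, accs in apps.items()} for u, apps in linkage.items()}

def reverse_lookup(records):
    """Map (application, account) -> directory user, so an account seen in an
    application's own user list can be attributed to a person."""
    return {(app, account): user for user, app, account in records}

def candidate_roles(records):
    """Group users by the exact set of applications they hold accounts in.
    Each distinct footprint is a candidate role: {frozenset(apps): sorted users}."""
    footprints = defaultdict(set)
    for user, app, _ in records:
        footprints[user].add(app)
    roles = defaultdict(list)
    for user, apps in footprints.items():
        roles[frozenset(apps)].append(user)
    return {apps: sorted(users) for apps, users in roles.items()}

def orphan_accounts(records, app, app_account_list):
    """Accounts in an application's own user list that no vault record links to
    a person; these are the ones a role-mining tool cannot attribute."""
    known = {acct for _, a, acct in records if a == app}
    return sorted(set(app_account_list) - known)
```

Running `candidate_roles(ESSO_RECORDS)` yields two footprints here: jsmith and adoe share {SAP, Siebel, Mainframe}, bkim alone holds {SAP, Payroll}; the orphan check takes the application's own account list as its third argument.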



Promote A Greener Way To Combat Identity Theft

Allow me to put on my "Good Housekeeping" trite advice hat for a second...

As the leaves turn an autumnal hue, many of our end users' thoughts will turn towards preparing their yard for the winter. Why not turn this into an opportunity for both environmental responsibility and security awareness by promoting composting?

Discarded credit card offers and bank statements, mixed with old leaves, kitchen waste and yard clippings, will quickly become unreadable without ever having to be left in the trash on the curbside. And come next year they'll be a useful fertilizer for the lawn or beds.

Perhaps adding a horticultural element to a security awareness program will reach some people we've not managed to reach before. A good guide to composting can be found here. Just a thought, eh?

Google proposes global privacy standard... joining the crowd

A few weeks behind the likes of Microsoft, and well behind many large corporations who have decried the need for a global privacy standard for years, Google has now suggested that a global privacy standard is necessary. In theory this is of course a great idea for corporations: it would make doing business at the international level easier and make regulations consistent around the world. But right now we've got a long way to go, because almost every country in the world has a different (or as yet undefined) understanding of what privacy means for its citizens.

They have also highlighted the idea of considering actual harm when regulating privacy. At first glance this does seem like a good idea: no harm, no foul, right? But the trouble is that clever thieves often hold onto the information they've stolen (or bought from someone else) and use it months or years later, when the victim may no longer be on their guard. It is therefore very tricky to link actual consumer harm to a particular theft. In the end, it's the consumer who again ends up with the short stick, and with no way to prove which company lost their information and caused this particular theft.


What is up with Gmail?

I have been a Gmail user for years. I've always been happy with it until recently. About a month ago, I started seeing a noticeable increase in the number of SPAM messages that made it into my Gmail inbox. Granted, my Gmail address is out there; it's the address I use to order online merchandise, the one I use for mailing lists, etc. But Gmail had always done a decent job of keeping the SPAM volume low. I used to get at most two SPAM messages a day. Something changed recently. I've been getting more and more SPAM every day, over ten SPAM messages a day! I started seeing SPAM that would have been filtered out by any decent anti-spam tool. For example, I got an email today from "Ursula Diggs":

Ursula Diggs           buy now Viagra (Sildenafil) 100mg x 60 pills $129.95

This mail was sitting in my Gmail inbox! Are you seriously telling me that Gmail can't recognize a piece of SPAM when it has "Viagra" neatly spelled out in the subject line?

Has Postini started to manage Gmail? I don't know. Hard to imagine that Postini would let something like this slip by. But what is the explanation? What is up with Gmail? Have they stopped working on the security features of Gmail, in anticipation of the Postini integration?

I'd love to hear what you think about this and what your experience is with Gmail.
