The external hard drive lost by Health Net, which contained customers' personal information, was not encoded and could be read by commercially available software, the state attorney general said today.

The hard drive was apparently stolen in May from Health Net's Shelton facility, rather than simply misplaced, Richard Blumenthal said. It contained personal medical and financial information of as many as 1.5 million customers in the Northeast dating back to 2002, including 446,000 in Connecticut.

But the hard drive might not have been stolen for the information. Laptops were also stolen from the Shelton facility sometime before the hard drive was taken.

Health Net reported those findings to Blumenthal as part of Blumenthal's ongoing investigation of the loss, which happened in May but was not reported publicly until last month. The new findings are based on an investigation prepared privately for Health Net.

Read the full article here in the Hartford Currant.

For the second time this month, PayChoice Inc., a large online provider of payroll processing services, has had to shut down its online portal because of a security breach.

The company said its Online Employer site was "briefly taken offline" Thursday as the result of a security breach discovered a day earlier. The company did not identify what the problem was, but said that it had deployed additional security measures to protect client data after it identified a "key mechanism" used by online attackers.

PayChoice, based in Moorestown, N.J, provides payroll processing services and technology. The company bills itself as the "national leader" in the payroll services and software industry and claims over 125,000 business customers.

A story in the Washington Post quoted from a letter PayChoice sent to its customers saying the breach appeared to be linked to the password reset function on the portal. Those responsible for the breach appear to have stolen login IDs and passwords belonging to customers by exploiting a weakness in the function, the Post reported. The company has disabled the change password capability on the site and modified all login IDs as a result of the intrusion.

The valid login credentials of an employee at one of PayChoice's customers was used to add fictitious employees to that customer's payroll in an attempt to have payments made to fraudulent bank accounts, PayChoice confirmed today.

Read the full story here on The Industry Standard website.

Justin Feffer, a senior investigator at the Los Angeles County district attorney's office, drove to a suspect's house last December for a search relating to an identity-theft case. First, he did what cops normally do: took down the license number on the truck in the driveway, noted that surveillance cameras hung from the eaves and the windows were covered in paper.

Then, he did something unusual for a local cop: He pulled out his iPhone and checked for any unencrypted wireless access points nearby. The iPhone check, says Mr. Feffer, helped avoid the predicament that befell two other law-enforcement agencies that raided the wrong house on successive days, because the real suspect in a child pornography case had been using an innocent person's unprotected wireless Internet connection. Mr. Feffer didn't find any wireless loopholes that could be exploited.

As a member of the Los Angeles district attorney's high-technology crimes unit, Mr. Feffer is part of a cadre of 21st century crime fighters who sift through digital evidence on computers, cellphones and other electronic devices. While the Internet has vastly expanded the reach of criminals, the digital fingerprints that these activities leave can be a powerful investigative tool -- for those with the knowledge and equipment to use it.

Read the full story here on the Wall Street Journal website.

In November 2008, the major pharmacy benefit management firm said it received an anonymous letter that included the names, Social Security numbers, birth dates and, in some cases, prescription information of 75 members. The writer or writers threatened to release millions of more records if the business failed to pay an unspecified sum of money.

In the last two months, based on new information from the extortionists, Express Scripts began notifying more than 700,000 victims of their personal information may have been compromised.

After initially notifying only the 75 victims from last year, the company in August was told by the FBI that “…the perpetrator of the earlier action had recently forwarded a letter and data file to a law firm,” according to the company's website.

Maria Palumbo, spokeswoman for Express Scripts, would not elaborate on the contents of the letter.

“The FBI is conducting the investigation that was opened last fall,” she told SCMagazineUS.com Thursday. “It is still ongoing.”

The website points out, however, that FBI special agents contacted Express Scripts immediately, and the news was not good.

Read the full story here on the SC Magazine website.

Katie Allison Granju, who writes a blog on parenting and current events, was worried a barbed post could get her sued. So she bought media liability insurance to protect her home and savings.

"You wouldn't publish a newspaper without liability insurance, so you should take the same precautions with blogging, if you have any kind of audience or readership," said Granju, 41, of Knoxville, Tenn.

U.S. lawsuits over Web postings jumped 70 percent in 2008 from 2006, when the social networking site Facebook Inc. was opened to anyone with a valid e-mail address and Twitter Inc. was first started. The data come from the Citizen Media Project, which is affiliated with Harvard Law School's Berkman Center for Internet & Society in Cambridge, Mass.

The cost of defending against legal action can range from $5,000 to at least $100,000 if the case goes to trial, said Ron Coleman, a trademark lawyer at Goetz Fitzpatrick in New York. Of the 256 lawsuits dating as early as 1994 through April tracked by the New York-based Media Law Resource Center, damages were awarded in 17 cases, totaling $43.9 million.

Visit the Honolulu Advertiser website for the rest of the article.

The lawsuit, filed in August of last year, alleged that Facebook and its Beacon affiliates like Blockbuster and Overstock.com violated a series of laws, including the Electronic Communications Privacy Act, the Video Privacy Protection Act, the California Consumer Legal Remedies Act and the California Computer Crime Law.

The proposed settlement, announced late on Friday, calls not only for Facebook to discontinue Beacon, but also back the creation of an independent foundation devoted to promoting online privacy, safety and security. The money for the foundation will come from a US$9.5 million settlement fund.

Read the full story here in the New York Times.

A gang of organized cyber criminals that has stolen millions from businesses across the United States over the past month appears to have turned its sights on public schools and universities.

On the morning of Aug. 17, hackers who had broken into computers at the Sanford School Districtinitiated a batch of bogus transfers out of the school's payroll account. Each of the transfers was kept just below $10,000 to avoid banks' anti-money laundering reporting requirements, and went out to at least 17 different accomplices or "money mules" that the attackers had hired via work-at-home job scams. in tiny Sanford, Colorado

A school employee spotted the bogus payments on the morning of the 19th, when the school district learned that $117,000 had been siphoned from its coffers by cyber crooks.

Sanford Superintendent Kevin Edgar said the school successfully reversed two of the transfers totaling $18,000, but that rest of the stolen money remains in limbo.

"We've been told that if we do get any more of these reversed, it may take 30 to 45 days to get that money back," Edgar said. Meanwhile, the school district's bank is playing hardball, insisting that the school is at fault for the unauthorized transfers.

Read the full story here on the Washington Post website.

With a few keystrokes, computer security expert Esteban Farao can find all the wireless networks in use in a half-block radius from a Starbucks on Brickell.

Farao, of Coral Gables-based Enterprise Risk Management, said the security of any of those networks could be compromised -- a la Albert Gonzalez.

``It's a matter of time,'' Farao said, even for networks that are encrypted and password protected.

Gonzalez, of Miami, pleaded guilty last month to 19 felony charges in a Massachusetts indictment for tapping into the computer networks of T.J. Maxx, OfficeMax and other stores, stealing customers' data and selling it overseas. Federal prosecutors say he stole 40 million credit card numbers as a part of that scheme. He faces charges that he stole millions more from other companies.

Read the full story here on the Miami Herald website.

A hacker accused of stealing tens of millions of credit and debit card numbers in one of the largest computer break-ins in U.S. history pleaded guilty Friday to fraud, identity theft and other charges.

As part of a plea agreement with federal prosecutors, Albert Gonzalez, 28, of Miami, also agreed to forfeit more than $2.7 million, a Miami condo, a 2006 BMW 330i, a Tiffany diamond ring and Rolex watches. He faces up to 20 years in prison and is scheduled to be sentenced Dec. 8.

A survey released today by Travelers reveals how the use of social media can expose businesses to risk. As the Travelers Global Technology business unit commemorates its 25-year anniversary, it conducted a national online survey of more than 2,000 adults to explore trends in social media and the potential risks to businesses.

A key finding in the survey shows that one out of eight respondents indicated that they post work-related information on social media Web sites. In fact, 30 percent feel it is acceptable to post information online about their employer as long as they believe it is true. Survey results also showed that more than 75 percent of those who post anything personal online said they were “not at all” or “not very concerned” about information posted online causing professional damage.

Read the full story here on the SmartBrief website.

Download the survey here from the Travelers website.

A lawsuit filed on Wednesday against some of the most shadowy Internet criminals — gangs based in Eastern Europe that electronically break into business computers, steal banking passwords and transfer themselves money — is being used to pry information from a group that is nearly as reclusive as the hackers: banks whose computers have been compromised.

The suit by Unspam Technologies, which organizes volunteers to track down information about spammers and other online rogues, was filed in United States District Court for the Eastern District of Virginia.

Click here to read the full story from the CNBC website.

Five Facebook users are suing the social network for doing what made it an online superstar -- letting members share aspects of their lives on the Web.

A lawsuit filed Monday in a southern California court accuses Facebook of being a data-mining operation that does not deliver on promises to give users strict control of data uploaded to profile pages.

Facebook has dismissed the lawsuit as being without merit and promised a legal battle. The suit asks for unspecified cash damages.

One of the parties to the suit is a woman who joined Facebook in an early phase when membership was limited to the college crowd.

Then-Harvard University student Mark Zuckerberg founded Facebook in 2004 as a way for college friends to remain connected as their lives grew apart.

Read the full article here on the Yahoo! News website.

The Act amends the California Code of Civil Procedure by expressly permitting discovery of electronically stored information (ESI), with the end goal of improving discovery measures during litigation and avoiding undue involvement by the court in resolving e-discovery disputes. All discovery requested or responded to in regards to ESI must now comply with the Act, which for the first time provides definitions of ESI. The Act defines ESI as “information that is stored in an electronic medium” and defines “electronic” as “relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.”

For the full review, please click here to visit the JD Supra website.

Insurance company Aetna has contacted 65,000 current and former employees whose Social Security numbers (SSNs) may have been compromised in a Web site data breach.

The job application Web site also held names, phone numbers, e-mail and mailing addresses for up to 450,000 applicants, Aetna spokeswoman Cynthia Michener said. SSNs for those people were not stored on the site, which was maintained by an external vendor.

The company found out about the breach earlier this month when people began receiving spam messages that appeared to come from Aetna and complained to the company, Michener said. The spam purported to be a response to a job inquiry and requested more personal information.

Read the full story here on the PC World website.

A federal class action claims Express Scripts allowed unknown people to gain confidential information of its members. The lead plaintiff claims Express Scripts got an extortion letter in October 2008, threatening to publish confidential information of millions of Express Scripts members on the Internet.

The letter included confidential information of 75 members, including Social Security numbers and prescription information, the suit states.

Named plaintiff John Amburgy claims Express Scripts waited nearly a month to issue a vague statement on its Web site on Nov. 6, 2008 and a second statement on Nov. 11, that admitted some Express Scripts members had received similar letters. Express Scripts announced that it knows where the information was accessed but was still investigating how it was accessed, the suit states. But five months later, Express Scripts still has not announced how many members have had their confidential information compromised, the suit states.

Read the full story here on the Courthouse News Service Website.

Only those customers who weren’t reimbursed for fraudulent charges may sue the Hannaford Bros. supermarket chain over a data breach that exposed 4.2 million credit and debit card numbers to computer hackers, a federal judge ruled.

The decision by U.S. District Judge D. Brock Hornby on Tuesday dismissed all but one of the civil claims brought against Hannaford after the data breach was revealed in March 2008. But a separate lawsuit is still pending in Florida against Hannaford’s sister company, Tampa-based Sweetbay.

Between Dec. 7, 2007, and March 10, 2008, hackers accessed card numbers used at 165 Hannaford stores in the Northeast and 106 Sweetbay stores in Florida. At least 1,800 numbers were stolen and used for unauthorized purchases, Hannaford officials have said.

Electronic payment processing services for the transactions took place in Maine, where Hannaford is based. And lawyers agreed last month that Maine law should apply.

Read the full story here on the Bangor Daily News website.