Sunday, 24 November 2013

Vodafone Recycles Customer Data in Databreach

Vodafone is more than a little embarrassed this morning when a customer was contacted by a complete stranger saying she had her email and personal data. The stranger had bought a “new” iPhone and yet it was a refurbished model and Vodafone had failed to securely remove the old customer’s data.

As this is a clear data breach of personal data and I am sure the Information Commissioner's Office (ICO) would be interested. Vodafone don’t do this work in-house but are still responsible. They use one of many “professional” refurbishment businesses which have grown up very quickly to support our insatiable appetite for smart phones and the need to recycle them when we chose to change.

The speed of change is a challenge for the market. People, just like those in this story wish to change frequently and without hassle, in this case from Apple to Samsung. However the manufactures, networks and the whole supply chain who support them have been slow. Slow to understand the importance of personal data.

A director of one refurbishment company once said to me; “I don’t get all this fuss about data. It’s the same data when it’s in their hand or pocket”. He’s right to a limited extent however he’s missed the real issue. When the data is in our hand it’s in our control and we are responsible for it - a sort of micro-controlled environment. If we lose it or it’s stolen we can take remedial action. We can contact our bank, the network to block the phone or even remotely wipe the device with some providers.

When we trust responsible others including networks and “take back” service businesses we expect them to adopt a “duty of care”. We TRUST them with our data. In my view this is a wholly misguided trust. If the directors of these businesses “don’t get it” they can’t be trusted. If networks the size of Vodafone don’t have sufficient fail-safes in their procedures we clearly can’t trust them either.

It’s our data and we should either ensure it is safe ourselves or seek guarantees and evidence that it has been destroyed. As the CEO of Blancco (a Finnish company who provide secure erasure software for PC’s and Phones) once said; “It’s not about the data erasure. It’s about the data about the data erasure”. What he was saying is that we must prove the data has been destroyed and have evidence.

We simply can’t trust people sitting in factories doing repetitive tasks to get it right 100% of the time. At best it’s perhaps 98%. With over 60m phones in the UK alone changing every, say three years that could mean 400,000 phones with data on all out there somewhere!! I think, however this is a huge underestimation. In my view most phones never make it to the desk of the poor person whose job it is to wipe them. Most are shipped abroad, mainly to China, India and Africa. In these areas your data has a VERY sinister value. "EH from London" was VERY lucky. Her data didn’t find its way in to the wrong hands.

For close to 20 years now I have been trying to make people aware of the data they throw away. We have found Sir Paul McCartney’s bank details and missile launch codes on thrown away hard drives. Phone and hard drives contain a snapshot of our lives and we carelessly throw that data away on the trust and hope it will be managed correctly. We live in a blind faith that big companies and recycling centres will look after our data.

See the ordinal article in The Guardian at this link.

Jon Godfrey is a Director of Intelligent Lifecycle Solutions who provide services including the refurbishment and recycling of Hard Disk Drives, Mobile Devices and technology equipment.

http://www.lifecyclesolutions.net

Vodafone rings up complaints selling my old iPhone and data as new

A stranger phoned to say that she had bought my iPhone from Vodafone – and it still had all my data on it

- Anna Tims
- The Observer, Sunday 24 November 2013
- Jump to comments (1)

I signed a two-year contract with Vodafone and got a new iPhone, before deciding to switch to a Samsung. I was assured by the store that all my personal data would be removed from the iPhone before it was sold on as used.

A few weeks later I got an email from a stranger saying she had my iPhone with all my data, including my email account. Vodafone had repackaged my old phone and sold it as new!

Vodafone customer service insisted this data breach was "impossible" and refused to apologise. Three months on I have still received no explanation. To make matters worse, the new Samsung phone does not work. Vodafone will not provide a replacement, nor "courtesy phone" while it's sent off for three to four weeks for repair. EH, London

Almost as worrying as the data breach is the fact that a used phone was sold as new. Vodafone explains that its returns policy allows customers to change their mind within seven days and, if the seal of the handset is unbroken or there is less than five minutes' activity on it, it is wiped and resold as new.

Interestingly, once your complaint is forwarded under The Observer banner, Vodafone realises it has a case to answer after all. "For the process to fail in this way is extremely rare and our corporate security team is investigating," says a spokeswoman, who has also started an inquiry as to why customer services was so hopeless. The company has offered you a new phone and a reduced rental deal but, unsurprisingly, you prefer to seek another provider and so, in a magnificent gesture of contrition, it has released you from your contract without a termination fee.

Thursday, 21 November 2013

Compensation for Distress to an Individual Following a Breach

U.K. Court of Appeal’s Award of Compensation for Distress to an Individual Following a Breach of the Data Protection Act: Opening the Floodgates for Claims by Individuals?

World Data Protection Report

Author: Steven P. Farmer

This article was published in World Data Protection Report, November 2013, published by
Bloomberg BNA (www.bna.com).

While regulatory action by the U.K. Information Commissioner’s Office ("ICO") is relatively
commonplace and well reported following data breaches, particularly since the ICO was
granted powers to issue on the spot fines for serious breaches by data controllers of up to
£500,000 back in 2010, private actions for data breaches could be described as occurring
"once in a blue moon".

Nevertheless, in what is a rare and groundbreaking case, the Court of Appeal recently
awarded compensation to an individual for distress following a breach of Section 13(2) of
the Data Protection Act 1998 ("Data Protection Act").

In Halliday v Creation Consumer Finance Limited (2013) EWCA Civ 333, a claim for
compensation for an individual’s distress under Section 13(2) Data Protection Act was
considered. Significantly, the Court of Appeal clarified that, when considering compensation
for distress under the Data Protection Act, it should be borne in mind that it is "not the
intention of the legislation to produce some kind of substantial award".

Whilst this case would appear to provide useful guidance as to what will unlock a claim for
distress under Section 13(2), it can be argued that this judgment represents the narrowest
of victories for potential claimants who believe that they have suffered distress, and,
further, that it is unlikely to encourage a swath of fresh civil claims being brought by
individuals alone unless such distress is above and beyond mere frustration.

Wednesday, 13 November 2013

A New Team, Leadership and Culture the Intelligent Way

For me the last two weeks have been a bit of a rollercoaster ride. Tuesday evening last week we completed the all share purchase of Intelligent Storage Solutions Ltd. (ISS). ISS is a great, profitable and successful business. They have unique technical capability and compete with much bigger businesses. They have great people and a great future.

The last ten days has been quite humbling. Humbling because I had forgotten what it feels like to be part of a close nit positive team in a creative environment. Already the new owners and directors of ISS have been welcomed in to the family with open arms. Already we have formed a new team. We have formed trusts and even the basis of a business culture.

I can’t tell you how rewarding and exciting this feeling is. In a furnace of creativity and in just two days we agreed a short, medium and long terms strategy and the tactics we will apply to achieve our set goals. Already the culture of the business has been established. It might not yet be fully formed but it’s there and you can feel it. It’s a culture that includes humour and fun and is fearlessly positive yet doggedly determined. Some might argue there should be no place for fun in business; I disagree. I think the more positive a working environment one can create the more the team will perform. Perhaps not yet Pool Tables and Table Football (we don’t yet have the space that Google has) but the spirit is there already.

Of course there is a need for certain disciplines and a focus on the objectives at hand. Successful businesses don’t just play; they work hard and to understood focussed objectives. The positive wash-over of fun however pays dividends.

The result of this work? Amazing!! We agreed five new immediate businesses as targets. By Wednesday we had qualified the prospects, made contact and we have three client presentations arranged and we've already submitted one proposal. Of course that’s a long way to contracts signed but I couldn't have dreamt this progress so fast. I better go win this work!

Monday, 11 November 2013

$3,000,000 settlement reached in data breach lawsuit

It amazes me that such small almost incidental actions can result in huge corporation wide disasters. Yet, almost every day we see data breaches which are the result of small errors or carelessness. It might be a dropped USB drive or laptop left in a bar.
Closer to home for me is the massive quantity of discarded data left on unwanted devices. In studies carried out by academia I have seen over 50% of hard drives sold on eBay still containing data. I have also seen a large increase in both mixed work and home data suggesting that more and more users are using machines for both; either home (BYOD) machines used for work at home or work machines used for personal purposes. This mix of data type is a real challenge. I have seen some personal interest which includes a fascination with sadomasochism and extreme political parties on devices. I have seen details of affairs senior staff have been having with their employees. All sensational stuff but in the wrong hands it’s an open invitation for blackmail. Controlling what data is where is a difficult task at the best of times. It can slip through your fingers like sand and once outside of a controlled environment it can sit there like a time bomb waiting to be discovered. Bang does your sensitive data.

Author page »

How much of a headache can a couple of stolen laptops cause your organization? How about a $3 million headache?? That is the amount of a settlement proposed in an Unopposed Motion in Support of Preliminary Approval of Class Action Settlement in Resnick/Curry v. AvMed, Inc., No. 1:10-cv-24513-JLK (S.D. Fla.), a data breach lawsuit pending in the Southern District of Florida.

Background

Resnick involved the theft of two unencrypted laptops from a conference room in the defendant’s corporate office. Unfortunately, the laptops contained personal information of approximately 1.2 million customers/insureds (“the plaintiffs”). The plaintiffs filed a class action lawsuit claiming that AvMed failed to adequately secure the plaintiffs’ personal information.

The District Court dismissed the lawsuit in July 2011, finding that the plaintiffs had failed to show any cognizable injury. The 11th Circuit, however, reversed the trial court, holding that the plaintiffs had in fact suffered cognizable injuries.

Of particular note was the portion of the 11th Circuit’s opinion addressing the plaintiffs’ unjust enrichment count. The plaintiffs had argued that a portion of their insurance premiums was ostensibly for the defendant’s administrative costs in implementing safeguards that protected the plaintiffs’ information. The plaintiffs contended that, as evident by the stolen unencrypted laptops, a portion of those costs should be returned because their information was ultimately compromised and the defendant had not adopted reasonable security measures to protect their information. The 11th Circuit agreed, and held that the unjust enrichment count (among other counts) could proceed on remand.

The Settlement Terms

The $3 million settlement fund is to be disbursed as follows:

approved premium overpayment claims – class members can receive up to $10 per year for each year they paid the defendant for insurance before the data breach, subject to a $30 limit. These are the unjust enrichment damages.
approved identity theft claims – class members who suffered any unreimbursed monetary losses as a result of identity theft related to the breach are eligible to have those amounts reimbursed.
settlement administration expenses – these are the costs for providing notice to the settlement classes and the costs of administering the settlement. At first blush these may seem small, but remember that there are potentially 1.2 million individuals involved.
class counsel’s attorney’s fees and costs – $750,000 to class counsel (Edelson LLC, one of the few plaintiffs’ firms that has demonstrated a pattern of success in privacy and data security litigation).
plaintiff’s incentive awards – $10,000 to be split evenly amongst the class representatives.

Perhaps the most valuable part of the settlement for those of us who advise clients about privacy and data security legal matters is the portion relating to what the defendant has agreed to do in the future, which reads a little like an FTC consent order:

mandatory security awareness and training programs for all company employees;
mandatory training on appropriate laptop use and security for all company; employees whose employment responsibilities include accessing information stored on company laptop computers;
upgrading of all company laptop computers with additional security mechanisms, including GPS tracking technology (this latter part seems a bit much, its usefulness is questionable, and it could lead to other privacy issues related to employee location tracking);
new password protocols and full disk encryption technology on all company desktops and laptops so that electronic data stored on such devices would be encrypted at rest;
physical security upgrades at company facilities and offices to further safeguard workstations from theft; and,
the review and revision of written policies and procedures to enhance information security.

Lessons To Be Learned

Why are the prospective measures so important? They provide a roadmap for what companies should do to minimize the risk of similar litigation. They also make good business sense and are likely compatible with the expectations of a company’s consumers. They are safeguards all companies should consider. Had the two laptops in Resnick been encrypted, one has to wonder whether a lawsuit would have been filed at all.

Another lesson — what are you saying in your consumer-facing policies and notices about the security safeguards your company has adopted to protect consumer information? Such statements, though useful and sometimes required, could expose your organization to the same unjust enrichment argument that the plaintiffs made in Resnick.

Finally, this is the second data breach lawsuit that has resulted in a substantial settlement for the plaintiffs and both were filed in the Southern District of Florida. (The other was Burrows v. Purchasing Power, which I blogged about here, and resulted in a settlement of approximately $430,000). The settlements are in sharp contrast to the vast majority of cases that have been dismissed for lack of standing and damages. It will be interesting to see what impact these recent settlements will have on future data security and privacy litigation.

10/26/13 UPDATE: The Southern District of Florida wasted no time considering the unopposed motion seeking preliminary approval of the class action settlement. On October 25th, just four days after the motion was filed, the court granted it and set the Final Approval Hearing for February 28, 2014.

Sunday, 10 November 2013

Choose your Disposal Contractor with Care

The article below (courtesy of IT-lex Technology Law) should be a lesson to all those responsible for technology disposal whether is be Computers, Servers, Smart Phones or Tablets. In fact almost all technology types hold some level of risk. I remember as a technology buyer for NatWest nearly 20 years ago the bank bought several thousand plain paper fax machines (state of the art at the time!). What they failed to realise is they used a roll of inked film and a thermal print head. At the end of the roll, the bank where supposed to throw the old roll away and fit a new one. What they failed to consider is that the old role had a mirror image of every single piece of paper which had gone through the machine. A plain readable mirror of every payment request, bank details and signature. The used roles were worth a fortune in the "wrong hands".

The wrong hands are your "threat advisory". It's our duty and legal responsibility to ensure that data doesn't find its way in to the wrong hands. The devil is in the detail. In the article below Bow Valley Collage made a VERY common mistake. For now let's forget that they chose a "not-for-profit" although I have some concerns there too. The first mistake they made was making the decision based on price. As we see they didn't get the free service they were expecting. They thought they were doing a good thing for the community however the breach cost them £150k and they were very lucky. In many countries you could easily triple that in addition for a fine and penalty.

They also had no documented Contract, no agreed Procedures, no Certificates confirming the undocumented procedures had been carried out and no confirmation of physical destruction. In fact Bow Valley Collage made the same mistake which tens of thousands of organisations make every year. But this is just the tip of a complicated iceberg.

It seem many have a psychological link between the age and value of the equipment and the value of the data. They are happy to chuck it away. They have made the disposal equivalent of leaving their front door wide open or the equivalent of not having virus protection or a firewall. The data on that old fax machine or old server or your clunky old smart phone is the very same data on which your organisation depends on for its survival. The same data which you meticulously back up and protect in the even of a disaster. The same data which keeps you employed.

If you would like to see more about the detail of what to do rather than what not to do have a look at the ADISA web site. ADISA do an excellent and most important job raising critical issues for businesses. Critical reading for Data Controllers.

Remember this; Free might be the most expensive decision of your career.

College outsources data deletion, suffers huge data breach

IT-LEX Inc
USA
September 30 2013

Here’s a case of an institution that seemed to do everything right, yet still ended up on the wrong side of a data breach. Bow Valley College (in Alberta, Canada), planned to get rid of 12 of its servers. Aware of the environmental and privacy-related concerns that come with such an undertaking, it hired a local nonprofit, the Electronic Recycling Association of Alberta (ERA), to carry out the data wipe, as well as properly dispose of the servers afterwards. In an act of impressive due diligence, the college even “toured ERA’s facilities and was satisfied with the ERA’s processes.” You should be able to see where this is going, and if you can’t, read this old IT-Lex post for a hint. From the snIP/ITs blog:

Four months later, a purchaser of one of the decommissioned servers booted it up and found personal information (including SIN numbers, credit card numbers, and salaries) of 189,900 students and 3,500 employees of BVC [the college] spanning almost 20 years. Over the next few months, the Commissioner received complaints from 28 individuals affected. … [The college] reviewed all the information on … recovered servers to identify the affected individuals and sent out letters to each of them. It also sent emails, set up a telephone number and an email address for information and in some cases, set up face-to-face meetings. It advised affected individuals of their right to make a complaint to the Commissioner and apologized. BVC estimated that its cost to respond to this incident cost over $247,000.

The “Commissioner” referred to here is the Information and Privacy Commissioner of Alberta, who earlier this summer found that, despite touring the facility and seeking out a specialist third-party to handle the data deletion, the college had not done enough to prevent this data breach. In her opinion, the Portfolio Officer found that:

BVC had no signed contract or agreement in place with ERA. In addition, although BVC was charged for “pick-up” it received no invoice for data wiping charges, or certificates to confirm that the data was wiped, or written assurance that the devices were physically destroyed.

However, the Officer also found that BVC’s response after learning of the breach was sufficient to let it off the hook from further punishment: it had “made reasonable arrangements to prevent a similar recurrence”, and “apologized to the affected individuals.”

The lesson here is that data security is no joke, and even an entity like BVC, which seemed to be proactive and diligent in its work to appropriately clear its servers, can still be found lacking. Be extra careful when hiring third parties to clear your drives, and, of course, always try to have something in writing.

Tuesday, 5 November 2013

Bring-your-own-device migraine becomes a foreign intelligence concern

Fear of bugging prompts iPad ban in UK Cabinet meetings

by Lisa Vaas on November 5, 2013 @

Naked Security from Sophos

iPads were plucked from users' hands at a UK Cabinet meeting last week, because of fears that they might be bugged by foreign intelligence agencies.

The Daily Mail on Sunday reported that the Ministers were using the devices for a presentation by Cabinet Office Minister Francis Maude and Mike Bracken, who's in charge of the Government Digital Service.

The talk was on the topic of saving the economy close to £2 billion ($3.19 billion) a year within the next four years.

Typically, the Cabinet isn't particularly generous about applause for presentations, the Daily Mail said, but this time, when the talk wrapped up, Ministers clapped.

That's when the government's security team pounced, the Mail reports, whisking all iPads out of the room to avoid careless talk reaching the wrong ears.

It doesn't stop there, The Telegraph subsequently reported.

Given the security force's fear that foreign intelligence agencies have developed the ability to turn mobile devices into eavesdropping bugs without their owners' knowledge, all tablet computers - which, one assumes, covers all manufacturers' gadgets, and not just Apple's - are now banned from Cabinet meetings.

The Telegraph's Matthew Holehouse writes that Ministers in sensitive government departments have also been given soundproof, lead-lined boxes that they're required to store their mobile phones in while having sensitive conversations.

The concern, he writes, is that

China, Russia, Iran and Pakistan have developed the ability to turn mobiles into microphones and turn them into transmitters even when they are turned off.

The news comes fast on the heels of reports last week from Italian newspapers (including La Stampa) that delegates to the G20 summit near St. Petersburg, Russia, received USB sticks and mobile phone chargers boobytrapped with Trojan horse malware.

The devices reportedly were able to secretly tap emails, text messages and telephone calls.

According to Corriere della Sera, when he got back to Brussels, the G2 European Council President, Herman Van Rompuy, sent the devices over to his security managers.

They in turn asked for help from the German secret service.

Their analysis resulted in a memo going out to member states indicating that the USB stick and power cables were "suitable for the illegal collection of data from computers and cell phones" and that member states should "take every possible precaution in case these items have been used and if not to entrust the security structures for further inspection."

Russia has denied the allegations.

What are the lessons here for businesses? Typically, most don't struggle with the fear of a nation turning their employees' devices into surveillance bugs.

But with or without the threat of foreign intelligence spying on your organisation, iPads, or any other tablet for that matter, are in many ways just smartphones in a bigger form.

That means they carry the same risks to a company's network security.

Such devices also usher in the bring-your-own-device migraine.

Practical tips in these surveillance-happy times

The traditional, centralised approach of configuration management, software, patching and security is often impossible, if not irrelevant, on such platforms, as Sophos's Ross McKerchar has described in his article about handling smartphones in the workplace.

That article has tons of good advice on handling device security, including segregating a user's personal iPad or other device so that they don't have direct, unrestricted connectivity to crucial servers unless absolutely necessary; having clear policies on passwords and jailbreaking; evaluating the risk profiles of platforms (Android vs. Apple); educating users; and more.

But wait, there's more!

Ross followed up with this article, which delves into what an attacker might do with the juicy tidbits on a stolen or lost device. This includes the social engineering stunts that can be pulled, given that the device would likely contain the owner's address, date of birth and information that could then help to answer account security questions.

Still worried about your mobile phone being a bug? Advice for the truly surveillance nervous: Before you read either article, lock your cellphone in your car trunk.

Don't read the articles out loud, and try to avoid moving your lips while you read.

by Lisa Vaas on November 5, 2013 @

Naked Security from Sophos

US Study: Data Of More Than 16 Million Americans Compromised By Breaches Last Year

Tim Wilson November 04, 2013

If you've received one of those letters notifying you that your personal data was involved in a corporate security breach, then there's more than a 25 percent chance you will be the victim of fraud in the coming year.

That statistic is one of many revealed in the new study "Data at Rest Is Data at Risk: Confronting a Singular Threat to Three Major U.S. Industries" (PDF), which was published last week by Javelin Strategy & Research.

The study, which was sponsored by anti-fraud vendor Identity Finder, demonstrates a strong correlation between enterprise data breaches and consumer identity fraud. According to the study, more than 16 million Americans were notified of a data compromise affecting their personal information in 2012.

Among those consumers who were notified of breaches in 2012, Javelin found the following:

4.4 million Americans were both notified that their payment card information was compromised in a data breach and suffered fraud on their existing credit or debit cards.
1.26 million Americans were both notified that their Social Security numbers (SSNs) were compromised in a data breach and became victims of identity fraud.
270,000 Americans were both notified that their online banking credentials were compromised in a data breach and suffered fraud on their financial accounts, including checking and savings accounts.
324,000 Americans were both notified that their bank account numbers were compromised in a data breach and became victims of fraud incurred against their checking, savings, or other financial accounts.

"By breaching the data stores of businesses in the financial, health care, and retail industries, criminals can obtain the fuel they need to execute various fraud schemes, and these crimes have crippling consequences," said Al Pascual, senior analyst of security, risk, and fraud at Javelin. "Identifying and protecting the sensitive information typically stored by these industries is essential for mitigating the risk of a data breach and, therefore, the risk of financial loss to data custodians, consumers, and third-party businesses."

To protect consumers' and employees' personal information, Javelin and Identity Finder recommend that enterprises seek out and identify sensitive personal information wherever it resides in the corporate network. They also recommend that enterprises maintain strong practices in data classification and risk-based security strategies for sensitive information.

Infosecurity - One Quarter of Data Breach Victims Go on to Suffer ID Theft

Celebrity VIP; Sex, Vomiting and Cannabis all in Data Breach

Limo firm hacked; politician, Celeb data breached

An Internet security firm says a limousine software company has been hacked, exposing credit card numbers and potentially embarrassing details about close to 1 million customers, including politicians, star athletes and corporate executives.

Alex Holden, chief information security officer of Milwaukee-based Hold Security, says he discovered the breach at Corporatecaronline more than a month ago. He said he informed the owner of the Kirkwood, Mo.-based software company that customers' credit card numbers, pickup and drop-off information, and other personal details had been stolen.

"The privacy implications of this are very disturbing," Holden said Monday.

Car services buy software from Corporatecaronline and use it to streamline reservations, dispatching and payments. Owner Dan Leonard did not return a call to his company for comment Monday from The Associated Press.

Cybersecurity blogger Brian Krebs, working with Hold Security, first reported the hack on his website krebsonsecurity.com, including details dispatchers gave to drivers heading out to pick up celebrity passengers. For example, Krebs reported a chauffeur driving Tom Hanks to a Chicago restaurant for dinner was advised the client was a "VVIP" who required "No cell/radio use" by the driver.

A chauffeur meeting Latin American textile magnate Josue Christiano Gomes da Silva inside an airport luggage claim area with a printed sign was warned: "SUPER VIP CLIENT. EVERYTHING MUST BE PERFECT!"

Other customers include Donald Trump, who required a new car with a clear front seat; LeBron James, who was picked up at an entrance for athletes at a Las Vegas sports arena; and Colorado Sen. Mark Udall, who was traveling to Boston with golf clubs.

The stolen files also include records about what took place in the vehicles, including sex, vomiting and smoking marijuana, Krebs reports.

Rep. John Conyers, D-Mich., whose data was among those breached, declined to comment Monday. But his spokesman Andrew Schreiber said he was appreciative that the matter was brought it to his attention.

Other members of Congress also said they were uninformed.

"This is the first we have heard about this. We were never notified, but we are looking into the claim," said Leslie Shedd, spokeswoman for Rep. Lynn Westmoreland, R-Ga.

Holden said he found the information from Corporatecaronline customers stored on the same computer server where he earlier found stolen usernames and passwords from PR Newswire, Adobe Systems and about 100 other firms. He said most firms took immediate action when informed; Adobe and PR Newswire went public when they learned of the breaches, warning millions of customers affected.

Holden declined to name dozens of other companies whose customers' data also appeared to have been hacked.

"If we start mentioning the names, there might be widespread panic," he said, noting that those companies are trying to deal with the breaches. But Holden said he was concerned that Corporatecaronline was failing to act, and that he contacted credit card companies himself.

Corporatecaronline's website boasts of robust data protection. "The only point of access to the servers is through our firewall, which is managed by our data center, 24/7, 365 days a year," it says.

But Jonathan Mayer, a cybersecurity fellow at the Center for International Security and Cooperation at Stanford University, did some poking Monday and found the website runs on outdated software prone to vulnerabilities. He said it has code dating back to Macromedia, which was acquired by Adobe nearly eight years ago; Internet Explorer 4, which rolled out in 1997; and 13-year-old Netscape 6.

"The point here is that you don't have to be a big target to be at risk online anymore," Mayer said. "This is the new normal, and it underscores the need for improving the regulatory framework."

The FBI did not immediately return a call seeking comment.

Cybersecurity firm McAfee's chief technology officer Raj Samani said Monday the hack underscores how vulnerable customers can be, even if they're trying to use complex passwords and take precautions with their privacy.

"You can do anything you want, but in many cases you entrust your data with multiple third parties, and it's out of your hands," he said.

___

Associated Press writers Alan Fram in Washington and Raphael Satter in London contributed to this report.