[ISN] Hackers invaded state Web sites 72 times in five years

InfoSec News isn at c4i.org
Mon Feb 28 05:38:13 EST 2005


February 26, 2005

Raising new concerns about identity theft, a report released this
month by a legislative committee found that information on Web sites
of state agencies and authorities has been hacked at least 72 times in
six years.

The report - "Tip of the Iceberg: New York State Government's Losing
Battle Against Hackers" - is from the Assembly's Committee on
Oversight, Analysis and Investigations.

It looks at break-ins and Web site defacements that occurred between
1999 and early December 2004 in the computer systems of entities such
as the state's Department of Motor Vehicles, the Department of
Education, the Department of Correctional Services and the New York
Power Authority. Web site defacement occurs when information on a
particular site is replaced by a message or image posted by a hacker.

Identity theft can occur when personal information, such as Social
Security and credit card numbers, is stolen for fraudulent use. The
Federal Trade Commission said identity theft has been its top consumer
complaint for five years.

"We rely on business and government when we give them personal
information ... that they'll keep it safe and secure," said State Sen.  
Jeff Klein, D-Bronx, who headed the Assembly's oversight committee
that wrote the report before he was elected to the State Senate last
year. "Unfortunately, the state and private companies are not keeping
that information safe, which can lead to ID theft."

For example, the report said that in September a computer virus
crippled the internal systems of the state education department and
brought its computer network to a halt.

The worst case occurred, Klein said, when the Web site of the State
Division of Military and Naval Affairs, which tracks information on
where the state's National Guard troops are stationed, was defaced.

But William Pelgrin, director of the state Office of Cyber Security
and Critical Infrastructure Coordination, said that no consumer
information was compromised in any of the incidents in the Assembly

"The report has a lot of information that is misleading and
inaccurate," Pelgrin said. "They took some of the data and
misinterpreted it."

As for the defacement against the military and naval affairs Web site,
Pelgrin said the federal government has jurisdiction over that network
and the incident involved other issues, such as outsourcing.

Pelgrin said he does not want to minimize any defacement.

"But just because we're taking them seriously doesn't mean we're not
secure," he said, adding that the sites are constantly monitored.

Separately, another security breach was brought to light this month
when ChoicePoint announced that as many as 145,000 consumers,
including about 9,370 in New York, may have had their personal
information stolen when security in its database was breached by a
fraud ring. ChoicePoint is based in Alpharetta, Ga., and collects data
to verify identification and credentials for business, government and
other entities for purposes including employment background checks.

Klein introduced legislation that passed the Assembly last year that
would require governmental agencies and businesses to notify consumers
when security breaches occur. Currently, California is the only state
with such a law.

Assemblyman James Brennan, D-Brooklyn, who succeeded Klein as chairman
of the Committee on Oversight, Analysis and Investigations, will
re-introduce the bill in the Assembly this year.

The "Tip of the Iceberg" report recommends that:

* Klein's bill to require victim notification in the case of a cyber
  security breach become law.

* A full explanation of the 72 intrusions cited in the report be
  provided to the Legislature.

* Minimum standards should be set for State Information Security

* The state Division of Military and Naval Affairs reassess its
  relationship with its Web hosting provider because of the hacking

Klein said state cyber security officials say no information has been
taken but it is hard to be sure.

"That's why it's so important we have some type of notification in
place," he said.
