Careful Communication and Proper Use of Computers

Ex-coder Convicted for Con

Reuters reports that former Goldman Sachs programmer Sergey Aleynikov has been convicted of offences under the Espionage Act for copying and removing computer code before taking up a new job at Teza Technologies. Giving evidence at the trial, Teza Technologies founder Mikhail Malyshev reportedly deplored Mr Aleynikov’s tactics, stating that “his firm barred employees from using proprietary code of any other company”. Mr Aleynikov had reportedly claimed that the code in question was open source and thus not subject to proprietary claims.
Reuters: Jury convicts ex-Goldman man in trade secrets case (9 December 2010)
(Source: Reuters; Cornell University Law School)

User Database Breached

Gawker Media (Gawker) has advised its users to change their passwords after a database was breached. Although the database of user information had been encrypted, Gawker acknowledged that simple passwords were still “vulnerable to a brute-force attack”. Expressing embarrassment about the breach, Gawker has also provided extensive advice on ways users can protect their accounts and information.

Experts are also reportedly concerned that US government employees may have reused their Gawker password for official purposes, raising the possibility that “the passwords could be used in future targeted attacks against government employees to plant malware or steal other information”. The list of compromised accounts, showing user email addresses and passwords, is reportedly readily available on the internet. Users have reportedly been urged to have unique passwords for different sites, and are advised to avoid reusing work email addresses or passwords for unofficial purposes. 
Gawker’s media release #1 (12 December 2010)
Gawker’s media release #2 (13 December 2010)
Computerworld: Hackers could use leaked Gawker info to attack government workers (13 December 2010)
(Source: Gawker; Computerworld)

Hackers are Lovin’ it

McDonald’s has announced that customer information maintained by business partner Arc Worldwide has been compromised by a malicious hacker. The information included names, addresses, phone numbers, birth date and gender, but did not include any financial data like credit card numbers. Arc Worldwide had been engaged to distribute promotional emails, and supervision and management of the database was outsourced to a service provider. This service provider was the subject of the breach. McDonald’s has also issued a set of frequently asked questions on the breach. According to Computerworld, a McDonald’s spokesperson could not advise whether customers outside of the United States were affected, nor when the breach occurred.

In unrelated breaches, Walgreen and Twitter have both reportedly admitted to security breaches. Walgreen reportedly stated that customer email addresses were compromised and may be used for phishing scams, whilst Twitter said that its users were spammed. Walgreen has reportedly assured its customers that “prescription information, account and any other personally identifiable information were not at risk because such data is not contained in the email system, and no access was gained to Walgreen’s consumer data systems”.
McDonald’s media release (undated)
Computerworld: Hackers steal McDonald’s customer data (11 December 2010)
The Australian: Hackers breach email databases in US, including McDonald’s, Twitter and Walgreen (14 December 2010)
(Source: McDonald’s; Computerworld; The Australian)

Google Issues Apology for Privacy Breach
Asia Pacific

New Zealand Privacy Commissioner Marie Shroff has announced the completion of her investigation (14 December 2010) into Google’s unauthorised collection of information from unsecured wireless networks, concluding that it amounted to a breach of the Privacy Act 1993. In accordance with Ms Shroff’s orders, Google engineering and research senior vice president Alan Eustace has issued a formal apology to New Zealanders, stressing that the data collection was entirely accidental and that the company “did not want and have never used any payload data in our products or services”. Mr Eustace also apologised for Google’s failure to be sufficiently transparent.

Ms Shroff has welcomed Google’s apology and the company’s promises to improve staff training, privacy practices, and pre-launch procedures to ensure that new products are compliant. The company must also delete the information in question.
Privacy Commissioner’s media release (14 December 2010)
Google’s media release (14 December 2010)
(Source: Privacy Commissioner; Google)