[OPLIN 4cast] OPLIN 4Cast #286: Responding to a breach

Editor editor at oplin.org
Wed Jun 13 10:31:11 EDT 2012



OPLIN 4Cast #286: Responding to a breach
June 13th, 2012

Last
week's revelation that millions of LinkedIn passwords had been stolen 
was just the latest in a long line of data breach stories. While public 
libraries don't store millions of passwords or credit card numbers, they 
do store a lot of patron data, and things as mundane as people's street 
addresses are beginning to be considered sensitive information by some 
security experts. With luck, your library ILS vendor has not made the 
same mistake that LinkedIn made and stored sensitive user information 
with relatively weak encryption. But if the worst should happen and your 
library system gets hacked, what's the best way to respond? Are there 
lessons to be learned from the misfortune of previous data breach victims?

  * Dissecting LinkedIn's response to the password breach
    <http://securitywatch.pcmag.com/social-networking/298920-dissecting-linkedin-s-response-to-the-password-breach>
    (PC Magazine/Fahmida Y. Rashid) "'We are contacting all members we
    believe could potentially be affected, starting with those who we
    believe are at the greatest risk. We have already initiated the
    outreach,' a LinkedIn spokesperson said in an email. She was unable
    to provide any other details. I was very concerned about LinkedIn's
    focus on members at 'greatest risk.' How do they define this?"
  * Zappos data breach response a good idea or just panic mode?
    <http://www.networkworld.com/news/2012/011712-zappos-data-breach-254971.html>
    (Network World/Ellen Messmer) "...online shoe and clothing retailer
    Zappos has taken assertive steps, including compelling customers to
    change passwords, plus temporarily foregoing 800-number phone
    service in an effort to redeploy customer-service representatives to
    respond to customer email."
  * Heartland CEO on breach response
    <http://www.bankinfosecurity.com/interviews/heartland-ceo-on-breach-response-i-1531>
    (BankInfo Security/Tracy Kitten) "...[Bob Carr, CEO of Heartland
    Payment Systems] says information sharing is key, especially among
    other payments processors. 'Don't minimize the impact,' Carr says.
    'Share information. ... The bad guys might be in somebody else's
    system, so it is good for everyone to communicate.' Although a great
    deal has changed since 2009, when Heartland's breach was exposed,
    Carr says open communications, especially for publicly-traded
    companies, will pay dividends in the long run."
  * Data breach response plans: Yours ready?
    <http://www.informationweek.com/news/security/management/231700195>
    (Information Week/Mathew J. Schwartz) "Timing-wise, for example,
    don't assume that immediately disclosing a breach
    <http://www.informationweek.com/news/security/attacks/230800152>
    should be the first step. 'I've seen organizations that totally
    jumped the gun -- We've got to do it -- and they've notified, but have no
    response mechanism in place for the individuals who have been
    affected, so it's adding insult to injury,' Brian Lapidus, chief
    operating officer of Kroll Fraud Solutions, tells me. 'We always
    tell our clients that if they're going to notify about the problem,
    say what the solution is at the same time, and give them avenues to
    call or contact you back.'"

Breach facts:

The three breaches mentioned above affected: 6.5 million LinkedIn users; 
24 million Zappos customers; and 130 million Heartland credit card 
accounts. [And one more fact: OPLIN's plan for Security Incident 
Response 
<http://oplin.org/content/information-technology-security-management#Security_Incident_Response> 
is included in our overall Information Technology Security Management 
plan.]
------------------------------------------------------------------------
The OPLIN 4cast is a weekly compilation of recent headlines, topics, 
and trends that could impact public libraries. You can subscribe to it 
in a variety of ways, such as:

  * *RSS feed.* You can receive the OPLIN 4cast via RSS feed by
    subscribing to the following URL:
    http://www.oplin.org/4cast/index.php/?feed=rss2.
  * *Live Bookmark.* If you're using the Firefox web browser, you can go
    to the 4cast website (http://www.oplin.org/4cast/) and click on the
    orange "radio wave" icon on the right side of the address bar. In
    Internet Explorer 7, click on the same icon to view or subscribe to
    the 4cast RSS feed.
  * *E-mail.* You can have the OPLIN 4cast delivered via e-mail (à la
    OPLINlist and OPLINtech) by subscribing to the 4cast mailing list at
    http://mail.oplin.org/mailman/listinfo/OPLIN4cast.

