From hbrown at knology.net Wed Sep 3 20:26:42 2008
From: hbrown at knology.net (Henry Brown)
Date: Wed, 03 Sep 2008 15:26:42 -0500
Subject: [Dataloss] Clarkson University Potsdam NY exposes 245 employees PII
Message-ID: <48BEF302.5060706@knology.net>

http://tinyurl.com/6dyfah

On Tuesday, August 26, a non-malicious student intruder gained access to a restricted server and promptly reported the vulnerability to campus authorities. Approximately 245 employees and former employees had personal information, including name, social security number, and date of birth, compromised during the security breach.

The file containing personal information was a record of employees that had university credit cards known as purchase cards (or p-cards). Any university member requesting a p-card must provide their social security number and date of birth on the application form. Following the incident on Tuesday, all affected individuals were contacted and briefed on the situation.

The shared server was only available on the Clarkson network and was not available to the general public. Following the breach a full investigation was launched with forensic computing to determine all users who had accessed the S drive during the vulnerability. The only unauthorized access to the personal information was made by the student who found the vulnerability.

On Monday, August 25, routine work was being performed on the S drive causing access privileges to be reset to default values, allowing anyone with an active directory user account access to the server.

The Integrator talked with President Collins and Kelly Chezum, the Assistant to the President for Strategic Advancement, concerning the unauthorized access. President Collins said that because of "fast thinking, [we were] able to track everything" and that access was limited to one individual. Chezum reported that as an affected individual she "feel[s] pretty confident my personal information is fine."

From lyger at attrition.org Thu Sep 4 02:04:57 2008
From: lyger at attrition.org (lyger)
Date: Thu, 4 Sep 2008 02:04:57 +0000 (UTC)
Subject: [Dataloss] CA: Burglars steal Oakland school computers storing personal data
Message-ID:

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/09/03/MN8F12NM56.DTL

Thieves stole 10 desktop computers containing employees' personal information Tuesday night from the Oakland school district's main office on 2nd Avenue, district official said today.

The computers were located in the 2nd floor Human Resources Department and appear to be the only equipment stolen.

The burglary is believed to have occurred at about 11 p.m., with the suspects scaling a rear wall and using wire cutters to get through a metal window screen, said district spokesman Troy Flint. Workers arriving this morning discovered the theft.

Most of the equipment stolen were Dell desktop hard drives. District officials were still determining what information was on each computer, but said that they contained personal information provided to the district when employees are hired. It was unknown today how many employees' records were on the computers.

[...]

From macwheel99 at wowway.com Thu Sep 4 02:41:21 2008
From: macwheel99 at wowway.com (macwheel99 at wowway.com)
Date: Wed, 3 Sep 2008 21:41:21 -0500
Subject: [Dataloss] CA: Burglars steal Oakland school computers storing personal data
In-Reply-To:
References:
Message-ID: <20080904022534.M12564@wowway.com>

If the school has some kind of backup system for computer records, and are able to restore a backup to replacement Dells of compatible hardware, OS, and software, then they ought to be able to tell from the backup what was involved.

School budgets typically do not allow for insurance against theft of school property & it could be many months before they can get the money to have hardware to restore a backup to.
Maybe they can rent one Dell to backup one at a time to restore one of the 10, get the info, then restore second of the 10 & so forth.

If their backup system involved one computer's data being backed up to another computer, in pairs, then the backups are gone away with the stolen computers.

Any reasonable person could conclude that all the employees data that was SUPPOSED to be managed by the HR dept, was in fact on the gone computers, minus anything on any computers not taken.

There are several ways to reconstruct a list of all your employees. Most every modern organization has tons of computer generated reports ... there's probably several that list all the employees ... we just had an end fiscal month ... do schools have fiscal months?

If all the computers gone, then simply ask the bank for a statement of money issued to what people in a recent payroll run, and you got a pretty good list of your employees. If there's some kind of insurance for the employees, then the insurance company will have that list.

Aside from the state of California having strict rules about notification of the breached employees, there are also IRS regulations about keeping good records in case of an audit.

Where I work, we were recently audited by the IRS. They wanted to see details from 2004, which fortunately were still on-line, and easy to re-sort into whatever format the IRS people desired. Had they wanted 2003, those records on paper in the attic.

The school district should have something similar, going back several years. Digging through such records is what will take time, since they probably packed away assuming extremely unlikely ever need again.

Al Macintyre

> http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/09/03/MN8F12NM56.DTL
>
> Thieves stole 10 desktop computers containing employees' personal
> information Tuesday night from the Oakland school district's main
> office on 2nd Avenue, district official said today.
>
> The computers were located in the 2nd floor Human Resources
> Department and appear to be the only equipment stolen.
>
> The burglary is believed to have occurred at about 11 p.m., with the
> suspects scaling a rear wall and using wire cutters to get through a
> metal window screen, said district spokesman Troy Flint. Workers
> arriving this morning discovered the theft.
>
> Most of the equipment stolen were Dell desktop hard drives. District
> officials were still determining what information was on each
> computer, but said that they contained personal information provided
> to the district when employees are hired. It was unknown today how
> many employees' records were on the computers.
>
> [...]

From hbrown at knology.net Thu Sep 4 13:46:08 2008
From: hbrown at knology.net (Henry Brown)
Date: Thu, 04 Sep 2008 08:46:08 -0500
Subject: [Dataloss] fringe Federal law and ID theft prevention
Message-ID: <48BFE6A0.2010403@knology.net>

A ~2300 word "posting" with at least 20 different related links....

http://www.jonesday.com/pubs/pubs_detail.aspx?pubID=S5427

On December 4, 2003, the President signed into law the Fair and Accurate Credit Transactions Act ("FACTA"). FACTA was enacted by Congress to provide consumers with increased protection from identity theft.
The regulations directed six agencies to jointly "establish and maintain guidelines ... [that] identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft."[1] Accordingly, the six agencies published the final regulations on November 9, 2007, and those regulations became effective January 1, 2008.[2] However, compliance with the regulations is not mandatory until November 1, 2008.[3]

The final regulations contain three parts. First, they require covered entities to create a written identity theft program designed to detect, prevent, and mitigate identity theft in connection with certain covered accounts (the "Red Flag Rules" or the "Rules"). Second, the regulations impose requirements on consumer reporting agencies related to discrepancies between an address contained in a request for a consumer report and the address in the consumer reporting agency's file. Third, the regulations impose requirements on debit and credit card issuers to implement procedures to assess the validity of address changes under certain circumstances.

From mhill at idtexperts.com Thu Sep 4 17:02:56 2008
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Thu, 4 Sep 2008 13:02:56 -0400
Subject: [Dataloss] fringe Federal law and ID theft prevention
In-Reply-To: <48BFE6A0.2010403@knology.net>
References: <48BFE6A0.2010403@knology.net>
Message-ID:

I want to add one thing to this very informative article from Jones Day written by Kevin Sykes that I believe is an important part of the administering of the "Identity Theft Prevention" program under the Red Flag Rules. As a consultant who has assisted many companies in their ID Theft program, training their employees on the program and the reality of identity theft is an absolute must for all businesses. I think it's .90(e) in the rules.

We read article after article on this webboard about data breaches and the loss of PII and it seems the human element plays a VERY big part.
To not train ALL your employees, I think would be leaving your business open to even more liability. Yes, even the warehouse personnel as well.

Michael Hill
Certified Identity Theft Risk Management Specialist
404-216-3751
www.idtheft101.net

----- Original Message -----
From: "Henry Brown"
To:
Sent: Thursday, September 04, 2008 9:46 AM
Subject: [Dataloss] fringe Federal law and ID theft prevention

A ~2300 word "posting" with at least 20 different related links....

http://www.jonesday.com/pubs/pubs_detail.aspx?pubID=S5427

On December 4, 2003, the President signed into law the Fair and Accurate Credit Transactions Act ("FACTA"). FACTA was enacted by Congress to provide consumers with increased protection from identity theft. The regulations directed six agencies to jointly "establish and maintain guidelines ... [that] identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft."[1] Accordingly, the six agencies published the final regulations on November 9, 2007, and those regulations became effective January 1, 2008.[2] However, compliance with the regulations is not mandatory until November 1, 2008.[3]

The final regulations contain three parts. First, they require covered entities to create a written identity theft program designed to detect, prevent, and mitigate identity theft in connection with certain covered accounts (the "Red Flag Rules" or the "Rules"). Second, the regulations impose requirements on consumer reporting agencies related to discrepancies between an address contained in a request for a consumer report and the address in the consumer reporting agency's file. Third, the regulations impose requirements on debit and credit card issuers to implement procedures to assess the validity of address changes under certain circumstances.

From Derek.Rigsby at idcure.com Thu Sep 4 18:16:53 2008
From: Derek.Rigsby at idcure.com (Derek Rigsby)
Date: Thu, 4 Sep 2008 12:16:53 -0600
Subject: [Dataloss] fringe Federal law and ID theft prevention
In-Reply-To:
Message-ID: <002101c90eba$692fdc60$3301000a@stonecreekfunding.com>

Training new employees is important. They are a strange breed; not just your first line of defense against fraud but they are also the most likely person to steal the information that they have legitimate access to. Too often good employees see problems and potential holes in their organization's information security policy but do not know how or if they should bring them up to senior management. Education is necessary to combat fraud and identity theft but any company will need the buy in from senior management for any policy to be effective. The Red Flag Rule states that the policy must be administered by a board of directors, or in the case of smaller entities that may not have a board of directors, a member of senior management. Together proper education of all employees and senior management driving the operational and cultural changes necessary to implement a formal red flag policy is a step in the right direction.

What is equally important and something I did not notice in the referenced document is the vendor integrity requirement of the law. A covered entity must ensure not only its own compliance, but also must consider the information security posture of any vendor, supplier or third party provider with whom it exchanges sensitive data or whom has access to sensitive data. All too often we hear about a loss of data where a third party vendor mishandled a consumer's PII. It is apparent in today's world that organizations need to train their employees regularly and have senior management coordinate the cultural and operational changes but it is equally important to know that vendors and suppliers are doing the same.
If your organization does everything properly and one vendor or supplier does not share the same kind of reverence for protecting PII your company is still at risk.

Derek Rigsby
Vice President
Product Development
idBUSINESS / idCURE
Denver, Colorado
720.278.0756 - Mobile
Derek.Rigsby at idCURE.com

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Michael Hill, CITRMS
Sent: Thursday, September 04, 2008 11:03 AM
To: Henry Brown; dataloss at attrition.org
Subject: Re: [Dataloss] fringe Federal law and ID theft prevention

I want to add one thing to this very informative article from Jones Day written by Kevin Sykes that I believe is an important part of the administering of the "Identity Theft Prevention" program under the Red Flag Rules. As a consultant who has assisted many companies in their ID Theft program, training their employees on the program and the reality of identity theft is an absolute must for all businesses. I think it's .90(e) in the rules.

We read article after article on this webboard about data breaches and the loss of PII and it seems the human element plays a VERY big part. To not train ALL your employees, I think would be leaving your business open to even more liability. Yes, even the warehouse personnel as well.

Michael Hill
Certified Identity Theft Risk Management Specialist
404-216-3751
www.idtheft101.net

From adam at homeport.org Thu Sep 4 18:39:27 2008
From: adam at homeport.org (Adam Shostack)
Date: Thu, 4 Sep 2008 14:39:27 -0400
Subject: [Dataloss] fringe Federal law and ID theft prevention
In-Reply-To: <002101c90eba$692fdc60$3301000a@stonecreekfunding.com>
References: <002101c90eba$692fdc60$3301000a@stonecreekfunding.com>
Message-ID: <20080904183927.GA24950@homeport.org>

Hi Derek,

Do you have any evidence for the claim that new employees are most likely to steal information? The ACFE (Ass'n Certified Fraud Examiners) report usually points to longtime employees as the most likely to steal money.

Adam

On Thu, Sep 04, 2008 at 12:16:53PM -0600, Derek Rigsby wrote:
| Training new employees is important. They are a strange breed; not just your
| first line of defense against fraud but they are also the most likely person to
| steal the information that they have legitimate access to. Too often good
| employees see problems and potential holes in their organization's information
| security policy but do not know how or if they should bring them up to senior
| management. Education is necessary to combat fraud and identity theft but any
| company will need the buy in from senior management for any policy to be
| effective. The Red Flag Rule states that the policy must be administered by a
| board of directors, or in the case of smaller entities that may not have a
| board of directors, a member of senior management. Together proper education
| of all employees and senior management driving the operational and cultural
| changes necessary to implement a formal red flag policy is a step in the right
| direction.
|
| What is equally important and something I did not notice in the referenced
| document is the vendor integrity requirement of the law.
| A covered entity
| must ensure not only its own compliance, but also must consider the information
| security posture of any vendor, supplier or third party provider with whom it
| exchanges sensitive data or whom has access to sensitive data. All too often
| we hear about a loss of data where a third party vendor mishandled a consumer's
| PII. It is apparent in today's world that organizations need to train their
| employees regularly and have senior management coordinate the cultural and
| operational changes but it is equally important to know that vendors and
| suppliers are doing the same. If your organization does everything properly
| and one vendor or supplier does not share the same kind of reverence for
| protecting PII your company is still at risk.
|
| Derek Rigsby
| Vice President
| Product Development
| idBUSINESS / idCURE
| Denver, Colorado
| 720.278.0756 - Mobile
| Derek.Rigsby at idCURE.com
|
| -----Original Message-----
| From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On
| Behalf Of Michael Hill, CITRMS
| Sent: Thursday, September 04, 2008 11:03 AM
| To: Henry Brown; dataloss at attrition.org
| Subject: Re: [Dataloss] fringe Federal law and ID theft prevention
|
| I want to add one thing to this very informative article from Jones Day
| written by Kevin Sykes that I believe is an important part of the
| administering of the "Identity Theft Prevention" program under the Red Flag
| Rules. As a consultant who has assisted many companies in their ID Theft
| program, training their employees on the program and the reality of identity
| theft is an absolute must for all businesses. I think it's .90(e) in the
| rules.
|
| We read article after article on this webboard about data breaches and the
| loss of PII and it seems the human element plays a VERY big part. To not
| train ALL your employees, I think would be leaving your business open to
| even more liability.
| Yes, even the warehouse personnel as well.
|
| Michael Hill
| Certified Identity Theft Risk Management Specialist
| 404-216-3751
| www.idtheft101.net

From Derek.Rigsby at idcure.com Thu Sep 4 19:00:31 2008
From: Derek.Rigsby at idcure.com (Derek Rigsby)
Date: Thu, 4 Sep 2008 13:00:31 -0600
Subject: [Dataloss] fringe Federal law and ID theft prevention
In-Reply-To: <20080904183927.GA24950@homeport.org>
Message-ID: <003201c90ec0$81b51dd0$3301000a@stonecreekfunding.com>

Adam,

Thanks for catching that misstep in my comments. My intention was to say "Training ALL employees on a regular basis is important not just new employees as they are hired".

Derek Rigsby

-----Original Message-----
From: Adam Shostack [mailto:adam at homeport.org]
Sent: Thursday, September 04, 2008 12:39 PM
To: Derek Rigsby
Cc: 'Michael Hill, CITRMS'; 'Henry Brown'; dataloss at attrition.org
Subject: Re: [Dataloss] fringe Federal law and ID theft prevention

Hi Derek,

Do you have any evidence for the claim that new employees are most likely to steal information? The ACFE (Ass'n Certified Fraud Examiners) report usually points to longtime employees as the most likely to steal money.

Adam

On Thu, Sep 04, 2008 at 12:16:53PM -0600, Derek Rigsby wrote:
| Training new employees is important. They are a strange breed; not just your
| first line of defense against fraud but they are also the most likely person to
| steal the information that they have legitimate access to.
| Too often good
| employees see problems and potential holes in their organization's information
| security policy but do not know how or if they should bring them up to senior
| management. Education is necessary to combat fraud and identity theft but any
| company will need the buy in from senior management for any policy to be
| effective. The Red Flag Rule states that the policy must be administered by a
| board of directors, or in the case of smaller entities that may not have a
| board of directors, a member of senior management. Together proper education
| of all employees and senior management driving the operational and cultural
| changes necessary to implement a formal red flag policy is a step in the right
| direction.
|
| What is equally important and something I did not notice in the referenced
| document is the vendor integrity requirement of the law. A covered entity
| must ensure not only its own compliance, but also must consider the information
| security posture of any vendor, supplier or third party provider with whom it
| exchanges sensitive data or whom has access to sensitive data. All too often
| we hear about a loss of data where a third party vendor mishandled a consumer's
| PII. It is apparent in today's world that organizations need to train their
| employees regularly and have senior management coordinate the cultural and
| operational changes but it is equally important to know that vendors and
| suppliers are doing the same. If your organization does everything properly
| and one vendor or supplier does not share the same kind of reverence for
| protecting PII your company is still at risk.
|
| Derek Rigsby
| Vice President
| Product Development
| idBUSINESS / idCURE
| Denver, Colorado
| 720.278.0756 - Mobile
| Derek.Rigsby at idCURE.com

From adam at homeport.org Thu Sep 4 19:31:29 2008
From: adam at homeport.org (Adam Shostack)
Date: Thu, 4 Sep 2008 15:31:29 -0400
Subject: [Dataloss] fringe Federal law and ID theft prevention
In-Reply-To: <003201c90ec0$81b51dd0$3301000a@stonecreekfunding.com>
References: <20080904183927.GA24950@homeport.org> <003201c90ec0$81b51dd0$3301000a@stonecreekfunding.com>
Message-ID: <20080904193129.GA28201@homeport.org>

You're welcome!

No argument that training is important-given the FTC requirements. At the same time, I'm curious--what do such programs entail? Do programs aspire to anything beyond "ensure we're training?" How are organizations testing their effectiveness?

Adam

On Thu, Sep 04, 2008 at 01:00:31PM -0600, Derek Rigsby wrote:
| Adam,
|
| Thanks for catching that misstep in my comments. My intention was to say
| "Training ALL employees on a regular basis is important not just new
| employees as they are hired".
|
| Derek Rigsby
|
| -----Original Message-----
| From: Adam Shostack [mailto:adam at homeport.org]
| Sent: Thursday, September 04, 2008 12:39 PM
| To: Derek Rigsby
| Cc: 'Michael Hill, CITRMS'; 'Henry Brown'; dataloss at attrition.org
| Subject: Re: [Dataloss] fringe Federal law and ID theft prevention
|
| Hi Derek,
|
| Do you have any evidence for the claim that new employees are most
| likely to steal information? The ACFE (Ass'n Certified Fraud
| Examiners) report usually points to longtime employees as the
| most likely to steal money.
|
| Adam
|
| On Thu, Sep 04, 2008 at 12:16:53PM -0600, Derek Rigsby wrote:
| | Training new employees is important. They are a strange breed; not just your
| | first line of defense against fraud but they are also the most likely person to
| | steal the information that they have legitimate access to.
| | Too often good
| | employees see problems and potential holes in their organization's information
| | security policy but do not know how or if they should bring them up to senior
| | management. Education is necessary to combat fraud and identity theft but any
| | company will need the buy in from senior management for any policy to be
| | effective. The Red Flag Rule states that the policy must be administered by a
| | board of directors, or in the case of smaller entities that may not have a
| | board of directors, a member of senior management. Together proper education
| | of all employees and senior management driving the operational and cultural
| | changes necessary to implement a formal red flag policy is a step in the right
| | direction.
| |
| | What is equally important and something I did not notice in the referenced
| | document is the vendor integrity requirement of the law. A covered entity
| | must ensure not only its own compliance, but also must consider the information
| | security posture of any vendor, supplier or third party provider with whom it
| | exchanges sensitive data or whom has access to sensitive data. All too often
| | we hear about a loss of data where a third party vendor mishandled a consumer's
| | PII. It is apparent in today's world that organizations need to train their
| | employees regularly and have senior management coordinate the cultural and
| | operational changes but it is equally important to know that vendors and
| | suppliers are doing the same. If your organization does everything properly
| | and one vendor or supplier does not share the same kind of reverence for
| | protecting PII your company is still at risk.
| |
| | Derek Rigsby
| | Vice President
| | Product Development
| | idBUSINESS / idCURE
| | Denver, Colorado
| | 720.278.0756 - Mobile
| | Derek.Rigsby at idCURE.com

From lyger at attrition.org Fri Sep 5 21:10:45 2008
From: lyger at attrition.org (lyger)
Date: Fri, 5 Sep 2008 21:10:45 +0000 (UTC)
Subject: [Dataloss] DC organization discovers 163 local social security numbers online
Message-ID:

http://www2.morganton.com/content/2008/sep/05/east-burke-high-school-posted-163-staff-members-so/

For the past five years, East Burke High School's website exposed 163 staff members' Social Security numbers and other personal information on the Internet.

[...]

On Aug. 27, the group informed the school district about the problem.

[...]

Burke County Public Schools Superintendent David Burleson said it seemed likely the school uploaded the file to the web in 2003 when posting the 2003-2004 East Burke High School student directory.

[...]

From lyger at attrition.org Fri Sep 5 23:03:38 2008
From: lyger at attrition.org (lyger)
Date: Fri, 5 Sep 2008 23:03:38 +0000 (UTC)
Subject: [Dataloss] admin: Mail List Downtime
Message-ID:

The Data Loss Mail List, currently hosted by attrition.org, will be down on Sunday, September 7 from 7am EDT until 7pm EDT. During this time, we will be moving the list to be hosted by DataLossDB.org. There will be no need to unsubscribe or resubscribe to the list, but the email address to send posts and replies to the list will change to:

dataloss at datalossdb.org

We appreciate everyone's patience and support during this transition. If anyone has questions about the transition, please email me at lyger at attrition.org.
Thanks,

Lyger (Data Loss Mail List moderator)

From lyger at attrition.org Sat Sep 6 01:26:20 2008
From: lyger at attrition.org (lyger)
Date: Sat, 6 Sep 2008 01:26:20 +0000 (UTC)
Subject: [Dataloss] KR: GS Caltex Leaked Personal Data of 11 Mln Customers
Message-ID:

http://english.donga.com/srv/service.php3?bicode=040000&biid=2008090631088

Two multimedia discs containing the personal information of 11.1 million customers of GS Caltex, one of the nation's largest oil refineries, was found on the street, police said yesterday.

Police have not yet confirmed any damage caused by the leak, but this is considered the country's largest leak of its kind given the number of people involved.

The Cyber Terror Response Center of the National Police Agency dispatched two detectives to GS Caltex headquarters in southern Seoul to investigate.

The discs -- one DVD and a CD-Rom which are believed to have been thrown away -- were found early this month by an office worker in a backstreet's trash pile near Gangnam subway station in Seoul.

The DVD contained 76 files in a folder named "GS Caltex," including the names, social security numbers, addresses, cell phone numbers, email addresses and workplaces of customers sorted by age. The CD-Rom is believed to be a sample of the DVD as it contains only a few people's personal data.

[...]

From chris at cwalsh.org Sat Sep 6 18:53:34 2008
From: chris at cwalsh.org (Chris Walsh)
Date: Sat, 6 Sep 2008 13:53:34 -0500
Subject: [Dataloss] UAE network intrusions in Feb and Aug yield credit card fraud - victims include US embassy employees
Message-ID:

Hackers break into UAE credit network to fund US purchases

Hugh Naylor
Last Updated: September 04. 2008 11:34PM UAE / September 4. 2008 7:34PM GMT

Abu Dhabi // An international investigation is under way to find hackers believed to have stolen information from financial servers in the UAE to make fraudulent credit and debit card purchases in the US.
The scheme came to light after a number of employees at the US Embassy - and a handful of other US citizens - had unauthorised purchases show up on their credit and debit cards in recent months, prompting the embassy to issue a warning on its website.

"To date, all of the reported fraudulent charges have been made from the United States," the message said. "We are aware of no fraudulent transactions originating in the UAE."

MasterCard is co-operating with law enforcement officials and banks to investigate the issue, Chris Monteiro, the head of the company's worldwide communications, wrote in an e-mail.

Visa, when contacted, did not respond to questions or comment on the case.

However the manager of an anti-fraud division at a credit union in North Carolina, in the US, speaking on the condition of anonymity, said Visa had warned that there had been "a network intrusion" in the UAE between February and August.

Visa told her that the intrusion had happened "at the processor level", which she said suggested that computer hackers had penetrated the electronic records of organisations that acted as middlemen between merchants and credit card companies such as Visa and MasterCard.

[...]

Full article is at
http://www.thenational.ae/article/20080904/NATIONAL/726459427/1010&profile=1010

The embassy website message appears to be
https://www.osac.gov/Reports/report.cfm?contentID=89435