Thieves target guests at metro water park hotel

Thieves snuck into hotel rooms at a Twin Cities water park on two different weekends and stole guests' electronics, according to Brooklyn Park police.

Police said the thieves hit three rooms at the Grand Rios Hotel on March 27 and three more rooms on April 3.

The Altman family from Brook Park said the crooks stole two lap tops, a cell phone, power cords and a wireless mouse from their room.

The family said hotel management is working to replace their electronics, but the family is still upset.

Tina Altman said, "That still doesn't replace all the pictures of my boys, all their information everything on them laptops."

Police said there was no forced entry in any of the thefts, so they have not ruled out the possibility the crimes were an inside job.

Kevin Altman said, "I'm pretty mad, especially when we found out there are multiple other ones, and it's still happening. It's just not right."

Police said there were several room breakins last summer, with no arrest.

Police say management made security changes after those thefts.

5 EYEWITNESS NEWS was not able to reach hotel management for comment Tuesday. kstp.com

Stillwater man's web post links at least 60 ID theft victims

After a Stillwater man's bank alerted him to fraudulent charges, he posted a warning to a Facebook page and within minutes dozens of others reported they were dealing with the same thing.


Ted Koslowski started the Stillwater fan page, which now has more than 8,000 fans.

Tuesday he posted a notice saying, "Just got a call from Lake Elmo bank. Apparently a popular local business had its customers credit card info stolen and its effect has been widespread."

He went on to say his personal checking account had been hit with fraudulent charges from California and Russia.

He told 5 EYEWITNESS NEWS more than $1,000 was siphoned from his account in a matter of hours. There were charges from electronics dealers, pet stores and gas stations.

After his Facebook post, at least 60 other people responded that they too were being hit with fraudulent charges.

There does not seem to be a common denominator indicating that all of the victims frequented the same store or made similar purchases. But authorities are in the very early stages of their investigation.

The case is developing so quickly that Washington County deputies had not yet filed their initial police report when 5 EYEWITNESS NEWS reported the story at 10 p.m Tuesday. kstp.com

Violation Of Sensitive Data Storage Policy Led To Exposure Of Info On 3.3 Million Student Loan Recipients

Removable media device stolen from Educational Credit Management Corp.'s (ECMC) headquarters contained Social Security numbers, names, addresses, dates of birth of people who had received federal student loans

A removable media device containing personal data on 3.3 million people was stolen from the Minnesota headquarters of federal student loan guarantor Educational Credit Management Corp. (ECMC) last week -- and the data should never have been copied onto the device in the first place.


ECMC, which handles and insures more than $11 billion worth of student loans for the U.S. Department of Education, discovered on March 23 that the device had been stolen. The firm is currently in the process of sending letters to all of the affected loan recipients, some of whom date back to as long as 15 years ago. Their names, addresses, Social Security numbers, and dates of birth were on the stolen device, but no bank account or financial data, according to ECMC.

David Hawn, chief business development officer for ECMC, said in an interview that storing such sensitive data on a removable device was a "very clear violation of our company policies and protocols." He would not specify whether the device was a USB stick, hard drive, or other type of device due to the sensitive nature of the ongoing investigation by law enforcement. Hawn also was not able to reveal whether the data was encrypted, either.

"This situation was unfortunate in that it had a human element to it...It really was a disappointment to all of us that this had occurred," Hawn says, and the company is in the process of doing a full-blown review of its internal security policies and plans to "make changes."

"We unfortunately learned about this the hard way, and we are working diligently to shore that up," he says. "Our systems security infrastructure is very robust, and in fact since this incident occurred, by way of precaution we have hired an external agency to perform various penetration tests on our firewalls -- all the testing has been negative."

Hawn says it doesn't appear the thief or thieves were targeting specific information in the crime. "There's nothing to suggest that they were aware of what they were taking," Hawn says.

And thus far, ECMC says there's been no evidence of any abuse of the data. The company is offering the affected victims free credit monitoring and reporting with Experian.

ECMC's problem isn't unique: Ipswitch File Transfer will release a study tomorrow that shows that 90 percent of IT and security professionals use thumb drives or external devices to move data. Few companies bother encrypting data on those devices, either, says Frank Kenney, vice president of global strategy at Ipswitch. "Encryption generally doesn't happen. It's rare," Kenney says.

"We were shocked by how many people are using [these devices] to share or move large files," Kenney says.

The data potentially exposed includes existing, ongoing, and older, inactive federal student loans as well, ECMC's Hawn says. "It did include, for archival purposes, a number of records" that date back to 15 years ago, he says.

ECMC serves as the guarantor for loans in Oregon, Virginia, and Connecticut, but borrowers in all states could be affected by the breach, according to one published report.

Potential victims of the breach can go to this page set up by ECMC to get more information on whether they are affected, and if so, what to do. darkreading.com

Beware of April Fool's Day - Spyware Infections Increase

With April Fool's on the horizon, along with it comes an increase in spyware and malware infections, causing havoc for computer users, not to mention time in lost productivity, additional expenses, and worst of all the inconvenience and frustration it causes.

Be super careful and vigilant during this time. Simple tips to follow:

• Don't open emails from people you don't know, especially if they have files or attachments.
• Awareness of what software you're using. Be familiar with its delivery of its warnings and alerts. "Scareware" tactics try to fool you into something that could be malware, wreaking havoc with your computer or worse yet, hijacking your computer.. Don't be "fooled" by them.
• Give social networking sites like Facebook, ,Twitter, My Space, etc a break for a week or so. If it's important or they miss you, tell them to call instead.
• Think before you click!!! Use extra caution before visiting new websites you haven't been to before. Even seemingly "innocent" websites could be booby-trapped with malicious software.
• Run multiple layers of security software. A single solution may not be enough.

Syware and malware authors have become more creative, more sophisticated. Every day, thousands of new infections are being created, greatly reducing the effectiveness of free or even off the shelf antivirus protection, rendering existing anti-spyware and anti-virus solutions in effective.

Small Businesses Need a Disaster Plan

Disaster preparedness often gets pushed down the priority list for small businesses -- often until disaster strikes and it's too late. To protect your employees and data in the event of a catastrophe, experts advise that business owners think of everything that can go wrong, and prepare for it. Protecting valuable data is of particular concern.

Small business owners in the Upper Midwest have just gone through a disaster preparation drill as the Red River rose and threatened to repeat last year's catastrophic flooding. The region dodged a bullet this time, but more floods may well come, and other parts of the country could see tornadoes and hurricanes.


Disaster preparation is one of those tasks that many small business owners say they'll get around to, soon. But it often gets pushed down the priority list, especially when a company is focused on bringing in new business or improving cash flow.

Many owners also believe disaster won't strike them. They might believe their companies are safe because they're far enough away from a river.

John Stern's clothing store in Fargo, N.D., is on high ground, and it escaped the 2009 floods. But he's learned that a disaster doesn't have to be a big event like an overflowing river. About 10 years ago, the problem was also a flood, when the rain-soaked ground sent water lapping near the entrance to his store. He had to close Straus Clothing for three days.

Now, "we're prepared if it happens," Stern said of a disaster. He has his company's data backed up and "we take the discs home every night." The store has back-up batteries in case the power fails. And it has sandbags.

What follows is a guide to disaster preparation for small businesses:

Figure Out What Your Needs Are

How complex your disaster plan is will depend on the time and resources you have to dedicate to it. People whose work is to help companies prepare for disasters often advise owners that they need to first plan for their most important assets: their employees and their data, including e-mail, financial books and customer lists.

After that, each owner must decide what they need to do to get the business up and running after a disaster. That might seem overwhelming, so it's a good idea to get help. If you have employees, ask them to brainstorm with you. They know how the business operates and can give you advice. Or ask a friend who owns a similar business.

Stern said he's learned to "think of everything that can go wrong and prepare for it."

Owners who need help figuring out what they need to do for disaster planning can also get help online. The Institute for Business & Home Safety's site, http://www.disastersafety.org, and the federal government's guide at http://www.ready.gov/business go into some detail. The Small Business Administration also has information at http://www.sba.gov/beawareandprepare/business.html.

Protecting Your Data


With the widespread availability of data backup, no company should have to lose its information. And many companies routinely back up their information to guard against the most likely high-tech disaster: a crashed hard drive.

At the least, companies should back up their data on discs, as Stern's store does, or an external hard drive. It's wise to have multiple copies of the data, to be really safe. Most important is to take whatever storage medium you use off the premises each night.

Similarly, companies that use laptops can easily protect their data -- employees just take them home.

Many companies now back up data remotely, using Web-based services. Dean Rangone, owner of allRisk, a Somerdale, N.J., firm that does post-disaster cleanup, noted that with this method, "you're going to be able to access your information from anywhere in the world."

If you choose remote backup, don't use a service that's just across town. That company could also be shut down by the same disaster. You might want to think in terms of thousands of miles away. Remember the Northeast blackout of 2003? Eight states lost power.

Staying in Touch with Employees and Customers

Employers need to be sure that staffers and their families are safe. And that they can get in touch with them.

First, there should be a list of phone numbers, home addresses and e-mail addresses for everyone in the company that all managers and staffers have access to. And, since that information tends to change frequently, that list needs to be current at all times.

There is advance warning for some disasters, including hurricanes. A whole new set of contact information will be needed for staffers who are evacuating. If they're not sure where they'll be staying, then they should supply names, phone numbers and e-mail addresses of friends or relatives.

You also need to be sure your customers can reach you. Rangone suggests having your business phone lines routed to cell phones. That way, your customers won't be left wondering what happened.

Coming Up with a Plan -- And Then Plans B and C

As businesses learned in the aftermath of Hurricane Katrina, even the best of disaster plans can go awry. So, owners need to think about the "what ifs." What if there is a widespread power outage? What if cell phone service goes down? What if the disruption to your business is going to last weeks or months?

So you can come up with a plan for getting your company running again, but be ready to change it, depending on the type of disaster, how serious it is, and where your employees are. After Katrina, many businesses whose premises were intact weren't able to get their staffers back for some time, because so many homes were damaged or destroyed. It's likely that few expected to be shut down for a long time.


Once you know how bad the situation is and where your staffers are, you can start recovering.

Leslie Luke, group program manager with the San Diego County Office of Emergency Services, noted that "it doesn't have to be a catastrophic event to have to evacuate out of their buildings." A fire or building collapse could shut down your business too. newsfactor.com

JC Penney tried to block publication of data breach

IDG News Service - Retailer JC Penney fought to keep its name secret during court proceedings related to the largest breach of credit card data on record, according to documents unsealed on Monday.


JC Penney was among the retailers targeted by Albert Gonzalez's ring of hackers, which managed to steal more than 130 million credit card numbers from payment processor Heartland Payment Systems and others. Gonzalez was sentenced to 20 years in prison on Friday in U.S. District Court for the District of Massachusetts.

In December, JC Penney -- referred to as "Company A" in court documents -- argued in a filing that the attacks occurred more than two years ago, and that disclosure would cause "confusion and alarm."

However, it was already suspected JC Penney was one of the retailers after the Web site StorefrontBacktalk was the first outlet to accurately report in August 2009 that JC Penney was among the retailers targeted by Gonzalez's group.

New Jersey, where the Gonzalez case started, agreed to keep JC Penney's identity secret but the case was moved to Massachusetts where authorities decided otherwise, prompting JC Penney's motion.

Disclosing Company A's identity "may discourage other victims of cybercrimes to report the criminal activity or cooperate with enforcement officials for fear of the retribution and reputational damage that may arise from a policy of disclosure as espoused by the government in this case," wrote JC Penney attorney Michael D. Ricciuti.

In a Jan. 12 filing, U.S. prosecutors argued for disclosure. "Most people want to know when their credit or debit card numbers have been put at risk, not simply if, and after, they have clearly been stolen," the government wrote. "The presumption of disclosure has an additional significant benefit, though, besides the right of the card holder to know when he has been exposed to risk."

The U.S. Secret Service had told JC Penney that its computer system had been broken into. The retailer's system had "unquestionably failed," but the government said the Secret Service did not have evident that payment card numbers were stolen, U.S. prosecutors wrote.

Another retailer, The Wet Seal, said in a statement issued Monday that it had also been targeted by Gonzalez's gang around May 2008. The Wet Seal has been referred to as "Company B" in court documents.

"We found no evidence to indicate that any customer credit or debit card data or other personally identifiable information was taken," the company said.

Other retailers affected by the breach included TJX, 7-Eleven, Hannaford Brothers, Dave & Busters, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. computerworld.com

The 10 Riskiest Cities for Cybercrime

The threat of falling victim to cyber-crime is so ubiquitous today, and some of America's biggest cities are even more prone than elsewhere in the country, according to a well known producer of cyber-security software.

Norton from Symantec, a popular antivirus provider, teamed up with the research organization Sperling BestPlaces to discern which cities were the riskiest hot spots for cyber-security, publishing the results March 22 in The Norton Top 10 Riskiest Online Cities report. The 50 cities identified in the report make up a laundry list of the most famous places in the country.

The top 10 listed are:

•Seattle

•Boston

•Washington, D.C.

•San Francisco

•Raleigh, N.C.

•Atlanta

•Minneapolis

•Denver

•Austin, Texas

•Portland, Ore.

Other notable cities in the remaining 40 include Honolulu (11), Las Vegas (13), San Diego (14), New York (24), Los Angeles (30), Houston (32), Phoenix (34) and Chicago (35). Rankings were determined from Symantec data on cyber-crime, third-party data on online behavior and demographic data from Sperling.

These cities have been ranked based on the numbers of malicious attacks received; potential malware infections; spam zombies; bot-infected machines; and places that offer free Wi-Fi, per capita. They were also ranked based on the prevalence of Internet use; computer use, based on consumer expenditures for hardware and software; and risky online activity, like purchasing via the Internet, e-mail and accessing financial information.

Seattle ranked in the top 10 of all categories, which is how it wound up as No.1 riskiest city in the survey.

"When you look at the data, they are way ahead on all these measures, so you've got a concentration of heavy usage of technology engaging in the kinds of activities that we know increase your risk of being a victim of cyber-crime," said Marian Merritt, Norton Internet Safety Advocate.

But Merritt said people who don't live in one of the riskiest cities shouldn't ignore basic Internet safety procedures.

"Even if your city's not on the list, you as a citizen could be the kind of person who still engages in all the things that would have made your city rank higher," she said. "Even if you live in a rural environment but you're somebody who's constantly on the Internet and you have high-speed connections when you do online banking, you'll be encountering more risk than other people."

A city's concentration of busy Internet users had a lot to do with where it wound up on the list. Detroit came in at No. 50 because people there apparently don't have the Web-centric capabilities and usage patterns in the same high numbers compared to a city like San Francisco, which came in at No. 4.

"[Detroit is] the 50th -- the lowest ranking for cyber-crime. They're also low with access to the Internet. They're not spending as much on computer equipment. There's a whole bunch of factors that made them fall to the bottom," Merritt said.

She added that a city's digital safety environment might be something the municipal government would want to consider in projects to expand wireless capabilities to underserved communities.

"There's a responsibility to make sure that people who get new access to technology or services like broadband understand that there are risks and how to mitigate them," she said. govtech.com