[ISN] U.S. scrutinizes security hole at privacy site

From: InfoSec News (isnat_private)
Date: Mon Jul 09 2001 - 01:05:57 PDT

    By Reuters
    July 6, 2001, 4:25 p.m. PT

    WASHINGTON--U.S. officials scrambled to assure businesses Friday that
    their confidential data had not been compromised by a government Web
    site that allegedly contained security holes.

    Ironically, the Web site encouraged businesses to sign up for a
    program that would beef up their own protections for sensitive
    personal data.

    A report that appeared Friday on Wired News said hackers could easily
    access proprietary information through a back door to the U.S.
    Department of Commerce's safe harbor Web site.

    A notice on the site said two pages had been taken down Wednesday
    while security provisions were examined.

    Commerce Department officials said they were still investigating the
    matter but that hackers had not altered any data accessible through
    the site.

    "As we continue to examine the situation, we're in the process of
    contacting all Safe Harbor participants to assure them that we have
    not found any compromised data," said Jeff Rohlmeier, an international
    trade specialist at the Commerce Department.

    U.S. and European Union officials developed the safe harbor program
    last year to enable U.S. firms to avoid prosecution under an EU law
    that prohibits the transfer of personal data such as customer lists
    from the EU to countries that do not meet its standards for privacy
    safeguards, including the United States.

    Firms that wish to sign up for the safe harbor must certify that their
    internal privacy practices measure up to EU standards. U.S. companies
    have been slow to sign up: As of July 1, only 72 businesses were
    listed on the site as participants.

    The security hole reportedly allowed visitors to a government site to
    access a database that contained information on participating
    businesses the Commerce Department said it would not make public:
    revenue, number of employees, and European countries in which the firm
    does business.

    Publicly held companies divulge this information in financial filings,
    but many private firms closely guard such figures.

    John Hollway, chief privacy officer for privately held pharmaceutical
    services company Acurian, said Commerce Department officials had
    contacted him about the possible security hole.

    While Hollway said he was concerned that hackers could have bumped
    Acurian from the certification list, he said he was not troubled by
    any data that might have been revealed.

    "I don't think it raised huge alarm bells," Hollway said. "Certainly
    there's an unfortunate irony that a privacy site is fingered as a
    place that could be hacked."

    ISN is hosted by SecurityFocus.com