Security Bytes: E-mail marketers smacked with lawsuits, fines

Also in the news, a company in hot water for improper outsourcing; cheap spyware kits for sale; and Protegrity buys a small file-level security vendor.

Florida state workers' payroll data at risk due to subcontracting
A Florida public-employee union is demanding the state drop a Cincinnati-based billing and human resource service after the state's payroll process was improperly subcontracted to a firm in India. There is no evidence that data has been stolen, according to a Computerworld report, but the subcontract violates Convergys Corp.'s $350 million agreement to manage the state's personnel systems.

In a March 16 e-mail, the state's Department of Management Services notified employees who worked for the state between Jan. 1, 2003 and June 30, 2004 that their data may be at risk. The investigation began after two former GDXdata Inc. employees exposed a company contract with an unidentified Indian company. Convergys had subcontracted Denver-based GDXdata to handle some payroll and human resource services, and that company then turned to the offshore service.

There is no indication any employee data has been misused for fraud or identity theft, the state reported last week. All affected employees will be provided with credit monitoring services, but a local chapter of the American Federation of State, County and Municipal Employees says that's not enough. The union is calling for the state to terminate its nine-year agreement with Convergys, which it said should have done due diligence when subcontracting such sensitive work. GDXdata has yet to comment publicly on its role in the case.

Major Internet privacy breach leads to lawsuit against Web site
New York Attorney General Eliot Spitzer expanded his data mining investigation to sue the owners of a Web site believed to have improperly sold up to 7 million e-mail addresses to e-mail marketers. The three companies that bought the lists in turn spewed out hundreds of millions of spam messages to users who'd been told by Gratis Internet their addresses would never be sold or rented.

The fraud case targets Gratis owners Peter Martin and Robert Jewell and accuses them of violating their customers' privacy in 2004 and 2005. Consumers who registered on the site for free iPods, DVDs and video games were told during sign-up that their information would not be sold or rented. However, Spitzer said the Washington, D.C.-based company never honored that promise. Gratis Internet has denied the allegations.

This lawsuit comes after the state settled another data mining lawsuit earlier this month for $1.1 million against Datran Media Corp. of New York, N.Y. That e-mail marketer had been accused of using about 6 million e-mail addresses mined illegally from other firms, according to published reports.

Internet marketer fined for spoofing e-mail addresses
The Federal Trade Commission levied its harshest fine yet -- almost $1 million -- against a San Francisco-based Internet marketer that violated the CAN-SPAM Act by tricking consumers into believing its promotional e-mails were from friends.

Jumpstart Technologies LLC must pay $900,000 in civil penalties and cannot continue to send misleading e-mails that appear to be personal messages from friends, but actually advertise FreeFlixTix or other products from business partners. Because the messages looked legitimate, they frequently slipped past spam filters that flag unsolicited e-mails.

The company obtained the addresses by offering free movie tickets in exchange for the names and e-mail addresses of five or more friends, according to a news release. The FTC also maintains the means used to extract those e-mail addresses were deceptive, requiring credit card information and promotional sign-ups. The agency noted that Jumpstart Technologies has not admitted any wrongdoing, but has agreed to the penalties as outlined in the settlement.

The company also violated CAN-SPAM by not always including an opt-out option in its e-mails. Even when one was included, consumers often received the spam beyond the 10-day window required by the law, the FTC said.

Russian Web site selling inexpensive spyware kits
Enterprise security vendor Sophos plc, whose U.S. operation is based in Massachusetts, is reporting a Russian Web site that sells a spyware kit called WebAttacker for less than $20 and even offers technical support for those who make an online purchase.

The kit includes scripts to infect computers via e-mails that lead users to a compromised Web site, according to a Sophos statement. The company's labs have found these e-mails use current events -- such as the avian flu epidemic and former dictator Slobodan Milosevic's recent death -- to lure users in. The JavaScript code launches an exploit that attempts to turn off a computer's firewall and install a keylogger or bank-related Trojan.

"Making spyware available on the cheap like this means that technical skills have been removed as an entry-level barrier to the world of cybercrime," said Sophos senior technical analyst Ron O'Brien in a news release. "Now even dim-witted miscreants will be able to join the world of cybercrime."

Sophos recommends enterprises upgrade or maintain their enterprise security software -- particularly antivirus and antispyware tools that protect desktops and servers.

Protegrity buys data security provider OmniSecure
Stamford, Conn.-based data security provider Protegrity Corp. last week announced it will acquire privately held OmniSecure for an undisclosed amount. That 20-employee company is based in Zhu Hai, China but also operates from Santa Clara, Calif. headquarters, which will remain after the purchase. OmniSecure provides file-level encryption to protect sensitive data stored on servers, backup tapes and storage systems. Its flagship product, VPDisk, protects files at the kernel level.

Seven months ago Protegrity bought application service provider Kavado and integrated its technologies in its recent release of Protegrity's Defiance 4.0 Security Suite. The company, which has almost 100 employees worldwide, said in a news release that its most recent purchase will help it to expand its global reach, particularly in the Asia Pacific market.
