Archive for July, 2011


Two CD-ROMs containing the private information of 34,000 investment clients of Morgan Stanley Smith Barney still have not been found, but the controversy over who’s to blame for the data breach continues to grow. In statements to, Morgan Stanley and the New York State Department of Taxation and Finance blame each other for the mess.

“We were notified by the state that the package appeared to be intact when it arrived at the facility; however, the discs were not contained in it when it was given to the intended recipient,” inside the department, Jim Wiggins, a spokesman for Morgan Stanley Smith Barney, told us.


If you use online or mobile banking, you may be interested to know six federal regulators teamed up recently to make your accounts more secure. New rules from the Federal Financial Institutions Examination Council (FFIEC) require banks to take extra steps to make sure that the person signing into your account is actually you.

The rules require banks to apply the same anti-fraud measures used for bank websites to mobile devices. They also include surprisingly frank descriptions of the big risks inherent to any mobile or online bank transaction.


By Eduard Goodman

The news is bad: Your company suffered a data breach. Don’t make it worse by sending out a confusing, overly technical or outright alarming letter to your customers.

In 46 states, companies that have suffered a data breach are required to send letters to all affected parties whose personal identifying information has been compromised. These letters must comply with state laws, but compliance doesn’t mean the letters have to read like legalese or cause undue panic. The goal is to inform, educate and reassure your customers, not bore or scare them. You want—and need—them to read it, so how do you make the letter as helpful and appealing as possible? Check out these 4 tips:


By Matt Cullina, Identity Theft 911

Our nation’s 460,000 foster children already have a rough start in life. So it’s especially heartbreaking when identity thieves cause additional problems for the children who exit foster care each year.

These young adults have a vision of becoming self-reliant productive individuals. But they’re stymied when their identities are stolen and their credit records are blighted. They can’t lease housing, secure education or auto loans, or open bank accounts.

Increasingly, identity fraud threatens all children. Victims 19 and younger accounted for 8 percent of identity theft complaints filed with the Federal Trade Commission in 2010, compared with 7 percent the previous year.

But foster children are particularly vulnerable.


By Brian McGinley

Data breaches are an everyday occurrence affecting millions of Americans each year.

Just ask crafters who shop at , Sony PlayStation Network gamers and investors at Morgan Stanley Smith Barney.

They’re all vulnerable to identity theft and other fraud because their personally identifiable information (PII), such as a birth date or Social Security number, was exposed. That information could be used to commit financial fraud.

What should you do if this happens to you? The first step is to call your insurance company or bank to see if you qualify for . We’ll help you assess your risk and, if warranted, take steps to make you less vulnerable.


By Eduard Goodman

A day doesn’t go by when we don’t read news of a data breach at a major company, healthcare facility or financial institution. The breaches at Epsilon, Sony and now brokerage Morgan Stanley Smith Barney are good examples.

We asked Eduard Goodman, Identity Theft 911 chief privacy officer and an expert on international privacy and data protection law, what to do when a data breach notification letter lands in your mailbox.

His short answer: Don’t panic. Just pay attention.


By Adam Levin

A few days ago, a friend of mine received several letters dated June 24, 2011, from Morgan Stanley Smith Barney, where he has kept brokerage accounts for himself and his children for many years. Each began with the now familiar, “we care about you” phrase:

“At Morgan Stanley Smith Barney, client satisfaction and information security are critical priorities.”

Then it segues into the sickeningly familiar, “but perhaps not enough” phrase:

“We are writing to inform you of a recent security incident involving the sensitive information of certain Morgan Stanley Smith Barney account holders. Morgan Stanley was recently notified by the New York State Department of Taxation and Finance that two password-protected CD ROMs included in the package received from Morgan Stanley Smith Barney were missing from the package when it was delivered to the intended recipient within the Department. The CD ROMs included sensitive information about your account that was sent as a requirement to New York State after filing annual 1099 tax forms. The sensitive information on the password-protected CD-ROMs included names, addresses, Social Security numbers, Morgan Stanley Smith Barney account numbers and income earned on tax exempt bonds or funds you hold or held in 2010.”



Personal information belonging to 34,000 investment clients of Morgan Stanley Smith Barney has been lost, and possibly stolen, in a data breach. According to two letters sent to clients, and obtained by, the information includes clients’ names, addresses, account and tax identification numbers, the income earned on the investments in 2010, and—for some clients—Social Security numbers.

The data was saved on two CD-ROMs that were protected by passwords, according to the letters, but the CDs were not encrypted.

“There’s no evidence that there was any criminal intent here, or actual misuse of this information,” Jim Wiggins, a spokesman for Morgan Stanley Smith Barney, said in a phone interview.


By Ondrej Krehel

A forensic research firm recently reported that its team had found a way to decrypt data protected by the encryption used in Apple’s iPhone iOS 4 operating system.

This means that sensitive user data—information about how, when and where the phone was used—can be lifted off the device or an iTunes copy of the phone’s backup. Previously such information was used by Apple and Apple alone.

The researchers at have said they’ll make “Phone Password Breaker” available to “established law enforcement, forensic and intelligence agencies as well as select government organizations” to make sure they don’t “fall into the wrong hands.” But we all know that if it can be done, it’s only a matter of time before the black hats figure out how to do it.



Last week I expressed my concern over efforts in Congress to delay, defang and ultimately defund the Consumer Financial Protection Bureau. I called upon consumers to rebel against being treated as little more than pachyderm toe-jam and to send a clear message in 2012 to those in Congress who have been the spear carriers for business.

[Article: The Elephants in the Room: The GOP's War on Consumer Protection]

My consternation over the GOP’s crusade to derail the first truly powerful and focused national consumer protection agency, however, pales in comparison to my concern over the failure of both parties to meaningfully address through federal legislation the issues of data protection and breach notification in the face of a raging pandemic of database compromise.

The numbers are staggering. Since 2005, the credit card data and personal identifying information contained in more than 500 million files have been accessed by countless unauthorized persons. According to the experts, database invaders can be divided into four categories: criminals, hacktivists, the “because I can and it’s fun” crowd and warriors (those who hack on behalf of governments). This doesn’t necessarily mean that the sensitive personal information of every American is in the hands of those who operate either outside or on the fringes of the law. However, at the very least, tens of millions of us have won the victimization lottery, meaning our information resides on multiple exposed databases.