Friday, January 30, 2009

E-discovery versus Web 2.0

I had a new blog item posted this week on Suite101.com about the concerns companies have that communications on new technology like texting, Facebook and even Twitter could be subject to e-discovery laws. Check it out.

Thursday, January 15, 2009

GigaOM Post

I've also had the opportunity to write for the popular technology industry site GigaOm. One of its properties, Earth2Tech, is devoted to green tech news. On Jan. 14 it posted my report, "Solar's Dirty Side is Being Ignored, Report Says," about an environmental group's study of hazards related to solar panel manufacturing. It's a follow-up to a story I posted on Earth2Tech earlier that previewed the then-upcoming report, "Cadmium: The Dark Side of Thin Film?"
It's clear that green technology is an emerging field that offers new opportunities for me as a journalist.

Wednesday, January 7, 2009

IDG News/Network World

From August 2006 to November 2007, I was a writer for IDG News Service, the wire service for multiple IDG publications, and for Network World, one of the IDG titles. Here are a few samples of my work.

Before I was hired, most of Network World's reporters were based in Boston or scattered elsewhere in the U.S. I offered the advantage of being based in Silicon Valley. My editor said this was the type of story they were looking for from a Silicon Valley-based reporter: "Unauthorized iPhone Apps Market Flourishes" Sept. 26, 2007

Network World has been active in making its Web site more dynamic, with multimedia features such as slide shows. I covered a conference at the Computer History Museum in Mountain View, Calif. My story, "Deconstructing the PC revolution," was accompanied by a slide show of photos I took of computers that are literally museum pieces! Nov. 5, 2007

This is a major project story I wrote about an IT upgrade for the Bay Area Rapid Transit (BART) system in San Francisco: "Process makeover keeps BART on track" Oct. 12, 2007

One of my main beats at Network World, as well as at IDGNS, was storage technology. This article explored the problem many enterprises experienced of buying too much storage because much of the capacity was set aside for various groups but little used. "When in doubt, buy more storage" April 23, 2007

At IDG News, I was the lead reporter on coverage of the HP pretexting scandal. My experience included being blocked by handlers when I tried to interview CEO Mark Hurd about the scandal at an HP conference in Houston. Some of the other stories:

"HP CEO calls pretexting probe a 'rogue' investigation" Sept. 26, 2006

"Dunn to 'set the record straight' in HP case" Sept. 21, 2006

I also covered a federal court hearing over a lawsuit against telecoms for cooperating with the Bush administration's warrantless wiretapping program. This analysis column was called "Reporter's Notebook: NSA suit like Alice's Wonderland" Aug. 16, 2007
To inquire about Robert Mullins' availability for full or part time work, please write me at mullico@gmail.com or call at 408-243-4302

Tuesday, January 6, 2009

Robert can take photos, too


This photo of Neil Young making a cameo appearance
at JavaOne made the front page of Software Development Times.
Photo credit: Robert Mullins


As a senior editor for Software Development Times, I, of my own volition, used my personal camera to take photos. Invariably, on production day for each of the print issues of SD Times, someone from the graphics department would e-mail me asking for a headshot of whomever was featured in one of my articles. I'd have to scramble and call the PR people at a company to send me a headshot, which may as well have been the guy's driver's license photo. Finally, I decided to take my own photos, when possible. Here are some photos and some related stories:
Sun Microsystems CEO Jonathan Schwartz

Showfloor at JavaOne 2008


Ian Murdock, VP of Developer and
Community Marketing, Sun Microsystems

Reuven Cohen co-hosts "unconference" on
cloud computing in San Francisco in May 2008


Participants at the "Cloud Camp" in San Francisco
line up to suggest breakout sessions for their
"unconference" on cloud computing in May 2008

The Firefox mascot greets visitors to Mozilla's
headquarters for a launch event for the
Firefox 3 browser in June 2008

The crowd at Google I/O Conf.
Moscone Center, San Francisco, May 2008

Monday, January 5, 2009

Coverage of software development

I had the opportunity to learn the ins and outs of the software development field while writing for Software Development Times in 2008. I had written a little bit about software development before, but my knowledge was an inch deep and a mile wide compared to the in-depth knowledge readers of SD Times expected. Within a few months, though, I was able to learn the inside scoop in stories such as these:

Java the Bloat
June 15, 2008

Sun-MySQL progress report

July 17, 2008

'We don't know what we should be teaching:' software programming for multicore

April 14, 2008

Dissident Icahn added to Yahoo board
Aug. 4, 2008

Android apps draw crowd at developer conference

May 30, 2008

Blog for GigaOM, too

I've also had the opportunity to blog for GigaOM, the site run by veteran Silicon Valley technology writer Om Malik. After being introduced to one of their editors by a good friend, I submitted a post I wrote based on information I had obtained about a pending report on environmental hazards related to solar energy. "Cadmium: The Dark Side of Thin-Film?" was posted Sept. 25, 2008 on the GigaOM-related site Earth2Tech. The article generated considerable comment.

I can blog, too, Pt. 1

I have extensive blogging experience, having been senior editor of a blog for my extended family since 2006. That's just for personal use, as is another blog titled "Mullico Musings", which offers my take on politics, current events and other personal interests. But I've also posted on commercial blogs, such as Suite101.com. It posts blogs on a variety of topics, mostly "how-to" type articles. I've written a few combining my personal interest in cars with my knowledge of technology. Here's one recently posted on hybrid cars:
Midsized hybrids segment grows

On a related subject, I also wrote about Shopping for green cars besides Prius or Escape

And now for something completely different, Suite101 has blog pages devoted to cloud computing, to which I contributed this article Dec. 11, 2008: Cloud Computing Not the Answer for Every Business

As you can tell, I am a very versatile writer with an ability to write with authority on a wide range of topics. Besides covering the tech industry in Silicon Valley, I've also been a business reporter covering multiple industries. I can pick up on new beats quickly.
On a more practical matter, I am able to write with the distinctive "voice" of a blogger, which is different from the third-person observer voice of the traditional journalist. Also, I have learned how to maximize the opportunity to draw readers to a blog with the right amount of links and the highlighting of keywords searchers will be drawn to.
Lastly, I can also blog with a sense of humor, a la "The Onion," as in this post on the speculation about the health of Apple CEO Steve Jobs, rumors that were dispelled with a company pronouncement Jan. 5 that he is being treated for a "hormone imbalance."

Robert Mullins coverage of network security, Pt. 4

I also had the opportunity to write for SearchSecurity.com for the story FACTA's red flags of identity theft, which was posted Feb. 26, 2008:



Later this year, new Federal Trade Commission (FTC) rules go into effect requiring businesses to recognize the "red flags" that tell them someone may be committing fraud.

Businesses that maintain personal financial information on customers -- from banks to auto dealers -- must have systems in place to spot red flags and intervene to stop a possible identity theft.

"If someone were to apply for credit and they put down their date of birth and then a Social Security number that does not correlate to the date of birth, that would be a red flag," said Paul Metrey, director of regulatory affairs for the National Auto Dealers Association (NADA), which hosts data security workshops for dealers.

Red flags

The following are examples of red flags, according to the FTC:

  • The majority of available credit on a card is used for cash advances or merchandise that is easily convertible to cash, such as jewelry;
  • A noticeable change in electronic fund transfer patterns on a deposit account;
  • Purchases in two distant cities on the same day;
  • Identification documents provided to open an account appear to have been altered or forged;
  • Customer can't answer challenge questions like identifying their mother's maiden name.

The Red Flag rules from the Federal Trade Commission (FTC), which take effect Nov. 1, 2008, are a follow-up to the Fair and Accurate Credit Transactions Act (FACTA) enacted in 2003. FACTA requires businesses to have systems in place to secure the personal financial information of customers and to securely dispose of that information when it's no longer needed.

Besides auto dealers, businesses subject to FACTA include debt collectors, mortgage brokers and even someone who obtains a credit report on a prospective nanny, according to the FTC.

"Whether someone hiring a nanny is aware [of FACTA], I don't think there are, obviously. But I think financial institutions are aware of it and they have to be," said Mary Monahan, senior analyst with Javelin Strategy & Research, which focuses on the financial services industry.

Keeping dealerships secure

Car dealers regularly work with finance companies, but there is no one data security plan for all of them, said NADA's Metrey. "The procedures you adopt should be appropriately tailored to the size and complexity of your operation."

For a small dealer, selling just a few cars per month, security could be as simple as advising the finance manager not to leave contracts on their desk when they leave the office.

For a large dealer group with multiple car make franchises, though, best practices include password-protected access to servers only for people whose job descriptions entitle them to access. A service department manager can access a customer's vehicle maintenance records, but not their finance records. Servers should be in a secure, climate-controlled room and not accessible via the Internet, NADA advises in a guide to dealers.

Don't reinvent the wheel

Privacy regulations have been imposed on debt collectors for years so new rules such as FACTA aren't all that new to them, said Leslie Bender, an attorney specializing in privacy laws who represents a debt collection industry group.

Debt collectors, who obtain personal financial records of debtors to collect money on behalf of client creditors, have been subject to the Fair Debt Collection Practices Act for about 30 years. They, and the vendors who sell them computers, firewalls or document shredding services, are "light years ahead" of other industries on their security policies, said Bender.

"Debt collectors are attuned to protecting consumer data and don't just pitch it into the dumpster," she said.

But besides securing and properly disposing of records, financial institutions now also have to be further diligent under the Red Flag rules.

About the author:

Robert Mullins is a reporter covering the technology industry from Silicon Valley. He writes about servers, storage, security, open source software and other topics.

Robert Mullins coverage of network security, Pt 3

The third in the series I wrote for SearchFinancialSecurity.com on high-profile network security events, "Lessons Learned: the Citibank ATM breach," was published Sept. 11, 2008:

The hacking of Citibank ATM networks, which exposed cardholder account numbers and personal identification numbers (PINs), has given financial institutions new security worries and prompted them to review their security methods.

In a technology arms race between banks and thieves, financial institutions continually harden their networks in an attempt to thwart new attacks by crooks.

"These guys are trying to make a living as fraudsters and we're trying to stop them for a living," said Doug Johnson, vice president of risk management policy for the American Bankers Association (ABA).

The Citibank case

On Feb. 1, 2008, Citibank reported to the FBI that account numbers and PINs had been pilfered from a server that handled transactions from Citibank-branded ATMs at 7-Eleven convenience stores. According to the FBI, the suspects, who are in custody, created new ATM cards encoded with the stolen account numbers and, with the PINs, withdrew cash from ATMs. Other court documents indicate the accused may have stolen as much as $3.6 million in various ATM fraud schemes.

The Microsoft effect

Experts say that the reason the Citibank accounts were hit follows the same logic behind attacks on Windows operating systems -- both are ubiquitous. Citibank is a global financial services enterprise with a vast IT infrastructure and 20,000 automated teller machines, while Microsoft's Windows runs on more than 90% of the world's personal computers and close to 70% of its servers. Increasingly, ATM networks are running on Microsoft's Windows operating system, which security experts say makes them more vulnerable than if they ran on a proprietary platform that would be harder for hackers to figure out. However, neither Citibank nor Microsoft would say whether Citibank's ATM network is Windows-based.

"You get more bang for the buck if you, as a hacker, invest in compromising Citibank's network because there's more of a network to attack, just like Windows," said Avivah Litan, an analyst at Stamford, Conn.-based Gartner, Inc.

Although Citibank wouldn't identify the processing firm, there are two companies that maintain the ATMs at 7-Eleven stores: Cardtronics, a Houston-based company that owns 5,500 ATMs in 7-Eleven stores, and Fiserv Inc., of Brookfield, Wis. Cardtronics maintains only 2,000 of the 5,500 ATMs it owns; Fiserv maintains the other 3,500. The publicly traded Cardtronics acquired the ATMs from 7-Eleven Financial Services, a division of the convenience store chain, in late 2007, according to an SEC filing.

Fiserv said through a spokeswoman that its servers were not hacked in the Citibank case. Cardtronics declined to comment for this story. In a July 2 news release it stated, "Cardtronics is not involved in this criminal prosecution and therefore does not anticipate that it will issue any statements with respect to this case."

PCI compliant ≠ secure

But Cardtronics added that all of its ATMs have encrypted PIN pads, triple data encryption and that its processing platform complies with the Payment Card Industry (PCI) data security standards.

However, being PCI compliant doesn't mean an ATM network is hacker-proof. "You can't say 'I'm PCI compliant,' and then wipe your hands and walk away," said Mike Urban, senior director of fraud solutions at Fair Isaac Corp., a provider of enterprise decision management automation in Minneapolis. "This is an ongoing security concern and should always be an ongoing concern."

Too many network administrators deploy only enough security to win PCI compliance, although that is changing, said Jim Pflaging, CEO of San Francisco-based SenSage, a provider of enterprise data warehousing tools.

Previously, some companies only met the minimum security standard. "They just want the [PCI] auditor to get out of their office," he said. Increasingly, though, others regard security as a form of risk management that is strategic to their business and go beyond the PCI standard.

ATM security evolving

Recently, ATM vendors have teamed up with security firms in order to develop new technology that will keep up with evolving hacker attacks. For instance, Wincor Nixdorf, a German ATM maker, partnered with Cisco Systems to develop the PC/E Platform Security Agent, which prevents software from being installed or modified without authorization. One theory behind the Citibank breach is that the hackers installed malicious software onto the servers to access the account numbers and PINs.

In another partnership, Diebold, Inc. is working with Agilis Software LLC to secure its Opteva ATM line with anti-skimming technology. Skimming involves placing a fake ATM card slot over the real one in order to read card numbers and PINs as they go in.

But such point products don't provide a comprehensive security net, SenSage's Pflaging argued. However, data warehousing technology, which records every event on a network, can help identify patterns or connections between incidents that indicate potential thievery. For example, if an ATM card is used in Chicago and, moments later, in Moscow, that's a sign of trouble, Pflaging said. If a bank employee accesses the network and, soon after, moves a large file off the network, the action deserves closer scrutiny.
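The FTC red flag "purchases in two distant cities on the same day" in the FACTA story above and Pflaging's Chicago-then-Moscow example both describe the same velocity check. As an added example (not code from either article, SenSage or any bank), here is that check in Python over constructed transactions; the speed threshold, the minimum-distance cut-off and the card labels are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0     # assumption: roughly airliner speed; anything faster is implausible
MIN_DISTANCE_KM = 50.0    # assumption: ignore hops inside one metro area


@dataclass(frozen=True)
class Transaction:
    card: str            # card identifier (a token, never the full card number, in a real system)
    when: datetime
    city: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Alert:
    card: str
    from_city: str
    to_city: str
    distance_km: float
    speed_kmh: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(txns, max_speed_kmh=MAX_SPEED_KMH, min_distance_km=MIN_DISTANCE_KM):
    """Flag consecutive uses of one card whose implied travel speed is not physically possible."""
    by_card = {}
    for t in sorted(txns, key=lambda t: t.when):
        by_card.setdefault(t.card, []).append(t)
    alerts = []
    for card, seq in by_card.items():
        for a, b in zip(seq, seq[1:]):
            dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if dist < min_distance_km:
                continue  # two shops across town are not a red flag
            hours = (b.when - a.when).total_seconds() / 3600.0
            # Two distant uses at the same instant imply infinite speed: always flagged.
            speed = float("inf") if hours <= 0 else dist / hours
            if speed > max_speed_kmh:
                alerts.append(Alert(card, a.city, b.city, round(dist, 1), round(speed, 1)))
    return alerts


def _utc(y, mo, d, h, mi):
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


# Constructed sample: card labels and timestamps are invented for this example.
SAMPLE_TRANSACTIONS = [
    Transaction("card-A", _utc(2008, 9, 11, 10, 0), "Chicago", 41.88, -87.63),
    Transaction("card-A", _utc(2008, 9, 11, 10, 20), "Moscow", 55.76, 37.62),   # 20 minutes later
    Transaction("card-B", _utc(2008, 9, 11, 9, 0), "Chicago", 41.88, -87.63),
    Transaction("card-B", _utc(2008, 9, 11, 12, 0), "Milwaukee", 43.04, -87.91),  # a plausible drive
    Transaction("card-C", _utc(2008, 9, 11, 8, 0), "Chicago", 41.88, -87.63),
    Transaction("card-C", _utc(2008, 9, 11, 8, 5), "Chicago", 41.90, -87.65),    # same metro area
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_TRANSACTIONS):
        print(alert)
```

Only card-A trips the rule: Chicago to Moscow is roughly 8,000 km, so 20 minutes implies a speed in the tens of thousands of km/h.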

"You put your Inspector Clouseau hat on and you can start to look for all of these very unusual cases," Pflaging said, adding that it's possible criminals in the Citibank case could have been aided by someone inside Citibank "or someone who has somehow obtained the credentials of one of your trusted insiders."

Despite all these security breakthroughs, Windows-based ATM networks are a popular choice amongst financial institutions. Windows makes sense as an operating system because it's low cost and is easy for banks to manage, especially on global networks that span different countries, said Pflaging. "But, Windows is just an outright, big invitation to security hackers."

Even though Windows makes a big target, it can be secured, countered Gartner's Litan. "If you keep Windows locked down and you keep your network locked down, then it's no worse or better than any other system. It's just a question of locking it down and not allowing anyone to get in."

Robert Mullins coverage of network security, Pt. 2

For your consideration, another in the SearchFinancialSecurity.com series on high-profile security failures. This one, published Nov. 5, 2008, is titled "Lessons Learned: The Countrywide Financial breach":

The FBI affidavit in the case of the data breach at Countrywide Financial Corp. reads like the script of a TV crime drama.

The FBI informant meets in a bar with two guys who have information to sell. One goes by the name of "Nico," the affidavit reads, while the other is introduced as "Rebollo." Rebollo is Rene Rebollo, who is now facing trial in federal court in Los Angeles for stealing mortgage customer data from Countrywide, while Nico, Wahid Siddiqi, is facing trial for fraud.

According to an FBI agent, Rebollo, on Sunday nights, went to the Countrywide Home Loan office at which he worked in Pasadena, California. Over a period of two years, when no one else was around, he'd regularly insert a flash drive into a computer and copy thousands of customer records. Siddiqi allegedly helped fence the data, selling it as sales leads to other mortgage brokers. In one deal witnessed by an FBI agent, Siddiqi showed another informant data on a compact disk running on a laptop computer.

"It's the bombest data," Siddiqi boasted, meaning they were promising leads.

Data breaches: Inside jobs or outside attacks?

The Countrywide case illustrates that no matter how much financial institutions invest in security, some breaches still occur. Industry analysts say it's because enterprises either use outdated technology or leave gaping holes in their security that can be easily exploited. Most troubling is the fact that, more often than not, data breaches are an inside job.

"There is a rampant access control and authorization control problem in the enterprise," including financial institutions, says Perry Carpenter, a research director at Connecticut-based Gartner Research Inc., specializing in security and privacy issues.

A study released Oct. 13 by the software firm Compuware Corp. and conducted by the Ponemon Institute stated that 75% of data breaches reported by enterprises were committed by employees; external hackers were the culprits in only 1% of cases.

"You have to extend trust to the people that are working for you, but the very fact that [employers] have to extend trust opens them up to vulnerability," Carpenter said.

Countrywide was conscientious enough to have a safety feature on its computers that prevented people from downloading files onto external devices such as flash drives. But, according to the FBI affidavit, Rebollo used the one computer in the Pasadena office that did not have that feature.

Countrywide, through a spokeswoman, declined to comment for this article. The company, which has since been acquired by Bank of America Corp., has offered two years of a free credit monitoring service to Countrywide customers whose records may have been compromised.

The security scandal comes amid other bad news for Countrywide, which has been accused of using unfair business practices to sell subprime loans to borrowers. Connecticut Attorney General Richard Blumenthal, who is already suing Countrywide over its loan practices, criticized it for allowing this breach.

"Countrywide consumers justifiably want an explanation for a long-term security failure that enabled an employee -- undetected and uncontrolled -- to download sensitive information over an extended period of time," Blumenthal stated in a Sept. 10 news release.

A Countrywide spokesman, quoted in a Los Angeles Times story that same day, disputed reports that as many as two million customer accounts were exposed, but added that Countrywide believes there have been no reports of identity theft or other fraud affecting its customers as a result of the breach.

Caught in the act

FBI documents describe a scheme in which Rebollo downloaded as many as 20,000 customer account records, including name, address, loan amounts and Social Security numbers, nearly every week between 2006 and 2008. He sold each batch of data, either on a thumb drive, compact disk or as an email attachment, for $500. "Rebollo estimated that he made $50,000 to $70,000 over the course of two years by selling the Countrywide Home Loan data," an FBI affidavit states.

Rebollo initially cooperated with the FBI, meeting with agents July 15, 2008 and allowing them to take his desktop computer and a thumb drive from his Pasadena apartment as evidence. Two days later, though, Rebollo hired an attorney who advised him to revoke his cooperation, requiring the FBI to get a warrant. But despite knowing the FBI was on to him, Rebollo tried to sell more data. An FBI affidavit says Rebollo was on the phone July 23rd with an informant posing as a buyer and was negotiating yet another sale.

Rebollo is charged with exceeding authorized access to the computer of a financial institution, a federal crime that carries a maximum five-year prison term. His lawyer, Michael Severo, has not returned a call for comment. Siddiqi is charged with fraud related to his role in the scheme and is facing a maximum 15-year sentence. His attorney, Jeffrey Lipow, has also not returned a call for comment.

Lessons learned from the Countrywide breach

Although not privy to all the facts of the Countrywide breach, Gartner's Carpenter says the case illustrates the need for financial services firms and all other enterprises to have defense in depth protecting their networks and sensitive company data.

In a July 25 report to Gartner clients, Carpenter writes that enterprises need more than just technology to protect data; they also need management policies and a corporate culture that stresses integrity.

Besides password protection, enterprises should deploy network monitoring software that looks for suspicious data traffic, such as an employee in the office downloading large data files on a Sunday night. But that alone may not be enough for salaried employees who sometimes work odd hours. "It may not set off an alarm bell that they are there on a Sunday," he says.

Another vulnerability that may be overlooked involves software applications that access customer databases for various purposes, Carpenter added. An application may scour records to identify customers with the best FICO scores to market a credit card or another financial product to them. Usually, when an employee leaves a company, their password is revoked, but those applications also use passwords that could fall into the wrong hands.

"Over time, people learn about these accounts and it's more likely that if you steal that user ID and password, it's still going to be in effect a year after you leave," Carpenter says.

But more than technology, companies also need to keep employees honest, he concludes. Companies need to schedule regular security training to maintain employee awareness of the need to protect data for the benefit of customers, shareholders and the company. Even something as simple as posting signs about security procedures is another reminder. Steps not related to technology, such as job rotation, segregation of work duties and mandatory vacations, are also part of a layered approach to security.

One last bit of advice sounds counterintuitive: Carpenter advises against "password expiration," in which employees are required to create new passwords for network access at regular intervals. If passwords change frequently, some employees may have trouble remembering them, prompting some to write them down, which increases, rather than reduces, vulnerability.

Robert Mullins coverage of network security, Pt. 1

Here is one of the stories I wrote recently on the subject of network security. I've been chosen by an editor at SearchFinancialSecurity.com to write a couple of articles detailing security breaches at high-profile companies for a series called "Lessons Learned."
Lessons Learned: The Lending Tree breach was published Nov. 13, 2008. Because finding the article via the link requires a username and password, I've pasted it in for you below:


LendingTree's advertising slogan, "When banks compete, you win," is the subject of mockery in the wake of a security breach in which customer data was stolen.

"When banks get breached, you lose!" wrote a commenter on The Consumerist, a consumer protection website.

The case

LendingTree, LLC was forced to admit April 21, 2008 that former employees of the online mortgage broker had obtained customer passwords and shared them with non-LendingTree-approved mortgage lenders so those lenders could market their loans to those customers. Although the company sued the parties involved in the breach in a state court in California, multiple LendingTree customers have sued LendingTree in federal court for lax network security.

"We regret any inconvenience," stated "RL Harris" in an April 21 letter to customers, an apparent reference to Robert L. Harris, president of LendingTree. Harris disclosed that former employees shared customer passwords with non-approved lenders and that, with that access, the non-approved lenders could view the customers' applications for mortgages. He further stated that the unauthorized access began as far back as October 2006.

"The loan request forms contained data such as name, address, email address, telephone number, Social Security number, income and employment information," he acknowledged. While such data can be a treasure trove for identity thieves, Harris sought to reassure customers: "We don't believe any identity theft or fraudulent financial activity resulted from this situation." LendingTree, through a spokeswoman, declined a request for comment for this story.

At the time the breach was reported, LendingTree, of Charlotte, N.C., was a unit of IAC/InterActiveCorp. It was spun off as its own publicly traded company, Tree.Com Inc., on Aug. 21.

Simultaneous to disclosure of the breach, LendingTree filed suit against five mortgage lenders in Southern California, which it accuses of fraud for using its customer records without permission. The companies are: Newport Lending Corp.; Southern California Marketing; Sage Credit Co.; Chapman Capital Inc.; and Home Loan Consultants.

The aftermath

At the same time LendingTree is the plaintiff in the California case, it is the defendant in a number of federal lawsuits filed by LendingTree customers outraged at their records being compromised.

In one such case, customer Marvin Garcia, of New York City, sued LendingTree in U.S. District Court in Manhattan July 29 accusing it of negligence, invasion of privacy and violation of the U.S. Fair Credit Reporting Act, which requires companies "to maintain reasonable procedures designed to limit the use of consumer reports [to] permissible purposes."

The suit, which has since been consolidated with other customer lawsuits in North Carolina, where LendingTree is based, also names the same non-approved lenders that LendingTree sued in California, stating: "The mortgage lenders used the passwords of LendingTree's customers to access the … customer loan request forms to market loans [to them]."

"Lending Tree knew or should have known that its network for processing and storing customer loan request forms…had security vulnerabilities," the lawsuit states.

In announcing the filing of the Garcia suit, his law firm, Meiselman Denlea, of White Plains, N.Y., criticized LendingTree for waiting so long before warning customers after it discovered the breach, and for only advising customers to get a credit check and monitor their credit reports going forward -- at their own expense.

Reputation risk cannot be ignored

LendingTree can be expected to take heat for this in the court of public opinion as well as in real courts, said Dana Wiklund, research director for global risk management at Financial Insights, a unit of the research firm IDC focused on the financial services industry.

"It opens up Lending Tree to reputation risk," Wiklund acknowledged. However, he added, this breach could have been a lot worse. So far, there's no evidence that the unauthorized access to customer records has resulted in any identity theft or fraud against those customers (although the customers' lawsuits argue they are still at risk). And while it's unclear exactly how many LendingTree customer records were exposed, he doesn't see this case being on the scale of other breaches.

"The fact that the data went to maybe other mortgage brokers and marketers is a big distinction from losing a tape with a million socials on it and finding out that some of these socials are popping up with international fraud rings," said Wiklund. He added that the mortgage brokers or lenders who gained the unauthorized access are likely one- or two-person shops whose only motivation was to try to drum up some business.

Nonetheless, he concluded, LendingTree is going to have to go back, see what went wrong and fix it.

Password protection

That LendingTree employees could access customer passwords and share them with outside parties is puzzling to Jeremy Duffy, a self-described technology privacy awareness advocate and host of an online "Computer and Internet Safety for Normal People" seminar. Duffy finds it hard to believe that employees could access even their own customers' passwords.

What needs to be determined is if the passwords were encrypted or not. If they were encrypted, Duffy said, "There would be almost no way for someone to know the actual passwords even if they could directly access the database." If they were not encrypted, but stored in plain text, "that allows anyone with database access to see the customer's actual passwords and that is a huge security issue."

Duffy recommends a simple test. If a user clicks on the "Lost Password" button on a log-in page and the site sends them an email with their password, the passwords are likely stored in plain text. If it sends back a randomly generated password for the user to go in and reset their password, it's probably encrypted.
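As an added illustration of the distinction Duffy draws above (example code, not from the article, from Duffy or from LendingTree): the "before" store keeps the password as typed, which is exactly why a lost-password page can mail it back; the hardened store keeps only a salted PBKDF2 hash (what the article calls encrypted) and answers a lost-password request with a hashed, expiring, single-use reset token. The iteration count, token lifetime and the example.invalid URL are assumptions.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 100_000   # assumption: tune upward for your hardware
TOKEN_TTL_SECONDS = 15 * 60   # assumption: reset links die after 15 minutes


# --- 'Before': the pattern Duffy's "Lost Password" test exposes -------------------

def plaintext_register(db, user, password):
    db[user] = {"password": password}


def plaintext_lost_password(db, user):
    # Anyone who can read this table, or the outgoing mail, now has the real password.
    return f"Your password is: {db[user]['password']}"


# --- Hardened form: store a salted hash; never hand the secret back -------------

def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def hashed_register(db, user, password):
    salt = secrets.token_bytes(16)
    db[user] = {"salt": salt, "hash": _pbkdf2(password, salt), "reset": None}


def verify_password(db, user, password):
    rec = db.get(user)
    if rec is None:
        return False
    # Constant-time comparison so a timing difference does not leak hash bytes.
    return hmac.compare_digest(_pbkdf2(password, rec["salt"]), rec["hash"])


def hashed_lost_password(db, user, now=None):
    """Return the e-mail body. The site cannot recover the password, so it sends a token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    rec = db[user]
    # Only a hash of the token is stored, so a database read cannot redeem it.
    rec["reset"] = {
        "hash": hashlib.sha256(token.encode()).digest(),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return f"Use this link within 15 minutes: https://example.invalid/reset?token={token}"


def reset_password(db, user, token, new_password, now=None):
    now = time.time() if now is None else now
    rec = db.get(user)
    pending = rec["reset"] if rec else None
    if pending is None or now > pending["expires"]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), pending["hash"]):
        return False
    rec["reset"] = None                     # single use
    rec["salt"] = secrets.token_bytes(16)   # fresh salt with the new password
    rec["hash"] = _pbkdf2(new_password, rec["salt"])
    return True


if __name__ == "__main__":
    weak, strong = {}, {}
    plaintext_register(weak, "alice", "hunter2")
    hashed_register(strong, "alice", "hunter2")
    print(plaintext_lost_password(weak, "alice"))   # leaks the password
    print(hashed_lost_password(strong, "alice"))    # leaks nothing about it
```

Applying Duffy's test to the two stores: the first mail contains the password itself, the second only a token that is useless once redeemed or expired.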

LendingTree's privacy policy posted on its website states that the company uses "well-known and vetted security technologies." Web pages on which customers enter their personal information are delivered to their browser through HTTPS, a secure server communications protocol. Transmission between the browser and LendingTree's servers is encrypted using Secure Sockets Layer (SSL) technology.

Yet, the privacy policy begins with a telling caveat: "No data transmission over the Internet or information storage technology can be guaranteed to be 100% secure."
