Massachusetts Attorney General Martha Coakley said on Tuesday that her office would be inquiring into long-standing complaints about fraudulent purchases that leverage Apple’s popular online music store.
In a lunchtime address to business and technology leaders in Massachusetts, Coakley said she had been a victim of identity theft in recent months, and that her stolen card information was used to make fraudulent iTunes purchases. When asked (by Threatpost) whether such fraud constitutes a reportable event under the Bay State’s strict data breach notification law, Coakley said that her office would be looking into that question and demanding answers from Cupertino, California-based Apple, which has steadfastly refused to comment on, or report, the breaches to Massachusetts regulators.
Coakley was speaking before an audience of technology and business leaders at an inaugural lunch for Massachusetts’ Advanced Cyber Security Center (ACSC). Coakley said that her investment in protecting consumers from identity theft was personal, acknowledging that her bank account was emptied after cyber criminals stole her debit card information during a ski trip to New Hampshire. It was not the first time Coakley had mentioned the incident in public. After skimming the card info, Coakley said the thieves attempted to use it to purchase a laptop from Dell Computer, which detected the fraudulent transaction and contacted Coakley. Not so Apple, whose iTunes media store was used to make a slew of transactions that emptied the Attorney General’s account.
Informed of the well-documented pattern of fraud through iTunes, in which stolen credit cards or bogus iTunes gift cards are matched with compromised iTunes accounts and used to purchase merchandise, Coakley said she wasn’t aware of the larger pattern, but that it could be a reportable event under the State’s data privacy law. She promised her office would be contacting Apple for more information that very afternoon – a statement that received hearty applause from the audience.
Despite the tough tone, Coakley’s speech was tailored more to a business audience wary of burdensome enforcement of State data privacy laws, including the State’s data breach notification law and 201 CMR 17, the Massachusetts data protection regulation. That regulation took effect in March 2010, but the first fine under it was not issued until March 2011, to Briar Group, a Boston-area restaurant chain that showed gross negligence in securing its networks and handling customers’ credit card numbers.
Coakley said that companies that attempt, in good faith, to adhere to the State’s privacy laws have little to fear in the way of fines or prosecution. However, organizations that flout the law or ignore the need for data security should consider themselves warned.
Describing her office as the first line of defense for consumers, Coakley said it was pursuing a “common sense” approach to enforcement and notification. Large breaches, such as the hack of Massachusetts retailer TJX, warrant an all-out effort to notify the public. In the case of smaller breaches, Coakley said her office wanted to work with victim organizations to make sure that the holes in their defenses and IT security practices are addressed.
The Attorney General said her office has received around 480 data breach notifications so far in 2011, and 1,166 since the law took effect in March 2010 – suggesting that the incidence of data breaches is holding steady, despite a tough economy. The vast majority of those breaches are small. Eighty-two percent of disclosed breaches affected fewer than 100 people, and just 4% affected between 1,000 and 10,000 people. Similarly, hacking incidents made up only a quarter of the reported breaches, with another quarter due to inadvertent human error, Coakley said.
The State’s breach notification law, Chapter 93H of the General Laws (201 CMR 17 is the companion data security regulation), sets clear guidelines for the types of incidents that constitute reportable breaches. Any incident resulting in “the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information” that creates a “substantial risk of identity theft or fraud against a resident of the commonwealth” must be disclosed. The personal information covered includes combinations such as a resident’s name together with a credit card number. That would seem to describe the use of Coakley’s credit card information on iTunes. However, it is unclear whether Apple actually holds the data used to process the transaction on iTunes, or whether the purchases are merely “pass through” transactions about which Apple has no knowledge or visibility, according to a source within the Attorney General’s Office.