December 23, 2024

Dropbox Got Up to 249 National Security Requests in First Half of 2014

Posted on September 12, 2014 by in Security

Dropbox released another transparency report on Thursday and announced that moving forward, it will do so every six months in an effort to keep the public informed of its interactions with authorities.

Bart Volkmer, a lawyer with the company, revealed in a blog post that Dropbox had received 268 request for user information from law enforcement agencies between January and June of this year. In addition, while he hasn’t specified an exact number due to restrictions, the Dropbox representative said there had been 0-249 national security requests.

The company received a total of 120 search warrants and provided content (files stored in users’ accounts) and non-content (subscriber information) in 103 cases. In response to 109 subpoenas, the company hasn’t provided law enforcement with any content, but it has produced subscriber details in 89 cases. While many of the requests came from the United States, the report shows that there have been a total of 37 requests from agencies in other countries.

Volkmer has pointed out that while these numbers are small considering that the company has 300 million customers, Dropbox only complies with such requests if all legal requirements are satisfied. He claims cases in which agencies request too much information or haven’t followed proper procedures are “pushed back.”

The report also shows that the rate of data requests from governments remains steady. An interesting aspect is that agencies keep asking Dropbox not to notify targeted users. However, customers are notified as per the company’s policies, except for cases where there’s a valid court order. A total of 42 users were notified when the file sharing service was presented with search warrants, and 47 individuals were informed in the case of subpoenas.

There haven’t been any requests from governments targeting Dropbox for Business accounts, the company said.

“We’ll push for greater openness, better laws, and more protections for your information. A bill currently in Congress would do just that by reining in bulk data collection by the US government and allowing online services to be more transparent about the government data requests they receive,” Volkmer said. “Another would make it clear that government agencies must get a warrant supported by probable cause before they may demand the contents of user communications. We’ll continue to lend our support for these bills and for real surveillance reform around the world.”

While many companies publish transparency reports to keep the public informed of requests from governments, interesting details can also emerge from court documents. A perfect example are a series of recently unsealed documents showing that US authorities threatened to fine Yahoo $ 250,000 a day if it failed to comply with PRISM, the notorious surveillance program whose existence was brought to light last year by former NSA contractor Edward Snowden.

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Neiman Marcus Breach Not as Bad as First Thought

Posted on February 24, 2014 by in Security

Nieman Marcus Data Breach

In the world of security, these types of announcements don’t happen often. While still bad news, the recently-disclosed data breach at Neiman Marcus has impacted fewer customers than the company first thought.

 In early January, the high-end department store warned that customer credit and debit card information was compromised as a result of a cyber attack.

Neiman Marcus did not originally say how payment card numbers were affected as a result of the data breach, but on Jan. 23 said approximately 1,100,000 customer payment cards could have been potentially affected after hackers used sneaky point-of-sale (POS) malware to obtain details of customer payment cards.

Now, according to the investigation of the data breach, the number of potentially affected payments cards is lower, and is now estimated to roughly 350,000.

“The number has decreased because the investigation has established that the malware was not operating at all our stores, nor was it operating every day in those affected stores, during the July 16 -October 30 period,” Karen Katz, President and CEO of Neiman Marcus, wrote in a notice posted to the company’s Web site.

“We do know, and our forensic reports have confirmed, that malicious software (malware) was clandestinely installed on our system and that it attempted to collect or “scrape” payment card data from July 16, 2013 to October 30, 2013,” Katz said.

Fortunately, Neiman Marcus does not use PIN pads its retail locations, so PINs were never at risk, unlike the recent data breach at Target.

Neiman Marcus told SecurityWeek in January that it was warned by its credit card processor in mid-December about potentially unauthorized payment card activity that occurred following customer purchases at Neiman Marcus stores.

Of the 350,000 payment cards that may have been captured by the POS malware, Katz said Visa, MasterCard and Discover told Neiman Marcus that, so far, approximately 9,200 of were subsequently in fraudulent transcations elsewhere.

The Neiman Marcus Group operates 41 Neiman Marcus branded stores, 2 Bergdorf Goodman stores, and 35 Last Call stores.

Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:


SecurityWeek RSS Feed