NEWS & COMMENTARY
IRS Revises 1099K form

The Internal Revenue Service has revised the form 1099K that merchant acquirers must use when reporting merchant card transactions, beginning in January 2012. The new form includes a box for each merchant's IRS merchant category code (MCC). The newly required code is an IRS code and is not the same as the MCC codes used by card companies to classify merchants. A copy of the new form and a list of IRS MCCs can be found at:

Form 1099K

MCC List

PULSE Network Releases New Debit, ATM Transaction Pricing

PULSE announced new network pricing to its participants this morning. Following is a brief statement from the network to all affected ETA members:

"PULSE announced revisions to its network pricing on August 30, 2011. The revisions include changes to PIN Debit and ATM pricing. All changes take effect on the settlement day of October 1, 2011. For more information, contact your PULSE account manager or call the PULSE office at 800-410-2122."

Homeland Security Department: Humans Are Weak Link in Data Security Chain

It won’t surprise many computer security experts, but the U.S. Homeland Security Department (DHS) has proven again that humans are the “weak link” in the data security chain.

In an effort to test computer security in federal agencies, DHS dropped thumb drives and CDs in the parking lots of various federal buildings and office buildings housing government contractors. Among the people who picked up the devices and disks, 60 percent plugged them into office computers. If the drive or CD case had an official logo, 90 percent were plugged in. Had they carried auto-loading malware, entire government networks might have been compromised.

A full report on the Homeland Security study will be published this year, according to Sean McGurk, director of the department’s National Cybersecurity and Communications Integration Center.

FTC Commissioner Joins Call for Federal Data Security Law

The drumbeat for Congress to adopt a federal data security law got a little louder when Federal Trade Commissioner Edith Ramirez told a House subcommittee during hearings on Wednesday that Congress should pass such a law.

PCI Security Standards Council Offers Update On Virtualization Rules

Virtualization, which allows a single computer to run multiple copies of an operating system or multiple operating systems in parallel, has sometimes been touted as a way to add security to systems that handle payment data, but last fall’s release of the updated PCI Data Security Standard only touched on virtualization and left many questions unanswered.

Tuesday, the PCI Council’s special interest group that deals with the issue released a much-welcomed “information supplement” that aims to clarify outstanding issues. The 39-page document is not officially part of PCI DSS, but its recommendations will likely become part of the rules eventually.

More than 30 so-called participating organizations of vendors, merchants, processors, and others working with the PCI Council developed the guidelines, which do not endorse any specific technology or provider, according to the PCI Council.

Citi Breach Reflects Changing Hacker Patterns

The Citi data breach revealed last week is yet another piece of evidence pointing to a shift in behavior on the part of sophisticated hackers, one that many current security policies aren’t always prepared to handle.

The data security and compliance firm Trustwave has circulated a mini-Q&A that notes that the Citi breach likely was accomplished by someone who gained access to the Citi customer portal with valid credentials, then took advantage of flaws in the web application to gain access to the records of other customers. While the stolen data did include card account numbers, that was probably the least valuable part of the electronic haul.

According to Trustwave: “The real concern is have the Citi customers been targeted with other types of attacks using the name, addresses, email, etc, info that was breached.”

Combined with a card number, this information could be used for targeted “spear-phishing” ploys that persuade customers to volunteer additional data that can be used to gain access to bank accounts and other lucrative information.

The targeting of non-card data (as in the Sony and Epsilon breaches earlier this year) and the use of valid customer credentials to hack into customer records through web applications for the purpose of spear-phishing attacks represent a distinct shift in tactics on the part of hackers, who are acting on a common weakness in web-based applications, like customer portals.

Says Trustwave: “Credential attackers are becoming the new way that attackers are getting access to the real data they are looking for. As companies are only testing their systems for security issues from an unauthenticated point of view, they are not identifying critical vulnerabilities that an attacker with a user name and password to a customer portal can exploit.”

PCI-Compliant Merchants Fare Better, but 36% Still Report Breaches Over 2-Year Span

Despite the fact that 36% of PCI DSS-compliant merchants reported data breaches in the past 24 months, those who met the data security standard still fared better than non-compliant merchants, according to a new report. The document also said the number of merchants reporting a data breach in the previous 24 months rose 7.6% from 79% in 2009 to 85% this year. The report, “2011 PCI DSS Compliance Trends Study,” was produced by the market research firm Ponemon Institute and commissioned by data security firm Imperva.

Based on a survey of 670 U.S. and multinational information technology professionals, the report found that 64% of PCI-compliant merchants said they did not suffer a data breach involving credit card data over the past two years, compared to 38% of non-compliant businesses.

Electronic Transactions Association  |  1101 16th Street NW, Washington, DC 20036
202.828.2635  |  800.695.5509
© 2012 ETA The Electronic Transactions Association. All rights reserved.