Data Breaches Continue to Dominate 2015

September 11th, 2015 | Breach, Business Security

Last week Fortune.com claimed the “word” for 2015 was cybersecurity. It’s not too surprising, as headlines for the past two years have been fraught with news of big breaches and security hacks. Affected (and unaffected) companies are implementing new habits and establishing security standards to help mitigate their risk of being breached, while consumers attempt to recover and secure their personal information.

Data breaches plagued the United States in 2014. eBay was the largest breach last year, affecting roughly 145 million people. JPMorgan Chase and Home Depot combined exposed the personal information of 132 million people. Before the end of December, seven million other businesses were affected by breaches and hacks.

The Identity Theft Resource Center (ITRC) also weighed in on the cybersecurity conversation last week, revealing that as of September 1, there have been 533 data breaches this year. From these, more than 140 million records have been exposed. Compared to 2014, the number of breaches to date is exactly equal.

Of the 533 breaches, ITRC revealed some other interesting facts:

  • Business is the largest sector affected by this year’s incidents, making up 39.9 percent of the 2015 breaches. But, business has only exposed 0.7 percent of the records.
  • The medical and healthcare industry has exposed the majority of sensitive records, 109.7 million or 78.3 percent, and is the second largest affected market (34.8 percent).
  • The government and military sector is also responsible for a large chunk of records exposed, releasing more than 28 million records.
  • The remaining sectors, education and banking/credit/finances, account for 17.9 percent of the breaches combined.

For the entire data breach summary, please visit ITRC’s website.

The cost of these breaches continues to swell. In a recent post, we discussed that the average cost of a data breach is now $3.8 million. Yet many companies feel the sting of cybercrime in a different area: reputation. Companies experience a severe loss of brand value and market image under these circumstances.

There are steps you can take to protect your business. Check out our previous blog post on the topic for tips to help secure your company: Safer Internet Day Recap: Top 5 Ways to Protect Your Business.

Do you have any additional insight or comments? Let us know on Facebook, Twitter or LinkedIn, and be sure to keep up with our Tumblr for up-to-date security news stories.

The Rising Cost of Data Breaches

August 20th, 2015 | Breach, Business Security, Uncategorized

Earlier this week, Target struck a deal with Visa to reimburse thousands of financial institutions around $67 million for costs resulting from the company’s 2013 data breach. These costs included reissuing credit and debit cards and handling an increased number of customer inquiries. Target is expected to reach a similar deal with MasterCard.

Target’s Visa settlement is an interesting one. Historically, credit card companies and banks have considered reissuing cards and removing fraudulent transactions from consumer accounts a cost of doing business. This mentality is rapidly changing as high-profile, high-impact data breaches continue to occur.

Businesses are finding there is no escaping the increasing threat of data breaches and associated costs. A May 2015 Ponemon study found that the average cost of a data breach increased to $3.8 million this year, up from $3.5 million in 2014. These costs include the obvious ones – IT personnel to address the security flaw that led to the breach, hiring customer service representatives to address customer concerns, costs associated with notifying and providing identity protection to impacted individuals. There are also some not-so-obvious costs like lost revenue, class-action lawsuits and resignation of key employees.

It’s not all doom and gloom for businesses when it comes to data breaches. The same studies that look at the cost of data breaches have also found there are ways to minimize these costs:

  • The Ponemon study found a relationship between how quickly the business identifies and contains the breach and its financial consequences. The longer it takes a company to identify a breach, the more costly it will be to resolve.
  • Ponemon also found that business continuity management plays a key role in reducing the cost of a data breach. Having business continuity management involved in the remediation of the breach can reduce the cost of response by an average of $7.10 per compromised record.
  • Lost customer revenue is often the most severe financial consequence for a breached business. Businesses that plan ahead and have a clear customer response plan in place prior to being breached fare better than businesses that don’t. Identity protection should be a part of any customer response plan.

With the constant influx of new security threats and vulnerabilities, businesses need to be prepared to respond to and address these threats. As data breach costs continue to rise, the stakes become even higher. Focusing on security, implementing business continuity management and having a breach response plan in place can take a bit of the edge off the financial sting of a breach.

Tips for Government Employee Data Security After The OPM Breach

June 8th, 2015 | Breach, Uncategorized

On Thursday, June 4, the U.S. Office of Personnel Management (OPM) announced a cybersecurity incident affecting its systems and data that may have exposed the personal information of more than three million Federal personnel. As more information is unearthed about the cause and culprit behind this attack, employees may be wondering what can be done to mitigate the risk of identity theft. As unfortunate cyber security incidents like this are becoming more and more prevalent, it is becoming increasingly imperative for businesses and consumers to take every necessary precaution to protect personal information. In an effort to stay ahead of cyber criminals, we have created a list of precautions consumers should take to protect their identity:

  • Practice safe password habits. Do not reuse your password across multiple sites. Develop a password system that helps you remember the unique passwords you develop for each digital account you own. Passwords should be long, should not include any words found in a dictionary and should vary in character type (include special characters, capitalization and punctuation as password systems allow). Be sure to change passwords every six months and use two-factor authentication whenever possible.
  • Be on the lookout for phishing attempts via email, phone and social media. Be wary of unsolicited phone calls and email messages from individuals asking about personal information. If an unknown individual claims to be from a legitimate organization, verify his or her identity directly with the company.
  • Monitor your identity. Use a service to monitor for suspicious activity of your personal information on the black market. Monitoring services will alert you if your personal information is being shared on the dark web.
  • Keep your devices secure. Do not use public Wi-Fi to connect to the Internet. Make sure to keep all devices up-to-date with anti-virus software.
  • Do not share personal information over email. Do not email sensitive information like your home address, social security number or bank account information.
  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (example: .com versus .net).
  • Monitor financial account statements. Immediately report any suspicious or unusual activity to financial institutions.
  • Request a free credit report and review for errors and misuse. Consumers are entitled to one free credit report per year from each of the three major credit bureaus: TransUnion, Experian, and Equifax.
  • Place a fraud alert on your credit file. Let creditors know to contact you before opening a new account in your name.

OPM has partnered with CSID to provide identity protection coverage to affected individuals. If you believe you may have been affected by this incident, please visit www.csid.com/opm for more information.

IRS Breach Shows What Happens to PII After it is Sold on the Black Market

May 29th, 2015 | Breach, Uncategorized

The IRS experienced a breach that is changing the way businesses and consumers think about personal information. Reporters attribute the IRS breach to a crime syndicate in Russia, who used personal information obtained elsewhere to exploit the Get Transcript feature on the IRS website. They successfully exploited 104,000 individuals and filed nearly $50 million in fraudulent tax funds.

“This breach is not just about what this single group is going to do with the information, but what happens when this information gets sold on the black market,” said cybersecurity author Peter Warren Singer to The New York Times. “It’s rare for the actual attackers to turn the information directly into money. They’re stealing the data and selling it off to other people.”

As Singer points out, this breach demonstrates how cyber criminals can take stolen data and exploit an online system to pick the pockets of thousands of consumers. Major data breaches thus far have proven that cyber criminals have the know-how to exploit major retailers’ security systems; this breach proves these criminals have more sophisticated schemes in their back pocket to cash in on the information they’ve stolen without having to find a vulnerability in an organization’s security system.

This is costly to businesses as it highlights the limited control they have on security breaches. Maintaining a healthy, secure system helps businesses avoid data breaches, but cyber criminals are working around secure systems by taking advantage of customers’ personal information. Gizmodo reporter Kate Knibbs calls this a “domino effect.” The way it works is that cyber criminals hack into a business’ system and steal customer data. Using that customer data, which includes name, address, email credentials and Social Security number, cyber criminals can log in to another business to make purchases or otherwise financially exploit a business. The result? A business is hijacked without its security system ever being hacked into. Cyber criminals are finding these workarounds, making their schemes more sophisticated and harder to identify from the outside.

So what exactly can we do to mitigate the risk of these types of breaches? Businesses and consumers must develop better habits and methods to protect their identities online. Password reuse is one of the most damaging habits of consumers. In fact, six out of 10 admit to reusing passwords across multiple sites. Convenience typically wins over security when it comes to interacting online. Businesses must innovate convenient options for consumers to better protect their digital identities. In the meantime, monitoring customer and employee credentials is a business’ best bet for protecting their assets.

How does this breach affect the way businesses handle security? How can businesses and consumers prioritize security over convenience when it comes to protecting digital identities? Let us know what you think on Facebook, Twitter and LinkedIn.

Healthcare Data Breaches Have Grown 125 Percent in Five Years

May 26th, 2015 | Breach, Uncategorized

There has been a noticeable uptick in the number of criminal attacks against healthcare facilities in the last five years. Ponemon recently released its Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, which reported a 125 percent increase in cyber attacks targeting healthcare data. The major shift in healthcare data breaches, according to the study, is that cyber criminals are intentionally targeting and exploiting healthcare data rather than accidentally coming across it during their exploits.

This shift to active pursuit of healthcare data shows that cyber criminals understand the value of healthcare data on the black market. Through our recent research, we have found that a medical identity, which includes a name, address, Social Security and health ID numbers, sells for $50 on the black market. A Social Security number sells for $1 and an active credit card sells for $3. A major contributing factor to the increase in healthcare breaches may also be the shift to digital healthcare records. Starting this year, healthcare facilities that do not show “meaningful use” of electronic health records are penalized, causing facilities to scramble to put records online.

The healthcare industry is a green market when it comes to following best security practices, which is why we’ve put together the top three ways healthcare organizations can keep their patient records secure:

  1. Educate employees. The most important part of having a secure network is making sure your employees are compliant with security standards. Educate employees on how medical identity theft happens and what to do from a HIPAA standpoint to keep patient data safe.
  2. Track, encrypt and password-protect mobile devices. Employees are connected via mobile devices more than ever, whether or not you have a formal BYOD policy. Be sure to create a policy that puts strict limits on how patient data can be viewed and shared on devices.
  3. Create an identity crisis response plan. If your healthcare data is breached, make sure to have a crisis plan in place, including communication with patients. Maintain the plan by training staff on relevant policies and procedures.

Are you surprised by the value of medical identities on the black market? How else can the healthcare industry get up to speed on best security practices? Let us know what you think on Facebook, Twitter and LinkedIn.

Overview of 2015 Verizon Data Breach Investigations Report

April 21st, 2015 | Breach, Uncategorized

Every year Verizon takes a thorough look at the global breach landscape in the company’s annual Data Breach Investigations Report. This year’s report offers a wealth of information on the threats, vulnerabilities and actions that plagued businesses in 2014. The report is long, but interesting and worth a read. To make it easier for you, we pulled what we feel are some of the most interesting findings below:

Compromised credentials remain the largest threat in 2014.
If this graph doesn’t encourage you to pick a good password, we don’t know what will. Credentials are like keys to your business. Passwords should never be reused and two-factor authentication should be used whenever possible.

Humans are the weakest link.
This year’s survey found that 23 percent of phishing email recipients open phishing messages and 11 percent click on attachments. When you consider that one employee clicking on the wrong link can compromise your entire business’ system, this is an alarming statistic. Verizon also conducted a test to see how quickly phishing links are clicked on. They found that nearly 50 percent of victims opened emails and clicked on phishing links within the first hour. Teaching employees about security best practices and how to identify suspicious links has never been more important.

According to the Verizon report, mobile malware is not a big deal… but it really is.
They found that only .03 percent of the tens of millions of mobile devices they looked at were infected with malware. We don’t agree with this finding. Mobile malware is a huge problem. Over a 12-month period Kaspersky Lab found more than 3.4 million malware detections on devices of 1 billion users. As mentioned above, employees are the weakest link. All it takes is one employee downloading a malware-infected app on his or her phone to put a business at risk.

If you are concerned about your business and the security risks outlined in Verizon’s Data Breach Investigations Report, we recommend you check out our Resources Page. We have a lot of great information for businesses and consumers on how to mitigate the risk and impact of a breach.

As always, let us know what you think on Facebook, Twitter and LinkedIn.

Tips For Consumer Data Security After The Anthem Breach

February 10th, 2015 | Breach, Uncategorized

As the dust settles after Anthem Healthcare Insurance announced last week that approximately 80 million of its customers may have had their personal information exposed in a data breach, consumers are once again left wondering how they can protect themselves and their data in the wake of another high profile hack.

Though it’s being called the most massive breach yet, last week’s Anthem breach announcement comes not as a surprise, but rather a confirmation of the continuing expansion of online attacks and growing focus on medical ID theft that CSID has seen firsthand. Why? Medical IDs are an extremely lucrative source of income for identity thieves. According to the World Privacy Forum, a medical identity, including name, address, Social Security and health ID numbers – all information that was a part of Anthem’s breach – can sell for around $50 on the online black market. By comparison, a Social Security number currently sells for $1 and an active credit card can sell for $3.

Taking into account this unfortunate emerging cyber-crime trend, all consumers – including those directly impacted by the Anthem breach – should consider the following best practices:

  • Use a monitoring service to keep an eye out for signs of medical identity theft, including medical bills in someone else’s name or for medical services you did not receive.
  • Review your Explanation of Benefits (EOBs) to ensure the doctors listed and services provided are accurate. If you find an inaccuracy, contact your insurance provider right away.
  • Submit a benefits request to your insurance provider. The insurance provider will send a list of all benefits and services paid in your name. Review to ensure they are accurate. Some insurance providers have online systems with information.
  • Keep a close eye on your credit report for fraudulent activity, such as accounts you did not open. Under the law, you’re entitled to a free credit report from each of the three credit bureaus every year. You can visit AnnualCreditReport.com to obtain the most recent version of your credit reports. If you find an error on your credit report or an account that you do not recognize, please file a dispute with the credit bureau (TransUnion, Equifax, Experian) who generated the report and contact that bureau for more information.
  • Consumers may also place a fraud alert on their credit file, which tells creditors to double-check whenever someone applies for credit in your name. For example, when a credit card issuer receives an application for a new card, a fraud alert tells the company to contact you and make sure you’re really the one who submitted the application. You can place a fraud alert with each credit agency by following the links below:

Finally, Anthem has stated that they will be notifying affected customers and providing credit monitoring and identity protection services free of charge. Eligible individuals should definitely take advantage of this offering so that they can be closely aware of important changes to their personal records.

As always, let us know what you think on Twitter, Facebook or LinkedIn.

 

News Recap: 2014 – Year of the Data Breach

December 5th, 2014 | Breach, Uncategorized

This week, 60 Minutes correspondent Bill Whitaker deemed 2014 “the year of the data breach” – and for good reason:

“The theft of 40 million credit cards from Target late last year was followed by news of a breach at Michaels stores involving more than two million credit cards. Then came P.F. Chang’s. And in September, Home Depot announced that 56 million of its customers’ credit card numbers were stolen,” he reported.

Whitaker dug into the tough questions around this year’s retail breaches with top experts to find out what’s causing the explosion in retail breaches, who’s behind them and how these breaches affect government, banks, retailers and consumers.

What’s causing breaches?
Mallory Duncan, who represented The National Retail Federation, shared the underlying problem leading to these retail breaches: outdated magnetic stripe credit cards.

“We have cards that were designed for the 1960s, ‘70s and ‘80s, but we now have hackers who are using 21st century tools to break in,” Duncan shared with Whitaker. In Payments 101: An Intro to Payment Security and Transaction Trends, CSID explains that the majority of consumers in the United States use magnetic stripe cards, which are capable of storing and transferring data within a magnetic stripe. This is the least secure kind of credit card, as you don’t need a PIN to process a transaction.

Who’s behind these breaches?
Whitaker explained that there are two kinds of criminals with separate motives involved in this kind of breach: the “sophisticated cyber thieves [who] steal your credit card information” and the “common criminals [who] buy it and go on shopping sprees – racking up billions of dollars in fraudulent purchases.” After the sophisticated cyber thief steals a “dump” or a big batch of credit card numbers, they will sell it to the common criminals online, Whitaker reports. He shares that many of the cyber criminal “masterminds behind the hacking and selling of stolen card data are sophisticated crime syndicates. Most are in Russia and Eastern Europe – primarily Ukraine – and out of the easy reach of American law enforcement.”

How do breaches affect others?
Out of all the players involved, including the retailers, banks and consumers, “the banks are the victims who are actually paying for the breaches, rather than the retailers that have had the information compromised,” said Barry Abramowitz, chief information officer for Liberty Bank in Connecticut. They are the ones that are stuck with the cost to replace millions of cards and monitor customer accounts for fraudulent activity.

Interested in hearing the whole story? Head over to CBS News to watch the 60 Minutes episode and let us know your thoughts on Twitter and Facebook. Be sure to check out our Tumblr for the latest industry news stories.

News Recap: US Postal Service Breach

November 14th, 2014 | Breach, Uncategorized

This week, the United States Postal Service (USPS) became 2014’s latest data breach victim after a cyber attack targeting the organization’s computer systems resulted in the loss of employee information.

Devlin Barrett of the Wall Street Journal reported, “More than 800,000 people, including employees, top directors and regulators, could be affected by a computer systems breach that may have compromised data including names, Social Security numbers and addresses.” Barrett continued, “Employees, some retirees and staffers of the Postal Regulatory Commission, the U.S. Postal Inspection Service and the Postal Service Office of Inspector General have been affected… An unknown number of customers also could have been affected, though not to the same degree.”

Help Net Security shared a statement from the USPS, which said, “Postal Service transactional revenue systems in Post Offices as well as on usps.com where customers pay for services with credit and debit cards have not been affected by this incident. There is no evidence that any customer credit card information from retail or online purchases such as Click-N-Ship, the Postal Store, PostalOne!, change of address or other services was compromised.”

Ellen Nakashima of the Washington Post attributed the attack to hackers allegedly backed by the Chinese Government. Nakashima comments, “The Chinese government has consistently denied accusations that it engages in cyber theft and notes that Chinese law prohibits cybercrime. But China has been tied to several recent intrusions, including one into the computer systems of the Office of Personnel Management and another into the systems of a government contractor, USIS, that conducts security-clearance checks.” Nakashima also notes, “The intrusion into the USPS, officials said, was carried out by a sophisticated actor who did not appear to be interested in identity theft or credit card fraud.”

Does this particular incident have any unique implications impacting national security? While this breach did not necessarily result in the loss of consumer data, what safeguards or precautions should consumers be taking? Let us know your thoughts on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories.

News Recap: White House Breach Uncovered

October 30th, 2014 | Breach, Uncategorized

The story filling headlines this week surrounds a breach of a number of White House computers.

Ellen Nakashima of The Washington Post reported, “Hackers thought to be working for the Russian government breached the unclassified White House computer networks in recent weeks, sources said, resulting in temporary disruptions to some services while cybersecurity teams worked to contain the intrusion.” Nakashima quotes White House Officials saying, “In the course of assessing recent threats, we identified activity of concern on the unclassified Executive Office of the President network… We took immediate measures to evaluate and mitigate the activity… Unfortunately, some of that resulted in the disruption of regular services to users. But people were on it and are dealing with it.” Unfortunately for the US government and other national organizations, this attack is not the first of its kind.

Adrian Diaconescu of Digital Trends commented, “Cyber security is becoming a bigger concern for government organizations around the world. Only weeks after a report surfaced that NATO’s PCs were breached by hackers… Hackers have also breached the White House computer network.” Diaconescu also shared that “White House officials are playing down the impact of security breaches. Reports suggested the latest breach was more of a nuisance than a real threat because no classified data was compromised, and the ‘intrusion’ was quickly contained. However, in the process of suppressing the threat, some network connections were briefly disturbed.”

From national organizations to ordinary citizens, what can be done to protect against threats? What do you make of this news from the White House? Let us know your thoughts on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories.
