Welcome to the Data Breach Watch Blog

Announcement – 6:27 pm

Welcome to Data Breach Watch - your resource for data breach alerts, breach-related news and articles, and helpful resources. This blog was created to provide security and privacy officers, their teams, and other interested constituents, with up-to-date information, commentary and resources on data breaches. Despite advances in data security, breaches continue to be a growing problem for organizations. Use this blog to stay current and access useful resources.

Please subscribe to our RSS feed and contribute by leaving a comment.

Data breaches up 69 percent this year; businesses account for one third.

July 10, 2008 – 11:50 pm

By Rebecca Seaman

Data breaches are on the rise, despite preventative measures such as state notification laws. Specifically, the Washington Post reports that data breaches reported by businesses, governments and universities are up 69 percent this year. Businesses alone accounted for a 27 percent increase in breaches, or one third of all those reported.

This may not be as alarming a trend as it may appear on the surface. In fact, it may be that businesses are simply more aware of breaches now that they know what to look for and have a better understanding of how breaches occur. Likewise, with the implementation of state notification laws, businesses may feel more compelled to report a breach than they were in the past.

Linda Foley, founder of The Identity Theft Resource Center, a nonprofit organization in San Diego, points out that “Part of this may be that organizations are finding out about more breaches because they’re really starting to look for them. The other part is that companies are coming forward because they want to control the flow and spin of the disclosure.”

Regardless of how these breaches are occurring, businesses need to remain vigilant in preventing a breach, rather than focusing on damage control once a breach has occurred. Lost or stolen laptops remain the largest reported cause of business-related breaches. They account for 20 percent of all reported cases, while hacking was the least cited. In other words, these breaches were largely preventable. By making breach prevention a matter of policy (for example, evaluating risk and implementing tough cyber-security rules), businesses are less likely to experience a breach, and better prepared to manage one that does occur.

June 20, 2008 – 4:03 pm

by Doug Pollack

Verizon Business Security Solutions recently released a study titled “2008 Data Breach Investigations Report” that looks at the causes of data breaches and prescribes recommendations for improving the data security policies whose shortcomings can lead to data breaches.

An article in CNET related to this study, “Reports examine causes and victims of data breaches”, notes that a key conclusion of the report is that “9 out of 10 corporate data breaches could have been prevented, had appropriate security measures been taken”.

Dr. Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions, says of this report that “it can help companies better understand data breaches – how they occur and the commonalities that exist. Most importantly, it urges organizations to be proactive in their approach to security — the absolute key to safeguarding data.”

Two key recommendations from the report follow:

  • Align process with policy. In 59 percent of data breaches, the organization had security policies and procedures established for the system, but these measures were never implemented. Implement, implement, implement.
  • Create an incident response plan. If and when a breach is suspected, the organization must be ready to respond, not only to stop the data compromise but to collect evidence that enables the business to pursue prosecution when necessary.

It is wonderful to see research on the topic of data breaches that outlines recommendations that can help companies avoid data breaches, while being better prepared to deal with them when they unavoidably occur.

FBI Prosecutes and Shuts Down “The Shadowcrew” Carding Forum

June 16, 2008 – 8:33 am

By Rebecca Seaman

While there are currently many carding forums operating on the web, the article Data Breaches: What the Underground World of “Carding” Reveals focuses on one particular organization which the FBI managed to infiltrate and shut down: The Shadowcrew Criminal Organization. According to the author, Kimberly Kiefer Peretti, this group “was a global organization of thousands of members that was dedicated to promoting and facilitating the electronic theft of personal identifying information, credit card and debit card fraud, and the production and sale of false identification documents”. The organization “operated from 2002 until October 2004, when it was taken down by the USSS as the result of a yearlong undercover investigation known as Operation Firewall.”

The Shadowcrew website was a highly organized online meeting place where criminal hackers and other identity thieves would convene to post, trade and sell stolen account information obtained from large-scale data breaches. The online forum quickly made the data accessible to cyber thieves worldwide.

The Shadowcrew crime ring operated globally, emphasizing the new trend of organized crime being perpetrated in cyberspace. The FBI stated that during prosecution, “Shadowcrew defendants revealed that members from one country would conspire with members from another country to commit specific carding crimes.” In addition, the FBI enlisted the help of several foreign governments during its investigation. These countries included Canada, Bulgaria, Belarus, Poland, Sweden, the Netherlands and Ukraine.

What were the costs to businesses and consumers as a result of the Shadowcrew crime ring? The FBI’s investigation concluded that “Shadowcrew members collectively trafficked in at least 1.5 million stolen credit card numbers that resulted in over $4 million in actual losses to credit card companies and financial institutions. However, it is estimated by law enforcement authorities that, had the organization not been interrupted, the credit card industry could have faced hundreds of millions of dollars in losses.”

Notification not reducing ID theft

June 6, 2008 – 8:59 pm

by Doug Pollack

A study published this week by Carnegie Mellon researchers concludes that data breach notification laws that have been enacted in 43 US states do not seem to be causing a decrease in the rate of identity theft.

An article published in Infoworld reports that:

“‘There doesn’t seem to be any evidence that the laws actually reduce identity theft,’ said Sasha Romanosky, a Ph.D student at Carnegie Mellon who is one of the paper’s authors. Romanosky’s team took a state-by-state look at FTC identity theft complaints filed between 2002 and 2006 to see whether there was a noticeable impact on complaints in states that had adopted data breach notification laws such as California’s SB 1386, which compels companies and institutions to notify state residents when their personal information has been lost or stolen.”

The authors call for the federal government to pass a uniform breach notification law in order to eliminate conflicts that exist between state laws and to ensure an appropriate standard for effectively notifying individuals whose personal information has been compromised.

InfoWorld also notes another factor that may be contributing to the lack of reduction in the incidence of identity theft: “the fraudsters are also getting better at what they do”.

International Carding Forums: Large-Scale Data Breaches for Sale

June 4, 2008 – 12:26 am

By Rebecca Seaman

The Federal Bureau of Investigation recently released a report detailing a new trend in global organized cyber crime: carding forums. In these online forums, where data is posted for sale much like one would post a sofa for sale on craigslist, the detailed financial and personal information of individuals who have fallen victim to large-scale data breaches is offered to the highest bidder. What is perhaps most alarming is the fact that this information can be breached/hacked and posted on the internet within hours or days, long before the organization whose records have been hacked is even aware of the breach.

What is “carding” and how is it perpetrated? Kimberly Kiefer Peretti of the FBI explains: “In its narrow sense, the term ‘carding’ refers to the unauthorized use of credit and debit card account information to fraudulently purchase goods and services. In contrast to other types of identity theft, carding involves the large-scale theft of credit card account numbers and other financial information” obtained by, among other methods, “computer hacking, phishing, cashing-out stolen account numbers, and Internet auction fraud. The individuals who engage in these criminal activities are referred to as ‘carders.’”

According to Peretti, once individuals log into one of these sites, they post messages to various forums advertising the stolen data, and “provide guidance to members on producing, selling and using stolen credit card and debit card information and false identification documents.” Individual members of the site were often known by several nicknames in the interest of anonymity. In addition to the forum’s many members, there are usually several site ‘administrators’, individuals near the top of the forum’s hierarchy. The administrators serve as a “governing council of the criminal organization”. There are usually several ‘moderators’ as well: individuals who are experts in, and responsible for, one geographic location or subject area.

In conclusion, it is important to understand that we are not just dealing with cyber thieves at home in the U.S., but that cyber crime rings are becoming increasingly organized and are operating on a global scale. This collaboration makes it possible for large amounts of data to be breached and disseminated quickly via the internet. Any organization entrusted with the security of its clients’ personal information needs to be aware of this new threat to its cyber security and be prepared to handle a breach of this nature.

Data breaches often lead to civil litigation

May 30, 2008 – 9:16 pm

by Doug Pollack

Most of us by now have received at least one data breach notification letter that has stated that our personal information was lost or stolen. I received one just a month ago from a brokerage firm that I did business with years ago. Often, with high profile companies or very large breaches, these events can turn into a PR nightmare for the company.

A recently published article titled “Data Breaches Mean More Than Bad Publicity” in the New York Law Journal looks at an associated trend toward civil litigation targeted towards companies that experience a data breach.

“The negligent (or even innocent) loss of electronic data to cybercriminals inflicts billions of dollars of damage on our economy, as personal information has become a sought-after treasure trove for cybercriminals…These costs are likely to escalate as, in an increasing trend, corporations are also being pummeled with civil litigation related to data breaches.”

The authors also note the difficulties inherent with complying with the numerous, different and sometimes conflicting state data breach notification laws.

“Forensic investigations are also critical to guide a corporation through the maze of state data breach notification laws. Such laws will require varying levels of compliance, depending on the nature of the breach and of the entity’s operations. California’s data breach law, which has served as a model for many other states, demands that upon discovering a breach of personal information, a business ‘shall disclose any breach of the security of the system’ to any affected persons ‘in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.’”

The authors conclude that companies must prepare for lawsuits that may accompany a data breach. But they also note that plaintiffs have a difficult time proving damages in many cases. Companies should be very diligent in managing their data breach response efforts in order to ensure that affected individuals do not suffer real harm.

“While the hurdles for plaintiffs remain high, these lawsuits have become a fact of life in today’s litigious society. Corporations suffering data breaches thus must now routinely face an onslaught of civil litigation in addition to the negative publicity and regulatory scrutiny coming from data breaches and their announcements.”

Importance of Prompt Breach Notification

May 24, 2008 – 4:03 pm

by Doug Pollack

It was reported yesterday by TheDay in Connecticut that People’s United Bank recently experienced a data breach that may affect hundreds of thousands of their customers. An affiliated third party had created unencrypted backup tapes with personal information of their customers and a box of these tapes was misplaced.

This situation provides a great case example of the importance of prompt notification to individuals that are part of a data breach population. Per the article:

Connecticut state law requires banks to immediately notify customers when such information is lost. Rell said the Bank of New York Mellon did not quickly notify People’s United Bank of Bridgeport of the security breach.

As a result of the lack of notification, combined with the publicity surrounding this event, the bank has been deluged with calls from concerned customers.

“People’s United Bank has been flooded with calls over the past two days, ever since Attorney General Richard Blumenthal revealed Wednesday that a data breach had affected hundreds of thousands of its customers, according to a bank spokesman.”

Best practices in coordinating and managing a data breach response effort reinforce the importance of timely notification. The Ponemon Institute study “Consumers’ Report Card on Data Breach Notification” speaks to this issue based on a survey that, among other things, asks consumers who have been part of a data breach whether rapid notification influenced whether they remained a customer of the institution.

Needless to say, this situation illustrates the importance of communicating to your customers about a data breach before they read about it in the newspaper. By initiating the communication rapidly, prior to publicity, organizations can ameliorate some of the concern and confusion that surrounds a situation like this that is made public prior to formal notification by the organization.

Q&A on New Ponemon Study

May 19, 2008 – 11:52 pm

IT Business Edge recently published a question and answer style interview with Doug Pollack at ID Experts concerning the recently released Ponemon Institute study titled “Consumers’ Report Card on Data Breach Notification”.

The interview highlights key findings in this study which surveyed individuals who had been involved in one or more data breaches over the last two years.

“The thing that is amazing is that there is a statistic that says that of the one-third who were offered free or subsidized services, 97 percent of them rated those services as good or excellent. The people who were offered and accepted a free or subsidized service, such as credit report monitoring, were 2.5 times more likely to feel that the company was helpful in responding to their concerns.”

To read more, check out the entire interview at IT Business Edge.

DataBreachWatch.org to encompass data breach alerts, breach news and online resources

May 19, 2008 – 8:01 am

BEAVERTON, Ore., May 13 — ID Experts(TM), the leader in data breach protection services, announced today its new blog DataBreachWatch.org that will feature data breach alerts, breach news and online resources for security and privacy professionals.

“DataBreachWatch.org is a great way for us to consolidate data breach events and information as they happen and organize that information in ways that are useful for subscribers,” said Rick Kam, president of ID Experts. “As an expert in data breach protection, we can also showcase our own expertise through best practices in managing breach notification, response and more.”

Among the information featured on the site is a recent study by The Ponemon Institute, “The Consumers Report Card on Data Breach Notification”, which revealed 63 percent of respondents were dissatisfied with data breach notification and as a result, 31 percent said they terminated their relationship with the organization.

“Our goal is to raise awareness levels around breach and close the gap between legal obligations of a data breach and consumer satisfaction for maintaining a sustainable business,” said Kam. “Corporations and other organizations can learn and adopt valuable best practices learned from this report and other information available at DataBreachWatch.org.”

The sponsor of the Data Breach Watch blog, ID Experts, has established data breach services, ID Experts Breach Respond and ID Experts Breach Assess, to address the growing consumer dissatisfaction with current breach and response methods. These services include breach assessment, notification and communications, monitoring and identity theft recovery components. Tailored to meet the individual needs of the private sector and government agencies, ID Experts is delivering a comprehensive approach to responding to data breach events that alleviates legal liability, manages public perception, and protects and restores individuals’ identities from identity theft.

About DataBreachWatch.org

Sponsored by ID Experts, DataBreachWatch.org is a dedicated information site for data breach alerts, breach news and resources for privacy and security professionals. The information on the site will help establish best practices around data breach events, notification, response and recovery across all industry segments. To subscribe to DataBreachWatch.org or contribute timely information, visit www.databreachwatch.org.

About ID Experts(TM)

ID Experts(TM) provides identity theft protection services for individuals, corporations and the public sector. Unlike other identity theft protection service providers that rely solely on credit monitoring, ID Experts takes a uniquely personal approach to identity protection: whether it’s an individual or family, or the largest corporations, government agencies and universities, ID Experts ensures each and every individual receives protection and recovery assistance. Today, ID Experts protects more than 3 million individuals nationwide from identity theft. These customers benefit from ID Experts’ team of experienced identity recovery advocates who have a 100 percent success rate in restoring victims’ identities to pre-theft status. For more information visit www.idexpertscorp.com.

Jeni Cantley of MacKenzie Marketing Group, +1-503-225-0725,
jenic@mackenzie-marketing.com, for ID Experts