Update on Lifelock-Experian Lawsuit

May 28, 2009 – 4:47 pm

by Doug Pollack

It was reported today in Finextra that US judge Andrew Guilford has concluded that “Lifelock… has been employing unfair business practices by placing fraud alerts on customer credit files it maintains.”

Data breach incidents have been on the rise this year. Typically a credit monitoring offering is provided to the victims of a data breach as part of the remediation offered by the organization that experienced the breach. Rather than provide credit monitoring, Lifelock relies on setting fraud alerts with the credit bureaus as a means of offering some protection to their customers.

The Experian lawsuit claimed, and this appears to have been upheld, that Lifelock uses “unfair business practices” by setting and resetting fraud alerts every 90 days, independent of whether there is any reason to believe the individuals are at risk of identity theft.

Social Media Risks

April 24, 2009 – 11:56 pm

by Doug Pollack

A recent news segment covered the risks of identity crime that arise from everyday use of social networking sites such as Facebook, MySpace and Twitter.

Do Breach Notification Laws Work?

March 13, 2009 – 10:39 pm

by Doug Pollack

This past week, a seminar was held on the campus of UC Berkeley on the topic of security breach notification. Wired Magazine published an article on the topic and reached the unfortunate conclusion that, while breach notification laws are substantially increasing public awareness of data breaches, and awareness of the security risks among those who hold your personal data, data breach events are nonetheless on the rise.

“It’s clear that the laws have made the public more aware of breaches and the vulnerability of their data, and have exposed poor security practices at many businesses. A 2005 study by the FBI showed that in the absence of a legal requirement to report breaches, only 20 percent of firms would report serious breaches to law enforcement.”

And while there has been a great deal of study as to whether the breach notification laws have reduced the incidence of subsequent identity theft due to breach events, the results remain inconclusive.

Old Scam Making Alarming Comeback on Facebook

February 16, 2009 – 7:17 pm


By Rebecca Seaman

Remember the classic “Nigerian 419” scam, where a rich prince or bank executive from a foreign country just needed your banking information to facilitate a transfer of funds? In exchange for your help, you would receive a percentage of those funds, gratis. And just like that, you could make a profit. Unfortunately, the only ones profiting were the thieves, who would use the banking information given to them to drain the funds from your account and disappear.

Hopefully, you didn’t fall for this scam, but thousands of would-be Good Samaritans and those hoping to make a quick profit did; some of them even went to Nigeria to meet the ‘Prince’ or ‘Bank Executive’ themselves. More on this here.

A disturbing new spin on the classic “Nigerian 419” scam has emerged recently. You may be too savvy to fall for the Prince, but what if you received word that one of your own friends or loved ones was in danger and needed your help and funds immediately? Many of us, no matter how aware we may be, would do anything to help our loved ones in a time of need. In fact, a recent article by Bob Sullivan of The Red Tape Chronicles highlights just such a scenario:

One evening, Bryan Rutberg’s daughter ran into his bedroom asking why he’d changed his Facebook status to read “BRYAN IS IN URGENT NEED OF HELP!!!” Initially, Bryan let this go, until his wife woke him to ask what was wrong. By this time the incident had his attention, and soon he realized his Facebook account had been hacked. Friends began to call incessantly; several of them had received an email stating that Bryan had been held up at gunpoint while travelling abroad and needed cash to return home. One concerned friend even wired $1,200.00 to London via Western Union.

Bryan began an urgent search for a way to reach Facebook and stop the hackers. But by this time the hackers had managed to lock Bryan out of his own account. They had changed his username and password so that he couldn’t access his Facebook page. Because of this, he couldn’t remove the ominous status message or contact his friends to let them know this was a scam. The hackers had even “de-friended” his wife, so he was unable to post a message from her account alerting his friends to the situation and letting them know he was really safe at home. Eventually, he was able to get his account deactivated, but not before his friend had lost a considerable amount of money, not to mention the time it took for Bryan to sort out the mess. “It was all over by Thursday (the next day) but not without a hell of a lot of drama,” he said. By then, one concerned colleague had even called Microsoft to warn the firm that Rutberg was in trouble.

Bryan and the friend who wired the money were both educated Microsoft employees, which speaks to the fact that anyone can fall victim to new and increasingly sophisticated attacks. Bryan was the victim of a newer, more precise version of the “Nigerian 419” scam. Instead of sending out millions of spam messages in the hope of fooling a small percentage of recipients, cyber thieves are getting much more personal in their attacks, using social networking sites like Facebook and MySpace to victimize users. In Bryan’s case, criminals were able to steal his Facebook password, take over his Facebook identity, and change his status to make it seem he was in trouble and needed help.

What can you do to protect yourself from social networking scams? A few basic precautions are as follows:

· Change your password regularly, and be sure that it is unique and preferably alphanumeric

· It’s not a good idea to have the same password for more than one account

· Be very cautious of any friend or contact asking for money or for personally identifying information. If you do receive such a request, call the person and verify the request over the phone

· Have more than one email address, in case one address is hacked or compromised

If you feel that your Facebook identity has been compromised, Facebook has established a link to report the abuse. Note: it is difficult to find when navigating Facebook’s home page, so keep this link handy. http://www.facebook.com/help/contact.php?show_form=account_compromised

Third Parties in Data Breaches

February 13, 2009 – 10:33 pm

by Doug Pollack

The VA this week announced that they will pay up to $20 million to veterans whose personal information was exposed in 2006 when a laptop was lost by an employee of Unisys, a government contractor that was handling claims processing for them.

USA Today reported that while the laptop was later recovered, it held personal information such as social security numbers for over 26 million veterans and active duty troops. This exemplifies a growing trend in data breaches: almost half of the data breaches reported in 2008 were caused by so-called “3rd parties”, outside information agencies, facilities, integrators and consultants who are entrusted with personal data by their corporate and government clients.

Given this trend, organizations must look harder at how they certify and validate the security and privacy policies of 3rd parties to whom they entrust information on their customers, patients and constituents.

Data Breach Causes Shareholder Value Decline

January 30, 2009 – 7:15 pm

by Doug Pollack

This past week, Heartland Payment Systems (HPY) announced that a system it uses to process over 100 million payment card transactions per month had been hacked during 2008 and that intruders may have had access to cardholders’ personal information for several months.

USA Today’s article on this topic, titled Hackers breach Heartland Payment credit card system, notes that “Heartland’s disclosure coincides with reports of heightened criminal activities involving stolen payment card numbers. Security firm CardCops has been tracking a 20% year-over-year increase in Internet chat room activity where hackers test batches of payment card numbers to make sure that they’re active.”

Experts conclude that this may be the largest data breach in history, possibly larger than the infamous TJX breach that exposed 94 million customers’ records in 2007. As of now, Heartland does not know how many of their cardholders were affected but stated that they plan to notify them once they have sorted this out.

This breach is a perfect illustration of how an organization may believe itself “secure” because it complies with the relevant security and privacy regulations. In this case, Heartland is compliant with PCI DSS, the Payment Card Industry Data Security Standard that Visa and MasterCard require, but that obviously wasn’t sufficient to ensure cardholder data was safeguarded.

Most organizations that hold PII (personally identifiable information) on their customers already make significant security investments and comply with numerous regulations and standards, so the open problem is clearly how best to prevent the breach of PII, not simply whether to invest in security.

The business impact of this type of data breach is now becoming obvious. Heartland lost over $180MM in shareholder value, over 35%, in the five days following the public announcement of this breach. With the potential for this type of decline in market value, companies must begin to look harder at measures that are specifically targeted at the prevention of data breaches.

FTC Report on Social Security Numbers and their Relationship to Identity Theft

January 8, 2009 – 11:37 pm

by Doug Pollack

The FTC released a report last month titled “Security in Numbers — SSNs and Identity Theft” that delves into the linkage between how we are asked to use our social security number for identification and authentication, and the implications for subsequent identity theft. It notes that identity theft continues to be a major issue with severe economic consequences in America.

“Identity theft continues to be a major problem in this country, with victims numbering in the millions each year and out-of-pocket losses (primarily to businesses) in the billions of dollars.”

The thrust of this report, however, is how best to change the way organizations use, and require you to use, your social security number, in order to limit the risks of data breach and identity theft.

“There is a broad consensus that the use of the SSN as an identifier is often beneficial, but that its use as an authenticator – as proof of identity – is problematic. Identifiers are effective only when they are widely shared. One’s name, for example, is widely known and generally effective as an identifier, although in many cases its lack of permanence or uniqueness prevents it from being useful as an identifier. Authenticators, on the other hand, are effective only when they are secret and thus not widely known. According to commenters and workshop participants, SSNs do not function well as authenticators because they are used commonly as identifiers and thus are widely available.”

In today’s environment, the idea of expanding our government regulation in order to provide greater privacy and security for Americans is likely to find a more positive reception given the recent issues that have resulted from poor oversight in the financial markets. The recommendations of this report (below), specifically the establishment of authentication standards for businesses that hold our personal data, represent a terrific path for ensuring greater protection of our identities from theft and misuse.

“The Commission believes that a number of actions could be taken to reduce the role of SSNs in identity theft, with emphasis on reducing the demand for SSNs by minimizing their value to identity thieves through improved authentication processes. Most importantly, the Commission recommends that Congress consider establishing national authentication standards for businesses that have consumer accounts and are not already subject to authentication requirements from other federal agencies.”

Peer to peer networks create enterprise data leakage risk

December 2, 2008 – 11:36 pm

by Doug Pollack

Today’s article by Ben Worthen in the Wall Street Journal highlights an unexpected risk to an organization’s data security. While many companies do not sanction the use of peer-to-peer file sharing software by employees, the article describes the potential for a data breach when employees work on business files on a home PC.

A letter from Senator Joe Biden that was reviewed by the Journal notes that “files containing the personal identifying information of nearly 24,000 US soldiers” were made publicly accessible via a peer-to-peer file sharing network. The information included “the full names and social security numbers” of the soldiers.

While it isn’t known exactly how the files were breached, it is possible that files from a work PC were loaded onto a home PC that runs a file sharing application like LimeWire or BitTorrent. Businesses are starting to become more aware of the risks associated with peer-to-peer networks. A recent Ponemon Institute study noted that peer-to-peer file sharing software was cited by security professionals as the single greatest threat.

Removable media like thumb drives have become almost ubiquitous within corporations, but they also pose a special class of data breach threat, given that employees are spending greater amounts of time working outside their primary workplace and using computers that are not controlled by their organization’s information security technologies.

Stock Market Woes Result in Increased Cyber Attacks

October 29, 2008 – 12:20 am

by Doug Pollack

During this period of economic uncertainty and financial decline, there appears to be a concurrent increase in cyber attacks using malware.

The Wall Street Journal reported recently that:

“Ever since the start of September, when the financial crisis hit in earnest, something odd has happened on the days the stock market experienced its biggest losses: The number of new pieces of malware detected has spiked. On the days when the market gains, the amount of malware detected drops. It’s happened eight times over the last month.”

Investors and traders need to be particularly wary during this time of financial turbulence, especially when logging onto their brokerage and trading accounts, or dealing with any email correspondence from these institutions.

New Data Privacy Laws

October 17, 2008 – 7:36 pm

by Doug Pollack

This week Ben Worthen of the Wall Street Journal published an article titled “New Data Privacy Laws Set for Firms” describing new laws that will affect businesses of all shapes and sizes in terms of how they protect the personal information of their customers and clients.

Laws related to data privacy enforcement have been enacted by several states, including Massachusetts and Nevada thus far, and numerous other states are considering similar laws. Mr. Worthen notes that:

“While it isn’t clear if state authorities intend to crack down on mom-and-pop businesses — the attorney general in Massachusetts is still developing an enforcement policy, a spokeswoman said — the laws establish a liability that could be used in civil suits against businesses following a data breach, privacy lawyers said.”

Over 40 US states have already enacted breach notification laws that speak to an organization’s requirements to notify individuals who may be affected by a loss of data, a data breach. These new laws are intended to speak to how companies are required to protect personal information in the first place.

While existing Red Flag rules mandate that financial institutions take certain measures to protect the personal information of account holders, these rules do not cover the broader base of businesses and government organizations that also maintain databases containing personal information on employees, customers, vendors and the like.

As noted by Daniel Crane, undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation, “Breach notification laws deal with what happens after the horse leaves the barn.” The new regulation in his state “is intended to prevent the horse from getting out of the barn in the first place.”