<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="wordpress/2.3.3" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>

<channel>
	<title>Data Breach Watch</title>
	<link>http://www.databreachwatch.org</link>
	<description></description>
	<pubDate>Thu, 07 Aug 2008 17:33:12 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.3.3</generator>
	<language>en</language>
			<item>
		<title>Welcome to the Data Breach Watch Blog</title>
		<link>http://www.databreachwatch.org/announcements/welcome-to-the-data-breach-watch-blog/</link>
		<comments>http://www.databreachwatch.org/announcements/welcome-to-the-data-breach-watch-blog/#comments</comments>
		<pubDate>Tue, 08 Apr 2008 18:27:42 +0000</pubDate>
		<dc:creator>Doug</dc:creator>
		
		<category><![CDATA[Announcements]]></category>

		<guid isPermaLink="false">http://www.databreachwatch.org/announcements/welcome-to-the-data-breach-watch-blog/</guid>
		<description><![CDATA[Welcome to Data Breach Watch - your resource for data breach alerts, breach-related news and articles, and helpful resources.  This blog was created to provide security and privacy officers, their teams, and other interested constituents, with up-to-date information, commentary and resources on data breaches. Despite advances in data security, breaches continue to be a [...]]]></description>
			<content:encoded><![CDATA[<p>Welcome to Data Breach Watch - your resource for <a href="http://www.databreachwatch.org/data-breach-alerts/"  target="_blank">data breach alerts</a>, <a href="http://www.databreachwatch.org/data-breach-articles/" >breach-related news</a> and articles, and helpful resources.  This blog was created to provide security and privacy officers, their teams, and other interested constituents, with up-to-date information, commentary and resources on data breaches. Despite advances in data security, breaches continue to be a growing problem for organizations. Use this blog to stay current and access useful resources.  <a href="http://www.databreachwatch.org/announcements/databreachwatchorg-to-encompass-data-breach-alerts-breach-news-and-online-resources/"  target="_blank">Read our announcement for more information about Data Breach Watch</a>.</p>
<p>Please subscribe to our RSS feed and contribute by leaving a comment.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreachwatch.org/announcements/welcome-to-the-data-breach-watch-blog/feed/</wfw:commentRss>
		</item>
		<item>
		<title>DataLossDB Site Beta</title>
		<link>http://www.databreachwatch.org/announcements/datalossdb-site-beta/</link>
		<comments>http://www.databreachwatch.org/announcements/datalossdb-site-beta/#comments</comments>
		<pubDate>Thu, 07 Aug 2008 17:33:12 +0000</pubDate>
		<dc:creator>Doug</dc:creator>
		
		<category><![CDATA[Announcements]]></category>

		<category><![CDATA[Data Breach Alerts]]></category>

		<guid isPermaLink="false">http://www.databreachwatch.org/announcements/datalossdb-site-beta/</guid>
		<description><![CDATA[by Doug Pollack
The Attrition.org site has now re-emerged as DataLossDB. Their mission is described as follows on their site:
&#8220;DataLossDB, formerly the Attrition.org, Data Loss Database Open Source, is a research project aimed at documenting known and reported data loss incidents world-wide. [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.databreachwatch.org/wp-content/uploads/2008/08/data-loss-logo-beta.gif"  title="data-loss-logo-beta.gif"><img src="http://www.databreachwatch.org/wp-content/uploads/2008/08/data-loss-logo-beta.thumbnail.gif" alt="data-loss-logo-beta.gif" /></a>by Doug Pollack</p>
<p>The Attrition.org site has now re-emerged as DataLossDB. Their mission is described as follows on their site:</p>
<p>&#8220;<a href="http://datalossdb.org/" onclick="javascript:pageTracker._trackPageview('/outbound/article/datalossdb.org');">DataLossDB</a>, formerly the Attrition.org, Data Loss Database Open Source, is a research project aimed at documenting known and reported data loss incidents world-wide. The effort is now a community one, with the move to OSF, and relies on the contributions of users like you to grow and prune the database.&#8221;</p>
<p>This is a terrific new resource that will help ensure that the size and scope of data breach events, as well as those individuals that may be impacted, are made public and generally available.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreachwatch.org/announcements/datalossdb-site-beta/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Phishers Upgrade to Vishing: Phone Scams Target Your Identity</title>
		<link>http://www.databreachwatch.org/data-breach-alerts/phishers-upgrade-to-vishing-phone-scams-target-your-identity/</link>
		<comments>http://www.databreachwatch.org/data-breach-alerts/phishers-upgrade-to-vishing-phone-scams-target-your-identity/#comments</comments>
		<pubDate>Mon, 04 Aug 2008 19:01:34 +0000</pubDate>
		<dc:creator>rebeccaseaman</dc:creator>
		
		<category><![CDATA[Announcements]]></category>

		<category><![CDATA[Data Breach Alerts]]></category>

		<category><![CDATA[Data Breach News]]></category>

		<guid isPermaLink="false">http://www.databreachwatch.org/data-breach-alerts/phishers-upgrade-to-vishing-phone-scams-target-your-identity/</guid>
		<description><![CDATA[
By Rebecca Seaman
By now, most savvy consumers are aware of Phishing Scams: emails supposedly sent from one of the entities we do business with asking us to verify our personal information by clicking on a link in the body of the email. We know that if our creditors or banking institutions need to correspond with [...]]]></description>
			<content:encoded><![CDATA[<p><img border="0" width="120" src="http://ocw.mit.edu/NR/rdonlyres/Writing-and-Humanistic-Studies/21W-780Spring-2006/492A8DA0-EC52-4193-AD4F-5AA476D3D364/0/chp_cell_phone.jpg" height="120" /></p>
<p>By Rebecca Seaman</p>
<p>By now, most savvy consumers are aware of Phishing Scams: emails supposedly sent from one of the entities we do business with asking us to verify our personal information by clicking on a link in the body of the email. We know that if our creditors or banking institutions need to correspond with us, they will usually initiate contact by sending us a letter or, occasionally, by calling us.</p>
<p>To keep up with consumers’ increasing awareness of phishing scams, thieves have now gotten more technical. <a href="http://www.bankrate.com/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.bankrate.com');"><font color="#07519a">Leslie Hunt for Bankrate.com</font></a> describes the latest ploy, known as ‘vishing’: scammers send an email that appears legitimate, asking a consumer to contact their banking institution at a number listed in the email. New Voice over IP (VoIP) technology makes it easy for a scammer to set up new phone numbers quickly, with any area code, and the calls are often automated. For example, a recent scam targeting PayPal users directed consumers to call a number that simply stated &#8220;Welcome to account verification. Please enter your 16-digit card number.&#8221; The thief is then able to glean the account information from the consumer, and the rest is history.</p>
<p>The reality is, the entities we do business with are very vigilant with the safety of their customers’ personal information, and would never send an email asking consumers to contact them. If necessary, they will contact the consumer directly, sometimes over the phone. That being said, some vishers are cold-calling customers, masquerading as legitimate companies. For more details, see <a href="http://articles.moneycentral.msn.com/Banking/FinancialPrivacy/YourPhoneMayBeUnderAttack.aspx" onclick="javascript:pageTracker._trackPageview('/outbound/article/articles.moneycentral.msn.com');"><font color="#800080">this Bankrate.com article</font></a> in MSN Money.</p>
<p>So how do we know whether or not to trust a phone call from what appears to be a legitimate source? Jim Stickley, the Chief Technology Officer for <a href="http://www.tracesecurity.com/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.tracesecurity.com');"><font color="#800080">TraceSecurity</font></a>, a security compliance software firm, recommends just hanging up if someone who claims to be from your bank calls. Then, call the bank directly. &#8220;Use the number on the back of your cards,&#8221; he says. &#8220;If the call was legitimate, the bank would know that number, too.&#8221;</p>
<p>If you find out your bank, creditor or escrow service didn&#8217;t contact you, notify them, as well as the <a href="http://www.ic3.gov/complaint/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.ic3.gov');">Internet Crime Complaint Center</a> and the <a href="https://rn.ftc.gov/pls/dod/wsolcq$.startup?Z_ORG_CODE=PU01" onclick="javascript:pageTracker._trackPageview('/outbound/article/rn.ftc.gov');">Federal Trade Commission</a>. Forward the e-mail to <a href="mailto:spam@uce.gov">spam@uce.gov</a>. Visit the <a href="http://www.consumer.gov/idtheft/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.consumer.gov');">FTC&#8217;s identity theft Web site</a> if you&#8217;ve responded to a vishing e-mail.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreachwatch.org/data-breach-alerts/phishers-upgrade-to-vishing-phone-scams-target-your-identity/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Senate Passes Stricter Identity Theft Legislation</title>
		<link>http://www.databreachwatch.org/data-breach-alerts/senate-passes-stricter-identity-theft-legislation/</link>
		<comments>http://www.databreachwatch.org/data-breach-alerts/senate-passes-stricter-identity-theft-legislation/#comments</comments>
		<pubDate>Fri, 01 Aug 2008 20:26:50 +0000</pubDate>
		<dc:creator>rebeccaseaman</dc:creator>
		
		<category><![CDATA[Announcements]]></category>

		<category><![CDATA[Data Breach Alerts]]></category>

		<category><![CDATA[Data Breach News]]></category>

		<guid isPermaLink="false">http://www.databreachwatch.org/data-breach-alerts/senate-passes-stricter-identity-theft-legislation/</guid>
		<description><![CDATA[ 
By Rebecca Seaman
A modified bill that would allow victims of ID Theft to recoup costs in federal court and which would impose harsher restrictions on cyberattacks passed in the Senate this week. The bill, known as the Identity Theft Enforcement and Restitution Act, still needs to be approved by the House, but is a much [...]]]></description>
			<content:encoded><![CDATA[<p> <a href="http://blog.idexpertscorp.com/wiki/Image:Senate_Seal.svg" onclick="javascript:pageTracker._trackPageview('/outbound/article/blog.idexpertscorp.com');" title="Seal of the United States Senate"><img width="150" src="http://upload.wikimedia.org/wikipedia/commons/thumb/b/b6/Senate_Seal.svg/275px-Senate_Seal.svg.png" height="150" /></a></p>
<p>By Rebecca Seaman</p>
<p>A modified bill that would allow victims of ID theft to recoup costs in federal court, and that would impose harsher restrictions on cyberattacks, passed in the Senate this week. The bill, known as the <em>Identity Theft Enforcement and Restitution Act</em>, still needs to be approved by the House, but is a much-needed step in the right direction to further protect consumers. More details are available in the July 31 <a href="http://www.scmagazineus.com/Senate-OKs-revamped-identity-theft-legislation/article/113232/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.scmagazineus.com');">article from SC Magazine</a>.</p>
<p>Interestingly, the bill would make it a felony to use various types of malware known as keyloggers and spyware to damage more than 10 computers, regardless of the extent of the damage. Previously, attacks resulting in less than $5,000 worth of damage were only classified as misdemeanors.</p>
<p>Patrick Leahy (D-VT), a co-sponsor of the bill, said in a <a href="http://leahy.senate.gov/press/200807/073108a.html" onclick="javascript:pageTracker._trackPageview('/outbound/article/leahy.senate.gov');">statement</a> released Thursday: &#8220;The Senate&#8217;s action moves us in the right direction to provide critical tools to combat cybercrime and to protect the privacy of all Americans. I hope the leadership in the House will quickly act to pass this legislation and send it to the president for signature.&#8221;</p>
<p>The incidence of identity theft perpetrated through cybercrime is a fast-growing epidemic, and legislation such as this is a great initiative to protect consumers from these crimes. However, it’s important that these bills move quickly through Congress if they are going to keep up with scammers’ increasingly sophisticated attacks. Hopefully, this bill and others like it will move rapidly. Stay tuned.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreachwatch.org/data-breach-alerts/senate-passes-stricter-identity-theft-legislation/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Data breaches up 69 percent this year; businesses account for one third.</title>
		<link>http://www.databreachwatch.org/data-breach-alerts/data-breaches-up-69-percent-this-year-businesses-account-for-one-third/</link>
		<comments>http://www.databreachwatch.org/data-breach-alerts/data-breaches-up-69-percent-this-year-businesses-account-for-one-third/#comments</comments>
		<pubDate>Thu, 10 Jul 2008 23:50:55 +0000</pubDate>
		<dc:creator>rebeccaseaman</dc:creator>
		
		<category><![CDATA[Data Breach Alerts]]></category>

		<category><![CDATA[Data Breach News]]></category>

		<guid isPermaLink="false">http://www.databreachwatch.org/data-breach-alerts/data-breaches-up-69-percent-this-year-businesses-account-for-one-third/</guid>
		<description><![CDATA[By Rebecca Seaman
Data breaches are on the rise, despite preventative measures such as state notification laws. Specifically, the Washington Post reports that data breaches reported by businesses, governments and universities are up 69 percent this year. Businesses alone accounted for a 27 percent increase in breaches, or one third of all those reported.
This may not [...]]]></description>
			<content:encoded><![CDATA[<p>By Rebecca Seaman</p>
<p>Data breaches are on the rise, despite preventative measures such as state notification laws. Specifically, the <a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/06/30/AR2008063002123.html" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.washingtonpost.com');">Washington Post reports </a>that data breaches reported by businesses, governments and universities are up 69 percent this year. Businesses alone accounted for a 27 percent increase in breaches, or one third of all those reported.</p>
<p>This may not be as alarming a trend as it may appear on the surface. In fact, it may be that businesses are simply more aware of breaches now that they know what to look for and have a better understanding of how breaches occur. Likewise, with the implementation of state notification laws, businesses may feel more compelled to report a breach than they were in the past.</p>
<p>Linda Foley, founder of <a href="http://www.idtheftcenter.org/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.idtheftcenter.org');">The Identity Theft Resource Center</a>, a nonprofit organization in San Diego, points this out. &#8220;Part of this may be that organizations are finding out about more breaches because they&#8217;re really starting to look for them,&#8221; Foley said. &#8220;The other part is that companies are coming forward because they want to control the flow and spin of the disclosure.&#8221;</p>
<p>Regardless of how these breaches are occurring, businesses need to remain vigilant in <em>preventing</em> a breach, rather than focusing on damage control once a breach has occurred. Lost or stolen laptops remain the largest reported cause of business-related breaches. They account for 20 percent of all reported cases, while hacking was the least cited. In other words, these breaches were largely preventable. By making breach prevention a matter of policy (for example, evaluating risk and implementing tough cyber-security rules), businesses are less likely to experience a breach, and better prepared to manage one that does occur.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreachwatch.org/data-breach-alerts/data-breaches-up-69-percent-this-year-businesses-account-for-one-third/feed/</wfw:commentRss>
		</item>
		<item>
		<title></title>
		<link>http://www.databreachwatch.org/data-breach-news/42/</link>
		<comments>http://www.databreachwatch.org/data-breach-news/42/#comments</comments>
		<pubDate>Fri, 20 Jun 2008 16:03:39 +0000</pubDate>
		<dc:creator>Doug</dc:creator>
		
		<category><![CDATA[Data Breach News]]></category>

		<category><![CDATA[data breach best practices]]></category>

		<category><![CDATA[data breach notification]]></category>

		<category><![CDATA[data breach response plan]]></category>

		<category><![CDATA[verizon]]></category>

		<guid isPermaLink="false">http://www.databreachwatch.org/data-breach-news/42/</guid>
		<description><![CDATA[ by Doug Pollack
Verizon Business Security Solutions recently released a study titled &#8220;2008 Data Breach Investigations Report&#8221; that looks at the causes of data breaches and prescribes recommendations for improving data security policies that can lead to data breaches.
An article in CNET related to this study, &#8220;Reports examine causes and victims of data breaches&#8221;, notes that [...]]]></description>
			<content:encoded><![CDATA[<p> <a href="http://www.databreachwatch.org/wp-content/uploads/2008/06/verizon.jpg"  title="verizon.jpg"><img src="http://www.databreachwatch.org/wp-content/uploads/2008/06/verizon.jpg" alt="verizon.jpg" /></a>by Doug Pollack</p>
<p>Verizon Business Security Solutions recently released a study titled &#8220;<a href="http://www.verizonbusiness.com/resources/security/databreachreport.pdf" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.verizonbusiness.com');" target="_blank">2008 Data Breach Investigations Report</a>&#8221; that looks at the causes of data breaches and prescribes recommendations for improving data security policies that can lead to data breaches.</p>
<p>An article in CNET related to this study, &#8220;<a href="http://news.cnet.com/8301-10789_3-9965670-57.html" onclick="javascript:pageTracker._trackPageview('/outbound/article/news.cnet.com');" target="_blank">Reports examine causes and victims of data breaches</a>&#8221;, notes that a key conclusion of the report is that &#8220;9 out of 10 corporate data breaches could have been prevented, had appropriate security measures been taken&#8221;.</p>
<p>Dr. Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions, says of this report that “it can help companies better understand data breaches – how they occur and the commonalities that exist. Most importantly, it urges organizations to be proactive in their approach to security &#8212; the absolute key to safeguarding data.”</p>
<p>Two key recommendations from the report follow:</p>
<ul>
<li>Align process with policy. In 59 percent of data breaches, the organization had security policies and procedures established for the system, but these measures were never implemented. Implement, implement, implement.</li>
<li>Create an incident response plan. If and when a breach is suspected, the organization must be ready to respond, not only to stop the data compromise but to collect evidence that enables the business to pursue prosecution when necessary.</li>
</ul>
<p>It is wonderful to see research on the topic of data breaches that outlines recommendations that can help companies avoid data breaches, while being better prepared to deal with them when they unavoidably occur.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreachwatch.org/data-breach-news/42/feed/</wfw:commentRss>
		</item>
		<item>
		<title>FBI Prosecutes and Shuts Down “The Shadowcrew” Carding Forum</title>
		<link>http://www.databreachwatch.org/data-breach-news/fbi-prosecutes-and-shuts-down-%e2%80%9cthe-shadowcrew%e2%80%9d-carding-forum/</link>
		<comments>http://www.databreachwatch.org/data-breach-news/fbi-prosecutes-and-shuts-down-%e2%80%9cthe-shadowcrew%e2%80%9d-carding-forum/#comments</comments>
		<pubDate>Mon, 16 Jun 2008 08:33:07 +0000</pubDate>
		<dc:creator>rebeccaseaman</dc:creator>
		
		<category><![CDATA[Data Breach News]]></category>

		<category><![CDATA[carding forums]]></category>

		<category><![CDATA[data breaches]]></category>

		<category><![CDATA[fbi]]></category>

		<guid isPermaLink="false">http://www.databreachwatch.org/data-breach-news/fbi-prosecutes-and-shuts-down-%e2%80%9cthe-shadowcrew%e2%80%9d-carding-forum/</guid>
		<description><![CDATA[ By Rebecca Seaman
While there are currently many Carding Forums operating on the web, the article Data Breaches: What the Underground World of “Carding” Reveals focuses on one particular organization that the FBI managed to infiltrate and shut down: the Shadowcrew criminal organization. According to the author, Kimberly Kiefer Peretti, this group “was a global [...]]]></description>
			<content:encoded><![CDATA[<p><font face="Times New Roman"> By Rebecca Seaman</font></p>
<p><font face="Times New Roman">While there are currently many Carding Forums operating on the web, the article <a href="http://www.cybercrime.gov/DataBreachesArticle.pdf" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.cybercrime.gov');"><em>Data Breaches: What the Underground World of “Carding” Reveals</em></a> focuses on one particular organization that the FBI managed to infiltrate and shut down: the Shadowcrew criminal organization. According to the author, Kimberly Kiefer Peretti, this group “was a global organization of thousands of members that was dedicated to promoting and facilitating the electronic theft of personal identifying information, credit card and debit card fraud, and the production and sale of false identification documents”. The organization “operated from 2002 until October 2004, when it was taken down by the USSS as the result of a yearlong undercover investigation known as Operation Firewall.”</font></p>
<p><font face="Times New Roman">The Shadowcrew website was a highly organized online meeting place where criminal hackers and other identity thieves would convene to post, trade and sell stolen account information obtained from large-scale data breaches. The online forum quickly made the data accessible to cyber thieves worldwide.  </font></p>
<p><font face="Times New Roman">The Shadowcrew crime ring operated globally, emphasizing the new trend of organized crime being perpetrated in cyberspace. The FBI stated that during prosecution, “Shadowcrew defendants revealed that members from one country would conspire with members from another country to commit specific carding crimes.” In addition, the FBI enlisted the help of several foreign governments during their investigation. These countries included Canada, Bulgaria, Belarus, Poland, Sweden, the Netherlands and Ukraine.</font></p>
<p><font face="Times New Roman">What were the costs to businesses and consumers as a result of the Shadowcrew Crime ring? The FBI’s investigation concluded that “Shadowcrew members collectively trafficked in at least 1.5 million stolen credit card numbers that resulted in over $4 million in actual losses to credit card companies and financial institutions. However, it is estimated by law enforcement authorities that, had the organization not been interrupted, the credit card industry could have faced hundreds of millions of dollars in losses.”</font></p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreachwatch.org/data-breach-news/fbi-prosecutes-and-shuts-down-%e2%80%9cthe-shadowcrew%e2%80%9d-carding-forum/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Notification not reducing ID theft</title>
		<link>http://www.databreachwatch.org/data-breach-news/notification-not-reducing-id-theft/</link>
		<comments>http://www.databreachwatch.org/data-breach-news/notification-not-reducing-id-theft/#comments</comments>
		<pubDate>Fri, 06 Jun 2008 20:59:21 +0000</pubDate>
		<dc:creator>Doug</dc:creator>
		
		<category><![CDATA[Data Breach News]]></category>

		<category><![CDATA[Carnegie Mellon]]></category>

		<category><![CDATA[data breach]]></category>

		<category><![CDATA[identity theft]]></category>

		<category><![CDATA[notification laws]]></category>

		<guid isPermaLink="false">http://www.databreachwatch.org/uncategorized/notification-not-reducing-id-theft/</guid>
		<description><![CDATA[by Doug Pollack
A  study published this week by Carnegie Mellon researchers concludes that data breach notification laws that have been enacted in 43 US states do not seem to be causing a decrease in the rate of identity theft.
An article published in Infoworld reports that:
&#8220;&#8216;There doesn&#8217;t seem to be any evidence that the laws [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.databreachwatch.org/wp-content/uploads/2008/06/iwlogo2_2006.gif"  title="iwlogo2_2006.gif"><img src="http://www.databreachwatch.org/wp-content/uploads/2008/06/iwlogo2_2006.gif" alt="iwlogo2_2006.gif" /></a>by Doug Pollack</p>
<p>A  <a href="http://weis2008.econinfosec.org/papers/Romanosky.pdf" onclick="javascript:pageTracker._trackPageview('/outbound/article/weis2008.econinfosec.org');" target="_blank">study published this week</a> by <span class="artText">Carnegie Mellon</span> researchers concludes that <a href="http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.ncsl.org');" target="_blank">data breach notification laws</a> that have been enacted in 43 US states do not seem to be causing a decrease in the rate of identity theft.</p>
<p>An article published in <a href="http://www.infoworld.com/article/08/06/05/Notification-laws-not-lowering-ID-theft_1.html" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.infoworld.com');" target="_blank">InfoWorld</a> reports that:</p>
<p page="1" class="ArticleBody">&#8220;&#8216;There doesn&#8217;t seem to be any evidence that the laws actually reduce identity theft,&#8217; said Sasha Romanosky, a Ph.D student at Carnegie Mellon who is one of the paper&#8217;s authors. Romanosky&#8217;s team took a state-by-state look at FTC identity theft complaints filed between 2002 and 2006 to see whether there was a noticeable impact on complaints in states that had adopted data breach notification laws such as California&#8217;s SB 1386, which compels companies and institutions to notify state residents when their personal information has been lost or stolen.&#8221;</p>
<p page="1" class="ArticleBody">The authors call for the federal government to pass a uniform breach notification law in order to eliminate conflicts that exist between state laws and to ensure an appropriate standard for effectively notifying individuals whose personal information has been compromised.</p>
<p page="1" class="ArticleBody">As for what other factors may be contributing to the lack of reduction in the incidence of identity theft, however, InfoWorld notes that <span class="artText">&#8220;the fraudsters are also getting better at what they do&#8221;.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreachwatch.org/data-breach-news/notification-not-reducing-id-theft/feed/</wfw:commentRss>
		</item>
		<item>
		<title>International Carding Forums: Large-Scale Data Breaches for Sale</title>
		<link>http://www.databreachwatch.org/data-breach-news/international-carding-forums-large-scale-data-breaches-for-sale/</link>
		<comments>http://www.databreachwatch.org/data-breach-news/international-carding-forums-large-scale-data-breaches-for-sale/#comments</comments>
		<pubDate>Wed, 04 Jun 2008 00:26:23 +0000</pubDate>
		<dc:creator>rebeccaseaman</dc:creator>
		
		<category><![CDATA[Data Breach News]]></category>

		<guid isPermaLink="false">http://www.databreachwatch.org/data-breach-news/international-carding-forums-large-scale-data-breaches-for-sale/</guid>
		<description><![CDATA[ By Rebecca Seaman
The Federal Bureau of Investigation recently released a report detailing a new trend in global organized cyber crime: Carding Forums. In these online forums, where data is posted for sale much like one would post a sofa for sale on Craigslist, the detailed financial and personal information of individuals who have fallen victim [...]]]></description>
			<content:encoded><![CDATA[<p><font face="Times New Roman"><a href="http://www.databreachwatch.org/wp-content/uploads/2008/06/seal1.gif"  title="seal1.gif"><img src="http://www.databreachwatch.org/wp-content/uploads/2008/06/seal1.gif" alt="seal1.gif" /></a> By Rebecca Seaman</font></p>
<p><font face="Times New Roman"><a href="http://www.fbi.gov/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.fbi.gov');">The Federal Bureau of Investigation </a>recently released a report detailing a new trend in global organized cyber crime: Carding Forums. In these online forums, where data is posted for sale much like one would post a sofa for sale on Craigslist, the detailed financial and personal information of individuals who have fallen victim to large-scale data breaches is offered to the highest bidder. What is perhaps most alarming is the fact that this information can be breached/hacked and posted on the internet within hours or days, long before the organization whose records have been hacked is even aware of the breach.</font></p>
<p><font face="Times New Roman">What is “carding” and how is it perpetrated? <a href="http://www.cybercrime.gov/DataBreachesArticle.pdf" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.cybercrime.gov');">Kimberly Kiefer Peretti of the FBI explains</a>: “In its narrow sense, the term “carding” refers to the unauthorized use of credit and debit card account information to fraudulently purchase goods and services. In contrast to other types of identity theft, carding involves the large-scale theft of credit card account numbers and other financial information” obtained by, among other methods, “computer hacking, phishing, cashing-out stolen account numbers, and Internet auction fraud. The individuals who engage in these criminal activities are referred to as “carders.” </font></p>
<p><font face="Times New Roman">According to Peretti, once individuals log into one of these sites, they post messages to various forums advertising the stolen data, and “provide guidance to members on producing, selling and using stolen credit card and debit card information and false identification documents.” Individual members of the site were often known by several nicknames in the interest of anonymity. In addition to the forum’s many members, there are usually several site ‘administrators’, individuals near the top of the forum’s hierarchy. The administrators serve as a “governing council of the criminal organization”. There are usually several ‘moderators’ as well: individuals who are experts in, and responsible for, one geographic location or subject content.</font></p>
<p><font face="Times New Roman">In conclusion, it is important to understand that we are not just dealing with cyber thieves at home in the U.S., but that cyber crime rings are becoming increasingly organized and are operating on a global scale. This collaboration makes it possible for large amounts of data to become breached and disseminated quickly via the internet. Any organization entrusted with the security of its clients’ personal information needs to be aware of this new threat to its cyber security and be prepared to handle a breach of this nature.</font></p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreachwatch.org/data-breach-news/international-carding-forums-large-scale-data-breaches-for-sale/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Data breaches often lead to civil litigation</title>
		<link>http://www.databreachwatch.org/data-breach-news/data-breaches-often-lead-to-civil-litigation/</link>
		<comments>http://www.databreachwatch.org/data-breach-news/data-breaches-often-lead-to-civil-litigation/#comments</comments>
		<pubDate>Fri, 30 May 2008 21:16:26 +0000</pubDate>
		<dc:creator>Doug</dc:creator>
		
		<category><![CDATA[Data Breach News]]></category>

		<category><![CDATA[class action]]></category>

		<category><![CDATA[data breach]]></category>

		<category><![CDATA[litigation]]></category>

		<category><![CDATA[state data breach notification laws]]></category>

		<guid isPermaLink="false">http://www.databreachwatch.org/data-breach-news/data-breaches-often-lead-to-civil-litigation/</guid>
		<description><![CDATA[by Doug Pollack
Most of us by now have received at least one data breach notification letter that has stated that our personal information was lost or stolen. I received one just a month ago from a brokerage firm that I did business with years ago. Often, with high profile companies or very large breaches, these [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.databreachwatch.org/wp-content/uploads/2008/05/masthead.gif"  title="masthead.gif"><img src="http://www.databreachwatch.org/wp-content/uploads/2008/05/masthead.gif" alt="masthead.gif" /></a></p>
<p>by Doug Pollack</p>
<p>Most of us by now have received at least one data breach notification letter that has stated that our personal information was lost or stolen. I received one just a month ago from a brokerage firm that I did business with years ago. Often, with high profile companies or very large breaches, these events can turn into a PR nightmare for the company.</p>
<p>A recently published article in the New York Law Journal titled &#8220;<a href="http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1202421396867" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.law.com');">Data Breaches Mean More Than Bad Publicity</a>&#8221; looks at an associated trend toward civil litigation against companies that experience a data breach.</p>
<p>&#8220;The negligent (or even innocent) loss of electronic data to cybercriminals inflicts billions of dollars of damage on our economy, as personal information has become a sought-after treasure trove for cybercriminals&#8230;These costs are likely to escalate as, in an increasing trend, corporations are also being pummeled with civil litigation related to data breaches.&#8221;</p>
<p>The authors also note the difficulties inherent in complying with the numerous, different and sometimes conflicting state data breach notification laws.</p>
<p>&#8220;Forensic investigations are also critical to guide a corporation through the maze of state data breach notification laws. Such laws will require varying levels of compliance, depending on the nature of the breach and of the entity&#8217;s operations. California&#8217;s data breach law, which has served as a model for many other states, demands that upon discovering a breach of personal information, a business &#8216;shall disclose any breach of the security of the system&#8217; to any affected persons &#8216;in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.&#8217;&#8221;</p>
<p>The authors conclude that companies must prepare for lawsuits that may accompany a data breach. But they also note that plaintiffs have a difficult time proving damages in many cases. Companies should be very diligent in managing their data breach response efforts in order to ensure that affected individuals do not suffer real harm.</p>
<p>&#8220;While the hurdles for plaintiffs remain high, these lawsuits have become a fact of life in today&#8217;s litigious society. Corporations suffering data breaches thus must now routinely face an onslaught of civil litigation in addition to the negative publicity and regulatory scrutiny coming from data breaches and their announcements.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreachwatch.org/data-breach-news/data-breaches-often-lead-to-civil-litigation/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>
