FTC Report on Social Security Numbers and their Relationship to Identity Theft

January 8, 2009 – 11:37 pm

by Doug Pollack

The FTC released a report last month titled “Security in Numbers — SSNs and Identity Theft” that delves into the linkage between how we are asked to use our social security number for identification and authentication, and the related implications on subsequent identity theft. It notes that identity theft continues to be a major issue with severe economic consequences in America.

“Identity theft continues to be a major problem in this country, with victims numbering in the millions each year and out-of-pocket losses (primarily to businesses) in the billions of dollars.”

The thrust of this report, however, is around how best to change how organizations use and require you to use your social security number in order to limit the risks of data breach and identity theft.

“There is a broad consensus that the use of the SSN as an identifier is often beneficial, but that its use as an authenticator – as proof of identity – is problematic. Identifiers are effective only when they are widely shared. One’s name, for example, is widely known and generally effective as an identifier, although in many cases its lack of permanence or uniqueness prevents it from being useful as an identifier. Authenticators, on the other hand, are effective only when they are secret and thus not widely known. According to commenters and workshop participants, SSNs do not function well as authenticators because they are used commonly as identifiers and thus are widely available.”

In today’s environment, the idea of expanding our government regulation in order to provide greater privacy and security for Americans is likely to find a more positive reception given the recent issues that have resulted from poor oversight in the financial markets. The recommendations of this report (below), specifically the establishment of authentication standards for businesses that hold our personal data, represent a terrific path for ensuring greater protection of our identities from theft and misuse.

“The Commission believes that a number of actions could be taken to reduce the role of SSNs in identity theft, with emphasis on reducing the demand for SSNs by minimizing their value to identity thieves through improved authentication processes. Most importantly, the Commission recommends that Congress consider establishing national authentication standards for businesses that have consumer accounts and are not already subject to authentication requirements from other federal agencies.”

Peer to peer networks create enterprise data leakage risk

December 2, 2008 – 11:36 pm

by Doug Pollack

Today’s article by Ben Worthen in the Wall Street Journal highlights an unexpected risk to an organization’s data security. While many companies do not sanction the use of peer-to-peer file sharing software by employees, the article describes the potential for a data breach when employees work with business files on a home PC.

A letter from Senator Joe Biden that was reviewed by the Journal notes that “files containing the personal identifying information of nearly 24,000 US soldiers” were made publicly accessible via a peer-to-peer file sharing network. The information included “the full names and social security numbers” of the soldiers.

While it isn’t known exactly how the files were breached, it is possible that files from a work PC were loaded onto a home PC running a file sharing application like LimeWire or BitTorrent. Businesses are starting to become more aware of the risks associated with peer-to-peer networks. A recent Ponemon Institute study noted that the security professionals who cited peer-to-peer file sharing software regarded it as the single greatest threat.

While removable media like thumb drives have become almost ubiquitous within corporations, they pose a special class of data breach threat, since employees are spending greater amounts of time working outside their primary workplace and using computers that are not controlled by their organization’s information security technologies.

Stock Market Woes Result in Increased Cyber Attacks

October 29, 2008 – 12:20 am

by Doug Pollack

During this period of economic uncertainty and financial decline, there appears to be a concurrent increase in cyber attacks using malware.

The Wall Street Journal reported recently that:

“Ever since the start of September, when the financial crisis hit in earnest, something odd has happened on the days the stock market experienced its biggest losses: The number of new pieces of malware detected has spiked. On the days when the market gains, the amount of malware detected drops. It’s happened eight times over the last month. ”

Investors and traders need to be particularly wary during this time of financial turbulence, especially when logging onto their brokerage and trading accounts, or dealing with any email correspondence from these institutions.

New Data Privacy Laws

October 17, 2008 – 7:36 pm

by Doug Pollack

This week Ben Worthen of the Wall Street Journal published an article titled “New Data Privacy Laws Set for Firms” describing new laws that will affect businesses of all shapes and sizes in terms of how they protect the personal information of their customers and clients.

Laws related to data privacy enforcement have been enacted by several states, including Massachusetts and Nevada thus far, and numerous other states are considering similar laws. Mr. Worthen notes that:

“While it isn’t clear if state authorities intend to crack down on mom-and-pop businesses — the attorney general in Massachusetts is still developing an enforcement policy, a spokeswoman said — the laws establish a liability that could be used in civil suits against businesses following a data breach, privacy lawyers said.”

Over 40 US states have already enacted breach notification laws that spell out an organization’s obligation to notify individuals who may be affected by a loss of data (a data breach). These new laws are intended to address how companies are required to protect personal information in the first place.

While existing Red Flag rules require financial institutions to take certain measures to protect the personal information of account holders, they do not cover the broader base of businesses and government organizations that also maintain databases containing personal information on employees, customers, vendors and the like.

As noted by Daniel Crane, undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation, “Breach notification laws deal with what happens after the horse leaves the barn.” The new regulation in his state “is intended to prevent the horse from getting out of the barn in the first place.”

Reduce the Impact of a Data Breach

October 4, 2008 – 12:28 am

by Doug Pollack

“Thirty-one percent of customers—nearly one-third of a company’s client base and revenue source—are terminating their relationship with organizations following a data breach, according to a recent study by the Ponemon Institute.”

Rick Kam, president of ID Experts, provides guidance in a recently published CSO Magazine article titled “How to Minimize the Impact of a Data Breach” on best practices that should be adopted by companies and organizations that hold personal data on their customers, employees and suppliers.

Mr. Kam lays out seven key strategies for a successful data breach response.

  1. Create a response plan or review your current one. Have a thought-out and actionable plan in place so your post-breach response can be as effective as possible. This is not the time to play Russian roulette with the 31 percent of your customer base who are ready to walk away. For generations, the Boy Scouts have said it best with their motto: Be Prepared.
  2. Deliver timely and forthright notification. Large delays in notification signal to your customers that you are hiding something and/or they are not important to you, despite some realities that it takes time to assess the impact of a breach. Although it may not be possible to notify customers within a week, or even several weeks following a breach, your goal should be to notify them as soon as possible, with what reasonable information you can divulge at that time.
  3. Provide complete and believable information. For many of your customers, a breach itself will be enough reason for them to walk. But for others, the quality of information you provide will be the key determinant in their decision to stay. Within your notification, be sure to provide your customers with clear and concise information about the breach, including specific details on how the breach will affect them. Is their personal information in the hands of identity thieves? Do they have to close their credit card accounts?
  4. Develop your messaging, then rethink it. And rethink it again. Many respondents in the Ponemon study found communications to be unbelievable or misleading, failing to reduce their fears about potential harms they faced because of a breach. Even if you are being factual, think of how you are stating those facts. Notification letters and public communication about the breach are crucial in determining customers’ reactions, and you must carefully teeter the fine line in your communications between being firm yet friendly, and concerned yet in control and taking responsibility.
  5. Act as an educator. Although you are the bearer of bad news, you also have the opportunity to be the bearer of solutions. Lay out for your customers the “next steps” they can or need to take after they are notified. Include information, phone numbers and Web sites on freezing credit files, getting free credit reports and other tips customers might want to know and follow. At little or no cost to your organization, acting as an educator will not only help your customers recover from the incident, but maintain your organization as a trusted source.
  6. Consider offering free or subsidized identity protection services. Offering identity protection services has proven to have a positive effect on customer retention, and in many cases, offering such services is more affordable than new customer acquisition strategies. Individuals who receive free or subsidized services, such as credit monitoring, identity theft insurance or identity recovery services, feel less concerned and worried about the breach after it happens. Similarly, customers who receive these services are also less likely to terminate, or consider terminating, their relationship with your company.

It is surprising how few companies, even those in the Fortune 500, have well-crafted data breach response plans that cover all of the line functions essential to an effective response. These typically include the IT and security teams, but also privacy, legal, marketing, finance, product management and customer support. A response to a data breach event that is incomplete or poorly integrated can and does cost companies significantly in terms of lost customers and a tarnished brand.

Countrywide Breach Affects Millions

September 15, 2008 – 6:41 pm


by Doug Pollack

The Los Angeles Times last week reported that “Mortgage firm Countrywide, in response to alleged data breach, offers free credit monitoring.” They report that personal information, including social security numbers, had been stolen from over 2 million Countrywide mortgage applicants over a period of some two years.

This situation highlights the risks to financial services firms, with whom consumers regularly share their most personal and sensitive information. In this case, a Countrywide employee was alleged to have accessed the company’s computer systems to acquire applicant information and sell it to mortgage brokers and others.

The article also notes that:

“Two Countrywide customers sued the lender and its parent company last month in U.S. District Court in Los Angeles, accusing Countrywide and Bank of America of failing to protect customers’ sensitive information. The suit asks that it be certified as a class action.”

The potential for this type of litigation is beginning to motivate other firms that experience data breaches to provide a broader set of services to the potential victims of their breach, including insurance and identity theft restoration services. This can enable such an organization to minimize the harm to its consumers while giving them comfort that the organization is doing everything possible to help them.

Consumer Affairs has already received complaints from individuals affected by the breach who appear to be very dissatisfied with the response from Countrywide. “They offered to fix the situation by providing me a two year free subscription to ConsumerInfo.com, which is one of their vendors,” said Michael from Sicklerville, New Jersey. “I find this to be insufficient, and wonder if I can take any legal action against them.”

A recent study by the Ponemon Institute titled “Consumers’ Report Card on Data Breach Notification” notes that around a third of customers that receive a data breach notification letter plan to terminate their business relationship with their provider. They note that companies that have a breach and then notify their customers could do a much better job in addressing the real and perceived fears that people have associated with identity theft.

DataLossDB Site Beta

August 7, 2008 – 5:33 pm

by Doug Pollack

The Attrition.org site has now re-emerged as DataLossDB. Their mission is described as follows on their site:

“DataLossDB, formerly the Attrition.org Data Loss Database Open Source, is a research project aimed at documenting known and reported data loss incidents world-wide. The effort is now a community one, with the move to OSF, and relies on the contributions of users like you to grow and prune the database.”

This is a terrific new resource that will help ensure that the size and scope of data breach events, as well as the number of individuals who may be impacted, is made public and generally available.

Phishers Upgrade to Vishing: Phone Scams Target Your Identity

August 4, 2008 – 7:01 pm

By Rebecca Seaman

By now, most savvy consumers are aware of phishing scams: emails supposedly sent from one of the entities we do business with, asking us to verify our personal information by clicking on a link in the body of the email. We know that if our creditors or banking institutions need to correspond with us, they will usually initiate contact by sending us a letter or, occasionally, by calling us.

To keep up with consumers’ increasing awareness of phishing scams, thieves have now gotten more technical. Leslie Hunt for Bankrate.com describes the latest ploy, known as ‘vishing’: scammers send an email that appears legitimate asking a consumer to contact their banking institution at a number listed in the email. Voice over IP (VoIP) technology makes it easy for a scammer to set up new phone numbers quickly, with any area code, and the calls are often automated. For example, a recent scam targeting PayPal users directed consumers to call a number that simply stated “Welcome to account verification. Please enter your 16-digit card number.” The thief is then able to glean the account information from the consumer, and the rest is history.

The reality is, the entities we do business with are very vigilant about the safety of their customers’ personal information, and would never send an email asking consumers to contact them. If necessary, they will contact the consumer directly, sometimes over the phone. That being said, some vishers are cold calling customers while masquerading as legitimate companies. For more details, see this Bankrate.com article in MSN Money.

So how do we know whether or not to trust a phone call from what appears to be a legitimate source? Jim Stickley, the Chief Technology Officer for TraceSecurity, a security compliance software firm, recommends just hanging up if someone who claims to be from your bank calls. Then, call the bank directly. “Use the number on the back of your cards,” he says. “If the call was legitimate, the bank would know that number, too.”

If you find out your bank, creditor or escrow service didn’t contact you, notify them, as well as the Internet Crime Complaint Center and the Federal Trade Commission. Forward the e-mail to spam@uce.gov. Visit the FTC’s identity theft Web site if you’ve responded to a vishing e-mail.

Senate Passes Stricter Identity Theft Legislation

August 1, 2008 – 8:26 pm


By Rebecca Seaman

A modified bill that would allow victims of ID theft to recoup costs in federal court, and which would impose harsher penalties for cyberattacks, passed in the Senate this week. The bill, known as the Identity Theft Enforcement and Restitution Act, still needs to be approved by the House, but is a much needed step in the right direction to further protect consumers. More details are available in the July 31 article from SC Magazine.

Interestingly, the bill would make it a felony to use malware such as keyloggers and spyware to damage more than 10 computers, regardless of the extent of the damage. Previously, attacks resulting in less than $5,000 worth of damage were classified only as misdemeanors.

Patrick Leahy (D-VT), a co-sponsor of the bill said in a statement released Thursday: “The Senate’s action moves us in the right direction to provide critical tools to combat cybercrime and to protect the privacy of all Americans. I hope the leadership in the House will quickly act to pass this legislation and send it to the president for signature.”

The incidence of identity theft perpetrated through cybercrime is a fast growing epidemic, and legislation such as this is a great initiative to protect consumers from these crimes. However, it’s important that these bills move quickly through Congress if they are going to keep up with scammers’ increasingly sophisticated attacks. Hopefully, this bill and others like it will move rapidly. Stay tuned.

Data breaches up 69 percent this year; businesses account for one third

July 10, 2008 – 11:50 pm

By Rebecca Seaman

Data breaches are on the rise, despite preventative measures such as state notification laws. Specifically, the Washington Post reports that data breaches reported by businesses, governments and universities are up 69 percent this year. Businesses alone accounted for a 27 percent increase in breaches, or one third of all those reported.

This may not be as alarming a trend as it may appear on the surface. In fact, it may be that businesses are simply more aware of breaches now that they know what to look for and have a better understanding of how breaches occur. Likewise, with the implementation of state notification laws, businesses may feel more compelled to report a breach than they were in the past.

Linda Foley, founder of the Identity Theft Resource Center, a nonprofit organization in San Diego, points out that “Part of this may be that organizations are finding out about more breaches because they’re really starting to look for them. The other part is that companies are coming forward because they want to control the flow and spin of the disclosure.”

Regardless of how these breaches are occurring, businesses need to remain vigilant in preventing a breach, rather than focusing on damage control once a breach has occurred. Lost or stolen laptops remain the largest reported cause of business-related breaches. They account for 20 percent of all reported cases, while hacking was the least cited. In other words, these breaches were largely preventable. By making breach prevention a matter of policy (for example, evaluating risk and implementing strict cyber-security rules), businesses are less likely to experience a breach, and better prepared to manage one that does occur.