Third Parties in Data Breaches

February 13, 2009 – 10:33 pm

by Doug Pollack

The VA announced this week that it will pay up to $20 million to veterans whose personal information was exposed in 2006 when a laptop was lost by an employee of Unisys, a government contractor that was handling claims processing for the department.

USA Today reported that although the laptop was later recovered, it held personal information, including Social Security numbers, on more than 26 million veterans and active-duty troops. The incident exemplifies a growing trend: almost half of the data breaches reported in 2008 were caused by so-called “third parties”, the outside information agencies, facilities, integrators and consultants who are entrusted with personal data by their corporate and government clients.

Given this trend, organizations must look harder at how they certify and validate the security and privacy practices of the third parties to whom they entrust information on their customers, patients and constituents. A contractual promise of compliance is not the same as evidence that specific controls, such as encryption of any portable device that leaves the building with personal data on it, are actually in place.

Data Breach Causes Shareholder Value Decline

January 30, 2009 – 7:15 pm

by Doug Pollack

This past week, Heartland Payment Systems (HPY) announced that a system it uses to process over 100 million payment card transactions per month had been hacked during 2008 and that intruders may have had access to cardholders’ personal information for several months.

USA Today’s article on the topic, titled “Hackers breach Heartland Payment credit card system”, notes that “Heartland’s disclosure coincides with reports of heightened criminal activities involving stolen payment card numbers. Security firm CardCops has been tracking a 20% year-over-year increase in Internet chat room activity where hackers test batches of payment card numbers to make sure that they’re active.”

Experts suggest this may be the largest data breach in history, possibly larger than the infamous TJX breach that exposed 94 million customer records in 2007. As of now, Heartland does not know how many cardholders were affected, but has said it will notify them once it has sorted this out.

This breach is a perfect illustration of how an organization may believe itself “secure” because it complies with the relevant security and privacy regulations. Heartland had been assessed as compliant with PCI DSS, the Payment Card Industry Data Security Standard that Visa and MasterCard require of card processors, but that assessment obviously was not sufficient to ensure cardholder data was safeguarded. A compliance assessment is a point-in-time snapshot against a defined checklist; passing it says nothing about an intruder who is already inside the network on the day it is signed off.

Most organizations that hold PII (personally identifiable information) on their customers already make significant security investments and comply with numerous regulations and standards, so the open question is evidently not whether to invest, but how best to prevent the breach of PII specifically.

The business impact of this type of data breach is now becoming obvious. Heartland lost over $180MM in shareholder value, more than 35%, in the five days following the public announcement of the breach. With the potential for this kind of decline in market value, companies must begin to look harder at measures that are specifically targeted at preventing data breaches.

FTC Report on Social Security Numbers and their Relationship to Identity Theft

January 8, 2009 – 11:37 pm

by Doug Pollack

The FTC released a report last month titled “Security in Numbers — SSNs and Identity Theft” that delves into the linkage between how we are asked to use our Social Security number for identification and authentication, and the implications for subsequent identity theft. It notes that identity theft continues to be a major issue with severe economic consequences in America.

“Identity theft continues to be a major problem in this country, with victims numbering in the millions each year and out-of-pocket losses (primarily to businesses) in the billions of dollars.”

The thrust of the report, however, is how best to change the way organizations use, and require you to use, your Social Security number, in order to limit the risk of data breach and identity theft.

“There is a broad consensus that the use of the SSN as an identifier is often beneficial, but that its use as an authenticator – as proof of identity – is problematic. Identifiers are effective only when they are widely shared. One’s name, for example, is widely known and generally effective as an identifier, although in many cases its lack of permanence or uniqueness prevents it from being useful as an identifier. Authenticators, on the other hand, are effective only when they are secret and thus not widely known. According to commenters and workshop participants, SSNs do not function well as authenticators because they are used commonly as identifiers and thus are widely available.”

In today’s environment, the idea of expanding government regulation to provide greater privacy and security for Americans is likely to find a more positive reception, given the recent problems that have resulted from poor oversight in the financial markets. The recommendations of this report (below), specifically the establishment of authentication standards for businesses that hold our personal data, represent a terrific path toward protecting our identities from theft and misuse. The practical consequence for anyone designing a customer-facing system is that an SSN may be used to look a record up, but a match on it should never be what grants access: authentication needs a separate secret or second factor that the customer does not routinely hand over to every other organization they deal with.

“The Commission believes that a number of actions could be taken to reduce the role of SSNs in identity theft, with emphasis on reducing the demand for SSNs by minimizing their value to identity thieves through improved authentication processes. Most importantly, the Commission recommends that Congress consider establishing national authentication standards for businesses that have consumer accounts and are not already subject to authentication requirements from other federal agencies.”

Peer to peer networks create enterprise data leakage risk

December 2, 2008 – 11:36 pm

by Doug Pollack

Today’s article by Ben Worthen in the Wall Street Journal highlights an unexpected risk to an organization’s data security. While many companies do not sanction the use of peer-to-peer file-sharing software by employees, the article describes the risk of a data breach when employees work on business files on a home PC.

A letter from Senator Joe Biden that was reviewed by the Journal notes that “files containing the personal identifying information of nearly 24,000 US soldiers” were made publicly accessible via a peer-to-peer file sharing network. The information included “the full names and social security numbers” of the soldiers.

While it isn’t known exactly how the files were exposed, one plausible path is that files copied from a work PC onto a home PC landed in a folder that a file-sharing application such as LimeWire or BitTorrent was configured to share, making them retrievable by anyone searching the network. Businesses are becoming more aware of the risks of peer-to-peer networks: a recent Ponemon Institute study found that, among the security professionals who cited it, peer-to-peer file-sharing software was considered the single greatest threat.

Removable media such as thumb drives have become almost ubiquitous within corporations, and they pose a special class of data breach threat now that employees spend more of their time working outside their primary workplace, on computers that are not covered by their organization’s information security controls.
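The exposure described above is easy to check for on the machines an organization does control. The following is an added example, not code from the article or from any of the vendors it mentions: a small scanner that walks a directory (the kind of folder a file-sharing client or a thumb drive exposes) and reports files containing Social Security numbers. It rejects the number ranges the Social Security Administration never issues so that order numbers and phone fragments are not flagged. The directory layout, file names and SSN values are constructed for the demonstration.

```python
import os
import re
import tempfile

# US SSN shape: AAA-GG-SSSS. Leaked spreadsheets often drop the dashes, so they are optional.
# The surrounding \b stops the pattern matching inside longer digit runs (account or phone numbers).
SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Structural validity: SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def count_ssns(text: str) -> int:
    """Number of structurally valid SSNs found in a piece of text."""
    return sum(1 for m in SSN_RE.finditer(text) if looks_like_ssn(*m.groups()))


def scan_share(root: str, threshold: int = 1):
    """Walk a shared folder and return [(path relative to root, ssn_count)] for files
    containing at least `threshold` SSNs. Unreadable files are skipped, not fatal."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            n = count_ssns(text)
            if n >= threshold:
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), n))
    return sorted(hits)


def build_sample_share() -> str:
    """Create a constructed 'shared folder' in a temp directory and return its path.
    Contents are invented for the example: one roster with real-looking SSNs,
    one file with numbers that only resemble SSNs, one harmless file."""
    root = tempfile.mkdtemp(prefix="p2p_share_")
    os.makedirs(os.path.join(root, "finance"))
    samples = {
        "finance/roster.csv": "name,ssn,unit\nA. Example,123-45-6789,Alpha\n"
                              "B. Example,321-54-9876,Bravo\nC. Example,666-12-3456,Charlie\n",
        "orders.txt": "Order 000-12-3456 shipped. Questions? Call 555-123-4567.\n",
        "readme.txt": "Nothing sensitive here.\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for path, n in scan_share(share):
        print(f"{path}: {n} SSN(s)")
```

Running it on the constructed share reports only `finance/roster.csv` (two valid SSNs; the 666 row is discarded), while the order number and the phone number in `orders.txt` are ignored. The same `scan_share` call pointed at a file-sharing client’s shared folder, or at a mounted thumb drive, is the check an endpoint agent or a periodic job would perform.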

Stock Market Woes Result in Increased Cyber Attacks

October 29, 2008 – 12:20 am

by Doug Pollack

During this period of economic uncertainty and financial decline, there appears to be a concurrent increase in cyber attacks using malware.

The Wall Street Journal reported recently that:

“Ever since the start of September, when the financial crisis hit in earnest, something odd has happened on the days the stock market experienced its biggest losses: The number of new pieces of malware detected has spiked. On the days when the market gains, the amount of malware detected drops. It’s happened eight times over the last month. ”

Investors and traders need to be particularly wary during this time of financial turbulence, especially when logging on to their brokerage and trading accounts or acting on any email that appears to come from those institutions.

New Data Privacy Laws

October 17, 2008 – 7:36 pm

by Doug Pollack

This week Ben Worthen of the Wall Street Journal published an article titled “New Data Privacy Laws Set for Firms” describing new laws that will affect businesses of all shapes and sizes in terms of how they protect the personal information of their customers and clients.

Laws on data privacy enforcement have been enacted by several states, including Massachusetts and Nevada so far, and numerous other states are considering similar laws. Mr. Worthen notes that:

“While it isn’t clear if state authorities intend to crack down on mom-and-pop businesses — the attorney general in Massachusetts is still developing an enforcement policy, a spokeswoman said — the laws establish a liability that could be used in civil suits against businesses following a data breach, privacy lawyers said.”

More than 40 US states have already enacted breach notification laws that set out an organization’s obligation to notify individuals who may be affected by a loss of data. The new laws go further: they specify how companies are required to protect personal information in the first place.

While the existing Red Flags rules require financial institutions to take certain measures to protect the personal information of account holders, they do not cover the broader base of businesses and government organizations that also maintain databases containing personal information on employees, customers, vendors and the like.

As Daniel Crane, undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation, put it: “Breach notification laws deal with what happens after the horse leaves the barn.” The new regulation in his state “is intended to prevent the horse from getting out of the barn in the first place.”

Reduce the Impact of a Data Breach

October 4, 2008 – 12:28 am

by Doug Pollack

“Thirty-one percent of customers—nearly one-third of a company’s client base and revenue source—are terminating their relationship with organizations following a data breach, according to a recent study by the Ponemon Institute.”

Rick Kam, president of ID Experts, provides guidance in a recently published CSO Magazine article titled “How to Minimize the Impact of a Data Breach” on best practices that should be adopted by companies and organizations that hold personal data on their customers, employees and suppliers.

Mr. Kam lays out seven key strategies for a successful data breach response; six of them are reproduced below.

  1. Create a response plan or review your current one. Have a thought-out and actionable plan in place so your post-breach response can be as effective as possible. This is no time to play Russian roulette with the 31 percent of your customer base who are ready to walk away. For generations, the Boy Scouts have said it best with their motto: Be Prepared.
  2. Deliver timely and forthright notification. Large delays in notification signal to your customers that you are hiding something and/or they are not important to you, despite some realities that it takes time to assess the impact of a breach. Although it may not be possible to notify customers within a week, or even several weeks following a breach, your goal should be to notify them as soon as possible, with what reasonable information you can divulge at that time.
  3. Provide complete and believable information. For many of your customers, a breach itself will be enough reason for them to walk. But for others, the quality of information you provide will be the key determinant in their decision to stay. Within your notification, be sure to provide your customers with clear and concise information about the breach, including specific details on how the breach will affect them. Is their personal information in the hands of identity thieves? Do they have to close their credit card accounts?
  4. Develop your messaging, then rethink it. And rethink it again. Many respondents in the Ponemon study found communications to be unbelievable or misleading, failing to reduce their fears about potential harms they faced because of a breach. Even if you are being factual, think of how you are stating those facts. Notification letters and public communication about the breach are crucial in determining customers’ reactions, and you must carefully teeter the fine line in your communications between being firm yet friendly, and concerned yet in control and taking responsibility.
  5. Act as an educator. Although you are the bearer of bad news, you also have the opportunity to be the bearer of solutions. Lay out for your customers the “next steps” they can or need to take after they are notified. Include information, phone numbers and Web sites on freezing credit files, getting free credit reports and other tips customers might want to know and follow. At little or no cost to your organization, acting as an educator will not only help your customers recover from the incident, but maintain your organization as a trusted source.
  6. Consider offering free or subsidized identity protection services. Offering identity protection services has proven to have a positive effect on customer retention, and in many cases, offering such services is more affordable than new customer acquisition strategies. Individuals who receive free or subsidized services, such as credit monitoring, identity theft insurance or identity recovery services, feel less concerned and worried about the breach after it happens. Similarly, customers who receive these services are also less likely to terminate, or consider terminating, their relationship with your company.

It is surprising how few companies, even those in the Fortune 500, have well-crafted data breach response plans that cover all of the line functions essential to an effective response. These will typically include the IT and security teams, but also privacy, legal, marketing, finance, product management and customer support. Lack of a complete and integrated response to a data breach can and does cost companies significantly in lost customers and a tarnished brand.

Countrywide Breach Affects Millions

September 15, 2008 – 6:41 pm

by Doug Pollack

The Los Angeles Times last week reported that “Mortgage firm Countrywide, in response to alleged data breach, offers free credit monitoring.” The paper reports that personal information, including Social Security numbers, was stolen from more than 2 million Countrywide mortgage applicants over a period of some two years.

This situation highlights the risks to financial services firms, with whom consumers regularly share their most personal and sensitive information. In this case, a Countrywide employee was alleged to have accessed the company’s computer systems to acquire applicant information and sell it to mortgage brokers and others. This is an insider with legitimate access rather than an outside attacker, so perimeter defenses do little; catching it depends on watching for unusual volumes or patterns of record access by individual users.

The article also notes that:

“Two Countrywide customers sued the lender and its parent company last month in U.S. District Court in Los Angeles, accusing Countrywide and Bank of America of failing to protect customers’ sensitive information. The suit asks that it be certified as a class action.”

The potential for this type of litigation is beginning to motivate other firms that experience data breaches to provide a broader set of services to the potential victims, including insurance and identity theft restoration services. This can help such an organization minimize the damage to its consumers while reassuring them that it is doing everything possible to help.

Consumer Affairs has already received complaints from individuals affected by the breach who appear to be very dissatisfied with the response from Countrywide. “They offered to fix the situation by providing me a two year free subscription to ConsumerInfo.com, which is one of their vendors,” said Michael from Sicklerville, New Jersey. “I find this to be insufficient, and wonder if I can take any legal action against them.”

A recent study by the Ponemon Institute titled “Consumers’ Report Card on Data Breach Notification” notes that around a third of customers that receive a data breach notification letter plan to terminate their business relationship with their provider. They note that companies that have a breach and then notify their customers could do a much better job in addressing the real and perceived fears that people have associated with identity theft.

DataLossDB Site Beta

August 7, 2008 – 5:33 pm

by Doug Pollack

The Attrition.org Data Loss Database has now re-emerged as DataLossDB. Its mission is described as follows on the site:

“DataLossDB, formerly the Attrition.org Data Loss Database Open Source, is a research project aimed at documenting known and reported data loss incidents world-wide. The effort is now a community one, with the move to OSF, and relies on the contributions of users like you to grow and prune the database.”

This is a terrific new resource that will help ensure that the size and scope of data breach events, as well as those individuals that may be impacted, is made public and generally available.

Phishers Upgrade to Vishing: Phone Scams Target Your Identity

August 4, 2008 – 7:01 pm

By Rebecca Seaman

By now, most savvy consumers are aware of phishing scams: emails purportedly sent by one of the entities we do business with, asking us to verify our personal information by clicking on a link in the body of the email. We know that if our creditors or banking institutions need to correspond with us, they will usually initiate contact by sending us a letter or, occasionally, by calling us.

To keep up with consumers’ increasing awareness of phishing, thieves have gotten more technical. Leslie Hunt of Bankrate.com describes the latest ploy, known as ‘vishing’: scammers send an email that appears legitimate, asking the consumer to contact their bank at a phone number listed in the email. Voice over IP (VoIP) technology makes it easy for a scammer to set up new phone numbers quickly, with any area code, and the calls are often automated. For example, a recent scam targeting PayPal users directed consumers to call a number that simply announced “Welcome to account verification. Please enter your 16-digit card number.” The thief then harvests whatever account information the consumer keys in, and the rest is history.

The reality is that the entities we do business with are vigilant about the safety of their customers’ personal information, and a legitimate institution will not send an email asking you to call a number printed in that email and read back your card or account number. If necessary, it will contact the consumer directly, sometimes over the phone. That said, some vishers are cold-calling customers while masquerading as legitimate companies. For more details, see the Bankrate.com article in MSN Money.
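The tell in the emailed form of the scam is the callback number itself: it is not one the institution publishes. The following is an added example, not code from this article, Bankrate or any of the companies mentioned, showing how a mail filter can pull phone numbers out of a message body, normalize the many ways they are written, and flag any that are not on the institution’s published list. The institution name, its published numbers and the two sample emails are constructed for the demonstration.

```python
import re

# Matches US numbers written as 800-555-0100, (800) 555-0100, 800.555.0100, 1-800-555-0100,
# +1 800 555 0100. The lookbehind and trailing \b keep it from matching inside longer digit
# runs such as account numbers.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})\b"
)

# Constructed allowlist: the numbers the institution itself publishes (back of the card,
# statements, its own website). In practice this is maintained per brand being impersonated.
PUBLISHED_NUMBERS = {
    "Example Bank": {"8005550100", "8005550101"},
}


def phone_numbers_in(text: str) -> set:
    """All 10-digit numbers mentioned in the text, with punctuation and country code stripped."""
    return {"".join(m.groups()) for m in PHONE_RE.finditer(text)}


def unpublished_numbers(body: str, institution: str) -> list:
    """Numbers the message asks the reader to call that the named institution does not publish.
    A non-empty result is the vishing indicator; an empty one means every number checks out."""
    known = PUBLISHED_NUMBERS.get(institution, set())
    return sorted(phone_numbers_in(body) - known)


def is_suspected_vishing(body: str, institution: str) -> bool:
    """True when the message contains a callback number the institution does not publish."""
    return bool(unpublished_numbers(body, institution))


# Constructed sample messages, both claiming to come from "Example Bank".
LEGIT_EMAIL = (
    "Your monthly statement is ready to view online. "
    "Questions? Call us at 1-800-555-0100 or use the number on the back of your card."
)
VISHING_EMAIL = (
    "Unusual activity was detected on your account. To avoid suspension, call account "
    "verification at (800) 555-0199 within 24 hours and enter your 16-digit card number."
)

if __name__ == "__main__":
    for label, body in (("legit", LEGIT_EMAIL), ("vishing", VISHING_EMAIL)):
        print(label, "->", unpublished_numbers(body, "Example Bank"))
```

The legitimate message resolves entirely to published numbers; the vishing message yields `8005550199`, which is exactly the number a consumer should not dial. The check only works for institutions whose published numbers are known, so for an unknown brand the safe default is the advice below: hang up, and call the number on the back of the card.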

So how do we know whether or not to trust a phone call from what appears to be a legitimate source? Jim Stickley, the Chief Technology Officer for TraceSecurity, a security compliance software firm, recommends just hanging up if someone who claims to be from your bank calls. Then, call the bank directly. “Use the number on the back of your cards,” he says. “If the call was legitimate, the bank would know that number, too.”

If you find out that your bank, creditor or escrow service didn’t contact you, notify them, as well as the Internet Crime Complaint Center and the Federal Trade Commission. Forward the email to spam@uce.gov. Visit the FTC’s identity theft Web site if you have already responded to a vishing email.