Archive for January, 2014

A Wall Street analyst projects the Target data breach could cost the retailer $1 billion in fines after at least 10 percent of bank cards used at Target appeared to indicate fraudulent activity.

Daniel Binder, an analyst at global investment banking firm Jefferies, said approximately 5 million of the 40 million credit and debit cards exposed during a data breach at Target stores nationwide could have been used for fraud. This number is based on a major banking institution saying between 10 and 15 percent of cards affected by the breach had fraudulent activity.

"We could ultimately see 4.8 (million) to 7.2 million cards with fraudulent activity, and this is out of the 40 million cards that were captured in the data breach," Binder wrote in a note to clients, according to Pioneer Press. 

One of the victims of the breach, Texas dermatologist Lauren Campbell, told a local news station that someone else applied for new lines of credit using her identity.

Spokeswoman Molly Snyder said the retailer has not given an estimate of how much the breach will cost Target.

Banks Pay Millions to Reissue Cards
Snyder said the retailer has not had reports of fraud using Target REDcards, which include both credit and debit cards. Snyder did confirm that Target Visa cards have experienced "very low levels of additional fraud." She did not give more details of any instances of fraud reported by banks.

The data breach does not only impact Target and the retail industry as a whole. The spillover of the massive data breach also impacts the banking and financial services sector due to the millions of bank cards at risk for fraud. Recently, the Consumer Bankers Association said the banks could pay hundreds of millions of dollars to distribute new cards, which could stretch into the billions. Banks have spent more than $153 million issuing 15.3 million new credit and debit cards to customers.

The last major retailer to suffer a similar data breach was TJX Companies, which owns T.J. Maxx and Marshalls stores, in 2007. The company was forced to pay $64 million or more in settlements, with $40 million going toward banks and payment providers.

"I cannot think of another breach where one out of three Americans were affected," said Richard Hunt, head of the Consumer Bankers Association. "[Target has] been silent since their first and only response to this. They've been hiding behind the retail trade associations."

Mark McCurley is information security advisor at IDT911 Consulting.


Son of a breach, two more security incidents are making headlines: Coca-Cola Co. and Michaels Stores Inc.

That means we’re looking at four major data loss events in the past month alone—three at national retailers, including Target and Neiman Marcus.

Companies can learn from how other organizations respond to a data breach, for better or worse. Here are key takeaways for businesses that want to protect themselves from similar disasters.


When hospitals find themselves in the middle of a breach, they usually prioritize improving their security to prevent further security breach incidents. In addition to defending themselves against data breaches, health systems also need to find the right balance to adequately protect their patients' privacy. Since medical information is stored digitally, patients may not be fully aware of how crucial it is to protect their data from being seen by unauthorized persons. Some privacy breaches may be avoidable, and learning from these mistakes is essential for health systems to maintain the security of sensitive patient information.

Here are three reasons why patient security may be lacking at health organizations:

1. Privacy Is Put on the Back Burner
When health IT systems are built, ensuring patient privacy is usually not at the forefront of designers' and engineers' minds, according to Healthcare IT News. These IT experts usually put system functions ahead of privacy, which could result in poor privacy protection later down the road. Some developers may also leave out privacy features altogether, which could put patient information at risk of being compromised.

2. Human Error May Breach Privacy Protection
In a recent report, psychiatric facilities in Texas suffered a string of data breaches, but the majority of them were caused by human error. Dr. Deborah Peel, the Austin founder of watchdog group Patient Privacy Rights, said repeated data breach incidents could lead patients to question whether their information is secure, which could cultivate distrust among patients.

"Our patients deserve privacy and expect that their information is kept confidential," said Christine Mann, spokeswoman for the Texas Department of State Health Services, which oversees the hospitals. "We're doing everything we can to figure out what happened and how to address it."

3. Organizations Don't Prepare for Insider Data Breaches
While health systems may report cyberattacks, they are also susceptible to data breaches caused by employees. One of the data breaches reported in Texas' Big Spring State Hospital in the past six months was the result of an insider data breach. A former nursing assistant stole the information of about 50 patients, including their names and other medical information.

"I feel like I can't trust the hospital anymore, not with anything personal," said James Boucher, one of Big Spring's patients impacted by the breach. "I don't even know where the records have been."

By now, most of us know that when surfing the Web we shouldn’t click on ads promising us new ways to lose weight without dieting, read emails about magic pills to boost our “egos” or even click on Twitter links about the “shocking” pictures some friend supposedly found of us online.  That is, we know not to do those things from our computers. And hackers and cybercriminals know we know this, too. That’s why they’re targeting our smartphones.

A study by Trend Micro suggests that there are nearly 750,000 malware apps for Android users alone — and that’s just apps. A security company called Bitdefender documented a nearly 300% rise in Android-focused malware in 2013, though that’s not limited to apps. And a Cisco security study issued last week showed that 99% of all the mobile malware out there targets Android users, noting that fully 71% of Android users encounter some form of malware, either through apps, email phishing, “smishing” (the use of text messages to distribute malware) or other forms of social engineering.


Following a string of high-profile data breaches in the retail industry, the FBI has alerted retailers to brace for even more cyberattacks this year. The FBI said the same malware that exposed the information of about 110 million Target customers was also used for an estimated 20 other hacking attempts in 2013. The federal law enforcement agency said malware designed to infect point of sale systems, such as machines to swipe credit cards, puts retailers at risk for confidential data breaches.

The FBI warns retail stores that cybercrimes involving malware infections are likely to increase, and they may even thwart IT security firm defenses. 

"The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors," the FBI said, according to Reuters.

The Rise of Malware Against Retailers
Malicious software was also used to steal information from nearly 1.1 million customers who shopped at Neiman Marcus stores. While the high-end retailer said the cyberattack does not appear to be connected to the data breach incident that happened to Target, The Washington Post notes that they are similar. Karen Katz, the president and chief executive of Neiman Marcus Group, admitted that malware was responsible for the data breach that exposed customer credit and debit card information between July – which is almost six months before the retailer confirmed there had been an attack – and October 2013.

The FBI report said that the advanced methods used for these attacks could lead to data breaches being undetected. The FBI also stated that cybercriminals are profiting off black marketplaces for malware, and since intruders are motivated by the money gained from targeting luxury retailers like Neiman Marcus, these attacks will only become more sophisticated.

While IT organizations will try to detect data breaches early on, the National Retail Federation, a retail trade association, encouraged firms to be on the lookout for cyberthreats. 

"Retailers have been and remain vigilant in their efforts to provide the highest level of security for their data systems in order to protect against malicious and criminal acts," NRF Vice President Tom Litchford said in a statement. "As the criminal investigation continues and more information becomes available, you can be sure that the retail industry will be responsive and engaged to ensure this particular cyber-attack does not happen again."

Mark McCurley is information security advisor at IDT911 Consulting.

Tax efile

E-filing your tax return is a quick and easy method preferred by the IRS—and scammers, too.

With a computer and your personal information—name, address, birth date and Social Security number—criminals can e-file a fraudulent tax return to claim your refund. Already netting scammers billions in bogus refunds, it’s a crime that’s high

By electronically filing tax returns that indicate an entitled refund, identity thieves need no W-2s or other tax forms, just the personal identifiers of legitimate taxpayers. Refunds for e-file returns are typically issued within 21 days of IRS receipt, although it can take several months for the IRS to actually receive and “document-match” tax-related paperwork such as employer-provided W-2s and 1099s with claims made on a tax return.


SMB Spotlight
Employees at a fast-growing national company came to work one day to find a daunting message on their computer screens. The company’s network had been hijacked and was being held for ransom. Management faced a tough decision: Should they pay the ransom?

Unfortunately, this is a true and increasingly common story. Nearly half of all targeted attacks were aimed at businesses with fewer than 2,500 employees in 2012, according to the Symantec Intelligence Report. And 31 percent hit firms with fewer than 250 employees.

SMBs are prime targets for hackers because they can be rich sources of information, such as employee personal and financial data. They typically lack a security budget, resources and expertise to protect that data, creating a side door for hackers to gain entry into larger companies. And their websites are often insecure, leaving them vulnerable to attacks like the one mentioned in our example. In the event of an attack, SMBs can face legal action and liabilities for failing to protect key data.

Companies don’t need to break the bank to secure their systems, however. Here are five important steps SMBs can take right now:


Hacking groups that have politically-charged motives for disrupting normal operations of high-profile targets are constantly changing their cyberattack strategy. These evolving hacking methods make it difficult for IT security professionals to keep up and adequately protect organizations against their attacks. Cybersecurity firms will have to be on guard after a newly released report by threat intelligence company CrowdStrike showed that one of the events cybercriminals may look forward to interrupting is the 2014 Winter Olympics held in Sochi, Russia.

As an international event that will draw in skilled athletes to compete and millions of viewers from around the world hoping to cheer on their national teams, cybercriminals could try to launch strategic Web compromises (SWCs) against the winter games. These hacking groups may be motivated politically in their attacks, which could involve spreading malware infections through phishing emails. One of the most notorious hacking groups that target well-known companies and websites for political gain is the Syrian Electronic Army. The group, which supports Syrian President Bashar al-Assad, made headlines in 2013 after taking over the social media accounts of reputable news organizations, including Reuters.

Cybercriminals Changing Up Strategy
In modifying their strategy, cybercriminals could go after third-party devices and accounts, rather than attacking the servers that are directly involved with major events, like the Olympics. Other events that could also be hit with cyberattacks include the World Cup, also taking place this year, and the G20 Summit, according to CrowdStrike.

"Expect to see adversaries targeting third-party vendors [in 2014] in an attempt to compromise the ultimate target," the report stated. "Third-party vendors often have less-robust security than their larger customers, and their networks offer an avenue through which those customers can be compromised."

Despite the challenges that cybersecurity firms must face with politically-motivated cyberattacks, CrowdStrike co-founder and chief technology officer Dmitri Alperovitch said they will have to be prepared for attacks in the future.

"One of the things we tried to do with this report is to look forward at potential future attacks, rather than just looking back at the year," Alperovitch said. "With good threat intelligence, every organization should be able to do predictive analytics based on its history and the history of security events. If you know what your attacker did last year, you can get a sense for what he might do this year."

At around the same time, two large retailers, Target and Neiman Marcus, both announced they were hit with data breaches. Cyberattackers managed to get their hands on the credit and debit card information of about 40 million Target customers and the personal data of 70 million more. Neiman Marcus, however, did not disclose the scope of its recent data breach. While the two corporations were in the crossfire from both former customers and the media, some IT security experts disagreed on whether the security breaches were actually linked.

Retail Breaches Connected By Malware?
Israel-based cybersecurity firm Seculert, which focuses on advanced persistent threats, believed the Target breach and the one experienced by Neiman Marcus were not connected. Recent information from security firm IntelCrawler showed that a 17-year-old hacker from Russia may be the one responsible for one of the malware threats that left millions of Target customers vulnerable.

The teenager created the malware, known as BlackPOS, that was then sold to other hackers. The point of sale systems used by Target were infected with this malware, which allowed cybercriminals to access Target customer bank card information.

A spokeswoman for Neiman Marcus confirmed its systems were also infected with BlackPOS. The spokeswoman said its systems were vulnerable to infection because the credit card terminals used in stores had weak passwords.

Retailers Still in Danger of Cyberattacks
While the source of the data breach stemmed from the malware infection, IT security experts have said the threat to retailers has not stopped, but could morph into something new for cybercriminals to use.

"Once [the malware is] identified, then the security community can rally around it and put controls in place," SecureState CEO Ken Stasiak said, according to CNN. "But the problem is, the hackers know that. And they manipulate or mutate this malware, and then reuse it."

The consequences of a major data breach are apparent as both retailers are being sued by not only customers, but banks. More customers could also be in danger of having fraudulent charges on their accounts. While the class-action lawsuit filed against Neiman Marcus lists the dates of the data breach from mid-December in 2013, to Jan. 1, 2014, cyberattackers were actually obtaining information as early as July.

With big-name breaches potentially exposing massive amounts of consumer data, some lawmakers have urged improved retail cybersecurity.

"We have been advocates for data security and breach notification legislation that would better protect consumers and improve corporate responsibility," Democratic U.S. Sens. Claire McCaskill of Missouri and Jay Rockefeller of West Virginia wrote. "Target's recent incident demonstrates the need for such federal legislation."

How would you cope if the tax refund you were counting on, and were counting the days until you received, just never showed up? How freaked out would you be if you found that it was sent to another address instead? How angry would you be if you received a notice a couple weeks after filing from the IRS, that not only didn’t include your refund but also demanded that you fork over additional taxes for supposedly failing to properly document income attributed to your Social Security number but from some employer you had never even heard of?

That is what people every day have to deal with when they are caught up in the nightmare of tax-related identity theft — a crime that is rapidly reaching epidemic proportions. It jeopardizes the financial future of millions of Americans, robs the Treasury of billions of dollars and can be just the first indication to victims that their lives are about to be turned upside down by thieves (and inside out by the government and newly-discovered creditors).

There were more instances of tax ID theft uncovered in the first six months of 2013 (1.6 million) than in all of 2012 (1.2 million), and IRS criminal investigations are up 66% since then. In that period of time, the IRS stopped 14.6 million suspicious returns from being processed and refused to distribute $50 billion in fraudulent refunds – and that’s just a drop in the bucket of what American taxpayers are really facing.