Operation Emmental, cleverly named by Trend Micro to convey how full of holes online banking protections can be, is the latest threat affecting 34 banks and a yet-to-be-determined number of European consumers. While there has been considerable news coverage of this hacking scam in tech and cybersecurity circles, the story has not made it into the consciousness of mainstream America and probably wasn’t a topic of discussion at your dinner table last night. The article in the New York Times recently, didn’t make the top 20 most read online articles while “French Food Goes Down” and “What Writers Can learn from ‘Goodnight Moon’” did.
We deal with many cases of financial fraud and identity theft here at the Identity Theft Resource Center. Our full-time team of advisors provides phone support to callers with all kinds of stories. One type of fraud that is increasing in both frequency and severity is the sweetheart scam. A sweetheart scam happens when a criminal poses as a suitor who is romantically interested in the victim. As the online relationship progresses, the swindler begins to financially exploit the victim. In the past, criminals used personal ads and, with the invention of the Internet, email. Now, social networking and online dating sites are the platforms du jour.
The U.S. Department for Health and Human Services' Office for Civil Rights recently issued its annual report on data breaches that may have exposed protected health information, showing the number of people affected by data breaches has been on the rise. Between September 2009 and December 2012, the OCR received 720 breach reports that ultimately affected about 22.5 million people, .
The report also states that a greater number of the breaches have been from online hacks of Internet health websites rather than hacks through a stolen laptop or hard copies of documents from stolen boxes.
Risks of Noncompliance for Health Care Groups
Many smaller medical groups, such as clinics and hospitals, don't realize the significant penalties that come from noncompliance with federal data privacy and security regulations, said Ted Kobus, partner and co-leader of the privacy and data protection team at law firm Baker/Hosteller, .
"They don't really understand the extent of compliance that's going to be required," Kobus said. "Many of them just aren't prepared to deal with an OCR investigation, and they're not prepared to show their compliance with the HIPAA security and privacy rules."
Kobus urged that covered entities under the Health Insurance Portability and Accountability Act (HIPAA), such as health care providers, take a proactive stance to protect themselves from legal liabilities by looking at state and federal regulations, along with keeping scrupulous documentation of everything that a company might do.
"Documenting and compliance are the two most important things," Kobus said. "If you're forced to do something that may not be exactly the way that you think the security rule requires you to do it, or you make a decision and accept a risk, the key is going to be documentation."
Recent Examples of Medical Data Breaches
There have been several data breaches impacting the health care industry as of late, . One such case is a theft at a Pennsylvania-based hospital in which 661 patients' data were stolen in June. The information, which included patients' dates of birth, names and the last four digits of credit card numbers, was taken from hard copies of receipts
Another hospital in Providence, Rhode Island, was sued after a breach in 2011 affected 14,000 patients. This year, the hospital reached a settlement of $150,000, according to the source. The breach was caused when unencrypted back-up tapes disappeared from storage.
This is not including the potential cost that the hospital must pay for not being in compliance with government regulations. Companies must be careful to follow all rules and make data security a top priority.
Mark McCurley is information security advisor at IDT911 Consulting.
The recent high profile breach that caused cloud based service provider to shutter its doors illustrates, in a very painful way, how a single compromised administrative credential can make incident response planning and preparation irrelevant.
Fifty-six percent of the malware discovered by the Solutionary Security Engineering Research Team (SERT) was found in the U.S. in the second quarter, . This is a 12 percent increase from the fourth quarter of 2013. Of the Internet service providers (ISPs) hosting malware, 10 of them hosted about half of all malicious software in Q2 2014. Forty-one percent of hosted malware came from the Amazon ISP.
U.S. Home to Majority of Malware
The U.S. continues be the major source of hacking software. This is due in part to the fact that Amazon hosts so much of the malware in existence, in addition to many of the top 10 ISPs at home in the U.S.
Smaller ISPs have also been targeted for hosting malware. Chad Kahl, a SERT analyst said that "jumping from ISP to ISP has been a common tactic to provide cover and obfuscation, and add complexity to forensic investigations for many years," .
Many Servers Still Unprotected from Heartbleed Attacks
The Heartbleed Bug continues to be a problem for many servers using older versions of Secure Sockets Layer (SSL) – an Internet protocol - that haven't been updated yet. This puts them at risk for being hacked. To extract data using the Heartbleed Bug, cybercriminals must send "millions" of requests, according to the SERT report. The attack could therefore be seen as an attempt at doing a Denial of Service Attack (DoS), in which thousands of requests are sent to a server to overload its ability to function and shut it down. Thus the extraction of data may go unnoticed.
US Building Laws to Protect Its Citizens
Cyberbreaches are still a major dilemma for people who regularly access sites that are at risk for being hacked. These sites might store someone's personal data such as credit card info or medical history. But the U.S. has begun the process of passing state laws that will require businesses to notify customers when they are hacked, .
Even if these laws are passed, it can still be a long time before companies realize they have been hacked. In the above example about Heartbleed, companies may not realize data has been stolen because the hacking attempt has been masked. Additionally, hacking victim Target did not realize for some time that it had been subject to a data breach. People must continue to remain vigilant against attacks no matter what laws are passed.
Nearly every single organization in a study that looked at U.S. and European companies across several industries experienced at least one security breach, with many reporting more than one, . More than 96 percent of respondents experienced a security incident while 39 percent experienced between two and five, and about 16 percent experienced more than five.
The most common way that companies face an attempted data breach was via a phishing scam. Other issues stemmed from compliance policy violations and the unsanctioned use of devices or applications. Finally, a number of businesses reported that someone simply attempted an unauthorized data access.
Additionally, 40 percent of those surveyed said that keeping data secure became more difficult in the past two years.
Making Cybersecurity a Part of Due Diligence
With so many companies hacked, it becomes important to make cybersecurity a major part of a company's business strategy - including when connecting with other businesses. Mergers and acquisitions often lead to gaining access to technology that is potentially compromised with malware or other hacking devices. And yet, very few companies actually include cybersecurity as part of their due diligence when doing M&A, . Ninety percent of respondents admitted that a data breach would seriously impact a company's value during a merger, but 78 percent said they did not look at currently existing cyberdefenses when working out a deal.
Ensuring Business Partners are Also Secure
Cybersecurity goes beyond M&A, however. Whenever one company does business with another company, the risk of being hacked increases if the two companies don't practice equally good cybersecurity. It is already a challenge to keep one's own employees informed about the risks of a cyberattack, but one must also be sure that the companies one does business with are also practicing good security tactics.
The matter of protecting oneself from other companies also comes into play during outsourcing. When businesses outsource an aspect of their work such as payroll, they should check to see if they are responsible for what happens if that company is hacked. Additionally, businesses should look into whether the company they are outsourcing their work to is keeping up with current cybersecurity trends.
When planning measures for cyberdefenses, businesses can't leave out any of the companies they work with – like their suppliers, their outsourcing partners and the firms they acquire. With a huge number of corporations facing attempted data breaches every year, every partnered business becomes a potential liability in a company's security network.
Small businesses make risky choices every day by gambling that their business will fly below the radar of cyber criminals and not become a target for data theft. Businessowners are misguided in thinking their business is too small and their data is not valuable enough to a hacker. (more…)
Identity theft is far more common than you may think. In fact, 16.6 million people experienced identity theft in 2012, . That means 7 percent of everyone over the age of 16 has experienced identity theft. Protecting yourself from this crime is a serious matter.
Here are four reasons why you should protect yourself from identity theft:
Enjoy better credit and financial health. The expenses associated with identity theft are nothing to joke about. The total loss of money attributed to stolen identities amounted to $24.7 billion dollars in 2012, according to the BJS. Protecting yourself from data theft will keep your financial health secure and ensure that your credit history checks run smoothly every time.
Help keep your job opportunities secure. Employment background checks are a serious matter. Often companies will check your credit history as part of your employment check. If you have suffered identity theft without knowing it, you could severely reduce your chances of having good credit. Find out what's on your credit report. Check it at least twice a year, .
Have a better relationship with your doctor and insurance company. Medical identity theft can seriously harm your health. This problem continues to increase in the U.S., . In 2012, 272 million people had their medical credentials and information stolen. Victims could have problems getting their medications refilled, and they might have things fraudulently reported to their insurance company. Additionally, medical records contain a great deal of personal information that would then be held in the wrong hands.
Keep your children safe. Child identity theft is such a significant crime that New York lawmakers have worked on a bill to help prevent it. Recently, a measure was sent to Gov. Andrew Cuomo that would allow parents to freeze children's bank accounts in the event of data theft, . If your child receives bills in the mail or the IRS sends letters pertaining to tax issues that shouldn't apply, then your child may be a victim of identity theft, . Kids are vulnerable because they have a clean credit history, which is valuable to identity thieves. Additionally, children might not know they have been victims until years later when they apply for credit cards or a loan.
There have been more incidents of identity theft from data breaches lately than ever before. In 2013, 61 percent of people who experienced a data breach also experienced a resulting incident of fraud, . In 2010, that number was 1 in 9.
Identity Theft on the Rise, and Likely to Keep Rising
Additionally, identity theft is expected to continue growing. There have been 368 breaches so far this year, an increase of 19 percent year over year, . Over 10 million personal records have thus been exposed to criminals in this year alone so far.
As more data is shared on the Internet, including financial information such as credit card numbers, more data is being stolen, . Point of sale machines are easy to use, but they are also easily hacked. Malware can infect cash registers so that credit and debit numbers are uploaded to a remote server, allowing cybercriminals direct access to data to steal.
The recent breach at restaurant chain P.F. Chang's is an example of this. It has recently confirmed that the data breach had to do with its database of credit and debit cards, although the scope of the attack is still unknown, . Visa and MasterCard have yet to send any alerts to banks about potential frauds from the hack into P.F. Chang's, which leaves room for consumers to be hacked in the meantime if they don't pay close attention to their bank records.
Identity Theft More Common than Violent Crime
Over 16 million people have been the victims of cybercrime, . Additionally, while the majority of victims were able to clear identity theft-related issues up in about a day, 10 percent of victims required a month or longer to deal with identity fraud. Two out of 3 victims did not know how their identity was stolen, and 9 out of 10 victims didn't know who the cybercriminal responsible for the identity theft was.
Now that identity theft is becoming so common, it grows more important that consumers protect themselves by staying informed about the latest breaches and maintaining a close watch on their bank accounts. Being cautious and on the lookout for suspicious activity is the only way to stay safe, and the potential fallout from identity theft on someone's financial resources is too dangerous to ignore.
There is a great deal of false information out there about data breaches, and yet it is imperative that a company knows as much as possible about this important liability.
Here are five common myths about data breaches that could put a business at risk:
1. Small Businesses Aren't in Danger
Small businesses are at risk for cyberattacks just like big companies, . In fact, some cybercriminals prey upon small businesses exclusively because their lack of caution and proper security measures make them easy targets. Additionally, Visa said small businesses account for 95 percent of credit card breaches, reported. One out of every 5 small businesses becomes a victim to cybercrime, according to . Of these small companies, 60 percent go out of business within six months.
2. Information Security and Information Technology Are the Same
Some people think that information security is just one aspect of the IT department. In fact, the two things are different. Information security teams focus on making sure that information is kept as securely as possible given the resources of the company. Information technology works to make sure the business run smoothly. Companies need to have both of these capabilities in the company, so that data not only is readily accessible but secure as well.
3. Threats Are Coming from the Outside Only
The reality is much of the risk behind data breaches is due to internal sources. Workers may leave their laptops unattended or use easy-to-guess passwords. This problem can be fixed with proper training. Preventing data breaches at a firm is not only the responsibility of the information security team – it is the responsibility of everyone within the company. Some businesses even begin training employees during orientation to be vigilant against cyberattacks. There are many ways to protect a company from internal risk. See some examples at the IDT911 blog.
4. Vendors Are Not a Threat
Vendors are indeed a threat - companies as diverse as Adobe, LexisNexis, J.P. Morgan and others have all experienced data breaches. Businesses shouldn't trust their vendors to do the appropriate due diligence for them. For some good ways to protect assets from vendor threats, take a look at the Knowledge Center.
5. Firewalls Are the Only Safety Net Companies Need
Although firewalls are important for keeping your networks secure in the most basic way possible, they are only one part of a larger chain of defense that will keep your company safe. Ninety-six percent of data breaches happen to companies with minimally protective firewalls, according to the .
Mark McCurley is information security advisor at IDT911 Consulting.