Tag Archive for Data breach

| February 17, 2015
Comments Off on Scary PII Numbers

Scary PII Numbers

Scary PII NumbersAs you may have heard by now, the second-largest health insurer Anthem gave away at least 80 million of their customers’ PII records to hackers. I say at least because these always grow as the experts dig through the wreckage. The WSJ reports the Indianapolis-based insured did not encrypt this data (I covered encryption here and here). That means customers’ social security numbers, phone numbers, and other PII were easy targets for Chinese hackers according to CNBC.

did not encrypt data

Anthem is just the latest. There are even larger targets out there. The Business Insider published some pretty scary numbers. BI reports that somehow the biggest tech companies have done a great job at convincing people that their services for sending/receiving payments and purchasing goods are trustworthy and worthwhile. The article estimates that Apple has somewhere around a billion iTunes accounts (with plenty of PII and credit cards) on file.

This chart from BI IntelligenceApple (AAPL) is nearing a billion iTunes accounts on file, and that number is likely to surge immensely. Customers in China can now link their UnionPay payment cards to their Apple IDs: For context, UnionPay is the largest card network in the world with more cards in circulation than Visa and MasterCard combined.

Amazon (AMZN) has approx. 300 million payment cards on file while PayPal has around 200 million payment cards on record.

Apple, Amazon, PayPal Payment Cards on File - Business Insider

A second BI article indicates that based on leaked Uber data charted analyzed by BI Intelligence, the ride-sharing firm has well over 12 million payment cards on file. Their closest competitor Hailo has 4.4 million payment cards on file.

Ride-Sharing Payment Cards on File - Business Insider

rb-

You have been warned. The next mega data breach could come from a tech firm like Apple or Amazon.

Data theftThe WSJ article argues that companies can use many techniques to secure their data, but those things slow companies down, sometimes to a degree they find unacceptable.

I think most victims of identity theft or credit fraud find that unacceptable.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , ,
| February 5, 2015
Comments Off on Spies Say Encryption Best to Protect Data

Spies Say Encryption Best to Protect Data

Updated August 01, 2019 – Trump’s top cop U.S. Attorney General William Barr rehashed the time-worn government demands for private firms to break encryption. AG Barr closed his July 23, 2019 speech at the International Conference on Cyber Security, by saying that U.S. citizens should accept encryption backdoors because backdoors are essential to our security.

Spies Say Encryption Best to Protect DataDespite what current US policy appears to be, a newly leaked document courtesy of Edward Snowden revealed that some U.S. officials are encouraging the use of encryption to protect data. GigaOm points out a 2009 document penned by the U.S. National Intelligence Council, which explained that companies and the government are prone to attacks by nation-states and criminal syndicates “due to the slower than expected adoption…of encryption and other technologies.” The report detailed a five-year prognosis on the “global cyber threat to the US information infrastructure” and stated that encryption technology is the “[b]est defense to protect data.”

750 major data breaches exposing more than 81 million private records.Seems that these spooks were right. FierceITSecurity reports there were 750 major data breaches in the U.S. last year, exposing more than 81 million private records. FierceITSecurity cites data from SysCloud, a provider of security and data backup for enterprises which provided the following infographic about data breaches.

 

SysCloud infographic

U.S.’s second-biggest health insurer Anthem Inc., lost personal information for about 80 million of its customers2015 will be worse. The WSJ reports a single data breach at the U.S.’s second-biggest health insurer Anthem Inc., lost personal information for about 80 million of its customers when attackers broke into a database. According to the WSJ, the breach exposed names, birthdays, addresses, and Social Security numbers. Anthem said in a statement that the affected (plan/brands) include Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare. Anthem did not encrypt the stolen PII according to reports.

GigaOm explains that encryption makes it possible for documents and messages to be unreadable to people who don’t have the proper cryptographic key.

encryption

A cryptographic key is the core part of cryptographic operations which scramble information. Cryptographic systems include pairs of operations, such as encryption and decryption. A key is a part of the variable data that is provided as input to a cryptographic algorithm to execute this sort of operation. The security of the scheme is dependent on the security of the keys used.

The spooks also encouraged multi-factor authentication, which adds another step to the security process beyond simply entering a password.

vocal opponent of encryption technologyDespite the totally porous nature of online security, GigaOm points out that the Obama administration is a vocal opponent of encryption technology. According to Bruce Schneier the gooberments opposition to encryption on phones is all bluster and sound bites.

Encryption is no doubt a hot topic in the security space. GigaOm says there’s been a wave of security start-ups focusing on encryption scoring millions of dollars in investment in recent months. Security start-ups VeradocsCipherCloud, and Ionic Security have recently landed over $100 million in investments.

Despite political pushback, it’s clear that companies won’t slow down on implementing encryption any time soon, so long as large-scale data breaches continue to occur on a seemingly weekly basis.

rb-

Is it time to go back to a cash economy?

 

Related articles
  • Crypto-Wars Escalate: Congress Plans Bill To Force Companies To Comply With Decryption Orders (thenewsdoctors.com)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , ,
| October 23, 2014
Comments Off on Avoid A Data Breach

Avoid A Data Breach

Avoid A Data BreachSecurity firm SRC Cyber cites a report from the United States Government Accountability Office, The U.S. Computer Emergency Readiness Team (PDF) reported a 782% increase in cyber incidents from 2006-2012. As this number increases, SRC Cyber and other cybersecurity companies are pressured to respond. They are creating products that not only defend against threats but also aid in recovery if a data breach occurs.

Data breachSRC Cyber points out that security breaches can happen to anyone at any time. The article claims that system problems and human error account for the majority of the data breaches. The most common single cause of data breaches at 42% is malicious intent.

This SRC Cyber infographic shows the impact of three high-profile data breach attacks. The attacks have had an effect on security spending, attack awareness, and in the case of the Target breach how it’s hit the company’s profits.

 

Avoid a Breach Infographic

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , ,
| July 31, 2012
Comments Off on Mommy Hacker

Mommy Hacker

Mommy HackerTime Magazine reports that a Pennsylvania woman faces six felony charges for hacking the computer system at her kids’ schools. Catherine Venusto, 45, hacked into the Northwestern Lehigh School District computer system and altered the grades of her two children, ABC News reports. Venusto had worked at the district as an administrative office secretary from 2008 through April 2011. A year before she quit, Venusto, of New Tripoli, PA had been accused be being a hacker. She reportedly changed her daughter’s failing grade to a medical exception. And in February 2012, she was accused of changing her son’s 98 to a 99.

Third-degree felonies

Data integrityMs. Venusto was arraigned on three counts of unlawful use of a computer. She was also charged with three counts of computer trespassing and altering data. All six of those charges are third-degree felonies. Pennsylvania State police say Venusto admitted changing the grades, saying she thought her actions were unethical but not illegal.

When ABCNews.com attempted to contact Ms. Venusto at her current job as an event coördinator at Lehigh University, a school employee said her employment ended Wednesday. Venusto’s lawyer, Thomas Carroll, declined to comment.

GradesI’m concerned on numerous levels,” said Jennifer Holman, Northwestern Lehigh School District’s assistant superintendent. “When we say systems, there were three different systems violated…There were 10 different users that at some point had their email violated.

PA State police investigate the hacker

Ms. Holman told ABCNews.com that she first realized something was wrong when a teacher asked why superintendent Mary Ann Wright was in that teacher’s online grade book. Once Wright explained she was never in the grade book the investigation began. Administrators and state police looked for whoever used Wright’s username and password without permission.

Bad passwordsPA State police discovered Venusto used Wright’s credentials 110 times to access the district’s online grading system, according to the District Attorney’s office. Venusto also allegedly accessed nine other faculty members’ email accounts without permission. She also accessed the human resources “H-drive” to view “thousands of files associated with district policy, contract information, employee reports, and personnel issues.

Superintendent Wright released a statement in anticipation of Venusto’s arraignment.

We deeply regret this incident and that this unauthorized access occurred, and we sincerely regret any inconvenience this may cause,” Wright wrote. “We are doing everything we can to prevent this from happening again, and new security procedures are in place to better assure that our systems are protected from such attempts.

The court set bail at $30,000. Venusto will not have to pay the bail unless she does not appear in court for her preliminary hearing. Venusto could face a maximum of 42 years in prison or a $90,000 fine, according to District Attorney’s office spokeswoman Debbie Garlicki, who said the maximum penalty on each count is seven years or a $15,000 fine.

rb-

New sheriff in townThe mommy hacker’s defense is “I thought it was immoral but not illegal”. I will mention in passing the declining parenting standards which are creating a bunch of narcissistic and self-absorbed generation that has no consciousness to what right and wrong is. 

The Administration and IT departments both bear the blame for this intrusion. Some easy-to-implement best practices could have shut the mommy hacker down quicker. They should have required regular password changes. They could have broken the bank and installed an intrusion protection system.

Those of us who work in K-12 understand that security is only important after an incident.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , ,
| June 14, 2012
2 comments

Got Cyber Insurance?

Got Cyber Insurance?Network World says that standard business insurance does not cover data breaches or almost any other loss involving data. Standard insurance covers tangible losses and damage. Data isn’t tangible. This is causing many firms to investigate cyber insurance.

data is not tangibleThe decision that data is not tangible goes back to a 2000 ruling by a U.S. District Court. The ruling arose from an Arizona case, American Guarantee & Liability Insurance Co. vs. Ingram Micro Inc.. In that case, the court said that a computer outage caused by a power problem constituted physical damage within the meaning of the policy Ingram Micro (IM) had purchased from American Guarantee.

After that, the insurance firms changed their policies to state that data is not considered tangible property,” Kevin Kalinich, national managing director for network risk at insurance vendor Aon Risk Solutions told Network World. The upshot is that an enterprise needs special cyber insurance to cover data-related issues. The problem is that the field is new and there is no such thing as standard coverage with a standard price.

Buyers push back

major source of push-back by potential buyersThe resulting complexity is a major source of push-back by potential buyers. According to Larry Ponemon, chairman of the Ponemon Institute, a research organization focused on information security and protection, “The policies have limitations and constraints similar to home policies with act-of-God provisions, and that has created a lot of uncertainty about what is covered, and what the risks are,” Mr. Ponemon told Network World. “Those who are nevertheless purchasing cyber insurance are typically very selective about what coverage they want,” he adds.

Cyber insurance coverages available

Data breach coverageData breach coverage: This pays for expenses that result from a data breach. Covered expenses typically include notification of the victims, setting up a call center. They also cover credit monitoring, and credit restoration services for the victims, and other crisis management services. Ken Goldstein, vice president at insurer Chubb Group told Network World. “You might want to hire forensic experts, independent attorneys for guidance concerning the multiple state (data breach notification) laws, and public relations experts,” he says.

Regulatory civil action coverage: Pays in cases where the insured is facing fines from a state attorney general after a data breach. It also covers fines from the federal government after a violation of the Health Insurance Portability and Accountability Act (HIPAA) or similar regulations. Some policies only cover the cost of defending against the action. While others may pay the fine as well, says Steven Haase, head of INSUREtrust, an Atlanta-based specialty insurance provider.

Cyber extortion coverageCyber extortion coverage: For cases where a hacker steals data from the policyholder and then tries to sell it back, or someone plants a logic bomb in the policy holder’s system and demands payment to disable it. Among other things, the policy should cover the cost of a negotiator, and the cost of offering a reward leading to the arrest of the perpetrator, Goldstein says.

Virus liability: Pays in cases where the policyholder is sued by someone who claims to have gotten a virus from the policy holder’s system.

Content liability: Covers lawsuits filed by people angered over something posted on the Web site of the policyholder. Such coverage should also cover copyright claims and domain name disputes, Haase says.

Loss coverages

Lost income coverage: Replaces revenue lost while the policy holder’s computer system or Web site is down. But Kalinich notes that insurers often apply minimum downtimes of 12 or 24 hours, or require proof of actual losses. “They’ll say that, after all, the customers who did not get through (during the outage) could have come back later,” he says.

Loss of data coverageLoss of data coverage: Pays for the cost of replacing the policy holder’s data in case of loss. “Backup policies are not always effective, and accidents and sabotage happen,” Haase says.

Errors and omissions coverage: Otherwise known as O&M policies, this type of coverage predates cyber insurance, but is increasingly added to cyber policies to cover alleged failures by the policy holder’s software, Haase says.

rb-

Seems that interest is growing in cyber insurance. I wrote about cyber insurance here.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , ,
« Older Entries   Recent Entries »