Tag Archive for PII

| May 12, 2015
One comment

What Triggers a Data Breach?

What Triggers a Data Breach?Cyber-insurer Ace Group recently published data they say predicts a data breach. Based on their data (and the need to sell premiums) the insurer claims that all firms are at risk for a data breach. Matthew Prevost, vice president, ACE Professional Risk recently claimed data breaches are inevitable.

When it comes to cyber risk, it is not a question of if or when, but how – how can an organization proactively prepare for and then quickly respond to cyber-related breaches and interruptions?

data breaches are inevitableACE has a unique position to speculate, according to ClaimsJournal ACE has over 15 years of experience with cyber-risk. The firm has cataloged a considerable amount of lost data. They recently shared several key insights from their proprietary dataFierceITSecurity explains that based on cyber insurance provider ACE data, the top triggers for data breaches are:

  1. top triggers for data breaches Network security attacks – 25%
  2. Lost or stolen devices – 20%
  3. Human error -16%
  4. Rogue employees – 15%
  5. Faulty policies – 9%
  6. Use of paper – 6%
  7. Software error – 3%

The firm’s data says that lost and stolen devices that led to data breaches are:

  1. Laptops – 70%
  2. Memory devices – 28%
  3. Smartphones – 2%

stolen devicesFormer employees accounted for 25 percent of insider attacks, and financial incentive was the motive in 72 percent of insider attacks, according to ACE.

rb-

I have written about the cyber insurance market here and here. The most surprising factoid to me is that lost or stolen smartphones lead to data breaches 2% of the time. Perhaps the ACE data is old, or the security marketers have spread FUD and hubbub about the need for MDM, EMM, and remote wipes just to make a buck.

Do you agree with ACE’s stats? 

Related articles
  • Why small businesses should consider cyber liability insurance (hiscoxsmallbizblog.com)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , ,
| March 19, 2015
Comments Off on ZOUP! POS Breached

ZOUP! POS Breached

ZOUP! POS BreachedAnother day, another data breach. Zoup! the restaurant known for its soup, salad, and sandwiches is the latest retailer to have it POS system hacked. The hack exposed credit card information hacked according to MLive. From a statement posted on the Zoup! website Zoup! CEO Eric Ersher told their customers victims – too bad so sad, “… in the days ahead, we will work hard to preserve your trust.

ZOUP! Apparently re-gaining my trust does not include telling me my information was stolen, or the usual credit monitoring or credit restoration services, according to MLive Southfield, MI-based Zoup! will not be contacting customers who were affected by the cyber-attack.

The stonewall goes beyond Zoup!’s customers. When contacted by security researcher Brian Krebs, for comment CEO Ersher referred calls to NEXTEP, who runs all of Zoup!s point-of-sale devices. Troy, MI-based NEXTEP President Tommy Woycik emailed Mr. Krebs a statement, which says in part, “NEXTEP was recently notified by law enforcement that the security of the systems at some of our customer locations may have been compromised.

The MLive article reports that Zoup! learned March 4 of a payment card security issue that affected most of its U.S. locations. Between Feb. 2 and March 5, the malware installed on the point-of-sale system was tracking credit card numbers, and possibly PII data such as the cardholders’ name, card expiration date, and verification code.

POS vendors have a notorious track record for data security. One breach can impact 100’s of locations. The 2014 breach at the POS vendor Signature Systems Inc. affected Jimmy John sandwich shops and at least 100 other restaurants. The 2015 breach at Advanced Restaurant Management Applications (ARMA) affected many of its client restaurants. And now Nextep has impact up to 75 Zoup! locations and possibly 100,000’s of customers.

What does this do?CEO Ersher stated in a statement in a statement, “… we moved as swiftly as possible to address the problem once we learned about it … ” Oh really? if they had read Bach Seat last year when I wrote about POS hacks or paid attention to US-CERT or warnings they would have been prepared.

The company set up a website for customers with concerns or call Zoup! at 800-343-9308, Monday – Friday, 8 a.m. – 5 p.m. ET.

rb-

I think that Zoup! should cool the attitude and review the info I posted in 2014 on how to avoid POS System breaches.

1.  Change administrative passwords on all POS systems. (Hackers are scanning the Internet for easily guessable passwords).

2.  Implement a firewall or access control list on remote access /administration services. (If hackers can’t reach your systems, they can’t easily steal from it).

3.  Avoid using POS systems to browse the web (or anything else on the Internet).

4.  Make sure your POS is a PCI DSS compliant application (ask your vendor)

5.  Use password management software like LastPass to generate secure passwords. (LastPass allows you to avoid storing passwords in your browsers and can generate ready-to-use secure passwords for you).

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , ,
| March 17, 2015
Comments Off on Banks Scramble to Fight Apple Pay Fraud

Banks Scramble to Fight Apple Pay Fraud

Banks Scramble to Fight Apple Pay FraudSearchFinancialSecurity reports that Apple Pay fraud is on the rise and banks are rushing to fix sloppy authentication processes. Sloppy bank authentication processes are at the heart of growing Apple Pay fraud and experts worry about potential fraud with other mobile payment systems.

Apple Pay logoWhen Apple Pay was first unveiled by Apple (AAPL) in October 2014, it was touted for its increased security thanks to tokenized Device Account Numbers and the Touch ID fingerprint system. eWeek.com provided a good overview of how Apple Pay’s approval process works:

  • The camera of an iPhone 6 or 6 Plus takes a photo of the credit or debit card
  • Apple Passbook software extracts the name and expiration date, then encrypts and transmits the data to Apple
  • If the photo doesn’t allow for extraction (poor quality or card is too worn), users are allowed to manually enter the card number
  • Apple checks to see if the card is already on file in iTunes, verifying it through a match
  • But most cards aren’t already in iTunes – so Apple sends card data, phone data, and iTunes account info to the card-issuing bank
  • If verified by the bank and approved, it’s added to Apple Pay and the Apple Passbook, and it’s ready to be used for purchasing

If this provisioning is successful, the bank will automatically accept (Green Path) the info and then beam an encrypted version of the card details to be stored.

criminals have set up iPhones with stolen cardl info from Target and Home Depot hacksAccording to reports, criminals have set up iPhones with stolen personal information, which has been tracked back to accounts compromised in Target’s big data breach at the end of 2013, the Home Depot hacking in 2014, and likely the Anthem breach of 2015. The criminals take the stolen PII and call banks to authenticate a victim’s card on the new device. This is so-called “Yellow Path” authentication, where a card isn’t or rejected (Red Path), but requires more provisioning by the bank to be added to Apple Pay.

When Yellow Path authentication is required, the bank may send a one-time authorization code to the customer’s email or mobile phone that must be entered into the Apple Pay set-up.  Other banks may ask the customer to call a toll-free number where a customer service representative will try to verify the person’s identity with a series of questions about recent purchases or a home address according to the WSJ.

If this provisioning is successful, the bank will then beam an encrypted version of the card details to be stored on the Secure Element of the phone (PDF). The author contends that the heart of the problem is that some banks have lax Yellow Path processes, only asking for the last four digits of a Social Security number, leading to criminals using stolen identities and credit/debit cards to buy high-priced goods, often from Apple Stores.

Avivah Litan, a VP at Gartner (IT) said that this kind of fraud is a fundamental flaw that will affect all mobile payment services. “This isn’t necessarily an Apple Pay problem. The responsibility ultimately lies with the card issuer who must be able to prove the Apple Pay cardholder is indeed a legitimate customer with a valid card,” Ms. Litan wrote in a blog post. “That always appeared to me to be the weakest link in mobile commerce — making sure you provide the app to the right person instead of a crook.”

rb-

With the iPhone 6’s NFC capabilities, the physical card may not be required for such “purchases.” Maybe someday this will keep merchants from holding card data but for now, seems like the banks need to get their act together.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , ,
| March 10, 2015
Comments Off on Anthem Data Breach Hits BCBSM Users

Anthem Data Breach Hits BCBSM Users

Anthem Data Breach Hits BCBSM UsersThe recent cyber-attack on the second-largest health insurance company in the U.S., Anthem Insurance was allegedly pulled off by Chinese hackers. Now the attack, which I covered here has spread to Michigan. Emily Lawler at MLive is reporting that Michigan residents are caught up in the national healthcare insurance data breach.

The Anthem health insurance company compromised data includes an estimated 80 million people, of which 636,075 Blue Cross Blue Shield of Michigan users. According to the article, some of the compromised information could have come from BCBSM customers. A BCBSM spokesperson told MLive there was a “strong possibility” some BCBSM customer data had been caught up in the data breach.

BCBSM is an affiliate of the compromised company, so the Michigan firm shared critical customer information with Anthem. The affiliation allowed the attackers to gain access to Michigan BCBSM users. Ms. Lawler cites information from Anthem’s initial investigation, which found that compromised Michigan personally identifiable information (PII) that could have been compromised includes names, dates of birth, social security numbers, addresses, phone numbers, email addresses and employment information.

Data theftReassuringly (snark) BCBSM and Michigan’s Department of Insurance and Financial Services have been monitoring the data breach and its potential effect on Michiganders. BCBSM External Affairs Manager Stephanie Beres told MLive numbers from Anthem say 636,075 Michigan residents are impacted. That includes 410,990 Anthem members, and 225,745 customers of Blue Cross Blue Shield, Ms. Beres said.

rb-

Anthem is sending letters to those impacted their oopsie who will offer two years of free credit monitoring and identity theft repair. According to Anthem’s website AllClear ID will provide credit monitoring services. Those who think they may be affected are encouraged to visit a website Anthem has set up to distribute information about the hack, www.anthemfacts.com.

Related articles
  • Connecticut bill requires insurers to encrypt personal data (newsday.com)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , ,
| February 19, 2015
Comments Off on Anthem Data Breach Allows Phish of US Cyber Forces

Anthem Data Breach Allows Phish of US Cyber Forces

Anthem Data Breach Allows Phish of US Cyber Forces– Updated 10/25/2018 – Anthem, Inc. has agreed to pay a $16 million HIPAA fine to the U.S. Department of Health and Human Service, Office for Civil Rights. The OCR found that the data breach between December 2, 2014, and January 27, 2015, cyber-attackers stole the electronic protected health information of almost 79 million people. The stolen information in the data breach included names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

The $16 million settlement is the largest HIPAA settlement.

Anthem Breach Allows Phish of US Cyber ForcesMany online believe that the Anthem (ANTM) hack was a strategic cyber-war strike by China. Stu Sjouwerman at CyberheistNews writes that PII thefts would normally be a Russian operation. However, the Anthem data breach appears to be a Chinese attack. CNN reports that Chinese hackers tend to target trade, economic, and national security secrets that could help the Chinese economy. Mr. Sjouwerman says he received an insider tip that most of the three-letter U.S. Government agencies have their employees insured through Anthem’s Blue Cross Blue Shield. Anthem also provided health insurance defense contractors Northrop Grumman and Boeing.

Anthem Bluse Cross logoKnowbe4’s Sjouwerman speculates that the Chinese now own the identities of all the people fighting them. The stolen data can now be used in a multitude of social engineering scenarios. Dmitri Alperovitch, co-founder of security firm CrowdStrike told CNN that the attack fit the profile of a hacking group believed to be Chinese government spies called “Deep Panda.”

The objective of the “Deep Panda” data breach according to the CrowdStrike CTO is to amass a large collection of Americans’ personal information to find citizens willing to spy for the Chinese and find potential U.S. spies operating in China. Mr. Alperovitch told CNN that’s why Chinese hackers broke into U.S. federal employee network last year. They also broke at least three hospital chains and two insurance providers the public hasn’t yet heard about.

PhishingKnowbe4 speculates that many people in the Government have steam coming out of their ears about the Anthem hack. Cyberwar has suddenly become very personal to them. This may be why President Obama recently signed an executive order that will nudge private companies to share data about cybersecurity threats between each other and with the federal government.

Apart from the cost of the Anthem data breach are likely to smash $100 million barrier, it’s surprising that Anthem did not encrypt SSN’s which allowed wholesale identity theft of thousands of American cyber-warriors.

Deep Panda is amassimg a large collection of Americans' personal informationCEO Sjouwerman explains that hackers are going after healthcare records because they are much more valuable. He points out that healthcare records stay active for several months after a hack, as opposed to credit card numbers which quickly get nixed after a few days. Since Anthem is a healthcare company, you would expect them to take HIPAA compliance to the max and even top the required controls with higher standards. As we all know, compliance does not equal security, but it establishes a baseline at the very least.

rb-

There is enough blame to go around.

Time to go back to a cash society and barter.

Say, Doc Johnson, I’ll trade you two chickens for measles vaccination.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , ,
« Older Entries   Recent Entries »