Wednesday, March 28, 2012

Breaches Are Just Part Of Doing Business - Not Really

Have we gotten to the point where someone losing our data no longer affects us? Have we reached the point where the pain of changing things is greater than our outrage at poor management of our personal information?

I read an article by Elinor Mills, "Why 'data breach' isn't a dirty word anymore," on the CNET blog, March 26, 2012. Her first sentence was, "Contrary to popular belief, data breaches don't necessarily sink a company, studies and survivors indicate." It is an interesting article, but it overlooks several things I believe need to be considered.

The Heartland Payment Systems example is interesting in that Heartland is not a direct-to-consumer business. It provides businesses with the systems to handle credit and debit card transactions. Heartland's customers could switch to a different processor, but that requires serious thought and consideration. Additionally, Heartland's customers are not directly feeling the effects of the breach. They are not being sued. Their names are not being bandied about in the press, so the impact on them is limited.

For Heartland it means that it must fix the problem and show its customers that it is taking the correct steps to keep it from happening again. It also means that Heartland has to defend itself against all of the different lawsuits that will be filed. Yes, I know that one of the suits was dismissed, but there are still the lawyers' costs to defend against it. If you add up the cost of the lawyers and of the fixes that need to be made to the systems, you will find that it could have been done for so much less if someone had analyzed the process, detected the flaws, and applied the needed fixes in the first place.
Breaches do not need to happen. They happen because someone did not take the steps to build the system right, use the system right, or protect the data.

Monday, March 26, 2012

Microsoft Strikes Back at ZeuS and SpyEye

Our good friend Brian Krebs's blog today brings new hope. It appears that Microsoft has teamed up with law enforcement and has been able to track down and seize servers operating a botnet supporting the Zeus and SpyEye malware. These two malware families have been responsible for the theft of over $100 million from small and midsized businesses. The takedown took place last week in several different locations. Along with the seizure of the servers operating the botnet, 800 domains used by the crime servers were also seized. These domains were used to give the appearance of legitimate operations while the thefts were taking place.

Iovation: The New Tool in the Fight Against Identity Theft and Fraud


One of the big advantages identity thieves have had is the ability to be many different people at the same time from the same computer. We've all heard the stories of the bad guy sitting in front of his computer shopping in his underwear, ordering online from many different stores under one identity, then shifting to the next identity and shopping at the same stores again.

Well, there is a way to take that advantage away from the thieves. A product offered by iovation called ReputationManager 360 takes this long-standing advantage away from the criminals.

What makes ReputationManager 360 special is that it identifies the machine involved in the transaction as well as the user profile. The machine's footprint is one of the things that is unique to the transaction. Imagine being able to see three transactions coming in with different user IDs but from the same machine footprint. Is it possible? Yes. Is it likely? No. That "not likely" signal will save you a lot of time and money over the best-guess analytics that most companies are using today.
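To make the machine-footprint idea concrete, here is a small Python script written for this post. It is example code, not iovation's product or its API, and everything in it is an assumption: the handful of browser attributes used as the footprint, the hash used as a device key, the review threshold, and the constructed sample transactions. It builds a device fingerprint for each transaction and flags any device seen under more than one user ID.

```python
import hashlib
from collections import defaultdict

# Constructed sample transactions (not real data). Each record carries the
# client attributes a web shop can observe on every request. t1-t3 are the
# "three user IDs, one machine" case from the text; t4/t5 are one legitimate
# user on her own machine; t6 is an unrelated device.
TRANSACTIONS = [
    {"txn_id": "t1", "user_id": "j.smith",  "ua": "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/10.0",
     "tz": -480, "screen": "1366x768", "lang": "en-US", "fonts": 31},
    {"txn_id": "t2", "user_id": "m.jones",  "ua": "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/10.0",
     "tz": -480, "screen": "1366x768", "lang": "en-US", "fonts": 31},
    {"txn_id": "t3", "user_id": "a.nguyen", "ua": "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/10.0",
     "tz": -480, "screen": "1366x768", "lang": "en-US", "fonts": 31},
    {"txn_id": "t4", "user_id": "r.patel",  "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) Safari/534.55.3",
     "tz": -300, "screen": "1440x900", "lang": "en-US", "fonts": 44},
    {"txn_id": "t5", "user_id": "r.patel",  "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) Safari/534.55.3",
     "tz": -300, "screen": "1440x900", "lang": "en-US", "fonts": 44},
    {"txn_id": "t6", "user_id": "k.olsen",  "ua": "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/10.0",
     "tz": 60, "screen": "1920x1080", "lang": "nb-NO", "fonts": 52},
]

# Assumed footprint attributes: user agent, UTC offset in minutes, screen
# size, browser language, and the count of installed fonts seen by the page.
FINGERPRINT_FIELDS = ("ua", "tz", "screen", "lang", "fonts")


def fingerprint(txn):
    """Hash the observable machine attributes into one short device key.
    The hash is only a compact key; it gives no privacy, because the
    attribute space is small enough to enumerate."""
    material = "|".join(str(txn[f]) for f in FINGERPRINT_FIELDS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def identities_per_device(transactions):
    """Map each device fingerprint to the set of user IDs seen on it."""
    seen = defaultdict(set)
    for txn in transactions:
        seen[fingerprint(txn)].add(txn["user_id"])
    return seen


def flag_shared_devices(transactions, max_identities=1):
    """Return {fingerprint: sorted user IDs} for every device used under
    more identities than max_identities. A household sharing one PC can
    legitimately exceed 1, so the threshold is a tuning knob, not proof."""
    return {
        fp: sorted(users)
        for fp, users in identities_per_device(transactions).items()
        if len(users) > max_identities
    }


def flagged_transactions(transactions, max_identities=1):
    """List the transaction IDs that came from a flagged device, so a
    reviewer can hold just those rather than every order from those users."""
    bad = flag_shared_devices(transactions, max_identities)
    return [t["txn_id"] for t in transactions if fingerprint(t) in bad]


if __name__ == "__main__":
    for fp, users in flag_shared_devices(TRANSACTIONS).items():
        print(f"device {fp}: {len(users)} identities {users}")
    print("hold for review:", flagged_transactions(TRANSACTIONS))
```

Two caveats a practitioner would add. First, a fingerprint built from browser-reported attributes is under the attacker's control: a different browser, a virtual machine, or a spoofed user agent changes the key, so this is a signal for review, not a gate on its own. Second, the same signal fires on honest shared machines (a family PC, a library kiosk), which is why the script holds the affected transactions rather than blocking the users.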

In 2008 iovation commissioned a study, "The Total Economic Impact of iovation ReputationManager™," to document the effects on a single company in the financial services industry. I found the results eye-opening, to say the least. A 300% ROI is nothing to sneeze at. If it can help shut down the thieves and reduce the losses, then it is something to look at seriously.

For more information on ReputationManager 360, I suggest you check www.iovation.com.

Friday, March 23, 2012

H&R Block Manager Arrested for Identity Theft of Tax Clients


An H&R Block manager in Southern California has been arrested for identity theft. The stolen identities were those of his former tax preparation clients. Arrested by special agents of the IRS's Criminal Investigation division was Damon Dubose of North Hills, Calif.

Dubose had been working as a manager at an H&R Block office in Van Nuys. It appears that he used his position to access old client files and prepare bogus tax returns designed to obtain refunds and credits. He then used H&R Block Emerald Cards to withdraw the fraudulently obtained refunds from automated teller machines.

In an article written by Michael Cohn for Accounting Today, H&R Block made the following comment. "H&R Block takes this matter very seriously," said H&R Block spokesman Gene King. "This was an isolated incident and we are cooperating fully with authorities on the investigation of a former employee. The situation involves a small number of clients who have been contacted and informed of the steps the company is taking to help them and correct the situation."

The way this guy was discovered is, to say the least, a little unusual. He was noticed by a patrolman loitering near bank ATMs wearing pantyhose over his head.

In the search of Dubose’s vehicle, the officer found six envelopes with personal information and H&R Block Emerald Cards.  Emerald Cards allow H&R Block customers to access their tax refunds electronically like a debit card.



Dubose appeared in court Thursday and was released on bond. His next court appearance is April 30.

The notable thing is that almost every year there are stories of tax preparation service employees caught committing identity theft.  Perhaps it’s time to take a serious look at who you have doing your taxes.

Thursday, March 22, 2012

Hacktivism: Leading Cause for Compromised Data in 2011


Verizon's new report identifies hacktivists as responsible for more than half of the data stolen from companies in 2011. What is more of a concern to me is that 98 percent of the data breaches covered in the report came from external agents. More troubling, 83 percent were attributed to organized criminal groups.

Hacktivists are searching for headlines and for ways to embarrass whichever company they choose to oppose. The greater concern is the under-the-radar criminal groups who are after transaction data or personally identifiable information with profit in mind. I wonder how many companies have been breached without it being detected or reported.

Reviewing the report, I am forced to wonder about all of the small to mid-size targets that are going through day-to-day operations with limited security and protection. I wonder how long it will be before we hear of companies being extorted for money by the perpetrators of a breach to prevent damage to their reputation.

For small to mid-size companies, I strongly suggest you take a careful look at what data you have and how it is protected. You won't need to build a Fort Knox of security around it if you take some simple precautions with how you store it. The time and money you invest in doing it right will be a lot less than the cost of paying for a breach.

Monday, March 19, 2012


A salute to Sheriff Al Lamberti of Broward County, Florida. He is taking a new approach to the tax-time identity theft problem. The Sheriff is fighting back using code enforcement.

The Broward Sheriff's Office and the City of Oakland Park recently began examining many of the newly opened tax service providers within the city. According to a prepared release, approximately three dozen tax service providers have opened since the start of 2012. So far the investigators have found that many of these temporary businesses don't have the proper business licenses required to operate.

Florida officials are concerned that the illegally operating shops may be contributing to the growing number of identity theft cases. They suspect some illegitimate tax preparers are taking customer information and using it to file phony tax returns or selling it to others.

Friday, March 16, 2012


The management of Blue Cross Blue Shield of Tennessee (BCBST) has discovered the cost of data insecurity. It's $1.5 million for the loss of 57 unencrypted computer hard drives from a facility in Tennessee. This is a costly way to find out that you don't have enough of the right type of security to protect the information at the core of your business. Costly, because you will still need to review and implement the safeguards for the data now. Had those drives been encrypted, with the keys kept somewhere other than on the drives, a lost drive would have been a lost piece of hardware rather than a lost set of patient records.

Business needs to readdress the way it values the data it collects on its clients, patients and employees. Knowing the contact information of your patients helps you contact them when you need to. Having additional information can be useful for specific things within the business. But consider that the information you hold to contact your patients, clients or employees is exactly what I need to steal their identities, or to scam them into giving me more information so I can do further damage.

It is time to look at the data from two viewpoints. What do I need to have to do the job, and what value does it have for someone else? Does what I collect need a special form of storage or protection? What do I need to do to make it less susceptible to external theft and less available to insider misuse?

When I approach my business from this second point of view, I am better able to avoid the cost of a breach.

Tuesday, March 13, 2012


An article by Chris Strohm for Bloomberg discusses the need for upper management in the medical profession to start giving very serious thought to the security of patient data. It will not be long before you see lawsuits filed against anyone who loses control of their data. There are many steps that can be taken to reduce the risk, and at this time all of them are much less expensive than the cost of a data breach. The article is worth the time to read.

Digital Health Data at Risk From Manager Support, Study Finds


Monday, March 12, 2012


A recent report from the Ponemon Institute, sponsored by the security company Trend Micro, found that the cause of many data breaches was a combination of employee error and misconduct.

The report, "The Human Factor in Data Protection," revealed that more than 78 percent of respondents cite intentional or accidental staff errors as the cause of at least one data breach in the past two years. A separate analysis of companies with fewer than 100 employees found that small to medium businesses are at greater risk of their employees mishandling data than large enterprises: the rate of data breaches at SMBs was 81 percent, compared with 78 percent across the board.

The report attributes this to SMB employees being more likely to engage in risky behavior: over half (58 percent) have opened or would open attachments or website links in spam, compared with 39 percent at large enterprises.

More than three quarters (77 percent) have left or would leave their computer unattended, compared with 62 percent at enterprises. A further 55 percent of SME employees were likely to visit off-limit websites, a gap of 11 percentage points from enterprises.

The three leading causes of security breaches were loss of a laptop or mobile data device (35 percent), third-party mishaps (32 percent), and system errors (29 percent). Nearly 70 percent of respondents felt strongly that their organization's security measures are not sufficient to stop a targeted attack or hacker.

Once again the Ponemon Institute has presented a crucial piece of work that small and mid-size businesses should take note of. Given the choice of attacking a large enterprise network with a dedicated security team watching it, or hitting a smaller, less patrolled network, which would you pick? Run the risk of quick detection, or take a smaller but safer reward with less chance of discovery?

The Federal Trade Commission has just released a new victim impact report. I suggest that anyone in business who deals with claims of identity theft read this report. You will find a number of items from which you can draw guidance.

Identity theft is not going to go away. The thieves know how profitable it is and how easy it is to avoid being caught. The Federal Trade Commission recently released its annual report on the complaints of 2011. No one should be surprised to see identity theft in the top spot once again. This is a crime that is not restricted by borders or governments. Your information can be stolen from any place where it has been stored, and sold to anyone anywhere who might wish to abuse it.

The numbers have fluctuated over the past three years; the 2009 numbers were higher than 2010's. Many people speculated that the crime was receding, while I believe that the financial environment and tighter credit-granting practices had more of an impact. Now, with the report from Javelin placing the number closer to 12 million and the FTC's numbers for 2011 increasing, it is clearer that the problem appears to be back on the rise.

When you read in the paper or see on television that a group has been arrested, remember that there are a lot more of them out there continuing to commit the crime. There have been a lot of ideas put forward to help protect you from identity theft. The problem with any such claim is that there are so many different ways your identity can be used and abused that no one idea can cover all of the different elements.

Some of the companies offering services are expanding into the uncovered areas. Each step is a move in the right direction. We need to remember that complete protection is still a number of steps away.



One of the topics I will cover has to do with data breaches. There are all sorts of opinions about the need to protect a company's data. The rules about protecting the data vary from state to state, but the basic principles are the same: if you collect it, you need to make sure that it is secure.