Posts

The “Mother of All Data Breaches?” It Could Be Here…

You have probably heard of one data breach after another these days, but this is one that you should really pay attention to: more than 772 million unique emails, along with more than 21 million unique passwords, have been exposed.

data breach

Troy Hunt, who runs the website “Have I Been Pwned,” first reported this breach, and he says that a huge file (87 GB) was uploaded to MEGA, a cloud service. This data was then sent to a popular hacking site, and now hackers have access to all of these passwords and email addresses.

This data breach, known as “Collection #1,” is very serious. However, it could just be the tip of the iceberg. There are claims that there are several more “collections” out there, and it could be as much as one full terabyte worth of data. This could be the newest “mother of all data breaches” if this is found to be true.

So, what does all of this mean for you? It not only means that your information could be part of this breach, but it also could mean that these password and email combinations could be used in a practice known as “credential stuffing.” What is this? It’s when a hacker uses known email and password combinations to hack into accounts. Basically, this could have an impact on anyone who has used an email/password combination on more than one site.

This, of course, is concerning because this particular breach has about 2.7 billion email/password combinations. On top of that, around 140 million of the emails, and 10 million of the passwords, were brand new to the hacking database, which gives the hackers even more ammunition to wreak havoc. The big lesson to be learned here is that you should always use good security practices when you create accounts online. You should never use passwords from one account to another, and you should definitely use two-factor authentication if it is available. If you don’t have a password manager, you might want to set that up, too.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video

Top 12 Tips to Destroy Your Sensitive Data

Believe it or not, you just can’t shred too much. If you aren’t destroying your sensitive data, my best advice is for you to start now. There are people out there who make a living diving into dumpsters in search of credit card info, bank account number, mortgage statements, and medical bills; all things they can use to steal your identity.  

Here are 12 tips that you can use to help you destroy your sensitive data:

  1. Buy a shredder. That said, I don’t own a shredder. I’ll explain shortly. There are a number of different brands and models out there. Some even shred CDs. This is important if you keep your documents saved on a computer, which you then saved to a CD. Don’t, however, try to shred a CD in a shredder that isn’t equipped to do this job. You will definitely break it.
  2. Skip a “strip-cut” shredder. These shredders produce strips that can be re-constructed. You would be surprised by how many people don’t mind putting these pieces together after finding them in trash. Yes, again, people will go through dumpsters to find this information. Watch the movie “Argo” and you’ll see what I mean.
  3. Shred as small as you can using a cross cut shredder. The smaller the pieces, the more difficult it is to put documents together again. If the pieces are large enough, there are even computer programs that you can use to recreate the documents.
  4. Fill a large cardboard box with your shreddables. You can do this all in one day, or allow the box to fill up over time.
  5. When the box is full, burn it. This way, you are sure the information is gone. Of course, make sure that your municipality allows burning.
  6. You should also shred and destroy items that could get you robbed. For instance, if you buy a huge flat screen television, don’t put the box on your curb. Instead, destroy, shred, or burn that box. If it’s on the curb, it’s like an invitation for thieves to come right in.
  7. Shred all of your documents, including any paper with account numbers or financial information.
  8. Shred credit card receipts, property tax statements, voided checks, anything with a Social Security number, and envelopes with your name and address.
  9. Talk to your accountant to see if they have any other suggestions on what you should shred and what you should store.
  10. Shred anything that can be used to scam you or anyone. Meaning if the data found in the trash or dumpster could be used in a lie, over the phone, in a call to you or a client to get MORE sensitive information, (like a prescription bottle) then shred it.
  11. Try to buy a shredder in person, not online. Why? Because you want to see it and how it shreds, if possible. If do buy a shredder online, make sure to read the reviews. You want to make sure that you are buying one that is high quality.
  12. Don’t bother with a shredder. I have so much to shred (and you should too) that I use a professional document shredding service.

I talked to Harold Paicopolos at Highland Shredding, a Boston Area, (North shore, Woburn Ma) on demand, on-site and drop off shredding service. Harold said “Most businesses have shredding that needs to be done regularly. We provide free shredding bins placed in your office. You simply place all documents to be shredded in the secure bin. Your private information gets properly destroyed, avoiding unnecessary exposure.”

Does your local service offer that? Shredding myself takes too much time. And I know at least with Highlands equipment (check your local service to compare) their equipment randomly rips and tears the documents with a special system of 42 rotating knives. It then compacts the shredded material into very small pieces. Unlike strip shredding, this process is the most secure because no reconstruction can occur.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Weak Passwords Mean Data Breaches

Studies across the board indicate that weak usernames and passwords are one of the top causes of data breaches, and I find that information to be unfortunate, because it is preventable. According to a recently concluded survey conducted by uSamp and sponsored by Siber Systems, creators of the RoboForm Password Manager: 70% reported forgetting a password, or had a password become compromised, in their professional life in the US.

  • More organizations are enacting policies where employees can use their own devices and store information on a cloud.
  • This means that it is more important than ever before to protect accounts with strong passwords.
  • A strong password is the first line of defense against scammers and hackers, and it helps to keep data safer.

The Research on Passwords Doesn’t Lie

The data from these studies indicates that there is no organization in any industry that is not vulnerable to a breach of data.

  • Every company, no matter what size, should put in some effort to protect their sensitive data.
  • Many breaches of data could have been prevented by implementing stronger security controls, improving credentials used to long in and employing safety best practices in the workplace.
  • Weak or stolen usernames and passwords are one of the top causes of data breaches, and more than 75 percent of attacks on corporate networks are due to weak passwords.
  • Almost half of all instances of hacking is due to stolen passwords, which are obtained through the theft of password lists.

Know The Risks of Choosing Weak Passwords

Experts have warned for many years that there are risks associated with relying on weak usernames and passwords to restrict the access of data.

  • Verizon estimates that about 80 percent of all data breaches could have been stopped if a stronger, better password was used.
  • Experts, including the IT team of companies, can offer assistance to employees seeking to improve their passwords and reduce risk.
  • Too many companies protect their data with passwords that are too weak or too easy to guess, such as the name of the organization or other obvious words.
  • It is also difficult to enact policies for improved passwords in the workplace because employees are not informed of the facts.
  • The best passwords are long and varied, with symbols, letters and numbers. These passwords should also not be obvious, such as the name of a company, address or company motto.
  • One of the best investments in ones personal security is in a password manager. Frankly, I don’t know how anyone can use a PC and not have a password manager in place.

Robert Siciliano is a personal privacy, security and identity theft expert to RoboForm discussing identity theft prevention. Disclosures.

Cloud Data Breaches mo’ Money

IT people need to beef up their opinions about cloud security, says a recent report by the Ponemon Institute called “Data Breach: The Cloud Multiplier Effect.”

3DYes, data breaches occur in the cloud. In fact, it can be triple the cost of a data breach involving a brick and mortar medium.

The report put together data from the responses of over 600 IT and IT security people in the U.S. The report has three observations:

  • Many of the respondents don’t think that their companies are adequately inspecting cloud services for security.
  • The cost of a data breach can be pricey.
  • When a business attempts to bring its own cloud, this is the costliest for high value intellectual property.

More Results

  • 72% of the participants thought that their cloud service providers would fail to notify them of a breach if it involved theft of sensitive company data.
  • 71% believed this would be the same outcome for customer data breaches.

Many company decision makers don’t think they have a whole lot of understanding into how much data or what kind is stored in a cloud.

  • 90% thought that a breach could result when backups and storage of classified data were increased by 50 percent over a period of 12 months.
  • 65% believed that if the data center were moved from the U.S. to a location offshore, a breach could result.

All of these findings mentioned here are the result of self-estimations rather than objective analysis of real breaches.

Ponemon also determined that if a breach involved at least 100,000 records of stolen personal data, the economic impact could jump from an average of $2.4 million to $4 million, up to $7.3 million. For a breach of confidential or high-value IP data, the impact would soar from $3 million to $5.4 million.

In addition to the self-reporting loophole, the report had a low response rate: Only 4.2 percent of the targeted 16,330 people responded, and in the end, only 3.8 percent were actually used. Nevertheless, you can’t ignore that even self-estimated attitudes paint a dismal picture of how cloud security is regarded.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

7 ways to prevent Data Theft when traveling

The threat of data theft follows travelers; there’s never a vacation from hackers. So what should the traveler do? Anticipate snooping by hackers. This way, you can prepare for the worst.3D

  1. If you must bring a laptop, use it as a shell to access data remotely. Leave private information behind. If this is not possible, bring it with you in the form of an encrypted memory stick or have it stored online to download later.
  2. Always use comprehensive security software whenever connecting online.
  3. If you anticipate bringing your laptop or other devices along, have an IT expert install on it disk encryption software. Better yet, have the whole hard drive encrypted: This would be worthless in the hands of a thief.
  4. Install a VPN: virtual private network. The VPN will allow you to get onto websites that are blocked in some foreign countries like China. A VPN will also protect data as it’s transmitted through the air, scrambling it so that hackers can’t understand it.
  5. Use multiple layers of protection. For example, if your device has the capability, use a fingerprint scanner to verify the user’s identity in addition to password protecting your device. Any combination of these features might be built into the hardware, software or available as a peripheral.
  6. To prevent visual hacking (people spying on what you’re doing on your computer), use a privacy screen. 3M makes a great one. And be careful where you choose to work on your computer. Don’t have your back facing the open where someone can easily peer over your shoulder or even record what’s on your screen from a distance.
  7. Never leave your devices in a hotel room or unattended while you head off to the restroom or take a break from a conference meeting. Just suck it up and take it with you.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Post-Data Breach Reputation Building

You WILL be hacked. Remember that mantra if you’re a business. Business leaders need to realize the effect that a data breach would have on customers and clients—an aftermath of distrust which can take a lot of time and money to rebuild.

4HInteractions is a customer experience marketing group that released a study called “Retail’s Reality: Shopping Behavior After Security Breaches.” One of the findings is that 45 percent of shoppers don’t trust retailers with their personal information. Following a data breach, 12 percent of faithful shoppers cease shopping at that store, and 36 percent shop there less. And 79 percent of those who’d continue shopping there would more likely use cash—which means buying less.

So that’s a retailer’s worst nightmare: Non-trusting customers who are spending less (not to mention the ones who quit shopping there altogether).

This leaves retailers with two options: prevent all data breaches (not an attainable goal) or devise a plan to minimize the disastrous aftermath.

Communication and transparency with customers is crucial in the aftermath of a breach. Customers want to know that a company will rise to the occasion in the event of a breach and are more interested in how the retailer will deal with the fallout, rather than how a retailer will prevent it. After all, consumers tend to realize that hacking these days is just a part of life.

Companies should not wait till a breach occurs to figure out how to retain customer trust; they should plan ahead. Companies should be able to assess the risk related to the data they collect and have a breach response plan in place prior to a data breach.

The IT department is often on center stage following a breach, but marketing, customer service, and HR departments are also very important.

The departments should pool together to come up with a plan to reassure customers that their security is the top priority and that should a breach occur, they will do everything possible to protect their customers and restore any and all accounts that are compromised as a result.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Data Breaches May Result in Board Breakups

The ripple effect continues to haunt Target: It’s expected that seven of its board of directors members may be replaced because they failed to provide effective oversight into the corporation’s data-protection risks. Boards simply need to be more proactive in safeguarding their companies against data breaches.

2DInstitutional Shareholder Services (ISS) prepared a report on the Target data breach and aftermath. The report states that Target’s board members should have been kept in the loop pertaining to protection of sensitive information and what a breach could mean to brand reputation and customer loyalty.

“The company acknowledged the need for more stringent internal capabilities to identify potential risks with less reliance on external reports which suggested the systems were robust enough,” the report says.

The report concludes that Target failed to prepare for keeping up with today’s cyber threat technology, and that this failure comes from the audit and the corporate responsibility committees.

ISS says that these committees are responsible for being in charge of risk assessment and management. This includes the risk of fraud. The inadequate oversight in these areas paved the way to the disastrous data breach.

The ISS report should be a wakeup call to board members of all businesses. Board members need to realize the importance of directing more time, energy and money toward improving security programs.

Though the dismissal of seven of Target’s total of 10 board members may seem radical, it also has a fair degree of rationale because it sends the message that boards and senior executives need to be held accountable for their company’s cyber security.

Boards need to be practically fused with their organization’s IT experts and executive team so that they have an intimate knowledge of the steps a company is taking to protect customer information—even if none of the board members are security experts. The ramifications from poor handling of a data security incident are now things that even board members must be aware of and work to prevent.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

How Law Enforcement Detects Breaches Before Victims

Law enforcement agencies detect data breaches before businesses do because the former seeks evidence of the cyber crime, reports a networkworld.com article.

1GUnlike law enforcement agencies, businesses don’t go undercover in hacker forums. Nor do they get court permission to bust into enclaves of cyber thieves. Businesses don’t have moles. It continues: Law enforcement agencies interview imprisoned cyber crooks. The FBI does a lot of undercover work.

Law enforcement may then approach a company and say, “You’re being victimized; we have the evidence.” But often, the company may be skeptical of such a claim. Admittance means facing government response and upset customers

The law is always buffing up on its skills at fighting cybercrime to keep up with its evolution, such as a drastic decrease in solitary criminals and an increase in complex crime rings. These rings have all sorts of technical tricks up their sleeves, including hosting their own servers and changing up their communication methods to vex law enforcement. It doesn’t help that some foreign countries don’t place an emphasis on fighting cybercrime.

The evidence that the law presents to the business when that time comes is rock solid, though again, the company may lack aggression in its immediate response. The company’s legal counsel is commonly the first person to get the forensics report. Upper management usually gets involved before the IT department does. This is all part of keeping legal control over potentially harmful situation.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Data Breaches Equal Job Loss

Is it coincidence that Beth Jacob CIO resigned from her job as chief information officer of Target Corporation? Or could this possibly be connected to the data breach that slammed Target in December of 2013, affecting as many as 70 million customers? Being a CIO is no easy task, especially when you have thousands of criminals trying to breach your networks every minute of every day.

4DTarget also announced that its information security procedures and compliance division will be completely revamped. The retail giant will also be seeking an interim CIO.

That’s not all. Gregg Steinhafel, Target’s former chief executive, recently lost his job with the retailer due to the data breach. He had been with the company for 35 years.

Should weaknesses in computer safety be blamed on Chief Executive Officers? Yes, because ultimately, the CEO is responsible for protecting the customer’s sensitive data. For instance, Steinhafel was at the helm when thieves hacked customer data records such as credit card information and home addresses, from the retailer’s computer system. Boards are also latching onto this issue and will be very influential in the before and after of a breach.

The company CEO isn’t just responsible for sales; this individual is responsible for security. Target’s data breach is a rude awakening for CEOs everywhere; data security breaches influence sales—very negatively—not to mention customer loyalty.

And then there’s the enormous expense of recovering from the breach and regaining customer trust. In Target’s case it rings in at $17 million thus far. And it is growing. Ultimately, the costs for everything related to the data breach is projected to soar into the billions.

The Secret Service, which is involved in the ongoing investigation, reports that it may take years to nail the hackers.

Law Enforcements motto is “Serve and Protect” and people gripe “where’s a cop when you need one” suggesting Law Enforcement is supposed to be there to protect us at all times. This misconception has created an entire culture of “its not my job/responsibility/problem”. YES. IT. IS. As a company front line employee, an officer or a CEO, security is your responsibility. Security is everyone’s responsibility.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

How Data Breaches happen and how to respond

Here’s four chief ways how data breaches happen:11D

  • Illegal access to information or systems. Personal Identifying Information (PII) data can be illegally accessed via technology such as computer hacking or infecting computers with viruses, Trojans or worms—leading to stolen data or malfunctioning systems.
  • An inside job. Employees (past or present) can commit data breaches. Also, an innocent employee is tricked by social engineering into revealing confidential information or giving out access to that information.
  • Judgment lapse. An employee may leave data unprotected—not on purpose, but due to an oversight, making it easy prey for villains.
  • Device loss. When a device that contains valuable data is lost or misplaced, a thief could get ahold of it—and then all hell can break loose.


Prepare

Don’t wait for a breach to figure out a plan of action. Have the plan in place in anticipation of an attack. The plan should be built around written emergency contacts, clear guidelines to which law enforcement outfits should be contacted for resolution, and a notification timeframe.

Put in place vendor contracts that have a call center unless the company’s staff can handle a big data breach. The contracts should also include a mail-house for letters of notification, and previously agreed rates pertaining to consumer fraud protection should the business need to notify clients or customers.

Fighting back

When a breach occurs, consult with legal counsel, always. In addition, there are certain actions you must take. First, find out how the breach occurred, then contain it. Get a solution started to prevent it from striking again. Alert relevant employees.

Also notify external entities in a timely fashion such as law enforcement, a forensics investigator, consumers, FTC and any affected vendors and suppliers.

Additional Points

  • A strong prevention strategy for data breaching depends upon top management, to ensure that the company’s budget covers fiscal and personnel resources.
  • From the get-go, the company’s most high-up individuals should be included in devising any plans to protect against and mitigate data breaches.
  • Getting upper management involved is critical for establishing a solid groundwork for security.
  • Keeping up to date and re-evaluations should be carried out on an ongoing basis to always stay on top of the latest trends in data breach and security technologies.
  • Also ongoing should be training and practice of the company’s response plan to data breaching.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.