How Data Breaches happen and how to respond

Here’s four chief ways how data breaches happen:11D

  • Illegal access to information or systems. Personal Identifying Information (PII) data can be illegally accessed via technology such as computer hacking or infecting computers with viruses, Trojans or worms—leading to stolen data or malfunctioning systems.
  • An inside job. Employees (past or present) can commit data breaches. Also, an innocent employee is tricked by social engineering into revealing confidential information or giving out access to that information.
  • Judgment lapse. An employee may leave data unprotected—not on purpose, but due to an oversight, making it easy prey for villains.
  • Device loss. When a device that contains valuable data is lost or misplaced, a thief could get ahold of it—and then all hell can break loose.


Don’t wait for a breach to figure out a plan of action. Have the plan in place in anticipation of an attack. The plan should be built around written emergency contacts, clear guidelines to which law enforcement outfits should be contacted for resolution, and a notification timeframe.

Put in place vendor contracts that have a call center unless the company’s staff can handle a big data breach. The contracts should also include a mail-house for letters of notification, and previously agreed rates pertaining to consumer fraud protection should the business need to notify clients or customers.

Fighting back

When a breach occurs, consult with legal counsel, always. In addition, there are certain actions you must take. First, find out how the breach occurred, then contain it. Get a solution started to prevent it from striking again. Alert relevant employees.

Also notify external entities in a timely fashion such as law enforcement, a forensics investigator, consumers, FTC and any affected vendors and suppliers.

Additional Points

  • A strong prevention strategy for data breaching depends upon top management, to ensure that the company’s budget covers fiscal and personnel resources.
  • From the get-go, the company’s most high-up individuals should be included in devising any plans to protect against and mitigate data breaches.
  • Getting upper management involved is critical for establishing a solid groundwork for security.
  • Keeping up to date and re-evaluations should be carried out on an ongoing basis to always stay on top of the latest trends in data breach and security technologies.
  • Also ongoing should be training and practice of the company’s response plan to data breaching.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Ways small businesses are preventing Breaches

How did that huge recent data breach of a major retailer occur in the first place? Well, valuables can’t be stolen if there aren’t any valuables to begin with. Large merchants will store customers’ credit/debit card data to facilitate faster transactions. But small retailers keep minimal or zero data—this will not attract thieves.

2DIf customers want increased security of their card data, they’re going to have to give up the speedy transactions and automatic debits, because currently, they can’t have it both ways.

A smaller outfit may keep only the last four numbers of a credit card on file; no SSN or anything else. This isn’t much for thieves to work with. Yet at the same time, every time a customer makes a purchase, they must give all the required information.

Some small retailers are completely technology-free, though this seems like an impossible undertaking in this modern e-age. For example, a small business that bills monthly for services may not honor automatic withdrawal of a member’s monthly fees. Members may pout, unaware that this inconvenience has a protective feature.

Banks also have a role in protecting customers and businesses. A good start would be to require a PIN from cardholders for every transaction.

Another maneuver would be for the U.S. to ditch the magnetic strip on cards and replace with a digital chip. This would prevent thieves from stealing data off the strip. Thanks to the magnetic strip, America is the hacking capital of the world.

Additional Tips

  • Hardware: firewall security appliances and routers.
  • Software: Think anti: virus, spyware, phishing. Also think full disk encryption and total protection suites.
  • E-mail security: It must be hammered into employees NEVER to click on any link in an e-mail from an unfamiliar sender.
  • Physical security: The building should be equipped with video surveillance (outside and indoors), alarm systems and solid core doors of commercial grade.
  • The test: Find someone, known as a “penetration tester” who knows all about hacking, but whom you can trust, to “hack” your network to see what needs to be done to protect it from a real villain.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Data Breaches hurt Businesses’ Brand

That very newsworthy data breach that’s still in the news struck 110 million customers, not the more commonly reported 40 million; that’s one-third of the U.S. population.

4HThere was also another, but less publicized, breach of huge proportions that occurred to a major retailer in mid-December of 2013. And some reports say another 6 or more retailers may be affected in a similar breach.

The major-news retailer that got kicked in the butt by cyber criminals has run full page newspaper ads apologizing for not effectively protecting customers’ data, and hoping to win back consumers’ trust and loyalty. Kind of sounds like the Tylenol poisoning scare in the 1980s when the drug maker went on a massive ad campaign to win back consumers’ trust.

But with each new revelation of more data being compromised and growing concern of additional fraud, has come more media and customer scrutiny resulting in compounded brand damage.

Trust and Security

Feeling secure and trusting the brand is a major force behind consumer loyalty. Prior to that massive December breach, the retailer was right up there with its huge competitors as far as meeting reasonable consumer expectations.

That data breach has severely tainted the retailer’s customers’ trust. The 2014 Customer Loyalty Engagement Index accesses the retailer’s brand engagement level to be about 6 percent.

Sales have plummeted since the breach hit the news. Recovery is expected to be slow and arduous, and social media is fueling the sensationalism. It can take years to build up trust, but just a few hours of news “going viral” to crush it.

All is not lost.

The adage “What doesn’t kill us makes us stronger” plays a vital role when companies embrace their failures, learn from them and do right by their customers. The next few months will have a serious impact on the future of the breached companies and every retailer who accepts credit cards for payment.

Now is the time to beat the drum of customer security and bring awareness to how your company protects customer data. Move up t Move down

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

What is a Data Breach and how do I protect Myself?

When protected, sensitive or confidential data is accessed or used by someone without authority, this is a data breach. This can involve any kind of data such as personal health, financial, or business related.

3DNot all data breaches result from hacking into a computer. One can breach data simply by peering over someone’s shoulder at the computer screen when they shouldn’t be. It can also be elaborately planned: A company’s new employee may actually be working for an extensive crime ring to steal data from the inside. Needless to say, a data breach can lead to identity theft (among many other problems).

In the workplace, especially retail, where credit cards are processed, the Payment Card Industry Data Security Standard is designed to provide retailers with guidelines to eliminate data breaches. In a healthcare workplace, HIPAA (Health Insurance Portability and Accountability Act) helps control who has access to personal health information.

How can you protect yourself?

  • As a consumer you must keep your operating system updated to the latest secure version.
  • Run antivirus, antispyware, antiphishing and a firewall.
  • Protect your wireless communications with encryption and use a VPN for portable devices.
  • Use secure passwords with upper/lower case and numbers.
  • In the event someone else is responsible for a breach read very carefully any notification of a data security breach and don’t assume that the breach was accidental or that identify theft is not likely.
  • Use an identity theft protection product. It will scavenge cyberspace for any unauthorized use of personal information such as from your credit cards and Social Security number; will keep track of personal credit information; and will send an alert if suspicious activity is detected—maybe even prior to you receiving a consumer notification.

Robert Siciliano is an identity theft expert to discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

One in Three Massachusetts Residents’ Records Breached

Massachusetts has one of the most stringent data protection laws on the books. Businesses are required to disclose data breaches, and companies are now reporting when even a single individual’s information has been compromised.

Despite strict laws and security requirements, companies are continually being hacked in record numbers. And if major businesses still being hacked despite allocating significant resources to securing their data, you’re more than likely at least as vulnerable.

The Boston Globereports, “Personal information from nearly one out of three Massachusetts residents, from names and addresses to medical histories, has been compromised through data theft or loss since the beginning of 2010, according to statistics released yesterday by the office of Attorney General Martha Coakley.”


  • Since January 2010, 1,166 data breach notices have been filed
  • 480 of those breaches occurred between January and August of 2011
  • 2.1 million residents were affected
  • 25% involved deliberate hacking of computer systems containing sensitive data

This is just Massachusetts. Every other state is experiencing the same thing. According to Juniper Research, in the past year, 90% of organizations have suffered from some form of data breach. Since the start of 2011, there have been 365 data loss incidents involving 126,727,474 records around the world.

Keeping PCs and Macs updated with antivirus and anti-spyware software is fundamental, as is updating all critical security patches. You should also have a two-way firewall monitoring incoming and outgoing traffic, and strong passwords that combine upper and lowercase letters, numbers, and preferably other characters.

Robert Siciliano personal and home security specialist to Home Security Source discussing identity theft on YouTube.

Data Privacy Day 2012

Lately, it seems that barely a day goes by when we don’t learn about a major Internet presence taking steps to further erode users’ privacy. The companies with access to our data are tracking us in ways that make Big Brother look like a sweet little baby sister.

Typically when we hear an outcry about privacy violations, these perceived violations involve some apparently omnipotent corporation recording the websites we visit, the applications we download, the social networks we join, the mobile phones we carry, the text messages we send and receive, the places we go, the people we’re with, the things we like and dislike, and so on.

How do they do this? By offering us free stuff to consume online and infrastructure for the online communities that tie us together. We gobble up their technologies, download their programs, use their services, and mindlessly click “I Agree” to terms and conditions we haven’t bothered to read.

What’s the point of all this? Sales, marketers, advertisers, other businesses benefit from knowing every last detail about you—the “33 bits of information” necessary to pin down your identity—in order to deliver precisely targeted advertisements to your digital device of choice, whether that’s a computer, tablet, or smartphone.

Should we care? What is the potential danger? “Back in the day,” examples might include telemarketers abusing your phone number by calling incessantly, or direct marketers filling your mailbox with junk mail.

Today, it’s spammers sending unwanted emails, or the same advertisement from the same company popping up again and again on every single website you visit. The concern is that this could go from annoying to frightening.

Privacy advocates are working to prevent the worst and most extreme outcomes of personal data collection. They know that without checks and balances, without consumers knowing their rights and actively protecting their own privacy and personal data, that data could be used unethically.

Privacy is your right. But realize that in our wired, interconnected world, privacy only really consists of what you say and do within your own home, legally, with the shades pulled down, between you and your loved ones, that is not communicated, recorded, broadcast, or reproduced on the Internet or any public forum in any way. Beyond that, especially when taking advantage of various online resources, be sure that you know what it is you’re agreeing to and take precautions to protect yourself.

Saturday, January 28th is Data Privacy Day which promotes awareness about the many ways personal information is collected, stored, used, and shared, and education about privacy practices that will enable individuals to protect their personal information.  This is a good time to check your privacy settings on social networking and other sites you use, ensure you have a strong password and be aware of where and with whom you are sharing your personal data with.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube.(Disclosures)

5 Quick Tips on How to Prevent the Next Data Breach

You may be aware of the uber techie bad boy hackers of Anonymous/Lulz/Anti-sec/Wikileaks/ScriptKiddies and the organized web mobs of the world.  Did you know they have wreaked havoc to the degree that almost a billion records have been compromised?  A recent study “gathered 3,765 publicly disclosed data breach incidents occurring in 33 countries during 2005-2010. The incidents included over 806.2 million known records being disclosed– averaging more than 388,000 records per day/15,000 records per hour every single day for the past six years.”

#1 Not all data is hacked. Exercise basic to advanced premise/physical security such as access control, security cameras and alarms.

#2 Limit the amount of data required from customers. If you don’t really need a Social Security number then don’t store it. If credit card information doesn’t need to be stored then don’t store it.

#3 Recognize that knowledge based authentication questions as password resets can bring down the house. Many of the answers can be found in social media sites.

#4 Laptops are one of the biggest data breach points. Laptop data should be encrypted. Laptops should never be left in a car overnight or left in a hotel room or office alone or on a coffee table in a café unattended. Laptop tracking software that locates and wipes data is essential.

#5 Train, train, train, train. Training on data security and what to do, and what not to do is priority number one.  Clicking links in emails, downloading anything from the web or email, opening attachments in emails, have all been recent successful ways to infect a network.

Robert Siciliano personal and small business security specialist toADT Small Business Security discussingADT Pulse on Fox News. Disclosures

Consumers Need to Rethink IT Security and Safety

Hackers and crackers and data breaches! Oh my! Confused? Overwhelmed? Don’t care? You should, and there’s help.

Few people are head first into gadgets, technology, the cloud and security as I. I have my devices, my wife’s, my kids, there’s Apple products, Microsoft Windows, smart phones, feature phones and tablets. It’s maddening.

Now instead of one PC per household, consumers are purchasing multiple devices . And with consumers able to access the digital world as easily from their smartphones and tablets as from their personal computer, PCs are no longer the main method of connecting to the Internet.

This wave of new devices and their ease of connectivity also means that consumers are now starting to think differently about their digital security.

Mobile Device Users

The threat of lost or stolen devices and the possibility of their personal information being used for fraudulent means a significant concern. In the United States 113 mobile phones are lost every minute  and more than half of smartphone users do not use any password protection to prevent unauthorized device access.

Mac UsersMac OS is not safe from viruses. As of late last year there were 5,000 malware versions targeting the Mac, a number that is growing by ten percent per month.

Child and Teen Users
Are your kids they being exposed to pornography? Will they be contacted by strangers through their social networking profiles?  Are they downloading age-appropriate music and movies? Having protection on the household PC is no longer enough. Parents need to know that their children are safe on all the devices they use, wherever they connect.

It is here and called McAfee All Access. Before consumers had to look for and download a hodge podge of security software from numerous vendors with multiple “keys” to activate. What McAfee knew consumers wanted was an “all in one” solution that for once and for all provides a dashboard to manage all your devices from one place regardless of if it is a PC, smartphones, tablets, netbooks, or Mac.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)



Hackers Target Small Business

Big companies and big government get big press when their data is breached. And when a big company is hit, those whose accounts have been compromised are often notified. With smaller businesses, however, victims are often left in the dark, regardless of the various state laws requiring notification.

One reason for this is that smaller businesses tend not to keep customer names and contact information on file, and credit card companies discourage them from recording credit card data.

This is serious cause for concern. The Wall Street Journal reports that the majority of breaches impact small businesses:

“With limited budgets and few or no technical experts on staff, small businesses generally have weak security. Cyber criminals have taken notice. In 2010, the U.S. Secret Service and Verizon Communications Inc.’s forensic analysis unit, which investigates attacks, responded to a combined 761 data breaches, up from 141 in 2009. Of those, 482, or 63%, were at companies with 100 employees or fewer. Visa Inc. estimates about 95% of the credit-card data breaches it discovers are on its smallest business customers.”

If 95% of breaches affect small companies, it’s anyone’s guess how many times my or your credit card numbers have been compromised. I’ve received four new cards in the past three years as a result of major companies being breached. But I use credit cards at more than a hundred different retailers in a year. And it isn’t only credit card numbers that are stolen, but also usernames and passwords, Social Security numbers, email addresses, and more.

Check your credit card statements online weekly and refute any unauthorized charges. As long as you dispute charges within 60 days, federal laws limit your liability to $50. Unauthorized debit card charges must be reported within two days, or liability jumps to $500.

Change up your passwords at least once every six months. If a business is hacked, they may not know for years, and can’t possibly notify you until it’s much too late.

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing identity theft on YouTube. (Disclosures)

Disclosing Data, Despite Breaches

The ticker tape of data breaches in the last few months has been astounding. Many have called 2011 “The Year of The Hacker“ and that prognostication has rung true, without question. Halfway through the year, data breaches are an incessant news story.

And despite the constant stream of bad news, consumers continue divulging a tremendous amount of data to retailers, auction sites, dating sites, and gaming sites. While awareness of fraud and cybercrime is at an all time high, consumers seem to feel they don’t have much of a choice but to provide all their data.

People have grown to love the Internet and all the conveniences it offers, both commercially and socially. In my household, little people under five years old whack away at online iPhone games, never knowing what it’s like not to have the Internet.

Many seem to feel that their privacy is the price they must pay for all this connectedness and convenience, and are even willing to put their personal security at risk in exchange.

Scammers know and are capitalizing on this. There isn’t an online gamer, dater, social networker, or consumer today who isn’t at some level of risk.

While all necessary defenses must be employed to prevent hackers from compromising data, an additional layer of protection should be implemented to keep them off websites in the first place.

Every one of these platforms would do well to stem the tide of fraud by incorporating device reputation. One anti-fraud service offering fast and effective results is iovation’s ReputationManager 360. This service incorporates device identification, device reputation, and real-time risk profiling. Hundreds of online businesses prevent fraud and abuse by analyzing the computer, smartphone, or tablet connecting to their websites, and with iovation’s service, they stop 150,000 online fraudulent activities each day.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another databreach on Good Morning America. (Disclosures)