Posts

Data Breach Aftermath

Haste certainly doesn't make waste if an entity holding your data has been hacked and your information exposed. Don't waste a minute before notifying the affected accounts. In the case of a credit card, the issuer will investigate, and you will not have to pay the fraudulent charges (your liability for unauthorized credit card charges is capped by law, and most issuers waive it entirely). The breached card will be closed and you'll get a new one. And there is more.

It all sounds simple enough, but the experience can be a major hassle. Below is what you should do upon learning your card or other personal data has been breached:

  • If your Social Security number (SSN) is exposed, place a credit freeze or a fraud alert with each of the three major credit bureaus (Equifax, Experian and TransUnion). Placing a fraud alert entitles you to a free copy of your credit report from each bureau; pull them and review them for accounts and inquiries you don't recognize.
  • Look for accounts opened in your name that you didn't set up. Notify those companies and close the accounts. Make a list of every entity that might be affected by your identity theft, then contact each one.
  • If your identity is actually stolen, you will likely need documentation to prove it to creditors, so file a report with your local police and with the FTC.
  • Keep thorough documentation of all of your relevant correspondence.

If your credit card was compromised, you must also contact every company or service that charged the old card on autopay. This includes quarterly autopays (e.g., the pest-control company) and yearly ones, like your website's domain name renewal. Don't forget these: every autopay has to be moved to the new card, and a renewal that silently fails can cost you more than money (a lapsed domain registration, for instance, can be picked up by someone else).

But you must also consider the possibility that the card breach is only the beginning of more identity theft to come. You now have to be more vigilant than ever. If it can happen once, it can happen again.

  • Check every charge on every statement. If you don't remember making that $4.57 charge, investigate it. Thieves often test a stolen card with a tiny purchase, then escalate.
  • Use the alerting features that many card issuers and card-monitoring apps offer for free. They flag activity that is out of the norm, such as a charge in your home town followed an hour later by another charge 800 miles away.
  • See if your card issuer lets you set up account alerts, such as a notification every time a purchase exceeds an amount you set.
  • Never let your card out of your sight. The thief could be someone you handed your card to for a payment, who ran it through a handheld skimmer and captured the stripe data. If you don't want to deal with, for instance, the restaurant server who wants to take your card out of view to run the payment, pay cash (if possible) or ask to pay at the terminal.
  • Avoid standalone public ATMs; machines inside your bank's branch are less likely to have been fitted with a skimming device.
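The three checks above (a per-purchase threshold, the "home town, then 800 miles away an hour later" pattern, and the tiny test charge) are mechanical enough to show in code. The following is an added example, not code from the original post or from any card issuer: it runs those checks over a few constructed transactions. The merchant names, coordinates, amounts and thresholds are all made up for the example.

```python
"""Statement checks for a compromised card (added example, not from the post).

Three of the checks the post recommends, run over constructed sample
transactions: a per-purchase amount alert, an "impossible travel" check for
charges too far apart for the time between them, and a flag on tiny charges
at merchants the cardholder has never used (the "$4.57 charge").
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8
MAX_PLAUSIBLE_MPH = 500.0   # implied speed above this between two card-present charges
TEST_CHARGE_LIMIT = 5.00    # tiny "does the card still work?" probe
ALERT_AMOUNT = 200.00       # cardholder-chosen per-purchase alert threshold (assumed)


@dataclass(frozen=True)
class Txn:
    when: datetime
    merchant: str
    amount: float
    lat: float
    lon: float


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in miles."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(h))


def find_anomalies(txns, known_merchants):
    """Return (rule, message) pairs, in statement order, for every rule a charge trips."""
    alerts = []
    ordered = sorted(txns, key=lambda t: t.when)
    for i, t in enumerate(ordered):
        stamp = f"{t.when:%Y-%m-%d %H:%M} {t.merchant} ${t.amount:.2f}"
        if t.amount > ALERT_AMOUNT:
            alerts.append(("amount", f"{stamp}: exceeds alert threshold ${ALERT_AMOUNT:.2f}"))
        if t.amount < TEST_CHARGE_LIMIT and t.merchant not in known_merchants:
            alerts.append(("test_charge", f"{stamp}: tiny charge at an unfamiliar merchant"))
        if i > 0:
            prev = ordered[i - 1]
            miles = haversine_miles(prev.lat, prev.lon, t.lat, t.lon)
            hours = (t.when - prev.when).total_seconds() / 3600
            # Charges at (practically) the same place are fine; otherwise check the implied speed.
            if miles > 1 and (hours == 0 or miles / hours > MAX_PLAUSIBLE_MPH):
                alerts.append(("impossible_travel",
                               f"{stamp}: {miles:.0f} miles from {prev.merchant} "
                               f"in {hours * 60:.0f} minutes"))
    return alerts


# Constructed sample: a Boston cardholder whose card turns up in Cleveland 55 minutes later.
BOSTON = (42.36, -71.06)
CLEVELAND = (41.50, -81.69)
KNOWN_MERCHANTS = {"Corner Coffee", "Maple St Grocer"}
SAMPLE_TXNS = [
    Txn(datetime(2014, 6, 2, 9, 0), "Corner Coffee", 4.25, *BOSTON),
    Txn(datetime(2014, 6, 2, 9, 45), "Maple St Grocer", 63.10, *BOSTON),
    Txn(datetime(2014, 6, 2, 10, 40), "Gas-N-Go #112", 1.00, *CLEVELAND),
    Txn(datetime(2014, 6, 2, 11, 30), "ElectroMart", 649.99, *CLEVELAND),
]


def sample_alerts():
    """Run the checks over the constructed statement."""
    return find_anomalies(SAMPLE_TXNS, KNOWN_MERCHANTS)


if __name__ == "__main__":
    for rule, msg in sample_alerts():
        print(f"[{rule}] {msg}")
```

On the sample statement the $4.25 coffee is ignored because the merchant is familiar, while the $1.00 gas-station charge trips both the test-charge and the impossible-travel rule (roughly 550 miles in 55 minutes), and the $649.99 electronics purchase trips the amount alert. Real issuer systems use richer signals (card-present vs. online, merchant category, device fingerprints), but the logic is the same.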

Beyond tampered ATMs and clerks taking your card out of view to collect payment, there are many ways your personal information can end up in a thief's hands. Here are steps to help prevent that:

  • Shred all documents containing any of your personal information, including receipts, so that "dumpster divers" can't make use of them.
  • When shopping online, use a virtual (single-use or merchant-locked) card number if your bank offers one; a breach at that merchant then exposes a number that can't be reused elsewhere.
  • When shopping, use only sites whose address starts with "https". Keep in mind that https only means the connection is encrypted; it says nothing about whether the merchant itself is trustworthy.
  • Never let a shopping site save your card number.
  • If a retail site requires your SSN in order to make a purchase, leave the site and never go back.
  • Never enter your credit card or other personal information into a form you reached by clicking a link in an e-mail message. In fact, don't click links in e-mail messages at all; type the address yourself instead.
  • Make sure all of your devices have a firewall and antivirus/antimalware software, and keep them updated.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Study Shows 67% of Employees Expose Sensitive Data Outside the Workplace

IDC, an IT analyst firm, estimates that the mobile worker population could reach 1.3 billion by 2015, meaning that many people will be accessing workplace data outside the workplace. This is risky because it exposes that data to onlookers as well as to hackers.

In fact, the safety of what's displayed on a computer screen in public is of huge concern. The 3M Visual Data Breach Risk Assessment Study provides some troubling findings.

First off, 67 percent of workers expose company data outside the workplace, including very sensitive information, and typically the employee has no idea how risky this is. It's as easy as a crook capturing what's displayed on the screen with a smartphone camera as he passes by, or quietly watching from a nearby seat.

And there’s little corporate policy in place to guard against this. The study says that 70 percent of professional employees admitted their company lacked any explicit policy on conducting business in public. And 79 percent reported that their employer didn’t even have a policy on privacy filter use.

Either communication about policies with employees is feeble, or attention to visual policy from the decision makers is lacking.

An increasing number of people are taking their online work to public places, and if they knew that company data was properly protected from roving snoops, they'd be more productive. Companies need to take visual privacy more seriously, and that includes equipping employees with the tools to protect it. Below are more findings.

Type of Data Handled in Public

  • Internal financials: 41.77%
  • Private HR data: 33.17%
  • Trade secrets: 32.17%
  • Credit card numbers: 26.18%
  • SSNs: 23.94%
  • Medical data: 15.34%

Only three percent of the respondents said that there were restrictions imposed on some corporate roles working in public. Eleven percent didn’t even know what their employer’s policy was.

One way to make headway is a privacy filter, which blocks side-angle views of the screen. Eighty percent of the people in the study said they'd use a device with a filter.

Another factor is educating workers about the issue. An informed employee is more likely to sit with their back to a wall when working in public.

Additional Results

  • In general, work is not allowed in public: 16%
  • No explicit policy on public working: 70%
  • To the worker, privacy is very important: 70%; somewhat important: 30%; not very important: 4%; not important at all: 1%.
  • Only 35 percent of workers opted to use a kiosk machine with a privacy filter when presented with two machines: one with and one without the privacy filter.

The study concludes that businesses are sadly lacking in security tactics relating to data that’s stored, transmitted, used and displayed. This is a weak link in the chain of sensitive information. Any effective IT security strategy needs to address this issue and take it right down the line to the last employee.

Robert Siciliano is a Privacy Consultant to 3M discussing Identity Theft and Privacy on YouTube. Disclosures.

Cloud Data Breaches mo’ Money

IT people need to re-examine their assumptions about cloud security, says a recent report by the Ponemon Institute called "Data Breach: The Cloud Multiplier Effect."

Yes, data breaches occur in the cloud, and the report estimates that a breach involving cloud services can cost as much as three times one involving only on-premises systems.

The report compiled responses from over 600 IT and IT security practitioners in the U.S. It makes three observations:

  • Many respondents don't think their companies adequately vet cloud services for security.
  • A breach involving cloud services is expected to be significantly more costly than one that doesn't.
  • When employees bring their own cloud services into the business (BYOC), the expected cost increase is greatest for high-value intellectual property.

More Results

  • 72% of the participants thought that their cloud service providers would fail to notify them of a breach if it involved theft of sensitive company data.
  • 71% believed this would be the same outcome for customer data breaches.

Many company decision makers don't think they have much visibility into how much data, or what kind, is stored in the cloud.

  • 90% thought that a 50 percent increase over 12 months in cloud backup and storage of sensitive data would raise the probability of a breach.
  • 65% believed that moving a data center from the U.S. to an offshore location would raise the probability of a breach.

All of these findings mentioned here are the result of self-estimations rather than objective analysis of real breaches.

Ponemon also estimated that if a breach involved at least 100,000 records of stolen personal data, the economic impact could jump from an average of $2.4 million to $4 million, and in the worst cloud scenarios to $7.3 million. For a breach of confidential or high-value IP data, the impact would rise from $3 million to $5.4 million.

In addition to the self-reporting caveat, the report had a low response rate: only 4.2 percent of the 16,330 people targeted responded, and in the end only 3.8 percent of responses were actually used. Nevertheless, you can't ignore that even self-estimated attitudes paint a dismal picture of how cloud security is regarded.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert's FREE ebook, text SECURE Your@emailaddress to 411247. Disclosures.

10 ways to protect your Devices and Data

Gee, it used to be just your desk computer that needed protection from cyber thugs. Now, your connected thermostat, egg tray monitor, teen’s smartphone, garage door opener, even baby monitor, are all game for cyber creeps.

It can't be said enough: install antivirus software. It really does make a difference. A malware scanner on its own is not enough; you need both antivirus and anti-malware protection. Malware has mostly targeted laptops and PCs, but don't bet on it staying that way: Macs, phones and tablets are vulnerable too, so don't wait to get security apps for your smartphone and tablet. Android, which allows apps from outside the official store, is the most heavily targeted mobile platform.

Harden your Wi-Fi. Turn on WPA2 encryption (never WEP, and never leave the network open). Change the router's default administrator password to something unique, update the router's firmware, and register new routers so you hear about security updates. The manufacturer's site will have guidance on locking things down. Whenever you use free public Wi-Fi, assume your traffic can be sniffed, and use a VPN such as Hotspot Shield when logging in at airports, hotels, internet cafés and the like.

Don't use outdated software. Still on Windows XP? Time to move to a supported version (7 or 8 at this writing). Security holes in software that is no longer supported will never be plugged.

Power passwords. You wear a power suit; you take a power lunch, a power nap and a power walk, but do you have a power password? A power password is extremely difficult to crack: at least 12 characters long, no dictionary words or keyboard sequences, and a mix of upper- and lower-case letters, digits and symbols. Better still, use a password manager to generate random passwords and keep them in an encrypted vault, so you never have to memorize them.
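The rules above can be checked mechanically, and generating a password that satisfies them is exactly what a password manager does. The following is an added example, not code from the original post or from any password manager: it applies the post's rules (length, character mix, no dictionary words including simple leet-speak variants, no keyboard sequences) and generates passwords from the OS cryptographic random source. The eight-word dictionary is a stand-in; a real checker would load a cracking wordlist.

```python
"""Power-password checker and generator (added example, not from the post)."""
import secrets
import string

MIN_LENGTH = 12
MIN_CLASSES = 3          # out of: lower, upper, digit, symbol
SEQUENCE_LEN = 4         # any 4-character run along a keyboard row or the alphabet counts
# Stand-in dictionary (an assumption for the example); load a real wordlist in practice.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "letmein", "qwerty", "admin"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", string.ascii_lowercase]
# Common leet substitutions undone before the dictionary check ("P@ssw0rd" -> "password").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def _sequences():
    """Every SEQUENCE_LEN-character window of each keyboard row, in both directions."""
    seqs = set()
    for row in KEYBOARD_ROWS:
        for r in (row, row[::-1]):
            for i in range(len(r) - SEQUENCE_LEN + 1):
                seqs.add(r[i:i + SEQUENCE_LEN])
    return seqs


SEQUENCES = _sequences()


def password_weaknesses(pw):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    groups = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    classes = sum(any(c in group for c in pw) for group in groups)
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes (lower, upper, digit, symbol)")
    lowered = pw.lower()
    unleeted = lowered.translate(LEET)
    for word in sorted(DICTIONARY):
        if word in lowered or word in unleeted:
            problems.append(f"contains dictionary word '{word}'")
    for seq in sorted(SEQUENCES):
        if seq in lowered:
            problems.append(f"contains keyboard sequence '{seq}'")
            break
    return problems


def generate_password(length=16):
    """Random password from the OS CSPRNG, re-drawn until it passes password_weaknesses()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_weaknesses(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("Summer2014!", "P@ssw0rd!!qwer", "k7$Vm!2pQx9#wZ"):
        print(sample, "->", password_weaknesses(sample) or "ok")
    print("generated:", generate_password())
```

Note that `secrets`, not `random`, is used for generation: `random` is seeded predictably and is not suitable for anything an attacker might try to guess. The rejection loop terminates quickly because a random 16-character string almost never contains a dictionary word or a keyboard run.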

OS updates: often. Many people fail to keep their operating system updated. Big mistake. An update usually means a security hole through which an attacker could get in has been patched, and lots of unpatched holes mean lots of entry points. If Windows alerts you to an available update, run it. Learn how your system's updates work, and turn on automatic updates where you can.

Patch your applications. Have you been ignoring update alerts for Adobe Reader? Take them seriously: widely installed software such as PDF readers, browsers and browser plugins is a favorite target when it has unpatched holes. Any reminder to update software must be taken seriously. Don't wait for an attack.

Wipe old hardware. Got any defunct laptops, tablets, flash drives or hard drives? Before reselling them, securely erase your data. Deleting files or reformatting is not enough, because the data is still recoverable; overwrite the drive with a wiping tool, or, if the device was fully encrypted, destroy the key. If you're discarding a drive, physically destroy it.

Two-factor authentication. A long, strong password is not 100 percent uncrackable. But if an attacker obtains it and then finds he must supply a second factor to get into your account, and that second factor is a one-time code generated on or sent to your smartphone, he'll move on. Where a service offers it, an authenticator app is preferable to codes sent by SMS.

Don't get duped. Never click links in e-mails. Don't click on something that seems too good to be true (a link to naked photos of your favorite movie star). Avoid suspicious-looking websites.

Stop blabbing on social media. Information you post on Facebook, for instance, can contain clues to your passwords or to the security questions on your bank account. Sure, post a picture of your new puppy, but leave the name a mystery if it's the answer to a security question.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Use an ePrivacy Filter to prevent Visual Hacking

In an average year I'll tally 75,000 airline miles. In an average week, while waiting for a plane to board or while in flight, I'll see multiple laptop screens flipped open with an over-the-shoulder view of emails being sent and received, PowerPoint presentations being tweaked, proposals being written, and various client and employee records being crawled through. The fact is, I'm a good guy with no bad intentions, but I can't help seeing what I see, and it's distracting. The screens are bright and propped right in my face. If I were a bad guy, this would be called "visual hacking".

Hacking can be done without viruses, with just one's eyes. The visual hacker prowls public spaces, seeking out computer screens displaying sensitive data. 3M now offers the ePrivacy Filter. Paired with a traditional 3M Privacy Filter, which blacks out the screen from the side angles where snoops lurk, the software alerts the user to someone peering over their shoulder from just about any angle. I'm seeing more and more of these in flight, which frankly is nice, and less distracting.

More people will say they prize visual privacy than will actually do something to protect it, according to a recent 3M study. The study revealed that 80 percent of the professionals who responded believed that prying eyes posed at least some threat to their employers.

Strangely, most of these workers opted not to protect their visual privacy at all when accessing information on an unprotected computer in a busy public location.

Employees have a funny way of asserting a belief but acting otherwise. This shows that businesses need to educate employees on the risks of data leaking out to visual hackers.

The fact is, employees are more mobile than ever. And with corporate secrets being WikiLeaked, "Snowdened" and just plain hacked, customers require more assurance than ever that their data is protected.

An ePrivacy Filter, coupled with a laptop or desktop privacy filter, helps protect visual privacy from virtually every angle. Compatible with devices running Windows, the ePrivacy Filter alerts the user to an over-the-shoulder snooper with a pop-up image of the offender's face. And you don't have to worry about your data if you step or look away briefly: the screen blurs and only unlocks when you return, thanks to its facial recognition feature.

Please, stop hijacking my attention and get a privacy filter.

Robert Siciliano is a Privacy Consultant to 3M discussing Identity Theft and Privacy on YouTube. Disclosures.

7 ways to prevent Data Theft when traveling

The threat of data theft follows travelers; there's never a vacation from hackers. So what should the traveler do? Anticipate snooping by hackers, and prepare for the worst.

  1. If you must bring a laptop, use it as a thin shell to access data remotely, and leave private information at home. If that's not possible, carry the data on an encrypted memory stick, or store it online and download it when needed.
  2. Always use comprehensive security software whenever you connect online.
  3. If you are bringing a laptop or other devices, have disk encryption set up before you go. Better yet, encrypt the whole drive: in a thief's hands the device is then worthless. Keep in mind that full-disk encryption protects a device that is powered off or locked; a running, unlocked laptop is still wide open.
  4. Install a VPN (virtual private network). A VPN lets you reach websites that are blocked in some countries, such as China, and it encrypts your traffic between your device and the VPN server so that anyone sniffing the hotel or café Wi-Fi can't read it. The protection ends at the VPN endpoint, so the sites you visit still need https.
  5. Use multiple layers of protection. For example, if your device supports it, use a fingerprint reader to verify the user's identity in addition to password-protecting the device. Such features may be built into the hardware or software, or available as a peripheral.
  6. To prevent visual hacking (people spying on what you're doing on your screen), use a privacy screen; 3M makes a good one. And be careful where you choose to work. Don't sit with your back to an open room where someone can peer over your shoulder or even record your screen from a distance.
  7. Never leave your devices in a hotel room or unattended while you head off to the restroom or take a break from a conference session. Just suck it up and take them with you.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert's FREE ebook, text SECURE Your@emailaddress to 411247. Disclosures.

SEC comes down on Breached Companies

If you're wondering whether businesses that have been targets of cybercrime have been properly handling the fallout, you have company: the U.S. Securities and Exchange Commission.

The SEC is investigating this very issue. Key questions include:

  • Did the businesses adequately protect data?
  • Were investors properly notified about the breach’s impact?

One of the companies being investigated is Target Corp.

Historically, the SEC has concentrated on giving companies guidance on disclosing data-breach risks, and it has also worked to ensure that financial firms were well-equipped against hackers.

But the SEC takes issue when breach disclosures appear incomplete or misleading.

For example, Target didn’t disclose its breach until the day after it was first reported—by renowned security blogger Brian Krebs.

Just how much should companies say about breaches? This is being debated among regulators, corporate attorneys and activist investors.

Nevertheless, public companies owe it to investors to inform them of material compromises that could affect decisions to buy or sell shares. According to the SEC, a material attack includes one that forces a company to greatly increase what it spends on defenses, and one in which intellectual property is stolen.

Businesses in general would rather stay silent about breaches to avoid negative fallout. At the same time, it's not easy to show that a business should have disclosed more about a breach than it did. Even a stolen trade secret won't necessarily harm a large company's growth or profits. Interpretations vary almost as much as the kinds of cyber attacks do.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock 'em dead in this identity theft prevention video. Disclosures.

Post-Data Breach Reputation Building

You WILL be hacked. Remember that mantra if you're a business. Business leaders need to understand the effect a data breach has on customers and clients: an aftermath of distrust that takes a lot of time and money to rebuild.

Interactions, a customer experience marketing firm, released a study called "Retail's Reality: Shopping Behavior After Security Breaches." One of the findings is that 45 percent of shoppers don't trust retailers with their personal information. Following a data breach, 12 percent of loyal shoppers stop shopping at that store, and 36 percent shop there less. And 79 percent of those who would continue shopping there say they'd be more likely to use cash, which generally means buying less.

So that’s a retailer’s worst nightmare: Non-trusting customers who are spending less (not to mention the ones who quit shopping there altogether).

This leaves retailers with two options: prevent all data breaches (not an attainable goal) or devise a plan to minimize the disastrous aftermath.

Communication and transparency with customers are crucial in the aftermath of a breach. Customers want to know that a company will rise to the occasion, and they are more interested in how the retailer will deal with the fallout than in how it will prevent a breach. After all, consumers tend to realize that hacking these days is just a part of life.

Companies should not wait till a breach occurs to figure out how to retain customer trust; they should plan ahead. Companies should be able to assess the risk related to the data they collect and have a breach response plan in place prior to a data breach.

The IT department is often on center stage following a breach, but marketing, customer service, and HR departments are also very important.

These departments should pool their efforts to come up with a plan that reassures customers that their security is the top priority and that, should a breach occur, the company will do everything possible to protect them and restore any accounts compromised as a result.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Mailroom Error, Big Data Breach

Data breaches need not be launched maliciously in order to be very troublesome, as was the case involving about 3,700 Medicare Advantage members. Freedom Blue and Security Blue members received risk assessment results that actually belonged to other individuals. The addresses, birthdates, member ID numbers and medical information of some members ended up in the hands of other members.

And how? An innocent mistake by a mailroom employee. Though there was no evidence of malicious use of the information, it shows how easily a person's private information can end up in a stranger's hands. Imagine receiving a stranger's medical information in your mailbox. It would make you think twice about trusting the company with your personal information in the future.

Members were notified of this error after the insurer spent a month exploring how it happened. Though the unintended recipients received information about other members’ scores on mood tests, medications and results of frailty tests, at least the Social Security numbers weren’t revealed.

Under the HIPAA breach notification rule, a breach affecting 500 or more people requires the covered entity to notify the Department of Health and Human Services, which may then investigate, as well as the affected individuals and prominent local media outlets.

Highmark Inc., the health insurance company whose members were affected by the mailroom breach, changed the member ID numbers of the affected members or those who might have been affected. Sixty-three members received forms pertaining to other people, and 233 never received a mailing, suggesting that their forms possibly went to other members.

As for the employee who made the mistake, that person was fired. The other employees are being retrained, and Highmark will implement a bar code system on all mailings, a sound way to match each letter to its envelope so that the right pieces of mail end up in the right hands and envelopes aren't over-stuffed or mis-stuffed.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock 'em dead in this identity theft prevention video. Disclosures.


Data Breaches May Result in Board Breakups

The ripple effect continues to haunt Target: it's expected that seven of its board members may be replaced because they failed to provide effective oversight of the corporation's data-protection risks. Boards simply need to be more proactive in safeguarding their companies against data breaches.

Institutional Shareholder Services (ISS) prepared a report on the Target data breach and its aftermath. The report states that Target's board members should have been kept in the loop on the protection of sensitive information and on what a breach could mean for brand reputation and customer loyalty.

“The company acknowledged the need for more stringent internal capabilities to identify potential risks with less reliance on external reports which suggested the systems were robust enough,” the report says.

The report concludes that Target failed to prepare for today's cyber threats, and that this failure stems from the audit and corporate responsibility committees.

ISS says these committees are responsible for risk assessment and management, including the risk of fraud. Inadequate oversight in these areas paved the way to the disastrous breach.

The ISS report should be a wakeup call to board members of all businesses. Board members need to realize the importance of directing more time, energy and money toward improving security programs.

Though the dismissal of seven of Target's ten board members may seem radical, there is a fair degree of rationale to it: it sends the message that boards and senior executives will be held accountable for their company's cyber security.

Boards need to work closely with their organization's IT experts and executive team so that they have an intimate knowledge of the steps the company is taking to protect customer information, even if none of the board members are security experts. The ramifications of poorly handling a data security incident are now something even board members must understand and work to prevent.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock 'em dead in this identity theft prevention video. Disclosures.