Previous month:
April 2012
Next month:
June 2012

13 posts from May 2012

Why Cyber Criminals Attack: For The Money

Last week, the Ponemon Institute and Check Point Software Technologies released the results of a joint survey, "The Impact of Cybercrime on Business" (Adobe PDF), conducted to better understand the nature of online attacks which businesses of all sizes face. The survey included executives from companies in several countries. Key survey findings:

  • Companies experience an average of 66 cyber attacks per year
  • Mobile devices (e.g., smart phones and tablets) present an increased breach risk
  • Cyber crime is expensive, costing companies on average
  • Criminals attack for the money

Almost all survey participants said:

"... the primary goal for cybercriminals is financial fraud and/or access to the company’s financial records. In the U.S. and UK, financial gain is followed by theft of customer data. Approximately five percent of security attacks are motivated by political or ideological agendas."

So, identity thieves and cyber criminals attack employers to steal money: the employer's and/or yours. And, the criminals will attempt to use your mobile devices to gain access to employer's networks:

"... Hong Kong and Brazil report on average the highest percentage of mobile devices infected an act of cyber crime... the lowest average of infected mobile devices and machines connected to the network at 11 percent in the U.S. and nine percent in Germany."

The Ponemon/Check Point survey included more than 2,600 experienced business leaders and IT security practitioners from commpanies located in the United States, United Kingdom, Germany, Hong Kong and Brazil.A similar study by Symantec found that 50% of cyber attacks focused on businesses with fewer than 2,500 employees, and targeted mobile device and social networking users.

The Ponemon Institute helps both public sector and privbate sectors by performing independent research on privacy, data security, and information protection. Check Point Software Technologies provides organizations with a veriety of solutions to secure online networks and data.


Data Breach At University of Nebraska

There is a storm brewing at the University of Nebraska. After a member of the school's information technology department discovered the data breach on May 23, the university distributed a notice on May 25 that the Nebraska Student Information Service, NeSIS, which contains sensitive information about students, alumni, and applicants had been accessed by unauthorized users.

Individuals are concerned because the types of data exposed or stolen includes school records, addresses, bank account information, and Social Security numbers. The breached database contains records for more than 650,000 individuals. The breach affects students, alumni, and applicants of the university’s four campuses, the Nebraska College of Technical Agriculture, plus university employees and parents of students who applied for financial aid.

In a letter to breach victims, Joshua Mauk, the university's Information Security Officer stated:

"On May 23, 2012, University personnel detected a security breach in the system indicating that an unauthorized individual had gained high-level access to the restricted database. This was a sophisticated and skilled attack on our system. Information in the system includes Social Security numbers, any bank account information associated with the NeSIS account, and personal and academic data. Our records indicate that you have a bank account that is associated with your NeSIS account, so we are writing to notify you of this breach and to advise you to monitor your bank accounts over the next several weeks and report any suspicious activity to your financial institution."

The letter also advises individuals to monitor their financial accounts and to consider placing a fraud alert or security freeze on their credit reports at the major credit reporting firms: Equifax, Experian, and TransUnion. The final number of records exposed/stolen has not been determined yet.

A breach investigation is underway by Nebraska University with local and federal law enforcement. The university has set up the http://nebraska.edu/security website to distribute updates about the breach and breach investigation.

Data security has been an issue in higher education since at least 2005: George Mason University (32,000 records). Recent, notable data breaches:

  • May 3, 2012: University of Pittsburgh: undisclosed
  • April 30, 2012: Volunteer State Community College (Tennessee): 14,000 records
  • April 18, 2012: Emory Healthcare, Emory University Hospital: 315,000 records
  • April 14, 2012: Texas A&M University: 4,000 records
  • April 10, 2012: Case Western Reserve University: 600 records
  • March 31, 2012; San Francisco State University: undisclosed
  • March 16, 2012: University of Tampa: 30,000 records
  • March 14, 2012: Humboldt State University: 5,700 records
  • March 13, 2012: Brigham Young University: 1,300 records
  • February 16, 2012: Central Connecticut State University: 18,763 records
  • February 15, 2012: University of North Carolina at Charlotte: 350,000 records
  • January 27, 2012: Indiana University (President's Challenge): 650,000 records
  • January 20, 2012: Arizona State University: 300,000 records

Breach history source: Privacy Rights Clearinghouse


Statistics: How You And Your Friends Use Social Networking Sites

A few social networking statistics reported recently by Consumer Reports:

  • 28% of users share their Facebook posts with an audience beyond only their friends. This means that about 1 of every 4 of your friends have not adjusted the privacy settings on their Facebook accounts.
  • 11% of households using Facebook said that they had privacy or data security problems last year (e.g., someone used their log-in without permission, harassed, etc.).
  • 37% of Facebook users said that they have modified their privacy settings to customize or limit how much personal information Facebook apps are allow to access.
  • 25% of Facebook users said that they have entered fake information in their online profiles to protect their identity.
  • Facebook alreadys stores about 60 billion photographs, and that total grows daily by 250 million
  • 69% of employers' human-resource officers have rejected job applicants based on what they found during reviews of candidates' profiles at social networking sites
  • About 25% of college admissions officers check applicants' social networking profiles. 12% of those officers reported finding posts last year that hurt applicants' admission chances

To learn more, see the module in the near right column titled, "Using Facebook Safely."


South Shore Hospital To Pay $750,000 In 2010 Breach Settlement

Yesterday, South Shore Hospital and the Massachusetts Attorney General's Office both announced a settlement agreement regarding the hospital's 2010 data breach. the breach exposed the sensitive personal and medical information of 800,000 current and former patients, plus patients at Harbor Medical Associates and South Shore Physician Hospital Organization.

In February 2010, South Shore Hospital shipped three boxes containing 473 unencrypted back-up computer tapes to an off-site vendor, Archive Data Solutions, for erasure. The boxes contained the records of 800,000 patients. According to AAG Coakley's office, the hospital failed to inform Archive Data that boxes contained sensitive personal protected health information. Nor did the hospital determine whether Archive Data had sufficient data security methods to protect this sensitive information.

In June 2010, the hospital learned that only one of the boxes, shipped via several companies, arrived at its destination in Texas. The missing boxes have not been recovered. In a statement, AG Coakley emphasized:

“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form... It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach.”

According to terms of the settlement approved in Suffolk Superior Court, the hospital will pay a $750,000 fine which includes a $250,000 penalty and $225,000 for a data security education fund. The Massachusetts Attorney General's office will use the education fund to:

"... promote education concerning the protection of personal information and protected health information."

The payment is also reduced by $275,000 for expenses the hospital has already made for data security improvements. The HIPAA Privacy Rule specifies which health care organizations must comply with certain data security standards. the rule also defines what "protected health information" is: personally identifiable health care information in any format (e.g., print, electronic).


Data Breach At Experian Credit Reporting Service

Logo_experianExperian has notified the New Hampshire Department of Justice of data breach where unauthorized third parties may have obtained consumers credit reports. The company discovered the breach in February 2012 and began notifying affected consumers on May 17, 2012.

The breach notice did not disclose the number of consumers affected. The unauthorized access occurred between November 2010 and March 2012. An investigation into the breach was conducted including the analysis of computer logs. In its breach notice, Experian stated:

"... we do not believe that any third party obtained access to any specific data elements that are covered by the New Hampshire security breach law because those data elements (e.g., financial account numbers) were redacted or truncated on any credit report disclosure..."

New Hampshire is one of about 46 states that require entities (e.g., companies and state agencies) to notify both the state and affected residents in each state whose personal information archived by that entity was lost, stolen, or accessed by unauthorized persons.

In its breach notice to consumers, Experian stated:

"While any consumer report will contain public information like name and address, Experian masks or displays only partial social security numbers, birth dates, and account numbers, so they are not identifiable and cannot be abused."

This is troublesome because, a) the breach went undiscovered for a long time, 16 months; b) partial social security and bank account numbers, partially masked, and c) the extremely sensitive personal and financial information contained in consumer credit reports.

Experian placed fraud alerts on the files of breach victims, and, of course, is offering breach victims two years of fee credit monitoring services through its ProtectMyID service.

Experian is one of the three larges credit reporting agencies. The other two are Equifax and TransUnion. Experian also operates the Triple Alert and FreeCreditReport.com websites. In 2010, the U.S. Federal Trade Commission changed the disclosre rules for web sites offering free credit reports. Consumers should know that the official webiste for truly free credit reports.


Data Breach At Pantone.com

In an April 10, 2012 letter, X-Rite Inc. notified the State of California Attorney General of a data breach where hackers accessed a Pantone.com website server on or about February 6, 2012.The breach notice did not disclose the number of records accessed/stolen, nor the exact method the hackers used.

The breach was discovered by X-Rite management on March 23, 2012. The data accessed and stolen included the names, addresses, and credit card information of customers who bought products at the pantone.com website. X-Rite notified affected customers on April 6. In August 2007, X-Rite announced its acquisition of Pantone for about $180 million.

A copy of the breach notice is available at the State of California Attorney General website and here (Adobe PDF, 23k bytes).


5 Things You Should Know About Prepaid Cards

Right now, there probably are three different types of plastic in your wallet or purse. Each type has different rules, disclosures, government regulations, and fees. So, wise consumers use the best type of plastic instead of cash.

Most consumers are familiar with credit cards and debit cards -- the first two types of plastic. Credit cards include an interest rate applied to all purchases, plus a variety of fees (e.g., overdraft, annual usage). Debit cards are offered by banks to their account-holders to access money in their checking and savings accounts.

Prepaid cards often look like debit cards but have several important differences. Prepaid cards must have value stored or "loaded" onto them before they can be used. Usually, consumers use cash to add value to a prepaid card. Then, the consumer uses the prepaid card for purchases, which are deducted from the balance on the card until there is no value left on the prepaid card. Then, more value must be added to the card before it can be used again.

Retail stores, restaurants and malls offer prepaid cards, usually called gift cards. Chances are you may have already received a prepaid card as a gift. I've received and given several prepaid cards as gifts. Customers use the Dunkin' Donuts prepaid card are the chain's retail stores. Prepaid cards from The Old Spaghetti Factory, Starbucks, and Target all operate similarly. Some retailers use their prepaid cards to track customers' purchases for rewards for loyalty programs.

Besides retail stores, many other companies and entities offer prepaid cards. Some employers pay their employees via prepaid cards, often called payroll cards. These payroll cards are designed for employees who don't have checking and savings accounts. Behind every payroll card is a bank that handles the transactions.

Some employers offer their employees prepaid cards only for qualified healthcare spending purchases. Some golf clubs offer prepaid cards for their members to use at the club's golf store and restaurant.

Some banks offer prepaid cards, too, for consumers who lack checking and savings accounts. With all of these prepaid cards in use, it is important for consumers to to know the advantages and disadvantages. There is a pretty good CNN Money article that discusses what consumers should know about prepaid cards:

"Watch out for the fees: The average prepaid card charges nearly $300 in basic fees a year, such as monthly charges, ATM fees and reloading fees, a recent NerdWallet study found... many prepaid cards also charge activation fees, transaction fees, bill payment fees, declined transaction fees, inactivity fees, customer service fees and paper statement fees."

"They don't build credit: Using a prepaid card doesn't help you build credit with the three major credit bureaus... don't be fooled into thinking they are doing anything to boost your credit score."

To browse the entire list of five tips, read the CNN Money article. To learn more about the differences between the three types of plastic in your wallet/purse, read the FDIC alert about consumers' rights. You can also select Prepaid Cards in the tag cloud in the near right column.

What has been your experience? What prepaid cards have you used?


Data Breach At Choice Hotels

Since I started this blog almost five years ago, I've written about a variety of data breaches, where sensitive customer and employee information was stolen. Sometimes, the breach involved hackers breaking into a company's website server. Often, it included the theft of a laptop computer or flash drive left in an employee's parked car. Sometimes, it was "insider identity theft" by an employee or contractor. This latest breach involved a method I hadn't heard before.

About April 25, 2012, Choice Hotels notified the appropriate state agencies in both California and New Hampshire of a data breach affecting residents in those states. According to the breach letter submitted by the company, sensitive customer information (e.g., credit card numbers, drivers license numbers, passport numbers, Social Security numbers) were not entered into the proper database fields in the company's customer systems. As a result, this sensitive data wasn't protected (e.g., encrypted), and was passed along to the company's marketing partners where the sensitive data was inadvertently printed on marketing envelopes mailed to customers.

Choice Hotels claims that less than 0.001 percent of guest stays were affected. The breach was discovered in December 2011, and the company immediately stopped using the database for markeing purposes. The company hired Kroll Advisory Solutions to investigate the problem with a "forensic analysis." About 59 New Hampshire residents were affected and have already been notified.

The company's breach notice did not identify the company's marketing partners. Its website Privacy and Security Policy states that:

"If you reside in California and have provided Choice your personally identifiable information, you may request a list from us of third parties with whom we shared your personally identifiable information for their own direct marketing purposes during the preceding calendar year..."

Choice Hotels operates several lodging brands including Clarion, Comfort Inn, EconoLodge, MainStay Suites, and Rodeway Inn. A copy of the breach notice is available at the New Hampshire Department of Justice website and here (Adobe PDF; 154k bytes). The California Attorney General website also includes a copy of the breach letter sent to affected consumers. The company has reportedly contracted with TransUnion Interactive for for free credit monitoring services for breach victims.


Data Breach At Opening Ceremony

BankInfo Security reported details of a data breach at Opening Ceremony, a New York-based clothing and shoe retailer. Hackers inserted malicious software on the company's website server.

The data stolen included the payment card information of customers who purchased products online between Feb. 16 and March 21. the company has already notified customers affected by the breach. In a May 4 letter to affected customers (Adobe PDF), Opening Ceremony has contracted with ID Experts for complimenary credit monitoring and resolution services.

 


Consumer Reports Reviews Facebook And How To Use It Safely

If you haven't read it, there is a good review by Consumer Reports of the Facebook social networking website. The news media has focused on some of the controversial aspects of the report. For example, CNN reported, like many other news organizations, the survey finding that about 25 percent of Facebook users lie about information in their Facebook profile to protect their identity.

While lying about profile information may seem like an effective privacy strategy, the Consumer Report review of Facebook highlights the various ways Facebook tracks its members. Some Facebook members have made conscious choices to share personal data, and do so in status messages, sharing items, and commenting upon others' status messages. Yet other tracking methods exist.

The Consumer Reports review is a good reminder that its members are the products:

"... the company uses your data to help advertisers deliver ads that you may find useful. Suppose, for example, that you have “liked” the San Francisco 49ers page, or simply posted comments about football. You shouldn’t be surprised to see ads in the margins for football tickets, fan paraphernalia, and the like. Facebook does not share any of your information with advertisers that buy those ads unless you give permission. If you click the ad and purchase something, the advertiser obviously learns who you are. And even if you simply “like” a brand page, the company can automatically send posts to your account."

One tracking method is the facial-recognition software used to "tag" (e.g., identify) people (and places) in both photos and videos. Members who aren't careful to turn off the geo-tagging feature in their smart phones or tablets will provide even more personal data with photos and videos uploaded to Facebook.

Another method are the Facebook apps member use for music, news, and games -- which are loosely managed by Facebook:

"... according to Kevin Johnson, security consultant at Florida-based Secure Ideas, who has developed apps and tests their security. The sole credential needed to create an app is a verified Facebook account, including a cell phone number or credit card. And the company doesn’t have to review your source code (programming instructions) before it goes live..."

So, there seems to be little to no verification of apps for security or compliance when those apps have a privacy policy.

A method Facebook uses to track both members and non-members includes those "Like" buttons you have see on websites across the Internet:

"... Facebook keeps track of the other websites [its members] visit. That happens via the “Like,” “Recommendations,” and similar buttons that so many sites include. In addition to reporting your presence, the “Like” button sends along the date and time of your visit and your IP address, whether or not you click on it. The company has acknowledged that this happens even when Facebook users are logged out, a practice that had prompted class-action lawsuits in the U.S. If you’re logged in to Facebook, it can collect even more data. The company also said that it collects data from people who are not its users and have never visited its site..."

The review is also a good reminder of the scope of data Facebook collects:

"... thanks in large part to Max Schrems, a 24-year-old Austrian law student who managed to get a fuller copy of his personal information last year from Facebook's Dublin office, which oversees relations with users outside the U.S. and Canada. Schrems was surprised to discover, among the 1,222 pages of data covering three years of Facebook activity, not only deleted wall posts and messages, some with sensitive personal information, but e-mail addresses he’d deleted and names he’d removed from his friends list... Facebook collects the same type of detailed information on American users, as confirmed by documents it released to Boston police during their investigation of Philip Markoff..."

If you want to learn more about Schrems, visit Europe Versus Facebook. The review ends with a list of nine ways consumers can use Facebook (and similar social networking sites) safely:

"1. Think before you type. Even if you delete an account (which takes Facebook about a month), some info can remain in Facebook’s computers for up to 90 days.

3. Protect basic information. Set the audience for profile items, such as your town or employer. And remember: Sharing info with “friends of friends” could expose it to tens of thousands.

4. Know what you can’t protect. Your name and profile picture are public. To protect your identity, don’t use a photo, or use one that doesn’t show your face.

5. “UnPublic” your wall. Set the audience for all previous wall posts to just friends.

7. Block apps and sites that snoop. Unless you intercede, friends can share personal information about you with apps. To block that, use controls to limit the info apps can see."

Read the complete review of Facebook.com by Consumer Reports.


6 Threats That Target Consumers' Mobile Devices

If you think that identity thieves and scam aartists have not already targeted your favorite mobile devices, then think again. Dark Reading reported about siz specific threats that target popular mobile devices:

"1. Zitmo - One of the most successful banking Trojans of all time, Zeus, made the jump from PCs to mobile devices through the Zeus-in-the-mobile (Zitmo) spyware application. Prevalent on Android, Zitmo masquerades as a banking activation application and eavesdrops on SMS messages in search of the mobile transaction authentication numbers..."

"2. Mobile Botnets - Since 2009, Perimeter E-Security Research Analyst Grace Zeng has been exploring the possibilities of botnets consisting entirely of mobile devices. Naysayers told her it wasn't feasible, but last month she showed how realistic the possibility is with a presentation at WiSec 2012...:

"5. JiFake - Mobile marketers are loving the convenience of easy-to-scan QR codes to deliver mobile users to their websites and apps through their phones' barcode scanners. Attackers love these codes, too. Researchers are finding that the bad guys are increasingly using the obfuscation of QR codes to trick users into downloading malware..."

To protect yourself and the sensitive data on your smart phone or tablet, experts advise consumers to:

  • Download apps only from trusted websites,
  • Donwload only apps with privacy policies and terms of conditions that you understand and agree with,
  • Keep the anti-virus software on your mobile device updated, just like you do on your laptop or desktop computer, and
  • Password protect your mobile device in case it is lost or stolen.

FTC Seeks Information From The Public About How Identity Theft Impacts Elders

The U.S. Federal Trade Commission (FTC) seeks information from the public about how identity theft and fraud impact senior citizens. According to the Bureau of Justice statistics, 11.7 million people, about 5 percent of the population ages 16 or older, were victims of identity theft between 2006 and 2008. The FTC is concerned that:

"... seniors may be particularly susceptible to identity theft. They are often targeted for phishing scams; some seniors have granted powers of attorney giving wide access to their personal information; and most seniors' Medicare cards list their Social Security numbers. In addition, the personal information of senior citizens may be vulnerable in hospitals, nursing homes, and other care facilities."

To learn about the problem, the FTC seeks:

  • Original research about the scope of identity theft and elders,
  • The types of scams (e.g., phishing, tax, power of attorney, door-to-door) targeting elders,
  • Obstacles to fighting or preventing this identity theft,
  • Solutions by both the public and private sectors, and
  • Any related issues

The FTC focuses upon enforcing laws, sharing its identity-theft complaint data with local law enforcement, and educates both consumers and businesses about data security. The FTC has brought actions against 35 companies for failing to adequately safeguard the sensitvie consumer data stored. In the summer of 2011, the FTC held a forum on the impacts upon children of identity theft. In September 2011, the FTC testified before Congress (Adobe PDF) about the problem and the actions it was taking.

Comments and submissions must be received by July 15, 2012. Information can be submitted in electronic or paper formats. Submissions should be mailed or delivered to:

Federal Trade Commission
Office of the Secretary
Room H-112 (Annex L)
600 Pennsylvania Avenue, N.W.
Washington, DC 20580

Submissions received will be made public on the FTC website.

The FTC helps consumers to prevent fraudulent, deceptive, and unfair business practices. It also provides information to help consumers spot, stop, and avoid them. If you have been a victim of identity theft and fraud, you can file a complaint in English or Spanish at the FTC Complaint Assistant website, or call 1-877-FTC-HELP (1-877-382-4357). The FTC compiles complaints it receives into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad.