Some 64 million members of an online dating site have reason to be a little more cautious today after news broke that AdultFriendFinder had suffered a data breach. The scope of the breach isn’t yet known, but the company is already alerting users to the fact that names, addresses, email addresses, sexual orientations, marital statuses, and other sensitive information may have been accessed.

The dating site, which bills itself as a website where members can find other interested parties for casual sex or other spontaneous meetups, is part of a much larger parent company called Friend Finder Networks, which has more than 600 million members across its 40,000 websites.

There are always questions when a data breach occurs, and one of the major ones for consumers is, “What will a thief do with my information?”

If credit card information or Social Security numbers are stolen in a breach, then there’s a good chance there could be financial repercussions. But if those pieces of the puzzle are missing, there are still plenty of ways the data can be useful to a thief. Email addresses can be used for phishing attempts, but can also be sold to online marketers for spam. Physical addresses can lead to mail fraud and “dumpster diving,” which can then easily turn into other potential forms of identity theft, scams, or fraud.

But whenever a “mature” website or similar online activity is at the heart of the crime, there is another concern. While this type of crime will hopefully never befall a victim of identity theft, there is always the potential for extortion. Given that this data breach included highly personal information that many of the members might not want shared, it’s alarming to think that a thief could extort money from some of the members in exchange for not blasting the news of their participation in a site dedicated to sexual relationships with strangers. This practice has unfortunately become so commonplace in the world of social media that it has its own term, sextortion.

Unfortunately, at this stage in the investigation of any data breach, the company involved and the forensic team they’ve brought in to uncover the extent of the damage cannot discuss the details. An official statement from Friend Finder did have this to say: “Until the investigation is completed, it will be difficult to determine with certainty the full scope of the incident, but we will continue to work vigilantly to address this potential issue and will provide updates as we learn more from our investigation.”

Whenever news of a hacking event or data breach comes out, there’s always the logical question: what will a thief actually do with the information? Whether it’s just accessing your name or email address or actually infiltrating the files that contain more sensitive information like credit card numbers or Social Security numbers, the real threat is in how that information can be used.

Depending on who caused the attack and what information was gleaned, there are a lot of options. It might be a simple matter of selling batches of information on black market internet sites, or it could be opening accounts in the victims’ names. If SSNs were stolen, it could lead to tax refund or employment and benefits fraud. It really all depends on what the thieves were able to find out.

But a new issue has cropped up involving Starbucks’ gift cards and its mobile payment app, and this one is so twisted that it takes a map to keep track of the aftermath. Basically, many consumers who have these payment methods set up to auto-reload—meaning their credit cards are associated with the gift card or app via the Starbucks website, and their mobile accounts will automatically refill off that credit card once a pre-determined balance is reached—are finding their cards charged, drained, and reloaded over and over. One customer who spoke to industry watcher Bob Sullivan actually watched this process happen on her phone in real time, although Starbucks has formally stated that there’s no evidence that the mobile app for payment has been breached.

Since Starbucks gift cards are a common gift or promotional item, the Starbucks site also lets you combine different gift cards. If you’re carrying a card in your wallet with six dollars left on it and you receive a new card from your boss for employee appreciation day, you can combine the cards into one balance right there on the website. Since using your same registered gift card and refilling it gives you rewards points, many people choose to transfer the balance from a new gift card to the one that they have stored in the Starbucks computer… and it’s also the one they have set to auto-reload off their credit cards.

That’s where hackers step in. They simply log into your Starbucks account, change the email address associated with your account to one that they control, and then link all of your gift cards to a new one that they have possession of. Then when they drain your gift card balance and put it on their own cards, your credit card kicks in and adds money automatically without the thief ever having to know your credit card details. Then they simply repeat the cycle, as many times as they want, all in a matter of a few minutes.
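The cycle described above leaves a recognisable trail in an account-activity log: an email change followed by tightly spaced transfer and reload pairs. As an added example that is not from the original article, the script below flags accounts showing that pattern so a fraud team can pause auto-reload and contact the account holder; the log format, field names and sample events are constructed assumptions, not Starbucks data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample account-activity log (hypothetical format: ISO timestamp followed by key=value pairs).
SAMPLE_EVENTS = [
    # Account 1001: the takeover pattern described in the article (constructed).
    "2015-05-12T08:01:10Z acct=1001 event=login ip=203.0.113.5",
    "2015-05-12T08:01:45Z acct=1001 event=email_change new=mailbox@example.net",
    "2015-05-12T08:02:30Z acct=1001 event=balance_transfer_out amount=25.00 to_card=card-A",
    "2015-05-12T08:02:31Z acct=1001 event=auto_reload amount=25.00",
    "2015-05-12T08:03:10Z acct=1001 event=balance_transfer_out amount=25.00 to_card=card-A",
    "2015-05-12T08:03:11Z acct=1001 event=auto_reload amount=25.00",
    "2015-05-12T08:04:02Z acct=1001 event=balance_transfer_out amount=25.00 to_card=card-A",
    "2015-05-12T08:04:03Z acct=1001 event=auto_reload amount=25.00",
    # Account 1002: ordinary customer, one reload triggered by a purchase.
    "2015-05-12T09:00:00Z acct=1002 event=purchase amount=4.50 store=123",
    "2015-05-12T09:00:01Z acct=1002 event=auto_reload amount=25.00",
    # Account 1003: heavy but legitimate user, one reload per day.
    "2015-05-11T07:30:00Z acct=1003 event=auto_reload amount=25.00",
    "2015-05-12T07:30:00Z acct=1003 event=auto_reload amount=25.00",
    "2015-05-13T07:30:00Z acct=1003 event=auto_reload amount=25.00",
]


def parse_event(line):
    """Parse one log line into a dict; returns None for lines that do not fit the assumed format."""
    parts = line.strip().split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if "acct" not in fields or "event" not in fields:
        return None
    return {"ts": ts, "acct": fields["acct"], "event": fields["event"], "fields": fields}


def detect_reload_abuse(lines, window=timedelta(minutes=10), max_reloads=2):
    """Flag accounts with more than max_reloads auto-reloads inside one window.

    Each alert records the reload count, the total amount charged to the
    linked payment card, and whether the account email was changed shortly
    before or during the burst (the takeover signal the article describes).
    """
    by_acct = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            by_acct[ev["acct"]].append(ev)

    alerts = []
    for acct, events in sorted(by_acct.items()):
        events.sort(key=lambda e: e["ts"])
        reloads = [e for e in events if e["event"] == "auto_reload"]
        email_changes = [e for e in events if e["event"] == "email_change"]
        # Slide a window anchored at each reload; the first burst wins (one alert per account).
        for i, first in enumerate(reloads):
            burst = [r for r in reloads[i:] if r["ts"] - first["ts"] <= window]
            if len(burst) <= max_reloads:
                continue
            burst_start, burst_end = first["ts"], burst[-1]["ts"]
            email_changed = any(
                burst_start - window <= c["ts"] <= burst_end for c in email_changes
            )
            total = sum(float(r["fields"].get("amount", "0")) for r in burst)
            alerts.append({
                "acct": acct,
                "reloads": len(burst),
                "amount": round(total, 2),
                "email_changed": email_changed,
                "window_start": burst_start.isoformat(),
            })
            break
    return alerts


if __name__ == "__main__":
    for alert in detect_reload_abuse(SAMPLE_EVENTS):
        print(alert)
```

Only account 1001 is flagged: three reloads in under two minutes right after an email change, while the single reload and the once-a-day reloads stay quiet.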

What can the hacker do with a fully-loaded gift card? Use it himself or sell it on the black market. Gift card fraud has grown in recent years, and in some cases thieves simply use the gift card to purchase high-end items which they then sell online, pawn, or return for cash, depending on the store’s policies.

In order to protect yourself from this and other similar types of gift card fraud you must have strong, unique passwords on all of your online accounts; make sure your password is a long combination of letters, numbers, and symbols, and do not use the same password on multiple websites and accounts.

Whenever I speak publicly, I always talk about how information technology and hacking are the “sizzle” that helps create the headline news for data-breach events.

However, this week’s news that 31 world leaders, including President Obama, had their personal information breached, including name, date of birth and passport number, should remind employers and employees that human error is a significant factor in data breach events. In this case, an Australian immigration service employee mistakenly e-mailed the sensitive information of the above-mentioned world leaders days before November’s G-20 summit in Brisbane, Australia. However, the Australian immigration department did not report the breach to the world leaders even though it was a clear violation of the privacy laws of three of the affected countries (the U.K., France and Germany), all of which require mandatory notification for data breach victims.

Well, it gets worse. In IBM’s 2014 Cyber Security Intelligence Index, “95 percent of all security incidents involve human error.” According to IBM’s report, “many of these are successful security attacks from external attackers who prey on human weakness in order to lure insiders within organizations to unwittingly provide them with access to sensitive information.” In January, Vormetric, a data security firm, released its 2015 Insider Threat Report and found that 93 percent of U.S.-based organizations surveyed believed that they were vulnerable to insider threats.

The Vormetric survey received responses from more than 800 organizations worldwide. I read with great interest the following four highlights:

  • 59 percent of U.S. respondents believed privileged users posed a threat to their organization.
  • 46 percent named contractors and service providers as a risk to their organization.
  • 43 percent said that business partners were a threat.
  • 59 percent agree that most information technology security threats from insiders are the result of innocent mistakes.

I believe businesses, especially small- to medium-size businesses, need to understand that current and former employees, vendors and even customers are a potential threat to a future data breach event, whether it is an accidental release of information or an act of malicious intent. For the purpose of transparency, half of my company is in the ID theft and data breach risk management business and the other half is in the background screening and behavioral testing business. My colleague Jim Collins, a longtime background screening expert, said that “as per industry best practices, businesses should not underestimate the insider threat.”

Collins said, “While most organizations require background checks at the time of employment, very few employers conduct regular screening of their employees, such as annual background checks.” This means that longtime employees who have access to the most sensitive personal, company and proprietary information could be a threat based on “unknown changes in that employee’s personal and professional life,” Collins said. The Vormetric threat report said that “almost half of the U.S. organizations polled experienced a data breach or failed a compliance audit in the past year – which tells us the situation has probably gotten more complicated.”

Mark’s Most Important: It doesn’t take the president or world leaders to recognize that employees — or even you — can make a mistake in data management and protection. Focus on increased employee education on information security.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., an ID theft-background screening company based in Phoenix. Contact him at markpribish@merchantsinfo.com.

This article was originally published on AZcentral.com and republished with the author’s permission.

Merchants Information Solutions is a proud sponsor and provides financial support to the ITRC. For more information on the ITRC’s financial support relationships please see our sponsorship policy.

When the retail shopping chain Target experienced a large-scale data breach in 2013, consumers and advocates alike flew into a near-panic mode. It was an eye-opening event, to be sure, and one that has been repeated with a number of other large retailers. While the end result was hundreds of millions of dollars in damage to the corporation, the plus side to it is consumers are more aware than ever about the potential for data breaches.

On the other hand, when the Anthem healthcare breach happened more recently, consumer outcry was far quieter even though healthcare data breaches stand to cause far more damage to citizens than a retail data breach. To understand why, you have to uncover what it is that cyber criminals get in a healthcare breach and what they can do with it. So many consumers are largely unfazed since their financial information isn’t accessed, but there is a much larger problem they may now face.

In the famous Target data breach, hackers accessed the credit card and debit card information for an estimated 70 million to 110 million customers. Some of those individuals also had their names, addresses, email addresses, and phone numbers accessed. The damage a hacker can do with that information is still very serious, but the thieves would typically rely on tactics like phishing email campaigns, selling the information to spammers, or other additional action ploys.

So what can a hacker gain during a healthcare data breach? Your name, address, Social Security number, family members’ names and Social Security numbers, employers’ name, bank account numbers, and more.

According to a study by Kaiser-Permanente, there were around 1,000 medical data breaches between 2010 and 2013; 29 million individual health records are believed to have been accessed by criminals in those breaches. Five states—California, Florida, Illinois, New York, and Texas—accounted for more than one-third of all the medical breaches in the country.

But consumers still seem to respond more proactively to retail data breaches than to medical data breaches. If you receive a letter informing you that your credit card number was accessed by a cybercriminal, what do you do? You get a new credit card from your account issuer, and the old account number is useless. But how do you go about getting a new Social Security number if hackers access your medical information? You don’t.

A financial data breach is serious and must be acted upon immediately, but it’s vital to remember that a healthcare data breach is potentially even more serious. A hacker can use your identity for years to come once he gains access to that level of personally identifiable information.

There are steps you can take to minimize the potential for problems in a healthcare data breach, and most of it comes down to what you choose to share with your health care provider. On the required forms in the doctor’s office, are you using your physical address, or a post office box if you have one? Are you listing your Social Security number, even though it’s not required for medical treatment and is legally not to be used as an identification number? Are you providing the doctor’s office with a check (which contains your bank account number), or paying by credit card and then paying that off immediately?

While certain pieces of information are going to be included in your health insurance profile, the trail you leave behind in the provider’s office is a good place to start with preventing identity theft. By adopting an air of caution when it comes to your information, you can work to minimize the effects of a medical data breach.

Cyber insurance for your business might be worth the cost. It deserves a good look because it educates on reducing risk, helps when a breach happens and can be a competitive advantage.

In 2015, data breach events are once again on the rise. How your organization, regardless of size, efficiently and compliantly manages a breach incident response can be the difference between being the next headline news story or going out of business. As business owners and executives look for new ways to protect their business risks and branding, cyber insurance is receiving more consideration as a way to help you manage and respond, whether your data breach is caused by outside hackers, your own employees, or vendor relationships ranging from malicious intent to accidental release of information.

The use of cyber insurance communicates to clients, prospects and vendors that your business is serious about managing a data breach event and your commitment to protecting customer and employee information.

Here are three tips to consider when reviewing the option of adding a cyber insurance policy:

  • Work with an insurance broker who understands cyber insurance. An insurance broker who understands cyber insurance can help educate your business on the different types of cyber insurance policies and validate the need for a cyber-insurance policy. A broker can also help you understand business interruption, legal liability, costs to investigate a data breach, notification to victims and defend/settle class-action lawsuits, including regulatory enforcement actions and fines.
  • Data breach assessment. Your business needs to evaluate its overall risk of experiencing a data breach and the type of data you collect, store and transmit. Here are some questions to ask when considering cyber insurance: What type of industry are you in? What is the type and volume of data that your company collects, uses, stores, and transfers? What is the prominence of your brand? Are your technology and information security and governance best practices up to date? Are mobile devices an integral part of your business? What is the total number of vendors and third-party contractors with access to your company’s sensitive data?
  • Learn about cyber policy exclusions and endorsements. Not all cyber insurance policies are created equal. Ask about retroactive coverage for “prior, unknown data breaches.” Ask about coverage that includes “loss of data” versus only “theft of data.” If your business acts as a vendor or third-party contractor for other businesses, ask whether your cyber coverage includes liability to cover your business clients.

The reality is, the challenges of a data breach event can include complex federal and state breach notification laws, and most small businesses lack the financial and human resources to respond. Cyber insurance can support your risk-management objectives.

Mark’s Most Important: Take a look at cyber insurance before your business is a data breach victim.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., an ID theft-background screening company based in Phoenix. Contact him at markpribish@merchantsinfo.com.

This article was originally published on AZcentral.com and republished with the author’s permission.

Those of us in the identity theft, information security and related fields, are always interested in the latest trends in data breaches. One such source of information is Verizon’s annual Data Breach Investigations Report (DBIR).

This report gathers information from 70 organizations that report on data breaches, including the Identity Theft Resource Center. It then examines the data breaches that occurred throughout the past year and identifies trends in the field. Of course, the most important part of reading the report and learning about breaches of all sizes and types is that we can use this information to better help consumers and businesses protect themselves. This year’s DBIR held many findings that will help define who needs to be most concerned about data breaches and how they can protect themselves.

Here are a few of those findings:

  • It is estimated that the financial loss from data breaches covered in the DBIR was $400 million. You read that right and, yes, it is a lot of money. It is large numbers like this that are prompting companies who have long avoided creating a data breach incident plan to do so.  Companies, even small local businesses, are now being forced to look at how they are protecting the personal identifying information (PII) of their clients. In addition, consumers themselves are realizing how much of a pain, and potential expense, it can be if they are not careful about who they are letting have control of their own PII.
  • The ratio of internal to external threats remains relatively static. The DBIR shows that in the past five years of the study, internal threats and external threats only varied around 5%, with more than 80% of threats being external rather than internal. This information can show two things to those interested in how to protect from a data breach. First, you have a much higher risk from external threats than from internal threats.  However, many entities are completely unprepared for an internal threat, which leaves them at risk for an attack from an employee who may be disgruntled or being paid for their intrusion. Businesses must look at both risks to ensure they are protected.
  • One hour is all it took for nearly 50% of recipients to open an email and click on phishing links. In a test performed with its partner security firms, Verizon set up an experiment to see how quickly a phishing attack would spread and, therefore, how long a company or individual has to respond to this type of attack. The fact that almost half of the phishing emails were opened within an hour of being sent is bad news: it means a faster spread rate and a larger breach. There is a reason the name “virus” was given to this type of malware: it spreads from one victim to the next, making an exponential mess for anyone trying to stop it. The DBIR does note, though, that the best way to stop phishing attacks and protect against them is education and awareness, which can be easily undertaken.

The DBIR continues to remind us that data breaches are something everyone must be concerned about. The constant adaptation of criminals to surpass security or adapt to new technology will ensure that businesses and consumers will not soon be free of the fear of data breaches. The full report is available from Verizon.

The cybersecurity and data protection industries are still reeling from the shell-shock that was 2014. With the highest number of data breaches in a single year, last year was an eye-opener for business leaders and consumers alike. While the industry still sorts through how these record-setting events happened and what we can do to prevent 2015 from playing out the same way, there are a few key takeaways that we can already identify.

One of the chief causes of data breaches is what’s known as an internal data breach. Internal data breaches, as the name implies, occur when a company employee opens the business up to a hacking event or data leak, and they fall into two categories: intentional and accidental.

In an intentional internal data breach, an employee, vendor, or third-party contractor purposefully accesses customer or employee data with the intent to use it. This could be checking out their co-workers’ Social Security numbers and birth dates, accessing client credit card numbers, or any number of other scenarios that lead to the theft of personally identifiable information. Typically, a thief in this instance either uses the information personally to open financial accounts or commit tax refund fraud, or sells the list of information to a thief who will pay good money for it.

There have been a lot of these cases in recent months. Every type of thief, from elementary school cafeteria workers to a fraud ring that targeted deployed soldiers and impoverished children, has been guilty of this type of crime. Unfortunately, it’s a crime of convenience, especially in any field that gathers and stores lots of excess information on individuals.

An equally detrimental though somewhat less malicious type of data breach is the accidental breach. It still involves an employee of a company who makes large stores of personal information accessible to a criminal, but in this case the employee may only be guilty of poor judgment or failure to follow company policy. An accidental breach occurs when an employee does something that results in exposing information to a hacker, such as clicking on a malicious link in a phishing email, downloading harmful software to the network by mistake, or losing a company laptop or flash drive that contained sensitive information.

Unfortunately, whether the employee intended to expose the company to thieves or not is irrelevant, as the outcome can be the same. The infamous Target data breach that affected over 100 million consumers has been traced back to a third-party contractor whose employee clicked on a phishing email, thereby downloading harmful software that infiltrated Target’s POS system. That employee certainly didn’t mean to cause one of the largest data breaches to date, but that is what happened.

So what can you do about this type of data breach, especially when you consider that one involves someone who is determined to nab personal information and the other involves someone who seemingly doesn’t care enough to protect it?

There are a number of steps businesses can take, including ensuring that employees don’t have unrestricted access to information. You can also ensure that your business (or companies you patronize, if you’re a consumer) doesn’t gather more information than needed, then store that information on unsecured technology or networks. Employers can present their staff with clear policies for computer and technology use, as well as present and enforce the consequences for violating those policies.

Consumers beware: you have more medical-related issues to be worried about, but a trip to the doctor or ER won’t cure them as the healthcare industry continues to be plagued by information security breaches.

Anthem Healthcare reported last week that approximately 80 million customer and employee records were stolen.

Last April I referenced the increase in medical ID theft and expressed concern about this lucrative cyber criminal business.

Here we are less than a year later and things are even worse as healthcare has become a most valuable target for cyber criminals due to the wealth of exploitable information in our medical records.

Since that column, there have been 79 additional healthcare related data breach events according to the Privacy Rights Clearinghouse; approximately 1.5 healthcare data breaches each week on average!

Anthem — provider of health insurance to nearly 10 percent of all Americans — reported that 80 million records were taken including names, birthdays, medical identification numbers, Social Security Numbers, street addresses, e-mail addresses, employment, and income information.

Now consider the financial value of these medical records and you’ll see the motivation. Stolen medical and healthcare records are the “Rolls Royce” with a black market value of approximately $200 per record as evidenced in hacker forums. As a comparison, our credit card records have become essentially a commodity and sell for about $1 per record.

ID theft criminals fraudulently use our stolen information for financial gain or to attain services at hospitals, emergency rooms, doctors’ offices, and pharmacies resulting in fraudulent charges and potentially deadly negative impacts to our medical records.

To make matters worse “phishers and phone fraudsters are capitalizing on the public concern over the Anthem data breach,” explained Brian Krebs, a nationally recognized security expert.

Krebs reported that, “the flood of phishing scams was unleashed just hours after Anthem announced publicly their data breach.”

Anthem said that “all impacted members will receive notice via mail which will advise them of the protections being offered to them as well as any next steps,” and phishers took that as an invitation to blast out variations of phishing scams that spoof Anthem and offer recipients a free year’s worth of credit monitoring services if they click the embedded link.

I encourage the healthcare industry to take a hard look at their information security and governance best practices. The Identity Theft Resource Center reported 42 percent of data breaches were related to healthcare last year and the Ponemon Institute found that data breaches in healthcare are costing $5.6 billion annually.

I also encourage all of you, whether you are an Anthem customer or not, to review all of your medical bills, Medicare summary notices, and explanation of benefits statements, and to regularly review your credit reports (by going to www.annualcreditreport.com) to help protect yourselves from medical identity theft.

Mark’s Most Important: Stay informed about your healthcare records and all related documents to avoid having to cure a big medical ID theft problem.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., a national ID-theft and background-screening provider based in Phoenix. Reach him at markpribish@merchantsinfo.com.

This article was originally published on AZcentral.com and republished with the author’s permission.

When it comes to keeping up with your digital information, you have options besides just taking up precious space on your computer with old files. Whether you’re storing precious family photos, videos of your kids, or more important documents like business files or tax information or scanned copies of your will, you want your data to be safe and secure but still easily accessible.

Two of the most common forms of storing individual user content are an external hard drive and a cloud-based storage subscription. You might have heard of terms like “backup drive” or storing your photos “in the cloud,” and these are the same concept.

An external hard drive is a device that plugs into your computer (typically via a USB cable) and acts just like a file cabinet for your computer. Just like you would transfer a document or a picture from one folder to another on your computer, you would transfer those same pieces of content to this other drive for safe keeping.

One of the best things about an external hard drive is that you can disconnect it with a simple click of the mouse and then pull the plug on the cable. If a hacker were to dig around in your computer via a remote connection, trojan, malware, or virus, your sensitive content would be safely tucked away on this hard drive and not accessible as long as the cable wasn’t connected. This is especially handy if you use a laptop computer, for two reasons: first, you’re not filling up your laptop’s limited storage with old pictures, and second, you’re not carrying around all of your personal content every time you take your laptop somewhere. It would be a shame if your digitized wedding video disappeared because your laptop was lost or stolen.

Unfortunately, external hard drives are just as vulnerable to physical threats as any other form of technology. If the drive is stolen during a break-in, permanently damaged by heat or water due to a house fire or flood, or any other of a number of scenarios, then your content is gone.

This is why cloud-based storage is growing in popularity. In a cloud storage situation, you would contract with a company that offers this storage solution and pay a monthly fee to use their secure servers. You would upload your content to your own personal, private account, just like you would if you were transferring it to an external hard drive. Besides the benefit of knowing your content is secure in a location far from home—keeping it away from burglars and house fires—you can access it anywhere from your laptop or portable device by logging in over an internet connection. You don’t have to worry that you left an important document at home in your hard drive because you can simply connect and call it up.

However, there have been widespread, justified fears about the security of cloud-based storage, especially in light of the growing numbers of data breaches and hacking events. So which solution is right for you?

That depends on what you’re storing. If you need constant, on-the-go access to your content, then a cloud-based server option may be better for you. If you’re simply storing photos, mementos, and your old tax returns, you might be better off with an external hard drive; you can even secure the hard drive in a fire safe in your home when you’re not using it, just to give it a little extra security from theft or damage. Do remember that the lower-end monthly costs associated with a storage subscription for approximately four years can be about the same as purchasing a top-of-the-line hard drive outright, so don’t let the price tag make this decision for you.