Your Social Security number is not very safe for two reasons – where it’s been and where it will be going. Considering how widespread the abuse of SSNs by ID-theft criminals is, maybe it should be renamed our Social In-Security number.

Let me bring the point home by sharing a moment from a recent speaking engagement to business students at the University of Arizona. I was challenged by a couple of students who said they had no risk of identity theft because “they were so young” and their “personally identifiable information had not had a chance to be at risk yet.”

My response dashed their naïve thinking. I reminded the students that chances are their parents had multiple jobs as they were growing up, which included multiple health insurance providers, and that their names and SSNs were still with those providers, along with the doctors, dentists and hospitals that they had visited over the years. I then asked how safe their names and SSNs were today.

Finally, I mentioned that most college students have a driver’s license and receive some form of financial aid, both of which require a name and Social Security number. How safe were their Division of Motor Vehicles records, along with their financial-aid forms, in these days of rampant data breaches? One of the two inquiring students acknowledged that she had transferred from a community college from which she received a letter notifying her of a data breach that included her SSN.

I also shared with the college audience portions of a speech I gave to a national association in Las Vegas last year, when a financial institution CEO told me that his life and SSN were locked down and that he was a low risk to become a victim of identity theft. My response was to ask a few basic questions including, had this CEO worked for the same employer his entire life? Did he use the same home and auto insurance agent, tax preparation service provider, doctor, and dentist his entire life? Did he purchase his cars from the same auto dealer his entire life? Did he have health insurance from the same health insurance provider his entire life?

The answer of course was “no” to all of these – which means his name and SSN have been with multiple businesses and organizations throughout his career and personal life. Statistically, it’s likely some of these entities have had data breaches. When SSNs were first issued in 1936, the federal government told the public that the use of SSNs would be limited to Social Security programs only, including retirement benefits. Today, however, SSNs are the default national identifier – used as an authenticator to confirm the identity of individuals. That makes SSNs highly desirable to identity thieves.

Mark’s most important: Add security to your Social Security number by assuming it’s been breached somewhere, or will be. Always be vigilant, regularly checking your accounts and records for unauthorized actions.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., an ID theft-background screening company based in Phoenix. Contact him at markpribish@merchantsinfo.com.

This article was originally published on AZcentral.com and republished with the author’s permission.

Merchants Information Solutions is a proud sponsor of, and provides financial support to, the ITRC. For more information on the ITRC’s financial support relationships, please see our sponsorship policy.

Is Sony’s data-breach event about to change how hackers go after our personally identifiable information in 2015?

When the news broke that the information of more than 6,800 Sony employees, including Social Security numbers, birth dates and salaries, had been exposed, most consumers, including me, thought “Here we go again” with another typical major data breach event.

However, this is anything but typical. Unlike the Target or Home Depot hacks, the Sony breach exposes a new threat realm that includes stealing and exposing health-care information, employee e-mails and project e-mails involving clients, partners and other employees.

Can you imagine private e-mails from your employer, health provider, banker, social media or child’s school about your salary, medical records, credit score, child’s grades, personal or business relationships going public for everyone to read and see?

In Sony’s case, files that were hacked included unreleased movies (even forcing the cancellation of one), thousands of employees’ Social Security numbers, executive pay packages and internal e-mails that were uploaded to the Internet. Sony has described this breach as an “unparalleled crime” that is unprecedented in nature.

Sony Pictures now has legal, financial and public relations liabilities in protecting its image, responding to the needs of individuals affected by the breach and complying with state and federal data-breach laws.

I believe we will see more of the Sony-type hacks — targeted attacks specific to both our personal and business information.

I encourage you to check out Experian’s just-released second annual data breach industry forecast report. Here are some of Experian’s 2015 data breach predictions:

  • Internet of things. Cyberattacks likely will increase via data accessed from third-party vendors.
  • Employees will be companies’ biggest threat. A majority of companies will miss the mark on the largest data breach threat: employees. Between human error and malicious insiders, time has shown us the majority of data breaches originate inside company walls.
  • Data-breach fatigue will grow among consumers. A growing number of consumers are becoming more apathetic and are taking less action to personally protect themselves.
  • Business leaders will face increased scrutiny. Where previously IT departments were responsible for explaining security incidents, cyberattacks have expanded from a tech problem to a corporate-wide issue. With this shift, business leaders are being held directly accountable.
  • More hackers will target cloud data. Cloud services have been a productivity boon for consumers and businesses. However, as more information gets stored in the cloud and consumers rely on online services for everything, the cloud becomes a more attractive target for attackers.

Mark’s most important: Set goals in 2015 to focus on risk management and cybersecurity. Be proactive and prepared for a broader range of hacking threats.



A number of government employees had their productivity cut short late last week when the State Department shut down its unclassified email system. The shutdown came after IT experts noticed unusual activity on the servers. The response, which didn’t affect any classified email systems or content, was swift and widespread throughout the department, with plans to return the system to operation on Monday or Tuesday after updating the security protocols and investigating the causes and the reach of the hackers’ access.

What made the action so sudden? Experts inside the system have reason to believe this most recent attack is linked to the data breach of the White House’s unclassified computers last month, a hacking event that they believe to have originated in Russia. A spokesman for Russian President Vladimir Putin, however, told CNN that the US has no proof that Russia is in any way behind that breach and that they would not discuss any allegations of hacking until proof was provided.

Immediately after the White House computers were hacked, other mysterious activity was detected across government networks, but its extent has not yet been isolated. So far, computers at the US Postal Service and the National Weather Service have also reported breaches.

In a statement published on Huffington Post, however, a senior State Department official who wished to remain anonymous said that the email outage was actually intentionally scheduled in an effort to conduct security maintenance on the system as a result of the earlier breach. This belies some of the media response that indicated the State Department had essentially pulled the plug on the system once suspicious activity was noticed. This official confirmed that investigators are still at work on the extent of the October breach, but reiterated that no classified information has been compromised.

It’s easy to give in to fear-mongering from sources who see this as our government’s inability to secure its own networks or who claim that our technology isn’t all that secure, but the better viewpoint is to applaud the State Department for taking action to minimize the amount of content that hackers could access. Even as recently as a year ago, reports of large-scale data breaches in the private and corporate sectors were only made public months after the event and after investigators confirmed it had taken place. If anything has been learned from this, it’s that immediate action is important, even when suspicious activity is only suspected.

When most people think of a hacking event that results in the loss of highly sensitive government information, they probably envision foreign spies or figures like Edward Snowden: people who not only have an agenda to fulfill but also the means and the know-how to infiltrate what has to be the most secure network in the world.

Instead, the reality is that a shocking number of data breaches are caused by user error on the part of government employees, people who are all too often wholly untrained about the dangers associated with certain internet behaviors. These behaviors have led to a reported increase in cyber “incidents,” of which there were more than 200,000 last year alone, according to the Associated Press.

But with government officials placing cybersecurity as the number one threat to our country—even higher than terrorism—and a reported $10 billion a year of government funding spent on cybersecurity, why are we still subject to this kind of vulnerability?

Unlike the laws being put in place around the country requiring private businesses, from tiny startups to major corporations, to inform consumers if their personally identifiable information has been accessed through a data breach, the government isn’t required to inform the public if it is the victim of a breach. Reporting cybersecurity failures has therefore fallen to news outlets. Those organizations uncovered a shocking amount of employee failure, most of which stemmed from falling for phishing emails, clicking on fake links which downloaded malicious software to a government computer, losing crucial pieces of technology like laptop computers with highly sensitive information stored on them, and more. Overall, the AP has found that at least half of all government cyber incidents are the result of employee error.

Of course, it’s not only employees and contractors who are to blame for their online missteps. The other side of the coin is that the government’s data comes under constant threat from hackers, both from intentional foreign spies and from individuals who just want to see if they can accomplish the seemingly impossible by breaking into this secure data. Unfortunately, as news outlets like The Washington Post have reported, it’s all too easy to access a government computer or server when employees are not trained on safe online security practices.

What is vitally important is better training and awareness of security threats, and the need to report these incidents to the public as they occur. When the White House’s own report states that 21% of the cyber incidents last year were due to employees violating workplace computer policies, and another 16% were due to employees losing a physical piece of technology, better instructional practices, constant threat management training, and penalties for outright violations might make our information more secure.

“What do we do next?”

Picture this: Your small business has been hacked and you are now asking yourself, your business partners or your management team that question.

If the question characterizes the state of your ID-theft preparedness, the painful answer I have is: It’s already too late.

You need to be ready before your data is hit and immediately launch your data-breach incident response plan. In case you’re not ready, let me give you the essentials I provide to my business and civic audiences so you can be prepared.

The first priority for your business is to understand the three primary data-breach risk factors: people, processes and technology. The people factor includes current and former employees, customers, associates, vendors and independent contractors.

Processes include information technology, enterprise risk management, marketing, sales and human resources.

The technology that you rely on to conduct and grow your business also is being used by cybercriminals to identify vulnerabilities of your business.

Your second priority is to complete a data assessment of all types of information that your business collects, uses, stores and transmits.

• What type of data (on employees, customers or patients) is in your files?

• What type of personally identifiable information is in your business data (for example, name, address, Social Security number, driver’s license, bank account, credit/debit card, medical plan information)?

• What aspects of your business are performed within and outside your business?

• What would be the value of your data assets if they were stolen and made public?

• What would be your overall financial risk if your data was breached?

• In which states does your business conduct business, and in which states are your customers/employees/patients living?

• Does your business insurance include cyber/network liability?

Your third priority is to include the following five components in your small-business data-breach incident-response plan:

• Determine breach source. Make sure the data compromise is isolated and access is closed. You may need a forensic investigation company.

• Breach assessment. Determine the scope of the data breach and privacy and data-security regulatory requirements.

• Response plan. Include internal employee education and talking points; public relations, customer education and resources; business or consumer solutions to be considered; and the content and timely release of notification letters.

• Protection plan. Determine what protection services will be offered to the compromised record group and confirm professional call-center and recovery advocate-support services.

• Breach-victim resolution plan. Provide access to professionally trained and certified identity-fraud recovery advocates who will work on behalf of the victims to mitigate and resolve the issues caused by the breach.

Templates are freely available online to assist with the creation of your data-breach incident response. Also, consider contacting your insurance broker and professional trade associations to which your business belongs. They often have good resources.

Mark’s most important: Promise yourself today that you will have a data-breach response plan in place by the end of the month.



News broke this week of a breach of AT&T customers’ data, the second event this year for the cellular provider. In an eerily similar method of stealing private information for the purpose of reusing it, an employee allegedly accessed sensitive data, this time of over 1,600 AT&T customers.

The breach that took place earlier in the year involved “unlocking” smartphones in order to take them to any provider. In that event, several third-party contractors to the company quite literally entered an AT&T store and used the computer system to look up and record the private information on a few hundred customers. The thieves needed the private information in order to override the protocols that make an individual phone specific to the AT&T network. Once the retrieved data is used to unlock the phone from AT&T’s cellular service, the phone can then be used on any provider’s network. This is what makes a stolen phone useful for resale, since it would otherwise have to be sold to an in-network customer.

The thieves had a batch of stolen phones—either that they had stolen themselves or that they were in connection with—and needed customers’ security information in order to unlock them. There hasn’t been any definitive word on whether the thieves then went on to sell that information for identity theft purposes, but AT&T provided a year of credit monitoring protection to the affected consumers to be safe.

Now, an AT&T employee has accessed the data of almost two thousand customers, although the company hasn’t been able to determine why the employee looked at the information. It’s believed that the purpose was identity theft, but that hasn’t been confirmed. What is known is the types of information that were accessed, and it was enough identifying information—like Social Security numbers, birthdates, and driver’s license numbers—that AT&T has terminated the employee and is once again covering the costs of credit monitoring services for the affected customers.

Whenever a breach like this one occurs, industry watchers have to ask the same question: why do companies gather and store this kind of information on their customers?

In the case of a service provider like a cell phone company, a credit check may be required in order to initiate a contract, but there’s no reason for the company to continue to store the Social Security numbers, especially when some reports indicate that the majority of consumer data breaches are inside jobs involving the companies’ own employees.

Moreover, the question needs to be asked, “Why are employees able to access this information in the first place?” Even if a legitimate reason for gathering the data was found, why are all employees able to view customers’ secure data?

There are unfortunately few steps consumers can take to minimize their risks in this situation. Those who receive letters from AT&T should take advantage of the free credit monitoring option and will need to keep a close watch on their credit reports to look for suspicious activity. Customers who are not affected, even those with a different cell phone provider, can attempt to contact the company and have their Social Security numbers deleted from its systems in order to reduce the impact of an insider or network-hacking data breach; if that doesn’t work, prepaid cell phone services do not require Social Security numbers because they do not run a credit check.


If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign.  For more information or to donate please visit http://www.idtheftcenter.org/anyone-3.

In the latest round of confirmed data breaches, banking giant JPMorgan Chase—arguably the largest US bank—has announced that hackers may have accessed the secure information of approximately 83 million of its accounts, comprising 76 million individual consumer accounts as well as around 7 million small business accounts.

In a filing made with the Securities and Exchange Commission yesterday, the company confirmed a breach that seems to have given criminals access to personal contact info on its account holders. This information is believed to be limited to basic data, such as individuals’ names, addresses, emails, and phone numbers, and is so far not thought to include any account numbers, passwords, Social Security numbers, or more valuable personally identifiable information. As the consumers’ financial information seems not to have been stolen, the bank will not be providing credit monitoring services or compensation to its customers at this time.

The interesting thing for consumers to understand about this breach is that it is not the stuff of movies. In the cyberthrillers of pop culture, thieves hack into the computers and electronically deplete the accounts of their money, but that’s far from what transpired in this situation. Instead, the hackers went after personal data, which some experts say is far more valuable than the contents of your checking account. With the right information, thieves can wreak havoc with your identity or even sell your information on black market websites that deal in stolen data. It would seem nearly impossible to cover their tracks should they actually steal the money, but stealing personal data gives them a high rate of potential financial gain and a lengthy time period in which to use it before the breach is discovered and they’re shut down.

So if the hackers didn’t take consumers’ money, what are they doing with the information? Some experts have already said that the thieves in this case may use the data they garnered to launch spam and phishing attacks, presumably through email but possibly also through text message and phone calls. By selling the information to companies that send out mass-mailings on behalf of cheap advertisers, they stand to gain financially, and by using the information for phishing, they can attempt to trick consumers into falling for even bigger scams.

At this time, the investigations into the causes and the reach of this event are still underway. But the first thing that should come from this is the understanding that there’s no such thing as “too big to fail.” At the risk of oversimplifying an understandably complex issue, if JPMorgan can be breached, other companies need to take a serious look at the security protocols and the amount and type of data they gather.

Consumers, even those who do not bank with JPMorgan and whose data was therefore not accessed, should make sure that they are educated about their personal security and their online behaviors so they don’t fall for a scam or fraud attempt. Even being connected through email to someone who does business with JPMorgan could mean that your email address can receive these expected phishing emails, so make sure you know the difference between content that is safe to open and click, and what is fraudulent. The ITRC maintains a list of the top scams and phishing attempts on its website for reference.



It feels like new reports are coming out almost every day of major retail chains whose computers were hacked, leaving consumers exposed to identity theft and credit card fraud. But new information from the Secret Service may have found the connection between many of these recent data breaches.

Last month, the Secret Service released a report on its findings that may show a high number of companies were all breached by the same malware, known as Backoff. This program infiltrates the companies’ computers and point-of-sale credit card machines to gather information from the magnetic stripes on the backs of credit cards. This method, known as RAM scraping, may have been put into effect through software that infected as many as seven different POS device manufacturers’ and distributors’ systems.

One of the most widely talked about recent breaches involved the retail chain Target, whose POS systems were hacked last year. That breach led to nearly 110 million consumers’ credit card information being accessed by criminals and sold on the internet to other thieves. The effects of that breach are still causing harm; Target has already paid a reported $148 million to clean up the damage, and credit card companies are still monitoring their members’ accounts. There have also been numerous pending lawsuits filed against Target for the breach given the news that the company was warned about vulnerabilities in their system by their own IT experts.

The Secret Service has yet to name the retailers that they believe were impacted by this malware infection, and hasn’t named the POS machine developers either. But they do seem to believe that the same malware has caused multiple major-name data breaches and that it began its malicious work in October of last year, right as the holiday shopping season began to kick off.

Interestingly, information from one of the leading cybersecurity experts in the country, Brian Krebs, links the spread of malware in data breach victims to employees who open and respond to phishing emails, those messages that contain a link that entices users to click it. By clicking the link, the employee accidentally downloads the malware and infects the entire system. In Target’s case, an employee at one of its third-party contractors, which handles heating and cooling in the stores, seems to have infected Target’s computers. A similar method of infecting computers can easily have happened at any of the recently breached companies.

While it’s up to the retailers to sort out how to investigate and clean up from a data breach, there are steps that consumers can take to protect themselves. The first lesson to be learned is almost too obvious: never, ever click on a link in an email unless you trust the source and can verify that it is not harmful. Also, keep your anti-malware and antivirus subscriptions up to date, and always remember to download those pesky updates that your computer reminds you about from time to time. Those updates are helping your computer recognize and block the newest viruses or malware.

If you do suspect that you were a victim of a corporate data breach, remember to take the information seriously. When corporations offer credit monitoring services as part of their clean-up efforts, be sure to activate those subscriptions as soon as you’re informed. Of course, there’s no reason to wait for a company to discover it’s been hacked. Stay on top of your credit card statements, bank statements, and credit reports and watch for any suspicious activity so you can take action before things get out of hand, and report any strange purchases to your bank or card provider immediately.


The Georgia-based company Home Depot, with 2,200 stores nationwide, appears to be the most recent victim of a massive data breach which may have given thieves access to tens of millions of consumers’ credit card account information.

According to security blogger Brian Krebs, this data breach incident at Home Depot could be significantly larger than the Target breach due to length of time it went undetected.

In a message on its website, Home Depot has confirmed they are looking into some “unusual activity” and that it is actively working with its banking partners and law enforcement to investigate this payment card breach which, according to some, may have started as early as April.

This determination is based on the recent appearance of credit card information becoming available in underground forums and on various websites.  Once the credit card information has been stolen and put up for sale, it can quickly be transferred onto blank plastic cards for use by identity thieves.  Initially selling for $50 to $100 on the black market, this information quickly loses its value once the financial institutions begin to detect “unusual activity”.

While the extent of the damage has yet to be determined, there are serious concerns that the breach compromised account numbers and expiration dates through malware placed on the company’s point-of-sale credit card readers.  In this case, many industry experts believe it is the same Backoff point-of-sale malware which may have compromised the credit card information in the breaches that occurred at Target, Neiman Marcus, Michaels and The UPS Store.

The U.S. Secret Service estimates this malware has infected more than 1,000 U.S. businesses.  If so, all of the account information contained on the magnetic stripes of the individual cards could have been retrieved by the hackers before the POS devices encrypted the information.

The following message has been posted on the Home Depot website:

“We’re looking into some unusual activity that might indicate a possible payment data breach and we’re working with our banking partners and law enforcement to investigate.  We know that this news may be concerning and we apologize for the worry this can create.  If we confirm a breach has occurred, we will make sure our customers are notified immediately.  For now, you should know the following:

First, you will not be responsible for any possible fraudulent charges.  The financial institution that issued your card or Home Depot are responsible for those charges should we confirm a breach. Make sure you are closely monitoring your accounts and reach out to your card issuer should you notice any unusual activity. If we confirm a breach, we will offer free identity protection services, including credit monitoring, to any potentially impacted customers. We’re working hard to get you the information you need as quickly as possible and will continue to provide updates as we learn more. If you have any questions, please call Home Depot Customer Care at 1-800-HOMEDEPOT (1-800-466-3337).”

What this means to you:

A compromise of payment information means that an unauthorized person(s) now has access to this information and could potentially use this information to make fraudulent purchases on the account(s) that were used when you shopped at Home Depot.

What you can do:

Monitor your credit and bank statements closely and look for any unauthorized activity.  Review each item, and keep an eye out for small dollar transactions. If you notice any fraudulent charges on your credit card or debit card, contact your financial institution (bank or credit card issuer) immediately.  Inform them that the charges are fraudulent and they will walk you through their remediation process.  Each financial institution has a different process.

Should you have any further questions or concerns about this event, please visit our website at www.idtheftcenter.org or call and speak to an advisor for free advice at (Toll Free) 888.400.5530.

Corporate security breaches seem to make news headlines almost daily. Companies like Target, Sally Beauty, eBay, and more have recently been the victims of large-scale security breaches that resulted in millions of customers’ personally identifiable information being stolen. That information is usually credit card information—data which is easily and immediately profitable—but can also include names, addresses, emails, Social Security numbers, and more.

In the case of this month’s PF Chang’s security breach in which millions of credit card numbers were stolen, the company’s corporate headquarters wasn’t even aware of the hacking event until it was brought to their attention that the credit card numbers were now for sale on a website that specializes in this kind of crime. A site that authorities believe may be based out of Russia is selling entire batches of card numbers to eager thieves, and one of the unifying factors in all of the cards is that they were used in a PF Chang’s restaurant location between March and May of this year.

Before you go check out the site to see if your card is listed…don’t. First of all, you won’t see any credit card information without signing up as one of their underhanded customers and paying for card information. But even going to the site could open you up to malware that infects your computer and retrieves even more of your data.

But what do hackers actually do with the information they steal? They sell it to their own customers. Their customers pay that website for information such as your credit card number, then turn around and use your card number either for online purchases or by writing your data to the magnetic stripe on the back of a blank card. They can even sell these replicas of your credit card and turn a quick profit.

This is yet another case of corporate theft in which millions of victims did nothing wrong but were still subjected to potential identity theft and financial fraud. Short of never using a credit card or debit card, there isn’t a lot that consumers can do to prevent this kind of breach. However, it is certainly an example of the kinds of diligence that consumers must practice in order to protect themselves as much as possible.

First is to always read your credit card statements carefully, looking for any unauthorized charges or suspicious activity. You can also sign up for alerts from your credit card company, which will send you an email or text message any time a charge is made without your card being present. Also, choosing to do business with credit card companies who have a proven track record of watching their customers’ accounts for this kind of problem is a good idea.

This kind of awareness can help minimize the damage from a security breach and give you all of the necessary paperwork to file a police report and clear this up with your credit card company. Remember to take all news of a breach seriously, and treat even the hint that your information was compromised as a serious issue.
