Nearly half of all data breaches occur when ID-theft criminals access information because we lost a device. In fact, nearly 41 percent of all data breach events from 2005 through 2015 were caused by lost devices such as laptops, tablets and smartphones, according to a new TrendMicro report.

TrendMicro’s analysis included data breaches by business sector, and one of the significant findings was that missing devices and untrustworthy insiders made the health-care industry responsible for more data breaches than any other business sector in the last 10 years. To gain a security expert’s perspective on reducing the impact of lost or stolen devices, I reached out to Alan Saquella, a member of the Merchants ID Theft Advisory Board that I co-chair and the Western region manager of security/investigations for Cox Communications.

“The two things that we do at Cox to prevent and/or minimize lost devices is to implement a required, annual training on privacy and security, which is tracked by employee for compliance,” he said. In addition to education, “all devices are tracked with GPS and/or CompuTrace (a laptop tracking software) and so far, we have been very successful in recovering lost or stolen equipment,” Saquella said.

To help you understand where the major risk areas are beyond lost devices, TrendMicro reported that data breach events happen in the following ways:

  • 25 percent of breaches were caused by hacking and malware
  • 17.4 percent of breaches were caused by unintentional disclosure (not including lost devices)
  • 12 percent of breaches were caused by malicious insider leaks

The report said that the health-care business sector was the largest target, accounting for 26.9 percent of data breaches this decade, followed by education (16.8 percent), government (15.9 percent) and retail (12.5 percent). At the same time “healthcare had a significant insider leak problem (17.5 percent of its breaches). Insider leaks were the primary source of identity theft cases (44.2 percent) and healthcare was hit harder by identity theft than any other sector, accounting for 29.8 percent of cases.”

While IT and hacking are the sizzle that continues to create data breach headlines, the truth is that most events are caused by device loss and the insider threat. While attackers certainly target personally identifiable information, credentials, more specifically the credentials of a network administrator, can be more lucrative. Administrator-level credentials can give attackers the ability to exploit an entire organization in an attempt to gain valuable intellectual property such as trade secrets or copyrighted works. Although retailers have suffered many major losses as the result of data breach events, the most affected industry is the health-care sector.

Mark’s Most Important: Realize that devices will be lost, thus your organization needs to take steps to minimize the sensitive information contained on these devices, encrypt the data when it cannot be avoided, track and retrieve the devices when necessary, and remotely wipe devices if all else fails.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., an ID theft-background screening company based in Phoenix. Contact him at

This article was originally published on and republished with the author’s permission.

Merchants Information Solutions is a proud sponsor of and provides financial support to the ITRC. For more information on the ITRC’s financial support relationships, please see our sponsorship policy.

Consumers who used their credit cards at a variety of Hilton Hotels-owned properties between November of last year and now may have noticed some strange activity on their credit cards. Thanks to point-of-sale hacking at some of the properties, an unknown number of guests have had their credit card information stolen, according to a statement from the property chain.

Following reports of strange activity on consumers’ credit cards, investigators began to uncover fraudulent transactions at restaurants, gift shops, and other stores located inside Hilton locations. While the charges are believed to have begun in November of last year, investigators have reason to suspect it may still be happening.

It’s important that consumers know the online reservations and guest services registers do not seem to have been affected by this broad-scale identity theft. When point-of-sale fraud takes place, the culprit is often POS machine tampering or a software bug that has infected the POS network.

In the Target data breach, it was malicious software that stole customers’ information through the POS machines. The software was sent throughout the network after an HVAC contractor’s computers were infected. When an employee with the third-party contractor accidentally downloaded a virus from a phishing email, the hackers were able to root around in their smaller network system and look for bigger fish to fry. When they came across access to Target’s network, they were able to then install the malicious software on Target’s POS credit card network and steal consumers’ information.

A more basic version of POS fraud is through physical tampering with the credit card machine. It’s been known to happen in stores, but it’s a little harder to pull off if store employees see the culprit and report it. That’s why gas station pumps are a popular target for this kind of crime. With the vehicle parked in front of the pump, it’s a little easier to install the microfilm that steals the customers’ information when they pay at the pump.

For this reason, it’s too easy to assume that the Hilton breach is an “inside job,” but there has been no proof of that yet and the hotel chain is not releasing the locations that are known to be affected. What is known is that the locations can include any of Hilton’s other properties, including Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts.

When we think of major-name data breaches that affect millions of consumers, we probably think of teams of elite hackers infiltrating a network by exploiting a vulnerability in the technology. But sometimes, a data breach is the work of a good old-fashioned crook and not the result of sophisticated cybercrime skills.

When California-based managed care provider Molina Healthcare first learned a breach had occurred, the next step in the investigation was to uncover the source of the vulnerability. The breach was uncovered and reported to Molina in July by CVS, the pharmacy that oversees the provider’s over-the-counter (OTC) medications. According to their reporting, a CVS employee had downloaded patient information to his laptop, information which included full names, CVS-specific numbers on each patient, prescription coverage plan numbers, and coverage dates.

While that information may not seem all that sensitive, having enough information allows the perpetrator to steal patients’ identities, sell their identities, and commit other forms of fraud. The immediate assumption is that this is enough personal data to engage in medical identity theft, which occurs when someone fraudulently uses the victim’s information to receive health care, prescription drugs, or other related services. Medical identity theft is one of the fastest growing forms of the crime, with a 22% increase in 2014 and estimates that as many as 2.3 million Americans have already been victims of this crime.

The type of data breach that seems to have struck Molina Healthcare is known as an internal data breach. Internal breaches are actually broken down into two different categories: accidental and intentional. Accidental data breaches are just what they sound like; an employee might have downloaded a virus from a phishing email, or lost a laptop with sensitive, unencrypted information on it. Intentional data breaches—again, as the name implies—occur when someone purposely steals customer or co-worker data, usually with plans to later use it or sell it for identity theft.

In this particular incident, investigators have made the connection between CVS providing OTC medications and the type of information the employee gathered. While identity theft is still a major concern—as medical identity theft following a data breach has risen by 21.7% in the past year—investigators are also concerned that the information may have been collected in order to fraudulently buy OTC medications, some of which are actually key ingredients in the creation of certain illegal drugs.

Individuals who are believed to have been affected by this data breach have already received notification letters that outline the steps for setting up alerts and freezes on their credit reports. It’s vital that known victims of a data breach take proactive steps to prevent damage to their identities; in any breach event in which the affected company offers credit monitoring services, it’s important that consumers take full advantage.

In a move that has been a long time coming—literally, since it was first mandated in 2013 and again in 2015—the Pentagon has finally issued its new Rule on how defense contractors will report suspected cybercrimes.

No longer allowing contractors to wait until a breach has occurred and the extent of the damage investigated, this Rule requires contractors to report any and all suspicious activity if there’s even a chance that harm could come from it. This “potential for harm” reporting is intended to thwart cyberattacks before they occur and minimize the time between an actual hacking event and the reporting.

The Department of Defense has relied on contractors almost since it was established, as they serve to fill important roles without the need to hire superfluous manpower. If a business is already providing a service, whether it’s sewing uniforms for the military or providing highly-trained intelligence security systems, it makes sense to hire them instead of trying to reinvent the wheel.

The use of defense contractors is similar in nature to a corporation hiring third-party vendors to fulfill some of its needs rather than hiring and training additional members of the workforce. Unfortunately, third-party vendors—and logically by the same definition, contractors—have proven to be the weakest link in preventing corporate data breaches. The infamous Target breach has been traced back to a small company that serviced the retail chain’s refrigeration units and AC systems. With businesses in nearly every sector of industry hiring third-party vendors to cover everything from billing and payroll to data entry and even janitorial services, cybersecurity experts are warning companies to take a closer look at who they work with and to take immediate action when a threat is uncovered.

The same is true for the government. After the Office of Personnel Management breach that compromised at least four million employees’ identities and may have affected another 22 million people, the government is taking a hard look at how threats are detected, reported, and addressed. These newly released guidelines will ideally serve as a streamlined effort in data breach reporting, even if an event hasn’t fully been uncovered.

Unfortunately, what isn’t so straightforward is how the government will oversee the compliance with these guidelines, or outline any “punishment” for violating the mandates. It will largely be up to defense contractors to police themselves, which is why the focus is initially on helping them know when to report and whom to report it to. One of the major obstacles will be in aligning the standards that contractors already adhere to as places of business with the standards they must now meet as government contractors.

A spring 2015 data breach has resulted in one and a half million residents of Indiana—approximately one-fourth of the state’s population—having their medical and identifying information stolen by hackers.

The incident, which affected Indiana-based Medical Informatics Engineering (MIE) and its subsidiary NoMoreClipboard, also impacted another nearly four million individuals across the country.

The information that the as-of-yet unknown hackers accessed includes patient names, Social Security numbers, lab test results, and medical records, as well as a wealth of other information. The data is believed to have been stolen from hospitals across Indiana, Ohio, and Michigan, as well as from healthcare providers and numerous radiology centers which all used MIE for data processing.

Medical systems are a high-profile target for hackers due to the incredible amount of information they gather and store on patients. That’s coupled with the fact that practically everyone uses some kind of medical provider over the course of their lifetimes, so the information is there for the taking.

While MIE’s official statement warns individuals to immediately begin monitoring their credit reports and to set up alerts and freezes on their credit, affected individuals also need to remember to file their tax returns as early as possible next January so that they can beat an identity thief to the punch.

There is one other thing all consumers can do to minimize this kind of threat, and that’s to be mindful of how much information they share about themselves. This doesn’t only go for medical offices, which are widely known for requesting patients’ SSNs; even school enrollment forms, day camp forms, and volunteer applications to teach Sunday School are known for putting a blank for you to provide the number. Too often, the public sees the blank and fills it out without asking who needs it, why they need it, and how they plan to keep it from falling into the wrong hands.

It can be tough to keep from giving out your SSN, as the law doesn’t really offer protection for consumers who don’t wish to provide it. It does mean that your number should only be used for its originally intended purposes of tax identification, but it also means that a doctor’s office, for example, does not face repercussions for refusing you treatment for non-life threatening situations if you don’t provide it. Currently, several states are working on enacting legislation to protect consumers and their private, sensitive data by limiting who can request the SSN, but until that time, it is the individual’s responsibility to give it out wisely.

Cybersecurity firm Trustwave provides an invaluable public service each year when it releases its annual report on data breach activity. This report, the 2015 Trustwave Global Security Report, examines the ways hacking attempts and data breaches were perpetrated, which sectors of industry are hit the hardest, even the corporate and consumer behaviors that lead to data compromise. (Did you know that “Password1” is still the most commonly used password?)

The 2015 report, which was released in June, examined the incidents that Trustwave was asked to investigate last year. Key findings of their research include:

  • 43% of the incidents were in the retail industry, followed by 13% for the food and beverage industry and 12% for the hospitality industry.
  • Half of the incidents that they investigated took place in the United States.
  • In 31% of cases, hackers were after payment card track data on the back of a payment card (these are things like the three-digit code on the back of the card, needed for an in-person transaction).
  • In 20% of the cases, attackers were after financial credentials or proprietary information like payment details.

There were two shocking highlights concerning both consumers’ and hackers’ behaviors, though. In the first instance, 81% of the victims did not discover on their own that they’d been hacked. Trustwave went on to reveal that self-examination vastly speeds up the time to response; in cases where the company discovers they’ve been hacked through self-monitoring, there are usually two weeks between the incident occurring and the company putting a stop to it, but in cases where companies are not running self-checks and uncovering suspicious behaviors, the average time between the breach and containment is over 150 days.

As for the hackers, Trustwave has revealed a crucial statistic when it comes to understanding why hacking events and data breaches are on the rise, and that’s the payout it provides for the criminals. In other words, why do they do it? The answer is, quite simply, because it works.

According to the report, “Attackers receive an estimated 1,425 percent return on investment for exploit kit and ransomware schemes ($84,100 net revenue for each $5,900 investment).” For very little financial investment and even less investment in manpower, hackers can make significant gains, largely thanks to the fact that businesses and consumers are doing their work for them. Weak security protocols, outdated POS systems, failure to recognize malicious spam emails, and useless passwords all offer thieves the opportunity to waltz right in and make some serious money.

So what should we do with this information now? According to Trustwave’s chairman, we must learn from it and adjust the way we do business.

“To defend against today’s sophisticated criminals, businesses must see attacks from their front windshield instead of their rear view mirror,” said Trustwave Chairman, Chief Executive Officer and President Robert J. McCullen. “By providing a wealth of current, actionable data breach trends and threat intelligence, our 2015 Trustwave Global Security Report helps businesses identify what’s coming so that they can engage the people, processes and technologies needed to thwart cybercrime attacks that can generate close to a 1,500 return on investment.”

To view the full 2015 Trustwave Global Security Report, go to

Data breaches and identity theft are becoming so prevalent that some industry experts have said they’re inevitable, and that identity theft is basically unavoidable. The good news is there are steps consumers can take to minimize the chances of becoming victims of data breaches or identity theft, but the bad news is those types of crimes don’t only affect your information or even your finances.

In some cases, the consequences of a data breach can actually be deadly. That is, if the entity that was infiltrated is a part of the health care industry. While major health insurance providers like Anthem have already been the victims of data breaches, individual health care systems like the UCLA Health System are also prime targets for hackers. Medical offices, hospitals, and insurance providers are notorious for collecting copious amounts of information on their patients and storing it in centralized computers. Many systems and offices also use outside billing contractors, and research has already shown that in the majority of data breaches, the culprit—intentionally or accidentally—is a third-party vendor or contractor.

UCLA Health System is just the latest in a long line of medical data breaches. In that instance, hackers are believed to have gained access to around 4.5 million patients’ names, addresses, Social Security numbers, health records, and more. The breach is thought to have started in September 2014, and allowed hackers to access this unencrypted information.

But how does that affect patients’ health? Unfortunately, this is a case where you almost hope the hackers just want to steal your financial identity. If they’re able to sell the data to people in order to commit medical identity theft and fraud, then that will allow people to use the stolen information to gain access to healthcare.

The frightening worst-case scenario would involve something like this: a thief goes to the hospital for treatment using your name, insurance information, and more. Doctors discover he’s diabetic, and he’s put on a treatment regimen that includes insulin. Your medical records now not only indicate that you have diabetes (and could be treated as such in an emergency if you can’t confirm that it’s not true), but they also indicate you’re taking insulin. This could cause a host of problems, not the least of which are of a dire nature. It’s also possible that a pharmacy or insurance company would deny you a different medication or treatment option due to “red flags” about how that option would interact with insulin or diabetes.

Of course, that is an overly alarming thought, but the more likely circumstance is of a far more annoying nature. Where there are laws in place that cover an identity theft victim following a financial issue like credit card fraud, those protections aren’t necessarily in place yet for medical identity theft. One article indicated that most victims of financial fraud are responsible for around $50 in charges, if any charges at all. However, “the majority of victims of medical identity theft paid an average of $13,500 to resolve the crime.” Compounded with our strict privacy laws in this country where health care is concerned, it can be difficult to resolve medical identity theft.

As with all data breach and identity theft issues, the best option for now is to prevent a thief from getting as much of your information as possible. While you can’t personally prevent hackers from breaking into the computer network of a major medical center, you can certainly limit the amount of information a thief would find under your name. You are not required to provide your Social Security number to a medical office, for example, and many offices have been found to ask for it without even knowing why they collect it. You can also read over all insurance statements carefully—not just the box that tells you how much you owe—to make sure someone isn’t already using your information without your knowledge.

News came out last week that CVS, the country’s second largest pharmacy chain, may have suffered a data breach of its photo uploading and printing website.

CVS Photo has had a message on its site since Friday that stated there was reason to believe a breach had occurred and that the site would be offline until the issue could be resolved. The message went on to reassure customers of the chain that this only applies to the photo site, not the main website or the physical stores, and to suggest that customers monitor their credit card or bank statements carefully for any suspicious activity.

Following any data breach, forensic experts work to uncover the root cause of the breach. In this case—and in so many others, like the now-famous Target data breach or the Goodwill breach—the weak link in the data protection chain appears to be a third-party company. In CVS Photo’s case, it’s believed to be PNI Digital Media, a Canadian company that handles the credit card transactions for the pharmacy’s photo uploading site.

Unfortunately, this isn’t the only instance in which PNI is believed to have been hacked. Walmart has already issued a warning that it, too, uses PNI’s services for its Canadian photo upload purchases and that it believes customers’ credit cards may have been accessed. Just like with CVS, though, Walmart assured customers that its US-based websites and main stores were not impacted.

Interestingly, in almost every major data breach, experts have traced the break in security to a third-party vendor. According to an article for Info Security Magazine by MacDonnell Ulsch, CEO and chief analyst at ZeroPoint Risk Research, “One consistent breach finding may get their attention: Almost without exception, a third-party vendor or affiliate is involved. It may be the client, or it may be the origination point of the breach.”

Why are third parties such a lucrative target? They carry a lot of trust with the companies they contract with, and as such, often have access to avenues of infiltration that hackers need in order to catch the bigger fish. In the case of Target’s breach, for example, the third-party contractor they used to get through the network was a heating, air conditioning, and refrigeration company in Pennsylvania. That same HVAC company has also reportedly done work for three other major retail chains in five states.

Unfortunately, as smaller companies with less manpower and tighter budgets than the corporations they’re contracting with, third-party vendors can also be somewhat of a sitting duck when it comes to keeping sophisticated cyberattacks at bay. The amount of access the company has combined with its lack of resources means vendors often end up as the door through which hackers walk on in.

While this should hopefully serve as a warning to the security industry in general, it does mean that there’s not a lot consumers can do to avoid paying through a third-party vendor. Instead, the smarter course of action is to keep tabs on your information, which is always a necessity. Read your credit card and bank statements carefully before tossing them, and make sure you’re paying close attention to how you dispose of them.

For some time, the government has been working through the aftermath of the Office of Personnel Management hacking event that compromised the highly detailed, sensitive information of as many as 22 million people. In what experts are considering a separate data breach, the National Guard has announced its database has also been compromised.

The information that was inadvertently made accessible by a contract employee is believed to include names, addresses, Social Security numbers, birthdates, and more on “all current and former National Guard members” going back to 2004. It’s important to understand the reactions in this event, as well as the steps that individuals should take. This has been determined to not have been a hacking event, but would fall more into the category of what experts call an accidental internal data breach. The contract employee transferred the files containing the sensitive information to a non-accredited data center, which does not offer any indication that anyone accessed it or has malicious intent. It was simply a matter of the data center not having prior approval to receive that level of information.

No one has clarified yet if the file transfer was even requested by the data center or its employees. However, in this climate of data breaches and identity theft, the National Guard isn’t taking any chances. The affected individuals have been informed of the event, and a website and a call center have been set up that will let Guardsmen and Guard veterans check their credit reports, find identity theft prevention tips, and report any strange activity involving their private data.

Some of the strange activity that affected victims—or anyone who’s ever been the victim of an intentional or accidental data breach, for that matter—should watch for will include new lines of credit or new bank and credit card accounts, any signs of other employment being assigned to their Social Security numbers, medical bills or health insurance statements for treatment they never received, even warrants for their arrest should it go that far.

It’s also vital that anyone impacted by a data breach of any kind be watchful of their tax returns and file as early as possible in order to avoid being the victim of tax refund fraud next year. Anyone who’s already been a victim may also be eligible to place free alerts and freezes on their credit reports, which should prevent unauthorized people from opening new lines of credit.

Internal data breaches occur when an employee of a company or organization uses his or her position to gain access to individuals’ personally identifiable information. Typically, the reason for accessing and gathering the information is so the employee can then sell it to identity thieves or use it to open new accounts and make purchases in the victims’ names.

Sometimes these breaches are accidental, such as when an employee accidentally downloads malicious software to a company computer or loses a company laptop with sensitive information stored on it. Of course, intentional internal data breaches are also prevalent, and occur when the employee begins stealing identifying information from data the company has gathered.

One Florida-based telemarketing company has experienced an internal data breach that almost looks too easy. How? Because the company in question, Advanced Tech Support (operated by Inbound Call Experts), is actually a PC repair and tech support company that can gain remote access to your computer if you’re having an issue. This remote access lets someone on a different computer use your computer in real time, and the scammers needed that ability to pull this off.

The fraudsters, posing as employees of ATS, seem to have been using the remote access feature to sift through the customers’ computers for online banking information, and even contacting customers to say that they owed money to the company, which they would say could be paid via wire transfer. They had to have gained access to the customers’ contact information somehow, and that’s where the internal data breach comes into play.

You might think no one would fall for this, but there’s another angle to this story. Advanced Tech Support and a few other companies were sued last fall by the Federal Trade Commission for some shady practices, so the scammers reached out to customers to inform them that they were owed a refund due to being overcharged for services, or due to the outcome of the class-action lawsuit. The fake employees told customers they would use the remote access feature to transfer the money back to the customer, but were instead trying to uncover stored sensitive information from the computer.

Making this story even more interesting is a warning that was posted on the ATS website, informing customers of the breach. It went on to state that the guilty party had been terminated, and that no credit card numbers had been accessed. However, this warning was removed after one news source contacted ATS directly to ask about the data breach.

While law enforcement can sort out the details of what has actually happened, there are some important things to remember about protecting yourself from this kind of scam:

  1. You will never be called out of the blue and sent an instant electronic funds transfer as part of a lawsuit settlement. These issues are handled via the postal system.
  2. Of course, electronic funds transfers also don’t require someone to access your computer.
  3. If you receive an unsolicited call from someone who wants remote access to your computer, hang up and call the company using a phone number that you’ve verified yourself—not a number the caller provided you with or one that was on your caller ID.
  4. If you’re ever in doubt about the veracity of the caller’s story, hang up. Even if the person states that an error has occurred—such as the overpayment ploy the scammers used in this case—you’re not required to respond or take action based on a phone call or email. Any legitimate correspondence will come through the mail so that you have a paper trail on the case.

Part of what made this breach work is the scammers were contacting people who already know very little about their computers… that’s why they had signed up for tech support packages with remote access in the first place. It didn’t take much to convince the victims to let them have access to the computer. It’s very important that you know how these issues really get resolved, and to listen to the little voice in your head telling you something might not be right.