Last June, the federal government’s Office of Personnel Management (OPM) made a startling announcement: it had been the victim of a sophisticated, large-scale hacking event.

The resulting data breach compromised the highly sensitive information of more than four million government employees, including names, Social Security numbers, birthdates, and more. It didn’t take long before another data breach was discovered. The federal workers who have the highest levels of security clearance were among those employees who were affected by the second data breach. That’s important because their applications for those clearances (SF-86) were lengthy—more than one hundred pages of personal history, information, and in some cases, even fingerprints.

These stored files included highly-detailed information on practically everyone they’d ever met: college roommates, former coaches and employers, distant relatives, and more. When cybercriminals stole that extensive data, it brought the number of people affected by the hacking event to well over 21 million, many of whom might have had no idea the government even had their information. As of this week, the OPM and the Department of Defense have finished mailing out the notification letters to everyone who was impacted by this event. With the abundance of mail coming through the postal system at this time of year, it may be a few more days before those letters reach all their intended recipients.

So what do you do if you receive a letter from the OPM? The same thing you do if you receive any notification letter informing you that your data has been compromised. First, you don’t panic, but you also don’t disregard it as just another 21st century crime. You read it very carefully for any specific instructions, you follow those instructions, and you put the letter in a safe place.

A typical notification letter starts by informing you exactly what information was compromised in the breach. In the case of the four million employees, hackers got everything. But for the “outsiders” in the secondary breach who were only listed as additional sources of verification and reference, their Social Security numbers, for example, aren’t believed to have been gathered in the first place and therefore weren’t compromised. In any hacking event or data breach, always read the notification carefully to learn exactly what personal information the thieves obtained in the incident.

The letter should also provide you with suggested steps you should take. For a breach that only compromised email addresses and account passwords, you might be instructed to simply change your account password and look over your account history carefully. However, in a situation where all of your sensitive identifying information was obtained, you will be given more detailed instructions and possibly even offered credit monitoring and protection.

Finally, it’s important that you put your notification letter in a safe place once you’ve read it and followed the instructions. It may help you down the road by serving as proof that your identity was stolen, which is especially important if someone commits a crime with your good name.

Travelers, beware! At least that’s the sentiment of many people who’ve had their credit card and payment information stolen while traveling, specifically while staying in hotels.

Hotel data breaches are nothing new. Experts have warned vacationers for quite some time about the dangers of turning over your payment card at a check-in or check-out desk, as unscrupulous hotel employees can easily make a copy of your card using the magnetic key card machine. For that reason, travelers have long been warned about letting their cards out of their sight.

But a rash of large-scale data breaches at major hotel chains have been linked back to hackers, specifically those involving the hacking of the point of sale payment networks through hotel gift shops. As recently as September 2015, Krebs on Security reported about a data breach involving the Hilton properties, and hotels around the world like Mandarin Oriental and White Lodging Properties have also been affected.

Now, news broke this week about another major hotel data breach involving 54 different Starwood Hotels & Resorts Worldwide properties. Once again, the breach seems to have impacted only the point-of-sale network within the hotel shops, and not the actual check-in desk or reservations system.

As the busy holiday travel season approaches, there’s no reason to think the situation will get better instead of worse. Hackers know they have an easy target in out-of-towners, especially as guests buy essential items or gifts from the hotel stores. Since this isn’t something you can easily plan ahead for or prevent, it’s better to take proactive steps before the issue occurs.

For starters, you can opt to pay with cash at hotel properties or, if possible, apply any charges to your hotel room.  Another way to minimize harm is to designate one low-limit credit card for all of your travel spending. This method will also help you by reducing the chances that you could go over your travel budget. The main thing to remember is not to use a debit card in these situations as they do not allow for the same level of protections that apply to credit card transactions.

More importantly, though, is the need for monitoring all of your account statements both before and after you travel. That way, you’ll have a clear picture of how much you’ve spent and where your funds have gone. If anything remotely out of the ordinary occurs, you’ll be prepared to head it off with your financial institution.

It’s important to remember that in most of these major hotel data breaches, there has been a long window of opportunity during which thieves gathered credit card information, then used that information for criminal purposes. Don’t think that just because your information was safe in the days after you returned home, you’re in the clear. Keep a close eye on your statements all year long to stay on top of any potential threats.

It was only two years ago that shoppers during the Black Friday madness received an unwelcomed gift: their personal details and credit card information were stolen by hackers in what was then one of the largest known retail data breaches.

Now, just in time for the busiest shopping week of the year, one of the world’s largest online retailers has found some equally unwelcomed news, that some of its customers’ passwords may be in jeopardy.

Amazon reached out to affected customers this week with the information, letting them know that their passwords may have been improperly stored or transmitted in a way that could open them up to outsiders. While there’s no known link yet between this password exposure and any hacking activity, Amazon conducted a “forced reset” of those passwords. Even if you didn’t receive a notification from Amazon, it’s recommended that you change your account passwords immediately.

Besides the obvious fear of hacking and data loss, there are some other valid fears associated with this kind of issue. First, there’s a real threat that scammers will swoop in with their own emails in an attempt to copycat this incident; if you receive an email that even looks as though it’s from Amazon—informing you that your account may have been compromised in some way, and offering you a link to reset your password—ignore the link and handle it yourself. By going directly to the retailer’s website on your own and changing your password instead of using a link that arrives in a message, you can avoid any phishing scams that come through your email inbox.

Also, this incident serves as a cautionary reminder of why it’s vital that you take your account passwords seriously. There are some features that “good” passwords have, namely that they’re strong and that they’re unique. A unique password is pretty much what the name implies; you only use it for one account or website. If you use the same password (or even a close variation of it) on multiple websites, you’re potentially handing over your entire web identity to a hacker.

As for being strong, that’s a different matter. A strong password is at least eight characters long, and contains at least one letter, one number, one symbol, and one uppercase character. It’s also not an easily guessed combination, like “Password1!” or your last name.

Finally, there’s one last piece of the “good” password puzzle, and that’s the frequency with which you change it. Think of your password as being the key to a highly lucrative lock; the more that a hacker stands to gain from breaking into your account—like your credit card, banking, or major retailer’s account—the more often you should update your password. If you have a strong, unique password on your local library’s website, for example, one that cannot be used to guess other passwords, then the danger from a hacker is less severe. But if you have an account that contains significant and lasting information about you, the more often you change your password, the better off you’ll be.

“Poor communications, lack of leadership and lack of board oversight are barriers to effective incident response,” according to a new Ponemon Institute research report titled “The Importance of Senior Executive Involvement in Breach Response.”

The study sponsored by HP Enterprise Security Services surveyed 495 senior executives in the United States and United Kingdom to understand their perspective about the importance of executive- and board-level involvement in achieving an effective incident-response process.

I have delivered many speeches citing the need for senior executives and board members to get significantly involved in cybersecurity and data-breach risk management. Ponemon’s findings suggest that too many at the top of corporations are not properly engaged, even though their employees, customers and intellectual property are vulnerable.

Poor communications, lack of leadership and lack of board oversight are barriers to effective incident response. Seventy percent of respondents say poor communications is a barrier and 68 percent of respondents believe organizations do not have the appropriate leadership in place to deal with data-breach incidents.

Senior executives believe their involvement in the incident-response process is necessary. Seventy-nine percent of respondents say executive level involvement is necessary to achieving an effective incident response to a data breach and 70 percent believe board level oversight is critical.

Current incident response plans are more reactive than proactive. Less than half, (44 percent of respondents) characterize their organization’s incident response process as proactive and mature.

Executive level oversight is critical to minimizing financial loss and protecting reputation and brand. How do senior executives view their responsibility when an incident occurs? Senior executives are most concerned about the long-term effects and sustainability of the organization when sensitive and confidential information is stolen. Their focus is on minimizing financial loss and avoiding reputational damage.

Understanding the risk and approving incident response plans should be on the board of directors’ agenda. Seventy-seven percent of respondents say the board should be involved in reviewing risk assessments followed by approving the incident response plan (69 percent). Receiving regulatory and compliance updates (68 percent) and approving insurance coverage (66 percent) are other areas in which the board should be engaged.

From the perspective of a senior executive, what makes a data breach significant? In the context of this research, a material breach is one that requires more resources to resolve in order to minimize financial loss and reputational damage.Fifty-seven percent of respondents say the lost or theft of more than 10,000 records containing confidential or sensitive information constitutes a significant data breach.

Negligent and malicious insiders are considered the biggest security risks.Senior executives are more concerned about the threat within than with external risks caused by cyber criminals and hacktivists. Forty-two percent of respondents say they worry most about negligent insiders followed by 25 percent who say they are concerned about malicious insiders.

Incident response should focus on understanding the cause of an incident and addressing the negligent insider risk. Forensics investigations are key to responding to a breach (86 percent of respondents) followed by training and awareness of employees (81 percent)—probably because of executives concern about negligent insiders.

Mark’s most important: Note to small and large company leadership: Get involved in cybersecurity from top to bottom because it’s essential, the right thing to do and it will help mitigate and/or eliminate your risk specific to the 47 state notification laws, FTC Red Flags Rule, and HIPAA HITECH act.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., an ID theft-background screening company based in Phoenix. Contact him at

Two foreign nationals who worked for a third-party data company are suspected of stealing the personal information of as many as 4,000 Dow Corning employees. The two men, who worked for HCL America, are believed to have downloaded names, Social Security numbers, income records, and more, then transferred that data to a USB drive. The drive—and the information—are unaccounted for as of now.

HCL America is a third-party contractor that provides paid services to clients like Dow Corning. As such, they are responsible for conducting thorough background checks, employee verifications, and other authenticating procedures. Many businesses rely on this type of contractor to complete certain company tasks while saving on the hiring costs and benefits associated with bringing in full-time employees.

Internal data breaches like this one are certainly nothing new. One particular incident resulted in a conviction of a former Morgan Stanley financial advisor who stole account records from the database and downloaded them to his personal laptop; although he still claims that he never released or sold the records, batches of those same account records were found on a black market website.

What is different about this incident with Dow Corning, however, is the speed with which the incident was detected and the suspects’ names revealed. News of data breaches in the past has often involved months or even years between the breach occurring, investigators discovering it, and then the company notifying the victims. In this case, Dow Corning discovered the breach in late-September, and a hearing is scheduled for November 17th. A federal judge has already issued a mandate to prevent the two suspects from destroying any evidence, and the men have been detained as they are considered a flight risk.

But regardless of whether the guilty parties are apprehended or how the breach occurred, the outcome for the thousands of victims is the same: their highly-sensitive data has been stolen. Since there’s no evidence yet that it has been used or released anywhere, the affected individuals are only being cautioned to monitor their credit reports and financial statements at this time. It’s also a good idea for victims of a data breach to change their passwords on significant accounts like their email, to install robust anti-virus and anti-malware software, and to keep the notification letter in a safe place as proof that their identities may have been compromised.

CEOs and senior executives do not get fired when their companies get hacked or experience a data breach event. They get fired for failing to implement and test regularly a clearly defined, strategic management response to their data-breach event.

Whenever I speak to business audiences I always say, “No company can ever prevent itself from experiencing a data breach event and no single resource has all of the answers.” The point is your company’s response and recovery strategy may be as important (or more important) than your current cybersecurity technology initiatives. Why? Because according to technology research company Gartner, the forecast for worldwide spending on information security will reach $76.9 billion this year. Grant Thornton, a global accounting advisory firm, reported the total estimated cost of cybersecurity attacks over the past 12 months is $315 billion.

Think about it, nearly $77 billion is spent on information security this year and yet the annual cost of cybersecurity attacks is an astonishing $315 billion and getting worse. While cybersecurity in general and preventing a data breach event in particular are one of the most difficult challenges in today’s workplace environment, the technology aspect is falling short and, frankly, has failed to live up to expectations. With high-profile hacking and data-breach events affecting every business sector including the top 10 banks, top 10 insurance companies and the three major credit bureaus – all of which have more financial and information technology resources than any other industry groups – what is the answer?

The answer is an information security and governance plan with an emphasis on response and recovery. I’m not saying to ignore technology such as security or penetration testing, managed services or information-technology outsourcing and access management. These are all critical resources in protecting your business and mitigating the risks of a cyberattack.

Step 1: Make an initial assessment during a cyberincident. During a cyberincident, your business immediately should assess the nature and scope of the data-breach event. The type of incident will determine the type of assistance you will need to respond and the type of damage and remedial efforts that may be required.

Step 2: Implement measures to minimize continuing damage. After your business knows whether the incident is an intentional cyberintrusion or an accidental release, determine next steps to stop ongoing damage and take steps to prevent it from happening again.

Step 3: Record and collect Information. Your business should immediately make a “forensic image” of the affected computers and/or a record of the data-breach event to preserve a record of the incident for later analysis and potentially for use as evidence at trial.

Step 4: Notify. Contact employees within the organization, affected individuals outside the organization and law enforcement if criminal activity is suspected. Also, know that 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have notification laws in place to notify any individual whose personally identifiable information has been breached.

Mark’s Most Important: Increase the odds of your business surviving a data-breach event with a strong, tested and dynamic response and recovery plan.

Mark Pribish is vice-president and ID-theft practice leader at Merchants Information Solutions Inc., an ID theft-background screening company based in Phoenix. Contact him at article was originally published on and republished with the author’s permission.

The Dow Jones, which owns business oriented outlets like the Wall Street Journal, is synonymous with wealth and power. Most people only know of it in terms of investments and playing the stock market, and therefore it makes a logical “big fish” kind of target for hackers. After all, successfully infiltrating their stores of data could result in a tremendous payoff of information on some of the country’s wealthiest people.

And that’s why the information that was stolen in a recently uncovered data breach is somewhat perplexing. Investigators believe that between August 2012 and July 2015, cyber thieves began accessing information stored on subscribers in the system. This breach was discovered in July 2015, and experts are working to close the security flaw that allowed the breach to occur.

So what happens to some of the world’s wealthiest people when cybercriminals manage to nab their private information? They get emails.

According to the investigators in this particular incident, hackers appear to have stolen names, addresses, email addresses, and other similar information, not account numbers, Social Security numbers, or other financial data. What could they possibly want with a millionaire’s email address? The ability to target that individual with offers, solicitation requests, spam, or even phishing emails.

It might seem pretty pointless to steal a list of email addresses, but hackers know that if they can get the recipient of a phishing email to click an included link in the message, then the chances for installing invasive malicious software on the victim’s computer are great. In many cases, once that harmful software is installed, the hackers can use it to root around in the victim’s hard drive, cloud storage, email inbox (which would presumably contain email addresses for other industry leaders to target), and more. Currently, however, investigators into this breach have only discovered the intent to solicit the victims with requests.

The takeaway from this is that no piece of personal information is safe in a hacker’s hands, no matter how inconsequential it might seem. The Target data breach occurred through a similar scenario, for example. With this kind of access and a few simple human errors, the potential for further damage is almost limitless, and demonstrates again what the data security industry has been following in recent weeks: financial identity theft is still the top form of the crime but it’s losing ground to other forms that have the potential for long-term damage. Cybercriminals are no longer content with credit card information or bank account numbers, having discovered that there is even more money to be made from stealing other types of data.

Nearly half of all data breaches occur when ID-theft criminals access information because we lost a device. In fact, nearly 41 percent of all data breach events from 2005 through 2015 were caused by lost devices such as laptops, tablets and smartphones, according to a new TrendMicro report.

TrendMicro’s analysis included data breaches by business sector, and one of the significant findings was that missing devices and untrustworthy insiders made the health-care industry responsible for more data breaches than any other business sector in the last 10 years. To gain a security expert’s perspective on reducing the impact of lost or stolen devices, I reached out to Alan Saquella, a member of the Merchants ID Theft Advisory Board that I co-chair and the Western region manager of security/investigations for Cox Communications.

“The two things that we do at Cox to prevent and/or minimize lost devices is to implement a required, annual training on privacy and security, which is tracked by employee for compliance,” he said. In addition to education, “all devices are tracked with GPS and/or CompuTrace (a laptop tracking software) and so far, we have been very successful in recovering lost or stolen equipment,” Saquella said.

To help you understand where the major risk areas are beyond lost devices, TrendMicro reported that data breach events happen in the following ways:

  • 25 percent of breaches were caused by hacking and malware
  • 17.4 percent of breaches were caused by unintentional disclosure (not including lost devices)
  • 12 percent of breaches were caused by malicious insider leaks

The report said that that health-care business sector was the largest target, accounting for 26.9 percent of data breaches this decade, followed by education (16.8 percent), government (15.9 percent) and retail (12.5 percent). At the same time “healthcare had a significant insider leak problem (17.5 percent of its breaches). Insider leaks were the primary source of identity theft cases (44.2 percent) and healthcare was hit harder by identity theft than any other sector, accounting for 29.8 percent of cases.”

While IT and hacking are the sizzle that continues to create data breach headlines, the truth is, most events are caused by device loss and the insider threat. While attackers certainly target personal identifiable information, credentials, more specifically the credentials of a network administrator, can be more lucrative. Administrator level credentials can provide attackers with the ability exploit an entire organization in an attempt to gain valuable Intellectual property such as trade secrets, or copywritten works. Although retailers have suffered many major losses as the result of data breach events, the most affected industry is the health-care sector.

Mark’s Most Important: Realize that devices will be lost, thus your organization needs to take steps to minimize the sensitive information contained on these devices, encrypt the data when it cannot be avoided, track and retrieve the devices when necessary, and remotely wipe devices if all else fails.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., an ID theft-background screening company based in Phoenix. Contact him at

This article was originally published on and republished with the author’s permission.

Merchants Information Solutions is a proud sponsors and provides financial support to the ITRC. For more information on the ITRC’s financial support relationships please see our sponsorship policy.

Consumers who used their credit cards at a variety of Hilton Hotels-owned properties between November of last year and now may have noticed some strange activity on their credit cards. Thanks to point-of-sale hacking at some of the properties, an unknown number of guests have had their credit card information stolen, according to a statement from the property chain.

Following reports of strange activity on consumers’ credit cards, investigators began to uncover fraudulent transactions at restaurants, gift shops, and other stores located inside Hilton locations. While the charges are believed to have begun in November of last year, investigators have reason to suspect it may still be happening.

It’s important that consumers know the online reservations and guest services registers do not seem to have been affected by this broad-scale identity theft. When point-of-sale fraud takes place, the culprit is often POS machine tampering or a software bug that has infected the POS network.

In the Target data breach, it was malicious software that stole customers’ information through the POS machines. The software was sent throughout the network after an HVAC contractor’s computers were infected. When an employee with the third-party contractor accidentally downloaded a virus from a phishing email, the hackers were able to root around in their smaller network system and look for bigger fish to fry. When they came across access to Target’s network, they were able to then install the malicious software on Target’s POS credit card network and steal consumers’ information.

A more basic version of POS fraud is through physical tampering with the credit card machine. It’s been known to happen in stores, but it’s a little harder to pull off if store employees see the culprit and report it. That’s why gas station pumps are a popular target for this kind of crime. With the vehicle parked in front of the pump, it’s a little easier to install the microfilm that steals the customers’ information when they pay at the pump.

For this reason, it’s too easy to assume that the Hilton breach is an “inside job,” but there has been no proof of that yet and the hotel chain is not releasing the locations that are known to be affected. What is known is that the locations can include any of Hilton’s other properties, including Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts.

When we think of major-name data breaches that affect millions of consumers, we probably think of teams of elite hackers infiltrating a network by exploiting a vulnerability in the technology. But sometimes, a data breach is the work of a good old-fashioned crook and not the result of sophisticated cybercrime skills.

When California-based managed care provider Molina Healthcare first learned a breach had occurred, the next step in the investigation was to uncover the source of the vulnerability. The breach was uncovered and reported to Molina in July by CVS, the pharmacy that oversees the provider’s over-the-counter (OTC) medications. According to their reporting, a CVS employee had downloaded patient information to his laptop, information which included full names, CVS-specific numbers on each patient, prescription coverage plan numbers, and coverage dates.

While that information may not seem all that sensitive, having enough information allows the perpetrator to steal patients’ identities, sell their identities, and commit other forms of fraud. The immediate assumption is that this is enough personal data to engage in medical identity theft, which occurs when someone fraudulently uses the victim’s information to receive health care, prescription drugs, or other related services. Medical identity theft is one of the fastest growing forms of the crime, with a 22% increase in 2014 and estimates that as many as 2.3 million Americans have already been victims of this crime.

The type of data breach that seems to have struck Molina Healthcare is known as an internal data breach. Internal breaches are actually broken down into two different categories: accidental and intentional. Accidental data breaches are just what they sound like; an employee might have downloaded a virus from a phishing email, or lost a laptop with sensitive, unencrypted information on it. Intentional data breaches—again, as the name implies—occur when someone purposely steals customer or co-worker data, usually with plans to later use it or sell it for identity theft.

In this particular incident, investigators have made the connection between CVS providing OTC medications and the type of information the employee gathered. While identity theft is still a major concern—as medical identity theft following a data breach has risen by 21.7% in the past year—investigators are also concerned that the information may have been collected in order to fraudulently buy OTC medications, some of which are actually key ingredients in the creation of certain illegal drugs.

Individuals who are believed to have been affected by this data breach have already received notification letters that outline the steps for setting up alerts and freezes on their credit reports. It’s vital that known victims of a data breach take proactive steps to prevent damage to their identities; in any breach event in which the affected company offers credit monitoring services, it’s important that consumers take full advantage.