CEOs and senior executives do not get fired when their companies get hacked or experience a data breach event. They get fired for failing to implement and test regularly a clearly defined, strategic management response to their data-breach event.

Whenever I speak to business audiences I always say, “No company can ever prevent itself from experiencing a data breach event and no single resource has all of the answers.” The point is your company’s response and recovery strategy may be as important (or more important) than your current cybersecurity technology initiatives. Why? Because according to technology research company Gartner, the forecast for worldwide spending on information security will reach $76.9 billion this year. Grant Thornton, a global accounting advisory firm, reported the total estimated cost of cybersecurity attacks over the past 12 months is $315 billion.

Think about it: nearly $77 billion is spent on information security this year, and yet the annual cost of cybersecurity attacks is an astonishing $315 billion and getting worse. While cybersecurity in general, and preventing a data breach event in particular, is one of the most difficult challenges in today’s workplace environment, the technology aspect is falling short and, frankly, has failed to live up to expectations. With high-profile hacking and data-breach events affecting every business sector, including the top 10 banks, the top 10 insurance companies and the three major credit bureaus – all of which have more financial and information technology resources than any other industry group – what is the answer?

The answer is an information security and governance plan with an emphasis on response and recovery. I’m not saying to ignore technology such as security or penetration testing, managed services or information-technology outsourcing and access management. These are all critical resources in protecting your business and mitigating the risks of a cyberattack.

Step 1: Make an initial assessment during a cyberincident. During a cyberincident, your business immediately should assess the nature and scope of the data-breach event. The type of incident will determine the type of assistance you will need to respond and the type of damage and remedial efforts that may be required.

Step 2: Implement measures to minimize continuing damage. After your business knows whether the incident is an intentional cyberintrusion or an accidental release, determine next steps to stop ongoing damage and take steps to prevent it from happening again.

Step 3: Record and collect information. Your business should immediately make a “forensic image” of the affected computers and/or a record of the data-breach event to preserve a record of the incident for later analysis and potentially for use as evidence at trial. Hash the image at the time it is taken and log who took it, when and from what, so that the copy can later be shown to be unaltered.

Step 4: Notify. Contact employees within the organization, affected individuals outside the organization and law enforcement if criminal activity is suspected. Also, know that 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have notification laws in place to notify any individual whose personally identifiable information has been breached.
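Step 3 is the one of the four that comes down to a concrete technical procedure, so here is an added example of it (this is illustrative code, not the author’s own procedure or any vendor’s tool). It acquires an image of a source device or file with dd, hashes both the source and the image with SHA-256, and appends a chain-of-custody record to a manifest file that can be re-verified later. It assumes a Linux host with GNU coreutils (dd, sha256sum, date) and, for a real disk, that the source is attached through a write blocker or mounted read-only and that the script runs as root; the file and path names are placeholders.

```shell
#!/bin/sh
# Added example: forensic acquisition with hashing and a chain-of-custody manifest.
# Not code from the original article. Assumes GNU coreutils on Linux and, for a
# real device, root access and a write-blocked or read-only source.

# acquire_image SOURCE IMAGE MANIFEST
#   Copies SOURCE to IMAGE, hashes both and appends a record to MANIFEST.
#   Returns 0 only if the image hash equals the source hash.
acquire_image() {
    src="$1"; img="$2"; manifest="$3"
    # bs=512 matches a disk sector; conv=noerror,sync keeps going past unreadable
    # sectors and pads them with zeros so offsets in the image stay correct.
    # dd's own "records in/out" summary on stderr is kept in the manifest as
    # part of the record. (A source that is not a multiple of 512 bytes would be
    # padded at the end, which changes its hash; disks and partitions are aligned.)
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$manifest" || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    {
        printf 'acquired_at=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'operator=%s\n' "$(id -un)"
        printf 'source=%s\n' "$src"
        printf 'source_sha256=%s\n' "$src_hash"
        printf 'image=%s\n' "$img"
        printf 'sha256=%s\n' "$img_hash"
        printf -- '---\n'
    } >>"$manifest"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE MANIFEST
#   Recomputes the image hash and compares it with the value recorded at
#   acquisition time. Returns 0 on a match, 1 if the image was altered or
#   no record for it exists.
verify_image() {
    img="$1"; manifest="$2"
    # Find the exact "image=<path>" line and read the sha256= line that follows it.
    recorded=$(awk -v want="image=$img" \
        '$0 == want { getline; sub(/^sha256=/, ""); print }' "$manifest" | tail -n1)
    [ -n "$recorded" ] || return 1
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$recorded" = "$current" ]
}

# Usage (placeholder paths): acquire_image /dev/sdb /evidence/sdb.img /evidence/custody.log
#                            verify_image /evidence/sdb.img /evidence/custody.log
```

Keep the manifest on separate media from the image, and re-run verify_image before every hand-off: a hash that still matches the one recorded at acquisition is what lets the image stand as evidence of what the system looked like when it was collected.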

Mark’s Most Important: Increase the odds of your business surviving a data-breach event with a strong, tested and dynamic response and recovery plan.

Mark Pribish is vice-president and ID-theft practice leader at Merchants Information Solutions Inc., an ID theft-background screening company based in Phoenix. Contact him at

This article was originally published on and republished with the author’s permission.

The Dow Jones, which owns business oriented outlets like the Wall Street Journal, is synonymous with wealth and power. Most people only know of it in terms of investments and playing the stock market, and therefore it makes a logical “big fish” kind of target for hackers. After all, successfully infiltrating their stores of data could result in a tremendous payoff of information on some of the country’s wealthiest people.

And that’s why the information that was stolen in a recently uncovered data breach is somewhat perplexing. Investigators believe that between August 2012 and July 2015, cyber thieves began accessing information stored on subscribers in the system. This breach was discovered in July 2015, and experts are working to close the security flaw that allowed the breach to occur.

So what happens to some of the world’s wealthiest people when cybercriminals manage to nab their private information? They get emails.

According to the investigators in this particular incident, hackers appear to have stolen names, addresses, email addresses, and other similar information, not account numbers, Social Security numbers, or other financial data. What could they possibly want with a millionaire’s email address? The ability to target that individual with offers, solicitation requests, spam, or even phishing emails.

It might seem pretty pointless to steal a list of email addresses, but hackers know that if they can get the recipient of a phishing email to click an included link in the message, then the chances for installing invasive malicious software on the victim’s computer are great. In many cases, once that harmful software is installed, the hackers can use it to root around in the victim’s hard drive, cloud storage, email inbox (which would presumably contain email addresses for other industry leaders to target), and more. Currently, however, investigators into this breach have only discovered the intent to solicit the victims with requests.

The takeaway from this is that no piece of personal information is safe in a hacker’s hands, no matter how inconsequential it might seem. The Target data breach began through a similar scenario, for example: a phishing email to a contractor’s employee. With this kind of access and a few simple human errors, the potential for further damage is almost limitless, and it demonstrates again what the data security industry has been observing in recent weeks: financial identity theft is still the top form of the crime, but it is losing ground to other forms that have the potential for long-term damage. Cybercriminals are no longer content with credit card information or bank account numbers, having discovered that there is even more money to be made from stealing other types of data.

Roughly two in five data breaches occur when ID-theft criminals access information because someone lost a device. In fact, nearly 41 percent of all data breach events from 2005 through 2015 were caused by lost devices such as laptops, tablets and smartphones, according to a new TrendMicro report.

TrendMicro’s analysis included data breaches by business sector, and one of the significant findings was that missing devices and untrustworthy insiders made the health-care industry responsible for more data breaches than any other business sector in the last 10 years. To gain a security expert’s perspective on reducing the impact of lost or stolen devices, I reached out to Alan Saquella, a member of the Merchants ID Theft Advisory Board that I co-chair and the Western region manager of security/investigations for Cox Communications.

“The two things that we do at Cox to prevent and/or minimize lost devices is to implement a required, annual training on privacy and security, which is tracked by employee for compliance,” he said. In addition to education, “all devices are tracked with GPS and/or CompuTrace (a laptop tracking software) and so far, we have been very successful in recovering lost or stolen equipment,” Saquella said.

To help you understand where the major risk areas are beyond lost devices, TrendMicro reported that data breach events happen in the following ways:

  • 25 percent of breaches were caused by hacking and malware
  • 17.4 percent of breaches were caused by unintentional disclosure (not including lost devices)
  • 12 percent of breaches were caused by malicious insider leaks

The report said that that health-care business sector was the largest target, accounting for 26.9 percent of data breaches this decade, followed by education (16.8 percent), government (15.9 percent) and retail (12.5 percent). At the same time “healthcare had a significant insider leak problem (17.5 percent of its breaches). Insider leaks were the primary source of identity theft cases (44.2 percent) and healthcare was hit harder by identity theft than any other sector, accounting for 29.8 percent of cases.”

While IT and hacking are the sizzle that continues to create data breach headlines, the truth is that most events are caused by device loss and the insider threat. While attackers certainly target personally identifiable information, credentials, more specifically the credentials of a network administrator, can be more lucrative. Administrator-level credentials can give attackers the ability to exploit an entire organization in an attempt to gain valuable intellectual property such as trade secrets or copyrighted works. Although retailers have suffered many major losses as the result of data breach events, the most affected industry is the health-care sector.

Mark’s Most Important: Realize that devices will be lost, thus your organization needs to take steps to minimize the sensitive information contained on these devices, encrypt the data when it cannot be avoided, track and retrieve the devices when necessary, and remotely wipe devices if all else fails.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., an ID theft-background screening company based in Phoenix. Contact him at

This article was originally published on and republished with the author’s permission.

Merchants Information Solutions is a proud sponsor of and provides financial support to the ITRC. For more information on the ITRC’s financial support relationships please see our sponsorship policy.

Consumers who used their credit cards at a variety of Hilton Hotels-owned properties between November of last year and now may have noticed some strange activity on their credit cards. Thanks to point-of-sale hacking at some of the properties, an unknown number of guests have had their credit card information stolen, according to a statement from the property chain.

Following reports of strange activity on consumers’ credit cards, investigators began to uncover fraudulent transactions at restaurants, gift shops, and other stores located inside Hilton locations. While the charges are believed to have begun in November of last year, investigators have reason to suspect it may still be happening.

It’s important that consumers know the online reservations and guest services registers do not seem to have been affected by this broad-scale identity theft. When point-of-sale fraud takes place, the culprit is often physical tampering with the POS machine or malware that has infected the POS network.

In the Target data breach, it was malicious software that stole customers’ information through the POS machines. The software was sent throughout the network after an HVAC contractor’s computers were infected. When an employee with the third-party contractor accidentally downloaded a virus from a phishing email, the hackers were able to root around in their smaller network system and look for bigger fish to fry. When they came across access to Target’s network, they were able to then install the malicious software on Target’s POS credit card network and steal consumers’ information.

A more basic version of POS fraud is through physical tampering with the credit card machine. It’s been known to happen in stores, but it’s a little harder to pull off if store employees see the culprit and report it. That’s why gas station pumps are a popular target for this kind of crime. With the vehicle parked in front of the pump, it’s a little easier to install the skimmer that copies the customer’s card data when they pay at the pump.

Given this, it is easy to assume that the Hilton breach is an “inside job,” but there has been no proof of that yet, and the hotel chain is not releasing the locations that are known to be affected. What is known is that the locations can include any of Hilton’s other properties, including Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts.

When we think of major-name data breaches that affect millions of consumers, we probably think of teams of elite hackers infiltrating a network by exploiting a vulnerability in the technology. But sometimes, a data breach is the work of a good old-fashioned crook and not the result of sophisticated cybercrime skills.

When California-based managed care provider Molina Healthcare first learned a breach had occurred, the next step in the investigation was to uncover the source of the vulnerability. The breach was uncovered and reported to Molina in July by CVS, the pharmacy that oversees the provider’s over-the-counter (OTC) medications. According to their reporting, a CVS employee had downloaded patient information to his laptop, information which included full names, CVS-specific numbers on each patient, prescription coverage plan numbers, and coverage dates.

While that information may not seem all that sensitive, having enough information allows the perpetrator to steal patients’ identities, sell their identities, and commit other forms of fraud. The immediate assumption is that this is enough personal data to engage in medical identity theft, which occurs when someone fraudulently uses the victim’s information to receive health care, prescription drugs, or other related services. Medical identity theft is one of the fastest growing forms of the crime, with a 22% increase in 2014 and estimates that as many as 2.3 million Americans have already been victims of this crime.

The type of data breach that seems to have struck Molina Healthcare is known as an internal data breach. Internal breaches are actually broken down into two different categories: accidental and intentional. Accidental data breaches are just what they sound like; an employee might have downloaded a virus from a phishing email, or lost a laptop with sensitive, unencrypted information on it. Intentional data breaches—again, as the name implies—occur when someone purposely steals customer or co-worker data, usually with plans to later use it or sell it for identity theft.

In this particular incident, investigators have made the connection between CVS providing OTC medications and the type of information the employee gathered. While identity theft is still a major concern—as medical identity theft following a data breach has risen by 21.7% in the past year—investigators are also concerned that the information may have been collected in order to fraudulently buy OTC medications, some of which are actually key ingredients in the creation of certain illegal drugs.

Individuals who are believed to have been affected by this data breach have already received notification letters that outline the steps for setting up alerts and freezes on their credit reports. It’s vital that known victims of a data breach take proactive steps to prevent damage to their identities; in any breach event in which the affected company offers credit monitoring services, it’s important that consumers take full advantage.

In a move that has been a long time coming—literally, since it was first mandated in 2013 and again in 2015—the Pentagon has finally issued its new Rule on how defense contractors will report suspected cybercrimes.

No longer allowing contractors to wait until a breach has occurred and the extent of the damage investigated, this Rule requires contractors to report any and all suspicious activity if there’s even a chance that harm could come from it. This “potential for harm” reporting is intended to thwart cyberattacks before they occur and minimize the time between an actual hacking event and the reporting.

The Department of Defense has relied on contractors almost since it was established, as they serve to fill important roles without the need to hire superfluous manpower. If a business is already providing a service, whether it’s sewing uniforms for the military or providing highly-trained intelligence security systems, it makes sense to hire them instead of trying to reinvent the wheel.

The use of defense contractors is similar in nature to a corporation hiring third-party vendors to fulfill some of its needs rather than hiring and training additional members of the workforce. Unfortunately, third-party vendors—and logically by the same definition, contractors—have proven to be the weakest link in preventing corporate data breaches. The infamous Target breach has been traced back to a small company that serviced the retail chain’s refrigeration units and AC systems. With businesses in nearly every sector of industry hiring third-party vendors to cover everything from billing and payroll to data entry and even janitorial services, cybersecurity experts are warning companies to take a closer look at who they work with and to take immediate action when a threat is uncovered.

The same is true for the government. After the Office of Personnel Management breach that compromised at least four million employees’ identities and may have affected another 22 million people, the government is taking a hard look at how threats are detected, reported, and addressed. These newly released guidelines will ideally serve as a streamlined effort in data breach reporting, even if an event hasn’t fully been uncovered.

Unfortunately, what isn’t so straightforward is how the government will oversee the compliance with these guidelines, or outline any “punishment” for violating the mandates. It will largely be up to defense contractors to police themselves, which is why the focus is initially on helping them know when to report and whom to report it to. One of the major obstacles will be in aligning the standards that contractors already adhere to as places of business with the standards they must now meet as government contractors.

A spring 2015 data breach has resulted in one and a half million residents of Indiana—approximately one-fourth of the state’s population—having their medical and identifying information stolen by hackers.

The incident, which affected Indiana-based Medical Informatics Engineering (MIE) and its subsidiary NoMoreClipboard, also impacted another nearly four million individuals across the country.

The information that the as-of-yet unknown hackers accessed includes patient names, Social Security numbers, lab test results, and medical records, as well as a wealth of other information. The data is believed to have been stolen from hospitals across Indiana, Ohio, and Michigan, as well as from healthcare providers and numerous radiology centers which all used MIE for data processing.

Medical systems are a high-profile target for hackers due to the incredible amount of information they gather and store on patients. That’s coupled with the fact that practically everyone uses some kind of medical provider over the course of their lifetimes, so the information is there for the taking.

While MIE’s official statement warns individuals to immediately begin monitoring their credit reports and to set up alerts and freezes on their credit, affected individuals also need to remember to file their tax returns as early as possible next January so that they can beat an identity thief to the punch.

There is one other thing all consumers can do to minimize this kind of threat, and that’s to be mindful of how much information they share about themselves. This doesn’t only go for medical offices, which are widely known for requesting patients’ SSNs; even school enrollment forms, day camp forms, and volunteer applications to teach Sunday School are known for including a blank for you to provide the number. Too often, the public sees the blank and fills it out without asking who needs it, why they need it, and how they plan to keep it from falling into the wrong hands.

It can be tough to keep from giving out your SSN, as the law doesn’t really offer protection for consumers who don’t wish to provide it. The number was originally intended for tax identification, but a doctor’s office, for example, does not face repercussions for refusing you treatment for non-life-threatening situations if you don’t provide it. Currently, several states are working on enacting legislation to protect consumers and their private, sensitive data by limiting who can request the SSN, but until that time, it is the individual’s responsibility to give it out wisely.

Cybersecurity firm Trustwave provides an invaluable public service each year when it releases its annual report on data breach activity. This report, the 2015 Trustwave Global Security Report, examines the ways hacking attempts and data breaches were perpetrated, which sectors of industry are hit the hardest, even the corporate and consumer behaviors that lead to data compromise. (Did you know that “Password1” is still the most commonly used password?)

The 2015 report, which was released in June, examined the incidents that Trustwave was asked to investigate last year. Key findings of their research include:

  • 43% of the incidents were in the retail industry, followed by 13% for the food and beverage industry and 12% for the hospitality industry.
  • Half of the incidents that they investigated took place in the United States.
  • In 31% of cases, hackers were after payment card track data: the contents of the card’s magnetic stripe, which carry the card number, expiration date and service code and are what in-store POS malware harvests from a terminal’s memory. (The three-digit code printed on the back of the card is not part of the track data; it is used for online and phone purchases.)
  • In 20% of the cases, attackers were after financial credentials or proprietary information like payment details.
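The “track data” in the first of those findings is the magnetic-stripe payload that POS memory scrapers search for, and the same patterns are what a defender looks for when hunting a scraper or writing a data-loss-prevention rule. As an added example, not from the Trustwave report or the original article, the Python below scans a byte buffer for track 1 and track 2 records laid out in the ISO/IEC 7813 format and validates the card number with the Luhn checksum to suppress numeric junk that merely looks like a card number. The sample buffer is constructed for the example and uses the well-known 4111… test number, not a real card; the function and variable names are the example’s own.

```python
"""Added example (not code from the article or from Trustwave): detect
magnetic-stripe track data in a buffer, with Luhn validation of the PAN.
The sample buffer below is constructed and uses a test card number."""
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]{0,50}\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]{0,37}\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits so a finding is safe to log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Scan a byte buffer for track 1/2 records whose PAN passes Luhn.

    Returns a list of dicts (track number, byte offset, masked PAN, expiry
    as YYMM) sorted by offset. Records with a Luhn-invalid PAN are skipped.
    """
    hits = []
    for track, rx in ((1, TRACK1), (2, TRACK2)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode()
            if not luhn_ok(pan):
                continue  # looks like a card number but is not one
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "expiry": m.group("exp").decode(),
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample: the kind of fragment a RAM scraper harvests from a POS
# process, plus a decoy whose checksum is wrong. 4111111111111111 is a test PAN.
SAMPLE = (
    b"\x00\x00junk%B4111111111111111^DOE/JANE^25121010000000000?\x00"
    b"...more heap...;4111111111111111=25121010000000000000?\x00"
    b";4111111111111112=2512101?"  # fails Luhn, must be ignored
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE):
        print(hit)
```

Run over a process memory dump, a packet capture or a log file, the scanner reports where stripe data sits in cleartext; in a payment environment that is exactly the data that should never be present outside the terminal’s encrypted path, so any hit is worth an investigation on its own.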

There were two shocking highlights concerning both consumers’ and hackers’ behaviors, though. In the first instance, 81% of the victims did not discover on their own that they’d been hacked. Trustwave went on to reveal that self-examination vastly speeds up the time to response; in cases where the company discovers they’ve been hacked through self-monitoring, there are usually two weeks between the incident occurring and the company putting a stop to it, but in cases where companies are not running self-checks and uncovering suspicious behaviors, the average time between the breach and containment is over 150 days.

As for the hackers, Trustwave has revealed a crucial statistic when it comes to understanding why hacking events and data breaches are on the rise, and that’s the payout it provides for the criminals. In other words, why do they do it? The answer is, quite simply, because it works.

According to the report, “Attackers receive an estimated 1,425 percent return on investment for exploit kit and ransomware schemes ($84,100 net revenue for each $5,900 investment).” For very little financial investment and even less investment in manpower, hackers can make significant gains, largely thanks to the fact that businesses and consumers are doing their work for them. Weak security protocols, outdated POS systems, failure to recognize malicious spam emails, and useless passwords all offer thieves the opportunity to waltz right in and make some serious money.

So what should we do with this information now? According to Trustwave’s chairman, we must learn from it and adjust the way we do business.

“To defend against today’s sophisticated criminals, businesses must see attacks from their front windshield instead of their rear view mirror,” said Trustwave Chairman, Chief Executive Officer and President Robert J. McCullen. “By providing a wealth of current, actionable data breach trends and threat intelligence, our 2015 Trustwave Global Security Report helps businesses identify what’s coming so that they can engage the people, processes and technologies needed to thwart cybercrime attacks that can generate close to a 1,500 percent return on investment.”

To view the full 2015 Trustwave Global Security Report, go to

Data breaches and identity theft are becoming so prevalent that some industry experts have said they’re inevitable, and that identity theft is basically unavoidable. The good news is there are steps consumers can take to minimize the chances of becoming victims of data breaches or identity theft, but the bad news is those types of crimes don’t only affect your information or even your finances.

In some cases, the consequences of a data breach can actually be deadly. That is, if the entity that was infiltrated is a part of the health care industry. While major health insurance providers like Anthem have already been the victims of data breaches, individual health care systems like the UCLA Health System are also prime targets for hackers. Medical offices, hospitals, and insurance providers are notorious for collecting copious amounts of information on their patients and storing it in centralized computers. Many systems and offices also use outside billing contractors, and research has already shown that in the majority of data breaches, the culprit—intentionally or accidentally—is a third-party vendor or contractor.

UCLA Health System is just the latest in a long line of medical data breaches. In that instance, hackers are believed to have gained access to around 4.5 million patients’ names, addresses, Social Security numbers, health records, and more. The breach is thought to have started in September 2014, and allowed hackers to access this unencrypted information.

But how does that affect patients’ health? Unfortunately, this is a case where you almost hope the hackers just want to steal your financial identity. If they’re able to sell the data to people in order to commit medical identity theft and fraud, then that will allow people to use the stolen information to gain access to healthcare.

The frightening worst-case scenario would involve something like this: a thief goes to the hospital for treatment using your name, insurance information, and more. Doctors discover he’s diabetic, and he’s put on a treatment regimen that includes insulin. Your medical records now not only indicate that you have diabetes (and could be treated as such in an emergency if you can’t confirm that it’s not true), but they also indicate you’re taking insulin. This could cause a host of problems, not the least of which are of a dire nature. It’s also possible that a pharmacy or insurance company would deny you a different medication or treatment option due to “red flags” about how that option would interact with insulin or diabetes.

Of course, that is an overly alarming thought, but the more likely circumstance is of a far more annoying nature. While there are laws in place that cover an identity theft victim following a financial issue like credit card fraud, those protections aren’t necessarily in place yet for medical identity theft. One article indicated that most victims of financial fraud are responsible for around $50 in charges, if any charges at all. However, “the majority of victims of medical identity theft paid an average of $13,500 to resolve the crime.” Compounded with our strict privacy laws in this country where health care is concerned, it can be difficult to resolve medical identity theft.

As with all data breach and identity theft issues, the best option for now is to prevent a thief from getting as much of your information as possible. While you can’t personally prevent hackers from breaking into the computer network of a major medical center, you can certainly limit the amount of information a thief would find under your name. You are not required to provide your Social Security number to a medical office, for example, and many offices have been found to ask for it without even knowing why they collect it. You can also read over all insurance statements carefully—not just the box that tells you how much you owe—to make sure someone isn’t already using your information without your knowledge.

News came out last week that CVS, the country’s second largest pharmacy chain, may have suffered a data breach of its photo uploading and printing website.

CVS Photo has had a message on its site since Friday that stated there was reason to believe a breach had occurred and that the site would be offline until the issue could be resolved. The message went on to reassure customers of the chain that this only applies to the photo site, not the main website or the physical stores, and to suggest that customers monitor their credit card or bank statements carefully for any suspicious activity.

Following any data breach, forensic experts work to uncover the root cause of the breach. In this case—and in so many others, like the now-famous Target data breach or the Goodwill breach—the weak link in the data protection chain appears to be a third-party company. In CVS Photo’s case, it’s believed to be PNI Digital Media, a Canadian company that handles the credit card transactions for the pharmacy’s photo uploading site.

Unfortunately, this isn’t the only instance in which PNI is believed to have been hacked. Walmart has already issued a warning that it, too, uses PNI’s services for its Canadian photo upload purchases and that it believes customers’ credit cards may have been accessed. Just like with CVS, though, Walmart assured customers that its US-based websites and main stores were not impacted.

Interestingly, in almost every major data breach, experts have traced the break in security to a third-party vendor. According to an article for Info Security Magazine by MacDonnell Ulsch, CEO and chief analyst at ZeroPoint Risk Research,  “One consistent breach finding may get their attention: Almost without exception, a third-party vendor or affiliate is involved. It may be the client, or it may be the origination point of the breach.”

Why are third parties such a lucrative target? They carry a lot of trust with the companies they contract with, and as such, often have access to avenues of infiltration that hackers need in order to catch the bigger fish. In the case of Target’s breach, for example, the third-party contractor whose access the attackers used to get into the network was a heating, air conditioning, and refrigeration company in Pennsylvania. That same HVAC company has also reportedly done work for three other major retail chains in five states.

Unfortunately, as smaller companies with less manpower and tighter budgets than the corporations they’re contracting with, third-party vendors can also be something of a sitting duck when it comes to keeping sophisticated cyberattacks at bay. The amount of access the vendor has, combined with its lack of resources, means vendors often end up as the door through which hackers walk right in.

While this should hopefully serve as a warning to the security industry in general, it does mean that there’s not a lot consumers can do to avoid paying through a third-party vendor. Instead, the smarter course of action is to keep tabs on your information, which is always a necessity. Read your credit card and bank statements carefully before tossing them, and make sure you’re paying close attention to how you dispose of them.