Tag Archives: home depot

Firms Ally to Respond to Data Breaches

More companies than ever realize they’ve been breached, and many more than you might think have begun to put processes in place to respond to breaches.

A survey of 567 U.S. executives conducted by the Ponemon Institute and Experian found that 43% of organizations reported suffering at least one security incident, up from 10% in 2013. And 73% of the companies surveyed have data breach response plans in place, up from just 12% in 2013.

“Compared with last year’s study results, survey findings show encouraging signs that organizations are beginning to better prioritize data breach prevention, but more needs to be done,” says Larry Ponemon, namesake founder of Ponemon Institute.

Major data breaches have become a staple of news headlines. So it can’t be that companies are complacent. The problem seems to be that big organizations just can’t move quickly enough.

Home Depot was blind to intruders plundering customer data even as Target endured exposure and criticism for being similarly victimized just months before, possibly by the same gang.

In our connected world, it’s hard to keep pace. The Ponemon study found that 78% of companies do not revisit their response plans as threats change or as their own internal processes change.

Rise of threat intelligence

That’s where the trend toward correlating data from disparate threat sensors could begin to close the gap. It’s a promising sign that ultra-competitive security companies have begun to collaborate more on sharing and analyzing threat intelligence.

Boulder, Colo.-based security vendor LogRhythm, for instance, has formed an alliance with CrowdStrike, Norse, Symantec, ThreatStream and Webroot to share sensor data and compare notes on traffic that looks suspicious.

LogRhythm supplies a platform for culling and analyzing data from its partner vendors “to help identify threats in our customers’ IT environments more quickly, with fewer false positives and fewer false negatives,” says Matt Winter, LogRhythm’s vice president of corporate and business development.

Since announcing its Threat Intelligence Ecosystem last month, LogRhythm has received “considerable inbound interest from customers and channel partners,” Winter says. “Feedback has been very positive.”

Similar threat intelligence alliances, both formal and informal, are taking shape throughout the tech security world. The business model of Hexis Cyber Solutions, a year-old startup, relies on pooling threat sensor data from several security vendors, including antivirus giant Symantec and social media malware detection firm ZeroFOX.

Hexis applies analytics with the goal of accurately identifying – and automatically removing – clearly malicious programs.

“The state of the art today is a single-point security product triggering alerts on particular things and putting a warning on a screen,” says Chris Fedde, president of Hexis. “We’re all about analyzing alerts and taking action on them. Anything that’s malicious we go ahead and remove.”

In one recent pilot study, Hexis tracked 5,000 computing devices and 13,000 user accounts of a U.S. medical center for 30 days. Hexis intercepted 35,000 instances of suspicious outside contact and removed 23 malicious files.

Those malicious files that got inside the medical center’s network included: Dirtjumper, a tool used to conduct denial of service attacks; Tsunami, malware used for spamming and data theft; a remote access tool (RAT) used to take full control of a compromised computer; and an adware Trojan.

There’s a long way to go. But alliances to share threat sensor information, like the ones being pioneered by LogRhythm, Hexis and many other security vendors, seem destined to take root.

Someday in the not too distant future, it may not matter if intruders get inside the network, if robust threat intelligence systems are poised to cut them off from doing damage.

IoT Is Game Changer for Insurers

The Internet is now an integral part of our daily lives, and we would struggle to imagine life without it. However, to date, growth has largely been driven by access to content and by speed.

We are now moving into the new phase of growth where the everyday “things” around us will be connected to the Internet. This is the Internet of Things (IoT) – it will have a profound impact on our daily lives and change the way we interact with our environment. It will also have a big impact on how industries operate and relate with their customers. This is particularly true for insurance companies, where there is an opportunity to move from being passive and reacting to losses, to being proactive and helping prevent them.

In short, the IoT will be a game changer for insurers.

In the commercial sector, we are familiar with the benefits of connectivity in smart buildings. When we go to a hotel, door locks are controlled with smart cards, and there are links to lighting and air conditioning to save energy and improve security. Fire systems are networked to sprinklers. Indeed, I’m not sure I’d book a hotel that gave me a metal key. More significantly, most modern commercial buildings would struggle to get insurance coverage without new technology.

The IoT will bring this same level of intelligence to the home.

Standard devices such as light switches, thermostats and door locks are being networked. Smartphones allow us to monitor and control air conditioning, as well as access and monitor security and lighting, with alerts if there is a problem. The first wave of connected appliances is now starting to roll out. Just as with commercial buildings, “interoperability” will become standard in homes because it makes them safer, more energy-efficient and easier to manage.

The smart home is already going mainstream. Big-box stores like Lowe’s, Home Depot, Best Buy, Target and Sears have started to offer their own DIY smart home solutions. They are competing with the major service providers such as AT&T, Comcast, TWC and others that have developed their own consumer offerings. The entry of Apple, Google and Microsoft into the space with different consumer strategies is a clear sign that the market has arrived.

Many of these new entrants have recognized that data will be key to their future success in a connected world where devices will generate as much as we can handle and the ability to refine and exploit it will decide the winners and losers in many industries. This data is going to be particularly important to insurers, which have traditionally based their pricing on risk assessment. If a competitor has better data on which to base judgments, it will have the edge.

The IoT and access to data will reshape industry boundaries and create opportunities.

The IoT will allow insurance companies to move from the traditional passive role of underwriting risk to take a more active position by supplying smart home products and services. Other industries have already adopted this type of strategy. For example, the major cable companies and telcos now offer smart home products over the top of their broadband. These provide new revenue streams, leverage their core competencies, increase customer loyalty and provide a platform for growing new value-added services. Insurance companies could take a page out of the service providers’ playbook and offer their own solutions to realize similar benefits.

The IoT and smart home can give insurers a more direct relationship with the consumer through daily interaction using touch points in apps and messaging. Insurers could also become more competitive by adopting pricing strategies that include direct sourcing and bundling with policies. Contrast this to consumers’ traditional negative experience of bill paying on an annual or semi-annual basis for something they most likely didn’t use.

Consumers would see insurance companies as a logical source for products and services that protect people and their property. Smart home systems can be DIY, offering protection for security, fire and flood. Moreover, they bring new levels of protection with innovation. For example, low-cost leak detectors and temperature sensors can automatically shut off the water supply when triggered.

The IoT is a real growth opportunity, and any business can scale as new connected devices come along. This can be done by offering devices and sensors that improve in-home healthcare and appliances that can be remotely monitored to reduce warranty support costs. These products and value-added services can drive new revenue streams, improve customer retention and reinvent the way consumers perceive their insurance provider. More importantly, the IoT secures access to the data from the things in the home that would help insurance companies manage risk.

If there is a nervousness to step outside the traditional industry boundaries, the alternative is to forge new partnerships with the companies that are deploying smart home solutions.

These companies have access to the data that will help insurance companies manage risk. For example, Lowe’s has partnered with a number of leading insurance companies to trade data from the Iris smart home system. Clearly, data privacy is a major issue, so customers have to approve sharing. This can be achieved by offering a benefit on the policy, usually in the form of a discount.

Clearly, the IoT market is moving extremely fast, and it will challenge conventional wisdom. Just five years ago, the only connected device in home improvement retail was a smart door lock, and now there are hundreds – even dog bowls and toothbrushes are becoming connected. If the IoT grows as predicted, every powered device will be IP addressable in the next 10 years. Ignoring this market is not a smart move.

While competing in the smart home space by offering consumers new products and services may seem daunting, the IoT will disrupt traditional industry boundaries, and attack is sometimes the best form of defense. Moreover, actively entering the market has the biggest upside. At a minimum, there is a need to find ways to partner to protect your position and get access to data to remain competitive. The leading insurance providers will be those that embrace the IoT and its impact.

Was Your Data Taken in Experian Breach?

A breach to one of Experian’s servers – discovered on Sept. 15 – has resulted in 15 million compromised records with personal information like names and Social Security numbers. The breach included information about T-Mobile customers from as far back as 2013. Here are the details and action steps you can take if you think you’re a victim.

The server that was attacked housed records of those who applied for T-Mobile’s services between Sept. 1, 2013, and Sept. 16, 2015. Overall, the compromised information included…

  • Names
  • Addresses
  • Dates of birth
  • Driver’s license numbers
  • Social Security numbers
  • Passport IDs

The affected server was not part of Experian’s consumer credit bureau; nevertheless, a data breach is good reason to check your defenses when it comes to protecting your personal information, and there are plenty of ways you can protect yourself.

Make sure hackers didn’t steal your information and use it for their advantage. Annually check your credit reports and bank statements for suspicious activity, like a new line of credit or purchases you didn’t make.

Be cautious! When a breach like this occurs, fraudsters may call the victims and say they’re from the affected companies. They may ask you for your personal information, so they can “help” you. Keep in mind that T-Mobile and Experian made it clear that they will not send a message or call and ask for personal information connected with the incident.

Consider some of the major data breaches we’ve had in the past couple years:

  • JP Morgan Chase – 76 million customer records
  • Anthem – 87.6 million
  • Home Depot – 56 million
  • Target – 110 million

Whether or not you think you’re a victim, employing an identity theft protection plan is relevant and important.

Ironically, T-Mobile is offering resolution services through Experian’s ProtectMyID for those who were affected by the data breach; however, full, continuing coverage demands an identity protection service that has more robust features than those provided through the complimentary membership.

ProtectMyID’s complimentary membership includes SSN and credit-card monitoring, but you also need monitoring for high-risk transactions and data sweeps. ProtectMyID includes credit monitoring and an Experian credit report upon entry, but you also need your credit score and identity risk score (showing how vulnerable you are to identity theft). ProtectMyID has lost wallet/purse assistance and alerts for suspicious activity, which is good. It is backed by $1 million identity theft insurance coverage, too, but you also need coverage that will reimburse you for the expenses you incur while returning your life to normal. ProtectMyID has fraud resolution agents who can offer assistance to victims, but you also need a financial consultation, a legal consultation and more.

You need stronger layers of protection against identity theft, help creating an action plan and professional assistance with addressing compromised information and accounts.

The Experian data breach is a big reminder of how a robust identity theft protection plan is absolutely necessary.

Unclaimed Funds Can Lead to Data Breaches

When it comes to privacy, not all states are alike. This was confirmed yet again in the 50 State Compendium of Unclaimed Property Practices we compiled. The compendium ranks the amount of personal data that state treasuries expose during the process by which individuals can collect unclaimed funds. The data exposed can provide fraudsters with a crime exacta: claiming money that no one will ever miss and gathering various nuggets of personal data that can help facilitate other types of identity theft. The takeaway: Some states provide way too much data to anyone who is in the business of exploiting consumer information.

For those who take their privacy seriously, the baseline of our compendium—inclusion in a list of people with unclaimed funds or property—may in itself be unacceptable. For others, finding their name on an unclaimed property list isn’t a huge deal. In fact, two people on our team found unclaimed property in the New York database (I was one of them) while putting together the 50-state compendium, and there were no panic attacks.

That said, there is a reason to feel uncomfortable—or even outright concerned—to find your name on a list of people with unclaimed property. After all, you didn’t give anyone permission to put it there. The way a person manages her affairs (or doesn’t) should not be searchable on a public database like a scarlet letter just waiting to be publicized.

Then there’s the more practical reason that it matters. Identity thieves rely on sloppiness. Scams thrive where there is a lack of vigilance (lamentably, a lifestyle choice for many Americans despite the rise of identity-related crimes). The crux of the problem when it comes to reporting unclaimed property: It’s impossible to be guarded and careful about something you don’t even know exists, and, of course, it’s much easier to steal something if you know that it does.

The worst of the state unclaimed property databases provide a target-rich environment for thieves interested in grabbing the more than $58 billion in unclaimed funds held by agencies at the state level across the country.

States’ response to questions about public database

When we asked for comment from the eight states that received the worst rating in our compendium—California, Hawaii, Indiana, Iowa, Nevada, South Dakota, Texas and Wisconsin—five replied. In an effort to continue the dialogue around this all-too-important topic, here are a few of the responses from the states:

— California said: “The California state controller has a fraud detection unit that takes proactive measures to ensure property is returned to the rightful owners. We have no evidence that the limited online information leads to fraud.”

The “limited online information” available to the public on the California database provides name, street addresses, the company that held the unclaimed funds and the exact amount owed unless the property is something with a movable valuation like equity or commodities. To give just one example, we found a $50 credit at Tiffany associated with a very public figure. We were able to verify it because the address listed in the California database had been referenced in a New York Times article about the person of interest. Just those data points could be used by a scammer to trick Tiffany or the owner of the unclaimed property (or the owner’s representatives) into handing over more information (to be used elsewhere in the commission of fraud) or money (a finder’s fee is a common ruse) or both.

This policy seems somewhat at odds with California’s well-earned reputation as one of the most consumer-friendly states in the nation when it comes to data privacy and security.

— Hawaii’s response: “We carefully evaluated the amount and type of information to be provided and consulted with our legal counsel to ensure that no sensitive personal information was being provided.”

My response: Define “sensitive.” These days, name, address and email address (reflect upon the millions of these that are “out there” in the wake of the Target and Home Depot breaches) are all scammers need to start exploiting your identity. The more information they have, the more opportunities they can create, leveraging that information, to get more until they have enough to access your available credit or financial accounts.

— Indiana’s response was thoughtful. “By providing the public record, initially we are hoping to eliminate the use of a finder, which can charge up to 10% of the property amount. Providing the claimant the information up front, they are more likely to use our service for free. That being said, we are highly aware of the fraud issue and, as you may know, Indiana is the only state in which the Unclaimed Property Division falls under the Attorney General’s office. This works to our advantage in that we have an entire investigative division in-house and specific to unclaimed property. In addition, we also have a proactive team that works to reach out to rightful owners directly on higher-dollar claims to reduce fraud and to ensure those large dollar amounts are reaching the rightful owners.”

Protect and serve should be the goal

While Indiana has the right idea, the state still provides too much information. The concept here is to protect and serve—something the current system of unclaimed property databases currently does not do.

The methodology used in the compendium was quite simple: The less information a state provided, the better its ranking. Four stars was the best rating—it went to states that provided only a name and city or ZIP code—and one star was the worst, awarded to states that disclosed name, street address, property type, property holder and exact amount owed.

In the majority of states in the U.S., the current approach to unclaimed funds doesn’t appear to be calibrated to protect consumers during this ever-growing epidemic of identity theft and cyber fraud. The hit parade of data breaches over the past few years—Target, Home Depot, Sony Pictures, Anthem and, most recently, the Office of Personnel Management—provides a case-by-case view of the evolution of cybercrime. Whether access was achieved by malware embedded in a spear-phishing email or came by way of an intentionally infected vendor, the ingenuity of fraudsters continues apace, and it doesn’t apply solely to mega databases. Identity thieves make a living looking for exploitable mistakes. The 50 State Compendium provides a state-by-state look at mistakes just waiting to be converted by fraudsters into crimes.

The best way to keep your name off those lists: Stay on top of your finances, cash your checks and keep tabs on your assets. (And check your credit reports regularly to spot signs of identity fraud. You can get your free credit reports every year from the major credit reporting agencies, and you can get a free credit report summary from Credit.com every month for a more frequent overview.) In the meantime, states need to re-evaluate the best practices for getting unclaimed funds to consumers. One possibility may be to create a search process that can only be initiated by the consumer submitting his name and city (or cities) on a secure government website.

Data Breach Law Could Hurt Consumers

With each passing brand name mega-breach—Home Depot, Target, JPMorgan Chase, Anthem—it becomes ever more urgent for government and industry to get on the same page about how to protect consumers.

Sadly, not all laws are created equal, and there are few better examples of this homespun truth than a would-be federal law currently wending its way through Congress. The Data Security and Breach Notification Act of 2015, in its current form, has a long way to go before it should become the law of the land.

The Data Security and Breach Notification Act of 2015 says it “aims to tackle the nation’s growing data security threats and challenges.” So far, that sounds pretty good to me. The bill was written by Energy and Commerce Committee Vice Chairman Marsha Blackburn (R-TN) and Rep. Peter Welch (D-VT), making it a bipartisan effort. The goal: to implement “a comprehensive plan to help safeguard sensitive consumer information and shield Americans from the harmful consequences of cyber attacks.”

I’ve written elsewhere about the need for a federal breach notification law, so in theory I’m on board. A strong federal law that requires businesses and government entities to inform people that their personal information has been compromised in a data breach can absolutely be a good thing…if it’s done right.

The problem with this proposal is that there are far more effective laws already on the books in several states, and they could be preempted were the bill to pass. If that weren’t bad enough, the proposed bill could also supersede stronger rules already put in play by the FCC with regard to telephone, broadband Internet, cable and satellite user information.

The undermining of better laws is bad, but worse is the way the Data Security and Breach Notification Act of 2015 underscores a continuing failure of our leaders to fully understand the nature of the problems we face in the mare’s nest that is consumer privacy and data security. In a widely publicized survey conducted by the Pew Research Center, “91% of adults in the survey ‘agree’ or ‘strongly agree’ that consumers have lost control over how personal information is collected and used by companies.” Data breaches, and the identity theft that flows from them, have become the third certainty in life. We need a strong federal law, but as I argued in my op-ed about the Data Breach Disclosure Box, any proposed bill that threatens to weaken existing laws has to be challenged, quickly and without equivocation.

Why It’s an Issue

Senior Policy Counsel at New America’s Open Technology Institute Laura Moy eloquently outlined the problems this bill could create in her testimony before the House of Representatives.

In a wide-ranging discussion of the major concerns raised by the bill, Moy pointed out some of the laws that could be preempted. One was California’s Song-Beverly Credit Card Act, which made it illegal to record a credit card holder’s personal identification information during a transaction. Another law in Connecticut outlawing the public posting of any individual’s Social Security number was also named. Both state laws represent solid advances in the realm of data security, and both might be preempted were the bill moving through Congress to succeed.

And here’s the really bad news: they would be two of the less alarming casualties.

The problem with the bill hinges on the way that it tries to separate privacy from data security, but they are inextricably intertwined. This could weaken or even eliminate protections for the many kinds of information – like your email address, for one — that fall outside the bill’s narrow definition of the personal data that is covered. That’s why this matters so much.

As Moy argued during her testimony, “Many laws that protect consumers’ personal information [can] be thought of simultaneously in terms of both privacy and security.” I will go one step further and say that I do not believe it is possible to discuss data security until we have a worst-case scenario definition of what constitutes personally identifiable information in the eyes of an identity thief.

To give an example of the kinds of preemption that are possible here, Florida’s privacy law includes email and a consumer’s username-password combination in its definition of personal information, the logic being that consumers use the same combination for many different login pages, including financial accounts. Eight other states currently mandate the same standard—California, Missouri, New Hampshire, North Dakota, Texas, Virginia and, as of July 1, Hawaii and Wyoming. Under the currently proposed bill, a business would not have to notify you if your email and username-password combination were involved in a breach. Meanwhile, the above kinds of information continue to be highly exploitable data points in an identity thief’s toolkit.

In addition to the exemption of breaches that “only” include email addresses or user login details, the bill is unclear about personal information related to telecommunications, cable and satellite customers, which hinges on a trigger of “authorized access,” and Moy believes it may supersede important protections created by the Communications Act. Most alarming is the prospect of less robust notifications regarding compromised customer proprietary network information (CPNI) – that includes texts, phone calls, every location where you were when you made this or that phone call, your location when you didn’t make a phone call and the location of all your network-connected devices. All this information could be breached, and this proposed law in Congress says you don’t need to know about it. The same goes for what you watch on television, including any items you may have purchased on pay-per-view. All of it could, hypothetically, be out there open to public perusal. Every site you ever visited online. Every call. Every text.

And what about your protected health information (PHI)? Critics note the bill doesn’t mention it, which at first blush seems like a four-alarm-fire level of non-comprehension. However, whether the product of partisan warfare or common sense, it’s actually a bit of good news. Because it has been entirely carved out here, most forms of PHI actually would still be covered by the notification requirements of the HIPAA/HITECH Act — with a few notable preemptions of existing state law affecting over-the-counter purchases and other health-related items.

Defining Harm

According to the narrow logic of the proposed legislation, a breach of any of the above information will not result in financial damage, which is the reason it isn’t covered. It’s a position easily brushed aside with one mind-blowing word of refutation: extortion. Scam artists have countless tricks up their sleeves, and the onus to anticipate the adaptive nature of crime falls on legislators. A single text or rented video could potentially ruin a person’s life, and fraudsters know that. If the wrong person has access to the above data points—and any of those bytes contain information that might harm you professionally or personally—they most certainly could be used against you for financial gain.

A recent Science study showed that with just a few data points (Instagram posts and tweets) it was possible to re-identify anonymized data about credit card purchases with the unique consumer who made them. While it may seem off the beaten path, the proposed bill, with its narrow definition of what should be covered, would not cover a glitch in Instagram’s code that revealed protected accounts to the public. For the end user unaware that their private posts were viewable, and that those posts could be used to re-identify data that is publicly available, the above hypothetical scenario featuring a “financially harmless” compromise (that revealed every purchase made on an individual’s credit card) could be a life changer—and not for the better.

What we really need in the federal government is someone in a position of authority with the expertise and knowledge to make sure anyone exposed in a breach knows about it, and is informed about the potential fallout as far as current intel permits as quickly as possible. Call this person a Breach Tzar, if you will. Since data-related crimes are often quite ingenious, isn’t it best to err on the side of caution? The fact is that any federal law aimed at protecting consumers from the danger of identity-related crime needs to be best-in-class, and far better than all the existing state laws combined, and, while it should go without saying, it must not supersede stronger existing protections afforded by non-state agencies.

There is still a yawning gulf between what’s been done so far and what needs to happen in the realm of cyber legislation. The protections we deserve are a work in progress, one that the entire constellation of consumer advocates and data-security experts must solve in concert. In the same way that data-related crimes are constantly evolving, we need to get into the habit of responding to the very biggest picture we can imagine.