Tag Archives: identity theft resource center

The Threat From ‘Security Fatigue’

There is no mistaking that, by now, most consumers have at least a passing awareness of cyber threats.

Two other things also are true: too many people fail to take simple steps to stay safer online; and individuals who become victims of identity theft, in whatever form, tend to be baffled about what to do about it.

A new survey by the nonprofit Identity Theft Resource Center reinforces these notions. ITRC surveyed 317 people who used the organization’s services in 2017 and had experienced identity theft. The study was sponsored by CyberScout, which also sponsors ThirdCertainty. A few highlights:

  • Nearly half (48%) of data breach victims were confused about what to do.
  • Only 56% took advantage of identity theft protection services offered after a breach.
  • Some 61% declined identity theft services because of lack of understanding or confusion.
  • Some 32% didn’t know where to turn for help in the event of a financial loss because of identity theft.

Keep your guard up

These psychological shock waves, no doubt, are coming into play yet again for 143 million consumers who lost sensitive information in the Equifax breach. The ITRC findings suggest that many Equifax victims are likely to be frightened, confused and frustrated — to the point of acquiescence. That’s because the digital lives we lead come with risks no one foresaw at the start of this century. And the reality is that consumers need to be constantly vigilant about their digital life. However, cyber attacks have become so ubiquitous that they’ve become white noise for many people.


The ITRC study is the second major report showing this to be true. Last fall, a majority of computer users polled by the National Institute of Standards and Technology said they experienced “security fatigue” that often correlates to risky computing behavior they engage in at work and in their personal lives.

The NIST report defines “security fatigue” as a weariness or reluctance to deal with computer security. As one of the study’s research subjects said about computer security, “I don’t pay any attention to those things anymore. … People get weary from being bombarded by ‘watch out for this or watch out for that.’”

Cognitive psychologist, Brian Stanton, who co-wrote the NIST study, observed that “security fatigue … has implications in the workplace and in peoples’ everyday life. It is critical because so many people bank online, and since health care and other valuable information is being moved to the internet.”

Make no mistake, identity theft is a huge and growing problem. Some 41 million Americans have already had their identity stolen — and 50 million reported being aware of someone else who was victimized, according to a Bankrate.com survey.

Attacks are multiplying

With sensitive personal data for the clear majority of Americans circulating in the cyber underground, it should come as no surprise that identity fraud is on a rising curve. Between January 2016 and June 2016, identity theft accounted for 64% of all data breaches, according to Breach Level Index. One reason for the rise was a huge jump in internet fraud. Card not present (CNP) fraud leaped by 40% in 2016, while point of sale (POS) fraud remained unchanged.

It’s not just weak passwords and individual errors that are fueling the rise in online fraud. Organizations we all trust with our personal information are being attacked every single day. The massive breach of financial and personal history data for 143 million people from credit bureau Equifax is just the latest example.

Over the past four years, there has been a steady drumbeat of major data breaches: Target, Home Depot, Kmart, Staples, Sony, Yahoo, Anthem, the U.S. Office of Personnel Management and the Republican National Committee, just to name a few. The hundreds of millions of records stolen never perish; they will continue in circulation in the cyber underground, available for sale and/or to be used in the next innovative fraud campaign.

Be safe, not sorry

Protecting yourself online doesn’t have to be difficult or complicated. Here are seven ways to better protect your privacy and your identity today:

  • Freeze your credit rating at the big three rating agencies so scammers can’t use your identity to take out loans or credit cards
  • Add a website grader to your browser to avoid malware
  • Enroll in ID theft coverage with your bank, insurer or employer — it could be free or surprisingly inexpensive
  • Get and use a password vault so you can create and use hard-to-guess passwords
  • Be knowledgeable about common cyber scams
  • Add a verbal password to your bank account login and set up text alerts for unusual activity
  • Come up with a consistent way to decide whether it’s safe to click on something.

There is a bigger implication of losing sensitive information as an individual: it almost certainly will have a negative ripple effect on your family, friends and colleagues. There is a burden on consumers to be more active about cybersecurity, just as there is a burden on companies to make it easier for individuals to do so.


NIST researcher Stanton describes it this way: “If people can’t use security, they are not going to, and then we and our nation won’t be secure.”

Melanie Grano contributed to this story.

Cyber Attacks Shift to Small Businesses

Small- and mid-sized businesses (SMBs) are increasingly at risk for data breach class-action lawsuits that typically have targeted large corporations.

Large companies are learning to address cyber threats. Hackers are responding by setting their sights on SMBs: it’s simply more productive and efficient to attack poorly protected companies that could take weeks or even months to notice they’ve been breached.

As the risk of exposure moves downstream, the associated class-action lawsuits surely will follow. Statistics from the Identity Theft Resource Center show that the number of data breaches reported in 2016 exceeded 2015 levels by 40%, a worrying trend for those in the small business sector that likely will bear a greater percentage of those breaches going forward. The data stores held by SMBs may be smaller, but they’re no less rich in value to hackers. They contain financial data, healthcare information and other tantalizing personal details.

Security falls short

Unfortunately, because SMBs often lag behind larger companies in the sophistication and scope of their defensive measures, they’re much more susceptible to litigation centered on charges of negligence or a lack of due diligence. Exposures in the SMB sector also could go undetected for long periods, leaving more records vulnerable and increasing the size of the victim pool that may be interested in suing.


Smaller firms’ responses to the risk of cyber attack and litigation depend largely on their industry. Even the smallest healthcare entities are typically well-adapted to address potential data breaches and cyber risks. Long-standing mandates such as HIPAA — as well as a robust, centralized breach-reporting mechanism — have made companies in the medical space a little paranoid about their heavily regulated environment.

Behind the curve

Other small business sectors aren’t as prepared for the risk of a breach. Outside healthcare, the professional services industry, including legal and accounting, is much less aware of where threats exist or how to mitigate them. Many small firms don’t understand their responsibilities regarding data privacy or how data breach notification laws apply to them. Without a good awareness of data privacy concerns, obligations and solutions, these businesses are easy targets for any hacker who happens upon them.

Litigation bills add up

Data-breach class-action lawsuits can result in million-dollar judgments, but devastating costs may be incurred even if a settlement never materializes. A breached small business still needs to defend itself against litigation, and that takes money. Between legal counsel, forensic investigations, data recovery and any other steps the company may be required to take, the company is likely to incur significant financial penalties no matter which way the lawsuit goes.


Some SMBs are realizing they aren’t prepared for a cyber attack. The truly savvy ones are waking up to the prospect that, just as with the professional and employment liability insurance they already have, it would be wise to pursue coverage to defer defensive and recovery costs around their cyber liabilities. With the specter of more breaches — and more class-action lawsuits — coming down the pipeline, SMBs must find a way to minimize the threat of exposures while also putting protective measures in place should they find themselves facing litigation.

This article was originally posted on ThirdCertainty. It was written by Eduard Goodman.

Cyber: Best Defense Is a Good Offense

According to the Identity Theft Resource Center (ITRC), as of Aug. 11, there have been 472 data breaches, exposing 139,278,685 records in 2015 alone. It’s a safe bet that much of the personal identification information (PII) exposed in those breaches will be – at some point – used to perpetrate fraud. With all that PII out there, you might wonder what industry will likely fall victim to the fraud. The answer, according to the recently released results of the 2015 Fraud Mitigation Study, is simple: Cyber criminals do not choose one industry over another when it comes to committing fraud. In fact, all industries are targets.

The study, commissioned by the LexisNexis Fraud Defense Network, examines cross-industry fraud trends of all types – including identity-based fraud – and surveyed 400 fraud mitigation professionals from the insurance, financial services, retail, government, healthcare and communications industries. Overwhelmingly, respondents (84%) indicated that the cyber fraud cases they investigated within their industry were also connected to another industry. And the impact of cross-industry fraud is significant: 77% of respondents said cross-industry fraud cases had a moderate to extreme financial impact on their organization.

So, what can industries do to mitigate cyber fraud? It’s often been said the best defense is a good offense – and that’s what’s required. That begins with changing how they are fighting fraud. The siloed approach to each sector dealing with the problem on its own – and relying only on data within its industry – isn’t adequate. Criminals count on the fact that industries aren’t talking to each other. Once the fraudsters have pilfered one industry sector, they move on to the next unsuspecting industry. But what if one industry sent up a flare to the others?

Imagine if data about fraud cases was shared across industries. The dynamic would shift. Through cross-sector collaboration, industry would have the upper hand. In this scenario, the fraudsters would be at a disadvantage. This is not just a pipe dream. Study respondents recognized they need more information to fight fraud; in fact, 74% acknowledged it would be valuable to have information on fraud cases from outside their industry.

75% of study respondents stated that they do rely on external data analytics to detect and prevent fraud; the other 25% do not primarily because of a lack of budget, awareness, knowledge, comfort level or relevant training. The primary question is, what’s the most effective way to share information?

This is the mission of the Fraud Defense Network: to facilitate sharing of information, best practices and data around fraud mitigation across industry and government sectors. We have created the LexisNexis Contributory Risk Repository, a cross-industry database that houses information about fraudulent and suspicious events from organizations in finance, retail, insurance, healthcare, law enforcement and government. After the data is collected through the Risk Repository, LexisNexis applies advanced analytics to identify meaningful connections that not only illuminate past fraudulent behavior but also help to flag suspicious patterns on future transactions.

Will 2015 Top 2014 in Security Exposures?

It’s hard to imagine how 2014 could be surpassed as the worst year for massive identity theft and data loss exposures.

The news developments of 2014 were relentless and mind-numbing. Heartbleed and Shellshock rose to the fore as two of the nastiest Internet-wide vulnerabilities ever to come to light. Heartbleed exposes OpenSSL, the encryption software widely used by website shopping carts. And Shellshock enables a hacker to take control of the command shell used to type text-based commands on Linux, Unix and Mac servers.

“These are problems in the very fabric of what the Internet is built on,” says David Holmes, security evangelist at F5 Networks.


Meanwhile, Target, Neiman Marcus, Dairy Queen, Home Depot, JP Morgan and Sony Pictures led a parade of organizations disclosing major data breaches. Indeed, the tally of data breaches made public in the U.S. hit a record 783 in 2014, nearly 30% higher than in 2013, according to the Identity Theft Resource Center.

“The ubiquitous nature of data breaches has left some consumers and businesses in a state of fatigue and denial about the serious nature of this issue,” says Eva Velasquez, chief executive officer of the ITRC.

The scary part

Now here’s the scary part: The pace hasn’t slowed in the first few weeks of 2015.

Consider that the financial services sector has spent billions over the past decade on the best defensive technologies and systems money can buy. Yet a low-level Morgan Stanley financial adviser was able to exfiltrate account records, including passwords, for six million of the Wall Street giant’s clients.

Meanwhile, forensic analysts at Dell SecureWorks recently uncovered a novel strain of malware circulating deep inside a corporate network. It’s being referred to as a “skeleton key.” With a skeleton key an intruder can fool the authentication protocols on widely used Microsoft Active Directory systems by typing arbitrary passwords. This enables the attacker to do such things as gain unfettered access to webmail and virtual private networks (VPNs).

“It’s much easier to be an attacker than a defender,” observes Jeff Williams, director of security strategy for Dell SecureWorks’ Counter Threats Unit. “As a defender, you must protect all paths of access, whereas the attacker only needs to find one foothold from which to mount an intrusion.”

If nothing else, the headlines of 2014 should grab the attention of company owners, directors and senior executives. No one wants to make it to the ITRC’s list of U.S. breaches for 2015.

SMBs exposed

But small and medium-sized businesses (SMBs) should pay heed as well, says William Klusovsky, a security specialist at NTT Com Security. SMBs should grasp that they are part of a wider supply chain and that modern-day cybercriminals are intensively hunting for all weak links, he says.

Small business owners should “understand your business processes, be aware of your risk profiles and be able to explain that to your partners,” Klusovsky advises. “And then within reason implement the protections you can afford.”

A good place to start, for companies of any size, is to step into an attacker’s shoes, Dell SecureWorks’ Williams says. “Identify paths of entry and put mitigations in place, whether that be two-factor authentication, removing unneeded services, implementing, monitoring or training staff,” Williams says.

Security consultants can be valuable guides, and third-party managed services can do the day-to-day heavy lifting. But the due diligence must come from the business owner.

The business owner should plan to “remain engaged and active in the conversations with that security service provider,” Williams says.

Over time, all business owners need to develop some level of skill about security policies and procedures and look to infuse that knowledge into the company’s infrastructure.

See more at Third Certainty

‘Data on the Move’ Means Data at Risk

Everywhere we look today, data is on the move. The downside: When personal information and data are being moved electronically, they’re more vulnerable to identity theft.

At the Identity Theft Resource Center, a crucial part of our analysis when we track data breaches is to look for emerging trends. Unfortunately, one trend has become evident: The number of breaches linked to “data on the move” in the healthcare industry is up significantly. In fact, these types of data breaches – say, when a laptop or flash drive is stolen or back-up tapes are lost in the mail – have risen above other industries quite dramatically.

But there’s hope. Companies and organizations can take steps to reduce these data breaches. They can provide more robust employee training and stricter controls over what devices are allowed to leave the premises. Organizations can also review what data is stored on devices and how the devices are protected. Adding encryption to laptops that contain sensitive data – and that must leave the premises – will also improve the situation without busting the bottom line.
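The paragraph above recommends reviewing what data sits on devices that leave the premises and encrypting laptops that carry sensitive data. The check a practitioner would want is a way to confirm, on each laptop, that every mounted data volume actually sits on an encrypted device rather than a plain partition. The script below is an added example, not ITRC’s code; it assumes a Linux laptop whose disk layout is reported by `lsblk -J -o NAME,TYPE,MOUNTPOINT`, treats a filesystem as encrypted when it or any ancestor in the block-device tree is a dm-crypt (LUKS) mapping, and handles both the older `mountpoint` field and the newer `mountpoints` array that different lsblk versions emit. The two JSON samples are constructed, not captured from a real machine.

```python
import json
import shutil
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output (older lsblk, "mountpoint" field):
# root lives on a LUKS mapping, /boot is a plain partition (expected), /data is a plain partition (a finding).
SAMPLE_OLD_LSBLK = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}]}]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": "/data"}]}]}
"""

# Constructed sample in the newer lsblk shape ("mountpoints" array), with LVM volumes stacked on LUKS
# and an unencrypted USB stick mounted at /mnt/usb.
SAMPLE_NEW_LSBLK = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoints": [null], "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoints": ["/boot/efi"]},
    {"name": "nvme0n1p2", "type": "part", "mountpoints": [null], "children": [
      {"name": "luks-root", "type": "crypt", "mountpoints": [null], "children": [
        {"name": "vg-root", "type": "lvm", "mountpoints": ["/"]},
        {"name": "vg-home", "type": "lvm", "mountpoints": ["/home"]}]}]}]},
  {"name": "sdc", "type": "disk", "mountpoints": [null], "children": [
    {"name": "sdc1", "type": "part", "mountpoints": ["/mnt/usb"]}]}]}
"""

# Mountpoints that are expected to be unencrypted on a typical Linux laptop (bootloader, swap marker).
# Swap is listed only so the report stays readable; encrypted swap is still a good idea.
IGNORED_MOUNTPOINTS = {"/boot", "/boot/efi", "[SWAP]"}


def _mountpoint(node):
    """Return the node's mountpoint, accepting either lsblk field layout."""
    mp = node.get("mountpoint")
    if mp is None:
        mp = next((m for m in node.get("mountpoints", []) if m), None)
    return mp


def walk(node, encrypted=False):
    """Yield (device name, mountpoint, encrypted?) for every mounted node in the subtree.
    A node inherits 'encrypted' from any dm-crypt ancestor, so LVM-on-LUKS counts as encrypted."""
    enc = encrypted or node.get("type") == "crypt"
    mp = _mountpoint(node)
    if mp:
        yield node["name"], mp, enc
    for child in node.get("children", []):
        yield from walk(child, enc)


def unencrypted_mounts(lsblk_json, ignore=IGNORED_MOUNTPOINTS):
    """Return sorted (device, mountpoint) pairs for mounted filesystems with no encrypted ancestor."""
    tree = json.loads(lsblk_json)
    return sorted(
        (name, mp)
        for dev in tree["blockdevices"]
        for name, mp, enc in walk(dev)
        if not enc and mp not in ignore
    )


def audit_live_host():
    """Run lsblk on this machine (Linux only); returns None where lsblk is unavailable."""
    if shutil.which("lsblk") is None:
        return None
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    ).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    for label, sample in (("old-style sample", SAMPLE_OLD_LSBLK), ("new-style sample", SAMPLE_NEW_LSBLK)):
        findings = unencrypted_mounts(sample)
        print(f"{label}: {'OK, all data volumes encrypted' if not findings else 'UNENCRYPTED ' + str(findings)}")
    live = audit_live_host()
    if live is not None:
        print("this host:", "OK" if not live else f"UNENCRYPTED {live}")
```

Run on a fleet via your endpoint-management tool, a non-empty result is the list of volumes that would leak if the laptop is stolen; the old-style sample flags `/data` on `sdb1`, the new-style sample flags the USB stick on `sdc1`, and root, `/home` and the boot partitions pass.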

Breach incidents because of data on the move have been trending downward as a percentage of all breach incidents, from 20% in 2008 to 12% in 2012. Although the percentage increased slightly to 13% in 2013, most industry sectors have seen a payoff from preventive measures.

The medical sector is not having a similar experience. More than half of the breaches because of data on the move occurred in the health/medical sector.


For instance, in California, Palomar Health recently experienced a data breach when an encrypted laptop and two unencrypted flash drives were taken from a staff member’s car. The devices exposed the personal health information of 5,000 patients. In Michigan in late January, a laptop computer and flash drive were stolen from an employee of the state Long Term Care (LTC) Ombudsman’s Office. Information on the laptop was encrypted, but data on the flash drive was not. The flash drive contained personal information about 2,595 living and deceased individuals, including names and addresses and, for some individuals, dates of birth. Either a Social Security number or a Medicaid identification number was included with 1,539 records.

Data breaches pose a significant risk to consumers because of the correlation between breaches and identity theft. According to Javelin Research, one out of three people whose information was breached fell victim to fraud in the same year. When medical records or personal health information (PHI) are compromised, consumers are not only facing an increased risk of medical identity theft. The risk for all types of identity theft is increased. (For more information on medical identity theft and its impact on the community, see the Medical Identity Theft and Fraud article on ITL).

The information entrusted to medical providers and insurance companies is often the same information that can be used to steal a person’s identity and commit financial identity theft, government identity theft and even criminal identity theft. In addition to receiving medical goods and services or prescriptions in the victim’s name, a thief could obtain loans or new lines of credit, apply for government benefits or file a false tax return. The perpetrator could even use the victim’s name if caught while committing a crime.

“Whether sensitive data is at rest or in transit, it should have appropriate risk-based controls and policies applied to its governance,” says Ann Patterson, program director with Medical Identity Fraud Association, which unites all the stakeholders and helps to convey the importance of these best practices. “The same judicious enterprise-wide data protection principles that you apply to your data at rest should also be considered for your data in transit and your mobile data. Particularly for mobile, BYOD policies (Bring Your Own Device) are essential.”

According to MIFA, many organizations are feeling the impact of shrinking budgets and may be tempted to reduce costs by limiting financial resources for internal fraud detection and prevention programs. This may provide immediate help to the bottom line. But in the long term it’s the wrong solution. Costs creep up in other areas when fraud is ignored. This could result in an organizational culture shift; as the old saying goes, what we allow, we encourage.

Coupled with human resources divisions, the fraud detection and prevention programs often provide employee training and formulate best practices in regard to fraud reduction.

The ITRC realizes the critical importance of information management and data security. We believe strongly in the importance of educating consumers and businesses about the value of our individual data and the importance of personally identifying information (PII). For this reason, our organization began tracking data breaches in 2005. Tracking breaches has allowed us to look for patterns in regard to how our information is being safeguarded, or compromised, by those we trust with it.

The ITRC defines a data breach as an event in which an individual name plus a Social Security number, driver’s license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure. This exposure can occur either electronically or in paper format. The ITRC will capture breaches that do not, by the nature of the incident, trigger data-breach-notification laws. Generally, these breaches consist of the exposure of user names, emails and passwords without involving sensitive personal identifying information. These breach incidents will be included by name but without the total number of records exposed. (For a more detailed explanation of our methods, visit the ITRC breach report page).

Data breaches and identity theft have been on the rise and have a significant effect on the individual victims as well as on the U.S. economy. We acknowledge that there is no panacea to rid ourselves of this issue entirely. However, encouraging negligence by not providing employees with the proper tools, and simply not acknowledging the problem, is not the answer, either.

Small and steady gains can be made by implementing training and increasing accountability for the individuals and organizations that we entrust to be good stewards of our PII. A good start would be to understand and recognize how each type of incident plays a role and identify deficiencies.

Another option for organizations is to get involved with industry and trade organizations that also tackle issues related to data breach best practices daily. Businesses want to keep proprietary information close to the vest, but best practices about breaches should not be a trade secret. A highly engaged and enlightened health/medical community would be a step in the right direction.