Tag Archives: Data Breach

Staying Vigilant Against Identity Theft

Much hay is being made of an apparent decline in the number of identity theft victims and losses, amid an ongoing number of significant data breaches.

The headlines follow release of the 2015 Identity Fraud Study by Javelin Strategy & Research. The study found that there were 12.7 million identity fraud victims in 2014, down 3 percent from the near record high of 13.1 million victims in 2013.

At the same time, some $16 billion was stolen from fraud victims in 2014, an 11 percent decline from $18 billion in 2013. Javelin attributes the decrease to the combined efforts of industry, consumers and monitoring and protection systems that are catching fraud more quickly.

As we know, 2014 saw a number of major data breaches, notably from retailers Home Depot, Neiman Marcus, Staples and Michael’s as well as financial institutions such as JP Morgan Chase.

But lest you think that the swift response to data breaches has nullified the identity theft threat, think again.

Javelin found that two-thirds of identity fraud victims in 2014 had previously received a data breach notification in the same year. Also, individuals whose credit or debit cards were breached in the past year were nearly three times more likely to be an identity fraud victim.

Meanwhile, identity theft just topped the Federal Trade Commission’s (FTC) national ranking of consumer complaints for the third consecutive year, accounting for 13 percent of all complaints.

Government documents/benefits fraud (39 percent) was the most common form of reported identity theft, followed by credit card fraud (17 percent), phone or utilities fraud (13 percent), and bank fraud (8 percent), the FTC said.

Whether or not identity theft is caused by a data breach (remember, stolen laptops, wallets, dumpster diving, phishing scams  are some of the most common causes of identity theft), or whether an individual even knows how their information was compromised (many don’t), it’s important to stay vigilant to this threat.

A 3 percent decline in identity fraud victims in one year isn’t much. As Al Pascual, director of fraud & security at Javelin notes:

Despite the headlines, the occurrence of identity fraud hasn’t changed much over the past year, and it is still a significant problem.”

Wondering if your homeowners insurance policy includes coverage for identity theft? Check out these useful tips from the I.I.I.

Another Mega Data Breach

In what is being described as potentially the largest breach of a health care company to-date, health insurer Anthem has confirmed that it has been targeted in a very sophisticated external cyber attack.

The New York Times reports that hackers were able to breach a company database that contained as many as 80 million records of current and former Anthem customers, as well as employees, including its chief executive officer.

Early reports here and here suggest the attack compromised personal information such as names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.

On a website — www.AnthemFacts.com — set up to respond to questions, Anthem noted that there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.

Anthem said the breach was discovered on January 27 and that the company is fully cooperating with the FBI investigation. The health insurer has been praised for its initial response in promptly notifying the FBI after observing suspicious activity.

An  FBI statement quoted in an LA Times article noted:

Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances. Speed matters when notifying law enforcement of an intrusion, as cyber criminals can quickly destroy critical evidence needed to identify those responsible.”

On the dedicated website, Anthem president and CEO, Joseph R Swedish, offered a personal apology to members. Anthem has also established a toll-free number — 1-877-263-7995 FREE — that both current and former members can call if they have questions related to the breach.

In 2014, the medical/healthcare sector accounted for 42 percent of data breaches — the largest among industry sectors — as reported by the Identity Theft Resource Center (ITRC).

In fact, breaches in the medical/healthcare industry have accounted for the largest percentage of data breaches by industry sector since 2012, which ITRC attributes primarily to the mandatory reporting requirement for healthcare breaches to the Department of Health and Human Services (HHS).

If the estimate of 80 million records compromised holds, this will put the Anthem data breach up there with recent mega breaches of 2014 such as eBay (145 million people affected), JP Morgan (76 million households and 7 million small businesses affected) and Home Depot (56 million unique payment cards).

While 2014 was dubbed the year of the mega breach, the Ponemon Institute recently warned that 2015 is predicted to be as bad or worse as more sensitive and confidential information and transactions are moved to the digital space and become vulnerable to attack.

As of January 27, 2015, some 455,377 records had been exposed in 64 breaches reported to the ITRC. This followed a record high of 783 U.S. data breaches exposing 85.6 million records tracked by the ITRC in 2014.

For an analysis of cyber risk and insurance, download this Insurance Information Institute (I.I.I.) white paper.

Cyber Value-At-Risk

Measures and methods widely used in the financial services industry to value and quantify risk could be used by organizations to better quantify cyber risks, according to a new framework and report unveiled at the World Economic Forum annual meeting.

The framework, called “cyber value-at-risk” requires companies to understand key cyber risks and the dependencies between them. It will also help them establish how much of their value they could protect if they were victims of a data breach and for how long they can ensure their cyber protection.

The purpose of the cyber value-at-risk approach is to help organizations make better decisions about investments in cyber security, develop comprehensive risk management strategies and help stimulate the development of global risk transfer markets.

Among the key questions addressed by the cyber value-at-risk model concept are: how vulnerable are organizations to cyberthreats? how valuable are the key assets at stake? and, who might be targeting them?

The proposed framework is part of a new report, Partnering for Cyber Resilience: Towards the Quantification of Cyber Threats, that was created in collaboration with Deloitte and the input of 50 leading organizations around the world.

As the report states:

The financial services industry has used sophisticated quantitative modeling for the past three decades and has a great deal of experience in achieving accurate and reliable risk quantification estimates. To quantify cyber resilience, stakeholders should learn from and adopt such approaches in order to increase awareness and reliability of cyber threat measurements.”

One potential option, it suggests, is to link corporate enterprise risk management models to perspectives and methods for valuing and quantifying “probability of loss” common to capital adequacy assessment exercises in the financial services industry, such as Solvency II, Basel III, albeit customized to recognize cyber resilience as a distinct phenomenon.

The report points out that the goal is not to provide  a single model for quantifying risk.  Indeed for cyber resilience assurance to be effective, it says participants need to make a concerted effort to develop and validate a shared, standardized cyber threat quantification framework that incorporates diverse but overlapping approaches to modeling cyber risk:

A shared approach to modeling would increase confidence regarding organizational decisions to invest (for risk reduction), distribute, offload and/or retain cyber threat risks. Implicit is the notion that standardizing and quantifying such measures is a prerequisite for the desirable development and smooth operation of cyber risk transfer markets. Such developments require ERM frameworks to merge with insurance and financial valuation perspectives on cyber resilience metrics.”

 

Cyber Risk on the Inside

While the Sony cyber attack has put the spotlight on sophisticated external attacks, a new report suggests that insiders with too much access to sensitive data are a growing risk as well.

According to the survey conducted by the Ponemon Institute, some 71 percent of employees report that they have access to data they should not see, and more than half say this access is frequent or very frequent.

In the words of Dr. Larry Ponemon, chairman and founder of The Ponemon Institute:

This research surfaces an important factor that is often overlooked: employees commonly have too much access to data, beyond what they need to do their jobs, and when that access is not tracked or audited, an attack that gains access to employee accounts can have devastating consequences.”

While the focus in recent weeks has been on the risk of external attacks, the Ponemon study finds that data breaches are most likely to be caused by insiders with too much access who are frequently unaware of the risks they present.

Some 50 percent of end users and 74 percent of IT practitioners believe that insider mistakes, negligence or malice are frequently or very frequently the cause of leakage of company data.

And only 47 percent of IT practitioners say employees in their organizations take appropriate steps to protect the company data they access.

In a workplace environment where employees are under pressure to deliver more, faster, cheaper, it’s easy to overlook security risks in the name of efficiency.

Only 22 percent of employees surveyed believe their organizations as a whole place a very high priority on the protection of company data, and less than half believe their companies strictly enforce security policies related to use of and access to company data.

The flip side is that businesses need to be reticent of going to the other extreme, limiting data that their employees or customers need.

Some 43 percent of end users say it takes weeks, months or longer to be granted access to data they request access to in order to do their jobs. And 68 percent say it is difficult or very difficult to share appropriate data or files with business partners such as customers or vendors.

Ponemon interviewed 1,166 IT practitioners and 1,110 end users in organizations ranging in size from dozens to tens of thousands of employees in a range of industries including financial services, public sector, health and pharma, retail, industrial and technology and software.

More on insider threats in  this I.I.I.  paper on  cyber risks.

IBM: Information Sharing Key to Address Cyber Threat

There’s an interesting moment in a report on the current state of  cyber security leadership from International Business Machines Corp (IBM).

For those who haven’t seen it yet, the report identifies growing concerns over cyber security with almost 60 percent of Chief Information Security Officers (CISOs) saying the sophistication of attackers is outstripping the sophistication of their organization’s defenses.

But as security leaders and their organizations attempt to fight what many feel is a losing battle against hackers and other cyber criminals, there is growing awareness that greater collaboration is necessary.

As IBM puts it: “Protection through isolation is less and less realistic in today’s world.”

Consider this: some 62 percent of security leaders strongly agreed that the risk level to their organization was increasing due to the number of interactions and connections with customers, suppliers and partners.

Despite this widespread interconnectivity that drives modern business, security leaders themselves aren’t sufficiently collaborative, IBM says.

Just 42 percent of organizations that IBM interviewed are members of a formal industry-related security group. However, 86 percent think those groups will become more necessary in the next three to five years.

Instead of focusing on just their own organizations, security leaders need to take a “secure the ecosystem” approach, IBM concludes.

A sidebar highlights one company’s experience and approach to collaboration and how the key to being more secure is being more open.

For some practical strategies to address cyber  risk in your business check out this I.I.I. presentation.

Sony Cyber Attack Breaks New Ground

More news keeps tumbling in the wake of the recent cyber attack at Sony Pictures Entertainment–Sony’s second major hacker attack in three years–and it’s not good.

The fact that the breach has exposed employee information ranging from salaries to medical records to social security numbers to home addresses, not to mention five yet-to-be-released Sony movies,  causing a major shutdown of the company’s computer systems, appears to break new ground.

First up, the Wall Street Journal says the attack revealed far more personal information than previously believed, including the social security numbers of more than 47,000 former employees along with Hollywood celebrities like Sylvester Stallone.

According to the WSJ:

An analysis of 33,000 Sony documents by data security firm Identity Finder LLC found personal data, including salaries and home addresses, posted online for people who stopped working at Sony Pictures as far back as 2000 and one who started in 1955.”

And:

Much of the data analyzed by Identity Finder was stored in Microsoft Excel files without password protection.”

Aren’t most businesses run in Excel?

A well-timed piece over at the New York Times Bits Blog makes the point that companies that continue to rely on prevention and detection technologies, such as firewalls and antivirus products, are considered sitting ducks for cyber attacks.

Bits Blog cites Richard A. Clarke, the first cybersecurity czar at the White House, who says:

It’s almost impossible to think of a company that hasn’t been hacked–the Pentagon’s secret network, the White House, JPMorgan–it is pretty obvious that prevention and detection technologies are broken.”

So what approaches are working?

According to the Bits Blog post, experts say the companies best prepared for online attacks are those that have identified their most valuable assets, like Boeing’s blueprints to the next generation of stealth bomber or Target’s customer data.

Those companies take additional steps to protect that data by isolating it from the rest of their networks and encrypting it.”

Breach detection plans and more secure authentication schemes, in addition to existing technologies, are the key to being better prepared.

Insurance too, is seen as a vital preparedness step.

Earlier this week, a top U.S. regulator said banks should consider cyber insurance to protect themselves from the growing financial impact in the wake of cyber attacks.

Let’s hope companies take heed.

As of December 2, the Identity Theft Resource Center (ITRC) reports that 2014 has seen 708 data breaches, exposing 85.1 million records (this list includes the Sony attack, listing the number of records exposed at 7,500).

Those figures are even higher than 2013, when the total number of data breaches and records exposed, soared.

More on the potential fallout and growing identity theft threat facing consumers here.

The Importance of Having a Cyber Liability Policy

As the number of companies suffering a data breach continues to grow — with U.S. retailer Staples now reported to be investigating a breach — so do the legal developments arising out of these incidents.

While companies that have suffered a data breach look to their insurance policies for coverage to help mitigate some of the enormous costs, recent legal developments underscore the fact that reliance on traditional insurance policies is not enough, notes the I.I.I. white paper Cyber Risks: The Growing Threat.

A post in today’s Wall Street Journal Morning Risk Report, echoes this point, noting that a lawsuit between restaurant chain P.F. Chang’s and its insurance company Travelers Indemnity Co. of Connecticut could further define how much, if any, cyber liability coverage is included in a company’s CGL policy.

Collin Hite, partner and leader of the insurance recovery group at law firm Hirschler Fleischer tells the WSJ that whatever the outcome of this case, companies that want to be sure they are protected against cyber-related losses may have to purchase separate cyber liability policies–and make sure those policies are broad enough to encompass the myriad ways an attack could cost the firm money.

P.F. Chang’s confirmed in June that it had suffered a data breach in which data from credit and debit cards used at its restaurants was stolen.

An earlier  post in the Hartford Courant Insurance Capital blog by Matthew Sturdevant  has the details on  the  legal action  between Travelers and P.F. Chang’s.

To-date the application of standard form commercial general liability (CGL) policies to data breach incidents has led to various legal actions and differing opinions, according to the I.I.I. paper on cyber risks.

One recent high profile  — and oft-cited case  — followed the April 2011 data breach at Sony Corp. in which hackers stole personal information from tens of millions of Sony PlayStation Network users.

A New York trial court ruled that Zurich American Insurance Co. owed no defense coverage to Sony Corp. or Sony Computer Entertainment America LLC.

In his ruling, New York Supreme Court Justice Jeffrey K. Oing said acts by third-party hackers do not constitute “oral or written publication in any manner of the material that violates a person’s right of privacy” in the Coverage B (personal and advertising injury coverage) under the CGL policy issued by Zurich.

Further expertise and analysis on cyber risks and insurance is available from the I.I.I.

Data Breach Preparedness Plans More Likely to Include Insurance

A second annual survey from Experian and the Ponemon Institute appears to show that more companies are prepared for a data breach, and that cyber insurance policies are becoming a more important part of those preparedness plans.

The study, which surveyed 567 executives in the United States, found that 73 percent of companies now have data breach response plans in place, up from 61 percent in 2013. Similarly, 72 percent of companies now have a data breach response team, up from 67 percent last year.

In the last year the purchase of cyber insurance by those companies has more than doubled, with 26 percent now saying they have a data breach or cyber policy, up from just 10 percent in 2013.

However, this means that two-thirds of respondents — 68 percent — are still not buying cyber policies. (Six percent of respondents are also unsure whether their company has cyber insurance.)

Interestingly, the fact that more companies have data breach response plans in place does not appear to instill greater confidence that they are effective.

Despite the existence of plans, only 30 percent of respondents say their companies are effective or very effective in developing and executing a data breach plan, the survey found.

Why are the plans not effective?

The survey indicates that in many cases a breach response plan is largely ignored after being prepared.

Some 41 percent of respondents say there is no set time for reviewing and updating the plan, while 37 percent say they have not reviewed or updated the plan since it was put in place.

All of this comes as the frequency of data breaches is accelerating. Some 60 percent of respondents say their company experienced more than one data breach in the past two years, up from 52 percent in 2013. And 43 percent say their company had a data breach in the last year, up from 33 percent in 2013.

Check out the latest I.I.I. white paper on this topic Cyber Risks: The Growing Threat.

More on this story from the Wall Street Journal’s Risk & Compliance Report.

Latest Cyber Security Breach: 1.2B Passwords Stolen

Companies large and small appear to have been targeted in what is being described as the largest known data breach to date.

As first reported by The New York Times, a Russian crime ring amassed billions of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses.

The NYT said it had a security expert not affiliated with Hold Security analyze the database of stolen credentials and confirm its authenticity.

The records, discovered by security experts Hold Security, include confidential material gathered from 420,000 websites, ranging from household names to small Internet sites.

According to Hold Security’s own report, the hackers didn’t just target large companies. They targeted every site that their victims visited:

With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.”

The NYT said so far the criminals have not sold many of the records online, but appear to be using it to send spam on social networks.

If ever there was a reason to research — and buy — cyber insurance, this would be it.

In its recently published paper Cyber Risks: The Growing Threat, the Insurance Information Institute (I.I.I.) notes that reliance on traditional insurance policies is not enough, as companies face growing liabilities in this fast-evolving area.

Following the Target data breach and other high profile breaches, the I.I.I. said the number of specialist cyber insurance policies is increasing, and that insurance has a key role to play as companies and individuals look to better manage and reduce their potential financial losses from cyber risks.

It cited data from broker Marsh showing a 21 percent increase in the number of clients purchasing cyber insurance from 2012 to 2013. That growth is accelerating in 2014.

Meanwhile, a new report from PwC US and the Investor Responsibility Research Center Institute (IRRCi) indicates that while companies must disclose significant cyber risks, those disclosures rarely provide differentiated or actionable information.

According to the report’s authors:

The consequences of poor security include lost revenue, compromised intellectual property, increases in costs, impact to customer retention, and can even contribute to C-level executives leaving companies.”

It suggests that investors focus on corporate preparedness for cyber attacks, and then engage with highly-likely targets to better understand corporate preparedness and to demand better and more actionable disclosures (though not at a level that would provide a cyber-attacker a roadmap to make those attacks).

Target Data Breach: More on the Numbers

Two months after Target announced a massive data breach in which hackers stole 40 million debit and credit card accounts from stores nationwide and the rising costs related to the incident are becoming clear.

Costs associated with the Target data breach have reached more than $200 million for financial institutions, according to data collected by the Consumer Bankers Association (CBA) and the Credit Union National Association (CUNA).

Breaking out the numbers, CBA estimates the cost of card replacements for its members have reached $172 million, up from an initial finding of $153 million. CUNA has said the cost to credit unions has increased to $30.6 million, up from an original estimate of $25 million.

So far, cards replaced by CBA members and credit unions account for more than half (54.5 percent) of all affected cards.

In a press release, CBA notes that the combined $200 million cost does not factor in costs to financial institutions other than credit unions or CBA members, nor does it take into account any fraudulent activity which may have occurred or may occur in the future:

Fraudulent activity would push the cost of the Target data breach to the industry much higher, as consumers would not be held liable.†

A post over at the Wall Street Journal Corporate Intelligence blog points out that cyber attacks like these continue to be a drain on the wider economy.

It cites a study backed by computer security firm McAfee that last year estimated the total cost of cybercrime and cyber espionage to the United States at up to $100 billion each year.

Meanwhile, legal experts caution that companies need to take stock in the wake of the Target breach and make sure they have adequate insurance in place.

A post by Emily R. Caron in Media, Privacy and Beyond published by law firm Lathrop & Gage notes that fortunately Target appears to have a lot of insurance in place.

It cites reports suggesting that between cyber coverage and directors and officers (D&O) coverage, Target has $165 million in total limits, after self-insuring the first $10 million. (Hat tip to @LexBlogNetwork for highlighting this article)

However, The New York Times recently reported that total damages to banks and retailers could exceed $18 billion according to estimates by Javelin Strategy & Research.

In addition the NYT noted that nearly 70 lawsuits have already been filed against Target, many of them seeking class-action status.

As Caron notes  in her article at Media, Privacy & Beyond, there is a big gap between $165 million and $18 billion.

Check out I.I.I. facts + statistics on ID theft and cyber security.