Tag: Data Breach

They say that numbers don’t lie, but they can be manipulated to tell a prettier version of the truth. When looking at the cost of a data breach, most organizations want to see low numbers. The reality is that the total cost of a data breach is both quantifiable and difficult to gauge.

Whether analyzing the numbers on a per-stolen-record basis or by the average total cost of a data breach, the numbers are lofty, according to the 2017 Cost of Data Breach Study: Global Overview released in June by the Ponemon Institute.

Though down from 2016, the average total cost of a data breach of the more than 400 companies that participated in the study is $3.62 million.

Kaspersky Lab widened the net in its survey of the cost of a cyberattack and found that, among its 5,000 participants, the total impact of a breach for a North American enterprise comes in at only $1.3 million, about a third of what the Ponemon study reported.

That’s quite a gap, one that on the surface has North American enterprises benefiting from geography, yet they reportedly have suffered the most breaches with the highest loss of records. Overall, each breach is not only growing larger but more costly as well.


The recent breach of Equifax, a global information solutions company that organizes, assimilates and analyzes data on consumers and businesses worldwide, and one of the three major credit reporting agencies, exposed the data of approximately 143 million people in the United States. Between May and July, the breach allowed attackers access to names, Social Security numbers, birth dates, and even driver’s licenses, in addition to 209,000 credit card numbers and dispute details for another 182,000 individuals. According to the company, the attack vector exploited a U.S. website application vulnerability to gain access to certain files. In addition to being a major credit bureau, Equifax is a partner of the Internal Revenue Service (IRS), the Centers for Medicare and Medicaid, and the Social Security Administration, all major targets of hostile cyber actors.

Your data is now out there, thanks to the Equifax breach

More alarming than the breach itself is the fact that details of the breach weren’t made public until six weeks after it had occurred, and the company hasn’t said why it waited so long before notifying the public. One possibility is that the company was investigating the causes and the extent of the breach, although this is only speculation. To add insult to injury, it was revealed that three of Equifax’s executives sold company stock prior to the disclosure of the breach. While the company maintains that these individuals were not notified of the Equifax breach prior to the sale, once the breach was made public, Equifax stock value plunged 18 percent, with some estimates predicting further losses.

Unsurprisingly, the culmination of events has outraged an American public whose anger has reached the U.S. government, igniting a bipartisan political response to the breach. The U.S. Senate Finance Committee has pressured Equifax to disclose what happened and why, sending a 13-question letter covering topics such as details of breach discovery, the company’s victim notification plan, and steps to mitigate consumer impact. The company has until September 28 to answer the questions outlined in the Committee’s letter.

The Equifax breach comes at a time when some significant organizations have failed to safeguard sensitive personal information of citizens. Notable breaches have included the 2015 Anthem breach that surrendered 79 million people’s personal information; the 2015 Office of Personnel Management (OPM) breach that compromised more than 4 million personnel records of individuals applying for security clearances; and the 2016 IRS breach that exposed the personal information of more than 700,000 individuals.

It is important to underscore that these millions of individuals did not carelessly protect or handle their own data. Rather, it was the inability of these “responsible” organizations, which require the information for their business purposes, to properly secure it, calling into question the extent of their responsibility, accountability, and consequence. Even when the company provided a site for potential victims to check whether their information might have been compromised, it required the last six digits of an individual’s Social Security number, not the last four, which is the more standard practice. Providing additional information to a website of an entity that has demonstrated its inability to protect what it already had is certainly not reassuring.

Currently, 48 states have laws requiring private or governmental entities to notify individuals of security breaches involving personally identifiable information. However, the “time of notification” varies, and in several instances is defined in vague terms such as “most expeditious.” This is completely unacceptable in today’s cyber reality, where the criminal element can operate quickly and monetize stolen information immediately, before victims are even aware that they have been compromised. In 2011, the Social Security Administration (SSA) failed to inform thousands of Americans that it had accidentally released their names, dates of birth and Social Security numbers in an electronic database widely used by U.S. business groups. The SSA essentially ignored the established reporting guidelines of the U.S. Privacy Act, which protects the personal information of private citizens. Such actions are not only negligent but border on criminal in their own right.

The U.S. public is tired of seeing massive breaches occur without any accountability or consequence levied against the organizations that were trusted with, and failed to protect, the sensitive information of other people. Fines do not send a serious enough message, and CEO firings and/or forced resignations have not made any significant impact in changing cyber security practices. The U.S. Congress, long maligned and unpopular according to one tracking service, has the opportunity to demonstrate bipartisanship and pass strict disclosure mandates, along with an appropriate level of grave consequences.

While much attention has been focused on nation state cyber capabilities, the frequency and pace of major breaches like the Equifax breach have become white noise that gets a moment’s notice before attention shifts to sexier cyber topics. This has got to change. While the crippling of U.S. critical infrastructure as a result of a cyber attack could potentially have far-reaching impacts, it remains a scenario. What is actually transpiring is the rampant mass exploitation and misuse of the U.S. public’s personal information, which affects everyone, regardless of political party, economic class, or religious ideology. That seems a call that both sides of the aisle should be able to get behind.

This is a guest post written by Emilio Iasiello.

Healthcare Data: Everything Has a Price; Everything Has Value

Unsurprisingly, the healthcare sector continues to be an attractive target, as the data stolen continues to provide value to a diverse set of threat actors. Indeed, criminals and actors associated with traditional cyber espionage activities have conducted some of the more news-garnering incidents of the past few years. What’s more, depending on the actors’ intent, all types of information have been sought after and stolen by these groups and individuals, including financial and insurance-related information, personally identifiable information, and even the health records of patients. The targeting of these different types of data should demonstrate to the healthcare industry that there is no seemingly benign data when it comes to healthcare, and that strategies must be designed to safeguard any and all types of data that relate to patients and their care and treatment.


Should We Just Accept Cyber Breaches as the New Normal?

An August article suggested that, due to the large number of cyber breaches that have impacted both the public and private sectors and put millions of individuals’ personally identifiable information at risk, the general attitude toward breaches is becoming one of mainstream acceptance. This is an unfortunate state of affairs: instead of compelling organizations to aggressively improve their network security practices, the public writ large is willing to accept credit monitoring for a period of time (usually 1-2 years) as a consolation prize. According to one source, the first half of 2016 saw 538 breaches identified; 60 percent of businesses losing valuable intellectual property and/or trade secrets; and approximately 13 million records exposed.
