<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Data Breach Resolution &#187; Security Breaches</title>
	<atom:link href="http://www.experian.com/blogs/data-breach/tag/security-breaches/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.experian.com/blogs/data-breach</link>
	<description>Tools to help you navigate privacy, compliance, and security issues that may result in a data breach.</description>
	<lastBuildDate>Thu, 03 Jan 2013 19:44:41 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.2</generator>
		<item>
		<title>When it comes to data breach, hackers are not the biggest threat</title>
		<link>http://www.experian.com/blogs/data-breach/2012/12/27/when-it-comes-to-data-breach-hackers-are-not-the-biggest-threat/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/12/27/when-it-comes-to-data-breach-hackers-are-not-the-biggest-threat/#comments</comments>
		<pubDate>Thu, 27 Dec 2012 17:54:38 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1911</guid>
		<description><![CDATA[Human errors are the most common threats to exposing a person’s personal information to data breaches according to an analysis of reported data breaches by Rapid7, a security intelligence company. Rapid7 compiled the data breach information for the report based on the number of reported public information data breaches from January 2009 to May 2012 [...]]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/12/human-error-data-breach.jpg"><img class="aligncenter size-full wp-image-1914" title="human-error-data-breach" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/12/human-error-data-breach.jpg" alt="" width="460" height="276" /></a></p>
<p>Human error is the most common cause of exposing a person’s personal information in <a href="http://www.experian.com/blogs/data-breach/2011/09/27/ensuring-the-security-of-personal-identifiable-information/">data breaches</a>, according to <a href="http://www.rapid7.com/docs/Data-Breach-Report.pdf" target="_blank" rel="nofollow">an analysis</a> of reported data breaches by Rapid7, a security intelligence company. Rapid7 compiled the <a href="http://www.experian.com/blogs/data-breach/2012/03/27/big-data-can-mean-big-breaches/">data breach information</a> for the report from the publicly reported data breaches recorded between January 2009 and May 2012 in the <a href="https://www.privacyrights.org/data-breach" target="_blank" rel="nofollow">Chronology of Data Breaches</a> maintained by the Privacy Rights Clearinghouse, a nonprofit privacy advocacy group.</p>
<p>The <a href="http://www.experian.com/blogs/data-breach/2012/03/12/unlock-data-breach-facts/">data breach statistics</a> from the report totaled 268 incidents affecting 94 million people. The factor responsible for the largest number of <a href="http://www.experian.com/blogs/data-breach/2012/05/07/itrc-report-identifies-top-three-data-breach-triggers/">breaches of data</a> was unintended disclosure due to negligence and clerical errors: 78 incidents, exposing almost 12 million records of private information. The next highest was 51 incidents due to the loss of a portable data storage device, which breached almost 82 million personal records. Hacking was low on the list, with 40 incidents exposing about 1 million records.</p>
<p>What can be done about this alarming problem?</p>
<p>Security experts advise implementing nationally mandated <a href="http://www.experian.com/business-services/risk-management.html">data breach protection</a> protocols and developing effective breach response programs, in conjunction with <a href="http://www.experian.com/blogs/data-breach/2011/06/14/cyber-liability-insurance-5-fast-facts/">cyber security</a> training for employees who handle sensitive public data. Employing technology such as encryption is another way to counter human error, since it is inexpensive, simple to administer and highly effective in protecting data. Device management software that tracks which devices are in use, monitors downloaded data and can remotely wipe lost or stolen devices is another data protection tool.</p>
<p>Some experts go so far as to suggest that all these initiatives need to be backed by a law that punishes workers who fail to follow the protocols with either dismissal or jail time, depending on the severity of the data breach. The bottom line is that protecting the public’s most private information is serious business, and those entrusted with such sensitive information need to recognize that they have a responsibility to protect the public’s privacy. In turn, it is a responsibility that we, the public, must ensure they take seriously.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/12/27/when-it-comes-to-data-breach-hackers-are-not-the-biggest-threat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ITRC report identifies top three data breach triggers</title>
		<link>http://www.experian.com/blogs/data-breach/2012/05/07/itrc-report-identifies-top-three-data-breach-triggers/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/05/07/itrc-report-identifies-top-three-data-breach-triggers/#comments</comments>
		<pubDate>Mon, 07 May 2012 23:20:31 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1201</guid>
		<description><![CDATA[For a company, a data breach can seem like it comes out of the blue. Yet, according to analysis by the Identity Theft Resource Center (ITRC), the three primary causes of data breaches have remained the same since 2009: Hacking Data on the move Insider theft ITRC has been releasing an annual Breach Report since 2007. [...]]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/05/Data-Breach31.jpg"><img class="aligncenter size-full wp-image-1210" title="Data-Breach Lock" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/05/Data-Breach31.jpg" alt="" width="428" height="265" /></a></p>
<p style="text-align: left;">For a company, a data breach can seem like it comes out of the blue. Yet, according to analysis by the <a title="Identity Theft Resource Center" href="http://www.idtheftcenter.org/" target="_blank" rel="nofollow">Identity Theft Resource Center</a> (ITRC), the three primary causes of data breaches have remained the same since 2009:</p>
<ul>
<li>Hacking</li>
<li>Data on the move</li>
<li>Insider theft</li>
</ul>
<p>ITRC has been releasing an annual Breach Report since 2007. For the first time, hacking outpaced all other triggers, accounting for just over a quarter of the 419 breaches in 2011. Hacking’s share rose from 17.1% in 2010, and from the previous high of 19.5% in 2009, to 25.8% in 2011.</p>
<p>Data on the move* was the second highest trigger, accounting for 18.1% of the breaches in 2011. Insider theft, the third trigger, caused 13.4% of the breaches, falling slightly from 2010. ITRC further counts hacking and insider theft together as malicious attacks, which add up to nearly 40% of breaches in 2011.</p>
<p>The numbers make it clear that companies can’t rely on one form of data breach prevention alone. The 2011 Breach Report further illustrates that no company is immune. Of the entities reporting data breaches, 47% fell into the business category. Both business and educational entities experienced an upswing in data loss incidents in 2011.</p>
<p>The report also considers government/military, financial/credit and health/medical entities, the third of which accounted for 20.5% of the breaches in 2011.</p>
<p>Among the more alarming findings is that 61.6% of the reported breaches in 2011 exposed Social Security numbers (SSN), one of the most valuable pieces of personal data an individual has. Such exposure can leave a consumer vulnerable to identity theft indefinitely. Individuals can’t easily exchange their SSN for a new number like they can with credit or debit cards. (Loss of credit and debit card data was a factor in 26.5% of incidents in 2011.)</p>
<p>Drawing on what’s known about how breaches occur, companies can plan ahead to prevent and respond to incidents in order to protect themselves and the consumer data they use and collect. A comprehensive prevention and response plan should account for all of the various ways, including accidental exposure and subcontractor loss, that breaches occur.</p>
<p>Staying aware of vulnerabilities can only help companies strengthen their defense. Data breaches are here to stay, so there’s no time like the present to take prevention and preparation seriously.</p>
<p>*“Data on the move” refers to data that has left its usual place of rest, i.e. its proper storage place. This includes data in transport to a new storage location as well as data that has left an office on an electronic drive, a mobile device or paper.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/05/07/itrc-report-identifies-top-three-data-breach-triggers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Infographic: Unlock data breach facts</title>
		<link>http://www.experian.com/blogs/data-breach/2012/03/12/unlock-data-breach-facts/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/03/12/unlock-data-breach-facts/#comments</comments>
		<pubDate>Mon, 12 Mar 2012 17:12:33 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[data breach response]]></category>
		<category><![CDATA[Ponemon Institute]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1071</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[
<div style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/03/UnlockDateBreachFacts2.jpg"><img class="aligncenter size-full wp-image-1079" title="UnlockDateBreachFacts" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/03/UnlockDateBreachFacts2.jpg" alt="" width="466" height="816" /></a></div>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/03/12/unlock-data-breach-facts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The data breach reporting landscape &#8211; part 1</title>
		<link>http://www.experian.com/blogs/data-breach/2012/02/28/the-data-breach-reporting-landscape-part-1/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/02/28/the-data-breach-reporting-landscape-part-1/#comments</comments>
		<pubDate>Tue, 28 Feb 2012 16:25:22 +0000</pubDate>
		<dc:creator>kbarney</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1010</guid>
		<description><![CDATA[Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC). As an organization specializing in monitoring and tracking data breaches, the ITRC has come across varying degrees of breaches and reasons for notification due to the varying types of compromised information. We would like to take this opportunity to address [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/02/crumbling-lock.jpg"><img class="aligncenter size-full wp-image-1014" title="crumbling lock" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/02/crumbling-lock.jpg" alt="" width="509" height="338" /></a></p>
<p><em>Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC).</em></p>
<p>As an organization specializing in monitoring and tracking data breaches, the <a title="itrc website" href="http://www.idtheftcenter.org/" rel="nofollow">ITRC</a> has encountered breaches of varying degrees, and varying reasons for notification, depending on the type of information compromised. We would like to take this opportunity to address some of these differences and provide some insight into our approach to tracking data breach incidents.</p>
<p>According to most state laws, a data breach is an <em>incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so</em>. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property. Note that under these state breach laws, non-personal identifying information is <em>not</em> included.</p>
<p>Next, let’s consider hacking. By definition, “hacking” is the deliberate and unauthorized access, use, disclosure and/or taking of electronic data on a computer. Hacking efforts target all types of information, from high-level intellectual property down to individual personal information, both sensitive and non-sensitive. Taken together, these two situations account for nearly 26% of the “reported breaches” included on the 2011 Identity Theft Resource Center Breach List.</p>
<p>This brings us to the definition of “reported breaches”. ITRC only publishes breach incident information that is available from credible, public resources. Breach incidents are tracked daily from sources such as state Attorneys General offices, a variety of media sources, and other well-recognized and respected entities that track and capture this information from publicly available sources. This approach means that the ITRC Breach Report reflects only the tip of the iceberg.</p>
<p>In 2011, 41% of the <a title="2011 Year of the Breach" href="http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/">breaches</a> on the ITRC report show the number of records exposed as “unknown.” In addition, ITRC is aware of a significant number of breaches that are not made public. As a result, it is not possible to provide truly accurate numbers, either for the number of breaches or for the number of records.</p>
<p>The majority of “reported breaches” included in the list are those that have met the “breach notification triggers” established by the various state laws on this issue. Usually these incidents are electronic in nature, and must also expose information identified as PII, such as first and last name combined with a Social Security number, driver’s license or state identification number and/or financial account numbers (including debit and credit cards). Some states have expanded this “trigger” definition to include medical and healthcare information. This situation leaves large loopholes for breaches to remain unreported.</p>
<p>Currently we know that:</p>
<ul>
<li>An indeterminate number of breaches go unreported, even when <a title="Breach notification in three easy steps" href="http://www.experian.com/blogs/data-breach/2011/05/10/breach-notification-in-three-easy-steps/">notification</a> should have been triggered according to the applicable state laws.</li>
<li>Many breach notifications (at least in what is disclosed by the entity) underreport the number of records.</li>
<li>Many breach notifications also do not clearly define the types of information exposed.</li>
<li>Public information is often incomplete in detailing how the breach occurred.</li>
<li>Many breaches involving non-PII, such as email addresses, user names and passwords, are not reported because they do not meet the “breach notification triggers” established by the various state laws.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/02/28/the-data-breach-reporting-landscape-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Five top trends in security threats</title>
		<link>http://www.experian.com/blogs/data-breach/2012/01/31/five-top-trends-in-security-threats/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/01/31/five-top-trends-in-security-threats/#comments</comments>
		<pubDate>Tue, 31 Jan 2012 18:09:30 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Security Breaches]]></category>
		<category><![CDATA[smishing]]></category>
		<category><![CDATA[Social media policy]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=941</guid>
		<description><![CDATA[Just as technology is continuously evolving, so are the wily ways in which fraudsters circumvent the safeguards for changing technologies.  Symantec’s study Internet Security Threat Report offers a review of where cyber thieves are finding new opportunities and, accordingly, where experts believe the thorniest security trouble spots lie. ]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/01/crime-scene-data-security.jpg"><img class="aligncenter size-full wp-image-944" title="crime-scene-data-security" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/01/crime-scene-data-security.jpg" alt="" width="500" height="375" /></a></p>
<p>Just as technology is continuously evolving, so are the wily ways in which fraudsters circumvent the safeguards for changing technologies. Symantec’s <a title="Symantec Security Threat Report" href="http://www.symantec.com/threatreport/topic.jsp?id=highlights" rel="nofollow" target="_blank">Internet Security Threat Report</a> offers a review of where cyber thieves are finding new opportunities and, accordingly, where experts believe the thorniest security trouble spots lie.</p>
<p>According to Symantec, here are the top five threats to beware of:</p>
<p>1. Targeted attacks continue to evolve. While <a title="Blog Post - How hackers find their targets" href="http://www.experian.com/blogs/data-breach/2011/09/06/how-hackers-find-their-targets/" target="_blank">targeted attacks</a> on the large infrastructures of corporations are attempted almost every day, companies are increasingly being attacked specifically to gain access to their intellectual property. A prominent example is last year’s “Hydraq” attack on Google, a suspected politically motivated attack to steal sensitive information from Gmail accounts, which prompted Google to threaten to pull its operations out of China. Given that this attack would not have succeeded without convincing recipients that links and attachments in an email came from a known source, the lesson is that the biggest security vulnerability is our trust in friends and colleagues.</p>
<p>2. Social networks + social engineering = compromise. Hackers are getting better at learning who we are through social media outlets and posing as friends. So-called <a title="Blog post - Tips to implement an effective social media policy" href="http://www.experian.com/blogs/data-breach/2011/07/05/tips-to-implement-an-effective-social-media-policy/" target="_blank">social engineering attacks</a> are becoming more sophisticated and harder to detect.</p>
<p>3. Hide and seek (zero-day vulnerabilities and rootkits). To be successful, targeted attacks must penetrate an organization and remain undetected for as long as possible. So-called “zero-day vulnerabilities” help hackers maintain a game of hide and seek. A zero day occurs when a hacker discovers (and exploits) a security vulnerability in a software program before the program’s engineers do, although some believe that the fear of these vulnerabilities as a basis for attacks is worse than the reality. Rootkits, software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications, also help hackers stay undetected.</p>
<p>4. Attack kits get a caffeine boost. Hackers are profiting from security vulnerabilities by packaging their discoveries into easily downloadable attack kits that are sold in the underground fraud economy. Symantec believes that these kits played a role in creating over 286 million variants of malware last year.</p>
<p>5. Mobile threats increase. With the explosive usage of smart phones and other mobile devices, hackers are naturally becoming ever more drawn to this territory as a <a title="Blog post - mobile smishing attacks are on the rise" href="http://www.experian.com/blogs/data-breach/2010/12/21/mobile-smishing-attacks-are-on-the-rise/" target="_blank">platform for fraud</a>. Sophisticated operating systems mean that vulnerabilities are plentiful, and Trojans hidden in legitimate applications sold on app stores offer an effective means to multiply the damage.</p>
<p>Fraudsters will never stop finding ways to capitalize on security weaknesses and wreak havoc on privacy and bottom lines, which is why every business should work with security experts to stay ahead of these threats.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/01/31/five-top-trends-in-security-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Quick glance: data breach litigation &amp; legislation in 2012</title>
		<link>http://www.experian.com/blogs/data-breach/2012/01/10/quick-glance-data-breach-litigation-legislation-in-2012/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/01/10/quick-glance-data-breach-litigation-legislation-in-2012/#comments</comments>
		<pubDate>Tue, 10 Jan 2012 16:53:34 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach notification fatigue]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[data breach response]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Federal Trade Commission]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=912</guid>
		<description><![CDATA[With the recent spate of data breaches and accompanying class action lawsuits, businesses have constant reminders that an ounce of prevention is worth a pound of cure. The best way to protect your business against the high costs of data breaches is to ensure your security practices and fraud resolution plans are strongly built to ward off malicious attacks and the complications that follow.]]></description>
			<content:encoded><![CDATA[
<p>It was only a matter of time before a flood of class action lawsuits began to wash over breached companies. In general, these suits allege that a company: 1) did not adequately protect the sensitive data entrusted to it and 2) did not notify consumers of the breach in a timely enough manner. In 2011, after one of the biggest breaches of the year went public, it took just one day for the first class action lawsuit to be lodged.</p>
<p>The avalanche of recent breaches has been worrisome for consumers, causing lawyers, as well as lawmakers, to take note. Moving into 2012, businesses will want to carefully watch the changing landscape of litigation and legislation.</p>
<p>Two recently submitted bills would require companies to inform affected customers, the <a title="Develop a data breach response plan" href="http://www.experian.com/blogs/data-breach/2011/02/22/develop-a-breach-response-plan-now-to-be-ready-to-efficiently-address-a-breach-as-soon-as-it-is-reported/" target="_blank">Federal Trade Commission</a> and law enforcement of a data loss within 48 hours of completing a breach assessment.</p>
<p>No matter the outcome of these bills, companies that delay making their breaches public will continue to face the consequences. In 2011, a large financial institution found itself in hot water after waiting weeks to notify customers of a breach. The controversial delay prompted a leading industry group representing the country’s largest financial institutions to testify before Congress. The testimony suggested that banks should immediately notify federal officials and affected customers of a breach.</p>
<p>While the outcome of recent litigation remains to be seen, many lawyers expect these suits to grow in both size and awards. To date, Internet privacy-related lawsuits have yet to yield the hefty settlements of securities fraud cases. Still, with the escalating breadth of data breaches, higher-profile law firms, ones known for mounting successful securities fraud litigation on behalf of shareholders, are getting involved.</p>
<p>The challenge for plaintiffs’ lawyers in security breach cases is not in proving liability but establishing damages. Judges must determine whether the compromise of personal data represents a loss of value or if there should be additional proof of tangible harm.</p>
<p>With the recent spate of data breaches and accompanying class action lawsuits, businesses have constant reminders that an ounce of <a title="Data breaches - to prepare or not to prepare?" href="http://www.experian.com/blogs/data-breach/2011/05/17/data-breaches-%E2%80%93-to-prepare-or-not-to-prepare-the-answer-is-simple/" target="_blank">prevention</a> is worth a pound of cure. The best way to protect your business against the high costs of data breaches is to ensure your<a title="Data Breach homepage" href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank"> security practices and fraud resolution</a> plans are strongly built to ward off malicious attacks and the complications that follow.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/01/10/quick-glance-data-breach-litigation-legislation-in-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Resources for managing your enterprise security and privacy risk in the new year</title>
		<link>http://www.experian.com/blogs/data-breach/2012/01/03/resources-for-managing-your-enterprise-security-and-privacy-risk-in-the-new-year/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/01/03/resources-for-managing-your-enterprise-security-and-privacy-risk-in-the-new-year/#comments</comments>
		<pubDate>Tue, 03 Jan 2012 08:00:57 +0000</pubDate>
		<dc:creator>tbowers</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[National Cyber Security Awareness Month]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=901</guid>
		<description><![CDATA[Here’s a look at some of the resources I find useful in testing and training for a data breach.]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/data_security.jpg"><img class="aligncenter size-full wp-image-902" title="Data locked" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/data_security.jpg" alt="" width="518" height="337" /></a></p>
<p><em>Our guest blogger this week is Tom Bowers. While well-known for years as the Managing Director of <a title="Security Constructs" rel="nofollow" href="http://www.securityconstructs.com/about.htm" target="_blank" class="broken_link">Security Constructs LLC</a>, he is now the Chief Information Security Officer (CISO) for the Virginia Community College System.</em></p>
<p>I&#8217;ve been actively involved in InfraGard for many years. InfraGard is a partnership between the FBI and the private sector with a primary mission of protecting critical infrastructure.  Because of this partnership, I began to wonder if the U.S. government had anything I could leverage in my own business operations. The answer is, “yes.”</p>
<p>I&#8217;ve used the guidelines from the National Institute of Standards and Technology (NIST) for many years as a basis for building information security programs around the world. While these are excellent building blocks, they don&#8217;t address my training needs in preparing for a cyber attack. So I also leverage resources from the Department of Homeland Security (DHS) and other agencies.</p>
<p>Here’s a look at some of the resources I find useful in testing and training for a data breach:</p>
<p><strong>NIST Computer Security Incident Handling Guide</strong><br />
In the back of this document (Special Publication 800-61) are tabletop exercise scenarios to help train your incident response team.<br />
While a bit limited in scope, they are an excellent starting point at no cost to you.</p>
<p><strong>DHS/FEMA Certified Cyber Security Training</strong><br />
The online Domestic Preparedness Campus is a portal for 10 courses that address three audiences within your enterprise: non-technical staff, technical staff and business professionals. While they are perhaps a bit broad and general at times, they are an excellent starting point for your enterprise.</p>
<p>The different courses include:</p>
<ul>
<li>Information Security for Everyone</li>
<li>Cyber Ethics</li>
<li>Cyber Law and White Collar Crime</li>
<li>Information Security Basics</li>
<li>Secure Software</li>
<li>Network Assurance</li>
<li>Digital Forensics Basics</li>
<li>Business Information Continuity</li>
<li>Information Risk Management</li>
<li>Cyber Incident Analysis and Response</li>
</ul>
<p><strong>Homeland Security Exercise and Evaluation Program </strong></p>
<p>This program from the DHS provides a standardized method of creating cyber security exercises. You work with a member of the DHS team to create and ultimately execute a testing program. My organization is currently setting up a tabletop exercise with DHS for all 23 of our organizational Information Security Officers next spring. For your company, I expect that the Training Exercises portion will prove the most valuable.</p>
<p>In total, they offer seven exercise types, broken down into discussion-based and operations-based exercises.</p>
<p><em>Discussion-based Exercises</em><br />
1. Seminar &#8211; A seminar is an informal discussion designed to orient participants to new or updated plans, policies or procedures.<br />
2. Workshop &#8211; A workshop resembles a seminar but is employed to build specific products, such as a draft plan or policy.<br />
3. Tabletop Exercise (TTX) &#8211; A tabletop exercise involves key personnel discussing simulated scenarios in an informal setting.<br />
4. Games &#8211; A game is a simulation of operations that often involves two or more teams, usually in a competitive environment, using rules, data and procedures designed to depict an actual or assumed real-life situation.</p>
<p><em>Operations-based Exercises </em><br />
5. Drill &#8211; A drill is a coordinated, supervised activity usually employed to test a specific operation or function within a single entity.<br />
6. Functional Exercise (FE) &#8211; A functional exercise examines and/or validates the coordination, command, and control between various multi-agency coordination centers. A functional exercise does not involve any &#8220;boots on the ground.&#8221;<br />
7. Full-Scale Exercises (FSE) &#8211; A full-scale exercise is a multi-agency, multi-jurisdictional, multi-discipline exercise involving functional and &#8220;boots on the ground&#8221; response.</p>
<p><em>Cyber Storm</em><br />
<a title="Cyber Storm" rel="nofollow" href="http://www.dhs.gov/files/training/gc_1204738275985.shtm" target="_blank" class="broken_link">Cyber Storm</a> is the biennial, government-sponsored cybersecurity exercise run by DHS. It brings together international government agencies, national and state government agencies and private industry. Its stated aims are to:</p>
<ul>
<li>“Examine organizations’ capability to prepare for, protect from, and respond to cyber attacks’ potential effects</li>
<li>Exercise strategic decision making and interagency coordination of incident response(s) in accordance with national level policy and procedures</li>
<li>Validate information sharing relationships and communications paths for collecting and disseminating cyber incident situational awareness, response and recovery information</li>
<li>Examine means and processes through which to share sensitive information across boundaries and sectors without compromising proprietary or national security interests.”</li>
</ul>
<p>Cyber Storm III was used to hone and tune the latest U.S. National Cyber Incident Response Plan, released early in 2011. The 2010 exercise had 60 companies participating across many industry sectors. It also tested the newly formed National Cybersecurity and Communications Integration Center, which is the &#8220;boots on the ground&#8221; hub for national <a title="Cyber Security Facts" href="http://www.experian.com/data-breach/cyber-security.html" target="_blank">cybersecurity</a> coordination.</p>
<p>Managing your enterprise security and <a title="Data Breach Resources" href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">privacy</a> risk posture can be a daunting task at times. Hackers are more sophisticated and coordinated in their attacks. It’s pretty tough out there right now but new tools, processes and procedures will ultimately gain the upper hand. You are not alone. There are a wide range of resources freely available to help build the skill sets of our teams. I remain encouraged and look forward to the battle with new hope and fortitude.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/01/03/resources-for-managing-your-enterprise-security-and-privacy-risk-in-the-new-year/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Year of the breach: 2011 in review</title>
		<link>http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/#comments</comments>
		<pubDate>Tue, 20 Dec 2011 23:24:20 +0000</pubDate>
		<dc:creator>kbarney</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Identity Theft Resource Center]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[privacy legislation]]></category>
		<category><![CDATA[Security Breaches]]></category>
		<category><![CDATA[smishing]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=888</guid>
		<description><![CDATA[Several high profile events throughout the year have kept the spotlight on the issue of data exposures, especially those where millions of consumers information was obtained by malicious hackers.  Although the information involved, emails and passwords, does not rise to the level of a “personal identifying information” (PII) breach, it is definitely troubling that such a large number of consumers may become targets of phishing and related attacks, which do attempt to get consumers PII.]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/usb_data_breach_laptop_610.jpg"><img class="aligncenter size-full wp-image-891" title="usb_data_breach_laptop_610" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/usb_data_breach_laptop_610.jpg" alt="Business person inserting usb into laptop" width="610" height="407" /></a></p>
<p><em>Our guest blogger this week is Karen Barney of the <a title="Identity Theft Resource Center" href="http://www.idtheftcenter.org/" target="_blank" class="broken_link" rel="nofollow">Identity Theft Resource Center</a> (ITRC).</em></p>
<p>The number of breaches reported so far in 2011 is down from 2010, yet 2011 is still considered by many to be yet another “Year of the Breach”.  Several high-profile events throughout the year have kept the spotlight on the issue of data exposures, especially those where millions of consumers’ records were obtained by malicious hackers.  Although the information involved, email addresses and passwords, does not rise to the level of a “personal identifying information” (PII) breach, it is definitely troubling that such a large number of consumers may become targets of phishing and related attacks, which do attempt to obtain consumers’ PII.</p>
<p>More and more entities are now tracking data breach occurrences by:</p>
<ul>
<li>Industry sectors (categories): business, educational, government, medical, financial</li>
<li>Breach “type” (method of access): hacking, insider, portable device (“data on the move”), accidental exposure, subcontractor, and lost or stolen; in some cases, discarded paper documents</li>
<li>Various attributes: paper or electronic, encrypted, password-protected, number of records unknown or published</li>
</ul>
<p>While most definitions and terms are relatively consistent between these monitoring sources, there are some notable differences.  Differing filters applied by each monitoring entity as to what qualifies as a data breach on any given list create some divergence when breach lists are compared.  These filters may range from whether the incident involves specific types of exposed PII to whether a designated minimum number of records has been compromised (for example, a 10- or 500-record minimum).</p>
<p>Often it is how a “record” is defined that yields the greatest disparity in determining the number of “records” exposed.  Many breach analysts consider “records” to be those persons whose sensitive <a href="../2011/09/27/ensuring-the-security-of-personal-identifiable-information/">personal identifying information</a> (PII), such as Social Security numbers, debit or credit card numbers, financial account numbers, medical record numbers, and driver’s license or state identification numbers, has been exposed.  How, then, does one account for compromised non-PII information, such as email addresses, user names, or other non-financial account information?</p>
<p>Many <a href="../2011/09/06/how-hackers-find-their-targets/">hacking incidents</a> this past year didn’t target personal identifying information, but instead focused on email addresses, passwords and other pieces of non-sensitive personal information.   The challenge for many who analyze breach incident statistics is how to “quantify” the number of breached records that do not involve PII.  Should emails and passwords be counted as “records” in the same way as Social Security numbers and financial account numbers?   As of now, most state laws do not include non-sensitive personal information as triggers for breach notification, so there is no legal obligation to report such an incident.</p>
<p>&#8220;The law only requires that an entity notify those who had sensitive information compromised, like Social Security numbers,&#8221; says Lisa Sotto, a managing partner for New York-based law firm Hunton &amp; Williams, in a recent interview with BankInfoSecurity.   &#8220;But now we know other things, like e-mail addresses, can lead to compromise through social engineering and phishing.&#8221;</p>
<p>The challenge, then, for the incident response team is determining whether a breach notification is required.  If so: what happened? Who needs to be notified? What specifics are required? When do we do it? How did it happen? And what have we done to make sure it won’t happen again?  The answers to these questions should all be part of an established Breach Response Plan.  Other pieces of this plan should include best-practice protocols, procedures, corporate training guidelines and employee education.  In addition, an organizational ethic must be created so that all employees realize the importance of protecting personal information.  A corporate environment must be maintained which fosters and strengthens information security awareness at all levels of the organization.</p>
<p>Another important issue to consider in your company’s incident response plan is whether it is in the best interest of the company to report a data breach incident when there is no legal obligation to do so.  Under these circumstances, it is critical that the response team identify the best notification and crisis management tactics before a breach ever occurs.   Those companies with strong incident response plans are able to react more quickly and accurately, prevent further data loss (and potential fines), and present factual reporting to the public that minimizes customer backlash and negative publicity.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Holiday travel without data leaks</title>
		<link>http://www.experian.com/blogs/data-breach/2011/12/13/holiday-travel-without-data-leaks/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/12/13/holiday-travel-without-data-leaks/#comments</comments>
		<pubDate>Tue, 13 Dec 2011 01:03:07 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[Consumer fraud]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[healthcare data breach]]></category>
		<category><![CDATA[Identity Theft Prevention]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[Ponemon Institute]]></category>
		<category><![CDATA[Security Breaches]]></category>
		<category><![CDATA[Social media policy]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=879</guid>
		<description><![CDATA[The average value of a lost laptop is $49,246, a number based on several factors: replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses. ]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/5733459-santa-s-christmas-travel.jpg"><img class="aligncenter size-full wp-image-882" title="5733459-santa-s-christmas-travel" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/5733459-santa-s-christmas-travel.jpg" alt="" width="432" height="305" /></a></p>
<p>The winter holidays are upon us and that means the travel season is pivoting into high gear.  Employees everywhere are preparing to trot off hither and yon, likely with their laptops and <a href="../2010/12/21/mobile-smishing-attacks-are-on-the-rise/">mobile devices</a> in tow – and, accordingly, with your company’s data, as enticing to prowling cyber-thieves as overstuffed Christmas stockings.  While holiday travelers unwind and turn their focus to hearth and family, fraudsters focus on snatching precious data from unwary targets at airports, wi-fi hotspots, hotels and beyond.</p>
<p><a rel="nofollow" href="http://www.thetechherald.com/article.php/200950/4916/Protecting-the-company-as-employees-travel-during-the-holidays" target="_blank" class="broken_link">What can companies do</a> to mitigate the risk to their holiday-traveling data?</p>
<p>First, remind employees about the importance of protecting their laptops and other data-carrying devices. According to the <a title="Ponemon Reputation Impact Study" href="http://www.experian.com/data-breach/reputation-impact-study.html" target="_blank" class="broken_link" rel="nofollow">Ponemon Institute</a>, close to 637,000 laptops are lost each year, most commonly at security checkpoints.  Ponemon notes that 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65 percent of those laptops are not reclaimed.  The airports with the highest number of lost, missing or stolen laptops include (in this order) Los Angeles International, Miami International, Kennedy International, and Chicago O’Hare.  While Atlanta’s Hartsfield-Jackson International is the busiest airport in the U.S., it is tied for eighth place (with Washington’s Reagan National) for lost, stolen or missing laptop computers.</p>
<p>The average value of a lost laptop is $49,246, a number based on several factors: replacement cost, detection, forensics, <a href="../2011/08/16/the-dollars-of-a-data-breach/">data breach</a> costs, lost intellectual property, lost productivity and legal, consulting and <a href="../2011/06/28/is-a-national-data-breach-notification-law-finally-within-reach/">regulatory expenses</a>.  Given the damage associated with laptops that go MIA, it might be wise to restrict access to corporate information while employees are traveling.  If full access to server information isn’t needed, consider using other systems such as read-only export files.  Suggest that employees transfer sensitive data from laptops to your company’s secure central server, or move it to a disk that may be stored safely until they return.  And don’t forget <a href="../2011/07/12/encryption-data%E2%80%99s-best-friend/">encryption</a>: full-disk encryption protects the data on a device that goes missing even though the hardware is gone.  Pair it with an endpoint-management tool that can remotely erase a lost device if it reconnects to a network; encryption by itself does not provide remote wipe, and remote wipe by itself does nothing for a device that never comes back online.</p>
<p>A few other tips:</p>
<ul>
<li><strong>Encourage the use of privacy filters</strong>, which block the ability to view computer screens from an angle.</li>
<li><strong>Guard against open wi-fi prowlers</strong> by setting computer defaults so that the device asks the user before joining a new or unfamiliar network, rather than connecting automatically to any network whose name it has seen before.</li>
<li><strong>Discourage the use of public computers</strong>.  They may be infected with keylogging spyware that records every keystroke, including passwords.</li>
</ul>
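<p>As an added illustration of the encryption and wi-fi tips above (this is example code, not part of the original post or any Experian tool), the following pre-travel check for a Windows laptop verifies that the system drive is fully encrypted with BitLocker protection switched on, then moves every saved wi-fi profile from automatic to manual connection and deletes saved profiles for open networks. It assumes Windows 8 / Server 2012 or later with the BitLocker PowerShell module, an elevated PowerShell session, and an English-language <code>netsh</code> (the “All User Profile” label is locale-specific).</p>

```powershell
# Added example, not code from the original post: a pre-travel check for a Windows laptop.
# Assumptions: Windows 8 / Server 2012 or later with the BitLocker PowerShell module,
# run from an elevated (administrator) PowerShell session, English-language netsh output.

# 1. Verify the OS volume is fully encrypted AND protection is on. A volume that is
#    encrypted but suspended (ProtectionStatus = Off) offers no protection if the
#    laptop is lost, so both properties are checked, not just VolumeStatus.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.VolumeStatus -ne 'FullyEncrypted' -or $os.ProtectionStatus -ne 'On') {
    Write-Warning ("{0}: VolumeStatus={1}, ProtectionStatus={2}; do not travel with this machine" -f
        $os.MountPoint, $os.VolumeStatus, $os.ProtectionStatus)
}

# 2. Weak default: a saved wi-fi profile with connectionmode=auto rejoins any access point
#    that advertises the same SSID, including a rogue hotspot in an airport or hotel lobby.
#    Hardened setting: switch every saved profile to manual, so the user must choose to connect.
$profiles = netsh wlan show profiles | ForEach-Object {
    if ($_ -match '^\s*All User Profile\s*:\s*(.+)$') { $Matches[1].Trim() }
}
foreach ($name in $profiles) {
    netsh wlan set profileparameter name="$name" connectionmode=manual | Out-Null
}

# 3. Saved profiles for open (unauthenticated) networks are the easiest to impersonate,
#    since any access point broadcasting that SSID will be accepted; delete them outright.
foreach ($name in $profiles) {
    $detail = netsh wlan show profile name="$name"
    if ($detail -match 'Authentication\s*:\s*Open') {
        netsh wlan delete profile name="$name" | Out-Null
    }
}

# Report what remains so the traveler can review the list before leaving.
netsh wlan show profiles
```

<p>Run it once before the trip and again on return; a profile that reappears in automatic mode, or a BitLocker volume that shows protection suspended, is worth a question to the user about what was done on the road.</p>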
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/12/13/holiday-travel-without-data-leaks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data breaches make the hospitality industry less hospitable</title>
		<link>http://www.experian.com/blogs/data-breach/2011/11/16/data-breaches-make-the-hospitality-industry-less-hospitable/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/11/16/data-breaches-make-the-hospitality-industry-less-hospitable/#comments</comments>
		<pubDate>Wed, 16 Nov 2011 18:00:33 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Consumer fraud]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[data breach response]]></category>
		<category><![CDATA[Data Policy]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Identity Theft Prevention]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=867</guid>
		<description><![CDATA[According to a new report by British insurance firm Willis Group Holdings, insurance claims for data theft worldwide jumped 56% last year, with the largest share of those attacks - 38% - targeting hotels, resorts and tour companies.
Why are hackers increasingly making themselves at home in the hospitality sector?  ]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/11/travel.jpg"><img class="aligncenter size-full wp-image-868" title="Travel destination" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/11/travel.jpg" alt="Palm trees over a clear blue ocean and white sand" width="557" height="417" /></a></p>
<p>The tourism industry may be bouncing back from the worst of the recession, but occupancy, unfortunately, isn’t the only thing on the rise.  So are <a href="http://www.experian.com/data-breach/data-breach-information.html" target="_blank">data breaches</a>.</p>
<p>According to a new report by British insurance firm Willis Group Holdings, insurance claims for data theft worldwide jumped 56% last year, with the largest share of those attacks &#8211; 38% &#8211; targeting hotels, resorts and tour companies.</p>
<p>Why are <a href="http://www.experian.com/blogs/data-breach/2011/10/11/cyberdefense-without-coffee-breaks/" target="_blank">hackers</a> increasingly making themselves at home in the hospitality sector?</p>
<p>According to <a title="Hotel News Now" rel="nofollow" href="http://www.hotelnewsnow.com/Articles.aspx/3329/Hotel-data-breaches-the-result-of-basic-failures-within-industry" target="_blank" class="broken_link">hospitality experts</a>, the reasons are multi-fold:</p>
<ol>
<li>Labor cutbacks.  Given the recessionary climate, hotels have reduced staff and are trying to do more with less.  While the lean and mean approach may help hospitality businesses bolster bottom lines, it hurts the industry’s front-line defenses against hackers.</li>
<li>Software and equipment reductions.  While hotels ride out the recession, security maintenance, implementation and upgrades fall lower on the priority checklist, creating an easy welcome mat for fraudsters.</li>
<li>Multiple entry points.  Customers book hotels through hotel websites, online travel reservation portals, phone calls, email, postal mail, and in person with concierges.  Each channel carries its own risk of <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">data breaches</a> and must be addressed individually.</li>
<li>Broad access to <a href="http://www.experian.com/data-breach/data-breach-security.html" target="_blank">personal data</a>.  The hospitality industry keeps massive amounts of personal data on file for years and can sometimes lose track of what it has stored and where – all within databases that may be far less than bullet-proof.</li>
<li>Guest room computers with flimsy protection.  Those networked desktops that hotels sometimes provide for guests can be so helpful…and harmful.  Often these computers are riddled with viruses or hiding bits and bytes of old customer data.</li>
<li>Insecure cultures.  Even in the best of times, much of the hospitality industry simply doesn’t prioritize security as it should.  By creating business cultures that don’t sufficiently respect privacy, hotels are jeopardizing the trust of their customers.</li>
</ol>
<p>Given that hackers have identified the hospitality sector as a soft target, what can hotels do to keep these unwanted guests out?  Here are some tips from industry watchdogs:</p>
<ol>
<li>Minimize data collection.  If you don’t need it, don’t collect it.</li>
<li>Understand and comply with PCI-DSS.  Make sure your business is completely aware of its “cardholder data environment” and is providing appropriate protections.</li>
<li>Find and digitally shred unneeded information.  Old, forgotten data is dangerous. Don’t be “data blind” – eliminate what you no longer need.</li>
<li>Simplify your reports.  For example, don’t offer up social security numbers if not needed.</li>
<li>Limit access.  Employees should be on a “need to know” basis with PCI and HR data.</li>
<li>Split up your network.  Create electronic firewalls that limit the spread of viruses and attacks.</li>
<li>Encrypt. Proper encryption renders hacked data unusable.</li>
<li>Understand your network.  Review network logs for unauthorized activity, and make sure your security professionals do, too.</li>
<li>Don’t put security in the ghetto.  Security isn’t just for IT professionals; make sure your entire organization creates and respects a culture of privacy that prioritizes security as the basis for all of its operations.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/11/16/data-breaches-make-the-hospitality-industry-less-hospitable/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>