Archive for May, 2015

FBI opens probe of IRS data breach


The FBI is launching an investigation into a recent data breach at the Internal Revenue Service.

The FBI said Thursday that it is working with other agencies “to determine the nature and scope of this matter,” and urged taxpayers contacted by the IRS as victims of the hackers to ensure their personal information is secure.

“The compromise of government systems and theft of taxpayer data are taken very seriously, and the FBI and IRS will aggressively pursue and hold accountable those responsible for this recent incident,” the FBI said in a statement.

On Tuesday, the IRS announced that it had discovered that hackers had breached the agency’s website and gained access to the old returns of over 100,000 taxpayers. Using stolen identification information obtained elsewhere, the hackers were able to impersonate taxpayers on the IRS’s website, gaining access to old returns containing a wealth of personal financial information.

IRS Commissioner John Koskinen said at the time the agency believed the breach was the work of organized crime, and would be notifying all taxpayers targeted, and providing credit monitoring services to those who had their information compromised.

The FBI said Thursday that any taxpayer who suspects their identity has been stolen should report it to the agency.

Lawmakers are also probing the breach, as the Senate Finance Committee announced plans to discuss the matter on June 2 with Koskinen and other IRS officials.

Article source: http://thehill.com/policy/finance/243303-fbi-looking-into-irs-data-breach

Target customers hit by data breach can file claims until July 31

WATERLOO | Target store customers may have some money coming back.

According to a legal notice that went out last week, Minneapolis-based Target Corp. reported a settlement has been proposed in lawsuits against the company related to Target customers whose credit/debit card information or personal information was stolen as a result of a data breach that was reported in December 2013.

Target has one store each in Waterloo and Cedar Falls.

The notice said Target customers who were included in the settlement may be eligible for a cash payment.

Customers affected by the breach can submit a claim form at targetbreachsettlement.com by July 31.

The case is In re: Target Corporation Customer Data Security Breach Litigation, U.S. District Court, District of Minnesota, No. 14-md-02522.

A U.S. judge in December approved consumers filing suit against the retailer over the breach, rejecting Target’s argument the consumers lacked standing to sue because they could not establish any injury.

The settlement is subject to final approval by a federal court Nov. 10. The plan calls for Target to put $10 million into a fund to pay its affected customers.

Target has reported that at least 40 million cards were compromised in the breach, which may also have resulted in the theft of as many as 110 million people’s personal data, such as email addresses and telephone numbers.

The settlement calls for two types of recoveries. In the first category, claimants who can document financial losses that resulted from a compromise of their personal or financial information can recover as much as $10,000. Such losses include unauthorized, unreimbursed charges; certain costs and fees; and lost or restricted access to funds; and so on.

The second category includes those who don’t have documentation and calls for “an equal share of the settlement fund remaining after payment of claims for documented losses and service payments.” For example, if the total of service payments awarded by the court plus documented claims adds up to $1 million and 300,000 settlement class members submit valid claims without documentation, a claimant would receive $30 from the settlement fund, the legal notice said. The amount of actual payments will depend on the amount of claims received.

In an Associated Press story, Vincent Esades, the plaintiffs’ lead counsel, said Target’s total settlement costs could reach $25 million.

Article source: http://wcfcourier.com/business/local/target-customers-hit-by-data-breach-can-file-claims-until/article_593aa1b5-f58d-58cd-9f7f-0eeff42aeefb.html

Supermarket giant leaks $1million of gift cards in huge data breach

Supermarket giant Woolworths has cancelled over $1million of shopping vouchers after a massive customer data leak.

A spreadsheet with the names and addresses of thousands of customers and a link to download 7,941 vouchers was reportedly emailed to more than 1000 people.

Everyone who was emailed the link could access the gift card codes and begin using the money to shop, reports Fairfax Media.

The data breach was discovered on Saturday morning after customers logged on to find that their vouchers were already spent.

The vouchers had been purchased from Groupon which ran a deal offering Big W egift cards valued between $100 and $200 at a 7.5 per cent discount.

Customers impacted by the leak were emailed on Saturday morning informing them that the gift cards had been cancelled.

When contacted by Yahoo7 a Woolworths spokesman confirmed no personal data had been leaked, apart from the email addresses.

Woolworths would not reveal how many people had been impacted by the leak or how it happened but said they were investigating.

A spokesman added: “Woolworths takes the concerns of its customers and data security seriously.

“We experienced a technical fault with an e-voucher offered to customers this week. 

“We are working to resolve the issue and are assisting customers.”

Article source: https://au.news.yahoo.com/a/28286758/supermarket-giant-leaks-1million-of-gift-cards-in-huge-data-breach/

FBI to Investigate Internal Revenue Data Breach

The Federal Bureau of Investigation has opened an investigation into the theft of tax return information from the Internal Revenue Service, an escalation of the government’s response to the identity-theft scheme.

An FBI spokesman said on Thursday that agents are working to determine the “nature and scope’’ of the theft and urged people who think their identities may have been stolen to contact authorities.

“The compromise of…

Article source: http://www.wsj.com/articles/fbi-to-investigate-internal-revenue-data-breach-1432827138

Emails reveal new details about Equifax data breach, AG announces settlement

PORTLAND, Maine — There’s a major settlement between Maine and the three credit reporting agencies. The agencies have now agreed to change the way they do business. The announcement comes just two months after CBS 13 exposed a big mistake made by one of the bureaus.

In the more than 50 page settlement between Attorney General Janet Mills and the credit agencies, the agencies agree to do a better job to produce more accurate credit reports and be more responsive when consumers call to correct mistakes — like the one we told you about in March, when one of those agencies, Equifax, sent a Maine woman hundreds of confidential credit files that weren’t hers.

“The sheer volume, 312 envelopes received by the woman in Biddeford, set this case apart from any we’d dealt with before,” Will Lund, superintendent of the Bureau of Consumer Credit Protection told CBS 13.

He’s talking for the first time on camera about the massive amount of mail sent to Katie Manning in March.

“It’s people’s personal information: credit report, Social Security, birthdays, full names, current address, previous address,” Manning said in March.

Envelope after envelope were stuffed with the private information of complete strangers, and they were all sent to her by the credit reporting company Equifax.

We connected her with state regulators.

“Releasing this much information inadvertently is not a small matter; it’s a major matter,” Lund said.

Lund picked up and inventoried each envelope, finding, he said, that they belonged to consumers in at least five states — including five from Maine.

“This is a serious situation,” Equifax Vice President of Corporate Communications Tim Klein told CBS 13 on the phone at the time.

He’s since stopped responding to requests for additional details.

So we used Maine’s right to know law to get all letters and emails between Lund and lawyers for Equifax. Two days after our story, Equifax filed notice of a security data breach, citing a “technical error.” A new email sent to Lund on Monday is revealing even more.

“This was a computer error, the company attempted to upgrade or put a new process in place that had to do with addressing envelopes — it malfunctioned in this particular case,” Lund explained.

Lund said Manning wasn’t the only one to get other people’s credit files in this mailing mix up. In fact, according to that email — the software problem stretched two days before the company “reverted back to its prior application.”

“This was the largest case. There were similar situations simultaneously in other states; they were much smaller, in the handful of cases,” Lund said.

Attorney General Janet Mills said this case highlights ongoing concerns with the three main credit reporting agencies: Equifax, Experian, and Transunion. She and Attorneys General in 30 other states are announcing a $6 million settlement with the agencies to settle claims the agencies violated consumer protection laws.

“The three nationwide credit reporting agencies have been in compliance with federal and state law, but as we showed in launching the National Consumer Assistance Plan, we do not hesitate to make improvements beyond what the law requires when doing so will benefit consumers,” Stuart Pratt, President and CEO of the Consumer Data Industry Association, the trade association which represents the agencies, said in a statement.

“This is about changing behavior,” Mills said.

Under the terms of the settlement, the agencies must make a number of changes to their business practices, including implementing a faster process for handling complicated disputes.

“Particularly when it involves identity theft, fraud or mixed up files. As you know, there have been mixed up files; people have been sent erroneous credit information or credit information about different people, other people,” Mills said.

Mills said she’s hopeful the settlement will help ease the concerns of consumers by giving them more accurate reports and improved communication.

“We’re going to monitor this thing for the next three years and make sure we keep their feet to the fire and change their corporate behaviors to protect our consumers,” Mills said.

As for that so called “technical error” — a lawyer for Equifax told the state, the company will continue to take steps to minimize the risk of similar events occurring in the future.

State regulators say Equifax won’t be required to pay any financial penalties specifically for the “technical error” mailing because they didn’t find any criminal or civil wrongdoing or gross negligence.

Right now the Bureau of Consumer Credit Protection is in the middle of a routine compliance check and, because of our stories, will be asking some extra questions about information security and quality control, according to Lund.


Article source: https://bangordailynews.com/2015/05/30/news/state/emails-reveal-new-details-about-equifax-data-breach-ag-announces-settlement/

Woolworths leaks $1 million of gift cards in massive data breach debacle

EXCLUSIVE

When Jason Wang checked the balance on his gift cards he found some had already been spent in Sydney stores.

Grocery giant Woolworths has scrambled to cancel over $1 million worth of shopping vouchers after a massive leak of customer data, in which it mistakenly emailed a spreadsheet containing the redeemable codes of 8000 gift cards along with the customers’ names and email addresses.

Fairfax Media has obtained a copy of the email, which contained an Excel spreadsheet with the names and email addresses of thousands of customers and a downloadable link to 7,941 vouchers, worth a total of $1,308,505. It is understood the spreadsheet was emailed to more than 1000 people, all of whom could access the gift card codes and immediately begin shopping.

As a result of the data leak, customers reported they had logged onto the Woolworths site on Saturday only to discover their vouchers had already been spent.

The data breach, which was discovered on Saturday morning, occurred after customers purchased the vouchers from the online savings site Groupon, which ran a deal last week offering BIG W eGift cards, valued at $200 and $100, at a 7.5 per cent discount. The cards were redeemable at Woolworths online and in store, Big W stores, and Caltex petrol stations.

Once customers had paid for the vouchers via the Groupon site they were advised they would receive an email from Woolworths’ Everyday Gift Cards containing a PDF attachment with the electronic voucher. 

But when some customers proceeded to open the attachment they discovered the Excel spreadsheet containing the links to over $1 million worth of vouchers.

Luke, a 36-year-old from Perth, WA, said he decided to check the balance on his 10 gift cards, worth $1900, on the Woolworths website after he realised other customers had probably been emailed the same Excel spreadsheet with the links to his vouchers.

“One of my gift cards had been used for online shopping already. Another one had been used in store at Woolworths Parramatta,” the father-of-two told Fairfax Media.

“Hopefully my email address doesn’t end up somewhere where it permanently gets lots of spam.”

Another customer, Jason Wang, said three of his $200 vouchers had been spent at a Woolworths in Ashfield in Sydney’s inner west, about 300km from his home in Canberra. 

On Saturday evening, affected customers received an email from Woolworths advising them the gift cards had been cancelled. 

But this, too, caused at least one customer further distress.

Mr James, who did not want to disclose his first name, said he “was embarrassed in front of a large number of people” after he attempted to buy his weekly groceries using his gift cards in a Woolworths store on Saturday, only to be told by staff he was using stolen cards.

“They took my money from my credit card and told me I was using stolen cards. I could not take the trolley of groceries home as I did not have enough money to pay.”

“I tried to call Woolworths but no one picked up the phone.”

“I have had a very very horrible day.”

When contacted by Fairfax Media, Woolworths refused to provide any detail on how the data breach occurred or the number of customers affected. Instead, it issued a two-line statement.

“Woolworths takes the concerns of its customers and data security seriously,” the statement read.

“We experienced a technical fault with an e-voucher offered to customers this week. We are working to resolve the issue and are assisting customers.”

Article source: http://www.smh.com.au/digital-life/consumer-security/woolworths-leaks-1-million-of-gift-cards-in-massive-data-breach-debacle-20150530-ghd8wl.html

13 Investigates: Emails reveal new details about Equifax data breach, AG …

WGME (PORTLAND) – There’s a major settlement between Maine and the three credit reporting agencies. The agencies have now agreed to change the way they do business. The announcement comes just two months after CBS 13 exposed a big mistake made by one of the bureaus.

In the more than 50 page settlement between Attorney General Janet Mills and the credit agencies, the agencies agree to do a better job to produce more accurate credit reports and be more responsive when consumers call to correct mistakes – like the one we told you about in March, when one of those agencies, Equifax, sent a Maine woman hundreds of confidential credit files that weren’t hers.

“The sheer volume, 312 envelopes received by the woman in Biddeford, set this case apart from any we’d dealt with before,” Will Lund, Superintendent of the Bureau of Consumer Credit Protection told CBS 13.

He’s talking for the first time on camera about the massive amount of mail sent to Katie Manning in March.

“It’s people’s personal information: credit report, social security, birthdays, full names, current address, previous address,” Manning said in March.

Envelope after envelope were stuffed with the private information of complete strangers, and they were all sent to her by the credit reporting company Equifax.

We connected her with state regulators.

“Releasing this much information inadvertently is not a small matter; it’s a major matter,” Lund said.

Lund picked up and inventoried each envelope, finding, he said, that they belonged to consumers in at least five states – including five from Maine.

“This is a serious situation,” Equifax Vice President of Corporate Communications Tim Klein told CBS 13 on the phone at the time.

He’s since stopped responding to requests for additional details.

So we used Maine’s right to know law to get all letters and emails between Lund and lawyers for Equifax. Two days after our story, Equifax filed notice of a security data breach citing a “technical error.” A new email sent to Lund on Monday is revealing even more.

“This was a computer error, the company attempted to upgrade or put a new process in place that had to do with addressing envelopes — it malfunctioned in this particular case,” Lund explained.

Lund said Manning wasn’t the only one to get other people’s credit files in this mailing mix up. In fact, according to that email — the software problem stretched two days before the company “reverted back to its prior application.”

“This was the largest case. There were similar situations simultaneously in other states; they were much smaller, in the handful of cases,” Lund said.

Attorney General Janet Mills said this case highlights ongoing concerns with the three main credit reporting agencies: Equifax, Experian, and Transunion. She and Attorneys General in 30 other states are announcing a $6 million settlement with the agencies to settle claims the agencies violated consumer protection laws.

“The three nationwide credit reporting agencies have been in compliance with federal and state law, but as we showed in launching the National Consumer Assistance Plan, we do not hesitate to make improvements beyond what the law requires when doing so will benefit consumers,” Stuart Pratt, President and CEO of the Consumer Data Industry Association, the trade association which represents the agencies, said in a statement.

“This is about changing behavior,” Mills said.

Under the terms of the settlement, the agencies must make a number of changes to their business practices, including implementing a faster process for handling complicated disputes.

“Particularly when it involves identity theft, fraud or mixed up files. As you know, there have been mixed up files; people have been sent erroneous credit information or credit information about different people, other people,” Mills said.

Mills said she’s hopeful the settlement will help ease the concerns of consumers by giving them more accurate reports and improved communication.

“We’re going to monitor this thing for the next three years and make sure we keep their feet to the fire and change their corporate behaviors to protect our consumers,” Mills said.

As for that so called “technical error” — a lawyer for Equifax told the state, the company will continue to take steps to minimize the risk of similar events occurring in the future.

State regulators say Equifax won’t be required to pay any financial penalties specifically for the “technical error” mailing because they didn’t find any criminal or civil wrongdoing or gross negligence.

Right now the Bureau of Consumer Credit Protection is in the middle of a routine compliance check and, because of our stories, will be asking some extra questions about information security and quality control, according to Lund.

Article source: http://www.wgme.com/news/features/13-investigates/stories/13-investigates-emails-reveal-new-details-equifax-data-breach-ag-announces-settlement-100.shtml

Here’s how healthcare can guard against data breaches in the “year of the hack”

Protected Health Information, or PHI, is increasingly attractive to cybercriminals. According to PhishLabs, health records can fetch as much as 10 times the value of credit card data on the black market.

Stolen healthcare records can be used for fraudulent billing which, unlike financial fraud, can go undetected for long periods of time. The rising price of healthcare records on the market is attracting more cybercriminals, who are exploiting any vulnerability they can find, be it an unpatched system or an insecure endpoint device.

We’ve all heard about several devastating data breaches in the healthcare industry this year – Anthem’s breach of more than 78 million records and the Premera Blue Cross breach of 11 million records. In the first quarter of 2015 alone, there have been 87 reported data breaches affecting 500 or more individuals, according to data from the US Department of Health and Human Services Office for Civil Rights. These breaches affected a combined total of 92.3 million individuals, up 3,709 percent from Q1 2014.

Given the mega breaches experienced by Anthem and Premera, one could consider them as outliers. In terms of comparison, excluding the aforementioned breaches would still leave us with a 4.9 percent increase in individuals affected in the first quarter of 2015 versus the same quarter in 2014. Although the first three months of 2014 saw three more data breaches than what has occurred in 2015, it is clear that the number of individuals affected per breach is on the rise.

2015 is the year of the “hack”, but people are still the root cause.

In the first quarter of the year, 33 percent of data breaches were attributed to hacking or an “IT incident,” but the methods by which cybercriminals have successfully penetrated corporate networks are quite telling. These breaches have originated from unencrypted data, unpatched systems, or compromised passwords. In 2015, several hacking incidents have been tracked back to the compromise of a single set of credentials.

The Verizon 2015 Data Breach Investigations Report analyzed nearly 80,000 security incidents including 2,122 confirmed data breaches. Its findings reveal that despite the rise in cyberattacks, 90 percent of security incidents are tied back to people and their mistakes including phishing, bad behavior, or lost devices. The report notes that, even with a detailed technical report of a security incident, the “actual root cause typically boils down to process and human decision-making.” This is frightening but also good news, as there are measures that can be taken to reduce these risks by improving upon process and education, complemented by the right data security solutions.

It’s not all about the network

Healthcare organizations reacting to data breach headlines may focus efforts on protecting the network, leaving data vulnerable to other attack vectors and overlooking the people and process risks that ultimately result in most data breaches.

Cyberattacks arrive through many different vectors. It takes only one missing device, one use of unsecured WiFi, one compromised password, or one click on a phishing email to compromise the entire corporate network. Many of these risks originate on the endpoint and put the corporate network at risk. Current data security strategies in healthcare cannot be framed as network versus endpoint, nor can they ignore the “people” risk, which is only amplified by trends such as BYOD, mobile work, the cloud, and the Internet of Things.

A holistic approach to healthcare security

If we don’t adopt a different approach – one that addresses the multitude of options available to cybercriminals – breaches will continue to occur. Healthcare organizations that want to get ahead of cybercriminals need to create a holistic approach to data security that incorporates threat prevention, incident detection, and efficient response.

Reduce “the attack surface”

Every point of interaction with PHI puts that data at risk. Reducing the sum total of these points of interaction – the attack surface – can reduce the risk to the data. I suggest a layered approach to data security which decreases the attack surface across endpoints as well as the network, including:

  • A foundation of tight controls and processes;
  • Encryption, which is a must but on its own is often circumvented;
  • A persistent technology that supplements encryption by maintaining a connection with a device regardless of user or location, while defeating attempts to remove it;
  • Network segmentation, with granular access controls and continuous-monitoring tools that offer real-time intelligence about the devices on the network and their security status;
  • Automated remediation, such as setting new firewall rules or locking down a device when suspicious activity is detected.

Minimize the “people” risk

You can have the best firewalls, encryption and network access controls, but your employees are still your weakest link. Using a combination of process (education and interactive ongoing training) and technology (such as mobile device management), employees should be aware of their part in protecting corporate data on endpoints.

Know how to detect anomalies

Conduct regular security audits on the network and endpoints. Know where your sensitive data resides and how it’s being used (or misused, in the case of employees) with the aid of a data loss prevention (DLP) tool. Most DLP and endpoint security tools can create automated alerts for suspicious activity.

Develop and maintain an incident response plan

With clear procedures in place to pursue anomalies and to escalate breach situations, potential risks can be addressed promptly and effectively. With many false positives, skilled IT personnel need to connect the dots (such as a user name change, unauthorized physical changes to the device or the device location, software vulnerabilities, registry changes or unusual system processes) and spot a true security incident quickly. Ensure your endpoint security supports remote actions such as data delete and device freeze.

With data regulations tightening, and healthcare data breaches escalating, don’t give cybercriminals an easy “in” to your organization. Trim the sails and batten the hatches to weather the oncoming storm of cyberattacks with a holistic approach to data security.

The more layers of protection you have in place, the better chance you have of avoiding a breach. Just as sailors can make or break a ship’s success in a storm, your employees are your first line of defense in preventing and detecting a data breach incident. If an incident is discovered, an efficient response plan can help your organization stay afloat in the muddy and complex waters of compliance.

About Stephen Treglia

As Legal Counsel at Absolute Software, Stephen Treglia provides oversight and guidance on regulatory compliance related to data breaches and other security incidents. Stephen counsels the Absolute Investigations team who conduct data forensics, theft investigations, and device recoveries. Stephen has extensive knowledge of the US regulatory landscape, including SOX, HIPAA, and other industry-specific regulatory bodies.

Article source: http://medcitynews.com/2015/05/heres-how-healthcare-can-guard-against-data-breaches-in-the-year-of-the-hack/

,

No Comments

Here’s how healthcare can guard against data breaches in the “year of the hack”

Stephen Treglia photoProtected Health Information, or PHI, is increasingly attractive to cybercriminals. According to PhishLabs, health records can fetch as much as 10 times the value of credit card data on the black market.

Stolen healthcare records can be used for fraudulent billing which, unlike financial fraud, can go undetected for long periods of time. The rising price of healthcare records on the market is attracting more cybercriminals, who are exploiting any vulnerability they can find, be it an unpatched system or an insecure endpoint device.

We’ve all heard about several devastating data breaches in the healthcare industry this year – Anthem’s breach of more than 78 million records and the Premera Blue Cross breach of 11 million records. In the first quarter of 2015 alone, there have been 87 reported data breaches affecting 500 or more individuals, according to data from US Department of Health and Human Services Office for Civil Rights. These breaches affected a combined total of 92.3 million individuals, up 3,709 percent from Q1 2014.

Given the mega breaches experienced by Anthem and Premera, one could consider them as outliers. In terms of comparison, excluding the aforementioned breaches would still leave us with a 4.9 percent increase in individuals affected in the first quarter of 2015 versus the same quarter in 2014. Although the first three months of 2014 saw three more data breaches than what has occurred in 2015, it is clear that the number of individuals affected per breach is on the rise.

2015 is the year of the “hack”, but people are still the root cause.

In the first quarter of the year, 33 percent of data breaches were attributed to hacking or an “IT incident,” but the methods by which cybercriminals have successfully penetrated corporate networks are quite telling. These breaches have originated from unencrypted data, unpatched systems, or compromised passwords. In 2015, several hacking incidents have been tracked back to the compromise of a single set of credentials.

The Verizon 2015 Data Breach Investigations Report analyzed nearly 80,000 security incidents including 2,122 confirmed data breaches. Its findings reveal that despite the rise in cyberattacks, 90 percent of security incidents are tied back to people and their mistakes including phishing, bad behavior, or lost devices. The report notes that, even with a detailed technical report of a security incident, the “actual root cause typically boils down to process and human decision-making.” This is frightening but also good news, as there are measures that can be taken to reduce these risks by improving upon process and education, complemented by the right data security solutions.

It’s not all about the network

Healthcare organizations reacting to data breach headlines may focus efforts on protecting the network, leaving data vulnerable to other attack vectors and overlooking the people and process risks that ultimately result in most data breaches.

Cyberattacks come from many different vector points. It only takes one missing device, one use of unsecured WiFi, one compromised password, one click of a phishing email to compromise the entire corporate network. Many of these risks, which originate on the endpoint, put corporate network at risk. Current data security strategies in healthcare cannot be network versus endpoint, nor can they ignore the “people” risk that is only amplified by such trends as BYOD, mobile work, the cloud, and the Internet of Things.

A holistic approach to healthcare security

If we don’t adopt a different approach – one that addresses the multitude of options available to cybercriminals – breaches will continue to occur. Healthcare organizations that want to get ahead of cybercriminals need to create a holistic approach to data security that incorporates threat prevention, incident detection, and efficient response.

Reduce “the attack surface”

Every point of interaction with PHI puts that data at risk. Reducing the sum total of these points of interaction – the attack surface – reduces the risk to the data. I suggest a layered approach to data security that decreases the attack surface across endpoints as well as the network, including:

  • A foundation of tight controls and processes;
  • Encryption is a must, but on its own is often circumvented;
  • Supplement encryption with a persistent technology that will provide a connection with a device, regardless of user or location while defeating attempts to remove the technology;
  • Network segmentation is key — granular access controls and tools for continuous monitoring offer real-time intelligence about the devices on the network and the security status of these systems;
  • Automate security remediation activities such as setting new firewall rules or locking down a suspicious device in the case of suspicious activities.

Minimize the “people” risk

You can have the best firewalls, encryption and network access controls, but your employees are still your weakest link. Using a combination of process (education and interactive ongoing training) and technology (such as mobile device management), employees should be aware of their part in protecting corporate data on endpoints.

Know how to detect anomalies

Conduct regular security audits on the network and endpoints. Know where your sensitive data resides and how it’s being used (or misused, in the case of employees) with the aid of a data loss prevention (DLP) tool. Most DLP and endpoint security tools can create automated alerts for suspicious activity.

Develop and maintain an incident response plan

With clear procedures in place to pursue anomalies and to escalate breach situations, potential risks can be addressed promptly and effectively. Given the volume of false positives, skilled IT personnel need to connect the dots (such as a user name change, unauthorized physical changes to the device or its location, software vulnerabilities, registry changes, or unusual system processes) and spot a true security incident quickly. Ensure your endpoint security supports remote actions such as data delete and device freeze.
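As an added illustration of the “connect the dots” step (not code from the original article or from Absolute Software), here is a small correlation check over constructed endpoint telemetry: it raises an incident for a device only when several distinct anomaly types from the list above occur within a short window, so a lone registry change stays a low-priority alert rather than a page-out. The device names, signal names, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint telemetry: (timestamp, device_id, signal).
# Signal names follow the anomaly categories named in the article;
# the devices and events themselves are made up for this example.
SAMPLE_EVENTS = [
    ("2015-05-28T08:02:00", "laptop-017", "user_name_change"),
    ("2015-05-28T08:05:00", "laptop-017", "location_change"),
    ("2015-05-28T08:07:00", "laptop-017", "registry_change"),
    ("2015-05-28T08:09:00", "laptop-017", "unusual_process"),
    ("2015-05-28T09:15:00", "laptop-042", "registry_change"),  # lone signal
    ("2015-05-28T09:20:00", "laptop-042", "registry_change"),  # same kind again
    ("2015-05-28T07:00:00", "laptop-099", "location_change"),
    ("2015-05-29T18:00:00", "laptop-099", "unusual_process"),  # too far apart
]


def correlate(events, min_signals=3, window=timedelta(hours=2)):
    """Return {device: sorted distinct signals} for every device on which at
    least `min_signals` *distinct* anomaly types occurred inside any `window`.

    Counting distinct kinds (not raw event volume) is what turns a noisy
    stream of single alerts into a small set of incidents worth a human look.
    """
    by_device = defaultdict(list)
    for ts, dev, sig in events:
        by_device[dev].append((datetime.fromisoformat(ts), sig))

    incidents = {}
    for dev, evs in by_device.items():
        evs.sort()  # time-ordered so each event can open a window
        for i, (start, _) in enumerate(evs):
            kinds = {sig for ts, sig in evs[i:] if ts - start <= window}
            if len(kinds) >= min_signals:
                incidents[dev] = sorted(kinds)
                break  # one incident per device is enough for triage
    return incidents


if __name__ == "__main__":
    for dev, kinds in correlate(SAMPLE_EVENTS).items():
        print(f"INCIDENT {dev}: {', '.join(kinds)} -> review; consider device freeze")
```

Devices that never cross the threshold are left to routine audit review, which keeps the escalation path reserved for correlated activity.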

With data regulations tightening, and healthcare data breaches escalating, don’t give cybercriminals an easy “in” to your organization. Trim the sails and batten the hatches to weather the oncoming storm of cyberattacks with a holistic approach to data security.

The more layers of protection you have in place, the better chance you have of avoiding a breach. Just as sailors can make or break a ship’s success in a storm, your employees are your first line of defense in preventing and detecting a data breach incident. If an incident is discovered, an efficient response plan can help your organization stay afloat in the muddy and complex waters of compliance.

About Stephen Treglia

As Legal Counsel at Absolute Software, Stephen Treglia provides oversight and guidance on regulatory compliance related to data breaches and other security incidents. Stephen counsels the Absolute Investigations team who conduct data forensics, theft investigations, and device recoveries. Stephen has extensive knowledge of the US regulatory landscape, including SOX, HIPAA, and other industry-specific regulatory bodies.

Article source: http://medcitynews.com/2015/05/heres-how-healthcare-can-guard-against-data-breaches-in-the-year-of-the-hack/


IRS data breach is intolerable — and the woes only seem to be worsening

When thieves steal credit card and personal identity information from a retailer, such as Target, it results in a loss of consumer confidence in both retail and the banking system. But at least shoppers can choose to go elsewhere for the same goods.

But when the IRS makes itself vulnerable to a widespread security breach, the resulting loss of confidence in government and tax collection is far more serious. The IRS may have been the butt of jokes for more than 100 years, but its ability to securely collect revenue while protecting taxpayers from fraud is no laughing matter. It is essential to the nation.

This week, the IRS announced that more than 100,000 tax filers had their electronically filed income tax returns stolen by cyber thieves this year. Then it acknowledged that the thefts appear to have originated in Russia. The thefts occurred in February and May. The thieves apparently used information stolen elsewhere to attempt to access 200,000 records, and they succeeded in half those attempts.

This breach is intolerable. Of all agencies, with the exception of the nation’s defense forces, the IRS ought to have the most sophisticated and impenetrable cyber protections in place. There is plenty of evidence that the IRS has been failing on this front for years and that the problem is getting worse.

In 2012, the Treasury Inspector General for Tax Administration performed an audit that found thieves had stolen $5.2 billion from the agency in 2011. That report identified weaknesses and made seven recommendations for improving fraud detection. But the losses continued in subsequent years. The IRS said 1.2 million taxpayers had their identities stolen in 2012, and 1.6 million in 2013, meaning this week’s breach is just a small portion of fraud cases annually.

The report said, “Our analysis of … 2010 tax returns processed during the 2011 Filing Season identified that tax fraud by individuals filing fictitious tax returns with false income and withholding is significantly larger than what the IRS detects and prevents.”

Just as troubling as the loss of revenue to fraud is the agency’s inability to quickly respond to these problems and make taxpayers whole. A report in 2013 found it took the IRS an average of 312 days to resolve such cases. Many of the cases sat idle for hundreds of days, and 25 percent of the cases were “not correctly resolved.”

People who have been the subject of IRS scrutiny through the years attest that the IRS is not so lenient with taxpayers who delay their payments.

The problems made public this week cannot be allowed to fade quickly from public awareness. Added atop evidence the IRS targeted conservative groups seeking tax exempt status and that employees spent millions of dollars in work time doing union activities, it is evidence of the need for a massive overhaul of agency leadership and policies.

Utah Sen. Orrin Hatch, chairman of the Senate Finance Committee, has said he plans to demand answers from IRS Commissioner John Koskinen at a committee hearing next week. That’s a good first step.

In a world dominated by Internet transactions, it may not be possible to eliminate electronic fraud completely, but the IRS must begin stemming this problem and drastically reducing successful fraud attempts. To date, it appears the agency hasn’t made much of an attempt.

Article source: http://www.deseretnews.com/article/865629645/IRS-data-breach-is-intolerable-2-and-the-woes-only-seem-to-be-worsening.html?pg=all
