Archive for November, 2015

Email Data Breaches: The Threat That Keeps On Giving

By most accounts, 2015 was a year of unprecedented data breaches. Several major government agencies, enterprises and consumer sites were hacked – leaking the personal information of millions onto the web.

But the initial breach is not the end of the exposure. For example, according to data collected by email security firm MailChannels, spam and phishing emails to addresses stored in the Ashley Madison database – compared with the volume sent to a random sample of addresses – have increased exponentially since the hack.

“The data offers some insights into what consumers can expect: a steadily growing amount of scams and spam – both targeted and general – will hit inboxes in 2016,” according to Ken Simpson, CEO at MailChannels. “Anyone whose email has been exposed is a prime target for cybercriminals looking to profit from extortion, identity theft and data exploitation. The increased volume in email attacks won’t come right away, but evidence from the Ashley Madison data leak shows that the growth in volume will be sustained throughout 2016; it isn’t going to tail off with time.”

Simpson spoke with Information Management about what he expects organizations will experience on the IT security front in 2016, and how those trends may impact customers.

Information Management: What does your data reveal that CIOs should know in terms of corporate email security issues?

Ken Simpson: CIOs should create a process for retrieving leak data when large leaks happen, because our analysis shows that the very appearance of someone’s email address in a leak exposes them to more abuse after the leak occurs. Attackers use leaks to build their database of targets for all sorts of fraud – not just fraud related to the leak itself. For instance, with the Ashley Madison breach, we saw users receiving regular spam and phishing attacks in addition to targeted attacks such as scams promising to remove users’ personal information from the Internet.
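
The process Simpson describes, retrieving a leak dump and finding out which of your own users appear in it, is worth having as code before the next dump lands. The following is an added example, not MailChannels’ tooling or anything from the original interview. It assumes two inputs that are constructed here for illustration: a text export of a leaked dump (mixed case, stray whitespace, a header and a junk line, as real dumps have) and a list of your organization’s addresses. It normalizes addresses, keys a watchlist on SHA-256 fingerprints so the file handed to whoever processes dumps contains no plaintext directory, and streams the dump once, counting hits per address so those people can be flagged for the targeted phishing that follows a leak.

```python
import hashlib
import re

# Constructed sample of a leaked registration dump (not real data).
LEAK_DUMP = """\
# leak dump, exported 2015-08-18
alice@EXAMPLE.com,2015-08-01
bob@example.com , 2015-08-01
carol@other.example,2015-08-02
Alice@Example.com,2015-08-03
garbage-line-without-an-address
"""

# Constructed directory export for the domain you are responsible for.
CORPORATE_ADDRESSES = ["Alice@example.com", "bob@example.com", "dave@example.com"]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def normalize(addr: str) -> str:
    """Canonical form: trimmed and lower-cased, so 'Alice@Example.COM' and
    'alice@example.com' compare equal (domains are case-insensitive and most
    providers treat local parts that way too)."""
    return addr.strip().lower()


def fingerprint(addr: str) -> str:
    """SHA-256 of the normalized address; the watchlist is keyed on this so
    the watchlist file itself carries no plaintext addresses."""
    return hashlib.sha256(normalize(addr).encode("utf-8")).hexdigest()


def build_watchlist(addresses):
    """Map fingerprint -> normalized address for the people you must notify."""
    return {fingerprint(a): normalize(a) for a in addresses}


def extract_addresses(lines):
    """Pull every address-looking token out of arbitrary dump lines, so the
    check does not depend on the dump's column layout."""
    for line in lines:
        for match in EMAIL_RE.finditer(line):
            yield match.group(0)


def find_exposed(watchlist, dump_lines):
    """Stream the dump once; return {address: times_seen} for watchlist hits."""
    hits = {}
    for addr in extract_addresses(dump_lines):
        owner = watchlist.get(fingerprint(addr))
        if owner is not None:
            hits[owner] = hits.get(owner, 0) + 1
    return hits


def run_example():
    """Run the check against the constructed dump above."""
    return find_exposed(build_watchlist(CORPORATE_ADDRESSES), LEAK_DUMP.splitlines())


if __name__ == "__main__":
    for addr, n in sorted(run_example().items()):
        print(f"{addr}: appears {n} time(s) in the dump")
```

On the constructed data, alice is reported twice (two case variants of the same address) and bob once; dave is absent from the dump and carol is not in the directory. For a multi-gigabyte dump, replace `LEAK_DUMP.splitlines()` with an open file handle; the check never loads the dump into memory.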

Information Management: What types of data are most at risk?

Simpson: It’s not so much the types of data that are at risk, it’s the potential for social engineering that’s the real risk. When an attacker knows something about your user because he or she was included in a breach, they can leverage that information to tailor an attack.

For example, let’s say your HR SaaS provider experienced a breach, allowing an attacker to know not only that your employee “Sandra” in marketing makes $55,000/year, but also that she lives in London, England. You can now hit Sandra with a customized email claiming to be someone from the London office who needs some money because their passport was absconded during a trip to Egypt.

Information Management: Are organizations giving IT security enough attention, budget, and staffing?

Simpson: Security is never given enough attention until there is a major problem – this has always been true and probably always will be. Enlightened organizations invest more in security because they know that the cost of doing nothing is to guarantee – at some unknown time in the future – an incident that is very costly.

Ashley Madison’s parent company nearly ceased operations after their disastrous breach. Were they doing enough on security? Not for a firm that deals in information that can destroy marriages. And we’re only beginning to see the legal fallout that could hobble them for years to come.

Information Management: How does the CIO or the CISO best go about creating a culture of security awareness?

Simpson: I think it pays to keep on top of security events that receive widespread press, and to remind management and staff that they too are vulnerable. Part of the CIO’s job is to provide information about the general threat landscape so that the organization starts to take security seriously. The CIO alone can’t pull enough budget, but the collective concern of every department will start to make a difference.

Information Management: What do you predict will be the top IT security issues, challenges, and threats in 2016?

Simpson: In 2016, the threat of tailored attacks at the individual level will become commonplace. With this previous year having been one riddled with information breaches, our data shows cybercriminals have an increased repository of pieces of personal information that they will look to build out into comprehensive profiles that can be used for identity theft, extortion and hacking. The more built out a profile, the more possibilities for illicit activity, and cybercriminals will be on the hunt to collect the missing information they need to exploit an individual or business through targeted emails and spam campaigns.

I also believe we’ll see more nation state hacking and espionage causing real economic damage. For example, could a powerful Chinese SOE with influence in the Communist Party prod the red army’s electronic division (unit 61398) into hobbling a major US industrial company for competitive reasons? Say, through a major breach that was made to look like it came from Anonymous? Yes, that could happen in 2016. But this time, the linkage with the nation state will become clear.

OPM Just Now Figured Out How Much Data It Owns

Why did this agency, which functions as the federal government’s human-resources department, have so much trouble protecting its data? For one, it didn’t know how much it had to begin with.

According to its inspector general, at the time of the breaches, OPM did not have a complete inventory of the servers, databases, and network devices that it owns, maintains, and operates. Not having the inventory “drastically diminishe[d] the effectiveness of its security controls,” wrote Michael Esser, the agency’s assistant inspector general for audits, in an oversight report published this month.

“Failure to maintain an accurate IT inventory undermines all attempts at securing OPM’s information systems,” the report read.

OPM only completed an inventory of its databases within the last few months, said Sam Schumach, a spokesperson for the agency. As far back as 2009, the inspector’s office began warning that the agency was having trouble keeping track of its information systems. The following year, auditors noted that OPM’s “passive approach” to maintaining its inventory was putting its sensitive data at risk.

The agency is still cleaning up from the breaches it announced this summer. After hiring a contractor to contact the millions of individuals who had not yet heard from the government, the agency finally began sending out notification letters. As of last week, 14 million letters have been sent, Schumach said. OPM hopes to send out the last of the letters by mid-December.

Dealing with the fallout of a data breach is expensive. Just notifying the individuals affected by the hack set the government back $133 million. Recognizing that cyber attacks that target government data will only ramp up in the future, OPM has already budgeted an additional $500 million for data breaches over the next five years.

OPM is slated to receive updated cybersecurity systems for its networks in the “near future,” a spokesperson for the Department of Homeland Security said. The new system, which has the capability to block incoming attacks, will replace a system that could only monitor networks for intrusions.

But even those tools would be useless without a basic understanding of the data the agency is entrusted with, and the servers that hold that data.
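
The inspector general’s point is that an inventory you cannot reconcile against what is actually on the network is not an inventory. The following is an added example, not OPM or DHS code, of the reconciliation a practitioner runs to test that claim. It assumes two constructed inputs: an asset register exported as CSV (hostname, ip, owner) and a list of hosts observed live on the network (for instance from DHCP leases or an ARP sweep). It reports hosts seen but not registered (the gap the report warns about), registered hosts whose observed name no longer matches, registered hosts not seen at all, and registered hosts with no accountable owner.

```python
import csv
import io

# Constructed asset register ("inventory of record"), not real agency data.
INVENTORY_CSV = """\
hostname,ip,owner
db01.agency.example,10.0.1.10,records-team
web01.agency.example,10.0.1.20,web-team
app-legacy.agency.example,10.0.1.30,apps-team
old-backup.agency.example,10.0.1.99,unknown
"""

# Constructed observation of what the network actually showed this week:
# (ip, reverse-DNS name or "" when the host has none).
OBSERVED = [
    ("10.0.1.10", "db01.agency.example"),
    ("10.0.1.20", "web01.agency.example"),
    ("10.0.1.30", "app01.agency.example"),   # name differs from the register
    ("10.0.1.21", "web02.agency.example"),   # not in the register at all
    ("10.0.1.55", ""),                       # live host with no name
]


def load_inventory(text):
    """Parse the register into {hostname: row}; hostnames compare case-insensitively."""
    return {row["hostname"].strip().lower(): row
            for row in csv.DictReader(io.StringIO(text))}


def reconcile(inventory, observed):
    """Compare the register against observation and return four lists:
    unregistered: live IPs the register does not know about (the dangerous gap)
    mismatched:   registered IPs whose observed name differs from the register
    stale:        registered hosts that were not seen on the network
    unowned:      registered hosts with no accountable owner recorded
    """
    by_ip = {row["ip"].strip(): host for host, row in inventory.items()}
    unregistered, mismatched, seen = [], [], set()
    for ip, name in observed:
        name = name.strip().lower()
        host = by_ip.get(ip)
        if host is None:
            unregistered.append((ip, name or "<no name>"))
            continue
        seen.add(host)
        if name and name != host:
            mismatched.append((ip, name, host))
    stale = sorted(h for h in inventory if h not in seen)
    unowned = sorted(h for h, row in inventory.items()
                     if row["owner"].strip().lower() in ("", "unknown"))
    return {"unregistered": unregistered, "mismatched": mismatched,
            "stale": stale, "unowned": unowned}


def run_example():
    """Reconcile the constructed register against the constructed observation."""
    return reconcile(load_inventory(INVENTORY_CSV), OBSERVED)


if __name__ == "__main__":
    for category, items in run_example().items():
        print(f"{category}: {items}")
```

Every non-empty list is a finding: an unregistered host has no owner and therefore no patching or monitoring; a stale entry is either decommissioned hardware still in the register or a system that has gone dark; an unowned entry is exactly the accountability gap the “asset owner” model later on this page is meant to close. Run it on a schedule and treat growth in any list as a control failure, not as a reporting nuisance.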

The high-profile data breaches have kept OPM in the news, but it’s far from the only government agency that has fallen short of basic IT standards.

A recent report compiled by the House Oversight Committee graded federal agencies on their implementation of a key federal IT law. The majority of agencies—including OPM—received a D grade. Three agencies received an F: the Department of Education, the Department of Energy, and NASA. No agency received an A.

Paysafe says current accounts safe from 2009-10 data breach

British mobile payments company Paysafe Group Plc (PAYS.L) said on Monday it was confident that the data stolen through cyber-attacks in 2009 and 2010 could not be used to access existing Neteller or Skrill customer accounts.

The company, formerly known as Optimal Payments Plc, said that third-party attackers had managed to obtain limited account details from 3.6 million Neteller accounts and basic personal details relating to 4.2 million Skrill accounts.

Paysafe said that less than 2 percent of these accounts were active in the six months to Nov. 1 and that the data acquired did not include passwords or customer card data, or bank account information.

(Reporting by Esha Vaish in Bengaluru; Editing by Gopakumar Warrier)

‘Everyone should own a data breach’ so that blame isn’t pinned on any one person

Everyone in an organisation should “own” a data breach, so that the blame isn’t pinned on any one person, according to Neil Thacker, information security and strategy officer EMEA at Websense.

Thacker was speaking at Computing's Enterprise Security Risk Management Summit last week, when he said that all businesses should instil a culture in which all staff should take ownership of data, but could also therefore be held collectively accountable for a data breach.

He said that one way of ensuring the business isn’t hit by a data breach is to have a list of asset owners. “It means they are accountable for assets within the organisation. It’s not ‘my’ job to be accountable – it’s their job. So you have to think about how you use your technologies [in the enterprise]; that’s how you [make them accountable],” he said.

Thacker admitted that the perception of an “asset owner” could leave some people in the business looking smug if it isn’t “their” area from which data is lost in the event of a data breach. 

But he insisted that it is still the right approach – for ownership to be devolved – in order to beef up security and help thwart attacks. “We need to start mapping who is responsible and accountable for different areas,” he said. 

This includes areas such as data discovery, data cleansing, data encryption, statistics and data science. He said that giving employees responsibility for different assets will empower them and that they, in turn, will be motivated to make better decisions, strengthening the company’s security.

However, even in the worst case scenario – that a company is hit by a data breach – Thacker suggested that it could also make it more difficult to pinpoint blame.

“If it is the [company] making a mistake then they should probably have some responsibility for that. If the owner [of the data] has not been made aware of that, then perhaps that should be the CISO’s failure. If there has been no business process defined, then you may perhaps blame the auditors for certain things: it’s really hard to blame people for these things,” he said.

Thacker went on to ask the audience whether TalkTalk CEO Dido Harding’s job was to ensure that the internet service provider was able to protect against a simple SQL injection attack. 

“The CEO will take ultimate responsibility for everything. There will be lots of things they will be responsible for, so perhaps they should be made aware of that. But then [there are questions such as] did the CISO tell her about the encrypted data, did they highlight they were having issues with deploying existing technologies they had?” he asked.

Last month, Computing asked CIOs and other IT leaders who they thought should be held accountable in the event of a data breach.

League of Women Voters wants inquiry into Georgia data breach

Georgia’s largest nonpartisan voting advocacy group requested Monday that Gov. Nathan Deal order an independent investigation into the massive data breach exposing 6 million voters’ personal information.

In a hand-delivered letter, the League of Women Voters of Georgia called the breach “an obvious threat to the voter registration process.” It also said the state should be concerned that Georgians “regardless of their political persuasion will be deterred from registering to vote if they are not assured that their personal information will not be compromised and their personal finances put at risk.”

The letter was signed by Elizabeth Poythress, the league’s president.

Anyone registered to vote in Georgia was affected by the disclosure — some 6.2 million people.

Georgia Secretary of State Brian Kemp two weeks ago fired an IT employee over what he called a “clerical error.” Kemp said the employee inadvertently added the personal data, including Social Security numbers and birth dates, to a public statewide voter file before it was sent out last month to 12 organizations who regularly subscribe to “voter lists” maintained by the state.

The groups receiving the data — delivered via compact discs — included state political parties, news media organizations and Georgia GunOwner Magazine.

Kemp, who became aware of the breach Nov. 13, has said all 12 data discs illegally disclosing the private information have either been recovered or destroyed and that the data was not disseminated. He also denied the disclosure was a breach of the state’s voter registration system, saying the system itself was not hacked.

XL Catlin Launches Online Data Breach Resource Portal

XL Catlin’s Cyber Technology insurance business has launched a new online resource to provide clients with support for cybersecurity readiness and incident response services. The site features a comprehensive portal including:

  • Information on the underwriting and claims cyber/tech team
  • A cyber liability library specific to XL Catlin containing articles and videos by XL Catlin colleagues as well as product and policy information.
  • An incident roadmap suggesting steps to take following a network or data breach incident.
  • News center with articles and commentary discussing trends, major breach events, security awareness strategies, risk management guidance and helpful industry links.
  • Learning center with a library of best-practices articles, white papers and webinars from XL Catlin Colleagues, leading technical and legal practitioners.
  • Risk manager’s toolbox providing self-help for managing cyber risk, including a cyber-risk assessment survey, breach notification guides, what if modeling tools to estimate the cost of a breach, and research tools to monitor the type, frequency and severity of incidents occurring in your business sector.
  • Vendor partner resources including a directory to help XL Catlin clients gain access to its recently-expanded pre-qualified network of third-party resources with expertise in pre- and post-breach disciplines, including network vulnerability testing, IT risk assessments, incident response planning, security awareness training, PCI compliance, security incident response planning, data breach tabletops, and enhancement of a company’s vendor management program as well as crisis response services inclusive of expert computer forensics, legal and public relations advice, regulatory response and notification/credit monitoring.

XL Catlin’s cyber insurance provides coverage for data protection and privacy risks, both for third-party claims and first-party mitigation costs following a technology or cyber event. Coverage is tailored for businesses across various industries and technology companies. XL Catlin’s North America Cyber Technology business is headquartered in New York City with underwriting offices in Chicago, Washington, DC and San Francisco.

The XL Catlin insurance companies offer property, casualty, professional, financial lines and specialty insurance products globally.

Not Even Kids Are Safe from Data Breaches

Like stalled subway cars and autocorrect changing certain words to “ducking,” data breaches have unfortunately become an accepted part of life.

Sometimes the release of personal information and private preferences comes with mixed sympathy, as in the case of the extra-marital dating site Ashley Madison this summer. Other times, as hackers collect credit-card and Social Security numbers from various retailers, banks, or insurance companies, there’s a collective groan and shuffle to monitor credit scores.

But Monday brought a sadder breach, perhaps the saddest of all time, as VTech, a company that makes tablets and other educational gadgets for kids, announced that data from 5 million of its user accounts was leaked earlier this month, including kids’ names, birthdays, and genders.

The breach happened as an “unauthorized party” accessed a database held on the Learning Lodge app store, which lets users download games, e-books, and other educational tools, according to a statement from VTech. The database held no credit-card information or Social Security numbers, but contained e-mail, mailing, and I.P. addresses, passwords, secret questions and answers for password retrieval, and download history.

This means that somewhere on the black market there is record of not only 5 million children’s birthdays, but perhaps the names of their parents’ first cars, mothers’ maiden names, and favorite pets and elementary-school teachers.

No presidential candidate has issued a statement on the breach as of yet, but we expect a rash of stump speeches mentioning how every little Isabelle or Jack they meet on the campaign trail is devastated, humiliated, and downright mad that the whole world can know that they chose to download the pet-doctor app in a moment of weakness. Our kids deserve better.

VTech data breach impacts 5 million accounts

Retail data breaches: 3 lessons companies have learned


Crackdown on cyber criminals

Opinions are divided on whether governments are really in a position to stem the tide of cyber crime, which is by its nature heedless of national borders. Nevertheless, some experts believe governments will have to become more involved in the investigation and criminal prosecution of cyber crime. Without such a large, international effort, they say, the cost of securing data and recovering from attacks will eventually outstrip the benefits of conducting business in cyberspace. Suggestions include an international governing body that would work not only to stop cybercriminals, but also to regulate security measures, requiring companies around the world to adopt a universal baseline of prevention and detection methods.

Make individual cyber hygiene a habit

The time has come for all of us to accept that we have to step up our personal online protection if we want to keep our financial and personally identifiable information safe from criminals. Just as we once had to accept that we should lock our doors and keep the children in the yard, we now have to realize that certain inconveniences such as using a different password for every online service and storing those passwords in a secure app or, better yet, in our memories, must become a matter of habit. Credit card and loan offers that could once be discarded with the junk mail should be shredded, and credit card statements need to be reviewed every month. Individuals have to be more diligent about avoiding emails from unfamiliar addresses or clicking on mysterious links. Even phone calls that seem to come from benign solicitors or even familiar institutions like banks and workplaces may be phishing attempts. 

The more consumers are acquainted with methods to protect themselves from fraud and identity theft — and the consequences if they choose not to — the fewer claims a company has to cover and the less a store loses on fraudulent purchases that no one — not the credit card holder, the credit card company nor the credit card fraudster — is going to pay for. What’s more, customers who know they have protected themselves will have greater confidence in the security of their information as they venture out to make purchases. A better informed consumer will always be a benefit to the market.

The time has come for everyone to recognize cyber crime as a serious threat to economic security for both individuals and corporations. We may not yet know how to shut down cyber criminals completely, but there is a long way to go before we can say that we have done all we can.

Lance Spellman is the founder and President of Workflow Studios, an enterprise software development consulting company in Dallas, Texas.


Data Breach Threats Lurk Within

Almost every day, the media has a report of a cybersecurity breach. Target, Home Depot, Sony Pictures, Internal Revenue Service, the U.S. Government, big banks, hotels, and supermarkets have all been victims of cyber attacks. Recently a major league baseball team was accused of hacking a rival team’s data in a case of corporate espionage.

Billions of dollars are lost, reputations are damaged, and business is left disrupted in the wake of data breaches. And while the big names make the news, small businesses are proving to be equally vulnerable. A survey of 675 small businesses by the National Small Business Association found that half of them had been victims of information theft in 2014.

The war against electronic data theft is being fought on two fronts, although one front makes more headlines than the other. External threats generate a lot of attention, and rightly so. Online hacking rings and foreign governments are constantly scouting targets, sometimes making off with millions of records – credit card information, health records, employee data, and other personal information. The battle that is overlooked, however, is against intrusion from inside the organization.

A 2014 report from the Ponemon Institute, a research center dedicated to privacy and data protection, claims that 15 percent of the time, a trusted insider with malicious intent was the root cause of a data breach. A 2012 report from the Software Engineering Institute on Mitigating Insider Threats puts that figure even higher, stating that 21 percent of cybercrimes were committed by insiders.

Workforce Screening for Better Data Protection

The Computer Emergency Response Team (CERT) Program from Carnegie Mellon University’s Software Engineering Institute recommends using the hiring process as a starting point for mitigating insider threats. Measures such as background screening can help employers make trust-based hiring decisions. In fact, First Advantage conducted a survey of 337 professionals including human resources, risk management, and C-suite executives about their attitudes toward internal and external security threats. Sixty percent of respondents said background screening of new employees is the most important security control that can be put in place to protect organizations from data breaches. Anti-malware ranked second (53 percent), followed by physical security and physical access controls (39 percent).

Human Resources and Security

Organizations need to determine where their information assets are, what value they have and who has access to them. Human resources and information security professionals within the organization should develop a policy framework about what factors are appropriate for background screening for specific positions. If an employee has access to credit card information or other personally identifiable information, a background check might include a national and county level criminal history in all areas a candidate has lived or worked. It may also include a check on financial information such as credit history or bankruptcy filing. Screening may even involve a check of terrorist watch lists.

Many employers think that background screening ends when the new hire comes onboard. Unfortunately that can be a shortsighted and risky approach. Life happens and circumstances change. Young people are less likely to have a criminal record or bad credit initially, but could incur debt over time that needs to be serviced, potentially increasing their risk to the organization. People also change positions and have access to different levels and types of data. Companies should have a solid standards-based policy framework that includes continuous monitoring and updating of background information through a periodic rescreening process. Fortunately, technology now allows for groups of employees to be rescreened all at once for a fraction of the cost of the original background check.

Preventing Breaches through Vendors

Company supply chains and third-party business partners are other vulnerable points for attack. The massive Target data breach was traced to a third-party heating, ventilating and air conditioning partner that was hacked. It is wise to make inquiries about whether contractors, suppliers, and staffing firms have robust policies in place regarding background screening in addition to technology-based solutions to protect against deliberate or inadvertent data breaches.

The information age has changed the way we do business, but it has also created new risks that can lead to catastrophic losses. To ensure the greatest possible protection of valuable company information, organizations would be well advised to think about both internal and external threats, maintaining a thorough employee screening program along with tight IT security measures.
