Archive for July, 2016

Durham’s police chief to lead independent probe into data breach

The investigation is expected to focus on a number of non-criminal matters arising from the breach and was announced eight months after an official ruling on the issue.

In November, Sir Stanley Burton, the Interception of Communications Commissioner, said in a report that Police Scotland contravened the Acquisition and Disclosure of Communications Data Code of Practice on five occasions.

The Interception of Communications Commissioner’s Office (IOCCO) conducted a review after fears were raised that officers had been “illegally spying on journalists”.

Those five incidents are all said to be linked to the investigation into the murder of prostitute Emma Caldwell in 2005.

Police Scotland Deputy Chief Constable Iain Livingstone said: “The Chief Constable, Phil Gormley, has asked Mike Barton, Chief Constable, Durham Constabulary, to conduct an independent investigation into a number of non-criminal complaints, which relate to matters connected to the breach of communications data protocols and guidance.

“Police Scotland has fully accepted that standards fell below those required in this case.

“It would be inappropriate to comment further at this stage given the investigation is to be conducted by Chief Constable Barton.”

Derek Penman, HM Inspector of Constabulary in Scotland, conducted a review of the force’s counter corruption unit in the wake of the breach.

Work is ongoing to address the 39 recommendations he made in June following an inspection.

Article source: http://www.thenorthernecho.co.uk/news/14653490.Durham_s_police_chief_to_lead_independent_probe_into_data_breach/


Why India too needs a transparent system of data breach notification


cuber security, india cybersecurity, cyber security india, european union cybersecurity, Europe cycber security, india cyber attacks, cyber attack, technology news, india news Failure to notify consumers of data breaches disables them from exercising their right to choose to continue with a breached service provider, and from pursuing appropriate legal remedies against negligent providers. (Photo for representational purpose only)

The European Parliament, on July 6, 2016, adopted the Directive on Security of Network and Information Systems. The NIS Directive, as it is known, will usher in a new era of EU-wide cooperation and national capacity building to effectively respond to cyber-attacks ‘becoming bigger, more frequent, and more complex’. It also mandates EU member states to implement mandatory cybersecurity incident reporting requirements for e-commerce platforms, payment gateways, social networks, search engines, application stores, cloud computing services, in addition to entities operating in critical sectors including energy, transport, banking, health and finance. In other words, if an entity is the subject of a cyber-attack or data breach where sensitive customer information is compromised, they will have to report the same to a regulator.

With this move comes yet another affirmation of the role that transparency and timely breach disclosure can play in mitigating the costs of attacks, developing threat intelligence, and ensuring that cybersecurity best practices are adopted in the long run. Under the regime proposed by the NIS Directive, national regulators may elect to disclose breach details to affected individuals where such disclosure is deemed to be in the public interest, after weighing the reputational and commercial damage to breached entities. Though the NIS Directive goes only so far, the requirement that cybersecurity incidents and data breaches be notified to end users is slowly catching on: jurisdictions including South Korea, Taiwan, Ireland and Uruguay, in addition to 47 US states, in many cases require breaches to be reported to affected individuals, while others, such as Sweden, empower the national regulator to order notification to affected individuals where required. Australia is among the countries currently legislating on the issue.

And with an estimated 600 million user passwords entering the public domain from breaches in the last month alone at household names including LinkedIn, Myspace and Tumblr, such reforms cannot come soon enough. Affected consumers have an inherent right to be notified if their sensitive information has been the subject of a leak or successful breach. Beyond the moral obligation to disclose breaches, there are very real practical justifications: notification enables affected individuals to take steps to mitigate the risks of fraud and identity theft. The need for data breach notification assumes further importance because consumers are often not fully aware of the kinds of sensitive information collected in the first place by online services and mobile applications. Often, the first consumers come to know of a breach is when their credit card numbers, passwords, or biometric records are offered for sale on the digital black market, or in the worst case, when their compromised accounts are misused.

The Indian cybersecurity framework has also seen recent movement with the RBI, in June 2016, issuing a clear mandate for banks to immediately implement internal cybersecurity frameworks. These directions also include an explicit requirement for banks to report ‘all unusual cyber-security incidents (whether they were successful or were attempts which did not fructify)’ to the RBI. Similar requirements exist for stock markets, commodity exchanges, and other market infrastructure entities to notify SEBI, while there is also a general requirement for cyber-security incidents affecting Indian individuals and organisations to be reported to the Indian Computer Emergency Response Team (CERT-In) under the Information Technology Act framework.

Despite this plurality, there exist no provisions which may require breached entities to notify affected end-users – arguably, the most critical stakeholders – that their sensitive information has been compromised. In fact, in some cases (such as under the IT Act), law achieves the opposite – ensuring that incident notifications made to regulators remain highly confidential. This approach reflects an outmoded view of cybersecurity which considers breaches and other incidents best-addressed outside the public sphere – in secret.

Failure to notify consumers of data breaches disables them from exercising their right to choose to continue with a breached service provider, and from pursuing appropriate legal remedies against negligent providers. The lack of incentive to disclose incidents and unclear liability norms have also meant that Indian entities that have been breached have not begun offering credit monitoring or other recompense to affected consumers.

In the absence of breach notification requirements, there is no incentive for businesses to upgrade cyber-security practices as the risk of public embarrassment is minimised to a large degree. Mandating public data breach notification will encourage businesses to implement security best-practices while enabling consumers to protect themselves in the wake of their sensitive information being breached.

Article source: http://indianexpress.com/article/blogs/why-india-too-needs-a-transparent-system-of-data-breach-notification-2946089/


Michigan credit unions join lawsuit over Wendy’s credit card data breach

The Michigan Credit Union League, on behalf of Michigan credit unions, joined a class action lawsuit this week against the Wendy’s restaurant chain following a recent credit card data breach.


Wendy’s said it first reported unusual payment card activity affecting some franchise-owned restaurants in February 2016, and in June the company reported an additional malware variant had been identified and disabled.

The breach affects customers between Dec. 2, 2015 and June of 2016, and also includes locations outside of Michigan, Wendy’s said. 

The breach impacted more than 100 locations across Michigan, the MCUL said in a news release, and the class-action lawsuit alleges it was due to Wendy’s poor data security measures, its failure to discover and contain the breach, and its neglecting to notify financial institutions of the compromise.

The legal action is meant to recoup the costs to credit unions, including reissuing new cards and refunding members’ lost money.

“Until retailers are forced to invest in robust data security measures, credit unions will continue to pay the price for retailer data breaches,” MCUL Chief Operating Officer Ken Ross said. “Adding our name to this class action is one way we are going to bat for Michigan credit unions until a legislative solution is achieved.”

Ross called for changes in federal law to hold retailers accountable to security standards. 

Other plaintiffs listed in the class action include the Credit Union National Association, the Ohio, Georgia and Indiana state credit union leagues and numerous credit unions.

In July, Wendy’s apologized to those impacted and encouraged customers to search a database to see impacted restaurant locations.

“We are committed to protecting our customers and keeping them informed,” Todd Penegor, Wendy’s president, said in a July 7 statement. “We sincerely apologize to anyone who has been inconvenienced as a result of these highly sophisticated, criminal cyberattacks involving some Wendy’s restaurants.”

“We have conducted a rigorous investigation to understand what has occurred and apply those learnings to further strengthen our data security measures,” he said. 

Penegor recommended customers remain vigilant for incidents of fraud and identity theft by reviewing credit card account statements and monitoring credit reports for unauthorized activity.

Wendy’s offered one year of complimentary fraud consultation and identity restoration services to all customers who used a payment card at a potentially affected restaurant during the breach time period.

Customers with questions can call (866) 779-0485, from 8 a.m. to 5:30 p.m. Central Time, Monday through Friday excluding major holidays.

MCUL says the Wendy’s data theft is the latest in a string of compromises for which member-owned credit unions have incurred the costs.

Breaches at Target and Home Depot in 2013 and 2014, respectively, cost credit unions nationwide an estimated $90 million combined, according to the Credit Union National Association. In Michigan, credit unions paid out an estimated $4.4 million as a result of the same breaches, MCUL said. MCUL was also a plaintiff in the class action suit against Home Depot.

Article source: http://www.mlive.com/news/index.ssf/2016/07/michigan_credit_unions_join_la.html


We apologize for the data breach

Dear SafeCorp users,

By now you have heard about the data breach that exposed our users’ private information to hackers, to the U.S. government, and to the public. We are sorry, and we are embarrassed. But especially sorry. Although almost equally embarrassed. But not quite as embarrassed as we are sorry.

Your data is precious, and we did not take sufficient measures to protect it. We know that now, and we know we should have known all along. We shouldn’t have declared ourselves the “industry leader in data security” and “way more serious about data security than our competitors” and “just nuts about data security, really insane, like if data security is a crime then lock us up, but good thing it isn’t, because we’re ga-ga for data security.” We really thought we had that stuff down.

We were fully confident that when we issued our “Security Breach Challenge,” offering a million-dollar prize to anyone who could hack our site, that no one would succeed. We were confident enough to issue the challenge during a public tour of our data center, to which we handed out invitations during DEF CON 2016, in the form of “golden tickets,” each bearing an employee’s iPhone passcode. We now see our confidence was unfounded.

We regret storing our users’ usernames and passwords in plaintext, in a shared Google doc. We regret printing out that Google doc, then printing coupon fliers on the back of that printout to save paper, then distributing those fliers by aerial drop over the Kremlin.

We regret testing our Facebook Live account by reading our users’ security questions and answers in a monotone, as if we were memorializing the dead, then carving those questions and answers into a granite block in downtown Manhattan.

We regret activating an always-on “share my location” feature, on an opt-out basis, announced only by a whisper into a warm glass of milk by a sleepy child. We regret changing our company logo to a regularly updated, algorithmically generated map of the “most surprising user locations.”

If we had avoided these missteps, we likely would not have suffered such a serious breach, one that resulted in the exposure of user identities, preferences, behaviors, and “star potential.” And we likely could have contained the breach at that point, had we not tweeted “Come on you bastards, is that all you’ve got? We personally invite Anonymous and LulzSec to test their might, for our (1/2),” or, thirty seconds later, “(2/2) truly important information remains impeccable and virginal, untouched by human hands, like Wonka’s chocolate,” or “(3/2 sry) and you script-kiddie filth can only dream of violating our sanctum with your leprous tendrils!” But, as has been widely reported and testified under oath, we did accidentally let that tweet slip out, though it was meant only as a draft, and for that mistake we lay the blame squarely on the confusing UI of TweetDeck. We still share the blame for the second wave of attacks that revealed our users’ social graphs, private messages, “deleted” posts, and a groundbreaking artificial-intelligence prediction of their spending habits over the next three years.

Thus, after the breach, when users questioned our security methods (and after we tweeted “LOL looks like someone believed an Onion article” and then respectfully deleted that tweet), we divulged the above missteps immediately after a public outcry, CNN investigation, federal inquiry, Congressional hearing, class action suit, multiple appeals, Supreme Court decision, and a dedicated visual album by Beyoncé Knowles.

Our thoughts are with our users as they sit down for hard conversations with their wronged spouses and children, hopefully uninterrupted by the SWAT teams responding to prank calls from 4chan. Our hearts especially go out to our pro users and whichever customers they have somehow convinced to stay. We take full responsibility for every hardship our users have faced: the harassment, doxing, extradition, denial of service, kidnapping, long hold times, data loss, cold calling, name calling, and forced Microsoft Silverlight download.

Please do not hesitate to reach out to us with your request, complaint, or threat. Our staff can be reached by writing their names on the wings of a dove, then releasing that dove over a body of water, pointing it toward the U.S. Virgin Islands, and crying after it, “Godspeed to you, my glittering saviors!” If a dove is unavailable, please visit us in person. You may arrange an appointment by dove.

Unfortunately, we will be unable to refund all auto-renewing memberships.

With our utmost and very real apologies,

SafeCorp

Article source: http://www.dailydot.com/unclick/we-apologize-for-the-data-breach/


Is Ransomware a Notifiable Data Breach Event?

There is no doubt that companies face unprecedented volume and variation in both disruptive and intrusive cyberattacks on their networks.  Among the different attack methodologies today, ransomware is quickly becoming a major concern for CISOs and security professionals.  According to Interagency Guidance from the U.S. Government, there are currently over 4,000 daily ransomware attacks – up over 300% from the 1,000 daily ransomware attacks experienced in 2015.

Ransomware can potentially hold hostage critical corporate, customer and employee data, but in-house legal and communications teams are also concerned about whether these attacks trigger public notification rules.  The Department of Health and Human Services Office of Civil Rights (“HHS OCR”), which enforces the HIPAA Security and Breach Notification Rules, stated in recently issued guidance that a ransomware incident may be considered a breach that requires notification.  The guidance is a poignant reminder to all companies, whether regulated by HIPAA or not, to carefully consider how evolving attack methodologies can directly implicate incident response strategies and compliance obligations.

What is ransomware? 

Ransomware is computer code (malware) that is typically deployed into a network, often when an unsuspecting user clicks on a malicious link or opens a file in a phishing email.  Once inside the network, ransomware typically self-proliferates and encrypts data inside the environment, rendering the data inaccessible and essentially useless.  A successful ransomware attack can result in the temporary or permanent loss of sensitive information, serious disruption to operations, financial costs of restoring systems and data, and possible reputational or brand impact to the enterprise.

Generally, the attacker will provide a decryption “key” only after the company pays a ransom (almost always in hard-to-trace Bitcoins).  Other forms of ransomware can destroy or delete data, hide data by relocating it within the network, or even exfiltrate data outside of the company’s environment.

Myriad security software vendors offer ransomware mitigation and decryption tools.  However, some recent sophisticated ransomware – such as the recently observed “Locky” malware variant – is not easily mitigated or decrypted.  The only remedy in that situation is to restore affected databases from back-up tapes (if they exist!).  Paying the ransom may or may not result in the attacker providing a working decryption key.

OCR says ransomware can trigger HIPAA Breach Notification Rule

HHS OCR’s recent guidance warns HIPAA-regulated entities that application of the HIPAA Breach Notification Rule is a “fact specific” inquiry.  A breach under HIPAA is defined as “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.”  45 C.F.R. 164.402.  HHS OCR states that where PHI is “encrypted as the result of a ransomware attack, a breach has occurred because the PHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure not permitted under the HIPAA Privacy Rule.’”  It does not address “access” in the context of ransomware.

However, as HHS OCR points out, notification may not be required if the entity can demonstrate a “low probability that the PHI has been compromised,” which turns on several factors identified in 45 C.F.R. 164.402(2):

  1. the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. the unauthorized person who used the PHI or to whom the disclosure was made;
  3. whether the PHI was actually acquired or viewed; and
  4. the extent to which the risk to the PHI has been mitigated.

The guidance goes on to explain, for example, that the lack of attempted or actual data exfiltration, mitigation based on disaster recovery and data backups, and the organization’s use of an appropriate level of encryption to protect the information prior to the ransomware attack (such that the data is not “unsecured PHI” under the rules), among other factors, may negate the requirement to notify affected individuals.

That said, the guidance is clear that covered entities and business associates must be highly diligent in their forensic analyses to take advantage of the notification exception.  As HHS OCR remarks, “[t]he risk assessment to determine whether there is a low probability of compromise of the PHI must be thorough, completed in good faith and reach conclusions that are reasonable given the circumstances” and the entity must maintain specific and strong “supporting documentation” as required under the rules.

Does ransomware trigger U.S. State breach notification rules?

U.S. state breach notification rules are generally triggered by unauthorized “acquisition” of and/or “access” to certain delineated types of unencrypted personal information.  Ransomware that only encrypts data inside an environment, but does not allow an attacker to view, copy, relocate, or exfiltrate it (e.g., download, email, transfer), is unlikely to trigger a notification duty under the statutes that define breach as the “unlawful and unauthorized acquisition” of personal data.

For example, Vermont’s law includes factors to consider in determining whether personal information has been acquired by an unauthorized person[1]. The law provides that the following “indications” may be considered:

  • information “is in the physical possession and control of a person without valid authorization” such as a lost or stolen computer or other device containing information;
  • information “has been downloaded or copied”;
  • information “was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported”; and
  • information “has been made public, such as posting on a website.”

Based on these factors, typical ransomware incidents that do not show evidence of download or exfiltration may not qualify as an “acquisition” by the attacker, subject to notification obligations.

However, a small number of states[2], as well as the HIPAA Security Rule itself, define a breach as the “unauthorized access” to personal information, a lower threshold than unauthorized acquisition.  Ransomware could trigger breach notice in the “access” states even if it does not trigger notice in the “acquisition” states, incidentally leaving organizations with a difficult business decision on whom to notify and in what form.

There are additional factors a company and its counsel may need to consider.  For example, if the data was encrypted by the data owner before it was encrypted by the ransomware attacker, in many states there would be no notification obligation. Moreover, many states permit a risk-of-harm analysis, and/or define breaches as only those incidents which “compromise the security, confidentiality, or integrity” of the personal information.  Whether a ransomware attack is a notification-triggering event will always require a fact-specific analysis, based on a careful and complete investigation (sometimes by outside forensic experts) of the underlying circumstances of the attack.

What should companies do?

Given the sharp uptick in ransomware attacks and escalating legal scrutiny on breach notification decisions, companies are well advised to re-examine and update their policies and plans, and of course, to tabletop them in simulated tests:

  • Incorporate additional forensic analyses, PR/communications work streams and notification considerations into enterprise incident response plans (and/or security team field guides) to specifically address ransomware.  These considerations should be based on the various factors that HHS OCR and other regulators have recommended to assess whether a ransomware attack constitutes a reportable incident, such as: (1) examining the nature and extent of personal information involved, including the sensitivity of the information and likelihood that it will be accessed; (2) whether the personal information was actually viewed, accessed, acquired or exfiltrated; and (3) the extent to which the risk to the personal information has been mitigated.
  • Update critical data backups and supplement them as necessary.  This can be done as part of internal processes to integrate disaster recovery and business continuity planning with incident response programs.  As noted above, ransomware attackers may or may not provide working decryption keys upon being paid, so maintaining robust back-ups will help to mitigate business disruption.
  • Re-assess proactive encryption-at-rest strategies.  In the event of a ransomware attack or other security incident, the use of encryption may better position the company to invoke an exception to breach notification requirements.  The U.S. Computer Emergency Readiness Team (“US-CERT”) has published a series of helpful proactive measures that companies should consider to help manage ransomware risk.


[1] California issued guidance similar to Vermont’s law in 2012.  While this guidance predates recent amendments to the California state breach notification law, it remains helpful to a breach notification analysis.

[2] For example, states like Connecticut, Florida, Kansas, Louisiana, and New Jersey include unauthorized access to data as a breach.

Article source: http://www.jdsupra.com/legalnews/is-ransomware-a-notifiable-data-breach-58331/


Laurel clinic warns patients of data breach – WDAM

LAUREL, MS (WDAM) –

A Laurel clinic has issued a warning to a small group of their patients after a recent data breach of their systems. 

Jefferson Medical Associates issued a press release stating that privacy events may have compromised certain personal information. 

The events are believed to be the result of criminal activity. 

According to the release, on June 1 an unauthorized individual not affiliated with JMA accessed a database containing a limited history of prescriptions and other information for a small percentage of patients. 

Based on the investigation, the individual unlawfully copied one of the practice’s databases which included patient names, dates of birth, social security numbers, addresses, and phone numbers as well as limited prescription information. Drug names, dosages, and refill quantities were also compromised. 

JMA has since secured the database, disabled the ability for remote connections, and is implementing additional data security measures to prevent future incidents. 

The release stated: 

“At this time, investigators do not believe the individual who accessed the database has used the information acquired.  Instead, it is believed that the individual accessed the database only to demonstrate his ability to do so.  Through JMA’s investigation of this issue, it also has learned that other remote connections were made to this database from unknown sources at various times between March 25, 2014, and June 1, 2016.  JMA has not been able to determine whether any of these other connections actually resulted in any acquisition, access, use, or disclosure of patient information, but it is possible.”

JMA has mailed notice to all potentially affected patients of this incident and is offering one year of credit monitoring and identity protection services through AllClear ID™ at no cost to the affected patients.  In cooperation with law enforcement, JMA is continuing to investigate this incident.  

“We sincerely regret any concern or inconvenience this incident has caused or may cause any of our valued patients,” said Robby Graham, JMA’s Administrator.  “We take the privacy of their health information as seriously as we do their care.  We want to assure our patients and the community we serve that we will continue to work both to understand this incident and to implement measures to further strengthen our data security.” 

Those who believe they may have been affected by this incident should contact JMA’s dedicated incident response hotline at (855) 260-2771.  

Jefferson Medical Associates, in Laurel, Mississippi, is one of the area’s largest private, multi-specialty medical groups. Its physicians provide primary care, as well as sub-specialty medical care for residents of south central Mississippi.

Copyright WDAM 2016. All rights reserved. 

Article source: http://www.wdam.com/story/32574292/laurel-clinic-warns-patients-of-data-breach


23% of businesses say they stop a data breach every day


Nearly a quarter (23 percent) of businesses claim that they stop a data breach every day.


A WinMagic survey of 250 IT managers and 1,000 employees found that 41 percent of employees still believe IT security is the sole responsibility of the IT department. However, 37 percent say they have a role to play in IT security as well.


A fifth of IT managers want to be able to empower employees to use personal devices to access work documents even though many of them refuse to be held responsible for IT security. Only 36 percent felt such access should be restricted to approved employees.


Beyond hackers (24 percent), IT managers rated employees as the second biggest risk to security. Employees agreed that they were a risk with 17 percent admitting that they are “somewhat likely” to open an attachment from an unknown sender. Unprotected devices also pose a big risk.


“Encryption itself can be a complex task open to human error. IT managers must recognise this and ensure they have the processes and tools in place to facilitate effective encryption across the entire device estate. Devices change and move as much as the data itself, and encryption is not a tick-box task. By using automation and effective tools, businesses can ensure that the last line of defence from hackers and human error is robust and minimises the chance and impact of a data breach,” said Andreas Jensen, enterprise director for EMEA at WinMagic.

Article source: http://www.scmagazine.com/23-of-businesses-say-they-stop-a-data-breach-every-day/article/512394/


Australian Bureau of Statistics reports 14 data breaches since 2013 …

The Australian Bureau of Statistics has had 14 data breaches since 2013, but it has defended its handling of Australians’ personal information amid privacy concerns over the 2016 census.

The Office of the Australian Information Commissioner (OAIC) told Guardian Australia it had received 14 data breach notifications with regard to personal information held by the ABS since 2013.

The ABS has faced criticism from a number of privacy and civil liberties groups over changes to the 2016 census that will involve the retention of Australians’ names and addresses. This will mean that for the first time, the census will retain identifiable information on all Australians for a period of four years. The ABS has said this will allow it to form a “richer and dynamic statistical picture” of the country.

While none of the breaches were related to the handling of census details, a key criticism from groups such as the Australian Privacy Foundation highlighted how difficult it was to secure vast amounts of personal information once it was retained.

All 14 data breach notifications since 2013 were voluntarily made to the OAIC by the ABS, a spokeswoman for the information commissioner’s office said.

“The ABS appears to have taken a precautionary or ‘pro-disclosure’ approach to voluntarily notifying the OAIC of all matters regardless of the severity of the breach, indicating a transparent approach,” she said.

“None of the notifications received related to disclosure or mishandling of any census data, or to attempts by an external party to expose or steal information.”

The ABS’ decision to voluntarily report the data breaches is considered best practice in a legal environment where it is not yet a mandatory requirement.

A spokesman for the ABS said it took its privacy obligations very seriously.

“The ABS continually reviews its processes to strengthen data handling policies and procedures. OAIC notifications routinely result in reviews that further strengthen ABS’ approach,” he said.

The spokesman said the bureau’s handling of information was audited externally as well as internationally.

“The ABS securely manages hundreds of thousands of electronic and paper forms every year – with more than 9 million forms received during a census year alone. Forms are tracked from the point of collection to secure destruction,” he said.

“The public can be confident that the ABS has stringent policies and vigilant staff to protect privacy and confidentiality.”

The census debate has continued to cause alarm, and some individuals and groups have called for a boycott of the count. Australians who refuse to answer questions in the 2016 census over privacy concerns surrounding the retention of their personal information could face fines.

Article source: https://www.theguardian.com/australia-news/2016/jul/29/australian-bureau-of-statistics-reports-14-data-breaches-since-2013


No Comments

Average total cost of data breach increases to Rs 97.3 million: IBM …

TOI Tech | Jul 28, 2016, 08.59 PM IST

The study analyzed the financial impact of data breaches on a company’s bottom line.

NEW DELHI: The average total cost paid by a company in India for a data breach increased from Rs 88.5 million to Rs 97.3 million in 2016, according to a new study conducted by the Ponemon Institute on behalf of IBM Security. The study analyzed the financial impact of data breaches on a company’s bottom line.

Cybersecurity incidents continue to grow in both volume and sophistication, with 64% more security incidents reported in 2015 than in 2014. As these threats become more complex, the cost to companies continues to rise. The study found that companies lose an average of Rs 3,704 per compromised record.

Breaches in highly regulated industries were even more costly. Breaches at financial institutions had a per-record cost of Rs 5,544, well above the overall mean of Rs 3,704.

According to the study, breaches caused by third-party errors or accompanied by extensive migration to the cloud increase the per-record cost, while having an incident response team was the single biggest factor associated with reducing it: from Rs 3,704 to Rs 2,498 per record on average. In contrast, third-party involvement in the cause of the breach raised the average per-record cost to as much as Rs 4,622.

The study also found that the longer it takes to detect and contain a data breach, the more it costs to resolve. Breaches identified in less than 100 days cost companies an average of Rs 89.4 million, while those that took more than 100 days to identify cost an average of Rs 105.6 million.

The annual Cost of a Data Breach study examines both the direct and indirect costs to companies of dealing with a single data breach incident. Through in-depth interviews with 37 companies across the country, the study factors in the costs associated with breach response activities, as well as reputational damage and the cost of lost business.


Article source: http://timesofindia.indiatimes.com/tech/tech-news/Average-total-cost-of-data-breach-increases-to-Rs-97-3-million-IBM-study/articleshow/53437588.cms


No Comments

CiCi’s Pizza Data Breach Leaves Mid-South Customers At Risk

If you’ve had pizza night at any of the five Mid-South CiCi’s Pizza restaurants, your personal information could be in the hands of a stranger.

Malware was found on the point-of-sale devices used to process debit and credit cards at the restaurants.

CiCi’s is investigating data breaches at more than 100 restaurants across the country. The earliest intrusion dates back to March 2015, but most of the breaches began in March 2016.

A statement released by the company says it worked quickly to remove the malware, completing the clean-up by July 2016.

If you paid by card at any of the Mid-South CiCi’s Pizza locations (Poplar Plaza, North Germantown Parkway in Cordova, Stage Road in Bartlett, Goodman Road in Southaven or Caraway Road in Jonesboro) during those periods, you should review your card statements for unauthorised charges and check your credit report immediately.

Copyright 2016 Nexstar Broadcasting, Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

Article source: http://www.localmemphis.com/news/local-news/cicis-pizza-data-breach-leaves-mid-south-customers-at-risk


No Comments