Archive for November, 2016

Navy asks Hewlett Packard to pay up for personal data breach

The Navy is pressing private contractor Hewlett Packard Enterprise to pay for credit monitoring services for sailors affected by a data breach that exposed more than 130,000 social security numbers, a defense official familiar with the ongoing investigation said.

The request comes as the investigation into the breach has also expanded to include the FBI, which has joined with Naval Criminal Investigative Service in probing the case, said the official who spoke on background to discuss an ongoing investigation.

HP, which contracts with the Navy to manage personal information for thousands of sailors, has declined to comment on the breach, the investigation or whether the company intends to pay for the credit monitoring for sailors.

“The security and privacy of our clients is a top priority for Hewlett Packard Enterprise (HPE),” said Thomas Brandt, a spokesman for the contractor. “This event has been reported to the Navy and because this is an ongoing investigation, HPE will not be commenting further out of respect for the privacy of our Navy personnel.”

Providing credit monitoring is a standard practice for companies and organizations who suffer cyber-attacks that expose personal information that could be used to open unauthorized bank and credit card accounts. 

The breach became public Nov. 23 when the service announced that a computer supporting a contract that dealt with reenlistment and career data was “compromised.” Names and social security numbers of 134,386 current and former sailors were accessed and likely extracted from the computer by unknown persons.

The personal data came from the Career Waypoints database, known as C-WAY, which sailors use to submit requests for re-enlistment and to change Navy Occupational Specialties. Most are expected to be active-duty sailors, but the service says it’s possible that some are now in the selected reserve or could be totally out of the Navy, too.

Navy officials initially thought that detailed information on sailors’ security clearance levels was also accessed, but investigators now believe that was unlikely, the defense official said.

This is at least the second major breach of Navy data linked to its contracting activities with Hewlett Packard. In 2013, the service announced that Iran had penetrated its unclassified Navy and Marine Corps Intranet.

In March 2014, the Wall Street Journal reported that the breach was due to a sloppily written contract with Hewlett Packard that didn’t require HP to provide security for some of the Navy’s unclassified databases. 

Article source: https://www.navytimes.com/articles/navy-asks-hewlett-packard-to-pay-up-for-personal-data-breach


Europol in massive data breach on terrorism probes

“The concerned former staff member, who is an experienced police officer from a national authority, uploaded Europol data to a private storage device while still working at Europol, in clear contravention to Europol policy,” said Jan Op Gen Oorth, a spokesman from the agency, in an email.

He said the cases related to the breach are a decade old and that all involved EU states have been notified.

Dutch TV programme Zembla, aired by public broadcasters Vara and NPS, which first reported the breach, said the agent had inadvertently published information about 54 different police investigations. The programme had reportedly informed the agency of the files some two months ago.

The breach spanned over 700 pages of data. Europol says most pages contain public information and that those that were not public have not had any effect on ongoing investigations.

“Individual mistake by ex-staff, yes, some data yes, but most information is public anyway and of those that were not public, no ongoing investigation has been jeopardised,” said Op Gen Oorth.

But Dutch liberal MEP Sophie in ’t Veld wants Europol’s director Rob Wainwright and the EU commissioner in charge of security, Julian King, to explain the leak before the EU parliament.

“This is extremely shocking. Europol was aware of this security incident since September, yet its director decided not to inform the parliament during a joint meeting of the European Parliament and the national parliaments on Europol scrutiny just two days ago,” she said.

The breach poses larger questions about data protection standards of an agency, whose investigative powers are set to expand next May. Leaked information may also strain relations with other EU states, who may be reluctant to share data if it is not properly secured.

The new rules will make it easier for the agency, which employs over 600, to set up so-called specialised units. Those units are likely to work a lot closer with intelligence agencies in an effort to crack down on terrorism and crime.

Europol is helping police track down terrorists and other criminals. It maintains a terrorist database, known as Focal Travellers Point, to help coordinate their efforts. The database contains information on some 34,000 people, including foreign fighters.

The agency had also processed some 80 terabytes of data in the aftermath of the Paris and Brussels terror attacks.

Article source: https://euobserver.com/justice/136097


Sage escapes financial damage from ‘criminal’ data breach

Shareholders of Sage breathed a sigh of relief today as a cyber-attack did not dent the accounting software firm’s financial performance.

Revenues rose 9.3% to £1.57 billion in the year ended September, with operating profits up 9% at £427 million. 

However, Sage took a £110 million hit as part of its two-year turnaround operation, which, combined with a fall in the value of the pound since the Brexit vote, dragged pre-tax profits down slightly to £275 million.

The company declined to comment on the data breach in August, which exposed the details of up to 300 corporate customers, saying it was the subject of an “ongoing criminal investigation”. 

Two days after news of the hack, a 32-year-old worker from Sage was arrested at Heathrow on suspicion of conspiracy to defraud.

Asked about potential reputational damage, chief executive Stephen Kelly said: “Our first port of call when it happened was to communicate with our customers… and I think they respect us for that.”

Shares in the FTSE 100 group rose 7.5p to 683p.


Article source: http://www.standard.co.uk/business/sage-escapes-financial-damage-from-criminal-data-breach-a3408651.html


UK National Lottery data breach: Fingers crossed – it might not be you

Cyber criminals appear to be using passwords and email addresses from previous breaches to gain access to 26,000 online UK National Lottery accounts.

Camelot, the company behind the National Lottery, detected the scam and subsequent attempted frauds and responded by locking down accounts, triggering compulsory password resets and contacting those affected directly. Although 26,500 accounts were compromised, Camelot reckons fewer than 50 have had some activity take place within the accounts and that this was limited to some of their personal details being changed.

In a statement, Camelot downplayed the significance of the incident – which didn’t result in financial fraud but might nonetheless have exposed the personal details of thousands.

We would like to make clear that there has been no unauthorised access to core National Lottery systems or any of our databases, which would affect National Lottery draws or payment of prizes. In addition, no money has been deposited or withdrawn from affected player accounts.

We do not hold full debit card or bank account details in National Lottery players’ online accounts and no money has been taken or deposited. However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed.

Camelot added that it was “working closely” with the National Crime Agency and the National Cyber Security Centre over criminal access to its systems.

James Maude, senior security engineer at global cyber security firm Avecto, said the incident represents the latest in a growing line of similar attacks, which ultimately depend on consumers reusing passwords on multiple sites.

“This is part of a continuing trend of credential stuffing, where passwords from one breach are reused to gain access to other accounts to harvest more personal information,” Maude said. “Users need to be aware of the dangers of reusing passwords especially when these cross the boundary between personal and business accounts.”

“Though Camelot believe fewer than 50 customers have had activity take place within their accounts, it’s yet another wakeup call for organisations to bolster the security of customer data. Taking proactive steps to secure systems and monitor for breach attempts, rather than reactive measures after an event,” he added.

The credential stuffing attack against Camelot customers follows shortly after a technically similar attack against users of online takeaway firm Deliveroo that resulted in victims being charged for food they did not order. Victims were reimbursed and Deliveroo has promised to improve the security of its systems by requiring additional checks before delivering food to new addresses, among other measures.

UK data privacy watchdogs at the ICO said that the body has launched an investigation into the incident. It said Camelot had notified it prior to going public this morning.

Ollie Whitehouse, technical director at NCC Group, added: “This latest hack is yet another example of why people should use different and strong passwords for all online accounts due to the lack of transparency with regards to how they are held. Although individual breaches like this might seem small or harmless, they could eventually have more serious consequences for individuals who choose to recycle the same passwords.” ®
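Camelot's response described above (detect the stuffing run, lock the touched accounts, force password resets) can be approximated in a first-pass detector that keys on what distinguishes credential stuffing from an ordinary user's typos: one source trying many distinct accounts in a short window, with some attempts succeeding. The following is an added example written for this page, not code from Camelot, Avecto, NCC Group or any quoted party; the log lines are constructed, and the field layout, the five-minute window and the five-account threshold are assumptions a defender would tune to their own authentication logs.

```python
"""Credential-stuffing detector over constructed authentication log lines.

Added example for this page; not code from any organisation named in it.
Log format (assumed): ISO timestamp, source IP, account, result (OK/FAIL).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source sprays seven accounts in six seconds
# (two of them succeed), one user fumbles their own password, one is clean.
SAMPLE_LOG = """\
2016-11-30T08:00:01 203.0.113.7 alice FAIL
2016-11-30T08:00:02 203.0.113.7 bob FAIL
2016-11-30T08:00:02 203.0.113.7 carol OK
2016-11-30T08:00:03 203.0.113.7 dave FAIL
2016-11-30T08:00:04 203.0.113.7 erin FAIL
2016-11-30T08:00:05 203.0.113.7 frank OK
2016-11-30T08:00:06 203.0.113.7 grace FAIL
2016-11-30T08:05:00 198.51.100.4 alice FAIL
2016-11-30T08:05:30 198.51.100.4 alice FAIL
2016-11-30T08:06:00 198.51.100.4 alice OK
2016-11-30T09:00:00 192.0.2.9 heidi OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, account, success)."""
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: set(accounts)} for sources that attempted logins against at
    least `min_accounts` distinct accounts inside any `window`-long span.

    Breadth of accounts, not failure rate, is the signal: stuffed credentials
    from an earlier breach partly work, so a pure failed-login counter misses
    exactly the successes that matter.
    """
    events = defaultdict(list)  # ip -> [(timestamp, account, success)]
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, account, ok = parse_line(line)
            events[ip].append((ts, account, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            accounts = {account for _, account, _ in evs[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[ip] = accounts | flagged.get(ip, set())
    return flagged


def accounts_to_lock(log_text, **kw):
    """Accounts that saw a *successful* login from a flagged source.

    These are the candidates for the lock-and-reset step: the attacker holds a
    working password for them, so a reset is needed regardless of whether any
    activity followed the login.
    """
    flagged = detect_credential_stuffing(log_text, **kw)
    hits = set()
    for line in log_text.splitlines():
        if line.strip():
            _, ip, account, ok = parse_line(line)
            if ok and ip in flagged:
                hits.add(account)
    return sorted(hits)


if __name__ == "__main__":
    for ip, accounts in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"stuffing from {ip}: {len(accounts)} accounts tried")
    print("lock and reset:", accounts_to_lock(SAMPLE_LOG))
```

The sliding window is per source IP, which is the simplest cut; real stuffing runs rotate through proxies, so a production version would additionally key on user-agent fingerprints or on the global rate of distinct accounts per minute. The distinct-account threshold is what keeps the single user at 198.51.100.4 out of the result even though they failed twice.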


Article source: http://www.theregister.co.uk/2016/11/30/national_lottery_breach/


Data breach could cost $3 million, Michigan State says

EAST LANSING – Whoever hacked into a Michigan State University database earlier this month “found the Holy Grail,” according to one security expert.

Names and MSU identification numbers were exposed along with social security numbers, which are extremely valuable to criminals, said Paul Stephens, director of policy and advocacy for Privacy Rights Clearinghouse.

Armed with social security numbers, a criminal could open up new credit cards or file someone’s taxes and collect their refund. And unlike having a credit card number exposed, consumers can’t simply call their bank and have the account closed, Stephens said.

Between providing identity protection and enhancing its security systems, MSU estimates that it will spend $3 million in response to the attack. 

The potential for identity theft underscores why institutions like MSU shouldn’t hold onto these records for more than a couple years after someone leaves, Stephens added.

“There’s no need to maintain certain data elements,” Stephens said. “And MSU shouldn’t have maintained social security numbers.”

MSU spokesman Jason Cody defended MSU’s record keeping, saying the university needs the records because it maintains “ongoing relationships with members of our community long after they leave us.”

MSU also keeps extensive records for current and past employees who collect benefits through MSU, Cody added.

The compromised database did not include passwords or financial, academic, contact or health information.

An email from the alleged hacker seeking money arrived on Nov. 13, alerting the university to the data breach, Cody said. Some 400,000 records for current and former students and staff were on the exposed database. MSU first announced the breach and began alerting those affected five days after finding out about the attack and about an hour before most banks close for the week.

Defending the amount of time between the attack and the alert, Cody said law enforcement officials needed to be contacted and the cause of the attack needed to be identified to prevent further attacks. MSU’s timeframe “wasn’t particularly egregious,” according to Stephens.

While MSU may review its data policies in response to the breach, there are no current plans to change what information is kept, Cody said. Forensic experts from MSU, alongside law enforcement, confirmed only 449 of the 400,000 exposed records were accessed.

Stephens cast doubt on that figure.

“If (MSU) couldn’t see their database was hacked in the first place, how much confidence can you put in the number of records accessed,” he asked, referring to the fact that MSU was notified of the hack by an alleged perpetrator.

MSU officials have signed a contract with AllClear ID to provide identity protection for anyone whose records were on the compromised database.

A recent study funded by IBM found the average cost of a data breach for affected organizations is about $4 million.  

More than 5,200 data breaches have been made public since 2005, according to Privacy Rights Clearinghouse, exposing some 900,000,000 records. MSU is targeted, “hundreds of thousands of times” a month by digital attacks, Cody said, from attempted breaches to malware emails.

After the email arrived, MSU immediately contacted law enforcement and began investigating how the breach occurred, Cody said. The database was taken offline within 24 hours. MSU has determined the breach was caused by a piece of licensed software.

Those affected include students who attended MSU between 1991 and 2015 and faculty, staff and students employed by the university between 1970 and Nov. 13.

Despite never working for or attending MSU, Jeff Kussow said he received a letter from MSU saying his records were part of the breach.

“In fact, I’ve never set foot on the campus and don’t recall enrolling in anything they’ve offered, even online,” Kussow wrote in an email.

Applying to graduate school in the mid-1990s was the only contact Kussow remembers having with MSU.

Cody said there’s no reason to believe information from applicants was on the compromised database. A handful of people like Kussow have contacted MSU in the past week after receiving letters despite no connection to MSU. Cody chalked it up to someone having the same name as someone who did attend or work for the university.

MSU began sending out emails and letters about the hack Nov. 18, Cody said. Anyone whose data was compromised is advised to visit msu.edu/datasecurity to sign up for identity protection. Those wishing to know if they were affected by the breach or wanting to sign up for identity protection should call 1-855-231-9331.

Stephens advised those affected to sign up for additional credit monitoring and file their taxes early to prevent a criminal from claiming their refund.

In 2014, the University of Maryland took about a day to disclose a data breach that included some 300,000 personal records. That same year, Target waited close to two months to let customers know of a breach that affected millions of customers. Ohio State University took about a month in 2010 to disclose that some 760,000 people had their data exposed and were at risk of identity theft.

Cody said further details about the breach, including where it came from, aren’t yet known. A criminal investigation is ongoing.

Contact RJ Wolcott at (517) 377-1026 or [email protected]. Follow him on Twitter @wolcottr.

Looking for identity protection?

For help signing up for identity protection, call 1-855-231-9331 or visit msu.edu/datasecurity/

Article source: http://www.lansingstatejournal.com/story/news/local/2016/11/30/msu-estimates-spending-3-million-responding-data-breach/94541962/


Data Breach Notification In the EU: A Comparison of US and Soon-To-Be EU Law

In the United States, Congress has repeatedly attempted, but failed, to agree on federal data breach notification legislation. As a result, there is no single federal statute that imposes a breach notification obligation on most companies. Instead, 47 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach. The only states without such laws are Alabama, New Mexico, and South Dakota, although their citizens may be covered in some situations by the data breach laws of other states.

Historically, the European Union has also not had a general, non-sectoral data breach notification statute. Uniform data breach notification rules were only established for the telecommunication sector. While some member states enacted broader breach notification legislation, by and large there was far less uniformity in the EU between, and among, member states than existed in the United States.

The EU’s new General Data Protection Regulation (“GDPR”) includes, for the first time, a broad breach notification requirement. The requirement purports to apply not only to companies based in the EU, but to United States companies that process information and (1) intend to offer products or services to people in the EU, or (2) monitor people in the EU.1 Under the GDPR, a “personal data breach” is defined broadly as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”2 It will formally go into force in the spring of 2018.

The GDPR’s breach notification requirements are modeled loosely after those found in the United States. For example, US breach notification laws generally require that data licensees notify data owners of a data breach, and data owners, in turn, notify consumers and/or government regulators of a security breach. The GDPR imposes a requirement on data processors to notify data controllers of a data security breach.3 Data controllers, in turn, must notify consumers and/or government regulators.4 That said, there are several significant differences including: 

  1. Type of Information Governed. Data breach notification laws in the United States apply only to enumerated types of data that are considered particularly sensitive such as Social Security Numbers, financial account numbers, or driver’s license numbers. The GDPR’s breach notification provision applies to all types of “personal data” – a term that is defined as “any information relating to identified or identifiable natural person (data subject).”5
  2. Materiality Threshold For Government Notification. Some breach notification laws in the United States only require notification if the breach is “material” (e.g., it compromises confidentiality, security, or privacy of an individual). The GDPR’s breach notification provision requires notifying a government agency (i.e., the relevant Data Protection Authority) unless the breach is not likely to result in a risk to the “rights” of individuals.6
  3. Time Limit To Notify Government. The shortest time period in which a company must act in the United States to notify a government agency following a data breach is 10 days. The GDPR’s breach notification provision will require notification to occur within 72 hours of discovering a breach. Companies that notify after that time will be required to provide a “reasoned justification” for the delay.7 Once the company has notified the government authority of a personal data breach, the company may have to coordinate with governmental authorities concerning the necessity of notifying individual data subjects.8
  4. Materiality Threshold For Consumer Notification. Some breach notification laws in the United States only require notification if the breach is “material” (e.g., it compromises confidentiality, security, or privacy of an individual). The GDPR’s breach notification provision requires notification to the impacted individual only if there is a “high risk” to the “rights” of the data subject.9 Such notifications must contain (1) a description of the nature of the personal data breach, (2) the categories and approximate number of data subjects, (3) the contact information of the company’s data protection officer, (4) the likely consequences of the personal data breach, and (5) the measures taken by the company to address and mitigate the personal data breach.10 Where a high risk does not exist, such as when the breached personal data was encrypted, notification is not required.
  5. Damages. United States breach notification statutes differ in terms of whether they specifically confer a private right of action. The GDPR’s breach notification provision grants an individual a right to seek compensation for any damages that they suffer from a violation of the requirements under the GDPR, e.g. if the company fails to comply with the GDPR notification requirements.11
  6. Penalties. United States breach notification statutes differ in terms of whether they specifically confer a fine or penalty for failure to comply. If a company fails to comply with the breach notification obligations in the GDPR, the data protection authority in a member state may seek an administrative fine of up to the greater of € 10 million or 2% of the company’s annual revenue.12

The following summarizes some of the key provisions of the GDPR notification provisions: 

What to consider when preparing for the GDPR:

  1. Is your organization subject to the GDPR?
  2. What data does your organization keep that could trigger the GDPR notification obligation?
  3. Which government agency would you need to report a breach to within the EU?
  4. Have you modified your incident response plan to account for the EU government and consumer notification requirement?
  5. Have you reviewed your incident response policies with vendors for compliance with the new GDPR breach notification requirements?

1. GDPR Recitals ¶¶ 20, 21; GDPR Art. 3(1), (2).

2. GDPR Art. 4(9).

3. GDPR Art. 31(1), (2).

4. Id.

5. GDPR Art. 4(1).

6. GDPR Art. 31(1).

7. GDPR Art. 31(1).

8. GDPR Art. 32(4).

9. GDPR Art. 32(1).

10. GDPR Art. 32(1), (2), 31(3)(b), (d), (e).

11. GDPR Art. 77(1).

12. GDPR Art. 79(3a).


Article source: http://www.jdsupra.com/legalnews/data-breach-notification-in-the-eu-a-31594/


Trump Hotel Collection reaches settlement after data breaches

NEW YORK (Legal Newsline) – In September, New York Attorney General Eric T. Schneiderman announced a settlement with Trump Hotel Collection (THC) after data breaches allegedly exposed more than 70,000 credit card numbers and other personal data.

According to Schneiderman, THC failed to timely notify its customers of a first security incident and failed to timely implement THC’s forensic investigator’s remediation recommendation before the second security incident occurred.

The agreement also explained that THC must pay $50,000 in fines and is required to improve its data security.

“It is vital in this digital age that companies take all precautions to ensure that consumer information is protected, and that if a data breach occurs, it is reported promptly to our office, in accordance with state law,” Schneiderman said.

“Consumers’ personal information are all too often exposed to wrong-doers with ill-intent. We will continue working to help protect hardworking New Yorkers from all forms of identity theft.”

According to court documents, in May 2015 multiple banks analyzed hundreds of fraudulent credit card transactions and determined that THC was the last merchant in which a legitimate transaction took place.

The investigation traced the breach back to May 19, 2014, when an attacker infiltrated THC’s payment processing system.

“Using this unauthorized access, the attacker deployed malware designed to steal credit card information across the THC computer network and credit card processing environment,” the court document said. “By June 10, 2015, a preliminary forensic investigation confirmed the existence of credit card targeting malware at multiple THC locations, including in the computer networks associated with New York, Las Vegas and Chicago hotels.”

According to the AG’s report, despite THC’s knowledge that multiple properties had been infiltrated with malware designed to steal credit card numbers and that banks had analyzed multiple fraudulent transactions and identified THC as the source of the breach, it did not provide notice to customers until close to four months later, in September 2015, when it placed a notice on its website about the data security breach.

The AG’s office also explained that on March 30, THC received additional reports from its payment processors about a second breach. Another forensic investigation revealed that THC experienced a second breach in which an attacker gained unauthorized access on Nov. 10, 2015.

The final forensic investigation report of the first breach recommended that THC adopt additional security precautions including “two-factor authentication” for remote access to the THC network, which is an extra layer of security that requires not only a username/password but additional information that only the user will know. THC did not implement the recommendations in a timely manner, Schneiderman alleged.

“It was not until April 4, 2016, that THC adopted this solution,” the AG’s office said in a press statement. “If THC had adopted this solution after the first breach, consistent with its forensic investigator’s recommendation, it may have prevented the second breach.”

This settlement, according to the AG’s office press release, demonstrates its commitment to keeping fraudulent activity from happening to its citizens and holding companies accountable for their lack of security when something like the THC breach happens.

Article source: http://legalnewsline.com/stories/511046355-trump-hotel-collection-reaches-settlement-after-data-breaches


Data Breach Notification In the EU: A Comparison of US and Soon-To-Be EU Law

In the United States Congress has repeatedly attempted, but failed, to agree on federal data breach notification legislation. As a result, there is no single federal statute that imposes a breach notification obligation on most companies. Instead, 47 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach. The only states without such laws are Alabama, New Mexico, and South Dakota, although their citizens may be covered in some situations by the data breach laws of other states.

Historically the European Union has also not had a general, non-sectoral, data breach notification statute. Uniform data breach notification rules were only established for the telecommunication sector. While some member states enacted broader breach notification legislation, by and large there was far less uniformity in the EU between, and among, member states, then existed in the United States.

The EU’s new General Data Protection Regulation (“GDPR”) includes, for the first time, a broad breach notification requirement. The requirement purports to apply not only to companies based in the EU, but to United States companies that process information and (1) intend to offer products or services to people in the EU, or (2) monitor people in the EU.1 Under the GDPR, a “personal data breach” is defined broadly as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.2 It will formally go into force in the spring of 2018.

The GDPR’s breach notification requirements are modeled loosely after those found in the United States. For example, US breach notification laws generally require that data licensees notify data owners of a data breach, and data owners, in turn, notify consumers and/or government regulators of a security breach. The GDPR imposes a requirement on data processors to notify data controllers of a data security breach.3 Data controllers, in turn, must notify consumers and/or government regulators.4 That said, there are several significant differences including:

  1. Type of Information Governed. Data breach notification laws in the United States apply only to enumerated types of data that are considered particularly sensitive such as Social Security Numbers, financial account numbers, or driver’s license numbers. The GDPR’s breach notification provision applies to all types of “personal data” – a term that is defined as “any information relating to identified or identifiable natural person (data subject).”5
  2. Materiality Threshold For Government Notification. Some breach notification laws in the United States only require notification if the breach is “material” (g., it compromises confidentiality, security, or privacy of an individual). The GDPR’s breach notification provision requires notifying a government agency (i.e., relevant Data Protection Authority) unless the breach is not likely to result in a risk of the “rights” of individuals.6
  3. Time Limit To Notify Government. The shortest time period in which a company must act in the United States to notify a government agency following a data breach is 10 days. The GDPR’s breach notification provision will require notification to occur within 72 hours of discovering a breach. Company’s which notify after that time will be required to provide a “reasoned justification” for the delay.7 Once the company has notified the government authority of a personal data breach, the company may have to coordinate with governmental authorities concerning the necessity of notifying individual data subjects.8
  4. Materiality Threshold For Consumer Notification. Some breach notification laws in the United States only require notification if the breach is “material” (g., it compromises confidentiality, security, or privacy of an individual). The GDPR’s breach notification provision requires notification to the impacted individual only if there is a “high risk” to the “rights” of the data subject.9 Such notifications must contain (1) a description of the nature of the personal data breach, (2) the categories and approximate number of data subjects, (3) the contact information of the company’s data protection officer, (4) the likely consequences of the personal data breach, and (3) the measures taken by the company to address and mitigate the personal data breach.10 Where a high risk does not exist, such as when the breached personal data was encrypted, notification is not required.
  5. Damages. United States breach notification statutes differ in terms of whether they specifically confer a private right of action. The GDPR’s breach notification provision grants an individual a right to seek compensation for any damages that they suffer from a violation of the requirements under the GDPR, e.g. if the company fails to comply with the GDPR notification requirements.11
  6. Penalties. United States breach notification statutes differ in terms of whether they specifically confer a fine or penalty for failure to comply. If a company fails to comply with the breach notification obligations in the GDPR, the data protection authority in a member state may seek an administrative fine of up to the greater of € 10 million or 2% of the company’s annual revenue.12

The following summarizes some of the key provisions of the GDPR notification provisions:

What to consider when preparing for the GDPR:

  1. Is your organization subject to the GDPR?
  2. What data does your organization keep that could trigger the GDPR notification obligation?
  3. Which government agency would you need to report a breach to within the EU?
  4. Have you modified your incident response plan to account for the EU government and consumer notification requirement?
  5. Have you reviewed your incident response policies with vendors for compliance with the new GDPR breach notification requirements?


Article source: http://www.lexology.com/library/detail.aspx?g=8185429b-c98d-484a-9fce-890606c42804


Data Breach Preparation and Response: Breaches are Certain, Impact is Not

Remediating Your Exposures

Once a thorough understanding of the components of the Breach Breakdown, the systems that were involved, and the vulnerabilities that were exploited has been established, remediation steps can begin. These steps should be prioritized based on the systems’ positioning within the network, the criticality of the vulnerability, and the complexity of the fix. Externally facing systems should be addressed first, since they have the highest likelihood of being compromised again, followed by internal systems in and around the location of the targeted data. The diagram you presumably created of all the systems involved in the Breach is a great mechanism for tracking system vulnerabilities and determining the order of remediation. The same is true for deploying new countermeasures such as firewalls, encryption, or user-based access control mechanisms.

Author: Kevvie Fowler

Learn more about Data Breach Preparation and Response from publisher Syngress

There is a common misconception that once the vulnerabilities on the affected systems have been addressed, they are now “safe” from attackers. Well, how do you know that the fixes and countermeasures that have been deployed are having the desired impact? The short answer is, “you don’t.” In many of the cases I have worked, when I bring this exact point up, I get the “deer in the headlights” look. So, I happily (it’s sort of fun at this point in my career) repeat my question, this time a bit more slowly, emphasizing every few words: “How do you know that the steps that you have taken to secure the affected systems are having the desired impact?” The overwhelming majority of the time, the answer has been, “We don’t.”

Imagine the logic in that. There is a significant data Breach that is going to be expensive to investigate, will have a presently unquantifiable negative impact on the brand and company valuation (including stock price), and may very well end up being litigated for the next few years. You figure out how the Breach took place and focus all available resources on remediating the vulnerabilities that were exploited by the attackers. But you don’t see the need to get an external team of experts to VALIDATE that those fixes are actually doing what you think they are going to do. Why? I said they would work, and they will! That’s good enough, right? Yet as crazy as that sounds, it is very much a reality in organizations all over the world.

Funny how in so many other aspects of life this is simply assumed, but in computer security it’s like a pink fluffy unicorn dancing on a rainbow. Would you let your plumber fix a water leak without testing it to make sure the pipe is not still leaking? Would you expect your mechanic to fix the air conditioning on your car without turning it on to make sure it’s blowing cold air? Would you want your doctor to remove a cast from a broken bone without taking an X-ray to determine if the bone had healed properly? No, no, and no. So why in the world, after suffering an expensive, damaging data Breach, would you not expect to test the remediation steps to make sure they are functioning properly? Hint: you shouldn’t.

For this process, I recommend retaining external penetration testing or “Red Team” services, which we discuss further in Chapter 8, to ensure that the specific vulnerabilities exploited by the attackers have been remediated, and to confirm that any countermeasures that have been deployed are having their intended impact. There are a few reasons for my recommendation to use an external team rather than internal resources. One, they are experts in identifying and exploiting system, configuration, and application weaknesses. They will look at your systems through the eyes of an attacker and provide you with a candid view of your security posture, something you may not be willing or able to do. Two, they are not beholden to anyone within your organization and can therefore remain unbiased. Political pressures will exist from the executives or the IT manager (likely both) to provide a “clean bill of health” so that business can resume. These pressures can also surface from individuals within the organization whose responsibility was to maintain the security of the impacted systems, who may very well be in jeopardy of losing that job. These pressures and the desire to get back to normal operations can lead to premature or imprecise decision making that could very well do more harm to the organization than good.

An external tester that is not beholden to anyone within the organization is free (for the most part, albeit not entirely) from these pressures. Three, they can also help to identify vulnerabilities that you may or may not have known about and help prioritize them based on their exploitability. Not all vulnerabilities are exploitable in the context of the current environment and its security controls. Understanding the impact of known vulnerabilities can help direct your remediation priorities. In addition, the likelihood of exploitation, given a vulnerability’s complexity, knowledge requirements, or attack vector, also plays into this prioritization.

Article source: http://searchsecurity.techtarget.com/feature/Data-Breach-Preparation-and-Response-Breaches-are-Certain-Impact-is-Not


Berkshire Medical Center reports data breach affecting 1700 patients

Information for 1,745 Berkshire Medical Center cardiology patients was found on thumb drives belonging to a vendor employee, according to The Berkshire Eagle.

Pittsfield, Mass.-based BMC contracted with the vendor, Wilmington, Del.-based Ambucor Health Solutions, to provide remote monitoring for cardiac devices.

Earlier this year, Ambucor told BMC that an Ambucor employee emailed information on 41 BMC patients to his personal computer. Ambucor informed each of those 41 patients. But in September, Ambucor found the employee possessed two thumb drives containing information for 1,745 patients, including some of the initial 41.

Ambucor said the thumb drives contained patients’ names, dates of birth, addresses, phone numbers, testing data, ethnicity and identification numbers. They did not contain Social Security numbers, or financial, insurance, Medicaid and Medicare information.

Ambucor is notifying all affected patients and offering one year of identity protection services. If necessary, the company is also providing impacted patients with recovery services and $1 million in identity theft insurance.


Article source: http://www.beckershospitalreview.com/healthcare-information-technology/berkshire-medical-center-reports-data-breach-affecting-1-700-patients.html
