Posts Tagged ‘data breach’

Negligent Employees Are Leading Cause of Data Breaches

Friday, April 6th, 2012

It’s that time of year again. Ponemon recently published its latest survey of data breach costs. The report–sponsored by Symantec–provides a lot of valuable information and insight into the underlying causes of data breaches, and the impact on organizations that don’t take the appropriate precautions to prevent them.

For the first time in the seven years Ponemon has been tracking this data, the average cost of a data breach has declined. The total impact went down from $7.2 million to only $5.5 million, and the average cost per compromised record dropped from $214 to $194. The decline in financial impact of a data breach can be largely attributed to customer apathy. Data breaches are so common that users are jaded and less likely to pack up and take their business elsewhere. It’s good news for the affected companies, but for the wrong reason.

Here are some other key findings from the report highlighted in a Symantec press release:

  • Negligent insiders and malicious attacks are the main causes of data breach. Thirty-nine percent of organizations say negligence was the root cause of the data breaches. For the first time, malicious or criminal attacks account for more than a third of the total breaches reported in this study. Since 2007, they also have been the most costly breaches. Accordingly, organizations need to focus on processes, policies and technologies that address threats from the malicious insider or hacker.
  • Certain organizational factors reduce the overall cost. If the organization has a CISO with overall responsibility for enterprise data protection the average cost of a data breach can be reduced as much as $80 per compromised record. Outside consultants assisting with the breach response also can save as much as $41 per record. When considering the average number of records lost or stolen, all of these factors can provide significant and positive financial benefits.
  • Specific attributes or factors of the data breach also can increase the overall cost. For example, in this year’s study organizations that had their first ever data breach spent on average $37 more per record. Those that responded and notified customers too quickly without a thorough assessment of the data breach also paid an average of $33 more per record. Data breaches caused by third parties or a lost or stolen device increased the cost by $26 and $22, respectively.
  • Detection and escalation costs declined but notification costs increased. Detection and escalation costs declined from approximately $460,000 in 2010 to $433,000 in 2011. These costs refer to activities that enable a company to detect the breach and whether it occurred in storage or in motion.
  • More customers remain loyal following the data breach. For the first time, fewer customers are abandoning companies that have a data breach. However, certain industries are more susceptible to customer churn, which causes their data breach costs to be higher than the average. Taking steps to keep customers loyal and repair any damage to reputation and brand can help reduce the cost of a data breach.

Texas Police Officer Details Exposed

Monday, February 6th, 2012

The hacktivist collective known as Anonymous is taking credit for exposing the names, addresses, and police departments of hundreds of Texas police officers. The group hacked the Texas Police Association website to obtain the data because it feels that the official response to a police officer found to be collecting child pornography is too timid.

While it is understandable to be upset, and sympathize with the cause, the actions of Anonymous can’t be excused. Compromising personal information of law enforcement officers doing their duty to protect their communities, in retaliation for the actions of a sick rogue officer or even the seemingly tepid response to his alleged crimes, crosses the line no matter how you slice it.

That said, this also isn’t the first time the Texas Police Association has been targeted, and there is also no excuse for why sensitive information like the personal addresses of police officers is not better protected. The Texas Police Association needs to take a close look at its network and data security measures. It should have tools in place that encrypt and protect the data stored there even if hackers manage to compromise the server itself.

Trusting Employees Is Bad Security Policy

Thursday, November 10th, 2011

Companies like to be able to trust employees. This is particularly true in smaller companies, where the environment is more like a family and the founders/owners are often personal friends with the employees. In the end, though, business is business and it doesn’t mix well with personal trust–especially when it comes to protecting sensitive and confidential data.

Michael Pattison, the head of Allens Arthur Robinson’s technology law group, is quoted saying, “Ultimately you trust people that you employ, so it’s depressing to find at times that the trust is breached.”

When employees leave a company–whether through firing or of their own accord–they often take proprietary and sensitive data with them out the door. Computershare is learning that lesson the hard way. An employee resigned and the company is accusing her of having stolen internal documents, emails, and possibly personal data and financial records of millions of shareholders that rely on Computershare’s global share registry.

A certain measure of trust is expected between employees and employers. If either party can’t trust the other to some extent, it creates a paranoid, hostile work environment. But, trust is a poor policy for data protection, and companies need to have tools in place to secure sensitive data even from the employees it is entrusted to.

Israeli Data Breach Has Terrorist Implications

Thursday, October 27th, 2011

Any time personal details and sensitive information are breached it’s a problem. Most of the time, though, people are concerned with receiving more spam, or–at worst–identity theft that could lead to funds being taken from bank or investment accounts, or debt being run up in the name of the victim. A data breach in Israel, however, put the details of virtually the entire population at risk in a way that could be used by terrorists or opposition forces to target certain demographics or individuals.

The compromised data includes names, ID numbers, addresses, birth dates, and other sensitive data such as relationships between individuals for 9 million Israeli citizens. The information was illegally distributed in a program called Agron 2006 which enables users to query the database and drill down through the data to identify demographic sectors of society, and trace the relationships between key individuals. In the wrong hands, this information could be used to target certain groups or individuals, and put their extended families and friends at risk as well.

The Justice Ministry investigation has been ongoing for five years, and just recently resulted in the arrest of six individuals. Bringing responsible parties to justice is important, but the proverbial horse has already escaped the barn. Hopefully the Israeli government has implemented better data encryption and data loss prevention tools to prevent such incidents from occurring in the first place in the future.

Anonymous Austria “Stumbles Upon” Data on 600,000

Wednesday, October 5th, 2011

The records of more than 600,000 individuals insured by Tyrolean Health Insurance (TGKK) have been compromised by the Austrian arm of the hacker collective known as Anonymous.

In this particular case, though, Anonymous Austria insists that it didn’t have to do any fancy hacking to get the data–it just “found it”. TGKK agrees because it is adamant that its network and servers were not breached.

A TGKK official stressed that no hackers have penetrated the insurer’s double firewall. But, if personal information on 600,000 customers has been exposed or compromised in any way, the double firewall and extensive security measures in place internally on TGKK servers offer little solace.

The fact remains that data entrusted to TGKK–that TGKK is obligated to protect and securely maintain–is now in the hands of someone else. In fact, it is actually a larger issue that the information was just “discovered” online somewhere. It would be better if Anonymous Austria had to demonstrate some degree of hacking prowess to acquire the data.

The question for TGKK is “what good is a double firewall and formidable server protection if you transmit or share unencrypted and unprotected data across the Internet?”

TGKK should be using tools to ensure that sensitive data doesn’t leave the network in the first place. If the data transmission is authorized and legitimate, TGKK should have a record of exactly who sent the data and where it went, and the data should be encrypted so it can’t be intercepted and accessed by unauthorized users.

There Comes a Point Where It’s Willful Neglect

Monday, September 26th, 2011

Benefits Administration Services (BAS) revealed that a CD containing sensitive information on about 4,000 U.S. Steel Mining retirees and their dependents is lost in the mail somewhere. The CD is supposedly password protected, but the data it contains is not encrypted.  

I think we’ve all been pretty tolerant of data breaches up to now. Perhaps too tolerant.

We always give the benefit of the doubt to companies and their employees: “They didn’t mean to expose my Social Security number”, or “I’m sure it was an accident that the medical center posted my health record on the Web”, or “Well, it’s not my bank’s fault that the postal system lost the disc with my data on it.”

But, those excuses won’t fly any more. Companies and employees do know better. It is a simple matter of having solid data handling and data protection policies, and the tools in place to enforce them. That worker probably didn’t intend to expose your Social Security number, but a data loss prevention (DLP) tool could have prevented the inadvertent exposure. It probably was an accident that your medical records were posted online, but a DLP gateway would prevent that information from leaving the network. Your bank can’t guarantee that the post office won’t lose a disc in transit, but they can have tools in place to automatically encrypt data so that it is protected from unauthorized access.
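As an added illustration of the kind of outbound content check a DLP gateway performs (this is example code, not from the original post or any vendor’s product), the Python snippet below flags plausible U.S. Social Security numbers in an outbound message, masks them so the audit log does not leak them, and records who sent the message and where it went. The sample messages and addresses are constructed.

```python
import re

# Dashed SSN pattern; the structural check below applies the Social Security
# Administration's issuance rules: area 000, 666 and 900-999 are never issued,
# and group 00 / serial 0000 are never issued. This cuts false positives on
# ticket or purchase-order numbers that merely look like an SSN.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text: str) -> list:
    """Return plausible SSNs found in text, masked to the last four digits."""
    hits = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append("***-**-" + m.group(3))
    return hits


def inspect_outbound(sender: str, recipient: str, body: str) -> dict:
    """Gateway verdict for one outbound message: block if it carries an SSN.

    The returned record is the audit trail the post asks for: who sent it,
    where it was going, the decision, and masked evidence for the hit.
    """
    hits = find_ssns(body)
    decision = "block" if hits else "allow"
    return {"sender": sender, "recipient": recipient,
            "decision": decision, "ssn_hits": hits}


# Constructed sample traffic (not real people, addresses or numbers).
SAMPLE_MESSAGES = [
    ("hr@example.test", "payroll@vendor.test",
     "New hire SSN 123-45-6789, start Monday."),
    ("it@example.test", "helpdesk@example.test",
     "Ticket 000-12-3456 opened; PO 987-65-4321."),
    ("clinic@example.test", "patient@mail.test",
     "Your appointment is confirmed for 9am."),
]

if __name__ == "__main__":
    for sender, recipient, body in SAMPLE_MESSAGES:
        print(inspect_outbound(sender, recipient, body))
```

Only the first sample message is blocked; the ticket and purchase-order numbers in the second fail the issuance rules and pass through.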

In the past, we could forgive these things. But, data breaches are in the news almost daily. There are multiple industry, state, and federal mandates in place governing the effective protection of personal and sensitive data. No company or employee can claim ignorance at this point.

No. Now it’s a matter of willful neglect. Employees know what they’re supposed to do, but they’d rather take shortcuts and ignore data protection policies. Companies know what they’re supposed to do, but they’d rather save a buck and gamble with your personal data instead. 

DLP tools are not expensive–especially in relation to a data breach. There is no excuse.

Data Breaches Cost More than Data Protection

Friday, September 16th, 2011

Tony Bradley, Chief Marketing Officer for Zecurion, recently joined host Tom D’Auria on the IMI-TechTalk radio show to talk about data protection. The daily headlines of data being stolen, compromised, and exposed suggest that many organizations either don’t understand the risks, or fail to implement adequate protection. Often, those decisions are driven by dollars–organizations simply feel they can’t afford data loss prevention (DLP) or data encryption technologies that could prevent data breaches.

Unfortunately, many of those businesses end up learning the hard way that this approach is penny wise but pound foolish. Saving a few dollars in the short term can have significant repercussions when it costs the company exponentially more to recover from a data breach incident. You can listen to the entire IMI-TechTalk show by playing the recorded version from the IMI-TechTalk blog site.

True Statement–In Spite of the Source

Sunday, July 31st, 2011

Great advice is great advice no matter where it comes from, right?

A splinter or subgroup of the hacking collective known as Anonymous has hacked personal data of 214,000 Austrian television viewers and radio listeners. The group issued a statement explaining that it did not hack the data with the intent of doing harm to the individuals. It just wanted to demonstrate that the broadcaster had lax security and was not adequately protecting the data.

‘Such sensitive data must not be stored over many years and must not be so easily available to everyone,’ the group said.

They have a point.

Free Credit Monitoring Is the Least You Can Do…Literally

Saturday, June 25th, 2011

Free credit monitoring is the de facto response in the case of a data breach incident. The organization that was entrusted with sensitive, personal information that can be used to steal the customers’ money or identity (or both) generally picks up the tab for a year of free credit monitoring to keep an eye on things and make sure no suspicious activity occurs. With the rate and scope of data breaches these days, probably just about every American with a bank account or credit card already has free credit monitoring from at least one data breach–but not Citigroup.

Following a data breach that exposed information from as many as 360,000 credit card accounts, Citigroup sent letters to the affected customers with some helpful tips to follow, but it stopped short of offering any actual assistance. That translates roughly to “hey, sorry we didn’t take better care of your data–sucks being you.”

It’s the least you can do, Citigroup. No, really–it is literally the least you can do. It is the bare minimum you can offer loyal customers as some feeble apology for violating the trust of your customers and allowing sensitive data to be compromised or exposed. Honestly, the credit monitoring even seems like a paltry apology–but it is better than nothing, and it seems like the most logical course of action for the organization because there is no way of knowing up front which accounts will actually be impacted. Free credit monitoring at least lets customers know you care enough about having exposed their data to offer to keep a proactive eye on things rather than placing the burden on the customers to monitor for suspicious activity themselves.

Citigroup should be examining how the data breach occurred and putting tools and controls in place to ensure it doesn’t happen again. In the meantime, though, Citigroup should step up and offer free credit monitoring.

Texas Making Data Breach Headlines Once Again

Wednesday, June 15th, 2011

Just a couple months after the Texas State Comptroller’s office disclosed that it had exposed sensitive data on some 3.5 million residents, Texas is making data breach headlines again–albeit on a much smaller scale. A blog post from Austin’s KUTNews site explains, “As many as 4,900 current and former employees of the Texas Department of Assistive and Rehabilitative Services (DARS) may have had their personal information exposed in the latest data security breach involving state workers.”

Citing concern over interfering with the ongoing investigation by law enforcement, and not wanting to further compromise any data, the Texas agency is not yet sharing any details about how the breach may have occurred, or–more importantly–what data has been exposed. From the perspective of the affected individual, there is a big difference between exposing only a name and address, or exposing more sensitive details like driver’s license, Social Security, credit card data and such.

Given the relative ease with which hacking collectives like Anonymous and LulzSec are breaching networks and taking down Web servers, organizations of all sizes need to take a close look at their network security and data protection, and make sure it is locked down as tight as it can be. Employing tools to prevent sensitive data from being saved or transported on portable storage devices, or monitoring outbound network communications to ensure sensitive data doesn’t leave the network are crucial elements that organizations should employ to protect data.