Posts Tagged ‘data breach’

Honda Canada Hack Exposes Data on 280,000 Customers

Friday, May 27th, 2011

Honda Canada is informing some 280,000 customers of a data breach that exposed their personal data. The actual attack was discovered a couple months ago, but Honda Canada had to first determine the scope and impact of the attack before it could begin notifying customers.

There is some good news as well, though–at least good news relative to having data on 280,000 customers compromised. According to the notice sent by Honda to customers, the data that was exposed did not include sensitive details such as Social Security numbers, driver’s license information, birth dates, phone numbers or credit card numbers.

Good news aside, the delay in reporting the attack highlights an issue faced by many companies–they lack the archiving and logging that would make a forensic investigation of an incident much easier. IT admins should have tools in place to A) monitor outbound traffic and block sensitive data from being compromised or exposed, and B) create an audit trail for data that is allowed out so that IT admins can quickly and easily identify which data may be impacted by a security incident.

Sony Still Under Siege from Hackers

Wednesday, May 25th, 2011

Wow. Sony really pissed somebody off. It seems like every day there is news of another Sony network falling victim to attack.

Just in the past couple days one attack yielded 2,000 customer records, while another exposed 8,500 customer accounts. Of course, those are pocket change compared with the estimated 77 million accounts exposed by the hack of the Sony Playstation Network.

What is the lesson here, though? Is it that Sony pissed off the wrong hackers and other companies should try to stay more low profile so they don’t invite a similar wrath? Or, is it that Sony should have better network and data security so that hackers can’t just waltz in and take sensitive data?

I am going to suggest it is somewhere in the middle. Obviously, it is best not to poke the proverbial hornets’ nest, but you can’t let the possibility of offending cyber criminals dictate how you conduct business. That said, it seems equally obvious that Sony’s network defense and data protection is trivial for hackers to circumvent.

I think there is some danger for other organizations in assuming that the problem stems purely from Sony making enemies of the hackers in question–as if, had Sony not done that, the data would be safe. Don’t assume that just because your network is not under siege like Sony, that it is impervious, or that your data couldn’t suffer a similar fate.

On the contrary, use this as a learning experience. To the extent you can–given whatever details Sony might reveal–assume that your network or data were under a similar attack and try to predict what would happen. Perhaps you can gain some valuable knowledge from the experience and put it to good use before your data gets exposed as well.

Don’t Let Your Company Join the Data Breach Epidemic

Thursday, May 12th, 2011

I know I sound like a broken record, but it’s not my fault. You can’t go online, turn on the TV, or pick up a newspaper without seeing news of some major data breach exposing sensitive data on millions of users. Why?

Don’t get me wrong. I understand that there is no security silver bullet. Given an attacker with enough time, skill, and dedication, there is no server or network fortified such that it can’t be hacked. In fact, I think security administrators should keep the mindset that it is a matter of when, not if, a server will be hacked. But, as I have pointed out previously in this blog, a server breach does not have to be a data breach.

I wrote a consumer-oriented article detailing how individual users can take steps to try and protect their own data and shield it from being exposed by the companies they have entrusted it to. But, IT admins and security administrators also need to take proactive steps to prevent data from being compromised, and keep their own organization out of the headlines.

Data breaches are expensive. Really expensive. Never mind the fact that a data breach on your watch could cost you your job. Do yourself a favor. Save your organization the hassle and the money, and help preserve your job security by contacting Zecurion and finding out just how easy it is to protect your data and prevent your company from becoming a data breach epidemic statistic. Wouldn’t you rather be a hero than a fall guy?

Don’t Tell Me How Much You Value My Privacy

Tuesday, May 10th, 2011

With the number of massive, high-profile data breaches that have occurred in recent months, there is a very good chance you have received at least one notice from a vendor letting you know that your personal data or account information may have been compromised or exposed. Without fail, those notices start with something to the effect of “Your privacy is our number one priority”, or “We value the security of your personal data above all else”. Please. If that were true, you wouldn’t be sending me the notice in the first place.

Do you really want to show me how much you value my privacy, or how much of a priority it is for you to protect my personal information? Try more proactive action to prevent it from being compromised or exposed, and less apologizing after the fact for your failure to do so. Honestly, with each passing data breach that makes the headlines it becomes less and less excusable for organizations to not take steps to put the tools in place to prevent data from getting breached.

I am not suggesting that the network itself should be impenetrable, or that laptops or portable storage drives should never be lost or stolen. Those things are not truly possible. But, with the right tools and security measures in place, a hacked network won’t expose sensitive information, and a laptop or portable drive in the wrong hands won’t mean that personal data is potentially compromised.

Doing the right thing up front will not only earn you my respect, and help you avoid having to send out those condescending notifications, but it is also significantly less costly than the consequences and fallout of a data breach.

Users Are the Real ‘Advanced Persistent Threat’

Wednesday, April 13th, 2011

Advanced Persistent Threat–or APT–is a new class of cyber attack. Maybe.

According to Tim ‘TK’ Keanini, CTO of nCircle, an APT attack involves patient, skilled, well-funded attackers going after the really big prize. Wikipedia claims that APT is a term “used in reference to a long-term pattern of targeted sophisticated hacking attacks aimed at governments, companies and political activists, and by extension, also to refer to the groups behind these attacks.”

By those descriptions, an APT does seem to be distinct from your off-the-shelf malware attack, but it has become a mis-used buzzword in the media, and a sort of badge of honor for companies that are compromised. Nobody wants to admit their network was infiltrated by a plain old phishing attack, but saying that your company was the victim of an APT almost carries a sense of prestige, as though the company must have been worthy of the dedication and resources necessary to execute such an attack.

The recent RSA data breach is an example of how the term is abused, though. RSA initially indicated that it was the victim of an APT, but it was later discovered that RSA was breached through a run-of-the-mill phishing attack using a zero-day exploit against Adobe Flash.

Anup Ghosh, Founder and Chief Scientist of Invincea, describes the flaw in the APT logic. “We’ve heard in a number of sales meetings over the last year ‘We’re not that concerned with commercial malware–it is the APT stuff that scares us,’ and we shake our heads in disbelief on the car ride back to the airport,” adding, “Don’t they understand that virtually all malware has the potential to damage a company, to pilfer off Intellectual Property, to expose their brand to irreparable harm, to cost them untold millions?”

As Ghosh explains, “The reality is, the security industry needs to protect the network from the user and the user from him or herself. Educating the user just isn’t enough. The security industry is without a doubt stuck in a wash-rinse-repeat cycle, waiting for an attack to happen before anyone jumps into action.”

To take it a step farther–it doesn’t really matter if the attack is a simple phishing attack, a traditional penetration of the network through hacking, or a more insidious Advanced Persistent Threat. In most of these cases, confidential or sensitive data is leaving the network using the context and permissions of an authorized user. What organizations need is a tool in place to monitor outbound traffic and communications and prevent data from being leaked by any means–accidental, intentional, or ‘APT’.
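The Honda Canada post above calls for two things: monitoring outbound traffic to block sensitive data, and an audit trail for whatever is allowed out so the scope of an incident can be worked out quickly. This post makes the same point about data leaving under an authorized user’s permissions. The following Go program is an added example (not Zecurion’s product code and not from the original posts) of the minimal shape of such a control: each outbound payload is scanned with two hypothetical detectors (US SSN and Luhn-checked payment card numbers), the decision is made, and a JSON audit line is written that records who, where, how many bytes, and a SHA-256 fingerprint of the payload rather than the payload itself. The sample messages are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Verdict is the outcome of inspecting one outbound message.
type Verdict struct {
	Allowed  bool     `json:"allowed"`
	Findings []string `json:"findings"`
}

// AuditEvent is one line of the audit trail: enough to later answer
// "which data left the network, when, and to whom" without storing
// the payload itself (only its SHA-256 fingerprint is kept).
type AuditEvent struct {
	Time        string   `json:"time"`
	User        string   `json:"user"`
	Destination string   `json:"destination"`
	Bytes       int      `json:"bytes"`
	PayloadHash string   `json:"payload_sha256"`
	Allowed     bool     `json:"allowed"`
	Findings    []string `json:"findings"`
}

// Hypothetical detectors for two record types the posts mention:
// US Social Security numbers and payment card numbers.
var detectors = []struct {
	name string
	re   *regexp.Regexp
}{
	{"ssn", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"card", regexp.MustCompile(`\b(?:\d[ -]?){13,16}\b`)},
}

// luhnValid filters card-number matches so that random digit
// strings (order numbers, phone numbers) do not trigger a block.
func luhnValid(s string) bool {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(s)
	sum, alt := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if alt {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		alt = !alt
	}
	return len(digits) >= 13 && sum%10 == 0
}

// Inspect scans an outbound payload and decides whether to let it out.
func Inspect(payload string) Verdict {
	var found []string
	for _, d := range detectors {
		for _, m := range d.re.FindAllString(payload, -1) {
			if d.name == "card" && !luhnValid(m) {
				continue
			}
			found = append(found, d.name)
			break
		}
	}
	return Verdict{Allowed: len(found) == 0, Findings: found}
}

// Audit records the decision as one JSON line for the audit trail and
// returns both the structured event and its serialized form.
func Audit(user, dest, payload string, v Verdict) (AuditEvent, string) {
	h := sha256.Sum256([]byte(payload))
	ev := AuditEvent{
		Time:        time.Now().UTC().Format(time.RFC3339),
		User:        user,
		Destination: dest,
		Bytes:       len(payload),
		PayloadHash: hex.EncodeToString(h[:]),
		Allowed:     v.Allowed,
		Findings:    v.Findings,
	}
	line, _ := json.Marshal(ev)
	return ev, string(line)
}

func main() {
	// Constructed sample outbound messages (not real data).
	samples := []struct{ user, dest, body string }{
		{"alice", "mail.example.net", "Q2 dealer list attached, see you Friday"},
		{"bob", "files.example.org", "customer 12345: SSN 123-45-6789, DOB withheld"},
		{"carol", "paste.example", "card on file 4111 1111 1111 1111 exp 12/14"},
	}
	for _, s := range samples {
		v := Inspect(s.body)
		_, line := Audit(s.user, s.dest, s.body, v)
		fmt.Println(line)
	}
}
```

Two design points matter more than the detectors themselves: the audit line is written for allowed traffic as well as blocked traffic, which is what lets an investigator later enumerate what actually left, and it stores a hash rather than the content, so the audit log does not itself become a second copy of the sensitive data.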

Everything Is Bigger in Texas–Even Data Breaches

Tuesday, April 12th, 2011

Not to be outdone by the likes of Epsilon, Texas holds true to its popular tag line that “everything is bigger in Texas” with a larger than life data breach of its own. Heads rolled and people lost their jobs when it was discovered that sensitive information on more than 3.5 million people was left exposed to the public by the Texas Comptroller’s office.

The Epsilon data breach affected more individuals, but all that was compromised were email addresses, and perhaps the affiliation of an email address as a customer of a specific bank or retail establishment. The Texas breach, on the other hand, exposed much more useful data from an identity theft perspective: names, addresses, and Social Security numbers. In some cases, even dates of birth and driver’s license numbers were compromised.

Tsk, tsk Texas. To borrow a quote from Benjamin Franklin, “an ounce of prevention is worth a pound of cure.”

No Excuse for Lightning to Strike Twice at Health Net

Tuesday, March 22nd, 2011

There is a saying something to the effect of “Fool me once, shame on you. Fool me twice, shame on me.” Well–shame on Health Net for getting hit with its second massive breach of customer data in as many years. Thanks to nine unencrypted drives getting “lost” during a move to a new data center, Health Net has potentially exposed sensitive data on 1.9 million customers.

Ericka Chickowski notes in an article on Dark Reading that, “According to the most recent Ponemon Institute figures, the average data breach costs healthcare organizations $345 per record. Using those numbers, this breach could cost Health Net upward of $655 million when all is said and done.”

I get it. On some level I understand that security is an expense and requires effort, and that it is easy to assume that security incidents and data breaches only happen to other companies. It is easy to rationalize gambling with sensitive customer data and assume that having information lost or stolen is about as likely as getting struck by lightning.

But, there isn’t really any excuse for getting struck by lightning twice. Health Net should have learned its lesson the first time around and taken steps to proactively encrypt and protect data on server drives and backup media. A solution from Zecurion would have cost Health Net a fraction of a percent of that estimated $655 million in damages from the data breach–virtually nothing in the grand scheme of things.

Don’t assume that lightning can’t strike at your organization. Your data, and the personal information of your customers, deserve better protection than keeping your fingers crossed and hoping for the best.

Maybe the Backup Drive Should Be Encrypted?

Monday, March 14th, 2011

I know. It’s crazy talk.

A backup drive for one of Western Michigan University’s departments went missing. The school is not sure if the drive was stolen, or is just misplaced indefinitely, but it is notifying those whose personal data might be compromised should the data be accessed.

Here is the thing, though. If WMU had encrypted the data on its backup drives there would be no issue and no concern. Lost drive? No problem. Replace the drive and go on with life, comfortable and secure in the knowledge that the drive’s new owner can not possibly access the data it contains.

If it was some horrifically complex, costly, or cumbersome process, I could more easily understand why so many schools, hospitals, and other organizations fail at this one, simple thing. But, it’s not. It is simple, automatic, easy, and cost effective–significantly less than the cost of dealing with a data breach incident–to just put the right tools in place proactively and encrypt data on backup media.
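Both this post and the Health Net post above come down to the same control: encrypt the data before it is written to the backup drive, so that a lost or stolen drive is a hardware replacement rather than a breach. As an added example (not WMU’s, Health Net’s or Zecurion’s code, and not from the original posts), the Go program below seals a record set with AES-256-GCM before writing it to a backup file and verifies it on the way back. The key is generated here for the demonstration; the assumption that makes the scheme work is that the key is stored somewhere other than the drive itself. The file name is bound in as associated data, so a sealed file copied under a different name fails to open, and the sample records are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// NewKey generates a random 256-bit key. In a real deployment the key
// lives in a key vault or HSM, never on the backup media (assumption
// of this example).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// Seal encrypts plaintext with AES-256-GCM. The output layout is
// nonce || ciphertext || tag, with a fresh random nonce per call.
// label is authenticated but not encrypted (associated data).
func Seal(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. A wrong key, a wrong label or any modification
// of the bytes on the drive makes the GCM tag check fail, so a
// tampered drive cannot hand back altered records either.
func Open(key, sealed, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// WriteBackup seals records and writes them to path on the backup
// media. The base file name is the associated data.
func WriteBackup(key []byte, path string, records []byte) error {
	sealed, err := Seal(key, records, []byte(filepath.Base(path)))
	if err != nil {
		return err
	}
	return os.WriteFile(path, sealed, 0o600)
}

// ReadBackup reads and verifies a backup written by WriteBackup.
func ReadBackup(key []byte, path string) ([]byte, error) {
	sealed, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return Open(key, sealed, []byte(filepath.Base(path)))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample records (not real data).
	records := []byte("id,name,ssn\n1,Example Person,000-00-0000\n")
	path := filepath.Join(os.TempDir(), "dept-backup.enc")
	if err := WriteBackup(key, path, records); err != nil {
		panic(err)
	}
	back, err := ReadBackup(key, path)
	fmt.Printf("round trip with the key ok: %v\n", err == nil && string(back) == string(records))
	wrongKey, _ := NewKey()
	_, err = ReadBackup(wrongKey, path)
	fmt.Printf("without the key: %v\n", err)
	os.Remove(path)
}
```

The point of using an authenticated mode (GCM) rather than bare AES is that the drive’s new owner cannot read the records, and nobody can substitute altered records either; the point of binding the file name is that backup sets cannot be silently swapped. Full-disk encryption on the drive achieves the first property at the block layer; the file-level approach shown here is what you reach for when the media is moved between systems.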

Got a Spare $7.2 Million in Your IT Budget?

Saturday, March 12th, 2011

Does your IT budget have $7 million or so to spare? I think I can say with absolute certainty that no organization–regardless of size and revenue–has an IT budget with an extra $7.2 million of unallocated money.

The follow up question to that rhetorical lead-in is “why are you gambling with $7.2 million you don’t have?”

A new survey from the Ponemon Institute–sponsored by Symantec–found that the average cost of a data breach for a company in the United States has increased to $7.2 million. That breaks down to an average of $214 per individual exposed or compromised data record. The kicker is that the survey also reveals that the number one cause of data breaches is negligence.

Don’t gamble $7.2 million you don’t have. Don’t let your organization be negligent. Invest proactively in the tools your organization needs to prevent sensitive information from leaving your network and make sure your company isn’t tomorrow’s data breach headline.

It will cost you $7.2 million to react to a data breach incident after it’s too late. It will cost you a fraction of a percent of that $7.2 million to prevent the data breach in the first place.