Stolen Hardware - Most Common Cause for Data Breaches
Stolen or lost hardware, from laptops to USB sticks and portable hard drives, was the most common cause of data breaches in 2007, outranking malicious software. These findings were recently released by Symantec in its latest Internet Security Threat Report. As SecurityFocus points out, this is a significant conclusion, given that the number of unique variants of malicious software more than quadrupled in 2007.
The theft of computers and storage devices, not malicious code, accounted for the majority of lost data. In the latter half of the year, such physical theft accounted for 57 percent of data breaches, up from 46 percent in the first half of 2007, the report stated. While the government had only the second highest number of breaches — 20 percent of the total compared to 24 percent for the education sector — those breaches accounted for 60 percent of identity theft, the report stated.
Gains from Online Fraud Aim for the Sky
According to the latest data released by the FBI’s Internet Crime Complaint Center, damages caused by online fraud have significantly increased, going up by 20 percent.
The report cited by SecurityFocus shows that, while the number of complaints has been slightly lower, the reported damage originating from online fraud grew from $198 million in 2006 to $239 million in 2007. The FBI’s IC3 online portal, where cybercrime complaints are received, processed a little under 207,000 such reports last year, just a few less than in 2006. The criminal activity is in no way discriminatory, affecting victims aged from 10 to 100 years old.
“The Internet presents a wealth of opportunity for would-be criminals to prey on unsuspecting victims, and this report shows how extensive these types of crime have become,” James E. Finch, assistant director of the FBI’s Cyber Division, said in a statement. “What this report does not show is how often this type of activity goes unreported.”
While the media often report on the crime of identity theft, the largest number of people, more than a third, complain about online auction fraud, the IC3 report stated. Other online crimes, such as industrial espionage by other nation states, largely go unreported. Earlier this month, the Council of Europe requested that Internet service providers help battle cybercrime by sharing information about their users.
Employees Are Great at Circumventing IT Security Policies
According to a survey conducted by Palo Alto Networks and quoted by DarkReading, employees in most enterprises are constantly circumventing corporate security policies by deploying unauthorized applications, including video viewers, streaming audio, P2P, and Google applications.
Palo Alto Networks used data from 20 different enterprises, gathered during vulnerability assessments, to reach the study results.
Employees are using a broad variety of tactics for circumventing IT policies on network usage, Palo Alto found. For example, approximately 80 percent of the enterprises are supporting proxy applications, such as KProxy or CGI proxies, which mask the user’s identity and surfing habits from IT monitoring tools.
“There’s no business reason for using proxies in the enterprise, other than to hide your activity from IT,” Mullaney says. “But we see at least some use of them in most of the enterprises we [assess].”
Hannaford - An Inside Job
Recent details on the Hannaford security breach point to an inside job. It appears that Hannaford employees most likely planned the attack and then infected over 300 of the grocery chain’s servers.
Experts said the breach should serve as a big lesson for retailers: it is as important to limit the network access of employees and regularly monitor system activity as it is to purchase security technology to block attacks from the outside. Furthermore, it is foolish for a company to consider itself bulletproof because it achieved PCI DSS compliance, as Hannaford claims it did.
“The overarching conclusion I have that keeps getting reinforced is that the low-hanging fruit is inside the company and insiders are always getting more network privileges,” said Mark MacAuley, a York, Maine-based IT security consultant who shops at Hannaford’s regularly. “I don’t see how anyone at Hannaford could get that level of access unless they were a very well-known entity.”
The Hannaford data breach has exposed over 4 million credit card accounts, making it the second largest breach ever reported.
Personal Data Thrown in the Dumpster
The financial information and social security numbers of hundreds of inhabitants of Flint, USA, have been found in a dumpster. Customers of Affordable Realty had entrusted these private details to the mortgage company. When Affordable Realty was evicted from the building where its office was located, company representatives apparently thought the best place to get rid of the data would be the nearest dumpster.
ABC12 News has a video recording of the incident, along with some text comments. Let’s hope the company is properly held responsible in order to prevent similar incidents in the future.
Mindblowing Data Breaches of 2007
CSO Online has recently published a top 10 of the most significant data breaches of 2007. They analyzed stolen hardware, malware infections and other such security-breaching activities. CSO also concluded that the “most brilliant lunacy” of the year was to require the use of social security numbers as passwords.
If you haven’t guessed who the dark winner is, it’s the nasty TJX affair. But considering other data and facts we’ve recently told you about, CSO’s estimated losses seem to be a bit off. Nevertheless, the list is quite interesting and a very good reminder that security should never be taken lightly.
Data Breaches Going up
IT Security published an interesting feature this week focusing on data breaches, their trends, the laws regarding such security breakdowns and the targeted companies. I thought some of the facts and issues they pointed out are highly important and worth being rebroadcast.
- The first data breach notification law in the US dates back to 2003 and was enacted in California. Since then, 37 states have enforced similar stipulations.
- In 2007, over 162 million records were stolen or lost. To appreciate how significant the growth of the past few years has been, note that in 2002 the lost or stolen records amounted to a little under 5,000.
- Big companies holding numerous private records seem to be the preferred target. Yet the cause of such breaches is not the thieves’ high level of knowledge; it is human error that facilitates such attacks.
TJX, the parent of retail chains including TJ Maxx, announced the computer incursion in January 2007 and later disclosed in an SEC (Securities and Exchange Commission) filing that the incident involved data from more than 45 million payment cards.
Brad Johnson, vice president at SystemExperts, said he views TJX as an anomaly, suggesting most breaches stem from human error rather than an attacker’s ingenuity. “The fundamental problem is a lack of security awareness,” Johnson said. “Employees weren’t aware of the risk involved, so they didn’t take the appropriate precautions.”
The case of HM Revenue & Customs, the United Kingdom’s tax department, fits the human-error category. In late 2007, HM Revenue & Customs acknowledged the loss of two computer disks containing personal information for 25 million people.
- Criminal gangs stealing data get $1 to $10 per record. Therefore, as long as the attacks are profitable, they will continue.
- The first step a company should take is to find out what sensitive data it holds and where that data is stored. Such a step should make the implementation of an efficient endpoint security and DLP solution easier.
- Another security measure would be to only process the data needed at a given time (e.g. a few entries as opposed to an entire Excel file containing those entries).
- Users or consumers should investigate more closely the risks they expose themselves to when entrusting their private information to third parties.
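The two company-side recommendations above (inventory the sensitive data you hold and where it lives, then hand downstream processes only the entries they need) can be illustrated in code. The following is an added example, not code from the IT Security feature or from any vendor's DLP product: the "files" are constructed sample records, and the SSN pattern, Luhn check and field names are assumptions standing in for whatever classification rules a real deployment would use.

```python
"""Sensitive-data discovery and minimization (added example, constructed data).

Step 1 (inventory): scan a set of files for SSN-like values and Luhn-valid
payment card numbers and report per-file counts, so you learn where the
sensitive data actually lives. Step 2 (minimization): pull only the rows and
columns a downstream task needs out of a larger record set instead of handing
over the whole file.
"""
import re
from collections import Counter

# Constructed sample "files": path -> contents. None of these are real records;
# the card numbers are well-known test numbers, not issued cards.
SAMPLE_FILES = {
    "hr/payroll_2007.csv": (
        "name,ssn,card\n"
        "Alice Example,123-45-6789,5555555555554444\n"
        "Bob Example,234-56-7890,4111111111111111\n"
    ),
    "notes/todo.txt": "Call vendor about invoice 2007-11-30. Badge 123-45-67 (not an SSN).\n",
    "finance/q4.txt": "Ref 4111111111111112 failed Luhn; no card here.\n",
}

# Assumed SSN shape: AAA-GG-SSSS, excluding area 000/666/9xx, group 00, serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digit runs, confirmed by the Luhn check below.
CARD_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the report itself is not a leak."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_files(files: dict) -> dict:
    """Inventory step: count SSNs and Luhn-valid card numbers per file.

    Returns {path: Counter({"ssn": n, "card": m})}; files with no hits are
    omitted so the report shows only where sensitive data was found.
    """
    findings = {}
    for path, text in files.items():
        hits = Counter()
        hits["ssn"] += len(SSN_RE.findall(text))
        for m in CARD_RE.finditer(text):
            if luhn_ok(m.group()):
                hits["card"] += 1
        if hits["ssn"] or hits["card"]:
            findings[path] = hits
    return findings


def minimize(csv_text: str, wanted_names: set, fields: tuple) -> list:
    """Minimization step: return only the requested rows and columns.

    Instead of passing a downstream team the whole payroll file, select the
    named employees and drop the columns they do not need.
    """
    lines = csv_text.strip().splitlines()
    header = lines[0].split(",")
    rows = [dict(zip(header, line.split(","))) for line in lines[1:]]
    return [{f: row[f] for f in fields} for row in rows if row["name"] in wanted_names]


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path, dict(hits))
    subset = minimize(SAMPLE_FILES["hr/payroll_2007.csv"], {"Alice Example"}, ("name", "ssn"))
    for row in subset:
        print({k: (v if k == "name" else mask(v)) for k, v in row.items()})
```

Running the script reports only the payroll file (two SSNs, two card numbers); the badge number and the digit run that fails the Luhn check are ignored, and the minimized output contains one employee's name and a masked SSN rather than the whole spreadsheet.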
Laptop with Private Data Stolen from Kraft Foods Employee
A laptop was recently stolen from a Kraft Foods staffer on a business trip. The computer in question contained the private data of 20,000 US-based employees, who were then informed that they ran the risk of having their identities stolen.
According to Kraft Foods spokesperson Cathy Pernu, quoted by the Quad-City Times, the theft was reported in mid-January. The data stored on the stolen laptop was to be transferred to a different computer. It contained employee names and may also have stored social security numbers. Kraft, on the other hand, believes the private records were not obtained by anyone and states that the stored information wasn’t used for any malicious purposes.
The company is now trying to offer retroactive protection to those affected. It seems protecting the data proactively would have had better results:
“We have contacted people whose names were on the computer, by letter, offering as a precaution, free credit monitoring … to help guard against improper use of personal information. It is a two-year program,” she said.
Only those who were potentially affected and received letters are being offered the credit monitoring program through TransUnion.
US Government Agencies Have Higher Security Levels
Although US government agencies fall short when it comes to protecting private data, their level of security apparently improved throughout 2007, according to an analysis of their compliance with the Federal Information Security Management Act (FISMA) of 2002. This is the core finding of a report recently issued by the Office of Management and Budget and quoted by SecurityFocus.
The Inspectors General for 22 of the 25 agencies required to comply with FISMA inventoried at least 80 percent of their systems in 2007, compared with 20 agencies that had reached that milestone in 2006. While an improvement over the previous year, only two-thirds of the IGs claimed that their auditing processes were rated “satisfactory” or better.
The increased awareness of their systems has also caused the agencies to report more attacks, the report stated. In 2007, incidents reported to the US Computer Emergency Readiness Team (US-CERT) jumped to 12,986, an increase of 150 percent over the previous year. While nearly a third of the incidents were alarms created by US-CERT’s EINSTEIN network monitoring system and remain uncategorized, about a quarter were classified as improper usage and about 15 percent as unauthorized access, according to the OMB report.
OMB identified the four stars of the compliance effort as the National Aeronautics and Space Administration (NASA) and the Departments of State, Treasury and Defense, all doing a great job of complying with FISMA. The Department of Defense, however, did not do that well. It looks like security policies and compliance fall short for this particularly important agency.
Private Records of 500 Seniors Lost or Stolen
One would think that in our world of successive technological breakthroughs, where kids are born with computers, iPods and Facebook within reach, people would choose some other means of transporting private records than having them printed in clear text on paper and mailed in an envelope. Apparently, if you think like that, you’re wrong.
As the Boston Herald reports, personal information of nearly 500 seniors who received flu shots in Wellesley has been lost or stolen. The envelope containing their private records reached a Medicare office in Boston torn and void of any data. The Postal Service is still trying to figure out what happened. Seniors will now receive snail mail informing them that their social security numbers, addresses and dates of birth might have been exposed. I wonder, will these envelopes reach them?
