Tag Archives: Data Loss

How to ruin the reputation of your (118 year old) company, lose your job and your liberty

Unfortunately there are so many cases I can use to illustrate this. Most topical at this time at the start of autumn (fall) 2017 is Equifax.

They provide credit scoring services to the public and businesses in 14 countries, including Canada, UK and USA. Many financial organisations use them to assess the credit-worthiness of individuals and companies.

This company has been around for more than 100 years; it has an operating revenue of over 3 billion USD and over 9,000 employees.

Their bread and butter is information. Personal information: names, addresses, social security numbers, income and loans, amongst others. Stuff classed as sensitive PII by most if not all data protection agencies.

They hold data on more than 820 million individuals and 91 million businesses.

In May 2017, they lost the details of some 145 million people in the USA, at least 400,000 in the UK and 100,000 in Canada.

Heads Roll

Within Equifax, the chief information officer David Webb and chief security officer Susan Mauldin retired, and within two weeks the CEO, Richard Smith, announced he was stepping down; in October he still had to explain the breach to a US congressional committee.

The market is not impressed

Their share price had been trading around 140 USD; it plunged to a low of 94 USD a few days after the disclosure, a drop comparable to TalkTalk's share price fall after its own breach.

The actual financial impact to Equifax is unknown at this time, as it’s still so recent.

It gets worse

It later transpired that Jun Ying, CIO of one of Equifax's US business units, had sold about 950K USD of company shares before the breach was made public. Having pleaded guilty to insider trading, in June 2019 he was sentenced to four months in prison and ordered to pay restitution of around 117K USD, as well as a 55K USD fine.

As of 13 May 2019, this incident has cost the firm 1.4 billion USD so far.


IT Pro article

Moneysavingexpert article

World Leaders’ PII leaked

The personal details of all 31 leaders at the recent G20 summit in Australia were accidentally leaked by the Australian immigration department. Despite having been notified of the high-profile breach four months ago, it neglected to inform anyone affected.

The details included passport numbers, visa details and other particulars of each leader at the summit.

Tony Abbott and Vladimir Putin cuddle koalas before the start of the first G20 meeting in November 2014. Photograph: Andrew Taylor/G20 Australia/Getty Images

In a letter obtained under a Freedom of Information request, it was revealed that a staffer at the G20 leaders’ summit staged in Australia last November mistakenly emailed a list of the leaders’ personal details to an official at the Asian Football Cup Local Organising Committee.

Although the information hasn’t been publicly exposed and is unlikely to be of much use for nefarious purposes (not many people could plausibly pass themselves off as Vladimir Putin or David Cameron), the damage is reputational and is certainly embarrassing for the Australian government. Ironically, it had only recently passed controversial mandatory metadata retention laws.


2014 – The Year of 1 Billion Data Record Losses

Gemalto, the digital security company, and SafeNet have released a report titled “2014 – Year of Mega Breaches & Identity Theft”.

2014 Data Breaches Gemalto Infographic

The headline numbers make for sober reading. The number of data records lost jumped 78%, from about 575 million in 2013 to more than one billion in 2014.

In terms of time, in 2014 some 2,803,036 data records were lost every day, 116,793 every hour, 1,947 every minute and 32 every second. So in roughly the time it took to read the previous sentence (a dozen seconds or so), about 400 data records would have been stolen or lost, based on the 2014 data breach statistics.

Despite the widespread availability of commercial and indeed open source encryption solutions as a means of protecting information and privacy, only 58 of the data breach incidents in 2014, or less than 4% of the total, involved data that was encrypted in part or in full.

In short, companies and organisations are still not taking protection of data seriously. It’s likely to take a commensurate loss of revenue or regulatory fines, up to and including gaol time, for things to start improving.

One catalyst for this may well be the EU General Data Protection Regulation, but there is a lot of lobbying and compromise between the proposals and the actual legislation. It may still revert to being an EU Directive. Meanwhile our personal information is being shared, sold and aggregated ad infinitum, and that’s before it’s leaked and stolen!

Gemalto’s 2014 Data Breach Report

Significant data theft from Anthem – one of the USA’s largest health insurers


Anthem, the USA’s second biggest health insurer with about 70 million people on its books across the country, admitted late on 4 February 2015 that it had been the target of an external cyber attack.

In its statement, Anthem said the attackers “gained unauthorised access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.” Tens of millions of records are likely to have been obtained illegally as a result of the hack, Anthem warned.

Health plans branded Anthem Blue Cross; Anthem Blue Cross and Blue Shield; Blue Cross and Blue Shield of Georgia; Empire Blue Cross and Blue Shield; Amerigroup; Caremore; Unicare; Healthlink; or DeCare, are at risk.

It is not clear when the company’s databases were compromised – just that it was discovered some time last week. Anthem is offering free credit and identity monitoring cover to those affected by the breach.

Up to 80 million Americans (current and former insurees) are now being warned that they are being targeted by scammers trying to trick the victims into revealing additional personal information. Scammers are running email phishing campaigns and even placing phone calls to affected customers, Anthem says.

The identity of the perpetrators hasn’t been disclosed yet; the FBI is investigating, and Anthem has engaged Mandiant, a well-known cybersecurity firm, to look into the vulnerabilities of its computer systems.

Anthem’s statement

An interesting viewpoint from Krebs

Chun’s view

It’s way too soon to speculate on the whys and what happened, only that your organisation is neither too big nor too small to be vulnerable.

Good policies and good housekeeping are the backbone of any ISMS. Having a comprehensive plan to deal with breaches and data loss will go a long way in containment and minimising the damage.

 

First post of 2015 – Insider Threat – Data theft from 350,000 Morgan Stanley clients

Galen Marsh, a Morgan Stanley employee, stole sensitive information on 350,000 wealth management clients in December 2014; data on 900 of those clients was posted on Pastebin, a public paste site, with a link inviting interested parties to purchase more.

http://dealbook.nytimes.com/2015/01/05/morgan-stanley-fires-employee-saying-data-on-350000-clients-was-stolen/?_r=0

http://www.morganstanley.com/about/press/articles/7f189537-f51c-40b0-a963-fc0dc6c65861.html

Protecting against external threats is a comparatively well-understood problem; the insider threat is much more difficult to mitigate and potentially a lot more damaging, because the insider already holds legitimate credentials and access.

A robust security policy with regular employee security awareness and obligations training, allied to well-tuned data loss detection and prevention controls, is essential. Post-incident response and lessons learnt complete the cycle.
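In the Morgan Stanley case the "well tuned data loss detection" that was missing is essentially a bulk-access detector: an account that views hundreds of thousands of distinct client records in a day is a stark outlier against its peers, whatever its permissions say. The following is an added example, not code from the original post or from Morgan Stanley. The log line format, the sample lines, the account ids, the floor of 25 distinct clients and the median/MAD baseline are all assumptions made for illustration.

```python
import re
import statistics
from collections import defaultdict

# Assumed log format (constructed for this example, not any real product's):
#   <ISO timestamp> user=<account> action=<verb> client=<client-id>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) client=(?P<client>\S+)$"
)


def parse_access_log(lines):
    """Yield (date, user, client) for each well-formed 'view' line.

    Malformed lines and non-view actions are skipped; in production you would
    also count the malformed ones, since a gap in logging is itself a signal.
    """
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("action") != "view":
            continue
        yield m.group("ts")[:10], m.group("user"), m.group("client")


def distinct_clients_per_user_day(lines):
    """Map (date, user) -> set of distinct client ids viewed that day.

    Counting distinct clients (a set) means re-opening the same record many
    times, normal for an adviser working one account, is not mistaken for
    bulk access.
    """
    seen = defaultdict(set)
    for day, user, client in parse_access_log(lines):
        seen[(day, user)].add(client)
    return seen


def find_bulk_accessors(lines, floor=25, k=5.0):
    """Return sorted [(date, user, distinct_clients)] for user-days whose
    distinct-client count exceeds max(floor, median + k * MAD).

    The baseline uses the median and median absolute deviation over all
    user-days rather than mean and standard deviation, so one thief sweeping
    the database does not drag the threshold up and hide themselves. 'floor'
    stops a tiny, uniform log from flagging everybody.
    """
    counts = {key: len(v) for key, v in distinct_clients_per_user_day(lines).items()}
    if not counts:
        return []
    values = list(counts.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    threshold = max(floor, med + k * mad)
    return sorted((day, user, n) for (day, user), n in counts.items() if n > threshold)


def _build_sample_log():
    """Constructed sample: four advisers each view a handful of clients on
    2014-12-15, while one account ('gm', a made-up id) sweeps through 900."""
    lines = []
    for user, base, n in (("adv01", 100, 5), ("adv02", 200, 7), ("adv03", 300, 6), ("adv04", 400, 8)):
        for i in range(n):
            lines.append(f"2014-12-15T09:{i:02d}:00 user={user} action=view client=C{base + i}")
    # adv01 re-opens one client and edits it: neither adds a distinct client.
    lines.append("2014-12-15T10:00:00 user=adv01 action=view client=C100")
    lines.append("2014-12-15T10:01:00 user=adv01 action=edit client=C100")
    lines.append("this line is deliberately malformed")
    for i in range(900):
        lines.append(f"2014-12-15T22:{(i // 60) % 60:02d}:{i % 60:02d} user=gm action=view client=C{5000 + i}")
    return lines


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for day, user, n in find_bulk_accessors(SAMPLE_LOG):
        print(f"{day}: {user} viewed {n} distinct client records (bulk access)")
```

Run against the constructed log, only the sweeping account is flagged: the four advisers sit at 5 to 8 distinct clients, the median is 7 and the MAD is 1, so the computed threshold (12) is below the floor of 25 and 'gm' at 900 stands out. A real deployment would key the baseline per role and per day of week, and alert on the first few hundred records rather than after the fact, but the shape of the check is the same.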

My predictions for security/breaches/data loss in 2015 (and beyond)

Top of the list is known vulnerabilities: the ones that have been published, the ones whose patches were issued six months ago and never applied. Joint first will be ingress aided by social engineering, the “click here for the latest on Brad Pitt and Angelina Jolie” lure or pop-up boxes with “Please enter your credentials to access xyz”.

The first bot on a kitchen appliance has already been reported. As more devices are connected to the ’net, more will be compromised and conscripted into the bot armies directed by techno-bandits. Baby monitors, home heating controls, solar panel generators and cars are all part of the IoT (internet of things).

Much more serious is nation-critical infrastructure being online. Even if it is supposed to be off-net, you can bet that someone has connected it up via 3G, wireless, a forgotten ISDN line or even a dial-up modem, all for the sake of convenience. As convenience always trumps security, it will be a heady cocktail for someone to exploit. The technology is there and the momentum is increasing, but has the security kept up? From past experience, I’d say not.

ATMs (cash machines) will continue to be targeted, whether by skimming, wire-tapping, or re-programming by insiders or malware. Crime and criminals will always follow the money.

On the subject of corporate security failings, they’ll keep happening until the board embraces corporate responsibility for security and instils the necessary cultural changes throughout the company, from the top down.