
Tag Archives: Breach

Equifax Data Breach Settlement No Wrist Slap

July 28, 2019   CRM News and Info

The United States Federal Trade Commission on Monday announced that Equifax has agreed to pay a minimum of US$575 million as part of a global settlement of claims against it arising from a 2017 data breach that affected 147 million Americans.

The settlement with the FTC, the Consumer Financial Protection Bureau, and 50 states and territories potentially could reach $700 million.

In its complaint against Equifax the FTC alleged that the credit reporting agency failed to secure a massive amount of personal information stored on its network, leading to a breach that exposed millions of names and dates of birth, Social Security numbers, physical addresses, and other personal information, which could result in identity theft and fraud.

As part of the proposed settlement, Equifax will pay $300 million to fund credit monitoring services for consumers.

The fund also will compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the data breach.

An additional $125 million will be added if the initial funding level should fall short of the amount required to compensate consumers for their losses.

What’s more, starting in January 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years — in addition to the one free annual credit report that Equifax and the two other nationwide credit reporting agencies currently must provide upon request.

The company also has agreed to pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million to the CFPB in civil penalties.

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” FTC Chairman Joe Simons said.

“This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud,” he added.

More Than Big Money Payout

In addition to the financial terms in the settlement, Equifax has agreed to implement a comprehensive information security program, which includes the following measures:

  • Designating an employee to oversee the information security program;
  • Conducting annual assessments of internal and external security risks, and implementing safeguards to address potential risks, including patch management and security remediation policies, network intrusion mechanisms, and other protections;
  • Obtaining annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order, including its information security requirements;
  • Testing and monitoring the effectiveness of the security safeguards; and
  • Ensuring that service providers which access personal information stored by Equifax also implement adequate safeguards to protect such data.

To ensure compliance with the agreement, Equifax must obtain third-party assessments of its information security program every two years. Assessors are required by the agreement to specify the evidence that supports their conclusions and conduct independent sampling, employee interviews, and document reviews. Moreover, the FTC has final say over any assessor chosen by Equifax.

The order also requires Equifax to provide an annual update to the FTC about the status of the consumer claims process.

The FTC has established an email address dedicated to Equifax whistleblowers: equifax@ftc.gov.

Proving Harm

Although the FTC pegs Equifax’s minimum payout at $525 million, the actual payout may be lower than that, maintained Ted Rossman, industry analyst at CreditCards.com.

“They’re going to be asking people to claim how they were harmed financially from this,” he told the E-Commerce Times.

“While this was a huge breach, the information never appeared on the dark Web, and people were not really harmed financially as much as we all feared,” Rossman observed.

“It seems that this was some sort of theft by a government or intelligence agency,” he continued. “It really wasn’t a monetary theft, as much as it was an information theft, so I don’t think people are going to be able to claim full financial benefits.”

A common offering to data breach victims is credit monitoring.

“It’s an empty gesture,” asserted Robert Cattanach, partner at Dorsey & Whitney, an international law firm based in New York City.

“I do a lot of these cases, and less than 10 percent of the people offered credit monitoring actually take it,” he told the E-Commerce Times.

“It’s of course important for consumers to monitor their credit, but if there are problems, the real challenge is in addressing fraud and proactively repairing damaged credit,” said Willy Leichter, vice president of marketing at Virsec, an applications security company.

“Free reporting does none of that,” he told the E-Commerce Times.

Guidelines for disbursements to consumers from the Equifax fund haven’t been established yet. “It will be interesting to see what kind of claims they will accept, what their criteria will be, and how much money they will pay out,” said Daniel Castro, vice president of ITIF, the Information Technology & Innovation Foundation, a research and public policy organization in Washington, D.C.

“There’s a lot of money there, but it seems most of the money is going to lawyers,” he told the E-Commerce Times. “That’s one of the problems with creating a private right to action for these data breach cases. It creates more opportunities for lawyers to rake in massive fees on settlements. Consumers often see very little tangible impact.”

More Than a Wrist Slap

This latest big settlement over a data breach appears to be a signal to businesses that regulators are taking the issue seriously.

“When the Equifax and British Airways breaches happened in 2017, it seemed like regulators would let them off easy with a slap on the wrist,” observed Deepak Patel, security evangelist at PerimeterX, a Web security service provider in San Mateo, California.

“The FTC and GDPR are imposing meaningful fines to hold these large corporations accountable for breaches involving sensitive user data,” he told the E-Commerce Times.

British Airways recently was fined $230 million under the EU’s GDPR (General Data Protection Regulation) for a website failure that affected the personal data of some half a million customers.

GDPR fines are capped at 4 percent of global revenue, noted Pravin Kothari, CEO of CipherCloud, a cloud security provider in San Jose, California.

However, the FTC has reached settlements with some companies much higher than that. A settlement with Facebook was about 9 percent of revenue, and the Equifax deal is about 25 percent.

“This sets a new precedent and a wake-up call to all businesses to be extremely careful,” Kothari told the E-Commerce Times.

“However, many businesses are still not doing enough to protect their clients’ sensitive information. They do not realize that Internet and cloud services are not bullet-proof,” he said. “They assume that their information is safe with service providers, but a simple misconfiguration, a bug, or abuse of API could cause major exposure and havoc.”

Shifting Costs to Crooks

Large penalties do change the risk equations that many businesses use to decide on their level of security investment, noted Virsec’s Leichter, “but given the scale of the Equifax breach, this penalty is relatively light and may have little direct effect on other businesses and little direct effect on improving consumer security.”

Large fines may encourage some companies to invest more in cybersecurity, but what’s really needed is commitment, maintained Torsten George, cybersecurity evangelist at Centrify, an authentication and access control company in Santa Clara, California.

“Companies have to make a decisive commitment to protecting sensitive customer data,” he told the E-Commerce Times. “Without that commitment and an approach to cybersecurity that can make an actual difference in the modern threatscape and against modern attackers, these settlements won’t make a noticeable difference.”

Data protection has to become more personal, especially for corporate executives, suggested Tim Bedard, director of security product marketing at OneSpan, an authentication and fraud analysis company in Chicago.

“Until regulators implement new compliance and regulations holding organizations’ executive leadership personally responsible for the security and protection of consumers’ personal identifiable information, then future massive settlements will only go so far,” he told the E-Commerce Times.

“Consumers should not bear the costs of computer crime, but neither should other crime victims, like the vendor,” said Michael Clauser, global head of data and trust at Access Partnership, a global public policy firm serving the tech sector, with offices on five continents.

“Ultimately, governments, vendors and consumers will need to find a way to shift costs ‘upstack’ to the criminal actor,” he told the E-Commerce Times. “I think over time, emerging technology, including AI, will make that a reality.”
John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.


CRM Buyer


3 Ways to Prevent a Data Breach from Becoming an Ordeal

June 21, 2018   Big Data

Griffin Binko

It’s easy to think of a data breach as a one-time event, putting the affected company at risk for a workday and causing residual headaches for maybe a week. But when IT systems aren’t regularly audited for security and layered stopgaps aren’t put in place to mitigate the damage, even large multinational organizations like Equifax can remain vulnerable for months. How can you make sure you’re not caught asleep at the wheel when the time comes to put your data security into action?


1. Audit Early, Audit Often

According to a study by Syncsort, nearly two-thirds of the companies surveyed perform security audits on their systems. Yet digging deeper, the study found that among those who perform audits, the most common schedule was annual (39%), and another 10% audit every two years or less often. Considering how sophisticated cyber-criminals have become and how frequently security events like Equifax’s seem to happen, this is unacceptable. An outdated system or plan removes any challenge hackers may face. And when it can take up to a year for an organization to act on its outdated infrastructure, the consequences of that inaction could multiply.

2. Don’t Stop at One

The most secure physical structures don’t rely on one layer of integrity. Make sure the structural integrity of your less tangible data and technology stays strong with multiple layers of resilience. Your multi-faceted approach should address the vulnerabilities and strengths of the following areas:

  • Port/IP Address
  • Exit Point
  • File Security
  • Field Security
  • Command Control
  • Object Authority

That’s right: the integrity of your data depends on all of these layers, with even one neglected layer potentially being the only open door malicious actors need to capture sensitive information.

3. Communication is Key

In the unfortunate event that your organization suffers a security breach, there’s no need to exacerbate the issue by hesitating to inform the public. Any security event will understandably test the public trust, but you could suffer even more PR damage by withholding significant news for any amount of time. Acting fast isn’t just for IT administrators. Executive staff, retained PR agencies and any other public-facing entities in your organization must stay on the ball to deliver the “Who, What, Why, Where and When” people need to know.

Download our Whitepaper today and discover the causes and effects of data breaches.


Syncsort Blog


How Congress should respond to the Equifax breach

November 8, 2017   Big Data

There is very little doubt that Equifax’s negligent security practices were a major contributing factor in the massive breach of 145.5 million Americans’ most sensitive information. In the wake of the breach, EFF has spent a lot of time thinking through how to ensure that such a catastrophic breach doesn’t happen again and, just as importantly, what Congress can do to ensure that victims of massive data breaches are compensated fairly when a company is negligent with their sensitive data. In this post, we offer up some suggestions that will go a long way in accomplishing those goals.

A Federal Victims Advocate to Research and Report on Data Breaches

When almost half of the country has been affected by a data breach, it’s time for Congress to create a support structure for victims at the federal level.

Once a consumer’s information is compromised, there is a complex process to wade through to figure out who to call, what kind of protections to place on one’s credit information, and what legal remedies are available to hold those responsible accountable. To make it easier for consumers, a position should be created within the executive branch and given dedicated resources to support data breach victims.

This executive branch official, or even department, would be charged with producing rigorous research reports on the harm caused by data breaches. This is important because the federal courts have made it very hard to sue companies like Equifax. The judiciary has effectively blocked litigation by setting too high a standard for plaintiffs to prove they were harmed by a data breach. Federal research and data analyzing the financial harm Americans have faced will help bridge that gap. If attorneys can point to authoritative empirical data demonstrating that their clients have been harmed, they can make companies like Equifax accountable for their failures to secure data.

Federal Trade Commission Needs to Have Rule-making Authority

Speaking of the executive branch, the Federal Trade Commission (FTC) has a crucial role to play in dealing with data breaches. As it stands now, federal regulators have little power to ensure that entities like Equifax aren’t negligent in their security practices. Though Americans rely on credit agencies to get essential services—apartments, mortgages, credit cards, just to name a few—there isn’t enough oversight and accountability to protect our sensitive information, and that’s concerning.

Equifax could have easily prevented this catastrophic breach, but it didn’t take steps to do so. The company failed to patch its servers against a vulnerability that was being actively exploited, and on top of that, Equifax bungled its response to the data breach by launching a new site that could be easily imitated.

To ensure strong security, Congress needs to empower an expert agency like the FTC, which has a history and expertise in data security. This can be accomplished by restoring the FTC’s rule-making authority to set security standards and enforce them. The FTC is currently limited to intervening only in matters of unfair and deceptive business practices, and this authority is inadequate for addressing the increasingly sophisticated technological landscape and the collection of personal data by third parties.

Congress Should Not Preempt State Data Breach Laws

While empowering executive agencies to address data breaches, Congress should take care in ensuring that states don’t lose their own laws dealing with data breaches. Any federal law passed in response to the data breach should be the foundation—not the ceiling—upon which states can build according to their needs.

States are generally more capable of quickly responding to changing data collection practices. For example, California has one of the strongest laws when it comes to notifying people that their information was compromised in a data breach. Among other things, it prescribes a timeline for notifying victims and the manner in which it should be done. By the time a company has to comply with California’s laws, the company has infrastructure in place to notify the rest of the country. Given this, Congress should not pass a law that would gut states’ ability to have strong, consumer-friendly data breach laws.

Create a Fiduciary Duty for Credit Bureaus to Protect Information

Congress must also acknowledge the special nature of credit bureaus. Very few of us chose for our most sensitive information to be hoarded by an entity like Equifax that we have no control over. Yet the country’s financial infrastructure relies on them to execute even the most basic transactions. Since credit bureaus occupy a privileged position in our society’s economic system, Congress needs to establish that credit bureaus have a special obligation and a fiduciary duty to protect our data.

Ultimately, companies like Equifax, Experian, and TransUnion serve a purpose, but they lack a duty of care towards the individuals whose data they have harvested and sell, because those individuals are not the bureaus’ customers. Without obligations to adequately protect consumer data, we will likely see lax security that will lead to more breaches on the scale of Equifax.

Give People their Day in Court

The first big problem for those seeking a remedy for data breaches is just getting into court at all, especially in sufficient numbers to make a company take notice. Too many people impacted by data breaches learn, to their great dismay, that somewhere in the fine print they agreed to a mandatory arbitration clause. This means that they cannot go to court at all, or must engage in individual arbitration rather than a class-action lawsuit.

After the Equifax breach, a lot of the focus has been on binding arbitration clauses because of the company’s egregious attempt to use one to deny people their day in court. Given the scale of the breach and the harm, companies like Equifax shouldn’t be able to prevent people from going to court in exchange for weak assistance like credit-monitoring services.

As Congress debates how to protect Americans’ legal rights after a breach, the focus should go beyond just prohibiting mandatory arbitration clauses. Congress should preserve, protect, and create an unwaiveable private right of action for Americans to sue companies that are negligent with sensitive data.

We Don’t Need Additional Criminal Laws

A knee-jerk reaction to a significant breach like Equifax is to suggest that we need additional criminal laws aimed at those who are responsible. The reality is, we don’t know who was behind the Equifax breach to hold them accountable. More significantly, knowing their identity does nothing to ensure that Equifax actually applies crucial security patches when they are available. We don’t need increased criminal penalties—we need to incentivize protecting the data in the first place.

Another good reason for this is that additional criminal anti-hacking laws more often end up hurting security researchers and hackers who want to do good. For instance, in Equifax’s case, a security researcher had warned the company about its security vulnerabilities months before the actual breach happened; yet the company seemed to have done nothing to fix them. The security researcher couldn’t go public with the findings without risking significant jail time and other penalties.

Without a meaningful way for security testers to raise problems in a public setting, companies have little reason to keep up with the latest security practices or to fear the resulting negative publicity. If Congress uses the Equifax breach to enhance or expand criminal penalties for unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA), we’d all be worse for it. Laws shouldn’t impede security testing and make it harder to discover and report vulnerabilities.

Free Credit Freezes, Not Credit Monitoring Services

Lastly, Congress needs to provide guidance on the immediate aftermath of a data breach. It’s become almost standard practice to offer credit-monitoring services to data breach victims. In reality, these services offer little protection to victims of data breaches. Many of them are inadequate in the alerts they send consumers, and more fundamentally, there’s little utility in being informed of improper usage of one’s credit information after it’s already been exploited. Consumers will still potentially have to spend hours to get their information cleared up with the various credit bureaus and entities where the information was used fraudulently.

Instead, Congress should legislate that victims of data breaches get access to free credit freezes, which are much more effective in preventing financial harm to victims of data breaches, at all major credit bureaus. There are proposals in Congress along these lines and we are glad to see that.

There’s no question that the Equifax breach has been a disaster. We at EFF are working with congressional offices to pass sensible reforms to ensure that it doesn’t happen again.

This story originally appeared on the EFF’s blog.


Big Data – VentureBeat


Will the Equifax data breach finally spur lawmakers to recognize data harms?

October 1, 2017   Big Data

This summer 143 million Americans had their most sensitive information breached, including their names, addresses, Social Security numbers (SSNs), and dates of birth. The breach occurred at Equifax, one of the three major credit reporting agencies that conduct the credit checks relied on by many industries, including landlords, car lenders, phone and cable service providers, and banks that offer credit cards, checking accounts and mortgages. Misuse of this information can be financially devastating. Worse still, if a criminal uses stolen information to commit fraud, it can lead to the arrest and even prosecution of an innocent data breach victim.

Given the scope and seriousness of the risk that the Equifax breach poses to innocent people, and the anxiety that these breaches cause, you might assume that legal remedies would be readily available to compensate those affected. You’d be wrong.

While there are already several lawsuits filed against Equifax, the pathway for those cases to provide real help to victims is far from clear. That’s because even as the number and severity of data breaches increases, the law remains too narrowly focused on people who have suffered financial losses directly traceable to a breach.

The law consistently fails to recognize other sorts of harms to victims. In some cases this arises in the context of threshold “standing” to sue, a legal requirement that demands proof of harm (lawyers call it “injury in fact”) just to get in the door in federal courts. In other cases the problem arises within the claim itself, where “harm” is a legal element that must be proven for a plaintiff to win the case. Regardless of how the issue of “harm” comes up, judges are too often failing to ensure that data breach victims have legal remedies.

The consequences of this failure are two-fold. First, there’s the direct problem that the courthouse door is closed to hundreds of millions of people who face real risk and the accompanying reasonable fears about the misuse of their information. Second, but perhaps even more important, the lack of legal accountability means that the companies that hold our sensitive data continue to have insufficient incentives to take the steps necessary to protect us against the next breach.

Effective computer security is hard, and no system will be free of bugs and errors.

But in the Equifax hack, as in so many others, the breach resulted from a known security vulnerability. A patch to fix the vulnerability had been available for two months, but Equifax failed to implement it even though the vulnerability was being actively exploited. This wasn’t the first time that Equifax has failed to take computer security seriously.

Even if increasing liability only accomplished an increased incentive to patch known security problems, that alone would protect millions of people.

The High Bar to Harm

While there are exceptions, too often courts dismiss data breach lawsuits based on a cramped view of what constitutes “harm.” These courts mistakenly require actual or imminent loss of money due to the misuse of information that is directly traceable to a single security breach.

Yet outside of data breach cases, courts routinely handle cases where damages aren’t just a current loss of money or property. The law has long recognized harms such as the infliction of emotional distress, assault, damage to reputation and future business dealings.[1] Victims of medical malpractice and toxic exposures can receive current compensation for the potential for future pain and suffering. As two law professors, EFF Advisory Board member Daniel J. Solove and Danielle Keats Citron, noted in comparing data breach cases to the recent claims of emotional distress brought by Terry Bollea (Hulk Hogan) against Gawker: “Why does the embarrassment over a sex video amount to $115 million worth of harm but the anxiety over the loss of personal data (such as a Social Security number and financial information) amount to no harm?”

For harms that can be difficult to quantify, some specific laws (e.g. copyright, wiretapping) provide for “statutory damages,” which set an amount per infraction.[2]

The recent decision dismissing the cases arising from the 2014-2015 Office of Personnel Management (OPM) hack is a good example of these “data breach blinders.” The court required that the plaintiffs—mostly government employees—demonstrate that they faced a certain, impending, and substantial risk that the stolen information would be misused against them, and that they be able to trace any harm they alleged to the actual breach. The fact that data sufficient to impersonate them was stolen, and stolen due to the negligence of OPM, was not sufficient. The court then disappointingly found that the fact that the Chinese government—as opposed to ordinary criminals—is suspected of having stolen the information counted against the plaintiffs in demonstrating likely misuse.

The ruling is especially troubling because we know that it can take years before the harms of a breach are realized. Criminals often trade our information back and forth before acting on it; indeed there are entire online forums devoted to this exchange. Stolen credentials can be used to set up a separate persona that incurs debts, commits crimes, and more for quite a long time before the victim is aware of it. And it can be difficult if not impossible to trace a problem with credit, or a criminal misuse, back to any particular breach.

How are you to prove that the bad data that torpedoed your mortgage application came from the breaches at Equifax as opposed to the OPM, Target, Anthem, or Yahoo breaches, just to name a few?

What the Future Holds

When data is being declared the ‘oil of the digital era’ and millions in venture capital funding await those who can exploit it, it’s time to reevaluate how to think of data breaches and misuse, and how we restore access to the courts for those impacted by them.

Simply shrugging shoulders, as the OPM judge did, is not sufficient. Courts need to start applying what they already know in awarding emotional distress damages, reputational damages, and prospective business advantage damages to data breach cases, along with the recognition of current harm due to future risks, as in medical malpractice and pollution cases. If the fear caused by an assault can be actionable, so should the fear caused by the loss of enough personal data for a criminal to take out a mortgage in your name. These lessons can and should be brought to bear to help data breach victims get into the courthouse door and all the way to the end of the case.

If the political will is there, legislatures, both federal and state, can step up and create incentives for greater security and a much steeper downside for companies that fail to take the necessary steps to protect our data.

The standing problem requires innovation in crafting claims, but even the Supreme Court in the recent Spokeo decision recognized that intangible harms can still be harms under the Constitution, and Congress can make that intention even more clear with proper legislative language. Alternatively, as in copyright or wiretapping cases where the damages are hard to quantify, Congress can use techniques like statutory damages to ensure that those harmed receive compensation. Making such remedies clearly available in data misuse and breach cases is worthy of careful consideration. So far, the federal bills being floated in response to the Equifax breach and earlier breaches do not remove these obstacles to victims bringing legal claims, nor do they ensure a private right of action.

Similarly, outside of the shadow of federal standing requirements, state legislatures can consider models of specific state law protections like California’s Lemon Law, formally known as the Song-Beverly Consumer Warranty Act. The Lemon Law provides specific extra remedies for those purchasing a new car that needs significant repairs. States should be able to recognize that data breach situations are special and may similarly require special remedies. Things to consider are giving victims easier (and free) ways to clean up their credit rather than just the standard insufficient credit monitoring schemes.

By looking at various options, Congress and state legislatures could spur a race to the top on computer security and create real consequences for those who choose to linger on the bottom.

Of course, shoring up our legal remedies isn’t the only avenue for incentivizing companies to protect our data better. Government agencies like the Federal Trade Commission and state attorneys general have a role to play, as does public pressure and media attention.

One thing is for sure: as long as the consequences for neglecting to protect user data are weak, data breaches like the Equifax breach will continue to occur. Worse, it will become increasingly difficult for victims to demonstrate which breach caused their credit rate to drop, their job prospects to dim, or their hopes for a mortgage to be dashed. It’s long past time for us to rethink the approach to harm in data breach cases.

This story originally appeared on the EFF’s blog.


Big Data – VentureBeat


Are You in the Half of Firms with No Tested Data Breach Plan?

May 23, 2017   FICO

Last week alone, a New York hospital, a US car washing business and a UK online retailer all suffered headline-making data breaches. There is no fool-proof cybersecurity defence, so businesses of all sizes need to consider not only how they can prevent breaches but also determine what they will do should the worst happen.

Additional losses are heaped on companies that fail to manage the fallout from a breach well. Poor customer communication, disastrous PR and a slow or ineffective response all damage reputation, lose customers and worry shareholders.

Despite this, a new cybersecurity survey we commissioned from the independent research and consultancy firm Ovum shows that only 51% of companies surveyed have a tested data breach response plan.

Looking across the six countries we surveyed, it’s clear that some are doing better than others, though none had excellent coverage on this question. The Norwegians are top of the class – 62% of respondents have a tested data breach response plan; the UK is at the other end of the scale with just 41%.

[Chart: share of firms with a tested data breach response plan, by country]
There was less variation when we looked at the industries surveyed across all countries: e-commerce/retail had the lowest figure at 49%, and telecommunications were the highest with 54%. Looking at the industry data at a country level did yield interesting anomalies. In the UK only 25% of e-commerce/retail companies had a tested data breach response plan, while 78% of Norwegian media services companies do. Size of company didn’t seem to be a factor in whether firms had a tested data breach response plan.

The General Data Protection Regulation (GDPR) takes effect in May 2018, and it applies not only to organizations in Europe but to any organization worldwide that handles the personal data of people in the EU. GDPR lets regulators levy much bigger fines on those that lose customer data: up to 4% of global annual turnover or €20 million, whichever is higher. In the UK, for example, the ICO has put the sterling figure at £17 million.

With this in mind all businesses should review their cybersecurity practices and think hard about the implications of a breach and how they will respond should the worst happen – a good, well-rehearsed plan could become a matter of survival.

Our cybersecurity research has produced a great deal of interesting information on attitudes to cybercrime across the industries and countries involved – we’d like to share more of it with you so join our Tweet Chat using the hashtag #cybertrends on 1st June 2017 at 4 pm BST / 8 am PDT.

Do you know if you’re likely to suffer a data breach in the next year? Find out with the FICO Enterprise Security Score.


FICO


Why Dropbox’s data breach response is still wrong

August 31, 2016   DWH News and Info

One day Dropbox may well get its head around the best-practice methods for handling customer data breaches, but today is not that day.

News broke on Tuesday that details of 68,680,741 user accounts had been found online, apparently the result of a data breach back in 2012. The files reportedly contained the users’ email addresses, plus their salted and hashed passwords.

Dropbox’s response was to email the affected users, who could be forgiven for not realising it was about a data breach.


“Resetting passwords from mid-2012 and earlier,” was the subject line.

“We’re reaching out to let you know that if you haven’t updated your Dropbox password since mid-2012, you’ll be prompted to update it the next time you sign in. This is purely a preventative measure, and we’re sorry for the inconvenience,” the email read.

“To learn more about why we’re taking this precaution, please visit this page on our Help Center. If you have any questions, feel free to contact us at password-reset-help@dropbox.com.”

If users did click through, they would have had to scroll past four sub-headings before finally being told there had been a data breach, and even then only after yet more softening of the message.

“Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.

“Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed. Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in.”

I reckon there are a few problems with that messaging, though I’ll come back to that. There’s more to worry about.

First, there’s a problem with the secondary authentication protocol: it isn’t being used.

Assume for the moment that the bad guys have obtained a user’s password. They can log in to Dropbox. Then, if they’re forced to change the password, this is what they see.

[Image: Dropbox’s password change dialog (Image: Dropbox)]

The bad guys enter a new password, and it’s game over.

What should happen? The secondary authentication protocol should be brought into play. For Dropbox, that’s the user’s email address.

Once the user has entered the old password, they should be emailed a one-time, time-limited token, one of those emails that says “Click here to enter your new password”. That way the bad guys need to have gained access to the user’s email account as well. Not perfect, but a significant additional hurdle.

Second, even when a user does change their password, Dropbox says that any logged-in sessions on other devices will still be active — and that would include any sessions created by the bad guys before the user changed the password.

What should happen? When there’s any suspicion that an account may have been compromised, all logged-in sessions should be logged out immediately. When the user logs back in, they should be forced to change their password immediately — not merely prompted to do it when they get around to it.
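As an added example (not Dropbox’s code, and not from the original article), here is a minimal account service in Python that does what the two “What should happen?” paragraphs above ask for: a correct but suspect password gets the user a mailed one-time, time-limited token instead of a password change form; completing the reset rotates the password and logs out every existing session; and flagging an account as possibly compromised revokes its sessions immediately. The in-memory dictionaries, the 15-minute token lifetime and the `outbox` list standing in for the mail system are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

RESET_TOKEN_TTL = 15 * 60  # assumed policy: a reset link dies after 15 minutes


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash (the storage shape the article attributes to Dropbox)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountService:
    """Toy account store: users, sessions and pending resets live in dicts.
    `clock` is injectable so token expiry can be exercised without sleeping."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}      # email -> {"salt", "hash", "must_reset"}
        self.sessions = {}   # session id -> email
        self.resets = {}     # sha256(token) -> {"email", "expires"}
        self.outbox = []     # stands in for the mail system: (email, token)

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "hash": hash_password(password, salt),
                             "must_reset": False}

    def _check_password(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        if user is None:
            return False
        return hmac.compare_digest(user["hash"], hash_password(password, user["salt"]))

    def login(self, email: str, password: str):
        """Returns a session id, None on a bad password, or "RESET_REQUIRED" when the
        old password is right but the account is flagged: the caller then gets a
        mailed token instead of a session, so knowing the password alone is not enough."""
        if not self._check_password(email, password):
            return None
        if self.users[email]["must_reset"]:
            self.start_reset(email)
            return "RESET_REQUIRED"
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = email
        return sid

    def revoke_sessions(self, email: str) -> int:
        """Log the account out everywhere. Returns the number of sessions dropped."""
        stale = [sid for sid, owner in self.sessions.items() if owner == email]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)

    def flag_possible_compromise(self, email: str) -> int:
        """Credentials may be in a leaked set: kill every live session now (including
        any an attacker already opened) and force a reset at the next login."""
        self.users[email]["must_reset"] = True
        return self.revoke_sessions(email)

    def start_reset(self, email: str) -> None:
        """Mail a one-time, time-limited token; only its hash is stored server-side,
        so a read of this table does not hand out live reset links."""
        token = secrets.token_urlsafe(32)
        self.resets[hashlib.sha256(token.encode()).hexdigest()] = {
            "email": email, "expires": self.clock() + RESET_TOKEN_TTL}
        self.outbox.append((email, token))

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the token (single use), check expiry, rotate the password and log
        out every other device."""
        entry = self.resets.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None or self.clock() > entry["expires"]:
            return False
        email = entry["email"]
        salt = secrets.token_bytes(16)
        self.users[email].update(salt=salt, hash=hash_password(new_password, salt),
                                 must_reset=False)
        self.revoke_sessions(email)
        return True


if __name__ == "__main__":
    svc = AccountService()
    svc.register("alice@example.com", "hunter2")          # constructed sample account
    attacker = svc.login("alice@example.com", "hunter2")   # attacker knows the leaked password
    print("sessions revoked on flag:", svc.flag_possible_compromise("alice@example.com"))
    print("attacker retry:", svc.login("alice@example.com", "hunter2"))
    _, token = svc.outbox[-1]                              # only the mailbox owner sees this
    print("reset ok:", svc.complete_reset(token, "correct horse battery staple"))
    print("token reuse:", svc.complete_reset(token, "again"))
```

With this flow an attacker who holds the leaked password and logs in gets a RESET_REQUIRED answer and a token delivered to a mailbox they do not control, which is the extra hurdle described above; the token is removed the moment it is presented, so reuse and expiry are both simple checks, and the password rotation drops every session rather than leaving earlier ones alive.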

OK, sure, in this particular instance Dropbox says their threat monitoring and password storage strategy give them a clean bill of health. So far, we have no reason to doubt that.

But Dropbox has form.

In 2014, Dropbox waved away security concerns, despite having written that “there’s nothing more important to us than keeping your stuff safe and secure”.

In 2012, Dropbox clearly failed to reset everyone’s passwords after a potential data breach. If they had done, they wouldn’t be asking users to reset them now, right?

And in 2011, Dropbox left a bunch of users’ files open to the internet, yet brushed away concerns by claiming it was only “a very small number of users (much less than 1 percent)” who might have been affected. That’s no consolation if you were one of them.

Dropbox, like so many other organisations, is presumably worried that users will be scared away by security breaches, so they soften the language. But experience and research show that when it comes to data breaches, owning up actually increases trust.

So here’s how I’d have handled Dropbox’s latest problems — apart from fixing those secondary authentication and session management problems.

“Security Message”, I’d have written in an email to every user, having previously shoved the PR and marketing teams into a canal.

“We’ve had a security problem. So far our investigations suggest that your account hasn’t been accessed by anyone else. See below for the details. But to be sure, we need you to reset your password. It might also be a good idea to turn on two-factor authentication (2FA).”

I’d list the steps users need to take, and then the rest of the details — including the steps we’d already taken to investigate and rectify the problem, and when we’d be emailing them an update.

Yes, I’d say “problem” not “issue”, because that’s what it is. And yes, I’d email every user, because why not? It builds trust.

One day Dropbox should start paying attention to this sort of best-practice advice, and today is that day.


Colbran South Africa


VTech Data Breach Highlights IoT Failings

November 29, 2015   Mobile and Cloud

VTech Holdings Limited, the Hong Kong maker of baby monitors and electronic toys, announced that its customer database was hacked two weeks ago.

The company says an unauthorized party accessed VTech customer data housed in its Learning Lodge app store database on November 14, 2015. Learning Lodge gives its customers the ability to download apps, learning games, e-books and other educational content to their VTech products.

Upon discovering the unauthorized access, VTech claims it immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks. The company says its customer database contains general user profile information including names; email addresses; encrypted passwords; secret questions and answers for password retrieval; IP addresses; mailing addresses; and download histories.

In the company’s statement on the incident, it says: “It is important to note that our customer database does not contain any credit card information and VTech does not process nor store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway. In addition, our customer database does not contain any personal identification data (such as ID card numbers, Social Security numbers or driving license numbers).”

This is where the company’s reaction is a bit obtuse. The company is hoping to shape public sentiment by stating that no payment information or personal I.D. data was present in the heist. While that may technically be true, an attacker holding a customer’s name, mailing address, IP address and the answers to their secret questions has most of what is needed to impersonate that customer elsewhere, so the absence of card and I.D. numbers is less reassuring than it sounds. Secret-question answers in particular are reused across services and cannot be rotated the way a password can.

For example, an attacker can combine that information with credit records readily sold on the Dark Web, and then apply for new credit cards using the victim’s name, address and secret-answer data.

Hong Kong’s Personal Data (Privacy) Ordinance, together with dozens of past cases, could put the company in jeopardy. The Hong Kong government takes data privacy very seriously, and VTech should face fines and possible other civil or criminal penalties for failing to secure customer data.

Most importantly, this highlights the failings for many Internet of Things companies on the security front. Companies concentrate on developing usable devices that connect to the Internet, but secure methods of information transmission or information storage are forgotten or ignored. Especially in Hong Kong, which lacks a large community of technologists, these failings are all too common.


ChinaWirelessNews.com


Tor browser co-creator: Experian breach shows encryption may not be security panacea

October 5, 2015   Big Data

The Experian/T-Mobile hack may be more worrisome than Experian’s carefully worded description of it suggests, some security experts said Friday.

One of them is David Goldschlag, who co-created onion routing, the technique underlying Tor, and is now SVP of strategy at Pulse Secure. Goldschlag previously was head of mobile at McAfee, and also once worked at the NSA.

I asked Goldschlag a simple question: “After the Office of Personnel Management and Experian hacks, is there reason to fear that hackers now have the means to steal actual financial information (credit card numbers, etc.) from banks or insurers?”



Goldschlag didn’t answer the question directly, but his answer was disturbing.

“Experian differentiated between personally identifying information that was not stored encrypted, and credit card info which was stored encrypted — both were hacked,” Goldschlag wrote in a note to VentureBeat.

“Experian added that it is likely that the hackers were able to decrypt the encrypted information too,” he said. (Experian’s CEO admitted this.) “So storing information in an encrypted form may not be the panacea that people expect.”

“Experian had a reason to have the credit card info, perhaps to check account balances,” Goldschlag said. “And that means that Experian has systems and applications that decrypt the encrypted information.”

“If the hackers stole information using those systems, then the hackers would see the decrypted credit card numbers,” he said.

Indeed, if the hackers were able to decrypt the data it paints a very different picture of the attack and its implications. “If the encrypted data was compromised, that would indicate a very effective and broad compromise of Experian’s network, most likely due to compromised administrator credentials of some kind,” said Trend Micro’s Christopher Budd in a statement.

Goldschlag believes better authentication is key to reducing vulnerability to hackers and other security threats. Basic authentication techniques are commonly used to protect banking information, but the recent large-scale breaches at Ashley Madison, the Office of Personnel Management, and Experian show that some information must require a greater level of authentication as a form of defense.

Back in 2012, hackers gained access to the Experian servers by stealing the account credentials from a Texas bank. It’s possible that hackers gained access to the Experian server by stealing a T-Mobile account holder’s credentials.

“The Experian breach is yet another example of a company being affected by one of its third party vendors,” said Trend Micro’s Budd. “This situation is similar to the Heartland Payment Systems breach and further reiterates how companies responsible for processing financial information continue to be a weak link in the chain.”

Experian’s own Q&A page, however, says the following about the exposure of credit card data, which sits uneasily with Goldschlag’s reading: “There were no credit card numbers or account numbers contained in the file accessed, based on our investigation to date.”

One security firm says it’s already spotted advertisements for the sale of the stolen T-Mobile data on the dark web.

Only time will tell how much data from the Experian hack eventually makes it into the hands of identity thieves, and what damage they do with it.


VentureBeat » Big Data News | VentureBeat


This Week In Tech: Typos No More, Bitcoin Breach, Chips And PINS, And CES

January 10, 2015   BI News and Info

This week in tech showed us some interesting technology, such as the Typo keyboard created by American Idol host Ryan Seacrest. And of course, we also saw another company – an unexpected company – fall victim to a security breach. There was also a new card system aimed at preventing future data breaches, and some new (and old) tech gadgets shown at CES 2015.

Here’s what happened, this week in tech.

1. Hello Typos. Tired of iPhone’s autocorrect and endless typos? So was American Idol’s host Ryan Seacrest, so he made a Bluetooth keyboard. Called Typo, it has three versions – Typo2 ($ 99) for the iPhone 6, and two Typo models ($ 179) for the iPad Mini and the iPad Air. Seacrest and partner Laurence Hallier launched Typo Innovations after Seacrest complained about all the misspelled words in his emails. Typo Innovations ran into a little trouble when Blackberry filed a lawsuit claiming that the keyboard was a copy of their own keyboard, but the Idol host commented about the case saying, “…that is an old issue. This is a new keyboard with a new design.” The Typo keyboard has a sturdy hinge stand to set your iPad at any angle, and also has its own rechargeable battery, so it does not draw on the iPad’s. The Typo keyboard models for the iPads are expected to debut in March of this year.

2. Bitcoin Breach. Yet another victim of a security breach, BitStamp announced that over $ 5 million (equivalent to 19,000 bitcoins) worth of cryptocurrency has been lost. This, coming from a company thought to have a very secure and tight infrastructure. After learning about the breach, the company suspended operations hoping to prevent any more damage. BitStamp seemed to evade further damage and stated that the coins lost were only “a small fraction of BitStamp’s total bitcoin reserves,” and that the remaining bitcoins are “held in secure offline cold storage systems.” The good news for BitStamp customers is that the company reassures them all balances will be honored in full. However, this comes after another hack last year involving the digital currency, stirring up some controversy on bitcoin security and safety for mainstream use.

3. Chips and PINs. Cards are used for everything, but those little magnetic stripes might not be around for too much longer. The U.S. might finally be moving on to chip and PIN cards. Instead of relying on the static account data encoded on the magnetic stripe, which anyone who reads it can copy onto a counterfeit card, these cards carry an embedded computer chip that holds a secret key and uses it to generate a one-time cryptogram for each sale. A captured transaction cannot be replayed, and the captured data is not enough to clone the card. While “chip cards” is their nickname, the official name for the new card system is EMV, after the Europay, Mastercard, and Visa standards. Because captured transaction data no longer yields a usable card, a breach of point-of-sale systems like the one at Target becomes far less lucrative; it does nothing, however, for card-not-present purchases made online with just the card number. In a report by the Federal Reserve Bank of Kansas City, chip cards could reduce credit card fraud by 40 percent. This change-over won’t be without expense, and those costs will vary depending on the size of the merchant. There is hope that with this new system we won’t have a year remembered for its hacked companies like we saw in 2014.

4. CES Week – The International Consumer Electronics Show started Tuesday of this week, with many new tech gadgets storming the technology front, including some oldies, but goodies.

One such product is the Walkman. Before the days of the iPod and MP3 players, the Walkman ruled portable music. Sony made a new audio player called the Walkman ZX2; however, the price might be a little higher than its 35-year-old counterpart, with the Walkman ZX2 going for over $ 1,100.

Another big trend that continued from last year was the smarter generation of technology: smarter homes, wearables and smarter fitness apps, and even smarter breathalyzers. Smarter homes focused on smart locks, smart lighting, and thermostats like Nest that learn and adjust to habits – it’s all about the connected home. Wearables were also big again, with focus on the new Apple Watch and the Fitbits. And for smarter breathalyzers, the BACtrack smart breathalyzer, paired with an iOS or Android app, can tell you whether or not you are sober enough to drive. Tech leaders across the industry also gave keynotes focusing on how mobile connectivity is transforming the industry and our daily lives. CES is showing a lot of what technology has to offer in 2015, and we are eager to see more.
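To make item 3 concrete, here is an added Python model (not from the original post and not real EMV code) of why a per-transaction cryptogram changes what a breach is worth. It is simplified: real EMV derives a session key per transaction and produces an 8-byte 3DES or AES MAC (the ARQC) over a defined set of fields, whereas this model uses a truncated HMAC-SHA256 over a constructed message; the card numbers, amounts and the issuer’s in-memory tables are made up for the example.

```python
import hashlib
import hmac
import secrets


def cryptogram(key: bytes, pan: str, atc: int, amount: int, un: str) -> bytes:
    """Stand-in for the ARQC: a short MAC over the sale details, the card's
    transaction counter and the terminal's unpredictable number."""
    msg = f"{pan}|{atc}|{amount}|{un}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def terminal_nonce() -> str:
    """The terminal's unpredictable number, so a card cannot precompute cryptograms."""
    return secrets.token_hex(4)


class MagstripeCard:
    """Magnetic stripe: static track data, identical on every swipe."""

    def __init__(self, pan: str, expiry: str):
        self.track = f"{pan}={expiry}"

    def swipe(self, amount: int) -> dict:
        return {"track": self.track, "amount": amount}


class ChipCard:
    """Chip card: holds a secret key and signs each sale with a fresh cryptogram."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self.key = key
        self.atc = 0  # application transaction counter, never reused

    def insert(self, amount: int, unpredictable_number: str) -> dict:
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc, "amount": amount,
                "un": unpredictable_number,
                "cryptogram": cryptogram(self.key, self.pan, self.atc, amount,
                                         unpredictable_number)}


class Issuer:
    """Issuer host: authorizes both card types; only chip requests are unforgeable."""

    def __init__(self):
        self.tracks = set()   # valid magstripe track data
        self.keys = {}        # pan -> chip key
        self.last_atc = {}    # pan -> highest counter accepted so far

    def issue_magstripe(self, pan: str, expiry: str) -> MagstripeCard:
        card = MagstripeCard(pan, expiry)
        self.tracks.add(card.track)
        return card

    def issue_chip(self, pan: str) -> ChipCard:
        key = secrets.token_bytes(16)
        self.keys[pan] = key
        self.last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize_magstripe(self, req: dict) -> bool:
        # Nothing ties the request to a particular sale: a copied track works forever.
        return req["track"] in self.tracks

    def authorize_chip(self, req: dict) -> bool:
        key = self.keys.get(req["pan"])
        if key is None:
            return False
        expected = cryptogram(key, req["pan"], req["atc"], req["amount"], req["un"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return False   # forged, or altered in transit (e.g. amount changed)
        if req["atc"] <= self.last_atc[req["pan"]]:
            return False   # replay of an earlier sale
        self.last_atc[req["pan"]] = req["atc"]
        return True


if __name__ == "__main__":
    issuer = Issuer()
    pan = "4111111111111111"            # constructed test card number
    mag, chip = issuer.issue_magstripe(pan, "0117"), issuer.issue_chip(pan)
    stolen_swipe = mag.swipe(2500)      # captured at a breached point of sale
    stolen_insert = chip.insert(2500, terminal_nonce())
    print("magstripe replay:", issuer.authorize_magstripe(stolen_swipe),
          issuer.authorize_magstripe(stolen_swipe))
    print("chip first use / replay:", issuer.authorize_chip(stolen_insert),
          issuer.authorize_chip(stolen_insert))
```

The issuer rejects any cryptogram whose counter is not higher than the last one it accepted, so a request captured at the point of sale cannot be replayed, and without the key a counterfeit card cannot produce a valid one at all. None of this helps with card-not-present fraud: the card number alone is still enough to shop online, which is why chip rollouts tend to shift fraud rather than eliminate it.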

That’s it for this week. Did we miss anything?


Innovation » Jen Cohen Crompton
