Poor Records Management = Identity Theft Victims

The spouse of a Seras partner recently had her credit card number stolen – TWICE in one month! On multiple occasions she spent over an hour on the phone with the bank, sorting out thousands of dollars in erroneous charges that some stranger had made across Las Vegas. Identity theft is on the rise, as everyone has seen countless times in the news and across multiple media platforms for years. If you have ever had to deal with identity theft, you know it can be a nightmare that sometimes takes years to repair.

Initial solutions for this global concern revolved around reducing the amount of hard-copy paperwork that an organization generated – which is great news for Seras because we provide document scanning services. As cyber criminals began to understand the value of consumer information, it became just as important to protect electronic data as it was to protect and reduce hard-copy paperwork. Best practices for preventing identity theft should include protection for both types of information.

The most recent example that we found might very well affect you personally – “On Nov. 24, (2013) Trustwave researchers tracked that (hacker) server, located in the Netherlands. They discovered compromised credentials for more than 93,000 websites, including:

  • 318,000 Facebook (FB, Fortune 500) accounts
  • 70,000 Gmail, Google+ and YouTube accounts
  • 60,000 Yahoo (YHOO, Fortune 500) accounts
  • 22,000 Twitter (TWTR) accounts
  • 9,000 Odnoklassniki accounts (a Russian social network)
  • 8,000 ADP (ADP, Fortune 500) accounts (ADP says it counted 2,400)
  • 8,000 LinkedIn (LNKD) accounts

The massive data breach was a result of keylogging software maliciously installed on an untold number of computers around the world, researchers at cybersecurity firm Trustwave said. The virus was capturing log-in credentials for key websites over the past month and sending those usernames and passwords to a server controlled by the hackers.”

For more information, check out this article from CNN Money: http://money.cnn.com/2013/12/04/technology/security/passwords-stolen/index.html

Here are some other recent examples provided by Ericka Chickowski of Dark Reading:

Company Compromised: CorporateCarOnline.com

Breach Stats: 850,000 records stolen

The Details: Personal details, credit card numbers, and other PII from some of the biggest American names in professional sports, entertainment, Fortune 500 business, and politics were all stolen in this juicy heist of a plain text archive held by this company that develops a SaaS database solution for limo services across the country. Some of the big names on the list include Tom Hanks, Sen. Tom Daschle, and Donald Trump.

Lessons Learned: A key lesson is how the ingenuity of attackers knows no bounds when the most valuable financial and social-engineering-fueling information is at stake. According to KrebsOnSecurity.com, a quarter of the compromised card numbers were high- or no-limit American Express cards, and other information would prove a treasure trove for corporate spies or tabloid media players. Meanwhile, the company at hand paid absolutely no regard to the security of the information, without even trying to take the most basic of cryptographic measures to protect it.

Company Compromised: Adobe

Breach Stats: Nearly 3 million PII records, more than 150 million username/password combos, and source code from Adobe Acrobat, ColdFusion, ColdFusion Builder and other unspecified products were stolen.

The Details: This is the breach that just keeps unraveling as the hits keep coming more than a month after the compromise was first disclosed. Originally just thought a compromise of 3 million PII records, it's now clear that Adobe is contending with the loss of a vast trove of login credentials, and, more startlingly, its source code.

Lessons Learned: Not only is the still-unfolding Adobe story a good teaching moment for how thoroughly a company can be owned by attackers once they've established a foothold in a corporate network, it's also a lesson on how dependent the entire enterprise ecosystem is on the security of its software supply chain. The potential ramifications could ripple out for a long while yet as a result of this breach.

Company Compromised: U.S. Department Of Energy

Breach Stats: PII stolen for 53,000 former and current DOE employees

The Details: Attackers targeted DOEInfo, the agency's outdated, publicly accessible system built on ColdFusion for the office of its CFO. DOE officials say the breach was limited to PII about employees.

Lessons Learned: There were two big lessons here. First, patching always has been and always will be paramount. Second, organizations must think about reducing their attack surfaces by reconsidering which systems connected to sensitive databases should be left open on publicly facing websites.

Company Compromised: Advocate Medical Group

Breach Stats: 4 million patient records stolen

The Details: The theft of four computers from offices owned by this medical company exposed more than 4 million patient records in what officials are calling the second-largest loss of unsecured health information since notification to the Department of Health and Human Services became mandatory in 2009.

Lessons Learned: Health-care breaches are dominating the 2013 breach disclosure list thus far, but this one in particular is the most egregious. With patient records dating back to the 1990s compromised from a physical computer theft, it is clear that the basics in physical security, endpoint security, encryption, and data protection were all deficient. In particular, endpoint theft and loss in health-care issues seems to come up time and time again. It may be time for these organizations to reconsider how much data an endpoint is allowed to download and store from centralized databases.

As you evaluate your organization’s records management procedures, from digitization to hard-copy storage, we encourage you to focus on security and repelling potential identity theft from multiple fronts.  For more information about how to protect your business, employees, and clients, contact Seras today and we’ll get you started.