Data Breach Expert Sileo Talks to Fox Business

Victim of a Cyber Attack? What You Should Tell Customers

By Donna Fuscaldo, Fox Business

It seems like every day consumers are learning of data breaches from companies like Sega, Sony and Google. Major corporations like these tend to have the funds and resources to recover from an attack, but for small businesses, that’s often not the case.

A slow response and lack of communication with customers are among the missteps many small businesses make when facing an attack, both of which can cause irreparable damage to the business.

“When consumers are a victim of ID fraud based on interaction with a small business, 1 in 3 never come back,” said Phil Blank, senior analyst for security and fraud at Javelin Strategy & Research.

While data breaches hitting major banks and corporations tend to dominate headlines, small businesses are increasingly becoming targets. Hackers like to prey on small businesses because computers and mobile phones tend to be used for both work and personal use, and many small businesses don’t have an IT staff monitoring and protecting operations.

According to Javelin, small business fraud totaled $8 billion in 2010. Of that, banks, merchants and other providers absorbed $5.43 billion of the loss while the cost to victims was $2.61 billion.

Dropbox a Crystal Ball of Cloud Computing Pros & Cons

Dropbox is a brilliant cloud-based service (i.e., your data stored on someone else’s server) that automatically backs up your files and simultaneously keeps the most current version on all of your computing devices (Mac and Windows, laptops, workstations, servers, tablets and smartphones). It is highly efficient for giving you access to everything from everywhere while maintaining an off-site backup copy of every version of every document.

And like anything with that much power, there are risks. Using this type of syncing and backup service without understanding the risks and rewards is like driving a Ducati motorcycle without peering into the crystal ball of accidents that take the lives of bikers every year. If you are going to ride the machine, know your limits.

This week, Dropbox appears to have altered their user agreement (without any notice to its users), making it a FAR LESS SECURE SERVICE. Initially, their privacy policy stated:

… all files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password. (Quoted from PCWorld)

Currently, the privacy policy says that Dropbox can access and view your encrypted data, and it might do so to share information with law enforcement. Why is that important? Because it means that the encryption keys that keep your files private are actually stored on Dropbox’s servers, not on your own computer. This puts the keys to your data (and to every other Dropbox user’s data) not only in the hands of Dropbox employees and law enforcement, but within reach of any hacker who compromises those servers. When the encryption key is located on your own computer, at least the risk is spread across Dropbox’s user base instead of concentrated in one place.

Comprehensive Opt Out List for Marketing Databases

Major data breaches like the recent Epsilon Breach occur frequently, even if you don’t hear about all of them. With all the publicity surrounding this particular breach, people have been asking how to remove themselves from some of those marketing lists that are frequently compromised.

Opting out of marketing databases is one way to lower your risk of becoming a data breach victim.

So, how do I get out of marketing databases?

Most databases allow you to opt out of having them share and sell your information; you just need to find out how. Many sites make it tricky to get this done, but most sites that are selling or harvesting your information allow you to do so one way or another.

The Privacy Rights Clearinghouse lists 135 marketing data brokers who are selling your private information, and tells you whether or not they have opt-out policies. If they do, you have to go to the brokers’ websites and suppress your name yourself. Most of the sites have hard-to-find opt-out pages, but you can generally track them down by visiting the Privacy Policy, which frequently appears as a link in small print at the bottom of the home page.

Stock Plummets as Epsilon Breach Rears Ugly Head

When will corporations learn? I received 6 data breach emails yesterday because of Epsilon’s lack of security.

Have you been inundated with more spam and phishing emails recently? If so, it may be due to one of the largest email and data breaches in Internet history. Epsilon is one of the world’s largest providers of marketing-email services; it handles more than 40 billion emails annually for more than 2,200 global brands.

Epsilon issued the following statement: “On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only.”

The following companies have already sent out warnings (like those below) to their customers: Best Buy, Capital One, JPMorgan, Citibank, Kroger, Barclays Bank of Delaware, Visa, American Express, US Bank, TiVo Inc. and Walgreen Co, Robert Half, Kraft, Home Shopping Network, QFC, Marriott Rewards, Ritz-Carlton Rewards, Ameriprise Financial, LL Bean Visa Card, Brookstone, Dillons, the College Board, McKinsey & Company, New York & Company, Disney Vacations, Staples, TIAA-CREF, Verizon, Borders, Smith Brands, Abe Books, Lacoste.

iPad & Tablet Users Asking for Identity Theft

The identity theft and corporate data risk problem isn’t limited to iPad users – it affects all tablets – but iPads are leading the way. With the rapid increase in highly powerful tablet computers, including the Motorola Xoom and Samsung Galaxy, a new survey is urging users to beware of the risks. Harris Interactive just released a study showing that tablet users transmit more sensitive information than they do on smartphones and are considerably less confident of the security protecting those tablets.

The survey shows that 48% of tablet users transfer sensitive data using the device while only 30% of smart phone users transfer sensitive information. The types of sensitive data included credit card, financial, personal and even proprietary business information. Many factors contribute to the increased risk:

  • Users initially bought tablets as book readers and web browsers, but have increasingly added to their functionality with new Apps.
  • Tablet computers are in their infancy and haven’t been equipped with the same security features as laptops and desktops.
  • Corporate users haven’t yet been trained on securing the data on tablets.
  • Tablets are more capable than smartphones, making them a natural laptop replacement, but without the robust, time-tested security.
  • Indiscriminate App downloading (covered in detail in the Smartphone Survival Guide) greatly increases chances of accidentally loading malware to your tablet.

Avoid Tax Time Identity Theft

Identity theft speaker John Sileo shares his tax-time identity theft prevention tips.

This past week, a New Jersey man admitted to stealing tens of thousands of dollars in government checks from mailboxes. He stole Social Security, tax refund and unemployment checks from November 2009 to April 2010, then recruited people to cash them using fake IDs. Prosecutors say the scheme cost the government more than $70,000. Not only did this criminal have the actual refund checks of most of these individuals, but he also had their identity information and even their Social Security numbers.

Around this time of year, tax time, people are more vulnerable to identity theft. There is very little that is more damaging and dangerous to your identity than losing your tax records. After all, tax records generally contain the most sensitive personally identifying information that you own, including Social Security numbers (for you, your spouse and maybe even your kids), names, addresses, employers, net worth, etc. Because of this high concentration of sensitive data, tax time is like an all-you-can-eat buffet for identity thieves. Here are some of the dishes on which they greedily feed:

  • Tax documents exposed on your desk (home and work)
  • Private information that sits unprotected in your tax-preparer’s office
  • Improperly mailed, emailed and digitally transmitted or filed records
  • Photocopiers with hard drives that store a digital copy of your tax forms

Information Offense – How Google Plays

Google recently offered $20,000 to the first person who could hack their web browser, Chrome. Without question, a hacker will crack it and prove that their browser isn’t as mighty as they might think.

So why waste the money?

In that question, ‘why waste the money?’ lies one of the root causes of all data theft inside of organizations. Google’s $20,000 investment is far from a waste of money. Consider:

  1. The average breach inside of an organization costs $6.75 million in recovery costs (Ponemon Study). $20,000 up front to identify weak points is a minuscule investment.
  2. Chrome is at the center of Google’s strategic initiatives in search, cloud computing, Google Docs, Gmail, displacing Microsoft IE and mobile OS platforms – in other words, it is a very valuable asset, so Google is putting their money where their money is (protecting their profits).
  3. By offering up $20,000 to have it hacked IN ADVANCE of successful malicious attacks (which are certain to come), Google is spending very little to have the entire hacker community beta test the security of their product.

I would bet that there will be tens or hundreds of successful hacks into their browser, all of which will be fixed by the next time they commission a hack.

Data Breach Increases 33% in 2010 and You’re Next

The latest identity theft statistics released by the Identity Theft Resource Center documented 662 data breaches* in the United States in 2010. The message couldn’t be more clear:

Corporations are not yet taking identity theft and data breach seriously enough to properly train their employees, executives, and board on the BOTTOM-LINE DESTRUCTION caused by data breach.

Sure, at this point, many organizations pay lip service to data crimes. They have a privacy policy, and their marketing materials state that they do everything in their power to protect your private information. Everything, that is, unless it costs them money to do so. Many corporations tend to hide behind the excuse that in these lean times, they can’t afford to take any additional security steps. But they must understand the disproportionate cost of recovering from theft rather than preventing it. In the simplest of terms, the ROI on data theft prevention training can easily be a thousand-fold. Each record lost, according to the Ponemon Institute, costs, on average, $204 to recover. Lose 1,000 records (considered a very small breach), and you are suddenly out $204,000! According to the same study, the average cost for a business to recover from a data breach is $6.75 million. The average cost to implement identity theft, social engineering and data breach training? In most cases, less than $50,000.