data breach

Subscribe to data breach via RSS

… wMan with starting pistol over a background of ready racersell, not quite that fast.  But nine minutes is pretty quick, as FTC researchers recently confirmed.

The FTC’s Office of Technology Research & Investigation (OTech) ran an experiment in April and May, posting made-up personally identifiable information in plain text on two different Internet paste sites.  The phony PII was consumer account information for 100 fictitious people, including name, address, phone number, email address, password, and payment means (credit card number, online payment account, or Bitcoin wallet).  Then, OTech waited to see what would happen, monitoring for access attempts on email and payment accounts, attempted credit card charges, and calls and texts received.

The results, and the speed of those results, were a surprise to all but the most jaded.  Here’s what OTech’s monitoring revealed:Continue Reading How quickly is stolen PII fraudulently used? Faster than you can tweet “covfefe”

dominoes fallingSometimes one must look past the headlines (Target’s $18.5 million deal with the states) to see what’s truly important in effective data breach response.

Last week, in the Experian data breach litigation, the District Court denied plaintiffs’ motion to compel production of the forensic analysis report on the breach, prepared by Mandiant.  Why?  Because it was Experian’s law firm that retained Mandiant to perform the forensic analysis and prepare its report, in anticipation of litigation.  According to the court:

  • Jones Day hired Mandiant to assist the law firm in providing legal advice to the client Experian;
  • Mandiant’s report was based on server images that are independently discoverable, without the report;
  • only a summary, not the full report, was shared with Experian’s internal Incident Response Team; and
  • though Mandiant had in the past worked directly for Experian on other matters, this engagement was separate.

On this basis the court held that the report was protected work product, without even reaching the additional point of attorney/client privilege.

So what’s the big deal?  It’s this – in the heat of an unfolding security incident (in Experian’s case, impacting 15 million people), things move fast.  Really fast.  Victim companies scramble to understand what happened, when it happened, what must now be done, and by when. The what and when are of course important, but  so too are the who and how of effective breach response.  For example, a natural move under the gun is to have the infosec folks immediately bring in an outside security/forensics firm and turn them loose.  Sounds great … until litigation ensues, and all of the forensic firm’s analysis is fair game in discovery – the good, the bad, and the ugly.

This is a no-win situation, for both the unprepared and the semi-prepared:

Continue Reading In breach response, who and how are just as important as what and when

Verizon 2017 DBIRI always look forward to Verizon’s annual Data Breach Investigations Report.  Verizon dropped the 2017 DBIR last week, and for the 10th year in a row it cuts through the confusing landscape of security incidents and data breaches with analysis, alacrity … and yes, attitude (in what other report can you find a paragraph heading like “Tall, Dark, and Ransom”?).

The 2017 DBIR distills global information from 65 collectors of incident and breach data, analyzing 42,120 security incidents and 1,925 breaches that occurred during 2016.  The threat environment changes each year, but one of the reasons I value the DBIR is that it shines a light on a few key things that don’t change.  Here are four central aspects of data security that endure – and which we forget at our peril:Continue Reading Yipee – Verizon’s 2017 DBIR has arrived!

Adding piece to jigsaw puzzleEffective June 16, New Mexico will be the 48th state with a PII data breach notification statute.  New Mexico joins the vast majority of states, plus the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands, in requiring notice to affected residents of PII security breaches – as of June, only Alabama and South Dakota will lack such a law.

Like other states’ statutes, New Mexico’s new law is triggered by the residency of the affected individuals, and so companies across the country with PII of New Mexico residents must now fold the New Mexico requirements into both their PII policy definitions and their breach response protocols.

So, how does New Mexico’s new statute fit into our perplexing puzzle of PII breach notification laws?Continue Reading America’s great – New Mexico makes 48

Breach VennI wish I had a bitcoin for every time I get an email with the subject line “Data Breach,” yet the facts upon investigation reveal no notifiable breach occurred.

In the Venn diagram of cyber security, the big rectangle is security incidents, enveloping a smaller circle of incidents that are breaches under state PI breach notification statutes.  And a yet smaller circle are the breaches for which these statutes require notification of affected individuals.

So, what are common scenarios in which a security incident does not trigger notification duties under state PI breach notification statutes?Continue Reading When is a “data breach” not a breach?

Vice President Mike PenceSorry to revive ugly memories of last fall’s vituperative presidential campaign, in which bile was spewed over candidate Clinton’s use of a private email server while Secretary of State, and its vulnerability to hacking.  Clinton eventually conceded that her use of a personal email server was a “mistake.”  Which it was, on so many levels.

Now, news reports indicate that Vice President Mike Pence, while Governor of Indiana, used a private email account (AOL, no less) to conduct state business.  And that some of the messages apparently contained sensitive law enforcement and Homeland Security information.  And that, unlike Clinton’s private server, Governor Pence’s personal email account was actually hackedAnd that the hack occurred (wait for it) last summer – in the midst of all of the self-righteous indignation over Clinton’s email practices.  Thankfully, Governor Pence and his wife were NOT stranded in the Philippines, and we did NOT need to wire them emergency funds.

These revelations will no doubt spur cries of bald-faced hypocrisy, and equally heated arguments that Pence’s situation is different than Clinton’s (AOL v. private server, Governor v. Secretary of State, sensitive Homeland Security information v. classified information, and so forth).

But here’s a thought – instead of yet another round of beating ourselves over the head with partisan cudgels, what if we tried something different this time?Continue Reading So, Governor Pence used his hacked AOL account for state business – can we please now depoliticize data security?

Ship engine trottle, full speed aheadNews reports today indicate that Verizon is pushing ahead with its purchase of Yahoo’s core internet business, despite Yahoo’s massive data breaches.  Yahoo suffered a breach of 500 million user accounts in 2014, on the heels of a one billion account compromise in 2013 (names, telephone numbers, birth dates, passwords, and security questions), reputedly the largest data breach in history.

Speculation swirled for months about whether Verizon would simply walk away from the deal, originally set at $4.83 billion, or would proceed with a drastically reduced acquisition price.  And the result, as of today’s announcement?  Full speed ahead, after lowering the purchase price by $350 million.

Verizon will gain personal data on Yahoo’s over one billion users, which will no doubt boost its digital media and targeted advertising revenues, and the deal will help Verizon expand beyond the crowded market for wireless services.  So, the value of user information is not in doubt.  But what about the value of privacy?

$350 million is a lot of money.  And apparently Verizon and Yahoo will share certain costs related to governmental investigations and breach litigation, with Yahoo remaining on the line for SEC and shareholder litigation fallout.  But still, the results of simple division are stark – $350 million against up to 1.5 billion affected persons … yielding 23 cents.
Continue Reading What’s our privacy worth? According to the Verizon/Yahoo deal, about 23 cents.

aerial view of forestAs the calendar year turned there were several great posts highlighting lessons learned in 2016 from notable HIPAA breaches and enforcement actions.  It’s also useful to climb up out of the trees and view the forest.  The HHS Office of Civil Rights publishes information each year on reported HIPAA security breaches affecting 500 or more persons, and this database offers a unique, multi-year dataset on such breaches of protected health information.

Here’s a forest-altitude look at significant HIPAA breaches suffered by healthcare providers (setting aside health plans and clearinghouses), looking for key trends emerging during the five years from 2012 to 2016.

Continue Reading HIPAA trends emerge from five years of provider breaches

One Bullet in Gun Barrel Having too much data causes problems beyond needless storage costs, workplace inefficiencies, and uncontrolled litigation expenses.  Keeping data without a legal or business reason also exacerbates data security exposures.  To put it bluntly, businesses that tolerate troves of unnecessary data are playing cybersecurity roulette … with even larger caliber ammunition.
Continue Reading Why govern your information? Reason #9: Unnecessary business data multiplies data security exposures

Phishing emailReports indicate that in mid-March of this year, John Podesta and various Clinton campaign staff members received individual notifications from Google like this one, telling them to change their Google passwords, pronto.  Just one problem – the security alerts weren’t from Google.  Months later, a barrage of Mr. Podesta’s hacked emails were published by WikiLeaks, serving up yet more artillery shells in this war zone of a presidential election.

Let’s look at this through a different lens. What if there was a bank, Podesta Savings & Loan, and the bad guys scammed their way in, emptied the vault, and then scattered the currency all over Main Street.  You’re a bystander, and you see the bank’s cash being strewn on the street in front of the bank – is it OK for you to pocket the money?Continue Reading Our complicity in the Clinton campaign email hacks