Entries tagged with “data breach”.


A major national insurance company announced this week that its network had been compromised and more than 1 million customer records were stolen. Among the data included in the breach are “people’s names and a combination of Social Security numbers, driver’s license numbers, their date of birth, and possibly marital status, gender, and occupation, as well as the names and addresses of employers.”  A company spokesperson said that there is no evidence that credit card information or medical information was involved in the breach.  Affected individuals are being notified and offered free credit monitoring services.

It is interesting to note that this is the latest compromise in which sensitive personal information was stolen while credit card data seems not to have been involved.  A few months ago, South Carolina had a similar incident in which Social Security and banking information was compromised, while the encrypted cardholder data remained secure.  Now, I don’t have any details or knowledge of these events outside what is printed in the releases or articles, but they do leave me with a very important reminder: PCI DSS only addresses cardholder data, not any other sensitive personal information.  Birth dates, bank routing numbers, Social Security numbers and other sensitive data are left out in the cold with respect to PCI DSS, though they merit just as much, if not more, protection than cardholder data.

PCI DSS only applies to cardholder data.  It provides a baseline of protection for credit and debit card information.  Nowhere in its requirements does the PCI DSS require companies to protect social security numbers, bank routing information, birthdates or any other sensitive information.  Many companies take great pains to comply with PCI DSS and the standard has done a lot of positive things for an industry that desperately needed to implement strong security.  However, simply being PCI DSS compliant does not mean that all the sensitive data in an organization’s environment is protected.  A serious obstacle to overall security arises when companies believe that compliance with PCI DSS equates to security.

PCI DSS provides a good launching point for security initiatives.  Many of the requirements contained in the standard are best practices (if not requirements) for other types of data as well.  It is tempting, particularly with so much focus on compliance, to concentrate on PCI DSS and cardholder data to the exclusion of everything else.  It’s important to remember, though, that companies have many types of data in their networks.  Companies would be well served to conduct a data inventory: find out what data they actually hold, what they really need, and what they don’t need to keep.  If it is needed, it should be adequately protected.  If it is not needed, it shouldn’t be stored.  Excess data is excess liability.
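A data inventory of the kind described above is something you can start with a scanner.  The script below is an added example, not code from the original post: it walks a set of records and labels each value as a card number (in PCI DSS scope) or as one of the data types the post says PCI DSS leaves uncovered (Social Security numbers, bank routing numbers, dates of birth), using the Luhn check for PANs, the ABA checksum for routing numbers and the SSA’s never-issued ranges for SSNs.  The records at the bottom are constructed sample data; the card numbers are the usual test PANs.

```python
"""Data-inventory scanner: an added example, not code from the original post.

Classifies each stored value as a primary account number (PAN, in PCI DSS
scope) or as one of the data types the post says PCI DSS does not cover:
US Social Security numbers, ABA bank routing numbers and dates of birth.
The records at the bottom are constructed sample data (the card numbers are
the usual test PANs), not real customer data.
"""
import re
from collections import Counter
from datetime import date
from typing import Optional


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check that every valid card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_pan(value: str) -> bool:
    """13-19 digits (spaces/dashes allowed) that pass Luhn: a card number."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def is_routing_number(value: str) -> bool:
    """ABA routing transit number: 9 digits with a 3-7-1 weighted checksum."""
    if not re.fullmatch(r"\d{9}", value):
        return False
    d = [int(c) for c in value]
    weighted = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return weighted % 10 == 0


def is_ssn(value: str) -> bool:
    """SSN shape AAA-GG-SSSS, rejecting areas/groups/serials the SSA never issues."""
    m = re.fullmatch(r"(\d{3})-?(\d{2})-?(\d{4})", value)
    if not m:
        return False
    area, group, serial = m.groups()
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def classify(field: str, value: str) -> Optional[str]:
    """Label one field/value pair.  Order matters: a bare 9-digit string can be
    both a routing number and an SSN, so the routing checksum is tried first.
    The field name is consulted only for dates, which are not self-identifying."""
    if not value:
        return None
    if is_pan(value):
        return "PAN (PCI DSS scope)"
    if is_routing_number(value):
        return "ABA routing number (outside PCI DSS)"
    if is_ssn(value):
        return "SSN (outside PCI DSS)"
    if re.search(r"dob|birth", field, re.IGNORECASE):
        try:
            date.fromisoformat(value)
            return "date of birth (outside PCI DSS)"
        except ValueError:
            return None
    return None


def inventory(records) -> Counter:
    """Count sensitive values by category across every field of every record."""
    counts = Counter()
    for rec in records:
        for field, value in rec.items():
            label = classify(field, str(value))
            if label:
                counts[label] += 1
    return counts


# Constructed sample records for this example.
SAMPLE_RECORDS = [
    {"name": "Customer A", "card": "4111 1111 1111 1111", "ssn": "123-45-6789",
     "routing": "021000021", "dob": "1970-01-01"},
    {"name": "Customer B", "card": "5500 0000 0000 0004", "ssn": "219-09-9999",
     "routing": "011000015", "dob": "1982-07-14"},
    # Bad Luhn digit, never-issued SSN area and a truncated routing number:
    # none of these three values should be counted.
    {"name": "Customer C", "card": "4111 1111 1111 1112", "ssn": "900-12-3456",
     "routing": "12345678", "dob": "1990-03-30"},
]

if __name__ == "__main__":
    for label, n in sorted(inventory(SAMPLE_RECORDS).items()):
        print(f"{n:3d}  {label}")
```

Run against real exports, the tally is the starting point for the “do we need this?” conversation: every category other than the PAN line is data that PCI DSS compliance says nothing about, and anything you cannot justify keeping is a liability to delete rather than a field to protect.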

For those of us in the security space, it’s common to hear about crime rings based in Eastern Europe that target US companies and consumers.  Stealing data and selling it for a fast buck is something we prefer to think of as happening from abroad.  A recent report from ID Analytics, though, tells us that we have plenty of trouble with that particular crime here at home.

ID Analytics, a leader in consumer risk management, has undertaken a study to identify crime rings in the US that specialize in identity theft.  According to the report, there are more than 10,000 separate crime rings operating in the United States.  Those rings appear to be most highly concentrated in Washington, D.C.; Detroit; Tampa, Fla.; Greenville, Miss.; Macon, Ga.; and Montgomery, Ala.  Another unusual finding of the report was that a large number of these rings were made up of friends and family working together.  You know what they say.  “The family that defrauds together…”

This report is interesting on a couple of levels.  First, there has been an assumption that identity theft is often the work of career criminals.  The report seems to contradict this, pointing out the almost communal nature of identity theft rings.  The individuals work together and even share identity information, like Social Security numbers, in an effort to get new lines of credit.  Secondly, while we do know that many breaches originate from abroad, it is important that we not overlook the threat that we face here at home.  Another surprising revelation in the report is where the crimes originate.  We tend to think of identity theft as an urban crime.  While most of the victims were city dwellers, the report shows that the crime rings originate largely in rural areas.

It would be interesting to see whether longitudinal studies would uncover a relationship between the economic downturn, particularly as it hit these rural areas, and the increase in the formation and activity of identity theft rings.  It is sometimes easy to think of identity theft in the abstract, and that may entice people who wouldn’t be attracted to violent crime as a means of supporting themselves.

Recent reports indicate that small businesses tend to overlook the threat of a data security breach.  ControlScan, a company that specializes in assisting small and medium-sized businesses with PCI compliance issues, recently completed a study in cooperation with Merchant Warehouse.  The findings indicate that close to 80% of the surveyed merchants felt that they had little to no risk of a breach.  What’s more, according to ControlScan’s CEO Joan Herbig, close to half of the merchants surveyed hadn’t even heard of the PCI DSS.  These findings indicate a serious lack of communication between ISOs and acquirers and their small merchants.

Since 2006, all organizations that store, process, or transmit cardholder data have been required to comply with the data security requirements contained within the Payment Card Industry Data Security Standard.  In fact, the Payment Card Industry Security Standards Council has even created a microsite dedicated to educating small merchants on the PCI DSS and their obligations under that standard.  The ramifications of non-compliance are many and can be overwhelming even for large merchants.  Should a breach occur, the fines, fees, and penalties can quickly add up and in many cases have put companies out of business.

This post could easily take on an alarmist tone.  Some might say that it already has.  Regardless, small merchants must comply with the same set of standards to which large companies are beholden.  How can one do that with comparatively limited resources?  By limiting the places in the merchant’s systems that store, process, or transmit cardholder data.  Using a solution that processes payment card transactions with point-to-point encryption (P2PE) and tokenization can serve two objectives: making the data more secure, and reducing the burden of complying with the PCI DSS.
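To make the scope reduction concrete, here is an added illustration (not code from the original post, and not any vendor’s P2PE or tokenization product) of the tokenization half of that approach.  The provider-side vault is the only component that ever sees the card number; the merchant’s order records hold a token and the last four digits, so a compromise of the merchant’s database yields nothing a fraudster can charge.  The class names, the token format and the keyed-hash index that lets a returning card reuse one token are assumptions made for the example; P2PE, which encrypts the PAN inside the card reader with keys the merchant never holds, is not shown.

```python
"""Tokenization sketch: an added example, not code from the original post or
from any P2PE/tokenization vendor.  It shows the scope reduction the post
describes: the payment provider's vault holds the card number (PAN), the
merchant's systems hold only a token and the last four digits.  The design
(random tokens, a keyed-hash index so repeat cards reuse one token) is an
assumption made for the example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


def normalize_pan(pan: str) -> str:
    digits = pan.replace(" ", "").replace("-", "")
    if not (digits.isdigit() and 13 <= len(digits) <= 19):
        raise ValueError("not a card number")
    return digits


class TokenVault:
    """Provider side.  Only this class ever sees a PAN."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key          # provider secret, never shared
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_fingerprint: Dict[str, str] = {}

    def _fingerprint(self, digits: str) -> str:
        # Keyed hash, not a plain hash: PANs have so little entropy that an
        # unkeyed SHA-256 index could be reversed by brute force.
        return hmac.new(self._index_key, digits.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        digits = normalize_pan(pan)
        fp = self._fingerprint(digits)
        if fp in self._token_by_fingerprint:     # returning card: same token
            return self._token_by_fingerprint[fp]
        while True:
            # Random token; the only PAN-derived part is the last four digits,
            # which receipts need anyway.
            token = "tok_" + secrets.token_hex(8) + "_" + digits[-4:]
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = digits
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Used by the provider when settling or refunding a charge."""
        return self._pan_by_token.get(token)


class MerchantOrders:
    """Merchant side: stores tokens, never PANs, so these records are out of
    PCI DSS scope."""

    def __init__(self):
        self.orders: List[dict] = []

    def record(self, order_id: str, token: str) -> None:
        self.orders.append({"order": order_id, "token": token, "last4": token[-4:]})

    def contains(self, pan: str) -> bool:
        """True if a real PAN ever leaked into the merchant's records."""
        digits = normalize_pan(pan)
        return any(digits in str(v) for o in self.orders for v in o.values())


def run_purchase_flow():
    """Two purchases with the same (constructed, standard test) card."""
    vault = TokenVault(index_key=secrets.token_bytes(32))
    merchant = MerchantOrders()
    pan = "4111 1111 1111 1111"
    first = vault.tokenize(pan)
    merchant.record("order-1", first)
    second = vault.tokenize(pan)    # repeat customer: same token, no new PAN
    merchant.record("order-2", second)
    return vault, merchant, first, second


if __name__ == "__main__":
    vault, merchant, first, second = run_purchase_flow()
    print("merchant stores:", merchant.orders)
    print("same token for repeat card:", first == second)
    print("merchant holds PAN:", merchant.contains("4111 1111 1111 1111"))
    print("provider can recover PAN:", vault.detokenize(first))
```

Two design points matter for the scope argument.  The token is random, so nothing the merchant stores can be turned back into a card number without the vault; and the index that lets a returning customer reuse a token is an HMAC under a provider key rather than a plain hash, because card numbers have so little entropy that an unkeyed hash would be trivially reversible.  In a real deployment the vault lives with the payment provider, and the merchant only ever calls it over an authenticated API.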

If you are a small merchant and you haven’t heard about PCI DSS or aren’t sure what you should do, reach out to your ISO or Acquirer.  They can explain what the standard requires and how you can achieve compliance.

Pardon the pun, but it seems that another day brings us news of yet another data breach.  In this instance, Northwest Florida State College has suffered a network breach that resulted in the compromise of an estimated 200,000 student records dating from 2005-2007.  As first reported, the compromise was believed to have been isolated to college employees, with even the president of the school reporting identity theft.  What’s worse, the data thieves are not being shy about parlaying the theft of data into all-out identity theft and larceny.  In fact, more than 100 employees have reported withdrawals from their bank accounts.  According to college president Dr. Ty Handy, “The more common mechanism is to go through a loan company and to secure a loan and to have that loan payment come directly out of the bank account…That’s how I was hit.”

This compromise is, in many ways, worse than having one’s credit card compromised.  In this instance, stolen data included Social Security numbers, banking information, and birth dates.  That is enough information not just to max out a credit card, but to access bank accounts and even to establish new lines of credit.  The question that comes to mind as a result is: how should consumers (or even businesses) protect themselves against this type of attack?  There are a few ways to do so, some of them more onerous than others.

1) Monitor financial accounts - this step is something that is, surprisingly, often overlooked.  However, keeping an eye out for odd looking transactions can help to identify this type of theft and allow you to take action quickly.  Thieves and fraudsters bank (often literally) on the idea that their victims aren’t paying close attention.  So they run “test” transactions to see if they can get away with it.  Sometimes, thieves will hold data for more than a year before testing it, just to lull the victim into a sense of security.

2) Place a credit freeze - a credit freeze allows you to control third-party access to your credit report.  If a lender cannot access your credit history, then they cannot extend a line of credit.  If you are concerned that you might be a victim of a data compromise or identity theft, this can be beneficial.  There are downsides, though.  Most notably, this can make it more difficult for you to open new lines of credit should you want or need to do so.  The credit freeze, which must be placed with each of the credit reporting agencies, remains in effect until you lift it.

For more information on how to detect and respond to identity or financial fraud, check out the Federal Trade Commission’s Identity Theft website.

On this blog, we have discussed, almost ad nauseam, data breaches.  How they happen, how they can be avoided, what to do if your business is impacted.  What we haven’t discussed much is that most merchants, particularly in the SMB segment, are also consumers.  So what rights do consumers have when their data has been compromised?  The Privacy Rights Clearinghouse has been producing a six-part video series on important privacy topics.  This week, the organization released Part 4: Data Breaches: Know Your Rights.

The video walks viewers through an incident in which a consumer is notified that his data has been compromised.  It discusses what questions you should ask and what steps you might take to protect yourself.  As an example, we hear that consumers are often advised to get a “credit freeze” in the wake of a compromise.  But what does that mean and is that really the best option for everyone?

As an additional resource, check out the Fact Sheet also offered by the organization.  Unfortunately, data breaches are going to continue to be common for the foreseeable future.  Not because organizations aren’t taking appropriate steps to protect the data, but because data thieves are often highly motivated and see hacking as a high-reward, low-risk activity.  That being the case, as consumers, it makes sense that we educate ourselves on how to respond and what rights we have under the various state and federal laws surrounding our financial or personally identifiable information.