Protecting your sensitive data for over 20 years - Netlib

Monday, June 30, 2014

Target CEO Departure a Teaching Moment?

There are times when it just makes sense to walk away.  To blow it all up and just leave it all behind, especially in the face of a disaster.  Sometimes, it might not be the most logical move, and keeping one’s head down and focus forward can yield positive results in the future, perhaps even a redemption of sorts (Congrats to the San Antonio Spurs on their 2014 NBA title).
Then, on the other hand, there are times when stepping aside and bowing out are likely options, even seemingly inevitable.  Such a scenario now faces the players of the Spurs’ opponent, the upcoming free agents of the defeated Miami Heat, as they approach their impending offseason; as it did Target CEO Gregg Steinhafel when the company’s board of directors requested his resignation last month, following the holiday credit card breach that impacted about 40 million customers.
Hard to find fault with an ousting like this.  The “common perspective” might be that in matters of cyber security and data breach incidents, the buck stops at IT.  And perhaps that has even been the case in the past.  But that’s irrelevant now.  When you consider the exponentially increasing sophistication of the tools available to cyber thieves, along with the unprecedented scope of their actions (again, 40 million, yeesh), of course the firing of some IT executive isn’t going to be sufficient, particularly in the public eye.  Eric Basu of Forbes intimates this is a sign of things to come for C-level executives of businesses across the spectrum; sums of billions, as Target is expected to lose, tend to demand a fall from on high.
It thus becomes imperative for CEOs and other execs to learn more about information security, the underlying technology, the risks of corporate data loss, and the options available for addressing them.  Perhaps most crucially, this will help impart an understanding of the difference between compliance and security.
While it seems unlikely that a similar fate will befall some Domino’s executive due to the theft of the personal (but not financial) information of almost 600,000 French and Belgian Domino’s customers—and the failed ransom threat on the company—cyber criminals are not going to halt their offensive.  CEOs and other members of management should have a more thorough understanding of their systems, technologies, and courses of action in event of a serious breach.  Otherwise, more will inevitably follow Mr. Steinhafel out the door.


http://www.netlib.com/blog/application-security/Target-CEO-Departure-a-Teaching-Moment.asp

Wednesday, June 18, 2014

Called Out by Google, Comcast's Response on Email Encryption

Movement on all things data security has really picked up in recent months.  Thanks in part to numerous high profile data breaches which I feel I keep mentioning, it’s the new hot topic; significant pushes have been made to bolster the earthworks around people’s information, from IT to the national level.

Thursday, June 5, 2014

Database Encryption for Physical, Virtual, & Cloud Environments

YOUR CHALLENGE

The shift to make businesses more competitive means that critical data must be available and secure in the Physical, Virtual and Cloud environments. Organizational effectiveness is directly related to performance of applications and the database systems delivering the data. Security and compliance initiatives have historically had a negative impact on performance levels, leading to increased labor cost and slowed client transactions. Current practices focus on Perimeter Protection - firewalls, intrusion detection, monitoring. This leaves critical databases and back up media (data-at-rest) with little to no protection from external or internal intruders. Most data breaches occur while data is at rest. The risk associated with a data breach can severely impact cash flow, stock price and reputation.

Automation - The story of a Hacker attacking you with your refrigerator

“New... powerful... hooked into everything, trusted to run it all. They say it got smart, a new order of intelligence.”

While this quote and its context are a bit more morbid than my feelings on this topic, those words Kyle Reese uttered are the first that come to mind whenever I hear about the succinctly named “Internet of Things.”  If the term is unfamiliar, and you haven’t caught the Cisco commercial that illuminates the possibilities, the core idea is to take anything you can possibly think of—any device, any tool, any bit of electronics—and make it “smart.”  Create a network of physical devices connected via new technology. 

Changing the Status Quo on Data Notification Laws

“Patchwork.”  That’s the term that seems to be bandied about with the most frequency when talking about the system in place for notifying customers their personal information has been compromised.  A “patchwork quilt.”  And not the nice kind, like the family quilt your grandmother inherited from her parents which eventually finds it way down to you.  No, this patchwork is the type that can only be described, to quote Senator Tom Carper (D-Del), as “a nightmare.”

Switching to Chip Cards - Maximum Protection?

Compared to much of the world, our credit card security kind of sucks.  The magnetic stripes used to hold customer data are easily duplicated, and the signatures required can be forged with little effort, which causes all sorts of temperamental afflictions to banks and retailers alike (and of course, consumers).

Which is more important, compliance or security?

Which is more important, compliance or security?  Which comes first, or should come first, in a company’s considerations? 

Security would seem to be the obvious, as well as the predominant answer.  It’s what you use to encrypt and protect your data, after all.  It’s as straightforward as that, and should be a major, if not the predominant, consideration in a company’s risk analyses and strategies. 

Increasing Encryption Deployment and the Federal Wall of Shame

Oftentimes—actually, most of the time—I write articles about some sordid data breach or other; a hack, a theft, a massive intrusion, many of which likely could have been prevented by encrypting people’s sensitive data.  So when I finally stumble upon a story about the use of encryption continuing to grow as more and more companies need to address consumer concerns, that makes me happy.  Well, maybe happy is too strong a word…’Reasonably satisfied’, maybe. 

RAM Scraping a New Old Favorite For Hackers

Some of the best stories involve a conflict with an old enemy: a friend-turned-foe, long thought dead, returning from the grave for violent retribution; an ancient order of dark siders from the distant reaches of the galaxy, hiding in plain sight and waiting to seize power for themselves; a dark lord thought destroyed millennia ago, only to rise again and seek his favorite piece of jewelry.  The list goes on.

LinkedIn Lawsuit Leaves No Room For Confusion

False representation by a company of its security protocols: an odd decision to make, in light of the growing frequency and severity of data breaches that have struck retailers and consumers in 2014 like slaps from an Emmy-worthy Peter Dinklage. 

A Cyber World War I?

Drawing near is an unfortunate centennial, one which might not be immediately apparent to many these days.  Nevertheless, its significance far outweighs the familiarity, an event which sent violent echoes of change radiating around the globe.  Just outside Schiller’s delicatessen, with a car in a motorcade backing up in order to take the route to the hospital, a man stepped forward and shortly thereafter the Archduke of Austria-Hungary and his wife were dead.  That was June 28, 1914, and I don’t need to tell you what happened next.  Just look to Hemingway if you forget the effect the so called “Great War” had on an entire generation.

Find the Silver Lining

Education remains perhaps one of the most crucial tools to combat the rising tide of data breaches.  Which is why, in a roundabout sort of way, a silver lining can be seen amidst the storm of recent major retailer breaches.  How?  The key word here is major.  Because you’ve heard all the news in the past six months about companies like Target, Neiman Marcus, Michaels, and now even sites like eBay (not to mention the LinkedIn hack of 2012); stories you might not have heard in times past, if they happened to smaller organizations.  But breaches involving smaller organizations wouldn’t have led to 110 million Americans having their information compromised in the past 12 months, or 432 million accounts, according to a report created by Ponemon Institute and CNN Money.  The more colossal the impact, the more the general populace is going to hear about it.  In spite of the obvious damage done to those affected, shedding light on these issues is something sorely needed.

Thursday, May 1, 2014

Ready to Launch?

I mentioned this in passing a few weeks ago, but video game launches, especially with hardware but also software, can be complicated, frustrating, blood-soaked really happy family playing affairs.  In essence, when a new console comes out, as Sony’s Playstation 4 and Microsoft’s Xbox One did in November, what those early adopters are opting for is to be paying beta testers.  They are the first customers to experience the new technology and games, but they also volunteer to

Through the Back Door

In a time when the recent end of net neutrality is causing split concern between those who fear the FCC’s new, vast authority over regulating the Internet, and those who worry about ISPs and content providers having free rein in a digital Wild West, certain incidents prove the dangers that can arise when government agencies and private companies collude to work around consumer interests.

Keeping Your House in Order

The leading cause of data breaches in the past twelve months, according to Forrester in its “Understand the State of Data Security and Privacy” report, might surprise you.  Neither hacking nor fraud emerges here as the primary culprit; rather, internal threats wear the crown.  Naturally, every breach comes in a different garb, from the faux pas to the deliberate thefts and exposures.  Indeed, Forrester’s examination revealed that 36 percent of breaches

Wednesday, April 30, 2014

Secure Breaches

What is the take away from this story:

Only 1% of Q1 data breaches were "secure breaches"

Hackers don't attack the ones that have security put in place?

1% are secure so that is a start?

Or that the number of records lost grew 233% compared to Q1 of last year?



Article Here

Friday, April 18, 2014

They "CRAFTED" a highly sophisticated hack

Michaels is the most recent breach and by the looks of things they were attacked by malware. This is not because most of their stores are in the "Mall" either.

I do find it strange that they have been "investigating the security breach for 3 months" and there really are no details about what happened.


Article Here

Monday, April 14, 2014

Ever Changing Landscape of Data Security

With breaches happening on a daily basis and in some cases hourly, it's not surprising you see titles like this one "Help wanted: Day-to-day data breach incident management".

They really need more help than they think.



Article Here

Wednesday, April 9, 2014

In Light of Breaches, Mandatory Cyber Liability Insurance?

Should companies be mandated to have cyber liability insurance?  65% of publicly traded companies currently don’t have any such policy, according to a recent survey by Chubb Group of Insurance Companies.  In many cases, this is due to a simple lack of awareness: CEOs just do not know that this type of insurance is available.  Perhaps they often assume their business’ general liability coverage accounts for and protects them from any incidents of data breach and theft.  Generally, it doesn’t.  Cost can be another factor, with higher premiums for those companies deemed “higher-risk” by financial institutions.

Tuesday, April 8, 2014

Who has become a victim of a data breach?

US population 315 million...... records exposed in 2013 due to a data breach 57 million. That is 1 in 6 people who have been exposed and are at risk. Why is it that credit monitoring is not just a standard feature that your banks offer? At the end of the day maybe they can stop some of the losses they have to eat during a breach.


Health Breaches - Well the list is rather long

No real surprise that there is a list this long but a little surprising.

No real commentary needed for this.


Article Here

Thursday, April 3, 2014

Pointing the Finger - Who has Responsibility for Stolen Consumer Data?

See, now this is exactly what I was just talking about last time.  You know, that recent string of data breaches perpetrated against major retailers like Target and Neiman Marcus.  With this recent survey, retailers better hope that the issue of notification laws regarding data breaches gets resolved soon, and that stronger standards are put in place, because consumers are understandably a bit out of sorts about the theft of their personal information.  According to the survey, conducted by data science company Feedzai of 2,000 shoppers across the country, 60% attribute responsibility squarely at these retailers.  The runner up: banks, garnering 13% of the vote.  And a mere 5% of participants believed it is the duty of the consumer him/herself to prevent their personal information from being compromised.  80%, by the way, said the experience is worse than getting the flu – As I have never suffered the flu, I will have to take them at their word.

Read More Here

Written by Jonathan Weicher

"Scramble -- it's compliance time!"

This may save you from a small fine, but if you don't stay compliant and you get breached, the fine will be much larger and you will have to deal with reputation issues. Don't scramble: put some basic guidelines in place for your employees, educate them on what they can and can't do, and stay proactive. That is the solution to compliance.



Article Here

Subcontractor or Human Error the data is still gone!

I think it is safe to say that this was really just another example of how human error is at the root of most breaches.


Article Here

Monday, March 31, 2014

Breached since 2012 - Were you Compliant Ever?

Retail giant Spec's has had a sophisticated hacking scheme attacking them since October of 2012. Until we learn more about how they did this, the one question I have is how they could be PCI compliant during that time. Now we don't know how they did it or if it ever fell under PCI guidelines, but it's safe to say someone was asleep at the wheel to have missed a breach for close to 2 years.


Article Here

Flash Drive Breach

Shouldn't all data be encrypted? I think we have got to a point where we don't give the employees an option to have unencrypted data. If they do, let the IT group make sure it is in a secure location; this might be the only way to protect against human error.


Thursday, March 27, 2014

Credit cards can be replaced but SSNs cannot be.

When a breach happens there is certain information that, once lost, is always lost and can never be replaced. SSNs are one of those things: once it is out on the web it will always be out there. Another is medical records. Once they are out there everyone will know all about you and what issues you may have; it is not that hard to create a second YOU if they know so much about you.




Wednesday, March 26, 2014

Even Security Providers aren't Safe

It was only a matter of time before a provider of security products was blamed or at least held up to be attacked. Trustwave may not be the first security company to be sued, nor will it be the last one. As I discussed with someone in the security industry today, the common issue with all these breaches is human error. A firewall doesn't fail, encryption doesn't just un-encrypt itself......... USER intervention is needed.


New Mexico adding another layer to the already complicated DATA BREACH LAWS

Don't get me wrong, the newly introduced Data Breach Notification Bill is great for consumers and card issuers. Customers can sue for damages from $100-$300; while the numbers look rather small, take into account the number of people that are affected in an average breach. Let's just say they lose 10,000 records (which is rather small): that could lead to $1,000,000 in customer suits, plus the card issuers can now sue for recovery of administrative costs.

The bigger issue is that companies have compliance laws, state law and federal laws they need to decipher to make sure they don't get any unwanted fines. They need to make this easier for the companies, not harder.


Look Around ........ good chance someone you see has been affected by a Data Breach

Based on these numbers, when you stand in line at Starbucks this morning or are stuck in commuter traffic, it is safe to say at least one person you can see has been affected by a data breach.
In fact they say 44% of banking customers have been affected, so you should still worry about the retailers, but your financial institution is not out of the question for a data breach either.



Tuesday, March 25, 2014

UK Companies and the rest of the world take notice from the Target Breach

Although UK companies may have lessons to learn from the Target breach, the rest of the world should take notice and learn some lessons as well.

At the end of the day, to be completely secure a company must know where all the data is being touched, and make sure that all interactions need to be encrypted and no 3rd party should ever have access to data in clear text.

Article Here



Working with Real Data comes at a Cost



When the Stanford contractor sent patient data to a third party as an electronic spreadsheet, they violated the basic principles of the HIPAA regulations.

Monday, March 24, 2014

"Protecting Customers After Data Breaches Becoming Standard Practice"

Shouldn't we be trying to protect them before a breach happens? I think we need to focus on trying to stop them from getting any data of any value; once we stop them from getting any valuable data, we no longer have this issue.


http://www.bankerandtradesman.com/news158886.html

Stand in Line at the DMV or Renew online and let hackers have your CC?

You could stand in those crazy lines that every DMV has across the country, or you can renew your driver's license online. I don't remember ever seeing the warning on the online site saying "WARNING - Your Data may get compromised - USE AT OWN RISK". Yes, I know this could be said for almost any online site out there, but when you are required to do this by the government you expect that they have taken all precautions.


http://texaspolitica.com/?p=41064&utm_source=rss&utm_medium=rss&utm_campaign=california-dmv-investigates-potential-large-scale-data-breach

Friday, March 21, 2014

Who needs to be ready for the HIPAA Audits

I'm not really sure who needs to be ready for this years HIPAA audits, the Auditors or the Auditees.

I have a feeling these audits aren't going to go as smoothly as they want, based on all the breaches it leads me to believe that there are not many compliant companies.


http://securitymusings.com/article/4432/hipaa-audits-are-coming-are-you-ready


UMD "Asleep at the Wheel"

When you get breached once, the first thing you do is look at all your systems and lock them down ASAP. But how do you let it happen again? Within 4 weeks they have had 2 breaches.

This is the ultimate "Asleep at the Wheel". I think it's safe to say that someone may lose their job over this one..... that's just a guess.

http://www.myfoxdc.com/story/25032592/university-of-maryland-reports-2nd-data-breach-in-4-weeks#axzz2wbArBxpS

Wednesday, March 19, 2014

Airline Hacked?

Not sure if this is possible or not but I'm sure its only a matter of time before it would happen. It is also very scary that it could be possible.

http://www.nbcnews.com/storyline/missing-jet/experts-very-unlikely-missing-malaysian-jet-was-hacked-n56881

The value of stolen medical records? - UNDER valued!

So how does this work....... my SS# and medical records are out in the world for 4 months. During this time my information could be used in so many ways, from identity theft to annoying phone scams. The fact is your

Pay-roll data not secure ............ Who doesn't encrypt Pay-roll data

Not really sure why payroll data wouldn't be encrypted.


http://news.techworld.com/security/3506753/morrisons-supermarket-suffers-pay-roll-data-breach-after-insider-attack/

Tuesday, March 18, 2014

Healthcare is where the data is for Hackers

When a report comes out stating that nearly half of all the data breaches come from the medical industry it doesn't really surprise me. I look at the banking industry, where most of their business is electronic, and they should be on the cutting edge when it comes to data security.

IT Security is not the first thing that the Healthcare industry needs to worry about, but since the creation of HIPAA and electronic records they need to make it a priority or the breaches will continue.

http://www.marketwatch.com/story/medical-id-theft-is-even-scarier-than-the-target-breach-2014-03-18

Someone Broke into my House - Not sure if they took anything????

Isn't it safe to say that if a hacker goes to the effort to break into your network they are going to take some sort of souvenirs? Sally Beauty gets hacked on March 5th and now we find out that they lost CC info, almost 2 weeks after the breach.

Not sure I really understand what they were waiting for, it is straight forward that they lost CC data.

http://www.net-security.org/secworld.php?id=16537

Monday, March 17, 2014

$3 million Breach settlement first of its kind

AvMed has been hit with a $3 million settlement they need to pay victims of the 2009 breach. This is another cautionary tale of what happens when you choose not to encrypt the data at rest, even if it is stored on a laptop.

http://www.computerworld.com/s/article/9247017/Court_approves_first_of_its_kind_data_breach_settlement

You may be retired but your Data is not!

When you become a retired police officer in Syracuse you plan your retirement: going fishing, spending more time with the grandkids. You don't plan on dealing with your PII data being lost and having to replace CCs and monitor your credit.

I think I may have said it before, but if only they had encrypted the data at rest.

What Fines should Target receive if "I told you so"

We come to find out that Target was given some warning about the recent breach. Does this mean they should be fined differently?

If they had warning, as they claim they did, shouldn't the fine be a little bigger?

http://www.wsiltv.com/news/three-states/Target-Ignored-Early-Signs-of-Data-Breach-250353881.html

Small or Big - Breaches Hurt everyone

Doesn't really matter the size of the organization they are targets to the hacker world. In fact I would have to say it is far more important to a smaller organization to protect their data, a larger company may be able to handle the fines and all the other expenses. A small company may find themselves out of business if they take a big enough hit.


http://www.healthcareitnews.com/news/small-town-hospital-gets-hacked

HIPAA's unseen obstacles

While HIPAA has some big benefits to protect the patients and their medical records, we now see that more work needs to be done and not in the most obvious areas.

This article explains the problem that we face when trying to share data with legitimate organizations.


http://insurancenewsnet.com/oarticle/2014/03/16/police-find-hipaa-privacy-law-an-obstacle-a-475208.html#.UycIIlFdWzs

Even a small breach costs

Even the small breaches cost a lot of money as Indiana University is finding out. They have spent $80,000 so far and who knows how much more they may have to shell out when its all over.
They could have spent just a fraction of that money and secured the data.


http://www.miamiherald.com/2014/03/17/4000166/data-breach-response-costs-iu.html

Thursday, March 13, 2014

Who Shoulders the cost of a Breach

Doesn't it just make sense that if the breach happens at the retailer's location then they should be accountable for the costs? It's not the bank's fault that a retailer didn't comply with standards that were put in place, and why should they have to take all the costs? At some point the banks' fees will have to increase as they spend more and more on data breaches.


http://www.mercurynews.com/opinion/ci_25332720/data-breaches-retailers-and-others-should-shoulder-some

Transporting Sensitive Data

Who stores data on Compact Disc's anyway?

No one should be able to copy data on to any type of removable media.



http://time.com/23466/nyc-transit-agency-has-data-breach/

Affordable Care Act at the cost of possible Data Breaches

While the Affordable Care Act brings healthcare to all who need it, there is a price to pay.
The Act expands healthcare to so many that the amount of data sharing has increased dramatically, it has also made it harder to regulate who has what data and what they need to do with it.

http://www.healthdatamanagement.com/news/annual-survey-shows-security-progress-and-new-concerns-47421-1.html

Indiana University - Inadvertently Exposed 146,000 records

Can't we just make a blanket statement that all sensitive data must be encrypted at rest? There will always be data that is lost, but if we just follow that simple guide it will be far less painful.



http://www.edtechmagazine.com/higher/article/2014/03/146000-indiana-university-student-records-potentially-exposed

Wednesday, March 12, 2014

Data Encryption the Corner Stone to solve the Data Breach epidemic


While Congress and other organizations around the world hear from industry experts and debate the best policy to tackle the Data Breach epidemic we all face, Hackers don't have to wait and they also know now is the time to strike. But there is something that can be done NOW......

Monday, March 10, 2014

Possible Data Loss? There was a breach, unsure if they took anything.

Vermont Health Connect had a breach in December.....Yes December 2013, and today we hear "It was somebody coming in through an unlocked front door."

They know that someone from "ROMANIA" accessed their system in December but it was a test system no real data in it. If no real data was in question why is it news? 

http://digital.vpr.net/post/state-says-personal-data-safe-after-breach-involving-vermont-health-connect

Data Breach Notification Problems - Isn't the Breach the Problem?

I know they are having problems coming up with a consensus on how to notify data breach victims. Isn't the real problem the fact that there was a breach in the first place? Once the breach has happened the banks cover all the charges and you can always get new cards. Shouldn't we be spending more time looking at a way to stop breaches from happening, or at least making the data useless to the hackers?


http://www.boston.com/business/technology/2014/03/09/consensus-notifying-victims-data-breaches/1U4ZQnPWS6zRSS4GFdNVMJ/story.html

Slow and steady go the Data Breach Fines

Skagit County had a breach back in 2011 and violated several HIPAA privacy, security and breach notification rules.

And today March 10th 2014 they are fined $215,000 for the incident that happened almost 3 years ago. What sort of punishment is that?

http://www.ihealthbeat.org/articles/2014/3/10/first-county-level-hipaa-fine-issued-la-county-reports-data-theft

Statista becomes the latest Statistic

While this breach creates so many great blog titles, it doesn't seem to be very damaging from a data loss standpoint. The data loss looks to be just emails and passwords to the site. Yes, you will get some great spam sent to you if you are affected, but no new CC needed, just a better spam filter.

No one is safe. No company has been excluded from these attacks.

http://www.net-security.org/secworld.php?id=16496

University data breaches are the tip of the iceberg

While universities scramble to plug holes in their networks and not become the next Maryland or Indiana, other industries need to be looking long and hard at their own networks.
What's next? Maybe your local gym or some other sort of membership-driven industry; they are typically not that technical, so it stands to reason that they may have some security holes.

http://techpageone.dell.com/industries2/education/data-breaches-challenge-university-data-security/#.Ux2-EuddVJM

PII shouldn't be stored on Local PC's

When someone steals a laptop that has sensitive data on it, it is a breach whether or not they use the data. My question is why risk it and allow the data to be stored on the device in an unencrypted form? Allow your users to connect to your data over the network and don't let them store the data in any form on their devices.

http://www.tweaktown.com/news/36101/168-000-at-risk-after-computers-stolen-health-data-compromised-in-la/index.html

Secure your Data and your job will be Secure.

At the end of the day when something goes wrong it's always the boss's fault and they are the ones that take the fall. Hackers now have so much power; if they decide to target your company and you're an IT executive, there is a good chance you will be let go following the breach.

The Target breach is a great wake up call for all IT exec's, secure your data or your job won't be too secure.

http://www.journalgazette.net/article/20140310/BIZ/303109992/1031

Use Cash to Pay for Cabs in Chicago. OK but what about everywhere else?

I get that after the data breach in Chicago we need to possibly use cash to pay for cabs when in town. But the breach itself didn't give me much comfort for the rest of the cab industry; should I be using cash every time I get in a cab?
Does this also mean any town car or limo services?

http://www.tweaktown.com/news/36046/visiting-chicago-use-cash-instead-of-credit-or-debit-to-pay-for-cabs/index.html

Sunday, March 9, 2014

There are Benefits of being a victim of a Data Breach

I'm not sure I would call them benefits, but yes, being made to set up new auto payments, changing your password and free credit reporting are great.

But you should always change your password on a regular basis; this should be a routine you get into once a month. As for credit reporting, this will become a standard banking practice soon, as they will offer it as a standard feature to all customers.

http://www.dailyfinance.com/2014/03/08/3-reasons-thank-target-losing-your-credit-card-number/

Friday, March 7, 2014

Data Security's Biggest Problem - Employee Education

The Iowa DHS breach is a great example of how employees need to be educated on the ways to stay secure. It also highlights how hard it is for a company to stay compliant: a company may do all the right things to become compliant, but it is really hard to stay that way when you have so many variables.

Making sure your employees are educated should be one of the first priorities once you have become compliant.

http://www.cbs2iowa.com/news/features/top-stories/stories/iowa-dhs-data-breach-personal-info-25429.shtml

Is a Data Breach a Data Breach?

OK, so Johns Hopkins didn't lose any SSNs or CC numbers, but the fact that they lost any data should be the concern.
It only takes one hole in the network for a hacker to access the entire network; once in, who knows what they can find.

The real story here is that they found a way in ...... a small way in, but a way in nevertheless.

http://www.wbaltv.com/news/fbi-probes-johns-hopkins-university-data-breach/24858850

Simple As Peanut Butter & Jelly...... That's What the Hackers are saying now

Let's hope the data is too sticky and the hackers get caught with jelly on their hands.

That is what management at Smucker's is hoping right about now, as they become the latest in the long line of companies to get hacked. I'm starting to sound like a broken record, but if they had encrypted the data at rest, or at least the columns that contain CC info, this wouldn't even be a story.

http://www.infosecurity-magazine.com/view/37342/stuck-in-a-jam-smuckers-suffers-data-breach/

When Hardware is Stolen, is it a Breach?

Oak Associates had a "device" stolen that had sensitive data on it; now they need to notify everyone and take whatever fines get handed out.

At some point all the devices that store or connect to sensitive data need to be secured. A simple policy for devices is that they need to be connected to the network for the data to be accessible. Is it inconvenient .... maybe ....... but we need to work for the greater good.

http://www.esecurityplanet.com/network-security/oak-associates-funds-admits-data-breach.html

Should different types of organizations be held to a different Data Security Standard?

In the UK, an abortion provider has been fined £200,000 for a breach that happened in March of 2012. They are planning on appealing the fine as they believe it is "out of proportion". So what is out of proportion: the fine, or the fact that we hold the type of information they store to a higher protection standard?
The abortion industry is highly criticized and in the public eye all the time; based on the information that they store, they should be held to a higher standard for data protection.

http://www.bbc.com/news/health-26479985

Data Breach & Unnecessary Burdens

What am I missing here? "Data and security breach notification rules must not place unnecessary burdens on businesses, says expert" (http://bit.ly/1bRPTH1). I go on your website and buy a Han Solo figurine for my desk; it looks great on my desk. You say your site is secure and I'm happy with that, then you lose all my info and complain that there are too many notification rules.
Wouldn't you expect the same if it was your information that was lost? Just securely encrypt all of the data and you won't need to worry about notifying anyone.

Thursday, March 6, 2014

Credit Card Data Not Encrypted Again!! - Uncle Giuseppe's Marketplace Breach

When will people learn that if you store credit card info in plain text you are asking for trouble? This will not be the last time this happens, but maybe some retailers will start to listen and protect the data at rest.

IF YOU STORE MY CC INFO PLEASE PROTECT IT.

Data Protection Standards are a must - Congress needs to act Fast

Congress can talk to as many experts as they can find; some of them may even have an original thought about data protection. I believe that at the end of the day there really are some simple guidelines that need to be put in place to create an effective data protection standard.

Econofoods Breach

With breaches happening on a daily (if not hourly) basis, it is no surprise that another retailer goes down. Econofoods (http://bit.ly/1l3bMpm) is the latest in a list of retailers to lose CC info. It makes you wonder why they don't just spend the few bucks they need to encrypt all the data. This shouldn't be a requirement for compliance; it should be STANDARD in the way retailers do business.
Encryption is not an expense; it's a required cost of doing business.
Don't become one of the next retailers to go down. Encrypt your data now.

A Diary of a Hacker - Who to Hack

Do they have targeted lists to go after or is it just random?

I'm sure only a hacker could really answer the question, but it is safe to assume that they look at companies the same way we do: who has the most PII data that they can get easily? Right now they are looking at universities and healthcare, and all they can do is smile; it seems they are the most vulnerable right now.

http://triblive.com/news/adminpage/5717110-74/employees-upmc-theft#axzz2vDFXFi4l

Educate the Educators - NDUS 2nd University in as many weeks to be Breached

Now this is what we think of when we hear about a hack......... a server containing PII was hacked, not stolen or thrown away by accident. The best part is that it happened a month ago and we are just hearing about it today.

Do You Buy Insurance For Your House But No Locks For The Doors?

I get it: cyber insurance is the next great business opportunity, and it may even save some companies a great deal of money. But remember, with all insurance policies there are always ways for the insurance company not to pay. While I have no knowledge of how the policies are structured, I am sure they won't just pay out claims if you are not trying to stop the breaches.
So the need for proper security measures will always be present.

http://www.cioinsight.com/security/slideshows/what-to-do-after-a-security-breach.html/

Wednesday, March 5, 2014

Beauty comes with a cost you may not be aware of.

The list of retailers that have had breaches is long, and Sally Beauty just joined the party. 282,000 stolen debit and credit cards have been posted for sale. Please, can someone wake these retailers up and educate them in the ways to secure credit card information? Can they just encrypt the data at rest to start with?

http://www.businessweek.com/articles/2014-03-05/sally-beauty-data-hack-another-day-another-retailer-in-a-massive-credit-card-breach

Target CIO resigns... Did she really have a choice?

After one of the largest breaches in US history, which lost the personal data of tens of millions of customers, it is not really surprising that one of the top executives from the company would fall. We can't really blame her for leaving; after all, the buck does stop with her.

http://adage.com/article/cmo-strategy/target-cio-resigns-wake-data-breach/291987/

Credit Unions have your back. But who has theirs?

When a breach happens and it is no fault of the card-issuing banks or credit unions, who takes the biggest hit? Well, the multi-million-dollar banks have deep pockets and will happily refund any nefarious activity on your accounts. Your small credit unions will always do the same, but when they reissue your card it is a cost they must eat.

There are no rules in place to make the offending merchant liable for any of these costs. Unless there are changes made to these rules, the smaller banks and credit unions will have no choice but to charge higher fees or just go out of business.

http://thehill.com/blogs/congress-blog/technology/199856-credit-unions-and-their-members-pay-a-steep-price-after-data

There's a Bright side to Data Breach?

Google Results: The Bright Side of a Data Breach?

Google is saying that when you get breached your page rankings go up, and it could boost sales. In this article they use Target as an example....... doesn't everyone know who Target is? Don't they already rank 1 or 2 in a search?

All the money you lose in negative publicity and fines is going to be made up in higher page rankings..... hehehehehe. What a joke.

FYI, a month after your breach your page ranking will more than likely start to slip back to normal, so make the most of the sales you get in that month.

Faxes are the most secure way to communicate .......REALLY!

I need to verify that you are in the hospital, so I send a fax with all your sensitive details on it to the hospital; the hospital then just checks a box to say whether you are still admitted or discharged.

REALLY ..... this is the most secure way to gather that info? Try maybe an email with a case number and the last 4 digits of your SSN, or maybe pick up the phone to verify. You know, it would also be really cool if the insurance companies could submit a request in the hospital's medical system.

So many other options for sending sensitive data ....... but a fax?

The Desolation of Fraud

In this day and age, the need for solid security is more vital than ever, and its importance shouldn't be underestimated.  Even the dwarves of Erebor knew to protect their treasure hoard with the most stalwart defenses imaginable, sealing off even the back entrance into the Lonely Mountain with a door whose keyhole would only be visible when the thrush knocked and the door was struck by the setting sun with the last light of Durin's Day, the first day of their new year.  Not an easy defense system to crack!

Congress working at Glacial speeds.....again!

Congress will again today hear from top law enforcement, consumer advocacy and industry experts regarding data security. It is the 5th such meeting since the Target breach in 2013; so far they have taken some breaks, ordered some lunch and CREATED ZERO laws, bills or any government-related regulations.
In the meantime we have companies out there losing data on a daily basis. How many INDUSTRY EXPERTS do we need to hear from to understand that the system is broken and that more congressional meetings will not solve any problems?

To add insult to injury ...... the House Science Committee is having a session on Thursday regarding data privacy. You might say, great, they are all trying to get something done. But the two groups don't speak to each other; they are completely different people in each group, and if they ever wanted to discuss their findings they would schedule a NEW MEETING.

http://thehill.com/blogs/hillicon-valley/technology/199896-overnight-tech-data-breach-talks-back-in-congress

Students Express Disbelief

A quote from a student at UMD: "This is such an established university. I thought, 'How does this happen?'" (http://bit.ly/MgfqNA). Really ....... some of the biggest banks and companies in the world have been hacked, and they have endless funds to prevent this type of thing from happening. Why would you think that a university that has limited funds and for years has never had to worry about DATA SECURITY would be more secure?
I would say universities are low-hanging fruit for a hacker.

Zevin Asset Management Acknowledges Data Breach

Once again we talk about the lack of employee education. In this breach (http://bit.ly/1gSMJlA) it came down to an employee posting information where they shouldn't have. It's a simple solution .... education. Once the company puts simple guidelines in place, educating your employees on best practices is easy.

Tuesday, March 4, 2014

The Next Big Threat In 2014?

While the next obvious data breach will come by way of a retailer or bank or something along those lines, as pointed out by Kaspersky Lab (http://bit.ly/1dX2pUv), one of the most damaging kinds of breach comes by way of an application hack, giving the attackers the ability to get the source code, embed code into the program or, worse yet, compromise the user data. Encryptionizer for application developers can help you protect all your source code from any prying eyes (http://bit.ly/1edeUGO).

Issuing new Credit Cards with Chip Technology - Premature?

I give the Banks credit for issuing these types of cards for extra protection.

My question is where can I use it?

I'm not sure we are quite there yet. I know in other parts of the world chip technology in CCs is old news and standard, but here in the US most of the POS devices still can't handle the chips, so the extra security really is pointless, as they still use the magnetic stripe on the back of the cards.

Until our POS devices are converted to handle the chips, it will be just a great decoration on your card; until then you can go to a party and say "look at my new CC with the chip...... isn't it cool?"

http://www.dailyprogress.com/workitcville/news/virginia-credit-union-issues-credit-cards-with-chip-technology/article_1c115ba4-a3e5-11e3-bbba-001a4bcf6878.html

Eating, Sleeping & Identity Fraud are all part of our lives.

It is a little crazy to believe that identity fraud could be stopped with a few firewalls and encrypted databases. The more we move to a mobile life, the better the chance you will become a victim of identity fraud. It is the new way of life that we all need to accept.

http://securitywatch.pcmag.com/identity/320763-identity-fraud-it-s-here-to-stay

Database Encryption for Physical, Virtual, & Cloud Environments

YOUR CHALLENGE
The shift to make businesses more competitive means that critical data must be available and secure in the Physical, Virtual and Cloud environments. Organizational effectiveness is directly related to performance of applications and the database systems delivering the data. Security and compliance initiatives have historically had a negative impact on performance levels, leading to increased labor cost and slowed client transactions. Current practices focus on Perimeter Protection - firewalls,

Your Bank is like a piece of Swiss Cheese

Warning: not safe for your eyes......... Your bank has a lot of holes for data to slip out (http://bit.ly/1k5i7R7). Most banks use a large number of vendor software packages; while they do test most of them, it only stands to reason that they can't check all of them. Banks need to secure this data step by step: the first step is to encrypt the data where it resides, and once this is done, other applications would need to be fully vetted to gain access to the data. Don't rely on the vendor to be secure; make yourself secure first.

Get your nose out of my patient's business

It is great to see the increase in healthcare IT spend (http://bit.ly/1heGvuC). 51% have increased their security budgets, but only 3% are using it to secure patient data ........ Huh. What other data are you trying to protect? Patients are your business and should be the focus and the priority for all data security. When talking about healthcare data, all data should be encrypted for the good of the patient, not for the good of the company.
Encrypt your data everywhere.

Nonprofits Brace for Data Breaches

Yes, even the charities of the world are potential victims in this ever-growing ocean of data breaches (http://bit.ly/1hhlwbQ). We see large companies taking breaches and continuing business as usual the next day; that can't be said for an organization that survives on donations. It would be a hard lesson for a nonprofit to be breached, which is why they need to be very careful with all the data they store, and encryption is a must.

Department of Veterans Affairs gets data breach warning?

Let me understand this correctly......... the VA was given a warning that the breach would happen and still did nothing about it??? Let's do a quick poll of all the companies out there that have been hacked and ask them: if they had been given a heads-up, what would they have done?

I would bet they would do anything to get that sort of info, so where does this leave the VA? I would say they need to be seriously dealt with. To ignore rules and regulations (FIPS 140-2, HIPAA, PCI ........) is one thing, but to ignore a serious vulnerability in your IT infrastructure when you have been given a warning ....... what should the punishment be?

BREAKING DATA NEWS ALERT - UMD is offering one year of free credit protection

While one year of credit monitoring is a wonderful gift for attending UMD (http://bit.ly/1bzhcFi), it still shows how organizations are still not protecting the PII data they hold. Until they secure all sensitive data, this will be a common gift given to all victims.
So when is credit monitoring just going to be given to everyone as standard? Clearly they are willing to spend money on that and not on encryption.

HIPAA Audits to Resume ?

So they are going to start audits again (http://bit.ly/1k62jO2)...... this is a great example of how the government works. They say to everyone that they must be HIPAA compliant, BUT we are not going to check up on you. If you put rules in place you should be checking all the time; otherwise there is no point to those rules. Really not sure what the hold-up is on these audits; we need to make these organizations accountable if they are not compliant.

Witnesses Tell CA State Needs Stiffer Breach Penalties - HUH?

Not sure I really understand this title - "Witnesses Tell California Lawmakers State Needs Stiffer Breach Penalties" (http://bit.ly/1k5Sb7K). I agree 100% on the topic of the article, but the title is strange: who are these witnesses....... the whole state of CA.... everyone that has ever been involved with a hack? I understand that the whole country needs tougher penalties for breaches, but the title still confuses me.

Congress - Growing data breach threat looms

Wait, news flash - Congress just realized that there is a growing data breach threat looming over the nation. Now how long will it take them to pass some sort of law to help with it? How many more breaches will there be before they put some real notification laws in place? http://bit.ly/1ch2JJt

HIPAA Fines hidden in plain sight

YES, the federal government will only fine you $1.5 million per year for a breach, but that doesn't stop the state and local governments from placing fines on you as well. One of the most important points regarding the fines is that the federal government will stop at $1.5m per year, but the same cannot be said for everyone else that can fine you. There is a simple answer: protect your data, use encryption.

Healthcare needs HIPAA education

HIPAA breaches come in all different shapes and sizes (http://bit.ly/MUVEbf), but the most common element in all of them is employees. Healthcare organizations are required to become compliant with the HIPAA regs, which are hard enough to decipher; the missing step was educating the employees on what to do and what not to do with electronic records. It's not completely the healthcare companies' fault; after all, only 1% of the industry is IT.

“But I would like to feel protected by my university.”

From what I can gather, some of the former students didn't get notified of the breach. Now some of the current students are saying "But I would like to feel protected by my university." I hate to give you the bad news, but today's universities need to spend a little money and secure the data they collect.

Start-up Question - Security or Growth?

This is a puzzling question, as there is really only one answer, and it should not be questioned.

That is, of course, BOTH security and growth. We all know that start-up money is hard to get and even harder to spend wisely. There is no easier way for a company to fall rapidly than to lose all of their customers' data, so why would you skimp on security when it could be your company's downfall?

http://www.todayonline.com/tech/start-ups-rush-lock-security-door-after-horse-has-bolted

Data Breaches cause a Hiring spree

Breached - Now Hiring

With all of these breaches, companies are now scrambling to hire IT professionals, but buyer beware: rushing to hire so-called "security experts" in the IT space should be done with caution. Internet security is always changing as the hackers find new ways to attack; "security experts" need to be chameleons in the way they address breaches and the possibility of future attacks.

Monday, March 3, 2014

HHS: "Who should we audit?" You tell us!

HHS (Department of Health and Human Services) to Conduct Survey About Which HIPAA (Health Insurance Portability and Accountability Act) Covered Entities and Business Associates Should Be Audited.
Why are they not auditing everyone? It just doesn't make sense. If you have a breach at a large company or at several small companies, doesn't it all equal the same thing? You have medical records of patients out in the world somewhere.

How can the PCI compliance program evolve?

There is a laundry list of big retailers that have become victims of data breaches; Target is just the latest on the list, and Neiman Marcus may be joining at any minute.

Not being PCI compliant is the most common factor in all of the breaches, while being compliant does not guarantee that it will stop the attack from happening. But when that attack happens and you are in catch-up mode trying to get ahead of the breach, being PCI compliant may still help you.

Target - Lose $1 billion in revenues after Breach... then spend $100 million on some fixes

So I'm sure you know where I'm going with this post.......

Target takes a hit to their reputation and a hit to revenues. They then spend $100 million on fixing security holes they may have; even after the breach, there are some obvious issues they have addressed. But the question I ask them is this: if you had spent a little money securing all the different points at which customer data is accessed or stored, this would be a different story.

http://risnews.edgl.com/retail-best-practices/Target-Invests-$100M-in-Data-Security91496?googleid=91496

1,700 Detroit employees' personal data breached

Detroit says a recent computer security breach affected files that contained personal identifying information of about 1,700 city employees.
City chief information officer Beth Niblock said at a news conference Monday that a city employee apparently clicked on a malicious software link in an email that released a code that froze access to numerous files.
Niblock says two files included information such as the names, birth dates and Social Security numbers for the current and former employees.

Read more here: http://www.mercedsunstar.com/2014/03/03/3526509/detroit-reports-recent-computer.html#storylink=cpy

As Data Security Grows More Complex, Snapchat is a Cautionary Tale

I have to confess, I am not a big app user.  In fact, I can’t recall the last time I made any such download, whether to my phone or iPad.  This aversion doesn’t merely stem from a lack of interest in their functions.  Rather, I remember one particular time when I went to install a certain app, saw that it required full access to my phone and its data, and hopped right on the “nope” train.  Now, maybe (probably) that was just me being paranoid, but when certain incidents make the news, you begin to wonder if your caution was warranted after all.

NHS patient data made publicly available online

The shambles that is NHS England's Care.data patient data sharing scheme suffered another blow this week as it is revealed that patient-level data was available publicly online.
Ben Goldacre has tweeted that Hospital Episode Statistics (HES) -- the pseudonymised data collected about patients when ........
http://www.wired.co.uk/news/archive/2014-03/03/care-data-leaks

Minnesota Companies will notify you within 48hrs of breach

This is a great start to help those affected when a company is breached and your data is lost. We still need to work on the prevention of data loss; as I have mentioned in a previous post, California has a great guideline to help handle breaches and prevent them.

The Minnesota bill:

http://www.bna.com/minnesota-breach-law-n17179882557/

California Guideline:

https://oag.ca.gov/cybersecurity

Senate, Retailers Push Data-Theft Law

Congress and the Obama administration are rallying retail-sector support for a national standard for companies to notify customers about data theft, but a government cybersecurity task force member says ambiguous language in bills might allow “a get-out-of-jail-free card” about when to warn consumers.

Recent FTC Ruling Could Cloud Data Security Enforcement

The arcane world of data security regulations just got a little more ambiguous.
In January, the Federal Trade Commission affirmed its authority to bring action against businesses that fail to adequately protect consumer data. The decision has particular implications for health care, as the case involved LabMD, a medical testing laboratory and a covered entity under HIPAA.  

BREAKING DATA NEWS ALERT - Is your ventilator or IV leaking? Your data of course.

Experts Cite Medical Devices, Patient Portals Among Emerging HIPAA-HITECH Security Threats

Well, that's not what I was expecting when we talk about HIPAA violations. We all think that the typical breach comes in the form of a database being lost or stolen, but the bigger picture is that every device that connects to sensitive data needs to be secured.

If you start to think about the number of devices that are in a hospital, the number of potential security holes is endless.

Don't Blink or your Identity will be lost

Researchers say that every 2 seconds someone loses their identity, but wait, there is good news here.
Last year thieves only stole $18 billion, compared to $21 billion the previous year; it is safe to say that companies are starting to take notice and do something about it.

BREAKING DATA NEWS ALERT - "What's wrong with my friend" Healthcare Breach

"Health care workers potentially snooping into the electronic health information of friends, neighbors, spouses or co-workers."

While this is not the big data breach that we hear about in the news all the time, it is nevertheless classed as a breach under the HIPAA Omnibus Rule. These types of breaches have been going on for years and will continue until organizations put safeguards in place to stop this from happening. Make employees accountable for snooping on their friends and family.

BREAKING DATA NEWS ALERT - Your Mortgage company will be breached

Over 70% of mortgage lenders risk data breach
Does this really surprise you at all? I have had my dealings with mortgage companies, just like most Americans. The way I have had to send info to them via fax and other means still really just surprises me. It is not surprising that they still have practices that were in place 10 years ago. Time for them to change and catch up with current electronic practices.

Sunday, March 2, 2014

California Gov Stands out from the crowd

While many states are getting hacked on a regular basis, and California is one of them, at least they are taking a proactive approach.
California has published a guideline that all states should take a look at and mirror where possible.

Saturday, March 1, 2014

Where does the data go when it is lost?

When you hear of these breaches, your first reaction is to think how inconvenient it is. But where does the data really go?..... Well, Hold Security has found your data, along with another 1.25 billion emails and login credentials. It's not surprising to find such a large block, as there have been a boatload of breaches; it's a great wake-up call to everyone that was involved in a breach to change your details ASAP.