Archive for April, 2011
Last week’s Sony data breach shattered TJX’s longstanding record for the largest customer data theft ever, a dubious honor that TJX has held since 2007.
The massive Sony breach leaves millions and millions of credit cards at risk. Details still aren’t clear yet, but the Sony breach *may* have included the theft of customer credit card information, as well as other personal information such as billing addresses, usernames/passwords, email addresses, birthdays, and transaction histories.
Did Sony take reasonable care to protect, encrypt, and secure the private and sensitive data of its users?
Did Sony take too long to notify customers that their personal information had been exposed?
Looks like these questions will be answered in a courtroom as the first lawsuit resulting from the Sony security breach of the personal data of more than 75 million Sony PlayStation Network customers has been filed.
The class action lawsuit seeks a trial by jury and fitting monetary reimbursement. The case’s Overview cites “breach of warranty, negligent data security, violations of consumers’ rights of privacy, failure to protect those rights, and failure and on-going refusal to timely inform consumers of unauthorized third party access to their credit card account and other nonpublic and private financial information” as cause enough, noting Sony’s “failure to maintain adequate computer data security of consumer personal data and financial data.”
For more information, take a look at the post on the Sony PlayStation blog. I’m sure we’ll be learning more as further breach details are disclosed and as court proceedings advance.
Many thanks to the Verizon RISK Team (along with the U.S. Secret Service and the Dutch High Tech Crime Unit) for publishing their 7th annual analysis of data breaches. Compromised data continues to plague organizations worldwide, and studies like the 2011 Data Breach Investigations Report can help us all avoid becoming a victim – both as individuals and also as corporate citizens.
Here are a few noteworthy data points:
- Nearly 800 data breaches were reported in 2010, almost as many as the roughly 900 breaches reported in the previous six years combined
- Only about 4 million records were compromised in 2010, which is far fewer than the 144 million compromised in 2009
- Many breaches involved sending data externally – Take this as a warning to pay more attention to information leaving your organization
- 89% of companies suffering credit card breaches were not PCI compliant at the time of the breach. Since the figure is measured only among breached organizations it does not by itself prove that compliance prevents breaches, but it does suggest that organizations with rigorous compliance efforts are less likely to end up in this dataset
- Only 17% of breaches implicated insiders (down from 31% last year) and 29% had a physical component
A key takeaway is that while the quantity of data breaches quintupled in 2010, the number of compromised records actually dropped. This data is consistent with the growing belief that attackers are increasingly targeting smaller companies (which tend to have less focus and expertise on IT security) simply because they are easier to exploit.
As the Verizon team points out, in the world of cyber crime, knowledge is power. Not only do companies require visibility into the files and data being transferred into and out of their organization, but they also need the management and enforcement capabilities to control, govern, and protect the growing number of mission-critical and confidential files that are accessed every day by internal and external systems, applications and people.
Dropbox’s response is not adequate. It’s not enough for them to bury their heads in the sand and say that this security gap is not their problem if a hacker has physical access to the computer. The very nature of Dropbox is that it spreads a user’s data, and the credentials that unlock it, across many more computers. As such, these users are increasing the risk of their information being stolen and their businesses being compromised.
Instead, Dropbox needs to say what steps they are taking to close this security gap. If Dropbox wants to minimize the impact to their business and to increase their presence as a responsible corporate citizen, Dropbox needs to make this security issue theirs to resolve.
Encryption is the best way for Dropbox to proceed right now. Encrypting its configuration files would be the first and best place to start, provided the key lives in the operating system’s per-user credential store rather than next to the file, so that copying the file alone is not enough to reuse it on another machine. Second, Dropbox (like Google or my credit card company) should monitor users’ accounts for unusual activity. Whenever it notices a blip or a change in a user’s activity, it should send the user an email or SMS.
Third, no application or user should be given implicit access to a user’s files. All access needs to be explicit. An end user needs to specify each application and user that has permission to view, update, copy or remove their files.
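The second and third points above, monitoring for a credential used from somewhere it should not be and requiring an explicit grant before any application touches a file, can be modelled in a few dozen lines. The following is an added example, not Dropbox’s code, and every name in it (the HMAC-based token scheme, the device fingerprint attributes, the account and grant structures, the sample accounts) is an assumption made for illustration. The point it demonstrates is that a client credential bound to the machine it was issued to becomes worthless when copied, and that the copy attempt itself is the “blip” worth alerting on.

```python
"""Device-bound tokens, copy-attempt alerts and explicit per-app grants.

Added example (not Dropbox's own code). All names, the token construction
and the sample accounts below are assumptions for illustration only.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Server-side signing key; in a real service this sits in an HSM/KMS,
# never on the client.  Generated fresh here so the example runs stand-alone.
SERVER_SECRET = secrets.token_bytes(32)


def device_fingerprint(hostname: str, os_user: str, machine_id: str) -> str:
    """Hash of attributes the enrolling machine has and a copied file does not."""
    return hashlib.sha256(f"{hostname}|{os_user}|{machine_id}".encode()).hexdigest()


def issue_token(account: str, fingerprint: str) -> str:
    """Token = MAC(account, device).  Replaying it from another device fails the MAC."""
    return hmac.new(SERVER_SECRET, f"{account}:{fingerprint}".encode(), hashlib.sha256).hexdigest()


@dataclass
class Account:
    name: str
    fingerprint: str                       # device the token was issued to
    token: str
    grants: dict = field(default_factory=dict)   # app name -> set of allowed actions
    alerts: list = field(default_factory=list)   # what would go out by email/SMS


class FileService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def enroll(self, name: str, hostname: str, os_user: str, machine_id: str) -> str:
        """Called once on the user's real machine; returns the credential the client stores."""
        fp = device_fingerprint(hostname, os_user, machine_id)
        tok = issue_token(name, fp)
        self.accounts[name] = Account(name, fp, tok)
        return tok

    def grant(self, name: str, app: str, actions) -> None:
        """Explicit access: nothing is allowed until the user grants it per application."""
        self.accounts[name].grants[app] = set(actions)

    def access(self, name: str, token: str, hostname: str, os_user: str,
               machine_id: str, app: str, action: str) -> bool:
        """Authorise one file operation.  Returns True only if the token is valid
        for *this* device and the calling app holds an explicit grant for the action."""
        acct = self.accounts.get(name)
        if acct is None:
            return False
        fp = device_fingerprint(hostname, os_user, machine_id)
        if not hmac.compare_digest(token, issue_token(name, fp)):
            if hmac.compare_digest(token, acct.token):
                # The genuine credential, presented from a machine it was never
                # issued to: the copied-config-file case.  Alert the owner.
                acct.alerts.append(
                    f"{name}: your credential was used from an unrecognised device ({hostname})")
            return False
        if action not in acct.grants.get(app, set()):
            # No implicit access: an ungranted app is refused and the attempt is logged.
            acct.alerts.append(f"{name}: application '{app}' tried '{action}' without a grant")
            return False
        return True


if __name__ == "__main__":
    svc = FileService()
    tok = svc.enroll("alice", "alice-laptop", "alice", "machine-0001")   # constructed sample
    svc.grant("alice", "photo-sync", ["read"])
    print(svc.access("alice", tok, "alice-laptop", "alice", "machine-0001", "photo-sync", "read"))
    print(svc.access("alice", tok, "attacker-box", "root", "machine-9999", "photo-sync", "read"))
    print(svc.accounts["alice"].alerts)
```

Binding the token to the device is what makes a stolen configuration file useless on its own; encrypting that file at rest with a key kept in the OS user keystore is a complementary layer, not a substitute, since an attacker who can read the file can usually read a key stored beside it.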
As all our transactions become electronic, securing data, and securing access to it without compromising usability for authorized users, has to be the number one requirement for software vendors.
I, like many others, have received security notifications about the Epsilon data breach. In the last 48 hours I have been sent email warnings from 8 companies that I trusted with my personal information: banks, retailers and hotels.
These companies entrusted my private contact information to Epsilon, a 3rd-party e-mail marketing company, and that information has now been compromised by hackers. Awesome.
Details of this massive breach are still rolling in, but so far the list of affected companies is known to include: Ameriprise Financial; Best Buy; Brookstone; Capital One; Citibank; Disney Destinations; Hilton; Home Shopping Network; JPMorgan Chase; Kroger; LL Bean Visa Card; Marriott; QVC; Robert Half; Red Roof Inn; Ritz-Carlton; Target; The College Board; TiVo; US Bank; Walgreens; 1-800-FLOWERS. And there are likely many more that we haven’t heard about yet.
The Epsilon e-mail breach is a warning about the data security standards employed by third-party service providers, as well as a not-so-subtle reminder to organizations to require strong contractual security obligations from every business partner and third-party provider they do business with. As we learned with Epsilon, the privacy, and the trust, of your customers may depend on it.
Lastly, be on the lookout for scam emails in your inbox. The Epsilon breach is an example of how hackers can now match your name and email address to the companies you interact with, so a phishing message can name the right bank or retailer and be addressed to you personally. Get ready for the onslaught of emails trying to trick you into handing over your online usernames and passwords. I suggest not clicking links embedded in emails; instead, always go to the company website directly and log on from its homepage. Check out this informative article on The Last Watchdog for more on spear phishing risks as well as some commentary by Ipswitch’s Frank Kenny on data breaches and customer notifications.
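The reason “don’t click links in email” is sound advice is that the link text and the link target are two different things, and phishers exploit the gap. The following added example (not from the original post or from any vendor named on this page) pulls every anchor out of an HTML message and flags the tricks that matter: a target whose registered domain is not the sender’s, a visible URL that names a different domain than the real target, an IP-literal host, a user-info prefix that hides the real host, and a non-web scheme. The sample message, the sender domain and the two-label notion of “registered domain” are assumptions for illustration (a production check would use the public suffix list so that domains like example.co.uk are handled).

```python
"""Flag suspicious links in an HTML e-mail body.

Added example, not part of the original post.  The sample message, sender
domain and the two-label 'registered domain' simplification are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: ignores multi-part suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


_DOMAIN_IN_TEXT = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")
_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def link_findings(html_body: str, sender_domain: str) -> list[tuple[str, str, list[str]]]:
    """Return (href, visible_text, reasons) for each link that looks deceptive."""
    parser = _LinkCollector()
    parser.feed(html_body)
    expected = registered_domain(sender_domain)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        reasons = []
        if parts.scheme and parts.scheme not in ("http", "https"):
            reasons.append(f"non-web scheme '{parts.scheme}'")
        if "@" in parts.netloc:
            reasons.append("userinfo in URL hides the real host")
        if _IPV4.fullmatch(host):
            reasons.append("IP-literal host")
        if host and registered_domain(host) != expected:
            reasons.append(f"target domain {registered_domain(host)} is not {expected}")
        shown = _DOMAIN_IN_TEXT.search(text.lower())
        if shown and registered_domain(shown.group(0)) != registered_domain(host):
            reasons.append("visible text names a different domain than the href")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample message: two deceptive links and one legitimate one.
SAMPLE_EMAIL = """
<p>Dear Customer, please verify your account:</p>
<a href="https://www.example-bank.com.account-verify.example.net/login">https://www.example-bank.com/login</a>
<a href="https://example-bank.com@198.51.100.7/">Secure Login</a>
<a href="https://www.example-bank.com/help">Help Center</a>
"""
SENDER_DOMAIN = "mail.example-bank.com"   # assumed From: domain of the message

if __name__ == "__main__":
    for href, text, reasons in link_findings(SAMPLE_EMAIL, SENDER_DOMAIN):
        print(f"{text!r} -> {href}\n    " + "\n    ".join(reasons))
```

The first sample link is the classic spear-phishing shape: the visible text is the bank’s real URL while the target is a look-alike subdomain on someone else’s domain. Run over a real mailbox, the sender domain would come from the authenticated From: header (after SPF/DKIM checks), not from the message body.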