Tuesday, July 21, 2015

Cybersecurity & Civic Hacking # 7: Data Breaches

Quick update to last week’s Cybersecurity # 6 post: on July 21, 2015, Wired Magazine published “Hackers Remotely Kill a Jeep on the Highway—With Me in It;” if you’re concerned about your car being vulnerable to digital attack, you should read the article.

July 22 Civic Hacking Event UPDATE:  Omni Resources will be sponsoring pizza for the evening of civic hacking at The Avenue HQ in Appleton. Check out the post “Civic Hacking Event: July 22, Appleton, The Avenue HQ” from last week for more details about the event.

-------------------------------------

Mega data breaches exposing personal information of millions of people are becoming routine events. Major memorable breaches include Target, Anthem, US Office of Personnel Management (OPM), and now, Ashley Madison.

Data breaches aresecurity incidents in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), Personally identifiable information (PII), trade secrets of corporations or intellectual property.” Data breaches which have gotten a lot of attention in mainstream media over the past couple years often involved theft of personal information about customers or employees of companies or organizations (which could lead to identity theft).

Below are excerpts from articles about the four data breaches listed above. As you can see from the numbers mentioned in the articles, it appears that in the past couple years, data breaches have exposed personal information of several hundred million people. That either means data breaches aren't important enough to worry about or it means we have a HUGE problem.

OMP

The OMP data breach is disturbing for several reasons. First, the attack involved information 20 to 26 million people. Second, the data taken included social security number and fingerprints. Third, many people in the database had applied for US government security clearance, and the information included detailed summaries of psychological and emotional health counseling, as well as other sensitive information related to security clearance. Fourth, “the Inspector General warned OPM last year about serious security and privacy problems after it was hacked in a smaller-scale incident, yet the agency did not implement the recommended changes to its systems or practices.” Here’s an excerpt from “Hacking of Government Computers Exposed 21.5 Million People.”
“...21.5 million people were swept up in a colossal breach of government computer systems that was far more damaging than initially thought, resulting in the theft of a vast trove of personal information, including Social Security numbers and some fingerprints. Every person given a government background check for the last 15 years was probably affected...hackers stole “sensitive information,” including addresses, health and financial history, and other private details, from 19.7 million people who had been subjected to a government background check, as well as 1.8 million others, including their spouses and friends. The theft was separate from, but related to, a breach revealed last month that compromised the personnel data of 4.2 million federal employees...The breaches constitute what is apparently the largest cyberattack into the systems of the United States government, providing a frightening glimpse of the technological vulnerabilities of federal agencies that handle sensitive information. They also seemed certain to intensify debate in Washington over what the government must do to address its substantial weaknesses in cybersecurity, long the subject of dire warnings but seldom acted upon by agencies, Congress or the White House...”
Ashley Madison

In July 2015, a seedier side of the Internet was exposed as information about millions of apparent adulterers was exposed by someone who didn’t agree with Ashley Madison’s business practices.
Infidelity site Ashley Madison hacked as attackers demand total shutdown” explains that the digital attack was done to shut the site down.
Hackers have stolen and leaked personal information from...Ashley Madison, an international dating site...The site, which encourages married users to cheat on their spouses and advertises 37 million members, had its data hacked by a group calling itself the Impact Team...The Impact Team claims to have complete access to the company’s database, including not only user records for every single member, but also the financial records of ALM and other proprietary information. For now, the group has released just 40MB of data, including credit card details and several ALM documents...“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails...the group’s statement reads...”
Anthem

When a company is entrusted with the care of your health, you would hope that they can keep your records safe and secure. Well, Anthem Blue Cross figured out in January 2015 that they had lost to cybercriminals the data for up to 80 million people. The LA Times article “Anthem is warning consumers about its huge data breach. Here's a translation.” certainly doesn’t make the reader feel like Anthem did everything possible to keep this data safe.
Anthem, the health insurance company...allowed hackers to gain access to information it held on as many as 80 million Americans. The victims are current and former members of Anthem health plans, and even some nonmembers, since Anthem manages paperwork for some independent insurance companies...Anthem's communication is a pretty standard version of the genre. It's a "don't-blame-us" message masquerading as a mea culpa, along with an offer of free identity theft services that aren't as useful as recipients are led to believe...Anthem: "On January 29, 2015, Anthem, Inc. (Anthem) discovered that cyber attackers executed a sophisticated attack to gain unauthorized access to Anthem's IT system and obtained personal information..."...The message is that the hackers were so skilled that Anthem couldn't possibly defend against them--no one could. This is a conventional defense by cyber-attack victims...Often it turns out that the breach isn't so sophisticated, but that hackers exploited known vulnerabilities in the target's system. That appears to be the case with Anthem. The huge healthcare firm didn't encrypt the huge volume of personal information it held…”
Target

There were other retailer data breaches before it, but the 2013 Target fiasco became a landmark case. The personal information of up to 110 million people was compromised, and as of August 2014, it was estimated the breach had cost Target $148 million dollars. An analyst from Forrester Research expects the final cost of the breach to be close to one billion dollars. Here’s an excerpt from the New York Times article “For Target, the Breach Numbers Grow.”
Target on Friday revised the number of customers whose personal information was stolen in a widespread data breach during the holiday season, now reporting a range of 70 million to 110 million people. The stunning figure represents about a third of all American adults at the low end, and is nearly three times as great as the company’s original estimate at the upper end. The theft is one of the largest ever of retail data. Not only did Target’s announcement disclose a vastly expanded universe of victims, but it revealed that the hackers had stolen a broader trove of data than originally reported. The company now says that other kinds of information were taken, including mailing and email addresses, phone numbers or names, the kind of data routinely collected from customers during interactions like shopping online or volunteering a phone number when using a call center...Target said up to 110 million customers had data stolen, and that some of it was taken before the holiday shopping season...Fraud experts said the information stolen from Target’s systems quickly flooded the black market. On Dec. 11, shortly after hackers first breached Target, Easy Solutions, a company that tracks fraud, noticed a 10 to twentyfold increase in the number of high-value stolen cards on black market websites, from nearly every bank and credit union…”
In this blog post, you’ve read about hundreds of millions of people having their personal data stolen in four data breaches. There were other major data breaches in the past few years in addition to these four. And there will be other data breaches in the future.

The real question is, in light of certain knowledge that data breaches will happen in the future, what should you do about your data that’s held by companies and organizations not under your control. This question actually consists of three parts:

  1. Steps to take before your info is exposed in a data breach.
  2. How to monitor or know if your data is exposed.
  3. Steps to take after your data is exposed in a data breach.

The need for a good answer to this three-part question is one of the reasons I proposed the following collaborative NE Wisconsin cybersecurity initiative in my post "Cybersecurity: A New Horizon For Civic Hacking?"

I propose one or several NE Wisconsin colleges launch a collaborative regional cybersecurity pilot initiative. Civic hackers known as the Northeast Wisconsin Cyber Defense Force (NEW CDF), in collaboration with the new college cybersecurity program, help area residents and businesses maintain the best possible computer security and personal privacy. NEW CDF is a cadre of ethical and knowledgeable technologists working together to improve and practice their cybersecurity knowledge and skills. CDF provides practical training for business and personal computer security at the CDF Cybersecurity Training Center or onsite at northeast Wisconsin businesses and organizations. This community of cybersecurity civic hackers also helps catalyze and spin off cybersecurity startups and other high tech businesses.

After the NE Wisconsin cybersecurity initiative is launched, you’ll be able to work with the Cyber Defense Force to get your personalized answer to the above three-part question about data breaches.

---------------------------------------------------

DHMN Civic Hacks posts about 'Cybersecurity & Civic Hacking':
C&CH # 01: "Cybersecurity: A New Horizon For Civic Hacking?"
C&CH # 02: “Cybersecurity & Civic Hacking # 2: Public Wi-Fi
C&CH # 03: "Cybersecurity & CH # 3: The Right Person / Topics Of Interest"
C&CH # 04: "Cybersecurity & CH # 4: Malware"
C&CH # 05: “Cybersecurity & CH # 5: Even Cybersecurity Companies Get Hacked!
C&CH # 06: "Cybersecurity & CH # 6: How Cybersecure Is Your Car?"
C&CH # 07: This post, published July 21, 2015
C&CH # 08: "Cybersecurity & CH # 8: Hype or Reality?"

*****

No comments:

Post a Comment