Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Identity theft

The Top 7 HIPAA Risk Analysis Myths

HIPAA-Risk-Assessment-Infographic-e1406067274883

Advertisements

The Aftermath of a Mega Data Breach

A Ponemon Study sponsored by Experian® explores consumers’ sentiments about data breaches. The goal was to learn the affect data breaches had on consumers’ privacy and data security concerns. A similar study was conducted in 2012 and reveals some interesting trends in consumers’ perceptions.

The study asked consumers who were victims of a data breach questions about their experience. It may not come as a surprise that individuals who have had their personal information lost or stolen increased 100% since the 2012 study when only 25% of individuals surveyed were victims of a data breach.

For purposes of the research, they define a data breach as

the loss or theft of information that can be used to uniquely identify, contact or locate you. This includes, but is not limited to, such information as Social Security number, IP address, driver’s license number, credit card numbers and medical records

797 individuals were surveyed and approximately 400 of these respondents say they were the victims of a data breach. By far, the primary consequence of a data breach is suffering from stress (76% of respondents) followed by having to spend time resolving problems caused by the data breach (39% of respondents).

The most significant findings of the research:-

What companies should do following a data breach

  • 63% of consumers continue to believe that organizations should be obligated to provide identity theft protection
  • 58% believe credit monitoring services should be offered
  • 67% believe compensation such as cash, products or services should be offered

–       These findings are similar to the findings in the 2012 study.

Credit card companies and retail stores sent the most notifications

  • 62% of respondents say they received two data breach notifications involving separate incidents. These notifications can be in the form of a letter, telephone call, email or public notice.

Becoming a victim of a data breach increases fears about becoming an identity theft victim.

  • Prior to having their personal information lost or stolen, 24% say they were extremely or very concerned about becoming a victim of identity theft.
  • Following the data breach, this concern increased significantly to 45%.
  • 48% of respondents say their identity is at risk for years or forever.

How important is media coverage of data breaches?

  • The majority of respondents believe it is important for the media to report details about data breaches. Mainly because it requires companies to be more responsive to victims followed by the creation of greater awareness about how the data breach could affect individuals and alerts potential victims to take action to protect their personal information from identity theft.

Other findings:-

  • 25% of data breach notifications offered identity theft protection such as credit monitoring or fraud resolution services. This is a slight decrease from 2012 when 29% of respondents received such an offer
  • 67% of those receiving a notification wanted the organisation to “Explain the risks or harms that I will experience”
  • 32% said “I ignored the notification(s) and did nothing”
  • 78% were most worried about their Social Security number followed by Password/PIN at 71% and Credit card or bank payment information with 65%
  • 81% of respondents who were victims of a data breach did not have any out of pocket costs. If they did, it averaged about $38
  • 34% say they were able to resolve the consequences of the breach in one day
  • 55% say they have done nothing to protect themselves and their family from identity theft

The full report can be found here.

More Than 12 Million Identity Fraud Victims in 2012, study finds

Javelin Strategy & Research have released their 2013 Identity Fraud Report with some startling results the scariest being “one in four consumers who receive a data breach letter will become the victim of identity fraud.”

This means the days when a breached organisation would try to keep a breach quiet with the hope that it would go away have gone because the odds are far too high to ignore financial impacts that follow Identity Theft. 

This past year was one where there were both successes and setbacks for consumers, institutions and fraudsters,” said Jim Van Dyke, CEO of Javelin Strategy & Research, in a prepared statement. “Consumers and institutions are now starting to act as partners detecting and stopping fraud faster than ever before. But fraudsters are acting quicker than ever before and victimizing more consumers. Consumers must take data breach notifications more seriously and maintain vigilance to safeguard personal information, especially Social Security numbers

Key findings from the study include:

–  $21 billion was stolen in 2012. Higher than in recent years but considerably lower than the $47 billion in 2004

–  Almost 1 in 4 consumers who received a breach notification letter became a victim of identity fraud.

This underscores the need for consumers to take all notifications seriously. Not all breaches are created equal. The study found consumers who had their Social Security number compromised in a data breach were 5 times more likely to be a fraud victim than an average consumer

–  The stolen information was misused for a variety of fraud types, for example credit cards, loans and mobile phone bills and on average was misused for an average of 48 days during 2012 which is down from 55 days in 2011 and 95 days in 2010.

More than 50% of victims were actively detecting fraud using financial alerts, credit monitoring or identity protection services and by monitoring their account

–  15% of all fraud victims changed their online behavior and avoid smaller merchants

While credit card numbers remain the most popular item revealed in a data breach, in reality other information can be more useful to fraudsters. Personal information such as online banking login, username and password were compromised in 10% of incidents and 16% of incidents included Social Security numbers

It’s not just online fraud or data breaches. More than 1.5 million consumers were victims of familiar fraud, which is fraud when victims know the fraudster. Lower income consumers were more likely to be victims of familiar fraud. The information most likely to be taken via familiar fraud includes name, Social Security number, address and checking account numbers

Javelin have produced some guidance for consumers called the “Seven Safety Tips to Protect Consumers”

Javelin Strategy & Research recommends that consumers work in partnership with institutions to minimize their risk and impact of identity fraud by following a three-step approach: Prevention, Detection and Resolution™.

Prevention

1. Keep personal data private—Secure your personal and financial records behind a password or in a locked storage device whether at home, at work and on your mobile device. Familiar fraud is a serious issue with 12 percent of fraud victims knowing the perpetrator personally. Other ways to secure information include: not mailing checks to pay bills, shredding documents, monitoring your accounts weekly, and protecting your computer and mobile device with updated security software. Use a trusted and secure Internet connection (not a public Wi-Fi hotspot) when transmitting personal or financial information, and direct deposit payroll checks.

2. Look for security features—When paying online be sure you have a secure connection. Two ways you can denote a secure connection are to look for “https” and not just http at the start of the merchant’s web address or a bright green box and padlock graphic in the address bar of most browsers. Check for either one of these before entering personal or payment information.

3. Think before you share—Before providing any sensitive information, question who is asking for the information. Why do they need it? How is the information being used? Do not provide the information if you are unsure about the legitimacy of the request. Be careful when clicking on links that then take you to a page asking for personal information. If an organization asks you for your Social Security number to validate your identity, request another question.

Detection

4. Be Proactive—There are many different levels of identity theft protection and consumers should work in partnership with institutions on identity theft prevention. By setting up alerts that can be sent via e-mail and to a mobile device and monitoring accounts online at bank and credit card websites, consumers can take a more proactive role in detecting identity fraud and stopping misuse. In 2012, 50 percent of fraud was first detected by the victims.

5. Enlist others—There are a wide array of services available to consumers who want extra protection and peace of mind including payment transaction alerts, credit monitoring, credit report fraud alerts, credit freezes and database scanning. 3 out of every 5 identity fraud victims did not know the source of their fraud, but many services will now provide alerts directly to a consumer’s smartphone. Some services can be obtained for a fee and others at no cost to the consumers who are victims of a data breach. These services can monitor credit reports, public records and online activity for signs of fraudulent use of personal information.

Resolution

6. Take any data breach notification seriously—If you receive a data breach notification, take it very seriously as you are at a much higher risk according to the 2013 Identity Fraud Report. If you receive an offer from your financial institution or retailer for a free monitoring service after a breach, you should take advantage of the offer, closely monitor your accounts and put a fraud alert on your credit report.

7. Don’t wait. Report problems immediately—If you suspect or uncover fraud, contact your bank, credit union, wireless provider or protection services provider to take advantage of resolution services, loss protections and methods to secure your accounts. A fast response can enhance the likelihood that losses are reduced, and law enforcement can pursue fraudsters so they experience consequences for their actions.

.

2013 looks like being a bigger year than 2012 as the ICO starts catching up with the backlog of breaches

2013 has started as 2012 finished off with UK Information Commissioner (ICO) coming down hard on those who breach the Data Protection Act.

So far this January 3 organisations have fallen foul of the ICO:

  1. Sony Computer Entertainment Europe Limited
  2. Mansfield District Council
  3. Prospect Trade Union

Sony Computer Entertainment Europe Limited

Sony Computer Entertainment Europe Limited fined £250,000 after the April 2011 hacking of the Sony PlayStation Network Platform (PSN). That breach resulted in millions of Sony customers having their data stolen including:

  • Names
  • Addresses
  • Email addresses
  • Dates of birth
  • Account passwords
  • Customers’ payment card details were also at risk.

David Smith, Deputy Commissioner and Director of Data Protection, said:

“If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough.

“There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.

“The penalty we’ve issued today is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.

“If there’s any bright side to this it’s that a PR Week poll shortly after the breach found the case had left 77 per cent of consumers more cautious about giving their personal details to other websites. Companies certainly need to get their act together but we all need to be careful about who we disclose our personal information to.”

Mansfield District Council. The council had several incidents of housing benefit claimants personal data being disclosed to the wrong landlord. The ICO has issued a formal undertaking to Mansfield District Council.

Prospect Trade Union. Prospect unfortunately sent two files containing personal details of approximately 19,000 members of the union to an unknown third party email address in error. The ICO has issued a formal undertaking to Prospect.

Both Prospect and Mansfield District Council have agreed “Formal Undertaking”. An undertaking is a detailed and document agreement between the ICO and the organisation that breached the Data Protection Act, specifically how those that have breached the Act will improve their Data Protection regime.

The Sony hack was widely reporting and was a result of an external attack whilst the other two, Prospect and Mansfield District Council were both the result of avoidable human error.

Want to know who was caught in 2012? Read my post 2012 was a big year for the Data Protection Act with record fines and breaches, see the full 2012 list here.

2012 saw a 5% increase in fraud

CIFAS (Credit Industry Fraud Avoidance System) is a not-for-profit membership association representing the private and public sectors.  CIFAS is dedicated to the prevention of fraud, including staff fraud, and the identification of financial and related crime. CIFAS operates two databases:

  1. National Fraud Database (NFD)
  2. Staff Fraud Database (SFD)

CIFAS’s analysis of fraud trends during 2012 reveals a 5% increase in the overall level of fraud, when compared with 2011. While the rate of the increase has slowed, further key findings present a more complex picture of the true state of the economic crime landscape in the UK:

  • Nearly 250,000 confirmed frauds were identified during 2012 by CIFAS Members, the highest number of frauds ever recorded by CIFAS Members and over 150,000 cases had an identifiable victim.
  • The continued blight of Identity Fraud accounts for over 50% of all frauds recorded in 2012.
  • The takeover of customer accounts increased by 53% from 2011, meaning that data driven identity crimes now constitute the vast majority of all fraud in the UK.
  • Conversely, frauds committed by the genuine account holder or applicant have all declined: the most notable being the decrease in fraudulent misuse of an account (Misuse of Facility fraud) which fell in 2012 by over 15% from the record levels seen in 2011. There has also been a fall in proven false insurance claims and instances of individuals submitting false details or documents in support of an application. 

The 5% increase in fraud levels recorded during 2012 serves as a reminder of the economic trials currently facing UK businesses and consumers. Nearly 250,000 frauds were identified in 2012. This represents a smaller rate of increase from the 9% surge recorded in 2011, but still constitutes the largest number of confirmed frauds ever recorded in a single year by organisations participating in the CIFAS national fraud data sharing scheme.

CIFAS Head of Communications, Kate Beddington-Brown, comments:

 “Fraud is frequently described as a victimless crime, but this is far from the truth. Whether it is an individual being impersonated, or public and private organisations losing funds due to fraudulent applications and transactions, the net effect is that the economic squeeze gets worse. Fraud acts as an impediment to business recovery and damages cashflow for us all; as losses incurred inevitably get passed on to society at large. The increase in fraud levels, therefore, might be seen as organisations getting better at rooting out fraud, but the implications are clear: increased fraud levels mean that organisations and individuals face a bigger problem than ever before.”

Identity crime: the fraudster’s biggest weapon

The fraudulent use of identity details (either those of an innocent victim or completely fictitious ones) is the biggest and most perturbing fraud threat. 50% of all frauds identified during 2012 relate to the impersonation of an innocent victim or the use of completely false identities.

Furthermore, Facility (or Account) Takeover Fraud – where a fraudster gains access to and hijacks the running of an account (e.g. theft of security details through computer hacking, interception of post details, social engineering through popular websites etc) rocketed by 53% compared with the previous year. This means that those frauds where the criminal requires identity details accounted for almost 2 in 3 (65%) of all frauds in 2012. The number of victims of both types of fraud has when combined also risen by 24% from the levels in 2011; underlining the very real cost of these crimes.

Kate Beddington-Brown notes:

 “These increases serve as a warning and a challenge to organisations and consumers equally. Organisations have invested heavily in updating and refreshing their security processes recently, ensuring that extra steps are taken to validate the identity of people with whom they are dealing. In spite of this, however, identity crimes have continued to rise – demonstrating that far more must be done. Equally, for individuals, It is obvious that fraud relating to personal data is an immense criminal trade so, fundamentally, we all have to do all we can to ensure that we also protect ourselves from becoming a victim, as well as demanding that the organisations we deal with take their security responsibilities seriously”

Frauds by account holders in decline

As problematic for organisations and the economy at large is fraud committed by the actual account holder. One piece of apparent good news, therefore, is that all frauds which come under this first party fraud heading declined in 2012: including misuse of facility fraud (where a legitimately obtained account is used fraudulently by the account holder) which decreased by 15% from the levels of 2011.

A substantial proportion of these frauds still bear the hallmarks of ‘money mule’ activity (where a criminal recruits another party to use his or her account on the fraudster’s behalf), but the decrease is encouraging in terms of consumer behaviour.

Kate Beddington-Brown notes:

“Organisations have invested effort into identifying possible victims of money mule operations and ensuring that their customers are educated about the dangers of misusing accounts, and these figures seem to demonstrate that this message is being heard. Any requests to receive and transfer funds on behalf of a person or organisation should be viewed with suspicion and reported, ultimately, to Action Fraud.”

Misuse of an account, however, is still the second largest type of fraud identified in 2012 and therefore increased attention must also be paid to ensuring that individuals are aware of this.

Kate Beddington-Brown explains:

“In these difficult economic times, the motivation to attempt fraud or the vulnerability to being duped into doing so – is perhaps understandable. Organisations, however, must do all that they can, to ensure that consumers are aware that committing fraud can have very serious consequences: from withdrawal of services to criminal charges. If organisations and consumers alike can stamp out this kind of fraud, extra effort can then be dedicated to preventing those criminals who are responsible for the rise in identity crime.”

CIFAS Chief Executive, Peter Hurst, concludes: “With the cost of living increasing, pay levels frozen for many, benefit changes taking effect and a sluggish economy, it is unsurprising that fraud has increased. Prevention remains better than cure, however, and it is time for all organisations and consumers to start reviewing their approaches to preventing fraud rather than just dealing with its effects. Investment in proper fraud prevention systems and approaches, from online security to data sharing, and education are the cornerstones of such an approach and without them the only thing that is guaranteed is an ever increasing fraud losses to organisations and society at large.”

CIFAS’s summary of  identified fraud cases in 2011 and 2012:

  2011 2012 % Change
Fraud cases identified 236,516 248,325 +5.0%

CIFAS’s summary of the types of fraud undertaken is below:

Fraud Type 2011 2012 % Change
Identity Fraud – Total 113,259 123,589 +9.1%
Application Fraud – Total 43,263 39,868 -7.8%
False Insurance Claim 396 279 -29.5%
Facility Takeover Fraud 25,070 38,428 +53.3%
Asset Conversion 532 337 -36.7%
Misuse of Facility 53,996 45,824 -15.1%
Victims of Impersonation 96,611 112,179 +16.1%
Victims of Takeover 25,250 38,686 +53.2%

You might also want to read

.

2012: “A year of Identity & Fraud” a review by Experian

Experian, a global information services company has posted two summaries of its research and blogs for 2012. I have taken the information that relates to Identity theft and fraud and consolidated it into one post.

In March, Experian revealed its latest research which estimated £1.02 billion worth of online shopping transactions were abandoned the previous year by UK consumers frustrated by old and inefficient identity measures. One in five of these abandoned transactions were not taken elsewhere as individuals cancelled their shopping attempt altogether, resulting in £214 million worth of net lost revenue for UK retailers.

The study, which was conducted for Experian by the International Fraud Prevention Research Centre and included survey data as well as insights from online retailers and the Office of National Statistics, revealed that 44% of UK shoppers had abandoned at least one online shopping transaction in the last year having become frustrated with the length and complexity of certain older forms of identity verification.

Older forms of online identity verification, typically complex, standalone systems drawing on single sources of information to corroborate identity information, are unable to validate as many individuals electronically as modern services. As a result, genuine customers might be forced to call a contact centre, submit physical documents through the post or visit the store or branch to confirm identity. Alternatively, the organisation might choose to accept a lower level of proof, and risk higher levels of fraud, in order to minimise customer inconvenience.

In April, Experian revealed that fraudulent applications for mortgages increased by 8% in the previous year. This was the fifth year in a row in which the rate of mortgage fraud has increased. 34 in every 10,000 applications for mortgages were found to be fraudulent in 2011, compared to just 15 in every 10,000 in 2006.

The overall rate of fraud at point of application across the UK’s financial services sector increased by 4% in 2011, to just over 17 in every 10,000 applications. In addition to record mortgage fraud figures, this overall increase was also driven by growth in insurance and current account fraud. 93% of attempted mortgage fraud in 2011 was down to individuals misrepresenting their personal information on applications. Typically these first party frauds involved falsifying employment status or financial information, and most commonly attempting to hide an adverse credit history.

Experian’s demographic insight revealed that Mosaic groups Terraced Melting Pot (young, poorly educated individuals living in small towns) and Suburban Mindsets (predominantly middle aged, middle and skilled working class individuals) were both responsible for around 15% of first party mortgage fraud cases in 2011. The young, well educated professionals of the Liberal Opinions were also prone to attempting first party mortgage fraud, being responsible for 13% of cases.

Nick Mothershaw, UK&I director of identity & fraud at Experian, comments: “About 70 per cent of financial services application fraud in the UK fraud is down to first parties misrepresenting their circumstances, and the products such as mortgages and insurance that have seen fraud soar over the last year have a significant first party fraud element to them. This kind of fraud tends to originate from financially stressed segments of society.”

  • Insurance fraud. Insurance fraud rates reached 11 in every 10,000 applications and claims in 2011, an increase of 23% over the last year. 89% of insurance fraud was first-party led with the Terraced Melting Pot, Suburban Mindsets and Liberal Opinions demographics responsible for the most instances. Combined they accounted for 43% of cases.
  • Current accounts. The rate of current account fraud increased to 36 frauds in every 10,000 applications in 2011, up from 23 in every 10,000 in 2010. 60% of current account fraud in 2011 was committed by first-parties, almost a quarter (23%) of which was down to the Terraced Melting Pot demographic. The remaining 40% of current account fraud attempts were down to third-party identity fraudsters seeking to open accounts as a springboard to obtain other, more lucrative credit products, or for money laundering purposes.
  • Automotive and credit card fraud rates fall. Not all financial products saw fraud rates increase in 2011. Credit card fraud continued to fall, from 19 in every 10,000 applications in 2010 to 12 in every 10,000 in 2011. The rate at which fraudsters target new credit cards is almost a quarter of the level recorded in 2006, when 45 in every 10,000 applications were fraudulent.  Automotive finance providers have also seen fraud rates fall. 23 in every 10,000 applications were found to be fraudulent in 2011, down from 38 in every 10,000 during 2010. 85% of these frauds were first party.

In May, Experian revealed that Slough had overtaken London to become the identity fraud capital of the UK. The Berkshire town recorded 25 identity fraud attempts for every 10,000 households, with residents targeted at around four times the UK national average (seven households in every 10,000). Residents of London, Gravesend, Birmingham, Luton, Manchester and Leicester were also targeted at twice the national average rate. London as a whole experienced 22 attempts for every 10,000 households, although attempts were not spread evenly across the capital.

Substantial hotspots for identity fraud activity were found in and around London’s Olympic neighbourhoods. Financial service providers detected 78 incidents for every 10,000 households in East Ham, as residents were targeted at more than 11 times the national rate. Woolwich and Stratford also experienced significant identity fraud activity, recording 46 and 43 identity fraud attempts respectively for every 10,000 households.

Whilst the instances of fraud across all financial products remained at a constant level between 2010 and 2011 (six in every 10,000 applications were found to be fraudulent), the data shows that there was a surge in identity theft via current accounts and mortgages during this period, with rates doubling (from six to 14 in every 10,000 applications) and quadrupling (from one to four in every 10,000) respectively.

Identity fraud attempts on credit cards fell from 17 to four in every 10,000 applications.

Fraudsters turn their attention away from the wealthy.

  • For the first time, young people renting small flats from local councils or housing associations represent the demographic most likely to be targeted by identity fraudsters. This group, known in Experian’s Mosaic classification as Upper Floor Living, saw its identity fraud risk score increase by 47% to 256 in 2011. Its constituents are two-and-a-half times more likely than the average UK resident to be targeted.
  • Almost as high on the identity fraud danger list are the Terraced Melting Pot (risk score 242), a group of mostly young people with few qualifications that who work in relatively menial, routine occupations, and live close to the centres of small towns or, in London, in areas developed prior to 1914. The Terraced Melting Pot saw its risk score increase by 75% in 2011.
  • Previously, the wealthy Alpha Territory demographic – representing the wealthiest sections of society living in fashionable London neighbourhoods – were most likely to be targeted. The risk score for this group halved in 2011 (from 301 in 2010 to 149) as fraudsters turned their attentions to younger and less affluent sections of society.

In June, Experian revealed that the financial services industry saw a 16% quarter-on-quarter jump in fraud rates in the period January to March 2012, driven primarily by a significant surge in current account fraud. 19 in every 10,000 applications for financial services were found to be fraudulent in the first three months of 2012, up from 16 in the last quarter in 2011. 44 in every 10,000 current account applications were detected as being fraudulent during the first quarter of 2012, 23% higher than Q4 2011.

The current account extended its position as the most targeted financial product, recording the busiest period for current account fraud ever recorded by Experian. Experian’s data shows that the majority (62%) of current account fraud in 2011 was committed by first-party perpetrators, which typically involves an individual painting a knowingly false portrait of their personal circumstances to obtain services to which they are not entitled. 38% of current account frauds were due to individuals attempting to hide adverse credit histories when opening current accounts or applying for overdrafts.

A further 39% of current account fraud involved product or payment abuse, which included people knowingly attempting to make payments with insufficient funds in their accounts. Attempted insurance fraud increased by 37% quarter-on-quarter, to reach its highest point since late 2009. 13 in every 10,000 applications and claims were detected as being fraudulent during Q1, up from 10 in Q4 2011. 58% of insurance fraud involved some form of product abuse, most significantly the provision of false payment information.

A 56% increase in identity fraud attempts pushed credit card fraud up from 10 cases in every 10,000 applications in the final three months of 2011 to 14 in the first quarter of 2012. Attempted identity frauds on cards leapt from five to eight in every 10,000 applications over the same period.

Nick Mothershaw, UK director of identity & fraud services at Experian, comments: “Experian’s data shows further growth in current account fraud during the first quarter of 2012, mostly emanating from individuals providing false information attempting to open new accounts or obtain overdrafts or making payments they knowingly couldn’t afford. The threat of identity fraudsters seeking to open accounts in the names of unsuspecting third parties, for money laundering or as a springboard to attempt fraud on more lucrative credit products, also remains.  Credit cards have seen a resurgence in identity fraud, while a growing number of financially stressed individuals consider misrepresenting their personal or payment information when applying for insurance, contributing to a significant fraud upswing in the first quarter of 2012.” 

  • Automotive finance. Fraud attempts in the automotive finance sector have declined significantly, down 34% on the previous quarter. There were 18 attempted frauds in every 10,000 applications in the first quarter of 2012, the majority of which were individuals attempting to hide an adverse credit history when applying for automotive finance.
  • Loans. The number of fraudulent loan applications has continued to decrease, reaching the lowest point ever recorded by Experian. Four in every 10,000 applications were discovered to be fraudulent in Q1 2012, 38% lower than the previous quarter. Attempting to hide an adverse credit history continues to be the preferred modus operandi in more than half of attempted loan fraud.
  • Mortgages. Attempted mortgage fraud fell by 5% quarter-on-quarter, with 35 in every 10,000 applications uncovered as fraudulent during the first three months of 2012. Attempting to hide an adverse credit history, misrepresenting employment status and falsifying financial information were the most commonly used tactics employed by mortgage fraudsters during Q1.
  • Savings accounts. Savings account fraud rates were 18% lower in the first quarter of this year than the preceding three months. 12 in every 10,000 applications were found to be fraudulent, with identity fraudsters responsible for more than 80% of cases.

In July, it was reported that fraudsters had traded 12 million pieces of personal information online in 2012, representing a threefold increase on corresponding figures for 2010. Experian data indicated that consumers had an average of 26 separate online logins, but just five different passwords across them all.

Experian advised people to change their passwords on a regular basis and try to make them more complex to keep fraudsters from cracking them.

The full story can be found here.

In August, a special investigation revealed that fraudsters were stealing identities in order to take out multiple mobile phone contracts and walk away with valuable handsets. One man returned from a holiday to discover fraudsters had taken out nine contracts in his name.

Experian said around 200 victims were contacting the company each month for help to restore credit histories that had been damaged by the “mobile communications fraud”.

George Hopkin’s original posts can be found here, part one and part two.

.

One in four consumers are victims of card fraud – new study reveals

A global study of more than 5,200 consumers across 17 countries conducted by ACI Worldwide and Aite Group has revealed that one-in-four respondents has been victimised by credit, debit or pre-paid card fraud during the past five years.

More than 20% respondents reporting that they will stop using, or switch from, the card impacted by fraudulent activity.

The report also found the top two countries affected by credit fraud were

  1. Mexico with 44% of residents affected
  2. 42% of United States

The countries with the lowest levels of fraud were The Netherlands and Sweden with fraud at 12%

“The results of this survey show that card fraud continues to be one of the greatest threats and concerns for consumers, financial institutions and retailers,” said Mike Braatz, Senior Vice President, Payments Fraud, ACI Worldwide. “While there have been significant advances in fraud prevention technology, it is clear that more needs to be done to educate consumers about fraud and engage them as allies when it occurs. These results should serve as a call-to-action for financial institutions and retailers to remain constantly vigilant and earn the trust of customers by working with them to combat fraud.”

The 2012 Fraud Survey also found that:

Financial institutions risk losing customers due to fraud

  • Attrition rates after experiencing card fraud average 21% among cardholders.
  • Of cardholders who received replacement cards as a result of a data breach or fraudulent activity in the past year, 46% used the new card less than the original.
  • After experiencing fraud, more than 50% of cardholders used cash or an alternate form of payment instead of their credit or debit card.

Consumers fear identity theft yet continue risky behaviour

  • Identity theft replaced credit card fraud as the greatest concern from fraud exposure in the 2012 survey, with 49% of respondents indicating they were very concerned about possible harm to their financial standing and rating.
  • Many consumers continue to exhibit risky behaviours that put them at higher risk of financial fraud, including keeping written records of PIN numbers, throwing un-shredded documents containing sensitive information into trash bins and using public computers or computers without security software for Internet banking services and to shop online.

Consumers want to partner with banks for fraud prevention

  • If their financial institution notices unusual activity on their bank account or card, 82% of respondents are “very interested” in being notified prior to the bank taking action.
  • Consumers prefer immediate and direct communication from their banks when fraudulent activity is detected. The most preferred method of contact was found to be a call to the respondents’ mobile phone, followed closely by e-mail or text message.  This illustrates a change from 2011 where contact via home phone was the second most preferred method.

“The 2012 Fraud survey paints a compelling picture of the global nature and threat of fraud,” said Shirley Inscoe, Senior Analyst, Aite Group.  “Financial institutions, issuers and retailers need to enlist customers in the fight against fraud, educate them on prevention best practices, and reassure them of policies should fraud occur.  Maintaining customer satisfaction, loyalty and preserving wallet share can be achieved by communicating with and enlisting the customer in the fight against fraud”.

The ACI press release can be found here.

.

Four Things You Need to Know About Risk Analysis

Guest Blog: IDexperts Chris Apgar.

Every privacy professional knows that risk analysis is a foundation for successful information privacy and security, just as flossing your teeth is a foundation for good oral health. If you’re in healthcare, you also know that risk analysis is one of the five core Office for Civil Rights (OCR) “culture of compliance” requirements, and a prerequisite to receiving “meaningful use” dollars for implementing electronic health records (EHR). But what you may not know, according to nationally recognized information security expert and former HIPAA Compliance Officer Chris Apgar, is that compliance is not the biggest reason for conducting ongoing risk analysis. The biggest reason is that it can save your business.

OCR audits are proceeding, and failure to conduct risk analysis can result in a finding of “willful neglect” with penalties up to $50,000 per incident and up to $1.5 million per calendar year for the same type of violation (and any such finding will typically involve multiple types of violations). That risk, alone, justifies the cost of conducting risk analysis. A thorough risk analysis also provides a strategic roadmap for security spending, but Apgar says that even now, when he speaks to groups about medical data privacy, only about 1/3 of all healthcare organizations that are not seeking “meaningful use” dollars indicate that they’ve conducted risk analysis, and he points out that this is dangerous because by deferring the analysis, they may fail to identify other risks such as lawsuits, civil penalties, and loss of reputation that could damage or destroy their business.

Here are three other things Chris Apgar says you need to know risk analysis:

  • Confidentiality is not enough. The three pillars of security are confidentiality, availability, and integrity, and risk analysis needs to account for all of these. Yes, you want to prevent data breach, but that’s not enough. For example, what happens if a patient is in critical care, systems go down, and doctors lose access to critical information they need to make medical decisions?  Data corruption can be even more serious because if doctors unknowingly make bad healthcare decisions based on corrupt information, lives can be lost.
  • Technical security is not enough. Apgar says that, too often, when an organization looks at risks, they look only on the digital side, but PHI risks extend far beyond technical infrastructure. You need to look at every place where PHI lives, in any form, and everyone who touches it. For example, encryption can mitigate risk  in case of a security related incident involving electronic records, but  you can’t encrypt paper.  So if paper records are lost, by definition, that’s a security incident and potentially a reportable breach. People and process risks also have to be assessed as part of the security plan. One privacy officer that Apgar worked with pointed out that he and other compliance professionals in the organization had to be considered as organizational assets and as liabilities, because at that time, they were the only ones who knew how to respond in case of an incident, and if they were unavailable, the organization would be at risk.
  • There’s more than one way to become a covered entity. A new Texas healthcare privacy law goes into effect this month. Apgar says that, in addition to non-compliance penalties over and above the federal, it has a broader definition of covered entities.  Under the Texas law, if an organization handles any sort of electronic healthcare information, no matter its role in the healthcare system, it is covered by the new privacy requirements and considered a covered entity. So, for example, a small dental practice that transmits HIPAA covered transactions in Texas is now a covered entity under Texas law.  In addition, business associates and subcontractors could now face non-compliance fines from both OCR and state of Texas. Other states, including California and Massachusetts, also have high levels of regulation around healthcare information. A thorough and ongoing risk analysis program is necessary to keep organizations of all sizes abreast of new risks and requirements at state and federal levels.

Apgar has a number of practical recommendations for conducting risk analysis.

  • Successful risk analysis begins with a thorough inventory that accounts for all assets: digital, physical, and human. He points out that you need that inventory, anyway, to create a disaster recovery plan, and that keeping that inventory current makes the initial risk analysis and updates relatively simple because you have a baseline to work from.
  • Think of things inside the organization that can hurt you. “Threats” are unpredictable outside factors such as natural disasters and hackers that require response plans, but there are “vulnerabilities” that you can address to head off trouble. For example, you can help preventing network attacks by putting in place a process to ensure security patches are always kept up to date.
  • The risk analysis needs to rate risks both in terms of likelihood and in terms of potential harm or impact. For example, tsunamis are unlikely in Oklahoma so they don’t need to be part of an Omaha hospital’s disaster recovery plan, and unauthorized access to one patient record showing on a computer screen is likely to cause far less damage than a stolen computer full of patient records in lab’s business office. Once you’ve made a reasonable assessment of the likelihood and potential impact, it will become clear how best to spend your security budget and resources.
  • Don’t stop with the risk analysis. Meaningful use requires risk analysis, documentation, a mitigation plan, and implementation of a risk management program. Whether or not your organization is seeking meaningful use dollars, knowing about a risk offers little protection if you don’t act on the knowledge and implement steps to manage risk throughout the year.
  • If you bring in experts to conduct a risk analysis or to help your staff conduct one, look for someone who has done this before in healthcare and who has a track record with your type of healthcare business. Make sure their products and services address more than just technical security, and check references, of course, but also ask colleagues about their reputation. Word travels fast in the healthcare industry, and word on the street may tell you things that you won’t find out in a reference check.

Chris Apgar says the most critical thing to realize about risk analysis is that it stretches beyond what the regulations require. “There are so many other risks: the risk of being sued, of losing your practice, of causing harm to your patients. Yes, doing risk analysis costs time and money, but not doing it is a good way to lose more money or lose your business.”

.

Counting the cost of e-crime to retailers. Actually it’s £205.4 million a year.

The British Retail Consortium (BRC) has released the findings of their first e-crime study. The study is based on responses to a quantitative survey conducted between April and May 2012. Respondents were members of the BRC drawn from a selection of key retailing types including supermarkets, department stores, fashion, health and beauty and mixed retail. The retailers questioned constitute around 45 per cent of the UK retail sector by turnover.

The headline finding is the total cost of e-crime to the retail sector was £205.4 million in 2011-12

This estimate comprises three main components:

1. E-crime Overall. The UK retail sector lost £77.3million as a result of the direct costs of e-crime.

2. Security Data, provided by retailers questioned in this survey suggests that, in 2011-12, at least £16.5 million was spent by the retail sector to provide better protective security for customers against e-crime. This figure excludes payments to banks for systems such as 3D Secure and ‘chargebacks’.

3. Lost Revenue. Estimated losses in revenue experienced as a result of legitimate business being rejected through online fraud prevention measures came to £111.6 million in 2011-12.

The key components making up the direct costs of e-crime were:

  • Identification-Related Frauds such as account takeovers which were the most costly variety of online fraud for retailers, resulting in at least £20 million of losses in 2011-12
  • Card and Card Not Present Frauds which were the next most costly variety, resulting in a minimum of £15 million of losses to the sector in this period
  • Refund Frauds which produced £1.2 million in known losses

The costs of e-crime to the retail sector are further inflated by the need to guard or restore systems against other kinds of threat such as malware, Distributed Denial of Service (DDoS) attacks or hacking. Since retailers do not yet collect precise data on this type of compromise to their systems, the research was unable to derive an overall cost estimate for these losses.

However, the research did find that repairing or restoring systems after DDoS attacks alone now costs up to £100,000 on average. Once these other varieties of threat are factored in, the true cost of e-crime to the retail sector is likely to be far higher than the estimate provided above.

E-Crime – The Emerging Threat

  • The most common fraud experienced by retailers in 2011-12 was Card Not Present fraud, with nearly 80% of UK retailers questioned in the survey stating that this was now common or very common.
  • Identification-Related Fraud was the second most common category with around 50% of retailers saying that the use of false identification was now a common or very common tactic in attempts to defraud their online systems.
  • If other misuses of personal identification (such as account-takeover frauds) are included under the heading of Identification-Related Fraud, then this emerges as the most prevalent category – with around 78 per cent of UK retailers reporting such frauds to be common or very common.
  • Increased threats to e-commerce were also found to be linked to disruptions caused by attacks upon online trading systems. For example, over 20% of retailers reported that Distributed Denial of Service (DDoS) attacks caused serious or very serious disruptions to their systems in the period surveyed.
  • Phishing appears to be a particular problem for UK retailers, with some respondents indicating that a single phishing attack within the period surveyed could have cost the company concerned up to £2 million to deal with. The negative impacts of phishing upon retail reflect a global trend which has indicated that, after US companies, UK brands and companies are now the second most targeted globally (RSA 2012). Find a link to 10 RSA monthly summaries at the bottom of the post.
  • Although more sophisticated attacks like phishing or hacking are often carried out by perpetrators from outside the UK, retailers questioned in this survey suggested that the majority of frauds continue to be perpetrated domestically. Retailers reported that around 86% of attacks originate within the UK
  • The extent and sophistication of the threat is likely to be due to the high level of online sales in the UK.
  • 75% of respondents reported that over 80 per cent of their sales occurred in the UK. Nevertheless, the research found that retailers were often unclear about the breakdown between UK and foreign originated e-crime perpetrated against them.
  • When combined with the difficulties retailers face in tracing the origin of e-crime and the lack of intelligence from law enforcement, the level of e-crime originating outside the UK is likely to be far higher than the estimates provided in this research.

Managing e-crime – Security and Effectiveness

  • 8% of the current losses from e-crime relate to security costs, with the survey indicating that firms across the retail sector spent at least £16.5 million on internal and external security provision.
  • The most significant component of this figure was staffing security systems which cost the sector at least £10.5 million in 2011-12.
  • Investment in security technology amounted to around £6 million for the same period.
  • Online security is managed through both internal and external provisions with third party screening continuing to be the most common, and most expensive, option. The data was not sufficiently robust to enable an overall projection of costs for outsourcing security provision to third parties. However some respondents indicated that this could be as high as 7 pence per transaction.
  • 71% of respondents supplemented third party screening with other automated methods of security such as 3D Secure.
  • 71% of retailers were also deploying the Address Verification System (AVS).
  • 78% of respondents stating that they use customer order history to make online purchases more secure.
  • 64% of respondents also contact the customer or card issuer directly to verify the details of a purchase.
  • 50% of respondents were contemplating investment in new methods or technologies in the future.
  • This increasing expenditure will inevitably lead to higher costs than those outlined within this research.

Law Enforcement Responses and Government Support

Respondents highlighted a number of concerns around the policing of e-crime with the survey finding uniformly low levels of satisfaction with current police responses to retail e-crime.

  • At least half of retailers said they were dissatisfied with current responses
  • Over a quarter of the total expressing strong dissatisfaction
  • 14% indicated that they were very satisfied with current law enforcement support

The reason for such low levels of reporting and satisfaction was that e-crime is not considered to be a priority by many police forces. There were also concerns that national units such as the National Fraud Intelligence Bureau or the Police Central e-Crime Unit (PCeU) do not have the resources or capacity necessary to carry out further investigations.

The research found that there were significantly low levels of reporting.

  • 60% of retailers questioned said they would be unlikely to report any more than 10% of e-crimes to the police. This was largely due to retailers’ concerns with the law enforcement approach to policing e-crime offences.

Of the frauds that were reported to the police, Card Not Present Frauds were the most common

  • 36% of respondents indicating that these would be reported
  • 14% said that they would report other kinds of fraud such as Credit Fraud (by Account Takeover).

Retailers also raised the need for greater government support

  • 57% of respondents expressed strong or moderate dissatisfaction with current support from government
  • Many retailers felt that there was scope for government to offer more support to UK businesses by informing them about potential threats to their business and providing guidance or advice on how best to mitigate these threats

British Retail Consortium Director General Stephen Robertson, said:

“The rapid growth of e-commerce in the UK shows it offers great benefits for customers but also new opportunities for criminals.

“Online retailing has the potential for huge future commercial expansion but Government and police need to take e-crime more seriously if the sector is to maximise its contribution to national economic growth.

“Retailers are investing significantly to protect customers and reduce the costs of e-crime but law makers and enforcers need to show a similarly strong commitment.

“This first comprehensive survey assessing the make-up and scale of e-crime shows where efforts need to be directed.

“Law enforcement and the Government need to work with us to develop a consistent, centralised method for reporting and investigating e-crime and resources must be directed to e-crime in line with the emerging threat. This will encourage retailers to report more offences and allow the police to better identify and combat new threats.”

Find 10 monthly RSA Online Fraud report summaries here.

.

Consumers express their opinions of Data Breach Notifications

Ponemon Institute have released an Experian® Data Breach Resolution sponsored survey into what consumer think about Data Breach Notifications, titled 2012 Consumer Study on Data Breach Notifications.

I have made a summary of the survey below.

Consumers in the Ponemon and Experian joint study believe data breach notification is important under certain conditions

  • 85% believe notification about data breach and the loss or theft of their personal information is relevant to them
  • 57% say that they want to be informed only if the organization is certain that they are at risk
  • 58% say that if they remembered the notification it failed to explain all the facts and “sugar coated” the message

The trustworthiness of an organization is linked to the efforts it makes to protect personal information

  • 83% of respondents believe organizations that fail to protect their personal information are untrustworthy
  • 82% believe the privacy and security of their personal information is important

Following a data breach, consumers believe organizations have obligations to provide compensation and protect them from identity theft

  • 63% say organizations should be obligated to compensate data breach victims with cash, their products or services
  • 59% believe a data breach notification means there is a high probability they will become an identity theft victim. As a result, 58% say the organization has an obligation to provide identity protection services and 55% say they should provide credit-monitoring services.

Most consumers recall receiving a form letter and more than one notification

  • 65% of consumers say they have received at least one notification
  • 35% recall receiving at least three In 2005, 91% said they received only one
  • 62% of consumers say the notification was a form letter 19% who say it was a personal letter.

Most consumers do not believe the organizations that sent them notifications did a good job in communicating and handling the data breach

  • 72% of consumers were disappointed in the way the notification was handled
  • 28% say the organization did a good job in communicating and handling the data breach

A key reason for the disappointment is respondents’ belief that the notification did not increase their understanding about the data breach. In fact, since 2005 respondents are more in the dark about what happened with their data.

  • 41% of respondent say their data was most likely stolen
  • 37% say they have no idea what the data breach incident was about
  • This is an increase from 37% in 2005 who said their data was most likely stolen and 28% of consumers who said they had no idea what the data breach incident was about
  • 51% say their customer or consumer information was stolen
  • 21% who say it was their financial information such as credit card/debit card account numbers
  • In 2005 86% said it was their customer or consumer information 10% said it was employee records
  • 44% of consumers do not know the specific data that was lost or stolen which makes it more difficult for them to take steps to protect themselves from further harm. Those who do know say the following were most likely to have been lost or stolen: name, credit card or bank payment information and Social Security number.

Personal data respondents worry most about if lost or stolen

  • 48% Email address
  • 48% Health plan provider account number
  • 48% Taxpayer ID number/Employer ID number
  • 52% Telephone or mobile number
  • 53% Driver’s license number
  • 57% Credit or payment history
  • 65% Credit card or bank payment information
  • 65% Prescriptions
  • 68% Social media accounts/handles
  • 89% Social Security number
  • 92% Password/PIN

Consumers say key facts about the breach are missing in most communications. 67% say the notification did not provide enough details about data breach.

The majority of consumers (51%) would like to have more information about how the organization will protect them to minimize the harm to them and their family. This is consistent with the 2005 study.

How the data breach may affect them and their family decreased significantly from 40% of respondents in 2005 to 24% this year. Identity protection or credit monitoring services and steps to take to protect their personal information were included for the first time in this year’s study and were significantly lower than the first choice about protections to minimize the possible negative consequences of a data breach.

Notification letters are increasingly perceived to be junk mail, according to many consumers

  • 36% say they thought the data breach notification letter looked like junk mail This is an increase from 15% in 2005
  • 34% say it was an important communication, this is a significant decrease from 51% in 2005

If they thought it looked like junk mail

  • 63% of respondents recommend that the notification provide the names of individuals they can contact if they have questions or concerns
  • 54% say the notification should be personalized
  • 50% suggest making a phone call or email alerting them to the notification

Customer loyalty is at risk following notification. In response to being notified by an organization

  • 15% say they will terminate their relationship
  • 39% say they will consider ending the relationship
  • 35% say their relationship and loyalty is dependent upon the organization not having another data breach

Only a small percentage of respondents in both studies do not blame the organization reporting the data breach. Further, respondents’ reactions to a breach have not changed significantly in the past seven years.

As in the previous finding, data breaches diminish customer loyalty and trust and this has not changed much since 2005. The study reveals that 62% say the notification decreased their trust and confidence in the organization Only 30% say it had no affect on their trust and confidence.

Since 2005, data breach notifications have not become easier to understand with 61% of consumers have problems understanding the notification An increase from 52% in 2005.

The biggest improvements that could be made would be to explain the risks or harms that they are most likely to experience as a result of the breach and to disclose all the facts.

The believability of data breach notifications has declined

  • In 2005, 61% say the message was believable
  • This has decreased to 55% in 2012

Scepticism about the content of the notification has increased since 2005. Of the 45% who say it was not believable, 51% say the message did not tell them about the harms or risks they will likely experience. This is an increase from 37% who believed this in 2005. In addition, perceptions that the organization is hiding key facts about the data breach have increased from 37% to 44%,

Respondents are just as worried today as they were in 2005 about the security of their personal information

  • 63% are more worried about the security of their personal information
  • 44% say they have had to spend time resolving problems as a result of the breach
  • Despite concerns about identity theft and other harms, almost half (49%) are doing nothing to protect themselves

Consumers are, however, more cautious about sharing personal information with the organization that had the breach (45%) and 35% are more cautious about sharing information with all organizations.

Ponemon’s Conclusion

Consumers in our study believe the privacy and security of their personal information is important. Organizations that do not provide adequate safeguards are considered untrustworthy. Further, typical responses to a data breach notification are to immediately discontinue the relationship with the organization that had the breach, to consider discontinuing the relationship or to continue the relationship only as long as another breach does not occur.

One of the goals of this research is to determine if consumers’ perceptions about data breach notification have changed since 2005 when we conducted the first study about this topic. Based on the findings, improvements need to be made to both how the notifications are delivered and the information that is communicated to victims of the data breach.

These include

  • Making the notification easier to understand by making it shorter with less legalese
  • Eliminating the perception that the notification is junk mail by providing names that can be contacted if there are questions or concerns, personalizing the message and making a phone call or sending an email in advance of sending the notification
  • Providing specifics about the incident that explain the cause of the breach and the type of data that was lost or stolen so the victim understands what the data breach is all about
  • Assuring the victims that the organization will take steps to protect them from identity theft and other negative consequences

Most of the consumers who responded to the survey cannot recall if they received notification. We conclude that despite their concern about privacy and security, consumers are not paying attention to the notices. They also are not being proactive about preventing identity theft following notification. Instead, they believe it is the obligation of the organization to fully explain the potential harms they are likely to experience and to take steps to reduce the risk of identity theft.

In many instances, when organizations have a data breach the notification process is a matter of sending out a form letter. As shown in this study, communicating the circumstances of the data breach can influence customer loyalty, trustworthiness and reputation. Resources spent on personalizing the message, offering assistance to reduce the likelihood of identity theft and future harms and providing specific information about the incident may help organizations avoid the risk of losing customer trust and loyalty in the aftermath of the data breach.

Read the full report by registering here.

With Breach Notifications to be mandatory in the not so distant future it would be worth reading my review of the proposed European Data Protection Act here.

UK Card Fraud losses fall because of technology and risk awareness

The UK Card Association along with the Cheque & Credit Clearing Company, Financial Fraud Action UK and other industry groups has produced their report on UK fraud activities during 2011.

The results released in March 2012 show, Fraud losses on UK cards fell 7% from £365.4m in 2010 to £341.0m in 2011, a ten year low.

The reductions have been attributed to the efforts of the industry to “deter, detect and prosecute fraudsters”.

Card Scheme initiatives have been noted as working, for example:

  • MasterCard SecureCode
  • Verified by Visa
  • American Express SafeKey

Awareness and technology have combined to improve fraud protection by:

  • Offering advice to retailers and consumers
  • Improved the sharing of fraud data and intelligence within the industry
  • Sharing fraud data with law enforcement
  • Chip and PIN equipment
  • Fraud detection tools

Payment Card Industry Compliance was not mentioned in the release but from experience the majority of awareness campaigns, training and policies implementations by Merchants have resulted from the mandates of PCI DSS.

Of interest is the switch in direction by the fraudsters to older fraudulent methods e.g. telephone and cheques, see the exact numbers at the end of the post.

Melanie Johnson, Chair of The UK Cards Association comments:

Driving down fraud and keeping cards safe continues to be a priority for the industry. This is the third year card fraud losses have fallen – clear proof that our endeavours to fight fraud are packing a punch. Customers have also played their part in driving down losses by taking heed of advice about looking after their personal and financial details. Fortunately, they can always be confident that if they are the innocent victim of fraud, they have excellent fraud protection that they don’t get if they use cash.”

DCI Paul Barnard who heads up the industry-sponsored police squad, the Dedicated Cheque and Plastic Crime Unit says:

As technological advances have made our payments more secure, we’ve seen a spike in more simplistic crimes. Many scams involve customers being conned into handing over their cards and PINs, or their telephone banking security details by someone calling, pretending to be their bank or police. Our appeal to the public is to be wary of any unsolicited phone calls or emails. Never hand over your card and PIN or bank security details in full as neither your bank or the police will ever ask you for these.”

UK Fraud broken down by type over the past 5 years is shown below:

Card Fraud Type on UK-issued credit & debit cards 2007 2008 2009 2010 2011 % +/- 10/11
Telephone,   internet and mail order fraud (card-not-present fraud) £290.5m £328.4m £266.4M £226.9m £220.9m -3%
Counterfeit   (skimmed/cloned) fraud £144.30 £169.8m £80.9m £47.6m £36.1m -24%
Fraud on lost or stolen cards £56.2m £54.1m £47.7m £44.4m £50.1m 13%
Card ID theft £34.1m £47.4m £38.2m £38.1m £22.5m -41%
Mail non-receipt £10.2m £10.2m £6.9m £8.4m £11.3m 34%
TOTAL £535.2m £609.9m £440.0m £365.4m £341.0m -7%

See a summary of the 2010 figures here.

.

Data Protection & Breach Readiness Guide

The Online Trust Alliance (OTA) has release it’s 2012 Data Protection & Breach Readiness Guide, a comprehensive guide outlining key questions and recommendations to help businesses in breach prevention and incident management.

This post is a summary of their results and guidance.

Craig Spiezle, Executive Director and President of the Online Trust Alliance said

Last year, more than 125 million people were affected by data loss incidents. Combined with the increased awareness of these high visibility incidents and aggressive data collection and sharing practices, consumers’ trust and online confidence is under attack. By following the recommendations in this guide we have an opportunity to enhance online trust and promote the vitality of the internet”

Rob McKenna, Washington State Attorney General and 2011-12 President of the National Association of Attorneys General said

“Today’s consumer is often aware of when their personal data is collected and wants to ensure that businesses protect it. The Online Trust Alliance’s resources are a valuable tool for businesses committed to ensuring customers’ privacy and security”

John Roberson, Executive Director, Small Business Development Resource Center, Chicagoland Chamber of Commerce said

“Businesses need to look holistically at data privacy and ask, ‘What is the compelling business reason to keep customer data?’ When you have a data incident, the more data you have stored – and compromised – the more damaging it can be for both the individual and the company. The OTA guide gives key insights into questions that companies need to ask themselves to protect their customers and delivers information for any business developing, implementing, or updating their privacy policies and notices”

“The Internet has become the land of opportunity for scams and, unfortunately, we see thousands of them every year,” notes Genie Barton, Vice President of the Council of Better Business Bureaus and director of its Online Behavioral Advertising Program. “Consumers need assurances that they can trust the companies they do business with to secure their data, and the OTA Data Protection & Breach Readiness Guide is a great tool to help businesses protect themselves and their customers. BBB is happy to recommend it to businesses large and small, and we are delighted to help build a safer Internet for all by supporting excellent initiatives such as this guide.”

The 2012 Guide recommends that businesses need to accept three fundamental truths about data:

  1. The data they collect includes some form of Personally Identifiable Information (PII) or “covered information”
  2. If a business collects data it will experience a data loss incident at some point
  3. Data stewardship is everyone’s responsibility

2011 incidents, the highlighted statistics:

  • 558 breaches
  • 126 million records
  • 76% server exploits
  • 92% avoidable
  • $318 cost per record – an increase of over $100 per user record from 2009
  • $7.2 million average cost of each breach
  • $6.5 billion impact to U.S. businesses

The 558 incidents were recorded by the Privacy Rights Clearinghouse (PRC) and the Open Security Foundation reported and were broken into specific sectors, details below:

  • Education (schools and colleges) 13%
  • Government agencies 15%
  • Health care providers 29%
  • Business 43%

Compared to 2010, the sectors with the highest percentage change were:

  • Healthcare with an 11% increase
  • Business incidents decreased by 13%

In Verizon’s 2011 Data Breach Notification report, 50% of all data breaches were through hacking (up 10% over 2010) and 49% incorporated malware (up 11% over 2010). Most alarming is that 96% were avoidable through simple steps and internal controls.

The implications of a breach to the organization can be grave, for example:

  • An employee of Massachusetts General Hospital left 192 patient records on a subway, the hospital was fined $1M by the US Health and Human Services
  • The Massachusetts eHealth Collaborative, a 35-person non-profit, experienced a single laptop theft that cost them over $300,000 in legal, private investigation, credit monitoring and media consultancy fees. Employees also spent over 600 hours dealing with the damage that the breach caused to their brand and reputation.

The report offers the following guidance:

Data Incident Plan Framework

An effective Data Incident Plan (DIP) includes a playbook that describes the fundamentals of a plan that can be deployed on a moment’s notice. Organizations need to be able to quickly determine the nature and scope of the incident, take immediate steps to contain it, ensure that forensics evidence is not accidentally ruined and immediately initiate steps to notify regulators, law enforcement officials and the impacted users of the loss.

Risk Assessment/Prevention

To help maximize business continuity, organizations are encouraged to self-audit their level of preparedness by surveying key management leaders the following questions:

  1. Do you know what sensitive information is maintained by your company, where it is stored and how it is kept secure?
  2. Do you have an accounting of all stored data including backups and archived data?
  3. Do you have a map of data workflows both within your organization and your vendors’ organizations to identify points of vulnerability?
  4. Do you have a 24/7 incident response team in place?
  5. Is management aware of the regulatory requirements related specifically to your business?
  6. Have you conducted an audit of your data flows across your company and vendors, including a privacy and security review of all data collection and management activities?
  7.  Are you prepared to communicate to customers, partners and stockholders during an incident?
  8. Do you have access credentials in the event key staff is not available?
  9. Do you have a employee contact list to contact in the event of a breach, and is updated with contact information on a quarterly basis?
  10. Are employees trained and prepared to notify management in the case of accidental data loss or a malicious attack? Are employees reluctant to report such incidents for fear of disciplinary action or termination?
  11. Have you coordinated with all necessary departments with respect to breach readiness? (For example information technology, corporate security, marketing, governance, fraud prevention, privacy compliance, HR and regulatory teams).
  12. Do you have a privacy review and audit system in place for all data collection activities including that of third-party/cloud service providers? Have you taken necessary or reasonable steps to protect users’ confidential data?
  13. Do you review the plan on a regular basis to reflect key changes? Do key staff members

The report identifies 19 steps that are required by an organisation if they are to be effectively prepared to handle a data breach:

  1. Data Classification
  2. Audit & Validate Data Access
  3. Forensics, Intrusion Analysis & Auditing
  4. Data Loss Prevention Technologies
  5. Data Minimization
  6. Data Destruction Policies
  7. Inventory System Access & Credentials
  8. Creating an Incident Response Team
  9. Establish Vendor and Law Enforcement Relationships
  10. Create a Project Plan
  11. Determine Notification Requirements
  12. Communicate & Draft Appropriate Responses
  13. Providing Assistance & Possible Remedies
  14. Employee Awareness & Readiness Training
  15. Analyse the Legal Implications
  16. Funding & Budgeting
  17. Critique & Post Mortem Analysis
  18. Implement Steps to Help Curb Misuse of Your Brand, Domain & Email
  19. International Considerations

The complete OTA  guide is available here.

.

Students are concerned that information online might affect their careers

42% of Students are concerned that personal information available about them online might affect their future employment prospects, the Information Commissioner’s Office (ICO) said, as it launched its 2011 Student Brand Ambassador campaign.

New figures also show that many students are not adequately protecting themselves against the risk of identity theft.

  • 33% students who have lived at a previous address while at university still haven’t arranged the redirection of all their important post to their current university address
  • 76% haven’t checked their credit rating in the last year
  • 66% have never checked it, allowing suspicious credit applications to go unnoticed

The ICO has launched its 2011 Student Brand Ambassador Campaign, a nationwide project aimed at raising young people’s awareness of information rights.

Students at 15 universities across the UK, including Manchester, Cardiff, Edinburgh and Ulster, have been recruited to promote the ICO’s work on campus. Tasks involve spreading the word using social media, generating local media coverage and doing promotional work.

Information Commissioner, Christopher Graham, said:

“In tough times, young people are clearly less relaxed about privacy, particularly in relation to information that they post online – but many may not know what they can do about it. The Student Brand Ambassador campaign is about arming students with the advice they need to protect themselves from obvious dangers such as identity theft and keeping their social lives private. It’s about empowering young people to take back control of their information and I hope the campaign is embraced by students at universities across the UK.”

All figures, unless otherwise stated, are from YouGov Plc.  The survey’s total sample size was 500 full time university students. Fieldwork was undertaken between 14 and 17 October 2011.

.

The 10 Ten Early Warning Signs Of Fraud In Organisations

After completing a survey on the activities of the National Fraud Authority (NFA) UKFraud.co.uk has offered advice on how to minimise the impact of fraud.

Ten Early Warning Signs Of Fraud In Organisations
1. Erratic reporting
Erratic, incomplete, late or excuse laden management reporting is often a classic sign that something is wrong. One of the possibilities is the existence of fraud. Further investigation will reveal common excuses used are often the frequent occurrence of IT failures, technology compatibility issues between different company systems or international systems. Act: Insist on up-to-date reporting. Wherever appropriate adopt an enterprise-wide approach to technology to help with systems issues.

2. Apparent Process Laziness
A weakening of anti-fraud and data security systems can happen naturally, over time; and is normal – especially when things get busy. However, with the seemingly right processes in place, top level management are often lulled into a false sense of security that they are actually being used, whilst the fraudster is busy at work getting around them. Act: Make sure you implement the suggestions of your internal compliance managers. Where systems/processes are under pressure when used in practise, introduce a review process – and then adapt them promptly.

3. Organisational change and the desire to dump data
A major indicator can be the act of deletion or pressure on staff to delete, remove or otherwise dump past records following a restructure. An excuse of, “oh I’m sorry those files were destroyed.” should be cause for alarm. Act: Take care to establish and log where paper documents are and when they should and should not be stored. Identify who is in control of the system processes and who is responsible for and has ownership of the records.

4. Data Inconsistencies
Whether it is archive data or cross reference checks that are missing or wrong; factual inconsistencies will also occur naturally. The cheats who seek to defraud an organization will use the possibility to explain such inconsistencies and hide their fraud. Act: Make sure that all files are electronically stored, with appropriate back-ups as part of your compliance systems and that no-one has the access to any files that include a DELETE capability.

5. Audit-Time Delays
Excuses, confusion or wild goose chases when disclosing to auditors, be they internal or external, can be a telltale sign too. We need to remember though that the audit team is not there to find fraud, rather to ensure that the correct processes are in place that will deliver appropriate protection. Act: Ensure that everyone treats audits as important and make sure that they are completed on time and properly, and with appropriate audit skills. Make sure that the business critical and financial exposure areas take a priority and act upon all failings both quickly and completely; with follow-up audits if necessary.

6. Behaviour Abnormalities
These can range from acute defensiveness and resistance to attending review meetings, through to blaming strategies or even aggression when specific questions are asked about processes or figures. Research shows that internal fraudsters are most likely to be either ‘youngsters who cut across the processes and systems’ or ‘middle aged executives with the authority and a gripe’. Act: Get HR more closely involved. Then if you still have concerns about such people upon closer inspection, all the relevant files need to be pulled and checked.

7. Gossip Mongers in overdrive
Staff whispers and rumours “that all is not right” should always be taken seriously. These are, however, so often overlooked by senior management. Act: Listen, take all such rumours seriously and investigate the reality.

8. Twitchy Non-Execs
Good non-execs provide a considered, independent and external perspective. Often they bring in specific expertise from outside the board’s immediate experience and their skills can vary from financial knowledge through to IT. When their comfort factor ‘goes south’ or when they have a ‘bee in the bonnet’ about something that does not add up or make sense, they often have good reason to worry. So must you. Act: It is always good for the business to maintain a fresh supply of new thinking, new approaches and new concerns. Thus if non-execs have concerns about particular issues, one should allow them to bring in the appropriate specialist experts that can investigate matters more deeply.

9. Unofficial IT Work
Technical staff working around the enterprise conducting unsupervised IT activity often outside normal hours, can also be a worrying sign, both from a risk and a cost perspective. Not every company is large enough to have a full IT department that might spot such issues through system audit trails. Act: Do the IT security staff look and think further than just password expiry issues? Make sure that someone is on the look out for data-theft, IPR theft, time theft (people spending all day on facebook etc.), or simple theft of IT assets. Make sure you have a proper asset register and IT audit system in place.

10. Scapegoating
Where people are given a title but without actual responsibility, it can effectively cover up what is going on with those who do have responsibility or power in a situation. The fraudster’s hope is that should the balloon go up the scapegoat takes the blame, at least long enough for records to be destroyed and evidence removed. Act: Make sure that you have strong and cascaded accountabilities. Ensure that people know what they should be doing, and that they are doing what is required of them. Make sure that everyone is contributing to the business objectives. Make sure HR is involved in creating or reviewing job specifications.

.

Advice for Small Businesses on how to avoid Identity theft

The Identity Theft Council (ITC) has recently issued a press release promoting Identity Theft awareness and offered advice on how to avoid the problem.

They quote from a Javelin Strategy & Research study found that fraud suffered by

  • Small Business Owners (SMBO) totaled an $8 billion
  • Banks, merchants and other providers absorbed at least $5.43 billion of that loss
  • The cost to victims was $2.61 billion

According to the U.S. Small Business Administration, the small business represents more than 99 percent of all U.S. businesses, and of the estimated 27 million small businesses, more than 21 million are sole proprietors. The ITC concluded that small business were ideal candidates for identity theft.

“The ITC works with individual identity theft victims and small business owners to educate them about identity theft and to provide resolution services,” said Neal O’Farrell, Executive Director of the Identity Theft Council (ITC), and security expert. “Unfortunately, small business owners are being targeted more today than ever before due to the criminals ability to easily access important information and go undetected.”

Identity Theft Council Tips for Preventions and Detection:

  • Write a security plan. Security starts with a plan. A plan can be as simple as the security rules, guidelines, and goals for your business, and the consequences for ignoring them. A plan is also an easy way to help you remember your security priorities.
  • Do an inventory of your data. Data is what the thieves want, whether its customer account or credit card data, employee Social Security numbers, or even databases of target customers. If you don’t know what data you have in your business, or where it is, then you can’t effectively protect it.
  • Train your employees. Enlist every employee, family member, partner, and contractor as a vigilant sentry so that every stakeholder understands how to protect their corner of cyberspace. Most thieves will target the weakest link, and that’s usually a careless or untrained employee.
  • Guard your business accounts well. As a business owner you don’t enjoy the benefits of zero liability, so if your account is emptied by crooks, the bank won’t bail you out.
  • Restrict employee and insider access to data. For everyone’s safety employees should only have access to the data they need to do their job. And that access should also be monitored.
  • Be especially wary of banking Trojans. These highly sophisticated programs can easily creep on to your computers, steal banks logins and passwords, and quickly empty your bank accounts.
  • Monitor your bank accounts and credit cards constantly. These can often provide the earliest warning that thieves have obtained your account information and have started to use it. Most financial institutions provide free instant alerts to warn you about any unusual account activity.
  • Be wary of business identity theft, too. Business identity theft is a growing problem, and it involves criminals using publicly available information about your company to pretend to be the legitimate owners of your business so they can take out substantial loans and leave you to clean up the mess. An easy precaution is to regularly Google your business name for any clones.
  • Use the available technologies. As a small business owner you have many choices when it comes to protecting your employees, your computers, and your data from cyber thieves. And some of the best tools are free. So make sure every computer in your business is locked down with layers of security technology.

“As a co-founder of the Identity Theft Council, Intersections believes in helping victims of ID theft find resolution, and in educating the community about how to protect themselves from the crime,” said Michael Stanfield, Chairman and CEO of Intersections Inc. “Small business owners are a unique group of victims that straddle between the consumer and business world, and are a prime target for criminals.”

Find the ITC website here

.

Card fraud and online banking fraud down, but cheque and phone banking fraud up

New figures released on the 5th October 2011 show that fraud losses on UK cards decreased in the first half of 2011 compared with the same time last year, as did fraud on online bank accounts. However, cheque fraud and fraud on phone banking accounts increased over the same period.

Total fraud losses on UK cards fell to £169.8 million

Between January and June 2011 a 9 per cent reduction compared with losses in the first half of 2010. This half-year total is the lowest for eleven years and also the third consecutive decrease. The sustained fall is due to the success of a number of industry initiatives such as the increasing use of fraud detection software, the roll-out of updated chip cards and the increasing roll-out of chip and PIN technology abroad. Lost and stolen card fraud losses rose slightly, increasing by £4.4 million. Initiatives such as chip and PIN have made it harder to commit ‘high-tech’ frauds, and criminals are instead reverting to more basic frauds centred around stealing people’s cards and PINs. These scams range from distracting people in shops or at cash machines and then stealing their cards without them noticing, to simply tricking them into handing over their cards and PINs on their own doorstep.

Online banking fraud losses totalled £16.9 million

During January to June 2011 a 32 per cent fall on the 2010 half-year figure. A variety of factors have contributed to the decrease in online banking fraud, including increased customer awareness of computer security combined with banks’ use of fraud detection software.

Phone banking fraud losses rose to £8.6 million

A 48 per cent increase during January to June 2011. As with card fraud, criminals are focusing on the straightforward crime of duping a customer into believing they are dealing with a bank or police representative and getting them to disclose their financial security details, such as PINs, passwords and login details, which the criminal then uses to access the customer’s bank account over the phone.

Cheque fraud losses increased

Cheque fraud losses increased from £14.0 million in the first half of 2010 to £16.4 million during the same period in 2011. Although this is a 17 per cent increase, the overwhelming majority of this type of fraud is stopped before the cheque is paid. In fact, more than £254 million of attempted cheque fraud was spotted and stopped during the clearing process in the first half of this year.

DCI Paul Barnard, Head of the Dedicated Cheque and Plastic Crime Unit (DCPCU), the special police squad which is sponsored by the banking industry and has an ongoing brief to help stamp out organised payment fraud across the UK, said:

Losses are appreciably lower than they were a few years ago and everyone involved in tackling fraud has reason to be encouraged by this and that includes bank customers who, as their own front-line of defence, have certainly played their part too.

“However, there has been an increase in old fashioned scams criminals using distraction techniques and social engineering methods to get hold of people’s cards or phone banking details. We are urging everyone to be on their guard. Your bank or the police will never cold call you or email you and ask you for your login details, cards or PINs. If anyone does, they are probably  a criminal, so hang up the phone or delete the email.”

Card Fraud Type – on UK issued credit and debit cards Jan-June 2007 Jan-June 2008 Jan-June 2009 Jan-June 2010 Jan-June 2011 +/- 10/11
Phone, internet and mail order fraud (Card-not-present fraud) £137.0m £163.9m £134.0m £118.2m £109.2m -8%
Counterfeit (skimmed/cloned) fraud £72.3m £88.8m £46.3m £28.2m £18.0m -36%
Fraud on lost or stolen cards £30.7m £26.8m £25.1m £21.3m £25.7m 20%
Card ID theft £18.7m £19.5m £23.9m £15.0m £11.5m -23%
Mail non-receipt £4.9m £5.3m £3.5m £3.8m £5.4m 42%
TOTAL £263.6m £304.2m £232.8m £186.8m £169.8m -9%

The release places some of the success on fraud detection solutions and Chip and Pin but lets not underestimate the impact of the improved focus on IT Security which is being enforced by compliance and regulatory requirements like PCI DSS and the Data Protection Act.

.

The majority of adults are worried about possible exposure of their personal information

According to SailPoint’s Market Pulse Survey, the majority of adults in the United States, Great Britain and Australia are worried about possible exposure of their personal information, and a large percentage of adults have lost confidence in how companies protect their personal information. As an example, 80% of Americans, 81% of Britons and 83% of Australians who have personal medical information are concerned about moving that information to an electronic form because of the risks of identity theft or invasion of privacy resulting from their personal information being exposed on the Internet, to other staff members or even their employers. The frequent incidence of data breaches is reflected in the fact that many adults think they have become commonplace at financial institutions and retailers: 12% of Americans, 8% of Britons and 8% of Australians believe these breaches happen all the time.

The widespread impact of data breaches like Epsilon and Sony PlayStation, where millions of consumers were impacted around the world, is making customers more cautious about conducting business with certain financial institutions and retailers,” said Jackie Gilbert, vice president of marketing and co-founder at SailPoint. “These companies obviously spent millions to recover from these data breaches, but the longer term and harder-to-measure costs will be the erosion of customer loyalty and decline in brand perception.”

The Market Pulse Survey indicates that a security breach at a financial institution or retailer can severely impact customer loyalty. Case in point: 16% of Americans, 24% of Britons and 26% of Australians said they would no longer do business with a bank, credit card company or retailer if a security breach occurred that potentially exposed their personal and financial information to theft. Within these groups, 10% of Americans, 14% of Britons and 16% of Australians would not only not do business with that organization, but also would tell their family and friends not to do business with that same organization.

In all three regions, the growing use of electronic medical records is a main concern because adults believe that having healthcare organizations manage their personal data electronically exposes them to more threats. Specifically, of the adults in these countries who have personal medical information: 29% of these Americans, 26% of these Britons and 30% of these Australians are most concerned that medical records being made available electronically might result in those records being exposed on the Internet. 35% of these Americans, 33% of these Britons and 37% of these Australians are most concerned about the use of their private information being used to steal their identity. Finally, 10% of these Americans, 14% of these Britons and 11% of these Australians are most concerned about staff members not directly related with their care being able to view their private data.

Consumers have reason to be concerned about the safety of their personal information and to question how effective organizations are at protecting that information,” continued Gilbert. “In some widely publicized cases, the very basics of user access control were not put in place to safeguard sensitive data, making it child’s play for intruders to gain access to it. SailPoint is working with some of the largest financial services, retail and healthcare organizations around the world to ensure strong controls over data access. Unfortunately, as this survey shows, there is still a lot of work to do to win back customer confidence in light of the number of bad examples across industries.”

Survey background: SailPoint Market Pulse Survey, conducted online by Harris Interactive, consumers expressed cynicism about how these organizations are protecting their data and a willingness to leave a business that experienced a breach. The recent online survey was conducted among 2,241 adults in Great Britain, 1,023 adults in Australia and 2,309 U.S. adults. SOURCE: SailPoint

.

Test your IT Security and ID Theft Knowledge

KENZ
Image via Wikipedia

Preparation is often the best way of ensuring you have the right protection.

The Consumer Federation of America have worked to put together some excellent quizzes that will help you understand the potential impact of an Identity Theft and several IT Security threats and risks.

Test your Identity Theft knowledge by participating in any or all of the following Identity Theft Quizzes.

  1.  Pretend that your identity’s been stolen and learn how to get it back by correctly answering questions in the Federal Trade Commission’s ID Theft Face-Off Quiz.
  2. Learn how to keep your wireless Internet connection secure and fend off intruders by taking the Federal Trade Commission’s Invasion of the Wireless Hackers Quiz.
  3. Don’t let spyware sneak onto your computer to give others a peek at information you enter online. Get wise to the spyware guise by taking the Federal Trade Commission’s Beware of Spyware Quiz.
  4. The techie spy and his cunning crew are out to get your personal information. Stop them cold and prove you’re ready to protect yourself online by cracking the Federal Trade Commission’s Case of the Cyber Criminal Quiz.
  5. You’re in big trouble at work because your laptop’s been stolen and the information on it wasn’t secure. It won’t happen again if you take the Federal Trade Commission’s Mission: Laptop Security Quiz.
  6. Phishers are looking to lure you into providing your personal information with bogus emails and pop-ups. Will you take the bait or live to swim another day? Find out by taking the Federal Trade Commission’s Phishing Scams Quiz.
  7. Identity thieves use many methods to steal your key personal and financial information to sell, use to drain your accounts, or set up new accounts using your good name. How much do you know about identity theft, related fraud, and how to reduce your risks? Find out and have some fun by taking the University of Oklahoma Police Department’s Identity Theft and Fraud Quiz.
  8. Are you at risk for identity theft? Take the Privacy Rights Clearinghouse Identity Theft IQ Test to see how you rate.
  9. Identity theft affects people of all ages, including children. Test your knowledge of child identity theft by taking the Identity Theft Risk CheckSM Quiz, a quiz designed by the National Sheriffs’ Association and the National Foundation for Credit Counseling.

.

An Insurers perspective of Cyber Crime

Beazley, an Insurance Company recently issued a press release on the threat to business from Cyber Crime. Their perspective supports those of the leading IT Security researchers.

Beazley quote some interesting research to support their release:

  • According to a survey by the Identity Theft Resource Center ® of 226 security breaches(1), 44 percent of the victims in the first half of this year (2011) were businesses with assets of under $35 million, which lost in aggregate 3.6 million customer records.
  • Verizon’s 2011 data breach report of 759 occurrences conducted in collaboration with the US Secret Service shows 63 percent of last year’s breaches involved organizations with no more than 100 employees.(2)

Beazley state that most small businesses currently go without insurance coverage due to a variety of misconceptions about the scale of the risk and the scope of their existing insurance protections.

Jamie Orye, an underwriter who manages the US Private Enterprise/Small Business Technology team for Beazley, said: “Cyber criminals view small businesses as easier targets than their larger, more technologically sophisticated counterparts. They have limited resources to protect themselves, and with more modest incomes, these small businesses have more to lose.”

Among the misconceptions frequently relayed to Beazley underwriters by small business owners or their brokers are:

  • The cost of responding to impacted clients is simply a postage stamp per breached record.
  • Our information is well-protected by our IT consultants.
  • Our employees would not act maliciously and know how to protect our data.
  • Security breaches are covered by our general liability policy.

Orye urges small business owners to talk to their brokers to ensure their coverage extends to cover notification costs, which general liability insurance typically does not. Notification costs can be heavy as they must meet the standards prescribed by a bewildering array of state and federal laws.

Firms should also have resources available to conduct proper forensic investigations to ensure they notify clients only when needed.

Orye gave a recent example of a professional services firm that had their server hacked. The firm spent $100,000 on notifying clients that their sensitive data – such as social security numbers – might have been exposed. However, the firm later discovered none of the exposed data fell into this sensitive category.

Firms should also realize they may not be off the hook for a breach just because their data storage and management needs are outsourced. They will need to find out if their IT service providers are covered for data privacy issues,” said Orye.

Beazley’s Reasearch Sources:

(1) The IDentity Theft Research Center can be found here. The quoted research was from 7/5/2011

(2) Verizon Research PDF can he found here.

Beazley’s website can be found here.

.

How to Contact the Credit Reporting Agencies to Place a Fraud Alert

The National Insurance numbercard issued by th...
Image via Wikipedia

The Identity Theft Resources Centre has some great advice on how and what to do when contacting a Credit Reporting Agency:

  • Please use the report fraud phone numbers from each credit reporting agency to place a fraud alert on your credit report. We recommend that you call all three credit reporting agencies because they may have different information that might cause the fraud alert to be denied.
  • These will be automated systems, please listen for the prompt for the fraud alert.
  • The automated system will ask identifying questions, such as your name, Social Security Number (US), National Insurance Number (UK), address number, and date of birth. This is to verify your identity.
  • If you are successful in placing the fraud alert on your credit report, you will receive a confirmation number immediately or you will receive a notification letter by mail within the next 10 to 14 business days.
  • On your notification letter, there will be a telephone number to request a free copy of your credit report. Please contact theCRA’s immediately to obtain these reports.
  • You are not successful in placing the fraud alert if the automated system asks for you to write to them with documentation. This is common for victims of identity theft. The credit reporting agencies usually require a copy of a current utility bill, copy of your current driver’s license or a state ID, and a letter with your full name, Social Security Number and date of birth, requesting a fraud alert be placed. You will also want to request your free credit report in the letter.

.

Blog at WordPress.com.

Up ↑

%d bloggers like this: