As estimates range from 400 to 535 data breaches in 2011, with tens of millions of records exposed, The Fraud Practice looks at the impacts of data breaches over the past year and how this may affect laws and regulations in 2012.
High profile data breaches that occured in 2011 include those against Epsilon, Sony, Stratfor, The United Nations and law enforcement agencies.
While many data breaches intended to steal payment account and identity information to be used for financial gain, many data breaches in 2011 were rooted in motivations other than money as hactivist groups were respoonsible for several data breaches as well.
Press Release: 2011: The Year of the Data Breach
Sarasota, FL, January 6, 2012 / Internal Release - While companies focus their fraud prevention efforts on direct third party fraud, they had better be spending some time on mitigating the risks of account takeover. In a year that began with high profile attacks on Sony and email marketing firm Epsilon, ended with hactivist campaigns and posting sensitive information stolen from Stratfor, all while Federal initiatives in response to data breaches gained momentum, data breaches made headlines more than ever before in 2011. The fact is fraudsters are focusing on account takeovers as a means to commit fraud and they are harvesting accounts through phishing, pharming and data breaches. As estimates range from 400 to 535 data breaches in 2011, with tens of millions of records exposed, The Fraud Practice looks at the impacts of data breaches over the past year and how this may affect laws and regulations in 2012.
Targeted phishing campaigns and malicious emails were a persistent problem in 2011 due to the wealth of information pilfered by hackers, much of which came in data breaches that occurred in April. The first was against Epsilon, who manages email marketing for many large clients, which was the largest security breach ever according to the Privacy Rights Clearinghouse. Estimates on the number of consumer emails taken by hackers range from 50 million to a potential 250 million. Also in April the loose-knit hactivist group Anonymous launched a DDoS attack against Sony, later that month the Sony Playstation Network was taken offline and hacked. Ultimately the data breaches against Sony would result in the compromise over 100 million names, emails, birthdates and addresses along with over 12,000 credit and debit card numbers.
An email address is easier to replace than a credit card, but the effects of the breach can still be very damaging. If a fraudster knows a name and email address, and also that the person gave this email to McDonalds or any of Epsilon’s other clients, then the fraudster can make a more catered and convincing email to dupe the victim of the data breach. Emails purporting to be from a trusted company with which a consumer has previously done business with are being sent with malicious links or attachments, or instead try to trick the recipient into sharing more personal information. Although spam emails in the U.S. decreased by billions overall in 2011 targeted email attacks, or spear phishing, is on the rise (Source: Cisco 2011 Annual Security Report and SC Magazine).
2011 also saw several data breaches and other cyber attacks organized by hactivist groups motivated by making a statement. The group LulzSec orchestrated multiple DDoS attacks, including one that temporarily shut down CIA.gov, in addition to hacking and posting the names and addresses of eight Arizona police officers because the group did not agree with the state’s immigration law. After law enforcement in multiple countries made a series of arrests against those who participated in the DDoS attacks Anonymous organized against Visa, MasterCard and PayPal for not processing payments to Wikileaks the hactivists planned their retaliation. AntiSec, an effort that started in 2011 by LulzSec and Anonymous, hacked and posted 10 gigabytes of information taken from 70 U.S. law enforcement agencies, including the names and addresses of over 7,000 officers, which they explicitly stated was a consequence of the earlier arrests.
AntiSec continued their hactivism campaigns through the remainder of 2011 supporting the Occupy protests. Anonymous hactivists were able to breach the systems of the United Nations and post 1,000 user names and passwords. Anonymous then organized Operation Robin Hood, an effort to steal credit card information from big banks and use them to donate to charities (of course all fraudulent donations will be charged back). AntiSec claimed to have already breached Bank of America, Citi and Chase banks, and although the legitimacy and extent of these claims is still yet to be determined, they are presumed to be exaggerated if not entirely false. It should be noted, however, that Citi suffered a data breach in May, 2011 where the names, emails and card account numbers of 360,000 North American customers were compromised. The hactivist groups ended the year by hacking into the servers of the global intelligence firm Stratfor resulting in their website being shut down for about two weeks and compromising 200 gigabytes of data, according to Anonymous. The hactivists then posted the names, addresses, credit card numbers and hashed passwords of 75,000 Stratfor customers along with the user names, passwords and email addresses of the 860,000 users registered on Stratfor’s site just before the end of 2011.
With the number of high profile data breaches that occurred in 2011 it is no surprise that this topic gained so much media attention, but now with the year coming to a close we can assess the aggregate numbers. The Privacy Rights Clearinghouse estimates that there were 535 data breaches in 2011 which resulted in the compromise of over 30 million records. Since they began tracking data breaches in 2005 they estimate that 543 million records have been compromised as the result of data breaches. The Identity Theft Resource Center (ITRC) provides a lower estimate. As of December 27, 2011 they concluded that 414 data breaches occurred in 2011 resulting in the exposure of nearly 23 million records. Since 2005 the ITRC has tallied 511.5 million exposed records resulting from 3,139 data breaches.
With over 3,000 data breaches and more than 500 million records exposed since 2005 it seems like Federal guidance on data breaches and notification requirements in the United States are overdue. Two initiatives were taken in 2011 to help limit data breach risk exposure as well as notify and protect data breach victims in the U.S. The first is the Secure and Fortify (SAFE) Data Act which would set a national standard for breach notification requirements. This bill was approved by a House subcommittee in the summer of 2011 and will continue through a series of revisions and votes to attempt to become law in 2012.
In October the White House issued an executive order outlining new requirements for all government agencies to take further measures in safeguarding classified information. The executive order, titled Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, consists of seven titles outlining the general responsibilities of all government agencies and creating a new government task force and program. The executive order was in direct response to the compromised cables published by Wikileaks and came only a few days after the Government Accountability Office released a report stating that at 24 major federal agencies “weaknesses in information security policies and practices” continue to put sensitive information at risk. The executive order calls for the creation of the Insider Threat Task Force which will develop a government-wide program to improve protection and reduce vulnerabilities that could compromise classified information.
These initiatives should lead to higher security against data breaches in government agencies as well as more protections for data breach victims in the United States. However, it is still up to the private businesses to safeguard and encrypt data to protect against breaches and cyber attacks. Millions of consumers were victimized by data breaches in 2011, and millions more will likely be data breach victims in 2012. But these initiatives will helpfully encourage more investment in protecting data and protecting against cyber attacks. According to the Ponemon Institute the average cost of a data breach in 2010 was $7.2 million dollars, and with changes to breach notification requirements the costs of a data breach may become even greater. But expect the several high profile data breaches and pending Federal laws of 2011 to encourage businesses to invest in more security and protection against data breaches, or to at least consider data breach insurance, an industry sector expecting strong growth in 2012.
About The Fraud Practice
The Fraud Practice, http://www.fraudpractice.com, is a privately held US LLC based in Sarasota, Florida. The Fraud Practice provides consulting services on eCommerce payments, fraud prevention and credit granting as well as prepared research and online training for payment and fraud professionals. Businesses throughout the world rely on The Fraud Practice to help them build and manage their payment, fraud and risk prevention strategies.
introduction to Common Compliance and KYC REquirements for US eCommerce.
Covers the basic regulatory programs related to compliance within the USA indicating the core requirements and who is required to comply. This session covers topics such as KYC, SOX, PCI, OFAC, AML, SARS, Privacy notices, FRCA, Breach Notification, Export and Denied Party lists.
Best Practices for Protecting Yourself When Transacting Online.
Going online is a part of everyone's daily life today, but not everyone understands what, where and how they are at risk. This training session provides an introduction to common attacks that occur when going online such as phishing, pharming, account takeovers, malware, spyware, antivirus and identity theft. Learn about some of the best practices to get yourself more comfortable with the companies or people you may interact with online.
Introduction to eCommerce Credit Card Payments.
Covers the credit card process flow defining each of the "payment players" and reviews payment concepts such as authorizations, settlements, reversals, chargebacks and the credit card association's high risk programs.
- The Top Half Dozen Most Siginificant Data Breaches in 2011 - By: The Privacy Rights Clearinghouse
- Spam drop, but target attack rise, is key 2011 takeaway - By: Angela Moscaritolo, SC Magazine
- AntiSec Hackers Release 10GB of Law Enforcement Data - By: David Murphy, PCMag.com
- Citi Says Many More Customers Had Data Stoeln by Hackers - By: Eric Dash, The New York Times
- Anonymous Continues Holiday Hacking Spree - The Fraud Practice FraudBlog
- Hackers release credit card, other data from Stratfor breach - By: Elinor Mills, CNET
- 2011 ITRC Breach Report - Identity Theft Resource Center
- SAFE Data Act - U.S. House of Representatives
- Structural Reforms to Improve the Security of Classified Networks Executive Order - The White House, Office of the Press Secretary
- More Businesses Expected to Insure Against Data Breaches, Cyber Crimes - The Fraud Practice FraudBlog