Sarasota, FL, January 6, 2012 / Internal Release - While companies focus their fraud prevention efforts on direct third party fraud, they had better be spending some time on mitigating the risks of account takeover. In a year that began with high profile attacks on Sony and email marketing firm Epsilon, ended with hactivist campaigns and posting sensitive information stolen from Stratfor, all while Federal initiatives in response to data breaches gained momentum, data breaches made headlines more than ever before in 2011. The fact is fraudsters are focusing on account takeovers as a means to commit fraud and they are harvesting accounts through phishing, pharming and data breaches. As estimates range from 400 to 535 data breaches in 2011, with tens of millions of records exposed, The Fraud Practice looks at the impacts of data breaches over the past year and how this may affect laws and regulations in 2012.
Targeted phishing campaigns and malicious emails were a persistent problem in 2011 due to the wealth of information pilfered by hackers, much of which came in data breaches that occurred in April. The first was against Epsilon, who manages email marketing for many large clients, which was the largest security breach ever according to the Privacy Rights Clearinghouse. Estimates on the number of consumer emails taken by hackers range from 50 million to a potential 250 million. Also in April the loose-knit hactivist group Anonymous launched a DDoS attack against Sony, later that month the Sony Playstation Network was taken offline and hacked. Ultimately the data breaches against Sony would result in the compromise over 100 million names, emails, birthdates and addresses along with over 12,000 credit and debit card numbers.
An email address is easier to replace than a credit card, but the effects of the breach can still be very damaging. If a fraudster knows a name and email address, and also that the person gave this email to McDonalds or any of Epsilon’s other clients, then the fraudster can make a more catered and convincing email to dupe the victim of the data breach. Emails purporting to be from a trusted company with which a consumer has previously done business with are being sent with malicious links or attachments, or instead try to trick the recipient into sharing more personal information. Although spam emails in the U.S. decreased by billions overall in 2011 targeted email attacks, or spear phishing, is on the rise (Source: Cisco 2011 Annual Security Report and SC Magazine).
2011 also saw several data breaches and other cyber attacks organized by hactivist groups motivated by making a statement. The group LulzSec orchestrated multiple DDoS attacks, including one that temporarily shut down CIA.gov, in addition to hacking and posting the names and addresses of eight Arizona police officers because the group did not agree with the state’s immigration law. After law enforcement in multiple countries made a series of arrests against those who participated in the DDoS attacks Anonymous organized against Visa, MasterCard and PayPal for not processing payments to Wikileaks the hactivists planned their retaliation. AntiSec, an effort that started in 2011 by LulzSec and Anonymous, hacked and posted 10 gigabytes of information taken from 70 U.S. law enforcement agencies, including the names and addresses of over 7,000 officers, which they explicitly stated was a consequence of the earlier arrests.
AntiSec continued their hactivism campaigns through the remainder of 2011 supporting the Occupy protests. Anonymous hactivists were able to breach the systems of the United Nations and post 1,000 user names and passwords. Anonymous then organized Operation Robin Hood, an effort to steal credit card information from big banks and use them to donate to charities (of course all fraudulent donations will be charged back). AntiSec claimed to have already breached Bank of America, Citi and Chase banks, and although the legitimacy and extent of these claims is still yet to be determined, they are presumed to be exaggerated if not entirely false. It should be noted, however, that Citi suffered a data breach in May, 2011 where the names, emails and card account numbers of 360,000 North American customers were compromised. The hactivist groups ended the year by hacking into the servers of the global intelligence firm Stratfor resulting in their website being shut down for about two weeks and compromising 200 gigabytes of data, according to Anonymous. The hactivists then posted the names, addresses, credit card numbers and hashed passwords of 75,000 Stratfor customers along with the user names, passwords and email addresses of the 860,000 users registered on Stratfor’s site just before the end of 2011.
With the number of high profile data breaches that occurred in 2011 it is no surprise that this topic gained so much media attention, but now with the year coming to a close we can assess the aggregate numbers. The Privacy Rights Clearinghouse estimates that there were 535 data breaches in 2011 which resulted in the compromise of over 30 million records. Since they began tracking data breaches in 2005 they estimate that 543 million records have been compromised as the result of data breaches. The Identity Theft Resource Center (ITRC) provides a lower estimate. As of December 27, 2011 they concluded that 414 data breaches occurred in 2011 resulting in the exposure of nearly 23 million records. Since 2005 the ITRC has tallied 511.5 million exposed records resulting from 3,139 data breaches.
With over 3,000 data breaches and more than 500 million records exposed since 2005 it seems like Federal guidance on data breaches and notification requirements in the United States are overdue. Two initiatives were taken in 2011 to help limit data breach risk exposure as well as notify and protect data breach victims in the U.S. The first is the Secure and Fortify (SAFE) Data Act which would set a national standard for breach notification requirements. This bill was approved by a House subcommittee in the summer of 2011 and will continue through a series of revisions and votes to attempt to become law in 2012.
In October the White House issued an executive order outlining new requirements for all government agencies to take further measures in safeguarding classified information. The executive order, titled Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, consists of seven titles outlining the general responsibilities of all government agencies and creating a new government task force and program. The executive order was in direct response to the compromised cables published by Wikileaks and came only a few days after the Government Accountability Office released a report stating that at 24 major federal agencies “weaknesses in information security policies and practices” continue to put sensitive information at risk. The executive order calls for the creation of the Insider Threat Task Force which will develop a government-wide program to improve protection and reduce vulnerabilities that could compromise classified information.
These initiatives should lead to higher security against data breaches in government agencies as well as more protections for data breach victims in the United States. However, it is still up to the private businesses to safeguard and encrypt data to protect against breaches and cyber attacks. Millions of consumers were victimized by data breaches in 2011, and millions more will likely be data breach victims in 2012. But these initiatives will helpfully encourage more investment in protecting data and protecting against cyber attacks. According to the Ponemon Institute the average cost of a data breach in 2010 was $7.2 million dollars, and with changes to breach notification requirements the costs of a data breach may become even greater. But expect the several high profile data breaches and pending Federal laws of 2011 to encourage businesses to invest in more security and protection against data breaches, or to at least consider data breach insurance, an industry sector expecting strong growth in 2012.
Comments