FROM THE RESOURCE GUIDE
Robert Holtfreter, Ph.D., CFE, CICA, CBA
It seems almost weekly that the media reports that a high-profile hacker has initiated a data breach. The public is thereby conditioned to believe that data breaches are caused only by hackers and not by other external and internal causal factors. But in a recent factor analysis of more than 3,800 data breaches reported by the Privacy Rights Clearinghouse (PRCH), my research assistant and I discovered other types of causal factors (the Holtfreter & Harrington model). Internal factors include loss of data, hacking and theft of data by a current or former employee, and improper protection or disposal of data. External factors include theft of data by a non-employee, partner/third-party theft or loss of data through improper exposure or disposal, and hacking by a non-employee. As will be shown, data breaches — especially those initiated by hackers — are very hard, if not impossible, to protect against. This is confirmed in an article in The Wall Street Journal on April 20, 2015, in which Danny Yadron, a hacking prevention specialist, noted that “No matter how much companies spend on digital defenses, hackers often still get in (to computer networks) to test the defenses of what is often a weak spot in hackers defenses: people.”
To get a better grasp of the scope of the problem that hackers and others are creating, PRCH, Verizon Business (VB) and the Identity Theft Resource Center (ITRC) track and classify the data breaches they learn of through many different sources.
From January 1, 2005, through April 15, 2015, the PRCH has reported 4,517 data breaches and more than 816 million compromised records. Their reported compromised records are significantly understated because in more than 50 percent of the data breaches the numbers are unknown. VB reported 2,122 data breaches in 2014. From January 1, 2005, through March 20, 2015, the ITRC has reported 5,203 data breaches and more than 778 million compromised records. Hackers employ a variety of schemes and methods to infiltrate the networks of organizations with malware to steal personally identifiable information (PII) of customers to use for their criminal activities or directly rob the organizations of their resources, including cash.
In the biggest retail hacking case in U.S. history, hackers installed malware on Target’s security and payments system in November 2013, allowing criminals to steal credit card information at all 1,797 of its U.S. stores when customers swiped their cards. The stolen information was stored on a Target server controlled by the criminals and was later moved to staging points throughout the U.S. and finally to computers in Russia. What is amazing is that this scheme eluded the security staff who were overseeing a $1.6 million malware detection tool Target had installed six months earlier. In another major case, Premera Blue Cross in the state of Washington revealed on February 15, 2015, that hackers had used a sophisticated attack to gain unauthorized access to its information technology systems on May 4, 2014. Eleven million customers were possibly affected, with compromised PII including name, address, telephone number, date of birth, Social Security number, member identification number, email address and claim information. At this point it is not known how the hackers infiltrated the network, but it was very likely people-based.
Organizations are responsible for many internal breaches and need to continually educate their employees about all types of data breach causal factors. Educating employees and the public is not the only fix, but it is probably the most important one to put in place to help reduce the number of compromised records containing valuable PII and curb identity theft.
As I have written in many of my cybersecurity/identity theft articles in Fraud Magazine, encrypting all forms of PII with an advanced encryption standard will help immensely.
In order to survive, everything must evolve — including crime and security. As time goes on and fraud fighters become experienced in new fields, criminals evolve their tactics to get to their victims’ pocketbooks or assets. The ACFE’s course Protecting Against Data Breaches and Cyberfraud will prepare your employees to ensure your organization’s data security, safeguard intellectual property and protect against cyberfraud. This 2-day, instructor-led course will guide you through strategies needed to mitigate the threat of malicious data theft and minimize the risk of data loss. You can read more about this course and more events and seminars in our latest Resource Guide.