Comments on Verizon’s 2010 Data Breach Investigations Report

Verizon’s annual Data Breach Investigations Report has once again drawn the attention of business and technology professionals, helping all of us understand the reasons for, and the bottom-line impact of, information security breaches.  This year is no exception.  For the just-released 2010 DBIR, Verizon collaborated with the United States Secret Service (USSS), one of the world’s premier law enforcement agencies and one that regularly investigates cyber crimes.  Together the two organizations have produced a document that every business leader and senior executive must read now.

Combining Verizon’s own caseload with additional data provided by the USSS, the 2010 DBIR gives a more accurate picture of the insider threats facing organizations. While most data breaches still originate with criminal groups (organized crime) or individuals external to an organization, the facts are clear: insider threats are real and increasing.

Under the heading Who Is Behind Data Breaches?, the 2010 DBIR reports:

70% resulted from external agents (-9%)
48% were caused by insiders (+26%)
11% implicated business partners (-23%)
27% involved multiple parties (-12%)

The figures in parentheses are the changes from the 2009 DBIR.  The 2010 DBIR provides several recommendations for organizations to implement to mitigate these risks; I will address three of them:

Eliminate unnecessary data; keep tabs on what’s left
Today organizations are compelled by regulatory mandates to retain data on their customers, business partners, and operations for long periods.  However, I have found that many organizations do not have formal data clean-up policies and procedures to ensure they keep only the records that are vital to their business operations.

As a consultant and advisor to executives and organizations, I’ve seen forgotten data be the most vulnerable to misuse, often resulting in catastrophic security breaches for organizations.  Knowing what business information to protect, and what data can safely be disposed of, are two critical steps toward successful information security management in every organization.

Ensure essential controls are met
As a result of financial and mismanagement scandals, business organizations today have very strict financial controls. On the technology side, however, strict controls are perceived as a roadblock to operational efficiency and productivity, and a large part of that perception is driven by senior management.  If you are a member of senior management, lead by example: don’t ask your employees to follow strict controls (IT, financial, and operational) that you are not willing to follow yourself.  Effective control adoption begins at the top of every organization.

Audit user accounts and monitor privileged activity
One area organizations consistently fail to address is active monitoring of user accounts and user activity. Perhaps because of the trusting nature of personal relations, organizations tend to monitor only when inappropriate usage is already suspected. No one wants to live in a police state fearing that Big Brother is watching. However, organizations must do more to actively monitor the activities of their trusted employees.  All employees, including senior management, should be subject to monitoring of their activities and privileged actions within information systems, to ensure transparency and accountability for all actions.
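As an added illustration of what this recommendation looks like in practice (this is example code written for this post, not anything from the DBIR or from Verizon), the script below runs two checks over a small audit log: it lists accounts nobody has used within a retention window, and it reports every privileged action by every user with no executive exemption, flagging the case where an actor grants a role to their own account. The JSON-lines log format, its field names and the set of events treated as privileged are assumptions; the sample log is constructed for the example.

```python
"""Added example: minimal account audit and privileged-activity report.

Assumed input (constructed for this example): one JSON record per line with
fields `ts` (ISO-8601 UTC), `user`, `event` and an optional `detail`.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit log. The executive account `ceo` appears alongside
# everyone else: nobody is exempt from review.
SAMPLE_LOG = """\
{"ts": "2010-07-01T08:02:11Z", "user": "alice", "event": "login"}
{"ts": "2010-07-01T08:05:40Z", "user": "alice", "event": "sudo", "detail": "/usr/bin/mysqldump customers"}
{"ts": "2010-07-02T17:44:03Z", "user": "ceo", "event": "login"}
{"ts": "2010-07-02T17:45:10Z", "user": "ceo", "event": "role_change", "detail": "granted DBA to ceo"}
{"ts": "2010-07-03T09:12:55Z", "user": "bob", "event": "login"}
{"ts": "2010-03-15T10:00:00Z", "user": "contractor7", "event": "login"}
{"ts": "2010-07-25T23:59:01Z", "user": "dave", "event": "sudo", "detail": "/bin/cp /var/backups/db.tgz /media/usb"}
"""

# Events that grant or exercise privilege (assumed names; map to your own schema).
PRIVILEGED_EVENTS = {"sudo", "role_change", "password_reset_other"}


def parse_ts(value):
    """Parse the assumed ISO-8601 UTC timestamp format into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Parse JSON-lines audit records into dicts with a datetime `ts`."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = parse_ts(rec["ts"])
        records.append(rec)
    return records


def dormant_accounts(records, now, max_idle_days=30):
    """Accounts whose last activity of any kind is older than max_idle_days."""
    last_seen = {}
    for rec in records:
        last_seen[rec["user"]] = max(last_seen.get(rec["user"], rec["ts"]), rec["ts"])
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u, ts in last_seen.items() if ts < cutoff)


def privileged_activity(records):
    """{user: [(ts, event, detail), ...]} for privileged events, no exemptions."""
    report = defaultdict(list)
    for rec in records:
        if rec["event"] in PRIVILEGED_EVENTS:
            report[rec["user"]].append((rec["ts"], rec["event"], rec.get("detail", "")))
    return dict(report)


def self_grants(records):
    """Role changes where the actor granted a role to their own account."""
    flagged = []
    for rec in records:
        detail = rec.get("detail", "")
        if rec["event"] == "role_change" and detail.endswith(" to " + rec["user"]):
            flagged.append((rec["user"], detail))
    return flagged


def run_audit(text, now_iso, max_idle_days=30):
    """Parse a log and return the three findings as one dict."""
    recs = parse_log(text)
    now = parse_ts(now_iso)
    return {
        "dormant": dormant_accounts(recs, now, max_idle_days),
        "privileged": privileged_activity(recs),
        "self_grants": self_grants(recs),
    }


if __name__ == "__main__":
    result = run_audit(SAMPLE_LOG, "2010-07-28T00:00:00Z")
    print("Dormant accounts:", result["dormant"])
    for user, events in sorted(result["privileged"].items()):
        for ts, event, detail in events:
            print(f"{ts:%Y-%m-%d %H:%M} {user:12} {event:12} {detail}")
    print("Self-granted roles:", result["self_grants"])
```

The point of `privileged_activity` is that it has no allowlist: the executive’s role change is reported in the same table as the contractor’s and the administrator’s. The dormant-account check treats any event, not just logins, as activity, so an account that only ever runs privileged commands is still counted as live.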

Enduring Idea: The 2010 DBIR provides key insights that business executives and technology professionals should consider when evaluating their information security and data protection priorities. Remember that the security and privacy of the information entrusted to an organization is the responsibility of every employee, senior management included.

To read more about the 2010 DBIR, or to download a copy, visit Verizon’s Security Blog at:

http://securityblog.verizonbusiness.com/2010/07/28/2010-dbir-released/


Southshorehospital.org Data Breach 800,000 People Affected

Copyright © South Shore Hospital

South Weymouth, Massachusetts – South Shore Hospital has disclosed that a data management company hired to destroy back-up computer files lost files containing the personal information of approximately 800,000 individuals. The missing files contained personal information on patients, employees, physicians, volunteers, donors, vendors and other business partners.

Healthcare organizations face increasing challenges given their limited financial and operational resources for information technology management.  Protecting vast amounts of personal information is not easy when there is little money to invest in IT.

South Shore Hospital has notified the Massachusetts Attorney General’s office, the Massachusetts Department of Public Health, and the US Department of Health and Human Services about this matter. The hospital has also halted the offsite destruction of back-up computer files and is putting policies in place to ensure that a similar situation cannot recur. The investigation remains ongoing.

“I am deeply sorry that these files may have been lost,” said Richard H. Aubut, South Shore Hospital president and chief executive officer. “Safeguarding confidentiality is fundamental to our mission of healing, caring and comforting. I recognize that this situation is unacceptable and would like to personally apologize to all those who have trusted us with their sensitive information.”

As a former CISO in healthcare, I applaud CEO Richard H. Aubut and South Shore Hospital for their open disclosure, their efforts to notify those involved, and their work with government agencies to find out the extent of this data breach.

Enduring Idea:  If you are a CXO or senior executive and your organization suffers a data breach, don’t mistake it for a public relations matter.  It is a credibility and integrity matter.  Get in front of your customers, employees, and business partners and demonstrate open, honest, direct leadership in finding the extent of the problem and in taking action to correct your mistakes.


BVU.edu Data Breach 93,000 People Affected

Copyright © Buena Vista University

July 16, 2010 – STORM LAKE, Iowa – Buena Vista University (www.bvu.edu) is one of the latest universities to suffer an on-campus data breach, one that has placed at risk of identity theft the names, Social Security numbers, and driver’s license records of over 93,000 people, including students, parents, faculty and staff, alumni, and donors.  BVU has published an informational web page (http://www.bvu.edu/data) giving those affected incident details and information on free credit monitoring services.

Universities, like any other business organization, need to be held accountable for the lax security policies and controls that allow data breaches. Over the last 10 years, federal and state governments have mandated that the healthcare and financial services industries implement strong data privacy programs and technical controls when handling consumer information.

It is time universities were held to the same data privacy and consumer protection standards. Universities are businesses and have a moral and ethical responsibility to protect the personal and financial information of their students and employees.

Data Breach Information
http://www.bvu.edu/data/ 

Large Database Breached at Buena Vista University
http://www.kmeg14.com/Global/story.asp?S=12822306


American Airlines 79,000 Employees at Risk for ID Theft

Copyright © American Airlines, Inc.

On July 2, 2010, AMR Corporation (NYSE:AMR), parent company of American Airlines, disclosed that a computer hard drive had been stolen from its offices in Ft. Worth, Texas.  The drive contained the personal information of 79,000 former and current employees of the company, including names, Social Security numbers, and other employee benefits information. AMR reports that the investigation is continuing.  Affected employees are being provided with one year of free credit report monitoring.

American Airlines proudly proclaims the motto “Serving The People Who Serve You” on its website.  Offering one year of free credit monitoring is not enough. How about a public letter of apology from the CEO of American Airlines to each and every employee for this incident?  Taking it one step further, why not offer free credit monitoring and company-paid legal representation for each employee for as long as necessary to protect their personal and financial identity and good name?

To American Airlines: As a regular customer of AA, I appreciate all the benefits of being a valued customer. Now it is your turn to show the same care, concern, and loyalty to your employees. Please offer your employees more long-term legal and financial assistance than the standard corporate mea culpa of one year of free credit monitoring.

Takeaway: Companies must demonstrate the same commitment and concern for their employees as they do for their customers.  Employers who are committed to the well-being of their employees will earn the trust, respect, and loyalty of both their employees and their customers.

CBS News: American Air Parent Claims Worker Data Compromised
http://cbs11tv.com/local/American.Airlines.AA.2.1785491.html  

SC Magazine: American Airlines hard drive stolen
http://www.scmagazineus.com/american-airlines-hard-drive-stolen/article/174254/


California DHCS discloses 50,000 Social Security Numbers

According to a story in the Los Angeles Times this evening (http://latimesblogs.latimes.com/lanow/2010/02/social-security-numbers-of-nearly-50000-californians-disclosed.html), the California Department of Health Care Services has exposed the Social Security numbers of approximately 50,000 elderly patients of the Adult Day Health Care program.  According to the report, state employees at DHCS sent a mailing list to an outside contractor, which printed envelopes and mailed them on behalf of the state.

California Department of Health Care Services

http://www.dhcs.ca.gov - © State of California

Why, after hundreds of accidental disclosures of personal and private information, do organizations continue to commit these types of oversights?  It’s easy to blame organizations as entities, but what about personal responsibility?  Why don’t people speak up within their organizations when they see bad practices?  Everyone has a personal responsibility to question, speak up, and effect change from within their organization.

We are in 2010, not 1995.  Will you step up and do what is right to protect the customers you serve, those who have entrusted you and your organization with their private and personal information?
