Posts Tagged ‘Data Loss’

The Identity Theft Resource Center has found that hacking accounted for the largest number of breaches in 2011 year-to-date. Almost 37% of breaches between January 1st and April 5th were due to malicious attacks on computer systems.

This is more than double the amount of targeted attacks reflected in the 2010 ITRC Breach List (17.1%).

Note that these numbers do not include the recent hackings of enormous quantities of email addresses from companies. Email addresses alone do not pose a direct threat as long as consumers realize that they are more susceptible to phishing scams. Phishing scams try to trick readers into providing personal information that can be used for identity theft.

Paralleling the ITRC breach report finding is the recently released Symantec Internet Security Threat Report. This report discloses that over 286 million new threats were identified during 2010. Additionally, the Symantec report said they witnessed more frequent and sophisticated targeted attacks in 2010. This may partially explain why the ITRC observation of increased hacking has occurred so quickly.

Additionally, a new survey by McAfee found that the most significant threat to businesses was data leaked accidentally or intentionally by employees. ITRC views these as two different types of breaches. Accidental breaches are those that happen by employee mistakes, and while they cause harm, the people who made a mistake never intended to injure the company. However, the insider who intentionally steals or allows others access to personal information is considered a malicious attacker.

“At first it may be difficult to know if a hacking was perpetrated by an insider or outsider,” says Linda Foley, founder of the ITRC and data breach report manager. “ITRC does not have access to the Secret Service’s forensic information, so we can only report on situations when information is released.

As of April 5, 11.6% of 2011 breaches with known forms of leakage were insider theft. When these events are added to known hacking attacks, ITRC’s breach database report indicates that 48.2% of published breaches are some form of targeted attack.”

The business community seems to be taking the brunt of hacking attacks, according to published reports of breaches. In fact, 53.6% of all breaches on the ITRC report were business related. The other categories, “Banking/Credit/Financial,” “Educational,” “Government/Military,” and “Medical/Healthcare,” all dropped in their respective percentage of reported breaches.

Unfortunately, it is still difficult to ascertain the true cause of many breaches due to entities publicly stating “the information was stolen” or “due to theft.” Additionally, nearly half of breached entities did not publicly report the number of potentially exposed records. Several medical breaches ranging up to 1.9 million records caused a spike in the total records for the health services field.

This was probably due to mandatory reporting by HHS. Since other entities do not have that type of requirement, it is likely that entities in other categories also had breach events with large record exposure numbers that went publicly unreported.

No conclusions can be drawn yet about how this year will compare to prior years. The one thing that is consistent, year after year, is that data breaches will occur. These events are outside the realm of consumer control. Due to our individually broad electronic “footprints”, our Social Security numbers and financial account numbers are in a vast pool of information that can be breached.

The responsibility for protecting this personal identifying information is fully on those who request and store it. All entities that collect personal information need to understand and embrace the concept that only they can safeguard our information and that this safeguarding must be an urgent priority.

Not only are hackers winning, but so are the thieves who steal unattended laptops and dig into dumpsters behind companies for paper data. Breaches just don’t happen, they are allowed to happen. ITRC will continue to track, analyze and report on the situation of breaches of personal information.

Just four months into 2011 and we’ve already seen some of the largest data breaches ever, be it the Epsilon data breach or the Texas breach. This, however, doesn’t seem to be the end of data breaches. A large number of enterprises across the world are on the brink of a data breach, according to a report from Courion Corporation. The survey report unearths the level of understanding enterprises have regarding IT risk management and user access.

The global survey of more than 1,250 IT decision makers at large enterprises found that one third (33 percent) of respondents do not believe their organizations have an accurate assessment of the level of IT risk they face from internal and external threats. This lack of confidence in risk assessment is warranted for two reasons. First, nearly one in four companies (23 percent) indicated that they do not have a formal IT risk management program in place. Second, a large percentage of businesses do not routinely review user access rights to data. More than 90 percent of respondents said that identification of user access is a core component of their IT risk management strategy, yet 60 percent said they only review individual user access or entitlements once a year or less frequently, with 45 percent saying they do not certify user access to high-risk applications on a regular basis. All of this creates serious data breach risks from excessive user rights, access creep (an accumulation of access credentials as an employee transitions through different positions within a company), and inappropriate access by privileged users within the organization. Many organizations discover alarming facts when they conduct user access reviews:

• Nearly half (48 percent) of companies have discovered excessive user rights within their systems;

• 39 percent of respondents say they have identified instances of inappropriate access by privileged users within their organizations;

• 56 percent say they found cases where access was still active for a user’s prior role.

“The results of this survey indicate that there is still widespread misunderstanding of the impact user access reviews have on enterprise IT risk,” said Kurt Johnson, vice president of strategy and corporate development for Courion. “No company wants to suffer the brand damage and liability caused by data breaches. The first step in preventing this is to establish a risk management strategy, and make user access reviews a key part of that process. Too often, an organization’s most highly sensitive data is easily accessible by numerous individuals who do not require access in the first place.”

WordPress’ founder Matt Mullenweg has communicated through his blog that hackers have breached the security of Automattic, the company that runs WordPress, and broken into several of its servers.

Mullenweg says that Wednesday’s incident was a low-level root access breach. The company is reviewing its data logs to figure out what information may have been stolen and is working on patching any holes in its security. It seems unlikely that personally identifiable user information was taken during the attack, but Automattic has yet to complete its investigation.

“We presume our source code was exposed and copied,” Mullenweg stated on the company’s blog. “While much of our code is open source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.”

WordPress hasn’t issued any advice to its millions of users so far, apart from suggesting the use of strong and unique passwords.

HP sues former executive

Posted: April 11, 2011 in Data Loss, News

Adrian M. Jones, who recently resigned from HP as a Senior Vice President of HP’s ESSN (Enterprise server, storage and networks) business unit in APJ and joined Oracle as Senior Vice President, Hardware Sales, Asia, has been sued by HP for carrying the company’s confidential data with him to its arch rival.

According to the case filed by HP in a California court, on February 11, 2011, just days before Jones resigned from HP, he utilized backup software to copy hundreds of files and thousands of e-mails from his HP computer to a portable USB storage device, including files containing HP’s highly confidential, proprietary and trade secret information that Jones could utilize in his new position with a direct competitor.

Jones resigned on February 16, 2011, and the next day he returned to HP his employee badge, a computer security key, the company laptop, his company Blackberry, and his company credit card. Jones did not return the portable USB storage device that he used to copy hundreds of files and thousands of e-mails.

HP has demanded the return of all documents and has called for damages to be awarded.

HP and Oracle became intense rivals after Oracle’s purchase of Sun Microsystems pushed it firmly into the server hardware market, in which it previously cooperated with HP. Relations soured last year when ousted HP Chief Executive Mark Hurd joined Oracle. Legal wrangling over Hurd’s hiring by Oracle is still unresolved.

Epsilon has reaffirmed in a press statement that the unauthorized entry into an Epsilon email system was limited to email addresses and/or customer names only. No personal identifiable information (PII) was compromised, such as social security numbers, credit card numbers or account information. “Epsilon is working with authorities and external experts to conduct a full investigation to identify those responsible for the incident while also implementing additional security protocols in its email operations,” according to the press release.

Late last week, Epsilon detected that customer information of a large number of Epsilon’s email clients had been exposed by an unauthorized entry into its email system. The affected clients represent approximately 2% of Epsilon’s total client base. Since the discovery of the unauthorized entry, rigorous internal and external reviews continue to confirm that only email addresses and/or names were compromised.

“We are extremely regretful that this incident has impacted a portion of Epsilon’s clients and their customers. We take consumer privacy very seriously and work diligently to protect customer information,” said Bryan J. Kennedy, president of Epsilon. “We apologize for the inconvenience that this matter has caused consumers and for the potential unsolicited emails that may occur as a result of this incident. We are taking immediate action to develop corrective measures intended to restore client confidence in our business and in turn regain their customers’ confidence.”

Epsilon is working with Federal authorities, as well as other outside forensics experts, to both investigate this matter and to ensure that any additional security safeguards needed will be promptly implemented. Within Epsilon, security protocols controlling access to the system have undergone a rigorous review, and access has been further restricted as the ongoing investigation continues.

“We fully recognize the impact this has had on our clients and their customers, and on behalf of the entire Alliance Data organization, we sincerely apologize,” said Ed Heffernan, chief executive officer, Alliance Data. “While we can’t reverse what has already happened, we are taking every measure necessary to protect our clients and their most valuable assets – their customers. Once detected, we took immediate action to implement additional safeguards and launched a full investigation. We will leave no stone unturned and are dealing with this malicious act by highly sophisticated cyber-thieves with the greatest sense of urgency.”

Marketing campaigns were restarted as clients continue to receive further assurance regarding security. Epsilon’s email volumes are not expected to be significantly impacted.

The Company believes the greatest risk to Epsilon and Alliance Data is the potential loss of valued clients. Specifically, the Company’s number one priority over the near and long-term will be to ensure that Epsilon’s clients regain complete trust in the company’s operations. Epsilon has earned its premier provider status in the transactional-based micro-targeted marketing space, and is well positioned to retain it. All efforts will be made to reach out to those affected clients and provide whatever assistance is needed to preserve their business over the long term.


Manhattan District Attorney Cyrus R. Vance, Jr., today announced the indictment of SAM CHIHLUNG YIN, 34, for accessing and tampering with the corporate computer network of Gucci America (“Gucci”), the Manhattan-based American affiliate of the Italian luxury goods retailer. YIN, who had been previously terminated by Gucci as a network engineer, used an account he secretly created during his tenure at Gucci to access and control the company’s computer system, shutting down some of its servers and networks, and deleting data from others. He is charged in a 50-count indictment with Computer Tampering, Identity Theft, Falsifying Business Records, Computer Trespass, Criminal Possession of Computer Related Material, Unlawful Duplication of Computer Related Material, and Unauthorized Use of a Computer.

“Computer hacking is not a game. It is a serious threat to corporate security that can have a devastating effect on personal privacy, jobs, and the ability of a business to function at all,” said District Attorney Vance. “This Office’s Cybercrime and Identity Theft Bureau is committed to preventing and prosecuting crimes such as the one charged in today’s indictment.”

According to documents filed in court, Gucci, whose American corporate headquarters are located on Fifth Avenue in Midtown Manhattan, provides employees with remote access to its virtual private network (“VPN”) by attaching a USB-sized token to a computer. While employed as a network engineer, YIN secretly created a VPN token in the name of a fictional employee. After being fired by Gucci in May 2010 for unrelated reasons, YIN took the VPN token with him. In June 2010, YIN emailed members of Gucci’s IT Department using the fictional identity and tricked them into activating his VPN token. In the months that followed, using the VPN token, YIN exploited his familiarity with Gucci’s network configuration and administrator-level passwords to gain nearly unfettered access to Gucci’s network. As a result, Gucci lost access to documents and e-mail for nearly 24 hours, while other documents and emails were deleted permanently. This intrusion cost Gucci more than $200,000 in diminished productivity, restoration and remediation measures, and other expenses.

On November 12, 2010, YIN accessed Gucci’s network through the VPN for a two-hour period. During that time, YIN deleted several virtual servers, shut down a storage area network, and deleted a disk containing the corporate mailboxes from an e-mail server. As a result, Gucci staff was unable to access any documents, files, or other materials saved anywhere on its network. Additionally, YIN’s destruction of data from the e-mail server cut off the e-mail access not only of corporate staff, but also of store managers across the country and the e-commerce sales team resulting in thousands of dollars in lost sales. Gucci’s IT staff was unable to restore system operations until the end of the business day, and the lingering effects of the intrusion continued to impose costs on the company in the weeks and months that followed.
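The Courion survey findings earlier on this page (rights left over from a prior role, excessive rights, inappropriate privileged access) and the Gucci case (a VPN token issued to an identity with no real employee behind it, used after the engineer was fired) are both failures that a user access review reconciling IAM entitlements against the HR roster is meant to catch. The following is an added illustration of that reconciliation; it is not code from Courion, Gucci or any other organization named here, and every name, role and resource in it is constructed.

```python
# Added example (not code from any report quoted on this page): a minimal user
# access review that reconciles entitlements against an HR roster.
# All names, roles and resources below are constructed for illustration.

# HR roster: employment status, current role, and roles held earlier.
HR_ROSTER = {
    "alice": {"status": "active",     "role": "finance_manager",  "prior_roles": ["finance_analyst"]},
    "bob":   {"status": "terminated", "role": "network_engineer", "prior_roles": []},
    "carol": {"status": "active",     "role": "sales_rep",        "prior_roles": []},
}

# Entitlements as exported from the IAM system, with the role each was granted
# for. "ghost" has no HR record at all (a fictitious identity).
ENTITLEMENTS = [
    {"account": "alice", "resource": "ledger_ro", "granted_for_role": "finance_analyst"},
    {"account": "alice", "resource": "ledger_rw", "granted_for_role": "finance_manager"},
    {"account": "bob",   "resource": "vpn_token", "granted_for_role": "network_engineer"},
    {"account": "carol", "resource": "crm",       "granted_for_role": "sales_rep"},
    {"account": "carol", "resource": "ledger_rw", "granted_for_role": "finance_manager"},
    {"account": "ghost", "resource": "vpn_token", "granted_for_role": "network_engineer"},
]


def review_access(roster, entitlements):
    # Returns (finding, account, resource) for every entitlement a reviewer
    # should question; entitlements matching the current role are silent.
    findings = []
    for ent in entitlements:
        account, resource = ent["account"], ent["resource"]
        person = roster.get(account)
        if person is None:
            findings.append(("ghost_account", account, resource))
        elif person["status"] != "active":
            findings.append(("access_after_termination", account, resource))
        elif ent["granted_for_role"] in person["prior_roles"]:
            # access creep: a right carried over from an earlier position
            findings.append(("prior_role_access", account, resource))
        elif ent["granted_for_role"] != person["role"]:
            # a right the current role does not explain at all
            findings.append(("excessive_rights", account, resource))
    return findings


def summarize(findings):
    # Count findings by type, the shape a certification report would show.
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```

Joining on the HR roster is what makes the ghost identity and the terminated engineer visible: a review that only asks managers to sign off on the accounts they already know about will see neither.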