Category Archives: Security Breaches & Data Loss Incidents

2016: Data Breach Statistics, Year until 10/19/2016

*The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which count is available.

Zecurion offers deeper insight into selected incidents caused either by accidental or intentional data breaches. With all such incidents, the common elements describing the impact of this growing problem are financial loss, compromised intellectual property and dwindling customer confidence. Let us see how some sectors have been impacted as of October 2016. The excerpts below only provide a glimpse of some of these incidents – the list goes on.

Government

August 26, 2016 – County of Sacramento, California, issued a statement that an unknown number of records with personal data were exposed due to an error in the online automated application for an Emergency Medical Service license. The information included the applicants’ name, address, social security number, driver’s license, phone number and date of birth. Although there has been no report of misuse of the PII, the county offered one year of Experian credit monitoring services to the affected people as a precaution.

Source: California Attorney General

Healthcare

September 26, 2016 – A worker at Yale-New Haven Hospital and her friend were arrested for illegally procuring classified personal information of at least 20 near-death patients and using the stolen data to obtain credit cards and to become beneficiaries of the patients’ insurance policies, among other planned crimes. This had been going on for two years before they were caught. A year’s credit monitoring has been offered to the victims.

Source: Media: News 3

August 12, 2016 – Bon Secours Health System disclosed that R-C Healthcare Management, a third-party vendor managing their Medicare and Medicaid reimbursement, accidentally left patients’ files accessible over the internet while updating network settings. About 665,000 records containing patient name, health insurer’s name, health insurance identification number, social security number and some health information were exposed to the general public. A forensic investigator was hired to identify the people affected by this breach, who were then informed of the incident. 435,000 of them were from Virginia and the rest were from Kentucky and South Carolina. No misuse of the exposed data has been reported so far.

Source: Media: http://www.nbcconnecticut.com/

Business

September 22, 2016 – Premier America Credit Union, California, reported that a departing employee sent an account list containing names, addresses and possibly social security and/or employer identification numbers to his personal email address, most likely for future solicitation purposes. The employee was reminded of his obligations and company regulations and advised not to use any of this information for any purpose. The management further offered complimentary one year Experian credit monitoring services to the victims.

Source: California Attorney General

August 8, 2016 – 7-Eleven reported that in June 2016, during a regular maintenance cycle, some franchisees received the records of employees other than their own. The exposed information contained the name, address, phone number and social security number of 7,820 employees. The correction was completed within 5 days. 7-Eleven offered 12 months of First Watch Technologies’ professional identity monitoring service to the victims in addition to $1,000,000.00 in identity theft insurance with no deductible.

Source: California Attorney General

Major Insider Data Breaches in Government Sector in 2015-16

In our last post, we talked about insider threats being faced by government organizations.

Today, we are sharing examples of data loss incidents that have affected the government sector because of insiders. Though sporadic in nature, they give a deeper insight into how vulnerable the government is.

  • In June 2016, the Washington State Liquor and Cannabis Board stated that the personal information of marijuana license applicants was released in response to a public record request. The exposed information included social security numbers, tax and financial information and attorney-client privileged information for an unknown number of records. The License Control Board had accidentally sent the PII along with the requested information.
  • Virginia State Corporation Commission suspects that a former contractor made copies of PII for an unknown number of people whose license had either expired or lapsed between 1979 and 2004. This came to light in June 2016.
  • In April 2016, the FDIC, Washington, DC notified that 44,000 records of customers were exposed when an authorized employee unknowingly downloaded the classified information of affected people on a personal portable device. When the breach was detected, the employee was contacted, who immediately returned the device and signed an affidavit stating that the information was not used for any purpose.
  • In February 2016, Washington State Health Authority (HCA) notified that 91,000 records of Apple Health (Medicaid) clients were accessed without proper authorization by an employee. Social security numbers, dates of birth, Apple Health client ID numbers and private health information were passed to another state agency’s employee. After an internal investigation, it was established that the classified information did not get beyond these two employees, but as a precaution, free year-long credit monitoring has been offered to the affected people. Both employees have been fired since the incident happened.
  • County of San Diego confirmed in January 2016 that the classified records of all employees were sent to Wells Fargo, as opposed to only those of employees who were set up for health savings accounts (HSAs). Consequently, the bank set up HSAs for all the employees. The county and Wells Fargo are working together to delete the unwanted records. Free year-long credit monitoring has been offered to the affected people. The breach is being deemed an accidental error due to incorrect program code for data transfer by Hewlett-Packard Enterprise Services.
  • In October 2015, the Vacaville Housing Authority (VHA) notified affected individuals that one of their employees unintentionally sent an email to a person with an attachment containing their names and social security numbers. The receiver immediately informed VHA about the lapse and they deleted the email from the person’s computer. As a precaution, VHA has offered free credit monitoring service to affected customers for 12 months.

A 2016 U.S. Government Cybersecurity Report by SecurityScorecard reported the following:

  • Government sector has the lowest security score as compared to retail, transportation, healthcare and other sectors
  • NASA is at the bottom of 600 government organizations, followed by US Department of State, IT systems of Connecticut, Pennsylvania, and Washington.
  • Three areas where government organizations struggle with security are – Malware Infections, Network Security and Software Patching

While government organizations are enhancing their cyber security strategies, there are still many risks that they need to address. A holistic view of their strengths and weaknesses will enable them to implement the right solution and take proactive measures aimed at addressing the risks posed by internal threats.

12 Million Records Breached by May 2016

*The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which count is available.

Since our last report in February on statistical data, 327 data breaches affecting 10 million+ records have been reported.

Zecurion offers deeper insight into selected incidents caused either by accidental or intentional data breaches. With all such incidents, the common elements describing the impact of this growing problem are financial loss, compromised intellectual property and dwindling customer confidence. Let us see how some sectors have been impacted between February and May 2016. The excerpts below only provide a glimpse of some of these incidents – the list goes on.

Government

11 April, 2016 – FDIC, Washington, DC notified that 44,000 records of customers were exposed when an authorized employee unknowingly downloaded the classified information of the affected people on a personal portable device. FDIC uses technology to track downloads to portable devices. Once this was detected, the employee was contacted, who in turn immediately returned the device and signed an affidavit stating that the information was not used for any purpose.

Source: Washington Post

Healthcare

February 2, 2016 – Hawaii Medical Service Association (HMSA) disclosed that it accidentally sent 10,800 letters to the wrong addresses rather than to the intended recipients. Luckily, the letters did not contain any sensitive data, only information about how these patients can better manage the ailment they are suffering from. The affected members were contacted, told of the mistake and had any questions they might have answered.

Source: Databreaches.net

Business

March 15, 2016 – Laborers Funds Administrative Office of Northern California reported that an undisclosed number of records had been compromised due to a computer error. Classified information of not only members but also their dependents was accidentally emailed to a fund member instead of the IRS. The office does not believe that the information has been misused, but it has offered one year of free credit monitoring to all the affected people.

Source: California Attorney General

March 7, 2016 – Turner Construction, San Diego, California, stated that an undisclosed number of records with classified information were breached as an email containing sensitive information was accidentally sent out to an unauthorized party. The company has since taken many steps to mitigate the threat. Kroll, an ID monitoring service, has been engaged to provide free monitoring to all the affected people for ten years. The services include Credit Monitoring, Web Watcher, Public Persona, Quick Cash Scan, $1 Million Identity Theft Insurance, Identity Consultation, and Identity Restoration.

Source: Maryland Attorney General

Education

16 May, 2016 – Poway Unified School, California inadvertently released data of about 36,444 students and their parents to one parent who had requested information related to her name only. The information included children’s names, nicknames, addresses, phone numbers, hearing and vision exam results, dates of birth, language fluency, academic test results and occupation of parents. It did not list the social security numbers. The exposed data falls under protected information under the Family Educational Rights and Privacy Act and the school could risk losing federal funding. The data contained information of about 70,000 people.

Source: San Diego Union Tribune

25 January, 2016 – California Virtual Academies (CAVA), California, informed its registered users on December 9, 2015 that its data storage system was vulnerable to a data breach. CAVA, within hours, was able to locate the vulnerability and contain it by securing the system. Since then, it has been established that unauthorized access was limited to the data security researcher who had initially notified CAVA. Users have been urged to check their personal accounts, change security settings online and read the information provided on credit and identity protection.

Source: California Attorney General

Top Breaches in Retail in 2015-2016

This week, we will continue with the topic of data breaches in retail.

Study Findings

A study on data breaches in retail, conducted by Vormetric, revealed the following key findings:

  1. 93% of retailers believe that their organization is susceptible to insider threats.
  2. 48% of retailers have either had a data breach or failed a compliance audit in the last year.
  3. 77% of retailers said that “diligently following up on compliance requirements and making implementation of those requirements mandatory” can easily thwart insider threats.

Examples

To emphasize the vulnerability of retail to data loss, let us look at four examples where sensitive information was compromised because of a breach (caused by external and/or internal factors).

  1. Target – Although this incident impacted Target retail stores in November-December 2014, it is worth mentioning as it has been deemed one of the most expensive breaches in the history of the retail industry. Almost 70 million customers had their personal and payment card information stolen. The hackers had installed malware on POS terminals. The breach cost Target more than US$ 3.6 billion.
  2. CVS/Walgreens – July 2015 saw a credit card breach in which CVS and Walgreens came into the grip of malicious hackers. The pharmacies had to halt their online photo services in the wake of the credit card theft.
  3. CVS – In July 2015, it emerged that a pharmacy technician had passed about 100 customer records to her property manager between May 2013 and April 2015; the property manager in turn used this unauthorized information to apply for loans and credit cards.
  4. Bed, Bath and Beyond – In September 2015, the retailer reported that an employee had stolen some customers’ credit card information with the intention of misusing it.

Reasons Why Retail is Different

There are many reasons that make retail different from other sectors, which also creates the need for a vertical-specific solution rather than a cookie-cutter one.

  1. Volume of Credit Card Transactions

In retail, the majority of payments are made with credit cards, making the sector highly vulnerable to breaches.

  2. High Employee Turnover

Retail has a very high employee turnover. Employees fall into various categories – part time, full time, seasonal – and move quickly between departments, locations and other employers. This makes employee training and monitoring very challenging, resulting in a higher risk of intentional or accidental breaches by insiders.

  3. Physical Security of Payment Endpoints

Access to payment endpoints is easy, whether it is a POS terminal in a store or a gas pump. There are devices available that can be attached to these payment terminals to capture sensitive credit card data.

  4. Multiple Locations

Large retailers have stores across many locations. The more locations, the higher the cost of implementing security measures.

  5. Speed of Responsiveness

In retail, a key measure of customer satisfaction is speed of responsiveness. Retailers face very tough competition and are always on their toes to provide fast and satisfying service. Any kind of online authentication can easily slow down the process, tempting customers to cross the bridge to other retailers.

  6. Working with Third Parties

Retailers work with a number of third parties. Many of these third parties manage sensitive data after uploading it to their own network. This raises the risk of a data breach.

Conclusion

It is essential that retailers be cautious and take proactive measures to safeguard sensitive customer data stored on their or third party networks. Loyal customer relationships are built on trust. Implementing best practices that enhance this trust will go a long way in customer satisfaction and retention.

Best Practices in Securing Healthcare Data

Health is wealth: an old saying, but one with an important underlying meaning. Consumers spend a great amount of money on wellness, prescriptions, medical examinations, lab tests, various auxiliary health procedures etc. As a result, healthcare organizations have become repositories of vast amounts of sensitive data that these consumers share, making them soft targets for data breaches.

ITRC, Identity Theft Research Center, studied the trends of data breaches and concluded that in 2015, 35.5% of the breaches occurred in the healthcare sector, and 66.7% of the total records that were exposed were from the healthcare industry. ITRC also claims that so far in 2016, 34.9% of the breaches and 34.6% of the total records compromised are from healthcare; an overwhelming 4 million records have been reported to be affected in just the first few months of 2016.

Zecurion has put together a list of best practices that healthcare organizations are recommended to follow in order to protect themselves from such incidents.

Early Detection through Proactive Monitoring

Having efficient algorithms and rules for the network helps detect early whether PHI and PII are being accessed without proper authorization. Many automated tools are available today that can discover such a breach at its initial stage, and early detection can thwart data loss incidents.

To this end, solutions such as Zecurion’s Zgate enable companies to monitor all forms of outbound network traffic and online communications. Zgate also helps identify sensitive information and prevents it from leaving the network. It uses hybrid content analysis – combining digital fingerprints, Bayesian methods, and heuristic detection – to filter outbound traffic and detect confidential data.
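One way to implement the outbound-content check described above in code, as an added example that is not Zecurion’s Zgate code: it combines a structural SSN heuristic with keyed exact-data fingerprints, so the monitor can match known protected records without storing them in the clear. The protected-record set, salt and sample messages are constructed for the example.

```python
"""Minimal outbound-content DLP check: SSN heuristics plus exact-data fingerprints.

Added illustration, not Zecurion's product code. The protected records, the
salt and the sample messages below are all constructed.
"""
import hashlib
import hmac
import re

# Candidate SSN tokens: three groups of 3-2-4 digits, optionally separated by
# dashes or spaces. Anything the regex finds is only a candidate until the
# structural rules below accept it.
SSN_CANDIDATE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

# Context words that raise suspicion that a message carries PHI/PII (heuristic layer).
PHI_KEYWORDS = ("social security", "ssn", "date of birth", "diagnosis", "medicaid", "patient")


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules for issued SSNs (area never 000, 666 or 900-999; group and
    serial never all zeros). Filters order numbers and phone fragments."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def fingerprint(ssn_digits: str, salt: bytes) -> str:
    """Keyed hash of the normalised SSN, so the monitor never holds raw values."""
    return hmac.new(salt, ssn_digits.encode(), hashlib.sha256).hexdigest()


def build_fingerprint_index(protected_ssns, salt: bytes) -> set:
    """Index of fingerprints for the records the organisation must protect."""
    return {fingerprint(re.sub(r"\D", "", s), salt) for s in protected_ssns}


def scan_message(text: str, index: set, salt: bytes) -> dict:
    """Classify one outbound message.

    'fingerprint': a plausible SSN matches a known protected record (high confidence)
    'heuristic'  : plausible SSN(s) appear together with PHI/PII keywords (medium)
    'clean'      : nothing of note
    """
    lowered = text.lower()
    plausible = []
    matched = 0
    for m in SSN_CANDIDATE.finditer(text):
        area, group, serial = m.groups()
        if not ssn_is_plausible(area, group, serial):
            continue
        digits = area + group + serial
        plausible.append(digits)
        if fingerprint(digits, salt) in index:
            matched += 1
    keywords = [k for k in PHI_KEYWORDS if k in lowered]
    if matched:
        verdict = "fingerprint"
    elif plausible and keywords:
        verdict = "heuristic"
    else:
        verdict = "clean"
    return {"verdict": verdict, "ssn_candidates": len(plausible),
            "fingerprint_hits": matched, "keywords": keywords}


# Constructed demo data: a protected client list and a few outbound messages.
DEMO_SALT = b"constructed-demo-salt"
DEMO_PROTECTED = ["123-45-6789", "219-09-9999"]
DEMO_MESSAGES = [
    "Please find the Apple Health client list. John Doe, SSN 123-45-6789, date of birth 1970-01-01.",
    "Reminder: patient intake forms must include the social security number. Sample: 987-65-4320",
    "New hire SSN 555-12-3456 and date of birth on file",
    "Order 700001234 shipped this morning",
]


def demo() -> list:
    """Run the scanner over the constructed messages and return the verdicts."""
    index = build_fingerprint_index(DEMO_PROTECTED, DEMO_SALT)
    return [scan_message(msg, index, DEMO_SALT)["verdict"] for msg in DEMO_MESSAGES]


if __name__ == "__main__":
    for msg, verdict in zip(DEMO_MESSAGES, demo()):
        print(f"{verdict:12s} {msg}")
```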

Multilayer Security Authentication

Multilayer security authentication is a must. Options such as a fingerprint, a retina scan or a smart card scan should be added to regular password options to establish the identity of the actual user. The user’s role needs to be identified comprehensively, and the extent of authorization should be granted accordingly.

Encryption, Encryption, Encryption

Healthcare servers have vast sources of confidential information stored. Proper encryption of stored data can prevent data loss. Zecurion’s Zserver offers an excellent solution in this context. The solution encrypts information on hard drives, disk arrays and SAN storage using innovative and sophisticated cryptographic techniques. This protects stored information whenever physical control of the media is impossible, whether moving data to the cloud, or in the case of hard drive loss.

Update Security Patches Frequently

Antivirus and firewalls should not be outdated or obsolete. The software should be current and running 24/7, 365 days a year without failure. Still, just deploying antivirus is not enough. Securing the endpoints is equally important to prevent data loss.

Set Up Dedicated Risk Assessment Team

The management should have a formal, dedicated risk assessment team to look into the various techniques, procedures and access points through which PHI and/or PII leaves the system. The team may pose as insider threat actors and hackers, play bad cop, and come up with customized solutions and risk mitigation plans to protect against breaches.

Implement Incident Response Plan

Drawing up an efficient incident response plan helps in mitigating and containing the aftermath. This is very important for the reputation of the organization. When reputation is at stake, having a robust plan that streamlines what needs to be done, when and how, saves time, money and credibility.

Cyberinsurance

Cyberinsurance is an option that healthcare organizations should consider to offset any financial liabilities that may occur as a result of data breaches.

Conclusion

Data loss prevention solutions are a must-have for healthcare organizations. They should be deployed without hindering or slowing down the access of information to care givers. While there is no fool-proof solution to any breach, it is best to go with the saying “prevention is better than cure”.

Top Breaches in Healthcare in 2015-16

Last week, we read about top breaches in the higher education sector. In this blog, we have identified for you top breaches in the healthcare sector.

  1. Anthem – February 2015 saw the largest healthcare breach of all time, with nearly 80 million records containing sensitive data affected.
  2. Premera Blue Cross – In March 2015, the Washington-based organization found that its 11 million records had been hacked and both medical and financial data had been breached. The FBI investigation concluded that Chinese hackers were involved, as in the case of the Anthem breach. The organization provided two years of free credit monitoring to individuals affected by this incident.
  3. Excellus Blue Cross Blue Shield suffered the third largest breach, in which more than 10 million records were exposed.
  4. UCLA Health, based in Los Angeles, had 4.5 million records exposed in May 2015, when an unauthorized user gained access to classified information.
  5. In Indiana, Medical Informatics Engineering stated that 3.9 million records with Personal Health Information (PHI) fell into the hands of hackers in May 2015. Two years of free credit monitoring has been provided to individuals affected by this incident.
  6. In November 2015, Maine General found that data from its system had been uploaded to an external website. Though the site did not contain any sensitive information, the incident still exposed the vulnerability of healthcare to insider and external threats.
  7. In another incident, Washington State Health Care Authority (HCA) notified that 91,000 Medicaid patient files had been mishandled. In this case, an HCA employee was helping an employee of Apple Health, a free healthcare service for low income individuals, with an Excel problem when the information was exchanged inappropriately, which is a clear violation of HIPAA regulations. Though the exposed information was not misused, both employees were relieved of their jobs and one year of free monitoring was provided.

It is worth mentioning that the Department of Health and Human Services is becoming very vigilant in connection with HIPAA violations. The department is determined to make sure that healthcare organizations are complying with HIPAA. If found in non-compliance, organizations have to pay hefty fines. Below are some examples of organizations that had to pay heavy fees as a result of non-compliance.

  1. Cancer Care Group, Indianapolis, paid $750,000 as a HIPAA settlement.
  2. Lahey paid an exorbitant $850K to DHHS.
  3. Triple-S Management Corporation, however, tops the list by defaulting and paying a fine of $3.5 million.

According to the Office of Civil Rights, there were 253 healthcare breaches in 2015, with a combined loss of over 112 million records. To reinforce the importance of implementing data loss prevention, we have put together a few statistics from Ponemon, an independent researcher, on how vulnerable healthcare is to data breaches.

  1. At least 91% of the healthcare organizations have had one breach.
  2. 39% of the healthcare organizations have faced 2 – 5 breaches.
  3. 40% of healthcare organizations have experienced more than 5 breaches.
  4. Data breaches in healthcare cost nearly $6 billion annually.
  5. Most important of all, non-malicious employee error is the leading reason for the breaches.

Conclusion

In conclusion, we can see how vulnerable our healthcare industry is to data breaches. The need for robust and agile data loss protection solutions is strong and immediate. Those that are proactive and take adequate measures are bracing themselves for an imminent risk, while others are left behind. Data loss is no longer new; it is here and it can strike at any time. Prepare and act now.

Top Breaches in Higher Education in 2015-2016

Continuing our series on data loss in the higher education sector, this article identifies the top breaches that have taken place at institutes all around the country. These incidents are noteworthy because they heightened awareness of higher education being a soft target for data breaches.

April 2015 saw one of the biggest breaches at Auburn University where about 360,000 people had their social security numbers exposed online publicly. These people were not even registered/ enrolled students of the university but were either applicants or prospective students.

In May of 2015, when the breach was discovered at Penn State University, it had already affected 18,000 records. It was found that the unauthorized access had started back in 2012 at the College of Engineering and had gone unnoticed until 2015. The alarming issue here is that it took 3 years to detect the breach, and the network had to be disabled for 3 full days, significantly affecting continuity of work.

June of 2015 saw another breach at Penn State University. This time, the College of Liberal Arts came under attack through unlawful access.

A similar breach took place at the University of Connecticut in July 2015. The servers had been hacked by unauthorized users from China beginning in 2013. About 1,800 user credentials were exposed, though it was never confirmed whether any intellectual property was compromised. During the investigation, malicious hardware was found on the servers.

University of Virginia notified in August 2015 that there was a cyber attack originating from China, resulting in the University reinforcing protection of its network against future breaches. Although no PII was stolen, people quickly became aware of the inherent risk that large institutes face because of lack of adequate data loss prevention measures.

In September 2015, at least 80,000 records of students enrolled in an online course at Cal State got hacked. Sensitive information was compromised because of this. The cause was attributed to malware in third party applications offered by a vendor administering the online course. While the PII was not exposed, user IDs and passwords, college emails, gender, and race were made public.

In another incident, California Virtual Academies (CAVA) informed its registered users in December 2015 that their data storage system was exposed as a result of data breach. CAVA, within hours, was able to locate the vulnerability and contain it by securing the system. Users were still urged to check their personal accounts, change security settings online and familiarize themselves with information provided on credit and identity protection.

In January 2016, Southern New Hampshire University (SNHU) confirmed that due to a configuration error on part of a third party vendor, a database containing names, email addresses, IDs, course details, scores etc. had been exposed. About 140,000 students had been affected due to the breach. Since SNHU claimed to have 70,000 enrollments, it was understood that the records either had been duplicated or both former as well as current students had been affected. The investigation is still ongoing.

In February 2016, the University of Florida reported that as many as 63,000 records with PII were exposed to hackers. The records belonged to former and current students as well as staff members. The management also stated that credit card information, other financial data and health records were not compromised.

Conclusion

The above-mentioned incidents reinforce the vulnerability of the higher education sector. Tighter regulations and comprehensive data loss prevention solutions are thus deemed as a necessity in this sector.

Higher Education: Prevent Data Loss, Act Now

In our previous post, we saw why higher education is highly susceptible to data breaches. The sector is a significant source of Personally Identifiable Information (PII), which can easily be breached given the lack of uniform regulations and proper cybersecurity measures. One of the largest breaches in higher education was at the University of Maryland in 2015, when 300,000 records with sensitive data including social security numbers were exposed.

In this blog, we have used research findings from some prominent studies to illuminate the fact that data loss is a big threat in higher education.

The Ponemon Institute, an independent research company on data security, has determined that the average cost of a cybercrime in education is $3.89 million annually, and the number of records exposed due to breaches so far this year is nearly 316,000.

In a recent study conducted by the Center for Digital Education, the key concerns of IT leaders in higher education were analyzed and the following conclusions were derived:

  • 72% said that they were concerned about rampant data breaches
  • 73% said that cybersecurity is a high priority
  • 70% said that spam and phishing will be the main threats for data loss

Recently, education institutes have started implementing a number of measures to thwart the rising threat of data breaches. Some best practices being followed in this sector are summarized as follows:

  • Tactics, Techniques, and Procedures (TTP) Analysis

Studying the tactics, techniques and procedures used by hackers gives great insight into the world of unauthorized access and helps answer the 4 Ws: who these people are, why they are hacking, what they are after and what procedures they are deploying to harvest the information.

  • Willingness to Report Incident

Willingness to come forward and share a breach incident with other institutes helps reduce incidents. The EDUCAUSE Center for Analysis and Research (ECAR) has produced studies showing that alerting higher education leaders and IT professionals about an incident lowers the risk of a repeat incident at the same or another institution. IT leaders at these institutes can collectively come up with methods to prevent similar breaches in future.

  • Incident Response Plan Implementation

Drawing up an efficient incident response plan that helps mitigate and contain the aftermath is a best practice. This is very important for the reputation of the institute. Having a robust plan that lays out what needs to be done, specifying the roles, whom to contact and what to expect, is a smart countermeasure.

  • Conferences for Knowledge Sharing

Many institutes like Dartmouth conduct annual conferences where peers discuss best practices being followed for data loss prevention. In the process, institutes mutually gain the knowledge to avoid and deal with data loss incidents. Dartmouth has implemented both knowledge-based authentication (KBA) and two-factor authentication (2FA) that sets an example of cybersecurity measures other institutes could follow.

Safeguarding the “present” of our students will lead the way to a secure future for them. Act now, else face the threat of data loss.

2016: Data Breach Statistics*, Year until 02/23/2016

*The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which count is available.

1.7 Million Records Already Breached within Just Two Months of 2016

Zecurion offers deeper insight into selected incidents caused either by accidental or intentional data breaches. With all such incidents, the common elements describing the impact of this growing problem are financial loss, compromised intellectual property and dwindling customer confidence. Let us see how some sectors have been impacted during the first two months of 2016. The excerpts below only provide a glimpse of some of these incidents – the list goes on.

Government

2 February, 2016 – Washington State Health Care Authority (HCA) has disclosed that the records of 91,000 Apple Health (Medicaid) clients were accessed without authorization by an employee. Social Security numbers, dates of birth, Apple Health client ID numbers and private health information were passed to an employee of another state agency. An internal investigation established that the information did not go beyond these two employees. As a precaution, a free year of credit monitoring has been offered to the affected people, and both employees have been fired since the incident came to light.

Source:  King 5 News

26 January, 2016 – The County of San Diego has confirmed that the confidential records of all its employees were accidentally sent to Wells Fargo, instead of only those of employees who hold Health Savings Accounts with the bank. The County and Wells Fargo are working together to delete the unneeded records, and a free year of credit monitoring has been offered to the affected people. The breach is deemed an accidental error caused by incorrect data-transfer program code written by Hewlett-Packard Enterprise Services.

Source: California Attorney General, SC Magazine

Healthcare

25 January, 2016 – Health Equity has disclosed that an employee mistakenly sent an email containing personal information of its clients, including Social Security numbers, to one of its business partners. An unknown number of people have been affected and are being offered a year of free credit monitoring.

Source: California Attorney General

Education

5 January, 2016 – Southern New Hampshire University (SNHU) has confirmed that, due to a configuration error on the part of a third-party vendor, a database containing names, email addresses, IDs, course details, scores and other data of its students was exposed. Reports indicate that about 140,000 students are affected even though the university has only about 70,000 enrollments; the discrepancy suggests that both former and current students are included. The investigation is still ongoing.

Source: CSO Online

Insider Threat Mitigation – A Simple, Secure & Successful Approach

In last week's post on Zecurion's Annual Review: 2015 Data Breach Statistics, we saw that human error by negligent employees causes nearly one-fifth of data breaches, and that a whopping one-half of breaches are caused by malicious attacks, including intentional insider attacks. While the motivation is different and unique to each incident, the common factor underlying all data breach incidents is the loss of critical data.

What is Insider Threat?

Zecurion defines insider threat as the threat arising from unauthorized access to an organization's systems or information by employees, whether intentional or accidental. Insider threat also arises when an insider enables others to gain access to critical data without the required authorization.

What is Critical Data?

Critical data includes internal resources, personally identifiable information, financial information, personnel records, security systems, information systems, business equipment, intellectual property, trade secrets, supply chains, or any other information that may either be proprietary to the organization or confidential to its personnel or customers.

What is Insider Threat Mitigation Program?

Even though insider threat is a growing concern, as revealed in our post Zecurion's Annual Review: 2015 Data Breach Statistics, most organizations are still not equipped to detect and deter insider threats in a timely manner. For many of them, especially those with limited IT resources, the challenge is the very first step: not knowing where to start. The problem seems enormous and complicated, and organizations that lack IT resources are overwhelmed. Yet however complicated it may appear, the solution itself is simple, easy to implement and manage, and does not require a dedicated resource.

As part of the insider threat mitigation program, efforts should be focused on identifying very specific and definable targets such as:

  1. What comprises the organization’s critical data
  2. In what ways can insiders access this data
  3. What policies are in place to prevent unauthorized access
  4. Are employees aware of such policies
  5. What will be the reaction to unauthorized actions

Using this focus, the organization can instill an active insider threat mitigation program that combines three key elements:

  1. Classification of data as per the business process rules and determining where the critical data is located, who has access to it, what options and methods could be used to gain access to the sensitive data. Further, mapping out tell-tale signs for unauthorized access can help in early detection of data breach incidents.
  2. Protection of critical data using intelligence and analysis to recognize unauthorized (including accidental) access; identification of the insider’s associates within systems and network and proactive disruption of any such actions.
  3. Prevention of data breach incidents by implementing policies based on user role, giving access as per those user roles, installing data loss prevention solutions, developing employee training on policies and solutions in place

To accomplish these objectives, the organization should limit the ways employees can interact with systems and networks by putting forward IT usage policies and technical measures. Zecurion recommends the following measures.

  1. Create policies that prevent employees from connecting USB storage devices to their workstations.
  2. Embed tags in documents that act as signatures (document fingerprints), and implement policies that block tagged documents from leaving the organization.
  3. Scrutinize audit logs diligently to determine whether any sensitive data has been uploaded by an insider.
  4. Create decoys (honeypot files or accounts) to attract the insider, observe how the insider operates, and design efficient and effective countermeasures accordingly.
  5. Focus on critical data only. Trying to protect all data wastes time and effort; identifying the organization’s critical data makes the insider threat mitigation program more effective. This, in turn, requires collaboration between business groups across the organization, making insider threat mitigation a critical business process rather than just an IT initiative.
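As an added example that is not Zecurion's product code, the Python below strings together the three-element program above (classify, protect, prevent) and measures 2 to 4 of this list: it classifies content for critical data (SSNs and Luhn-valid card numbers), tags documents with a keyed signature so a copy can be recognised at the egress point, and walks an audit log to flag uploads of critical or tagged content to non-corporate hosts and any access to a decoy file. The log format, the tag scheme, the key, the allowed hosts and every sample record are assumptions constructed for illustration.

```python
"""Insider-threat DLP checks: classify critical data, tag documents and flag
risky egress in an audit log.  Added example; not Zecurion's product code.
The log format, tag scheme and all sample records are assumptions."""
import hashlib
import hmac
import re

# Assumption: one organisation-wide key mints tags (a KMS/HSM would hold it in production).
TAG_KEY = b"example-only-tag-key"
TAG_RE = re.compile(r"\n\[ZTAG:([A-Za-z0-9_-]+):([0-9a-f]{32})\]$")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")      # 13-16 digits, optional separators
ALLOWED_DESTS = {"sharepoint.corp.example", "mail.corp.example"}  # assumed corporate hosts
DECOYS = {"exec_bonus_plan.xlsx"}   # assumed decoy file no legitimate workflow touches

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> set:
    """Return the critical-data types found in text (what must be protected)."""
    found = set()
    if SSN_RE.search(text):
        found.add("SSN")
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("PAN")
            break
    return found

def _mac(doc_id: str, body: str) -> str:
    return hmac.new(TAG_KEY, f"{doc_id}\0{body}".encode(), hashlib.sha256).hexdigest()[:32]

def tag_document(doc_id: str, body: str) -> str:
    """Append a keyed signature tag that binds the body to its document id."""
    return f"{body}\n[ZTAG:{doc_id}:{_mac(doc_id, body)}]"

def verify_tag(text: str):
    """Return the doc_id if text carries a genuine tag, else None; a tag copied
    onto edited or different content fails because the MAC is recomputed."""
    m = TAG_RE.search(text)
    if not m:
        return None
    doc_id, mac = m.group(1), m.group(2)
    return doc_id if hmac.compare_digest(mac, _mac(doc_id, text[:m.start()])) else None

def parse_line(line: str) -> dict:
    """Parse 'timestamp key=value ...' audit lines (format assumed here)."""
    ts, *fields = line.split()
    return {"ts": ts, **dict(f.split("=", 1) for f in fields)}

def detect(log_lines, files):
    """Walk the audit log; `files` maps filename -> content so that the payload
    of each upload can be inspected.  Returns (ts, user, reason) alerts."""
    alerts = []
    for line in log_lines:
        r = parse_line(line)
        target = r.get("file", "")
        if target in DECOYS:
            alerts.append((r["ts"], r["user"], f"decoy access: {target}"))
        if r.get("action") == "upload" and r.get("dest") not in ALLOWED_DESTS:
            content = files.get(target, "")
            reasons = sorted(classify(content))
            doc_id = verify_tag(content)
            if doc_id:
                reasons.append(f"tagged:{doc_id}")
            if reasons:
                alerts.append((r["ts"], r["user"],
                               f"upload of {target} to {r['dest']} ({', '.join(reasons)})"))
    return alerts

# Constructed sample data: fictitious names, numbers and hosts, not from any incident.
FILES = {
    "payroll_q1.docx": tag_document("HR-0042", "Jane Roe SSN 123-45-6789 salary 52000"),
    "vendor_card.txt": "Corporate card 4111 1111 1111 1111 exp 12/18",
    "lunch_menu.pdf": "Tuesday: soup; Wednesday: pasta",
    "exec_bonus_plan.xlsx": "DECOY - do not use",
}
SAMPLE_LOG = [
    "2016-03-01T09:12:03Z user=jdoe action=upload dest=sharepoint.corp.example file=payroll_q1.docx",
    "2016-03-01T09:40:17Z user=jdoe action=upload dest=files.example.net file=payroll_q1.docx",
    "2016-03-01T10:02:44Z user=asmith action=upload dest=webmail.example.org file=vendor_card.txt",
    "2016-03-01T10:15:09Z user=asmith action=upload dest=files.example.net file=lunch_menu.pdf",
    "2016-03-01T11:30:51Z user=bkim action=read dest=localhost file=exec_bonus_plan.xlsx",
]

def run_sample():
    return detect(SAMPLE_LOG, FILES)

if __name__ == "__main__":
    for ts, user, why in run_sample():
        print(f"ALERT {ts} {user}: {why}")
```

Running the script yields three alerts: the tagged payroll file with an SSN going to an external host, a Luhn-valid card number mailed out, and the read of the decoy spreadsheet; the upload to the corporate SharePoint host and the lunch menu are left alone. The tag is keyed rather than a plain marker so an insider cannot strip it from one document and plant it on another without the MAC failing, and the Luhn check keeps random digit runs from drowning the reviewer in false positives, which is the practical meaning of "focus on critical data only".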

An effective program that integrates both non-technical and technical approaches requires strong leadership. The idea is to bring together stakeholders from across the organization, including human resources, administration, legal, physical security, information security, and information technology, under one umbrella. This makes implementation of the program successful, mitigating data losses before they escalate into an expensive public incident.