Identity Theft and Data Compromise - TWCA Fall 2012

Presented by David Speciale, J.D., CITRMS at the Texas Water Conservation Association Fall Conference 2012 www.twca.org

Published in: Technology
Speaker notes:
  • Intro Dave Speciale
  • We are going to cover the challenges relating to identity theft and data breach, and the impact identity theft and data breach have on the consumer and on business. We will cover the state and federal compliance requirements relating to data security and how and why a compliance plan is vital to your organization. We will review methods to help prevent a data breach and ways to mitigate the damages when a breach takes place. And finally, ERM best practices in the cyber world.
  • PII explain
  • A tsunami can be devastating. We are all aware of what recently took place in Japan. Identity theft and data breach: I want you to think of how devastating it can be to an individual business. Give an example.
  • Identity theft has been first on the list of consumer complaints for 11 consecutive years. Epidemic proportions. Not enough resources.
  • A whopping 13% increase over the prior year. A new victim every 3 seconds. HAS ANYONE BEEN A VICTIM OF IDENTITY THEFT? PLEASE ASK THE PERSON TO YOUR RIGHT IF THEY HAVE BEEN A VICTIM. DISCUSS.
  • There are five common types of identity theft.

    Driver's license identity theft: Identity thieves know that in the United States one's driver's license is the number one source of identification. Fake driver's licenses are not only used to sneak into bars anymore. With a stolen driver's license a person could get arrested for DWI or DUI (use your name, claim they have no ID, and post bail), then fail to appear in court. Many thieves use your driver's license when applying for jobs, to open new bank accounts, or even to start a business. Until recently many states used your Social Security number as your driver's license number; unfortunately many of these numbers are still in old files and on the web.

    Social Security number identity theft is perhaps the most misunderstood form of identity theft. Some people have said, "I wish someone would steal my identity. My credit is messed up anyway, good luck!" Please be careful what you wish for. In the United States almost everything you do is tied to your Social Security number; when a thief gets this information, be it from a stolen wallet or a hacked database, they can do almost anything to you and your name: get copies of your credit reports, get employment, change your name, reroute credit, get loans, buy a house or a business, and rack up thousands of dollars in bills in your name. Many illegal immigrants have gotten employment, opened businesses, or applied for federal assistance with someone else's Social Security number.

    Financial identity theft: Credit card identity theft, also known as financial identity theft, is the form most people think of, as it is the most common and the easiest to pull off. While there is an unlimited number of ways thieves get your credit card information, the two most common are mail theft and dumpster diving. While sending and receiving your mail at a PO box and shredding documents can deter a thief from your information, it will not stop them, as they also steal the mail and trash from companies you do business with, or hack their computers and steal their data.

    Medical identity theft is one of the most difficult types of identity theft to correct. Medical identity theft is the unauthorized misrepresentation of individually identifiable health information for the purpose of obtaining access to services, which may result in long-lasting harm to an individual interacting with healthcare benefits. It frequently results in erroneous entries being put into existing medical records, and can involve the creation of fictitious medical records in the victim's name. A case in point: a woman who owned a horse farm in Florida.

    Criminal/character identity theft is when the thief becomes you. Many thieves set up their utilities and their homes, establish other credit cards, buy cars and make fake identification to be you. For a time these thieves will even pay the bills. Some will take things to more extreme cases. I recall a high school librarian from a Midwestern state who retired after 30 impeccable years of service. She and her husband moved to Florida. She decided to answer an ad for a part-time librarian at the local high school. She interviewed; however, she did not get the job even though she was the ideal candidate. She eventually found out the reason she did not get the job was that she had two arrests for prostitution. Obviously she was not aware of the police record. Someone had stolen her identity and, when arrested, gave her vital information to the police. Identity theft is not just about credit cards.
  • No one is immune from identity theft. After his Social Security number was published in the Congressional Record, the former Chairman of the Joint Chiefs of Staff, General Shalikashvili, became an identity theft victim.
  • It’s no surprise that identity theft continues to be a time-consuming and expensive problem, but it’s just one fraction of the overall identity picture. A consumer’s identity portfolio is comprised of many different pieces and financial identity theft is just one portion. Medical, criminal and child identity theft, just to name a few, are some other factors consumers need to consider when monitoring their records for fraud.
  • And that's only a tiny fraction of the $30 billion worth of devices that go missing around the globe each year. (Yes, I will hold while you make sure your cell is still at hand.) With more personal info than ever being stored the mobile way, there's a lot on the line if you and your beloved iPhone get separated. People have come to depend on their phones as their wingman. They help us remember birthdays, get directions and capture memories.
  • Municipal breaches:
    Boston: a contractor lost a hard drive with customer contact information.
    City of Burlington: a hacker or hackers managed to transfer $400,000 in city funds to accounts across the country. City employees may have also had their direct deposit bank account information compromised.
    Wayne County, MI: the department of personnel/Human Resources sent out an email blast containing some 1,300 names and Social Security numbers of employees.
  • There are various ways a breach can take place.
    Negligence accounts for approximately 37% of all breaches. An example of negligence: in early 2010, the Massachusetts Secretary of State's office accidentally released the Social Security numbers, dates and locations of birth, and height, weight and hair color of 139,000 investment advisers registered with the state. The data were mistakenly sent to an investment industry publication that had requested a list of registered investment companies, which is public information, from the Securities Division. The Securities Division mistakenly sent them a CD-ROM with the wrong data.
    Internal theft: a hacker in India breached the databases of Digital River Inc, a Minnesota-based e-commerce company, leaving 200,000 customer records compromised. To make matters worse, an American teenager somehow got his hands on the data and attempted to sell it to a Colorado marketing firm for $500,000. Digital River suspects that a contractor working for them aided in the theft.
    Organized crime targeted a high-volume Redondo Beach, Calif., Arco gas station. The crime ring assigned a low-level person to infiltrate the business and waited eight months while he worked himself into a position that allowed him to plant a high-tech skimming device, which gathered customers' credit information. More than 1,000 customers were affected; the criminal spent nearly $300,000 before the scam was uncovered.
  • As mentioned, a data breach can be very costly.
    Wells Fargo settled out of court. Wells Fargo settles lawsuit / Class action alleged bank sold customers' financial information: Wells Fargo agreed to a $6.7 million settlement of a class-action lawsuit that accused the banking giant of illegally selling customers' financial information to telemarketers. The settlement calls for the bank to pay $3.2 million to 81 charities and provide $3.5 million worth of online services to customers.
    VA will pay $20 million to settle lawsuit over stolen laptop's data: the Department of Veterans Affairs has agreed to pay $20 million to current and former military personnel to settle a class action lawsuit on behalf of the men and women whose personal data was on a laptop computer stolen during a burglary. The names, dates of birth and Social Security numbers of about 26.5 million active duty troops and veterans were on the laptop and external drive, which disappeared while in the custody of a Veterans Affairs data analyst in 2006. 800,000 people answered the email; imagine the expense to service this number of calls/people. The theft led to an urgent search by federal authorities that ended with recovery of the laptop and a conclusion that the missing data had not been improperly used.
    TJX Inc., probably the most famous case, has paid out big bucks. Let's face it, there is a war out there: criminals are after sensitive information. Certainly the $256 million is much more than what TJX would have spent on just securing their wireless communications. The parent company of T.J. Maxx and Marshalls stores disclosed in January 2007 that its systems were hacked, exposing at least 45.7 million credit and debit cards to possible fraud. Under the terms of the settlement, the company will pay $2.5 million to create a data security fund for states, a settlement amount of $5.5 million, and $1.75 million to cover expenses related to the states' investigations. In addition, TJX said it agreed to certify that TJX's computer system meets detailed data security requirements specified by the states, and to encourage the development of new technologies to address systemic vulnerabilities in the U.S. payment card system. "Under this settlement, TJX and the attorneys general have agreed to take leadership roles in exploring n...
Slides:

    1. Identity Theft and Data Compromise. Presented by David Speciale, J.D., CITRMS
    2. Texas Water Conservation Association, October 2012. November 5, 2012 © 2003-2011 Identity Theft 911, LLC. All Rights Reserved - Confidential
    3. Identity Theft and Data Compromise – An overview of Identity Theft and Data Breach and its Impact on Consumers and Business – How to Reduce Cyber Risk and Exposure
    4. Identity Theft Defined • Identity theft occurs when someone steals personally identifiable information and uses it to assume an identity in order to commit fraud or other crimes and/or receive a service, information or merchandise
    5. PII
    6. [image slide, no text]
    7. • Fastest growing crime in the United States
    8. • 2011: Number of victims rose to just under 12 million
    9. Identity Theft: Criminal • Driver's License • Medical • Social Security • Credit Card
    10. [image slide, no text]
    11. • Identity theft is on the rise, according to a report released by Javelin Strategy & Research. • The crime struck almost 12 million victims in 2011, a whopping 13 percent increase from 2010. • The main reasons why: the growing number of data breaches and increasing reliance on smartphones and social media.
    12. Niagara Falls • 4 phones are lost at Niagara Falls each day
    13. Smartphones • Smartphone users are about a third more likely to become victims than non-users. • Nearly 7 percent of smartphone users experienced identity fraud in 2011. • And 62 percent of smartphone users do not use password protection for their home screens, which means anyone who finds or takes their phones will have access to the information inside.
    14. • High-profile data attacks on companies likely contributed to the rise in identity theft crimes in 2011. • The number of people who were notified that their information was lost in a data breach in 2011 increased by 67 percent from the previous year.
    15. Data Loss: Not if... but when...
    16. Data Breaches Affect Businesses Regardless of Size
       • Symantec 2010 Global SMB Survey
         – 74% of small and mid-size businesses were targeted for cybercrime
         – 42% lost confidential or private data
         – 40% experienced direct financial costs due to attacks
         – Average cost of the attack was $188,242
       • Privacy Rights Clearinghouse
         – Over 542 million records breached since 2005
       • 2011 Javelin Strategy & Research
         – Small business owner's mean victim fraud cost is more than double that of consumers
           • SMBO: $1,574
           • Consumer: $631
       • Verizon 2011 Data Breach Report
         – Hospitality (40%), Retail (25%), and Financial Services (23%) represented the highest percentage
         – 96% of breaches could have been avoided by the victim business without having to use extremely difficult or expensive actions
    17. Breaches - Municipalities • Boston Water and Sewer Commission • City of Burlington, Washington • Wayne County, Minnesota
    18. Hackers come in all shapes and sizes
       • Black Hat Hacker: A person who breaks into a computer system with the purpose of inflicting damage or stealing data. Black hat hackers are known as the "bad guys".
       • Cyber Terrorist: The use of disruptive activities, or the threat of such activities, against computers or networks, with the intention to cause harm or further social, ideological, religious, political, or similar objectives, or to intimidate someone in the furtherance of such objectives.
       • Hacktivist: Hacktivism is the act of hacking or breaking into a computer system in order to disrupt services and bring attention to a political or social cause. The individual who performs an act of hacktivism is said to be a hacktivist.
       • Script Kiddie: An amateur who tries to illegally gain access to a computer system using scripts (i.e., programs) that others have written. While they may have some programming skill, script kiddies do not have the experience to write their own programs that exploit vulnerabilities. Script kiddies may try to compromise any computer on the Internet they can connect to.
       • White Hat Hacker: People who break into a computer system and inform the company that they have done so. They are concerned employees, hobbyists, or security professionals who are paid to find vulnerabilities. White hat hackers are known as the "good guys".
    19. Breaches • Negligence • Internal Theft • Organized Crime
    20. Litigation/Settlements • Wells Fargo: $6.7 million • Veterans Administration (VA): $20 million • TJX Inc.: $256 million
    21. Technology is in the hands of the criminals • Counterfeiting of checks, personal identification, account access devices, signature verification, business documentation and reference letters is a major exposure area. This has carried over to the electronic environment. • PC document scanning/laser printing, color copiers • PC check printing packages with MICR ink • Skimmers, plastic card embossers/mag-stripe duplicators • User IDs, passwords and tokens vs. malicious software and hacker tools
    22. Skimming Device • Restaurant employee caught using a skimming device to capture ATM and credit card numbers at the drive-thru window • Employee was paid $1,000 for 50 numbers and $2,000 for 100 numbers provided to the recruiter • Recruiter was paid $4,000 by the ring leader for every restaurant employee he recruited
    23. New Technology – New Exploitations • High-risk functionality – inter-bank money movement, wire transfers and bill pay • Online account maintenance and product sign-up • New payment channels – PayPal, Obopay, etc. • Peer to peer file sharing (PTP & BTB) exploits • Social networks – Facebook, MySpace, Twitter, LinkedIn, etc. • Online games with Internet connectivity (e.g. Sony PS3) • Dating and special interest websites, chat rooms
    24. Mobile Fraud Examples • New Trojan endangers Windows Mobile devices – This malware affects Windows Mobile Pocket PC devices. The Trojan sends the infected device's serial number, operating system and other sensitive information to the Trojan's creators. • Security hole found in Apple's iPhone – The flaw could have allowed hackers to take control of the cell phone to spread spam or steal data if its owner visited a doctored website or Internet hotspot. • Car Whisperer – A Bluetooth mobile phone exploit called "car whisperer" allows hackers to take advantage of default Bluetooth passwords. The hackers sit at a hotspot and snoop information off your phone.
    25. Data Risk Scenario: Missing computer device storing PII, such as a laptop, USB flash drive or portable hard drive • Laptop stolen from a parked vehicle • Luggage containing a laptop or portable storage device fails to arrive at its destination • Laptop or portable storage device is stolen from a business or home office
    26. Data Risk Scenario: Breach caused by a vendor. Outside vendor for services that involve PII or PHI of customers, clients or employees • Payroll processor or benefits provider suffers a breach that exposes employee PII
    27. Immediate to-do list: Assess and Cover Risk • Complete a "data" audit to determine the type of personal information you retain • Complete a security audit to determine weaknesses • Focus on vendor management • Determine the types and methods of insurance coverage and related services that are available to respond to the risk • 1st party costs (mailing, consults, mail-house, forensics, etc.) • 3rd party costs (regulatory or civil liability and defense)
    28. Immediate to-do list: Documentation & Programs • Written information security policy • Data breach response plan with remediation resources in place • Data security and privacy awareness programs
    29. 5 ways to ensure that you are protecting data
    30. Protecting Data: Utilize strong passwords and access controls on all computers, smart phones and network devices
    31. Protecting Data: Employ encryption (using built-in features and/or enterprise solutions)
    32. Protecting Data: Ensure policies prohibiting removal of unencrypted personal data and unsecured technologies are followed and enforced
    33. Protecting Data: Destroy or delete all paper and digital files once retention criteria are met. Destroy all equipment/device memory once taken out of service
    34. Protecting Data: Educate and train on data handling and privacy best practices to ensure a high awareness level
    35. Conclusion: Not "if" but "when". Develop a plan to manage your privacy. Be prepared to respond effectively, mitigate damages and protect reputations!
    36. [image slide, no text]
    37. WHO HAS THE FIRST QUESTION
    38. [image slide, no text]
    39. David Speciale, J.D., CITRMS (Certified Identity Theft Risk Management Specialist), is Director of Business Acquisition at Identity Theft 911, a leader in identity theft and data breach management, remediation and resolution services. David has held senior management positions throughout the United States with Allstate Insurance Company. While with AIG as vice president for South East Asia he lived in Japan for 10 years. Upon his return to the U.S. with AIG, his responsibilities included international operations. David has written and lectured extensively on identity theft and data security. He is a member of the International Association of Privacy Professionals. Contact Information: Email: dspeciale@idt911.com Phone: 401-787-4248. Identity Theft 911, LLC & IDT 911 maintain offices in Providence, R.I., New York City, N.Y. and our Operations & Fraud Resolution Center in Scottsdale, Arizona. In addition, we have staff regional Sales Representatives throughout the U.S.
