Data Breaches and Point of Sale Systems

Stew Nelson, Senior Risk Advisor

If you have a Point of Sale (POS) system you need to read this latest Informational Release from iSIGHT Partners. Additionally, if you are one of the 70 million Americans that had their data compromised in the Target or Neiman Marcus data breaches you should read this also.

KAPTOXA POS Report – Released Jan. 16, 2014

iSIGHT Partners, working with the U.S. Secret Service, has determined that a new piece of malicious software, KAPTOXA (Kar-Toe-Sha), has potentially infected a large number of retail information systems. A joint publication has been issued by the Department of Homeland Security, USSS, FS-ISAC and iSIGHT Partners.

Retailers:

If you have a POS system in operation, you may be at risk. If you are interested in a copy of the iSIGHT KAPTOXA POS Report, please contact info@isightpartners.com. If you believe that you have been compromised, immediately contact your local U.S. Secret Service Field Office/Electronic Crimes Task Force (ECTF) or the USSS toll free number at 877-242-3375. For all inquiries pertaining to the official joint publication, please contact the DHS NCCIC Duty Officer at NCCIC@hq.dhs.gov or 1(888) 282-0870.

Consumers:

Don’t be worried, but do be vigilant

As always, regularly check bank statements for fraudulent charges, monitor credit statements for unusual activity, and do not open email from unknown or suspicious sources. If you receive an email from what appears to be your bank or financial institution, do not open the email or click on any links. Instead, contact your financial institution directly via phone or website to avoid any phishing scams.

See more at: http://www.isightpartners.com/

Why buy Cyber Liability Insurance?

Stew Nelson, Senior Risk Advisor

I am amazed that, according to Experian, as of August 2013 almost 70% of business owners have yet to purchase data breach (cyber liability) insurance! There are so many reasons to buy, and I cannot think of a single reason not to purchase this almost mandatory insurance. What is keeping businesses from buying this important insurance? Certainly, it is not because they feel it is not necessary. This same Experian study points out that business owners consider cyber threats to be as big a threat as other business risks. In fact, data from the Gartner Group bear this out: 40% of all businesses that experience a data breach are out of business in 6 months and 51% closed their doors within two years after a major data breach. So what is keeping you? It can't be the price. The price of coverage has steadily dropped over the last two years as more carriers enter the market. I can provide coverage for an average business for around $1000 a year; besides, if you can't afford the price of the policy, how could you afford the cost of a major breach? I cannot figure it out, so I am asking you business owners and decision-makers to let me know your major objections to buying this insurance.

Please post a comment with your reasons!  I promise I won’t try to sell you a policy.  I am just curious how there can be such a major disconnect between the need to purchase and the number of companies that have actually purchased it.  Of course if you want a policy I would be happy to help with that also.  These policies are not one-size-fits-all and you would be well served to buy from someone that has some expertise in selling these policies.

Data Breaches – Know the Numbers

The True Numbers behind Data Breaches – 75-50-75!

Stew Nelson, Senior Risk Advisor

Seems like almost every day I read about another large data breach. Maybe I just notice these articles because I am always looking for more information to put out in another blog post? It is amazing to think that 25% of the individuals whose records have been breached end up as victims of identity theft. The cost, including lost productivity and aggravation, is staggering, yet I still encounter small business owners that feel "it can't happen to me," and so they continue lax security practices that put more records at risk. Well, I am here to tell you that it is happening to businesses like yours every day! Come on folks! It is not that hard to at least put some basic protection in place.

 

Here are the numbers that you need to know:

75! – 75% of all data breaches are not the result of a targeted attack.  Targeted companies are in the minority.  Most breaches occur when a hacker just “surfs” on into your valuable data.  You would not leave your business with the doors unlocked at night so why think you can leave your data unlocked and get away with it?  You are just asking for a thief to stroll on in and help themselves to data you have been entrusted with by your customers.

50! – 50% of all data breaches are caused by employee error. Spend some time with your employees reinforcing the necessity of protecting data with common sense measures. Leaving a firewall off, carelessness with a laptop or not updating anti-virus software are practices that can mean the end of your business. Training can help your employees keep the "black hats" out of your network.

75! – 75% of breaches are possible because a hacker has guessed what your password is! How many of you have not changed the password on your firewall from the default "Admin" password? Using strong passwords works to keep the hackers at bay.

For most of you, just following these simple, common-sense business processes will help keep you from having to explain to your customers why you didn't care enough about them to protect their data. That is not a conversation I would ever like to have!

Stew Nelson
Senior Risk Advisor

Did you know that 24% of data breaches affected retail environments & restaurants?

The bottom line is: If you own a retail store or restaurant that accepts credit cards (Do you know any that don’t?) then you owe it to yourself to spend 13 minutes watching this video!  This might be the most important thing you can do to protect yourself against data theft and associated PCI fines that could put you right out of business.  Like they say, it is what you don’t know that can hurt you.

In the video they talk about ensuring that your Point of Sale System, POS, is compliant with the Payment Application Best Practices, PABP, put out by VISA and last revised in February 2012. In this document they list Payment Application Vendors and the validated PABP versions. You should check this list for the vendor of your POS. If nothing else you should at least have the conversation with your vendor to ensure that magnetic stripe data, CVV2 codes and PIN blocks from the cards are not stored anywhere in your system. If that data is stored on your system you should find out what file(s) it is in and remove it from your hard drive. That is the information that will get you in serious trouble if compromised. Remember, if you don't need the data for a business practice, then don't store it. It is permissible to store the Cardholder's Name, Primary Account Information, Expiration Date and Service Code, but these need to be stored in accordance with PCI DSS.
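One practical way to have the "is it stored anywhere?" conversation with your vendor is to scan the POS host's files yourself for magnetic-stripe track data and bare card numbers. The Python script below is an added example written for this post; it is not code from the author, the video, or any POS vendor. The track 1 and track 2 layouts it matches are the standard ISO 7813 stripe formats, the Luhn check discards most random digit runs, and the sample text is constructed for the example using publicly known industry test card numbers, not real accounts.

```python
import re
from pathlib import Path

# Track 2: ';' PAN '=' YYMM service-code discretionary-data '?'  (ISO 7813 layout)
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
# Track 1: '%B' PAN '^' NAME '^' YYMM service-code discretionary-data '?'
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# A bare 13-19 digit run, optionally grouped with spaces or dashes
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; every real card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits, the form PCI DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> list:
    """Return (line_number, kind, masked_pan) for every cardholder-data hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        covered = []  # spans already reported as track data on this line
        for kind, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in pattern.finditer(line):
                if luhn_ok(m.group(1)):
                    findings.append((line_no, kind, mask(m.group(1))))
                    covered.append(m.span())
        for m in PAN_RE.finditer(line):
            if any(start <= m.start() < end for start, end in covered):
                continue  # already counted as part of a track record
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append((line_no, "pan", mask(digits)))
    return findings


def scan_file(path) -> list:
    """Scan one file; latin-1 never fails to decode, so binary files are scanned too."""
    return scan_text(Path(path).read_bytes().decode("latin-1"))


# Constructed sample: a transaction log line, two stripe records that should never
# have been written to disk, an order number that is not a card, and a card number
# typed into a free-text note.  The card numbers are industry test numbers.
SAMPLE = """\
2014-01-15 10:02:11 txn=88213 auth=OK amount=42.10 last4=1111
;5105105105105100=25121010000000000000?
%B4111111111111111^DOE/JOHN^25121010000000000000?
phone=734-555-0100 order=1234567890123456
note: customer card 4111 1111 1111 1111 exp 12/25
"""

if __name__ == "__main__":
    for line_no, kind, masked in scan_text(SAMPLE):
        print(f"line {line_no}: {kind} {masked}")
```

Run it against the POS application's data, log and temp directories (`scan_file` on each file); the hits on lines 2 and 3 are full stripe records, which is exactly the data the post says must not be on your hard drive, while line 4's order number is matched by the digit pattern but rejected by the Luhn check. Findings are masked so the scan report itself does not become another copy of the card data.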

For additional protection consider purchasing a small cyber liability policy that would pay any fines you might receive and also any notification or forensic costs you might incur if you have a breach.  The pricing has really become affordable and every restaurant and retailer should seriously consider it.

(Source: 2013 Verizon Data Breach Report)

Reporting and Notification Rules Regarding Data Breaches in Michigan

Stew Nelson, Senior Risk Advisor

Remember, I am not a lawyer but for those of you that have a hard time reading regulations, here is a summary of the Identity Theft Protection Act, Act 452 of 2004. This act covers notification of state residents that they are the victims of an unauthorized access of a database with their personally identifiable information or personal health information.

Who has to notify affected individuals? Unless you can determine that a security breach has not or is not likely to cause injury to one or more Michigan residents then you must notify the affected parties.

How will I know if my data breach is likely to cause injury? Due to the high percentage of people that end up involved in identity fraud after a breach, you probably have to assume that your breach is likely to cause injury unless your data is encrypted.

How long do I have to comply with Michigan's notification requirements? You are expected to provide notification without unreasonable delay. The law specifically allows a delay in order to determine the size of the security breach and also to restore the integrity of your network. You also can delay if a law enforcement agency informs you that notification will impede a criminal or civil investigation or jeopardize homeland security.

What constitutes notification? Basically, you'll be required to provide written notice to an affected individual at their postal address. Email can be used if the affected individual has given you permission to do so, or if you primarily conduct your business on the Internet. Prudent business practices would suggest that notification should be conducted by registered mail so that you have a record that the individual was notified and the date they received that notification.

What if I have 25,000 people I must notify and the cost of a registered letter is $10? If the cost of the notification is estimated to exceed $250,000, or you must notify more than 500,000 people, then substitute notification rules apply. Substitute notification can be done by email, by conspicuously posting it on your website or by notifying statewide media.

What if I only store their name and password? You are required to notify if you store the first name, middle initial and last name linked to one or more of the following data elements: Social Security number; driver's license number or state personal identification card number; demand deposit or other financial account number; or credit or debit card number in combination with any security code, access code or password that would permit access to any of the resident's financial accounts.


California Attorney General Leans Heavily on Unencrypted Data

I have been preaching for some time now that anyone who handles or transmits Personal Health Information, PHI, or Personally Identifiable Information, PII, should seriously investigate learning how to encrypt their data. This is especially true for PII or PHI stored on smart phones, tablets, laptops, thumb drives and other portable storage devices. Now, in the first report of its kind issued by a state, the California Attorney General, Kamala D. Harris, in "Data Breach Report 2012" issued a stern warning to organizations that ignore that advice.

The AG backs up her warning to companies with a few interesting statistics. First, it will save you a lot of time and money. She noted that 28% of the companies that mandatorily reported a breach would not even have had to report if their data was encrypted. Second, and even more to the point, 1.4 million Californians out of 2.5 million with breached information would not have had their financial identity put at risk.

As the keeper of PII or PHI we have the responsibility to protect it from breaches. If you have already encrypted your data, my congratulations to you. If you have not started the process, please take steps to do so at once. Data encryption is the "Get out of jail" card that you will need when your information is breached.

 

Stewart V. Nelson | Senior Risk Advisor

Kapnick Insurance Group | simplifying insurance

1201 Briarwood Circle | Ann Arbor, MI  48108 | www.kapnick.com

D 734.929.6057 | F 734.994.7326 | C 734.992.6003

Cyber Safety – Think before you click on outside links!

Stew Nelson, Senior Risk Advisor

Recently, this email arrived in my email box from the head of our IT Department:

——————————————————

SUBJECT: Warning! – Cryptolocker Virus

I just received the following from one of our support vendors. The short version is: don't open attachments or links unless you're sure they're legitimate. If there's any doubt, call the sender and make sure.

IT Department

——————————————————

The message went on to describe how, after somehow inducing an unsuspecting employee to click on a link that installs the crook's software on your network, which then connects back to the felon's systems, they take control of your network. Once they have control of your network they alter your backup routines so that it looks like your data is being backed up every day, but actually it is not! After a few weeks without backups, they encrypt all your data! Once encrypted, the first person that tries to access the data gets a message from the attackers that their data and backups are not available. Yikes! Next up, a ransom message is received that demands payment for the encryption key to restore all their data. If the ransom is not paid the data remains encrypted and may even be deleted from the network server. Consequently, the business owner has no choice but to pay the ransom or lose all their data. Not a very pretty prospect to say the least, all because someone unwittingly clicked on a link they believed was harmless and meant for them.
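The backup sabotage described above works because most businesses trust the backup job's "success" message rather than the backup itself. It is detectable if the copies are verified by content, from a machine the backup software does not run on. The Python script below is an added example, not part of the original post or the IT department's message: it hashes every file under the live data directory and under the latest backup copy, reports files that are missing or differ, and flags the backup as stale when its newest file is older than the allowed window. The directory layout and the sample files built in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path


def manifest(root) -> dict:
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def newest_mtime(root) -> float:
    """Modification time of the most recently written file under root (0 if empty)."""
    return max(
        (p.stat().st_mtime for p in Path(root).rglob("*") if p.is_file()),
        default=0.0,
    )


def check_backup(live_root, backup_root, max_age_seconds, now=None) -> dict:
    """Compare the live data with its backup copy by content, not by job status.

    A backup job that an intruder has quietly disabled still reports success on
    the console; hashing the copies shows whether anything is actually being
    written, and the age check catches a copy that simply stopped updating.
    """
    now = time.time() if now is None else now
    live, backup = manifest(live_root), manifest(backup_root)
    missing = sorted(k for k in live if k not in backup)
    changed = sorted(k for k in live if k in backup and live[k] != backup[k])
    stale = (now - newest_mtime(backup_root)) > max_age_seconds
    return {
        "missing": missing,
        "changed": changed,
        "stale": stale,
        "ok": not missing and not changed and not stale,
    }


def demo() -> dict:
    """Constructed scenario: the backup is a month old and lacks the newest file."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        live.mkdir()
        backup.mkdir()
        (live / "customers.csv").write_bytes(b"name,email\n")
        (live / "ledger.db").write_bytes(b"sales 2014-01\n")
        # The backup copy holds only the older file, and it was written 30 days ago
        (backup / "customers.csv").write_bytes(b"name,email\n")
        month_ago = time.time() - 30 * 86400
        os.utime(backup / "customers.csv", (month_ago, month_ago))
        # Policy for the example: a backup older than two days is a problem
        return check_backup(live, backup, max_age_seconds=2 * 86400)


if __name__ == "__main__":
    print(demo())
```

Run the check from a separate host that mounts both locations read-only, and alert on any result where `ok` is false; a backup that silently stopped a few weeks ago shows up as `stale` with a growing `missing` list long before anyone needs to restore from it. Hash comparison also doubles as a restore test, since it proves the copied bytes can be read back intact.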

I know you are thinking, "I would never click on a link if I did not know who it was from!" Well, what if the crooks added some text to the message that said, "Take a look at the pictures from your son Bobbie's last high school baseball game," what would you do? Think about it for a second. Would you click? Now it gets a little harder to say, "I would never click on a link that I did not know who sent it." Well, the bad news is, that is what the organized crime folks are doing: using information from personal sources like your local newspaper, Facebook or LinkedIn to find something about your personal or work life to break the ice, and then they have you... and possibly your data.

So the real takeaway here is: think before you click on outside links! The bandits are getting smarter every day and we have to stay smarter. Pass the word.

5 Things You Should do if You Get Hacked

Stew Nelson, Senior Risk Advisor

I just read an excellent article by Dennis O'Reilly that explains what an individual should do if you are notified of a possible breach of your personally identifiable information, PII, such as your driver's license number, social security number, passwords, addresses etc. Basically, Dennis suggests five things that you should do:
1. Verify that a breach has occurred. Some sophisticated phishing schemes will notify you of a breach and then ask you to change your password for a particular web site. When you then go to change your password, they steal the new password and then have free access to your account. So before you change your password it is imperative to call or email the company and make certain that a breach has occurred. Whatever you do, don't click on the emailed link.
2. If a breach has occurred then you certainly want to act fast and change your password, utilizing available techniques to develop strong passwords. It is a big pain, but your web security depends on creating strong passwords of at least nine characters. Remember to not use a word that is in the dictionary and be sure to add in some numbers and some random characters like $, #, @, %. These passwords should be changed every three months.
3. Keep close watch on your credit activity. It is very important to report any suspicious activities as soon as possible. If your social security number was compromised then you should pay attention to any new accounts that might be opened in your name. The best way to do this is to utilize the AnnualCreditReport.com free report that you are entitled to each year. There are three credit reporting agencies, so you could receive one free report every four months.
4. For additional protection you can establish a security freeze on all account activity for about $10 to place and $10 to remove the alert. Any of the three credit bureaus can set up the fraud alert for you. You should leave these in place for as long as possible. The hackers may not use your data for a year, so it is important to continue tracking credit activity.
5. The most important thing is to be proactive. Don't sit and wait for the company that was responsible for the breach to contact you or to help you in any way. Take the initiative immediately.
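Step 2's rules (at least nine characters, not a dictionary word, digits and symbols mixed in, changed every three months), together with the earlier post's point about firewalls still running the vendor's default "Admin" password, can be turned into a small policy check that a business can run on its own accounts. The Python code below is an added example, not from Dennis O'Reilly's article or from the author; the dictionary and default-password lists in it are tiny constructed stand-ins for real word lists, and the symbol set is an assumption that extends the four characters the post names.

```python
import re
from datetime import date, timedelta

SYMBOLS = set("$#@%!&*?-_+=")   # assumed symbol set; the post names $, #, @ and %
# Constructed, deliberately tiny stand-ins for a real word list and a vendor-default list
DICTIONARY = {"password", "baseball", "football", "welcome", "sunshine"}
DEFAULTS = {"admin", "administrator", "root", "guest", "default"}
MAX_AGE_DAYS = 90               # "changed every three months"


def check_password(pw: str, min_len: int = 9) -> list:
    """Return the list of rules the password breaks (an empty list means it passes)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    # Strip digits and symbols so 'Baseball2014!' is still recognised as a dictionary word
    letters = re.sub(r"[^a-z]", "", pw.lower())
    if pw.lower() in DICTIONARY or letters in DICTIONARY:
        problems.append("dictionary word")
    if pw.lower() in DEFAULTS or letters in DEFAULTS:
        problems.append("vendor default")
    return problems


def needs_rotation(last_changed: str, today: str, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when a password (dates as YYYY-MM-DD) is older than the rotation period."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=max_age_days)


if __name__ == "__main__":
    for candidate in ("Admin", "Baseball2014!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "passes")
    print("rotate:", needs_rotation("2013-10-01", "2014-01-16"))
```

The letters-only comparison is what makes the check useful in practice: a dictionary word with a year and an exclamation mark appended satisfies the length, digit and symbol rules yet is among the first things a password-guessing tool tries, so it is reported as a dictionary word rather than accepted. In a real deployment, replace the two constructed sets with a full word list and your equipment vendors' documented default credentials.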

 

I understand that it is a real pain to have to go through these steps to keep the thieves at bay, but if you do end up with a stolen identity it is infinitely more of a hassle to get your life back and get your credit rating restored than it is to protect it from the beginning.

Cyber Liability – How will I know I have had a data breach?

Stew Nelson, Senior Risk Advisor

How will I know I have had a data breach?

In my last post we talked about developing an Incident Response Plan. Hopefully you have started down that path by putting "develop Incident Response Plan, IRP" on your "to do" list. Well, now I have another "to do" item for you to consider. After you develop your IRP it may occur to you to ask, "how am I going to know when I have had a data breach?" This question on the surface may sound like a dumb one, but you have to remember that cyber thieves are pretty smart foes and it is not likely that they will leave "broken windows" or "jammed doors" behind as evidence that you have been breached. In fact, a 2013 report by Trustwave that examined 450 data breaches and thousands of penetration testing audits found that it took on average 210 days from the actual breach to detection. This number is up from 90 days in 2011. It is pretty amazing to think that 5% of the breaches took three or more years to detect the intrusion!

Mobile devices make the job of detection even harder.

IT professionals struggle to balance ease of access to data with keeping data secure. We all insist on having data at our fingertips with laptops, tablets and smart phones and even multi-gigabyte memory sticks. However, unless you are in IT, you probably don't pay much attention to the risks associated with Bringing Your Own Devices, BYOD, to work. BYOD changes the whole data security landscape. Instead of just protecting your database with a secure firewall, you now have to worry about data just "walking out the door!"

Intrusion Detection System Software comes to the rescue.

Intrusion Detection System, IDS, software is like a traffic cop at every on and off-ramp and every intersection in a city keeping a watch on every car passing through a checkpoint for illegal activity.  I know this analogy would probably be outlawed by the ACLU but that is how IDS protects your network.  The system is set to monitor key “choke” points of your network for unusual patterns of network traffic.  To properly set up a system can be very expensive depending on how many computers are in your network and how many other access points a crook could find to get to your data.  I don’t want to get into a technical discussion but I must add that setting up a reliable detection system is beyond the capabilities of the IT staff in most small to mid-size businesses.   So what are we supposed to do?
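To make the traffic-cop analogy concrete, here is an added Python example (not from the post, and not any particular IDS product's logic) that runs three simple checks over constructed connection-log lines of the kind a firewall or flow collector records at a choke point: a host talking to many distinct destinations, a host sending far more data out than its peers, and a host contacting one destination at a fixed interval, which is what malware checking in with its controller looks like. The log format and the thresholds are assumptions for the example; a real IDS compares against a learned baseline of the network and against signatures of known attacks.

```python
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed connection log: timestamp source destination dest-port bytes-out
SAMPLE_LOG = """\
# beacon: one workstation checking in with the same outside host every 5 minutes
2014-01-16T02:00:00 10.0.0.5 203.0.113.9 443 512
2014-01-16T02:05:00 10.0.0.5 203.0.113.9 443 530
2014-01-16T02:10:00 10.0.0.5 203.0.113.9 443 498
2014-01-16T02:15:00 10.0.0.5 203.0.113.9 443 515
# ordinary browsing
2014-01-16T09:01:12 10.0.0.7 198.51.100.20 443 2048
2014-01-16T09:03:40 10.0.0.7 198.51.100.21 443 1800
2014-01-16T10:15:00 10.0.0.9 198.51.100.20 80 900
# volume: a 52 MB upload from a host that otherwise sends almost nothing
2014-01-16T11:00:00 10.0.0.9 198.51.100.77 443 52000000
# fan-out: one host touching five internal file servers in five seconds
2014-01-16T12:00:01 10.0.0.11 10.0.0.20 445 100
2014-01-16T12:00:02 10.0.0.11 10.0.0.21 445 100
2014-01-16T12:00:03 10.0.0.11 10.0.0.22 445 100
2014-01-16T12:00:04 10.0.0.11 10.0.0.23 445 100
2014-01-16T12:00:05 10.0.0.11 10.0.0.24 445 100
"""


def parse(lines) -> list:
    """Turn log lines into (timestamp, src, dst, dport, bytes_out) tuples."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                       src, dst, int(dport), int(nbytes)))
    return events


def detect(events, fan_out=5, volume_factor=10, beacon_min=4, beacon_jitter=0.1) -> list:
    """Return (source, alert_type, detail) for each host that trips a rule."""
    alerts = []
    dsts = defaultdict(set)       # distinct destinations per source
    out = defaultdict(int)        # bytes sent per source
    times = defaultdict(list)     # connection times per (source, destination) pair
    for ts, src, dst, dport, nbytes in events:
        dsts[src].add(dst)
        out[src] += nbytes
        times[(src, dst)].append(ts)

    # Rule 1: one host contacting an unusual number of distinct machines
    for src, d in dsts.items():
        if len(d) >= fan_out:
            alerts.append((src, "fan-out", f"{len(d)} distinct destinations"))

    # Rule 2: outbound volume far above the median host on this segment
    median = statistics.median(out.values())
    for src, total in out.items():
        if median > 0 and total > volume_factor * median:
            alerts.append((src, "volume", f"{total} bytes out vs median {median:g}"))

    # Rule 3: repeated connections to one destination at a near-constant interval
    for (src, dst), stamps in times.items():
        if len(stamps) < beacon_min:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= beacon_jitter * mean:
            alerts.append((src, "beacon",
                           f"{len(stamps)} connections to {dst} every ~{mean:.0f}s"))
    return sorted(alerts)


if __name__ == "__main__":
    for src, kind, detail in detect(parse(SAMPLE_LOG.splitlines())):
        print(f"{src:<10} {kind:<8} {detail}")
```

Each rule on its own produces false positives (a software update server fans out legitimately, a nightly off-site sync is large by design), which is why the post's point stands: the value of an IDS comes from tuning these thresholds to what is normal for your network and from someone watching the alerts, and that is the part most small businesses cannot staff themselves.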

 

You can find your answer in the “Cloud.”

For most small to mid-size businesses it doesn't make much sense to try to develop your own security systems when they are readily available from most large data and application hosting companies, i.e., cloud providers. I recently contacted one of our local storage companies and they quoted me $200 a month for a dedicated server complete with firewalls and IDS software. If I was worried about data security I think that I would definitely be exploring a hosted service for anything I wanted to keep secure.