If you didn’t hear it on the news, you probably got an email from Anthem letting you know that your personal information has been exposed in a massive data breach that impacts over 80 million people served by the medical insurer. According to Anthem’s own website established to address this breach, no medical records or credit card information was stolen (that they know of), which is a faint blessing in the face of what was stolen: names, addresses, birthdates, social security numbers, phone numbers, email addresses and employment history. In other words, everything a thief needs to steal your identity.
What this means for you:
As before with other large data breaches, there’s not a darn thing you could have done to protect yourself from the attack. If you just happened to not be a current or former Anthem-covered individual, it’s likely your information was stolen previously in any of the numerous other breaches from last year. Anthem will be offering free credit monitoring to all affected individuals, something that is going to sting their deep pockets significantly, but will do little good in the long term. Why? Well, unlike credit card numbers, addresses or phone numbers, 80 million people aren’t going to change their names, dates of birth or social security numbers. Identity thieves can outwait the one year of monitoring (still unconfirmed, one year is my guess) that Anthem will provide. You can bet a large number of people won’t continue that service on their own dime, but you might want to consider factoring this type of fee permanently into your annual budgets. Or at least until someone can figure out how to secure our identities and credit better.
From a business standpoint, Anthem’s plight illustrates an important lesson. Though current legislation recommends this sort of data be encrypted, it is not a requirement. Shouldn’t Anthem have taken the extra step to protect your data? Does the government need to mandate common sense and best practice? Will Anthem’s current nightmare convince you to enforce stricter security practices in your own work and personal life? I don’t think you need me to tell you that if you want a prosperous and sustainable business, protecting your sensitive data is no longer a recommendation, it’s a requirement.
First the country’s largest bank has a huge data breach, and now the nation’s largest bond insurer admits that it inadvertently exposed sensitive customer information through its website. As an example of the old maxim, “Man has no greater enemy than himself,” MBIA, Inc. allowed unfettered access to a subset of very sensitive customer information (think: customer names, account and routing numbers, balances and dividend amounts) via a poorly configured webserver that opened up this data to the general internet. Access was so unrestricted as to allow search engines to index up to 230 pages of information that also included administrative login credentials that could lead to much more significant security breaches throughout the MBIA infrastructure.
What this means for you:
Today’s technology is a resounding testament to how innovative humans are, but equally apt to demonstrate just how fallible we can be. In the digital world, a simple mistake can lead to millions being compromised in life-affecting ways. Most of you aren’t responsible for millions of customers or their data, but imagine if you had to contact your hundreds or thousands of customers with the bad news that “due to a configuration error” their data was leaked to the internet, and probably in the hands of cybercriminals. Whether it is thousands or millions, it would still be a nightmare, especially if your business isn’t big enough to be able to count on the data breach fatigue that has allowed Target, Home Depot and JP Morgan to sail past titanic failures in security. In the end, your security boils down to one thing: humans, not machines. Knowing this, you should always hope for the best (we will get better at this) and plan for the worst: we’re going to make a lot of mistakes along the way!
Telecommunications giant AT&T disclosed on June 13 that three employees of one of its vendors used their privileged access to hack a server containing sensitive customer data, including Social Security Numbers, birth dates and cellular phone numbers. Thus far, AT&T hasn’t revealed how many are affected by this breach, and for the moment it appears that the hackers gained unauthorized access for the purposes of unlocking older generation AT&T phones for use on other carrier networks. The breaches happened in April, but AT&T is only just now notifying affected customers.
What this means for you:
Unlike previous data breaches, the exposed customer data hasn’t appeared for sale (yet!) on the internet black market, but AT&T is offering a free year of credit monitoring as a mea culpa to its affected customers. If you were affected by this breach, you should have already received a notice from AT&T of the potential exposure. This latest breach demonstrates an important point about security: no matter how much you invest in protecting your perimeter, serious threats may already be behind your “firewall”. As an individual, there is very little you can do to help AT&T be more secure, but you can take your credit history and activity seriously, and always keep your eyes peeled for unusual activity on any online account, regardless of whether it is a financial service or not.
Thanks to the commoditization of computer hardware, it’s possible to buy a serviceable laptop that costs less than $500 brand new. This has resulted in many companies relaxing the restrictions they had on their purchase and use, but a small healthcare provider in North Idaho learned a harsh lesson that hardware costs are the least of their worries when it comes to losing a laptop. The Hospice of North Idaho recently had a laptop stolen that contained unencrypted, sensitive personal information on over 400 of their patients, and because this is a violation of the Health Insurance Portability and Accountability Act, the Department of Health and Human Services is slapping the non-profit hospice with a $50,000 fine.
What this means for you:
Even if you aren’t a healthcare provider, being aware of the data on your company’s laptops should be a top concern, regardless of whether you think the data doesn’t fall into the protected class outlined by HIPAA. Mobile electronics, like laptops and smartphones, are a prized target of thieves, on top of being ridiculously easy to damage and/or misplace all on their own. If your laptops are used heavily on the road, you should consider encrypting some or all of the data on the device, as well as making sure employees are using physical security devices like cable locks whenever the laptop is set down for more than 5 minutes, even if in a “secured” working environment. If your smartphone has access to any company or customer data, you should have auto-locking enabled and at least a 6-digit PIN or password to unlock it. Cable locks won’t stop a determined thief, but they will deter most casual theft, and data encryption plus passwords will make sure you never have to have that meeting with a client (or worse, a prospect) to let them know that their data might be at risk.
We’ve already seen way too much of some politicians and celebrities on the internet, but it seems human foolishness knows no bounds where the internet is concerned: sharp eyes have spotted a trend of people posting things like driver’s licenses, debit cards and other items with sensitive personal information in plain view on the internet through services like Twitter and Instagram. The reasons for posting these images aren’t immediately clear – and frankly, there isn’t a single logical explanation that doesn’t make these folks out as complete fools.
What this means for you:
In case you aren’t clear as to why this is a bad, bad thing – posting your sensitive personal information on the internet is tantamount to building a gigantic neon sign over your head that says, “Steal my identity, please!” To all the people who are doing this – STOP. Put down your smartphone (ironic, eh?) and step away from the internet. Go stand in the corner and put on that funny, pointed cap. Congratulations, you’ve just earned the Dunce of the Year!
Parents – if you have a teenager with their own smartphone and they’ve just earned their driver’s license or their own credit card, make sure they aren’t taking a picture of that shiny new card and posting it on the internet to brag to their peers. It might be a good time for a little security chat – and it will be a lot more comfortable than that other chat you’ve been putting off for a while now, right?
In yet another instance of high-profile data loss, the National Aeronautics and Space Administration (NASA) has announced that a laptop containing unencrypted, sensitive data was stolen. Ahead of a final determination of the extent of the data exposure, NASA has warned its 300,000 employees and contractors to be extra cautious and that they may be at risk for identity theft.
As a result of this theft and previous data exposure incidents, the organization has established a new policy that all laptops will be encrypted from this point forward, and until the encryption can be enforced, all laptops with sensitive data can no longer be removed from NASA facilities.
What this means for you:
The NASA laptop in question was password protected, but you may not be aware that gaining access to data on a password-protected laptop is trivial when you have the actual device in your physical control: the login password only guards the operating system, not the drive itself. Though it does add some overhead to the overall performance of a laptop, an encrypted data partition or, better, full-drive encryption is the only way to truly safeguard data on mobile devices, and it is a compromise that savvy organizations are willing to make in order to allow their knowledge workers the mobility required in today’s technology environment. If you or your knowledge workers work with sensitive data, whether it be employee records or client data, you should review your organization’s privacy and security policies to ensure you are properly protecting yourself from a damaging security breach and data loss.
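One way to verify the point above on a Linux laptop, as an added example that is not part of the original post: parse `lsblk --json` output and flag every mounted filesystem that is not stacked on a dm-crypt (`crypt`) device. The sample `lsblk` output and the list of exempt bootloader mounts are constructed assumptions, not data from any real host.

```python
import json

# Constructed sample of `lsblk --json -o NAME,TYPE,MOUNTPOINT` output (not from a real host):
# root is mounted through a LUKS container, /data is a plain partition.
SAMPLE_LSBLK = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}]},
    {"name": "nvme0n1p3", "type": "part", "mountpoint": "/data"}
  ]}
]}
"""

# Assumption: bootloader partitions are expected to stay unencrypted.
EXEMPT_MOUNTS = {"/boot", "/boot/efi"}


def _walk(devices, under_crypt, found):
    """Depth-first walk; a mount is encrypted if any ancestor (or itself) is type 'crypt'."""
    for dev in devices:
        is_crypt = under_crypt or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint:
            found.append((mountpoint, dev["name"], is_crypt))
        _walk(dev.get("children", []), is_crypt, found)


def unencrypted_mounts(lsblk_json):
    """Return sorted mountpoints whose backing device has no dm-crypt layer above it."""
    tree = json.loads(lsblk_json)
    found = []
    _walk(tree["blockdevices"], False, found)
    return sorted(mp for mp, _, enc in found if not enc and mp not in EXEMPT_MOUNTS)


if __name__ == "__main__":
    # On a real host, replace SAMPLE_LSBLK with:
    #   subprocess.check_output(["lsblk", "--json", "-o", "NAME,TYPE,MOUNTPOINT"])
    exposed = unencrypted_mounts(SAMPLE_LSBLK)
    print("mounts with no disk encryption:", exposed or "none")
```

The check only tells you where encryption is absent; it cannot judge passphrase strength or whether the key is protected by a TPM.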