How Data Breaches Affect Children

How Data Breaches Affect Children

Believe it or not, data breaches do affect children, even as young as infants. The worrisome aspect of recent massive data breaches is that many adults have grown immune to data breach notifications; so much so that nearly half of Americans haven’t even checked their credit following the Equifax breach. If they are not checking their own credit, you can pretty much bet that they haven’t looked into their children’s credit either.

One family of five decided to plug in their entire family’s information into the Equifax data breach checker and were surprised to see that their 7-year-old son’s information was potential stolen.

The theft of a child’s identity is lucrative to a cyber-criminal because it can remain undetected for years, if not decades. Without regular monitoring, a child’s identity that has been stolen may not be discovered until they are preparing to go to college and start applying for student loans or get their first credit card. By then, the damage is done and the now young adult will need to go through the pain of proving that their identity was indeed stolen.

It may be surprising to many but a 2011 report found that children are 51% more likely to be the victim of identity theft than an adult. It was found that one of the victims was only five months old and another teenager had over $700,000 in debt in their name.

And this tax season, cybercriminals on the DarkWeb have been caught selling the social security numbers of infants for just $300 per social to be used on fraudulent tax returns. While data on children has been on sale for many years, this is the first believed case where hackers are specifically targeting newborns and “fresh” social security numbers.

So, what can parents do to protect their children and their credit?

The first step would be to treat your children’s social security numbers just as carefully as you would treat your own. Do not provide it to anyone unless absolutely necessary (doctor, school, accountant). And if you have a teenager, teach them how to be responsible with their social security number as well.

Secondly, if you have reason to believe that your child’s information may have been stolen, you as a parent are allowed to request to see if your child has a credit report and secondly, if they do, by request you can also put a credit freeze on their report.

Image Credit – Freepik

Beware Tax Season Scams

Beware Tax Season Scams

Tax season is upon us again and the hackers have been busy with a slew of old and new tricks to try to steal tax refunds. Here are some of the new and old tricks that hackers are employing this tax season and some tips on how you can avoid being taken advantage of by cyber-criminals.

A New Twist to an Old Game

Who wouldn’t be happy to get a bunch of money deposited in their bank account by surprise from the IRS?! Unfortunately for us, the IRS is not just giving us all money and it is a new elaborate scam by hackers to try to swindle you and the IRS out of money. Hackers are using your personal information to file a fraudulent tax return on your behalf but also having it deposited in your bank account. Then they fall back to their old scam of calling or emailing you, claiming to be the IRS and demanding that you send the money back.

Thanks, Equifax…

Due to the massive Equifax data breach, the IRS is expecting a huge uptick in the number of fraudulent filings. To try to help combat some of the fall-out, each employer has been assigned a special Employer Code that is found on the W-2 form to try to make sure that fake W-2s are not used to file claims.

The IRS also has encouraged everyone to try to file their claims as quickly as possible as to not allow hackers a chance to put in a fake claim before you do. If two (or more) claims are filed with your social security number, the IRS will notify you by snail mail (The IRS does not email or call).

If you try to eFile and a claim has already been filed, your claim may be rejected and you will need to contact the IRS (also because of the Equifax data breach, contact the FTC).

Even Children are Affected…

A worrisome discovery this tax season has been the sale of infant and child personal information on the Dark Web. Hackers even are eliciting sale of the information by advertising that it is tax season and buyers should get the information before it is used. The troublesome aspect of having children’s personal information for sale on the Dark Web is that very few parents actually monitor the credit of their youngsters and they may not discover a fake identity for years or even 16-17 years down the road when the child is grown and starts applying for college or credit.

The ol’ W-2 Phishing Scam

Despite IRS warnings and tons of news the past couple of years, hackers are still tricking businesses into sending their employee records. A few years ago, the IRS warned companies of falling for the W-2 scams but despite the continued warnings, businesses (and even government offices like the City of Keokuk,Iowa and Batavia, Illinois) are still falling for phishing scams posing as the company CEO or executives asking for employee summaries and W-2’s.

Employees may be your business’ greatest weakness but they also can be your greatest defender if you take the time to educate them. Inform your employees who have access to sensitive employee data about these types of scams. Don’t just assume that they know.

Teach your employees how to identify phishing scams and when it comes to sharing sensitive data, you can encourage them to seek verbal approval from the requestor. Even though scammers state there is extreme urgency in receiving the response, getting a verbal confirmation from the sender is the best way to protect sensitive information (the same goes for urgent requests for wire transfers to the Finance Department!)

Lastly, sensitive employee data should never be transmitted unencrypted (even if it’s thought to be internal).

Another Day, Another Data Breach – Should We Just Get Used to It?

Another Day, Another Data Breach – Should We Just Get Used to It?

It seems like we can’t go a week without news of a data breach affecting a major company: Target, Home Depot, Yahoo (all 3 Billion account holders), HBO, Equifax (3 times), Deloitte, Sonic, Whole Foods. With the prevalence of personal information being exposed and stolen, people often wonder should we just get used to having our data breached? Should we get used to the fact that cat photos on Facebook are more secure than our social security number?

In short, no! We should never simply accept that the companies are not responsible for the security of the data they collect about us. We should be upset when our data is breached and demand action so that companies begin to take data security seriously. And one of the worst things about data breaches is that nearly all of them end up being far worse than initially reported.

The Equifax hack occurred because the company failed to install a patch for vulnerable systems for over six months after the patch was released. The Security & Exchange Commission (SEC) which ironically issues regulations telling other companies to clean up their technology infrastructure and can fine them for failing to take the necessary cyber-security measures suffered a data breach of its “Fort Knox” system called EDGAR which companies use to file all the important stuff about the business like quarterly earnings, merger & acquisition, IPOs, market news, and more. And Deloitte’s email administrator failed to secure his/her account with two-factor authentication and hackers were able to get in with privileged, unrestricted administrator access and steal millions of email records, many with sensitive information.

With the onslaught of lawsuits and regulatory inquires against Equifax will teach businesses anything, it is that our lawmakers and the people they represent are tired of having their data compromised and soon we can hope there will be real, tangible changes in how businesses consider data security. In its most recent shareholder packages for at least five years, Equifax did not mention data security once as a company priority. This must change and any business that collects personal information must be serious about the protection and should they fail, there must be repercussions because the theft of data can lead to real harm to individuals.

The news of the credit card data breach at Sonic has made many wonder, how are credit cards still getting hacked? The credit cards themselves are fairly secure but when the point-of-sale (POS) system used to process the credit card transaction is compromised, there is little the new chip technology can do to protect the consumer. USA Todayattributes part of the problem to the increase in the use of technology by businesses without the budget and skillset required to secure those new internet-connected POS systems. Companies need to ensure that they not only invest in the new systems but also hire the technical staff or find a trusted partner, like Axiom Cyber Solutions, to ensure that the POS systems are properly protected. Companies that take credit cards need to consider PCI requirements and ask the question, “If I get breached and lose the ability to take credit cards, can my company survive?”

Don’t get used to having your data breached. Demand that businesses protect your data and encourage your lawmakers to consider new legislation that would allow regulation of data security standards and penalties for data breaches.

What You Need to Know about the Equifax Breach

What You Need to Know about the Equifax Breach

Data breaches are bad but the Equifax data breach may be one of the worst. When hackers stole the data on potentially 143 million American consumers from the credit reporting bureau they took everything they needed to unlock the identities of 44% of the American population. And ironically, Equifax was one of the companies that other companies turned to when they were breached. As their website states: “You’ll feel safer with Equifax. We’re the leading provider of data breach services…”

Hackers reportedly used a website vulnerability to steal everything from social security numbers to credit card numbers from May until the breach was discovered on July 29thmeaning the hackers had access for at least two full months. No reason for the delay in informing the public has been given but in some recent large investigations law enforcement has requested companies to wait to disclose the information.

What makes this data breach one of the worst, even though the scale isn’t as large as say Yahoo’s 500 million, is that consumers did not have to directly give their information to Equifax, instead it was provided to them by nearly every bank, credit card, and loan company to make credit decisions. So if you have ever applied for a credit card, loan, or mortgage, your data may have been compromised.

As standard with breaches, Equifax has offered free credit monitoring services for a year if you sign up by November 21st whether your data was accessed or not. But wait, don’t leave and sign up right now! A caveat to signing up for Equifax’s offer of free credit monitoring service from TrustedID, which is also owned by Equifax, is that the terms of service of TrustedID states that if you sign up you cannot partake in any class action lawsuits against the company. And not wasting any time at all, two Oregon residents have filled a lawsuit against Equifax alleging negligence in securing the personal information of consumers.

While a nice gesture and possibly giving Equifax some legal relief as people scramble to sign up for credit monitoring, the data stolen from Equifax can be sold on the DarkWeb for years to come to steal identities. There is no expiration date on information like name, address, date of birth, and social security number… all of which the hackers took. Consumers will need to remain vigilant in checking bank account information and making sure their identities are not stolen for the near and far future. Signing up for a credit monitoring service is definitely a good idea, perhaps not with TrustedID, but as you look, try to find one that doesn’t just look for new account creation. Find a service that monitors open accounts for changes as well as new account creation. You can also look into identity protection insurance services, such as LifeLock, as an additional layer of protection.

As a notable side note: Questions have been raised about the sale of $1.8 Million in stock by three executives of Equifax following discovery of the breach before it was disclosed to the public. The company reports that none of them knew about the breach. That does make one question the cyber-security incident reporting policies of such a large organization.

(AP Photo/Mike Stewart)

Tax Season Cyber-Crime: Hackers Step Up Phishing for W-2 Information

Tax Season Cyber-Crime: Hackers Step Up Phishing for W-2 Information

Despite IRS warnings and tons of news, tax season phishing scams have taken in an incredible number of businesses this year. Early in January, I wrote about the dangers of phishing, particularly for W-2’s during the tax season and it seems that each day there is news of another company that has unwittingly exposed sensitive employee data to hackers.

A year ago, the IRS warned companies of falling for the W-2 scams but companies are continuing to fall for email scammers posing as the company CEO or other high ranking executives asking for employee summaries and W-2’s. The W-2 information is valuable to hackers because they can take the information and file false tax returns with a diverted refund before the real person can.

Already last month four companies in Indiana have fallen for the trick. 17,000 employees of American Senior Communities were notified that their payroll processor had fallen for the W-2 phishing scam in mid-January but it wasn’t until employees started having their tax returns rejected in February that the breach was discovered.

Another company in Indiana, Monarch Beverage, discovered that they had fallen for the W-2 phishing scam two years in a row while investigating this year’s breach. During the investigation, the company found that the same information had been erroneously disclosed in April 2016 to a hacker posing as the company CEO.

The stories go on and on about unfortunate employees and companies have fallen victims to increasingly more sophisticated phishing attempts. Phishing actually topped the IRS’ Dirty Dozen list of tax scams for 2017 and the IRS has seen a 400% increase in phishing scams since 2009.

So, what can businesses do to combat phishing scams and protect their employee’s data?

Employees may be your business’ greatest weakness but they also can be your greatest defender if you take the time to educate them. Inform your employees who have access to sensitive employee data about these types of scams. Don’t just assume that they know.

Teach your employees how to identify phishing scams and when it comes to sharing sensitive data, you can encourage them to seek verbal approval from the requestor, although phishing scammers often send their emails stating there is urgency in the response. But will an extra five minutes to get verbal confirmation from the sender be too much?

Two school districts (Groton, Glastonbury) in Connecticut were victimized by a phishing scam that divulged W-2 information for nearly 3,000 employees. The school district manager in Groton was placed on administrative leave and the Superintendent expressed his dismay in the disclosure stating “We are of course heartbroken and I just can’t tell you how disappointed I am that this occurred.” But in a related incident, the town of Groton also received a similar email asking for the W-2 information for all the town employees but the employee who received the email was suspicious of the request and reported the fraudulent request. You don’t ever see the success stories published in the news, but this employee truly saved the day by being suspicious of unusual requests for sensitive data.

Lastly, sensitive employee data should never be transmitted unencrypted, even internally.

The Worst Data Breaches of 2016

The Worst Data Breaches of 2016

2016 has been quite an interesting year for cybersecurity. Not only was it among the most hotly debated issues in the Presidential election, but the industry itself has seen much activity, both good and bad. Efforts were made to shrink the cybersecurity skills gap,  there was a significant increase in common knowledge of various types of cyber-threats, and combating cyberbullying is set to be one of the main areas of focus for First Lady-elect, Melania Trump.

Despite this prosperity, however, there have been more ransomware attacks and data breaches affecting companies across all industries in 2016 than ever before. Among the most affected are technology, government, and healthcare, and this means that almost all of us could possibly have been touched by one data breach or another. Among the largest data breaches disclosed this year are the multiple Yahoo breaches, the numerous breaches within the healthcare industry, and there was even a breach on the country’s maritime defenders, the US Navy; Each of these has its own precious data that should have been protected. Here, we take a closer look at a few of 2016’s worst data breaches as well as what companies can do in the event they are attacked in the future.

Yahoo!

Breaking earlier this week was the news of yet another Yahoo data breach; only this time, it’s record-breaking. Over one billion (yes, billion with a ‘B’) accounts were compromised in this hack back in August of 2013. This news, coming on the heels of a different breach that affected over 500 million Yahoo users in 2014 (disclosed in September of this year), has turned many against the company, causing the public to discredit the company almost entirely, seeing as their lack of cyber defenses put over a billion of us at risk.

Not only did Yahoo put over 1.5 billion people’s data in the hands of cyber-criminals, but the type of data that was leaked is extremely private information. When asked about the 2013 data breach, Yahoo said, “The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (an original string of data that is converted into a seemingly random string of characters) and, in some cases, encrypted or unencrypted security questions and answers.”

As though this isn’t bad enough, of those email accounts that were affected, over 150,000 came from FBI, CIA, White House, and other government and military employees. This means that this data breach has put not only the public’s personal information at risk, but also information related to our national security. “It’s a leak that could allow foreign intelligence services to identify employees and hack their personal and work accounts, posing a threat to national security,” a Bloomberg article noted on the Yahoo breach.

Yahoo plans to contact to those users who might have been affected in either of these breaches via email. The company also provides a help link to aid users in recognizing whether or not their accounts have been hacked. Yahoo says that if any of the following are true of your account, you should update your password and recovery information with them.

  • You’re not receiving any emails.
  • Your Yahoo Mail is sending spam to your contacts.
  • Your account info or settings were changed without your knowledge.
  • You see logins from unexpected locations on your recent activity page.

The Healthcare Industry

Healthcare was affected by cybersecurity threats heavily in 2016. Hospitals and other providers were the primary targets of ransomware threats and there were a significant amount of data breaches as well. Though no single breach came anywhere close to the number of infected users as the Yahoo breach, there were many breaches that resulted in the number of users infected adding up quickly.

The largest of these breaches was against Banner Health in Phoenix, Arizona, which impacted 3.62 million individuals. The breach happened over the months of June and July earlier this year. Banner Health discovered unusual activity on its computer servers in late June and found evidence of two attacks. In these attacks, hackers accessed both patient records and credit- and debit-card transaction records from customers who had purchased food and beverages at the hospital. They sent physical letters in the mail to their affected customers to notify them of the breach, but the center’s image took a serious hit after exposing so much of the Phoenix area’s data.

The most recent healthcare related data breach, that hit Quest Diagnostics earlier this month, only exposed 34,000 users. Even though this is a small number compared to some of the other breaches, there are tens of thousands of people whose information is now at risk. Because of this breach, as well as the build up of others in the medical field this year, cybersecurity professionals are devoting much of their work toward protecting the healthcare industry in the future.

U.S. Navy

As though it is not bad enough that the medical field has been so highly targeted by this type of attack, the U.S. Navy was hit by a data breach this year as well. Personal data for more than 134,000 sailors, past and present, was exposed in this breach, including names and social security numbers. The breach occurred because of an unsecured Hewlett Packard Enterprise (HPE) laptop. HPE told the US Navy that one of its laptops operated by a contractor had been “compromised,” however it didn’t provide any further information about how the breach.

Though The Naval Criminal Investigative Service claims that none of the exposed data has been used for any malicious purposes, it has been access by “unknown individuals,” so the Navy is taking this breach very seriously. Navy personnel boss Vice Adm. Robert Burke said in a statement”…this is a matter of trust for our sailors… We are in the early stages of investigating and are working quickly to identify and take care of those affected by this breach.” Similarly to Yahoo, the Navy plans to email those who might have been affected by this breach in order to prevent any further damage from happening.

How to Avoid Data Breaches in 2017

IT professionals generally emphasize prevention when it comes to securing your company against threats in the cyber-realm, but there is a consensus among these professionals that it is not a matter of if your company will face a data breach, rather when.

Though this may sound ominously pessimistic, it doesn’t mean that you can’t prepare in some way to secure your company and its customers so that they survive the breach unscathed. There is not one single way that this can be accomplished, but by implementing the tips below, your company can fight back and protect its important data when hit with this inevitable hack.

  1. Breach acceptance–When it comes to data breaches, preventative measures have seldom worked in the passed, this is why it is important for companies to accept that a data breach is unavoidable. By accepting the breach, your organization can create a plan to handle this inevitable attack.
  2. Locate your critical data and encrypt it– Encryption of data makes it harder for cyber criminals to steal it. Figure out where your important data, such as names, social security numbers, bank account information, passwords, and other personally identifiable information (PII), is stored and make it as secure as you possibly can.
  3. Store and manage encryption keys– Keep keys secure, in a vault, away from any encrypted data. With these vital keys to your customers’ encrypted data, you need to protect them, so as people come and go from your organization, be cautious as to who you share this key with. Implement a process to limit, change, and revoke any keys from those who have access to them in order to better protect this data. Do not allow anyone to make copies of this sensitive information.
  4. Control user access– Determine who should and should not have access to your data. Implement strong authentication processes for those who you have approved access, so as to make it harder for cyber-crooks to gain access to your data.

Data breaches are going to happen, but by being prepared for when they do hit, your company can be protected. Not only will its client data be secure, but it can also save your company time, money, and prevent a blemish to its public image.

To stay up-to-date on recent data breaches across all industries, click here. To learn more about how Axiom Cyber Solutions can aid in your company’s preparations against data breaches, email us at info@axiomcyber.com.

Hailey R. Carlson | Axiom Cyber Solutions | 12/16/2016]]

Why is HIPAA Data so Valuable to Hackers?

Why is HIPAA Data so Valuable to Hackers?

One of the few things that we all have in common is that we need to take some degree of care when it comes to our health. Healthcare providers—like doctors, dentists, nurses, and more—are there for us to take advantage of their extremely vital services in order to keep up with all aspects of our health. In order to properly know our healthcare needs, these providers need to have some pretty sensitive information about every one of us. But what if that very sensitive information was stolen by cybercriminals with plans to distribute it across the dark web? That’s exactly what could happen when healthcare providers fall victim to a data breach.

Stats

Figure 1: Total HIPAA Compliance’s List of 2015 Healthcare Data Breaches

 

In 2015, the healthcare industry saw more data breaches than any other industry—you can see some of the biggest breaches in Figure 1 above—and data breaches have cost the healthcare industry upwards of $6.2 billion over the last two years. Hackers and cybercriminals target healthcare providers because of the valuable information they have on their patients, often referred to as protected health information (PHI), personally identifiable information (PII), or HIPAA data. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 with the goal of protecting this PHI data and is a regulatory standard across the healthcare industry to this date.

 

Data protected by HIPAA includes health status, provision of health care, or payment for health care that can be linked to a specific individual. This data is valuable to healthcare providers because it is individually identifiable health information related to the patient’s past, present, and future medical conditions—this means it helps the doctor or dentist to make informed decisions about what their patient’s needs are and what means of medical attention are necessary to address these requirements. This is the good side of HIPAA data. However, hackers want this information just as much as healthcare providers, but for a few different reasons.

 

HIPAA data is attractive to hackers and other cybercriminals because it is one of the biggest gateways into stealing a person’s identity.  Even more than credit card information, medical data is the easiest way to steal a person’s identity because of the sheer amount of information that is readily available. Medical records include sensitive information like patients’ full names, social security numbers, credit card numbers, signatures, and more—everything a malicious person would need to steal a person’s identity, or in the case of a data breach, multiple people’s identities. Unlike credit card-induced identity theft, ID theft via stolen medical records does not show up as quickly as credit card fraud. In addition to this fact, healthcare information sells online for ten times that of credit card data.

 

In addition to stealing identities, hackers can utilize HIPAA data that is stolen in health insurance and Medicare fraud. Dark web users who buy full medical files could use patient numbers with false provider numbers to file fraudulent claims with payers. When they do this, the victim does not know about the fraud because bills are being sent to his medical provider without his knowledge and the insurance provider does not know that he is not the one filing.

 

With all of this information needed by healthcare providers, it is their duty to their patients to protect this data. Here are a few ways healthcare providers can protect their PHI from data breaches and attack:

 

  1. Educate staff members—Education is key in all aspects of life, but protecting data is one of the biggest areas where education is required. When staff members know what is and is not HIPAA data, they can take the necessary amount of care in keeping that data safe. Phishing is one of the main ways hackers get into hospitals’ networks, so informing employees of things to look for that could potentially be malicious is vital when it comes to securing your information.
  2. Consider EncryptionBe sure to encrypt both your hard drive and any electronic communication that you can. When hackers have to work harder to get your data, they are likely to skip you and move onto the next, more vulnerable victim.
  3. Protect your network—Having multiple stages of protection is key to keeping your PHI and HIPAA data secure. This includes wired networks, wireless networks, and connected medical devices via IoT. One of the best ways to do this is by installing a next-generation firewall. Axiom Cyber Solutions offers its SecureAmerica® Firewall as well as HIPAA compliance help as a partner to those healthcare providers that need to be HIPAA Compliant.

 

It is important to secure your networks in any industry, but it is even more crucial in those industries where real customers and clients could be compromised in the event of a breach of security. Healthcare has faced many hurdles in cybersecurity recently, but hopefully by creating multiple barriers for hackers to overcome, the industry will see a turn for a safer, more secure environment.

 

Hailey Carlson | Axiom Cyber Solutions | 8/15/2016

Image Source

The Lowdown on the Panama Papers

The Lowdown on the Panama Papers

Law firms pride themselves on being the ultimate safe haven, where men and women alike can count on discretion and privacy when it comes to their most personal affairs. With the recent release of the ‘Panama Papers’, law firms are coming under fire for their cybersecurity or lack thereof. Unfortunately, these data breaches are becoming more and more common for law firms.

On April 3, 2016, 11.5 million confidential documents that provide detailed information on more than 214,000 offshore companies listed by a Panamanian law firm Mossack Fonseca, including the identities of shareholders and directors of said offshore companies. Mossack Fonseca is the fourth largest offshore law firm in the world with more than 40 offices worldwide. Ironically enough, before the Panama Papers leak, Mossack Fonseca was described by the Economist in 2012 as a “tight-lipped” industry leader in offshore finance. In fact, Las Vegas-based subsidiary of Mossack Fonseca is listed as the registered agent for 1,026 firms incorporated over the past decade and a half, many of which have since been dissolved or are no longer active.

These leaked Panama Papers have revealed the hidden wealth from some of the most high-ranking political officials, billionaires, celebrities and star athletes. This is important because the leak shows how the rich and famous can exploit tax shelters and also reveals an unprecedented pattern of corruption worldwide for 40 years. While shell companies inherently are not illegal, they are often used as a method to commit fraud.

The Panama Papers were leaked by an anonymous source who communicated with journalists that Mossack Fonseca was behaving unethically, thus deserving to be shut down. Below is a list of the most important information gleaned from the Panama Papers leak according to the Guardian News.

-Twelve national leaders are among 143 politicians, their families and close associates from around the world known to have been using offshore tax havens.

-A $2bn trail leads all the way to Vladimir Putin. The Russian president’s best friend – a cellist called Sergei Roldugin – is at the centre of a scheme in which money from Russian state banks is hidden offshore. Some of it ends up in a ski resort where in 2013 Putin’s daughter Katerina got married.

-Among national leaders with offshore wealth are Nawaz Sharif, Pakistan’s prime minister; Ayad Allawi, ex-interim prime minister and former vice-president of Iraq; Petro Poroshenko, president of Ukraine; Alaa Mubarak, son of Egypt’s former president; and the prime minister of Iceland, Sigmundur Davíð Gunnlaugsson.

-In the UK, six members of the House of Lords, three former Conservative MPs and dozens of donors to British political parties have had offshore assets.

-The families of at least eight current and former members of China’s supreme ruling body, the politburo, have been found to have hidden wealth offshore.

-Twenty-three individuals who have had sanctions imposed on them for supporting the regimes in North Korea, Zimbabwe, Russia, Iran and Syria have been clients of Mossack Fonseca. Their companies were harboured by the Seychelles, the British Virgin Islands, Panama and other jurisdictions.

-A key member of Fifa’s powerful ethics committee, which is supposed to be spearheading reform at world football’s scandal-hit governing body, acted as a lawyer for individuals and companies recently charged with bribery and corruption.

-One leaked memorandum from a partner of Mossack Fonseca said: “Ninety-five per cent of our work coincidentally consists in selling vehicles to avoid taxes.”

For further information on data breaches and law firms, please refer to one of our earlier articles: https://axiomcyber.com/blog/hacking/law-firms-beware-of-cyber-criminals/

Worried about cybersecurity? Axiom Cyber Solutions can help!

Our cybersecurity experts will secure your business against today’s threats and those of tomorrow. Axiom Cyber Solutions offers vulnerability and penetration assessments, managed firewall services, and cybersecurity & disaster recovery strategic planning services.

Axiom Cyber Solutions strives to make cybersecurity affordable to small businesses that may not have a large IT budget. Starting at just $199 per month, with no long term obligation, Axiom Cyber Solutions has developed a managed cybersecurity program to give small businesses the same protection as large enterprises. We provide a fully configured enterprise class next generation firewall (NGFW) that is plug & play to the business and begins to monitor, manage, and update the firewall as soon as it comes online.

Panama Papers – The World’s Largest Data Leak

Panama Papers – The World’s Largest Data Leak

On Sunday, the International Consortium of Investigative Journalists announced the world’s largest data leak to the public. Kept secret since late 2014, the data leak from the Mossack Fonseca law firm is said to be 2000 times larger than 2010 Wikileaks Cablegate release of US State Department documents. A massive 2.7 terabytes (TB) of emails, database files, and PDFs which equals almost 40 years of documents was collected from the anonymous whistle-blower. In comparison again to Wikileaks, Cablegate was a mere 1.7 gigabytes (GB) of data.

“This is pretty much every document from this firm over a 40-year period,” ICIJ director Gerard Ryle told WIRED in a phone call, arguing that at “about 2,000 times larger than the WikiLeaks state department cables,” it’s indeed the biggest leak in history.

What are the Panama Papers?

The Panama Papers allegedly contain information on 143 politicians, their family members and friends who have been creating offshore companies as tax havens. Fallout has begun with protests in Iceland calling for the resignation of the Prime Minister whose name has been linked to an offshore company in the British Virgin Islands. The Russian government has dismissed claims of wrongdoing and describe it as a “series of fibs” created to discredit Putin ahead of elections. However several countries including the US, Mexico, and Britain have vowed to investigate the possibility of tax evasion.

Why target a law firm?

Axiom has been tweeting lately about how law firms are an attractive target for hackers and that large elite law firms in the US have recently been directly targeted by hackers. And remember our blog post a few months ago about how law firms are being targeted?

Panama Papers proves just how lucrative the data breach of a law firm can be for hackers. Think about all the data that a law firm has: health, financial, intellectual property, and business trade secrets. In the wrong hands, that data would be a virtual treasure trove of information to be sold in the Dark Web.

There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.

Cisco CEO – John Chambers

Law firms cannot take the head in the sand approach to cybersecurity anymore. It’s time for law firms to start assessing their vulnerabilities and planning for a sound cybersecurity infrastructure.

How was the data leaked?

In late 2014, an anonymous whistle-blower contacted the German newspaper Suddeutsche Zeitung stating that they had “more data than you have ever seen” in relation to crimes that the person wanted to make public. At this time, it is not publicly known how the whistle-blower was able to send so much data undetected over such a period of time however Bastian Obermayer, the reporter for Suddeutsche Zeitung who was contacted by the whistle-blower, stated that he “learned a lot about making the safe transfer of big files”.

Obermayer indicated that he communicated through various encrypted channels with the whistle-blower who sent the data in chunks until the 2.7 TB were amassed. Suddeutsche Zeitung contacted the ICIJ and the ICIJ created a secure portal where journalists could research the data. Over 400 journalists kept the information a secret until Sunday when over 100 news outlets published the first articles about the data leak.

Earlier in the day, the Mossack Fonseca website told its customers that their email server suffered an unauthorized breach. The company denies any wrongdoing and has published a lengthy rebuttal to the media reports. A spokesperson has stated that the company may pursue legal action against the news agencies for using the information that was obtained illegally.

It appears that you have had unauthorized access to proprietary documents and information taken from our company and have presented and interpreted them out of context. We trust that you are fully aware that using information/documentation unlawfully obtained is a crime, and we will not hesitate to pursue all available criminal and civil remedies.

Carlos Sousa – Public Relations Director, Mossack Fonseca & Co. (Panama)

The one thing that has not been mentioned yet is the data protection liability suit that the 4th largest offshore law firm in the world may have coming in the near future. Target settled its data breach for $100 million… this one is going to be much larger.

Doom and gloom?

While the Cisco CEO says that there are two types of companies, ones that have been hacked and ones that know they’ve been hacked; the cybersecurity future is not completely doom and gloom for businesses. There are some basic things that businesses can do to better protect themselves.

  • Use endpoint (anti-virus and anti-malware) software on all devices and keep it up-to-date
  • Protect the business with a firewall that inspects traffic both in and out of the business
  • Get a vulnerability and penetration assessment

 

Worried about cybersecurity? Axiom Cyber Solutions can help!

Let our cybersecurity experts secure your business against today’s threats and those of tomorrow. Axiom Cyber Solutions offers vulnerability and penetration assessments, managed firewall services, and cybersecurity & disaster recovery strategic planning services.

Axiom Cyber Solutions strives to make cybersecurity affordable to small businesses that may not have a large IT budget. Starting at just $199 per month, with no long term obligation, Axiom Cyber Solutions has developed a managed cybersecurity program to give small businesses the same protection as large enterprises. We provide a fully configured enterprise class next generation firewall (NGFW) that is plug & play to the business and begins to monitor, manage, and update the firewall as soon as it comes online.

Law Firms : Beware of Cyber Criminals

Law Firms : Beware of Cyber Criminals

“There are two types of law firms: those that know they’ve been hacked and those that do not”, according to Vincent Polley, attorney for the American Bar Association.

What an incredibly powerful statement considering the fallout of cyber attacks amongst businesses these days. The numbers of cyber crimes have only increased for those working in the healthcare and financial field, but due to reluctance from many law firms to report cyber crimes, we do not know if the same can be said for law firms.

1 in 4 law firms are victims of a data breach according to a 2015 study done by the American Bar Association.

law

Many law firms view cyber breaches as something to be ashamed of and many lawyers are hesitant to openly admit to their clients that they have become victims of a data breach. As hard as it may be to report these things, law firms need to report cyber breaches when they happen. A 2015 study by Citigroup’s cyberintelligence unit reported that,

“Due to the reluctance of most law firms to publicly discuss cyber intrusions and the lack of data breach reporting requirements in general in the legal industry, it is not possible to determine whether cyberattacks against law firms are on the rise.” The report when on to say that law firms are very appealing to cyber criminals, considering the incredibly confidential data on corporate deals and business strategies. These days, data = money, so it comes as no surprise that cyber criminals are after this data.

Earlier this year, there were reports of fraud related to law firms in where a hacker intercepted important instructions between the closing attorney and the buyer’s agent. The hacker sent out entirely different instructions on the wiring of the money. Unbeknownst to the victims, they then wired their money straight into the hacker’s account. These types of scams are only continuing.

The fallout from a data breach for a law firm can be huge. Not only does it become a huge legal liability, a law firm may even be sued depending on what kind of data was released. If a law firm ignores their cybersecurity issues and refuses to take proactive measures, they can be subject to fines by the FTC.

A law firm could also lose their reputation, as well as the trust their customers and clients have given them. The amount of confidential information that people entrust their lawyers with is insurmountable. Class action lawsuits will follow. The time and money dealing with a cyber security data breach is a huge headache of inconvenience and there’s no guarantee that a law firm will even be able to continue to stay open.

Law firms, no matter the size, must take their cyber security seriously. By getting into the mind of a hacker and mapping out vulnerabilities in your network, you will be taking the necessary proactive steps to protect yourself and your business from cyber criminals. Taking steps to protect your business will make the difference in whether or not a law firms is successfully attacked.

Axiom Cyber Solutions is offering Managed Cyber-Security Protection for Small Business starting as low as $199 per month. We realize that most small businesses do not have a dedicated IT team and business owners may be handling their cyber security matters on their own. Let us take over and provide you with peace of mind. Axiom will provide your business a firewall and manage it so you don’t have to worry about securing your business. We will assess the security risks for your business and will help implement the right cyber security service for your business.

Axiom’s solutions come in different sizes and all our solutions are designed to deal with the attack vectors of today while being adaptive and flexible enough to continue to secure your network for years to come. For more information, check out our website at axiomcyber.com or give us a call us at (800) 519-5070. #FightBackWithAxiom