How Data Breaches Affect Children

Believe it or not, data breaches do affect children, even as young as infants. The worrisome aspect of recent massive data breaches is that many adults have grown immune to data breach notifications; so much so that nearly half of Americans haven’t even checked their credit following the Equifax breach. If they are not checking their own credit, you can pretty much bet that they haven’t looked into their children’s credit either.

One family of five plugged their entire family’s information into the Equifax data breach checker and were surprised to see that their 7-year-old son’s information had potentially been stolen.

The theft of a child’s identity is lucrative to a cyber-criminal because it can remain undetected for years, if not decades. Without regular monitoring, a child’s identity that has been stolen may not be discovered until they are preparing to go to college and start applying for student loans or get their first credit card. By then, the damage is done and the now young adult will need to go through the pain of proving that their identity was indeed stolen.

It may be surprising to many, but a 2011 report found that children are 51 times more likely than adults to have their identity stolen. One of the victims in the study was only five months old, and one teenager had over $700,000 in debt in their name.

And this tax season, cybercriminals on the Dark Web have been caught selling the social security numbers of infants for just $300 each, to be used on fraudulent tax returns. While data on children has been for sale for many years, this is believed to be the first case where hackers are specifically targeting newborns and “fresh” social security numbers that have no credit history attached to them yet.

So, what can parents do to protect their children and their credit?

The first step would be to treat your children’s social security numbers just as carefully as you would treat your own. Do not provide it to anyone unless absolutely necessary (doctor, school, accountant). And if you have a teenager, teach them how to be responsible with their social security number as well.

Secondly, if you have reason to believe that your child’s information may have been stolen, you as a parent can ask the credit bureaus whether a credit report exists in your child’s name (there should not be one). If a report does exist, you can also request a credit freeze on it so that no new accounts can be opened.

Beware Tax Season Scams

Tax season is upon us again and the hackers have been busy with a slew of old and new tricks to steal tax refunds. Here are some of the tricks they are employing this tax season and some tips on how you can avoid being taken advantage of.

A New Twist to an Old Game

Who wouldn’t be happy to get a surprise deposit from the IRS in their bank account?! Unfortunately, the IRS is not just giving everyone money; this is a new, elaborate scam to swindle both you and the IRS. Hackers use your stolen personal information to file a fraudulent tax return on your behalf, but have the refund deposited into your real bank account. Then they fall back on their old scam of calling or emailing you, claiming to be the IRS or a collection agency, and demanding that you “return” the erroneous refund to an account they control.

Thanks, Equifax…

Due to the massive Equifax data breach, the IRS is expecting a large uptick in the number of fraudulent filings. To help combat some of the fallout, participating employers now print a verification code on the W-2 form so that the IRS can check that the W-2 used on a return matches what the employer actually issued, rather than a fabricated one.

The IRS has also encouraged everyone to file their returns as early as possible so that hackers do not get the chance to file a fake return before you do. If two (or more) returns are filed with your social security number, the IRS will notify you by postal mail. The IRS does not initiate contact by email or phone, so any email or call claiming to be the IRS is a scam.

If you try to e-file and a return has already been filed under your social security number, your return will be rejected and you will need to contact the IRS. You should also report the identity theft to the FTC (especially if you were affected by the Equifax data breach).

Even Children are Affected…

A worrisome discovery this tax season has been the sale of infant and child personal information on the Dark Web. Hackers are even pushing the sales by advertising that it is tax season and that buyers should get the information before someone else uses it. The troublesome aspect of having children’s personal information for sale is that very few parents monitor the credit of their youngsters, so a fake identity may not be discovered for years, or even 16 to 17 years down the road when the child is grown and starts applying for college or credit.

The ol’ W-2 Phishing Scam

Despite IRS warnings and plenty of news coverage over the past couple of years, hackers are still tricking businesses into sending their employee records. A few years ago the IRS warned companies about the W-2 scam, but despite the continued warnings, businesses (and even government offices like the City of Keokuk, Iowa and Batavia, Illinois) are still falling for phishing emails posing as the company CEO or other executives and asking for employee summaries and W-2s.

Employees may be your business’ greatest weakness but they also can be your greatest defender if you take the time to educate them. Inform your employees who have access to sensitive employee data about these types of scams. Don’t just assume that they know.

Teach your employees how to identify phishing scams and, when it comes to sharing sensitive data, require them to get verbal approval from the requestor before sending anything. That call should go to a phone number the employee already knows, never to a number supplied in the email itself. Even though scammers insist there is extreme urgency, a verbal confirmation from the real sender is the best way to protect sensitive information (the same goes for urgent requests for wire transfers to the Finance Department!).

Lastly, sensitive employee data should never be transmitted unencrypted (even if it’s thought to be internal).

Another Day, Another Data Breach – Should We Just Get Used to It?

It seems like we can’t go a week without news of a data breach affecting a major company: Target, Home Depot, Yahoo (all 3 Billion account holders), HBO, Equifax (3 times), Deloitte, Sonic, Whole Foods. With the prevalence of personal information being exposed and stolen, people often wonder should we just get used to having our data breached? Should we get used to the fact that cat photos on Facebook are more secure than our social security number?

In short, no! We should never simply accept that the companies are not responsible for the security of the data they collect about us. We should be upset when our data is breached and demand action so that companies begin to take data security seriously. And one of the worst things about data breaches is that nearly all of them end up being far worse than initially reported.

The Equifax hack occurred because the company failed to install a patch for a known vulnerability in its web systems for months after the patch was released. The Securities and Exchange Commission (SEC), which ironically issues regulations telling other companies to clean up their technology infrastructure and can fine them for failing to take the necessary cyber-security measures, suffered a data breach of its “Fort Knox” system called EDGAR, which companies use to file all the important information about their business: quarterly earnings, mergers and acquisitions, IPOs, market news, and more. And at Deloitte, an email administrator account was not protected with two-factor authentication, so hackers who obtained the password got privileged, unrestricted administrator access and were able to steal millions of email records, many containing sensitive information.

If the onslaught of lawsuits and regulatory inquiries against Equifax teaches businesses anything, it is that our lawmakers and the people they represent are tired of having their data compromised, and we can hope there will soon be real, tangible changes in how businesses treat data security. In its shareholder packages for at least the last five years, Equifax did not mention data security once as a company priority. This must change. Any business that collects personal information must be serious about protecting it, and should they fail, there must be repercussions, because the theft of data leads to real harm to individuals.

The news of the credit card data breach at Sonic has made many wonder how credit cards are still getting hacked. The cards themselves are fairly secure, but when the point-of-sale (POS) system that processes the transaction is compromised, there is little the new chip technology can do to protect the consumer: the chip stops counterfeit cards, not malware that reads card data out of the POS terminal’s memory. USA Today attributes part of the problem to the increase in the use of technology by businesses without the budget and skill set required to secure those new internet-connected POS systems. Companies need to ensure that they not only invest in the new systems but also hire the technical staff or find a trusted partner, like Axiom Cyber Solutions, to ensure that the POS systems are properly protected. Companies that take credit cards need to consider PCI requirements and ask the question, “If I get breached and lose the ability to take credit cards, can my company survive?”

Don’t get used to having your data breached. Demand that businesses protect your data and encourage your lawmakers to consider new legislation that would allow regulation of data security standards and penalties for data breaches.

Tax Season Cyber-Crime: Hackers Step Up Phishing for W-2 Information

Despite IRS warnings and tons of news, tax season phishing scams have taken in an incredible number of businesses this year. Early in January, I wrote about the dangers of phishing, particularly for W-2’s during the tax season and it seems that each day there is news of another company that has unwittingly exposed sensitive employee data to hackers.

A year ago, the IRS warned companies of falling for the W-2 scams but companies are continuing to fall for email scammers posing as the company CEO or other high ranking executives asking for employee summaries and W-2’s. The W-2 information is valuable to hackers because they can take the information and file false tax returns with a diverted refund before the real person can.

Already last month four companies in Indiana have fallen for the trick. 17,000 employees of American Senior Communities were notified that their payroll processor had fallen for the W-2 phishing scam in mid-January but it wasn’t until employees started having their tax returns rejected in February that the breach was discovered.

Another company in Indiana, Monarch Beverage, discovered that they had fallen for the W-2 phishing scam two years in a row while investigating this year’s breach. During the investigation, the company found that the same information had been erroneously disclosed in April 2016 to a hacker posing as the company CEO.

The stories go on and on about unfortunate employees and companies that have fallen victim to increasingly sophisticated phishing attempts. Phishing topped the IRS’ Dirty Dozen list of tax scams for 2017, and the IRS has seen a 400% increase in phishing scams since 2009.

So, what can businesses do to combat phishing scams and protect their employee’s data?

Employees may be your business’ greatest weakness but they also can be your greatest defender if you take the time to educate them. Inform your employees who have access to sensitive employee data about these types of scams. Don’t just assume that they know.

Teach your employees how to identify phishing scams and, when it comes to sharing sensitive data, require them to get verbal approval from the requestor, using a phone number they already have rather than one in the email. Phishing emails almost always claim the response is urgent, but will an extra five minutes to get verbal confirmation from the sender really be too much?

Two school districts (Groton and Glastonbury) in Connecticut were victimized by a phishing scam that divulged W-2 information for nearly 3,000 employees. The school district manager in Groton was placed on administrative leave, and the Superintendent expressed his dismay at the disclosure, stating, “We are of course heartbroken and I just can’t tell you how disappointed I am that this occurred.” In a related incident, the town of Groton also received a similar email asking for the W-2 information for all town employees, but the employee who received it was suspicious of the request and reported it. You rarely see the success stories in the news, but this employee truly saved the day simply by being suspicious of an unusual request for sensitive data.

Lastly, sensitive employee data should never be transmitted unencrypted, even internally.
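The executive-impersonation emails described in this post and in “Beware Tax Season Scams” above share a few tells that can be checked automatically before a human ever reads the lure: a display name that matches an executive but an address that is not that executive’s real one, a Reply-To that points to a different domain than the From, and a request for W-2 or payroll data wrapped in urgency language. The following is an added example, not code from the original post: a small triage check written for this page. The company domain, the executive roster and the two sample messages are all constructed for illustration.

```python
"""Triage check for executive-impersonation ("CEO fraud") W-2 requests.

Added example for this page, not code from the original post. The domain,
executive roster and sample messages below are constructed (assumptions).
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the company's own domain and the known address of each
# executive whose name an attacker is likely to spoof in a display name.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Terms that typically appear in W-2 / payroll phishing lures.
DATA_TERMS = ("w-2", "w2", "payroll", "employee summary", "social security")
URGENCY_TERMS = ("asap", "urgent", "immediately", "right away", "end of day")

# Constructed sample: lookalike sender domain, free-mail Reply-To, W-2 request.
PHISH_SAMPLE = """\
From: Jane Doe <jane.doe@example-corp.net>
Reply-To: Jane Doe <ceo.janedoe@freemail.example>
To: payroll@example.com
Subject: W-2 copies needed ASAP

I need the W-2 and employee summary for all staff sent to me
right away. I am in a meeting, so please do not call.
"""

# Constructed sample: ordinary internal mail from the real executive address.
LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Thursday planning meeting

Can we move Thursday's planning meeting to 3pm?
"""


def _domain(addr):
    """Domain part of an email address, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _text(msg):
    """Plain-text content of the message (all text/plain parts if multipart)."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()


def score_message(raw):
    """Evaluate one RFC 822 message string.

    Returns {'from', 'flags', 'escalate'}; 'escalate' is True only when the
    mail asks for employee data AND the sender identity is inconsistent.
    """
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    text = (msg.get("Subject", "") + "\n" + _text(msg)).lower()
    flags = []

    # Display name is a known executive, but the address is not theirs
    # (covers spoofed lookalike domains such as example-corp.net).
    known = EXECUTIVES.get(display.strip().lower())
    if known and from_addr.lower() != known:
        flags.append("exec_name_with_unknown_address")
    # Replies would go somewhere other than where the mail claims to be from.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        flags.append("reply_to_domain_mismatch")
    if any(term in text for term in DATA_TERMS):
        flags.append("requests_employee_data")
    if any(term in text for term in URGENCY_TERMS):
        flags.append("urgency_language")

    sender_suspicious = {"exec_name_with_unknown_address",
                         "reply_to_domain_mismatch"} & set(flags)
    return {
        "from": from_addr,
        "flags": flags,
        "escalate": bool(sender_suspicious) and "requests_employee_data" in flags,
    }


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, score_message(sample))
```

A message that merely asks for W-2 data from the executive’s genuine address is not escalated by this check, which is deliberate: that case is exactly what the verbal call-back rule above is for, and no filter should replace it.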

Why is HIPAA Data so Valuable to Hackers?

One of the few things that we all have in common is that we need to take some degree of care when it comes to our health. Healthcare providers—like doctors, dentists, nurses, and more—are there for us to take advantage of their extremely vital services in order to keep up with all aspects of our health. In order to properly know our healthcare needs, these providers need to have some pretty sensitive information about every one of us. But what if that very sensitive information was stolen by cybercriminals with plans to distribute it across the dark web? That’s exactly what could happen when healthcare providers fall victim to a data breach.

Stats

Figure 1: Total HIPAA Compliance’s List of 2015 Healthcare Data Breaches


In 2015, the healthcare industry saw more data breaches than any other industry—you can see some of the biggest breaches in Figure 1 above—and data breaches have cost the healthcare industry upwards of $6.2 billion over the last two years. Hackers and cybercriminals target healthcare providers because of the valuable information they have on their patients, often referred to as protected health information (PHI), personally identifiable information (PII), or HIPAA data. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 with the goal of protecting this PHI data and is a regulatory standard across the healthcare industry to this date.


Data protected by HIPAA includes health status, provision of health care, and payment for health care that can be linked to a specific individual. This data is valuable to healthcare providers because it is individually identifiable health information about the patient’s past, present, and future medical conditions; it helps the doctor or dentist make informed decisions about what their patient needs and what medical attention is necessary. That is the good side of HIPAA data. However, hackers want this information just as much as healthcare providers do, for a few different reasons.


HIPAA data is attractive to hackers and other cybercriminals because it is one of the biggest gateways into stealing a person’s identity.  Even more than credit card information, medical data is the easiest way to steal a person’s identity because of the sheer amount of information that is readily available. Medical records include sensitive information like patients’ full names, social security numbers, credit card numbers, signatures, and more—everything a malicious person would need to steal a person’s identity, or in the case of a data breach, multiple people’s identities. Unlike credit card-induced identity theft, ID theft via stolen medical records does not show up as quickly as credit card fraud. In addition to this fact, healthcare information sells online for ten times that of credit card data.


In addition to stealing identities, hackers can utilize HIPAA data that is stolen in health insurance and Medicare fraud. Dark web users who buy full medical files could use patient numbers with false provider numbers to file fraudulent claims with payers. When they do this, the victim does not know about the fraud because bills are being sent to his medical provider without his knowledge and the insurance provider does not know that he is not the one filing.


With all of this information needed by healthcare providers, it is their duty to their patients to protect this data. Here are a few ways healthcare providers can protect their PHI from data breaches and attack:


  1. Educate staff members—Education is key in all aspects of life, but protecting data is one of the biggest areas where education is required. When staff members know what is and is not HIPAA data, they can take the necessary amount of care in keeping that data safe. Phishing is one of the main ways hackers get into hospitals’ networks, so informing employees of things to look for that could potentially be malicious is vital when it comes to securing your information.
  2. Consider encryption—Be sure to encrypt both your hard drives and any electronic communication that you can. When hackers have to work harder to get your data, they are likely to skip you and move on to the next, more vulnerable victim.
  3. Protect your network—Having multiple stages of protection is key to keeping your PHI and HIPAA data secure. This includes wired networks, wireless networks, and connected medical devices via IoT. One of the best ways to do this is by installing a next-generation firewall. Axiom Cyber Solutions offers its SecureAmerica® Firewall as well as HIPAA compliance help as a partner to those healthcare providers that need to be HIPAA Compliant.


It is important to secure your networks in any industry, but it is even more crucial in those industries where real customers and clients could be compromised in the event of a breach of security. Healthcare has faced many hurdles in cybersecurity recently, but hopefully by creating multiple barriers for hackers to overcome, the industry will see a turn for a safer, more secure environment.


Hailey Carlson | Axiom Cyber Solutions | 8/15/2016

Panama Papers – The World’s Largest Data Leak

On Sunday, the International Consortium of Investigative Journalists (ICIJ) announced the world’s largest data leak to the public. Kept secret since late 2014, the data leak from the Mossack Fonseca law firm is said to be 2,000 times larger than the 2010 WikiLeaks Cablegate release of US State Department documents. A massive 2.7 terabytes (TB) of emails, database files, and PDFs, spanning almost 40 years of documents, was collected from the anonymous whistle-blower. By comparison, Cablegate was a mere 1.7 gigabytes (GB) of data.

“This is pretty much every document from this firm over a 40-year period,” ICIJ director Gerard Ryle told WIRED in a phone call, arguing that at “about 2,000 times larger than the WikiLeaks state department cables,” it’s indeed the biggest leak in history.

What are the Panama Papers?

The Panama Papers allegedly contain information on 143 politicians, their family members and friends who have been creating offshore companies as tax havens. Fallout has begun with protests in Iceland calling for the resignation of the Prime Minister whose name has been linked to an offshore company in the British Virgin Islands. The Russian government has dismissed claims of wrongdoing and describe it as a “series of fibs” created to discredit Putin ahead of elections. However several countries including the US, Mexico, and Britain have vowed to investigate the possibility of tax evasion.

Why target a law firm?

Axiom has been tweeting lately about how law firms are an attractive target for hackers and that large elite law firms in the US have recently been directly targeted by hackers. And remember our blog post a few months ago about how law firms are being targeted?

Panama Papers proves just how lucrative the data breach of a law firm can be for hackers. Think about all the data that a law firm has: health, financial, intellectual property, and business trade secrets. In the wrong hands, that data would be a virtual treasure trove of information to be sold in the Dark Web.

There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.

Cisco CEO – John Chambers

Law firms cannot take the head in the sand approach to cybersecurity anymore. It’s time for law firms to start assessing their vulnerabilities and planning for a sound cybersecurity infrastructure.

How was the data leaked?

In late 2014, an anonymous whistle-blower contacted the German newspaper Süddeutsche Zeitung stating that they had “more data than you have ever seen” in relation to crimes that the person wanted to make public. At this time, it is not publicly known how the whistle-blower was able to send so much data undetected over such a long period. However, Bastian Obermayer, the Süddeutsche Zeitung reporter who was contacted by the whistle-blower, stated that he “learned a lot about making the safe transfer of big files”.

Obermayer indicated that he communicated with the whistle-blower through various encrypted channels, and that the data was sent in chunks until the 2.7 TB had been amassed. Süddeutsche Zeitung contacted the ICIJ, which created a secure portal where journalists could research the data. Over 400 journalists kept the information secret until Sunday, when over 100 news outlets published the first articles about the leak.

Earlier in the day, the Mossack Fonseca website told its customers that their email server suffered an unauthorized breach. The company denies any wrongdoing and has published a lengthy rebuttal to the media reports. A spokesperson has stated that the company may pursue legal action against the news agencies for using the information that was obtained illegally.

It appears that you have had unauthorized access to proprietary documents and information taken from our company and have presented and interpreted them out of context. We trust that you are fully aware that using information/documentation unlawfully obtained is a crime, and we will not hesitate to pursue all available criminal and civil remedies.

Carlos Sousa – Public Relations Director, Mossack Fonseca & Co. (Panama)

The one thing that has not been mentioned yet is the data protection liability suit that the 4th largest offshore law firm in the world may have coming in the near future. Target settled its data breach for $100 million… this one is going to be much larger.

Doom and gloom?

While the Cisco CEO says that there are two types of companies, those that have been hacked and those that don’t yet know they have been hacked, the cybersecurity future is not completely doom and gloom for businesses. There are some basic things that businesses can do to better protect themselves.

  • Use endpoint (anti-virus and anti-malware) software on all devices and keep it up-to-date
  • Protect the business with a firewall that inspects traffic both in and out of the business
  • Get a vulnerability and penetration assessment

Worried about cybersecurity? Axiom Cyber Solutions can help!

Let our cybersecurity experts secure your business against today’s threats and those of tomorrow. Axiom Cyber Solutions offers vulnerability and penetration assessments, managed firewall services, and cybersecurity & disaster recovery strategic planning services.

Axiom Cyber Solutions strives to make cybersecurity affordable to small businesses that may not have a large IT budget. Starting at just $199 per month, with no long term obligation, Axiom Cyber Solutions has developed a managed cybersecurity program to give small businesses the same protection as large enterprises. We provide a fully configured enterprise class next generation firewall (NGFW) that is plug & play to the business and begins to monitor, manage, and update the firewall as soon as it comes online.

Law Firms : Beware of Cyber Criminals

“There are two types of law firms: those that know they’ve been hacked and those that do not”, according to Vincent Polley, attorney for the American Bar Association.

What an incredibly powerful statement considering the fallout of cyber attacks amongst businesses these days. The numbers of cyber crimes have only increased for those working in the healthcare and financial field, but due to reluctance from many law firms to report cyber crimes, we do not know if the same can be said for law firms.

1 in 4 law firms are victims of a data breach according to a 2015 study done by the American Bar Association.

Many law firms view cyber breaches as something to be ashamed of and many lawyers are hesitant to openly admit to their clients that they have become victims of a data breach. As hard as it may be to report these things, law firms need to report cyber breaches when they happen. A 2015 study by Citigroup’s cyberintelligence unit reported that,

“Due to the reluctance of most law firms to publicly discuss cyber intrusions and the lack of data breach reporting requirements in general in the legal industry, it is not possible to determine whether cyberattacks against law firms are on the rise.” The report went on to say that law firms are very appealing to cyber criminals, considering the incredibly confidential data they hold on corporate deals and business strategies. These days, data equals money, so it comes as no surprise that cyber criminals are after it.

Earlier this year, there were reports of fraud involving law firms in which a hacker intercepted closing instructions between the closing attorney and the buyer’s agent. The hacker sent out entirely different instructions for wiring the money, and the victims, unaware of the substitution, wired their funds straight into the hacker’s account. These types of scams are only continuing.

The fallout from a data breach for a law firm can be huge. Not only does it become a huge legal liability, a law firm may even be sued depending on what kind of data was released. If a law firm ignores their cybersecurity issues and refuses to take proactive measures, they can be subject to fines by the FTC.

A law firm could also lose its reputation, as well as the trust its customers and clients have placed in it. The amount of confidential information that people entrust to their lawyers is immense. Class action lawsuits will follow. The time and money spent dealing with a data breach is a huge headache, and there is no guarantee that a law firm will even be able to stay open.

Law firms, no matter the size, must take their cyber security seriously. By getting into the mind of a hacker and mapping out the vulnerabilities in your network, you will be taking the necessary proactive steps to protect yourself and your business from cyber criminals. Taking those steps will make the difference in whether or not a law firm is successfully attacked.

Axiom Cyber Solutions is offering Managed Cyber-Security Protection for Small Business starting as low as $199 per month. We realize that most small businesses do not have a dedicated IT team and business owners may be handling their cyber security matters on their own. Let us take over and provide you with peace of mind. Axiom will provide your business a firewall and manage it so you don’t have to worry about securing your business. We will assess the security risks for your business and will help implement the right cyber security service for your business.

Axiom’s solutions come in different sizes, and all of them are designed to deal with the attack vectors of today while being adaptive and flexible enough to continue to secure your network for years to come. For more information, check out our website at axiomcyber.com or give us a call at (800) 519-5070. #FightBackWithAxiom

The Top 5 Cyber Hacks of 2015

2015 was a busy year for cyber criminals. As the year comes to a close, we are reviewing the top 5 cyber attacks. Unfortunately, by the looks of it, this seems to be just the beginning.

1. Office of Personnel Management (OPM)
The United States Office of Personnel Management announced in June 2015 that it was the victim of a data breach. The breach began in March 2014 and remained undetected until April 2015. This is one of the largest data breaches to occur in the federal sector, affecting approximately 18 million current and former government employees. Information such as Social Security numbers, names, birth dates, addresses, military records, pension information, and more was leaked. 5.6 million sets of fingerprints were also stolen, putting undercover federal agents in harm’s way. The Wall Street Journal reported that US government officials suspected Chinese hackers were responsible. Since this hack, China and the US have held numerous discussions on the issue and are currently negotiating over cybersecurity.

2. Vtech
Hong Kong toy manufacturer VTech was hit with a very serious data breach in November 2015. VTech is known as a children’s toy manufacturer; its products include tablets, phones, and baby monitors. The hack was reported by the hacker himself, who gave his findings to Motherboard. Approximately 10 million VTech customers were affected. According to VTech’s website, a total of 4,854,209 customer (parent) accounts and 6,368,509 children’s profiles were exposed. Customers around the world were affected, but the USA saw the highest number of parent accounts, approximately 2 million. The hacker was able to collect photos of children and their parents, as well as audio recordings, by breaking into VTech’s servers through a SQL injection. VTech immediately began a thorough investigation. On December 16th, UK authorities arrested a 21-year-old man in connection with the breach. The investigation is still ongoing.
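SQL injection, the technique named in the VTech entry above, comes down to user input being pasted into the text of a query so that the database reads part of the input as SQL. The following is an added example written for this page, not VTech’s code and not a reconstruction of its actual flaw: a tiny account-lookup function in its injectable form beside the parameterized fix, run against an in-memory SQLite table with constructed rows. The table, column names and sample data are all assumptions made for illustration.

```python
"""SQL injection: concatenated query beside its parameterized fix.

Added example for this page; the schema and rows are constructed, not
taken from any real system.
"""
import sqlite3


def make_db():
    """Build an in-memory table of parent accounts (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE parents (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO parents (email, pw_hash) VALUES (?, ?)",
        [
            ("ana@example.com", "hash-1"),
            ("ben@example.com", "hash-2"),
            ("cy@example.com", "hash-3"),
        ],
    )
    return conn


def find_parent_vulnerable(conn, email):
    """DO NOT USE: the caller-supplied string becomes part of the SQL text,
    so quotes in the input terminate the literal and the rest runs as SQL."""
    sql = "SELECT id, email FROM parents WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def find_parent_safe(conn, email):
    """Parameterized form: the driver sends the value separately from the
    query text, so the input is only ever compared as data."""
    sql = "SELECT id, email FROM parents WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two classic payloads: one that makes the WHERE clause always true, and a
# UNION that pulls a column the query was never meant to return.
ALWAYS_TRUE = "x' OR '1'='1"
DUMP_HASHES = "x' UNION SELECT id, pw_hash FROM parents --"


def demonstrate():
    """Run both payloads through both functions; returns row counts."""
    conn = make_db()
    return {
        "vulnerable_always_true": len(find_parent_vulnerable(conn, ALWAYS_TRUE)),
        "vulnerable_dump": find_parent_vulnerable(conn, DUMP_HASHES),
        "safe_always_true": len(find_parent_safe(conn, ALWAYS_TRUE)),
        "safe_dump": len(find_parent_safe(conn, DUMP_HASHES)),
        "safe_real_lookup": find_parent_safe(conn, "ana@example.com"),
    }


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print(name, result)
```

The second payload is the one that matters for a breach like VTech’s: a single injectable lookup is enough to read every row of every table the database user can see, which is how one parameter turns into a full customer dump. Parameterized queries fix the class of bug; escaping input by hand does not.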

3. Ashley Madison
Perhaps the juiciest data breach of 2015, the Ashley Madison website was hacked by a group named the Impact Team. More than 32 million users had their personal e-mail addresses leaked. Ashley Madison, a website that encourages extramarital affairs, found itself in the middle of a huge headache. According to the hackers, the reasoning behind the breach was simple: to prove that Ashley Madison was corrupt and lied to their users for money. Ashley Madison charged their customers a $20 fee for those who wanted to have their profile deleted fully. The hackers were able to prove that the $20 fee did nothing to protect customers and was just a scam for more revenue. This specific hack raises many ethical questions on user data and how companies are handling the user data. Currently, as of December 2015, Ashley Madison hack victims are starting to receive blackmail letters and people are still being affected.

4. T Mobile
This past October, T-Mobile announced that it had fallen victim to hackers by way of Experian, the credit reporting agency that processed its credit applications. Some 15 million people who applied for credit with T-Mobile had critical data such as social security numbers, driver’s license information, passport information, and more stolen. While no banking or credit card information was leaked, the information that was taken can easily be used for identity theft. Although T-Mobile is offering two years of free credit monitoring to those affected, a cyber criminal could simply wait for those two years to pass before doing anything with the data.

5. Hacking Team
In July 2015, Hacking Team, a company that sells surveillance software to law enforcement agencies, had over 400 gigabytes of sensitive information stolen. Surveillance data, contracts, emails, and invoices were leaked. The leaked data revealed that Hacking Team used poor passwords, which only helped the hackers gain access to its servers. Much worse, however, was the data showing that Hacking Team was not afraid to sell its surveillance software to governments around the world, with lasting effects, as the leaked tooling also gave cyber criminals better tools to commit their crimes.

How can Axiom Cyber Solutions help your business?
Axiom Cyber Solutions is offering Managed Cyber-Security Protection for Small Business starting as low as $199 per month. We realize that most small businesses do not have a dedicated IT team and business owners may be handling their cyber security matters on their own.

Let us take over and provide you with peace of mind. Axiom will provide your business a firewall and manage it so you don’t have to worry about securing your business. We will assess the security risks for your business and will help implement the right cyber security service for your business.

Axiom’s solutions come in different sizes, and all our solutions are designed to deal with the attack vectors of today while being adaptive and flexible enough to continue to secure your network for years to come. For more information, check out our website at axiomcyber.com or give us a call at (800) 519-5070. #FightBackWithAxiom

Why the FTC Ruling on Cyber Security Affects Every Business Owner

In late August, the United States Court of Appeals for the Third Circuit unanimously affirmed the Federal Trade Commission’s (FTC) power to regulate cybersecurity under the unfairness prong of the FTC Act (15 U.S.C. §45) in FTC v. Wyndham, Case No. 14-3514. The ruling states that businesses must have cybersecurity protection for their customers or be subject to fines. This ruling is especially important for those businesses that keep customer data such as financials.

Philadelphia judges ruled 3-0, giving the FTC the authority to sue Wyndham Worldwide for cyber breaches in 2008 and 2009. In this case, over 619,000 customers had their personal financial information endangered. It has been reported that more than $10 million in fraudulent charges followed.

FTC, 2012. Photo by Diego M. Radzinschi/THE NATIONAL LAW JOURNAL.

The FTC argued that Wyndham Worldwide was guilty of numerous unfair practices. Not only was Wyndham not storing payment card information in a safe manner, it was also using easily guessed passwords in its property management systems. The FTC stated that the business lacked cyber security policies, including prevention and incident response plans.

Companies really need to think about the following 5 things when it comes to their cyber security, lest they be subject to fines and headaches:

  1. Businesses should analyze their data and how they collect, use, and store it. This is especially important for businesses that hold financial information.
  2. Is the business taking reasonable steps to secure its data? Is it limiting administrative access, assigning secure passwords, limiting access to the network, and regulating access to data?
  3. Companies need to compartmentalize the network and oversee who’s trying to gain access. Firewalls and intrusion detection mechanisms need to be in place to prohibit cyber criminals from gaining access to your network.
  4. Do my service providers offer me cyber security measures? Companies need to do their research on what their service providers offer when it comes to information security risks.
  5. What procedures do I have right now that are keeping our security up-to-date? Frequent updates and patches to software should be a priority; ignoring these things or going into denial about cyber breaches does not do anyone any good.

The bottom line is, any company that has experienced a cyber security data breach is required to take proactive measures to avoid future breaches. If a company does not take some sort of precautionary steps, they will be subject to fines by the FTC.

And it doesn’t stop at fines. A business can lose its reputation and the trust its customers and clients have given it. Even after all of this, it is still not done: the doors have been opened for class action lawsuits. The years of time and money that have to be spent dealing with the fallout of a cyber security data breach are a huge burden, and there’s no guarantee that a business will even be able to stay open. Axiom Cyber Solutions can help businesses of all sizes stay safe from hackers.

Data breaches will continue to rise and will evolve with new social and technological attack vectors. It’s important for any organization or individual with sensitive data to exercise caution and deploy best practices in securing their network. Axiom’s solutions come in different sizes, and all of our solutions are designed to deal with the attack vectors of today while being adaptive and flexible enough to continue to secure your network for years to come.

For more information, check out our website at axiomcyber.com or give us a call at (800) 519-5070. #FightBackWithAxiom

Attention Healthcare Organizations: Get Ready For Some Serious Cyber Security

2015 has been inundated with cyber-attacks against the healthcare industry. In recent headlines, Excellus Blue Cross Blue Shield stated that approximately 10 million of its customers had their healthcare records compromised.

Not only did critical information such as names, Social Security numbers, addresses, and birthdays get leaked, but financial data such as credit card information was also compromised. This puts their customers at risk for fraud and identity theft.

Criminal cyber-attacks are rising amongst the healthcare community, and despite strict HIPAA guidelines and regulations, many hospitals and healthcare providers are grappling with keeping their patients’ data safe.

Cyber-attacks and data breaches cost the U.S. healthcare system approximately $6 billion annually, according to the security research firm The Ponemon Institute. KPMG polled over 200 healthcare providers and found that four out of five providers had been hacked.

44% of healthcare organizations were attacked 1-50 times in the last year, while 38% were attacked between 50 and 350 times. 13% were attacked more than 350 times.

It doesn’t take a stretch of the imagination to realize just how many additional attacks are left undetected and unreported, as was the case with Excellus, where hackers first accessed patient records in December of 2013 but weren’t discovered until August of 2015. This gave the attackers nearly two years of uninterrupted data collection. In the same study, KPMG also found that only 53% of healthcare providers are ready to defend against a cyber-attack.

KPMG listed five issues that healthcare organizations are facing.

1. The adoption of digital patient records and the automation of clinical systems.

2. The use of antiquated electronic medical records (EMRs) and clinical applications that are not designed to securely operate in today’s networked environment — and software vendors who push that problem to the provider.

3. The ease of distributing electronic personal health information both internally (via laptops, mobile devices, thumb drives) and externally (third party firms and cloud services).

4. The heterogeneous nature of networked systems and applications (i.e. network-enabled respirator pumps on the same network as registration systems that can browse the Internet).

5. The evolving threat landscape, where cyberattacks today are more sophisticated and well-funded, given the increased value of the compromised data on the black market.

“Patient records are far more valuable than credit card information for people who plan to commit fraud, since the personal information cannot be easily changed. A key goal for executives is to advance their institution’s protection to create hurdles for hackers,” according to Michael Ebert of KPMG’s Healthcare & Life Sciences Cyber Practice.

These data breaches and security vulnerabilities cannot and should not be underestimated, and their severity and frequency are a cause for concern. Healthcare providers must make cyber security a priority. No longer is this an issue that companies can ignore.

Protecting patient data is critical, and the healthcare industry must start preparing and implementing a strategy to prevent these hacks before the U.S. Government begins to levy heavy penalties and fines on those who do not step up to today’s threats.