Hackers would be lucky to get 1% of what a breach costs an organization, but then they can do this hundreds of times.
Cost of data breaches increasing to average of $3.8 million
The total average cost of a data breach is now $3.8 million, up from $3.5 million a year ago, according to a study by data security research organization Ponemon Institute, paid for by International Business Machines Corp.
The direct costs include hiring experts to fix the breach, investigating the cause, setting up hotlines for customers and offering credit monitoring for victims. Business lost because customers are wary after a breach can be even greater, the study said.
… "Most of what's occurring is through organized crime," said Caleb Barlow, vice president of IBM Security. "These are well-funded groups. They work Monday to Friday. They are probably better funded and better staffed than a lot of people who are trying to defend against them."
… The cost of a data breach is now $154 per record lost or stolen, up from $145 last year, according to the study, based on interviews with 350 companies from 11 major countries that had suffered a data breach.
… The study found that healthcare was most at risk for costly breaches, with an average cost per record lost or stolen as high as $363, more than twice the average for all sectors of $154.
(Related) And don't forget the fine!
Last July – and I missed this one at the time – Stan Diel reported:
A laptop computer including some Sterne Agee Group Inc. clients’ account numbers, Social Security numbers and other personal information has been missing since the end of May and the firm has offered some customers free identity theft protection services as a result, a letter to clients indicates.
In the letter dated June 27 the Birmingham-based investment banking firm indicates that an employee’s laptop went missing on May 29 or May 30, and that it included unencrypted identifying information about Private Client Group customers whose accounts were open as of May 29. It also may have included information about Sterne Agee & Leach clients whose accounts were open between July 1, 1992 and June 30, 2013, the letter states.
It turns out the breach was an even bigger deal than the media knew at the time. Today, Law360 reports:
The Financial Industry Regulatory Authority accepted a settlement Friday requiring Sterne Agee & Leach Inc. to pay a fine and review its security protocols after a technician left in a restroom an unencrypted laptop containing sensitive information about 352,551 clients.
Sterne Agee will pay a $225,000 fine over the allegations. The regulatory agency said the firm had been aware of the need to protect information stored on laptops for years but that measures to do so were delayed twice pending budgetary approval.
So failure to invest in encrypting laptops cost them $225,000 plus the costs of the data breach itself? Ouch.
(Related) Another way to seriously increase the cost of a breach: ignore the notification but provide the tipster with a receipt!
Oh my. DataBreachWallofShame.org posted some of CISO Darknet Group’s attempts to alert Adult Friend Finder back on March 12 that their data had been stolen and were up for sale. The alert was pretty clear, and they got a read receipt – but not actual acknowledgement.
Note that their alert made it clear that FFN did not have to hire them to get the information:
This is not a hard sell or scare tactic, this is what our organization was built on; CyberHumint methodologies for fraud prevention. This information will be provided to you free and our work pro-bono.
So why didn’t FFN respond?
They would later claim they never got the notification – despite, apparently, the read receipt.
More than two months later, on May 22, CISO Darknet Group claims they tried again to notify FFN:
I was just alerted that Adult Friend Finder Network have recently contacted law enforcement concerning your data breach. As you can see from the email below we tried to alert you 2 months ago. We still have access and profile of the bad-actor behind your breach as well as access to all the records compromised.
We can certainly assist should there be an acknowledgment of this alert this time.
And… wait for it… another read receipt – this time allegedly from Diana Ballou, Vice President, Senior Counsel – Corporate Compliance and Litigation – but again, no personal message or request for information.
Read the emails and see what you think. One disclaimer: I have no way of verifying the accuracy of any of their claims, but I’m betting that when a class action lawsuit is filed (or has one been filed already), these emails are going to come into play. And not only may they come into play by plaintiffs, but FFN’s insurer may try to use them to limit their responsibility to FFN. We’ll see….
Update 1: Friend Finders Network is standing by their statement that despite the read receipt, the March 12th alert with the subject line “BREACH ALERT! URGENT!” was never read and went to a spam folder.
I don’t see how both things can be true – that they never read it but issued a read receipt (unless they send read receipts for everything, including spam) – but aren’t they still responsible for configuring their spam filters? Does no one actually go thru the spam folder to catch false positives?
For my Ethical Hacking students. This article shows the text that is supposed to crash iPhones, but I'll leave it out of this post since some (one or two) of my loyal readers may use an iPhone.
A new iPhone bug lets you crash other people's phones with a single text message
There's a nasty new iPhone bug doing the rounds: It's a string of characters that, when sent in a message, crashes the recipient's phone.
We first heard about the issue on 9to5Mac, and it apparently affects only iPhone-to-iPhone communication. After receiving a text with the particular string of characters, Messages will reportedly crash repeatedly. It can also force iPhones to reboot in some circumstances.
For my Computer Security students.
Ransomware Keeps Growing – How Can You Protect Yourself?
There are plenty of threats on the Internet, but few can be as scary as ransomware. These particularly nasty bits of malware not only infect a user’s computer, but they end up trying to get money out of them! It’s a despicable thing to do, but sadly, it’s part of the world in which we live.
How does ransomware keep growing? How is it spreading? Everything you’ve ever wanted to know about ransomware is on the infographic below! Share it with someone you think might fall victim to it.
Via WhoIsHostingThis
So it's not that they won't share the data, it's that they take too long when they do?
John Leyden reports:
Skype has been called to appear before a court in Belgium after refusing to hand over customer data following a request for assistance in a criminal investigation.
A court in Mechelen near Brussels wanted “data from messages and calls exchanged on Microsoft-owned Skype”, a regulatory requirement that a Belgian telecoms operator would be required to comply with.
The Microsoft-owned firm declined, Reuters reports.
Read more on The Register.
[From the Register article:
Willems said that police tell him that the time spent by Skype processing these law enforcement requests is becoming a problem.
"It takes for them too long to wait for an official answer from Skype," Willems said. "It's clear that they want to create a precedent as the computer crime units don't want to miss valuable information in the future."
Curious. Is there a “designated driver” exemption?
Joe Cadillic has a justified rant about police going into bars with breathalyzers. The story started in Sacramento before Memorial Day weekend, but there’s also a bill in the California legislature that would expand testing.
Joe writes, in part:
How long before police nationwide will go into bars and force people to blow into breathalyzers and check for possible public inebriation or use ‘Drug Breathalyzers’ on innocent people?
California’s ‘Drug Breathalyzer’ bill is set to do just that:
A California lawmaker introduced a bill that would allow law enforcement to use new ‘Drug Breathalyzers’ on people suspected of driving under the influence of marijuana and other drugs.
Like breathalyzers used to test drivers for alcohol consumption, Assembly Bill 1356 would allow police to use oral fluid devices to check drivers for drug impairment.
Read more on MassPrivateI.
[From the article:
Don't forget DHS is paying police to set up DUI checkpoints. [DHS, It's not just for terrorists! Bob]
… These 'Drug Breathalyzers' can't detect if you've ingested a poppy seed bagel but will alert police that you tested POSITIVE for drugs!
… Obviously the sight of several armed officers walking into a bar with breathalyzers in hand is a buzz kill, to say the least.
One of the bar patrons who’s been exposed to the program explains, “Admittedly we were a bit put off when we were gonna walk in and saw a bunch of cops with breathalyzers.”
A “bit put off” is an understatement!
While these officers are promising not to “test and arrest,” the very idea of police entering bars & restaurants and 'asking' people to submit to breathalyzer tests is appalling!
For my Firefox using students. Remind me to opt out in a few months? And with every new version?
Mike Flacy reports:
In an attempt to sell advertising space in a user’s new tab page within the Firefox browser, Mozilla is launching a new platform called “Suggested Tiles” specifically for advertisers. Similar to Google using your Web search history to load related advertisements within Google Adsense placements, Mozilla will look through your visited sites within Firefox to suggest an advertiser site to visit and display it on the new tab page.
Read more on Digital Trends, and if you’re a Firefox user, do note the opt-out provisions.
[From the article:
However, there are user protections built into the new feature as detailed on Mozilla’s Advancing Content blog. Users will be able to flip off the Suggested Tiles function by toggling a check box within the browser’s settings. Users can also completely avoid site suggestions by opting for a blank page when opening up a new tab within Firefox.
… Regarding the launch of Suggested Tiles within Firefox, Mozilla is expected to launch the new feature within the Beta version of the browser relatively soon. The full launch of the feature to the most current version of Firefox will likely occur later in the summer.
Perspective.
Internet used by 3.2 billion people in 2015
Nearly half of the global population will be using the internet by the end of this year, according to a new report.
The International Telecommunication Union (ITU), a United Nations body, predicts that 3.2 billion people will be online. The population currently stands at 7.2 billion.
… There will also be more than 7 billion mobile device subscriptions, the ITU said.
It found that 78 out of 100 people in the US and Europe already use mobile broadband, and 69% of the world has 3G coverage – but only 29% of rural areas are served.
Keeping up with the Social Networking industry. Have we reached the “consolidation phase” so soon?
Snapchat planning for IPO
… The four-year-old company, which offers a smartphone app that is popular with teens, declined Facebook's $3 billion acquisition offer in 2013.
(Related)
Twitter Reportedly in Talks to Buy Flipboard
(Related)
Google, Yahoo Have Had Talks to Buy Flipboard
For our Criminal Justice students.
Sunlight Foundation – Opening Criminal Justice Data
by Sabrina I. Pacifici on May 26, 2015
“As part of a new initiative, the Sunlight Foundation has begun amassing an inventory of public and privately-produced criminal justice data. The spreadsheet on this page is a work in progress but we’re publishing it now with hopes that people can use it for research or reporting and even contribute to it. Please go through the spreadsheet — so far we have an inventory started with information from 26 states and the federal government. When we’re done, we’ll have an inventory of data from all 50 states and the District of Columbia. You can read more about this project, submit your own work and feedback [here].”
So I can communicate with my students.
http://www.latimes.com/books/jacketcopy/la-et-jc-clickbait-new-words-dictionary-020150526-story.html
You won't believe the words Merriam-Webster dictionary just added
“Clickbait” has arrived -- in Merriam-Webster’s unabridged online dictionary.
The dictionary announced Tuesday that it has added that word along with about 1,700 other entries, including “emoji” (small images used in email and text messages), “jegging” (a legging that looks like tight jeans), “photobomb” (to jump into a photo as it is being taken) and “NSFW” (not safe for work).