List of data breaches
Jolera recently visited the Identity Theft Resource Center’s website at https://www.idtheftcenter.org/
The ITRC is a non-profit organization. Its mission is to assist identity theft victims at no charge, to educate both consumers and organizations on best practices for detecting, reducing and mitigating fraud and identity theft, and to serve as a resource on consumer issues related to cybersecurity, data breaches, social media, fraud, scams and other topics.
It was a useful visit, and I suggest everyone bookmark the link and check the site once or twice a month to keep up with developments. Here is a quick summary of some of the facts I found; to keep things simple, we will focus on a few 2015 breaches:
Nov. 10, 2015: Dow Corning Suspects Internal Data Breach. About 4,000 employees may be affected; personal information may have been stolen.
Oct. 15, 2015: Dow Jones Data Breach Reveals Surprising Shift in Identity Theft Crime. Investigators believe that between August 2012 and July 2015 attackers accessed subscriber information stored in the system. The breach was discovered in July 2015.
Oct. 1, 2015: Hilton Hotels Suspects Ongoing Data Breach. A pattern of credit-card fraud suggests attackers have compromised point-of-sale registers in gift shops and restaurants at many Hilton-owned and franchised properties.
Sept. 23, 2015: Molina Health Data Breach an Inside Job. A CVS employee had downloaded patient information to his laptop, including full names, CVS-specific patient numbers, prescription coverage plan numbers and coverage dates.
Dell summarized its observations on cyber security in its 2015 Annual Security Report as a list of best practices:
1. Continuously train employees for security awareness.
2. Vigorously employ endpoint defenses. Most network infiltrations begin with a compromised user device.
- Deploy secure mobile access technology that checks the security posture of user devices before granting network access and enforces policies that grant VPN access only to trusted users, mobile apps, and devices.
- Deploy secure workspace technology to establish and enforce on-device data protection policies and app management.
- Implement 2FA (two-factor authentication) for both administrators and users.
- Protect privileged accounts.
- Manage contractor, partner, intern, patient, and vendor access differently than internal resources. Control and monitor access rights regularly.
3. Replace traditional or legacy firewalls with a Next-Generation Firewall (NGFW).
4. Invest in a capable intrusion prevention system (IPS).
5. Add an SSL/TLS inspection capability to detect and block malware hidden in SSL/TLS-encrypted traffic. [Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over the Internet.] Note that inspecting TLS traffic means the firewall terminates each connection and re-signs it with its own certificate authority, so that inspection CA must be pushed to managed endpoints and its private key protected, and categories such as banking and health sites are usually exempted for privacy and compliance reasons.
6. Implement continuous threat counter-intelligence feeding security updates to NGFWs and intrusion prevention systems.
7. Deploy an email security solution.
8. Consistently update software.
9. Secure remote work environments by segmenting router access.
10. Implement the same level of defense throughout a distributed enterprise’s locations, including kiosks, executive homes, and remote offices.
Please contact Jolera to arrange for a discussion of cyber-security at your shop. The cost of investing in the time and effort to have this conversation may save you millions.