Presentation is loading. Please wait.

Presentation is loading. Please wait.

What lessons can we learn from other data breaches? Target Sentry Insurance Dynacare Laboratories 1 INTRODUCTION.

Published byMarilyn Jordan Modified over 8 years ago

Similar presentations

Presentation on theme: "What lessons can we learn from other data breaches? Target Sentry Insurance Dynacare Laboratories 1 INTRODUCTION."— Presentation transcript:

1 What lessons can we learn from other data breaches? Target Sentry Insurance Dynacare Laboratories 1 INTRODUCTION

2 Why should we care? Certain kinds of data are very valuable to identity thieves ◦ Personal Financial Information (PFI) ◦ Personal Health Information (PHI) ◦ Personally Identifiable Information (PII) ◦ PII = PFI + PHI A breach of PII can be very costly ◦ Loss of reputation ◦ Expenses to remedy the breach ◦ Potential lawsuits ◦ Potential fines and penalties 2 INTRODUCTION

3 What is PFI and PHI? Any government issued ID number is PFI ◦ Social Security Number ◦ Driver’s License Number Any bank issued account number is PFI ◦ Checking/savings accounts ◦ Credit card numbers Most health information is PHI ◦ Diagnosis information ◦ Treatment information 3 INTRODUCTION

4 Legal Requirements 47 states have breach notification laws Laws vary widely from state to state Wisconsin insurance commissioner must be notified of unauthorized access to insured information (December 4, 2006 bulletin) 4 INTRODUCTION

5 Target Breach 5 ALL WARNINGS IGNORED BY TARGET Unknown Date Target’s HVAC vendor’s computer systems were infected through a phishing attack 12-02-2013 Customer credit card information was transmitted out from Target’s computer system 12-15-2013 Target acknowledges a data breach; 40,000,000 credit card records stolen 11-30-2013 Malicious software was detected on Target servers and Target’s security team was notified 12-12-2013 Federal authorities notified Target of the data breach 1-10-2014 Target acknowledges 70,000,000 additional customer records were stolen

6 Target’s woes all started with phishing... (What in the world is “phishing”?) A thief sends an email with a fake link, hoping the user will click it The link could install malicious software (malware) on the user’s computer The malware could transmit sensitive information back to the thief, such as passwords 6 TARGET BREACH LESSONS

7 A sample phishing email Never click on unknown links! 7 TARGET BREACH LESSONS

8 Hackers quickly turn stolen credit card information into cash 8 TARGET BREACH LESSONS

9 Target was subject to Payment Card Industry (PCI) standards The major credit card companies have developed uniform standards for information security practices Any person or company accepting credit cards must comply with some or all PCI standards or face contractual fines and penalties Requirements include: 1.Build and maintain a secure network 2.Protect cardholder data 3.Maintain a vulnerability management program 4.Implement strong access control measures 5.Regularly monitor and test networks 6.Maintain an information security policy 9 TARGET BREACH LESSONS

10 Practice good password management Easy to remember – but hard to guess Change passwords regularly! Use a different password for each system Should be at least 8 characters long Should have upper case, lower case, and numbers 10 Source: Bloomberg BusinessWeek Time to crack passwords? TARGET BREACH LESSONS

11 Recap of Target lessons Users have the biggest role in information security ◦ Don’t click on unknown links in emails! ◦ Change passwords often, and make them hard to guess Your system may be safe – but what about others who have access to your system? (Vendors? Customers?) Don’t ignore the warning signs of a breach ◦ Always conduct an investigation Be extremely careful if you keep sensitive data ◦ Delete unneeded data ◦ Take extra precautions if you store sensitive data 11 TARGET BREACH LESSONS

12 Sentry Insurance breach June of 2006 “A lead programmer/consultant with a nationally recognized computer contractor” 112,198 total records stolen; records from 72 worker's compensation claimants were sold Sentry was notified by law enforcement The data sold over the Internet included people's names and social security numbers 12

13 Grant the least privilege Users should have the least access necessary to do their job role Applies to everyone, including employees – not just consultants and vendors Excessive access is a recipe for disaster 13 SENTRY BREACH LESSONS

14 Use background checks Consider background and credit checks for employees and contractors. Look for: ◦ prior criminal history ◦ illegal drug use ◦ significant credit or financial issues 14 SENTRY BREACH LESSONS

15 Dynacare Laboratories and Froedtert Health breach October 22, 2013: Employee’s car was stolen, containing a laptop and a purse with a USB drive USB drive contained 9,414 PFI records All items were eventually recovered by police, with no evidence that files had been accessed Lawsuits filed by City of Milwaukee and Milwaukee Professional Firefighters Local 215 15

16 Closely manage mobile devices and mobile storage Devices containing potentially sensitive information are getting smaller and smaller – and easier to lose These devices can store massive amounts of data It is hard to control these exposures Don’t forget:  Laptops  Smart phones and tablets  USB drives  Backup tapes 16 DYNACARE BREACH LESSONS

17 Consider encryption Encryption scrambles a computer file. It can be read only by someone who has the right encryption key to unscramble it. In most statutes, encryption is a “get out of jail free card” Customers are beginning to expect encryption 17 DYNACARE BREACH LESSONS

18 What can I do to prevent a breach? Do not retain sensitive information unless necessary; consider encrypting it if you need to keep it Protect that data from access to anyone who does not need it ◦ Password management ◦ Least privilege ◦ Encryption Monitor those who do need it to ensure they are using it properly 18 SUMMARY

19 What if a breach occurs? Investigate every suspected claim of data breach right away Comply with the law Utilize outside help for ◦ Legal guidance ◦ Data forensics Notify in a timely manner 19 SUMMARY

20 20 SUMMARY

21 What else can I do? Engage an information security contractor to help evaluate your security practices If you use other contractors or vendors to service your computer system, check the contract! ◦ Do they assume liability for a breach they cause? Consider a cyberliability insurance policy 21 SUMMARY

22 Extras: Cloud security Many strategic advantages to outsourcing IT services This comes with significant security risks Assess vendors for security controls and look for certifications: ◦ PCI certification ◦ ISO 27000 certification ◦ SOC2 certification 22

23 Extras: Data Loss Prevention DLP technology allows you to see what information leaves your network perimeter Can check e-mail and web traffic Can block or automatically encrypt sensitive data 23

Download ppt "What lessons can we learn from other data breaches? Target Sentry Insurance Dynacare Laboratories 1 INTRODUCTION."

Similar presentations

Computer and Mobile Device Equipment Security Brief May 29, 2008 Presented by: Kevin G. Sutton, Chief, Information Technology Unit.

Computer and Mobile Device Equipment Security Brief May 29, 2008 Presented by: Kevin G. Sutton, Chief, Information Technology Unit.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.
Identity Theft Solutions. ©SHRM 20082 Introduction Identification theft became the number one criminal activity issue in 2004 and has remained at the.

Identity Theft Solutions. ©SHRM Introduction Identification theft became the number one criminal activity issue in 2004 and has remained at the.
1 MIS 2000 Class 22 System Security Update: Winter 2015.

1 MIS 2000 Class 22 System Security Update: Winter 2015.
Critical Data Management Indiana University HR Summit April 24, 2014.

Critical Data Management Indiana University HR Summit April 24, 2014.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Allison Dolan Program Director, Protecting PII Handling Sensitive Data - WISP and PIRN.

Allison Dolan Program Director, Protecting PII Handling Sensitive Data - WISP and PIRN.
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Security Controls – What Works

Security Controls – What Works
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
IT Security Essentials Ian Lazerwitz, Information Security Officer.

IT Security Essentials Ian Lazerwitz, Information Security Officer.
Why Comply with PCI Security Standards?

Why Comply with PCI Security Standards?
Introduction to PCI DSS

Introduction to PCI DSS
DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?

DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?
Company LOGO Copyright Carrie Kerskie Data Breach & Identity Theft By Carrie Kerskie Kerskie Group, Inc.

Company LOGO Copyright Carrie Kerskie Data Breach & Identity Theft By Carrie Kerskie Kerskie Group, Inc.

Similar presentations

Ads by Google