Educational Newsletters

2020 Prediction: Senior ID Theft to Get Significantly Worse


By Mark Pribish
Vice President & ID Theft Practice Leader

KEYWORDS: senior identity theft / senior fraud / cybercrime / personal privacy

Whenever I speak publicly about cybersecurity and identity theft, I always share the latest research reports or identity theft trends to look for recent patterns that can help consumers and businesses mitigate their risks against identity theft. 

Based on the first half of this year – where 11 of the largest 13 data breach events occurred at medical or healthcare organizations (please see here) affecting nearly 24 million healthcare related records, I believe senior identity theft and fraud will get significantly worse in 2020. 

According to Protenus, a healthcare compliance analytics company, (please see here) this healthcare industry data breach pattern includes 503 incidents affecting nearly 15.1 million patient records in 2018 and 477 data breaches affecting 5.6 million patient records in 2017. 

When you think about lost or stolen Personally Identifiable Information (PII), most people think about credit card information, bank account information, taxpayer identity theft and refund fraud, utilities identity theft and fraud, and credential identity theft such as driver’s license or passport fraud. 

Very few people think about medical identity theft in general and senior identity theft in particular. 

However, when the collections firm American Medical Collections Agency (AMCA) – which services laboratories, hospitals, physician groups, billing services and medical providers throughout the United States – experienced a data breach including Labcorp affecting 7.7 million patients and Quest Diagnostics affecting 11.9 million patients, I wondered how safe and secure all American consumer billing records really are.

Another interesting statistic comes from the 2019 Federal Trade Commission (FTC) Consumer Sentinel Network Data Book where 39% of fraud complaints and 15.9% of identity theft complaints impacted seniors (60 years or older) in 2018 (please see here).

However, at first glance, if you add the mature market (50 – 59 years of age), the “Identity Theft Reports by Age” from the FTC Consumer Sentinel Network shows that, on a three-year average, 36% of identity theft victims were 50 years and older.

  • 50 years of age and older – 31.3% in 2018
  • 50 years of age and older – 36.6% in 2017
  • 50 years of age and older – 40% in 2016

While there were “only” 14.4 million identity theft victims in 2018, which represented a drop from the record-breaking 16.7 million victims in 2017, it is estimated that out-of-pocket fraud costs for victims more than doubled in 2 years to $1.7 billion.

The FTC report also showed that younger people reported losing money to fraud more often than older people – but older people lost nearly twice the amount to fraud.

To conclude, nearly 50 million health related records have been reported stolen from over 1,000 data breaches over the last 30 months. 

With National Cybersecurity Awareness Month taking place in October, I believe senior identity theft and fraud will rise in 2020!

Who’s the Insider Threat at Your Company?


By Mark Pribish
Vice President & ID Theft Practice Leader

KEYWORDS: cybersecurity / cybercrime / insider threat / personal privacy

I just attended the Black Hat 2019 Conference – which is the largest information security event in the world – on August 7-8 and listened to a very informative presentation by John Grim, Managing Principal – Americas, Verizon Threat Research Advisory Center (VTRAC), on Verizon’s recently released Insider Threat Report.

Grim began the presentation by highlighting Verizon’s five insider threat categories including the following:

  • The Careless Worker
  • The Inside Agent
  • The Disgruntled Employee
  • The Malicious Insider
  • The Feckless Third Party

As a side note, I had to look up the word “feckless” which has a number of meanings including irresponsible, incompetent, inept, and lacking character.

Grim defined insiders as “full- and part-time employees, independent contractors, interns, and other staff, as well as business partners and third parties with some level of privileged access.”  He also said that “human resource controls, security access principles, training and third-party management controls can mitigate risks.”

According to Verizon’s Insider Threat Report, “twenty percent of cybersecurity incidents and 15 percent of the data breaches investigated within the Verizon 2018 DBIR originated from people within the organization, with financial gain (47.8 percent) and pure fun (23.4 percent) being the top motivators.”

In addition, these attacks, which exploit internal data and system access privileges, are often only found months or years after they take place, making their potential impact on a business significant.

To put all this in perspective, Capital One’s recent data breach was impacted by this very insider threat, the “feckless third party”: an irresponsible former Amazon employee lacking character and integrity is now being charged with computer fraud.

Just as I wrote in a recent LinkedIn post about Capital One’s data breach event that the question should be “who’s in your wallet?” – I believe every business and organization, based on Verizon’s Insider Report, should be asking “who’s the insider threat at your company?”

To conclude, Verizon offers organizations an opportunity to “identify pockets of risk within the employee base, real-life case scenarios, and countermeasure strategies to consider when developing a comprehensive Insider Threat Program.”

You can go to this link to read Verizon’s Insider Threat Report.

Sincerely,

Mark

Apps Are a Bigger Personal Privacy Threat than Facebook


July 2019

KEYWORDS: cybersecurity / cybercrime / social media / apps / personal privacy

Four years ago I wrote an article titled “Are apps and social media putting your privacy at risk?” (please see here) where I asked readers when was the last time they read the terms and conditions or adjusted the privacy settings of their smartphone apps or social-media accounts?

On Wednesday (July 24, 2019) the Federal Trade Commission (FTC) announced that Facebook “will pay a record-breaking $5 billion fine to resolve a government probe into its privacy practices and the social media giant will restructure its approach to privacy” (please see here).

The FTC also said that Facebook’s “data policy was deceptive to ‘tens of millions’ of people who used Facebook’s facial recognition tool and also violated its rules against deceptive practices when it did not disclose phone numbers collected to enable a security feature would be used for advertising.”  I will get back to facial recognition in a moment.

So when you think about why consumers use apps and social media, you think about convenience, entertainment and networking opportunities.  Common app examples include requesting transportation, adjusting our home thermostat, accepting a LinkedIn invite, posting on social media or playing a game.  This is the reality of our evolving lifestyle and is the world that we live in today.

Another reality is that our everyday app use and access to social media increases our personal privacy risks.  For example, while you are thinking about convenience, entertainment and networking opportunities – so are the cyber thieves and ID theft criminals who are leveraging your social networks and apps to do their dirty work. Common social media examples include fake LinkedIn invites, fake Facebook accounts, fake Twitter accounts, fake reviews, and even fake news.

Over the last few years, cybersecurity research has shown that most social media scams were manually shared, where the scam spread rapidly. These scams are lucrative for cybercriminals because people are more likely to click something “posted by a friend.”  The mobile threat, including mobile apps, has also been ripe for attacks, as many consumers associate cyber threats with their PCs and neglect even basic security precautions on their smartphones.

Consumers need to be reminded that apps and social media can track your search engine history, purchasing habits, geographical location, and even look into your files and contact list – all without your knowledge and sometimes without your permission.  The type of personal information being collected and sold includes your smartphone's unique device ID, phone's location, phone number, your age, gender, likes, dislikes, search-engine habits, e-mails, usernames and more to third party marketers and data brokers.

So, returning to facial recognition and the extremely popular facial recognition app called FaceApp, you may want to read this article titled “All your friends are posting aging selfies with FaceApp – a Russian app that's raising privacy concerns” (please see here).

Essentially, FaceApp is a photo editing app where you can see what you would look like with a beard, gray hair, and even wrinkles.  Unfortunately, to use FaceApp you have to give it permission to access all your photos along with access to Siri and Search.  In addition, FaceApp has access to refreshing in the background – “even when you are not using it, it is using you,” according to Rob La Gesse, former vice president at Rackspace, who shared his FaceApp thoughts on Facebook on Wednesday, July 17, 2019.

Based on the above, here are my five tips to help you minimize your privacy risks:

  • Limit and/or eliminate sharing your personal information online.
  • Increase your privacy awareness by reviewing and adjusting your privacy settings.
  • Be aware that some apps reset your privacy settings during major upgrades.
  • Learn more on how the apps you have installed use your personal information and for what purposes.
  • Consider using "privacy assistant software" to help keep your privacy preferences current.

I will conclude by asking the same question again:  when was the last time you read the terms and conditions or adjusted the privacy settings of your smartphone apps or social-media accounts?

Sincerely,

Mark

4 Data Breach Best Practice Tips for Small Businesses


June, 2019

According to a June 4, 2019 Security Magazine article titled “Data Breaches Cost $654 Billion in 2018” (please see here https://www.securitymagazine.com/articles/90320-data-breaches-cost-654-billion-in-2018), “cybercriminals exposed 2.8 billion consumer data records in 2018, costing more than $654 billion to U.S. organizations.”

Personally identifiable information (PII) was the most targeted data, with 54 percent of stolen PII being date of birth and/or Social Security Numbers.

In addition, “name and physical address (49 percent) and personal health information (46 percent) were the second and third most commonly compromised type of PII in 2018.”

Based on the above, and the just released 2019 Verizon Data Breach Investigations Report (DBIR) where Verizon found that 43% of data breaches happened to small businesses, I have listed below my four data breach best practice tips to help small businesses prepare for and mitigate their exposure to a data breach event.

Best Practice #1 - every small business needs to understand the cybersecurity threat landscape.

Staying on top of all the security news and knowing the latest security trends is a time consuming and challenging task.  I recommend regularly reading Brian Krebs (please see here https://krebsonsecurity.com/) who is the author of a daily blog covering cybersecurity, data breach and cybercrime trends.

Best Practice #2 - is to have a written information security and governance policy and to update this policy each year.  Once complete, have every employee – even small businesses with two to five employees – sign this information security policy document acknowledging that they have read, understand and agree to the policy.

Best Practice #3 – is to have a data breach risk management plan in place. The lack of cybersecurity preparedness, the lack of data breach planning and the lack of employee privacy training have made small businesses a target for cyber criminals. Your data breach risk management plan should include pre-breach planning with a focus on an information security risk assessment and employee education and awareness.  It should also include post-breach planning with a focus on state and federal breach notification laws and a list of incident response vendors such as your insurance broker, legal services, forensic services, and public relations.

Best Practice #4 - every small business owner should consider having a cyber liability insurance policy which can help protect your business from cybercrime and a data breach event.  The CEOs and CIOs of Equifax and Target were not fired because they were hacked or breached; they were fired for their failed management response to their breach events.  Cyber insurance can help your business be resilient and compromise ready.

With the threat environment changing so quickly, chances are your security policies and procedures (if your business has security policies and procedures) are not keeping up; just as state and federal laws are not keeping up with the newest technologies.

These four best practices will help your small business respond to new threats along with the changing regulatory environment.  

Sincerely,

Mark Pribish | Vice President and ID Theft Practice Leader

To learn more about these threats and how to protect yourself and your family from Identity Theft, you can read my past newsletters below.

Your Cell Phone Number is a Threat to Your Personal Privacy


April, 2019

I read with great interest an article titled “Phone numbers are the new Social Security numbers” (please see here) that highlights how "cellphone numbers have become a primary way for tech companies like Facebook to uniquely identify users and secure accounts, in some ways becoming a proxy for a national ID."

The article goes on to say that cellphone numbers are becoming Americans' latest national identification number as Congress mandated that consumers could take their phone number from one provider to another.

This means that consumers can have a de facto "cellphone number for life" system.

Think about how your cell phone number / smartphone is used as a personal computer to do your banking, watch movies, and more including the following:

 - Texting
 - Email
 - Social Media
 - Camera
 - Banking
 - Reading news
 - Online shopping
 - Checking the weather
 - WhatsApp
 - Watching videos on YouTube

Now think about how your smartphone is also a potential threat to your personal privacy. While you can install some privacy related apps, you still give up most of your privacy.

Here are some examples of how your personal privacy can be at risk through your smartphone:

 - Geotracking — a smartphone is able to locate itself via the integrated GPS chip. While disclosing location data may seem harmless, it is still an invasion of privacy. This data can be used to build a profile on you or a family member, which can subsequently be used for a phishing attack.

 - Wi-Fi tracking — as cellular connections often falter indoors, retailers have offered free Wi-Fi to their shoppers. While consumers click to accept the terms of service, an invasion of privacy is taking place as retailers can determine which departments the shoppers have visited and how long they spent there.

 - Microphone eavesdropping — every smartphone has a microphone, and it's another security risk. While the main concern for many of us may be someone eavesdropping on private conversations, microphones also can be used for data collection.

So let's conclude with your personal privacy risks related to your cell phone number.

The next time someone asks you for your cellphone number, remember that it is increasingly used to connect to private information maintained by all types of companies including financial institutions, retailers and social networks.

Your cell phone number can also be used to monitor and predict what you view and purchase online or even what you watch on television.

It is important to know that your cell phone number is not regulated and no companies are mandated to keep it private. Studies indicate that half the U.S. population no longer has a landline. Many consumers in the 20-30 year age bracket have never had a landline. Many young consumers have no credit history and therefore no link to their Social Security number.

On the other hand, most teenagers are equipped with a cell phone number at the average age of thirteen years old. That cell phone number often remains with them for decades providing a detailed digital identification system of information.

This detailed digital identification system of information applies to all of us, so be smart with your cell phone number and who you share it with.

Sincerely,

Mark Pribish | Vice President and ID Theft Practice Leader
