“It” refers to data. Data Privacy Day, scheduled for January 28, is about keeping data to yourself and out of the hands of cybercriminals. This annual international celebration is designed to promote awareness about privacy and education about privacy best practices. Official sponsors for Data Privacy Day are EBay and Intel, who are joined by a host of partners including Microsoft, Intuit, Comcast, MasterCard, AT&T, Facebook, Google, the International Association of Privacy Professionals, the State of West Virginia and….
Did we leave anybody out? Probably. But it’s a long list because Data Privacy Day is an excellent cause. Without it, literally the financial, social and political structure of society is at risk. HOLD ON. Just remembered somebody we left out —ThreatMetrix™. ThreatMetrix strongly supports Data Privacy Day.
“We have entered a world of unprecedented identity theft and surveillance for monetary gain,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “Every site we visit, everything we search for, to everything we now do, buy and share online is tracked by a growing number of powerful players. Unfortunately the evidence suggests that no data is unreachable or un-exploitable by adversaries or advertisers. Whether it be due to data breaches, phishing attacks or over-sharing, the implication is that identity can no longer be relied-on to authenticate a customer online. The distribution of our identities across the net not only threatens our privacy but also makes us all preposterously easy to impersonate.”
We should all be concerned about data security being at risk in today’s cybercrime infested environment. And the list of companies and institutions that have had data compromised continues to grow at an alarming rate. From the criminals’ perspective, it just makes good sense. Why try knocking over a bank with a gun and a good chance of getting caught or killed when you can sit back on a beach six time zones away and with your trusty laptop steal more money in one day than bank robbers Willie Sutton, John Dillinger and Baby Face Nelson and Bonnie and Clyde did in their whole lives?
Just a cursory glance at the number and types of recent breaches that compromised personal data from finance to health records and employment histories underscores the importance of calling attention to this Pandora’s Box.
- Facebook (Social Networks): A computer worm stole 45,000 login credentials from Facebook accounts in the UK and France.
- Yale University (Academic Institutions): 43,000 Yale University faculty, staff, students and alumni names and Social Security numbers were made public via Google because a File Transfer Protocol (FTP) where data was stored became searchable.
- Cyworld (Online Gaming): 35-million records including phone numbers, email addresses, names and encrypted information about the sites’ members were taken from South Korea’s largest social networking site, Cyworld.
- PBS (Communities): Thousands of user names and passwords were compromised when a PBS Website was hacked.
- Patco Construction (Online Banking): $300,000 was stolen from Patco Construction Company’s online bank account when hackers gained access to the company’s account credentials by sending employees email with Zeus, a password stealing trojan, that infected the company’s computers.
- Citbank (Financial Services): 360,000 Citibank customers (originally Citibank said it was 210,000 customers) had their account numbers and contact information stolen by hackers.
- Pittsford, N.Y. (Government): $139,000 was stolen from the hamlet of Pittsford, a town of 25,000 near Rochester, N.Y. when cyberthieves logged onto the town’s online commercial bank account. Initiating a small batch of automated clearing house (ACH) transfers, the thieves covering their tracks by sending the transfers to “money mules” around the country.
- Comerica Bank (Banking): $560,000 of Experi-Metal Inc. (EMI) hard-earned cash slipped away when Comerica Bank let fraudsters waltz away with it.
- Sony PlayStation (Online Gaming): 70-million Sony customers were put at risk when hackers broke into Sony’s PlayStation Network (PSN) and stole credit card details. The security breech caused Sony to take down the network for “maintenance.” Subsequently, 93,000 Sony customer accounts were hacked in a separate incident. Sony believed those customers used the same Sony login credentials to logon to other sites and that the other sites were hacked, providing access to the customers’ PII (personally identifiable information).
- Sega (Online Gaming): 1.3 million users had personal information put at risk by a Sega online network breach causing the company to temporarily shut down its online network.
- Washington Post (Media): Either 1.27 million, 1.3 million or 1.6 million user IDs and email addresses were ripped off from the Washington Post’s job section.
- Pentagon (Government): 24,000 military files were stolen from a defense contractor doing business with the Pentagon in a cyberattack. On a side note, the Pentagon is now consider cyberattacks as an act of war.
- Zappos (E-Commerce): 24 million customers’ personal information was put at risk when Zappos, the online shoe outlet owned by Amazon, was hacked.
- Toshiba (Computer Manufacturing): 7,520 Toshiba customers’ email addresses, telephone numbers and passwords were stolen by cybercriminals.
- NATO (Government/Military): A Gigabyte of NATO data was stolen by Anonymous which had accessed NATO servers.
- FTC (Government): More than 18,000 cases of child identity theft were reported to the Federal Trade Commission. Children’s identities provide the kind of clean backgrounds that make it possible for thieves to create entire fictional credit histories. Often the theft is not found until the person turns 18 and starts college or looks for a job.
- Credit Card Fraud: Restaurant workers, bank tellers and other service employees skimmed, swiped and scammed millions of dollars worth of personal credit information from thousands of American and European consumers. The cost to victims, financial institutions and retail business? More than $13 million over a 16-month period.
- RSA (Security): After a junior employee at security firm RSA fell prey to a run-of-the-mill phishing attack, hackers were able to make their way into the company’s network and hack into its SecurID servers. The attack compromised RSA tokens requiring users to enter a unique number generated by the token each time they connected to their networks. Facebook, Amazon, Abbot Laboratories, Charles Schwab, Microsoft — In all 20% of the Fortune 100 had been compromised.
- Online Advertising: An East European cybergang hijacked at least four million computers in over 100 countries. Included in the half-million hijacked computers in the United States were some at NASA. Using these computers, the gang stole $14 million in four years with a PPC and ad scheme based on redirecting traffic and replacing genuine ads with their own.
- Steam (Online Video Game Distribution): In a major hack, 35 million user accounts at Steam, one of the world’s largest distribution networks for online video games, may have been compromised exposing credit card details and billing addresses.
- Stratfor Global Intelligence Service (Security): Stratfor Global Intelligence Service, a company which helps clients with security and is famous for its secrecy and its top-secret client list was hacked resulting in names, emails, credit card details, passwords and home addresses for some 4,000 people being compromised. Additionally, this information was used to have clients involuntarily donate to charity to the tune of a million bucks. The hackers also said they had details for more than 90,000 credit card accounts.
- San Francisco City College (Education): For more than a decade San Francisco City College servers have been stealing personal banking information and other data from thousands, or even tens of thousands, of students, faculty and administrators in what the San Francisco Chronicle refers to as “an infestation” of computer viruses with origins in criminal networks in Russia, China et al.
- South Africa’s Postbank (Government): $6.7 million was stolen from South Africa’s Postbank when cyberthieves accessed a computer from a remote location and hacked into Postbank’s server system using stolen login details for a Postbank teller and a call-center agent.
- Epsilon (Email Marketing Services): Epsilon, a large email marketing services company, reported a data breach that could affect the email addresses of thousands of customers of major banks, retail and hotel chains. This impacted financial services institutions such as Capital One, US Bank, JPMorgan Chase, Citi and Barclays Bank of Delaware. However, the only Barclays Bank of Delaware customers affected were the ones who have an LL Bean VISA card. In addition to the banks, other impacted companies included hotel brands Ritz-Carlton Rewards and Marriott Rewards, and retail heavyweights Home Shopping Network, Walgreens, Brookstone, New York & Company and Kroger. TiVo is also included in this list.
- WordPress.com (Blogs): WordPress.com, which hosts more than 19 million blogs, had its servers compromised and sensitive data taken.
- The State of Texas (Government): 3.5 million Texans had their names and Social Security numbers (and in some cases their dates of birth and driver’s license numbers publicly posted in a data breach at the Texas state comptroller’s office.
- International Monetary Fund (Banking/Government): Damage still not assessed or admitted to by the International Monetary Fund which fell victim to a large and sophisticated cyberattack that led the IMF to cut the link that allowed it and the World Bank to share confidential information.