The Westin Bonaventure in Los Angeles is the latest publicly disclosed hotel hacker target. Unfortunately, there are likely ten or more hotels hit this month that don’t even know about it. For years now, the hospitality industry has been hit hard with malicious attackers looking to gain access by whatever means necessary – whether via point-of-sale (as they did with the Bonaventure) or directly into a network server far removed from the restaurant or hotel’s location. In fact, according to one leading security vendor, in 2009 hackers broke into hotel networks more so than in any other industry. More importantly, the organizations hit by attacks didn’t discover breaches for an average of 156 days. This Trustwave report was compiled from data breach investigations across the world.
Given their data loss exposures, it is not surprising that some hotel brands have been purchasing network security and privacy insurance for years now. One leading luxury brand has bought such coverage for over six years. The covered claims for some of these insurance purchases have more than paid for the premium. The question remains whether an independent owner or franchisee needs to purchase its own coverage.
First of all, if you are a franchisee, the reservation networks are usually maintained by the franchisor. Why should a franchisee pay for coverage on a system maintained by another party – albeit a party with a strong relationship to the franchisee? To answer that question, the franchisee needs to review its Franchise Disclosure Document (FDD) to ensure that data loss indemnifications are in place. For example, under the FDD, who is liable for a breach if it’s point-of-sale and your employee was somehow negligent?
Secondly, what if your property collects information based on client preferences, health needs, or other sensitive data? Where and how is that information stored? Is it encrypted? Will this information ultimately be safeguarded by your franchisor partner. Although most recent hacks have focused on credit card information given that this financial information is so easy to monetize, what about the “cyber-extortion” threat potential should other sensitive client data be in the hands of those same hackers. Cyber-extortion has become a somewhat common insurance coverage grant.
As is a sound business strategy for any company, a “back up” plan should be in place that takes into consideration the potential your franchisor’s network may likely be compromised at some point. Not only should a back up network security and privacy plan be in place, but all related risks should be quantified. After this risk analysis is completed, an evaluation should be made determining whether separate NSAP insurance makes sense to protect your own interests.
As of March 1, 2010, any company, organization, association or entity that has any sensitive personal information of a Massachusetts resident must now comply with a new law – Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00). This new law impacts an entity even if it is not located in or even does business in Massachusetts – all that is necessary to trigger a compliance obligation is that the firm maintains personal information on Massachusetts residents, including information on any customers and employees.
Taking a page from the FTC’s Red Flags regulations, the new law requires that companies implement a written security plan to protect protected personal information. An employee needs to oversee this security program, it must be regularly monitored, and the efficiency of the program needs to be reviewed at least annually or at any time when there’s a major change in a company’s business practices.
Going further than the FTC and not wanting to disappoint given its name, Massachusetts has actually set forth specific data security standards in its new law. For example, all records containing personal data that are transmitted wirelessly or sent via public networks need to be encrypted. As well, sensitive personal data stored on laptops and other portable devices also must be encrypted. Companies will need to restrict access to records and files that contain personal information to only those employees who need such information to do their jobs.
Third party vendors who contract with businesses after March 1, 2010 are subject to the new law and also need to comply. Those companies who contracted prior to March 1, 2010 are given two additional years to comply. It remains to be seen whether other states will follow suit with Massachusetts but given the reach of the statute, it may not even matter. Between the FTC and MA, good common sense may dictate that your firm implement a written ID theft prevention program sooner rather than later.
In its sharpest defense to date, the Chinese Government – by way of its state-controlled media outlet, Zinhua News Agency – argues that it does not make sense to blame the recent corporate hacking incidents on the Chinese Government. According to the February 24, 2010 People’s Daily article, “China’s attitude toward cyber attacks has been unequivocal and has adopted laws against such crimes, as China is one of the countries that bear the brunt of cyber attacks. It is way far-fetched to say that cyber attacks — even if they were to originate from China or were to be carried out by Chinese citizens — would have the support of the Chinese government.” The authors point out the IP addresses are not necessarily accurate for determining the initial location of a hacking incident given those traced computers can be hijacked from elsewhere. The article closes by saying: “Cyber crimes could cause immense losses for individuals, enterprises and nation-states. Effective supervision and closer international cooperation are ways to boost cyber security. Finger pointing is not.” Although it remains to be seen whether the Chinese Government was behind this latest round of corporate exploits, keeping an open perpective is never a bad idea.
In a February 22, 2010 press release, the Federal Trade Commission states that it notified “almost 100 organizations that personal information, including sensitive data about customers and/or employees, has been shared from the organizations’ computer networks and is available on peer-to-peer (P2P) file-sharing networks to any users of those networks, who could use it to commit identity theft or fraud.”
The agency also released new educational materials that recommend ways to manage P2P risk. Interestingly, the FTC does not suggest that all P2P file sharing software be banned from a business. The recommendation is to evaluate what sensitive data is being used compared with the benefits of using such software. This recommendation fails to appreciate the fact that all P2P software used for a business purpose can likely be replaced with secure search software that does not require opening up your folders to strangers. Moreover, there is no general business purpose for using LimeWire or similar software given such tools are focused primarily on locating free music and video files. In fact, that is why some universities have banned the use of P2P file sharing software for years now. The reasonable assumption is that if music and video does not fit within a scholastic environment, it does not in a business environment.
Several years ago, Information Week did an excellent expose of the P2P risk faced by many businesses. This was a wake up call that was obviously not heeded given the FTC release. In a similar vein, security specialists were warning years ago that there were hundreds of thousands of websites infected with SQL injection exploits. To this day, SQL injection exploits remain one of the most popular tools for hackers to gain database access. Unfortunately, given the “fix” for such an exploit requires some basic coding, it is beyond the expertise or concern of most businesses and individuals.
On February 22, 2010, as required by section 13402(e)(4) of the HITECH Act, the Office of Civil Rights (OCR) website posted a list of the covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals. By posting this information on the OCR website, OCR has met its HITECH Act obligation, which required Health and Human Services (HHS) make this information public by posting it on an HHS website. The 36 impacted organizations are located around the country and run the gamut from the very small to one of the largest health plans in the country.
Although the majority of the breaches posted involved lost media and laptops, there were instances involving paper records, including several instances of mailings that included protected information. As well, there were a number of instances of hacking with a few involving compromises of business associates.
It remains to be seen whether this public display will shame companies into not losing laptops or being the victim of a theft. What is clear, however, is that having your name listed on a public site will open you up to more potential litigation expense.
According to an article in the New York Times, the recent wave of APT attacks on US businesses “have been traced to computers at two educational institutions in China, including one with close ties to the Chinese military.” This conclusion is apparently based on information gained from the forensics investigators. Given that pretty much every entity in China has some ties to the Chinese military, this revelation is hardly noteworthy. What is noteworthy is the fact that the investigation has found no direct linkage to the Chinese government.
In fact, the article goes so far as to state: “the findings raise as many questions as they answer, including the possibility that some of the attacks came from China but not necessarily from the Chinese government, or even from Chinese sources.” A professor at one of the schools had two guesses as to how the attacks may have originated from the Chinese schools: “One is it’s a completely individual act of wrongdoing, done by one or two geek students in the school who are just keen on experimenting with their hacking skills learned from the school, since the sources in the school and network are so limited. Or it could be that one of the university’s I.P. addresses was hijacked by others, which frequently happens.”
As we learn more about these attacks, we will likely find out two things. First, that these attacks have been going on for longer than originally anticipated against a wider net of companies. Moreover, the attacks will not abate any time soon. Second, that the Chinese government was deliberately set up by the actual attackers – one or more sophisticated company or governmental entity. Given that for many years now, the Chinese government has had the luxury of US companies sharing their IP confidences in return for access to Chinese markets, this “blame the Chinese” storyline made little sense from the beginning. More to the point, the Chinese have enough boots on the ground to get whatever information they need in a much more direct way.
According to today’s Wall Street Journal, “data compiled by NetWitness . . . showed that hackers gained access to a wide array of data at 2,411 companies, from credit-card transactions to intellectual property.”
Starting in late 2008, the hackers are said to have gotten into corporate networks using social engineering methods. Employees were enticed to click on Web sites with malware or email ads purporting to clean up viruses. NetWitness claims that in more than 100 cases, the hackers gained access to servers holding large quantities of data such as databases and email.
As more firms deploy forensics experts such as NetWitness to audit their networks, we will see more and more Wall Street Journal articles demonstrating just how systemic these breaches are in corporate America. Unfortunately, it is very difficult to “unlearn” clicking on images thrown your way on a computer screen. It takes time and training.
According to a report by McAfee, in the last three months of 2009, about 1,095,000 computers in China and 1,057,000 computers in the United States were infected and made part of botnets used to send spam or attack Web sites. Those numbers are in addition to the 10 million previously infected computers in each country.
Stewart A. Baker, the former assistant secretary for policy at the Department of Homeland Security, points out the obvious in the Washington Post article describing the report when he says the number of botnet computers in a country says more about the vulnerability of the computers than about those who infected them. Indeed, having so many hacked computers may indicate that China is not the source of as much malicious conduct attributed to it. Baker points out: “A nation that might want to use botnets as part of an attack probably would want to have its own computers bot-free and commandeer computers in other countries.” Although it would be easy to cynically surmise that US interests are using Chinese computers while Chinese interests are simply commandeering US computers, we have a wide world of hackers that makes assigning blame much more complicated.
While the blame game plays out, China continues to deny any government role in hacking or network exploits and has purportedly cracked down on “hacking training sites” as per this recent article in China Daily. According to the article, Black Hawk Safety Net was the largest hacker training site in China. It openly recruited members, disseminated hacker techniques, sold Trojan software and maintained online forums. Those who ran the Black Hawk Safety Net were arrested under a new Chinese law that criminalized the offering of online attacking programs and software. The article reports that Chinese Police used more than 50 officers to investigate the case.
Although it remains to be seen whether the widely publicized Google attacks emanating from China were orchestrated by the Chinese Government, it does not really matter. What is clear is that these sort of sophisticated attacks are not going away any time soon. Whether attacks are caused by Chinese nationals, the Chinese Government or other foreign hackers, companies need to put their combat boots on and throw away the old rules of engagement. War is being waged against your business. Protect your digital assets or risk everything. It’s that simple.
After interviewing 5,000 folks, the latest annual Javelin study claims that the number of identity fraud victims in the United States increased 12 percent to 11.1 million adults in 2009, while the total annual fraud amount increased by 12.5 percent (or $6 billion) to $54 billion.
The report claims that small businesses are sustaining the most hits: “They suffer identity fraud at one and a half times the rate of all other adults. By using their own personal accounts for business transactions, they are at a greater risk of exposing themselves to identity fraud.” And, the report suggests that because small businesses are more at risk they “need to implement safety precautions online and offline, and should consider employee background screening checks as a precautionary measure.”
According to the report:
The economic downturn is partially to blame for the rise in identity theft, and identity thieves are increasingly using more sophisticated and varied methods to obtain the personally identifiable information (PII) of consumers. Fraudsters are becoming more sophisticated and more aggressive, and their organized approach to online fraud through a myriad of threats and scams makes it harder to detect. Fraudsters are also increasingly targeting – and taking over – multiple accounts of their victims, collectively going after checking accounts, credit card accounts, mobile phone accounts, and Internet accounts in one full sweep.
Using a combination of sophisticated malware, keystroke logging, and phishing attacks, fraudsters are able to use organized crime to steal identities. And social networking has introduced yet another means for consumers to exposure their personal information to wider audiences, providing another avenue for fraudsters to conduct their scams.
When it comes to pointing out security threats and exposures, the report’s above descriptions do not really shine a light on anything new or startling. What is helpful, however, is their pointing out just how widespread and pervasive these exposures are to small businesses – helpful commentary that cannot repeated often enough.
Twitter disclosed yesterday that it had to reset some passwords due to an exploit that really could have hit any company. In essence, certain visitors to a fake peer-to-peer search engine signed up for an account using the same username and password they used on their Twitter accounts. The owners of the fake P2P search engine used this information to access the users’ Twitter accounts. This exploit is not surprising given that a majority of online banking customers reuse their login credentials on other websites. Accordingly, standing alone, this would have little impact on Twitter’s security standing. Unfortunately, there have been more incidents.
On January 5, 2009, several dozen Twitter accounts were hacked, including one belonging to our president. On May 21, 2009, Twitter’s name was used in a phishing exploit that sent users emails notifying them of new followers and included a link to a fake Twitter site. There were also security incidents in April and June. In fact, one analyst has gone so far as to claim Twitter’s security posture is weak enough to be called “security Swiss cheese.”
Why pick on Twitter? Afterall, yesterday our Director of National Intelligence told members of the Senate’s Select Intelligence Committee that malicious online activity is growing at an unprecedented rate. As Dennis Blair put it, “in the dynamic of cyberspace, the technology balance right now favors malicious actors rather than legal actors, and is likely to continue that way for quite some time.”
The reason to mention Twitter is because their new user growth has slowed down. Big time. According to a Hubspot Report, Twitter’s new user rate of growth has gone from 13% in March 2009 to 3.5% for October 2009 (the last month tracked).
Although Twitter may have lost steam as a social networking tool simply because the novelty has worn thin, it is also likely the case that its public security failings have slowed growth. It is very likely that the current stagnation in growth is even worse given that it is estimated about 25% of accounts have no followers and about 40% of accounts have never sent a single Tweet. Why bother signing up for something you likely will not even use if you are skeptical of its security? Simply put, there is no reason to take a chance on a new company if public security lapses make you feel insecure about your data.
All of this points to the need for better security; and more importantly, the use of a directed marketing message that highlights security best practices. This strategy would not only serve to benefit social networking companies. All companies holding personally identifiable information need to get their network security and privacy (NSAP) marketing message out to potential clients. In other words, NSAP processes and procedures are not just tied to risk management and compliance, they directly relate to a marketing message that should lead to an increase in profitable new business.