Kroll Cyber Security Blog – A Dialogue on Data Security

A recent Chicago Tribune article, titled “Data breaches persist despite heightened security,” brings to the forefront the persistent and growing problems resulting from data breach. While the article focuses specifically on breaches that have hit the Chicago area, the themes presented here are ones that are echoed – and in some cases, accelerating – across the country:

• Despite increasing awareness of the need for cyber security, data breaches continue to make headlines.
• Aggregated data, increased connectivity, and convenience of mobile devices all contribute to the ease with which data can be accessed electronically.

National Taxpayer Advocate (NTA) Nina Olson delivered her annual report to Congress last month and, for the sixth time since 2004, identity theft has been included as a Most Serious Problem. As might be expected, the problem has only grown worse, but the surprise is just how bad it’s gotten: The Taxpayer Advocate Service (TAS) says its case receipts have increased more than 650 percent from 2008 to 2012. The IRS itself saw a 78 percent increase in identity theft cases last year alone.

For most individuals, a password is something of a nuisance – we’re cautioned to avoid writing them down or storing them electronically, which necessitates something that is easy to remember. And it’s not at all unusual to use the same password for multiple personal accounts including those accessed at work.

If we’ve just described your habits, don’t feel too bad – it’s only human nature, as evidenced by the increasingly common lists of passwords that come out from time to time. But it’s still a highly risky practice. When it comes to password cracking, hacker capabilities have grown by leaps and bounds.  

After the death of a family member or a loved one, it may be unfathomable to think that identity theft could still occur, but sadly, decedent identity theft is a very real problem. The identity theft of deceased individuals occurs when an imposter uses the Personal Identifying Information of the decedent to commit fraudulent acts, such as obtaining credit or medical benefits, setting up utilities, and filing taxes.

The hacker group known as GhostShell reports having compromised the networks at dozens of top universities potentially exposing many hundreds of thousands of personal records.  To validate its claim, the group has apparently posted more than 120,000 personal records to the internet site Pastebin, a popular site used by hackers to post stolen data.  Initial reports indicate that the attackers exploited a well-known vulnerability in Microsoft SQL to carry out the attack.  As alarming as these claims may be, what may be of greater concern is the group’s statement that it observed many instances of injected malware in the systems it accessed, which suggests that other attackers may also be inside or at least have access to sensitive network information, including credit card data.