A Beginner’s Guide to Online Security Breaches

Another day, another leak. Should you care? Are you prepared?

June 1, 2016 9:00 am

Is it 2007?

This week’s big security breach was MySpace.

With a deluge of recent data leaks (LinkedIn chief among them), it’s admittedly hard to keep track.

The U.S. Director of National Intelligence recently ranked cybercrime as the leading national security threat, surpassing terrorism, espionage and weapons of mass destruction. And the costs of credit card fraud are enormous: merchants are losing $190 billion a year, banks $11 billion and customers roughly $4.8 billion.

But even as businesses, merchants and credit card companies patrol accounts and data with advanced security, hackers continue to adapt and outfox them.

Herein: a rundown of the most common types of attacks, and what you can do to limit their impact on your personal data.

The EMV chip is not a silver bullet
October 1, 2015 was the official date that merchants were to adopt the EMV chip and PIN-compatible payment terminals (i.e., slotting your card in, rather than sliding it). But many small-scale businesses and enterprises haven’t updated their terminals, leaving them vulnerable to malware attacks; in fact, a Hartford Financial Services agency survey indicated that 86% of them haven’t yet upgraded to the recommended system.

And then there’s the fact that transitioning into a new technology can yield tons of implementation errors. Even with the added security, hackers are avoiding point-of-sale methods, shifting their strategy towards exposed online transactions and mobile wallets.

In short, the old magnetic stripes contained a cache of stored information that never changed, thus enabling whoever accessed the data to hawk it. EMV chips, on the other hand, create unique transaction codes that can only be used once. Since mobile payment methods don’t have the EMV barrier, hackers are now targeting e-commerce sites. Case in point: the eBay breach.  
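
A simplified model of the difference described above, added here as an illustration and not part of the original article: a stripe hands over the same data on every read, while a chip derives a fresh code per transaction that the issuer accepts only once. The HMAC-SHA256 construction, the counter, the class names, the key and the card number are all assumptions made for the example; real EMV chips use their own cryptographic scheme.

```python
import hashlib
import hmac

# Constructed sample values, not real card data.
PAN = "4000000000000002"
CARD_KEY = b"constructed-demo-key"  # secret known only to the chip and the issuer

def magstripe_read(pan):
    """A stripe returns identical bytes on every swipe, so a copy works forever."""
    return f"{pan}=2512101".encode()

def _code(key, pan, counter, amount):
    msg = f"{pan}|{counter}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    """Toy chip: every authorization bumps a counter and signs it with the amount."""
    def __init__(self, pan, key):
        self.pan, self._key, self.counter = pan, key, 0

    def authorize(self, amount):
        self.counter += 1
        return {"pan": self.pan, "counter": self.counter, "amount": amount,
                "code": _code(self._key, self.pan, self.counter, amount)}

class Issuer:
    """Toy issuer: checks the code, then refuses any counter it has already seen."""
    def __init__(self, keys):
        self._keys, self._last_seen = keys, {}

    def verify(self, tx):
        key = self._keys.get(tx["pan"])
        if key is None:
            return "unknown card"
        expected = _code(key, tx["pan"], tx["counter"], tx["amount"])
        if not hmac.compare_digest(expected, tx["code"]):
            return "bad code"
        if tx["counter"] <= self._last_seen.get(tx["pan"], 0):
            return "replayed"
        self._last_seen[tx["pan"]] = tx["counter"]
        return "approved"

def demo():
    card, issuer = ChipCard(PAN, CARD_KEY), Issuer({PAN: CARD_KEY})
    tx = card.authorize(1999)
    first = issuer.verify(tx)          # genuine transaction
    replay = issuer.verify(dict(tx))   # the same captured data presented again
    altered = issuer.verify({**card.authorize(500), "amount": 50000})
    return first, replay, altered, magstripe_read(PAN) == magstripe_read(PAN)

if __name__ == "__main__":
    print(demo())
```

Online and mobile purchases that rely only on the printed card number get neither check, which is why the paragraph above describes fraud moving toward e-commerce.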

Beware of EHRs
Healthcare organizations are also prey. Patient medical data has a coveted street value on the dark web. Electronic health records (EHRs) maintained by insurers and hospital networks are susceptible because of their diffusion (assisted by the Affordable Care Act) throughout the internet and the mobile applications being developed to process them.

What’s in your patient records? A wealth of personal information: financial payment records, insurance data, social security numbers … And while sweeping hacks are the marquee focus, smaller breaches resulting from employee errors, like mishandling records or losing sensitive information, also contribute to accidental exposure.

In March, cybercriminals extorted cancer patients at 21st Century Oncology, heisting sensitive patient data including social security numbers. And MedStar Health Network’s database was recently looted.  

Open season on institutions
Corporate robbery is spreading because the value of individual account records has ebbed due to market saturation from prior security breaches — Target, Heartland Payment Systems and TJX being the most notorious. Account freezes are commonly used to stop fraudulent activity, so hackers are now shifting attention towards larger data sets, which are more versatile on the darknet. Thirty-eight percent of corporations have reported some form of cyber-extortion.

Universities also hold masses of records. In February, cybercriminals at the University of Central Florida accessed names, birthdates, social security numbers and other figures from some 63,000 individuals associated with the school. And due to a security penetration of LinkedIn in 2012, users are currently being notified to change passwords because their personal information could still be circulating.

New types of war
Cyber-espionage between nations can also cause collateral damage to individuals. There have been numerous recorded incidents of corporate and government infiltration and disruptions of military operations. This information potentially exposes millions of personal and business records and IP addresses. One notable public sector breach was the Office of Personnel Management hack in 2015. And aggressors may also target corporate enterprises to expose delicate employee and client intelligence.

The Trump card
Presidential campaigns are also a select target. Because strategies are driven online and by big data analytics, hackers could expose funding sources or other compromising information about contributors or even candidates’ foibles. Vice presidential nominee Sarah Palin had her personal email account invaded during the 2008 election cycle — and Hillary Clinton is of course a more recent cautionary tale.

V for vendetta
Not all cyber-raids are motivated by financial gain — many are the result of controversial ideology. Anonymous, an interconnected nexus of “hacktivists,” has no uniform conviction, with operations ranging from absurdist pranks to political activism (think Fight Club meets your IT department). Another is LulzSec, a black hat organization claiming responsibility for breaching Sony Pictures in 2011 and taking the CIA website offline. These entities, however, have scaled back their presence over the last couple of years. But the Ashley Madison breach — claimed by The Impact Team, which objected to the company’s values and spurious identity protection — indicates a reemergence. These crusades can result in serious character assassination.

There is no hard-and-fast rule for avoiding these attacks. At the very least, you should educate yourself about the security practices of companies that you do entrust with your information. Have they been attacked before? Do they conform to the latest standards? What does their alert protocol consist of?

Just remember: hackers, like nature, always find a way. Be vigilant out there.
