Author Archive: jkouns

2015 Reported Data Breaches Surpasses All Previous Years

Risk Based Security has released the Data Breach QuickView report that shows 2015 broke the previous all-time record, set back in 2012, for the number of reported data breach incidents. The 3,930 incidents reported during 2015 exposed over 736 million records.

Although overshadowed by the more than one billion records exposed in the two previous years, 2015 also ranks #3 in total reported exposed records.

The 2015 Data Breach QuickView report shows that 77.7% of reported incidents were the result of external agents or activity outside the organization with hacking accounting for 64.6% of incidents and 58.7% of exposed records. Incidents involving U.S. entities accounted for 40.5% of the incidents reported and 64.7% of the records exposed.

The report also revealed that individuals’ email addresses, passwords and user names were exposed in 38% of reported incidents, with passwords taking the top spot at 49.9% of all 2015 breaches. This is especially troubling since a high percentage of users pick a single password and use it on all their accounts both personal and work related.

You can get your free copy of 2015 Data Breach QuickView report here:

A Breakdown and Analysis of the December, 2014 Sony Hack

Another incredibly far-reaching in-depth compromise of Sony Pictures has happened, this time by a group known as the Guardians of Peace (GOP). The new compromise has all of the excitement of the old events and more, as blaming North Korea for the attack in retaliation to a movie being released by Sony Pictures is all the rage. Risk Based Security has been keeping an updated timeline of the breach, analyzing the leaked documents, and providing links to additional information.

If you are looking for a comprehensive resource on the Sony Hack then please visit the following page:

Hacking Exposed 78% Of All Records Compromised In First Half Of 2014

Mid-year 2014 data breaches exposed over 502 million records far exceeding the mid-year point in 2013, the previous all-time record setting year.

We are pleased to announce the release of the next installment of Risk Based Security’s Mid Year Data Breach QuickView report.

The report shows that 2014 is on pace to replace 2013 as the highest year on record for exposed records, and the recently reported exposure of 1.2 billion email addresses and user names has not been included. The 1,331 incidents reported during the first half of 2014 exposed over 502 million records, nearing 61% of the 814 million records exposed in 2013.

The Data Breach QuickView report also revealed that individuals’ user names, passwords and email addresses were exposed in 57% of reported incidents, with passwords taking the top spot at 70.1% of all Mid-year 2014 breaches.

Risk Based Security’s research suggests that organizations in all industries, regardless of size, should take an active approach to review their networks for security vulnerabilities in their applications, infrastructure and third party libraries. By doing so, organizations can reduce the time of exposure they are facing with many of today’s threats.

The Data Breach QuickView report was just released and is possible through the partnership and combined resources of Risk Based Security and the Open Security Foundation. It is designed to provide an executive level summary of the key findings from RBS’ analysis of the first half of 2014’s data breach incidents. You can view the announcement and report here. You can view the announcement and report here.

First Quarter 2014 Exposes 176 Million Records

Troubling Trend Of Larger, More Severe Data Breaches Continues

We are pleased to announce the release of the next installment of Risk Based Security’s Data Breach QuickView report. Analysis of data compromise activity for Q1 2014 shows that, while the number of incidents taking place remains comparable to Q1 2013, the number of records lost per incident is on the rise. The total number of records exposed in the first quarter of 2014 exceeded 176 million – or roughly a 46% increase compared to the number of records loss in Q1 2013.

The report also highlights the continuing trend of targeting user names, e-mail addresses, and passwords. Although this type of information in and of itself typically doesn’t hold the same value as Social Security or credit card numbers, this data can be the keys to opening up the doors that access more valuable information. The continued focus on this type of data may be indicative of more complex or better-planned attacks currently happening involving third-parties and on the horizon.

The Data Breach QuickView report was just released and is possible through the partnership and combined resources of Risk Based Security and the Open Security Foundation. It is designed to provide an executive level summary of the key findings from RBS’ analysis of 2013’s data breach incidents. You can view the announcement and report here. You can view the announcement and report here.

SQL Injection Leads To Leak

Earlier today, a hacker identified as ProbablyOnion2 (who recently breached has posted data from a large job seeker website resulting in over 36,000 accounts being published online.

We have created a DataLossDB incident and you can read the full details in the Risk Based Security post.

Over 822 Million Records Exposed In 2013

The Data Breach QuickView report was just released and is possible through the partnership and combined resources of Risk Based Security and the Open Security Foundation. It is designed to provide an executive level summary of the key findings from RBS’ analysis of 2013’s data breach incidents. You can view the announcement and report here.

Looking Through the Cloudy PRISM

As you have no doubt heard, a lot of fuss has been made over the past couple days involving both NSA, Verizon, and Facebook, as well as several other companies and governments. Here, we want to provide a concise overview of the information available at this point, along with some links to additional reading about the program that is known as “PRISM”.

On June 6, 2013, the Guardian published an article that suggested a classified order was issued on April 25, 2013 that allowed the United States government to collect data until July 19, 2013 and then hand it over to the NSA. This order was issued to Verizon, and it’s existence was not allowed to be spoken of. Currently, the documents revealed only cover Verizon, but there may have been similar orders involving other companies, not just ones that provide phone service. PRISM, a program allowing the NSA access to company data, was originally enabled in December of 2007 by President Bush under a U.S. surveillance law and then renewed by President Obama in December of 2012. This program was started to aid anti-terrorism efforts and there are claims by the government that it has already prevented a terrorist plot in Colorado.

These documents reveal that the NSA is performing massive data mining covering millions of U.S. citizens. Wired reported the collected data includes phone numbers of both parties involved in the phone call, the time and duration of the call, the calling card numbers used in the call, and the International Mobile Subscriber Identity (IMSI) number which applies to mobile callers. The location of the calls may have been recording using cell tower data. Data that was NOT collected includes names, addresses, account information, and recordings of call content. There is heated debate whether this metadata is sensitive or not. On the one hand, no names or call content suggests that your fundamental privacy is intact. On the other hand, consider that the government knows you “spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don’t know what was discussed.”

Edward Snowden has been identified as the whistleblower who released the documents that exposed this classified order. He had access to these documents as an employee for the NSA, which he had been working for over last four years as a contractor from outside organizations, including Booz Allen and Dell. When Snowden released the documents he stated, “I can’t allow the US to destroy privacy and Internet freedom.”

This article by the Guardian highlights multiple comments made by President Obama about the issue. He called this a “very limited issue” when discussing these disclosures of the NSA accessing phone data. In an attempt to deflect criticism, the President also stated that he had privacy concerns regarding private corporations as they collect more data than the government.

Both Facebook and Google denied any previous knowledge of the PRISM surveillance program after concerns they may have been part of the program. Many other technology companies thought be be part of PRISM issued similar statements saying that they did not allow the government “direct access” to their systems. However, theNY Times reports that Google, Microsoft, Apple, Facebook, Yahoo, AOL, and Paltalk all negotiated with the government and were required to share information due to theForeign Intelligence Surveillance Act (FISA). The Guardian also states that Microsoft has been a part of this information sharing program since the beginning in December of 2007 and was joined by Yahoo in 2008, Google, Facebook and PalTalk in 2009, YouTube in 2010, Skype and AOL in 2011, and Apple in 2012. At this point, it is a game of “who do you trust?” The government who finds such data incredibly valuable, or the corporations that sometimes rely on such data for their business model (e.g. Facebook).

In an article by Mark Jaquith, he mentions how important the details are in this situation. There are two different reports on how PRISM actually works; one says the government can directly and unilaterally access company servers to take data and the other is just an easier way to transfer data requested by court orders. The majority of reports are pointing toward the second method describing the way that PRISM works. If this is true, the transfer of data is moderated and indirect making it basically a lock box to securely pass information through. Now, that this has been brought to light we hope more details will continue come to the surface to provide clarity.

As with many big information leaks, the emotions and politics quickly take hold and begin to dominate the argument. Veterans of the Internet are largely not surprised by the PRISM news, due to fleeting memory of ECHELON, Carnivore, and likely other initiatives that never came to light. Regardless, the PRISM program represents a serious threat to individual privacy and every citizen should be concerned.

Written by eabsetz

Nothing is certain but death, taxes and identity theft.

As we are well into tax season, there has been a trend of articles in the news involving identity theft and tax fraud. Individuals are stealing information from various sources, which are not only businesses, but also straight out of mailboxes in order to commit identity theft and file false tax returns. Some of these criminals have been reported to net as much as $11 million with their schemes before being caught. 641,690 incidents had been identified by the IRS as of September 30, 2012.

Each of these incidents are a concern. However, all are not reported in DatalossDB as we require data loss incidents to have a steward organization. Therefore, we submit only to our database the schemes where personal data is stolen from an organization or business, but discard those where the data is stolen out of mailboxes as they don’t fit our requirements.

Here are some snippets of the latest cases we have seen in the news; these cases include both ones DatalossDB would and would not catalog. There seems to be a trend in state employees and tax preparers stealing information to file false tax returns themselves or to sell the personal information to others.

In one case in Alabama, a state employee obtained identification information from a state database from October 2009 until April 2012. That is two and a half years in which she went undetected while working with co-conspirators to file over 1,000 false tax returns and receiving fraudulent returns totaling $1.7 million.

In Los Angeles County, the Department of Public Social Services had an employee, who as a receptionist had access to the systems to input data and assistance requests. She took screenshots of 132 applicants’ PII (Personally Identifiable Information), and with the help of her husband and friends filed 65 tax returns in 2011 netting a total of $357,704.90 in fraudulent claims.

In Silver Spring, MD, two brothers running a tax service together stole identities from Puerto Rican residents to submit fraudulent claims through their business. They filed 13 false returns totalling $43,264.

Another tax preparer used information of previous clients and deceased persons in order to defraud the IRS and taxpayers for over $200,000 from 2003 to 2008.

The largest case we’ve seen, which is currently awaiting sentencing, took place in Fort Lauderdale and involved the filing of around 2,000 false tax returns from October 2010 until June 2012. This particular identity theft tax fraud scheme pulled in over $11 million.

To many, this might seem like a great way to make money. Here are some of the punishments that have or will befall these criminals. If convicted, the Alabama state employee is facing 20 years for each wire fraud count, 10 years for each computer fraud count, 10 years for conspiracy to file false claims, 2 years for aggravated identity thefts, fines, and mandatory restitution. The tax preparer, who used client and deceased persons information, was sentenced to 60 months in prison and paying full restitution amounting in excess of $200,000. As for the case where the scheme pulled in around $11 million, one of the women involved is looking at possibly being sentenced to 351 years. That is around 6 lifetimes of prison!

The IRS is taking action in response to the increase in tax related identity theft over the last few years. They have activated new identity theft filters, and are working with over 130 financial institutions to help identify identity theft schemes. The IRS has also trained over 35,000 people, who have direct contact with taxpayers, in ways to help identify red flags associated with identity theft, and they have doubled the employees in their tax related identity theft department.

Multiple resources including the IRS are recommending a few things to help keep your identity safer. Make sure that you do not carry your Social Security card around in your wallet or purse; if you do, take it out and place it somewhere secure. In fact, it is a good idea to take any documents containing personal information and secure them in your home. Many businesses ask for your Social Security number, even if it is not mandatory information. It is best to not automatically provide it every time you are asked. Never give out your personal information over the phone or email; the IRS does not contact taxpayers either way to acquire information. Monitoring your credit report on a regular basis can help to identify identity theft, hopefully before the loss becomes severe.

Written by eabsetz

Knock, knock. Who’s there? No one.

As we mentioned in our last post, trying to contact and confirm organizations that have reportedly been breached can be time-consuming and frustrating. When that organization is a hospital and we cannot reach anyone or get a response, it’s especially concerning.

Yesterday, I tried to contact [Redacted] Hospital. I went to their site for contact info, but they had no phone directory or email directory by department or office. So I called their main number and asked for IT. I was sent to voicemail. I hung up, called back, and asked the operator to stay on the line until I got through to a person in IT or the Privacy Compliance Officer. Eventually, I heard a male voice, who told me that he was the “service desk.” The “service desk” was not IT. I subsequently learned that they are an outsourced IT partner.

I explained that the hospital had apparently suffered a hack via SQL injection and I could email him a link to the data so that IT could investigate and take action to secure the server better. I gave him my name, email address, and phone number, and told him that I was with the Open Security Foundation.

He told me didn’t have an email address for me to email him the link, but that he would open a ticket. He had no email address to give me? Seriously? On the one hand, not accepting an emailed link from a stranger makes good security sense, but on the other hand, how could I send them data and details without an email address? I usually paste some dumped data into the body of the email with the link to the full paste. So now, not only could I not directly reach the responsible parties, I could not even send them any data to pursue.

The service desk employee opened a ticket and sent me a copy of it. That was almost 24 hours ago. The two individuals he directed the ticket to were the hospital’s System Administrator and Technical Analyst, neither of whom have contacted me by email or phone, even though my contact details were in the support ticket.

In this case, the data were dumped on the Internet at the beginning of December 2012, so maybe they know already, but since the data are still live and in any event, they have no idea what data I called about, maybe they don’t know. The data do not appear to be patient data, but they are personally identifiable information. And if those data were vulnerable, what other data might still be vulnerable?

Another staff member from OSF also tried to reach them last night – through the hospital’s on-site contact form. That form doesn’t have a pull-down menu to direct the message to particular subjects or departments.

It shouldn’t be so difficult to contact the responsible party when there’s been a breach. So here are some “best practices” recommendations for HIPAA-covered entities to add to their checklists:

1. Provide a dedicated phone number and email address to report privacy or security breaches and prominently post those contact details on the home page of your web site.
2. Ensure that the phone number and email address are monitored 24/7/365.
3. Establish a written policy that all such contacts or messages are to be acknowledged within 1 hour.
4. Follow up and let the individual who reported the problem know what steps you have taken.
5. If you use a contact form on your web site, have a pull-down menu for subjects, and have one of them be “Privacy or Security Concern.”

Every hospital tells patients that they take the privacy and security of their information seriously. I wouldn’t believe them if they don’t respond to security alerts and make people jump through hoops just to try to inform them that they may have had a breach involving personal information. And I certainly wouldn’t believe any hospital that doesn’t even return a phone call when you have left them a message that they may have a security problem with their public-facing server.

Responsible hospitals should facilitate reporting privacy or data security concerns. So what has your organization done to facilitate reporting of breaches?


Fool us once, shame on you. Fool us twice, we implement policies!

It had all the makings of a sexy data breach story. An individual with the Twitter nick of @TibitXimer claimed to have exploited a vulnerability on Verizon’s server and dumped about 300,000 records out of an estimated 3,000,000 customer records allegedly acquired.

ZDNet trumpeted the headline, “Exclusive: Hacker nabs 3m Verizon customer records.” They reported:

“A hacker has posted around 300,000 database entries of Verizon customers to the Web, after exploiting a vulnerability in the cellular giant’s network.

The hacker, going by the name @TibitXimer on Twitter, told ZDNet earlier this evening that the hack was carried out earlier this year on July 12, which allowed him to gain root access to the server holding the customer data. Tibit gained access to a server with little difficulty after working with another hacker to identify the security flaw.”

The problem is that although none of it was true, @TibitXimer’s claims and ZDNet’s repetition of the claims were repeated all over the Internet.

One day later, @TibitXimer was gone from Twitter and a more accurate version of the story started to emerge. In statements to other media outlets such as, The Next Web, and Forbes, Verizon spokesperson Alberto Canal explained that Verizon’s systems had not been breached at all, there was no vulnerability exploited, no root access gained, and that the data dumped were old data from an incident a few months ago.

To add insult to the reputation harm that Verizon could have suffered, the incident wasn’t even Verizon’s incident. It turned out that a third party marketing firm that Canal did not name had accidentally leaked a sales lead list and the list had simply been copied and posted at the beginning of August. Most of the names on the list were not even Verizon customers, according to Canal. The same data were re-posted this week and claimed as a new “hack.”

Not such a sexy story anymore, right? And ZDNet is certainly not the only media source to believe a hacker’s claims that were subsequently determined to be totally untrue. We’ve been fooled, too, at times, as has Lee Johnstone, who recently had to correct a report on Cyber War News that a hacker named “Hannibal” had leaked 1,000,000 Facebook account details in retaliation for #OpIsrael.

Over the past year, the problem of false claims has reached almost epidemic proportions, which is why, over the past few months, started implementing policies requiring us to obtain – or at least make a good faith effort to obtain when possible – a statement from an allegedly breached entity either confirming, denying, or clarifying and correcting a hacker’s claims of a breach – *before* we decide whether to add a report to the database.

Sometimes, as in this case, it is relatively easy to reach a media contact and get a response. In other cases, particularly with small entities involved in claimed hacks overseas, it is not so easy, and we may send several e-mails that go unanswered before we try to decide whether to include a claimed breach or not. If you login and read individual entries, you may even see a Curator’s Note in the Comments section indicating that we tried and failed to reach anyone by e-mail to confirm the report.

Deciding whether to include a report when we cannot reach anyone is headache-inducing, to say the least, as we realize that with this less than perfect system, entities might suffer reputation harm through no fault of their own. We have therefore also implemented the ability to fully delete entries from the database should we later learn that a claim was totally false.

Another policy we recently implemented involves putting (DISPUTED) in the summary line for an incident if there is a real dispute as to whether a breach occurred or not. There may be times when an entity insists they have not been breached but we find the evidence in a data dump to be compelling and decide to include the report. This was the case, for example, in the reported hack of, where they denied it to and others, but analysis of the data dump and information still available on their site led us to the decision to include the report. At other times, a reported breach may be part of litigation and where the defendant denies the claims, we may decide to include the report but note it as DISPUTED.

Trying to confirm the numerous claimed hacks that appear on Pastebin or other sites on a daily basis is a time-consuming process that slows us down in providing timely reports and has put even more pressure on our resources that are already constrained. However, we believe that it needs to be done to ensure data quality. And so, as 2012 draws to a close, we have already added over 1,400 incidents (and that number does not include the Fringe incidents) for the year, but there are hundreds more still to process. Whatever number you see on the Stats page for December 31st will likely be significantly under our real total for the year until we can catch up.

On that note, I wish you all a Happy and Healthy 2013. And let’s hope that next year, things slow down for us!