Today's AdvisenFPN offered a couple of note worthy items.
First, from the New York Times, an article headlined Bits: Stanford Researcher Finds Lots of Leaky Web Sites/.
The NYT article tells us that scientists at Stanford University discovered that
- If you type a wrong password into the Web site of The Wall Street Journal, it turns out that your e-mail address quietly slips out to seven unrelated Web sites.
- Sign on to NBC and, likewise, seven other companies can capture your e-mail address.
- Click on an ad on HomeDepot.com and your first name and user ID are instantly revealed to 13 other companies
These are, according to the Center for Internet and Society at Stanford Law School, among the leaks found on 185 top Web sites.
If the rest of the Times' copy is accurate, it's all downhill from there.
The entire document is on the NYT Web site at http://tinyurl.com/6cys4fl..
Next, in an in-house story headlined Top Cyber Losses Are Not All Hacks! , Advisen's Research & Editorial group writes that "Not every headline-grabbing cyber loss is caused by sophisticated hackers. A case in point is one of the latest actions captured in Advisen's MSCAd Loss Events database—a $20 million suit against Stanford Hospital & Clinics."
- As reported in last Friday's FPN edition, in an article titled How Did Data About Patients Land on Web? Don't Even Ask," the hospital acknowledged that a breach of 20,000 records occurred on Sept. 8, 2011. The convoluted series of events leading to the breach had no hacker in sight. Instead, a job applicant for a marketing firm posted a spreadsheet containing the medical records on a homework-help website, seeking advice on how to convert the spreadsheet information into a graph. The marketing firm offering the job was a vendor for the hospital's billing contractor.
According to Advisen's MSCAd database, more than half of the largest known data breach events, potentially compromising millions of identities, have resulted from lost CDs and hard drives, stolen laptops, and missing storage tapes.
That doesn't mean that hackers are not a concern, only that hackers should not be the ONLY concern.
Included among the victims are large U.S. financial institutions, private companies abroad, and government agencies in the U.S. and Canada.
A sampling of NON-HACKER damage includes:
- Data CDs lost in transit
- Data DVD and CD improperly disposed of, found on street
- Data storage tapes lost in transit
- Identity theft by help desk worker, ran up $50m of fraudulent charges
- Identity theft from unauthorized sale of customer data
- Identity theft resulting in re-routing of policy proceeds, through call center
- Illegal access by employees & outsiders to credit history data
- Laptop stolen from employee's home
- Lost hard disk drive
- Stolen microfiche tax records
- Unauthorized distribution/sale of personal & financial consumer data
The point being that protecting data is not just an InfoTech function or even a Security function. It is most assuredly a risk management function.
In the above bullet list, how much damage might have been avoided by personnel training and awareness? How much by having, and enforcing, policies and procedures to protect data?
While I am a risk management subject matter "expert," I am not a security guru.