Data Breaches

Credit Card Data Breach

The office supply chain Staples is investigating a potential breach of credit card data. According to Mark Cautela, Staples’ senior public relations manager, “Staples is in the process of investigating a potential issue involving credit card data and has contacted law enforcement. We take the protection of customer information very seriously, and are working to resolve the situation. If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis.”

Security specialists believe the hackers are using a form of the same malicious software, Backoff, used in the Target and Home Depot assaults, among others.

The malware, Backoff, made headlines this past summer. According to Crosman (2014), “One of millions of malware mutations out there, Backoff tries to break into point-of-sale networks and steal credit card data; 600 retailers have reportedly been hit.” Crosman adds that the concerns about Backoff surface as cyber-attacks against financial institutions and retailers are growing more frequent, more sophisticated, and more widespread. Many banks have recently fallen victim to “masquerading,” a combination of social engineering and confidence scam that uses high-tech tools and generally results in wire transfer fraud. Backoff-like malware is said to have been behind several recent high-profile retailer breaches, including those at Target, P.F. Chang’s, Neiman Marcus, Sally Beauty Supply and Goodwill Industries.

“Enterprises are now coming to the conclusion that they are either already compromised, or will soon be,” says Aviv Raff, CTO at APT defense firm Seculert. “It’s not a matter of ‘if,’ it’s a matter of ‘when.’ The breach shows the necessity of moving from trying to prevent an attack to try and detect and respond as quickly as possible.”

In August, the U.S. Secret Service warned that 1,000 U.S. businesses may have been infected by Backoff malware, although at that time, only a handful of related breaches had come to light. The same month, the Department of Homeland Security issued a warning to all businesses that use POS systems, urging them to scan their systems for signs that they’d been compromised.

References:

Crosman, P. (2014). How ‘Backoff’ malware works and why banks care. Retrieved from http://www.americanbanker.com/issues/179_149/how-backoff-malware-works-and-why-banks-should-care-1069180-1.html

Schwartz, M.J. (2014). Staples launches breach investigation. Retrieved from http://www.govinfosecurity.com/staples-launches-breach-investigation-a-7459

Weise, E. (2014). Staples in Northeast likely breached with ‘more to come’. Retrieved from http://www.usatoday.com/story/tech/2014/10/21/staples-breach-northeast/17663941/

Advertisements

Delivering the correct medicine to healthcare patients – the holes in the checks

administering medicine

Drugs and medicines administered to patients in hospitals, care homes and psychiatric wards need to be done according to the instructions issued by the doctor or consultant in charge of the patient. These medicines are issued by the nurse(s) in charge and there is a heavy reliance and trust based on them to dispense the correct drug(s) and in the correct dosage, according to the instructions given. Situations can arise where the wrong medicine is administration, the medicine is given in the wrong dosage (either too little or too much), the medicine is given at the wrong time (either earlier or later than the scheduled time) or it is missed completely. These situations can be for any reason, including unusually busy times on the ward, changes in shift or simply because of general complacency or lack of knowledge of the nurse. These inconsistencies in receiving medicine(s) can be extremely harmful to the patient, especially if they are children, elderly or in intensive care units. When a medicine is administered, it is simply recorded on the patients chart (usually attached to the patient’s bed) with the time of administering and the signature of nurse. The time put down is not necessarily correct.

A biometrics solution, such as palm vein can help to eliminate the inconsistencies with administering medicines to patients, ensuring that patients receive the medicine that they need at the right time. Using a palm scanner, a nurse can ‘check-in’ at a patient’s bedside. This can then be recorded as the time at which the medicine(s) were given to the patient. The palm vein technology will detect whether the nurse who has ‘checked-in’ has the authority to give this patient his medicine. If the scanner has recorded a reading of another non-authorised nurse, this will be flagged up immediately. On successfully checking-in, a nurse is able to see a list of the medicine(s), the times at which they should be administered and the correct dosage that should be given to the patient. If the palm vein reading is false, i.e. is a reading of a person that is not authorised or does not exist in the database, details of the medication, including dosages will not be revealed. This method of administrating medicine makes it virtually impossible for the nurse to make any accidental errors or for unauthorised persons to have access to the patient’s records. Alerts are triggered in the solution to alert the nurse’s station if the time is approaching for the next dose to be given to the patient or if the next dose has been missed. Nurses are able to them immediately correct the oversight.

The palm vein technology is a highly secure and contactless biometric solution that works by reading the vascular pattern of the palm. These patterns are unique to each individual and exists underneath the skin layer so they cannot be forged thereby making it more secure than any other biometric device. Being contactless and technologically advanced, it is extremely appropriate for places like hospitals, care homes and psychiatric wards where security and hygiene cannot be compromised.

WCT is in the business of Compliance, Identity & Security assurance. For more information, you can reach us on (globalsales@wct-inc.com)

Trust of Hospital workers – how security can be breached

 

surgical equipment

 

This blog addresses the issues that arise with employee access to confidential data, medicines and surgical equipment, and restricted areas

When patients are admitted in to hospitals, they put the trust of their lives in to the hands of the medical team who are there to help and treat them. The patients believe that no intentional harm should come to them while in the hospital care. Details of their treatments and personal information should be kept private and confidential, and in accordance to data protection acts.

A case in the USA was reported where a nurse had tampered with the patients IV bags. These IV bags contained painkillers which the nurse wanted for her own use. However, in taking small amounts of this painkiller from multiple bags using a syringe, she was transferring bacteria to each patient that was then given these bags. The nurse tampered with these bags in a storage room and not by the patient’s bedside. This act of tampering with the IV bags resulted in 23 patients being infected.

A case in Canada was reported where it was found that surgical equipment had been tampered with. In this case, the item was found before it was used; however, it could have had disastrous implications if it had been used. Sterilizing of medical equipment is carried out by more than 60 people at this particular hospital, so identifying the person responsible would be an extremely difficult task.

Several audits have been carried out on hospital devices, with the results finding that they are vulnerable to security threats, including the uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access. A password in the wrong hands can have catastrophic implications, including patients being left vulnerable to their medical records being accessed.

Each of the cases and audit mentioned above identify different ways in which harm can be caused to a hospital patient. A biometric access control solution such as palm vein can be implemented to prevent and eliminates such cases from occurring. By using a palm vein technology solution, a hospital employee is tracked when accessing highly secure areas such medical cabinets, surgery room, surgery instrument cupboards, patient rooms, and hospital computers and networks. By attaching devices to these areas, hospitals can ensure that the correct medication is getting to patients at the right time and without being tampered with. Unauthorized people will no longer have access to hospital computers; a palm scanner connected to a computer acts as the sign-on mechanism for the user, without any password required. This method for logging into a computer can also be extended to applications on the computer or hospital network.

The use of fingerprint authentication is not a suitable or reliable form of authentication for use within hospital environments. Fingerprints are worn away over time or can be damaged by cuts or burns. Unlike palm vein technology, fingerprint authentication is not a contactless form of authentication. Hospital workers would be required to touch a glass panel in order for the reading to be made. This makes it possible for viruses and bacteria to be transferred.

The palm vein solution is a highly secure and contactless biometric solution that works by reading the vascular pattern of the palm. These patterns are unique to each individual and exists underneath the skin layer so they cannot be forged thereby making it more secure than any other biometric device. Being contactless and technologically advanced, it is extremely appropriate government workers, authorised personnel and third-party contractors where security cannot be compromised.

WCT is in the business of Compliance, Identity & Security assurance. For more information, you can reach us on globalsales@wct-inc.com.

References:

http://www.canada.com/story_print.html?id=5fbd3e6d-175d-4f68-b293-1de5954aa4ac&sponsor=

http://www.dailymail.co.uk/news/article-1367241/Nurse-suspected-infecting-23-patients-stealing-drugs-IV-bags-syringe.html

http://www.fda.gov/medicaldevices/safety/alertsandnotices/ucm356423.htm

Government workers and their unsecured technology devices

Data security breaches - laptop and USB

This blog addresses the issue of confidential government information and data being lost after being taken by trusted personnel out of Government offices

 

With dependencies on technology, we have all started using mobile phones, laptops, tablets etc. as a means of communication. Threats of malware and viruses attacking our devices have been investigated in depth and are still a hot subject of research and investigation. However, what hasn’t been discussed are ways in which to eliminate unauthorised access to a device that arise when a government worker loses a device in their possession which contains confidential information.

Over the last several years, there have been a number of cases reported in the United Kingdom where Government workers, authorised personnel or sub-contractors of government agencies have lost, had stolen or left their technology devices, including Laptops, memory sticks and external hard drives on public transport, in car parks, fast-food chains or from military sites.

All the devices that went missing contained extremely highly sensitive and Top Secret data. In one particular case, an authorised person lost a memory stick containing the medical records of more than 6000 prisoners and ex-prisoners. The data was encrypted, however the password was written on a note which was attached to the memory stick.  In July 2008, the Ministry of Defence confirmed that 121 computer memory sticks 747 laptops have been lost or stolen in the previous 4 years.

Although the loss or theft of these devices is difficult to control, biometric solutions such as PalmVein can help to eliminate unauthorised access to the sensitive and Top Secret data that these devices hold. By using a palm scanner, authorised personnel are able to log-in to the devices without the need for passwords. The palm scanner is also used as way to open certain government related applications or even documents that are password protected without the need for a password. The biometrics scan of a personnel’s palm acts a single sign-on mechanism. Each sign-on to a device is recorded for auditing purposes. This is especially important if there are multiple authorised personnel accessing the same device. Any unauthorised personnel trying to access the device will also be recorded for future auditing. This method on access a device eliminates the need to use password.

With advancements in technology, many laptops and mobile phones nowadays have a biometrics enabled security access option, in the form of a fingerprint scanner. Although this is a secure method, it is not always the most accurate and is prone to flaws. If, for example a person is trying to access his own laptop using fingerprint recognition technology, any changes in his fingerprint, such as cuts or a worn-away finger-tip (due to burns or prolonged use of keyboards etc), will deny this person access to the device.

The palm vein technology is a highly secure and contactless biometrics solution that works by reading the vascular pattern of the palm. These patterns are unique to each individual and exists underneath the skin layer so they cannot be forged thereby making it more secure than any other biometric device. Being contactless and technologically advanced, it is extremely appropriate for use by end customers as well as for bank employees where security cannot be compromised.

WCT is in the business of Compliance, Identity & Security assurance. For more information, you can reach us on (globalsales@wct-inc.com)

 

References:

BBC (2009, May). Previous Cases of Missing Data. Retrieved from http://news.bbc.co.uk/2/hi/uk_news/7449927.stm

House of Commons Defence Committee (2009, March). Ministry of Defence Annual Report and Accounts 2007-08. Retrieved from

                http://www.publications.parliament.uk/pa/cm200809/cmselect/cmdfence/214/214.pdf

 

 

The rise of card skimming at ATM’s

Finance Identity Theft - ATM

This blog addresses the issue of card skimming as a way of stealing a person’s PIN number for debit and credit cards

Since the introduction of the debit/credit card PIN number, Fraudsters have used more and more sophisticated methods and techniques of obtaining the card data, including the highly secure PIN number.  Using small electronic devices called skimmers, which can have a built-in camera, fraudsters have been able to read card data from card readers found in all retail stores and eateries at point-of-sale locations or bank ATM’s.

The skimmer is generally placed around the card slot in an ATM and reads the card data that is held on the magnetic strip, while the card is being processed by the ATM. In the meantime, a tiny camera which is built in to the skimmer or positioned elsewhere on the ATM reads the PIN as it is keyed in by the cardholder. Once the Fraudster has this card data, they are able to carry out several types of transactions, including online purchases.

At some ATM’s, after a bank customer inserts their card and their PIN, it can seem as though that the card has been ‘eaten’ by the ATM. The card is not released back to the customer, nor is the cash that they may have requested to withdraw. Bank customers are left angry and frustrated as they will need to re-order a new replacement card. This often requires two weeks before receipt. In the meantime, the bank customer can only make payments in cash, meaning frequent trips to the Bank or withdrawing large amounts of cash (which in some countries can be extremely dangerous).

A palm vein biometrics solution would act as a deterrent and could drastically reduce card fraud. By installing palm scanners at ATM’s the requirement for a PIN number could be removed. Instead the palm vein reading would act as the identity confirmation. Not only does this reduce card fraud, but it also makes it easier on the user from having to remember multiple PINs. Overtime, the requirement to insert a bank card into the ATM could also be abolished as the palm reading would be associated with the user’s bank accounts.

For a bank customer to access his account whilst at a bank, the need to give a card to the bank teller would be a thing of the past. Instead, by providing a palm reading, the bank teller will automatically be shown details of the customer’s bank accounts. No further identification (such as driving license, passport etc.) would be required.

This could also be taken further for use in locations where point-of-sale terminals are used, such as within retail stores, restaurants, leisure & entertainment places. A palm reading of a customer can be taken in order to process payment transactions. This method of payment can replace the need for a card reading machine/card swipe on the till where a PIN or signature is still required. There will be no need to worry about card details (including the CVC code commonly found on the back of cards and required for online payment transactions) being stolen. 

Unlike the fingerprint recognition solutions, the palm vein technology is a highly secure and contactless biometrics solution that works by reading the vascular pattern of the palm. These patterns are unique to each individual and exists underneath the skin layer so they cannot be forged thereby making it more secure than any other biometric device. Being contactless and technologically advanced, it is extremely appropriate for use by end customers as well as for bank employees where security cannot be compromised.

WCT is in the business of Compliance, Identity & Security assurance. For more information, you can reach us on (globalsales@wct-inc.com)

 

References:

Commonwealth Bank of Australia. ATM Card Skimming & PIN Capturing. Retrieved from https://www.commbank.com.au/personal/apply-online/download-printed-forms/ATM_awareness_guide.pdf

Identity Theft

Finance Identity Theft - Social Security

This blog will address the growing concern of identity theft with regard to data losses associated with financial institutions. This entry will also discuss the data protections measures implemented by these organizations.

 

To an identity thief, somebody else’s Social Security number is a ticket to riches. These nine digits hold the key to stolen credit and create a huge hassle for the individual who actually holds that number. According to a recent study, 70 percent of the biggest credit card issuers in the U.S. use Social Security numbers in at least some cases as a way to verify a customer’s identity when he or she contacts the company. Additionally, financial institutions collect your Social Security number when you fill out a credit card application (or open a bank account), so they already have the numbers on hand.

Before computers were a household standard, using SSNs might not have been such a high risk. However, today it’s simply too easy for a hacker to track down those numbers, and data breaches like Citi’s credit card unit that led to $2.7 million in fraudulent charges prove that even big financial institutions aren’t resistant from the work of motivated hackers. Consumers should not assume that their bank is protecting their Social Security number adequately. It may be available for hacking and some banks may be inappropriately using it as a password verification for identity management.

Even if the bank has solid IT security, though, using a Social Security number for identity management purposes makes that information vulnerable. Unfortunately, it’s not much safer for financial institutions to use truncated versions of customers’ SSNs. The last four digits are the hardest for thieves to guess, so that’s the part of the number they really want anyway.

Social media is also to blame for another crumple in the process of correctly identifying credit cardholders and weeding out would-be fraudsters. Issuers used to use security questions like, “When did you graduate high school?” or “What’s your pet’s name?” to try to verify that a customer was who he or she claimed to be. Now, that sort of data is available to anyone with a Facebook account and a few free minutes. Now, banks are beginning to ask more complicated questions, like which bank you got your last auto loan from and how much your mortgage payment is. These kinds of questions, while not foolproof, do a better job of stumping identity thieves.

WCT is in the business of Compliance, Identity & Security assurance. For more information, you can reach us on (globalsales@wct-inc.com)

References:

White, M.C. (2011). How Banks Are Aiding and Abetting Identity Theft. Retrieved from http://business.time.com/2011/07/08/how-banks-are-aiding-and-abetting-identity-theft/ 

HIPAA and Data Breaches

Data security breaches - laptop firewall

This blog will address the many law suits that occurred because of HIPAA violations due to data security breaches. It will also take a look at the methods used by those who breach the data.

Due to the August 2009 Breach Notification Rule included in the Health Information Technology for Economic and Clinical Health Act, HIPAA-covered entities and associated businesses are required to provide notification following a data breach of protected health information. Groups reporting breaches that compromised the protected health information of 500 individuals or more must be posted by the Department of Health and Human Services. Since the 2009 rule, 489 HIPAA-covered entities have reported breaches involving 500 individuals or more.

New York Presbyterian Hospital (NYP) and Columbia University (CU) have recently agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information held on their network.  The monetary payments of $4,800,000 include the largest HIPAA settlement to date. It appears that with this judgment, many healthcare organizations are beginning to take patient identity management and security more seriously.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated September 27, 2010, regarding the disclosure of the protected health information of 6,800 individuals, including patient identity, status, vital signs, medications, and laboratory results. 

NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP.  The entities generally refer to their affiliation as “New York Presbyterian Hospital/Columbia University Medical Center.”  NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing protected health information.

The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient protected health information.  Because of a lack of technical safeguards, deactivation of the server resulted in the information being accessible on internet search engines.  The entities learned of the breach after receiving a complaint by an individual who found the information of the individual’s deceased partner, a former patient of NYP, on the internet.

In addition to the impermissible disclosure of protected health information on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections.  Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP health information.  As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of patients’ protected health information.  Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.

WCT is in the business of Compliance, Identity & Security assurance. For more information, you can reach us on (globalsales@wct-inc.com)

References:

U.S. Department of Health and Human Services. (2014, May 7). Data breach results in $4.8 million HIPAA settlements. Retrieved from http://www.hhs.gov/news/press/2014pres/05/20140507b.html