On August 21 UPS announced that it had been hit by a credit/debit card breach in 51 stores throughout 24 states. A spokeswoman for UPS says the information includes names, card numbers and postal and email addresses from about 100,000 transactions between Jan. 20 and Aug. 11, 2014. The virus was discovered by the company after receiving a bulletin in July from the Department of Homeland Security.
It is one of many large retailers who have been hit by cyber thieves who use viruses to capture financial card information. That information is then later used to create fraudulent credit cards to quickly buy large ticket items and gift cards at retailers or sold via black market websites to other thieves. Millions of people have been notified due to well-known breaches at Target, Neiman Marcus, and most recently Supervalu.
This week Community Health released that it too had a breach but it was not of medical or financial records rather personal identifying data such as names, Social Security numbers (SSN), birthdates, addresses, and phone numbers. This was clearly information gathered by admission workers and was stolen using a new Heartbleed virus which takes advantage of a security flaw allowing hackers to access the company’s computer system. An estimated 4.6 million patients are affected by this breach.
Which type of breach should cause greater concern? All experts point to the Community Heath Systems breach.
Jay Foley of ID Theft Info Source explained the differences between them. “Credit and debit card breaches require immediate attention to stop thieves from draining money out of existing accounts. The card owner may be upset upon seeing unauthorized charges on an account but will not be held responsible for those items. The big losers are the card issuers and the companies who end up eating the loss. Once the cards are replaced the risk to a person no longer exists.
“The Heartbleed virus takes advantage of what was ‘secure communication’ between two computers. These hackers have shown that it is possible to both redirect communication between two systems and steal log-in credentials (username, password). In Community Health, SSNs were stolen which means a risk exists for the rest of that person’s life and beyond. The compromised information opens the door to all types of identity theft including new lines of credit and loans, creation of criminal records, and forging documentation for people who need to live and work under a false identity.”
From a risk management point-of-view the two types of security problems might look similar to the public but cyber security experts are far more concerned about the Heartbleed virus which can be used against any entity that requires users to log-in and input data into a company-wide system.
“We never had any tangible proof of an attack until now,” said David Kennedy, founder of TrustedSec LLC, a security consulting company.
In an exclusive interview with Larry Ponemon he talked about his level of concern regarding this breach. The Ponemon Institute studies data breaches and their impact on business, the public and governmental agencies.
“This is a very serious development. Heartbleed is somewhat unique and much more dangerous than other malware attacks. What makes Heartbleed so dangerous is the fact that this type of malware bypasses the SSL or SSH certificate. This event provides strong evidence that China has enormous skill and capabilities in targeting and successfully attacking US-based healthcare organizations. Beyond the theft of valuable information, the brazen move by Chinese attackers was likely done to test the limits of U.S. companies to secure sensitive health information. In short, this is a big deal!”
The group suspected of being responsible for the attack has a history of stealing intellectual property from healthcare companies, and security specialists say it’s unusual for such thieves to turn to personal data. However it is clear that this virus can be used against any system that has one individual sending sensitive information to another.
What steps should you take to avoid further exposure? The responsibility lies both on you and on the companies you interact with.
While many companies have patched their systems, some have not. Until they patch the flaw, changing your password won’t protect you. John Sileo, CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer and well-known speaker on identity theft, internet privacy, and technology defense suggests the following:
“Recognize that any passwords you entered over the past two years could be at risk, including those you use for banking, webmail, social media and any other online accounts. This does not just affect banking passwords. Change your password now and then change it again after the provider has made needed changes. Make sure that the password is long, strong, alpha-numeric-symbol based and that you vary it between sites.” A strong password should be easy to remember but hard to replicate by someone who knows you.
There is a Heartbleed Bug Test that will give you some assurance that a retailer or financial provider has solved the problem. If not, you may want to contact them to find out their timeline.