8/16/17

By Susan Grant, Director of Consumer Protection and Privacy, Consumer Federation of America

The fourth annual “Data Breach Industry Forecast” from Experian Data Breach Resolution paints a scary picture of how identity theft is evolving and the new types of security threats that we are likely to face. Companies, organizations and agencies that hold people’s personal information need to be aware of these trends and harden their defenses – and so should consumers.

Watch out for Aftershocks

Did you know that attackers who steal people’s user names and passwords in a data breach may continue to sell them to fraudsters for years afterwards? Why would this information still be valuable? Wouldn’t the breach victims have changed their user names and passwords? Yes, they probably did, but identity thieves know that people often use the same user names and passwords for multiple accounts and may not bother to change them all when one is compromised. So crooks try to log into accounts on popular financial, retail and social media sites with stolen user names and passwords to see if they work, and sometimes they do. Experian predicts that we’ll see an increase in these “aftershock breaches.”

Experian recommends that when people are notified about a data breach and instructed to reset their user names and passwords, they should also be informed about the broader risk if they use the same logins for other accounts. It also suggests using two-factor authentication to verify people’s identities rather than continuing to rely on user names add passwords. This involves taking an added step like sending a text alert to the person or using something that is unique to them, such as a fingerprint. It could help solve the password and user name reuse problem, but it’s still not widely available.

Our suggestions for consumers: Don’t use the same user names and passwords for multiple accounts. It’s convenient but it’s just too dangerous. Ask about two-factor authentication for your accounts.

Cyber-War may be Looming

There’s been a lot of news about cyber-attacks by foreign nations against U.S. interests, from Chinese hackers obtaining the personal information of federal employees from the Office of Management and Budget to Russian hackers stealing emails from U.S. persons and institutions. Experian predicts that state-sponsored cyber-attacks will move from espionage to outright cyber-war, with targeted countries retaliating by launching cyber-attacks of their own. Businesses and individuals will suffer collateral damage if their sensitive information is exposed or the systems they depend on are disrupted.

Experian warns that companies should prepare for “full-on disruption, especially if they are part of the critical infrastructure,” and recommends that they take proactive steps such as shoring up their security measures and purchasing the proper insurance protection. Though this report is aimed at businesses, government agencies and nonprofit organizations also need to be vigilant against cyber-attacks, no matter who is behind them.

Our suggestions for consumers: Back everything up. Keep copies of paper documents in clearly labeled files, and keep electronic records on an external hard drive, updating them as needed.

Healthcare Organizations Will Become Big Targets

Personal medical information is one of the most valuable types of data for attackers to steal because they can sell this sensitive information for big bucks on the “dark web.” Experian predicts that “mega breaches” will move from insurance companies to other parts of the healthcare industry, such as hospital networks, where it is harder to maintain security measures. Another prime target will be electronic health records. Experian says that the portable nature of this information and the fact that many different entities need access to it means that it is highly vulnerable to theft. While there is generally good security for transmitting electronic health records, it only takes one compromised computer or outdated system to lead to exposure. Mobile applications for electronic health records may introduce new vulnerabilities. In addition, Experian warns that ransomware directed at healthcare system operations could have a “catastrophic” effect.

Experian recommends that healthcare organizations ensure that they have proper security measures in place and keep them updated, that they have plans for how to respond to a ransomware attack, and that they have adequate employee training about security.

Our suggestions for consumers: Keep your own computers and mobile devices secure to protect yourself from hackers and malware. Follow these easy-to-understand tips for consumers about online security.

Payment-based Attacks Will Continue

The shift to “chip cards” to deter counterfeiting credit and debit cards has not put an end to payment breaches. This new technology has been slow to roll out, and while many big name retailers have adopted it, some businesses are having difficulty with making the software updates needed to accept payments with chip cards. Experian predicts that attackers may therefore turn their attention to smaller franchised stores. It also warned that attackers are going to use new techniques to steal payment card information using skimmers. These are often fraudulently placed on gas pumps but Experian warns that their use may grow in places such as self-checkout terminals in stores.

Experian says that it is essential for businesses to implement the chip technology as soon as possible. In the meantime, they should to pay close attention to weak spots to catch skimmers quickly.

Our suggestions for consumers: Your cards may have both a chip and a magnetic stripe. Use the chip feature rather than swiping your card whenever possible to protect your account number from theft.

Another prediction in the report is that companies operating internationally will face new pressures to comply with breach notice requirements that will soon take effect in Europe, Canada and other countries. Experian recommends that they do “dry runs” to ensure that they have the right practices in place. Other trends to watch include the potential for crooks to target virtual or augmented reality games to steal personal information, and phishing scams focused on employees.

While the threats that Experian forecasts are daunting and there is no way to prevent identity theft 100 percent of the time, the risks can be significantly reduced by following good security practices.