#45 – A NEW VENDOR TRANSPARENCY IN CONSUMER DATA THEFT? – CAROLYN TURBYFILL

Carolyn Turbyfill Ph.D.

In the last 6 months, I have been notified by 3 different vendors: Adobe, Target and University of Maryland University College, of 4 data breaches. 3 of the breaches involved consumer data theft that may have or provably has compromised some of my private information, i.e., login credentials and credit card data. The amount of time between the breach and the notification of potentially affected parties has varied between 4 days and 7 weeks. 1 or 5 years of Experian’s® ProtectMyID®, http://experian.protectmyid.com/nh, has been offered to the potential victims of credit card fraud or identity theft as a result of these breaches.

The estimated number of users affected varied between 287,580 and 150 million. The trend in these breaches appears to be that the more users who could be affected, the longer the delay in notifying potential victims of credit card fraud and identity theft. It also appears that the remediation offered decreases with the number of customers compromised.

This new transparency is a far cry from the old “duck and cover” response that had been the norm until new state-by-state laws were passed, starting in 2002, that require vendors to let their customers know if their data has been breached: http://finance.yahoo.com/news/u-companies-allowed-delay-disclosure-data-breaches-195219835.html. Most of the laws allow vendors to delay the notification to customers for investigative purposes and also to give the institution time to understand the extent of the intrusion and work with law enforcement. It also gives vendors and institutions time to develop an informed notification for customers recommending steps the customer should take, as well as making arrangements to assist and protect customers and entities affected.

For me, the first breach notification came from Adobe. The breach occurred some time in mid-August, 2013: http://finance.yahoo.com/news/u-companies-allowed-delay-disclosure-data-breaches-195219835.html. The public and customers were notified of the breach on October 13, 2014: http://helpx.adobe.com/x-productkb/policy-pricing/customer-alert.html, referencing a blog posting on October 3, 2014: http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html. Estimates of the number of users affected vary from 38 million (Adobe’s figure) to 150 million.

I was notified by my LifeLock service, http://www.lifelock.com/nh, in a physical letter, that my Adobe user information name had appeared on a hacker website: http://www.postmanmojo.com/blog/adobes-security-xbreach-impact/. The letter recommended that I should change all of my passwords, everywhere.

The second breach was at Target: http://www.nbcnews.com/business/consumer/why-did-target-take-so-long-report-data-security-breach-f2D11783300:

“The Target data breach affecting 40 million of the retailer’s credit and debit cards stems back to Nov. 27, two days before Black Friday. So why are we just hearing about it now, three weeks later?” http://www.gottabemobile.com/2014/03/13/target-knew-of-data-breach-earlier-than-reported/;

http://pressroom.target.com/news/target-provides-update-on-data-breach-and-financial-performance

The estimates of the number of consumers affected have increased to a range of 70 million to 110 million. I did receive an email from Target indicating that they were breached and offering 1 year of credit monitoring through Experian.

The third breach notification came from University of Maryland University College, http://www.umuc.edu, where I am an adjunct professor in their graduate Cybersecurity Program. The letter sent to me and other affected parties is included in the press release about the breach. The breach occurred February 15, 2014 and was reported to the public on February 19, 2014: http://www.huffingtonpost.com/2014/02/19/university-of-maryland-data-breach_n_4819438.html. The University contacted all personnel and students about the breach on February 20, 2014 via their UMUC email. UMUC moved some websites to enhance security, and some of the historical links to UMUC information about the data breaches do not work. UMUC’s estimate of the number of accounts compromised in the February 15 breach is 287,580.

On March 20, UMUC announced another data breach had occurred on March 15: http://www.umd.edu/datasecurity/. This link also details the results of the investigation of the first attack and the remediation, which includes a free, five-year membership in Experian’s® ProtectMyID® Alert. UMUC stated that the March 15 breach was not related to the February 15 breach, and that information about only 1 university official was affected.

In summary, over the last 6 months, I have been notified of 4 data breaches, 3 of which have compromised my private information. The delay from the breach to notification of affected consumers has varied between 4 days and 7 weeks. Experian’s® ProtectMyID® has been offered to the potential victims of credit card fraud or identity theft as a result of these breaches, ranging from 1 year of free coverage to 5 years of free coverage. The estimated number of users affected ranged from 1 to 287,580 to 150 million.

While I am happy that vendors are compelled by law to inform those affected by a breach, it appears that the transparency is more opaque (as a function of time delay) as more people are affected and as financial consequences to a vendor are larger. The one vendor who seems to be the big winner in this new transparency is Experian with ProtectMyID®, which has managed to become the de facto remediation offered to victims of data breaches.

What should individuals and vendors do? Here are some first steps:

Individuals should:

  • Use pass phrases that include plenty of symbols and numbers.
  • Don’t use the same password everywhere.
  • Use a pass phrase wallet where you can.
  • Change pass phrases often.
  • Use credit cards because they offer better consumer protection than debit cards.
  • Take advantage of remediation offers from vendors.
  • Consider using an identity theft protection service.

Vendors, from the board level to IT personnel, should decide what they would do when, not if:

  • You think you may have been breached but don’t know what was taken or changed.
  • You know you have been breached and you may know some of what has been taken.
  • You know you have been breached and you can identify some data that has been taken.
  • You find your customer data has been posted on a website and you had no idea you’d been breached.

One day we all may be an erstwhile Abraham (in the story of Sodom and Gomorrah), looking for 10 people who are untainted by stolen credentials or identity theft. I’m pretty certain we’d have to look for someone “off the grid”. Maybe the Amish have it right after all. “Weird Al” Yankovic says it best:

Amish Paradise (Parody of “Gangsta’s Paradise” by Coolio)