2010 Data Breach Prevention and Response:

Transcription

1 (DLP and SIEM) June 2010

2 Audience: Financial institutions, credit and debit card issuers, card networks, security vendors, DLP vendors, SIEM vendors, healthcare organizations, merchants. Author: Robert Vamosi, Fraud and Security Analyst Contributors: Mary Monahan, Managing Partner and Research Director Tom Wills, Senior Analyst, Risk, Fraud and Compliance John Kenderski, Research Associate James Van Dyke, President and Founder Publication Date: June 2010 Price: $1,200 Length: 37 pages 17 charts/graphs Overview Data breaches have become commonplace 26% of U.S. consumers have received data breach notifications. Global criminal networks continue to evolve quickly to develop more sophisticated capabilities. Data loss and breach containment will be an ongoing challenge for businesses. Layered defenses such as data loss prevention (DLP) and security incident and event management (SIEM), covered in this report, can help. This report lists best practices for organizations before, during, and after a data breach. Should an incident occur, the organization needs to take specific actions quickly to minimize losses and curtail the impact to customer relationship. Long term, organizations need to provide not just notification but a complete resolution process. Primary Questions How do customers react to data breaches? What increased risks of identity fraud do data breach victims have? How does a notification letter affect a consumer s relationship with a financial institution? How are data breaches being perpetrated? How does a security reissue affect consumer use of a credit and/or a debit card? What steps should an organization take in advance of a data breach? Are there services for monitoring sensitive data? What steps should any breached company take first? Are there companies that provide data breach services?

3 Methodology This report is based on data collected online from a random sample panel of 3,294 online consumers collected in November 2009, with an overall margin of sampling error of ±1.71 percentage points at the 95% confidence level. Data from a September 2009 telephone survey with 5,000 U.S. adults, including 703 identity fraud victims, was also used in this report. For questions answered by all 5,000 respondents, the maximum margin of sampling error is +/ 1.4% at the 95% confidence level. For questions answered by all 703 identity fraud victims, the maximum margin of sampling error is +/ 3.7% at the 95% confidence level. For questions answered by a proportion of all identity fraud victims, the maximum margin of sampling error varies and is greater than +/ 3.7% at the 95% confidence level. The surveys targeted respondents based on representative proportions of gender, age, ethnicity and income compared to the overall U.S. online population. Rounding (in the underlying numbers) in the figures included in this report accounts for the slight differences in totals. Secondary data from publicly available online sources have also been included in this report.

4 Table of Contents Overview... 5 Primary Questions... 5 Key Findings... 5 Methodology... 7 Introduction: How Data Breaches Impact Financial Institutions and their Customers... 8 Data Breach Notification Laws...12 How Criminals Use Breached Data impacts Overall Fraud Rates...15 Prevention: Have an Incident Response Plan Handy...18 Limit Access to Sensitive Data...18 Where the Data Lives...19 DLP Solutions Vendors...21 Cisco IronPort...21 CheckPoint...21 RSA...21 Trustwave...22 WebSense...22 McAfee Data Loss Prevention...22 Sophos...22 Symantec Data Loss Prevention...22 Trend Miro DLP...22 Create a Data Breach Response Plan...23 Detection: Monitor for a Data Breach...24 SIEM Vendors...26 ArcSight...26 Cisco...26 elqnetworks...26 IBM...26 McAfee...26 RSA...26 Splunk...26 Symantec...26 Trustwave...27 Enact Your Incident Response Plan...27 Determine the Point of Compromise and Secure it...28 Breach Assessment Vendors...28 Resolution: Notification and Resolution...29

5 Table of Contents contnued... Notification and Resolution Vendors...29 Affinion Data Breach...29 Experian...29 Equifax...30 ID Experts...30 Intersections...30 Identity Theft Kroll...30 LifeLock...30 TrustedID...30 Resolution: How Different Companies Handle Data Breaches...31 The Blame Game: Who Customers Blame for a Data Breach...31 Disconnect Between Actual Fraud Caused By Data Breach and Consumer Understanding...32 Case Studies...33 Recommendations...34 Appendix...35 Related Research Companies Mentioned... 37

6 Table of Figures Figure 1: Data Breach Incidents vs. Records Breached... 8 Figure 2: Percentage of Consumers who had Cards Replaced Due to Security Concerns... 9 Figure 3: Consumers with More than One Debit Card or Credit Card Replaced due to Security Issues Figure 4: Number of U.S. Consumers Reporting Card Replacement Due to Security Concerns Figure 5: Consumers Likely Reaction toward Bank after Receiving a Data Breach Notification Letter Figure 6: How Consumers Use of Credit or Debit Cards Is Affected by Security Reissue Figure 7: Victims Top Breached Personally Identifiable Information (PII) Figure 8: New Account Fraud Compared with Existing Non card and Card Account Frauds Figure 9: Fraud Rate Past 12 Months for Consumers Who Received Breach Notification Letters vs. Did Not Receive Breach Notification Letters vs. All Consumers Figure 10: Mean Consumer Costs and Fraud Amounts for Victims Notified vs. Not Notified Figure 11: How Data is Lost Figure 12: Incidents (Cases) vs. Records Reported for Data Breaches Figure 13: Comparison of Detection Internal vs. External Sources Figure 14: Layering Protection with SIEM and DLP Figure 15: Consumers Assignation of Fault in a Data Breach Figure 16: Actual Fraud Rates Among Data Breach Victims Last 12 months vs. Fraud Attributed to the Data Breach by Those Notified of Data Breach Last 12 Months Figure 17: Breach Victims (Notified Last 12 Months) Fraud Rate vs. All Consumers Fraud Rate... 35

7 Companies Mentioned Companies Mentioned Affinion Kroll ArcSight Lifelock BNY Mellon McAfee Check Point RSA Cisco Sophos CVS/ Pharmacy Splunk Early Warning Services Symantec eiqnetworks TJX Equifax Trend Micro Experian TrustedID Heartland Payment Solutions Trustwave IBM USPS ID Experts Verizon Identity Theft 911 Intersections Websense Windows

8 INTRODUCTION: HOW DATA BREACHES IMPACT FINANCIAL INSTITUTIONS AND THEIR CUSTOMERS One thing is clear: Despite new laws, new standards, and new technology, data breaches remain a problem year after year. When looking at data breach numbers it is important to distinguish between the numbers of incidents (data breaches) vs. customer records (potential victims affected by the data breach 1 ). The two statistics can be very different. For example, one data breach incident (a lost laptop) disclosed in 2009 at Continental Airlines resulted in the loss of 230 records. 2 Another data breach incident (a web hack), was disclosed that same SAMPLE PAGE month at Heartland Payment Systems that resulted in 130 million records exposed. 3 These two January incidents went on to account for 58% of all records lost in 2009; clearly a single event can skew the total number of customer records exposed. Thus the total number of incidents for a given year may rise and fall and be independent of the total number of records breached. It is important to look at both the number of incidents and the number of records breached to see the entire picture. Data Breaches Continue to Increase Figure 1: Data Breach Incidents vs. Records Breached Category /Year Number of reported breaches Records breached 222, 477,043 35,691, ,725,343 Accessed May 25, Note: Adjusted Heartland from 30 million to 130 million as per alleged in Justice Dept. documentation Javelin Strategy & Research 1 It is possible for one victim to have multiple accounts breached, so there is not a one to one correlation between numbers of records and numbers of victims, although it is a good estimator. 2 laptop stolen from office containing finger prints names social security numbers addresses dates of birth and other information 3 malicious software hack compromises unknown number of credit cards at fifth largest credit card processor Copyright 2010 Javelin Strategy & Research. All rights reserved. It is protected by copyright and other intellectual property laws. You may display or print the content available for your use only. You may not sell, publish, distribute, re transmit or otherwise provide access to the content of this report. 8

9 DETECTION: MONITOR FOR A DATA BREACH Action Items Monitor logs and current activity in real time. Meet at least annually to review internal procedures in the event of data breach and discuss adding new team members to reflect changes in the data landscape at the organization. For data loss attributed to hacking and malware, monitoring the network through the use of security information and event management (SIEM) security information managers (SIMs) or other network monitoring systems can help. One important distinction is that while your company may experience several security events they are not all security incidents. An event can be defined as an anomalous activity detected on the system. For this, individual security tools, such as a firewall or an IDS, may not be adequate. SIEMs monitor a variety of security tools, SAMPLE PAGE collating events to create a real time picture of what is happening on the network. In looking at the information below, physical loss of data often results in fewer records lost than the online loss of data. Misuse, deceit (social engineering) and physical theft are categorized as physical thefts that result in fewer records stolen. Hacking and malware are online threats that result far greater numbers of records lost, and thus are more profitable to thieves. Hacking and Malware Account for Most of the Records Lost Figure 12: Incidents (Cases) vs. Records Reported for Data Breaches Hacking 64% 94% Malware 38% 90% Misuse Deceit 2% 6% 12% 22% Physical 2% 9% Error Enviromental 0% 0% 0% 67% % of Cases % of Records 0% 20% 40% 60% 80% 100% Percent of Consumers Source: Verizon Business RISK Team 2010 Javelin Strategy & Research Copyright 2010 Javelin Strategy & Research. All rights reserved. It is protected by copyright and other intellectual property laws. You may display or print the content available for your use only. You may not sell, publish, distribute, re transmit or otherwise provide access to the content of this report. 24

10 Customers Don t Connect Breach Notifications with Fraud Among consumers who received a data breach notification in the past 12 months, 19% suffered fraud, yet only 2% attributed their fraud to a data breach. It seems as if consumers are not connecting the dots on data breach notifications to fraud events. They are aware, in the abstract, that their personal records have been compromised, but when they become a victim of fraud they do not make the connection to the earlier breach notification. SAMPLE PAGE The implications of this finding, if true, are shocking. While the idea of notification is to provide an opportunity for consumers to take action to protect themselves, apparently they do not. This suggests that notification is not working. Consumers apparently do not understand that the data breach puts them at increased risk for other types of fraud. It also suggests that consumers who are explicitly notified are at increased need for identity protection services such as fraud alerts, security freezes, credit monitoring, and identity monitoring. Identity protection services vendors need to assist in fully educating consumers about the potential consequences of receiving a data breach notification letter. A Disconnect Exists Between Actual Fraud Caused By Data Breach and Consumer Understanding Figure 16: Actual Fraud Rates Among Data Breach Victims Last 12 months vs. Fraud Attributed to the Data Breach by Those Notified of Data Breach Last 12 Months 25.0% Data breach victims (notified in the last 12 months) who experienced any fraud in the last 12 months 20.0% 19.5% 20.4% Fraud victims who received a data breach notification (within past 12 months) who selfidentified that their information was obtained through a data breach 15.8% 15.0% 10.0% 5.0% 0.0% 1.9% 0.6% 0.4% October 2008, 2007, 2006, n= 105,109, 97 Base: Data breach victims in the last 12 months Javelin Strategy & Research Copyright 2010 Javelin Strategy & Research. All rights reserved. It is protected by copyright and other intellectual property laws. You may display or print the content available for your use only. You may not sell, publish, distribute, re transmit or otherwise provide access to the content of this report. 32

11 Place Your Order as Follows: 1) Call us at (925) Ext. 31 2) us at 3) Fax or Mail using the form below: Report Title Publication Date Price Name: Organization: Title: Division or group: Phone: Fax: Address: Signature to confirm your order: Payment Method: [ ] Payment card [ ] Check Enclosed [ ] Invoice me Visa, MC, AE or Disc. card #: Exp date: / Name on Card: Signature: For invoicing, provide PO number: (Invoicing is available to financial institutions or publicly owned firms) Note: Reports are provided in electronic PDF form only. Javelin reports are subject to standard terms and conditions, as described on our web site. Javelin will contact you in the future to provide our free research newsletter or other mailings. If you do not wish to receive our newsletter or other mailings, you may advise us of this. Your contact information will not be sold to other organizations.