Sarasota, FL, January 6, 2012 / Internal Release - While companies focus their fraud prevention efforts on direct third-party fraud, they would do well to spend some time mitigating the risk of account takeover. In a year that began with high-profile attacks on Sony and the email marketing firm Epsilon, ended with hacktivist campaigns and the posting of sensitive information stolen from Stratfor, and saw Federal initiatives in response to data breaches gain momentum, data breaches made more headlines in 2011 than ever before. The fact is that fraudsters are turning to account takeover as a means of committing fraud, and they are harvesting the accounts they need through phishing, pharming and data breaches. With estimates ranging from 400 to 535 data breaches in 2011 and tens of millions of records exposed, The Fraud Practice looks at the impact of data breaches over the past year and how they may affect laws and regulations in 2012.
Targeted phishing campaigns and malicious emails were a persistent problem in 2011 because of the wealth of information pilfered by hackers, much of it in data breaches that occurred in April. The first was against Epsilon, which manages email marketing for many large clients; according to the Privacy Rights Clearinghouse it was the largest security breach ever. Estimates of the number of consumer email addresses taken by the hackers range from 50 million to a potential 250 million. Also in April the loose-knit hacktivist group Anonymous launched a DDoS attack against Sony, and later that month the Sony PlayStation Network was hacked and taken offline. Ultimately the data breaches against Sony would result in the compromise of over 100 million names, emails, birthdates and addresses along with over 12,000 credit and debit card numbers.
An email address is easier to replace than a credit card, but the effects of the breach can still be very damaging. If a fraudster knows a name and email address, and also knows that the person gave this email address to McDonald's or any of Epsilon's other clients, the fraudster can craft a more tailored and convincing email to dupe the victim of the data breach. The breached data supplies exactly the context that makes a lure look legitimate: the right brand, the address the consumer actually registered, and a plausible reason for contact. Emails purporting to be from a trusted company with which the consumer has previously done business are being sent with malicious links or attachments, or instead try to trick the recipient into sharing more personal information. Although spam email volume in the U.S. decreased by billions of messages overall in 2011, targeted email attacks, or spear phishing, are on the rise (Source: Cisco 2011 Annual Security Report and SC Magazine).
2011 also saw several data breaches and other cyber attacks organized by hacktivist groups motivated by making a statement. The group LulzSec orchestrated multiple DDoS attacks, including one that temporarily shut down CIA.gov, and also hacked and posted the names and addresses of eight Arizona police officers because the group disagreed with the state's immigration law. After law enforcement in multiple countries made a series of arrests of people who had participated in the DDoS attacks that Anonymous organized against Visa, MasterCard and PayPal for refusing to process payments to WikiLeaks, the hacktivists planned their retaliation. AntiSec, an effort started in 2011 by LulzSec and Anonymous, hacked and posted 10 gigabytes of information taken from 70 U.S. law enforcement agencies, including the names and addresses of over 7,000 officers, which they explicitly stated was a consequence of the earlier arrests.
AntiSec continued its hacktivism campaigns through the remainder of 2011 in support of the Occupy protests. Anonymous hacktivists were able to breach the systems of the United Nations and post 1,000 user names and passwords. Anonymous then organized Operation Robin Hood, an effort to steal credit card information from big banks and use it to donate to charities (of course, all such fraudulent donations will be charged back). AntiSec claimed to have already breached Bank of America, Citi and Chase, and although the legitimacy and extent of these claims has yet to be determined, they are presumed to be exaggerated if not entirely false. It should be noted, however, that Citi did suffer a data breach in May 2011 in which the names, emails and card account numbers of 360,000 North American customers were compromised. The hacktivist groups ended the year by hacking into the servers of the global intelligence firm Stratfor, resulting in the company's website being shut down for about two weeks and, according to Anonymous, compromising 200 gigabytes of data. Just before the end of 2011 the hacktivists posted the names, addresses, credit card numbers and hashed passwords of 75,000 Stratfor customers along with the user names, passwords and email addresses of the 860,000 users registered on Stratfor's site. Hashed passwords offer little protection once published: weak or unsalted hashes can be cracked offline, and recovered credentials are then tried against other sites, which is precisely the account-takeover route described above.
With the number of high-profile data breaches that occurred in 2011 it is no surprise that the topic gained so much media attention, and now, with the year at a close, we can assess the aggregate numbers. The Privacy Rights Clearinghouse estimates that there were 535 data breaches in 2011, resulting in the compromise of over 30 million records. Since it began tracking data breaches in 2005 it estimates that 543 million records have been compromised as a result of data breaches. The Identity Theft Resource Center (ITRC) provides a lower estimate: as of December 27, 2011 it counted 414 data breaches in 2011, exposing nearly 23 million records. Since 2005 the ITRC has tallied 511.5 million exposed records resulting from 3,139 data breaches. Both tallies are built from publicly disclosed incidents, so the difference between them reflects differing inclusion criteria and sources, and either figure should be read as a floor rather than a full count of what was exposed.