Free identity protection from breached companies falls short


By Frank J. Ohlhorst, ThirdCertainty

Free identity theft monitoring has become something of a de facto consolation prize for people whose personal information gets stolen by data thieves.

These free services, paid for by the breached company, may help some folks sleep better. But security experts say they may come into play too late, and coverage certainly does not extend long enough, to mitigate exposure to the worst forms of identity fraud.

The latest example: hackers stole driver’s license numbers and other personal data for 50,000 drivers working for the Uber personal transportation service that’s popular in California and several other states.

The company said only a small percentage of current and former Uber drivers were affected. And it announced that those victims are eligible to receive a free one-year subscription to Experian’s ProtectMyID Alert identity-monitoring service.

Uber disclosed this breach in a blog post published Feb. 27. Hackers got into their data on May 13, 2014, but it wasn’t until Sept. 17, 2014 that the breach was discovered.

That means the Uber drivers’ stolen data has been out in the wild for nine months. It also means Uber could have disclosed this, and started delivering fraud protection to the drivers, five months ago.

“What’s most disconcerting is how long it took Uber to inform those impacted by the breach,” says Brett Helm, CEO of DB Networks, a database mapping vendor. Helm added, “Two months of inaction might as well be two years when it comes to personal data exposed in a breach; the potential for damage is almost unimaginable.”

Nastiest fraud

The most worrisome exposure faced by the victims is new account fraud. This is the nastiest type of identity theft. A stolen Social Security number or valid driver’s license number can enable a fraudster to piggyback onto a victim’s good name and credit history to take out new loans, tap medical services and perpetrate other scams. This type of victimization can be very damaging and time-consuming to unravel.

While the breach at Uber may have lasting consequences for some 50,000 company drivers, a much larger breach at Anthem Health reported earlier in February could potentially expose about 80 million of the company’s customers to new account fraud.

Much like Uber, Anthem is supplying affected parties with free identity theft monitoring, via AllClear ID, for a full 24 months, twice as long as Uber.

However, two years of monitoring isn’t nearly enough, contends Michael Sabo, marketing vice president at database mapping vendor DB Networks.

“If your credit card is lost in a breach it’s rather easy to get it replaced,” says Sabo. “But your identity is permanent. Another year of identity monitoring is simply not enough. Affected individuals could be at increased risk for decades.”

As with the Uber incident, the breach at Anthem may have started many months before the company realized an attack was underway. Security expert and author Brian Krebs suggests that the breach may have started as long ago as April 2014, meaning that user data was exposed long before any action could be taken.

Quick confession

However, unlike Uber, Anthem was much quicker to respond to the threat once detected. Anthem said that the breach was detected on Thursday, Jan. 29 and called IT forensics specialist Mandiant, a subsidiary of FireEye, to look into vulnerabilities of its computer system. What’s more, the company contacted the FBI as soon as suspicious activity was recognized, even though the company was not obligated to report the breach for at least several more weeks.

Anthem received praise for quickly alerting authorities. FBI spokesman Joshua Campbell singled the company out as “a model for other companies and organizations facing similar circumstances.”

The main lesson, according to DB Networks’ Sabo: “The quicker an organization responds to a breach and asks for help, the quicker the company can regain the trust of its customers and employees.”

As for Uber, the company is now pursuing legal means to track down those responsible for the breach. The company is attempting to gather the IP addresses of every person who may have accessed a GitHub repository used by Uber, where it suspects that attackers may have gained access to a security key that could unlock the impacted database.

“Going after GitHub adds insult to injury,” said DB Networks’ Helm. “Database keys, certificates or other security elements should never be stored anywhere that is accessible by the public. It seems that Uber made a real rookie mistake with that.”

