Presentation is loading. Please wait.

Presentation is loading. Please wait.

Are Large Scale Data Breaches Inevitable? Douglas E. Salane Center for Cybercrime Studies John Jay College of Criminal Justice Cyber Infrastructure Protection.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Are Large Scale Data Breaches Inevitable? Douglas E. Salane Center for Cybercrime Studies John Jay College of Criminal Justice Cyber Infrastructure Protection."— Presentation transcript:

1 Are Large Scale Data Breaches Inevitable? Douglas E. Salane Center for Cybercrime Studies John Jay College of Criminal Justice Cyber Infrastructure Protection 09 City University of New York City College (CCNY) June 5 2009

2 Large Scale Breaches  What is a large scale data breach?  Why are they important?  Where do these breaches occur?

3 Information on Data Breaches  State Breach notification Laws  Federal Breach Notification Laws  Role of State Attorney Generals  Breach notification letters  Civil and criminal prosecutions  Company press releases and announcements  SEC Filings

4 Organizations that track breaches  Open Security Foundation: DataLoss DB project http://datalossdb.org/http://datalossdb.org/  Privacy Rights Clearing House http://www.privacyrights.org/ http://www.privacyrights.org/  Federal Trade Commission http://www.ftc.gov http://www.ftc.gov

5 Breach Incidents 2000-2009

6 Incidents By Breach Type

7 Incidents Business

8 Incidents by Data Type

9 Notable large scale breaches in the Data Aggregation Industry  What is the data aggregation industry?  Who buys information from a data aggregator?  What types of information do these companies provide?

10 Breaches in the Data Aggregation: methods, costs and consequences  Acxiom breaches 2001-2004  Choice Point breaches 2004  LexisNexis (Accurint) breaches 2005,2007

11 Breaches in the Retail and Card Payment Industry  What is the card payment processing industry?  Why is this industry targeted and by whom?  What do you do with 45 million credit card numbers?

12 Breaches in the Retail and Card Payment Processing Industries: methods, costs and consequences  CardSystems Solutions – 45 million card numbers  TJX Companies – 94 million cards  RBS World Pay – 1.5 million financial records  Heartland Payment Systems – 100 million cards

13 Card Payment Industry

14 Monetizing the Crime  Carding sites  Cashing on a world-wide basis  Targeted attacks, e.g., scanners and cameras

15 Breaches and Fraud  Percentage of revenue lost to on-line fraud – about 1.4% for the past six years, 3.6% in 2001  Card present fraud rate continues to decline  ATM fraud is rising(?)  “Identity fraud” is rising (?)  Fraud in international card transactions is unacceptable (One in nine on-line purchases rejected)

16 Large scale breaches: The costs to businesses  Breach notification costs  Class action suites to recover costs  Loss of confidence by business partners and clients

17 Remedies  Industry wide attempts at security – PCI DSS in the payment processing industry  Enhanced roles of the chief information security and information privacy officers  The increasing importance of information privacy polices

18 Challenges  Breach details seldom revealed, even long after the breach.  Until recently, there were no industry wide clearing houses for breach information. (Payments processing Information Sharing Council)  Risks of keeping breach information secret

19 A few IT Community Challenges  Knowing where the data is  Rapid system wide updating and patching  Integration of legacy systems  Automated fraud detection tools at each level  Implementing end-to-end encryption  Better systems for authorization and auditing

20 Law Enforcement Challenges  Immediate notification in the event of a breach  Improved intelligence on carding sites and cashing techniques  Critical need for international law enforcement and governmental cooperation

21 Information Security Policy Challenges  Privacy polices based on need-to-know (limit data collection and retention)  Comingling of systems on public and private networks.  Polices to protect large data repositories

22 Trends  Breach costs will continue to grow  National Breach Notification Legislation is coming (health care now, other sectors soon.)  Breach notification will give FTC and HHS Dept. more authority to regulate the use of PII.

23 Concluding Remarks  Breach notification laws are changing the way organizations view information security and privacy.  Breaches of PII such as SSNs, names, addresses is especially dangerous for individuals.  More on privacy and data breaches at the Center for Cybercrime Studies Center for Cybercrime Studies

Download ppt "Are Large Scale Data Breaches Inevitable? Douglas E. Salane Center for Cybercrime Studies John Jay College of Criminal Justice Cyber Infrastructure Protection."

Similar presentations

Data Privacy and Security in the Cloud Presented by Robert J. Scott Managing Partner Scott & Scott, LLP www.ScottandScottllp.com.

Data Privacy and Security in the Cloud Presented by Robert J. Scott Managing Partner Scott & Scott, LLP
Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC 29406 843-576-1426 Health Insurance Portability.

Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC Health Insurance Portability.
UNCLASSIFIED Cybercrime: The Australian Experience Australian Cybercrime Online Reporting Network (ACORN) Conference Assistant Commissioner Tim Morris.

UNCLASSIFIED Cybercrime: The Australian Experience Australian Cybercrime Online Reporting Network (ACORN) Conference Assistant Commissioner Tim Morris.
Target Data Breach – Cost of the Learning Curve Discuss the recent Target data breach and its impact on the industry as well as individuals January 29/30,

Target Data Breach – Cost of the Learning Curve Discuss the recent Target data breach and its impact on the industry as well as individuals January 29/30,
Identity Theft & Data Security Concerns Are You Meeting Your Obligations to Protect Customer Information? Finance & Administration Roundtable February.

Identity Theft & Data Security Concerns Are You Meeting Your Obligations to Protect Customer Information? Finance & Administration Roundtable February.
Section 6.3 Protecting Your Credit. Billing Errors and Disputes Notify your creditor in writing Notify your creditor in writing Pay the portion of the.

Section 6.3 Protecting Your Credit. Billing Errors and Disputes Notify your creditor in writing Notify your creditor in writing Pay the portion of the.
Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.

Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.
Page 1 Presented Insp. Amos Sylvester Trinidad and Tobago Police Service.

Page 1 Presented Insp. Amos Sylvester Trinidad and Tobago Police Service.
Financial Institutions – Cyber Risk Managing Cyber Risks In An Interconnected World State Compensation Insurance Fund Audit Committee Meeting – February.

Financial Institutions – Cyber Risk Managing Cyber Risks In An Interconnected World State Compensation Insurance Fund Audit Committee Meeting – February.
Information & Communication Technologies 08 2014 NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.

Information & Communication Technologies NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Brief Synopsis of Computer Security Standards. Tenets of Information Systems Security Confidentiality Integrity Availability Over the years, standards.

Brief Synopsis of Computer Security Standards. Tenets of Information Systems Security Confidentiality Integrity Availability Over the years, standards.
Security Controls – What Works

Security Controls – What Works
Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.

Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.
1 Information and Systems Security/Compliance Security Day - 2005 The Information and Systems Security/Compliance Program Dave Kovarik.

1 Information and Systems Security/Compliance Security Day The Information and Systems Security/Compliance Program Dave Kovarik.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
(Geneva, Switzerland, September 2014)

(Geneva, Switzerland, September 2014)
Information & Communication Technologies 08 2014 NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.

Information & Communication Technologies NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.
IT Security Challenges In Higher Education Steve Schuster Cornell University.

IT Security Challenges In Higher Education Steve Schuster Cornell University.
Preparedness for cybersecurity threats domestic aspects of cyber security Jaan Priisalu.

Preparedness for cybersecurity threats domestic aspects of cyber security Jaan Priisalu.

Similar presentations

Ads by Google