Data Privacy Day is this Month!


Perfect for New Year's Resolutionists, Data Privacy Day is scheduled for January 28. The annual event, which takes place in a growing number of locations across the globe, encourages businesses and consumers to learn more about their individual data and information security risks. What a terrific resolution for the world to embrace!






I'm honored to have worked with the Governor's Office in my home state of Iowa for five consecutive years to secure his declaration of Iowa Data Privacy Day each year to coincide with the global event. Pictured above is the actual proclamation, which I received in my office a few weeks ago. It's exciting to be part of this global effort to prioritize the protection of privacy and data, and I encourage each of you to do the same. If you're curious about the types of information you can share, here's a video of my appearance on a local news broadcast that contains some thoughts.    


I'd love to hear how your organization is taking part in Data Privacy Day. Drop me a note and let me know all about it!


What follows in the January Tips Message below are a few of the threats, tricks and traps making it harder to keep our private information to ourselves. Feel free to share any or all of it as a part of your own resolution to elevate awareness. 



Target is the Latest Victim of Malware-Armed Hackers  

Even as you were rushing around preparing for your holiday celebrations, it would have been hard to miss all the news reports about the attack on Target customers' credit and debit card information. 


Although more information continues to be disseminated about the attack, we know that some 40 million accounts were exposed. Fraudsters stole cardholder names, card numbers, expiration dates and CVVs. The criminals then use this information for profit by either selling it to other crooks or producing counterfeit credit cards, which they can then use for fraudulent transactions. Those cardholders who had their information stolen and did not act quickly to get their cards cancelled may become victims of a wide range of crimes. 


If you aren't familiar with how such hacks can occur, watch this short video for a high-level description of the vulnerability faced by many retailers and other organizations today.


What should cardholders who shopped at Target during the exposure window do? Most importantly, check your credit and debit card accounts often. (You can usually do this online at any time instead of waiting for your monthly statement.) You may also choose to call your bank to see if it recommends reissuing your card. Often following a breach of this magnitude, banks will receive notice from Mastercard, Visa and others as to which card accounts have been compromised. 


New Phishing Scammers Impersonate Costco

Just yesterday, phishing fraudsters popped their heads into my email inbox hoping to fool me into clicking their links. Had I not known the warning signs of a fraudulent email, I may have done exactly that. Here is a screenshot of the email, and below the image, I've included a list of the red flags that were present in this particular email.  



Red-flag warning signs that helped me spot this as a fake:

  • The sender's address is from a domain that is not Costco's.
  • Although the domain actually exists, the business does not have any type of product or service I would have purchased.
  • The Costco representative I called said they would never send a message like this, and that they don't do business with this particular vendor. (NOTE: I tried contacting the business to let him know it appears his email server has been compromised, but so far I've not heard back from him.) 
  • The Costco logo is a little different than the one on the official Costco website.  
  • There are no details about the alleged order (no order date; no list of the items ordered).   
  • There are misspellings.   
  • The 21-percent refund reduction is ludicrous. (If something sounds fishy, that's because it usually is.)

If you receive an email with these warning signs and/or others, do not click any links. If you receive it in your work email, consider forwarding it to the person responsible for information security within your organization. That individual can then check it out and determine how to appropriately warn others in your organization to be on the lookout for similar phishing attempts. 



To Whom are You Really Emailing?

Nowadays, it's not uncommon for people to have multiple email addresses. Some people even belong to group email accounts in which an email sent to one address is actually received and potentially read by multiple people.


Before you hit send, be sure you know exactly where your email message is headed. Even when you're replying or forwarding, take the extra moment to hover your mouse over the address in the "To" field to be sure it's going to the intended address.


If you find yourself making this mistake often, consider changing email clients. Gmail, for instance, is notorious for allowing this recipient confusion. Gmail users should also be aware that Google has copies of and access to all email sent using its system. Mr. Snowden provided some proof of that.


Businesses especially should always use a proprietary domain for their email (not Gmail, Yahoo, etc., and certainly not a social email address, like those from Facebook). Business owners should always ensure their email provider follows good security practices (e.g., not storing any email on their servers after it is delivered to the client destination).




Who's Tweeting Your Every Move?

Around Thanksgiving, Storify turned one man's Twitter rant about a fellow airline passenger into a post for even more of the world to see. You can check it out here. For those of you unable to click outside links, let me share a few of the more outrageous Tweets that were rebroadcast in Storify's online "article:"


"Our flight is delayed. A woman on here is very upset because she has Thanksgiving plans. She is the only one obviously. Praying for her."


"I sent the lady a glass of wine and a note" [Publishes a Twitter pic of the wine and the note for all to read. It's addressed to "Lady in 7A" and signs off with "Hopefully if you drink it, you won't be able to use your mouth to talk."]


After the woman sends the Tweeter a note in reply, he posts a picture of it and then Tweets: "Diane is in her late 40s or early 50s. She is wearing mom jeans and a studded belt and she is wearing a medical mask over her idiot face."


Throughout this public string, the Tweeter seemingly shares a fellow passenger's physical description, first name, her seat number and the airline she's flying with. As it turns out, however, the incident was a fake; the Tweeter was making it all up basically for publicity.


Fabrication or not, the incident is a good reminder that any time you are in public - traveling or not - you are being surveilled. And it's not just by rarely accessed surveillance cameras anymore. Be careful when you speak and act, as you never know who could be taking offense or looking to embarrass you. 


Speaking of Surveillance, There Are Benefits...

Here's a good reason to install surveillance cameras on your home for security purposes: Woman stealing package from porch caught on camera.


This is not the first time surveillance cameras have caught thieves in their illegal acts. If you get packages delivered to your home, or have other reasons to increase security, you may want to consider installing a surveillance camera. There are many possibilities available. I will cover this in more detail in the February Tips.



What You May Need to Know about Your Gifts  

A few warnings for those who found TVs and smartphones under the tree this year...


Smart appliances may be too smart for our own good. Take smart TVs, for instance. As this article illustrates, some of these new appliances are particularly vulnerable to hackers. Once compromised, the TVs allow access to account information, including login credentials (which owners may use for access to more than just their smart-TV account). Even scarier, hackers could gain access to front-facing cameras to see everything happening in the room where the TV is connected. Instead of you watching your favorite program, criminals may be watching you!    




As many people get new smartphones for holiday gifts, they will be tempted to sell their old devices. If you're one of them, keep this story, reported by a Virginia ABC affiliate, in mind (Thanks to my friend Chris Duque for pointing out this article.):


McAfee online security expert Robert Siciliano did a little experiment; he purchased 30 different devices from craigslist, including laptops, notebooks, iPads and smartphones.


"I asked every single person if they re-installed the operating system or reformatted the drive, and they all said yes," Siciliano said. "On more than half of the devices, I found enough information to steal identities or, in some cases, even get people into trouble."




The takeaway? Be mindful that erasing your personal data from your devices requires more than a delete button. Here's a good resource for learning how to sufficiently wipe your smartphones, tablets, computers and more before handing them off to a stranger.



Privacy Professor in the Classroom

I really enjoy educating audiences of all different backgrounds on the how-to's of privacy protection. If you're interested in attending one of my talks, here is an upcoming opportunity:


January 9, Webinar: Where Do You Draw the Creepy Line? Privacy, Big Data Analytics and the Internet of Things. Register here. (Attendees eligible for 1 hour CPE)


Need Help?


If you need any help with information security or privacy training and awareness, or if you must comply with HIPAA and need help (especially important now that the Omnibus Rule has gone into effect), please check out my Compliance Helper site or get in touch with me; I would love to help you!


You Have My Permission to Share


I receive a lot of requests to repurpose the information contained in these Tips messages, so I wanted to drop a quick note in here to say, "Yes, I approve!" Please use the following attribution so that others will know where to find me if they have additional questions about the material you pass along.


Source: Rebecca Herold (a.k.a. The Privacy Professor),



As you make your own New Year's resolutions, I hope you'll consider including privacy-risks education on the list. Whether you're in the position to teach or to learn, you will be building a larger awareness of issues that are becoming increasingly important for everyone. I'll continue to do my part as both an educator and a life-long student of data privacy and security... if I can help your organization in 2014, I hope you'll get in touch.




Blessings for a wonderful 2014...Happy New Year!! 



The Privacy Professor®
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564