The Identity Theft Resource Center (ITRC) has published its 5^th annual Aftermath study regarding the effects of identity theft on individuals. Here are a few of the details from the study. Over a five year period, the ITRC reports that 1/3 of identity thefts were perpetrated by someone known to the victim. The next largest number of thefts arose from lost or stolen wallets or PDAs. The cost to a victim of identity theft in 2007 averaged approximately $500 in out-of-pocket expenses for an existing account. If a new account was set up, the average out-of-pocket expenses rose to nearly $1,900. This is a rise of about $500 per victim since 2006. Additionally, only 10 percent of those surveyed discovered they had been a victim of identity theft after being notified by a business.

Click to read more ...

We’ve discussed phishing on this blog in the past, but a recent headline brings the concern back to mind. As expected, identity thieves continue to invent new ways to trick their victims. In this latest attack, phishing is elevated to “whaling” as attackers target executives at large companies. The current scam involves emails with a realistic looking U.S. federal court seal and a link to a subpoena.

Click to read more ...

NetworkWorld reports on Gartner’s 10 key predictions for information technology. The IT predictions range from events developing in 2008 to events in 2012. From an insurance perspective, perhaps one of the most interesting predictions is that 50 percent of business travelers will no longer travel with their laptops. The prediction suggests that pocket devices designed for web-based applications could make traveling with a laptop no longer necessary for many. If true, it could impact security risk, as many a case of reported Identity Theft exposure is linked to a lost or stolen laptop. If employees no longer travel with their laptop hard drives loaded with the personal info of customers, then maybe that portion of the ID theft risk could be minimized. Of course accessing applications via the Internet could create more opportunities for information to mistakenly be left publicly accessible online as well as create more interesting opportunities for web hacks. Learn more about security exposures on our blog and for examples of web hacks, visit the Web Hacking Incidents Database.

The results of a joint investigation into the TJX security breach by Canada’s National Privacy Commissioner and Alberta’s Privacy Commissioner was released on September 24, 2007.  In it, the Commissioners found that TJX collected unnecessary personal information and also retained personal information for an unnecessarily long period of time.  Further, the Commissioners identified TJX’s failure to expedite a transition from what it knew was a weak encryption protocol to a stronger one as a security flaw.  Finally, the report also suggests that TJX did not monitor its systems “vigorously” enough thereby unnecessarily delaying the discovery of the breach.  While TJX does dispute some of the Commissioners’ findings, the concepts regarding the use of personal information, the necessity of implementing the most-up-to-date and secure encryption protocol and the need to monitor systems for breaches are all viable risk management tips.

You may recall, the last time we reported on TJX, the costs of the breach were estimated at $8 million.  Current reports now indicate the total costs of the TJX breach are $256 Million. 

Forrester Research released a report (not free) on Security Breach costs on April 10 of this year. According to Network World, Forrester surveyed 28 companies that experienced a data breach and determined the total average security breach cost as between $90 and $305 per lost record. Of note, the discovery, response and notification costs per lost record were determined to be approximately $50. Earlier, we discussed the results of a Ponemeon Institute security breach study that reported the average total recovery cost as $140 per lost record.

Click to read more ...

The security breach at TJX Companies indeed appears to be headed toward being one of the worst in history – and not just from a risk exposure standpoint. It serves as an example of how many problems a computer hacking incident can cause.

Click to read more ...

The exposure of personal information stored by TJX Companies on its customers may turn out to be the most significant security breach since the ChoicePoint debacle . TJX Companies owns T.J. Maxx, Marshalls and other discount retail stores, and it is reportedly now the subject of an investigation by several dozen state attorneys general, led by Massachusetts Attorney General Martha Coakley . It is also the target of multiple class actions by consumers and banks.

Click to read more ...