Sunday 7 December 2014

Medical Identity Theft on the Rise and is the Golden Target for Hackers

Jackson Lewis, The National Law Review

Medical identity information is worth more than ten (10) times that of financial information on the black market. This gives hackers a financial incentive to obtain such information that is maintained not only by medical providers and pharmacies but also by employers who provide medical insurance coverage to their employees. Employers may hold, in their human resources or other networking systems, not only the medical records of their employees obtained from managing workers compensation claims and other matters, but also, and more importantly, employers may maintain medical insurance registration forms and health insurance billing information on their employees. This is exactly the type of information that is at risk and which increasingly is breached.

Why is medical identity information so valuable on the black market?
Fortune reports that medical identity theft is in demand on the black market. Employer data systems are a goldmine for would-be hackers. Within medical records, hackers can find social security numbers, dates of birth, health insurance policy numbers, and other billing information that can be used not only for financial fraud but also for medical identity theft, where the billing information is used to obtain medical services and prescriptions in the name of the individual whose identity has been compromised.

How can employers protect the medical identity information they hold?
The starting point is a risk and vulnerability assessment to gain an understanding of the business’ data privacy and security risks. There are a number of resources available to assist in designing and carrying out an assessment. If the medical information is subject to HIPAA, such as in the case of information maintained with respect to the company’s group health plan for employees, HHS has released a security assessment tool. Of course, much of an employee’s medical information maintained by an employer is NOT subject to HIPAA, such as leave of absence records and workers compensation records.

Another source is the National Institute of Standards and Technology (NIST), which recently issued a draft update of its primary guide to assessing security and privacy controls. While the work NIST does, including this guide, is designed for federal information systems and networks, it is an excellent and comprehensive source for businesses to understand steps they too can take to safeguard their systems and data. For many employers, these tools may be too extensive and simply not practical. This is where a qualified data privacy expert counselor can add value in helping you to appropriately assess your administrative, physical and technical risks. Either way, a necessary and appropriate risk assessment will then lead to the development and implementation of a written information security program.

Of course, getting management (C-suite) support is essential. Data privacy and security is an enterprise-wide risk which requires an enterprise-wide solution. This is not something that should be left up to the IT Department to handle solo. Rather, the buy-in for the need for adequate safeguards and training has to come from the top, and key stakeholders have to be brought into the planning and assessment early in the process in order to obtain adequate support for building a data safety program and a culture of data privacy and security. Accordingly, the protection of all personally identifiable information, including medical information, takes buy-in and leadership from senior management, a careful understanding of the organization’s risks and vulnerabilities, knowing what the law requires, coordination with key persons inside the organization and certain third parties outside the organization, frequent and regular security awareness and training, and regular re-evaluation of the organization’s approach for changed circumstances.

Wednesday 3 December 2014

UK - Morrisons employee appears in court over staff data theft fraud charge

Telegraph & Argus

A Morrisons employee has denied abusing his position to fraudulently disclose personal data at the supermarket firm.

Andrew Skelton, a senior internal auditor, denied charges under the Computer Misuse Act, the Data Protection Act and the Fraud Act.

Skelton, 43, from Liverpool, was charged with the offences after an investigation at the Morrisons head office in Bradford.

The supermarket employee appeared at Bradford Magistrates' Court and spoke only to confirm his name, address and date of birth and to enter not guilty pleas.

The court clerk read the charges to Skelton, who stood in the witness box wearing a dark suit, pale blue tie and glasses.

He is accused of using a computer to gain unauthorised access to a programme or data with the intent to commit fraud; knowingly or recklessly disclosing personal data without the consent of the data controller; and conspiring to commit fraud by abusing his position with the intention of causing loss to Morrisons supermarkets.

All the offences are alleged to have taken place between November last year and March 20 this year.

Skelton, of Water Street, Liverpool, was released on bail and will appear at Bradford Crown Court on December 16.

Tuesday 25 November 2014

Threats To IP Call For A Risk-Based Approach

By Pamela Passman, Center for Responsible Enterprise and Trade (create.org). Article reproduced from IP Watch.

Economic globalization and digitization of information have revolutionized business and allowed for efficiency that was unimaginable a few decades ago. The ability to share information remotely means companies can coordinate with partners remotely, integrate suppliers, track shipments and communicate in real time with customers in distant markets. These trends represent a seismic shift in the way the world works.

But the shift has created new challenges and vulnerabilities that companies are only beginning to comprehend. The information that firms hold and exchange – including intellectual property, trade secrets and customer data – is rich with high value targets for criminal syndicates, governments, competitors, disgruntled insiders and hackers. Today’s business networks, which can include a few, a few dozen or a few thousand partners in various nations, are riddled with access points for motivated trespassers.

Information theft is a real and present danger, and the daily headlines chronicle how it is hitting profits, corporate and brand reputations, and cutting into markets. The rapidly mounting losses caused by these incidents are evidence that the way many companies are addressing the threat – typically with a combination of legal, IT and supply chain tools – tends to be reactive, taking place after the damage is already done.

In this new reality, companies need to take a holistic, risk-based approach that recognizes information assets as one of the keys to business success. Fortunately, most companies can leverage a system that they already have in place to address other key risks. Enterprise risk management (ERM), which is widely used to anticipate and grapple with other high-level business risks, can be adapted to address threats to IP and other proprietary information.

The scope and nature of the threat is evolving and growing:
  • A simple email is sometimes all it takes for a malicious employee to share valuable trade secrets with competitors – assets such as product plans, the findings of expensive research or a unique manufacturing process.
  • A complex supply chain can open the door for counterfeit parts to enter products and result in health and safety risks to consumers. Fake products and components have been found in virtually every industry – including military equipment, automobiles, pharmaceuticals, food and toys.
  • A coveted new technology can be copied and immediately distributed around the world. In an increasingly common narrative, it is a departing employee who is arrested after downloading company files with proprietary information on hybrid car technology, solar panel technology, high-tech fabric for military use, and financial system code.

Meanwhile, cyber intrusions that compromise consumer data or payment information for thousands, or millions of customers are skyrocketing. These attacks have increased 66 percent year-on-year since 2009 – and have become much more costly on average, according to PwC’s recently published Global State of Information Security Survey for 2015. Globally, the annual estimated reported average financial loss attributed to cyber security incidents was $2.7 million, up 34 percent over 2013. Organizations reporting financial hits of $20 million or more in 2014 increased 92 percent in that period.

And this is just a partial picture. Some organizations choose not to report detected cyber intrusions for a variety of reasons, while many others are believed to go undetected, the report said.

Getting Out Front

The challenge for companies, as well as governments and other organizations, is to get ahead of the threat by anticipating a potential risk of information theft rather than reacting after it has become an urgent problem. In addition, they need to think beyond their traditional boundaries to be effective.

ERM is the most effective resource that companies possess for doing so. It is designed to help a company shift from dealing with negative events reactively to taking a proactive, preventative approach to the risks that it faces, and for strategically allocating resources to reduce the company’s risks internally and in its end-to-end supply chain.

The framework is widely used to take on issues such as financial stability, quality control, health and safety, environmental and labor issues. The system can be readily adapted to consider the business and compliance risks related to IP. Indeed, it is imperative that threats to these assets, which are now effectively the “crown jewels” for many companies, be considered alongside other key business risks.

The fundamental elements of ERM – though there are a couple of different models – are to systematically “identify, assess and manage” business risks.

For protecting intellectual property, it is hard to overstate the importance of the first step – to identify risks. This requires a full accounting of a company’s intellectual property – that covered by patents, trademarks, and copyrights as well as trade secrets and sensitive data – where it is located and who has access to it.

Identifying vulnerabilities, internally and within the supply chain, is critical to addressing them. The PwC survey suggests that many companies have not done a comprehensive assessment. Just 52 percent of the respondents said they have a program to identify sensitive assets, and just 56 percent have taken the effort to inventory the collection, transmission, and storage of sensitive data for employees and customers.

The risk-management approach provides a way to rank threats by analyzing the probability of given problems – in this case, misappropriation of IP – and the severity of the damage each would cause.

That assessment in turn provides a return-on-investment basis for a risk management strategy. With respect to IP risk, it helps to focus allocation of resources for investment in IT security, and generates insights for improving IP protection processes, training employees, conducting due diligence on potential supply chain partners and creating contingency plans if sensitive information is compromised.

It is not surprising that companies have rushed to invest in cyber security over the past several years. Thefts of sensitive information through cyber attacks are the misappropriation incidents that get the most press – especially those apparently launched by foreign governments.

“(I)n the battle against cybercrime most companies spend the majority of their time and resources building a fence around their internal organization – including their data, systems and personnel,” according to the Global Information Security Survey 2014 published in October by Ernst and Young. “This is a starting point, but the perimeter is no longer stable, and a fence no longer possible.”

Theft by insiders remains more common. In the PwC survey, 57 percent of respondents viewed employees as the most likely source of a cyber attack, and 32 percent said insider crimes are more costly or damaging than incidents perpetrated by outsiders.

Last year’s data breach of Target stores, compromising the credit card and personal information of millions of customers, suggests how third party relationships might prove to be a conduit for theft. That incident reportedly traces back to carelessness on the part of a vendor providing heating, air conditioning and refrigeration services for the big box store.

It is important to note that no company is immune. As larger companies put in place more effective security safeguards, threat actors are increasingly stepping up their assaults on middle-tier companies, many of which may not have security practices that match the maturity of bigger businesses.

The value of the risk management approach is that it helps companies consider the whole business ecosystem and tailor security strategy to manage IP risk internally and within the supply chain, as well as guarding against attacks from afar.

It is worth emphasizing that while IT security is essential, it is just one element required to protect IP from misappropriation.

Effective protection also requires buy-in from top leadership, and the input from all business divisions. A cross-functional team is instrumental for identifying important IP and risks, and ensuring policies are in place for handling sensitive information. The policies must be translated into procedures, reinforced by communication and training of employees.

Given today’s interconnected business ecosystem, vast amounts of data are generated and shared with business partners and suppliers, so due diligence of potential business partners should be of paramount importance. And within a business network, companies should also help key partners bolster their IP protection efforts – and, to the greatest extent possible, provide training for their employees.

It is without doubt a challenge to account for threats that are ever changing and traversing nations.

But the reality is that the efficiency we have gained through technology and sprawling global supply chains comes with its own weaknesses. Companies must identify their vulnerabilities and manage the risks thoughtfully, or find that their adversaries will exploit them – potentially at a much higher price.

Note: This White paper is available here

Sunday 23 November 2014

The elephant in the room

Gene Fredriksen, SC Magazine
Gene Fredriksen is the Global Information Officer at the Public Service Credit Union (PSCU)

We openly discuss and debate security technologies, but many organizations are reluctant to discuss the people-centric issue of insider threat. We are all aware of it, we inherently know the risk to our company, and yet the topic seems to be taboo in many organizations. Whatever your organization or industry, regardless of size or location, we all face the unpleasant reality that we are vulnerable to an insider attack. In an era of team-building and empowerment, most organizations are hesitant to talk about the insider threat because it means that one of our own trusted employees may steal the lifeblood of the organization. The reality is that regardless of your industry, the size of your organization or the type of business you have, the insider threat is a menacing reality. To compound the issue, job consolidation and downsizing in many organizations have resulted in broader access to sensitive data by many of our employees. Most organizations are adept at knowing when an outsider attempts to access or steal proprietary data, but how do you sense data theft by an employee with legitimate access?

How prevalent is the issue? According to Forrester Research, insiders represented the top source of breaches over the last 12 months. Indeed, 25 percent of those participating in the study said a malicious insider was the most common way a breach occurred. Let's also acknowledge that insider attackers are likely to cause more damage than external attackers. The Open Security Foundation published data showing that while insiders were responsible for only 19.5 percent of incidents, those incidents were responsible for 66.7 percent of all exposed records.

Organizations need to do their part to deter intellectual property theft. It's time for the tough conversations. Involve all levels of management, HR and legal. Admit the susceptibility of your organization to the insider threat and develop aggressive plans to guard your organization.

The FBI offers the following advice to get started:
  • Educate and regularly train employees on security or other protocols.
  • Ensure that proprietary information is adequately, if not robustly, protected.
  • Use appropriate screening processes to select new employees.
  • Provide non-threatening, convenient ways for employees to report suspicions.
  • Routinely monitor computer networks for suspicious activity.
  • Ensure security (to include computer network security) personnel have the tools they need.
  • Remind employees that reporting security concerns is vital to protecting your company's intellectual property, its reputation, its financial well-being, and its future. They are protecting their own jobs.

At its root, this is a people and cultural issue. We can monitor with technology, but if we hope to fully address this threat we must develop programs that will change the way people think about their obligation to protect company data. Start having the hard conversations with senior management. You will find they are just as concerned with the “elephant in the room,” but may not have known a way to discuss it without violating company culture or seeming like “big brother.”

Further, use external resources to come in and talk about the insider threat. Additionally, take the initiative to help management understand that the insider threat is a pervasive problem that must be addressed. Bring the issue into the light and focus on culture change. The benefits to your organization are very real.

Wednesday 19 November 2014

Protect your medical data from identity theft

By Constance Gustke, Marketwatch


Your doctor’s files could be bad for your financial health.

Hackers, notorious for stealing credit and debit-card information from stores, and other thieves are increasingly targeting medical records, which can be more valuable because they include such coveted data as Social Security numbers, birth dates, driver’s license numbers and checking-account numbers, experts say.

Medical-record data offer identity thieves one-stop shopping, says Al Pascual, senior analyst of fraud and security at Javelin Strategy & Research, a research and consulting firm in Pleasanton, Calif.

“There’s so much information that can be used in a variety of ways after it’s stolen,” he says, “such as opening a new checking account, filing fraudulent tax returns or getting a new consumer loan.”

Or even medical-identity hijacking, in which personal information is sold and used to get medical care. The theft can mean canceled insurance plans, damaged credit, misdiagnosed illnesses and unwarranted medical charges that can take over a year to fix.

Medical records typically sell on the black market for about $50 each, says Pascual. The thieves, often hackers from overseas, are rarely caught, and medical clinics and hospitals compound the problem by having poor record security and holding personal data for long periods.

This widespread problem of medical-record theft, which often targets children and the elderly, shows no signs of slowing.

The number of medical identity victims was up nearly 20% last year from 2012, the most recent data available, according to the Ponemon Institute, a research firm based in Traverse City, Mich. About 1.8 million Americans were victimized in 2013, at a cost of $12.3 billion.

One major factor behind the problem: the increasing digitization of medical records.

“Digitized records are much easier to steal than paper ones,” says Deborah Peel, a physician and founder of Patient Privacy Rights, a nonprofit advocacy group in Austin, Texas. “Once you needed a convoy to haul away records. Now all you need is a thumb drive.”

Digitized medical records can now also be stashed in millions of databases, she says, making them harder to correct because they’re in so many different locations if fraud does occur.

This summer, Community Health Systems, a hospital chain in 29 states, had its records hacked by a Chinese group that stole Social Security numbers and other data from 4.5 million patients, according to U.S. Department of Health and Human Services records.

Friday 14 November 2014

Be Prepared for EHR Breaches, Experts Warn

David Wild, Clinical Oncology News

If you have not yet endured an electronic patient data theft, you most likely will experience one before too long, experts warn. They say the transition to electronic health records (EHRs) has not been accompanied by adequate safeguards, and they are calling on physicians to do more to protect patient data.

“Health care systems will be seeing large-scale hacks of the type we’ve seen with retailers like Target,” said Katherine Downing, MA, the director of Health Information Management Practice Excellence at the American Health Information Management Association, in Chicago. Ms. Downing noted that the FBI recently warned health care providers about the likelihood of such cyber attacks (http://reut.rs/1w9sZSL).

Health data are much more valuable than data from other industries because EHRs typically contain far more information, said Ms. Downing. Indeed, a single complete EHR profile can include information on health insurance, prescription drugs, financial details and Social Security numbers. That wellspring of information means a record can sell for $50 on the black market, while a Social Security number fetches only $1 (http://bit.ly/1pS2nzz).

In Australia, police have no legislative powers to charge private health sector employees or contractors who steal patient data from their employer. In fact, there is almost complete ignorance within governments, at both State and Federal levels, of the lack of powers available to any authority to charge insiders who steal personal information.

Most business owners are not even aware of the issue and only come to realise they have nowhere to go, except the civil courts, after an event. The civil process is prohibitively expensive for most small businesses, particularly after a data theft has robbed the business of its main source of revenue. And if there is no data-specific contract with the insider data thief, there is little to no chance of getting a favourable decision.

If your business is in the private health industry, it is only a matter of time before a self-entitled insider steals a patient list. To have any chance of preventing insider data theft, you need very specific data, IP and indemnity clauses in your agreements. In addition, your Privacy Policy with patients should be read, acknowledged and signed by all employees, sub-contractors and anybody else who has lawful access to the business (for example, cleaners, IT contractors, etc.). An indemnity clause should also be included and acknowledged by the signatory.

Wednesday 12 November 2014

Identity Theft Is Costing Australia $1.6 Billion

Chris Pash, Business Insider Australia

Identity crime has become one of the most common, costly and disturbing crimes in Australia, according to federal government analysis.

The total economic impact of identity crime to the economy is estimated at more than $1.6 billion each year.

And the use of fraudulent identities continues to be a key enabler of serious, organised crime and terrorism.

In 2011-12 more Australians reported being a victim of identity crime than victims of robbery, motor vehicle theft, household break-ins or assault.

New figures in a government report released today show that each year between 750,000 and 900,000 people fall victim to identity crime resulting in financial loss.

The report compiles data and information from 54 different Commonwealth, state and territory agencies, as well as the private sector.

Key findings:
  • The majority of identity crime is classified as credit card fraud and most victims lose less than $1,000.
  • The total value of credit card fraud was being driven upwards by card-not-present fraud where a transaction is made using only the credit card details and not the physical card. In 2005-06 there were more than $13 million worth of these frauds, but in 2012-13 that had reached more than $82 million.
  • About 1 in 10 identity crime victims experiences mental or physical health issues requiring treatment and around one in 17 is wrongly accused of a crime.
  • Intelligence from the Australian Federal Police and the Department of Foreign Affairs and Trade indicates that fraudulent identity documents can be purchased on the black market for as little as $80 for a Medicare card, a few hundred dollars for a birth certificate or driver's licence and as much as $30,000 for a “genuinely” issued passport with fraudulent details.
  • Of the 40,000 fraud offences proven each year in Australia, around 15,000 were enabled through the use of stolen or fabricated identities. There are also about 7,000 core identity crime offences proven each year, including activities such as manufacturing fraudulent credentials and false representations.

Now Read at Business Insider: Australian Passports Are Worth A Fortune On The Black Market And Around 9000 Go Missing Abroad Each Year

Monday 3 November 2014

ASIC white-collar crime data ‘tip of the iceberg’ in Australia

news.com.au

THE chairman of the corporate regulator fired a shot across the bow of policymakers this week, describing Australia as a “paradise” for white-collar criminals due to lax penalties.

“In Australia, it’s worth breaking the law to do the trade — it’s a big problem,” Greg Medcraft told a business lunch on Tuesday. “Civil penalties for white-collar offences are just not strong enough.” The Australian Securities and Investments Commission is the body that regulates the financial market and acts as the first line of defence in policing white-collar crimes.

Mr Medcraft, whose comments represent the latest step in a bitter dance between the financial industry and its watchdog, said consumers needed to be “extremely careful” when dealing with financial planners. Ian Ramsay, director of the Centre for Corporate Law and Securities Regulation in Melbourne, agrees with Mr Medcraft’s comments.

He says that while ASIC has become increasingly effective in policing the market, their data on white collar crime represents the “tip of the iceberg”. “There’s a whole lot of stuff that inevitably goes undetected,” Mr Ramsay told news.com.au.

So what does white collar crime actually involve?

Professor Fiona Haines from The University of Melbourne says that regulators have long struggled with a classification scheme — by its very nature it is designed to exist in the shadows of the corporate world. “Defining white collar crime is very difficult,” she said.

Nevertheless, here is your need-to-know guide on some of the types of white collar crime Australia must be tougher on.

Identity Theft Victims Lose More than Money

Marcy Gordon, CIO Today

Personal data was stolen from 100 million Americans this year in cyber attacks and thefts from retailers, banks, medical centres and hospitals. Many of them will become victims of identity theft.

While the financial hit to people and companies is real, the emotional impact can be "life-altering," says Terrell McSweeny, a member of the Federal Trade Commission, at a conference Wednesday.

It's essential "to remember that there is a human face on each of these ID crimes," she said, speaking at Google Inc.'s offices in Washington, D.C. The conference was organized by the Identity Theft Resource Center, an organization that collects data and provides advice to consumers and businesses on dealing with fraud.

Depending on the information that's stolen, problems go well beyond canceling a stolen card or changing a PIN. Criminals file false tax returns or misuse identities to get cellphone service, open utility accounts and obtain prescription drugs.

Some victims have had their names wrongly invoked in arrest reports and court records of other people's crimes. Victims say the violation brings with it anger, anxiety, sadness, shame and even suicidal thoughts.

While theft of credit card information remains the most common type of cyber fraud, medical identity theft is growing. It can result in victims being billed for medical services and prescriptions they didn't receive, or finding another person's health information in their medical records. Consequently, they can be denied health benefits or insurance.

There hasn't been an organized effort involving doctors and hospitals to combat medical ID theft in the way the financial services industry has done, said Steve Toporoff, an attorney in the FTC's privacy and identity protection division, who also spoke at the conference.

Data Theft Au: In Australia stolen identities have been used to lodge vexatious accusations with the NSW Health Complaints Commission (HCCC) and Police against other innocent victims causing lengthy investigations and false arrests only to find the claims erroneous.

In a recent case, currently before the HCCC and Police, investigators took over 11 months to establish that extremely damning vexatious claims against a doctor were false. Whilst the report was made using a stolen identity and the person using the stolen identity is known, NSW Police and the HCCC have so far refused to prosecute.

In a game of political football NSW Fraud Squad claimed the HCCC had to lodge a fraud report with them and the HCCC claimed the Police had to request information from them.

Saturday 1 November 2014

Six different directors named Roselyn Singh in the same company!

Following the wind-up of Roselyn Singh's company UTSG Consortium Pty Ltd by ASIC earlier in 2014, the appointed liquidators, Cor Cordis, attempted to contact the company's director Roselyn Singh. Singh told Cor Cordis she wasn't the Roselyn Singh they needed to speak to; it was another Roselyn Singh, and she now works somewhere else.

The liquidators failed to speak to or locate any of the other Roselyn Singhs listed as directors of UTSG Consortium. Singh also used her middle name "Kamlashni" with another DOB to register as a director, making it seven different Singhs acting as directors.

Cor Cordis finally gave up and reported to ASIC that all directors had refused to cooperate with the liquidators. Singh could be charged with providing ASIC with false or misleading information; however, an ASIC spokesperson said, in words to the effect:

"they had written to Singh and her associated companies however weren't going to do much about it".

The following UTSG Consortium Directors were listed with ASIC:
NAME               DOB           PLACE OF BIRTH
Roselyn Singh      03/03/1973    SUVA, FIJI
Roselyn Singh      29/06/1972    SUVA, FIJI
Roselyn Singh      29/06/1976    SUVA, FIJI
Roselyn Singh      29/06/1968    SUVA, FIJI
Roselyn Singh      29/06/1967    SYDNEY, NSW
Roselyn Singh      29/06/1972    SYDNEY, NSW
Kamlashni Singh    29/01/1967    SYDNEY, NSW
Joanna Matthews    19/09/1968    AUBURN, NSW
Jagwinder Virk     04/07/1976    INDIA, INDIA
Maureen Madhu      29/01/1967    Sydney, NSW
Brendon Neil       19/07/1989    Sydney, NSW
Niatmin Wong       06/04/1956    JOHOR BARU, MALAYSIA
John Frisken       16/12/1960    DUBBO, NSW

Singh stripped UTSG Consortium of its assets, leaving not even enough for the liquidators to call a creditors meeting. Roselyn Singh and son Brendon Singh are now directors at UTSG Global Pty Ltd. Roselyn Singh's DOB and Place of Birth are listed with ASIC as 29/06/1968, SUVA, FIJI.

For more information see The Roselyn Singh File

If you know more contact us

Sunday 26 October 2014

Insider Threats: Breaching The Human Barrier

By Christopher Hadnagy, Dark Reading

A company can spend all the money it has on technical solutions to protect the perimeter and still not prevent the attack that comes from within.

According to the “CERT: Common Sense Guide to Prevention and Detection of Insider Threats,” 65% of all IT sabotage attacks are non-technical and 84% of all attacks for financial gain were also non-technical. One call, that’s all. If organizations are unable to keep their own data safe, how can we as customers expect them to keep our data safe?

I see this highlighted daily in the work we do for clients. In a single 10-minute phone call to an enterprise chain store, a non-technical employee can provide my team with enough data to execute a virtual attack or onsite impersonation. The one vector that seems to always work is another insider, a fellow employee. Insiders are automatically trusted and automatically given answers to things that an outsider would never get. Therein lies the danger with insider attack. That trust can be exploited, that automatic authentication can be used to compromise.

Read more of what Christopher has to say on the insider threat . . . here

Saturday 25 October 2014

Roselyn Singh reported to AFP for identity theft.

Prolific fraudster Medical Centre owner Roselyn Singh recently used the identity of a prominent Canberra Doctor to intimidate victims of her various scams. Over 200 text messages were sent from Singh claiming to be the doctor and a lawyer named Sam. After being notified his identity had been compromised the doctor reported the identity theft to Australian Federal Police.

Roselyn Singh

The Canberra doctor's identity was first used in 2013, by a business partner of Singh, ‘Dr Salmans Baig’, to swindle over $50,000 from a Melbourne Healthcare worker. That incident was also reported to NSW Police by the victim.

What started out as an introduction, by text to a Canberra Doctor with information about Singh, quickly turned to harassment and intimidation. It became clear very quickly it was actually Roselyn Singh sending the texts.

Redacted to protect the privacy of the doctor.

The theft and use of identities by Singh and her associates to scam, harass or make false accusations to regulatory authorities and Police is a tactic often used against their competitors, unpaid ex-employees, suppliers and other victims of their many scams.

In the words of the executive officer of NSW Health Care Complaints Commission (HCCC), following complaints about Roselyn Singh using stolen identities to lodge vexatious complaints against her medical centre competitors:

"The Commission will respond to any request for information from the Police regarding this matter. The Commission does not intend on pursuing this in this instance as it does not concern an issue of public health or safety."

Senior NSW Fraud Police have stated:

"We have not received a report from the HCCC. The HCCC must first make a report to Police before it can investigate any matters concerning vexatious and false accusations causing an investigation".

Singh has also been implicated in the theft of thousands of patients' personal information in 2012 and again in 2013. Singh collaborated with competitor medical centre insiders to hack secured systems to steal sensitive personal information of patients.

The HCCC, NSW Police and the OAIC have refused to investigate the data thefts despite detailed reports, witnesses and evidence.

Roselyn Singh’s company UTSG Consortium Pty Ltd trading as Sydney City Medical Centre was wound up earlier in 2014 by ASIC owing creditors and victims of her frauds millions of dollars.

Singh refused to cooperate with the liquidators and was reported for committing an illegal phoenix. Singh immediately started a new entity ‘UTSG Global’ after shifting assets.

Roselyn Singh continues to trade by having her son Brendon Singh and her business associate Dr Salmans Baig act as directors. Her businesses include V Health Plus and Miss Earth Australia located at 40 Park Street Sydney.

If you know more contact us.

Insider Threats Still Pose Major Problems For Enterprise

By Frank Ohlhorst, Techrepublic

A survey sponsored by SpectorSoft shows that insider threats are one of the most challenging security issues to deal with for a majority of enterprises.

SpectorSoft, a user activity monitoring and analysis software firm, recently commissioned a survey to identify the top issues surrounding "insider threats" and identify some best practices to deal with those threats. The SpectorSoft 2014 Insider Threat Survey revealed some interesting facts about how enterprises are dealing with the challenges associated with insider threats.

One of the most revealing aspects of the survey is that the majority of enterprises can neither detect nor deter insider threats, making them especially vulnerable to fraud, data breaches, and intellectual property theft. The survey, which tallied the opinions of some 355 IT professionals, showed that some six in ten respondents are not adequately prepared to deal with insider threats.

Commenting on the results of the survey, SpectorSoft chief marketing officer Rob Williams said "The statistics paint a bleak picture when it comes to securing company data against insider threats". Williams added "With so many data breaches happening, C-level executives are coming to the realisation that their jobs could be on the line if company data isn't protected."

While Williams points out that insider threats could result in staff shakeups, there are some more troubling aspects to the menace of the insider threat, such as the crippling costs associated with employee fraud, coupled with the nature of insider threats which are difficult to detect due to the fact that authorised persons are misusing their authorisation.

According to Verizon's 2014 Data Breach Investigations Report, a dramatic increase in attacks has resulted in some astounding costs: $2.9 trillion in losses per year globally can be attributed to employee fraud. In the U.S. alone, organisations suffered $40 billion in losses due to employee theft and fraud, but chances are that even more fraud went undetected.

While the numbers are troubling, IT managers need not sit on their hands and hope for the best. Those numbers can spur action and help to justify investments in technologies that can tame the insider threat beast. However, those IT managers need to understand both the consequences of inaction as well as the insider threat landscape and SpectorSoft's survey does an excellent job of spelling those concerns out.

For example, the report shows:
  • 35% of organisations have experienced at least one insider threat, with the following breakdown (the total does not equal 100% as some respondents had more than one type of incident): Data leak: 49%, Fraud: 41%, Data breach: 36%, IP theft: 16%
  • Insider threats were uncovered by: IT department: 41%, Coworker: 34%, Security team: 18%, Partner: 6%, Customer: 1%
  • Losses from insider threats most-often cost less than $50,000: 70% of respondents report financial losses of under $50,000, 17% suffered losses of $50,000 to $100,000, 6% lost $100,000 to $500,000, 4% lost $500,000 to $1 million, 3% lost over $1 million
  • 61% of organizations say they are not prepared for insider threats (the total exceeds 100% as multiple factors could be cited): Lack of training: 55%, Inadequate budget: 51%, Low priority: 34%, Understaffed: 34%, Lack of technology: 31%
  • Even though 49% of respondents say they are trying to detect insider threats, 59% of these respondents admit that they cannot detect them
  • 42% say detection is harder than deterrence or detailing an attack. Why? Because it's more straightforward. It's more about technology than psychology

While those survey results should prompt action - some IT managers may be uncertain as to what that action should be. It all comes down to three critical elements, which can be defined as:
  • Deterrence: IT managers should draft and implement an acceptable use policy that spells out what is and is not acceptable for employees. That policy should also inform employees that the organisation has the right to monitor activity on company-provided devices and on the company network.
  • Detection: IT managers should identify and implement usage monitoring platforms that can provide the forensic information for investigation and also be customised to detect unusual behaviour that indicates fraudulent behaviour.
  • Details: IT Managers will find that investigating the details of an attack proves critical for preventing future attacks and also gathering evidence if prosecution is necessary. It is very important to select tools that can recreate the steps involved in an attack and identify the depth of the breach, as well as the amount of potential damage incurred.

SpectorSoft and Verizon have revealed the facts around insider threats, now it is up to IT managers to learn from those numbers and take action, before their organisations become victims of the ever growing menace of insider threats.

Sunday 12 October 2014

Companies Struggle To Deal With Insider Threats

Baseline Magazine

One of the biggest business and technology challenges facing enterprises that are attempting to batten down the security hatches is the ongoing peril of insider threats. In some cases, these breaches occur inadvertently, when employees engage in risky or negligent behavior without realizing the damage it can cause.

But threats also take place due to intentional fraud, hacking or intellectual property (IP) theft. And the nature of insider threats — an authorized person misusing or abusing access to systems and data — makes it extremely difficult to detect such attacks and protect against them.

A recent survey of 355 security professionals conducted by mobile software firm Spectorsoft offers insights into the problem, which, according to industry estimates, amounts to approximately $40 billion a year in losses in the United States alone and about $2.9 trillion globally. Among other things, the survey found that while executives across a wide swath of industries acknowledge the problem and the risks, companies are largely unable to deter insider threats — and the problem is getting worse.


Wednesday 8 October 2014

ICO Warns on Leaving Employees Walking Off With Company Info

Steve Gold - SC Magazine UK

The Information Commissioner's Office (ICO) has warned staff that walking off with the personal information of their employer when changing jobs is a criminal offence.

The warning comes in a week when a paralegal - who previously worked at Dewsbury-based Jordans Solicitors - was prosecuted for illegally taking the sensitive information of more than 100 people before leaving for a rival firm in April 2013. The UK data regulator says the information was contained in six emails sent by James Pickles in the weeks before he left the firm.

Pickles had hoped, says the ICO, to use the information - which included workload lists, file notes and template documents but still contained sensitive personal data - in his new position. He was prosecuted under section 55 of the Data Protection Act and on Tuesday fined £300, ordered to pay a £30 victim surcharge and £438.63 prosecution costs.

Commenting on the case, Stephen Eckersley, the ICO's Head of Enforcement, said that stealing personal information is a crime.

"The information contained in the documents taken by James Pickles included sensitive details relating to individuals involved in ongoing legal proceedings. He took this information without the permission of his former employer and has been rewarded with a day in court and a substantial fine," he said.

"Employees may think work related documents that they have produced or worked on belong to them and so they are entitled to take them when they leave. But if they include people's details, then taking them without permission is breaking the law. Don't risk a day in court," he added.


Three main challenges
According to Nigel Stanley, practice director for cybersecurity, risk and compliance with OpenSky UK, there are three main security challenges facing employers when it comes to tackling information theft by staff: governance, policy and procedures.

"Employers clearly need to enforce a security policy, typically using suitable technology, but there are limitations to the technology. An employee could, for instance, photograph the screen of data they are working on. That doesn't mean we shouldn't take precautions, such as locking down USB ports on a machine and so on," he said.

An incident response plan, says Stanley, is something of a must-have in these situations, as it advises managers who to call - eg legal, public relations etc., when an employee data theft situation - or similar security incident - takes place.

Response plans, he adds, are necessary, because - as the Pickles case shows - incidents like this will happen to organisations, since the insider threat is quite prevalent in many organisations.

"I've just completed this process with a client. We developed an incident response plan that advises on who to call, developed a flow chart on what happens, and what actions need to be taken. This is something that all businesses need to think about," he explained.

Tom Cross, director of security research with Lancope, said that research by US-CERT at Carnegie Mellon University breaks down malicious insider attacks into three common themes: disgruntled insiders who damage systems or data; insiders who commit fraud using information they have access to, such as credit card numbers; and insiders who steal intellectual property because they intend to use it in a new job or sell it to a competitor.

"Insiders who steal intellectual property usually do so in the last few weeks of their employment. They often feel a sense of ownership or entitlement to the things that they are stealing, because they worked on them in their jobs," he said, adding that detecting this type of data leakage can be carried out using audit trails on network activity, as well as network monitoring for anomalous data transfers, particularly during the last few weeks of a person's employment.

Toyin Adelakun, vice president of Sestus, meanwhile, says there is a lot more to covering this risk - to corporate entities as well as to individual staff members - than technology.

It is often, he said, best to address the risk in top-down fashion, using people, processes and technology, with dual controls being imposed on personally identifiable information, and the enforcement of policies through the use of IAM (identity and access management) technologies and tools.
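One way to implement the audit-trail check Tom Cross describes above, as an added example that is not code from the article or from any vendor named on this page: it compares each departing employee's daily outbound volume in the weeks before their last day against that person's own earlier baseline. The record layout, the 30-day window, the thresholds and all user names and figures are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

MIB = 1024 * 1024
WATCH_DAYS = 30           # assumption: "last few weeks" taken as 30 days
MIN_BASELINE_DAYS = 10    # assumption: shorter histories are not trusted
K = 6.0                   # assumption: robust z-score needed to flag a day
FLOOR_BYTES = 50 * MIB    # assumption: ignore days below 50 MiB outright


def robust_score(value, baseline):
    """Distance of value from the baseline median, in units of scaled MAD."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    # 1.4826 * MAD approximates a standard deviation for normal data; when
    # the MAD is zero (flat history) fall back to 5% of the median.
    scale = 1.4826 * mad if mad > 0 else max(0.05 * med, 1.0)
    return (value - med) / scale


def flag_leaver_transfers(transfers, leavers):
    """transfers: iterable of (user, day, bytes_out) from proxy/mail/DLP logs.
    leavers: {user: last_day} from HR. Returns findings for watched days."""
    daily = defaultdict(lambda: defaultdict(int))
    for user, day, nbytes in transfers:
        daily[user][day] += nbytes          # several records per day add up

    findings = []
    for user, last_day in sorted(leavers.items()):
        window_start = last_day - timedelta(days=WATCH_DAYS)
        per_day = daily.get(user, {})
        baseline = [b for d, b in per_day.items() if d < window_start]
        watched = sorted((d, b) for d, b in per_day.items()
                         if window_start <= d <= last_day)
        for day, nbytes in watched:
            if nbytes < FLOOR_BYTES:
                continue
            if len(baseline) < MIN_BASELINE_DAYS:
                # New starters and rarely-seen accounts have no usable
                # baseline: surface large days for manual review instead
                # of silently passing them.
                findings.append({"user": user, "day": day, "bytes": nbytes,
                                 "reason": "no_baseline", "score": None})
                continue
            score = robust_score(nbytes, baseline)
            if score >= K:
                findings.append({"user": user, "day": day, "bytes": nbytes,
                                 "reason": "above_baseline",
                                 "score": round(score, 1)})
    return findings


# Constructed HR feed: three people leaving on the same day.
LEAVERS = {"alice": date(2014, 4, 30), "bob": date(2014, 4, 30),
           "carol": date(2014, 4, 30)}


def build_sample():
    """Constructed transfer records, not real logs."""
    rows = []
    start = date(2014, 2, 3)
    for i in range(40):                     # history before the watch window
        day = start + timedelta(days=i)
        rows.append(("alice", day, (4 + i % 3) * MIB))         # 4-6 MiB/day
        rows.append(("carol", day, (290 + 10 * (i % 3)) * MIB))  # heavy user
    for i in range(3):                      # bob has only three days on record
        rows.append(("bob", date(2014, 3, 10) + timedelta(days=i), 2 * MIB))
    rows += [
        ("alice", date(2014, 4, 10), 5 * MIB),      # ordinary day
        ("alice", date(2014, 4, 22), 500 * MIB),    # two large uploads on
        ("alice", date(2014, 4, 22), 300 * MIB),    # the same day
        ("carol", date(2014, 4, 15), 320 * MIB),    # normal for carol
        ("bob", date(2014, 4, 25), 200 * MIB),      # large, no baseline
        ("dave", date(2014, 4, 20), 2000 * MIB),    # not a leaver: out of scope
    ]
    return rows


if __name__ == "__main__":
    for f in flag_leaver_transfers(build_sample(), LEAVERS):
        print(f["user"], f["day"], f["bytes"] // MIB, "MiB", f["reason"], f["score"])
```

Scoring against the individual's own history is what keeps a routinely heavy user from drowning out the one account whose behaviour actually changed.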

Defend your data
Professor John Walker, a visiting professor with Nottingham-Trent University's School of Science and Technology, said that the need to defend data in an employee-company situation is all the more necessary today, when words of agreement do not result in real security.

If a company does not tie down its active directory and its access control lists, he says, it will likely hit security problems.

"Allowing employees to populate open shares containing PCI-DSS data, client data and a plethora of sensitive and business-related data, is becoming all too common," he explained, adding that the appointment of young and inexperienced security managers in our industry is only adding to the potential scale of the problem.

Saturday 4 October 2014

Medical Data Worth More On The Black Market Than Credit Cards

iHealthBeat

Patients' medical information is worth about 10 times more than credit card numbers on the black market, and medical identity theft often is harder to recognize, according to cybersecurity experts, Reuters reports (Humer/Finkle, Reuters, 9/25).

Background

Last month, FBI issued a flash alert warning to health care organizations that they are being targeted by hackers.

In the notice, the FBI said the agency "has observed malicious actors targeting health care-related systems, perhaps for the purpose of obtaining protected health care information and/or personally identifiable information."

The alert came days after Community Health Systems announced that an external group of hackers attacked its computer network and stole the non-medical data of 4.5 million patients.

The CHS incident is the second largest HIPAA breach ever reported and the largest hacking-related HIPAA data breach ever reported (iHealthBeat, 8/21).

Security Experts Weigh In on Patient Data Theft

In interviews with Reuters, nearly a dozen health care executives, cybersecurity investigators and fraud experts explained the appeal of health care data for cyber criminals.

Don Jackson -- director of threat intelligence at PhishLabs, a cybercrime protection company -- said that stolen health credentials can be sold on the black market for $10 each, or about 10 or 20 times more than the price of a U.S. credit card number.
Experts say medical data thieves are most interested in:
  • Billing information;
  • Birth dates;
  • Diagnosis codes; and
  • Policy numbers.

They note that thieves can use such data to:
  • Create fake IDs to purchase medical equipment or prescription drugs that they can resell; or
  • File false claims with insurers by combining a patient number with a false provider number.

According to Reuters, medical data theft is not as easy to identify as credit card theft, meaning thieves have more time to reap benefits. For example, many patients do not discover their medical data have been stolen until after unpaid bills using a patient's medical ID have been sent to a debt collector who contacts the fraud victim to seek payment (Reuters, 9/24).

Monday 29 September 2014

Identity theft, credit fraud, on the rise

Yahoo7 / aap

Almost $2 billion worth of credit applications in the past year were flagged as potential fraud risks, with identity theft fast becoming the modus operandi for fraudsters.

Credit information company Veda analysed $1.6 trillion worth of credit applications in the year to June 30 and found that $1.9 billion worth of those applications posed fraud risks.

Veda red-flags applications if any of the details, like address or driver's licence, are associated with a previous known fraud.

Red-flagged applications have increased by 52 per cent in two years and are rising as a percentage of all credit applications, the company says.

Veda's general manager of fraud and identity solutions Imelda Newton said a number of lenders were processing high-risk applications, unaware of the possible links to fraudulent activities.

Ms Newton said identity theft was the fastest growing form of credit application fraud, as fraudsters continuously change their tactics.

"What we've found is that the fraudsters have adopted using stolen identities as opposed to using fictitious identities," Ms Newton said.

"In fact, over the past year, we've seen the use of those stolen identities increase 103 per cent." The information can be collected by fraudsters breaking into people's homes, taking mail from their letter boxes or stealing wallets and handbags, Ms Newton said.

The fraudster then assumes the victim's identity and applies for credit in their name. Ms Newton says people can protect themselves against identity theft by putting an alert on their credit file.

Monday 22 September 2014

Miss Earth Australia - A Scam!

A little investigating reveals what is really going on with this "not-for-profit" event.

Miss Earth Australia was founded over 11 years ago by Maria James. The pageant was run as a lead up event to Miss Earth International and funds raised by the Australian pageant were provided to or supported various local environmental causes including having contestants involved in tree planting and similar activities.

Until 2012 Miss Earth Australia was a registered not-for-profit, well respected event on the Australian pageants calendar.

In 2013 Roselyn Singh offered to sponsor the Australian event and from this point on things start to get really interesting.

Sponsorship has traditionally been raised to pay expenses associated with staging the event, including paying a license fee to the owners of Miss Earth events worldwide, Carousel Productions Inc, venue and catering, lighting and sound, video production, suppliers, workers and various other out of pocket expenses. Monies raised through event ticket sales, volunteers, contestants and from donations were then allocated to various local environmental causes.

"Miss Earth Australia" posted the following on their "Official" Facebook page for the 2014 event:

14 Sept 2014: a significant milestone of the new Miss Earth Australia pledging tribute to 'Beauty for a Cause'... standing together for life, for love..for humanity...let the good shine so no one is left behind...

The following appears on the official "Miss Earth Australia 2014" website;

The Miss Earth Australia Organisation is a designated 'not-for-profit' entity . . . . .

The current proceeds of profit of Miss Earth Australia 2014 Pageant are dedicated to 'victims of abuse and violence'.

Roselyn Singh, PhD
PRESIDENT


Now let's take a closer look at what Roselyn Singh and her business partners Dr Salmans Baig and John Frisken have really been up to since their coup de grâce in 2013:
  1. Just prior to the event being staged in 2013, Roselyn Singh claimed ownership of the event, dismissed the original founder and workers who had spent hundreds of hours organising the event and then, to add further insult, refused to pay any of them the wages and expenses owed.

    Infiltrating businesses to steal their IP is a particular fraud that originated overseas, was perfected by Singh and used to get the Miss Earth Australia event away from its original owners. We will publish more on this particular scam in a future post.

  2. Roselyn Singh and her business partner John Frisken set up a new website "missearthanz.com.au" and then stole images and plagiarised most of the content (IP) from the now sacked original owner's website.
  3. Ms Renera Thompson, the eventual winner of Miss Earth Australia 2013, was asked by Roselyn Singh and John Frisken to pay her own way to the Miss Earth International 2013 event held in the Philippines, including airfares and accommodation, and to provide receipts for reimbursement. Neither Singh nor Frisken has ever paid the more than $10,000 they owe Ms Thompson.
  4. Miss Earth Australia is no longer a registered not-for-profit event and no monies have been provided to any environmental causes, other causes or charities from either the 2013 or 2014 event.
  5. Miss Earth Australia was caught passing off on a senior Liberal Party Politician's name and photograph. Singh was told to immediately remove all references to the Politician, Liberal Party logos and any other associated IP from the Miss Earth Australia website and other websites owned or populated by Roselyn Singh.
  6. Miss Earth Australia was caught passing off on the National Breast Cancer Foundation. Singh was told to immediately remove all references, logos, any other IP from the Miss Earth Australia Website and other websites owned or populated by Roselyn Singh. Read more
  7. Miss Earth Australia was caught passing off on the Macquarie Networks two leading brands 2GB and 2CH. Singh was told to immediately remove all references, logos and associated IP from the Miss Earth Australia website and any other websites owned or populated by Roselyn Singh. Read more
  8. Roselyn Singh passed herself off as a lawyer named "Sam" and sent intimidating texts to a supplier. Most suppliers to the 2013 event have never been paid.
  9. Roselyn Singh and John Frisken's company UTSG Consortium Pty Ltd was wound up by ASIC earlier this year owing millions to creditors and victims of their many scams. Singh refused to cooperate with the liquidators and was reported to ASIC for committing an illegal phoenix. Singh moved the assets to other entities including UTSG Global Pty Ltd.

    There are six different Roselyn Singhs and another Singh, using Roselyn Singh's middle name (Kamlashni) as a first name, registered as directors with the Australian Securities and Investments Commission (ASIC). You would have to assume John Frisken, Singh's business partner at Miss Earth Australia and a director of UTSG, would have to have known Roselyn Singh had created 7 different identities all acting as directors of the same company. Read More.
  10. Roselyn Singh stripped the Miss Earth Australia 2014 event winner, Dayanna Grageda of her crown with no plausible explanation other than Dayanna supposedly didn't fill in some paperwork which, when investigated, turned out to be a crock - Read Story here.
Miss Earth worldwide event owners Carousel Productions Inc. continue to support Singh, Frisken and Baig despite the many complaints about their consistently improper behaviour.

And, just to give these characters (Singh, Baig and Frisken) credibility a bit more of a nudge, Roselyn Singh doesn't actually have a doctorate or any other tertiary qualification. The verifications officer in academic records for University of Sydney, where Singh claims to have obtained her MBA, BComs (Hons) and PhD has no record for a graduate named "Roselyn Singh".

In 2013 Dr Baig used another doctor's identity to swindle a Melbourne Healthcare Worker out of over $50,000 and Frisken assisted Singh in producing false evidence to NSW Police to have a competitor to Singh's medical centre arrested. Police have been sued for false arrest and the case is being further investigated.


With the experience Singh has misleading and deceiving almost everybody she comes into contact with maybe she should write a thesis on "how to get away with fraud".

Makes you wonder what Miss Earth pageants around the world might really be up to these days.

Beauty for a cause . . indeed.

If you know more please contact us

Maintaining your defences

By Stephen Cavey, Australian Ageing Agenda

Recent legislation has put the onus on aged care providers to review their privacy management procedures and ensure the client data they keep is secure, writes Stephen Cavey.

The security of client information is a fundamental concern for health and aged care providers, and is at the heart of the relationships of trust held between consumers and service providers.

In every privacy debate in Australia for the past 30 years, concerns about the integrity and security of client data have been the number one issue. Therefore, the health and aged care sectors understand very well the importance of protecting client data. As an industry, healthcare providers and government agencies are considered leaders among security professionals given the critical nature of the data they protect.

However, the broader technology landscape has shifted dramatically and ubiquitous connectivity has given rise to a broad spectrum of online services, such as cloud computing, or the universal adoption of smartphones, which has changed the way we all do business and the way that customers interact with businesses.

These developments in computing and network infrastructure have fundamentally changed the way security issues are dealt with. This is as true for the aged and health sectors as it is for any other.

New powers

Recent government legislation related to privacy in Australia is forcing health and aged care providers to conduct a detailed review of how personal information is being stored. The Australian Privacy Commissioner has been granted significant new powers to punish companies that “leak” personal information.

This is particularly important to small healthcare practices, because the issue of ‘personal information’ extends well beyond the details of ‘client information’ and even beyond a client’s ‘financial information’ such as credit card numbers and bank details.

In an age where identity theft and other fraud-related cybercrime is increasingly a problem, personal information also includes all potential identifiers – names, addresses, birth dates, driver’s licence numbers or other identity documents. Most companies whether they are in the health and aged care sector or in the broader business community are not aware of just how much exposed personal data they retain on their corporate IT systems.

If there is one trend I urge all aged care providers and chief information officers to understand, it is the concept of ‘data centric’ security. Traditionally, IT systems have been protected by creating a secure barrier around your company’s data to keep unauthorised users out. That is the basic philosophy of perimeter security, and it refers to the firewalls and basic authentication systems that accompany them.


Monday 1 September 2014

Identity theft haunts the health industry

By Laura Shin - Fortune (USA)

Unlike the financial services industry, health care companies lack measures to adequately prevent identity theft, even as they continue to digitize medical records and other sensitive information.

Twelve years ago, when Nikki Burton was 17, she tried to donate blood for the first time. She was denied without explanation. Perplexed, the Portland, Ore. resident called Red Cross headquarters to inquire, only to learn that her Social Security number had been used to receive treatment at a free AIDS clinic in California, rendering her ineligible to donate blood.

Years later, she wondered if, when asked whether she had any pre-existing conditions, that instance of fraud might show up. So she called the Red Cross again. The organization told her that it no longer asked for Social Security numbers and she could donate blood without it. “I said, that’s fine for you guys to receive the donation, but that doesn’t solve the problem of that information existing in your system,” Burton says. “What if it got out?”

In 2013, the health care industry experienced more data breaches than it ever had before, accounting for 44% of all breaches, according to the Identity Theft Resource Center. It was the first time that the medical industry surpassed all others, and stood in stark contrast to the financial services industry, which represented just 3.7% of the total.

Identity theft is so pervasive in health care that, according to a 2013 ID Experts data security survey of 91 healthcare organizations, 90% of respondents had experienced a data breach in the previous two years and 38% had had more than five incidents. The leading causes of a breach are typical for any business: a lost or stolen computing device, an employee error, a third-party snafu. There’s also “Robin Hood fraud,” in which someone knowingly gives a friend or family member information to fraudulently receive health care. But one cause has grown in importance: Criminal attacks have doubled in the last four years, according to the survey. (A good example: the theft of 4.5 million records this month at hospital operator Community Health Services.)


Thursday 28 August 2014

Roselyn Singh caught passing off . . again!!

Roselyn Singh owner of Miss Earth Australia has been caught passing off on two of the Macquarie Networks brands 2GB and 2CH.

The Miss Earth home page carousel featured an image showing the logos for 2GB and 2CH and the words "Profiled, Business of the Month August 14". This image appeared when users first arrived at the website for "Miss Earth Australia".


A spokesman for the Macquarie Network said "we do run a business of the month award but this business is not part of it".

In the past week Roselyn Singh has been caught passing off on the National Breast Cancer Foundation, the Macquarie Network and acting as a lawyer named “Sam” to intimidate a creditor and slander a victim of one of Sydney’s largest data and IP thefts perpetrated by Singh and her associates in 2012 and again in 2013.


Redacted image showing some of over 15 intimidating texts sent by Singh using the alias "Sam". Names of victims removed to protect their privacy

Roselyn Singh is a prolific untouchable fraudster who has had numerous complaints against her and her businesses for various fraudulent activities including refusing to pay employees, passing off as a not-for-profit, illegal phoenix, false accusations against competitors causing investigations of innocent persons, data and identity theft.


Unfortunately, none of the regulatory authorities, including ASIC, Fair Trading, HCCC, AHPRA, ACNC, Fair Work and Fraud Police, have considered her misdeeds worth investigating or have the legislative powers to prosecute her, despite the weight of numerous complaints, accumulating evidence and victims.

If you know more or are a victim of Roselyn Singh contact us.

Miss Earth Australia passing off on National Breast Cancer Foundation - Read more

Tuesday 26 August 2014

Miss Earth Australia passing off on National Breast Cancer Foundation

Following a passing off complaint, the organisers for Miss Earth Australia have been told to immediately remove all references to National Breast Cancer Foundation (NBCF), including the NBCF logo, from websites and Facebook and any other communications associated with Miss Earth Australia, V Health Plus - Sydney City Medical Centre (located at 40 Park Street Sydney) and V Plus Foundation.

The organisers claim the Miss Earth Australia Organisation is a "designated not-for-profit entity" however there is no listing with the Australian Charities and Not-for-profits Commission (ACNC).

President of Miss Earth Australia, Roselyn Singh PhD, also claims V Plus Foundation and VHealth Plus are not-for-profit organisations. None of these organisations are registered with ACNC.

Singh is no stranger to the frauds of passing off. Singh has claimed to be a doctor holding a PhD, MBA, BComs (hons), MBBS Forensic Pathology and has passed herself off as owning a number of well-established medical centres in Sydney's CBD. Singh holds no tertiary qualifications, never owned the centres she claimed to own and has been reported to ASIC and Fair Trading for passing off and misleading and deceptive conduct, and to Police for identity theft and false accusations causing an investigation.

A company owned by Singh, UTSG Consortium Pty Limited trading as Sydney City Medical, was wound up by ASIC earlier this year owing millions to creditors, employees and victims of her various scams. Singh was reported by liquidators, Cor Cordis, to ASIC for committing an illegal phoenix.

Last year's winner of the Miss Earth Australia Pageant, 'Renera Thompson', and various suppliers are still owed thousands from the 2013 event. No one knows what happened to the funds raised by contestants and volunteers for the event.

If you know more please contact us.

Registered Not-For-Profit search.

Friday 8 August 2014

Privacy Commissioner details 'reasonable steps' for data security

By Paris Cowan - ITNews.com.au

The Office of the Australian Information Commissioner (OAIC) has finally released comprehensive guidance on the information security provisions it expects organisations to have in place to ensure they stay on the right side of the Privacy Act.

The new legislation, which applies to all entities turning over more than $3 million in a year, states that in the case of a company’s information stores being violated or destroyed, the entity will be held in breach of the Act unless it took “reasonable steps” to protect that data in the first place. Since March, the OAIC can hand out fines of up to $1.7 million.

But exactly what these “reasonable steps” involve is a question that has puzzled Australian business since the legislation was unveiled.

To address the uncertainty, the OAIC today released a comprehensive guide to avoiding the Privacy Commissioner’s condemnation.

The document is not binding, but the Office said it is the checklist it plans to use when assessing whether an entity is liable for a data breach or whether it has met its obligations under the Privacy Act.

Read more . . . .

The OAIC is inviting feedback on the guidance until Wednesday 27 August 2014.

Our Submission to OAIC.

Friday 20 June 2014

Govt Refuses to Support Privacy Alerts Bill

By Allie Coyne, itnews

The Coalition Government has refused to back a reinvigorated bill that would force companies to notify customers of a data breach, saying while it agrees with the concept in principle, the proposed legislation needs more work.

In March this year Labor Senator Lisa Singh re-introduced the lapsed Privacy Alerts Bill, which failed to be heard in the Senate before the upper house closed ahead of the 2013 federal election.

The text of the current Privacy Alerts Bill 2014 is identical to the Privacy Alerts Bill 2013. It seeks to compel entities that suffer a serious data breach - involving personal, credit, or tax file number data - to notify the Privacy Commissioner and individuals affected as soon as possible.

The previous bill received unconditional support from a parliamentary committee investigating the issue, but Coalition senators at the time expressed concerns about a lack of definition around terms like “serious breach” and “serious harm” in the bill, along with the speed in which the legislation was drafted.

Coalition senators today repeated the same concerns in a second reading of the bill in the Senate, arguing that by re-introducing a bill with identical text as the previous "rushed" bill, Labor had failed to address the issues highlighted in the last round of debate.

Data Theft: "The Bill has not been well thought out and has not taken into consideration many of the submissions made by key stakeholders."

Read more . . . .

Data Theft Submission - August 2013

Saturday 14 June 2014

Your Biggest Cybersecurity Threat Isn't Coming From the Outside

by Elizabeth Palermo, Business News Daily Contributor

The biggest threat to your company's cyber security isn't malware, phishing scams or even hackers — it's you. In a series of studies published last week, three security research firms asked employees at midsize businesses across America about the biggest threats to corporate cyber security. And while the surveys each pointed to slightly different culprits, the verdict was clear: employees are the weakest link in the security chain.

The largest of the three studies — a Stroz Friedberg online survey of more than 700 information workers — found that senior management may be the biggest threat to an organization's digital well-being. Fifty-eight percent of senior managers reported having (digitally) sent sensitive information to the wrong person. Compare that with just 25 percent of lower-level employees guilty of the same misstep. And more than half of all senior managers in the study admitted to taking files with them after they left a job. Only 25 percent of rank-and-file employees were found to have done the same.

The Stroz Friedberg study also found that 9 in 10 senior managers admitted to uploading work files to personal email and cloud-based accounts, a faux pas that could lead to intellectual property theft and attacks on corporate networks.

Sunday 1 June 2014

Insider Data Theft - Is your business safe?

Insider data theft incidents are to be taken seriously. In this digital information age, it has become increasingly important to protect your company's intellectual property. In many business cases IP will be the most valuable asset on the company's balance sheet.

Job function often requires authorised access to IP assets and it is the misuse of this access that provides the keys to the safe.

One of the most common data thefts is the copying or removal of customer lists by an employee for use at their next job, which is often with a competitor, or to help start a new business as a competitor. It happens so often in Australia that it is almost an accepted norm. In many instances part or all of the employer's customer list will be on a company-provided mobile device or a BYOD.

Ex-employees often believe they have an entitlement to customer lists or other IP if they have contributed to it whilst working for their employer. However, despite this misguided belief, they rarely ask their employer whether they can remove or copy this information before leaving with it.

Data can be disseminated in seconds and once IP has left the building the encore can be financial devastation for company owners, employees and their families regardless of any legal remedies available to the employer.

Often, following a data theft, the ex-employer's customers are contacted within hours of an insider leaving their previous employer. The contact is usually by SMS, email or both, sent to inform the customer of a change of address for their service or product provider.

It is rare that the customer would think any more of the email or SMS than that it is a courtesy to update their address book. In a recent case the data thief used her ex-employer's company name as part of the reply address in an email to the stolen customer list and built a web page including the ex-employer's company name throughout the text. According to personnel at ASIC and Fair Trading this is not regarded as a serious enough matter to investigate for passing off or deceptive conduct.

Unlike embezzlement, there is no preventive threat of a fraud charge for the insider data thief. The only recourse is the civil courts, a lengthy, often prohibitively expensive road to justice.

In Australia theft of IP by insiders is not a crime. There is no legislation that provides State or Federal Police with powers to charge ex-employee data thieves and complaints to Governing Regulatory Authorities or Associations will be lucky to receive a response let alone a reprimand or some form of sanction for the data thief.

In fact, under recently introduced amendments to the Privacy Act, you and/or your business may be heavily fined by the Privacy Commissioner for not providing adequate security over customers' personal information, whilst the data thief remains immune from prosecution.

Industries most affected by data theft are health, real estate, online shopping, accounting and legal, to name some. However, all businesses with valuable IP can be at risk of insider data theft.

Pre-planning and developing policies, security measures and employee / contractor agreements are key to preventing or responding to an insider threat or intellectual property theft.

If you need assistance in data theft prevention contact us.