I spent 35 years in the junk mail industry selling your names and personal data, making a lot of money doing it. That’s the reason companies are so anxious for you to reply to their offers, asking you to “tell them all about yourself.” All about yourself garners over $4 billion annually for junk mailers and data brokers who hawk your private information like any other commodity. Years ago when I started in the business, security was at the bottom of the priority list. Profit was number one.
This has changed in the last few years, with the number of personal data breaches soaring and identity theft becoming the top consumer complaint according to the Federal Trade Commission. The top five states in 2010 were Florida, Arizona, California, Georgia and Texas; South Dakota was last. You can see the full FTC report here. The largest age group hit was 20 to 29, followed by 30 to 39, then 40 to 49. Those aged 60 and over surprisingly accounted for only 13 percent.
And then there was the massive hack of RSA’s SecurID tokens in March of this year. SecurID is a two-factor authentication product that RSA supplies to some 40 million customers to keep unauthorized users out of their data systems. Along with the normal username and password, a login requires a constantly changing code displayed on a key fob or software token, which must also be entered.
With what they took from RSA, the hackers could now possess the keys to get around that second layer of protection on its customers’ systems.
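To make concrete what that second factor adds, and why stealing the per-token secret undoes it, here is an added example that is not code from the original post or from RSA: a toy server that checks a one-time code the way a time-based token would. It uses the public HOTP/TOTP construction from RFC 4226 and RFC 6238 rather than RSA’s proprietary SecurID algorithm, and the token ID, seed and timestamp are made up.

```python
"""Added illustration: how a time-based one-time-password (OTP) token works, and why
leaking the per-token secret ("seed") breaks the second factor.

Public HOTP/TOTP construction (RFC 4226 / RFC 6238), NOT RSA's proprietary SecurID
algorithm. The token ID, seed and timestamp below are constructed for the example.
"""
import hashlib
import hmac
import struct

# Constructed per-token secret, as a token vendor's or server's database would hold it.
TOKEN_SEEDS = {"alice-token-0001": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")}

DIGITS = 6
STEP_SECONDS = 60  # one new code per minute (TOTP's default is 30 seconds)


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step)


def verify_second_factor(token_id: str, submitted_code: str, unix_time: int,
                         skew_steps: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- skew_steps
    of clock drift. hmac.compare_digest keeps the comparison constant-time."""
    seed = TOKEN_SEEDS.get(token_id)
    if seed is None:
        return False
    base = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(seed, base + d), submitted_code)
        for d in range(-skew_steps, skew_steps + 1)
    )


def attacker_with_seed_passes(token_id: str, stolen_seed: bytes, unix_time: int) -> bool:
    """Whoever holds the seed computes exactly the code the physical fob shows,
    so the 'something you have' factor collapses to the stolen password alone."""
    return verify_second_factor(token_id, totp(stolen_seed, unix_time), unix_time)


if __name__ == "__main__":
    now = 1_300_000_000  # constructed timestamp, mid-March 2011
    seed = TOKEN_SEEDS["alice-token-0001"]
    code = totp(seed, now)
    print("fob shows:", code,
          "accepted:", verify_second_factor("alice-token-0001", code, now))
    print("same code two minutes later accepted:",
          verify_second_factor("alice-token-0001", code, now + 2 * STEP_SECONDS))
    print("attacker holding the stolen seed accepted:",
          attacker_with_seed_passes("alice-token-0001", seed, now))
```

The point of the last function is the whole story of the breach: the code on the fob is not random, it is a function of a secret and the clock, so anyone who copies the secret database can replay the fob without ever touching it. A real deployment would also track the last-used counter per token to stop a captured code from being reused inside the skew window.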
RSA described the attack as an “advanced persistent threat” (APT), an approach that involves “…patient, skilled, well-funded attackers…” It was carried out in three stages. First, “phishing” emails were sent to employees of the target company. In RSA’s case, one employee opened the message and then opened an attached Excel file. Bingo: the malware hidden in the spreadsheet installed a backdoor on the machine.
Second, the hacker, now in control of the employee’s computer, stole his or her credentials and used them to move into other systems where sensitive data was housed. Third, the files taken from RSA were moved to a hacked machine at a hosting provider, from which the hacker downloaded them.
The security industry believes there have been other victims, companies not willing to talk as openly as RSA did. Companies named in connection with the RSA breach include giants like Amazon, Google, Facebook, Yahoo and Microsoft. Other large corporations were Charles Schwab, Freddie Mac, Wells Fargo, Intel and IBM. Government agencies named were the General Services Administration and the IRS.
Security analyst Brian Krebs said: “The sheer number of corporations mentioned in the list proves that no one is safe from attack.” He added: “That’s why these attacks are called ‘advanced persistent threats.’ They often carry on for years without anyone knowing.” But RSA says that, to the best of its knowledge, no damage has been done, and some of its client companies may have fended off the attacks unharmed. You can see a list of all the companies involved here.
There is a treasure trove of personal data in this list which could yield the bad guys just about any information they wanted on most individuals in the U.S. And this is only the beginning. The key fobs or tokens were on the Internet underground within hours, and many of us won’t know for months, perhaps even years, if our private information is going to be stolen.