Business identity theft and personal identity theft are very similar. Protected information is stolen by thieves and then used for financial gain. Quite often the perpetrator that steals the information is not the same perpetrator that uses it for financial gain.
The first perpetrator, the one doing the stealing, is the hacker who breaks into a system. They take the stolen data and sell it on a website in an area typically known as the dark web. The dark web is not as mysterious as it sounds. A dark website is basically a site that will not come up through a normal search engine inquiry. After the data is posted, a second perpetrator goes to the known dark site and bids on the stolen information, usually credit card or bank account data. How much the second perpetrator pays is based on the quality of the information. Older information is worth less than newer information. Credit card numbers with expiration dates and CV2 numbers are worth more than those without.
Businesses are different from individuals. Businesses are different from individuals in that businesses hold protected information that belongs to others. Businesses hold information belonging to their employees, customers and suppliers. In addition to names and addresses, quite often the business holds social security numbers, federal identification numbers and bank account numbers used for electronic payments. Business owners and managers also quite often assume that the credit and debit card loss protections afforded consumers apply to businesses as well, which they do not. Therefore, the risk of loss due to identity theft for a business is greater than that of an individual.
So how does the identity theft actually occur? In a simple example, the perpetrator scans the Internet for devices (or networks) that are connected to the Internet and do not have up-to-date firewall and malware detection. Once a device is identified, a brute-force attack tool is used to guess whatever passwords exist on the device. Another type of malware called a RAM scraper is then installed on the device and begins to search its memory for protected information. The ability of malware to identify protected information stored on a device is amazingly powerful. A third component, data-exfiltration malware, then transmits the protected information back to the original perpetrator.
Ransomware is becoming common. Ransomware is a virus that invades a company’s network and encrypts the data so that users lose access to it. A message appears demanding a ransom fee of hundreds or thousands of dollars to decrypt the data. If the ransom is paid in accordance with the instructions in the message, the data, hopefully, is restored. According to FBI cyber division Assistant Director James Trainor, “Paying ransom doesn’t guarantee an organization that it will get its data back – we’ve seen cases where organizations never got a decryption key after having paid the ransom.”
Bank anti-fraud protections are only marginally successful. Businesses should not rely solely on bank anti-fraud protections. Banks have become big proponents of anti-fraud protections and rightly so. However, a recent study by the Ponemon Institute indicated that bank responses when customer accounts have been compromised were only marginally successful.
- 33% of the time the bank was unable to stop the fraud and the money was stolen.
- 28% of the time money was stolen, but the bank recovered only some of the stolen funds.
- 12% of the time money was stolen and the bank recovered all of the funds.
- Most significantly, in only 16% of the cases was the bank able to identify the compromised account and prevent the transfer of the funds.
What does a business do if its data gets compromised? A business must take reasonable measures to keep protected information secure. If a business suspects (or confirms) that protected information has been disclosed, there are two issues that have to be addressed.
- The business must determine the extent of the protected information lost. The business’s IT manager may be able to make this determination. If not, a forensic IT specialist will need to be brought in.
- By law, the parties affected by the disclosure must be notified. The notification letter requires specific language, which should be drafted by a qualified attorney. An unreasonable delay in sending the letters subjects a business to possible regulatory sanction by the attorney general. If the business does not have current contact information for any of the affected parties, a press release is required.
Have a plan. Rather than assume or hope identity theft will never happen, business owners and managers need to know how their company is safeguarding its data. They should have a plan for how to respond should the business suffer a loss of data.

Bert Davis Jr., CPA, CFE, CFF