by Felicien | Dec 3, 2018 | Education
Heads up if you’ve stayed or made reservations at a Marriott or Starwood property over the last decade. A major security issue was just announced and the scope of the problem is actually quite astonishing. Here’s what you need to know about the Marriott International data breach.
What is the Marriott Data Breach?
On November 30th, Marriott International announced that the private information of up to 500 million guests became compromised. The breach is one of the largest in history and brings up a variety of concerns regarding consumer privacy safety.
They noted that an internal tool recognized a data breach in September, but wasn’t able to confirm the issue was part of the Starwood database until November. Further investigation revealed that the problem has happened since as far back as 2014 and that the exact breadth of the issue isn’t yet known.
Who is Affected by the Marriott Data Breach?
To be blunt, 500 million people is a lot. If you’ve traveled on business in the past or regularly stay at the hotel chain’s properties, your personal data is likely compromised. Additionally, those who merely made reservations but never actually stayed the night are also included in the breach.
According to NBC News, Marriott also reported that for 327 million of those people, the information includes some combination of a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. Encrypted credit card information is also likely stolen, but the company isn’t yet sure if the thieves were able to reveal account numbers.
An additional report also suggested that employee information might have even been compromised, especially in situations where workers took advantage of employee discounts to stay at hotels around the globe.
What is Marriott Doing After the Data Breach?
While the initial statement from the company was vague, they have taken steps to improve the situation by hiring the public relations firm Kroll. Those concerned about being part of the Marriott data breach may check for more information at a website provided by the hotel chain.
Maryland Attorney General Brian Frosh is opening an investigation into the incident, citing the company headquarters in his state as the reasoning for his inquisition. Additionally, New York planned to look into the incident and other states where the company has properties are likely to follow. There is no word yet on how the breach is being reviewed internationally.
Furthermore, within hours of the news, a class action lawsuit for 12 billion dollars was filed by Ben Meiselas of Geragos & Geragos. The suit is on behalf of two plaintiffs who feel duped by the company not immediately admitting there was a security issue. In other cases in the past are any indication, there’s likely to be a settlement out of court soon.
What Can Other Companies Learn from Marriott’s Data Breach?
At this time, it is hard to tell what other companies can learn from Marriott International’s data breach since news of the incident is still relatively recent. Other companies have faced similar issues in the past, such as Yahoo’s admission earlier this year that the three billion accounts had information hacked and Under Armour’s data breach of 150 million MyFitnessPal user accounts. Those companies were able to provide customers with free credit monitoring to try to earn back trust, but time will still tell on how it affects each firm’s reputation overall. Both have made attempts to increase application cybersecurity.
In short, if you have made a reservation or stayed at a Marriott Hotel or Starwood property in the last few years, it is wise to invest in some version of identity theft monitoring. Also, consider additional discussion and concerns with your lawyer general and by making a claim on Marriott’s data breach website.
by Felicien | Nov 30, 2018 | Education
How Marriott Got Caught In A 500-Million Person Data Breach
Were You Affected? (Your Questions Answered)
What Do We Need To Know About The Marriott Breach?
Another big corporation got hooked. This time it was Marriott International. They just revealed that their Starwood reservations database of 500 million customers was hacked and that the personal information of up to 327 million guests was stolen. And, this has been going on since 2014!
How Did This Happen?
On September 8, 2018, Marriott was alerted about an attempt to access the Starwood guest reservation database.
They contacted leading security experts to help them determine what occurred. Marriott said that the hacker copied, encrypted and removed their customers’ data.
On November 19, 2018, Marriott was able to decrypt the data and learned that it was from the Starwood guest reservation database.
Marriott acknowledged that the encryption security keys for this data may have fallen into the hands of hackers. This allowed them to access the massive amount of data. Secure systems lock up data and should store the encryption keys in a location that’s separate from the confidential information.
Some good questions to ask here are:
“How did the criminals get Marriott’s encryption keys?
“Why did it take so long for Marriott to reveal the breach?” They learned about it in September which is over two months ago.
And, this was a 4-year long breach! “Why didn’t Marriott know that their customers’ data was being stolen over this long period?”
Maybe we’ll find out the answers to these questions, and perhaps not. What’s for sure is that you are on your own when it comes to protecting your confidential data.
How Do I Know If My Data Was Stolen?
If you are a Starwood Preferred Guest member and your data was stored in the Starwood property’s database (which includes Sheraton, Westin and St. Regis hotels, among others) you need to be on alert.
As mentioned, this data breach goes all the way back to 2014 and includes names, passport numbers, email addresses and payment information for approximately 327 million travelers – a “big catch” for any hacker. Even your date of birth, gender, reservation dates and communication preferences may be included in the breach.
Should I Contact Marriott?
Marriott set up a website and call center for customers who were impacted by the data breach. Email notifications are also being rolled out.
Marriott is also offering affected customers the option to enroll in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert if your personal information is found. If you live in the U.S., you’ll also be offered fraud consulting services
What Else Should I Do?
If your data was stolen, you should observe for incidents of identity theft. Also, watch for phishing emails where hackers try to impersonate someone you trust to take information or money from you.
Arrange For Security Awareness Training For Your Employees
If your business data was involved, make sure that you arrange for Security Awareness Training for your employees to train them to recognize phishing attempts. This includes:
Baseline Testing to assess the Phish-prone percentage of your employees through a free simulated phishing attack.
Training For Your Users with content that includes interactive modules, videos, games, posters, and newsletters.
Simulated Phishing Attacks that utilize best-in-class, fully automated, simulated phishing attacks, thousands of templates with unlimited usage, and community phishing templates.
Reports with statistics and graphs for both training and phishing for your management to review.
Whether your business was involved in the breach or not, Security Awareness Training for your employees is always a good idea. Another good idea is to sign up for Dark Web Scanning Services.
Get Dark Web Scanning For Your Confidential Business Data
The Dark Web is a secret internet society that’s only accessible to a select group of criminals. Criminals use it to take stolen data (like the Marriott/Starwood customer information) and dump it on the black market for sale. Dark Web Scanning is a sophisticated monitoring solution that helps businesses of any size detect cyber threats that expose their stolen business accounts, email addresses, payment information, and other confidential data that’s on the Dark Web. It also does this in real time and detects any of your compromised credentials or information before criminals can use it for profit or other crimes.
Don’t Count On The Marriott’s Of The World To Protect Your Business Data – You Must Do This Yourself
Contact us for information about Data Protection, Security Awareness Training and Dark Web Scanning.
We have a Suite of IT Security Solutions to help you keep your business data secure.
by Felicien | Nov 30, 2018 | Education
No industry is exempt from data breaches that lead to widespread fraud. However, the healthcare industry faces unique challenges since it is not always easy to determine the impact of the breach on patients as well as the healthcare organizations that serve them. The problem starts with isolating where the hack originated in the first place. With so many organizations having access to patient demographic and insurance data, this can be the most time-consuming aspect of the entire fraud investigation process.
Healthcare: A Unique Form of Identity Theft
Most patients are aware that their healthcare provider and their insurance company have access to their personal medical data. Providers need the information to diagnose and treat the patient while insurers require it to pay the patient’s claims. What many fail to realize is that a large number of third-party organizations could have access to the data as well. Pharmacies, medical equipment providers, home healthcare organizations, and supplemental insurance providers are just some examples of companies with access to patient data.
The problem in healthcare is that a cybercriminal intent on stealing the medical data of another person can piece it together from a variety of sources that the victim of identity theft does not even know to exist. Some in the healthcare IT industry refer to this as synthetic identity theft. By taking small pieces of information obtained from a healthcare report and combining it with information stolen elsewhere, hackers can easily scam the healthcare system. In fact, the problem is so widespread that millions of cases of fraud take place every quarter.
What Healthcare Providers Can Do
No healthcare administrators like to admit that a security breach took place on their watch. It may look to them like hackers gained access to private patient data and then did not use it. Unfortunately, that is rarely the case. Healthcare fraud differs from financial fraud because most criminals go on to use stolen credit, debit, and other banking information right away. With healthcare fraud, they need more time to piece together a forged identity before they start inflicting real damage. The CEOs of healthcare organizations are often too quick to claim that no one used the stolen information in a nefarious manner.
Obviously, it is better for healthcare IT departments to be proactive rather than reactive. This starts with knowing every location of a patient’s healthcare data. For example, a single patient could have an electronic medical record, a paper medical record, new test results not yet transferred to the medical record, and old information stored in boxes or machines that have not been used in years. To prevent medical fraud, healthcare providers must make it a priority to know the locations of all data about a patient and take adequate steps to protect it.
Sometimes health organizations are unaware a breach has taken place until a patient complains that someone used their information to obtain numerous prescriptions or to commit insurance fraud. Once alerted to it, they need to take immediate action to stop the current fraud and prevent it from happening again. This includes taking measures such as strong encryption with medical records and guarded access to paper records.
Besides a lack of inventory, part of the problem is the current patchwork approach to healthcare privacy laws. Organizations should push the federal and state governments to create uniform standards for improved patient protection.
How to Help Patients Protect Personal Health Data
Healthcare providers must work hard to gain patients’ trust in the current climate. One way they can facilitate this relationship is to provide patients with reminders about safeguarding their own information. Here are some typical examples:
Request a new medical card with a different identification number if the original has been lost or stolen
Submit a police report after the theft of a wallet or purse
Report any information on the explanation of benefits forms that appears suspicious such as services the patient does not remember receiving
Check medical records at least once a year to ensure accuracy
Always have the most current copy of medical records available
Providers should also consider publishing an annual notice to members outlining their privacy policy and the steps they take to prevent theft of patient data. Holding open meetings and taking questions from patients is another way to assure them that the organization is serious about protecting them from identity theft in a healthcare setting.
by Felicien | Nov 30, 2018 | Education
In Part 1 and Part 2 of the 2019 Cyber Security planning series, we looked at the evolution of technology and the future of cybersecurity defense systems. There has been a steady evolution of defense options to curtail the rising efforts to commit cybercrimes. In this segment, we look at emerging and enhanced threats moving forward.
Four Primary Cyber Security Risk Areas For 2019
Cybersecurity preparedness relies on year-over-year planning and strategic implementation. That means corporate decision-makers must cull together key staff members who include IT support team leaders, department heads and primary stakeholders. Determined preparation for 2019 relies on a rich, interdepartmental understanding of company goals, system needs and actionable knowledge of cybersecurity policy and protocols.
Knowledge equals power in the cybersecurity sector and arming employees with information about how and why measures are taken to protect vital information remains job one. That being said these rank among the biggest anticipated threats facing companies in 2019.
Ransomware Expected To Thrive In 2019
Cybercriminals have steadily made a shift away from direct systems hacks and are more inclined to plant encrypted files that take over a company’s data and require payment to send a code to unlock them. The FBI reportedly claims that upwards of 4,000 ransomware attacks are carried out every day. That figure is expected to escalate in the coming years.
Most ransomware attacks are conducted by prompting a user to inadvertently click on a malicious link or website that results in infection. Although only a fraction of ransomware incursions are reported, cybercriminals generally ask for $200 to $3,000 in bitcoin payments to send a cure. These are some of the ways an IT support team can mitigate ransomware attacks.
Incident Plan: Create an actionable ransomware protocol that employees can initiate in the event of an infection.
Critical Backup: Allow for multiple backup iterations of data in secure system locations.
Anti-Virus: Maintain cutting-edge preventative antivirus programs and conduct timely system scans.
Restrict Internet: Ransomware attacks commonly occur by employees visiting unsecured sites and opening spam emails. Each workstation requires appropriate restrictions.
Third-Party Risk Heightens In 2019
Consider for a moment that more than half of all breaches are initiated through third-parties, often vendors. Organizations generally have hundreds of business partners on a variety of levels. Many of these enjoy daily engagement through electronics and direct links to an outfit’s systems. From ordering products to pay invoices to basic communication, there could be thousands of points of contact between your servers and third-parties.
Moving forward, hackers will be increasingly targeting vulnerable systems to steal sensitive information to sell or ransom. Companies that do not secure their data at a high level can act as a backdoor into other servers. Once today’s hacker has infiltrated one of your vendors, they can email ransomware and other infections programs undetected. Cyber theft efforts are more likely to be successful because employees open vendor communications with confidence. These are some of the key steps organizations may want to consider for 2019.
Personnel Changes: Work with business partners to communicate staff turnover and take cybersecurity measures to prevent technology access after departure.
IT Glitches: Monitor systems appropriately and avoid support gaps.
Share Responsibility: Develop an agreed upon cybersecurity policy and protocol with vendors and other third-parties to minimize potential cross-company breaches.
Terminate BYOD Policies In 2019
We are all well aware of the headlines regarding high-ranking government officials using personal devices. In many instances, the federal government considers using a personal electronic device for work purposes a direct and discernable security threat. Despite that glaring warning, the number of companies that allow employees to Bring Your Own Device (BYOD) has grown exponentially in the last few years.
The convenience of a values staff member having tangible connectivity 24-7 seems to outweigh any risk. In the past, this policy may not have brought about a negative result. But cybercriminals are well aware that an employee Smartphone is now a doorway into a company’s system.
What makes BYOD even more problematic moving forward is that an average of 22 percent of workers misplaces their electronic device. Compounding that misstep, only about 35 percent use a password or PIN to secure it. This vulnerability does not even account for purposeful theft of a staff member’s device. Businesses would be wise to change course on the BYOD practice in 2019 by taking the following steps.
Stop: End the practice of BYOD entirely.
Company Only Devices: Issue secured company devices that are maintained by the IT support team.
Common Cyber Security Threats Expected To Increase In 2019
Cybersecurity breaches have proven to be costly for companies and organizations in every sector. The loss of time, productivity, and damage to reputation are exponentially expensive. Many of the seemingly low-level nuisances are expected to become high-level threats in the coming years. Decision-makers would do well to address these issues with the same determination as others in 2019.
Flawed Software: Glitchy programs are emerging as a gaping hole for hackers to infiltrate otherwise secure systems. It’s imperative that all applications are patches and updated accordingly. Outdated programs should be promptly removed.
Phishing: A reported 76 percent of all businesses are the target of phishing ploys at some point. It’s imperative outfits train employees to recognize and alert the IT support team when suspicious emails are received. Phishing scams are expected to become more sophisticated moving forward.
Update Passwords: The lack of complex passwords has lured hackers to attempt to breach systems through staff logins. It’s crucial to plan routine password changes at set times during 2019. Company systems should also require passwords to include at least one number and one symbol.
Cornerstones Of 2019 Cyber Security Planning
It takes strong cyber Security planning to minimize the growing threats to innovation, productivity, and profitability. With hackers using every conceivable means to gain access to critical data, it’s easy to lose sight of the forest through the trees. In terms of planning cybersecurity in 2019, an organization’s leadership team would be wise to consider their efforts under these four foundational ideas.
Deter Threats: Consider a 2019 cybersecurity plan in term of its potential success at avoiding data and systems breaches. Ask the simple question: How does this policy or protocol make hacking more difficult?
Protection: When implementing a 2019 cybersecurity plan, it should serve to insulate systems, infrastructure, components and data from intrusion. Does the plan effectively achieve these goals?
Detection: Thwarting a data or systems breach often begins by recognizing the imminent threat. Each facet of the cybersecurity plan should include measures of detection.
Adaptability: Each year, companies across the world take strategic measures to stop cybercriminals from negatively impacting their organization. Each year, hackers counter IT support strategies to commit crimes. A well-conceived cybersecurity action plan should include ongoing oversight, articulate new and emerging threats and have the agility to withstand them and make necessary changes.
It’s essential for an organization to understand cybersecurity as a process. Cybercriminals are continually looking for creative ways to steal valuable data, and industry leaders are tasked with ongoing cybersecurity planning.
by Felicien | Nov 29, 2018 | Education
The integration of the Microsoft (MS) digital ink function and digital pen provides companies with a way to improve collaboration, increase out-the-box creativity, and drive innovation. Have you given thought on how your organization can create better cooperation among your different work teams essential for driving new product development, opening up new markets, or managing workflow? If you have, you need to invest some time and effort learning how digital ink can be of assistance to your company.
About Microsoft Digital Ink
Microsoft digital ink allows a digital pen accessory to write on the surface of a pen-enabled device. These include laptops, notepads, notebooks, and Windows-based handheld devices. This capability allows the creator to share notes, capture your thoughts, and your ideas in real-time. This benefit is of great importance when your team members find themselves limited by space or the ability to use a fully attached keyboard.
You have the need to put together elaborate sales presentations in MS-PowerPoint or jot down quickly a sales quote for a potential customer in MS-Excel. The use of digital ink allows your workers to do this in less time then it takes to format a slide or complete a spreadsheet. It takes their handwritten notes and scribbles and converts them into a presentation that gets attention.
How Digital Ink Creates Collaboration
Imagine a massive project of yours that requires the input of stakeholders from different teams within your company. Accounting for financial projections, engineering for logistical support, and business planning for managing the project’s timetable, all of these disciplines need the ability to communicate with each other to keep the project on time and within budget.
You can take the traditional route of calling time-consuming meetings that require members of the project team to sit in the same room, away from their other duties and responsibilities. Or you can install Microsoft digital pen and allow input and updates come into the project from all over without the need for lengthy meetings or huddles that take time and people resources away from their jobs, reducing their productivity and increasing your costs.
Is Microsoft Digital Ink Easy to Use?
The digital ink application is both intuitive and easy to use. It is a simple plug-and-play application that requires nothing more than the digital pen itself as the peripheral device and a machine that is digital pen enabled. Your end-users will remark at how easy it is to simply draw, doodle, write, and express their ideas in any application using digital ink, and share that information between their colleagues.
The Bottom Line
The bottom line for you and your business is this: your competitors, especially younger entrepreneurs and competitors, are already employing next-generation technology. They are doing so as a way to gain market share and increase their competitive advantage.
You need to up your technology game to hold on to your customers, maintain relevancy, and attract the type of workforce that will grow your business. With so much riding on you and the decisions you make, Microsoft digital pen is a straightforward solution for you to consider and implement company-wide.
You can not afford to stay stuck in old practices in favor of new tools that make life easier for your teams. The investment you make in digital ink will pay huge dividends in the future, regarding better deployment of your people resources and greater freedom to innovate.
