Security Breaches & Security News

To follow Security Breaches and Security News throughout the day, follow me on Twitter

Council data breaches increase by ‘alarming’ 1,600 per cent

BMO Harris warns customers after laptop stolen

Bank vs. Customer Claims Rejected

Cyber-espionage Mahdi virus spreads further in Middle East

Hacker collective leaks one million records, vows ‘hellfire’

Frankenstein malware: a monster stitched together from trusted code

Virus on virus – set a thief to catch a thief

Oracle Releases Fix For Java CVE-2012-4681 Flaw

Latest SAP Security News

How Do You Change an Unhealthy Compliance Culture?

Link spotted between Wiper virus and Stuxnet, Duqu

Kaspersky looks at the wreckage of Wiper malware

More password problems from Windows Registry

Survey Tracks Security’s ‘Bad Mood’ Trend, Need for Improvement

Researchers Identify Second New Java Bug

Second LulzSec Member Arrested for Sony Pictures Attack

Analysis Shows Traces of Wiper Malware, But No Links to Flame

REALLY – Most firms do not protect sensitive data in databases, survey finds

Wils Bell – President
Direct: 407-365-2404

  • Twitter (Follow me for latest Jobs, Breaches, and News)
  • LinkedIn (I accept all security professional’s Invites)

Latest Infosec News

Follow my Twitter feeds for daily breach and security news.

Researchers uncover causes of hack

NASA denies Iranian cyberattack

Absinthe 2.0 Jailbreak for iOS 5.1.1 Devices Released

New York Lawmakers Want Anonymous Comments Banned

FBI Warns Top Firms Of Anonymous Protest Hacks on May 25

The Virtual Sky is Falling!

Internet Fraudster Back in US After Being Fugitive for 12 Years

Join the Fight Against Cyber Spying Proposals in the Senate   

UK’s new cookie law came into effect Sunday

Yahoo and TalkTalk confirm human error as weakness security link

Flame proves cyberwarfare is active

Why Boards of Directors Don’t Get It

Mass. Hospital Pays Breach Settlement

Insider Case Exposes Security Lapses

Fighting Hackers With Public Relations

Olympic-themed spam emails carries malicious PDF  

Wils Bell – President
Direct: 407-365-2404

  • Twitter (Follow me for latest Jobs, Breaches, and News)
  • LinkedIn (I accept all security professional’s Invites)

Security Breaches, Security News & More (week ending 2-17-12)

Follow my Twitter feeds for daily breach and security news.

Wils Bell – President
Direct: 407-365-2404


  • Twitter (Follow me for latest Jobs, Breaches, and News)
  • LinkedIn (I accept all security professional’s Invites)

Breaches & Information Security News

Follow my Twitter feeds for daily breach and security news.


Ernst & Young loses 401k information of bank employees

Food and beverage industry has unsavory history of data breaches

Disaster Recovery is health industry’s biggest headache

2011 review: CNI targetted, spam down, botnets up

Attackers Using Fake Google Analytics Code to Redirect Users to Black Hole Exploit Kit

Role of Ethics in IT Security

Data Loss Doesn’t Always Mean Getting Hacked

Hackers Infect WordPress Web Sites

VeriSign Hacked – But Why?

Number of patient record data breaches nearly doubled last year

Why Infosec Forced Me to Get an MBA

The Most Technologically Secure Super Bowl Ever

Acts of Terrorism vs. Cyber Threats: New Offense Scenarios

How to Win Friends and Steal Their Facebook Accounts

How To Spot A Fake Facebook Friend Profile

New Guidance on Payments Processing

Healthcare Breaches: Behind the Numbers

Verisign Breached Several Times in 2010

Wils Bell – President
Direct: 407-365-2404


  • Twitter (Follow me for latest Jobs, Breaches, and News)
  • LinkedIn (I accept all security professional’s Invites)

Breaches From Across the Net Week ending 1-13-12

Follow my Twitter feeds for daily breach and security news.



Wils Bell – President
Direct: 407-365-2404


  • Twitter (Follow me for latest Jobs, Breaches, and News)
  • LinkedIn (I accept all security professional’s Invites)

Breaches and Security Articles from Around the Web

Breaches and Security News from around the web as posted through  my Twitter Account.

Follow me on Twitter


Application Security Guide For CISOs

GSA Final Rule Requires Vendor Proof of Security

More than 51,000 security pros employed in Q4, up from 37.000 employed in Q1, study says

FBI Warns: Game Over

Cisero’s sues processor and bank over pass-along fines following alleged breach

Ramnit Worm Threatens Online Accounts

Cyber Attacks May Be Revealed to Investors as SEC Rules Push Disclosures

Researcher Releases New Version of P0f Fingerprinting Tool

Gamers Seek Beta Versions, Download Malware Instead

US and China headed for CYberWar in 2012: 




Breaches & Security News From Around the Web 12-06-11

Breaches and Security News from around the web as posted through  my Twitter Account.

Follow me on Twitter


Ex-Army researcher links Conficker to Stuxnet

Russian media, election watchdog silenced through cyberattacks

Small firms have fewer resources to deal with more cyberthreats, House panel told

MIT researchers: US needs single agency to protect electric grid from cyberattacks

Getting Past Security’s Fuzzy Math ROI

Is the Security Response System for SCADA-ICS Broken?

Holiday Shopping At Work Raises Risks

Raytheon Acquires Cybersecurity Firm Pikewerks

Executives Lack Confidence in Infosec Strategies

Controls Have to be Executed Perfectly Every Day

Carrier IQ Controversy Spawns Lawsuits

FBI Warns of New Fraud Scam

Congress Probes TRICARE Breach

Organizing a Breach Notification Team


Wils Bell

Bell (at )


Breaches & Security Articles From Around The Web 12-2-11

If you missed my Twitter (Security_REC)  posts on Security News and breaches this week, here’s a recap:

AT&T and Sprint acknowledge use of Carrier IQ

Norwich Airport database breached

FBI Warns of Coordinated Malware and DDoS Attacks Designed to Drain Bank Accounts

Twitter snaps up Marlinspike’s mobile encryption startup

Carrier IQ Rootkit Logs Everything on Millions of Phones

Health Care Data Breaches Increase by 32 Percent: Ponemon Report

Hackers accessed city infrastructure via SCADA – FBI

Data breaches in healthcare organizations are rising more than 30 percent year 

Survey – More patient data breaches, less security, and more headaches for patients

Breach Response: Reputational Risk

RIM PlayBook Jailbroken, Researchers Claim

Two Million Requests from Infected Systems In Week After Ghost Click Takedown

One-quarter of firms hit by cybercrime, survey finds

Adobe issues security warning for Adobe Flex SDK

Twitter snaps up Marlinspike’s mobile encryption startup

Carrier IQ smartphone software logs your every move, says researcher

Is PCI Effectively Preventing Fraud?

Fraud Scheme Hits Grocer

Duqu hackers scrub evidence from command servers, shut down spying op

Criminals sabotaging Cyber Monday, security experts warn

Interviewing Advice

I hope everyone had a great and safe 4th of July holiday.  Our weather was wonderful here in central Florida and several friends joined my wife and me for a party around the pool followed by some great food off the new Weber grill. (It was great cooking over charcoal again after all the years of gas)

The Friday before the holiday, I had a candidate speak by phone with the CISO at a client of mine.  My client is a mid sized organization that realizes they are way behind in their Infrastructure Security and want to bring in a top talent to get them where they need to go.  They had already talked with two other candidates earlier in the week that I had presented and wanted to talk with the third and last person before heading out for the holiday.

 The Candidate Feedback

Friday afternoon, I got a call from my candidate telling me he thought the conversation had gone very well. He was able to answer many technical questions and provide ideas how they would handle the upgrade to new security and so forth. The client really liked his ideas and they seemed to hit it off very well. In fact, they even joked around a bit at the end of the conversation. He felt that my client would want to have him fly in for an interview.

 The Client Feedback

On Tuesday, when we all went back to work, the client called and said they would like to invite candidate #1 and #2 in for on site interviews.  This was great news and I then asked about candidate #3.  Would they also like to invite him in?

The short answer was not at this time.  The client said his skills and experience were great and were equal to the other candidates interviewed through me, but he had turned the client off at the end of their conversation.

Here’s What Happened

During the first 95% of the phone interview, he presented himself well in regards to his current and past duties. He was clear and detailed on the approach he would take to complete the task the position required. They were getting along very well, so well in fact that my candidate decided to share what he though were a couple of humorous anecdotes.

They were funny to the candidate, but the client was not as amused and felt the candidate’s professionalism left something to be desired.


When you are on a phone interview you are speaking with a hiring manager / authority.  They are not your friend or buddy today. They may become your boss soon and perhaps later a friend, but not today.  They are on the other end of the phone to learn about you, your experience and personality.

In this economy, most employers are going to phone interview multiple candidates to screen down to a couple to invite onsite for an interview.

Phone interviews need to be handled as professional as an on site interview since they are generally the first step in the process. To be eliminated from the interview process for telling what you think are humorous stories is purely a waste.

In coming days, I’ll right a posting about the no-no’s on interviews both phone and on site.

A Funny Thing Happened During the Interview

A Unique Security Interview

During a conversation today I was reminded of a situation that in some regards was funny and on the other hand was actually rude. It does have a lesson to those employees of companies involved in the interview process.

Here’s what happened. I had a position here in Florida for a senior hands-on technical Security candidate. The client was a solid company with operations around the USA, Caribbean and Central and South America. Even though this company had many bilingual employees due to their different business locations, it was not required on this particular position.

Since the candidate (let’s call them Dave”) I recruited was available ASAP,  had recently relocated to Florida and was local, the employer scheduled an in-house interview for one afternoon. ( I’d known Dave for several years since I recruited him for another opportunity when he lived in the Carolina’s. Still has his Carolina accent.)

The day of the interview arrived and Dave was off to meet everyone. Dave called me on his drive home from the interview  to share his thoughts of the company, the position, the people, etc. He met with Human Resources and got all the HR information and was taken on a brief tour of the facility by another HR representative on the way to interview with the technical security staff  and manager. Dave was taken to a conference room where  the manager and 2 project managers were all waiting to conduct a group interview, even though the interview  itinerary was stated differently, but no big deal.

Here’s where it begin to get a little funny and rude at the same time.  All three employees of the client were asking Dave questions related to the job.  As usual, the questions started out relatively easy and progressed quickly to more difficult questions since Dave was able to answer correctly without any issues. He knew he were doing well. He knew he knew more than the project manager he would report too. He knew the manager thought he would not be challenged for long in the job. He knew he blew away all the other candidates  interviewed thus far, and many other insights.

Now you ask, why would these employees conducting the interview discuss these comments directly in front of Dave. Simple, they were speaking Spanish. Yes they were interviewing in English, but discussing amongst themselves their comments about the candidate. How rude was that, but the fact that Dave was able to understand about 75% of the Spanish was the funny part.

Yes, here’s someone with a Carolina accent that had a real good handle on understanding Spanish. He had worked for a firm in the past with many Latin American clients and  spent 5 years travelling south and picked up Spanish enough to understand people fairly well.

Dave thought it was a real insightful interview situation that most people would never experience, while also being rude.

One we jot to the actual job,  regardless of the rudeness factor, Dave stated that the client indeed had some real security  issues, as I had indicted. Once those issues were resolved over the next many months, the job would not be challenging.  Even though he was ready to go to work, this was not going to present a long-term opportunity. (The client still made him an offer, even though I said it was not necessary)

The overall  problem I saw was the client was discussing Dave and his answers and comments right in front of  him in a language they thought he did not understand. Whether he understood or not I felt and he felt it was rude. Would that have been the normal work environment and atmosphere. In fairness, I did share with the CIO that Dave turned down the position based on opportunity, but for future reference he night want to discuss with his managers their interview style.

I supposed the moral of the story would be never assume anything, like you are not being overheard or understood by those around you.

Have a great Wednesday.

A Cattle Call Approach to Recruitment

I Wish Employers Understood

A couple of months ago I heard about a company rebuilding their web presence and was in need of senior  Security Architect.  I called the CISO and left a voice mail  introducing myself and as a Security Search Firm. I indicated I would send my company Brochure and a link to the web site for their review. I was pleasantly surprised a few days later when I had a voice mail from the CISO (let’s call them John”) saying he would like to talk. When we spoke I had high hopes of picking up the search, which I hand already seen on their career page.

Well, I reach John and yes one of his managers was indeed still  looking for a security architect. They were frustrated in the fact this position had been open for over 7 weeks and the resumes from HR were not close to what was needed skills wise. I was sure my expertise could help identify quality talent, I told John. That’s when the shoe hit the ground. I was informed that all recruitment services must go through the HR department.  John had no control over that aspect of the process, but would  introduce me to the manager, which they connected me with while I was on the phone. Once John got off the call, the other shoe hit the ground. “I appreciate John introducing you, but we have a list of  approved vendors.  Please send your information and we’ll keep it on file” I was informed. I don’t go away that easy, so I let the HR manager know that I am not a general recruiter. I am president of and as the name implies we a  Security Search Firm. We have the ability and expertise to fill this job. Didn’t matter what I said. They had their vendors and they would let me know if I could help in the future. I let John know the outcome of the call.  He was also disappointed.

About 2 weeks ago I got a call from someone in HR (not the manager) asking if I could be available that afternoon for a conference call with the HR Manager and 2 Security managers to discuss the position since they were not getting the resumes they needed. Of course, I could and I was emailed the details to call for the CC.

At 2 pm I called in to enter the CC, but the code number to join the conference I was given was wrong.  I quickly reached the HR rep from earlier and was given the corrected code and called again. It was now 3 minutes after 2pm and when the automated system let me into the conference it announced to me “You are caller number 14  in the conference”.  You have to be kidding I thought. Am I just one of lots of recruiters on this call?  I must be part of a  “Recruiting Cattle Call”. What a waste of my time, but since I was already there I’ll listen.  The  HR Manager was already discussing  salary and other HR information before the  Security Managers detailed the job. It was good information, but nothing I didn’t already understand from a technical standpoint. The Security managers then asked for questions from those listening. I had a couple questions, but  I thought I would sit back and listen to what others asked. Like I suspected about 8 people (recruiters) asked question that made it so clear they had no idea what a security architect is and how to screen their skills.  At this, why would I want to spend valuable recruiting time on a search for an employer that utilizes the Cattle Call recruiting method. I did conduct a quick follow up call with the HR rep and was informed the others on the call were their approved vendors, the same ones that have not filled the job yet.

Time is money and the recruiting process is no different. Employers should try to fill their open jobs on their own if possible, but after 3 months of the efforts of the approved vendors with no success, perhaps it’s time to engage a “Security Headhunter” to fill the position.  In this case, it appears that the approved vendors just are not specialized in getting the correct talent  and I would not work on a search with 10 plus other firms. My time is to valuable to spend in a cattle call search process.

If you are not getting qualified resumes in your recruiting process, then you should change your process.

Moral of the story:  Make the decision to bring a “Security Search Firm” into your process at this point. You’ve given your other resources plenty of time with no success. Sometimes, as employers, you need to make an investment in your search with an exclusive search  that will actually results in a “search assignment” where candidates are recruited for your specific  job, not simply posting jobs to the Internet and see who replies.

I shared these thoughts with the HR manger and the CISO, but nothing yet. (the position is still open)  Perhaps next month the employer will decide to move forward on a real search assignment.

Have a great Monday!

Security Breaches – A Short List

Security Breaches

Here are a basic sampling of Security Breaches that have been gathered from across the Internet. Who’s really winning this cyber war?

Hackers bait Zeus botnet trap with dead celeb tales

UPDATE: Idaho Power says Mercer breach affected over 375,000

UK insurer hit with biggest ever data loss fine

Judge approves Countrywide Financial ID theft settlement

Laptop stolen from U Kentucky had info on newborns and mothers

UConn notifies 10,174 applicants of laptop theft

Bank of America settles Countrywide data theft suits

College students slowest to respond to ID theft

Look for a weekly list from this point forward.

Wils Bell
President, Inc.
POB 620298 * Oviedo, FL 32762
Direct: 407-365-2404

Phone Interviews are “Very Important”

Phone Interview are a Key Part of the Interviewing Process

As you can imagine, I speak with many security candidates every day in the process of doing my job for client companies.  Over the years, these 1,000’s of phone interviews have allowed me to become somewhat of an authority on phone interviewing and I wanted to share  some tips, observations and stories that may help you during this aspect of the  interviewing  process. These tips are for both talking with a recruiter or an employer. Hope they help.

1) Keep your scheduled appointment or contact ASAP

Yes, I know that we are all really busy, but if we have a scheduled time to speak please try to keep it. Many times this is the first impression I have of you. I understand that your schedule can change at the last second due to problems at work, but please try reaching me thru email, text, or phone just to give me a heads up. We can reschedule,  just let me know. Also, there’s no worse feeling than having you scheduled to speak to a client of mine at say 1 pm and I see the client’s # come up my caller ID at 1:05 only to hear them say you were not at your phone when they called.

2) Cell phone charged, conference room available, Etc.

Yes this happens more times that I like to admit. I’ll be talking on a scheduled call and the candidate says that their cell is going dead. Ouch.  I also have people chased out of conferences rooms since they failed to check the availability. Also, when talking on a cell if you go outside the building, please be aware that many times traffic and / or wind noise can be a real issue to the person on  the other end. Try sitting in your car. That generally works well as long as you have a good signal.

3) Never ever eat while interviewing!

Yes this does happen. I’ll be interviewing a potential candidate and they are eating.  Not only does this sound bad on the phone, it really give a bad impression to me or an interviewer.

4) Give the interviewer your full attention.

Many times I speak to candidates while they are home or in the car driving.  I understand that you may need to ask me to hold on while attending to children or other issues, but doing it several times is not good.

5) Interrupting the interviewer is never good.

Let’s face it, we all interrupt each other from time to time. It must be human nature, but constantly interrupting an interviewer is one of the worst things you can do. It happens to me on many occasions. I can barely get a sentence out before someone starts talking again. They don’t listen to my entire question before trying to answer and many times I have to ask the question again. This is incredibly annoying.

As I stated above, I have done 1000’s of telephone interviews over my career. Probably over 25,000, so I can speak on the subject with authority.

Remember, there are several candidates to interview for an open position. Several are interviewed by phone to determine who will get a second interview and / or in house interview. When you look at it this way, it’s obvious to see that a phone interview by me or an employer is a method of eliminating candidates for a particular job. That’s why so much is based on the conversation.

Whether the call is for 15 minutes or a full blown hour or two call, I learn a great deal about you and how you conduct yourself, how you share your skills, and how you will represent yourself to a client of mine if I get you an interview.

Wils Bell
Information Security Recruiter, Inc.
POB 620298
Oviedo, FL 32762
Desk: 407-365-2404
LinkedIn Profile:
Twitter: security_REC

Top 10 Cyber Crime Jobs

The  Cyber Crime Organization

This morning while reading my daily dose of security breaches to post to my Twitter account I came across a great article from an FBI study that discusses the make up of a Cyber Crime organization. The Top 10 Positions, if you will.

It really made me think back to the days that hackers where young kids, bored, sitting at a computer seeing what mischief they could cause. Oh, how things have changed.

As I talk to clients daily and discuss the issues of Cyber security it makes me really wonder how many firms really think about hackers being in a “Cyber Crime Organization”. Clients have their internal IT and Security departments with a variety of talent who create applications and those that protect the applications, and data and networks and so forth. Well, so do Cyber Criminals.

As I tell my clients, Cyber Criminals are very smart and sophisticated. You need to be smarter and more sophisticated. These criminal enterprises are run like a business. They are staffed with top talent that are dedicated to the job, yes their criminal job! By having these enterprises setup and running, they can and do strike within hours of an opportunity making itself available.

Here is a look at how the” Top 10″ positions within a Cyber Criminal Organizations according to the FBI.

1. Coders/programmers, who write the exploits and malware used by the criminal enterprise.

2. Distributors, who trade and sell stolen data and act as vouchers for the goods provided by other specialists.

3. Tech experts, who maintain the criminal enterprise’s IT infrastructure, including servers, encryption technologies, databases, and the like.

4. Hackers, who search for and exploit applications, systems and network vulnerabilities.

5. Fraudsters, who create and deploy various social engineering schemes, such as phishing and spam.

6. Hosted systems providers, who offer safe hosting of illicit content servers and sites.

7. Cashiers, who control drop accounts and provide names and accounts to other criminals for a fee.

8. Money mules, who complete wire transfers between bank accounts. The money mules may use student and work visas to travel to the U.S. to open bank accounts.

9. Tellers, who are charged with transferring and laundering illicitly gained proceeds through digital currency services and different world currencies.

10. Organization Leaders, often “people persons” without technical skills. The leaders assemble the team and choose the targets.

As I said earlier, this is no longer a bored teenager looking for mischief.

Wils Bell

Information Security Recruiter, Inc.
POB 620298
Oviedo, FL 32762
Desk: 407-365-2404

Most Organizations Now Suffer Cyber Attacks

Most Organizations Now Suffer Cyber Attacks

A recently released study by Symantec states that most organizations now suffer Cyber attacks!

The study revealed that 75 % of organizations experienced cyber attacks and 42 % of organizations rate security as their top issue.  They rate rate it higher than natural disasters, terrorism, and traditional crime combined.

Cyber attacks, which are often very effective,  cost enterprise businesses an average of $2 million per year, according to the report. The study was based on 2100 CIO’s, CISO’s and IT Managers in 27 counties and was done in January 2010.

The study also indicated that all organizations, small to large  are concerned. This is a change from the past.

I  hope this last statement is accurate since so many small to mid size firms I deal with many times don’t seem to realize they are at risk. They have the “It always seems to happen to the other guy mentality”.

Wils Bell
Information Security Recruiter, Inc.
POB 620298
Oviedo, FL 32762
Desk: 407-365-2404
Cell: 407-718-7764
LinkedIn Profile:
Twitter: security_REC

PCI Standards Not Doing Enough

PCI Standards Not Doing Enough

Visa, Inc. has begun testing new security measures with retailers and banks that goes beyond the current standards set by PCI.  This PCI (Payment Card Industry) standard has been the private sector’s attempt to regulate itself, but it no longer is thought of as strong IT Security. Way to much Debit and Credit card information is being breached by “so called” certified PCI compliant organizations.

According to Rep. Yvette Clarke (D -NY) the PCI Compliant Standard is not worthless, but is not currently sufficient to protect company data. She stated:” I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure.”

As an example, last February a third party certified a major grocery store chain (Hannaford Bros ) PCI Compliant one day AFTER it was informed of the system intrusions that had begun two months earlier. Hannaford Bros. later indicated that they would be spending “millions” of dollars upgrading security after the breach of 4 million plus credit and debit accounts.

As most of you know, these breaches are happening more and more. Remember Heartland, the card processor?

The cost to companies for data breaches as I wrote about in an earlier blog can be staggering, not to mention your loss of brand name.

What about the multiple lawsuits that follow these types of breaches.  They could put these companies out of business.

How many employees could lose their jobs for something they had no control over?

PCI Standards need to be updated and the compliancy and technology followed 24/7, 365 days a year.

By:  Wils Bell, President

LinkedIn Profile:, Inc.

Security & Risk Recruitment Since 1990
Phone: 407-365-2404
eFax: 407-956-4976



Security Breach Leaves 45,000 Exposed

Another University Security Breach

On Tuesday of this week, Cornell University notified 45,000 current and former members of the University community that their names and social security numbers had been exposed.

How: A university owed laptop was stolen earlier in the month.

A member of the University’s “Technical Staff” had access to the laptop which contained the sensitive data. They had the laptop for the purpose of correcting file processing transmission errors.

The files on the computer containing the names and social security numbers were not encrypted and the laptop was left in a physically unsecured environment, which violates University policy.

Even though the data on the laptop contained “no other sensitive data ” besides the names and social security numbers it is unbelievable that the data was not encrypted.

The university has stated that they feel they have identified all affected individuals and will provide protective services to those affected, including free credit reporting, credit monitoring and identity theft restoration services to those affected by the security breach.

As I have written before in this BLOG, Data Breach Can Cost You Millions of dollars and this does not include your brand reputation.

Individuals affected by this security breach include 22,546 students (10,597 of whom are alumni) and 22,731 faculty and staff members (of whom 4,284 are retirees or other separated employees.

University officials indicated that thus far non of the exposed data has been abused, however once again this data breach draws attention to the far boarder issue of the security of private information in this digital age.

The university also indicated that last June another Cornell computer used for administration purposes was hacked and the university notified 2,500 students of the incident and that person information may have been breached.

As noted in other postings, it appears that many times when a Data or Security Breach is brought to light, the affected organization also indicates that this is not their first incident.

Wils Bell – President, Inc.
POB 620298
Oviedo, FL 32762
PH: 407-365-2404
Fax: 407-956-4976



Twitter: Security_REC

Data Breaches Can Cost You Millions

Think your organization is safe from data breaches?

Consider these facts:

● The average cost to a company in 2008 for a data breach was over $6 million dollars which only included rebuilding their brand, rebuilding their image and attempting to retain customers.

● Based on approximately 40 companies that experienced a breach of consumer information, the average cost per consumer /customer record was $200. Considering the fact that each breach averaged a little over 30,000 records the cost adds up quickly.

● Sadly, over 80% of the companies surveyed had already had a breach prior to the 2008 incident.

The $200 per record are from such expenses as setting up credit monitoring for customers, helpdesk hotlines to field consumer inquiries and of course consumer notification. What the $200 does not cover was the damage that can occur to a company stock price.

Last year a major credit & debit card processor, Heartland Payment Systems, came clean about a major breach affecting millions of consumers. Their stock price fell over 40% to a 52 week low.

The whole point of this is that consumers do not like it when they hear a company has had a data breach. Let’s face it, people don’t like it when they see that a company has lost their personal data. It shows a lack of concern for security and or privacy.

In this economy can you as an organization really afford to lose customers because of a data breach. Get yourself an IT Audit and see where you’re vulnerable, and yes you probably are in several areas. In today’s world, you can get top Security & Risk Auditing services at a fraction of the cost of what the major Auditing firms charge. Bigger is no longer better.
If you could hear the stories I hear from my  Security & Risk contacts you would call for an  Auditing firm to be at your door tomorrow.
Remember, getting your company name all over the Internet and nightly news is great unless it’s for a data breach of customer personal information.

By:  Wils Bell, President

LinkedIn Profile:, Inc.

Information Security Recruitment Since 1990
Phone: 407-365-2404

eFax: 407-956-4976


Identity Theft Ring Busted in NYC

In New York a corporate identity theft ring has been busted! This scam ran between October 2007 and February 2009 and it is estimated that one financial institution alone lost close to $1.5 million.They were exploiting the identities of local corporations, schools, hospitals and churches to run a check fraud scam.

Lead investigators believe that 18 suspects made million of dollars through identity theft of workers from an estimated 300 + New York-based companies and organisations. They purchased data from corrupt bank insiders and used the stolen identities to lay the foundation for this successful scam. It involved cashing thousands of counterfeit payroll checks. The identity thieves also “helped themselves” to the bank accounts of individual victims by utilizing the stolen data obtained. The thieves would then makes transfers of funds to other banks accounts and various locations under their control.

Using specialized software, scanners, check stock, magnetic ink and company logos the thieves forged counterfeit checks which were then cashed by members of the gang.

The gang of thieves was led by alleged leader Jasper Grayson, 25, and James Malloy, 26, according to an unsealed indictment. Some former employees of JP Morgan Chase Bank, TD Bank, and HSBC Bank are charged with stealing the personal data of identity theft victims and providing the details to other members of the gang.

The investigation is continuing.

Once again, where were the checks and balances that allowed this fraud to continue for 18 months without detection.

By:  Wils Bell, President

LinkedIn Profile:, Inc.

Information Security Recruitment Since 1990
Phone: 407-365-2404
eFax: 407-956-4976


Cloud Security – Are You Prepared?

It appears most companies are not prepared for Cloud Computing Risk and Security.  It’s not clear if companies don’t have the means to verify that Cloud service providers are actually providing the security they say they are or companies have failed to provided adequate processes to test themselves. 

Remember, it’s the corporation whose data is breached that is ultimately liable for the breached data, not the service provider that agreed to protect it adequately. Granted, managing the security of cloud computing is a new area and it will take time to mature the process, but liability still falls back to the corporation not the service provider. (see my post on Data Breaches Can Cost you Millions)  Over 80% of  companies responding to a survey admit they do not have formal process in place to audit how well a service provider is living up to there security standards.

The technology of how we work and play is changing and companies are adapting to data flows in more places to achieve more objectives in complex regulatory environments. All these new circumstances take time and resources to deal with and the fact that Information Security budgets are shrinking (another post this week) does not help this issue.


By:  Wils Bell, President


LinkedIn Profile:, Inc.

Information Security Recruitment Since 1990
Phone: 407-365-2404
eFax: 407-956-4976




A Chronology of Data Breaches

If you’re like most organizations, you feel you are protecting your data.  Well, take a look at this article –A Chronology of Data Breaches on Privacy Rights Clearinghouse  that lists major Data Breaches going back to 2005.  It really opens your eyes

A few excerpts from the article:

What does the Chronology of Data Breaches contain?

The data breaches noted have been reported because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver’s license numbers. Some breaches that do NOT expose such sensitive information have been included in order to underscore the variety and frequency of data breaches. However, we have not included the number of records involved in such breaches in the total because we want this compilation to reflect breaches that expose individuals to identity theft as well as breaches that qualify for disclosure under state laws. The breaches posted below include only those reported in the United States. They do not include incidents in other countries.

What does the Total Number indicate?

The running total ( 261,774,380) we maintain at the end of the Chronology represents the approximate number of *records* that have been compromised due to security breaches, not necessarily the number of *individuals* affected.  Some individuals may be the victims of more than one breach, which would affect the totals.

Is the Chronology of Data Breaches a complete listing of all breaches?

No, it is not a complete listing of breaches. The list is a useful indication of the types of breaches that occur, the categories of entities that experience breaches, and the size of such breaches. But the list is not a comprehensive listing. Most of the information is derived from the Open Security Foundation list-serve (see below) which is in turn derived from verifiable media stories, government web sites/pages, or blog posts with information pertinent to the breach in question. Many breaches (particularly smaller ones) may not be reported. If a breached entity has failed to notify its customers or a government agency of a breach, then it is unlikely that the breach will be reported anywhere.


Hopefully you and your organization will never experience this, but I’m sure these organizations thought the same thing. 

By:  Wils Bell, President

LinkedIn Profile:, Inc.

Information Security Recruitment Since 1990
Phone: 407-365-2404
eFax: 407-956-4976


Virginia Data Breach and Ransom

Cyber Thief Asking $10,000,000

According to a posting on, the on-line clearinghouse for leaked documents, hackers  in late April broke into a Common Wealth of Virginia state Web site used by pharmacists to track prescription drug abuse. The cyber thief deleted records on more than 8 million patients and then replaced the site’s homepage with a ransom note. The note demanded $10, 000,000 for the return of the records.


The ransom stated:

“I have your sh*t!

In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(For $10 million, I will gladly send along the password.)”

It truly stretches the imagination to believe outside cyber thief’s could break into a state-run website and destroy the “original data” and its backup, which presumably would be  (should be!) stored off-site. This attack was the latest incident to involve the mass storage of EMR (electronic medical records). When not secured properly, EMR’s are easier to steal than paper records. Late last year, pharmacy prescription processor Express Scripts offered a $1,000,000 reward for information leading to the arrest of hackers who threatened to disclose stolen records belonging to millions of their patients.

Several security pros says that at a time when botnets are quietly stealing truckloads of  corporate and financial data  and quietly disappearing off into the dark world of cyber crime, data being kidnapped and held for ransom is not among the top threats enterprises should be worried about.  In all actuality, the largest threats are the ones that attempt to  be in stealth mode, leaving no trace if you will for the victims to identify.

That said however,  the current administration’s push  to digitization medical records to lower the cost of health care could open the door for exploitation.  Assuming these groups of extortionists aren’t bluffing when they say they’ve acquired EMR’s, then theft / ransom of this personal data may become more frequent as paper records are digitized.


By:  Wils Bell, President

LinkedIn Profile:, Inc.

Information Security Recruitment Since 1990
Phone: 407-365-2404
eFax: 407-956-4976