IRS Data Breach
Everyone in the U.S. has probably heard about the breach that the Internal Revenue Service (IRS) disclosed this past week. For those unfamiliar with the event, criminals reportedly located in Russia used personally identifiable information (PII) of taxpayers (possibly obtained as a result of healthcare data breaches such as the ones suffered by Anthem and Premera earlier this year) to obtain transcripts of the individuals’ prior tax return filings.
They tried to get roughly 200,000 returns. They succeeded about half of the time.
They used the information obtained to file fraudulent tax returns for 2015, and received more than $50 million in refunds from the IRS.
It remains to be seen whether the IRS did anything wrong. The criminals were able to access the system because they had (or could guess) the answers to security questions on the IRS website. You’ve seen these types of questions: “What is your mother’s maiden name?” and “Where was your first job?” are typical. You’d be amazed to learn how easy it can be to get information like that from social media sites like Facebook. Once they had all of the necessary information the criminals were able to walk right through the front door of the IRS site, so to speak.
Depending on how clumsy the criminals were, it may have been possible for the IRS to see that numerous requests for tax returns were originating from computers located in Russia. My guess is the thieves covered their tracks. In any event, the moral of the story is that companies should adopt security measures that are harder to defeat than static security questions.
Ordering a Taxi with an App on Your Phone is Great, but . . .
Earlier this month Meru Cabs in India learned that logs of users’ PII obtained from the company’s smart phone app for booking taxis had been breached. The data included users’ mobile numbers, email addresses, pickup and drop locations, masked credit card numbers, and payment notification logs. The unencrypted logs were available on a publicly accessible web server. It isn’t clear how long the information was accessible, but the company reportedly resolved the problem within an hour after learning about it. Other reports suggest that the fix took longer.
A few important takeaways from this:
1. Companies need to be careful about how they implement mobile apps.
Mobile apps can be a critical part of the business of a company like Meru Cabs. That being the case, a company may be tempted to rush a mobile app out before the app and/or supporting systems are fully ready. From what I’ve read, I don’t think there was a fault in the Meru Cabs app. The problem seems to have been on the servers with which the app communicated. While it is dangerous to extrapolate too much from what may have been a simple transitory mistake, this breach is a good cautionary tale and reminder: companies need to take the time to carefully configure mobile apps and supporting systems, and design them from the outset with privacy in mind.
2. A breach like this can really hurt.
Meru Cabs is a good-sized company. They operate more than 3,000 taxis and serve more than 1 million passengers a month in four cities. A mobile app gone bad could significantly damage its reputation. (Don’t believe me? I’ll bet Starbucks might.) An event like this could require expensive PR efforts to restore its good name. It could also result in significant lost business while the company’s reputation is being repaired. Meru Cabs was recently attempting to raise $100 million to fund expansion of its business. Reputational damage could have impacted that effort.
Chances are the company has no insurance that would respond to PR and business losses. (I don’t think any insurance product would cover investor funding the company was unable to get.)
It is important for companies with similar risks to understand that insurance is available for reputational loss. Done properly, the policy will be a highly customized product developed through extensive consultation with the client and the underwriters. Lockton’s Global Technology & Privacy Practice has experience with such products and can assist interested companies.
3. Data breaches are a global problem; they can happen anywhere.
With so many high-profile data breaches happening in the U.S. over the past couple of years, it would be easy to overlook the very real risks that exist in the rest of the world. Cyber risk truly is a global problem.
Australia Privacy Management Framework
Earlier this month the Office of the Australian Information Commissioner (OAIC) issued its Privacy Management Framework. The framework sets out the OAIC’s expectations with respect to companies’ compliance with the Australian Privacy Principles. It establishes a four-step process that companies should undertake to assure they are meeting their privacy obligations.
It is noteworthy that the framework stresses compliance with the OAIC’s guidance regarding data breach notifications. The guidance strongly recommends notifying affected individuals when a breach “creates a real risk of serious harm to the individual.” This stops short of a mandatory notification requirement such as those that exist in the U.S., but it may well signify a regulatory expectation that notice will be given. Companies in Australia may ignore that at their peril.
Any company located or doing business in Australia needs to become familiar with the Privacy Management Framework as soon as possible.
Ponemon Data Breach Report Released
The Ponemon Institute’s annual reports on the cost of data breaches are always eagerly anticipated because they provide benchmarks used by many to evaluate the potential financial ramifications of a breach. Their global and country-specific 2015 Cost of Data Breach Study reports are available here.
White Papers You Should Read
Members of Lockton’s Global Technology & Privacy Practice have recently published two excellent white papers.
Inside the Mind of a Cyber Underwriter, written by the Lockton London office’s Max Perkins, gives an underwriter’s point of view on the current cyber insurance environment. Max provides excellent and very timely advice for companies navigating these turbulent times.
Michael Born in Kansas City wrote The Law Firm Cyber Landscape. Michael does a fantastic job of covering the cyber risks a law firm faces, how a firm’s existing insurance might or might not respond, and the benefits of a specialized cyber policy.