
Comments

  • edited October 11
    I hope Fidelity gets slapped with fines for not being forthcoming with info.
  • edited October 11
    I'd like to know how the creation of two customer accounts allowed access to other
    customers' information including Social Security numbers and driver's licenses.
    Perhaps we'll never know due to the sensitive nature of certain data breaches.
    It's important to note the attacker(s) did not access customers' actual Fidelity accounts.
  • Given the extent of data breaches and stolen identities, I do not think I would ever see online voting for federal and state elections, like how some of the advanced countries are able to have.
  • It's OLD news.

    The insurance industry uses 3rd party services from Infosys/McCamish and it had a breach. But companies have been tight lipped about it and the news is coming out like cockroaches. Those that have admitted so far are T Rowe Price/TROW, NY Life, Principal Life Insurance Co., Prudential Insurance Co. of America, Oceanview Life and Annuity Co., TIAA, Fidelity, etc.

    Recently, I learned that even health insurers were affected, not just life insurers.

    https://www.mutualfundobserver.com/discuss/discussion/61692/tiaa-outage

    https://www.mutualfundobserver.com/discuss/discussion/62710/data-breaches-at-t-rowe-price-ny-life
  • Why is the response to customers to offer credit monitoring after the breach?

    How about offering it prior, as part of the customer relationship?

    One of my CU banks does just that.
    Identity theft is a billion dollar business for thieves and a billion dollar loss for the rest of us. In fact, it is the most common type of consumer fraud complaint made by Americans. According to the FTC, cleaning up the mess after an identity theft has occurred costs the average consumer approximately $1,000.
    To provide our Members with additional account safeguards, iTHINK Financial includes a comprehensive Identity Theft Protection Program and Credit Monitoring Service with our myChoice Checking account at no additional cost.*
    IBM SECU became IThink Financial
    https://ithinkfi.org/personal/services/credit-monitoring-and-identity-theft-protection
  • Credit Karma/INTU also offers FREE credit monitoring. It uses 2 of the big 3 - Equifax & TransUnion. One can check credit as often as needed.

    I still sign up for FREE credit monitoring offered by the breached companies, but I know that I am not getting much beyond what I get from Credit Karma already.

    Breached companies think that they are doing something in response to the breach. But they should all be fined by someone - reasons for many breaches are poor cybersecurity practices.

  • A good preventive that would help protect customers from fraud resulting from data breaches would be for the credit 'agencies' to lock all customer records by default to make it harder for criminals to open accounts in their name.

    Unfortunately, letting other companies mine consumer credit records for their own advertising is simply too damn profitable for the credit 'agencies' so it's up to consumers to figure out how to do that -- if they can be bothered.

    I locked my accounts at the 5 major 'agencies' several years ago after the OPM breach and didn't look back. Some upsides? No junk mail, preapproved credit card offers, and absolutely zero letters or correspondence from a certain association once as I headed into and crossed a certain age. The only (minor) downside? If you buy a car, get a mortgage, open a new credit card, etc. you need to check which 'agency' does the credit check for that bank/dealer so you can unlock your record at a given 'agency' for a few hours, otherwise the credit check won't go through.



  • With so many breaches, if a co did not have a breach, it should really feel left out / unimportant. What is the reason for cybersecurity firms or HACK to exist?

    Do only companies that have top trade secrets or companies with social security numbers get hacked?

    I notice defense industry and social media companies (or MAG 6) do not seem to get hacked - goes towards YBB's point about cybersecurity practices.
  • BaluBalu said:

    With so many breaches, if a co did not have a breach, it should really feel left out / unimportant. What is the reason for cybersecurity firms or HACK to exist?

    Do only companies that have top trade secrets or companies with social security numbers get hacked?

    I notice defense industry and social media companies (or MAG 6) do not seem to get hacked - goes towards YBB's point about cybersecurity practices.

    Defense industry must comply with DOD cybersecurity requirements in many ways. Plus they have very deep pockets to pay for staff/tools to do the job. And, most if not all DOD contractors don't have 'public facing' systems for business transactions -- other than their informational webpages that don't really tie to anything 'critical.' Anything sensitive is more than likely compartmentalized and not touching any network that touches the outside world.

    The MAG 6 also have deep pockets to pay for security staff/tools and are therefore much better positioned than most government agencies and commercial sites of all sizes.

    After 30 years in this industry I can tell you the vast majority of cybersecurity incidents are the result of not following best practices that we've preached for DECADES. Sure, there are always new vulnerabilities and such, but even then many times the effects of those can be mitigated if we're just doing good cyber-101 type activities. (don't get me started on this......)



  • edited October 11
    Some reported breaches have involved not using encryption for personal and login info, and employees falling for spoofing. This is inexcusable in this day and age.

    In fact, many banks and card co now warn that if you fall for spoofing, your losses may not be covered.

    But companies will spend big money on cybersecurity when they know that there may be penalties. Otherwise, a breach happens and then they just arrange for 1-2 years of free credit monitoring.

    BTW, the Fed and FDIC are warning and monitoring banks on cybersecurity issues.
  • edited October 11
    Rick, so, it comes down to lack of consequences. The more hacks happen, it seems to give permission to others to spend less time, money, and energy on cybersecurity.

    Same issue with misinformation perpetuated by social media companies. Lack of consequences.
  • BaluBalu said:

    Rick, so, it comes down to lack of consequences. The more hacks happen, it seems to give permission to others to spend less time, money, and energy on cybersecurity.

    Same issue with misinformation perpetuated by social media companies. Lack of consequences.

    Yep. My example is this: If the Equifax data breach, which impacted EVERY CITIZEN (and politician) IN AMERICA, didn't spawn meaningful cybersecurity reforms, nothing will. It's like how enough politicians believed the killing of innocent school kids in Sandy Hook with automatic weapons was okay, b/c nothing meaningful has resulted in the aftermath of that (or any number of other) incidents, either. So yes, I am a cynic, both on contemporary cybersecurity and politics.

    Making it worse is the recent trend to hold CISOs personally responsible for criminal/civic lawsuits resulting from incidents happening on their watch. This is despite CISOs rarely having the authority, resources, staff, or budget to do anything significant ... they've become high-tech eunuchs of the IT world with all the responsibility but little authority. You couldn't pay me enough to become a CISO/CSO again these days! (Years ago I turned down a nice CSO gig on Wall Street b/c I could tell they just wanted an 'expert' to blame when the inevitable occurred.)

    Social media (well media generally) is a slippery slope here, because of the First Amendment. Legally speaking, I 'get' that ... but I also 'get' the need for companies to police genuinely false information and go after accounts that engage in threats. Unfortunately, what one party sees as responsible action taken for the public good, the other side decries as 'censorship' of 'free speech' while simultaneously bleating about shutting places (Google, CBS/ABC News, etc) down for the public good.

    Le grand sigh.
  • msf
    edited October 11

    It's OLD news.

    The insurance industry uses 3rd party services from Infosys/McCamish and it had a breach. But companies have been tight lipped about it and the news is coming out like cockroaches. Those that have admitted so far are T Rowe Price/TROW, NY Life, Principal Life Insurance Co., Prudential Insurance Co. of America, Oceanview Life and Annuity Co., TIAA, Fidelity, etc.

    On the health side of breaches, you can add Change Healthcare. I'd never heard of them, but I received a long notice in the mail a week ago (dated Sept 23). Like McCamish, they seem to be tight lipped about their industry customers.

    In a sense this is old news as well. While Change Healthcare is just now getting around to obliquely notifying end users, it was forced to notify HHS months ago about its HIPAA breaches. HHS put out this lengthy notice in July.
    https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html

    Change Healthcare is a subsidiary of Optum, which is the administrative/technology services arm of UnitedHealthcare Group (UNH). The other arm is the more familiar health insurer United Healthcare. Optum's reach goes way beyond United Healthcare.
    Notice of Data Breach

    We are sorry to tell you about a privacy event. This letter is from Change Healthcare ("CHC"). We work with many doctors, health insurance plans, and other health companies to help provide health services or benefits. This event may have involved your data.

    What happened?
    On February 21, 2024, CHC found activity in our computer systems that happened without our permission. We quickly took steps to stop that activity. We [did x, y, and z after the horse had left the barn].

    On March 7, 2024, we learned a cybercriminal was able to see and take copies of some data in our computer system. This happened between February 17, 2024 and February 20, 2024. ...

    What information was involved?
    We have told our business customers about this event. Starting on June 20, 2024 we began notifying our business customers ... We encourage you to remain vigilant ... The data that may have been seen and taken includes contact information (such as name, address, DOB, phone #, and email) plus one or more of the following:
    • Health insurance data (such as ... ID numbers ...)
    • Health data (such as medical record numbers, doctors, diagnoses, medicines, test results, images, care, and treatment)
    • Billing, insurance claims and payment data (such as ... account numbers, billing codes, payment cards, financial and banking ...)
    • Other personal data (such as SSN, driver's license ...)
    ...
    Why did this happen?
    A cybercriminal accessed our computer system without our permission.
    No, that's only what happened. Why it happened is, as others have said, that this company did a cost-benefit analysis. It decided that it was cheaper not to put in dollars to train people on best practices (I agree with @rforno that this is the biggest hole) and tighter security, and instead to pay the petty fines (if any) assessed for this negligence.

  • edited October 11
    First Amendment is to be applied to humans and not to machines. The vast majority of perpetration of falsehoods on social media is by machines (bots), though some by humans. Why are we giving free speech to machines? Because we have lazy citizens, enabling lazy politicians, enabling greedy citizens. The lack of enforcement of the distinction between rights for humans vs machines is making us self-destructive.

    How is Elon Musk, as owner of X, allowed to post and perpetuate the kind of stuff he posts on X without consequences? Is any newspaper or magazine owner / editor allowed to do the same?

    Lazy humans enable greedy humans, greedy humans (current form of social media) enable dictators. Greed can be of money or anything in excess of moderation.

    There has never been a dictator without enablers. Consequences are coming for lazy humans.
  • @msf, yes I just signed up to two years of credit monitoring as a result of the Change Healthcare Breach, but prior to that I froze my credit with all 5 credit bureaus that MFO members discussed here in past threads.

    Thanks to all for keeping us informed.

  • @BaluBalu: Per SCOTUS ruling many years ago, corporations are considered people, so whatever they 'say' (or cause to be put out there on their platforms) can be considered their 'freedom of expression.'

    The bigger problem is that in recent years, facts have been replaced by 'feelings' in the public square and in many people's minds and anyone challenging those 'feelings' (often reinforced in echo chambers online and in the media) becomes the enemy and is not to be believed, let alone acknowledged.

    "Don't Look Up" was a brilliant but depressing satire of where this kind of society is heading.

  • edited October 11
    Rick, when humans rely primarily on feelings, without regard to facts, that is laziness. People are not born lazy; they become lazy.

    There can be a role for collective feelings in an optimally functioning society. E.g., you need leaders for order in evolving societies; those leaders use the collective feelings as a tool to motivate / implement facts (vaccines, medicines, infrastructure, electricity, etc.) to advance society for the collective good. Useful feelings can be like country, religion, etc. (made-up stuff but collectively agreed). But when citizens get lazy, then facts do not matter and they run only with personal (not collective) feelings, and if you are unlucky, a manipulative person exploits it. We can see this in our personal lives at the micro level.

    Only consequences cure laziness.
  • BaluBalu said:

    First Amendment is to be applied to humans and not to machines. The vast majority of perpetration of falsehoods on social media is by machines (bots), though some by humans. Why are we giving free speech to machines? Because we have lazy citizens, enabling lazy politicians, enabling greedy citizens. The lack of enforcement of the distinction between rights for humans vs machines is making us self-destructive.

    How is Elon Musk, as owner of X, allowed to post and perpetuate the kind of stuff he posts on X without consequences? Is any newspaper or magazine owner / editor allowed to do the same?

    Lazy humans enable greedy humans, greedy humans (current form of social media) enable dictators. Greed can be of money or anything in excess of moderation.

    There has never been a dictator without enablers. Consequences are coming for lazy humans.

    Completely. Plain and simple.
  • Nobel Prize for Economics sheds light on functioning institutions and their relationship with the people -

    https://www.cnn.com/2024/10/14/business/nobel-prize-economics-acemoglu-johnson-robinson/index.html
  • Lots to chew on and learn, there. Thank you. Are they daring to "say the quiet part out loud?"