Index
Abed, Saif, 339
Abstaining from data collection, 54
Accenture firm, 395
Access as risk factor, 33
Access devices
defined, 84
Access Hollywood tape, 304
Account credentials
Account Data Compromise Recovery (ADCR) program, 165
Acquirers in credit card payment systems, 146–147
Acute phase
description, 60
Acxiom Congressional hearings, 109–110
Adapting for cyber insurance, 388
ADCR (Account Data Compromise Recovery) program, 165
Adobe breach, 239
Adobe Reader zero-day exploits, 240
Advanced persistent threats (APTs), 251
Advertising data demands, 36
Advocate Health System breach, 272
Affinity Gambling breach, 181
Affinity Health Plan, Inc. breach, 280
Affordable Care Act, 38
Afghanistan leaks. See Megaleaks
Ahweys, Hassan Dahir, 315
AIDS Trojan, 341
AllScripts data skimming, 46–47
AlphaBay forum, 261
Alternate payment solutions, 228
AMA Code of Medical Ethics, 264
American Bankers Association card replacement costs survey, 226
American Bar Association healthcare breaches report, 280
American Express, 149
Ancestry Group Companies, 279
AncestryDNA service, 279
Android Pay service, 227
Angulo, Jairo, 103
AnnualCreditReport.com, 102
Anonymization and renonymization of data big data effect on, 43–44
Anonymous movement
attacks, 333
Anonymous submissions, 314
Anthem breach
compensation, 103
cyber insurance limits, 379
SSNs stolen, 85
Anthem insurance, 48
AOC (Athens Orthopedic Clinic) breach exposure extortion, 350–352
Apache Struts framework, 71
Apologies
Home Depot breach, 222
ApplePay service
merchant services offerings, 227–228
APT1: Exposing One of China’s Cyber Espionage Units report, 12–13, 382–383
APTs (advanced persistent threats), 251
Ariba system, 188
Arthur, Charles, 307
Ascent cyber insurance, 383
Ashley Madison site breach, 353
Assange, Julian. See Megaleaks; WikiLeaks
Assante, Michael, 116
Asymmetric cryptography, 128–130
Athens Orthopedic Clinic (AOC) breach
Atlantic Health, 283
Attack surface, 11
Attacker tools and techniques
commercial exploit kits, 186–187
password-stealing Trojans, 188–190
Attorney-client privilege in payment card breaches, 172–174
Aucsmith, David, 241
Auditing requirements, 194
Authentication
Avid Life Media breach, 353
AvMed, Inc. breach, 280
Baer, Tim, 216
Baker Hostetler, personal information definition, 7
Banks
payment card breaches, 148–149
Target data breach ripple effects, 223–224
Barlow, John Perry, 332
Barr, Aaron, 322
Bartholomew, Chester, 26
Beazley Group
breach response policy, 378–379
business email compromise cases, 402
BEC (Business Email Compromise), 400–404
“Behind the Scenes of the Recent Target Data Breach” article, 213
Benoit, William L., 61–63, 102
Bernstein, Jonathan, 94
Berry, Michael, 82
Beth Israel Deaconess hospital, X rays stolen from, 137
Betterley, Richard S., 366, 384
Betty Ford clinic, 35
Bhasin, Kim, 179
Big data
Biogen, 48
“Bitcoin: A Peer-to-Peer Electronic Cash System,” 132
Black Hole salvage yard, 254
Blackhole exploit kit, 186–187, 189
Bloomberg, Michael, 355
Bloomberg
Yahoo breach, 13
Blue Health Intelligence, 48
Boothman, Richard C., 299
Booz Allen breach, 395
Borohovski, Michael, 71
Breach Notification Rule, 268–271, 402
“The Brokeback Mountain Factor,” 43
Brookings Center for Technology Innovation report, 261
Brooks, Rebekah, 318
Browsealoud plug-in, 395
Bucci, Steven, 334
Bugs and breaches, 246
Bullock, Steve, 360
Burden of proof in HIPAA, 13
Bureau of Investigative Journalism on WikiLeaks, 330
Burke, Kathleen, 103
A Business a Day game, 338
Business associates, HIPAA impact on, 273
Business Email Compromise (BEC), 400–404
Businessweek
Target data breach, 199–200, 217–218, 220
Butka, Paul, 163
BYOD in health data breaches, 291
California Coastal Records Project, 318–319
Cameron, David, 320
Canadian privacy commissioner, 163–164
CANDOR (Communication and Optimal Resolution) approach for medical errors, 299
Cannon, Stephen, 144
Card brands in credit card payment systems, 150
CarderPlanet.com site, 124
Cardholder Information Security Program (CISP), 152
Cardholders in credit card payment systems, 146–147
Cardinal Health company, 46
Caring, trust from, 62
Carolinas HealthCare System, 38
“The Case of the Purloined Password,” 29
Causey, Marianne, 352
CBA (Consumer Bankers Association) card replacement costs, 223
CCSupplier (pseudonym), 126
CDIA (Consumer Data Industry Association), 105
Center for Technology Innovation study, 285
Cerber ransomware, 345
Cerner company, 47
CGL (commercial general liability) policies, 372–373
Character
Equifax data breach, 72
trust from, 62
Cheaters Gallery, 353
Cheney, Bill, 224
Chief information security officers (CISOs), 115–116
Chip-and-PIN (EMV) cards adoption of, 228–229
ownership, 230
resource requirements, 235–236
ChoicePoint breach
blame game, 96
communications, 98
Congressional hearings, 109–110
consumer compensation, 97
identity theft scares, 82
investigation, 90
lax information control practices, 87
personal information, 83
smoldering crisis, 81–84, 86–87
Chronic stage
description, 60
“A Chronology of Data Breaches” database, 80–81
Church of Scientology attacks, 306
CiCi’s Pizza breach, 12
Cigna, 48
Cignet Health HIPAA investigations, 272
CINDER (Cyber Insider Threat) program, 326
CISOs (chief information security officers), 115–116
CISP (Cardholder Information Security Program), 152
Citadel banking Trojan, 188–190
Citigroup, TJX breach discovered by, 162
Clinical device breaches, 284–288
Clinton, Hillary, 240, 303–304, 311, 330–331
Clinton Apology Tour, 331
Cloud breaches
authentication issues, 398–399
end-to-end encryption, 409–413
large-scale monitoring, 411–412
CMIA (Confidentiality of Medical Information Act), 298
Code of Medical Ethics, 264
Columbia Casualty Company, 375–376
Comey, James, 355
Commercial exploit kits, 186–187
Commercial general liability (CGL) policies, 372–373
Communication and Optimal Resolution (CANDOR) approach for medical errors, 299
Communications
controlling, 218
Equifax data breach, 73
stakeholders, 62
trust, 62
Compensation
Competence
trust from, 62
Computer Security Incident Handling Guide, 58
“Computer Thieves Tamper with Credit” article, 32
Computers, payments for, 139
Computerworld magazine article, 28
Confidential data
cyber insurance, 367
description, 52
Confidentiality of Medical Information Act (CMIA), 298
Congressional hearings on ChoicePoint breach, 109–110
Consumer Bankers Association (CBA) card replacement costs, 223
Consumer Data Industry Association (CDIA), 105
Consumers
payment card breaches, 147–148, 150
TJX breach, 165
Cook, Tim, 228
Cool Exploit Kit, 187
Copycats in megaleaks, 334–335
Cost/benefit analyses, 50
Cottage Health System, 375
Counterfeit Access Device and Abuse Act, 33
Counterfeit Library, 124
Court Ventures breach, 85
Covered expenses in cyber insurance, 378
Cox, Joseph, 253
CRA (Customer Records Act), 298
Credentials
Credit freezes, 105
Credit monitoring
ChoicePoint breach, 97
Credit Union National Association (CUNA) card replacement costs, 223–224
Credit unions, Target data breach ripple effects on, 223–224
Cridex malware, 189
Crisis management
crisis recognition, 59
stages, 60
CrowdStrike firm
campaign attacks, 304
Office 365 mailbox activity logs, 405
Cruise, Tom, 306
Cryptocurrency
denial extortion, 343
Cryptojacking, 134
CryptoLocker ransomware, 342
Cryptome site, 315
CUNA (Credit Union National Association) card replacement costs, 223–224
Custom Content Type Manager plug-in, 395
Customer Records Act (CRA), 298
Customers
payment card breaches, 147–148, 150
TJX breach, 165
CVS Caremark, 45
CVS EMV systems, 232
Cwalina, Chris
breach preparation, 114
ChoicePoint breach, 80, 90–92, 108, 112
security function, 116
Cyber arsenals as supply chain risks, 252–254
Cyber Insider Threat (CINDER) program, 326
Cyber insurance
commercial off-the-shelf breach response, 364–367
confidentiality considerations, 367
covered expenses, 378
data inventory, 370
growth, 361
retention amounts, 377
Cybersecurity by Chubb policy, 377, 381–382
Cybersecurity Framework guidelines, 371
Cybersecurity vendors, breach statistics from, 15–17
D&B (Dun & Bradstreet), NCSS password directory breach, 25–26
Dairy Queen breach, 181
Damballa company, 189
Danchev, Dancho, 139
Dark e-commerce sites, 131–132
DarkReading breach statistics, 14–15
Dart, Tom, 245
Data
inventorying, 51
Data analytics firms demand for data, 38–39
Data Breach Investigations Report (DBIR), 16–17
Data breaches
Data Broker Accountability and Transparency Act, 57
Data brokers
FTC survey, 140
Data flow diagrams, 52
Data laundering, payments for, 139–140
Data-loss prevention (DLP) systems, 52, 292
Data removal for exposure, 315–318
Data Security Operating Policy, 152
Data storage, breaches from, 242
Datamation magazine, 28
DBIR (Data Breach Investigations Report), 16–17
DCCC (Democratic Congressional Campaign Committee), 304
de Janes, J. Michael, 115
De Mooy, Michelle, 277
DeArment, Heidi, 196
Debit card locks, 106
Decryption in denial extortion, 341–342
Deeba, Amer, 164
Defense Information Systems Agency (DISA) Vulnerability Analysis and Assessment Program, 8–10
Deidentification in HIPAA, 276–278
Delavan, Charles, 303
Delays
ChoicePoint breach response, 97–98
Dell Secureworks report on Target data breach, 196, 201, 219
Demand for data, 34
advertising, 36
Democratic Congressional Campaign Committee (DCCC), 304
Democratic National Committee (DNC), 304
Denial extortion
encryption and decryption, 341–342
Deny and defend approach for medical errors, 299
Department of Health and Human Services (HHS)
breach statistics, 14
privacy gap report, 7
Department of Public Health and Human Services (DPHHS) breach, 359
Der Spiegel
Assange interview, 307
Detection in HIPAA, 267
DiBattiste, Carol, 116
Digital Dozen security standards, 152
Digital Millennium Copyright Act (DMCA), 316
Digital signatures, 130
Dingledine, Roger, 131
DISA (Defense Information Systems Agency) Vulnerability Analysis and Assessment Program, 8–10
Discrimination in health data breaches, 296–297
Disposal of data, 53
Dissent Doe (researcher), 244
Distribution in megaleaks, 332–333
DKIM (DomainKeys Identified Mail) signatures, 311
DLP (data-loss prevention) systems, 52, 292
DMCA (Digital Millennium Copyright Act), 316
DNC (Democratic National Committee), 304
Dolinar, Lou, 32
DomainKeys Identified Mail (DKIM) signatures, 311
Domscheit-Berg, Daniel, 316
Donovan, Mike, 365
Dow Chemical breach, 239
DPHHS (Department of Public Health and Human Services) breach, 359
Drake, Paula, 222
DRAMA management
access devices, 84
identity theft scares, 82
knowledge-based authentication, 83–84
personal information, 83
Dread Pirate Roberts (pseudonym), 134
Drug fraud, 296
Drummond, David, 239
Duke, Katie, 293
Dun & Bradstreet (D&B), NCSS password directory breach, 25–26
Durbin, Richard, 235
E-commerce
payment card breach website hacks, 151
E-Gold service, 162
E3 Encrypting Payment Device, 170–171
Easy Solutions company, 178
Economic exploitation in health data breaches, 296
Economic incentives in HIPAA, 267–268
ECTF (Electronic Crimes Task Force), 127
EFF (Electronic Frontier Foundation), 131
EHR (Electronic Health Record) software product, 351
Einstein intrusion detection and prevention system, 10–11
Elavon payment processor, 143–144
Electronic Crimes Task Force (ECTF), 127
Electronic Frontier Foundation (EFF), 131
Electronic Health Record (EHR) software product, 351
Electronic medical record (EMR) systems, 262
Ellsberg, Daniel, 317
EMC breach, 19
Emotet banking Trojan, 247
EMR (electronic medical record) systems, 262
EMV cards. See Chip-and-PIN (EMV) cards
Encryption
asymmetric cryptography, 128–130
dark e-commerce sites, 131–132
description, 198
email, 311
End-to-end encryption
description, 198
Enforcement issues in HIPAA, 266
Engel, Beverly, 211
English, Michael, 171
Enten, Harry, 304
Enterprise/personal interface, 53
Equifax data breach
character concerns, 72
SSNs, 100
Escalation in ChoicePoint breach, 89–90
EternalBlue exploit, 247–248, 252
Ethics in cloud breaches, 406–409
Events
defined, 5
EveryDNS and WikiLeaks, 331
Evidence acquisition
business email compromise cases, 403–404
HIPAA, 270
Exclusions in cyber insurance, 380–384
Experian, Court Ventures breach, 85
Explorys health data analytics firm, 39
Exposure and weaponization
attacker reaction, 322
legal action, 316
megaleaks. See Megaleaks
motivation, 305
Sony Pictures Entertainment breach, 308
technical action, 318
WikiLeaks, 307
Exposure extortion
intellectual property, 354–355
Extortion
health data breaches, 296
Fair and Accurate Credit Transactions Act(FACTA), 101–102
Fair Credit Reporting Act, 33, 102
Family Educational Rights and Privacy Act (FERPA), 349
Farmer’s Market, 132
Faux email encryption, 410
Fazio, Ross E., 188
Fazio Mechanical Services, 177, 184, 187–188, 190
FDA (Food and Drug Administration)
third-party dependencies, 286
Federal Bureau of Investigation (FBI)
account and password management advice, 196
NCSS password directory breach, 25, 29
stolen data investigation, 120
Federal Trade Commission (FTC)
civil penalties, 236
identity theft protection rackets, 107
Feeney, George, 31
Fehr, David, 28
Feinstein, Dianne, 80, 96, 110
FERPA (Family Educational Rights and Privacy Act), 349
Fines for payment card breaches, 159–160
Fink, Steven, 57, 60–62, 94, 111
Firewalls and Internet Security: Repelling the Wiley Hacker, 289
Fisher College of Business on apology elements, 211–212
Flynn, John, 69
Food and Drug Administration (FDA)
third-party dependencies, 286
For-profit standards in payment card breaches, 154–155
Forbes study, 19
Ford, Michael
credit monitoring limitations, 298
HHS fines, 272
remote organizations, 282, 288–290
Fortune magazine
healthcare breaches, 15
4chan imageboard website, 306–307
Four-factor risk assessment in HIPAA, 270–271
Framework for Improving Critical Infrastructure Cybersecurity, 237
Frances (medical record theft victim), 263
Fraud
FreeCreditReport.com, 102
Freedom from Equifax Exploitation (FREE) Act, 57
FuZZbuNch tool, 252
Galloway, John (pseudonym), 87–88
Garrett, James (pseudonym), 87–88
Gartner Phishing Survey, 16, 112
Gas pumps, chip-and-PIN cards use at, 234
Gates, Robert, 325
Geer, Dan, 247
Genesco, Inc. v. Visa case, 172–174
Genpact firm, 396
Genuine statements, 214
Gibney, Ryan, 374
Givens, Beth, 80
Glen Falls Hospital breach, 372
Glickman, Dan, 33
Gonzalez, Albert
Keebler Elves group, 123
POS malware, 191
Goodwill data breach, 10
breach, 239
end-to-end encryption, 413
Google Health, 8
Government-sponsored attack insurance exclusions, 382–383
GPCode malware, 341
Green Hat Enterprises, 161–162
Greenberg, Andy, 357
Greenwald, Glenn, 334
Grothus, Ed, 254
Guardian
hacking exposee, 317
HackerOne company, 67
Halamka, John, 137
Hamrem, John, 116
Hard drive firmware hacks, 249
Harding, Luke, 331
Hardware risks in technology supply chain, 249
Hargave, John, 232
Harm reduction
Have I Been Pwned web service, 139
HB Gary Federal exposure, 322
Health data breaches
HIPAA. See Health Insurance Portability and Accountability Act (HIPAA) lawsuits, 298–299
medical crowdsourcing, 294
mobile workforces, 290
overview, 257
sensitive information, 261–263
specialized applications, 282–283
third-party dependencies, 284–288
Health Information Technology for Economic and Clinical Health (HITECH) Act, 5
Breach Notification Rule, 268
culpability categories, 271–272
description, 7
EMR systems, 262
impact on business associates, 273
Health Insurance Portability and Accountability Act (HIPAA). See also Health data breaches
burden of proof changes, 13
business email compromise cases, 402
health data protection, 264–265
impact on business associates, 273
Health Insurance Portability and Accountability Act (HIPAA) (cont.)
Health Net of California, Inc. lawsuit, 298
“Healthcare Biggest Offender in 10 Years of Data Breaches,” 15
Healthcare Information and Management Systems Society (HIMSS) survey, 273
Healthcare sector
breach statistics, 15
denial extortion, 344
Heartland breach
overview, 167
settlements, 169
Heartland Secure program, 170–171
Heiser, Tom, 250
Henderson, Zach, 49
Henry, Scott, 113
HHS (Health and Human Services)
breach statistics, 14
privacy gap report, 7
Hiltzik, Michael, 72
HIMSS (Healthcare Information and Management Systems Society) survey, 273
HIPAA. See Health Insurance Portability and Accountability Act (HIPAA)
Hippocratic Oath, 264
HITECH Act. See Health Information Technology for Economic and Clinical Health (HITECH)Act
Hodirevski, Andrey, 225
Holder, Eric, 236
Holland, Dawn, 35
Hollywood Presbyterian Hospital, denial extortion incident, 343
Home Depot breach
discovery, 181
lawsuit, 19
Hooley, Sean, 49
Hospitals
“How Home Depot CEO Frank Blake Kept His Legacy from Being Hacked,” 223
Howell, Gary, 149
Hu, Elise, 182
Huffington Post report, 306
Human resources, investing in, 203
Hunt, Troy, 139
Husted, Bill, 94
IBM study, 19
IBM Watson Health, 39
ICIJ (International Consortium of Investigative Journalists)
manifesto, 321
Identity theft
description, 122
scares, 82
Identity Theft business rules, 104
Identity Theft Resource Center (ITRC) data breach report, 260–261
healthcare breaches report, 280
Identity Theft Survey Reports, 16
IDSs (intrusion detection systems), 11
Image
Improving Critical Infrastructure Security executive order, 237
Incidents
defined, 5
Independent Community Bankers of America study, 223
Ingenix data broker, 50
Institute for Advanced Technology in Governments, 241
Insurance industry
cyber insurance. See Cyber insurance
Insurance Insider article, 379
Intel breach, 239
IntelCrawler, 190
Intellectual property, 354–355
Internal data
description, 52
Internal fraud monitoring, 103–104
Internal network payment card breaches, 150–151
Internal Revenue Service (IRS) whitepaper on fraud, 104
International Association of Privacy Professionals, data breach legislation, 166
International Consortium of Investigative Journalists (ICIJ)
manifesto, 321
International Risk Management Institute, Inc. (IRMI), coverage triggers, 376–377
Internet Explorer zero-day exploits, 240
Internet of Things, 283
Internet Security Threat report (ISTR) as resource, 16–17
small business attacks, 183–185, 343
The Interview movie, 309
Introspection, 109
Intrusion detection systems (IDSs), 11
Intrusion prevention systems (IPSs), 11
Inventory
cyber insurance, 370
data, 51
Investigation
business email compromise cases, 401–403
ChoicePoint breach, 90
IPSs (intrusion prevention systems), 11
IPWatchdog study, 230
IRMI (International Risk Management Institute, Inc.), coverage triggers, 376–377
IRS (Internal Revenue Service) whitepaper on fraud, 104
Isaacman, Jared, 231
Isenberg, David S., 43
Issuers
credit card payment systems, 146
TJX breach, 165
ISTR (Internet Security Threat report)
small business attacks, 183–185, 343
ITRC (Identity Theft Resource Center)
healthcare breaches report, 280
J.P. Morgan Chase, 224
Jackson, Lawanda, 34
Jackson Memorial Hospital breach, 257–258
James, Brent, 82
Jimmy John’s breach, 181
Johnson & Johnson company, 81
Jones, Karen, 148
Joyce, Rob, 100
Kaine, Tim, 275
Kaiser Permanante company, 49
Kalanick, Travis, 68
Kalinich, Kevin, 372
Kaptoxa malware, 190
Keebler Elves group, 123
Khosrowshahi, Dara, 68
A “Kill Chain” Analysis of the 2013 Target Data Breach report, 191–192
Kingbin, 128
Kmart breach, 181
Knowledge-based authentication, 83–84
Kolberg, Jason, 227
Korman, Roger, 45
Kosto, Seth, 162
Krebs, Brian
breach revelations by, 204–206
chip-and-PIN cards, 230
CiCi’s Pizza breach, 12
credential theft, 188
password-stealing Trojans, 188
PF Chang’s China Bistro breach, 381
shotgun attacks, 185
Target, breach discovery, 204–206
Target, breach identification, 178
Target, malware leaks, 219
Target, penetration tests, 193, 218
Target, response, 199, 215–216
theft costs, 183
Kremez, Vitali, 138
Krieger, Fritz, 46
Kurtz, George, 241
L-3 Communications breach, 250
LabCorp, 48
Lamo, Adrian, 325
Landon, Jana, 373
Large-scale cloud monitoring, 411–412
Larson, Jill, 354
Larson, Rick, 354
Larson Studios, 354
Lauchlan, Stuart, 391
Laws
breach revelations, 5
Lawsuits
exposure, 316
Le Monde, WikiLeaks data, 330
Leibowitz, Jon, 107
Leigh, David, 331
Lewicki, Roy, 212
LexisNexis Congressional hearings, 109–110
Limits for cyber insurance, 379–380
Liquidity
health data breaches, 262
risk factor, 33
Litan, Avivah
Heartland breach, 169
payment card authentication, 151
two-factor authentication, 192
Lloyd, Edward, 364
Lockheed Martin breach, 250
Lofberg, Peter, 45
Logrippo, Frank, 26
Logs, 2
Office 365, 407
Lohan, Lindsay, 35
Lord, Robert, 261
Los Alamos National Laboratories, 371
Los Angeles Times, ChoicePoint breach report, 95
Lutine bell, 364
Maintain stage, 111
Maintaining cyber insurance, 388
Malware analysis services, 220
Mandated information sharing in HIPAA, 274
Mandiant firm
cyber espionage report, 12–13, 382
Uber extortion, 68
Manning, Bradley. See Megaleaks
Maples, William R., 18
Marketing data demands, 36
MarketWatch, Home Depot breach, 222
Marquis, Oscar, 153
Marsh & McLennan, Inc. breach, 28
Marshalls breach, 161
Masnick, Mike, 319
Massachusetts General Hospital HIPAA investigations, 272
Mathewson, Nick, 131
Maximus Federal Services study, 278
Mayberry Systems, 46
Mayer, Marissa, 391
McAfee
cloud service prevalence, 393
cloud service visibility, 400
medical data report, 261
McCallie, David, Jr., 47
McCann, Michael, 258
McWilton, Chris, 229
Media outlets demand for data, 34–36
Mediametrics company, 24
Medical crowdsourcing, 294
Medical records, payments for, 137–138
Medicare fraud, 137
MedStat Systems, 38
Megaleaks
data products, 329
Manning document copying, 323–325
overview, 323
redactions, 328
timed and synchronized releases, 329–330
volume of data, 327
Mello, John P., Jr., 373
Menighan, Thomas, 45
Merchant Breach Warranty, 170–171
Merchants
credit card payment systems, 146–147, 149
payment card breaches, 150–152
Merkel, Angela, 330
Merold, Bob, 36
Merritt, Chris, 148
Methodist Hospital, denial extortion, 343
Michaels breach, 180
Micros Systems breach, 161
Microsoft software vulnerabilities, 240, 248, 253
Middleton, Blackford, 262
Midwest Orthopedic breach, 243–244
Migoya, Carlos A., 258
Miller, Dave, 232
Milliman data broker, 50
Minimal disclosure strategy in NCSS password directory breach, 25–27
Mitroff, Ian, 59
Mobile workforces in health data breaches, 290
Mogull, Rich, 168
Molina Healthcare breach, 295
MoneyPak payment system, 342
Monoculture paper, 247
Moran, Jerry, 69
Mossack Fonesca law firm breach, 242, 320
Motherboard magazine, Yahoo breach report, 389
MPack exploit kit, 186
Murray, Patty, 297
Muse, Alexander, 44
Narayanan, Arvind, 42
National CSS (NCSS) password directory breach, 23
law enforcement involvement, 25
previous breaches, 29
National Enquirer medical treatment revelations, 34–35
National Institute of Standards and Technology (NIST)
breach definitions, 5
Cybersecurity Framework guidelines, 371
Framework for Improving Critical
Infrastructure Cybersecurity, 237
incident handling guide, 58
National Retail Federation, EMV cards complaint, 236–237
National Security Agency (NSA)
Nakamoto identification by, 44
NotPetya malware, 357
NCSS. See National CSS (NCSS) password directory breach
Near-field communication (NFC), 228
Negotiation tips for denial extortion, 347–348
Neiman Marcus breach, 180
Netflix
hack, 354
Neutrino exploit kit, 187
New York Times
Dun & Bradstreet software, 25–26
Operation Firewall, 128
Pentagon Papers breach, 317
Newman, Lily Hay, 85
News of the World, hacking by, 317–318
NICE Systems breach, 396
Nimda malware, 247
NIST. See National Institute of Standards and Technology (NIST)
Nixon administration, Pentagon Papers breach, 317
NoMoreRansom.org site, 342
Noncovered entities (NCEs) in HIPAA, 278–279
Northrup Grumman breach, 239
Northwestern Medical Faculty Foundation breach, 245
Northwestern Memorial Hospital breach, 293
Notifications
ChoicePoint breach, 95
National CSS password directory breach, 25–27
overnotification, 66
regulated vs. unregulated data, 64–65
NRSMiner cryptominer, 247
NSA. See National Security Agency (NSA)
Obama, Barak, 334
OCCRP (Organized Crime and Corruption Reporting Project), 321
OCR (Office for Civil Rights)
breach statistics, 15
OSHU breach, 397
O’Farrell, Neal, 182
Office 365 accounts
Office for Civil Rights (OCR)
breach statistics, 15
OSHU breach, 397
Office of Personnel Management (OPM) breach, 10–11
Ohio State University apology guidelines, 212
Ohm, Paul, 42
OHSU (Oregon Health & Science University) breach, 397
Oing, Jeffrey K., 373
Oldgollum (criminal), 261
Omnibus HIPAA Rulemaking, 268
Operation Avenge Assange, 333
Operation Firewall, 127
Operation Get Rich or Die Tryin,’ 161
OPM (Office of Personnel Management)
Opper, Richard, 360
Oregon Health & Science University (OHSU) breach, 397
Organization issues in healthcare breaches, 284
Organized Crime and Corruption Reporting Project (OCCRP), 321
Origins of exposures, 313
Overnotification, 66
Palin, Sarah, 333
Palmer, Danny, 345
Panama Papers breach, 242, 320–321, 334–335
PandaLabs report, 186
Pascal, Amy, 309
Passwords
harm reduction, 99
LinkedIn, 394
NCSS. See National CSS (NCSS) password directory breach
strong, 197
Patch problems in technology supply-chain risks, 247–248
Patient issues in healthcare breaches, 283
Paul, Bruce Ivan, 23
Paunch (exploit kit developer), 187
Paylosophy blog, 233
Payment card breaches
attorney-client privilege, 172–174
credit card payment systems, 146–147
Payment card fraud, 121
Payment Card Industry Data Security Standards (PCI DSS)
two-factor authentication, 192–193
Payment card numbers
harm reduction, 99
payments for, 136
Payment cards
access controls, 105
alternate payment solutions, 228
chip-and-PIN cards. See Chip-and-PIN (EMV) cards
fraud detection, 12
Payment processors in credit card payment systems, 149–150
Payments for denial extortion, 342–343
PayPal
merchant services offerings, 227–228
Paysafecard, 342
PCI DSS (Payment Card Industry Data Security Standards)
two-factor authentication, 192–193
PCI forensic investigators (PFIs), 171–172
PDMPs (Prescription Drug Monitoring Programs), 274–275
Peace (hacker), 139
Pentagon Papers breach, 317 Perimeter issues in health data breaches, 289–295
Permission errors in cloud breaches, 395–396
Personal information
definition, 7
Personally identifiable information (PII), payments for, 136
PF Chang’s China Bistro
breach, 181
PFIs (PCI forensic investigators), 171–172
PharMetrics Plus product, 48
PHI (protected health information), 258, 260
Physical access by service providers, 244–245
Physical theft in payment card breaches, 151
Pierre-Paul, Jason, 257–260, 299
PII (personally identifiable information), payments for, 136
Pirate Bay site, 316
Plastic Card Security Act, 166
Point-of-sale vulnerabilities, 161
Pole, Andrew, 6
Ponemon Institute survey
breach costs, 379
breach notifications, 182
corporate brand effect, 19
Popp, Joseph, 341
Portal Healthcare Solutions, LLC, 372
POS systems
PR professionals, benefits, 321
Practice Fusion, 47
PRC (Privacy Rights Clearinghouse)
breach statistics, 14
Premera Blue Cross breach, 297
Prescription drug fraud, 122
Prescription Drug Monitoring Programs (PDMPs), 274–275
Presidio Insurance Solutions, 379
Price Waterhouse Cooper cyber insurance estimates, 361
Prior consent in cyber insurance, 384–385
Privacy Rights Clearinghouse (PRC)
breach statistics, 14
Privacy Rule in HIPAA, 276–277
Private data, description, 52
Profiting from data breaches, 72
Prognos broker, 48
Prognos DxCloud product, 48
Project Chanalogy, 306
Proliferation as risk factor, 33
Proofpoint company, 248
Protected health information (PHI), 258, 260
Protonmail system, 413
Public data, description, 52
Public key cryptography, 128–130
Public records, breach statistics for, 14–16
Public relations in exposure, 319–322
Publicizing breaches, 2–6 Punishment in megaleaks, 333–334
Qualified security assessors (QSAs), 158–159
Quartz magazine on chip-and-PIN cards, 232
Quest Diagnostics, 48
Quest Records LLC breach, 244
Quick, Becky, 213
Rackspace breach, 239
Ragan, Steve, 367
Raiu, Costin, 249
Ramirez, Edith, 236
Ransomware
Raptis, Steve, 377
Reagan, Michael J., 183
Recognition, escalation, investigation, and scoping process, 88
Redkit exploit kit, 187
Ree[4] hacker, 190
Regulated data
Reidentification in HIPAA, 277–278
Reissuing payment cards, 226–227
Remote access
health care vendors, 288
Reputational impact of breaches, 19
Response
business email compromise cases, 401
faux extortion, 357
immediate, 206
Retailgeddon. See also Target data breach
account and password management, 196–197
attacker tools and techniques, 185–191
encryption/tokenization, 197–198
legislation and standards, 236–237
two-factor authentication, 192–193
vulnerability management, 193–194
Retention
medical records, 263
risk factor, 33
Retention amounts in cyber insurance, 377
Reuters, Yahoo breach article, 390
Ribotsky, Mimi Bright, 89
Richey, Ellen, 168
Riddell, Bridget A. Purdue, 298
Ries, Al, 95
Ries, David G., 298
Risk reduction
Risks
cyber insurance assessments, 370–371
Rockefeller, John, 191
Rosato, Donna, 309
Rosen, Elizabeth, 96
Rosen, Jay L., 338
R(x)ealTime product, 46
Ryle, Gerald, 242
S.B. 1386, 93
Sale of stolen data
asymmetric cryptography, 128–130
Sally Beauty breach, 180
Samsung Pay system, 227
Sanders, Bernie, 303
Saunders, Bill, 49
SBC (Service Bureau Corporation), 29
SCA (Sony Corporation of America), 384–385
Scalet, Sarah, 80
Scaling up in technology supply-chain risks, 246–247
Scharf, Charlie, 229
Schneiderman, Eric, 72
Schneier, Bruce
economic incentives, 113
Internet eavesdropping, 412
security complexity, 282
Schnuck Markets breach, 183, 191
School districts exposure extortion, 349–350
Schumer, Chuck, 216
SCM (software configuration management) systems, 251–252
Scope in ChoicePoint breach, 92–93
Scott, James, 345
Scottrade Bank breach, 396
Secret data collections, 31–32
Secret Service in Shadowcrew takedown, 127–129
Security
Security practices exclusions in cyber insurance, 383–384
Security Rule in HIPAA, 265
Security Standards Council (SSC), 154–158
Security standards for payment card breaches, 152–153
Security team myths, 117
Self-insured retentions (SIRs) in cyber insurance, 377
Self-regulation in payment card breaches, 153–160
SERMO social network, 294
Service Bureau Corporation (SBC), 29
Service provider access
data storage, 242
vetting, 243
Shadow Brokers, 252
Shaughnessy, John, 152
Shelf life of medical records, 263
Shirky, Clay, 335
Shmatikov, Vitaly, 42
SIPRNet, 324
SIRs (self-insured retentions) in cyber insurance, 377
Site Data Protection standards, 152
Skyhigh Networks firm, 396
Slammer malware, 247
SleepHealth app, 39
Small business attacks, 183–185
Smart cards. See Chip-and-PIN (EMV) cards
Smith, Brad, 253
Smith, Derek V., 87
ChoicePoint breach introspection, 109
ChoicePoint breach response, 94–95
ChoicePoint breach revelation, 89
information importance, 90
Smith, Larry, 29
Smith, Rick, 56–57, 72–73, 100
Smoldering crises, 81–84, 86–87
Social media in health data breaches, 293–294
Social Security numbers (SSNs)
original purpose, 83
Software configuration management (SCM) systems, 251–252
Software vulnerabilities in technology supply-chain risks, 245–248
Solove, Daniel, 78
Sony Corporation of America (SCA), 384–385
Sony Pictures Entertainment (SPE) breach, 308–310
cyber insurance claim, 367
Sony Playstation network, 373
Sophisticated cyber attacks, 251
Sophos report, 186
Soupnazi (pseudonym), 123
SPE (Sony Pictures Entertainment)
cyber insurance claim, 367
Spectrum Health breach, 293
Spiegel Online, megaleaks report, 329
Spora ransomware, 345
SSC (Security Standards Council), 154–158
SSNs (Social Security numbers)
original purpose, 83
Staff issues in healthcare breaches, 283
Staffing requirements, 194
Stairway to Tax Heaven game, 335
Stakeholders, communications with, 62
Standard & Poor, data breach ratings effect, 19
Standards
payment card breaches, 152–153
Staples breach, 182
State Auto Property & Casualty Insurance Co. v. Midwest Computers case, 372
State governments, 49–50
State of the Auth report, 399
Statistics
cybersecurity vendor data, 16–17
self reporting, 16
Steinhafel, Gregg
CNBC interview, 217
nonapology, 211
repair strategy, 210
response, 207
victim strategy, 209
Stolen data
leveraging, 121
Stroz Friedberg firm, 173
Sudden crises, 81
Suddeutsche Zeitung, Panama Papers leak, 334
Supervalu breach, 181
Suppliers of suppliers, 251–252
Supply chain risks
service provider access, 242–245
Swedesboro-Woolwich School District denial extortion, 343–344
Swedish, Joseph, 379
Sweeney, Latanya, 41–42, 49–50
Sweeney, Patrick J., 62
Sweet Orange exploit kit, 187
Swindoll, Charles, 199
Symantec, 16
breach, 239
small business attacks report, 183–185
Symantec Endpoint Protection, 200
Synchronized releases in megaleaks, 329–330
Syverson, Paul, 131
Takedown requests in exposure, 315–316
Tarbell, Christopher, 134
Target data breach
account and password management, 196
communications crisis, 206–221
data collected in, 6
Fazio Mechanical Services, 177
notifications, 6
personal communications, 212–214
profit losses, 18
response overview, 199
segmentation, 195
Taxpayer Advocate Service, 104, 136
Taxpayer Protection Program hotline, 104
TDO (TheDarkOverlord)
medical record sales, 137–138, 337–338
Netflix hack, 354
Teams
security, 117
Technology companies, hacking, 249–250
Technology supply-chain risks
hardware, 249
suppliers of suppliers, 251–252
Telang, Rahul, 10
Tentler, Dan, 253
Terrorism Risk Insurance Act (TRIA), 363
Terry, Nicolas P., 258
Texthelp developer, 395
TheDarkOverlord (TDO)
medical record sales, 137–138, 337–338
Netflix hack, 354
TheRealDeal market, 139, 337–338
Third-party dependencies in health data breaches, 284–288
Thomson, Lucy, 280
ThreatExpert service, 219
Time releases in megaleaks, 329–330
Timing in cyber insurance, 378–379
TJX breach, 10
Green Hat Enterprises, 161–162
liability, 163
point-of-sale vulnerabilities, 161
TMZ medical treatment revelations, 35
Trading breached data, 274
Transcendence image repair strategy, 240–241
TrapX firm
healthcare breach detection, 283–284, 286
Traveler’s insurance, 372
Trend Micro
spam research, 187
Trojans, 189
TRIA (Terrorism Risk Insurance Act), 363
Triggers
Trojans, password-stealing, 188–190
Trump, Donald, Access Hollywood tape remarks, 304
Trust
3 C’s, 62
Truven Health Analytics, 50
Truven Health System, 38
“TRW Credit-Check Unit Maintains Low Profile—and 86 Million Files,” 31–32
Tullman, Glen, 47
Two-factor authentication (2FA)
cloud, 399
smart phones, 100
Tylenol product tampering case, 81
U.S. Bank payment card breaches, 143–144
Ulbricht, Ross, 134
Unencrypted device exclusions in cyber insurance, 384
UnitedHealth insurance, 48
Unprotected personal information, 6–8
Unregulated data, notifications for, 64–65
Unreported breaches
UPS breach, 181
URM company, 227
Usernames, payments for, 138–139
Value-added services in cyber insurance, 386
Value as risk factor, 33
Vanity Fair report, 308
Vartanyan, Mark, 190
VBIR (Verizon Data Breach Investigations Report)
breach discovery methods, 203
healthcare breaches, 284
Vendors in health data breaches, 284–288
Verdugo, Georgina, 272
Verification of exposure, 310–312
Verini, James, 162
VERIS (Vocabulary for Event Recording and Incident Sharing), 18
Verizon
breach detection report, 12
password report, 398
Target penetration tests, 193, 196
Verizon Data Breach Investigations Report (VBIR)
breach discovery methods, 203
healthcare breaches, 284
Vickery, Chris, 395
Victims in exposure, 320
Video Privacy Protection Act, 43
Vietnam War, Pentagon Papers breach, 317
Virginia medical records breach, 275
Visibility in cloud breaches, 400–409
Vocabulary for Event Recording and Incident Sharing (VERIS), 18
Vulnerability management, 193–194
W-2 forms
tax fraud, 122
Walden, Greg, 71
Wall of Shame in HIPAA, 269
Wall Street Journal
ChoicePoint breach, 87
Walsh, Declan, 328
WannaCry ransomware, 247
War driving, 161
Washington Post
Access Hollywood tape, 304
ChoicePoint breach, 82
intercepted emails, 412
Pentagon Papers breach, 317
Washington state medical records, 49–50
Watering hole attacks, 185
Watson Health, 39
Watt, Stephen, 161
Weapons in cyber arsenals, 252–253
WebMD Health, 50
WebMoney service, 162
Website Billing Inc., 149
Webster, Karen, 235
Weld, William, 42
White, Jay, 158
WikiLeaks
description, 307
megaleaks. See Megaleaks
Tor onion routing, 314
Winning as a CISO, 115
Wire transfer fraud, 122
Wizner, Ben, 334
WordPress breach, 395
World Privacy Forum, 113
World’s Biggest Data Breaches & Hacks:
Selected Losses Greater Than 30,000 Records page, 280–281
Yahoo breach, 239
detection, 10
extent, 13
Yaraghi, Niam, 267
Yastremskiy, Maksym, 161–162, 169
Young, John, 315
Zeltser, Lenny, 33
Zero-day exploits preparing for, 246
supply chain risks, 240
Zero-day forensic artifacts, 408
ZeuS-in- the-mobile (ZitMo) function, 189
ZeuS/Zbot banking Trojan, 188–189
Zezev, Oleg, 355
Zurich American Insurance Co., 373