The Herald of Everett, Washington

A lingering crime for all

By Deborah M. Todd
Pittsburgh Post-Gazette
For shadowy cybercriminals who find backdoor access to stores of personal data, the process of hijacking identities and pocketing stolen cash can be instantaneous. For institutions hit by cybertheft, however, discovering that a breach exists, finding the source and stopping the bleeding is usually a monthslong process of investigation that leaves the identities and bank accounts of those affected at the mercy of the thieves.
“Companies want to figure out exactly how a breach happened, but it’s not so simple,” said Charles Wood, Duquesne University assistant professor of information systems management. “Target found out there were problems after some of their customers had credit cards issued under their name in Eastern Europe. (Target) didn’t know how it happened until they launched an investigation and eventually found the vulnerability.”
Thousands of employees of the University of Pittsburgh Medical Center discovered the frustrating aftermath of cybercrime firsthand after a February data breach exposed their names, addresses, Social Security numbers and other W-2 information during the peak of tax season.
What UPMC officials said they initially believed was tax fraud involving a few dozen employees turned out to be an attack that affected approximately 27,000 employees, 788 of whom had false tax returns filed in their names. Last week, UPMC sent out paper and email notices to more than 12,000 employees telling them personal information from their W-2 forms was definitely extracted during the breach. The information of an additional 14,000 may have been viewed during the breach.
A lawsuit seeking class-action status on behalf of employees impacted by the breach was filed in February by Michael Kraemer of Pittsburgh law firm Kraemer, Manes & Associates LLC.
UPMC’s response of notifying all 62,000 hospital employees of the breach and offering professional services and reimbursement to individuals impacted falls in line with industry standards established during massive breaches at retailers Target, Neiman Marcus and, most recently, craft store Michaels.
But with the scope of UPMC’s breach involving critical Social Security data rather than easily canceled credit card information, some employees are wondering if the company should have found a way to warn those who were directly impacted sooner.
According to Doug Pollack, chief strategy officer for Portland, Ore.-based data breach prevention and response company ID Experts, deciding between the earliest possible notification of those directly affected and blanket notification of all who potentially could be impacted is a tough call.
“It can become a judgment call between speed vs. accuracy,” Pollack said. “It took some time to understand the total scope of the population affected, so that sacrificed immediate notification and might have caused employees to go through troubling issues they could have avoided if they had known sooner.”
On the other hand, Pollack said, the opposite approach of informing victims immediately after discovering data were stolen could have caused panic among thousands of employees who still are waiting on a final verdict regarding the safety of their personal information.
“Most practitioners would prefer not to do creeping notification,” he said. “Best practices tend to be to do enough analysis to understand what happened, then make a judgment call about who to notify. Out of an abundance of caution, most want to notify as broad an audience as they can so they can take steps to protect themselves, whether they are affected or not.”
With or without early notification, affected employees must initiate a relationship with the IRS that begins with identity theft forms and continues for years with an identity theft PIN used to confirm that future tax filings are made by the right person.
Beyond taxes, Pollack said, victims must keep constant watch over bank accounts and credit reports for the foreseeable future to ensure their personal information isn’t funding someone else’s mortgage or luxury vacation.
For corporations hoping to avoid similar attacks, Duquesne’s Wood said old-school paper storage could be the best solution for personal data because it isn’t a question of if a copycat cyberattack will occur; it’s a question of when.