Cyber criminals increasingly target personal and health information

By Susan Yellin | September 03 2015 09:00AM

The insurance industry lags behind its banking cousins when it comes to cyber security, but is beginning to catch up as cyber criminals find it more lucrative to steal personal and health information than banking data, KPMG experts told a recent seminar in Toronto.

Banks have been investing more into people and financial resources to strengthen their cyber security because they have been targeted for a longer period of time, said Paul Hanley, KPMG’s cyber security lead partner, Canada.

Because banks have been at the forefront of dealing with these issues, it’s helped put them into a stronger position than insurers, Hanley said. “That’s not to say that the insurance companies have been lazy or anything like that – they have obviously been trying to deal with these risks and threats. But I think, quite often, they haven’t had that many resources available – whether funding or people – to be able to deal with this.”

An increasing number of insurance companies – both in the life and property and casualty arenas – are now trying to deal with the ever-growing cyber-security issue, identifying their company strategy and being clear in terms of what they need to do to try to meet those requirements, he said in an interview following the July seminar.

Banking information tends to be easier for cyber criminals to crack, but personal and health data is more profitable in the long run for hackers who gain access to the “dark side of the internet” and, using special hardware and software, sell the information to the underground economy, said Kevvie Fowler, cyber forensics lead partner with KPMG in Canada.

A study Fowler undertook indicates that from 2013 to the present, financial data was much less likely to be breached and stolen than personal and health data.

Longer shelf life

Part of this has to do with the fact that banks have become proficient in identifying fraud and cancelling information very quickly, while there is a longer “shelf life” for personal and health data, he said.

“The shelf life [for financial data] can be anywhere from a few days to a few weeks up to a month. But if you look at personal and health information, it’s very difficult to cancel your identity and your health information. So it’s a longer shelf life,” said Fowler. “The bad guys can actually steal this information and have a longer period of time that they can sell it without the information expiring. That makes it a better target for the bad guys. They might steal 40 million records – odds are they can actually sell 40 million records from a health and personal information standpoint.”

A cyber criminal can use the same information for multiple sites for fraud, said Fowler, noting that while user name and passwords typically sell for $5.60 each, health and medical records are “top of the food chain” selling for $42.62 each.

Hanley said a number of organizations have not been able to get a good handle on how to deal with cyber breaches.

What they should be doing, he said, is creating a well-defined security strategy with specific responsibilities assigned throughout the company. “Organizations have heard about cyber security, they want to do something about it, so they often go ahead and bring in a tool, a piece of technology they hope will be a silver bullet that will protect them and they can go about doing their normal business. That never works. You have to make sure you have a clear strategy in place that is thinking about people, processes and technology.”

Dealing with vulnerabilities

While fixes to current technology or breaches can be costly, there are much less expensive ways to deal with vulnerabilities, including using “patches,” he said. Companies also need to keep up to date about what’s going on in the cyber security world, including talking to competitors and third-party organizations, said Hanley.

Compliance has taken a major shift toward security both at home and abroad. In Europe, said Hanley, a company can be fined up to 2% of global revenues if there is a cyber-security breach. Canadian companies are not immune because if they have offices there or even take data from companies operating in Europe, they may be subject to the same kinds of penalties, he said.

In Canada, the Office of the Superintendent of Financial Institutions (OSFI) has served notice that it not only wants to know from financial services companies what controls they have in place, it also wants to be able to gauge their effectiveness, said Fowler. As well, Canada’s new Privacy Act, which went into effect in mid-June, requires a mandatory breach notification to the Privacy Commissioner plus potentially affected individuals. Previously, a company had to contact the privacy commissioner, who would then notify the clients if a breach had occurred. Now that has changed and both need to be notified, increasing costs to companies. Penalties for knowingly violating the notification requirements can be up to $100,000 a violation.

Even if companies have excellent cyber security, they can still be hacked via a company’s third-party provider. He suggested firms ensure they conduct their due diligence on the outside party and make sure data is handled appropriately and destroyed according to the regulations.

Rapid technology change has allowed many companies to data mine client information to give them insight into what their customers want. But Fowler noted companies must ensure they have client consent to do this. Recently, Bell Canada was hit with a $750-million class-action lawsuit over alleged breaches of privacy after its subsidiaries allegedly tracked, collected and sold information to their advertisers. Bell cancelled the program.

Hanley said companies now need to think holistically by embedding good security practices across the business, including compliance and IT. “Cyber security is here to stay. It needs to be thought about on an ongoing basis.”

Ransomware gains momentum

While the security industry constantly looks for new and improved ways to deter – or at the very least – shorten the amount of time a company system is hacked, cyber criminals and hacktivists are busy coming up with new ways to breach these more secure systems.

  • One gaining momentum is ransomware. This malware, easily spread through email attachments and compromised websites, encrypts a victim’s data and demands payment to release the encryption key. While typically a few hundred dollars, Fowler said ransomware is likely to increase dramatically this year as it goes after “nano” ransoms of $1 to individual cellphone owners to unlock their mobile devices. (It may sound like small potatoes, but by next year, the global smartphone audience is expected to surpass two billion.)
  • Cyber extortionists will continue as many companies pay up rather than face the consequences.
  • Cyber criminals will increasingly target business customers rather than personal accounts because of the hope of a potentially higher return.
  • Targeted, content-based infections will continue.
  • As the cost of stolen credit card and email credentials falls because of the great supply available on the dark side of the internet, hackers will become more daring in their exploits.
Related to the same topic …