identity theft problem!

erosjellySecurity

Feb 23, 2014

Safeguarding Personally Identifiable Information (PII)

It happens once every 4 seconds, thousands of times a day, millions of times a year: that’s how many times experts estimate there’s a phony charge made with a stolen credit card number. …and this kind of fraud is just a fraction of the identity theft problem!

Agenda

- What’s New With DON Privacy?
- Definitions
- Elements of a Great Privacy Program
- The Basics about Identity Theft
- PII Breach Trends and Recent PII Breaches
- Phishing
- The DON SSN Reduction Plan
- Top 10 Privacy Lessons Learned
- Final thoughts…
- Privacy POCs

What’s New with DON Privacy?

- New DON CIO, Terry Halvorsen, Senior Military Component Official for Privacy, oversees DON Privacy Program
- SSN Reduction Plan Phase I for Forms underway
- DoD requirement to discontinue posting of last four of SSN to public facing web sites (e.g. promotion messages)

What’s New Continued…

- Hard Drive Disposal Policy Message
- Hard Drive Disposal Poster
- In chop, Draft Reduction of SSN Use in DoD Instruction
- Jan-Mar 2011 CHIPS Magazine with SSN focus available today
- Consolidation of DON Privacy functions/offices under review
- Privacy Awareness Posters

Personally Identifiable Information (PII) Definition

PII Definition: “…information about an individual that identifies, links, relates, or is unique to, or describes him or her, e.g., a SSN; age; rank; grade; marital status; race; salary; home/office phone numbers; other demographic, biometric, personnel, medical and financial information.” (DoD Memo 21 Sep 07)

Sensitive and Non-Sensitive PII

Sensitive PII, which may cause harm to an individual if lost/compromised:
- Financial information: bank account #, credit card #, bank routing #
- Medical data: diagnoses, treatment, medical history
- Full Social Security Number
- NSPS/Personnel ratings and pay pool information
- Place and date of birth
- Mother’s maiden name
- Passport #
- Numerous low risk PII elements aggregated and linked to a name

Non-Sensitive PII, all authorized use under DON policy and considered “low risk”:
- Badge number
- Job title
- Pay grade
- Office phone number
- Office address
- Office email address *
- Lineal numbers
- Full name

* Cautionary note: growing problem with email phishing

PII Breaches

A breach is defined by Office of Management & Budget as: “A known or suspected loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic”

Reporting required when a known or suspected loss, theft or compromise of PII occurs:
- Use OPNAV Form 5211/13 to make initial and follow up reports
- Send to US-CERT (United States Computer Emergency Readiness Team) within 1 hour of discovering a breach has occurred
- To the DON CIO Privacy Office within 1 hour
- To the Defense Privacy Office
- To Navy, USMC, BUMED chain of command, as applicable
- DON CIO Privacy Office will determine within 1 working day the need to notify affected personnel (weigh risk of identity fraud).
- Within 24 hours provide DON CIO follow up report.
- Within 30 days provide DON CIO lessons learned.

Seven Elements of a Great Privacy Program

- Leadership
- Risk Management and Compliance
- Information Security
- Incident Response
- Notice and Redress for Individuals
- Privacy Training and Awareness
- Accountability

Information Security

- Build security and privacy controls in early project development and all stages of lifecycle
- Privacy and security programs are complementary; they must work together
- Information security must be a priority and the message continually reinforced
- Need to know
- Take a “less is more” approach with PII collection

Incident Response

- If your office handles PII, written procedures must be in place to detect, report and respond to privacy incidents
- Timely response and mitigation of risk are critical
- The discovering contractor/vendor has an obligation to report the PII breach
- The accountable vendor has the responsibility of working with DON command to notify affected personnel
- Applying lessons learned is key

Privacy Training and Awareness

- Training reinforces policy and best practices and helps create a privacy culture
- All contractors under contract with DON must require all employees to complete annual PII training
- If responsible for causing a breach: proposed policy will require each individual to take PII refresher training

Accountability

- Take “big stick” approach or do nothing? Must be a balance
- Focus on correcting human error and malicious intent
- Ensure contracts include FAR PII language
- Take corrective action where there are program deficiencies and follow up
- Consider identity theft protection

IDENTITY THEFT IS REAL!


Basic Facts About Identity Theft

- FTC reports 8M+ of U.S. adult population has experienced ID theft in ’10, expect to see that grow during economic decline; most fraud costs are passed to businesses.
- In ’05 1.8M cases new account fraud; 6.5M cases existing account fraud.
- Account fraud only 23% of the problem!
- Crimes are still more often offline (90%) than online.
- Consumer controls 63% of potential ID theft problem; detects 47% of cases.
- Risk is greatest when information was stolen by someone targeting the data, e.g. hacker, burglar.
- ½ of known ID thieves were known by victim; ¼ were dishonest employees.
- Social Security numbers are “the most valuable commodity for an identity thief.” Can obtain from public records free or buy on internet for $25 per SSN.
- Phishing attacks aimed at ID theft a real and growing threat: banks, PayPal, bogus job offers.
- Generation X (25-34) highest fraud rate (5.4%); 65+ lowest.
- ID theft of children and people who are deceased, a growing problem.
- FYI, by law, consumer credit card liability is $50.00; debit card is $50.00 if reported within 48 hrs; $500.00 if reported w/in 60 days; after 60 days may lose all $’s in account plus overdraft amount!

ID Theft Trends

- Arrest warrants issued in victims’ names due to financial crimes: 24% to 62% increase*
- Fraudulent drivers licenses: 16% to 32% increase*
- Fraudulent employment: 13% to 41% increase*
- Fraudulent tax refunds: 11% to 59% increase*
- Received Government assistance with victims’ information: 6% to 27% increase*
- Additional 250,000 to 500,000 victims of medical identity theft reported each year*

These statistics represent the growth from 2006 to 2007.

*Information gathered by the IDTRC and Chicago Tribune

What Are the Fixes To Reduce ID Theft?

Must have a comprehensive, multi-faceted approach.

- Reduce/eliminate the supply of SSNs and “high risk” PII available to thieves
- Remove SSNs from all public records
- Remove the SSN from DoD and DON forms, when possible
- Reduce the display, storage and transmission of SSNs and PII
- Improve data and personnel security
- Create strict laws that make the sale of SSNs a crime
- Reduce the demand for SSNs by minimizing their value to ID thieves
- Require/encourage adoption of more effective authentication procedures by financial institutions
- Aggressively prosecute ID thieves

TRENDS and PATTERNS

- Increase in number of “insider” caused breaches
- Confirmed identity theft cases remain low
- Rise in incidents involving recall roster and spreadsheet attachments sent via email and shared drive disclosures
- Drop in incidents involving SSNs from 80% to 54% over the past 12 month period
- Decrease in number of impacted personnel by 50% over the past 12 months

Recent Breaches

- Used Navy copiers erroneously sold before hard drives sanitized. Error realized before copiers were received by new owner and recovered by DON. Contained PII and other sensitive info. Sep 09
- Unencrypted laptop stolen/missing from Naval pharmacy containing SSNs and patient names. Aug 09
- Employee downloaded PII to unencrypted CD, transferred to new command, soon after arriving lost the CD and filed a breach report. Oct 09
- Sailor and his civilian girlfriend were allegedly attempting to steal the identity of multiple staff members. Several staff members had complained about attempts being made to take out credit in their names. Jan 10
- PO2 sold PII of service members to group who created bogus tax returns. All returns mailed to same address! Apr 10
- Laptops stolen as part of “tech refresh” process. Some DAR protected, some not. Investigation ongoing. Sep 10

PII Breach Media

- Improving, but it only takes one
- Still #1
- Must have tight controls/permissions

PII Breach Media

- Sent to recipients “without a need to know” / unencrypted.
- What happens to the digital images when a copier is turned in?

Breach Causes (bar chart: Number of Incidents by cause, 0 to 180, for Human Error, Theft, Unknown, Postal, Insider Threat, Hacker)

Type of PII Lost, Stolen or Compromised (bar chart: Number of Incidents by PII type, 0 to 200, for SSN, Medical, Financial, NSPS, Passport)


Phishing

Phishing is the process of attempting to acquire sensitive information such as usernames, passwords or financial account details by masquerading as a trustworthy entity in an electronic communication.

- This is a growing activity within the DON.
- Perpetrators ask you to click a link back to a spoof web site. Doing so could subject you to the installation of key logging software or viruses.
- They use fear to motivate you to respond: “your account has been temporarily suspended due to recent fraudulent activity, we need you to verify your account information…”
- Never open emails from unknown sources or institutions soliciting:
  - Passwords
  - Credit card information
  - ATM/Debit Card number
  - Social Security Number
  - Bank/financial account number
- If in doubt about validity of the email, call their customer service number.
- Notify your network administrator. For NMCI go to: https://www.homeport.navy.mil/support/articles/report-spam-phishing/









- Web portals and shared drives
- Blogs
- Email
- Hackers
- Human error
- Insider threat
- Official and unofficial forms
- DON culture
- Malicious software
- Records management
- Disposal of storage media
- IT systems
- Contractor services
- Data mining
- Teleworking
- Spreadsheets
- Hard drives
- Flash storage media
- DAR encryption implementation
- Budget and resources
- Changing business processes

Acceptable SSN Uses

DoD Guidance lists 12 cases for Acceptable Uses of SSNs (Collection, Use, or Retention):

- Geneva Conventions Serial Number (on a timeline to change/eliminate SSNs from ID cards)
- Law Enforcement, National Security, and Credentialing
- Security Clearance Investigation or Verification
- Interactions with Financial Institutions
- Confirmation of Employment Eligibility
- Administration of Federal Worker’s Compensation
- Federal Taxpayer Identification Number
- Computer Matching
- Foreign Travel
- Noncombatant Evacuation Operations
- Legacy System Interface
- Other Cases (with specified documentation)


DRAFT DON SSN Reduction Plan

GOAL: Reduce or eliminate the use, display, collection, dissemination or storage of SSNs across the DON.

- Phase 1: focus on justifying continued use/collection of SSNs in official Navy/Marine Corps forms and IT systems.
- Phase 2: where SSNs are still needed and where applicable, substitute using the Electronic Data Interchange Personal Identifier (EDIPI).

Challenges:
- DoD must provide guidance on the use of the EDIPI; it must have controls or we create another SSN.
- Elimination of the SSN or substituting the SSN for another identifier will incur unfunded program costs.

Privacy Lessons Learned

- Support and involvement from senior leadership is key.
- Aggressive PII compliance spot checks with corrective action taken are very effective.
- Eliminate/reduce the use, display and storage of all PII whenever possible.
- Mark all documents containing PII with FOUO Privacy Sensitive warning.
- Ensure shared drive access permissions are established and routinely checked.
- Special care must be taken when moving, closing or consolidating offices that handle PII.
- Closely scrutinize employees/contractors that have access to PII.
- Paper documents and hard drive disposal methods must be better defined and tightly controlled.
- A command records management program with records disposal schedule is an effective tool for reducing PII.
- Campaign continuously to increase PII awareness.
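A worked example of the kind of PII compliance spot check the lessons learned above recommend, applied to a recall-roster spreadsheet export of the sort the trends slide names as a rising source of incidents. It applies the sensitive / non-sensitive split from the "Sensitive and Non-Sensitive PII" slide, including the rule that numerous low-risk elements aggregated and linked to a name become sensitive. This is added example code, not part of the original presentation or any DON tool; the column names, the SSN pattern, and the threshold of three low-risk elements alongside a name are assumptions, and the roster rows are constructed sample data.

```python
import csv
import io
import re

# Sensitive PII elements, following the "Sensitive and Non-Sensitive PII" slide.
# Column names are assumptions for this example.
SENSITIVE_FIELDS = {
    "ssn", "bank_account", "credit_card", "bank_routing", "diagnosis",
    "medical_history", "nsps_rating", "pay_pool", "date_of_birth",
    "place_of_birth", "mothers_maiden_name", "passport",
}
# Low-risk elements that become sensitive when aggregated and linked to a name.
LOW_RISK_FIELDS = {
    "badge_number", "job_title", "pay_grade", "office_phone",
    "office_address", "office_email", "lineal_number",
}
NAME_FIELD = "full_name"
# Assumption: "numerous" low-risk elements means three or more beside a name.
AGGREGATION_THRESHOLD = 3

# Assumed SSN pattern: nine digits, optionally grouped 3-2-4 with dashes or
# spaces. A 3-3-4 office phone number does not match this shape.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Constructed sample roster export (not real people or identifiers).
SAMPLE_ROSTER = """full_name,pay_grade,office_phone,office_email,badge_number,ssn,notes
Jane Doe,E-5,703-555-0101,jane.doe@example.mil,44812,123-45-6789,
John Roe,O-3,703-555-0102,,,,
Alex Poe,GS-12,703-555-0103,alex.poe@example.mil,,,"call back, ref 987 65 4321"
"""


def classify_record(record):
    """Return ("sensitive", reasons) or ("low risk", []) for one roster row."""
    present = {k for k, v in record.items() if v and v.strip()}
    reasons = sorted(present & SENSITIVE_FIELDS)
    low_risk_count = len(present & LOW_RISK_FIELDS)
    # Aggregation rule: low-risk elements linked to a name are treated as sensitive.
    if NAME_FIELD in present and low_risk_count >= AGGREGATION_THRESHOLD:
        reasons.append(f"{low_risk_count} low-risk elements linked to a name")
    return ("sensitive" if reasons else "low risk"), reasons


def find_ssns(text):
    """Return SSN-looking values in free text, masked to the last four digits."""
    return ["***-**-" + m.group(3) for m in SSN_RE.finditer(text)]


def spot_check_csv(csv_text):
    """Scan a CSV export and report, per data row, its level and why."""
    findings = []
    # Data rows start on line 2; line 1 is the header.
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        level, reasons = classify_record(row)
        # Also catch SSNs typed into free-text columns such as "notes".
        ssns = find_ssns(",".join(v or "" for v in row.values()))
        if ssns and "ssn" not in reasons:
            reasons.append("SSN pattern found in a non-SSN column")
            level = "sensitive"
        findings.append({"line": lineno, "level": level,
                         "reasons": reasons, "ssns": ssns})
    return findings


if __name__ == "__main__":
    for f in spot_check_csv(SAMPLE_ROSTER):
        print(f"line {f['line']}: {f['level']}; "
              f"{'; '.join(f['reasons']) or 'no findings'}; ssns={f['ssns']}")
```

Rows that come back as "sensitive" are the ones that, under the slide's own classification, should not leave the command unencrypted or go to recipients without a need to know; masking the matched SSNs to their last four digits keeps the check's own output from becoming another copy of the data.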

Some final thoughts…

- Penalties under the Privacy Act apply to contractors
- Revisions to the FAR under discussion
- Consider credit monitoring for vendor caused breaches
- Doncio.navy.mil web site is a great privacy resource: FAQs, PIA Gouge, Breach Reporting Forms, Credit Monitoring Info, Privacy Reading List, Table Of Consequences, Posters, Tips of the Month
- PII Info Alert

DON Privacy POCs

STEVE MUCK, DON CIO, DON Privacy Team Lead
Phone: (703) 601-0081
Email: steven.muck@navy.mil

MICHELLE SCHMITH, DON CIO
Phone: (703) 602-6110
Email: michelle.schmith@navy.mil

STEVE DAUGHETY, DON CIO
Phone: (703) 602-6393
Email: steve.daughety1.ctr@navy.mil

ROBIN PATTERSON, OPNAV DNS-36, DON Privacy Act Program Manager
Phone: (202) 685-6545
Email: robin.patterson@navy.mil

DEBORAH CONTAOI, OPNAV DNS-36
Phone: (202) 685-6546
Email: teri.contaoi.ctr@navy.mil

MAJOR PRASSERTH YANG, HQMC C4 CYBER SECURITY DIVISION, Identity Management Branch Head
Phone: (571) 256-8862
Email: prasserth.yang@usmc.mil

SAM YOUSEF, HQMC C4 CYBER SECURITY DIVISION, PII/PIA Analyst
Phone: (571) 256-8876