Data breaches are becoming more common, and you need to be aware of the risks to effectively protect your business. A breach of consumer data can destroy the trust you have built with your consumers. When your company’s revenue relies on your reputation, consumer trust is your greatest asset. Below are five data breach statistics that you should know, along with some tips on how to protect your company.

1. There were 1,862 data breaches in 2021, breaking the previous record[1]

This number surpasses both 2020’s total of 1,108 and the previous record of 1,506 set in 2017. Eva Velasquez, president and CEO of the Identity Theft Resource Center, called the number of breaches “alarming” and went on further to say, “There is no reason to believe the level of data compromises will suddenly decline in 2022.” The rise in breaches underscores the urgency for organizations to ensure compliance with regulations like the California Consumer Privacy Act (CCPA) and HIPAA to properly secure data (or face hefty fines). This is made more challenging as organizations struggle to adapt to more remote work practices while trying to manage the massive amounts of data they hold. Practicing good cyber hygiene is essential to protecting your and your consumers’ personal information.

2. Ransomware attacks in the U.S. alone account for 30% of all cyberattacks last year[2]

At Experian, we’ve seen an even higher occurrence of 59% of the events serviced in 2021. These types of events have nearly doubled in the last two years, and at this rate of growth, ITRC said ransomware will surpass phishing as the top cause of data breaches in 2022. Ransomware events take, on average, over 20% more time to begin, which means more lost time and money for your organization.

3. The average ransom demand was $5.3 million which is a 518% increase from the 2020 average of $847,000.[1]

A data breach not only costs your organization money, but also your time, resources, and reputation. 
Hackers are getting smarter and more sophisticated with their attacks and demands, making it harder for organizations to respond effectively. Experian’s 2019 Data Breach Consumer Survey Report revealed that if you are breached, consumers want to know about it within 24 hours.[2] If you do not have a response plan in place, a mass notification in an emergency can overwhelm your resources and damage the trust you have built with your customers.

4. 95% of cybersecurity breaches are due to human error[3]

Most data breaches can be prevented if you take the right precautions. The best way to avoid a data breach is by providing your employees with proper training, such as phishing awareness. This will help them identify any malicious emails or websites that might expose company information and reduce the likelihood of your organization being hacked. In addition to employee training and awareness programs, organizations should look to bolster their cybersecurity measures with tools like threat detection, multi-layered defense mechanisms, and routine security audits to identify vulnerabilities before bad actors do.

5. 90% of consumers are more forgiving of companies that had a response plan in place prior to the breach.[4]

If your organization does not have a response plan in place, it could be game over for your brand. A significant number of survey respondents (81%) would stop engaging with a brand online following a data breach.[5] The expectation from consumers is that a company is always responsible for protecting data. Building consumer trust is key to maintaining lasting customer relationships and managing your company’s bottom line. Should a breach occur, it’s critical for organizations to effectively manage the breach with a comprehensive incident response plan to mitigate the impact on your customers.

Unfortunately, data breaching is a problem that is here to stay. At Experian, breaches are our business. 
We know ransomware breaches have more complex FAQs, letter versions, and increased call center escalations.

[1] Identity Theft Resource Center. 2021. 2021 Data Breach Report.
[2] Verizon. 2021. 2021 Data Breach Investigations Report.
[3] Palo Alto Networks. 2021. Extortion Payments Hit New Records as Ransomware Crisis Intensifies.
[4] Experian. 2019. Data Breach Consumer Survey.
[5] Cybint Solutions. 2020. 15 Alarming Cyber Security Facts and Stats.
[6] Experian. 2019. Data Breach Consumer Survey.
[7] Business Wire. 2019. 81% of Consumers Would Stop Engaging with a Brand Online After a Data Breach, Reports Ping Identity.
Experian has been a sponsor of the Annual Ponemon Data Breach Preparedness Study for nine years. During this time, I’ve seen companies change their operations to address the influx of increasing threats and evolve their infrastructure to prepare and react. Although I’ve had a front-row seat in this fast-changing situation, somehow, every year, the results of this study still surprise and intrigue me.

Speaking of Infrastructure, Let’s Talk Supply Chains

The 2022 report explores the value of Business Continuity Management (BCM) and Crisis Management plans to minimize a data breach’s consequences. This topic is similar to one highlighted in our 2022 Data Breach Industry Forecast, which echoes that companies and organizations should expect these two areas to gain momentum, a finding based on predictions that natural disasters will continue to complicate supply chains. Also, the Forecast indicates that infrastructure cyberattacks will increase among the electrical grid and transportation networks.

This Year’s Surprise

Given all that we know and have gathered about data breaches over almost a decade, it was shocking to learn that this year’s Ponemon study found that only 56 percent of organizations have a BCM plan, and 53 percent have a crisis management plan. I seriously thought those numbers would be significantly higher. It goes to show there’s much more opportunity, learning, and preparation to go around.

Cyber Threats and Third Parties

The 2022 report also demonstrated third parties’ role in data breaches. We saw that third parties in the supply chain were the cause of 50% of reported breaches, which increased to 53% when looking at only U.S.-based companies. This data point is critical because as dependence on third-party vendors increases to improve customer experience, adapt to remote work, or improve operations, companies need to be more diligent in checking the cybersecurity protocols of their partners. If not, vulnerabilities to cyber threats can increase. 
Also, a lack of adherence to ever-changing government regulations could cause legal troubles. I’ll close with one last point I found interesting: While 91% of organizations have data breach plans in place, only 56% require an audit of third parties, exposing them to a breach. This information illuminates the point that companies need to consider all facets of their business when planning for a data breach – that’s one thing that shouldn’t come as a surprise.
New Year, New Cyber Threats

This is my first blog post of 2022, and I’m afraid the news I’m here to bear isn’t ideal: cyber attack stakes are high. In 2022, hackers are literally betting on a growing market spreading online across the U.S. Before I get into our Data Breach Industry Forecast, let’s take a quick look back.

In 2021, we witnessed a sea change in digital connectivity and activity during the pandemic. As vaccines became widely available and distributed, the recovery, on all fronts, felt close. But now, as new variants continue to develop and spread, it seems like we are in a one-step-forward, two-steps-back scenario—what the Ninth Annual Experian Data Breach Industry Forecast calls the “Cyberdemic Hangover.” As we aim for stability in 2022, companies must continue to secure weak technologies, and consumers must be vigilant in their daily digital lives. The 2022 Data Breach Industry Forecast report tells the story of what we’re facing this year better than I can, so I encourage you to download a copy. However, here’s a preview of one prediction to get you started.

Hackers Bet on New Gamblers

Again, cyber attack stakes are high. The online gambling market reached more than $70 billion globally in 2021. With more U.S. states legalizing online sports, cyber thieves will look to place scams, particularly phishing scams, on the likes of fantasy sports sites and more. The possible targets will add up over the course of the year as this market grows and alternative payments like cryptocurrency become more widely accepted.

Experian’s deep expertise in helping companies navigate more breaches over the last 18 years informs the other four predictions. To find out the other areas hackers are hoping to cash in on this year, download the predictions now.
Hackers are playing the game of data compromise, and they are winning. At this point, companies of all sizes, from all industries, know that consumers have a growing desire to take control of their data and digital privacy. In case you missed the latest webinar and whitepaper release from Javelin Strategy & Research, it makes three things clear about consumers’ current attitudes about fraud and its impact on businesses.

1. Consumers are much more privacy-aware

In 2020, consumers turned to social media and telecommunicating platforms to work, stay in touch with friends and family networks and learn. While the broad-scale increase provided a way for global commerce and connections to continue during the worldwide pandemic, it also accelerated cybercrime. The influx of internet traffic created a ready-made environment for fraudsters to profit from consumers in a big way, primarily through scams. Scams were so profitable that they accounted for $43 billion of the $56 billion reported ID fraud losses last year.1

2. Consumers blame Financial Institutions for fraud. It’s the main reason they leave.

When consumers experience fraud, they blame their financial institutions, even if the loss has nothing to do with the institution or its business’s responsibility to the consumer. This attitude shows that consumers hold FIs accountable for their data protection. And when they don’t get it, they take their expectations and their business elsewhere. The data shows the proof. In 2020, 38% of consumers closed a bank account affected by fraud, with 69% saying their primary FIs did not resolve their fraud concerns or losses.1 As the saying goes, perception is reality, and in the case of fraud, consumer thoughts have real consequences for organizations.

3. Consumers leave when breaches happen

This point is simple: consumers leave even when personally identifiable information (PII) or other data is not stolen. 
Be prepared with a playbook or be ready to lose consumer trust

To improve the customer experience, build trust and reduce risk, companies need a playbook — a fraud resolution and breach response playbook — a solid plan that falls under their existing business and continuity disaster recovery plan. Why? Because consumers need to know and, more importantly, trust that companies are prepared to react quickly and deliver resolution when a network intrusion occurs.

According to Javelin Strategy & Research data, fraud resolution is the best way to retain customers and members. In addition, consumer perception of cybersecurity plays a significant role in consumer attrition and retention. Again, even if personal information is protected, if your organization is attacked, consumers are more likely to stop doing business with your organization, even if no data was compromised. This means cybersecurity and fraud prevention empowerment is a game-changer, driving 22% of consumers’ satisfaction ratings with online banking.2

When building your playbook, consider two core things:

1. Make sure it’s well-developed

A comprehensive fraud resolution and breach response should include a solid approach to collaborate with consumers when fraud occurs. Ensuring your plan includes fraud, cyber, and marketing communications teams will help your company act swiftly and build consumer confidence.

2. Don’t just encrypt data; strengthen perimeter security.

Strong perimeter security will ensure safe interactions with consumers. Even if personal information is protected, consumers will perceive a penetration of the network as a breach and will be more apt to stop doing business with your company.

At Experian, preparedness is our business. We know how important fraud resolution and breach response is to your customer’s experience. Developing a solid playbook is key to that experience, building trust and reducing risk. 
To learn more, read the Giving Consumers Control and Enhancing Fraud Prevention whitepaper, watch the Empowerment and Fraud Prevention are Key webinar and find out how to protect your business with Experian’s Global Data Breach Solutions. 1 Javelin Strategy & Research. March 2021. 2 Javelin Strategy & Research. June 2021.
As today’s fastest-growing form of criminal activity, cybercrime is expected to cost organizations $6.1 trillion worldwide this year alone,1 with attacks on enterprises now occurring every 11 seconds2. But despite increasingly widespread growth in corporate IT security awareness, the importance of putting a sound data breach preparation plan in place for protecting your customers’ privacy and data can’t be overstated. Given the scale of IT security threats, it bears reminding: Network compromise is now largely a matter of when, not if, for most businesses.

As a result of this shift in security and operating environments, it’s important for enterprise leaders to note the six key reasons that most data breach responses fail:

No Budget: Despite the seeming inevitability of a data breach, most companies’ average annual budget for a consumer response is exactly $0. Many companies and security teams believe they are fully prepared or won’t be targeted. But with losses due to ransomware attacks up 225% lately in the US alone3, it can be an expensive gamble to make.

Never Tested: Even if a company does have a data breach response plan in place, it has not usually been stress-tested via live exercises and drills. Having a plan in place is a great first step, but unless you test it in a live breach simulation or exercise, you can’t be certain the plan will be successful.

Unknown Impact: It can be hard to know how much of your customer population has been impacted by the breach. Your plan needs to be flexible enough to accommodate both small and massive breaches.

No Estimate: Data breach responses also fail because there is no estimate for the scale of phone calls, emails, and complaints that may be received. To put things in perspective: A small data breach is MUCH different and easier to remedy than one involving millions of records.

Slow to Respond: By law, firms that suffer a data breach must now report the incident to government authorities within 72 hours. 
Failure to address increasing regulatory compliance and information sharing needs (which demand greater oversight and overhead from organizations) can come with hefty fines.

No SLAs: Companies often don’t have the necessary agreements to guarantee the infrastructure and staff to assist consumers with resolving their cases. Having a dedicated, guaranteed number of call center agents ready to go when a company experiences a data breach is invaluable.

To improve your odds of successfully defending against and responding to breaches, you’ll want to focus on strengthening four areas of operations:

Guarantee Resources: Ensure that you have dedicated security resources prepared to react to threats on the turn of a dime. Your SLAs should include well-trained, certified call center agents and the infrastructure ready to go. This should include scalable and high-quality identity protection services to resolve harm to your customers.

Readiness Testing: Failing to plan (i.e. not stress-testing your recovery plan prior to incidents occurring) is like planning to fail. By rehearsing your disaster response and recovery strategies, you’ll be able to identify any points of failure and shortcomings that you can improve upon before actual concerns arise.

Regulatory Needs: Emphasize quick and accurate responses to regulator inquiries by understanding the specifics for your industry and business.

Communications: Having a corporate communications plan ready to go in real-time is also key. Connect with your communications team to create a communications response plan prior to any incidents occurring so that all you largely need to tweak are specifics on the day of the event.

According to studies by IBM, companies can save $1.2 million off the cost of data breaches by having an incident response plan in place and extensively testing it before cyber threats strike. Bearing this in mind, the best defense against digital dangers is a good offense. 
Experian’s Reserved Response™ was created to help organizations take a proactive approach to data breach response planning. Deploy it to put an end-to-end game plan in place and implement a step-by-step playbook that workers can follow in the event of an incident. You’ll also guarantee that your organization gains the necessary manpower, infrastructure, and response readiness needed to ensure ongoing network resilience and a speedy recovery should disaster strike.

1 Cybersecurity Ventures, Annual Cybercrime Report 2020
2 Cybersecurity Ventures, Cybercrime to Cost the World $10.5 Trillion Annually by 2025
3 Cybereason, Ransomware: The True Cost to Business Study 2021
Ransomware needs to be on your radar. Here’s why.

Ransomware review

Ransomware is a cyberattack where cybercriminals take over an organization’s computer network with malware. Once they assume control, the criminals demand a ransom to restore the victim’s encrypted data access. With an estimated generation of $412 million in 2020 alone[1], the frequency of these attacks is growing. At Experian, we handle many data breach cases and know that 7 of 10 breaches involve ransomware.

This summer, NetDiligence dedicated a panel at its Cyber Risk Summit on the Lifecycle of a Ransomware Event and invited us to talk about our solutions to help business leaders prepare to minimize interruptions spurred by ransomware. The lifecycle of a ransomware attack includes five stages:

1. Attack

Bad actors attack to discover assets, take data, extort it for direct payment, or profit from reselling data on the dark web. They can also launch a ‘double-take’ attack: first collecting ransom to access data and demanding secondary payment to keep it off the dark web. Hackers prey on company networks, searching for vulnerabilities and accessing encrypted files through phishing or planting malicious links to infect the network with malware. More than double the global rate of 14%[2], U.S. ransomware attacks have become more aggressive, accounting for 30% of all cyberattacks in 2020[2]. At Experian, we’ve seen an even higher occurrence, with 59% of the events serviced in 2021 to date involving ransomware.

2. Discovery

Once attackers infiltrate a system, they demand a ransom for the decryption key to unlock the encrypted files. Companies usually discover the attack through a ransom note emailed to an executive, a file left on a server, or even a flashing warning on all connected computers. They leave a message including their contact information, ransom sum, payment delivery time, and consequences for unmet conditions, such as tipping off the media, releasing stolen data, or selling it on the dark web. 
Next, companies will contact their cyber insurance carrier to log stolen information, get systems back online, navigate legal issues, and facilitate hacker negotiations. Since only about one-third of companies have cyber insurance, most will rush to hire cybersecurity counsel post-attack[3], amounting to more stress and delays since it can take months for large companies or those without backups to determine the extent of the damage. At Experian, almost all events involving ransomware take about 20% more time to begin breach notification. Whether there is an incident plan in place or not, companies experience immense panic.

3. Negotiation

Typically, a company will hire a professional, either directly or through their cyber insurance, to negotiate with hackers. While hackers expect price haggling, the ransom price could still be hefty. According to the cybersecurity firm, Coveware, the average ransom was $154,000 in Q4 2020, down from $230,000 the year before[4]. But hackers can drive up the price. Prime example: JBS, the world’s largest meat processor, paid an $11 million ransom in June 2021 to prevent customer data from being compromised.

In a perfect world, the ransomware negotiation process goes this way:

- Establish communication with the attackers
- Obtain proof of decryption
- Obtain data exfiltration proof
- Negotiate a (huge) discount
- Celebrate

Unfortunately, negotiations can be tricky, and the process rarely goes this way. Sometimes attackers go “dark” or request additional payments. Additionally, decryption tools may have bugs that skip mapped network drives or skip folders with long paths and unusual characters. An investigation is key to determine how hackers got in, what was exposed, and if they still have access—knowing exactly how and what was compromised will help in the negotiation.

4. Settlement

After the ransom negotiations are over, companies must carefully consider the strategy behind the decision to pay or not to pay the ransom. 
The FBI generally discourages ransom payments because they may entice other criminals to engage in ransomware and paying does not guarantee data recovery. Additionally, the Office of Foreign Assets Control (OFAC) has payment bans and restrictions that support national security; these must be upheld, or companies face fines. At this stage, companies need to ensure that the ransom settlement does not violate constantly evolving regulations. If companies settle, the payment will typically be delivered via cryptocurrency like Bitcoin since it is harder to detect the payees. The hackers will mix the bitcoin with others, diluting the currency flow and making it difficult to trace.

5. Post-Event

For many companies, the settlement is just the beginning of ransomware attack costs. Companies will also have to pay to restore back-ups, rebuild systems and implement stronger cybersecurity controls to avoid future attacks. As discussed at the Cyber Risk Summit, here are five recommendations for companies to enforce tighter cyber control:

- Advanced Endpoint Monitoring System
- Restrict Remote Desktop Protocol (RDP)
- Regularly Update Software and Operating Systems
- Implement Password Management Policies
- Establish and Update Incident Response Plan and Ransomware Playbook

Ransomware is just getting started. To minimize the impact of an attack, companies should create a proactive preparedness plan. Determining how to protect and scan for threats, establishing negotiation and payment rules, and planning external breach communications are critical.

Breaches are our business at Experian. We know ransomware breaches have more complex FAQs, letter versions, and increased call center escalations.

Sources:
[1] Washington Post, “How Ransomware Attacks Work”, July 2021
[2] Verizon 2021 Data Breach Investigations Report
[3] Washington Post, “Ransomware Axa Insurance Attacks”, June 2021
[4] Coveware, “Ransomware Marketplace Report”, Q4 2020
The ongoing COVID-19 pandemic has facilitated an increase in information collection among consumers and organizations, creating a prosperous climate for cybercriminals. As businesses and customers adjust to the “new normal,” hackers are honing in on their targets and finding new, more sophisticated ways to access their sensitive data.

As part of our recently launched Q&A perspective series, Michael Bruemmer, Experian’s Vice President of Data Breach Resolution and Consumer Protection, provided insight on emerging fraud schemes related to the COVID-19 vaccines and how increased use of digital home technologies could lead to an upsurge in identity theft and ransomware attacks. Check out what he had to say:

Q: How did Experian determine the top data breach trends for 2021?

MB: As part of our initiative to help organizations prevent data breaches and protect their information, we release an annual Data Breach Forecast. Prior to the launch of the report, we analyze market and consumer trends. We then come up with a list of potential predictions based off the current climate and opportunities for data breaches that may arise in the coming year. Closer to publication, we pick the top five ‘trends’ and craft our supporting rationale.

Q: When it comes to data, what is the most immediate threat to organizations today?

MB: Most data breaches that we service have a root cause in employee errors – and working remotely intensifies this issue. Often, it’s through negligence; clicking on a phishing link, reusing a common password for multiple accounts, not using two-factor authentication, etc. Organizations must continue to educate their employees to be more aware of the dangers of an internal breach and the steps they can take to prevent it.

Q: How should an organization begin to put together a comprehensive threat and response review? 
MB: Organizations that excel in cybersecurity often are backed by executives that make comprehensive threats and response reviews a top corporate priority. When the rest of the organization sees higher-ups emphasizing the importance of fraud prevention, it’s easier to invest time and money in threat assessments and data breach preparedness.

Q: What fraud schemes should consumers be looking out for?

MB: The two top fraud schemes that consumers should be wary of are scams related to the COVID-19 vaccine rollout and home devices being held for ransom. Fraudsters have been leveraging social media to spread harmful false rumors and misinformation about the vaccines, their effectiveness and the distribution process. These mistruths can bring harm to supply chains and delay government response efforts. And while ransomware attacks aren’t new, they are getting smarter and easier with people working, going to school and hosting gatherings entirely on their connected devices. With control over home devices, doors, windows, and security systems, cybercriminals have the potential to hold an entire house hostage in exchange for money or information.

For more insight on how to safeguard your organization and consumers from emerging fraud threats, watch our Experian Symposium Series event on-demand and download our 2021 Data Breach Industry Forecast.

About Our Expert: Michael Bruemmer, Experian VP of Data Breach Resolution and Consumer Protection, North America

Michael manages Experian’s dedicated Data Breach Resolution and Consumer Protection group, which aims to help businesses better prepare for a data breach and mitigate associated consumer risks following breach incidents. With over 25 years in the industry, he has guided organizations of all sizes and sectors through pre-breach response planning and delivery.
Preventing account takeover (ATO) fraud is paramount in today’s increasingly digital world. In this two-part series, we’ll explore the benefits and considerations of a Defense in Depth strategy for stopping ATO.

The challenges with preventing account takeover

Historically, managing fraud and identity risk in online banking has been a trade-off between customer experience and the effectiveness of fraud controls. The basic control structure relies on a lock on the front door of online banking—login—as the primary authentication control to defend against ATO. Within this structure, there are two choices. The first is tightening the lock, which equals a higher rate of step-up authentication challenges and lower fraud losses. The second is loosening the lock, which results in a lower challenge rate and higher fraud losses. Businesses can layer in more controls to reduce the false positives, but that only allows marginal efficiency increases and usually represents a significant expense in both time and budget to add in new controls.

Now is the perfect time for businesses to reassess their online banking authentication strategy for a multitude of reasons:

- ATO is on the rise: According to Javelin Strategy & Research, ATO increased 72% in 2019.1
- Users’ identities and credentials are at more risk than ever before: Spear phishing and data breaches are now a fact of life, leading to reduced effectiveness of traditional authentication controls.
- Online banking enrollments are on the rise: According to BioCatch, in the months following initial shelter-in-place orders across the country, banks have seen a massive spike in first-time online banking access.
- Users expect security in online banking: Half of consumers continue to cite security as the most important factor in their online experience.

Businesses who reassess the control structure for their online banking will increase the effectiveness of their tools and reduce the number of customers challenged at the same time – giving them Defense in Depth.

What is Defense in Depth?

Defense in Depth refers to a strategy in which a series of defense mechanisms are layered in order to protect data and information. The basic assumptions underlying the value of a Defense in Depth strategy are:

- Different types of transactions within online banking have different levels of inherent risk (e.g., external money movement is considerably higher risk compared to viewing recent credit card transactions)
- At login, the overall transaction risk associated with the session risk is unknown
- The risk associated with online banking is concentrated in relatively small populations – the vast majority of digital transactions are low risk

This is the Pareto principle at play – i.e., about 80% of online banking risk is concentrated within about 20% of sessions. Experian research shows that risk is even more concentrated – closer to >90% of the risk is concentrated in <10% of transactions. This is relatively intuitive, as the most common activities within online banking consist of users checking their balance or reviewing recent transactions. It is much less common for customers to engage in higher risk transactions. The challenge is that businesses cannot know the session risk at the time of challenge, thus their efficiency is destined to be sub-optimal.

The benefits of Defense in Depth

A Defense in Depth strategy can really change the economics of an online banking security program. Adopting a strategy that continuously assesses the overall session risk as a user navigates through their session allows more efficient risk decisions at moments that matter most to the user. With that increased efficiency, businesses are better set up to prevent fraud without frustrating legitimate users. 
Defense in Depth allows businesses to intelligently layer security protocols to protect against vulnerability – helping to prevent theft and reputational losses and minimize end-user frustration. In addition to these benefits, a continuous risk-based approach can have lower overall operational costs than a traditional security approach.

The second part of this series will explore the cost considerations associated with the Defense in Depth strategy explored above. In the meantime, feel free to reach out to discuss options.

1 Identity Fraud in the Digital Age, Javelin Strategy & Research, September 2020
DID YOU KNOW: 74% of organizations believe their data breach response plan could be more effective if they incorporated what they learned from previous breaches?1

The COVID-19 outbreak has accelerated digital transformation and upended business and life as usual. As the threat of cybercrime and data breaches continues to disrupt businesses during this time, being prepared for an incident is a must for organizations of all sizes. Experian’s new and improved Data Breach Response Guide is here to help you defend your network and prepare for a data breach with insights and the latest industry trends.

This year, we also have a new feature to help you quickly and effectively prepare for a data breach. The new Experian Reserved Response™ Hub delivers a digital, self-service destination to create, plan, prepare and pressure-test your data breach response plan. Companies that access the Hub can:

- Download data breach readiness reading materials
- Access proven notification templates
- Get the FAQ template and pre-breach incident checklist
- Access multiple levels of Experian Reserved Response™ services
- See Experian Reserved Response™ guarantees (with SLAs) for manpower, infrastructure, and response readiness
- And more!

Data breach incidents can happen to any business, of any size, at any time, all over the world. On average, organizations can save $2 million if they have an established incident response team with a plan that has been tested extensively, according to the IBM and Ponemon 2020 Cost of a Data Breach Report. Failing to respond to a breach properly can cause brand damage, customer migration, executive termination, and more.

Experian Reserved Response™ is the only program that guarantees SLAs and can have your plan ready in as little as three days. With over 17 years of experience managing tens of thousands of data breaches, we’re here to help you plan and pressure-test your response process. 
To get Response Ready™, download our latest Data Breach Response Guide and access to our new Reserved Response Hub today. 1 PwC. 2020. Digital Trust Insights Pulse Survey
Enterprise Security Magazine recently named Experian a Top 10 Fraud and Breach Protection Solutions Provider for 2020. Accelerating trends in the digital economy--stemming from stay-at-home orders and rapid increases in e-commerce and government funding--have created an attractive environment for fraudsters. At the same time, there’s been an uptick in the amount of personally identifiable information (PII) available on the dark web. This combination makes innovative fraud and breach solutions more crucial than ever.

Enterprise Security Magazine met with Kathleen Peters, Experian’s Chief Innovation Officer, and Michael Bruemmer, Vice President of Global Data Breach and Consumer Protection, to discuss COVID-19 digital trends, the need for robust fraud protection, and how Experian’s end-to-end breach protection services help businesses protect consumers from fraud. According to the magazine, “With Experian’s best in class analytics, clients can rapidly respond to ever-changing environments by utilizing offerings such as CrossCore® and Sure Profile™ to identify and prevent fraud.”

In addition to our commitment to develop new products to combat the rising threat of fraud, Experian is focused on helping businesses minimize the consequences of a data breach. The magazine noted that, “To serve as a one-stop-shop for data breach protection, Experian offers a wide range of auxiliary services such as incident management, data breach notification, identity protection, and call center support.” We are continuously working to create and integrate innovative and robust solutions to prevent and manage different types of data breaches and fraud.
Experian’s 7th Annual Data Breach Preparedness Study is available now, and its findings show organizations struggling in a few areas that are sure to see data breach activity increase this year. New to the report this year: we surveyed IT and IT security, compliance, and privacy professionals in both the U.S. and the EMEA to compare the regional differences among organizations and their outlook on data breach preparedness. A few themes that stood out in the study this year were:

Spear Phishing and Ransomware
69% of respondents had one or more spear phishing attacks in 2019.
Since 2017, the share of respondents who say their organizations are very confident or confident in their ability to deal with spear phishing attacks has declined from 31% to 23%.
36% of respondents say their organizations had a ransomware attack last year, with only 20% feeling confident in their ability to deal with it.
The average ransom was $6,128, and 68% of respondents say the ransom was paid.

Confidence in Data Breach Response Plans
From a reputation standpoint, only 23% of respondents say their organization is confident in its ability to minimize the financial and reputational consequences of a material data breach.
Only 38% of respondents believe they are effective at doing what needs to be done following a data breach to prevent the loss of customers’ and business partners’ trust and confidence.

Global Data Breaches
Only 34% of respondents say they are confident their organizations are able to respond to global breaches, as breaches increasingly become international in scope.

Read the full results of Experian's 7th Annual Data Breach Preparedness Study and see how you compare to other organizations when it comes to data breach preparedness.
Be warned. I’m a Philadelphia sports fan, and even after 13 months, I still relish the only Super Bowl victory I’ve ever known as a fan. Having spent more than two decades in fraud prevention, I find that Super Bowl LII is coalescing in my mind with fraud prevention and lessons in defense more and more. Let me explain:

It’s fourth-down-and-goal from the one-yard line. With less than a minute on the clock in the first half, the Eagles lead, 15 to 12. The easy option is to kick the field goal, take the three points and come back with a six-point advantage. Instead of sending out the kicking squad, the Eagles offense stays on the field to go for a touchdown. Broadcaster Cris Collinsworth memorably says, “Are they really going to go for this? You have to take the three!”

On the other side are the New England Patriots, winners of two of the last three Super Bowls. Love them or hate them, the Patriots under coach Bill Belichick are more likely than any team in league history to prevent the Eagles from scoring at this moment. After the offense sets up, quarterback Nick Foles walks away from his position in the backfield to shout instructions to his offensive line. The Patriots are licking their chops.

The play starts, and the ball is snapped — not to Foles as everyone expects, but to running back Corey Clement. Clement takes two steps to his left and tosses the ball to tight end Trey Burton, who’s running in the opposite direction. Meanwhile, Foles pauses as if he’s not part of the play, then trots lazily toward the end zone. Burton lobs a pass over pursuing defenders into Foles’ outstretched hands. This is the “Philly Special” — touchdown!

Let me break this down: A third-string rookie running back takes the snap, makes a perfect toss — on the run — to an undrafted tight end.
The tight end, who hasn’t thrown a pass in a game since college, then throws a touchdown pass to a backup quarterback who hasn’t caught a ball in any athletic event since he played basketball in high school. A play that has never been run by the Eagles, led by a coach who was criticized as the worst in pro football just a year before, is perfectly executed under the biggest spotlight against the most dominant team in NFL history.

So what does this have to do with fraud? There’s currently an outbreak of breach-fueled credential stuffing. In the past couple of months, billions of usernames and passwords stolen in various high-profile data breaches have been compiled and made available to criminals in data sets described as “Collections 1 through 5.” Criminals acquire credentials in large numbers and attack websites by attempting to log in with each set — effectively “stuffing” the server with login requests. Because consumers tend to reuse login credentials, the criminals succeed and get access to a customer account in between 1 in 1,000 and 1 in 50 attempts. Using readily available tools, basic information like IP address and browser version is easy enough to alter or conceal, making the attack harder to detect.

Credential stuffing is like the Philly Special:

Credential stuffing doesn’t require a group of elite all-stars. Like the Eagles’ players with relatively little experience executing their roles in the Philly Special, criminals with some computer skills, some initiative and the guts to try credential stuffing can score.

The best-prepared defense isn’t always enough. The Patriots surely did their homework. They set up their defense to stop what they expected the Eagles to do based on extensive research. They knew the threats posed by every Eagle on the field. They knew what the Eagles’ coaches had done in similar circumstances throughout their careers. The defense wasn’t guessing. They were as prepared as they could have been.
It’s the second point that worries me when I think of credential stuffing. Consumers reuse online credentials with alarming frequency, so a stolen set of credentials is likely to work across multiple organizations, possibly even yours. On top of that, traditional device recognition like cookies can’t identify and stop today’s sophisticated fraudsters. The best-prepared organizations feel great about their ability to stop the threats they’re aware of. Once they’ve seen a scheme, they make investments, improve their defenses, and position their players to recognize a risk and stop it. Sometimes past expertise won’t stop the play you can’t see coming.
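One way to detect the pattern described above without relying on IP address or browser version, added here as an example and not part of the original post. The log format, thresholds, function names and the per-user history of previously seen addresses are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user ip ok")
EPOCH = datetime(1970, 1, 1)

def parse(line):
    # Constructed log format (an assumption): "<ISO time> <user> <ip> <OK|FAIL>"
    ts, user, ip, result = line.split()
    return Event(datetime.fromisoformat(ts), user, ip, result == "OK")

def detect(events, known_ips, window=timedelta(minutes=5),
           min_users=20, min_fail_ratio=0.9, max_tries_per_user=2.0):
    """Flag windows where many different accounts fail a login once or twice.

    Nothing is counted per IP or per browser, because an attacker can change
    both between requests; the fan-out across usernames is harder to hide.
    """
    buckets = defaultdict(list)
    for e in events:
        buckets[(e.ts - EPOCH) // window].append(e)
    alerts = []
    for idx in sorted(buckets):
        evs = buckets[idx]
        users = {e.user for e in evs}
        fail_ratio = sum(not e.ok for e in evs) / len(evs)
        if (len(users) >= min_users and fail_ratio >= min_fail_ratio
                and len(evs) / len(users) <= max_tries_per_user):
            # A few stuffed logins do succeed; successes from an address the
            # account has not used before are candidates for step-up checks.
            review = sorted(e.user for e in evs
                            if e.ok and e.ip not in known_ips.get(e.user, set()))
            alerts.append({"start": EPOCH + idx * window, "attempts": len(evs),
                           "users": len(users), "ips": len({e.ip for e in evs}),
                           "fail_ratio": round(fail_ratio, 3), "review": review})
    return alerts

def sample_log():
    # Constructed data: a quiet period, then 50 attempts in one window, each
    # with a different username and source address, one of which succeeds.
    lines = ["2019-03-01T09:00:05 alice 198.51.100.7 OK",
             "2019-03-01T09:01:10 bob 198.51.100.8 FAIL",
             "2019-03-01T09:01:25 bob 198.51.100.8 OK",
             "2019-03-01T10:02:30 alice 198.51.100.7 OK"]
    start = datetime(2019, 3, 1, 10, 0, 0)
    for i in range(50):
        ts = (start + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} user{i:02d} 203.0.113.{i + 1} "
                     f"{'OK' if i == 17 else 'FAIL'}")
    return lines

if __name__ == "__main__":
    history = {"alice": {"198.51.100.7"}}  # constructed per-user IP history
    for alert in detect([parse(l) for l in sample_log()], history):
        print(alert)
```

Every attacker address in the sample appears exactly once, so a per-IP rate limit would never fire; the window is flagged on username fan-out and failure ratio alone, and only the success from an unfamiliar address is queued for review.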
Any responsible business manager knows that protecting business and client data is a vital part of running a successful organization. Now a new report identifies key factors that can improve a company’s ability to avoid hacks and prevent data breaches. And here’s the good news: These tactics really work.

During 2018, the number of personal records exposed in data breaches soared — a total of 446.5 million pieces of data – an increase that was more than double the number of records breached during 2017, according to the Identity Theft Resource Center. The business, healthcare and financial sectors were the top three sectors hit, with hacking being the most common form of attack.

But among the companies surveyed in the latest annual study sponsored by Experian Data Breach Resolution, there are important signs of hope. Despite the startling increase in the number of records stolen by data thieves – a gain of 126 percent – the number of survey participants reporting a breach increased by just 5 percent. This trend demonstrates that while hackers might be grabbing more data when they do manage to crack a database, the smaller increase in total breaches reported in the survey indicates that a growing number of institutions are improving their abilities to fend off cybercriminals.

What’s their secret? To encourage more effective strategies to handle and prevent breaches, “Is Your Company Ready for a Big Data Breach?” uncovers several important lessons learned from companies that are successfully insulating themselves – and their customers – from data theft.

Prevention is the best response: The overarching lesson that researchers found is that an effective data breach response plan starts with preventing breaches in the first place, rather than reacting after customer and business data has been stolen. Of the 643 U.S. business people surveyed who work on privacy, compliance and IT security, 29 percent reported that their organizations had prevented any breach involving more than 1,000 records for the past two years.

Rate your plan: The Ponemon researchers found that the percentage of companies that find their data breach response plans to be very effective increased from 42 percent in 2016 to 52 percent in 2018. Not surprisingly, more people at organizations that didn’t report a breach rated their response plans as effective – 62 percent – while 45 percent of those at companies that suffered data theft nonetheless felt their plans were effective.

Money matters: Ponemon researchers found that more investment in cybersecurity technology seemed to pay off. One of the most common factors among companies that prevented breaches was increased spending on technology to detect and prevent attacks. Of companies that prevented breaches, 73 percent increased their tech spending, versus 61 percent of those companies that were breached.

No train, no gain: An even bigger improvement came from training employees and making them aware of privacy and data protection issues and practices. The likelihood of a data breach was significantly reduced when awareness training specifically targeted employees and other stakeholders in business processes who work with or access sensitive or confidential personal data. At organizations that implemented training, 79 percent avoided a breach versus 69 percent of those that were hacked.

Cybersafety starts at the top: Executive engagement also matters. Making data security a priority among C-suite executives and corporate board members translates into keeping records safer. The study found that 54 percent of executives and 39 percent of directors were knowledgeable and engaged in planning data breach responses. At companies that were breached, 49 percent of executives and 32 percent of board members were involved with cybersecurity response.

Sharing is caring: Another key finding in preventing breaches is that organizations that share their insights and experiences in handling and preventing breaches improved their cybersafety. Operations that participated in learning about data protection and hacks from industry peers and government agencies were more likely to avoid a breach – 59 percent of those who joined sharing programs didn’t suffer an attack, while 46 percent of those participating experienced a breach.

Cybersafety is a process: Finally, organizations that want to stay cyber-safe might want to adopt the Boy Scout motto, “Be Prepared.” Companies that successfully prevented a data breach took several preventive measures to guard against attacks. That includes conducting regular reviews of physical security and access to confidential information, instituting third-party cybersecurity assessments, making data breach response part of their business continuity plans and creating backup websites that can be activated to provide content and information should a breach occur.

For the study, Ponemon researchers surveyed 643 professionals working in information technology and security, compliance and privacy who deal with data breach response plans in their organizations. The entire comprehensive survey of cybersecurity practices – “Sixth Annual Study: Is Your Company Ready for a Big Data Breach?” – is available to download now.

The Ponemon Institute, headquartered in Traverse City, Michigan, conducts independent research on data protection and emerging information technologies. Experian Data Breach Resolution helps businesses of all sizes manage the risk of fines, customer loss, negative press and litigation due to a breach of data, and is a subsidiary of Experian, the global leader in consumer and business credit reporting and marketing services operating in 80 countries.
From malware and phishing to expansive distributed denial-of-service attacks, the sophistication, scale and impact of cyberattacks have evolved significantly in recent years. Mitigate risk by employing these best practices: Manage third-party risks. Regularly review response plans. Opt in to software updates. Educate, educate, educate. Organizations must adopt stronger, more advanced technical solutions to protect sensitive data. While enhanced technology is necessary for defending against data breaches, it can’t work independently.
From malware and phishing to expansive distributed denial-of-service attacks, the sophistication, scale, and impact of cyberattacks have evolved significantly in recent years. With data breach as the new normal, organizations must adopt stronger, more advanced technical solutions to protect sensitive data. While enhanced technology is necessary for defending against data breaches, it cannot work independently of precautionary, often-overlooked measures like risk assessment, threat information sharing, or employee awareness and education. Even with the most cutting-edge defense systems in place, companies can’t underestimate the importance of employing fundamental security practices to mitigate cyber threats.

In a climate where the risk of a data breach continues to grow, preparation is critical. “The Fifth Annual Study: Is Your Company Ready for a Big Data Breach?,” sponsored by Experian Data Breach Resolution and conducted by the Ponemon Institute, examines how organizations stack up in data breach preparedness. Organizations can help mitigate risk by employing the best practices below:

Manage third-party risks: A cyberattack on partners or vendors can have dire consequences for an organization, regardless of how exhaustive its own security measures may be. The risk resulting from a third party’s lax security measures is too great to ignore. However, only 48 percent of organizations conduct assessments on third-party cybersecurity tactics.

Regularly review response plans: The threat and severity of data breaches are continually changing. Keeping a pulse on vulnerabilities is vital for any company. However, 40 percent of respondents say they don’t have scheduled times to review and update their data breach response plan. A staggering 26 percent report not reviewing or updating their organization’s plan after implementation.

Opt in to software updates: Outdated software exposes areas susceptible to infiltration, increasing a company’s risk of attack. Despite such risk, only 26 percent of respondents say employees are required to update software systems regularly. Organizations should require that all employees have the most up-to-date software available.

Educate, educate, educate: Data breaches caused by employee negligence are a concern of 80 percent of respondents. Because of their access to a company’s computers, systems, and networks, employees must be actively involved in an organization’s data breach defense. Organizations should conduct regular training and awareness programs on the consequences of mishandling sensitive confidential information.

Data breach preparedness is a multifaceted effort that requires cross-company support and involvement. Organizations can’t rely solely on technological solutions to thwart cyber threats. Having a solid response team in place and a well-defined process are fundamental elements of a data breach response plan that, though seemingly basic, should never be overlooked.