Authentic8 Blog Category: Identity

Book Review: What They Really Do With Your Medical Data

[Thumbnail: illustration for Authentic8 blog review of Our Bodies, Our Data by Adam Tanner]

SECURITY, IDENTITY, NEWS

Happy Data Privacy Day.  A new book provides an in-depth look at the commercial trade in patient medical data.  Sensitive data, a vibrant market, and not much cause for celebration.


A while ago, I wrote about the wave of data breaches at healthcare organizations and medical identity theft that is impacting millions and what we can do to protect ourselves better.

One of the readers of that post was acclaimed journalist Adam Tanner, who has reported on data collection and consumer privacy since 2012.

Adam and I have had an ongoing discussion on data privacy and security matters since we met a few years ago.  He was covering the issue for Forbes, and I had a chance to brief him on our secure browser solution.

A few weeks ago, he kindly directed my attention to an unknown - to me, at least - aspect of our personal medical records. I thought our medical data was sacrosanct.  Protected by regulatory

How Medical Identity Theft Works, and How it Can Impact You

[Image: patients in waiting room, with chart: Individuals Impacted by Healthcare Data Breaches]

IDENTITY, SECURITY

The healthcare industry currently tops the target list of cyber criminals, according to IBM’s 2016 Cyber Security Intelligence Index [PDF]. The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data (Ponemon Institute) reveals that 89 percent of healthcare organizations and 60 percent of their business associates experienced data breaches over the past two years.

Recently, ransomware attacks (incidents where hospital data are encrypted and only released after a ransom is paid) have dominated the headlines. But most data breaches within the healthcare industry involve an even more lucrative target: medical records and related Personally Identifiable Information (PII), like Social Security numbers.

What does this mean for you? Medical identity theft via computer comes at a staggering cost to the victims. They have to pay a steep price to get their life back: on average more than $13,000, according to one study. To make matters worse, victims can find themselves cut off from their doctors or get misdiagnosed,

Can You Trust Your Tax Preparer?


IRS forms can suck the joy right out of a wonderful April day. Do you prefer online tax filing? Guess what: so do cyber criminals. Also on their target list: CPAs and local tax preparer offices.

The IRS expects damages from tax refund fraud - somebody filing for a refund, using a stolen identity - to rise to $21 billion this year. This increase is in part due to the widespread use of e-filing services by taxpayers.

While such services make filing for a refund easier, some Internet tax filing platforms are also known to fuel tax fraud. Organized scamsters use them to automate their scheme online.

That tax refund you expected? The one that’s long overdue? It may have been paid out already, but to somebody else: to a tax scam artist.

As a victim of tax refund fraud, up to nine months can pass before you finally receive your money. That’s on average how long it takes

Your data has been leaked - now what?


The math isn’t good. Since 2013, more than 1 billion records containing personally identifiable information (PII) have been compromised. From credit card purchases at hardware stores to government background checks, your data is on servers completely outside of your control. And it appears that the owners of those servers haven’t cared about securing your data as much as you have. So your data has been leaked. Your world is changed, and here are 6 steps to take to get back in control of the situation -- a few of them immediately, the rest over time.

Do this TODAY!

Acknowledge that you are a victim. Say it to yourself: “My data has been stolen and will probably be sold to the highest bidder.” That realization should permeate your behavior. Where you used to click links, enter passwords in fields, or throw official-looking mail in the trash, now you can’t. Try to assess everything you receive from the perspective of

Protect Yourself from the Anthem Data Hack



This article isn’t for everyone - only eighty million of you (or 78.8 million to be more precise). That’s the whoppingly huge number of Anthem Health Insurance customers whose personally identifiable information (PII) is now in the hands of internet thieves. If you’re a current or former Anthem subscriber (or a Blue Cross Blue Shield subscriber who received services from Anthem), crooks probably have your full name, birth date, member ID data, street address, phone number, email address, and employment information.

Armed with your PII, these criminals (or the people who buy your PII on the black market) are cooking up ways to steal from you. Here’s a partial list of what they might be considering:

  • Registering for credit cards under your name and going on shopping sprees.
  • Foisting their income taxes on you. If a fraudster gives their employer your social security number, you’re on the hook to the IRS for the crook’s

Trusting third parties can lead to second-rate security


Over the weekend, news broke that hundreds of thousands of individual users of SnapChat (many under the age of 18) fell victim to compromise through a third-party service called SnapSaved, reportedly perpetrated by the same group responsible for leaking the celebrity photos. And Dairy Queen revealed that they were the latest in a growing list of retailers that have had customer credit card information stolen as a result of malware installed by hackers using stolen passwords from third-party contractors. Just yesterday, hackers claimed to have stolen almost 7 million Dropbox credentials by compromising a third-party site.

The common thread: the victims, whether individuals or a large company, trusted third parties and paid a steep price as a result. It’s true that adoption of web apps has led to an increase in productivity and even, according to this report, security. But reliance on third parties also magnifies the damage that unauthorized access can cause. Businesses of all sizes can protect themselves

Does changing your password really make a difference?



One of the most common pieces of advice in the wake of a major security breach is to change your password. Often. Let’s take a look at a competing argument: Don’t change your password because frequent changes won’t really keep you safe. The basic gist is this: regularly changing your password gains you nothing because if you’re not already compromised, you’re just swapping out a secure password for another secure password.

Earlier this year, Kirk Lennon published a blog espousing this point of view. But it’s nothing new. In 2010, Computerworld offered similar advice, and in 2012, Gizmodo published this tongue-in-cheek piece balancing security needs with sanity.

If someone compromises your account through script hacking, they’ll most likely change your password immediately to solidify their control of your account. Ultimately, frequent password changes offer minimal security benefit with more inconvenience. And the more often you change your password, the more likely it is that

How did hackers access critical infrastructure in the Code Spaces attack?



Last week’s catastrophic Code Spaces compromise reminded us just how vulnerable our systems can be. We have talked about some of the lessons learned in the aftermath of the attack, but the question remains: how did the initial compromise happen?

Generally, when bad guys gain access to a system, it happens in one of four ways:

  1. Brute Force: They try thousands of username/password combinations until one works. Amazon locks users out after a number of unsuccessful login attempts, so in the case of Code Spaces, this is not what happened.
  2. Log Into An Infected Machine: If a user logs into their account from an infected machine, the bad guys can easily capture their information and use it to gain greater access.
  3. Phishing: Phishing and spear phishing attacks are getting more sophisticated every day. If even one employee is tricked by one of these attacks and voluntarily types their information into a bogus form, the entire system can be compromised.

Recycling is good for the environment, not your passwords



This is not a proper password manager.

We all do it. Between the web apps that you want to have (Gmail, Facebook, Twitter) and the ones you need to have (Outlook, online banking, insurance), it's natural to want to keep things simple by having a handful of passwords that are easy for you to remember and use over and over again. In a recent survey, more than 55% of users admitted to recycling passwords (often in combination with the same username).

There are problems with that. First, chances are that your password isn't very hard to crack. Even a minimally acceptable "strong" password should have at least 8 characters, numbers, letters, and symbols without having any complete words or names. Sorry, but "123456" just doesn't cut it (because it was the most common password used in 2013).

Second, no matter how secure your password is, if it gets stolen, lost, or hacked, every single website that uses that password is

Sharing is caring: How marketing teams can share web accounts while increasing security

IDENTITY | SECURITY

What’s your company’s Twitter password? If you know the answer to that question (or if it’s written on a Post-It), then your brand is at risk.

In terms of moving to the cloud, marketing is probably the most aggressive function in any organization. Every new communication channel or social network adds risk to your business... whether it’s a hijacked Twitter account or an important file that was downloaded to the wrong computer by mistake.

It used to be that marketing campaigns would take weeks to plan with several more weeks to analyze results. Today, a single tweet or post can go from concept to execution in seconds - sometimes with very negative results. Your company’s brand is in the hands of any employee, contractor, or agency who has one of your passwords.

But marketing is probably the most ill-equipped team to deal with the threats of these emerging technologies. From AdWords to Zuora, each web