

Identity Theft Prevention and Mitigation Strategies for Organizations
Philip A. Bennett
Central Washington University
IT486: Critical Issues in Info Tech
Terry Linkletter, M.S.
3/11/16




Abstract

There are few disasters that can cripple a company as quickly as a customer data breach. In any volume, the amount of information exposed can leave victims vulnerable to identity theft. The subject of identity theft is not new, yet it continues to be a threat to the integrity and success of organizations. Despite advances in security technologies, there is a constant risk for a major incident. This paper explores some of the risks that many organizations face in the digital age involving identity theft. The purpose of this report is to assist organizations in developing successful prevention and mitigation strategies.




In the past few years, there have been numerous reports about businesses falling victim to data breaches. For over a decade, hackers have stolen several million individual records (see Appendix A for more information on companies and breach numbers). Two of these companies, Target and Home Depot, made the news for several weeks after falling victim to large scale attacks within a short period of time. Within one year, about 154 million records of personally identifiable information (PII) were stolen from these two companies (Weiss and Miller, 2014, pp. 1).

How could someone infiltrate these corporations and acquire so much data? The method of attack in each incident was simple. Hackers obtained a third-party vendor’s credentials to access the networks of each company. The attackers were then able to deploy malware that granted further access into point of sale systems. This malware then silently recorded the information from swiped credit cards, concealed the information by storing it in harmlessly named files, then sent those files to servers outside of the company network (Weiss and Miller, 2014, pp. 4). In both cases, each company displayed similar behaviors. At the beginning of each incident, both Target and Home Depot allowed for some delay before taking action. Target was aware of the breach on November 12th, 2013, but did not act on this evidence until a full month later when notified by the Department of Justice. Target notified its customers of the data breach two months after internally acknowledging its presence (Weiss and Miller, 2014, pp. 4). Home Depot was unaware of a security breach that occurred in April of 2014 until about five months after the fact. Similarly to Target, Home Depot only took action when law enforcement notified the company of potential compromise. The company released a statement a week after the discovery, yet at that time, the full impact of the data breach was not yet realized (Belangia, 2015, pp. 2).

What could be done to prevent these attacks? Plenty, in hindsight, as it is easy to see where Target and Home Depot made mistakes. But how can we apply this information to better harden an organization’s security? We first need to summarize the key issues that allowed these incidents to occur:

1. Proper security measures were not taken with third-party vendor information.
2. These companies were unaware of or unresponsive to the initial threat.
3. Action was taken only when it was too late.
4. Customers at risk were not notified soon enough to reduce their exposure.

It is this successive chain of failures that caused these data breaches to become as damaging as they were. If proper preventative action had been taken at any step of these attacks, it is likely that the damage caused could have been mitigated. With thorough analysis, there is much we can learn from their actions.
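As an added example (not code from the paper or any of its sources), the following Python script shows one defensive control aimed at the final step of the attack chain described above: a point-of-sale host has a small, predictable set of legitimate destinations, so any sizeable outbound transfer from the POS segment to anything else deserves an alert. The allowlisted networks, the hosts, the flow records and the byte threshold are all constructed for illustration.

```python
"""Egress check for a point-of-sale (POS) segment.

Added example, not from the paper or its sources. Card data staged on a POS
host and sent to an outside server shows up as a flow to a destination the
POS segment never legitimately talks to. All values below are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed allowlist of destinations a POS host is expected to reach.
ALLOWED_DESTINATIONS = [
    ipaddress.ip_network("10.0.0.0/8"),       # internal corporate network
    ipaddress.ip_network("198.51.100.0/24"),  # hypothetical payment processor
]

# Constructed flow records: "<timestamp> <src> <dst> <bytes_out>".
SAMPLE_FLOWS = """\
2013-11-12T02:01:10 10.20.5.11 198.51.100.7 2048
2013-11-12T02:01:12 10.20.5.11 10.0.3.9 512
2013-11-12T02:05:30 10.20.5.11 203.0.113.45 1048576
2013-11-12T02:06:02 10.20.5.12 203.0.113.45 2097152
2013-11-12T03:10:00 10.20.5.13 198.51.100.7 1024
"""

def parse_flows(text):
    """Turn flow lines into (timestamp, src, dst, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        records.append((ts, ipaddress.ip_address(src),
                        ipaddress.ip_address(dst), int(nbytes)))
    return records

def is_allowed(dst):
    """True if dst falls inside an allowlisted network."""
    return any(dst in net for net in ALLOWED_DESTINATIONS)

def find_suspicious_egress(flows, min_bytes=65536):
    """Total non-allowlisted bytes and destinations per source host, keeping
    only hosts above min_bytes (the threshold is an assumed tuning value)."""
    totals = defaultdict(lambda: {"bytes": 0, "destinations": set()})
    for _, src, dst, nbytes in flows:
        if not is_allowed(dst):
            totals[str(src)]["bytes"] += nbytes
            totals[str(src)]["destinations"].add(str(dst))
    return {h: v for h, v in totals.items() if v["bytes"] >= min_bytes}

if __name__ == "__main__":
    for host, info in find_suspicious_egress(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {host}: {info['bytes']} bytes to {sorted(info['destinations'])}")
```

In practice the allowlist comes from the POS segment's firewall policy and the flows from NetFlow or proxy logs; the point is that the alert fires on the destination, not on the contents of the innocuously named files.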

The goal of this analysis report is to explore and determine effective strategies for organizations to employ in their security plan. While there may be other, more specific security approaches for certain organizations to take, these strategies are designed to be general enough to be applicable to as many security scenarios as possible. Using the aforementioned data breaches as a basis for development, we can pose some questions to consider when evaluating an organization’s security:



1. What methods or procedures can be employed to prevent attacks and protect assets?
2. What are the first steps to take when a breach has occurred?
3. How and when should we announce the news of a data breach?


Before delving into preventative measures that could have been implemented, it is important to consider what methods were already in place at the time of each attack. Both Target and Home Depot were in compliance with the Payment Card Industry Data Security Standard (PCI DSS) prior to the breaches (Radichel, 2014, pp. 5; Miller, 2014, para. 1). The PCI DSS is the regulatory standard set to ensure that all merchants that handle credit card information in any way enforce a secure environment to protect customer data (, 2014). Vulnerability testing is one step of the compliance requirements, but it is by no means an exhaustive test of an organization’s network (Miller, 2014, para. 5-8). While this regulation may require these companies to have testing performed quarterly, the lack of depth involved, such as not testing for anti-virus software, may deliver a false sense of security to all parties involved. Indeed, these minimum standards set by PCI have come under fire in recent years, as setting the bar as low as possible has proven to be a disastrous practice (Miller, 2014, para. 7).

While PCI may have been adequate when it was first established in 2006, it is evident that the program has not adapted quickly enough to handle modern threats. Any company that is serious about protecting its critical assets should invest in a risk management strategy. A specialized team, either internal or external, should be responsible for regularly determining the threats and vulnerabilities of an organization. As explained by Teri Radichel of the SANS Institute, these threats and vulnerabilities are to include every aspect of the business process. The limited scope of the PCI does not provide a solid foundation for accurately measuring risk (Radichel, 2014, pp. 5-6).

A risk management strategy may include adding new security devices, properly configuring ones that are currently installed, or upgrading critical systems. In our two breach cases, both companies were found to need all of the aforementioned steps to harden their security. Home Depot was using Windows XP, a vulnerable operating system that is no longer supported by Microsoft. The company had anti-virus software enabled, yet it was not properly configured to handle network threats. They were also using older point of sale hardware that did not allow for more secure credit card transactions, leaving swipes and transmissions vulnerable to interception (Hawkins, 2015, pp. 7-8). Target, despite investing heavily in technologies that supported encryption and network monitoring, saw its systems rendered ineffective due to improper configuration and insufficient employee training (Radichel, 2014, pp. 8).

This information implies that there is more to maintaining a proper security system than performing a one-time installation and little employee involvement. A broad, multi-step security program should be developed in order to create a robust security system. This program should be considered a living document; the security system should be monitored and updated regularly and so should the security program. According to the Federal Information Systems Control Manual, there are five critical components in designing a security program:

1. Periodically assess risk;
2. Document an entity-wide security program plan;
3. Establish a security management structure and clearly assign security responsibilities;
4. Implement effective security-related personnel policies;
5. Monitor the security program’s effectiveness and make changes as necessary (Garbars, 2002, pp. 2).

These elements involve defining key roles and persons in the security program, assigning responsibilities, establishing a chain of command, defining procedures for working with third-party personnel, and enforcing schedules for risk assessments and vulnerability testing. With a strong security program in practice, an organization is well-protected against internal and external threats.

But what should an organization do if, despite all best practices, a breach does occur? This is still a very real scenario for a company with a good security system. In such a situation, preparation and planning beforehand is essential. Establishing an incident response team to handle breaches is a critical first step. This involves selecting internal and external individuals that are trained in how to manage certain aspects of a data breach. Not only does this team include key members like the CIO and upper IT management, but it also includes forensics and security consultants, human resource advisors, legal advisors, and first-response security personnel. It is important to use outside resources when considering security and forensics positions. This is because independent experts are free from any bias that may arise from working within the company. They also provide experience from previous forensic investigations and a fresh set of eyes to analyze the situation. These experts will advise on how to conduct the investigation, determine the scope of the attack, prevent additional data loss, and secure forensic evidence (DLA Piper, 2015, pp. 5-6).

During the investigation, proper documentation of events and actions taken is necessary to the success of a data breach recovery. Make sure to collect information from everyone involved in the discovery or the cause of the breach. Obtaining as much information as possible about the situation is not just good practice. All external personnel will want to know as much as possible in order to best contribute to the recovery effort. This is especially important in regards to legal obligations, as recording everything that occurs during the breach will help protect the company in case of legal action. Good bookkeeping will keep facts organized for when it is time to prepare and deliver notifications (Experian, 2014, pp. 7).

Planning for breach announcements should begin as soon as the incident begins. While some companies may have a sixty day window to carefully craft a public statement, there may be regulations that require notifications to be delivered much sooner. State and Federal law may state that a business must inform all potentially threatened parties within as little as 30 days of breach discovery. If revealing the breach would cause issues in a law enforcement investigation, the window for notification may be widened, but it is important to continue to work as if this leniency was not given. It is up to the affected organization to determine when notifications must be delivered and to whom they need to be sent (Experian, 2014, pp. 9).

When deciding what to reveal in an announcement, consider the legal requirements set at the federal and state level. Some states may require that layman explanations of incidents be included in a notification statement. Other states may prohibit the type and amount of information a company may disclose to the public. With all considerations of the law acknowledged, a company should aim to be informative, but also extend an offer of reparation (Experian, 2014, pp. 10-11). Maintaining goodwill towards affected parties in a timely fashion is essential to ensure that those individuals will continue to do business with the organization. Computer systems can be fixed, but company reputation and consumer confidence is much harder to repair.

[Figure 1: bar chart titled "Impact of Data Breach on Consumer Trust" (vertical axis 0% to 70%). Categories: "Unlikely to do business with breached companies"; "Unlikely to do business with company who leaked their information"; "Have been a victim of a data breach"; "Would consider legal action against companies who lost data".]

Figure 1. Consumer surveys regarding trusting companies with personal and financial data. Source: (2014).




To summarize the major findings of this report, it is clear that organizations must be proactive in protecting their assets. Thorough planning for the worst case scenario is essential in both preventing incidents and in reducing the impact of a future attack. Security programs must be established, enforced, maintained, and updated in order to be relevant in a world of constantly evolving threats. Proper documentation must be kept to protect the organization and aid in the recovery process. Finally, customer relations must be maintained. Offering protection services and keeping those affected informed of their situation is a good start for redeeming an organization’s public image. Failure to take necessary preventative measures puts companies at serious risk of losing not only data and resources, but also valuable consumer trust.



Appendix A

Year | Organization                    | Number of Records Breached | Notes
     | AOL                             | 92,000,000                 | Former employee stole data for financial gain
     |                                 |                            | Policy violation at a third-party card processor exposed data
     | US Dept. of Veterans Affairs    |                            | Laptop and external hard drive with sensitive data stolen from employee home. Data was not encrypted.
     | TJ Maxx                         |                            | Earliest known large data breach. Hackers stayed within the network for 18 months without being detected.
     | UK Dept. of Defence             |                            | Hard disk with a variety of data lost or stolen.
     | US Dept. of Defense             |                            | Defective hardware containing unencrypted data was returned to contractor.
     | Heartland Payment Systems       |                            | Largest involving credit cards
     | Sony PlayStation Network        |                            | Network was down for over a month to fix
     | Utah Medicaid                   |                            | Default password not reset before server went online with health data
     | Ebay                            | 145,000,000                | Hacker attack on servers
     | Home Depot                      | 56,000,000                 | Unauthorized access through Point of Sale Systems
     |                                 |                            | Hacker attack
     |                                 |                            | Attack originated at self-service POS terminals
2014 | JP Morgan Chase Bank            | 83,000,000                 | Stolen login credentials used to gain access
     | Sony                            | 50,000                     | Fewer in number but highly sensitive data
2015 | Anthem Blue Cross               | 80,000,000                 | Unencrypted data stolen, but none related to financial data

Note. Adapted from Srinivasan, S. (2015). Privacy protection and data breaches. Proceedings of Informing Science & IT Education Conference (InSITE) 2015, 429-444.



References

Belangia, D. W. (Mar. 13, 2015). Data Breach Preparation. Retrieved from on Mar. 8, 2016.

(2014). PCI FAQs. Retrieved from on Mar. 8, 2016.

DLA Piper. (Jun. 2015). Cyber Incident/Data Breach Response – Your Emergency Checklist. Retrieved from _breach_response_checklist_V7.pdf on Mar. 8, 2016.

Experian PLC. (2014). Data Breach Response Guide. Retrieved from on Mar. 8, 2016.

Garbars, K. (2002). Implementing an Effective IT Security Program. Retrieved from on Mar. 8, 2016.

(2015). Customer Loyalty, Trust, and Data Breaches. Retrieved from on Mar. 8, 2016.

Hawkins, B. (Jan. 2015). Case Study: The Home Depot Data Breach. Retrieved from on Mar. 8, 2016.

Miller, J. A. (Oct. 22, 2014). PCI Compliance Under Scrutiny Following Big Data Breaches. Retrieved from on Mar. 8, 2016.

Radichel, T. (Aug. 5, 2014). Case Study: Critical Controls that Could Have Prevented Target Breach. Retrieved from on Mar. 8, 2016.

Srinivasan, S. (2015). Privacy protection and data breaches. Proceedings of Informing Science & IT Education Conference (InSITE) 2015, 429-444. Retrieved from on Mar. 8, 2016.

Weiss, E. N. & Miller, R. S. (Feb. 04, 2015). The Target and Other Financial Data Breaches: Frequently Asked Questions. Retrieved from on Mar. 8, 2016.
