Streaming services like Netflix, Hulu, HBO Now, and Prime Video have revolutionized the way people consume television and movies – and Disney is the latest company to join the craze with its newly-released and much-anticipated Disney+ streaming service. With more than 10 million users creating accounts within the first day the service was rolled out, Disney had to be aware of the extreme cyber threats facing the streaming service. After all, to sign up for the streaming service, users must input their name, email address, phone number, address, and payment card information. In other words, the anticipation of the rollout of the streaming service coupled with the kind of data Disney+ required to set up an account created the perfect breeding ground for malicious hackers to steal data and make a quick profit.

Disney+ Security Incident: What Really Happened?

Within a few hours of the rollout of the newest streaming service, Disney+ users reported technical issues, including being forced out of their accounts and having their email addresses and passwords changed. Shortly after, ZDNet reported that hackers were selling Disney+ accounts on the dark web for $3 to $11. In response to the backlash, Disney says it takes the privacy and security of users’ data very seriously, “and there is no indication of a security breach on Disney+.” Disney contends that the accounts affected by the security incident belonged to users who had recycled old usernames and passwords that were likely stolen in a separate data breach; however, some users have said that they used unique usernames and passwords for their Disney+ account and were still hacked. This points to two key takeaways: the need to prepare your organization against cyber threats, and the need to understand the dangers of credential stuffing.

Preparing for a Rollout

Preparing a product or service for market is a lengthy process – and one that can be greatly impacted if security is not ingrained in its creation. When an organization, especially an enterprise-level organization like Disney, debuts a product or service that fails to secure its customers’ data, there’s a lot at stake. To prepare your organization against advancing cyber threats, start with the following:

  1. Identify Key Assets: What data do you collect? Why? Where is it kept? How is it protected?
  2. Conduct a Risk Assessment: Identify and rank the risks to your organization, determine ways to mitigate those risks, and implement new processes.
  3. Establish an Incident Response Plan: Malicious hackers are on the prowl, so assume that you could experience a security incident at any time. Make sure you have a thorough and tested incident response plan, so you’re prepared for when, not if, a data breach occurs.

The Dangers of Credential Stuffing: Users Beware

According to KirkpatrickPrice Director of Audit Delivery, Richard Rieben, the Disney+ breach isn’t a breach of Disney’s infrastructure. Instead, it’s a credential stuffing attack. Why is this attack method so effective for big media companies? In their State of the Internet/Security – Credential Stuffing report, Akamai explains, “The media, gaming, and entertainment industries are prized targets for criminals who are looking to trade in stolen information and access. The accounts are sold in bulk, and the goal for the criminals is to move their goods by volume, rather than single account sales.” Rieben explains, “Password management is key here. If you reuse usernames and passwords across multiple platforms, and then one platform experiences a breach, anywhere you used that email/password combination is now susceptible to attack and account compromise.” What can users do to prevent falling victim to credential stuffing attacks? It’s simple: use unique usernames and passwords, and consider following these password best practices. Companies like Disney, on the other hand, can help their customers avoid falling victim to credential stuffing attacks by implementing security controls like multi-factor authentication.
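As an added illustration (not code from the original post or from KirkpatrickPrice), the following Python sketches the pattern a defender can look for in authentication logs: one source replaying many different leaked username/password pairs with a low success rate, as opposed to a brute-force run against a single account. The log lines, IP addresses, thresholds and function names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from Disney+ or any real service).
# Each line: "<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>".
# 203.0.113.7 replays a leaked email/password list: many different usernames,
# one attempt each, a few of which land. 192.0.2.55 hammers a single account
# (brute force, not stuffing) and 198.51.100.20 is an ordinary login.
SAMPLE_LOG = """
2019-11-12T09:00:01 203.0.113.7 alice FAIL
2019-11-12T09:00:02 203.0.113.7 bob FAIL
2019-11-12T09:00:03 203.0.113.7 carol SUCCESS
2019-11-12T09:00:04 203.0.113.7 dave FAIL
2019-11-12T09:00:05 203.0.113.7 erin FAIL
2019-11-12T09:00:06 203.0.113.7 frank FAIL
2019-11-12T09:00:07 203.0.113.7 grace SUCCESS
2019-11-12T09:00:08 203.0.113.7 heidi FAIL
2019-11-12T09:00:09 203.0.113.7 ivan FAIL
2019-11-12T09:00:10 203.0.113.7 judy FAIL
2019-11-12T09:00:11 203.0.113.7 ken FAIL
2019-11-12T09:00:12 203.0.113.7 laura FAIL
2019-11-12T09:01:00 192.0.2.55 bob FAIL
2019-11-12T09:01:01 192.0.2.55 bob FAIL
2019-11-12T09:01:02 192.0.2.55 bob FAIL
2019-11-12T09:01:03 192.0.2.55 bob FAIL
2019-11-12T09:03:00 198.51.100.20 alice SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "SUCCESS"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_accounts=10, max_success_rate=0.3):
    """Return {ip: stats} for source IPs whose attempts, inside any `window`,
    touch at least `min_accounts` distinct usernames at roughly one attempt
    per username and succeed at most `max_success_rate` of the time.
    That combination is the credential-stuffing signature: the attacker is
    not guessing one user's password but replaying pairs stolen elsewhere,
    and only the users who reused that password will log in."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window so it spans at most `window` of wall-clock time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            attempts = len(chunk)
            successes = sum(1 for _, _, ok in chunk if ok)
            if (len(users) >= min_accounts
                    and attempts / len(users) <= 1.5   # spray, not brute force
                    and successes / attempts <= max_success_rate):
                # Later windows overwrite earlier ones, so the report covers
                # the whole burst. "compromised" lists the accounts that need a
                # forced password reset (or an MFA step-up) right away.
                flagged[ip] = {
                    "attempts": attempts,
                    "accounts": len(users),
                    "successes": successes,
                    "compromised": sorted(u for _, u, ok in chunk if ok),
                }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The brute-force source is deliberately not flagged: it hits one account repeatedly, which calls for a different response (lockout or rate limiting on that account) than the forced resets and MFA enforcement that a stuffing burst calls for.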

While it’s too early to tell the impact of this security incident, Disney+’s nightmare debut offers valuable insight into the dangers of credential stuffing. If your organization is planning on debuting a new product or service, let us help you ensure its security. Contact us today to get started.


The California Consumer Privacy Act will go into effect on January 1, 2020, which gives organizations who have yet to start their compliance efforts less than three months to prepare for the enforcement of the new data privacy law. While ensuring compliance with a new legal requirement is never easy and is often stressful, we’ve come up with seven steps to follow that can act as a roadmap for CCPA compliance.

Preparing for CCPA: 7 Steps You Need to Follow

1. Determine Applicability

One of the major pitfalls that we saw around the enforcement deadline of the EU’s GDPR is that many organizations did not know if the law applied to them because of the ambiguous nature of the law. However, with CCPA, there are set guidelines that define who must comply with the law. Specifically, CCPA applies to for-profit businesses that do business in California, collect California consumers’ personal information, and meet any of the following criteria:

  • Have annual gross revenues of over $25,000,000
  • Buy, sell, or share the personal information of 50,000+ consumers per year
  • Derive 50% or more of their annual revenues from selling consumers’ personal information

If you’ve determined that CCPA does, in fact, apply to your organization, follow the next three steps.

2. Get Executive Support

Having an executive team on board with compliance is absolutely critical. After all, if there isn’t a tone for compliance set at the top of the organization, why would anyone else think that compliance needs to be ingrained in the company culture? Getting your executives on board with CCPA compliance will be the catalyst for ensuring that compliance efforts go smoothly, but it doesn’t stop there. Executives should be sure that they appoint a person or group of people to oversee compliance efforts – someone who fully understands the requirements of the law and can hold the organization accountable for maintaining compliance. Also, executives need to give the person or group responsible for CCPA implementation the right kind and amount of resources necessary to pursue compliance. Examples of CCPA compliance resources include: data mapping tools, training, data rights software applications, compliance consulting, and time.

3. Review Data Collection and Retention Processes

When was the last time your organization evaluated the type of data you collect or why you’re even collecting it in the first place? Is the data you collect absolutely necessary for your marketing efforts? Does all of the data you collect fuel the services you provide? Are there any data sets that aren’t needed? Reviewing your data collection processes will help you identify areas of potential weakness – like having consumers’ personal information stored that doesn’t actually need to be there or collecting information that you don’t actually use – all of which could prevent you from complying with CCPA. To more efficiently review your data collection processes, we suggest data mapping, which includes asking and answering the following questions:

  • What personal information does your organization collect?
  • How does your organization collect that personal information?
  • Where and how is the personal information stored?
  • Where and to whom is the personal information shared?
  • How is the personal information transferred?

4. Update Your Privacy Policy

It’s not enough to have just a GDPR-compliant privacy policy; CCPA’s privacy disclosures include some unique and particularly precise requirements. To ensure CCPA compliance, then, you’ll need to update your privacy policy to make sure that it includes the following:

  • A description of the new rights afforded to California residents
  • A description of the methods for submitting a personal information or erasure request
  • A link to an opt-out page on your company’s website
  • A list of all of the categories of personal information that have been collected within the past 12 months
  • The sources of each category of personal information
  • All of the purposes for using each category of collected information
  • A list of the categories of personal information sold in the past 12 months
  • A list of the categories of personal information disclosed for a business purpose in the past 12 months

5. Go Through a Gap Analysis

At KirkpatrickPrice, we always recommend that our clients go through a gap analysis before beginning an audit engagement. Why? Because a gap analysis provides insight into any operational, reporting, and compliance gaps that could hinder your CCPA compliance. A gap analysis is especially important with audits covering something as new as CCPA. Ultimately, a gap analysis asks and answers, “How is my organization doing compared to what’s required?”

6. Complete Remediation

After you’ve undergone a thorough gap analysis, you’ll have to remediate any and all findings before an audit can begin. At KirkpatrickPrice, we provide a Remediation Project Plan that consists of observed gaps, recommended remediation strategies, the required level of effort for remediation, and a remediation timeline. For example, one of your gaps might be that your organization does not currently have any contracts that address data processing requirements under the provisions of CCPA (CCPA Section 1798.140(w)). A recommended remediation strategy would be to develop a policy that requires contracting whenever personal data is involved, which would require high-level effort over a 45-day period.

7. Go Through a CCPA Audit

Once you’ve completed the previous six steps, you’ll be ready to undergo a CCPA audit by partnering with a KirkpatrickPrice Privacy Expert to verify your compliance with the law.

At KirkpatrickPrice, we’re committed to helping our clients ensure the security of their data by partnering with you to achieve your challenging compliance goals – including conquering CCPA compliance. If your organization must comply with CCPA, let’s talk about how our Privacy Specialists can help you.


Organizations are experiencing increasing commercial pressure from their business customers and individual consumers to provide timely, clear, and adequate breach notification. Now, organizations are also facing increasing regulatory pressure to provide timely, clear, and adequate breach notification. One of the most recent regulatory changes applies to the Texas Identity Theft Enforcement and Protection Act (TITEPA). These changes create additional regulatory requirements and force businesses to disclose certain security breaches directly to the state, which could lead to regulatory enforcement in response to the breaches.

What is TITEPA?

In March 2019, Texas legislators proposed two data privacy bills that enhance consumers’ data rights and require businesses to responsibly maintain personal information. One bill stalled and one has passed, HB 4390, which was intended to be a consumer privacy bill known as the Texas Privacy Protection Act. Instead, it updates the breach notification requirements in the TITEPA.

HB 4390 aims to protect personally identifiable information that poses privacy risks to consumers. This data could be anything from a Social Security number to cardholder security codes, unique biometric data, physical or mental health information, private communications of users that are not publicly available, geolocation data, and unique genetic information. Wondering what constitutes a privacy risk under HB 4390? The bill states that a privacy risk is, “Any potential adverse consequences to an individual or society at large arising from the processing of personally identifying information.” These consequences could be financial loss, physical harm, psychological harm, reputational harm, discrimination, etc.

Failure to comply with TITEPA and its amendments will result in civil penalties. These updates to TITEPA took effect on September 3, 2019, with the exception of a few new amendments that take effect on January 1, 2020. Let’s discuss their impact on your organization.

3 Important Updates

The first amendment to HB 4390 requires that Texas residents must be notified of a data breach within 60 days of when the breach occurred. This amendment is significant because it gives a specific time period, instead of the vague, flexible requirement before it, which only required businesses to notify the impacted individuals “as quickly as possible.”

The second amendment stipulates that if a data breach impacts 250 or more Texas residents, then the business that experienced the breach must provide notice to the Texas Attorney General within the same 60-day period used to notify Texas residents. This regulatory notification provides oversight and accountability, and must include a detailed description of the data breach, plus information about how many Texas residents were impacted, the steps taken so far to contain the breach and to prevent a recurrence, and whether law enforcement has been notified.

Both of these amendments highlight the importance of an incident response plan. If your organization doesn’t know what to do in the face of a data breach, how can you expect to give proper breach notification to impacted individuals and the Attorney General?

HB 4390 also establishes the Texas Privacy Protection Advisory Council, which will study data security laws to prepare recommendations for changes to the Texas Legislature by September 2020, prior to the legislative session beginning in January 2021. The updates to HB 4390 stipulate who will make up the council and how they will be appointed.

Is Privacy Legislation Coming to Texas?

Because HB 4390 is an update to TITEPA instead of the Texas Privacy Protection Act, we’ll still be waiting to see if comprehensive privacy legislation is passed in Texas in the near future. The passage of HB 4390 is a win, though, for updating the state’s breach notification law and establishing the Texas Privacy Protection Advisory Council. The recommendations of the Council (reported in September 2020) will likely form the basis for privacy legislation in the future – maybe even when the Texas Legislature session begins in January 2021.

Does HB 4390 Apply to You?

HB 4390 applies to businesses that do business in Texas, have more than 50 employees, and collect the personal information of more than 5,000 individuals, households, or devices. The applicability of HB 4390 also depends on whether the business has an annual gross revenue that exceeds $25 million or derives more than 50% of its annual revenue from processing personal information.

If you complete an audit with us, our auditors are trained to determine if state laws like these apply to your organization and impact your compliance. You may be in compliance and not know it, or you may have some gaps to close before you’re fully there. Hiring an auditing firm that shows you the full scope of your compliance obligations is crucial to becoming a security-conscious organization.

Ready to partner with an auditor who provides you with clear, comprehensive guidance? Let’s talk.


How much do you think a buyer on the dark web would pay for stolen data?

How much would you estimate a hacker can profit off of personal data?

The truth is, stolen data is worth the risk to hackers, and it is always costly for the organizations that store, process, transmit, or destroy personal data.

How Do Hackers Make Money?

When a system is breached and personal data is stolen, the hacker involved in the malicious activity will typically sell or advertise that data on the dark web. Even if your company is small, a hacker will cast a wide net to obtain stolen information from multiple sources.

If they steal personal data from your organization, it will cost you money – that’s the end of it. It’s up to you to decide if the cost of stolen data is worth it, or if proper information security testing is a better investment.

How Much is Hacked Data Sold For?

Symantec released an in-depth Internet Security Threat Report in 2019 that lays out a cost sheet for the most commonly sold personal data.

Here’s how much hackers earn after stealing the personal data you are responsible for:

  • Online banking account – 0.5%-10% of value
  • Cloud service account – $5-$10
  • Hacked email accounts (groups of 2,500+) – $1-$15
  • Hotel loyalty or reward program accounts with 100,000 points – $10-$20
  • Stolen identity – $0.10-$1.50
  • Medical notes or prescriptions – $15-$20
  • Stolen medical records – $0.10-$35
  • ID or passport – $1-$35
  • Full ID – $30-$100

While these numbers may seem small for individual pieces of data, the total value of the data starts to add up.

If you store passport data, how much could a hacker earn by breaching your database? If you process online payments, how much could a hacker earn by skimming your site? The value of an individual record may be minor, but when you view it in terms of entire databases of personal information, the cost can make a huge impact.

The Real Cost of a Personal Data Breach

Let’s take a look at a recent breach that made headlines – DoorDash. The food delivery service was breached in September 2019 when a hacker stole private information of 4.9 million customers and delivery workers which included full names, delivery addresses, phone numbers, digits of credit cards and bank accounts, and hashed passwords.

If we use the data from Symantec’s report that claims, at the cheapest price, full ID packages can be sold for $30, we can estimate that the personal data stolen from DoorDash was worth $147 million. The hacker that breached DoorDash’s system is probably sitting on a good profit right now. Do you want your organization to be the next target for a hacker looking to make a good buck off stolen personal data?

How to Stop the Hacking Money Machine

So, what can you do to protect your organization from fueling the money machine of hackers selling personal data on the dark web?

You can start by annually testing your processes and controls to make sure your system can withstand common hacking tactics, whether that’s through your internal audit team or the external penetration testers who are skilled enough to spot suspicious activity. Staying updated on current hacking tactics provides greater assurance that your employees will recognize an attack early on.

Organizations have a great responsibility to protect individuals’ personal data because they store, transmit, process, and destroy so much of it. Whether it be employee data or client data, you need to have practices in place that secure information and work against a hacker’s tactics.

If you’re interested in learning more about third party penetration testing to mitigate the risks you face, contact KirkpatrickPrice today!


In 2019, State Farm notified policyholders of a cybersecurity attack in the form of credential stuffing, a tactic often used by hackers that relies on a lack of password maintenance. State Farm took proper measures to reset passwords and notify affected parties of the attack, but what if State Farm employees were properly implementing multi-factor authentication practices from the start? Would this attack have even happened? How could State Farm have known its employees weren’t following logical access procedures? They could have watched out for common security gaps and implemented proper procedures before a hacker had any chance at locating their vulnerabilities. Proactive security practices are key to an information security program.

A SOC 2 audit is a way of proactively assessing your organization’s information security program. You’ll see how your organization stands up against SOC 2 standards and learn from information security experts where your vulnerabilities lie. But how do you prepare for an undertaking as big as a SOC 2 audit? One of the most important SOC 2 audit preparation steps is a compliance gap analysis.

What is a SOC 2 Compliance Gap Analysis?

A compliance gap analysis, also known as a compliance gap assessment, compares an organization’s internal operations and controls with requirements described in regulations and standards. In the case of SOC 2 compliance gap analysis, the organization scrutinizes internal controls and operations to assess whether they conform to the SOC 2 Trust Services Criteria. A gap analysis report is not as thorough or detailed as a SOC 2 report. However, gap assessments help organizations prepare for an audit by identifying and mitigating likely compliance blockers while improving internal security practices.

We believe that when organizations choose to undergo a SOC 2 audit for the first time, it’s important that they complete a SOC 2 gap analysis to determine areas of security improvement. The goal of a gap analysis is to identify areas of weakness in your systems that need to be remediated before completing a SOC 2 audit. 

A gap analysis might have helped State Farm to understand its vulnerability to credential stuffing and the likely impact on compliance. When your company conducts a SOC 2 gap analysis, it will have the information it needs to improve its information security practices and a better chance of gaining a SOC 2 attestation.

If your organization is preparing for a SOC 2 audit and you want to understand the most common SOC 2 gaps to watch out for, you’ve come to the right place.

Watch Out For The Most Common SOC 2 Gaps

For most organizations completing a SOC 2 audit for the first time, the typical gap rate is 40–60%. This means that, on average, of the topics covered during a SOC 2 gap analysis, 40–60% contain gaps. The typical organization can expect to see a number of gaps in their information security procedures in places they may not have expected. How can you get ahead of the game? By learning about the most common SOC 2 compliance gaps and assessing your organization’s policies and procedures against them. Based on our data, we believe the most common SOC 2 gaps address these requirements:

Risk Assessment

Organizations should have a formal risk assessment policy that is both implemented and documented. After a risk assessment is completed, the organizational risks must be maintained and addressed regularly.

Business Continuity Plan

A proper business continuity plan needs to be developed in case of an incident that needs an immediate response. After development, the business continuity plan needs to be tested and documented.

Network Scanning and Testing

It’s common for organizations to leave out network vulnerability scanning and penetration testing in their policies, but these tests should be implemented yearly.

Information Security Policy

Developing an information security policy should be a practice that is reviewed regularly and implemented in daily employee activities. Organizations need to keep thorough documentation of any information security policy changes.

Change Management Policy

The procedures for notifying users or clients of system events should be addressed in change management policies and procedures.

Vulnerability Management Policy

Organizations can prepare for a SOC 2 audit by developing a vulnerability management policy that addresses patch management and immediate notification of breaches in vulnerable areas.

Vendor Management

Monitoring third-party vendors by reviewing their compliance with information security and confidentiality, access control, service definitions, and delivery agreements is often an overlooked security procedure. An organization should receive current audit reports from any critical third-party vendors.

Network Logging & Monitoring

Organizations should have proper documentation to define monitoring for alerts from intrusion-detection/intrusion-prevention, alerts from file-integrity monitoring systems, and the detection of unauthorized wireless access points.

Logical Access

An organization’s Logical Access Policy should include roles and full password requirements.

Network Diagrams

Create network diagrams that illustrate all boundaries of the environment, network segmentation points, boundaries between untrusted networks, and all other applicable connection points.

Quick Wins to Jump-Start the SOC 2 Audit

Those 10 most common SOC 2 compliance gaps can seem daunting to identify and tackle in your own systems, so we’ve put together a few “quick wins” that you can start implementing right now. Quick wins are changes that have a positive impact in two ways: they resolve a gap, and they provide momentum to your compliance effort.

Multi-factor authentication is one quick win, and it should be implemented as part of a solid logical access security policy. Your organization should enforce MFA for every user in your system.

Another area of momentum for your SOC 2 audit is physical security. Video surveillance is an integral security practice, and the surveillance footage should be retained for at least 30 days. Implementing a visitor log that requires all visitors to sign in before entering the office is another crucial element of physical security.

Do you have required security awareness training programs that provide thorough explanations of security policies and procedures to all employees? Security awareness is an extremely accessible quick win. As part of the training, all employees should receive the employee handbook, which needs to include sections on information confidentiality, background and reference checks, and progressive discipline. A copy of each employee’s Daily Operational Security Procedures should be kept up to date and available to every employee.

These areas of implementation should give your organization the opportunity to have a few quick wins that help close your SOC 2 compliance gaps. If you’re curious to know more about remediating the most common SOC 2 gaps or preparing for a SOC 2 audit, contact KirkpatrickPrice today to talk with our team of information security experts.
