Tuesday, September 9, 2014

(SuperValu) Wrote Me A Letter

   I'm hearing the Joe Cocker version of the Box Tops' song! (Though I always picture John Belushi doing this!)

   I don't want my summer to end, but October is coming soon and, in the US, October is National Cyber Security Month.  This will be the first post of a series on Identity Theft that will carry us into October.

   First of all, the term Identity Theft is a misnomer.  According to Findlaw:
      Theft is often defined as the unauthorized taking of property from another with the intent to permanently deprive them of it. Within this definition lie two key elements:
      1) a taking of someone else's property; and
      2) the requisite intent to deprive the victim of the property permanently.
      The taking element in a theft typically requires seizing possession of property that belongs to another, and may also involve removing or attempting to remove the property. However, it is the element of intent where most of the complex legal challenges typically arise in theft-related cases.
   But, with Identity Theft, your identity is not actually stolen, because you still have use of it.  A more accurate term is Identity Fraud.  Someone is using your identity, without permission, to execute fraudulent transactions or commit other crimes.  And, in many cases, it's just aspects of your identifying or financial information, like your credit card number, that are being used fraudulently.

   There's also the term Larceny, but, like Theft, it really doesn't fit here.  And somehow Identity Larceny just doesn't roll off the tongue.

   Back to the main point... Last week I received a letter from SuperValu.  I'm sure you heard about the well-publicized data breach.  Read more about it here and here.  Of course, that's practically old news now that Home Depot may be setting a new record!

   The letter had the standard blah-blah-blah.  Many people have received this kind of letter, and you may have too.  The elements of the standard message:
  • There was some kind of "criminal intrusion";
  • It may have resulted in the "theft" of credit card numbers and/or other card info;
  • They can't tell for sure what, if anything, was actually taken;
  • There's no evidence of the data being misused (of course, Target and Home Depot can't say that!);
  • They took "immediate" steps to fix the problems;
  • Even though they aren't sure anything was taken, they are providing 1 year of free credit monitoring;
  • Also included was additional identity protection information and steps to take.
   Now, before you think that I am ripping on SuperValu... let me state that it's exactly the opposite.  I think SuperValu has done a great job here.  They didn't wait to notify the public.  As soon as they had evidence of a problem, they communicated.  And they didn't deny the problems.  (It's on these two points that Target failed.)

   They also didn't claim to be the victim of some kind of "advanced attack".  This, by the way, is almost always "code" for the organization not having implemented basic protections and having fallen to a very simple attack.

   And, as an infosec professional, I know that this same thing can happen to any organization.  In security we often say it's not a matter of if, but when.

   But we're not discussing breaches... we're discussing Identity Fraud.  Over the next several posts I'll dive into different aspects of the problem, offer some tips for protecting yourself, and describe the steps to take if your information has been used fraudulently.

   For now, if you received one of these letters from SuperValu, Target, or (coming soon!) Community Health Services or Home Depot... follow the directions in the letter and take the free credit monitoring.

   If you've gotten a letter and would like to share info, please let me know!
