In May 2012, the Commodity Futures Trading Commission (CFTC) was the victim of a fairly high profile security breach. The breach occurred when a CFTC employee opened a suspicious email that turned out to be part of a “phishing” scheme. Phishing is a type of cyber crime where a hacker, posing as a legitimate company, gains access to a user’s private information when that user opens the fake email.
These emails often appear to be messages from large, well-known organizations that you may or may not be affiliated with or a customer of, such as cellular service providers, banks, or insurance agencies. The messages often contain fake bill statements with requests for payment, or requests for password or address changes. Once a user clicks on the email or the links provided in the email, the hacker gains access to personal information that can then be used for identity theft and other kinds of fraud.
In an official statement by the CFTC, chief information officer John Rogers revealed that the personal information stolen by the phishing scheme was largely social security numbers. However, Rogers asserted that CFTC operations would not be affected by damages due to the breach. This is, in general, is true for large organizations and corporations who can often afford to absorb the high cost of these setbacks. Rarely will these breaches affect them in the long run. Smaller and mid-sized organizations, on the other hand, often have difficulty rebounding from data breaches and are always at a greater risk to phishing schemes and other types of data loss.
Here at Townsend Security we recommend to everyone who has a personal or work email to take care that they are sending and receiving messages from reliable sources. Red flags to look for include emails with offers that seem “too good to be true”, receiving a bill you don’t expect, unsolicited offers from any organization, or requests to change any type of personal information through a link provided in the email.
For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person. Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII, as well as the first steps your company should take towards establishing a data privacy strategy.