Cybercrime

Hackers Hit Equifax, Compromising 143 Million Americans’ Data
Megan Gates, Security Management (ASIS International), September 8, 2017
https://sm.asisonline.org/Pages/Hackers-Hit-Equifax,-Compromising-143-Million-Americans’-Data.aspx

Hackers breached one of the crown jewels of the U.S. financial system this summer, potentially compromising the personally identifiable information (PII) of 143 million Americans.

Consumer credit reporting agency Equifax (http://www.equifax.com/about-equifax/) confirmed in a statement released late Thursday that hackers gained access to its systems and compromised consumer data, including Social Security numbers and driver’s license numbers.

“Criminals exploited a U.S. website application vulnerability to gain access to certain files,” the statement said (https://www.equifaxsecurity2017.com/). “Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”

Along with consumers’ names, Social Security numbers, birth dates, and addresses, the hackers also stole credit card numbers for approximately 209,000 consumers and dispute documents for approximately 182,000 consumers.

“As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents,” the statement said. “Equifax will work with UK and Canadian regulators to determine appropriate next steps.”

Equifax became aware of the intrusion on July 29, acted to stop it, and hired a cybersecurity firm to conduct a comprehensive forensic review to determine its scope. It also reported the intrusion to law enforcement. By the company’s own timeline, the attackers had access for roughly two and a half months before they were detected, and public disclosure followed about six weeks after detection.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” said Chairman and CEO Richard F. Smith in a statement. “I apologize to consumers and our business customers for their concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”

To help consumers determine if they have been impacted by the breach, Equifax created a dedicated website, www.equifaxsecurity2017.com, where they can check their status and sign up for credit file monitoring and identity theft protection.

Critics, however, have cautioned consumers about checking their status with Equifax, as doing so might waive any rights they have to sue the agency.

This is because the terms of use on the dedicated website include the following statement: “By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claims where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed.”

New York Attorney General Eric Schneiderman tweeted that this language is “unacceptable and unenforceable,” and that his staff has contacted Equifax to demand it be removed. He also announced that he is launching an investigation into how the breach occurred.

“The Equifax breach has potentially exposed sensitive personal information of nearly everyone with a credit report, and my office intends to get to the bottom of how and why this massive hack occurred,” Schneiderman said in a statement (https://twitter.com/AGSchneiderman/status/906197644841766912). “I encourage all New Yorkers to immediately call Equifax to see if their data was compromised and to consider additional measures to protect themselves.”

While investigators work to determine the cause of the breach and who was responsible, it is likely to have widespread ramifications given the number of consumers affected and the data involved.

In a blog post for cybersecurity firm Digital Shadows (https://www.digitalshadows.com/blog-and-research/equifax-breach-the-impact-for-enterprises-and-consumers/), Vice President of Strategy Rick Holland detailed what is most likely to happen next, including tax return fraud, benefits and medical care fraud, carding, resale of the data, and the enablement of nation-state and hacktivist campaigns.

“There are a wide range of possibilities depending on the goals of the threat actor responsible for the Equifax intrusion,” Holland wrote. “Attribution aside, one thing is certain though, regardless of the motivations of the attackers, this data is perfect for social engineering attacks.”

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/September-Legal-Report---Coercion,-Marijuana,-and-More.aspx
September Legal Report: Coercion, Marijuana, and More

Judicial Decisions

COERCION. In the first decision of its kind, the U.S. National Labor Relations Board (NLRB) has ruled that an employer committed an unfair labor practice when a manager texted an employee asking whether the employee’s loyalties lay with the company or the labor union.

RHCG Safety Corp. (Redhook) is a general construction contractor in New York City. During an organizing campaign in the summer of 2015, a construction union attempted to convince employees to vote in favor of union representation. During the campaign, Redhook employee Claudio Anderson needed to take time off to travel to Panama to care for his mother.

Anderson’s supervisor, David Scherrer, allowed Anderson to take the time off. Before Anderson left for Panama, however, he visited the union’s offices and signed an authorization card indicating that he supported union representation. His mother’s health also improved at the same time, so Anderson decided not to take a leave of absence from work and texted Scherrer about returning to work.

Scherrer responded, according to NLRB documents, with a text message that asked: “What’s going on with u? U working for Redhook or u working in the union? U got to tell me what’s going on.”

Anderson texted back that he’d been to the Redhook office that day to speak to Scherrer, but had missed him. He got no response, and two days later Scherrer texted Anderson to tell him he’d given his position to someone else.

The union then filed an unfair labor practice charge against Redhook, alleging that the company violated the National Labor Relations Act (NLRA) through Scherrer’s text messages.

The NLRB ruled in the union’s favor, finding that the texts violated the NLRA because they were sent in response to an employee’s inquiry about whether he should return to work.

“By juxtaposing working with Redhook with working in the union, Scherrer’s text strongly suggested that the two were incompatible,” the NLRB said in its ruling.

Redhook had also argued that text messages could not be considered “unlawful interrogation.” The board, however, did not find this argument persuasive, because previous decisions had found that interrogations do not have to be in person to violate the NLRA; violations can stem from coercive writings or phone calls.

Applying these same principles, the NLRB said there was “no reason why [there should be] a safe harbor for coercive employer interrogations via text messages.”

The board ordered Redhook to reinstate Anderson to his former job or a substantially equivalent position; compensate him for any loss of earnings; cease and desist from interrogating employees about their union activities; and post a notice that the company’s actions violated the NLRA. (RHCG Safety Corp. and Construction & General Building Laborers, Local 79, LIUNA, U.S. National Labor Relations Board, Nos. 29-CA-161261 and 29-RC-157827, 2017)

MARIJUANA. An employer acted illegally when it refused to hire a medical marijuana user because she disclosed she could not pass a preemployment drug test, a Rhode Island state court has ruled.

The ruling stems from a case brought by Christine Callaghan, who in June 2014 was a master’s student studying textiles at the University of Rhode Island. To meet a graduation requirement, she applied for an internship with Darlington Fabrics, a division of the Moore Company.

Callaghan met with Darlington Human Resources Coordinator Karen McGrath and signed a Fitness for Duty Statement, which said she would have to take a drug test before being hired as an intern. During this meeting, Callaghan also told McGrath that she held a medical marijuana card in compliance with Rhode Island’s Hawkins-Slater Medical Marijuana Act.

A few days after the meeting, McGrath and a colleague called Callaghan and asked if she was currently using medical marijuana. Callaghan said she was, according to court documents, and that she would therefore test positive on her preemployment drug screening. She also said that she was allergic to many other painkillers, and that she would not bring marijuana into the workplace or use it there.

McGrath then told Callaghan that a positive test would “prevent the company from hiring her,” the lawsuit said. McGrath and her colleague then ended the call.

They called Callaghan later that afternoon and told her that Darlington could not hire her because, according to court documents, “Ms. Callaghan put the corporation on notice that she was currently using marijuana, would not stop using marijuana while employed by the company, and could not pass the required preemployment drug test, and thus could not comply with the corporation’s drug-free workplace policy.”

Callaghan then filed a lawsuit, charging that Darlington’s decision not to hire her was a violation of the Hawkins-Slater Act, a violation of the Rhode Island Civil Rights Act, and employment discrimination.

The suit reached the Rhode Island Superior Court, which ruled in Callaghan’s favor because of the language in the Hawkins-Slater Act that says “no school, employer, or landlord may refuse to enroll, employ, or lease to, or otherwise penalize a person solely for his or her status as a cardholder.”

Callaghan disclosed to Darlington that she was a medical marijuana cardholder and user; Darlington’s refusal to hire her after she made the disclosure violated state law, the court said.

Judge Richard Licht also wrote in his opinion that Darlington’s position would place medical marijuana users in a worse position than recreational users who might also apply for jobs with the company. For instance, a recreational marijuana user could stop using for long enough to pass the preemployment drug test and not be subject to future tests.

“The medical user would not be able to cease for long enough to pass the drug test, even though his or her use is necessary to treat or alleviate pain, nausea, and other symptoms associated with certain debilitating medical conditions,” Licht explained. (Callaghan v. Darlington Fabrics, Rhode Island Superior Court, No. PC-2014-5680, 2017)

Regulations

COMMUNICATIONS. U.K. communications regulator Ofcom fined mobile network operator Three £1.8 million (approximately U.S. $2.4 million) for a weakness in its emergency call network that put at risk its obligation to ensure uninterrupted access to emergency services.

Three notified Ofcom in October 2016 of a temporary loss of service in Kent, Hampshire, and parts of London. Ofcom investigated the issue and found that emergency calls from customers in these areas had to pass through a single data center to reach emergency services.

“This meant that Three’s emergency call service was vulnerable to a single point of failure,” Ofcom said in a press release. “Three’s network should have been able to automatically divert emergency calls via back-up routes in the event of a local outage. But these back-up routes would also have failed because they were all directed through this one point.”

The finding is a reminder that a backup path is only as independent as its weakest shared dependency: redundant routes that converge on one site fail together with it.

Ofcom issued the penalty to reflect the “seriousness of the breach, given the potential impact on public health and safety,” it said.

Legislation

European Union

ENCRYPTION. The European Parliament Committee on Civil Liberties, Justice, and Home Affairs has endorsed a new amendment to require end-to-end encryption on all communications.

The committee released a draft proposal (amendment 16) that recommends introducing regulations to enforce end-to-end encryption on all communications to protect European Union (EU) citizens’ fundamental privacy rights.

“Furthermore, when encryption of electronic communications data is used, decryption, reverse engineering, or monitoring of such communications shall be prohibited,” the proposal said. “Member states shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services.”

The proposal also calls for a ban on “backdoors” into encrypted messaging apps, because electronic communications data should be treated as confidential data.

If adopted, the proposal would be at odds with the stance of the U.K., U.S., Australian, and even some European governments that technology firms should create backdoors to help fight terrorism.

United States

UTILITIES. The U.S. House of Representatives is considering legislation that aims to reduce the threat of wildfires to electric transmission and distribution facilities.

The bill (H.R. 1873) would amend the Federal Land Policy and Management Act of 1976 to ensure that all existing and future rights-of-way established by grant, special use authorization, and easement for electrical transmission and distribution facilities include provisions for utility vegetation management, inspection, and operation and maintenance activities.

The bill would require transmission and distribution facility owners and operators to create a plan for vegetation management that “provides for the long-term, cost-effective, efficient and timely management of facilities and vegetation within the width of the right-of-way and adjacent federal lands to enhance electricity reliability, promote public safety, and avoid fire hazards.”

The bill was introduced by U.S. Rep. Doug LaMalfa (R-CA) and, as of press time, had 20 bipartisan cosponsors.

“Under this legislation, rural electric co-ops, utilities, and municipal power providers will be able to proactively remove hazardous trees before they become problems, not after they’ve caused a fire,” LaMalfa said in a statement.

Elsewhere in the Courts

SOLICITATION. Robert Doggart, 65, of Signal Mountain, Tennessee, was sentenced to 235 months in prison for soliciting another person to burn down a mosque in New York, a violation of U.S. civil rights laws. In February 2015, a confidential source told the FBI that Doggart was recruiting people online to carry out an armed attack on Islamberg, a community in New York that is home to a large number of Muslims. “Doggart specifically targeted the mosque because it was a religious building, and he discussed burning it down or blowing it up with a Molotov cocktail or other explosive device,” according to the U.S. Department of Justice. (U.S. v. Doggart, U.S. District Court for the Eastern District of Tennessee at Chattanooga, No. 1:15-cr-39-CLC-SKL-1, 2017)

FRAUD. Three Nigerian nationals were sentenced for their roles in a large-scale international fraud network. The men were extradited from South Africa and found guilty of mail fraud, wire fraud, identity theft, credit card fraud, and theft of government property for their roles in several Internet-based fraud schemes that used victims to cash counterfeit checks and money orders, used stolen credit card numbers to purchase electronics, and used stolen personal identification information to take over victims’ bank accounts, causing millions of dollars in losses. (U.S. v. Ayelotan, U.S. District Court for the Southern District of Mississippi, No. 1:14cr33, 2017)

DISCRIMINATION. Rosebud Restaurants, Inc., will pay $1.9 million and provide other relief to settle a class race discrimination lawsuit brought by the U.S. Equal Employment Opportunity Commission (EEOC). According to the EEOC, 13 of Rosebud’s restaurants “refused to hire African-Americans because of their race” and Rosebud’s owner “used racial slurs to refer to blacks” in violation of Title VII of the Civil Rights Act of 1964. The settlement requires Rosebud to pay $1.9 million to African-American applicants Rosebud did not hire, along with requiring it to create hiring goals for qualified black applicants and prohibiting it from engaging in race discrimination in the future. (EEOC v. Rosebud, U.S. District Court for the Northern District of Illinois, No. 13-cv-6656, 2017)
https://sm.asisonline.org/Pages/Five-Insights-on-ESRM.aspx
Five Insights on ESRM

There are five overall concepts that provide guidance about the nature of enterprise security risk management (ESRM). These concepts describe what ESRM is, what it can do for security managers, how security can gain C-suite approval for it, and how to implement a vibrant ESRM program for the enterprise.

ESRM Is a Philosophy

ESRM is not a standard, nor is it a rigid set of rules to follow. ESRM is a philosophy of managing security. It is based on standard risk management practices, the same ones that guide most of the other business decisions made by the enterprise. It requires partnership with the business leaders in the organization.

This philosophy gives the security leader the ability to manage security risks. This ability is not based on the latest incident or scare in the news, nor is it based simply on the manager’s own ideas of what is most important to protect. Instead, it is based on a shared understanding of what the business deems critical for risk mitigation, and what level of risk the business is willing to accept in different areas. This ability also requires that the business fully understand why the security risk mitigation tactics have been put in place, and what the impact of not having those mitigations might be.

The emphasis here is on business. ESRM philosophy recognizes that security risk does not belong to security. It is a business risk, like any other financial, operational, or regulatory risk, and final decisions on managing that risk must belong to the business leaders. That shift in understanding sets a security program up for a greater level of success because security leaders are delivering only what the business needs, and, more important, what the C-suite understands that it needs.

ESRM Is a Process

ESRM is not merely an academic philosophy. A general approach for setting up and running a security program can be derived from it. Under that approach, ESRM in action is a cyclical program, and the cycle of risk management is ongoing:

1. Identify and prioritize the assets of an organization that need to be protected.

2. Identify and prioritize the security threats that the enterprise and its assets face, both existing and emerging, and the risks associated with those threats.

3. Take the necessary, appropriate, and realistic steps to protect against and mitigate the most serious security threats and risks.

4. Conduct incident monitoring, incident response, and post-incident review, and apply the lessons learned to advance the program.

ESRM Aligns with the Business

Aligning the security program with business requirements is the most critical component of the ESRM philosophy. This means that the security program must receive governance and guidance from the business. We recommend the formation of a security council to ensure this alignment.

There are several ways to implement a council. It could be a loose, informal group that provides input as needed, or it could be a board-level initiative that has formal roles, meetings, charters, and documented responsibilities for ensuring security compliance. The council can be a venue for discussing security topics and risk management strategies, and it can host resolution attempts for conflicts in the process.

ESRM Covers All Security

There is no aspect of security that cannot be managed in alignment with the ESRM philosophy. Many security professionals already practice much of the ESRM philosophy without thinking of it that way. For example, performing a physical security risk assessment on a facility is equivalent to the ESRM steps of identifying and prioritizing assets and risk. And setting up a crisis management plan can be considered an aspect of ESRM risk mitigation, as well as incident response.

The critical difference between programs that do these activities as part of a traditional security program and those that do them as part of an ESRM program is the consistency of approach in ESRM. In ESRM, these activities are not performed on an ad hoc basis but consistently across all areas of security risk. They are not applied to one area of the organization and not to another. And, vitally, they are not performed in a vacuum by security and for security, but in full partnership with the business leaders driving the decision-making process for all risk mitigation.

ESRM Is Possible

Implementing ESRM cannot be done overnight. It is an iterative process that allows your security program to evolve over time into a pure risk management approach. For the security manager, the first step to fully understanding the ESRM philosophy is to communicate it to the executives and business leaders in the enterprise.

When implemented thoughtfully and practiced consistently, ESRM can completely change the view of the security function in any organization. The old view of security as “the department of no” will shift when business leaders understand that security is a partner in ensuring that the assets and functions of the enterprise most critical to the business are protected in accordance with exactly how much risk the business is willing to tolerate.

Rachelle Loyear is ESRM Program Manager for G4S and chair of the ASIS Crime Management and Business Continuity Council. Brian J. Allen, Esq., CPP, is a member of the ASIS ESRM Commission. Allen and Loyear are coauthors of The Manager's Guide to Enterprise Security Risk Management and the forthcoming book Enterprise Security Risk Management: Concepts and Applications.
https://sm.asisonline.org/Pages/Surveillance-and-Stereotypes.aspxSurveillance and Stereotypes<p>​Juveniles make up 40 percent of the shoplifters in the United States. Shoplifters, in total, contribute to billions of dollars of loss each year, according to the National Association for Shoplifting Prevention’s 2014 report <em>Shop­lifting Statistics.</em></p><p>To combat adolescent shoplifting, according to the report, retailers depend on private security officers combined with other security measures, including security cameras, observation mirrors, and radio-frequency identification (RFID) tags. </p><p>The key to apprehending juveniles during or after shoplifting, however, is to correctly determine whom to surveil. Security personnel often rely on a combination of common underlying physical characteristics—race, gender, and age—and behavioral indices—glancing at clerks nervously, assessing security measures, and loitering—to distinguish shoppers from potential shoplifters. </p><p>Are these surveillance decisions a result of bias? To find out, the authors conducted original academic research funded by the John Jay College of Criminal Justice of the City University of New York on how stereotypes play into who is suspected of shoplifting, how that suspect is dealt with, and what private security can do to limit discriminatory practices.​</p><h4>Existing Data</h4><p>A 2003 Journal of Experimental Psychology article, “The Influence of Schemas, Stimulus Ambiguity, and Interview Schedule on Eyewitness Memory Over Time,” which discussed research findings and lawsuits against retailers, concluded that stereotypes of juvenile shoplifters may unduly influence security officers to target juveniles on the basis of their physical characteristics, rather than their behaviors.</p><p>Over the past 20 years, the media has reported on cases in which the retail industry engaged in discriminatory practices. 
This is known as consumer racial profiling (CRP), “the use of race and or ethnicity to profile customers.” According to a 2011 study in the Criminal Justice Review, “Public Opinion on the Use of Consumer Racial Profiling to Identify Shoplifters: An Exploratory Study,” officers sometimes use CRP to determine which juvenile shoppers are potential or actual thieves. </p><p>Most people develop negative stereotypes about juvenile thieves through exposure to various types of media, particularly when they reside in areas that contain few minorities. The media has the unique ability to both shape and perpetuate society’s beliefs about which juveniles typically commit offenses through its selective coverage of crimes. </p><p>It is also common for the media to portray adolescents—particularly boys—as criminals. Biases are then used, whether consciously or unconsciously, in the private sector by retailers and security officers to target shoppers, and in the public sector by those in the legal system, including law enforcement officers, prosecutors, judges, and even legislators, to arrest and prosecute thieves.</p><p>The consequences of applying discriminatory practices can be seen in the private sector through lawsuits against retailers. Ethnic minority shoppers purport that they were targeted through excessive surveillance—and even through false arrests. </p><p>Researchers have shown that this automated bias occurs even when observers were trained to focus on behavioral cues, and it persists despite findings that shoplifting occurs across racial and ethnic groups, according to the 2004 Justice Quarterly article “Who Actually Steals? A Study of Covertly Observed Shoplifters.”</p><p>Stereotypes also affect retailers’ decisions on how to handle shoplifters, either formally by involving the police, or informally. 
The results of accumulated discrimination, accrued during each step in the legal process—initial involvement of police, decision to prosecute, conviction, and sentencing—continue in the legal system. This is evidenced by the disproportionate number of African- and Latin-American boys shown in the apprehension and arrest statistics of juvenile thieves, compared to their representation in the population, according to Our Children, Their Children: Confronting Racial and Ethnic Differences in American Juvenile Justice, a book published by the Chicago University Press. ​</p><h4>Current Research</h4><p>To test the premise that there is a widespread stereotype of the typical juvenile thief and shoplifter, our research team obtained information from young adults in two diverse areas:  97 psychology-major college students in a small city in the U.S. state of Kansas, and 156 security and emergency management majors at a college in a large city in New York state. </p><p><strong>Shoplifter profile. </strong>The psychology-major students were 83 percent European American. The rest of the students were represented as follows: 5 percent African American, 2 percent Asian American, 1 percent Latin American, and 9 percent of mixed or unknown descent.</p><p>The security and emergency management major students—72 percent of whom were male—came from a variety of backgrounds: 31 percent European American, 37 percent Latin American, 19 percent African American, 9 percent Asian American, and 2 percent Middle Eastern American.</p><p>Participants in both locations were asked to guess the common physical characteristics of a typical juvenile shoplifter—age, gender, ethnicity or race, and socioeconomic status. </p><p>The stereotypical juvenile shoplifters described by both the Kansas and New York respondents were remarkably similar: male, aged 14 to 17, and from lower- to middle-class families of African-American, Latin-American, or European-American descent. 
The two samples also indicated that the stereotypical thief was likely to have short or medium-length brown or black hair and an identifying mark, such as a piercing. </p><p>These findings show commonality in the prevalence of certain physical characteristics, despite the diversity of the two groups of respondents, and demonstrate that American society has a well-developed juvenile shoplifter stereotype.</p><p><strong>Decision processes. </strong>After determining the stereotype, the research team considered whether juvenile shoplifter stereotypes affected respondents’ decisions. The goal was to determine the degree to which the respondents believed that physical characteristics influenced the security officers’ decisions regarding whom to surveil, and what consequences to apply when a youth was caught stealing.</p><p>The New York respondents read a brief scenario describing a juvenile shoplifter as either male or female and from one of five backgrounds: European American, African American, Asian American, Latin American, or Middle Eastern American. However, the description of the overt behaviors by the juvenile was the same for every scenario—selecting and returning shirts in a rack, glancing around the store, and stuffing a shirt into a backpack.</p><p>Respondents provided their opinions about the degree to which the security officer in the scenario relied on physical characteristics in surveilling a juvenile, and whether the retail manager and security officer should impose informal or formal sanctions on the shoplifter. 
Researchers reasoned that respondents should draw identical conclusions for surveillance and sanctions if they were simply evaluating the juvenile shoplifters’ behaviors, but that students would make different recommendations for these choices if their racial or ethnic stereotypes were activated.</p><p>Respondents who indicated a preference for applying informal sanctions did so more frequently for girls of African-American and Middle Eastern-American descent. These respondents also assessed that the officer described in the scenario based his or her surveillance decisions on physical characteristics. No other gender differences for race or ethnicity were notable when considering reliance on physical characteristics.</p><p>Stereotypes also affected decisions on how to sanction the shoplifter. Respondents were given the option of implementing one of four informal sanctions: speak to the juvenile, call parents to pick up the juvenile, get restitution, or ban the youth from the store. The least severe sanction—talking to the juvenile—was chosen at a higher rate for boys than for girls of each ethnicity except European Americans, for whom there was no difference.</p><p>The moderate-level sanction—calling the youth’s parents—was selected more for girls than for boys of African and Latin descent. The most severe sanction—banning the youth from the store—was selected more for boys than for girls of African descent. However, it was selected more for girls than for boys of Asian, European, and Middle Eastern descent.<img src="/ASIS%20SM%20Callout%20Images/0417%20Feature%202%20Chart%201.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:510px;" /></p><p>Respondents who indicated a preference for applying formal sanctions attributed physical characteristics to the officers’ surveillance decision for girls more than for boys of Latin descent; gender differences were not apparent for the other ethnicities. 
</p><p>Respondents were also given five formal sanctions for the youths: involve the police, prosecute the theft as larceny, impose a fine, give the youth diversion or community service, or put the incident on the youth’s criminal record. The least severe sanction—involving the police—was endorsed more for boys than for girls of Asian, European, and Latin descent, but more for girls than for boys of African descent. No gender difference was apparent for youths of Middle Eastern descent.</p><p>The most severe sanction—diversion or community service—was preferred more for boys than for girls of African descent. A small percentage of respondents endorsed a criminal record for the theft of a shirt, but only for girls of African and European descent and for boys of Middle Eastern descent.</p><p>Finally, a comparison of our data revealed that respondents believed informal—rather than formal—consequences should be imposed for girls rather than for boys of Asian and European descent, and for boys rather than for girls of Latin descent. <img src="/ASIS%20SM%20Callout%20Images/0417%20Feature%202%20Chart%202.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:519px;" /></p><h4>Lessons Learned</h4><p>Our findings clearly demonstrate that people have stereotypes about juvenile shoplifters. They also show that people unconsciously use the typical physical characteristics of gender and race or ethnicity associated with their criminal stereotypes to make decisions and recommendations, such as whom to surveil and how to handle a shoplifting incident. Otherwise, there would not have been a difference in how the juvenile shoplifter was processed or punished, because the behaviors exhibited by all of the juveniles were identical across scenarios.</p><p>Consumer racial profiling is a defective filtering system that may direct private security officers’ attention to characteristics that are not reflective of actual shoplifting conduct. 
Our data suggest that CRP not only hurts retail businesses by discouraging minority consumers from shopping in their stores, but also prevents security officers from apprehending the shoplifters who do not fit the stereotype.</p><p>Other research, such as “Juvenile Shoplifting Delinquency: Findings from an Austrian Study,” published in the 2014 Journal for Police Science and Practice, shows that only about 10 percent of juvenile shoplifters are caught. Even more disconcerting, the typical shoplifter steals on average 48 to 150 times before being apprehended. Clearly, retailers need a better strategy if they are to reduce loss due to shoplifting.</p><p>Another issue that was addressed was the decision to involve the legal system. Many businesses, despite having posted prosecution warnings, reported only about half of the adolescent shoplifters they caught to the police. </p><p>Retailers instead focus on minimizing loss and negative publicity, and may rationalize against reporting the offense to the police because they do not want to stigmatize the adolescent or because they consider it a one-time incident, particularly when the juvenile admits to the theft and then pays for or returns the items, according to the U.S. Department of Justice’s (DOJ) Community Oriented Policing Services.</p><p>These beliefs, however, may be misguided. Though current research is scarce, a 1992 study—The Sociology of Shoplifting: Boosters and Snitches Today—indicated that 40 to 50 percent of apprehended adolescent shoplifters reported that they continued shoplifting. </p><p>There are benefits for retailers who involve the legal system, especially for informal police sanctions. </p><p>First, criminal justice diversion programs, psychological treatment, and educational programs may reduce recidivism. 
For example, shoplifters who attended and completed a diversion program had significantly fewer re-arrests compared to those who failed to complete or did not attend, a DOJ study found.</p><p>Second, the private sector needs the support of the public sector to reduce shoplifting. Shoplifters can be given an opportunity to participate in first-offender programs and, upon completion of classes on the effects of shoplifting, have their charges dismissed or even erased. </p><h4>Recommendations</h4><p>Retailers and private security officers need training to make them aware of their own biases and how their stereotypes affect their choices. They also need training to learn which behavioral indicators are most effective in distinguishing shoppers from shoplifters. </p><p>If retailers do not make significant changes in guiding their employees—particularly security officers—towards objective measures of vigilance to prevent shoplifting, their financial loss will continue to be in the billions of dollars. </p><p>Private security officers must be taught how to treat all potential shoplifters in the same way, regardless of gender, race, or ethnicity, to prevent making mistakes and subjecting retailers to lawsuits for discriminatory security practices.</p><p>Overcoming unconscious biases is difficult. Prior to specialized training in bias identification and behavioral profiling, it is important to determine the biases of security officers. Self-assessment measures similar to the ones the researchers used in their study can be administered. </p><p>The officers should also keep records that specify each incident of shoplifting, what behaviors drew their attention to warrant surveillance, what act occurred to provoke them to approach the juvenile shoplifter, the items that were taken, the method used, the shoplifter’s demographics, how the situation was handled, who made the decision, and the reasons for the decision. 
The officers should then review these records with their retail managers.</p><p>Retailers should also implement a mandatory training program to provide private security officers with the tools needed to identify shoplifting behaviors, to increase detection and reduce shrink. </p><p>The incident records could be introduced and used to help identify the impact biases have on private security professionals’ decision making about juvenile shoplifters. They would also help security officers learn the various types of suspicious behaviors that shoplifters exhibit, such as juveniles who make quick glances at staff, examine items in remote aisles, monitor security cameras and mirrors, and purposefully draw employees’ attention away from others.</p><p>Additionally, a practical component would be to show surveillance videos of the behaviors exhibited by juvenile shoplifters of different gender and race or ethnicity. In this way, the findings of past studies showing the insignificance of race, ethnicity, or gender can be learned through real-world examples. </p><p>--<br></p><p><em><strong>Dr. Lauren R. Shapiro </strong>is an associate professor in the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. She has published several journal articles and chapters on the role of stereotypes in perception and memory for crime and criminals. <strong>Dr. Marie-Helen (Maria) Maras</strong> is an associate professor in the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. She is the author of several books, including Cybercriminology; Computer Forensics: Cybercriminals, Laws, and Evidence; Counterterrorism; and Transnational Security.</em></p>