When Christina Guilbert got a call from her bank in March about an attempt to steal money from her account, she was alarmed--and suspicious. How could someone access her account from an automated teller machine in England when her ATM card was in her home in Boston? Was the caller really a bank representative or a thief fabricating a story in an attempt to get account information from her? "With all of the scams on the Internet, I knew they could try the same thing using the phone," Guilbert says.

Guilbert had the bank rep confirm his identity by providing information on a recent transaction on her account. The bank blocked the attempted withdrawal, but Guilbert, who works at a public-relations firm, still doesn't know how the overseas thief got her account information. Guilbert's faith in doing any kind of business online has been destroyed. "I was concerned about shopping online before; now I won't shop online at all," she says.

The shift to Internet-based customer transactions and electronic storage of customer data provides huge improvements in speed and convenience for consumers and efficiency for retailers and service providers. But it's also creating new opportunities for criminals. With so many ways for personal data to leak out, from a hacker attack to a stolen company laptop, and identity thieves increasingly effective at quickly exploiting any breach, companies are struggling to hang on to their most precious asset: customer trust.

A scan of news headlines in recent months illustrates the problem, and they represent only the breaches the public learns about. On March 12, GMAC Insurance, a division of GMAC Financial Services, informed about 200,000 customers that personal data, such as Social Security numbers, home addresses, and credit scores, was contained on two laptops stolen from an employee's car near Atlanta. One GMAC customer, who requested anonymity, says he placed a credit alert on his credit file with three reporting agencies so he'll know of any suspicious activity. But GMAC has already lost his trust. "I'm moving my business and requesting my information be purged from their database," he says via E-mail.

Also in March, more than 1,400 Canadians were notified by credit-reporting agency Equifax Canada Inc. that a data-security breach had exposed their personal information. In November, computer systems containing customer information were stolen from the offices of a consultant doing work for Wells Fargo & Co.

The problem isn't unique to financial companies. San Diego State University officials in March informed more than 178,000 students and employees that their names and Social Security numbers were exposed when hackers accessed a server in the Office of Financial Aid Scholarships. In April, Indiana State University discovered that hackers accessed a backup server that held files containing personal information of students who attended the university from 1991 through 2001 and faculty who worked there from 1995 through 2002.

The Federal Trade Commission reports that the number of identity-theft complaints rose from 86,212 in 2001 to 214,905 in 2003, partly because of data vulnerabilities associated with an increased number of purchases and transactions on the Internet.

The financial fallout from exposing customer data can be huge, Baker Hill's Beasley says. Photo by Bob Stefko

The rise in hacker and criminal activity related to customer data puts tremendous pressure on business-technology executives who need to create safeguards that prevent such incidents. "The potential black eye that a company could receive is measurable in hard dollars, especially when you tally lost customer business, goodwill with customers, as well as lost future business," says Eric Beasley, senior network administrator at Baker Hill Corp., an application-services company that provides hosted loan processing to more than 150 banks. To improve the security of banks' data, Baker Hill installed a Web-application firewall from Teros Inc., software that studies what an application is doing and blocks suspicious behavior--like a request for thousands of account numbers when the typical request is for two or three at a time--making it possible to thwart attacks even if hackers use previously unknown techniques or vulnerabilities.

Despite growing concern over identity theft, it appears that companies aren't doing all they can to protect customer data. Only 30% of companies use the type of firewall software Baker Hill employs, according to InformationWeek Research's 2003 U.S. Information Security Survey of 815 companies. More than 80% use antivirus and network-firewall software, but just 23% use vulnerability-scanning tools that detect the security holes used by hackers. Also, only 43% of respondents use intrusion-detection systems to spot attacks, and just 40% say they've reviewed their information-security policies and measured their effectiveness.