Sensitive personal data has been misplaced, lost, printed on mailing labels, posted online, and just left around for anyone to see. The situation has become untenable. Here's the ugly truth about how it keeps happening, who's been affected, and what's being done about it.
Another day, another hard-to-fathom data debacle. When Citibank disclosed two weeks ago that personal identification numbers to an untold number of debit cards had slipped into the wrong hands, it hastily blocked debit transactions in Canada, Russia, and the United Kingdom to head off any draining of accounts. It was a protective measure, but also an admission of weakness somewhere along Citibank's security chain.
In the past few weeks, some of the largest U.S. banks, including Bank of America, Washington Mutual, and Wells Fargo, have had to reissue debit cards, all because of data theft. The banks haven't come clean with all the details about what went wrong. In the case of Citibank, Gartner analyst Avivah Litan contends the gaffe was the result of data being stolen from a company that stores PINs.
[Photo, courtesy of AP: Olatunji Oluwatosin was sentenced to 16 months as part of the ChoicePoint investigation.]
Whatever the reasons, the banks join the growing list of companies whose reputations have taken a knock because of their inability to secure sensitive customer data. After last year's long list of personal-data compromises, we might have guessed that things would be getting better by now. But we would be wrong. It's enough to make any business or technology manager charged with data protection diligent, humble, and paranoid.
The consequences of vulnerable data management practices are becoming clearer with every new instance of exposed Social Security numbers, purloined PINs, and hacked accounts. Last month, one IT worker at Providence Health System in Portland, Ore., was fired and three others quit following the theft of computer tapes that held sensitive patient information, including addresses, phone numbers, and Social Security numbers. Staffers at the health care concern routinely brought the tapes home to back up the data on systems there. Predictably, the tapes were stolen from a van parked outside one of their residences.
Providence's gaffe shows how the financial and legal aftereffects of a breach spread like a bad rash. A company official told the Portland Oregonian that he expects the case, not including litigation costs, to cost from $7 million to $9 million. That includes providing affected patients with access to credit monitoring and restoration services. There's also the prospect of civil lawsuits by state agencies or individuals whose data was stolen, potentially costing millions more. "I'm looking at this case, monitoring it," says Shannon Smith, senior counsel with the Washington state attorney general's office. Smith has an eye on Providence because the company has operations in Washington. Generally speaking, she says, "it's an unfair business practice for a company to fail to take reasonable measures to secure the personal information of customers or other consumers."
[Photo, courtesy of AP: ChoicePoint CEO Derek Smith has had a long year of explaining after his company sold data to scammers.]
Reasonable measures include quickly notifying customers. Providence took three weeks to inform patients about its stolen tapes. Circling this mess are litigation attorneys; at least one proposed class-action suit has been filed against Providence already. Company officials didn't return phone calls to answer questions.
People's Bank in Bridgeport, Conn., offers a harsh lesson for companies that know they have a security risk but haven't yet fixed it. The bank earlier this year was switching from shipping backup tapes by courier to a system that transmits data to credit bureaus electronically using an encrypted format to eliminate the risk of lost or stolen tapes. "When we heard about similar incidents in the industry last year, we identified this as an operational risk and took steps," CTO Srihari Makkala says.
Too late. In January, the company disclosed that UPS lost a tape containing data on 90,000 customers who use its personal credit-line service. The tape contained names, addresses, and Social Security and checking account numbers. The bank maintains the data can't be read without access to sophisticated mainframe hardware and software.
Still, it's ugly PR and expensive. People's Bank is footing the bill for customers who need to sign up for credit monitoring and restoration services, and shelling out for a major consulting firm to perform an end-to-end review of its security procedures. The inspection will go beyond IT systems and include everything from premises security to the way employees handle documents, such as faxes, that bear customer data. Without providing specifics, Makkala says total costs could be substantial. "When something like this happens, we don't want to put a price on reputation, but it's significant," he says. "It's high risk and high cost."
It's unclear if the bank will try to recoup any costs from UPS, since the investigation is ongoing. A UPS spokesman calls the loss "an unfortunate occurrence" and says UPS uses special security measures for sensitive packages, but he declined to detail them or say whether they were used in this instance.
People's Bank has its encryption system running, but it still exchanges physical media with the Internal Revenue Service and others that aren't ready for encrypted files. "We're at the mercy of the institutions on the other end," Makkala says.
Beyond the immediate sting, data breaches can result in a loss of future business. "There's no telling what's gone in the opportunity column," says Frank Caserta, chief security officer at Acxiom, a data management provider that had files containing names and other information on millions of credit card holders stolen.
A spammer in Florida, Scott Levine, last month was sentenced to eight years in prison for his role in the theft, which occurred in 2003. Levine, 46, used his firm's limited authorized access into Acxiom's systems as a gateway into more closely guarded files. "Permissions were set incorrectly and that made the files visible," Caserta says. The judge presiding over Levine's trial determined the theft resulted in actual losses to Acxiom of about $850,000, but the damage goes beyond that. "The cost to your reputation is huge," says Caserta. "If you can't maintain trust in a business like ours, you're out of business."
After the theft became public, prospective customers took more time than usual in deciding whether to do business with Acxiom. "We suffered some delays," Caserta admits. No Acxiom employees lost their jobs because of the incident, which Caserta says was the result of a relatively minor technical glitch. "You can't just go on a witch hunt because you need a body to hold up," he says. However, some people have since been let go in unrelated incidents for violating security policies, either knowingly or through carelessness. "There have been other areas where someone breaks a rule, and by God, the discipline for that is swift and understood," Caserta says.
Acxiom also has paid a price in terms of the increased staff and management hours devoted to quelling customers' concerns about its security. The number of clients asking to audit Acxiom's security systems has increased dramatically. "They do a deep dive on security at every level," Caserta says. The company hired consultants to perform SAS 70 and other audits of its security and related IT processes.
[Photo, courtesy of UPI: New York Sen. Schumer frets about personal data in public records.]
Regulators Get Tough
Companies that lose customer data also risk fines and other penalties from the Federal Trade Commission. The FTC sued B.J.'s Wholesale Club in September for failing to protect consumer information. Hackers were able to exploit vulnerabilities in the company's firewall and steal data drawn from the magnetic strip on credit and debit cards used by its customers. Thousands of fraudulent purchases at other stores were traced to the data thefts.
The costs are starting to mount. According to its most recent quarterly report, B.J.'s took $10 million in charges to cover expected claims by banks that issued the cards containing the stolen data. The banks were forced to reimburse card holders for the purchases made in their names. As of October, banks were seeking $13 million in compensation, a number that could increase as more scam purchases are linked back to the original data theft. B.J.'s is looking to recover some of its losses from IBM, claiming that when it upgraded card-processing software, it told IBM to deactivate a feature that retains magnetic strip data so that a transaction can be processed offline. It's that data that was hacked. IBM declined to comment.
B.J.'s settlement with the FTC requires it to hire an external auditor to scrutinize its security systems every two years for the next two decades. That's similar to the penalty levied against CardSystems Solutions, which processes credit card transactions, when thieves broke into its systems and stole data resulting in millions of dollars in fraudulent purchases. The FTC has mandated that CardSystems, which was acquired by Pay By Touch in December, implement an IT security program and submit to an external security audit every other year for the next 20 years.
Top 10 Customer Data-Loss Incidents
(Columns: company; date of initial disclosure; number of affected customers. Several company names and all customer counts did not survive in this copy of the table and are left blank.)

Company                                                                         Date of initial disclosure   No. of affected customers
                                                                                June 17, 2005
                                                                                June 6, 2005
DSW Shoe Warehouse                                                              March 8, 2005
Bank of America                                                                 Feb. 25, 2005
Wachovia, Bank of America, PNC Financial Services Group, Commerce Bancorp       April 28, 2005
                                                                                May 2, 2005
Georgia Department of Motor Vehicles                                            March 9, 2005
University of Southern California                                               July 19, 2005
                                                                                Dec. 28, 2005

Note: As of March 2006
Data: Privacy Rights Clearinghouse, InformationWeek
ChoicePoint paid dearly earlier this year when it agreed to pay $15 million in fines after unwittingly selling more than 100,000 consumer credit reports to thieves posing as legitimate customers. The FTC said the company didn't have "reasonable procedures" for screening customers.
Government data breaches can be costly, too. The state of Rhode Island was forced to take down its online vehicle registration system in January after hackers stole user information, including credit card numbers. The state is looking to hire a chief security officer to prevent a repeat, but it could be a long search. "It's tough finding someone. The private sector can afford to pay more than we can," says Beverly Najarian, director of the state's department of administration.
Businesses, schools, and government agencies need to get the problem under control. Paranoia over unintended data disclosures is apparent and appropriate; what's needed now is greater urgency in putting a stop to them.