The High Cost Of Data Loss - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

07:15 PM

The High Cost Of Data Loss

Sensitive personal data has been misplaced, lost, printed on mailing labels, posted online, and just left around for anyone to see. The situation has become untenable. Here's the ugly truth about how it keeps happening, who's been affected, and what's being done about it.

The Crooks
As the volume of online banking and shopping continues to rise, and the Internet's reach makes it easier than ever to fence ill-gotten goods, hacking has gone professional. And businesslike cyberthieves who divvy up the labor and set up and dismantle scams in a matter of days have proven elusive.

But the bad guys don't always get away. In January, Bulgarian police arrested eight people in connection with an international phishing operation. Microsoft, which assisted in the investigation, said the group is part of a criminal network that steals personal information and commits fraud online. The group had sent E-mail forged to look as if it came from MSN customer service reps, then used purloined credit card information to buy goods and receive money transfers worth more than $50,000.

Last August, the FBI, along with Turkish and Moroccan police, arrested the authors of the Zotob and Mytob worms, which left infected PCs open to becoming part of zombie networks that could send spam, launch denial-of-service attacks, or swipe personal information. The FBI says the worm authors pilfered credit card numbers used to buy merchandise.

Yet many online data theft cases remain unsolved. In June 2004, organized criminals in Russia figured out a vulnerability in Microsoft's Web server software that let them append a small amount of Java code to objects sent by several hundred E-commerce companies' servers running Microsoft's Internet Information Server. That code installed keystroke-logging software on Internet users' copies of Microsoft's Internet Explorer browser in a way that went undetected by antivirus packages. When those users visited the Web sites of banks such as Citibank and Wachovia, the keystroke-logging software captured their user names and passwords.

Researchers traced the scam to a group called the "hang-up team," but U.S. and Russian law enforcement have yet to make an arrest. "It was a clear turning point" from nuisance attacks to under-the-radar crimes for the sole purpose of capturing personal financial data, says Marcus Sachs, a deputy director in the computer science lab at SRI International and a cybersecurity consultant to the Department of Homeland Security.

Launching investigations quickly by combining consumer complaints with data from the FBI and technology companies is key to making arrests, says Dan Larkin, unit chief of the FBI's cyber division. With cyber- crime, "the trail is pretty fast and fleeting, and the rules of evidence don't really apply on the international scale," Larkin says. The FBI has arrested more than 20 online data thieves since January, he says.

What's taken the place of publicity-seeking malware attacks is software written and distributed by professional criminals, and the resulting damage threatens to disrupt consumer confidence in online commerce.

But not all cyberthieves are pros. Jayson Harris, a 23-year-old Iowa resident, pleaded guilty in January to wire fraud and other charges for collecting data from Internet users by setting up sites that mimicked Microsoft's MSN billing Web site. And earlier this month, James Green, a former security guard on hire to General Motors, was arraigned on eight counts of obtaining, possessing, or transferring personal identity information, according to The Associated Press. He's accused of using his position with a private security firm to steal Social Security numbers of about 100 GM employees and sending them E-mails posing as a representative of GM's program for evaluating company vehicles.

Many phishing scams, in which thieves lure Web surfers to bogus sites where they're tricked into revealing personal financial information, originate in some of the former Soviet republics. Experts believe cases in which credit card numbers have been stolen from companies' servers have their roots there as well. Tim Cranton, a senior attorney and director of Internet safety enforcement programs at Microsoft, says the cybergangs operate like organized criminal networks in which members have different jobs-one may harvest E-mail addresses, while another installs code onto targeted PCs-and they communicate across national borders.

Tech vendors keep fighting back. Microsoft is expected this week to disclose 10 lawsuits against alleged phishers and plans for about 100 actions in the next month, part of a new global phishing enforcement initiative.

--Aaron Ricadela

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
5 of 6
Comment  | 
Print  | 
More Insights
IT Careers: 10 Industries with Job Openings Right Now
Cynthia Harvey, Freelance Journalist, InformationWeek,  5/27/2020
How 5G Rollout May Benefit Businesses More than Consumers
Joao-Pierre S. Ruth, Senior Writer,  5/21/2020
IT Leadership in Education: Getting Online School Right
Jessica Davis, Senior Editor, Enterprise Apps,  5/20/2020
White Papers
Register for InformationWeek Newsletters
The State of IT & Cybersecurity Operations 2020
The State of IT & Cybersecurity Operations 2020
Download this report from InformationWeek, in partnership with Dark Reading, to learn more about how today's IT operations teams work with cybersecurity operations, what technologies they are using, and how they communicate and share responsibility--or create risk by failing to do so. Get it now!
Current Issue
Key to Cloud Success: The Right Management
This IT Trend highlights some of the steps IT teams can take to keep their cloud environments running in a safe, efficient manner.
Flash Poll