The High Cost Of Data Loss

Sensitive personal data has been misplaced, lost, printed on mailing labels, posted online, and just left around for anyone to see. The situation has become untenable. Here's the ugly truth about how it keeps happening, who's been affected, and what's being done about it.

The Losers, by Paul McDougall
The Victims, by Elena Malykhina
The Goods, by Larry Greenemeier
The Crooks, by Aaron Ricadela
The Law, by Marianne Kolbasuk McGee
Timeline: Mistakes Galore
Interactive Presentation: Personal Data Sieves
How many ways are there to expose sensitive personal data? One company misplaces a backup tape; another puts customers' Social Security numbers onto mailing labels for anyone to see. Others lose laptops, inadvertently post private information online, or leave documents exposed to prying eyes. The possibilities are endless-- as we're learning with every new revelation of a data breach or hack or inexcusable lapse in secure business practices. By one estimate, 53 million people--including consumers, employees, students, and patients--have had data about themselves exposed over the past 13 months.

This sorry state of affairs is taking its toll: fines, lawsuits, firings, damaged reputations, spooked customers, credit card fraud, a regulatory crackdown, and the expense of fixing what's broken. The situation has become untenable. Here's the ugly truth about how it keeps happening, who's been affected, and what's being done about it.

InformationWeek Download

The Losers
Another day, another hard-to-fathom data debacle. When Citibank disclosed two weeks ago that personal identification numbers to an untold number of debit cards had slipped into the wrong hands, it hastily blocked debit transactions in Canada, Russia, and the United Kingdom to head off any draining of accounts. It was a protective measure-but also an admission of weakness somewhere along Citibank's security chain.

In the past few weeks, some of the largest U.S. banks-including Bank of America, Washington Mutual, and Wells Fargo-have had to reissue debit cards, all because of data theft. The banks haven't come clean with all the details about what went wrong. In the case of Citibank, Gartner analyst Avivah Litan contends the gaffe was the result of data being stolen from a company that stores PINs.

Olatunji Oluwatosin was sentenced to 16 months as part of the ChoicePoint investigation

Olatunji Oluwatosin was sentenced to 16 months as part of the ChoicePoint investigation.

Photo courtesy of AP
Whatever the reasons, the banks join the growing list of companies whose reputations have taken a knock because of their inability to secure sensitive customer data. After last year's long list of personal-data compromises, we might have guessed that things would be getting better by now. But we would be wrong. It's enough to make any business or technology manager charged with data protection diligent, humble-and paranoid.

The consequences of vulnerable data management practices are becoming clearer with every new instance of exposed Social Security numbers, purloined PINs, and hacked accounts. Last month, one IT worker at Providence Health System in Portland, Ore., was fired and three others quit following the theft of computer tapes that held sensitive patient information, including addresses, phone numbers, and Social Security numbers. Staffers at the health care concern routinely brought the tapes home to back up the data on systems there. Predictably, the tapes were stolen from a van parked outside one of their residences.

Providence's gaffe shows how the financial and legal aftereffects of a breach spread like a bad rash. A company official told the Portland Oregonian that he expects the case, not including litigation costs, to cost from $7 million to $9 million. That includes providing affected patients with access to credit monitoring and restoration services. There's also the prospect of civil lawsuits by state agencies or individuals whose data was stolen, potentially costing millions more. "I'm looking at this case-monitoring it," says Shannon Smith, senior counsel with the Washington state attorney general's office. Smith has an eye on Providence because the company has operations in Washington. Generally speaking, she says, "it's an unfair business practice for a company to fail to take reasonable measures to secure the personal information of customers or other consumers."

ChoicePoint CEO Derek Smith has had a long year of explaining after his company sold data to scammers

ChoicePoint CEO Derek Smith has had a long year of explaining after his company sold data to scammers.

Photo courtesy of AP
Reasonable measures include quickly notifying customers. Providence took three weeks to inform patients about its stolen tapes. Circling this mess are litigation attorneys; at least one proposed class-action suit has been filed against Providence already. Company officials didn't return phone calls to answer questions.

People's Bank in Bridgeport, Conn., offers a harsh lesson for companies that know they have a security risk but haven't yet fixed it. The bank earlier this year was switching from shipping backup tapes by courier to a system that transmits data to credit bureaus electronically using an encrypted format to eliminate the risk of lost or stolen tapes. "When we heard about similar incidents in the industry last year, we identified this as an operational risk and took steps," CTO Srihari Makkala says.

Too late. In January, the company disclosed that UPS lost a tape containing data on 90,000 customers who use its personal credit-line service. The tape contained names, addresses, and Social Security and checking account numbers. The bank maintains the data can't be read without access to sophisticated mainframe hardware and software.

Still, it's ugly PR and expensive. People's Bank is footing the bill for customers who need to sign up for credit monitoring and restoration services, and shelling out for a major consulting firm to perform an end-to-end review of its security procedures. The inspection will go beyond IT systems and include everything from premises security to the way employees handle documents, such as faxes, that bear customer data. Without providing specifics, Makkala says total costs could be substantial. "When something like this happens, we don't want to put a price on reputation, but it's significant," he says. "It's high risk and high cost."

It's unclear if the bank will try to recoup any costs from UPS, since the investigation is ongoing. A UPS spokesman calls the loss "an unfortunate occurrence" and says UPS uses special security measures for sensitive packages, but he declined to detail them or say whether they were used in this instance.

People's Bank has its encryption system running, but it still exchanges physical media with the Internal Revenue Service and others that aren't ready for encrypted files. "We're at the mercy of the institutions on the other end," Makkala says.

Opportunity Costs
Beyond the immediate sting, data breaches can result in a loss of future business. "There's no telling what's gone in the opportunity column," says Frank Caserta, chief security officer at Acxiom, a data management provider that had files containing names and other information on millions of credit card holders stolen.

A spammer in Florida, Scott Levine, last month was sentenced to eight years in prison for his role in the theft, which occurred in 2003. Levine, 46, used his firm's limited authorized access into Acxiom's systems as a gateway into more closely guarded files. "Permissions were set incorrectly and that made the files visible," Caserta says. The judge presiding over Levine's trial determined the theft resulted in actual losses to Acxiom of about $850,000, but the damage goes beyond that. "The cost to your reputation is huge," says Caserta. "If you can't maintain trust in a business like ours, you're out of business."

After the theft became public, prospective customers took more time than usual in deciding whether to do business with Acxiom. "We suffered some delays," Caserta admits. No Acxiom employees lost their jobs because of the incident, which Caserta says was the result of a relatively minor technical glitch. "You can't just go on a witch hunt because you need a body to hold up," he says. However, some people have since been let go in unrelated incidents for violating security policies, either knowingly or through carelessness. "There have been other areas where someone breaks a rule, and by God, the discipline for that is swift and understood," Caserta says.

Acxiom also has paid a price in terms of the increased staff and management hours devoted to quelling customers' concerns about its security. The number of clients asking to audit Acxiom's security systems has increased dramatically. "They do a deep dive on security at every level," Caserta says. The company hired consultants to perform SAS 70 and other audits of its security and related IT processes.

New York Sen. Schumer frets about personal data in public records

New York Sen. Schumer frets about personal data in public records.

Photo courtesy of UPI
Regulators Get Tough
Companies that lose customer data also risk fines and other penalties from the Federal Trade Commission. The FTC sued B.J.'s Wholesale Club in September for failing to protect consumer information. Hackers were able to exploit vulnerabilities in the company's firewall and steal data drawn from the magnetic strip on credit and debit cards used by its customers. Thousands of fraudulent purchases at other stores were traced to the data thefts.

The costs are starting to mount. According to its most recent quarterly report, B.J.'s took $10 million in charges to cover expected claims by banks that issued the cards containing the stolen data. The banks were forced to reimburse card holders for the purchases made in their names. As of October, banks were seeking $13 million in compensation-a number that could increase as more scam purchases are linked back to the original data theft. B.J.'s is looking to recover some of its losses from IBM, claiming that when it upgraded card-processing software, it told IBM to deactivate a feature that retains magnetic strip data so that a transaction can be processed offline. It's that data that was hacked. IBM declined to comment.

B.J.'s settlement with the FTC requires it to hire an external auditor to scrutinize its security systems every two years for the next two decades. That's similar to the penalty levied against CardSystems Solutions, which processes credit card transactions, when thieves broke into its systems and stole data resulting in millions of dollars in fraudulent purchases. The FTC has mandated that CardSystems, which was acquired by Pay By Touch in December, implement an IT security program and submit to an external security audit every other year for the next 20 years.

Top 10 Customer Data-Loss Incidents
Company/Organization No. of affected Date of initial customers disclosure
CardSystems 40 million June 17, 2005
Citigroup 3.9 million June 6, 2005
DSW Shoe Warehouse 1.4 million March 8, 2005
Bank of America 1.2 million Feb. 25, 2005
Wachovia, Bank of America, PNC Financial Services Group, Commerce Bancorp 676,000 April 28, 2005
Time Warner 600,000 May 2, 2005
Georgia Department of Motor Vehicles 465,000 April 2005
LexisNexis 310,000 March 9, 2005
University of Southern California 270,000 July 19, 2005
Marriott International 206,000 Dec. 28, 2005
Note: As of March 2006
Data: Privacy Rights Clearinghouse, InformationWeek

ChoicePoint paid dearly earlier this year when it agreed to pay $15 million in fines after unwittingly selling more than 100,000 consumer credit reports to thieves posing as legit customers. The FTC said the company didn't have "reasonable procedures" for screening customers.

Government data breaches can be costly, too. The state of Rhode Island was forced to take down its online vehicle registration system in January after hackers stole user information, including credit card numbers. The state is looking to hire a chief security officer to prevent a repeat, but it could be a long search. "It's tough finding someone. The private sector can afford to pay more than we can," says Beverly Najarian, director of the state's department of administration.

Businesses, schools, and government agencies need to get the problem under control. Paranoia over unintended data disclosures is apparent and appropriate-what's needed now is greater urgency in putting a stop to them.

-- Paul McDougall

The Victims
We've lost control over our identities," says Eric Drew, who speaks from experience. Three years ago, while in the hospital battling leukemia, his name, Social Security number, and date of birth were used by another person to ring up $10,000 in fraudulent charges on credit cards opened in Drew's name.

It was an inside job. A lab technician who had tested Drew's blood at the Seattle Cancer Care Alliance gained unauthorized access to the hospital's computer records and used Drew's personal information to open credit card accounts. The technician, Richard Gibson, later turned himself in to the police and pleaded guilty to violating the Health Insurance Portability and Accountability Act. Gibson became the first person charged under HIPAA with misusing a patient's medical information for financial gain.

"It's disturbing that financial institutions issued credit cards without any [due] diligence that the real Eric Drew was in a hospital," Drew says.

Unfortunately, Drew's situation is all too familiar. There have been 8.9 million adult victims of identity fraud in the United States over the past 12 months, according to a report issued earlier this year by Javelin Strategy and Research and the Better Business Bureau. That's down slightly from the 9.3 million victims a year earlier, but not a sign of great progress. The problem "is not lessening significantly," says Beth Givens, director of the Privacy Rights Clearinghouse, a watchdog group that tracks data breaches that could lead to ID theft.

Givens partly blames creditors that are too willing to extend credit to people they don't know well enough and who are sometimes impostors working with false identities. "The credit evaluation process is automated," she says. "They're not looking for obvious red flags."

J. Alex Halderman, a doctoral candidate in computer science at Princeton University, about a year ago received a letter from the University of California, Berkeley, where he had been accepted as a graduate student in 2003, advising him that his personal data had been compromised. A university computer had been stolen that contained files with names and Social Security numbers of applicants and others at the university.

Berkeley warned people affected by the breach to be on the lookout for scam artists who might try to contact them under the pretense of being affiliated with the school. Halderman was shocked that two years after he applied to UC Berkeley, the application remained susceptible to a data breach. "It's amazing that data can be on file for years, even when you think you're finished with it," he says. "There's no way to take it back."

Although there was no evidence that Halderman's personal data was misused, he had a fraud alert placed on his credit file. That service lasted only 90 days, however, and he still worries that his information may fall into the wrong hands.

Lambert gets word that his personal information may have been stolen from ChoicePoint.

Warren Lambert gets word that his personal information may have been stolen from ChoicePoint.

Halderman checks his credit record regularly. The experience has left him feeling that laws do a poor job protecting people from identity theft. "You should be able to put a lock on your credit record that would require you to provide a secret PIN known only to you if you're applying for a loan," he says. Unfortunately, most states let people lock their records only after they've been victimized.

Keith Ernst of Durham, N.C., had his debit card number posted to an Arabic-language bulletin board on the Web in 2004, making it easy to reach through simple search engine queries. Several charges were rung up on his card, including a laptop purchase and an attempted tuition payment. "I got a phone call out of the blue saying that someone is using my debit card," Ernst says.

Ernst doesn't know how his debit card number got on the Web; he suspects it had something to do with a purchase he made on the Internet. He canceled the card and the bank restored the money that came out of his checking account, but Ernst learned a lesson. "I now use credit cards instead of debit cards when I shop online. I also pay a lot more attention to the vendors that I'm buying from," he says. "I would never buy from an unknown vendor."

Consumer confidence suffers at the hands of hackers and ID thieves and lax data protection measures. That means businesses ultimately feel the pain of their own negligence.

-- Elena Malykhina

The Goods
Hackers and careless package delivery services grab the headlines when sensitive data is lost or pilfered, but often all that's needed to steal an identity are a Web browser and a search engine. Government agencies, educational institutions, and businesses digitize paper records and post them to Web sites but too often don't scrub documents of sensitive information.

No one seems to know how often Social Security numbers and other personal information are carelessly posted on the Web, but government agencies from the Department of Justice to village clerks have slipped up. In December, InformationWeek reported that certain pages on the Justice Department's Web site included the names and Social Security numbers of people involved in department-related legal actions.

Justice acknowledged the personal information shouldn't have been publically available, and the documents are now blocked from view. The Social Security numbers, however, still can be accessed using general-purpose search engines. Other tricks for bypassing controls include clicking on cached or HTML links and copying text from Adobe PDF files into Microsoft Word.

Levine turned limited access to Acxiom systems into major theft

Levine turned limited access to Acxiom systems into major theft.

The list of government entities and businesses that have made sensitive data available to the public is long. The Web site for Florida's Palm Beach County Clerk and Comptroller lets people access deeds, military records, and other documents containing personal information. A programming error last year in the University of Southern California's online system that accepts entrance applications left the personal information of as many as 280,000 prospective students accessible. The Suffolk County, N.Y., clerk's office posted property records with thousands of homeowners' Social Security numbers on its Web site.

"Having someone's Social Security number is having the key to that person's identity," says Dana Lesemann, VP and deputy general counsel at Stroz Friedberg, a consulting firm specializing in computer forensics. Thieves use a name and Social Security number to get other information and then order credit cards, take out mortgages, and apply for other services using the victim's identity.

There aren't any laws prohibiting the collection and use of Social Security numbers, though people who use them for identity theft can be prosecuted for fraud. Bills were introduced in Congress last year to establish criminal penalties for buying and selling Social Security numbers and are now in committee (see story, "The Law").

When sensitive information is freely available to the public on the Web, it's often the result of carelessness and rarely a technology problem. As with most aspects of security, training in the proper use of technology and data-handling policies is essential, says Lesemann, who has studied the ways PDF files in particular can be exploited to gain access to sensitive information. "Everyone uses PDF files, but no one understands the pitfalls."

Businesses create PDF files using scanned images, digital photos, and text documents. It's possible to restrict the way PDFs are viewed, printed, and edited, and a common way to block PDF content from view is to place a black box over a portion of the image. However, the black box is actually a layer within the PDF, so the sensitive information is still there-and still at risk. A U.S. military report issued last year on the topic of an investigation into the fatal shooting of an Italian agent escorting a freed hostage through a checkpoint in Iraq included several black boxes blocking sensitive information. A PDF of the document was posted on the Web but was pulled when the military realized visitors could remove the black boxes by copying the text into a Word document, Lesemann says.

A better understanding among business and government employees of how to properly scrub documents would go a long way toward resolving the problem.

An industry has formed around the search for sensitive information. Sites, including Identity Crawler, People-Search, Records Registry, and, make public data revealed by errors, lapses in privacy and security policy, and carelessness. These sites, which are used by private investigators and others, collect Social Security numbers and other personally identifiable information in any number of ways, including trolling the Web for unsecured documents.

--Larry Greenemeier

The Crooks
As the volume of online banking and shopping continues to rise, and the Internet's reach makes it easier than ever to fence ill-gotten goods, hacking has gone professional. And businesslike cyberthieves who divvy up the labor and set up and dismantle scams in a matter of days have proven elusive.

But the bad guys don't always get away. In January, Bulgarian police arrested eight people in connection with an international phishing operation. Microsoft, which assisted in the investigation, said the group is part of a criminal network that steals personal information and commits fraud online. The group had sent E-mail forged to look as if it came from MSN customer service reps, then used purloined credit card information to buy goods and receive money transfers worth more than $50,000.

Last August, the FBI, along with Turkish and Moroccan police, arrested the authors of the Zotob and Mytob worms, which left infected PCs open to becoming part of zombie networks that could send spam, launch denial-of-service attacks, or swipe personal information. The FBI says the worm authors pilfered credit card numbers used to buy merchandise.

Yet many online data theft cases remain unsolved. In June 2004, organized criminals in Russia figured out a vulnerability in Microsoft's Web server software that let them append a small amount of Java code to objects sent by several hundred E-commerce companies' servers running Microsoft's Internet Information Server. That code installed keystroke-logging software on Internet users' copies of Microsoft's Internet Explorer browser in a way that went undetected by antivirus packages. When those users visited the Web sites of banks such as Citibank and Wachovia, the keystroke-logging software captured their user names and passwords.

Researchers traced the scam to a group called the "hang-up team," but U.S. and Russian law enforcement have yet to make an arrest. "It was a clear turning point" from nuisance attacks to under-the-radar crimes for the sole purpose of capturing personal financial data, says Marcus Sachs, a deputy director in the computer science lab at SRI International and a cybersecurity consultant to the Department of Homeland Security.

Launching investigations quickly by combining consumer complaints with data from the FBI and technology companies is key to making arrests, says Dan Larkin, unit chief of the FBI's cyber division. With cyber- crime, "the trail is pretty fast and fleeting, and the rules of evidence don't really apply on the international scale," Larkin says. The FBI has arrested more than 20 online data thieves since January, he says.

What's taken the place of publicity-seeking malware attacks is software written and distributed by professional criminals, and the resulting damage threatens to disrupt consumer confidence in online commerce.

But not all cyberthieves are pros. Jayson Harris, a 23-year-old Iowa resident, pleaded guilty in January to wire fraud and other charges for collecting data from Internet users by setting up sites that mimicked Microsoft's MSN billing Web site. And earlier this month, James Green, a former security guard on hire to General Motors, was arraigned on eight counts of obtaining, possessing, or transferring personal identity information, according to The Associated Press. He's accused of using his position with a private security firm to steal Social Security numbers of about 100 GM employees and sending them E-mails posing as a representative of GM's program for evaluating company vehicles.

Many phishing scams, in which thieves lure Web surfers to bogus sites where they're tricked into revealing personal financial information, originate in some of the former Soviet republics. Experts believe cases in which credit card numbers have been stolen from companies' servers have their roots there as well. Tim Cranton, a senior attorney and director of Internet safety enforcement programs at Microsoft, says the cybergangs operate like organized criminal networks in which members have different jobs-one may harvest E-mail addresses, while another installs code onto targeted PCs-and they communicate across national borders.

Tech vendors keep fighting back. Microsoft is expected this week to disclose 10 lawsuits against alleged phishers and plans for about 100 actions in the next month, part of a new global phishing enforcement initiative.

--Aaron Ricadela

The Law
When it comes to laws protecting consumers against identity theft and other data fraud, the states rule. That's not to say that congressional leaders aren't tripping over one another to propose national legislation, but most of those bills are DOA.

More than 20 states have data-protection laws, many of them modeled on the one in California. It's thanks to these state laws that we have our current understanding of how often companies lose data; before them, companies kept most of these mishaps out of public view. California law, for example, requires organizations to notify consumers if a breach or mishap puts data at risk.

Congress hasn't done much, despite speeches by the likes of Sens. Specter and Leahy

Congress hasn't done much, despite speeches by the likes of Sens. Specter and Leahy.

Photo courtesy of Getty Images
They're not uniformly strict-for instance, Georgia only requires data brokers to notify consumers of a data loss, and Indiana requires state agencies to do so. But California law also lets consumers put "security alerts" on their credit reports, which notify lenders using the credit report that the person's identity may have been used fraudulently. And it lets people put a freeze on their credit reports, aimed at preventing thieves from using them to get new credit.

Since California passed its law in 2003, 12 more states have passed statutes allowing consumers to restrict access to their credit reports. Some states, including Texas and Vermont, only let people who already have been identity theft victims freeze their credit reports. Twenty-seven states have new security-freeze laws or modifications to strengthen existing laws pending, including Texas.

New Jersey, whose security-freeze laws went into effect in January, probably has the strongest safeguards. It requires credit bureaus to allow quick placement and lifting of freezes at minimal cost for consumers, so they can allow legitimate parties a kind of open-and-shut access to their records. New Jersey also prohibits any private or public entity from publicly posting or displaying a Social Security number or any four consecutive numbers of a Social Security number. The law also prohibits Social Security numbers on mailings, and on Web sites, unless another authentication device or number is required to access the site.

In the past two years, more than a dozen bills have been introduced in the U.S. House and Senate that, if passed, would supersede existing state laws. Some of the federal proposals are stripped-down versions of state laws that would mean fewer breaches qualify for disclosure; under some, a data breach would have to be deemed a serious threat to consumers before the offending company would have to go public with information about the incident. Other proposals exempt certain kinds of companies.

Among the tougher bills is one introduced last summer by Sens. Patrick Leahy, D-Vt., and Arlen Specter, R-Pa., which would require companies to establish policies to protect customer data and rigorously vet third parties that process their data. Rep. Barney Frank, D-Mass., has proposed legislation requiring parties such as retailers to notify consumers of data breaches that involve credit cards. Today, they can tell the credit card companies, which can inform consumers and leave the retailers out of it. Frank wants to let consumers punch back: "Consumers should know where a break occurs and be able to take their business elsewhere, knowing that," a spokesman for Frank says.

With more courts, state agencies, and even town governments moving to the Web, they're exposing Social Security numbers, home addresses, and other identifiable personal information. Sen. Charles Schumer, D-N.Y., proposes legislation that would let some government entities, such as county clerks, omit certain personal information from public records.

Despite all this activity, Congress isn't likely to pass any sweeping laws. Several House and Senate committees, including banking, commerce, and judiciary, are considering various bills, but getting their members to compromise-especially across party lines-will be difficult in the short term. Says one source involved with identity theft issues, "There isn't a lot of agreement."

--Marianne Kolbasuk McGee

Multimedia Resources
Personal Data Seives

Interactive Presentation: Personal Data Sieves

Get Macromedia Flash Player
Requires Macromedia Flash 6.0 or greater

  • Timeline: Mistakes Galore

  • Blog: Social Security Numbers On The Justice Department's Web Site Could Lead To Identity Theft

  • Blog: A Privacy Imperative For 2006

  • Blog: The Perfect Going-Away Gift From 2005: More Consumer Data Breaches

  • Poll: Government And Data Privacy

    We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
    Comment  | 
    Print  | 
    More Insights
    Copyright © 2020 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service