
Tuesday, June 28, 2005

TEXAS STOLEN DATA DEMAND CREATES HUGE RISK FOR COMPANIES

DallasNews.com | News for Dallas, Texas | Business

Stolen data demand puts risk in every swipe

Breaches show you have more to fear than just hackers
04:49 PM CDT on Friday, June 24, 2005

By IEVA M. AUGSTUMS / The Dallas Morning News


As consumers, companies, policy-makers and security experts grapple with the increasingly high-profile problem of mass data thefts, the question isn't where consumer information is vulnerable, but where it isn't.

Data breaches occur nearly every day, from a variety of institutions in a variety of ways. In the last four months, 45 cases of exposed data have had the potential to affect about 50 million consumers, according to the Privacy Rights Clearinghouse.

For many people, the stereotype is of a hacker sneaking account information from the computer network of a financial services company. That's what happened recently when someone penetrated CardSystems Solutions, a transaction processor, and exposed more than 40 million credit card accounts to potential fraud.

But an analysis of the 44 other breaches since Feb. 15 shows that usually isn't the case.

Of the 10 million other accounts exposed in that time:

•One-third came from nonfinancial institutions, including 18 colleges, seven government agencies, six businesses and two medical organizations.

•Two-thirds came as a result of lost or stolen hardware or backup tapes.

•Less than a third were caused by hacking.

"Data theft is the currency choice of cybercrime out there right now, and it's not just happening online," said Christopher Faulkner, chief executive of Bedford-based CI Host, a Web hosting company. "Any time companies are physically moving data from Point A to Point B, they need to know who's moving it and assess any vulnerabilities."

Employee error
The huge numbers involved in the CardSystems case have spawned some harsh criticism.

"What unfortunately happens, time and time again, is employee error," said Kimberly Elting, a privacy and health care lawyer at Jones Day in Dallas. "Laptops get lost, computers stolen out of Dumpsters. Even packages go missing in the mail."

Some experts have called for reasonable industrywide standards of security. Others have called for fines based on the number of consumers affected.

"Data encryption is key," Mr. Faulkner said. "Yes, it adds another step and cost, but we're talking about very sensitive, very mobile data."

The issue has come to the forefront thanks to a California law requiring companies with customers there to disclose data breaches.

The first big case occurred in February, when ChoicePoint, a Georgia-based data broker, reported that it was infiltrated by identity thieves posing as legitimate customers.

Since then, numerous others have come forward, including Citigroup, Bank of America, LexisNexis, shoe retailer DSW, Time Warner, Wachovia and dozens of universities.

But Friday's CardSystems hacking case was the largest yet. The data of 40 million account holders were exposed, with 200,000 known to have been copied from the system.

CardSystems is one of hundreds of processors that help merchants and banks process millions of transactions a day. With a swipe of a credit card, cardholders' names, account numbers and security codes are electronically relayed so that a sale can be authorized, the merchant paid and customer billed.

"People who are doing credit card fraud right now are looking at these types of companies to see if they have any loopholes," said Michael Gibbons, vice president for federal security services at Unisys and the former chief of computer investigations for the FBI. "That's why you have to have a continuous cycle of looking at your company's security requirements."

Out of your hands?
Infiltrators have stolen codes to get into data networks worldwide for decades.

"Mass identity theft isn't new," said Mr. Gibbons, who also supervised the Dallas FBI computer and economic crime squad in the late 1990s. "What's changed is technology. We've opened ourselves up to the world where it's easy to do new business anywhere with clients, but we've also made it very easy to access our data."

Experts have plenty of advice to keep consumers from turning their data over to an identity thief themselves, such as shredding sensitive documents and not falling for Internet scams.

But once you've given your information to a legitimate organization, it's out of your control.

In the CardSystems case, the company said it shouldn't have been holding onto the account information but had intended to study the transactions to improve its operations. In a Citigroup case earlier this month, information on 3.9 million customers disappeared when computer tapes were lost by a courier in transit to a credit bureau.

"All your information is very fluid," said Chris Voice, vice president for technology at Addison-based Entrust Inc., which provides security software and services to companies. "It is moving from one organization to the next. Data is in motion at all times."

Market for stolen data
The boom in data collection has created a marketplace of valuable information stored on thousands of computers nationwide. Retailers, credit card companies, and both financial and nonfinancial organizations all share and sell your data.

"When consumers open up a credit card, they know they will be able to buy stuff in a store," said Federal Trade Commission spokeswoman Claudia Bourne Farrell. "What they didn't realize was that the store was going to get something of value from them."

Consumers can try to stay out of it by paying cash, but that greatly reduces their ability to get credit and participate in the global economic system.

"We all live and breathe by our credit cards," said Beth Givens, founder and director of the Privacy Rights Clearinghouse. "When you open an account, your privacy is out there for everyone."

Data thieves find the information valuable as well. But there are no firm numbers on how many cases of fraud have stemmed from the exposure of 50 million consumers' information in the last four months.

"If it happened the day after a data breach, there's great question of how soon consumers will realize it," Ms. Farrell said. "Sometimes you don't know until somebody contacts you or you stumble across something on your credit report."

In 2004, the Federal Trade Commission received 246,570 identity-theft complaints, up 15 percent from the previous year. Of those, 26,454 were from Texans. But those numbers include only individuals who complained. Often cases are resolved when a credit card company contacts an affected customer.

Will Congress act?
A recent study of Washington opinion leaders showed that many feel that Congress has not done enough to protect consumer data.


The Identity Theft and Assumption Deterrence Act of 1998 makes identity theft a federal crime, and many states have passed similar laws and regulations that provide help in recovery from identity theft.

But eight of 10 senior-level professionals in government, policy, consulting, media and technology said Congress should do more to protect Social Security numbers, according to the report commissioned by Adobe Systems and RSA Security, two companies that sell data protection products.

Three-quarters of the 400 people polled say the same for financial data and credit card numbers.

"Legislation is definitely a driver toward change," said Mr. Gibbons of Unisys. "If we are trying to make it so it's not acceptable to cover up data theft that could impact consumers, creating a behavior change, then legislation is a way to go."

But only 8 percent believe it is "very likely" Congress will pass legislation increasing security requirements for companies that collect consumer data. Such legislation is "somewhat likely," according to 47 percent of the respondents.

It's too early to tell whether anything will come to fruition, but almost everyone agrees that the situation must be improved.

"No one is particularly safe out there, but it's not like it's the wild, wild west either," Mr. Faulkner said. "If you are a data aggregator, you just don't want to be caught with your head in the sand."

E-mail iaugstums@dallasnews.com


ALMOST A DAILY EVENT

The Privacy Rights Clearinghouse compiled the following cases of mass exposure of financial information since Feb. 15.

Date | Organization | Type of breach | Identities exposed
Feb. 15 | ChoicePoint | ID thieves accessed | 145,000
Feb. 25 | Bank of America | Lost backup tape | 1,200,000
Feb. 25 | PayMaxx | Exposed online | 25,000
March 10 | LexisNexis | Passwords compromised | 32,000
March 11 | University of California, Berkeley | Stolen laptop | 98,400
March 11 | Boston College | Hacking | 120,000
March 12 | Nevada Department of Motor Vehicles | Stolen computer | 8,900
March 20 | Northwestern University | Hacking | 21,000
March 20 | University of Nevada, Las Vegas | Hacking | 5,000
March 22 | California State University, Chico | Hacking | 59,000
March 23 | University of California, San Francisco | Hacking | 7,000
March 28 | DSW/Retail Ventures | Hacking | 100,000
April | Georgia DMV | Dishonest insider | Hundreds of thousands
April 5 | MCI | Stolen laptop | 16,500
April 8 | San Jose Medical Group | Stolen computer | 185,000
April 11 | Tufts University | Hacking | 106,000
April 12 | LexisNexis | Passwords compromised | 280,000
April 14 | Polo Ralph Lauren/HSBC | Hacking | 180,000
April 14 | California FasTrak | Dishonest insider | 4,500
April 15 | California Department of Health Services | Stolen laptop | 21,600
April 18 | DSW/Retail Ventures | Hacking | 1,300,000
April 20 | Ameritrade | Lost backup tape | 200,000
April 21 | Carnegie Mellon University | Hacking | 19,000
April 26 | Michigan State University's Wharton Center | Hacking | 40,000
April 26 | Christus St. Joseph's Hospital | Stolen computer | 19,000
April 28 | Georgia Southern University | Hacking | Tens of thousands
April 28 | Wachovia, Bank of America, PNC Financial Services Group and Commerce Bancorp | Dishonest insiders | 676,000
April 29 | Oklahoma State University | Missing laptop | 37,000
May 2 | Time Warner | Lost backup tapes | 600,000
May 4 | Colorado Health Department | Stolen laptop | 1,600
May 5 | Purdue University | Hacker | 11,360
May 7 | Department of Justice | Stolen laptop | 80,000
May 11 | Stanford University | Hacker | 9,900
May 12 | Hinsdale (Ill.) Central High School | Hacker | 2,400
May 16 | Westborough Bank | Dishonest insider | 750
May 18 | Jackson (Mich.) Community College | Hacker | 8,000
May 19 | Valdosta State University | Hacker | 40,000
May 20 | Purdue University | Hacker | 11,000
May 22 | CardSystems | Hacker | 40,000,000
May 26 | Duke University | Hacker | 5,500
May 27 | Cleveland State University | Stolen laptop | 44,420
May 28 | Merlin Data Services | Bogus acct. set up | 9,000
May 30 | Motorola | Computers stolen | unknown
June 6 | CitiFinancial | Lost backup tapes | 3,900,000
June 10 | Federal Deposit Insurance Corp. | Not disclosed | 6,000

Total: About 50 million
SOURCE: www.privacyrights.org
