US
Protecting Customer Data: An Institution's Worst Nightmare
Bank Technology News | Protecting Customer Data: Grappling With Lost Data, Broken Trust
Data loss is an institution's worst nightmare. And with high-profile cases like CardSystems, the largest players are playing damage control with customers, and facing the ire of Congress.
By Michael Dumiak
By force of numbers alone, this year is going to be remembered for a long time as the moment when it became stunningly obvious that customer data is anything but secure. This raises the question: just how much of an effect on customer trust have these security breaches had?
It's true that hacking, identity theft (at some 160,000 incidents last year, according to TowerGroup, notwithstanding plain credit card fraud, which federal figures peg at about 10 million a year), and data loss have been known quantities for quite some time, and that one could fill an Adirondack reservoir with all the ink that's been spilled over phishing attacks in the last two years. But in the space of eight months, more than 45 million accounts have been compromised (the bulk of them from card processor CardSystems), enough to cause red faces at some of the world's largest financial organizations and prompt hearings on Capitol Hill.
While, as yet, these security breaches have not led to a large, directly attributable number of identity thefts or fraud cases, they've come bunched closely enough together to gain public attention and turn information security departments on their ears. As with the rolling thunder of scandal along Wall Street during the past four years, what's ultimately at stake is not cash, or new regulations, or technology. It's trust.
In some of these cases, data has vanished from back-office players the consumer world had no idea even existed. In others, there's a knock-on effect: Citigroup and Bank of America are supposed to be the most secure institutions this side of Fort Knox. If one can't have confidence in them, can one really trust Regional Federal Credit Union down the street? Already in the United Kingdom a survey from software firm Intervoice found that 17 percent of respondents have stopped banking on-line and 13 percent abandoned on-line shopping due to concerns about having their identity stolen; these are fears that really have nothing to do with the actual security of on-line banking. "It's not so much about the loss of data; it's the loss of faith in the system," says security expert Dan Geer, VP and chief scientist at Verdasys, a security software firm. "In terms of the data that's been lost to date, it's largely not [that there's been a lot of theft as a result]. The loss of faith is important." What this will do, sources say, goes to the results waiting for financial companies from regulators and legislators; it will continue to shape the debate over privacy, liability and the sale and transfer of personal data in this country, affect technology investments in security and ultimately be a factor, for good or ill, on the bottom line. "From this point forward the question of data security has become the principal focus for paying attention and for new investment," Geer says. "Our computer systems are becoming more data-centric and less computer-centric; storage capacity and bandwidth are getting cheaper and cheaper."
Bank of America got the ball rolling on the Hill in February by losing tapes containing 1.2 million personal accounts for federal employees, including Social Security numbers, account numbers and addresses. About 900,000 were Defense Department employees, and, ensuring federal hearings, some of those accounts belonged to elected politicians. After that, things picked up in California. A few years earlier the state passed a law requiring notification any time a security breach happens and personal data is compromised. Since California holds more than a tenth of the U.S. population, that had the effect of moving the country much closer to the European model of data protection, which frowns on third-party commercial data exchange. And in the last half-year the notices started landing in mailboxes: ChoicePoint, which sells verified credential and identification information, told 35,000 Californians that their names, addresses, Social Security numbers and credit reports had inadvertently gone to Los Angeles County fraudsters. The firm later notified another 110,000 accounts in the rest of the country. Then came 310,000 accounts from LexisNexis, 200,000 from Ameritrade, 1.4 million from DSW Shoe Warehouse. To kick off the summer, Citigroup reported that United Parcel had lost tapes in Texas containing loan information, payment history and Social Security numbers for 3.9 million of its CitiFinancial subsidiary customers. Two weeks later, credit processor CardSystems, which moves information for Visa, American Express and MasterCard, trumped everyone with up to 40 million credit card accounts exposed to potential fraud, and at least 200,000 records stolen by thieves using a parasite computer program.
This horror show has left leaders in technology, regulation, legislation and business scrambling to figure out what happened and how to fix it. One thing that stands out is that in the case of Bank of America, Citi and Ameritrade, the problem's basically that a tape fell off the back of a truck or plane. A Vontu study finds 95 percent of all data loss incidents unintentional. "In all of computer security, people are the problem," says Bruce Schneier, CTO of tech security firm Counterpane and author of Beyond Fear: Thinking Sensibly about Security in an Uncertain World. "Human error is the biggest problem."
Clamping down on that in various ways seems to be the business strategy; it has the advantage of being the cheapest alternative, and in the long run will certainly have an impact, says Mark Rasch, who founded and ran the federal cybercrime unit for a decade and is now chief counsel for security software firm Solutionary. "Everyone has high standards; the problem's not the standards. The problem is keeping to them," he says. "Making stuff secure is not a very high priority at most companies; they see it as a necessary evil and a cost. What Washington is going to do is make companies understand that the cost of not providing security is going to far exceed the costs of doing it right the first time around."
This seems likely because, soothing though the responses have been, it remains to be seen just how aggressive financial companies will be in meeting these challenges. Saying the firm's going to improve procedures and take care of customers is one thing; convincing a tough audience with specifics is something else. "We're working to improve tracking procedures. We're working to continue elimination of backup tapes wherever possible and transition more into electronic vaulting, moving data from computer to computer versus physically, by tape," says Bank of America spokeswoman Betty Riess. "We're working with vendors on advances in encryption technology; we're currently testing several encryption solutions. For security reasons, we're not going to go into a whole lot of specifics." Specifics here don't seem to matter: Even as Riess was saying this, 18,000 additional unencrypted names, addresses and Social Security numbers were on the loose as a BofA laptop on loan to a tech support consultant was stolen in a smash-and-grab from a car. And it seems unlikely that vague reassurance is going to satisfy a senator who's had his credit card details go missing from baggage claims along with 1.2 million others.
Bank of America, Citi, MasterCard and CardSystems aren't making security execs available for interviews, preferring their work go on behind the scenes. "We're working with UPS to understand how this happened and how to prevent it in the future," Citi spokesman Robert Julavits says in pointing out the firm's strategy. As its tapes went missing, Citi notified affected CitiFinancial customers, arranging for them to be enrolled in a credit monitoring service for three months. Beyond that, should something happen, customers are depending on the firm's in-house Citi Identity Theft Solutions service to straighten things out.
So far, it doesn't seem like this unwitting data dump has led directly to massive foul play, industry spokespeople say. About 750 cases of identity tampering have been reported as a result of the ChoicePoint break. But it looks like the fallout's going to be a little more damaging, as the questions keep coming and lawsuits are certainly in the works. There are at least 10 identity theft, privacy and data protection-related bills winding through Congress, including one from the powerful combination of Sens. Pat Leahy (D-VT), one of the BofA account holders, and Arlen Specter (R-PA), chairman of the Judiciary Committee. They include measures such as automatic consumer notification when an account is compromised, regulation of data brokers and prohibiting the use of Social Security numbers as identifiers.
Recent hearings on the issue have been painful. "Both Visa and American Express have informed CardSystems this week that they will terminate us as a transactions processor as of Oct. 31, 2005. We are disappointed with these actions and, in light of our diligent efforts to remediate, hope that both Visa and American Express will agree to discuss their decision with us and reconsider, lest we be forced to permanently close our doors," CardSystems chief executive John Perry testified. MasterCard has told CardSystems that it wants a detailed plan to "bring its systems into compliance with MasterCard security requirements" by the end of August, or else. Visa, Amex and MasterCard are showing the right amount of consternation; left unanswered, though, is the question of exactly what these giants were doing while CardSystems was "not in compliance" before the breach.
Schneier calls for a top-to-bottom enterprise security review. "You do have criminals involved here, and they don't care what problem gets exploited. You have to look at everything," he says. This will certainly mean greater use of encryption, and more investments in perimeter software security agents like those built by the Solutionaries and Counterpanes and Verdasyses. Certainly fewer tapes in trucks. This will go against the grain of many bankers who figure there's been fraud as long as there's been credit, and data security is an overblown issue. What it's also likely to do is continue the far-reaching redefinition of privacy and data liability at work in the country, sources say. Writing in New York's Daily News recently, Schneier says not only should the amount of personal data collected be reduced, but that mishandled data should carry liability with it. "Most importantly, we need to make financial institutions liable for fraudulent transactions."
(c) 2005 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com
Wednesday, October 12, 2005