Computer Crime Research Center


Computer crime: Data breaches

Date: July 19, 2005
By: CyberArk

Executive summary
Despite the hundreds of millions of dollars that organisations have invested in information security technology to secure their critical business-technology infrastructures, the bad news keeps breaking. In the past year, dozens of companies have had to inform their customers that the exposure of their personally-identifiable financial information had placed them at great risk of identity theft. The incidents range from fraudsters successfully establishing bogus access accounts to steal legitimate consumer information to hacked networks to lost backup tapes containing the financial information of millions of consumers.

It’s not just the widely-publicized cases that count. In the past several years the US federal government has prosecuted individuals for criminally abusing their insider access. In February of 2005, federal prosecutors indicted an IT manager for gaining unauthorised access to his former employer’s network to read e-mail and causing damage to its systems. Federal prosecutors have also prosecuted and found employees guilty of password trafficking, selling customer financial information—including detailed credit reports—to organised crime.

Recently, IT managers and even customer service representatives have been prosecuted and convicted for using their privileged access rights to destroy or steal their company’s information and to sell customer financial data to organised crime.

High-tech companies aren’t immune, as even network equipment and software manufacturers have had their proprietary source code stolen and made accessible on the Internet.

The sheer scope of the impact is mind-boggling. A recent security breach at a major credit card processor reportedly exposed more than 40 million card-holder names and account numbers. In February, a well-known information-broker revealed that criminals had managed to steal the names, addresses, and Social Security numbers of as many as 145,000 individuals by using previously stolen identities to create 50 fake businesses to access the company’s information stores. In another widely-publicised breach, one of the country’s largest information services providers announced that hackers managed to gain access to a database to seize the names, social security and driver’s license numbers, and addresses of more than 300,000 individuals. According to Gartner, 9.4 million US adults were identity theft victims between May 2003 and April 2004. Their financial losses totalled $11.7 billion.

Such data breaches have been announced by some of the country’s well-known banks, entertainment companies, telecommunications providers, and universities, which shows that such breaches can occur at even the most security-conscious and diligent companies. The public is learning about security breaches today largely because of California’s Breach Disclosure Law (SB 1386), which went into effect in July 2003 and requires companies with customers who live in California to notify those customers if their personally identifiable financial information may have been accessed without authorisation. Expect more security breach disclosures when a federal law similar to SB 1386 is enacted.

The human toll of identity theft on individuals is severe. According to the Identity Theft Resource Center, it takes the average victim about 600 hours to prove their identity was stolen and to clean up their credit reports. And it can be years before most victims regain their financial health. Many victims of identity theft run into trouble getting mortgages, car loans, credit lines, and even employment with a tarnished credit report. In 2003, the Identity Theft Resource Center surveyed 173 identity-theft victims and learned that 4 percent of victims discovered their identities were stolen when they were arrested for crimes committed in their ‘name.’

Those statistics are even more alarming when one considers that in 2004 the Federal Trade Commission said 635,173 identity-theft-related complaints were reported.

That figure is considerably higher than the 403,688 filed complaints in 2002. It’s no surprise that consumers are losing trust in e-commerce and how carefully organisations protect their private information.

It’s not just consumers that are losing. According to a survey conducted by the Chamber of Commerce, PricewaterhouseCoopers, and ASIS International, businesses lost between $53 billion and $59 billion between July 1, 2000 and June 30, 2001 due to the theft of their intellectual property.

Set the regulatory demands on information security aside—Basel II, European Union Data Protection Directives, GLBA, HIPAA, SB 1386, and Sarbanes-Oxley—as customers become increasingly security and privacy savvy, sound security policies and trust will increasingly become a competitive differentiator. Gartner predicts that if Internet-based security threats aren’t mitigated, the robust 20 percent annual e-commerce growth rates will be slashed to 10 percent or less within the next two years.

While the myriad of regulations do not dictate what security technologies companies need to set in place, they all demand that business and customer data are adequately guarded.

While it is not possible to eliminate risk, organisations clearly need to do more to reach a higher level of security to protect their intellectual property and their customers’ personally identifiable information. The level of diligence organisations apply to securing their business-technology systems simply isn’t high enough—and this is one of the primary reasons identity theft cases are soaring. Organisations need to re-evaluate their approach to information security, consider new tactics for protecting digital assets and, most importantly, protect the trust of their suppliers, partners, shareholders, and customers.

To turn the tide on the skyrocketing lack of trust customers have in the way enterprises protect their personal information, organisations need to instil security awareness throughout their enterprises. Security culture within an organisation needs to flow from the top down: CEOs, boards of directors, and senior management need to make it clear that information security must be an integral part of daily operations, and that IT security initiatives must be closely aligned with business objectives. Without senior management providing strong security governance, insiders abusing IT resources, system breaches, and careless handling of customer information will continue to proliferate at an alarming rate. Security policy can’t be static; information security policies and procedures need to be dynamic, living documents that are continuously refreshed as technology, computing infrastructures, and business environments evolve.

In a successful information security program, all three pillars (people, process, and technology) must be strong. Senior management lip-service to the importance of security, and to the protection of the customer information they are entrusted to secure, no longer suffices. The continuous spate of data breaches clearly shows that simply investing in conventional defences such as anti-virus programs, content filtering, firewalls, identity management, and intrusion detection and prevention systems isn’t enough. Not enough attention is being paid to the other two pillars of security:

- People (security training and awareness), and
- Process and procedure (security policy),

and no amount of investment in security technologies will make up the difference in the equation.

According to Ernst & Young’s 2004 Global Information Security Survey, fewer than half of its respondents provide regular IT security training to their employees. Only one fifth of respondents believe their enterprises view IT security as a CEO-level priority. The 2004 Computer Security Institute/FBI Computer Crime and Security Survey, which queried nearly 500 organisations with arguably the most sophisticated IT security programs, revealed that, on average, respondents believed their organisations invested inadequately in security awareness programs. And these organisations invest heavily in many conventional security defences: anti-virus programs (99 percent), firewalls (98 percent), server-based access control lists (71 percent), and IDS systems (68 percent). One of the most startling statistics from the survey is that even these companies fail to invest in encryption solutions, with only 64 percent encrypting data in transit, and 42 percent using encryption to protect stored files. This raises concerns about just how seriously companies take the task of protecting their own information and their customers’ information.

Information security managers are well aware of the best practices outlined below. But the question remains: Why aren’t companies better able to secure their intellectual property and the sensitive information they hold about their customers?

Because attaining adequate levels of security is extremely challenging and requires a daily enterprise-wide commitment starting at the highest levels of management. While there is no IT security cure-all, information is ubiquitous, and since organisations will continue to inter-connect their customers, partners, and suppliers to their business-technology systems ever more closely, more must be done. The biggest obstacles to IT security within organisations today are the lack of senior management’s commitment...
Copyright © 2001-2013 Computer Crime Research Center