The Baseline Security Hall of Shame
By Larry Dignan | Posted 2005-07-06
Tighten your security practices, pronto. You really don't want to join the club that includes these examples of should-have-known-better.
The credit records of 3.9 million Citigroup customers disappeared after United Parcel Service lost a box of backup tapes. The card numbers of 40 million MasterCard, Visa, American Express and Discover account holders were exposed to hackers because a Tucson, Ariz.-based transaction processor stored information longer than it should have. The Federal Deposit Insurance Corp., the federal agency responsible for protecting bank accounts, informed 6,000 present and former employees that their personal data had been stolen in 2004.
It was a rough June.
Every time you think screw-ups involving the security of data about American companies' most prized possessions, their customers, can't get worse, a new, bigger one comes along.
Preventing these issues isn't that complicated, said Alan Brill, senior managing director at data security vendor Kroll Ontrack Inc. His recommendations include: Encrypt data in transit; use better procedures to handle personal information, such as Social Security numbers; don't hang on to data longer than necessary; and fortify networks internally and externally, using processes that limit access to only those who need it.
But there's no glory in following those security practices. ChoicePoint Inc. may have seen its stock drop 15 percent, wiping out $630 million of shareholder wealth in February, when the company confirmed that it had lost personal data on 145,000 people. But most companies roll the dice and then play the victim card when they are hacked or snookered into handing over personal information to crooks.
"These things just shouldn't be happening," said Jim Stickley, chief technology officer for TraceSecurity Inc. "There's just no good reason not to have good security policies and practices. A lot of companies are still living with that 'it can't happen to me' mentality."
The big question is: What can entice companies to beef up security? At this point, it's unclear. But shame can be a good motivator. So, herewith, the first inductees into the Baseline Security Hall of Shame. The running list will be compiled as needed and will run in full in our special year-end issue, "The Year of Living Dangerously."
Nominations for the Hall of Shame can be sent to firstname.lastname@example.org.
Lowlight of the Month
CardSystems Solutions Inc. of Tucson, Ariz., loses 40 million credit card numbers after an unauthorized individual infiltrates the company's network and takes customer data. Details about the theft are sketchy. MasterCard International Inc., Visa International Service Association and CardSystems aren't commenting beyond their statements.
CardSystems says it discovered the breach on May 22 and called the Federal Bureau of Investigation the following day.
Now that it has been hacked, CardSystems is "completing the installation of enhanced/additional security procedures."
Other Hall of Shame Inductees
Bank of America Corp.
The bank loses backup tapes containing 1.2 million federal employee records.
ChoicePoint Inc.
Allows 145,000 Social Security numbers and credit histories to be stolen by crooks posing as businessmen.
Citigroup
Loses backup tapes containing 3.9 million credit records. Company says it will now encrypt data.
DSW Shoe Warehouse (DSW Inc.)
Reports that between mid-November 2004 and mid-February 2005, transaction data on 1.4 million credit card accounts and 96,000 checks was stolen.
LexisNexis, a division of Reed Elsevier Inc.
Suffers 59 different intrusions that result in a haul of 310,000 customer Social Security numbers, driver's license numbers and addresses.
Polo of Ralph Lauren Media LLC
Fashion vendor hangs on to credit card information too long in its point-of-sale systems and loses the personal data of 180,000 HSBC North America customers.
Edina, Minn., man receives the 1099 forms of 73 individuals who held escrow accounts with the bank. Company launches interactive identity-theft quiz on its Web site.