The 2005 Hall of Shame
By Larry Dignan | Posted 2005-12-13
These companies, led by CardSystems, suffered some of 2005's worst data-security breaches. Learn from their examples, so you won't show up on next year's list.
All told, it was not a good year for safeguarding customer data. Indeed, 2005 will likely be remembered as the year customer data protection fell down and couldn't get up.
The top inductee for the 2005 Baseline Security Hall of Shame was CardSystems, a Tucson, Ariz. company that processes payments for credit-card issuers and online merchants. CardSystems has spent the last seven months trying to recover from a breach in May that, in terms of sheer numbers, is hard to top. The card numbers of 40 million MasterCard, Visa, American Express and Discover account holders were exposed to hackers because CardSystems stored that information longer than it should have.
Although a list of the total number of incidents doesn't exist, well-publicized screw-ups involving the security of data about American companies' most prized possessions, their customers, were plentiful. There were so many breaches in the first six months of 2005, in fact, that the editors of Baseline decided to open the doors to the Hall of Shame with the July issue, and admit new inductees as needed.
Many of these breaches could have been prevented, according to Alan Brill, senior managing director at data security services and software vendor Kroll Ontrack. Brill's suggestions: encrypt data in transit; use better procedures to handle personal information such as Social Security numbers; don't hang on to data longer than necessary; and fortify networks internally and externally, using processes that limit access only to those who need it.
Those suggestions sound like no-brainers, but companies often don't follow them. Why? There's no glory in following those practices. Nevertheless, there is a price to be paid for not tightening security procedures. For instance, ChoicePoint saw its stock drop 15% in February, wiping out $630 million of shareholder wealth, when the company confirmed that it had allowed personal data on 145,000 people to be taken.
On Nov. 8, ChoicePoint revealed in a Securities and Exchange Commission filing that 162,000 people have been warned about "potential fraudulent data access" since the breach was first revealed on Feb. 15.
"These things just shouldn't be happening," says Jim Stickley, chief technology officer for TraceSecurity, an information security software and services company. "There's just no good reason not to have good security policies and practices. A lot of companies are still living with that 'it can't happen to me' mentality."