The 2005 Hall of Shame

All told, it was not a good year for safeguarding customer data. Indeed, 2005 will likely be remembered as the year customer data protection fell down and couldn’t get up.

The top inductee for the 2005 Baseline Security Hall of Shame was CardSystems, a Tucson, Ariz. company that processes payments for credit-card issuers and online merchants. CardSystems has spent the last seven months trying to recover from a breach in May that, in terms of sheer numbers, is hard to top. The card numbers of 40 million MasterCard, Visa, American Express and Discover account holders were exposed to hackers because CardSystems stored that information longer than it should have.

Although a list of the total number of incidents doesn’t exist, well-publicized screw-ups involving the security of data about American companies’ most prized possessions—their customers—were plentiful. There were so many breaches in the first six months of 2005, in fact, that the editors of Baseline decided to open the doors to the Hall of Shame with the July issue—and admit new inductees as needed.

Many of these breaches could have been prevented, according to Alan Brill, senior managing director at data security services and software vendor Kroll Ontrack. Brill’s suggestions: encrypt data in transit; use better procedures to handle personal information such as Social Security numbers; don’t hang on to data longer than necessary; and fortify networks internally and externally, using processes that limit access only to those who need it.

What To Do, Next Time

CardSystems probably wouldn’t have had to jump through so many hoops to keep its customers if it had only followed a few basic data security rules:

Verify transaction processor security more often. Annual checkups won’t ensure that a processor will purge credit-card information six months after a review.

Be proactive. If CardSystems truly believed its June 17 statement that “our customers and their customers are our lifeblood,” it should have protected its stored data and kept account numbers from reaching the Internet.

Maintain your security practices. The time to test your security procedures is before you suffer a data breach, not after—when you’ll probably be too busy fighting to keep your business alive.

Sources: TraceSecurity, Kroll Ontrack

Those suggestions sound like no-brainers, but companies often don’t follow them. Why? There’s no glory in following those practices. Nevertheless, there is a price to be paid for not tightening security procedures. For instance, ChoicePoint saw its stock drop 15% in February, wiping out $630 million of shareholder wealth, when the company confirmed that it had allowed personal data on 145,000 people to be taken.

On Nov. 8, ChoicePoint revealed in a Securities and Exchange Commission filing that 162,000 people have been warned about “potential fraudulent data access” since the breach was first revealed on Feb. 15.

“These things just shouldn’t be happening,” says Jim Stickley, chief technology officer for TraceSecurity, an information security software and services company. “There’s just no good reason not to have good security policies and practices. A lot of companies are still living with that ‘it can’t happen to me’ mentality.”
