The Baseline Security Hall of Shame

The credit records of 3.9 million Citigroup customers disappeared after United Parcel Service lost a box of backup tapes. The card numbers of 40 million MasterCard, Visa, American Express and Discover account holders were exposed to hackers because a Tucson, Ariz.-based transaction processor stored information longer than it should have. The Federal Deposit Insurance Corp., the federal agency responsible for protecting bank accounts, informed 6,000 present and former employees that their personal data had been stolen in 2004.

It was a rough June.

Every time you think the mishandling of data about American companies’ most prized possession—their customers—can’t get worse, a new, bigger screw-up comes along.

Preventing these issues isn’t that complicated, said Alan Brill, senior managing director at data security vendor Kroll Ontrack Inc. His recommendations include: Encrypt data in transit; use better procedures to handle personal information, such as Social Security numbers; don’t hang on to data longer than necessary; and fortify networks internally and externally, using processes that limit access to only those who need it.
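Two of those recommendations, not hanging on to data longer than necessary and limiting what is kept about each card, are the ones the inductees below most often failed. The following is an added example, written for this page and not Brill's, Kroll Ontrack's or any processor's code, of what that looks like in practice: an audit routine that flags rows in a transaction store holding a full card number, a CVV2, magnetic-stripe track data, or anything older than a retention window, and a `minimize()` step that reduces a fresh authorization record to a masked number plus a keyed token. The field names, the 90-day window, the key and the sample rows are all assumptions constructed for the example.

```python
"""Added example (not from the article, not Kroll Ontrack's or any processor's code):
checking a transaction store for over-retained card data, and reducing a fresh
authorization record to the fields later settlement and disputes actually need.

Everything here is an assumption constructed for illustration: the field names
(pan, cvv2, track2, ...), the 90-day retention window, the key and the sample rows.
"""
import hashlib
import hmac
import re
from datetime import datetime, timedelta

RETENTION = timedelta(days=90)      # assumed dispute/chargeback window
_PAN_LENGTH = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_full_pan(value) -> bool:
    digits = re.sub(r"\D", "", str(value or ""))
    return bool(_PAN_LENGTH.match(digits)) and luhn_ok(digits)


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4; enough for reports and customer service."""
    digits = re.sub(r"\D", "", pan)
    if not is_full_pan(digits):
        raise ValueError("not a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed hash so refunds and chargebacks can match a card without storing it.
    A plain SHA-256 would be brute-forceable over the PAN space; the key must
    live outside the transaction database (an assumption of this example)."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def minimize(row: dict, key: bytes) -> dict:
    """What survives authorization. CVV2 and track data are dropped outright."""
    return {
        "txn_id": row["txn_id"],
        "amount": row["amount"],
        "authorized_at": row["authorized_at"],
        "pan_masked": mask_pan(row["pan"]),
        "pan_token": tokenize_pan(row["pan"], key),
    }


def audit_rows(rows, now: datetime):
    """Return (txn_id, finding) pairs for rows that hold more than they should."""
    findings = []
    for row in rows:
        tid = row.get("txn_id", "?")
        if row.get("cvv2"):
            findings.append((tid, "cvv2 retained after authorization"))
        if row.get("track2"):
            findings.append((tid, "magnetic-stripe track data retained"))
        if is_full_pan(row.get("pan")):
            findings.append((tid, "full PAN stored in clear"))
        if now - row["authorized_at"] > RETENTION:
            findings.append((tid, "older than retention window"))
    return findings


# Constructed sample store; the card numbers are the usual test PANs.
NOW = datetime(2005, 6, 20)
SAMPLE_ROWS = [
    {   # authorization row kept in full, the kind of over-retention the card brands cited
        "txn_id": "t1", "amount": 42.50, "authorized_at": NOW - timedelta(days=3),
        "pan": "4111111111111111", "cvv2": "123",
        "track2": "4111111111111111=0712101000000000000?",
    },
    {   # already minimized, but past the retention window
        "txn_id": "t2", "amount": 19.99, "authorized_at": NOW - timedelta(days=140),
        "pan_masked": "555555******4444",
    },
    {   # minimized and recent: nothing to flag
        "txn_id": "t3", "amount": 7.00, "authorized_at": NOW - timedelta(days=10),
        "pan_masked": "411111******1111",
    },
]

if __name__ == "__main__":
    for tid, what in audit_rows(SAMPLE_ROWS, NOW):
        print(f"{tid}: {what}")
    print(minimize(SAMPLE_ROWS[0], key=b"demo-key-kept-outside-the-db"))
```

Run against the constructed rows, the audit flags the fully retained authorization three times and the stale row once; the minimized form of the first row passes clean. The Luhn test matters in a real scan because a bare 16-digit regex will light up on order and account numbers and bury the genuine findings.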

But there’s no glory in following those security practices. ChoicePoint Inc. may have seen its stock drop 15 percent, wiping out $630 million of shareholder wealth in February, when the company confirmed that it had lost personal data on 145,000 people. But most companies roll the dice and then play the victim card when they are hacked or snookered into handing over personal information to crooks.

“These things just shouldn’t be happening,” said Jim Stickley, chief technology officer for TraceSecurity Inc. “There’s just no good reason not to have good security policies and practices. A lot of companies are still living with that ‘it can’t happen to me’ mentality.”

The big question is: What can entice companies to beef up security? At this point, it’s unclear. But shame can be a good motivator. So, herewith, the first inductees into the Baseline Security Hall of Shame. The running list will be compiled as needed and will run in full in our special year-end issue, “The Year of Living Dangerously.”

Nominations for the Hall of Shame can be sent to [email protected].

Lowlight of the Month

CardSystems Solutions Inc. of Tucson, Ariz., loses 40 million credit card numbers after an unauthorized individual infiltrates the company’s network and takes customer data. Details about the theft are sketchy. MasterCard International Inc., Visa International Service Association and CardSystems aren’t commenting beyond their statements.

CardSystems says it discovered the breach on May 22 and called the Federal Bureau of Investigation the following day.

  • The folly of not following procedure—MasterCard and Visa noted that CardSystems stored more data than it should have and violated security protocols. Why was CardSystems allowed to operate if it wasn’t in compliance with the card associations’ security standards? Apparently, CardSystems was compliant at this time last year. Baseline has learned that CardSystems was verified as meeting Visa’s security standards in June 2004, but began storing more data than it should have shortly thereafter.

    Now that it has been hacked, CardSystems is “completing the installation of enhanced/additional security procedures.”

  • What to do next time—Verify transaction processor security more often. Just because a processor is in compliance with Visa and MasterCard security requirements on Tuesday doesn’t mean it will be on Thursday. A point-in-time audit certifies only that moment; what matters is what the processor is actually storing between audits, not its paperwork.
  • Be proactive—If CardSystems truly believes its June 17 statement, in which it said that “our customers and their customers are our lifeblood,” maybe it should have beefed up security before a breach occurred.

Other Hall of Shame Inductees

Bank of America Corp.

The bank loses backup tapes containing 1.2 million federal employee records.

ChoicePoint Inc.

Allows 145,000 Social Security numbers and credit histories to be stolen by crooks posing as businessmen.

Citigroup

Loses backup tapes containing 3.9 million credit records. Company says it will now encrypt data.

DSW Shoe Warehouse (DSW Inc.)

Reports that between mid-November 2004 and mid-February 2005, transaction data on 1.4 million credit card accounts and 96,000 checks was stolen.

LexisNexis, a division of Reed Elsevier Inc.

Suffers 59 different intrusions that result in a haul of 310,000 customer Social Security numbers, driver’s license numbers and addresses.

Polo of Ralph Lauren Media LLC

Fashion vendor hangs on to credit card information too long in its point-of-sale systems and loses the personal data of 180,000 HSBC North America customers.

Wachovia Corp.

Edina, Minn., man receives the 1099 forms of 73 individuals who held escrow accounts with the bank. Company launches interactive identity-theft quiz on its Web site.