The credit records of 3.9 million Citigroup customers disappear after United Parcel Service loses a box of backup tapes. The card numbers of 40 million MasterCard, Visa, American Express and Discover account holders are exposed to hackers because a Tucson, Ariz.-based transaction processor stored information longer than it should have. The Federal Deposit Insurance Corp., the federal agency responsible for protecting bank accounts, informed 6,000 present and former employees that their personal data had been stolen in 2004.
It was a rough June.
Every time you think screw-ups involving the security of data about American companies' most prized possessions - their customers - can't get worse, a new, bigger one comes along.
Preventing these issues isn't that complicated, says Alan Brill, senior managing director at data security vendor Kroll Ontrack: Encrypt data in transit; use better procedures to handle personal information such as Social Security numbers; don't hang on to data longer than necessary; and fortify networks internally and externally, using processes that limit access to only those who need it.
But there's no glory in following those security practices. ChoicePoint may have seen its stock drop 15%, wiping out $630 million of shareholder wealth in February, when the company confirmed that it had lost personal data on 145,000 people. But most companies roll the dice and then play the victim card when they are hacked or snookered into handing over personal information to crooks.
"These things just shouldn't be happening," says Jim Stickley, chief technology officer for TraceSecurity. "There's just no good reason not to have good security policies and practices. A lot of companies are still living with that 'it can't happen to me' mentality."
The big question: What can entice companies to beef up security? At this point, it's unclear. But shame can be a good motivator. So, herewith, the first inductees into the Baseline Security Hall of Shame. The running list will be compiled as needed and run in full in our special year-end issue, "The Year of Living Dangerously."
Nominations for the Hall of Shame can be sent to baseline@ziffdavis.com.
LOWLIGHT OF THE MONTH
CardSystems Solutions, Tucson, Ariz., loses 40 million credit card numbers after an unauthorized individual infiltrated the company's network and took customer data. Details about the theft are sketchy. MasterCard, Visa and CardSystems aren't commenting beyond their statements.
CardSystems says it discovered the breach on May 22 and called the Federal Bureau of Investigation the following day.
The folly of not following procedure. MasterCard and Visa noted that CardSystems stored more data than it should have and violated security protocols. Why was CardSystems allowed to operate if it wasn't in compliance with card issuer security standards? Apparently, CardSystems was secure at this time last year. Baseline has learned that CardSystems was verified as meeting Visa's security standards in June 2004, but began storing more data than it should have shortly thereafter.
Now that it has been hacked, CardSystems is "completing the installation of enhanced/additional security procedures."
What to do, next time. Verify transaction processor security more often. Just because a processor is in compliance with Visa and MasterCard security requirements on Tuesday, doesn't mean it will be on Thursday.
Be proactive. If CardSystems truly believes its June 17 statement - in which it said that "our customers and their customers are our lifeblood" - maybe it should have beefed up security ahead of a breach.
CardSystems is far from alone when it comes to information security woes.
BANK OF AMERICA
The bank loses backup tapes containing 1.2 million federal-employee records.
CHOICEPOINT
Allows 145,000 Social Security numbers and credit histories to be stolen by crooks posing as businessmen.
CITIGROUP
Loses backup tapes containing 3.9 million credit records. Company says it will now encrypt data.
DSW SHOE WAREHOUSE
Reports that between mid-November 2004 and mid-February 2005, transaction data on 1.4 million credit card accounts and 96,000 checks was stolen.
LEXIS-NEXIS
Suffers 59 different intrusions that result in a haul of 310,000 customer Social Security numbers, driver's license numbers and addresses.
POLO RALPH LAUREN
Fashion icon hangs on to credit card information too long in its point-of-sale systems and loses the personal data of 180,000 HSBC North America customers.
WACHOVIA
Edina, Minn., man receives the 1099 forms of 73 individuals who held escrow accounts with the bank. Company launches interactive identity-theft quiz on its Web site.
