BankInfoSecurity.com - Information Security News, Regulations, & Education

Just Released: Our Online Webinar Catalog

Bank Information Security Articles

Top 10 Security Breaches of 2008

Credit
EligibleAs a BankInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info

Ghost of Christmas Past (TJX) Still Casts Specter on Present and Future

December 22, 2008 - Linda McGlasson, Managing Editor

This article was originally created for BankInfoSecurity.com, and contains information that should interest our GovInfoSecurity.com readers.

Save

Digg

Delicious

Please login or register to save this article.

Comment on this article

From Hannaford to Countrywide to the Bank of New York Mellon, 2008 has been a year of high-profile security breaches in or impacting the financial services industry. Here's our list of the top 10 - and lessons that should be learned, so we aren't back revisiting these issues in '09.

1. TJX Case Winds Up, Arrests Made

Earlier this year, The TJX Companies (parent of retailer TJ Maxx) settled in federal court and paid out millions to its federal regulator, the Federal Trade Commission, banking institutions, credit card companies and consumers to bring to a close the court cases that had threatened to overwhelm the company.

The August arrest of 11 alleged hackers accused of stealing more than 40 million credit and debit cards brings law enforcement closer to closing what is still the largest hack ever. The U.S. Department of Justice brought charges against 11 alleged hackers from around the globe. Some of the hacking gang were nabbed and brought to the U.S. to face trial alongside three U.S.-based defendants. Two of the defendants, Christopher Scott and Damon Patrick Toey, have already pled guilty in the case. Others including the ringleader, Alberto Gonzalez, await trial.

Lesson Learned: The wide-range of the perpetrators brings to light something that those in the cyber intelligence realm have known for some time: Criminal hackers are part of a very mature and multi-billion dollar industry that reaches around the world. No organization is immune to the threat.

Click to Get Updates on the Latest Information Security News

Company*

Title*

Email*

Subscription Type:

Healthcare Enews

General Healthcare Enews
Blogs Enews
Careers Enews
Training Enews
Webinars Enews
Podcasts Enews
White Papers Enews

Government Enews

General Government Enews
Blogs Enews
Careers Enews
Training Enews
Webinars Enews
Podcasts Enews
White Papers Enews

Banking Enews

General Banking Enews
Blogs Enews
Careers Enews
Training Enews
Webinars Enews
Podcasts Enews
White Papers Enews

Credit Union Enews

General Credit Union Enews
Blogs Enews
Careers Enews
Training Enews
Webinars Enews
Podcasts Enews
White Papers Enews

Need Help?

2. Bank of New York Mellon

An unencrypted backup tape with 4.5 million customers of the Bank of New York Mellon went missing on Feb. 27, after it was sent to a storage facility. The missing tape contains social security numbers and bank account information on 4.5 million customers - including several hundred thousand depositors and investors of People's United Bank of Connecticut, which had given Bank of New York Mellon the information so it could offer those consumers an investment opportunity.

Lesson Learned: For Bank of New York Mellon, know that when data is released to a third-party that their security is as good or better than yours. Encryption isn't just something that is good for the data held at an institution; it's also something to consider for data that leaves the institution.

3. Hannaford Data Breach

In March, the Maine-based Hannaford Brothers grocery store chain announced that 4.2 million customer card transactions had been compromised by the hackers. More than 1800 credit card numbers were immediately used for fraudulent transactions.

The affected banks and credit unions were forced to reissue the credit and debit cards. Within two days of the breach announcement, two class action suits had been filed on behalf of customers against the retailer. The retailer claims its systems were PCI-compliant and had passed a PCI assessment shortly before the hack was discovered.

Lesson Learned: The case is still open, and forensic reports by security investigators brought in by Hannaford have not been made public. The PCI Security Council has pledged that if the PCI requirements are found to be wanting in light of the report, they will make changes to tighten the requirements. Cases such as Hannaford may be the impetus behind legislation to require prompt notification of a data security breach.

4. Countrywide Insider Theft

In August, a former Countrywide Financial Corp. senior financial analyst, Rene Rebollo, was arrested and charged by the FBI for stealing and selling sensitive personal information of an estimated 2 million mortgage loan applicants. How he did it over a two-year period was to download about 20,000 customer profiles each week onto flash drives, working on Sunday nights, when no one else was in the office. Rebollo then took the excel spreadsheets to business center stores to email to buyers.

Countrywide, now owned by Bank of America, was already facing money and reputation issues because of the subprime loan meltdown before it faced the insider threat of Rebollo.

Lesson Learned: While Countrywide and Bank of America now know firsthand what a rogue insider can do, other institutions need to do a better job of monitoring their employees and creating asset controls. As the economy continues to produce layoffs, this threat may become even more so, as fearful employees look to cash in on their trusted status and take data just in case they face unemployment.

5. GE Money Backup Tape Goes AWOL

1 | 2 | 3

View On 1 Page

Next Related Article:

Marcus Ranum on Today's Top Threats

What do you see as the worst security breach of 2008?

Here's your chance to be a part of the dialogue and engage with your peers! Just enter your comment to the right, click submit to send it to our Editor. All entries are posted anonymously.

Please login if you would like to post a comment on this question.

Until we start encrypting sensitive information at the "data level" as it's collected, used and stored through end of life (such that no "insider" can access it, let alone download or otherwise take it) we'll continue to see more of these types of breaches. Technologies like format-preserving encryption are available now to effectively address the problem.

With all these break-ins being reported, are there any plans to move to an EMV (chip card) environment to protect the consumers? Is this a viable security solution in this time of economic crunch?

I'd like to hear more on the alleged World Bank break-ins. http://www.foxnews.com/story/0,2933,435681,00.html

How about the hacking of computers belonging to the McCain and Obama campaigns?

Or what the real story is on the Department of Defense USB device ban?

I'll bet the worst security breach of 2008 hasn't been discovered yet or publicly reported if it has been discovered.

Topics of Interest

Compliance

How to Prioritize Risk & Justify Security Investments
Understanding Man-in-the-Browser Attacks and Addressing the Problem

Physical Security

Redspin Security Report: Top 10 Network Security Threats of 2008 - Q2 Update
Physical Asset Management & IT Security

ATM

BankInfoSecurity.com Week in Review: Aug. 6, 2010
BankInfoSecurity.com Week in Review: Aug. 20, 2010

FHFA

FHFA: Issues Subpoenas for PLS Documents

Cloud Computing

Cloud Computing: The Case for Certification
Secure Image Transport: 'Buy, Don't Build'

Skimming

BankinfoSecurity.com Week in Review: July 31, 2010
BankInfoSecurity.com Week in Review: Aug. 20, 2010

Latest Tweets & Mentions

Recent Content
Most Popular

1Heartland, Discover Settle at $5 Million
2How to Protect Consumers from ID Theft
3The Mobile Mandate
4Church Latest Victim of ACH Fraud
5Video: Why Cyber Challenge is Needed
6FDIC: 829 Troubled Banks
7ID Theft: Courts Cracking Down
810 Tips to Thwart Skimming
9Skimming: Old Crime, New Tools
10Key Elements of Risk Management

1Failed Banks and Credit Unions, 2010
22010 Data Breach Timeline
3Pay-At-The-Pump Skimming on the Rise
4Account Takeover: The New Wrinkle
5Tapping the Power of Social Media
6ATM Skimming: How Effective is Jitter?
741 Banking Breaches So far in 2010
8New Fraud Spree Investigated
9Social Media Policy - The 6 Essentials
10FDIC: Top 5 Fraud Threats

BankInfoSecurity.com Research

Podcast:Mortgage Fraud: Compliance to be a Challenge
Webinar:Avoid Negligent Hiring - Best Practices and Legal Compliance in Background Checks
Handbook:2010 Webinar Catalog
White Paper:Understanding Man-in-the-Browser Attacks and Addressing the Problem
Regulation:FHFA: Issues Subpoenas for PLS Documents

Recent Blog Entries

Be Mindful of Insider Fraud Against Seniors

California's Financial Abuse Reporting Act, SB 1018, which r…

Read The Agency Insider by Linda McGlasson

Vendor Solutions

Intrusion Inc.

Solutions For:

Compliance, Email Security, Network Security
SafeNet, Inc.

Solutions For:

Compliance, Identification and Authentication, Network Security

Marketplace

Information Security Media Group - Family of Websites

Banking

BankInfoSecurity.com
Careers
Blogs

Credit Unions

CUInfoSecurity.com
Careers
Blogs

Government

GovInfoSecurity.com
Careers
Blogs

Healthcare

HealthcareInfoSecurity.com
Careers
Blogs

About Us
Contact Us
Site Map
Terms of Service
Advertise
RSS

BankInfoSecurity NewsGet the RSS Feed
Agency ReleasesGet the RSS Feed
Latest ArticlesGet the RSS Feed
WebinarsGet the RSS Feed
BankInfoSecurity.com BlogGet the RSS Feed

Home
Training
Resources
Content Library
- Agency Releases
- Articles
- Handbooks
- Podcasts
- Surveys
- Webinars | Calendar
- White Papers
Careers
Blog

Advanced Search

Browse Topics

Agencies

Federal Deposit Insurance Corp
Federal Reserve Board
Federal Trade Commission
FFIEC
FHFA
FinCEN
Government Accountability Office
National Credit Union Admin.
NIST
Office Comptroller of Currency
Office of Thrift Supervision

Anti-Money Laundering

Banking Today

Confidence In Banking

Business Continuity & Disaster Recovery

Pandemic Preparation

Compliance

Bank Secrecy Act
Basel II
CA Bill 1386
E-SIGN Act
FACTA
Gramm-Leach-Bliley Act
Guidance
Identity Theft Red Flags Rule
NCUA Part 748
Patriot Act
PCI DSS
Sarbanes-Oxley Act

Emerging Technology

Application Security
Authentication
Cloud Computing
Data Loss
Encryption
GRC
ID Access & Management
Messaging
Mobile Banking
Network/Perimeter
Remote Capture
SIM/SEM
Social Media
Storage
Web Security

Fraud

ACH
ATM
Check
Debit, Credit, Prepaid Cards
First Party
Insider
Mortgage
Payments
Wire

Governance & Standards

BITS
Cobit
COSO
FFIEC Handbook
ISO
ITGI
ITIL
PCAOB

Identity Theft

Pharming
Phishing
Skimming

Leadership & Management