Data breaches tied to credit and debit cards accounted for more than 25 percent of all breaches in 2011, according to a new report - a disturbing trend that puts the onus on banking institutions and merchants to bolster payment card security.
While breach numbers overall have declined, with breaches in the financial-services sector accounting for less than 4 percent of all breaches tracked by the San Diego-based Identity Theft Resource Center in 2011, compromises linked to payments cards still need attention, says Karen Barney, head of market research for the ITRC.
"In 2010, in response to an increase in the number of highly publicized skimming attacks, the ITRC started identifying breach incidents involving credit and debit cards," Barney says. "In 2011, 26.5 percent of the total breaches tracked by the ITRC involved credit and debit cards," about the same number reported in 2010.
From 2010 to 2011, the financial sector saw losses linked to debit and credit compromises drop from 18.6 percent to 1.6 percent. But merchants and businesses saw jumps in debit and credit losses, from 4.3 percent in 2010 to 12.9 percent in 2011.
Among some of the notable payments-card breaches in 2011:
- November's point-of-sale breach at California-based grocer Save Mart, which affected more than 20 Save Mart and Lucky Supermarkets, compromising an unknown number of accounts;
- The Michaels POS breach, which in 2011 hit customer accounts in more than 20 states, again impacting an unknown number of accounts.
In both cases, the merchants were criticized for having lax fraud detection and/or consumer breach notification policies.
Other notable breaches, such as the possible compromise of payments cards linked to Sony, e-mail accounts connected to Epsilon and security tokens issued by RSA, have garnered attention from public and private sectors because of consumers' unknown exposure to identity theft.
But debit and credit breaches were not the biggest worries to emerge from the 2011 analysis. Breaches linked to cyberattacks also topped the list.
More than a quarter of last year's data breaches resulted from some kind of hack or cyberattack. [See the ITRC's breach analysis.]
In 2011, 419 breaches were reported, including in states that don't mandate breach notification. Among those breaches, some 23 million records were exposed. By comparison, 662 breaches were reported in 2010, a decrease the ITRC says is more likely linked to under-reporting than to an actual drop in incidents of exposure.
Among the five tracked sectors - business, educational, government/military, medical/healthcare and banking/credit/financial - cyberhacks and compromises of data-on-the-move pose the greatest concern. "There are a number of breaches where we don't know what actually occurred," Barney says.
Hacks rank No. 1 among breach causes. But data-on-the-move, which could involve anything from a laptop left in a car to a lost mobile phone or tablet, comes in a close second.
Security Lessons for Banks, Merchants
Fundamentally, organizations can't stop cyberattacks. But they can make improvements to breach prevention and response, even going beyond what state and federal governments require from them. Barney offers the following tips:
- Risk Assessment - "Evaluate several issues," Barney says. "What kind of information is being collected, and does it need to be safeguarded?"
- Enhance Authentication - Never use personally identifiable information, such as birthdates and Social Security numbers, to authenticate users and/or consumer accounts. Protect data with things like dual-factor authentication. Recently updated Authentication Guidelines issued by the Federal Financial Institutions Examination Council call for layered security controls and multifactor authentication practices. Though written for federally regulated banks and credit unions, the authentication standards outlined in the guidance could, and should, serve as a baseline for authentication by any organization in any sector.
- Improve Storage - Determine whether the information is even necessary for business. "Limit or truncate what you can," Barney says. "And determine how long the information needs to be stored, onsite and offsite."
- Define the Data Lifecycle - Come up with a plan for destroying data once it's no longer needed. "How will it be destructed?" Barney asks. "There need to be protocols for electronic and paper files. The importance of shredding paper documents should not be minimized."
In fact, paper documents present a quandary, Barney says. The ITRC tracks paper breaches, which over the past five years have represented 20 percent of all reported incidents. Yet in most cases these breaches require no formal notification.
"The reality is paper breaches present a higher level of risk of harm, because the information is often ready to use and may even include signatures," Barney says. "Since there is no mandatory reporting for these types of breaches, individuals have no way of knowing they should be concerned about having their information exposed."
Breach Notification Challenges
One challenge uncovered by the breach report: the lack of standard breach notification laws, nationally and internationally. In the United States, state-to-state variations in notification requirements have made adequate and thorough reporting challenging. "I think a lot of businesses don't really know how many laws they have to deal with," Barney says. [See the ITRC's state-by-state breach analysis.]
Over the last five years, the ITRC has categorized nearly 700 breaches that had national reach. "This field was implemented at a time when breached entities were not being transparent in the information that was being made publicly available," Barney says. "Unfortunately, this lack of transparency continues to this day."
Most businesses and organizations, when complying with state notification laws, have traditionally notified only the Attorneys General of the states in which the affected consumers reside. Breaches that affected consumers across state lines, from the ITRC's perspective, have likely been under-reported.
Some states also appear to be hit more often than others. California, Florida and Texas consistently rank the highest, with breaches in Texas representing 38.3 percent of all data breaches in 2011. "Does this mean these states were hit the hardest?" Barney asks. "We don't think so. They just did a better job of reporting."
But state-to-state reporting variations, among the 47 states that have notification laws, have enabled under-reporting. "Current state notification laws have such a wide variety of loopholes that it is nearly impossible to determine the true extent of the number of breach incidents occurring annually," Barney says.