The Biggest Information Security Incidents of 2007

Lessons Learned from Some of the Worst Disasters
The Biggest Information Security Incidents of 2007
The year started with jaw-dropping news of the TJX data breach â" as many as 96 million customers impacted. And it ended with the quieter (but no less disturbing) announcement of a possible insider breach at Commerce Bancorp. In between, we had stops in Asia, where the Bank of India was hacked, and the UK, where a government bureau lost discs containing 25 million personal records.

It was a banner year for information security incidents, which proved to be indiscriminate. No national boundary, employee group or trusted service provider is exempt. And no breach is worth its cost in damages, reparations and loss of reputation. From these incidents, we draw 10 lessons learned to guide financial institutions in 2008:

See Also: Ransomware: The Look at Future Trends

1. Information Security is a business issue.

2. Risk assessments need to be organization-wide and business focused.

3. Compliance does not equal security.

4. Customers implicitly expect security and privacy, more so from a bank than any other trusted institution.

5. Technology can enable security. But technology alone can not guarantee security.

6. Trust, but verify. This applies to your Third-Party Service Providers (TSPs).

7. Security breaches are costly, but indirect costs (i.e. reputation, customer confidence) are the heavier burden.

8. Appropriate Incident Response can control the extent of damage and must include prompt, open communication to customers, stakeholders and the news media.

9. Awareness is the key. Understand what works and repeat it (indefinitely).

10. Learn from otherâs mistakes. Donât repeat them.

That said, here are â...

8 Biggest Information Security Incidents of 2007

#8. Monster.comâs Summer of Stolen Data

Being unemployed is bad enough, but imagine having your identity attacked while looking for a job. Thatâs what happened to several hundred thousand job seekers who posted their resumes on Monster.com this past summer. A Trojan horse called Infostealer.Monstres was found by information security experts to have stolen more than 1.6 million records belonging to several hundred thousand people from Monsterâs website and job search service. The stolen data was then used to target the Monster.com users with credible phishing emails that planted more malware on their machines. What is unnerving to the experts was the sophistication of the attack on such a well-known web brand.

#7. UK Government Department Loses 25 Million Juvenile Records

In November the UK government arm of Revenue and Customs disclosed it had lost records on 25 million juvenile benefit claimants. The department head resigned after learning that the computer disks containing personal information were sent in the regular mail. The disks, which were not encrypted, disappeared while in transit to the country's National Audit Office. The disks included bank details and national ID numbers. Analyst firm Gartner Inc. predicts the processes of closing accounts and establishing new ones to protect against potential fraud resulting from the breach could end up costing British banks upward of $500 million. Financial institutions should also note the cost of breaches is nearing $200 per record. The potential for fraud resulting from this data loss could take years to uncover say experts.

# 6. Midwest Bank Hacked

Commerce Bank N.A., a regional bank with more than $15 billion in assets operating in five Midwest states was lucky that when it stopped a criminal hack into one of its customer databases in October, only 20 customer records were taken. Sophisticated fraud detection software at the bank detected the hacking. Many times hackers will attempt to get into networks through web vulnerabilities on bank websites that then allow them access into the network and bank databases. Undetected, the damage could have been far worse.

#5. TD Ameritrade Holding Corp.

The brokerage company disclosed in September that someone had broken into one of its systems and stolen contact information such as names, addresses and phone numbers belonging to its more than 6.2 million retail and institutional customers. However, Social Security numbers and account numbers that were also stored in the same database appeared to have been left untouched. The stolen data was apparently used for the purposes of sending stock-related spam.

#4. Commerce Bancorp Employee Releases Customer Data

The New Jersey-based Commerce Bancorp notified some of it customers in November that their identities may have been compromised. The bank said that only a small segment of its 3 million customers were affected when an employee gave out confidential customer information, including names, addresses, account numbers and social security numbers.

#3. Bank of India

When Bank of Indiaâs website was compromised in August 2007, as one of the largest banks on the Indian continent, it demonstrated that every institution offering transactions via a web site can be prone to a similar attack. One security expert called the attack â-a shot across the bowâ" for U.S. financial institutions. Geographical boundaries donât present any barrier to attackers and state or country specific banking regulations donât come into play. Bank of Indiaâs website became a bot machine for anyone visiting its official website.

#2. Fidelity National Information Services

Personal information on more than 8.5 million consumers was compromised when a senior database administrator working at Certegy Check Services Inc., a subsidiary of Fidelity National, illegally downloaded the data and sold it to a broker for $500,000. Fidelity National, which is separate from the better known Fidelity Investments, first announced in July that only 2.5 million records were taken when it divulged the breach. Less than a month later, that number grew to 8.5 million, according to Securities and Exchange Commission filings. The data was apparently resold to a direct marketing company -- not to ID thieves or other fraudsters. The Certegy employee caught pilfering the data has since pleaded guilty.

#1. The TJX Breach

It was one of the first data breach stories of 2007, and to date it still is the record-holder. The story line: Massachusetts-based retailer TJX revealed that more than 46 million credit and debit card accounts were hacked in a data breach, possibly going back as far as 2003. Later, court documents revealed that number may be more than 96 million customers affected. The bottom line: Industry analysts predict the price tag of the breach could go as high as $1 billion when all the settlements are paid. By TJX's own estimates, the company has already spent or set aside close to $250 million for costs stemming from the incident. Certain banks have settled with the retailer, and TJX has strengthened its network security and overall security posture.


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network