The Biggest Information Security Incidents of 2007
Lessons Learned from Some of the Worst Disasters
It was a banner year for information security incidents, which proved to be indiscriminate. No national boundary, employee group or trusted service provider is exempt. And no breach is worth its cost in damages, reparations and loss of reputation. From these incidents, we draw 10 lessons learned to guide financial institutions in 2008:
1. Information Security is a business issue.
2. Risk assessments need to be organization-wide and business focused.
3. Compliance does not equal security.
4. Customers implicitly expect security and privacy, more so from a bank than any other trusted institution.
5. Technology can enable security. But technology alone cannot guarantee security.
6. Trust, but verify. This applies to your Third-Party Service Providers (TSPs).
7. Security breaches are costly, but the indirect costs (e.g. reputation, customer confidence) are the heavier burden.
8. Appropriate Incident Response can control the extent of damage and must include prompt, open communication to customers, stakeholders and the news media.
9. Awareness is the key. Understand what works and repeat it (indefinitely).
10. Learn from others’ mistakes. Don’t repeat them.
That said, here are …
8 Biggest Information Security Incidents of 2007
#8. Monster.com’s Summer of Stolen Data
Being unemployed is bad enough, but imagine having your identity attacked while looking for a job. That’s what happened to several hundred thousand job seekers who posted their resumes on Monster.com this past summer. Information security experts found that a Trojan horse called Infostealer.Monstres had stolen more than 1.6 million records, belonging to several hundred thousand people, from Monster’s website and job search service. The stolen data was then used to target Monster.com users with credible phishing emails that planted more malware on their machines. What unnerved the experts was the sophistication of the attack on such a well-known web brand.
#7. UK Government Department Loses 25 Million Juvenile Records
In November the UK government’s HM Revenue and Customs department disclosed that it had lost records on 25 million juvenile benefit claimants. The department head resigned after it emerged that computer disks containing the personal information had been sent through the regular mail. The disks, which were not encrypted, disappeared while in transit to the country’s National Audit Office. They included bank details and national ID numbers. Analyst firm Gartner Inc. predicts that closing accounts and establishing new ones to protect against potential fraud resulting from the breach could end up costing British banks upward of $500 million. Financial institutions should also note that the cost of breaches is nearing $200 per record. Experts say the fraud resulting from this data loss could take years to uncover.
#6. Midwest Bank Hacked
Commerce Bank N.A., a regional bank with more than $15 billion in assets operating in five Midwest states, was fortunate: when it stopped a criminal intrusion into one of its customer databases in October, only 20 customer records had been taken. Sophisticated fraud detection software at the bank flagged the intrusion. Attackers frequently get in through vulnerabilities in a bank’s public website, which can then give them a path into the internal network and the bank’s databases. Had the intrusion gone undetected, the damage could have been far worse.
The brokerage company disclosed in September that someone had broken into one of its systems and stolen contact information such as names, addresses and phone numbers belonging to its more than 6.2 million retail and institutional customers. However, Social Security numbers and account numbers that were also stored in the same database appeared to have been left untouched. The stolen data was apparently used for the purposes of sending stock-related spam.
The New Jersey-based Commerce Bancorp notified some of its customers in November that their identities may have been compromised. The bank said that only a small segment of its 3 million customers was affected when an employee gave out confidential customer information, including names, addresses, account numbers and Social Security numbers.
#3. Bank of India
When Bank of India’s website was compromised in August 2007, the incident at one of the largest banks on the Indian subcontinent demonstrated that every institution offering transactions via a website is prone to a similar attack. One security expert called the attack “a shot across the bow” for U.S. financial institutions. Geographical boundaries present no barrier to attackers, and state- or country-specific banking regulations do not come into play. Bank of India’s official website was altered to serve malware, turning the machines of anyone who visited it into bots.
Personal information on more than 8.5 million consumers was compromised when a senior database administrator working at Certegy Check Services Inc., a subsidiary of Fidelity National, illegally downloaded the data and sold it to a broker for $500,000. Fidelity National, which is separate from the better known Fidelity Investments, said when it first divulged the breach in July that only 2.5 million records had been taken. Less than a month later, that number grew to 8.5 million, according to Securities and Exchange Commission filings. The data was apparently resold to a direct marketing company, not to ID thieves or other fraudsters. The Certegy employee caught pilfering the data has since pleaded guilty.
#1. The TJX Breach
It was one of the first data breach stories of 2007, and to date it still is the record-holder. The story line: Massachusetts-based retailer TJX revealed that more than 46 million credit and debit card accounts were hacked in a data breach, possibly going back as far as 2003. Later, court documents revealed that number may be more than 96 million customers affected. The bottom line: Industry analysts predict the price tag of the breach could go as high as $1 billion when all the settlements are paid. By TJX's own estimates, the company has already spent or set aside close to $250 million for costs stemming from the incident. Certain banks have settled with the retailer, and TJX has strengthened its network security and overall security posture.