Data Breaches Pass 100 Million Mark: Is Your Data Safe?

Andrew Miller • December 15, 2006

In December, a milestone of sorts was reached when Boeing Co. disclosed that a laptop containing names, SSNs, home addresses, phone numbers and dates of birth of 382,000 current and former employees had been stolen from an employee's car.

The theft pushed the number of records compromised due to security breaches over the 100 million mark, according to the Privacy Rights Clearinghouse, which tracks breaches dating to the ChoicePoint incident in 2005. The number of individuals affected isn't known, because some individuals may be the victim of more than one breach.

The Boeing incident followed an even bigger one at UCLA, where hackers gained access to a database containing personal information on 800,000 current and former students, current and former faculty and staff, parents of financial aid applicants, and student applicants, including those who did not attend. Exposed records contained names, SSNs, birth dates, home addresses, and contact information.

Some of the largest breaches have involved financial institutions or payment processors, including Ameritrade, Bank of America, Citigroup, and the granddaddy of them all, CardSystems, where a breach exposed 40 million payment card records.

At a recent forum sponsored by the Identity Theft Assistance Center, participants stressed that every company that handles sensitive consumer data must have a plan to deal with potential data breaches in order to protect consumers against identity theft and to maintain consumer confidence.

â€œEvery company has an obligation to look at the way they do business in this regard, from securing data within the organization, to dealing with third parties, such as business partners and vendors,â€ said Robert Shiflet, senior vice president of card services operations at Bank of America.

Thereâ€™s an increasing awareness of the different types of risks associated with data breaches including loss of consumer confidence, litigation, and regulation. â€œCompanies are responding by making major investments to protect data, but we all recognize the bad guys are equally committed to thwarting those protections,â€ said Anne Wallace, executive director of ITAC.

The forum featured speakers from government, industry, academia, research organizations, law and public relations to identify trends and to share â€œbest practicesâ€ on how to prepare and respond to data breaches. Among the findings were that intentional breaches, such as the hacking of a companyâ€™s information systems, result in more cases of identity theft than unintentional breaches, such as data stored on a stolen laptop. The potential for identity theft depends on the properties of the data that's been breached, e.g., account numbers alone are insufficient to commit identity theft. Companies are implementing policies to segregate data to prevent thieves from acquiring sufficient data to perpetrate identity theft. While there's debate about the best methods to notify consumers in the event of a breach, there is consensus that companies must communicate quickly and candidly with consumers about the circumstances of the breach.

Companies should have policies and procedures in place regarding data breaches. The internal response team should represent multiple disciplines within the company, including information technology, security, legal and public relations.

WesCorp, the largest corporate credit union in North America with more than $24 billion in assets and 1,000 member organizations, had implemented perimeter security technologies such as firewalls and intrusion detection to protect its sensitive member data. Yet these weren't enough; also needed was a database security system that alerts management to business risks from security violations and suspicious data activities, and also provides the audit trail required for changing government regulations.

WesCorp member databases change each day, either as a result of financial transactions, customer information updates or internal application installations and patches. With each change comes new potential holes that can compromise data integrity and security.

â€œThe missing piece was a way to understand who or what is accessing the data to ensure the security, integrity and availability of the database and assets," says Chris Hoff, WesCorp's chief information security officer.

It installed a database security system that examines patch levels, accounts, permissions, grants, configuration settings and a myriad of other settings that can provide unintended access to data or holes in security. WesCorpâ€™s next step is to implement software that learns user behavior in order to distinguish between normal data access activities and malicious acts. With this knowledge, the software will be able to detect specific threats and automatically alert managers. The result will be faster response to unexpected changes in activity.