Top 10 Security Breaches of 2008Ghost of Christmas Past (TJX) Still Casts Specter on Present and Future
Earlier this year, The TJX Companies (parent of retailer TJ Maxx) settled in federal court and paid out millions to its federal regulator, the Federal Trade Commission, banking institutions, credit card companies and consumers to bring to a close the court cases that had threatened to overwhelm the company.
The August arrest of 11 alleged hackers accused of stealing more than 40 million credit and debit cards brings law enforcement closer to closing what is still the largest hack ever. The U.S. Department of Justice brought charges against 11 alleged hackers from around the globe. Some of the hacking gang were nabbed and brought to the U.S. to face trial alongside three U.S.-based defendants. Two of the defendants, Christopher Scott and Damon Patrick Toey, have already pled guilty in the case. Others including the ringleader, Alberto Gonzalez, await trial.
Lesson Learned: The wide-range of the perpetrators brings to light something that those in the cyber intelligence realm have known for some time: Criminal hackers are part of a very mature and multi-billion dollar industry that reaches around the world. No organization is immune to the threat.
An unencrypted backup tape with 4.5 million customers of the Bank of New York Mellon went missing on Feb. 27, after it was sent to a storage facility. The missing tape contains social security numbers and bank account information on 4.5 million customers - including several hundred thousand depositors and investors of People's United Bank of Connecticut, which had given Bank of New York Mellon the information so it could offer those consumers an investment opportunity.
Lesson Learned: For Bank of New York Mellon, know that when data is released to a third-party that their security is as good or better than yours. Encryption isn't just something that is good for the data held at an institution; it's also something to consider for data that leaves the institution.
In March, the Maine-based Hannaford Brothers grocery store chain announced that 4.2 million customer card transactions had been compromised by the hackers. More than 1800 credit card numbers were immediately used for fraudulent transactions.
The affected banks and credit unions were forced to reissue the credit and debit cards. Within two days of the breach announcement, two class action suits had been filed on behalf of customers against the retailer. The retailer claims its systems were PCI-compliant and had passed a PCI assessment shortly before the hack was discovered.
Lesson Learned: The case is still open, and forensic reports by security investigators brought in by Hannaford have not been made public. The PCI Security Council has pledged that if the PCI requirements are found to be wanting in light of the report, they will make changes to tighten the requirements. Cases such as Hannaford may be the impetus behind legislation to require prompt notification of a data security breach.
In August, a former Countrywide Financial Corp. senior financial analyst, Rene Rebollo, was arrested and charged by the FBI for stealing and selling sensitive personal information of an estimated 2 million mortgage loan applicants. How he did it over a two-year period was to download about 20,000 customer profiles each week onto flash drives, working on Sunday nights, when no one else was in the office. Rebollo then took the excel spreadsheets to business center stores to email to buyers.
Countrywide, now owned by Bank of America, was already facing money and reputation issues because of the subprime loan meltdown before it faced the insider threat of Rebollo.
Lesson Learned: While Countrywide and Bank of America now know firsthand what a rogue insider can do, other institutions need to do a better job of monitoring their employees and creating asset controls. As the economy continues to produce layoffs, this threat may become even more so, as fearful employees look to cash in on their trusted status and take data just in case they face unemployment.
Early in January, Iron Mountain said it could not find a backup tape that belonged to GE Money, containing information on J.C. Penney customers and 100 other retailers.
The tape was stored in an Iron Mountain vault, says an Iron Mountain statement issued about the loss, and had been requested by GE Money in October 2007. The tape contained the personal information of about 650,000 J.C. Penney customers and the other 100 retailers. GE Money processes credit cards for those retailers. As a records and archive company that specializes in records management, Iron Mountain was at a loss to explain the tape's whereabouts.
Iron Mountain said it was an unfortunate case of a misplaced tape, but asserts that there was no evidence that the information was obtained and used by unauthorized persons. The missing tape also included about 150,000 social security numbers.
Lesson Learned: While GE Money paid for credit monitoring for the 650,000 credit card holders, Iron Mountain may have learned to better monitor where media is located. For the rest of companies that hold information of a personally identifiable nature, there is another reason to keep it safe from prying eyes. The cost of an average data breach can hit a company's bottom line. According to a study conducted by the Ponemon Institute, an independent information security and privacy research group, data breaches are costing businesses an average of $197 per customer record, up from $182 in 2006.
In November, security vendor RSA said it found a single Trojan that had taken more than 500,000 online banking accounts credentials, credit cards and other resources. The company's Fraud Action Research Team added that the hacking gang behind the Trojan may have been operating for as long as three years. The compromised data came from hundreds of financial institutions around the world.
Lesson Learned: The Trojan Sinowal is so tricky that the average institution or customer would not even know that they are infected with it. Taking a professional, defense-in-depth approach to protecting a network and customers is the best remedy.
At the sentencing of a former bank programmer at Compass Bank in Birmingham, AL. in March, it was revealed that the accused had stolen a hard drive with 1 million customer records and used it to commit debit-card fraud. James Kevin Real is now serving a 42-month sentence and was ordered to pay back the more than $32,000 that he and an accomplice withdrew from Compass Bank customer accounts. The bank claimed that the customer records contained limited information, but Real was able to create 250 counterfeit debit cards. He used 45 of them to access and withdraw cash before being arrested.
At the time of Real's sentencing, Alabama was one of 11 states that didn't require companies to automatically notify customers of data breaches.
Lesson Learned: Compass Bank dodged a bullet in terms of cost on this breach. It would have had to notify all 1 million customers of the compromise of their data had the hard drive theft been in a state that requires notification. Other than the 250 customers that Real took money from, no other customers were notified of the data loss. That means that 999,750 of the other 1 million customers weren't notified of the potential risk.
In an attack similar to what hit Hannaford Brothers in March, the Okemo Ski Resort in Vermont said in April it had been hit by hackers that installed malicious software to capture credit card data as it was being processed at the resort. Law enforcement officials at the time said they were investigating as many as 50 other similar incidents in the Northeast.
Lesson Learned: PCI compliance is like a driver's license -- it may mean that a retailer has passed the test for compliance, but doesn't necessarily mean it is in compliance.
Six months after a breach happened at the parent company of the Montgomery Ward website, the company Direct Marketing Services finally began notifying customers that their credit card information was stolen in the hack. At least 51,000 records were stolen out of a database in December, 2007.
Direct Marketing said it had promptly contacted its payment processor and Visa and MasterCard, and it also notified the U.S. Secret Service.
Lesson Learned: Direct Marketing Services was forced into contacting the customers after the company CardCops, an investigative firm that tracks credit card thefts for the financial services industry, found more than 200,000 payment cards being offered for sale on an Internet chat room often visited by card thieves. Better to take the public relations role and confess the breach than possibly face data breach notification lawsuits by consumers and state attorney generals.
The Automatic Teller Machine capers are hitting everywhere. In June, two men were charged with making hundreds of withdrawals from New York City ATMs, grabbing $750,000 in the process, using stolen information from a previous computer intrusion into a Citibank server that processes ATM withdrawals. One of the same accused also allegedly took $5 million in withdrawals from iWire prepaid MasterCard accounts.
Lesson Learned: While Citibank denied the indictment's charge that their server had been breached and blames a third-party transaction processor for the compromise, it still meant it had to notify and reissue new debit cards to those customers that the bank believed were exposed to increased risk.