Today's electronic world is a risky place for your personal data -- and it's not getting any safer. More than 158 million data records of U.S. residents have been exposed as a result of security breaches since January 2005, according to the Privacy Rights Clearinghouse, a nonprofit consumer rights organization.
As fast as banks, merchants and consumers add new layers of security to their storage systems and network, say security analysts, new technologies -- or simply careless users -- create new security holes that aggressive and sophisticated identity thieves eagerly exploit. The result, says Avivah Litan, a vice president and distinguished analyst at Gartner Inc., is that "things will get worse before they get better."
Attacks against both consumers and retailers have "really grown in the last couple of years," says Litan, who cites a Gartner survey showing that approximately 15 million Americans were victims of identity-theft-related fraud in the 12 months ending in the middle of 2006. According to Gartner, that's a 50 percent increase since 2003, and the average loss per incident was US$3,257, more than twice the level for the same period a year earlier.
The number of companies whose customers were targeted by phishing attacks -- a fake e-mail asking for sensitive information -- grew by 20 percent in the second quarter of 2007, says Terry Gudaitis, cyberintelligence director at Cyveillance Inc., an Arlington, Va.-based firm that monitors the Internet for malware and other threats. While such attacks used to target customers of only a few large banks, they now impersonate "credit unions, hotel chains, insurance companies -- it's all over the board," says Todd Bransford, vice president of marketing at Cyveillance.
During the same period, Cyveillance also identified more than 2 million URLs that distribute malicious downloads to site visitors without their knowledge, as well as 2.5 million stolen credit card numbers online.
Criminals are also getting smarter. Larry Ponemon, chairman and founder of Ponemon Institute, which conducts research on privacy and security issues, calls it "inverted customer relationship management," in which criminals target the wealthiest individuals for their attacks.
Some are even buying marketing lists to piece together profiles of "who's got the Platinum [American Express card] and who's got the account with Merrill Lynch and who doesn't," says Litan.
"Hackers are exploiting Internet auctions, nonregulated money transmittal systems and the ability to impersonate lottery and sweepstakes contests," among other scams, wrote Litan in a February 2007 research report.
Theft and fraud?
Hard figures on identity theft and identity fraud (using stolen data to commit a crime) are difficult to come by. A June 2007 report from the Government Accountability Office said that of 24 large data breaches reported in the media between January 2000 and January 2005, only three "appeared to have resulted in fraud on existing accounts, and one breach appeared to have resulted in the unauthorized creation of new accounts."
However, the study noted it's difficult to determine the exact damage, because while at least 36 states require companies to notify consumers of data breaches, victims often don't know their information has been stolen or how it was stolen. Thieves may wait a year or more before using the data, and may use only some of it so as to not alert the card issuer, which could cancel the entire block of stolen cards.
Mary Monahan, a partner, editor and analyst at Javelin Strategy & Research, a research and consulting firm in Pleasanton, Calif., takes a more upbeat view. She says that prevention and awareness by both consumers and businesses helped reduce the number of adult victims of identity fraud in the U.S. from 8.9 million in 2005 to 8.4 million in 2006, and the dollar amount of fraud dropped 12 percent from $55.7 billion to $49.3 billion.
Those figures, however, include all types of identity fraud, the vast majority of which Javelin says result from traditional causes such as lost or stolen checkbooks or credit cards. Rachel Kim, a research associate at the firm, also points out that fewer than 1 percent of people whose information has been stolen go on to experience fraud. Despite the publicity of data breaches at companies such as The TJX Companies Inc., she says, among victims who knew how their data was lost, the share citing a data breach actually fell from 6 percent in 2005 to 3 percent in 2006.
Given all the unknowns, it's not surprising that even the experts are sometimes in the dark. A December 2006 survey of more than 200 North American security professionals by Enterprise Strategy Group Inc. showed that more than one-third had experienced a data breach at their company in the past 12 months, and another 10 percent didn't know if they had lost data.
One reason concern about identity theft is increasing is that with the expanding adoption of high-speed Internet service, more consumers are spending more time online, where they might share sensitive data.
And just as hackers target consumers they believe to be wealthy, they also take aim at companies they believe to have loose access controls, says Ponemon. Many companies don't maintain the same strict access control for contractors or part-time employees as they do for full-timers, says Mark McClain, CEO and founder of SailPoint Technologies Inc., an identity risk management vendor. "Folks on long-term contracts live outside the employee control system," he says. "It's very ad hoc: Bob hired Joe to help his group, and only Bob knows what access Joe has, and if Bob leaves, nobody knows what access Joe got."
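The failure mode McClain describes (a contractor's access outliving the manager who sponsored it) is exactly what a periodic access review is meant to catch. The following is an added example, not code from the article or from SailPoint: it runs a review over a constructed HR feed and a constructed entitlement list, flagging contractor accounts whose sponsor is no longer an active employee, accounts whose engagement has ended, accounts with no HR record at all, and accounts that have gone unused. All people, systems and dates are hypothetical.

```python
"""Access review for contractor accounts (added example, not from the article).

Inputs are a constructed HR feed and a constructed entitlement list. The review
flags access that nobody active owns or that outlived the engagement.
"""
from datetime import date

# Constructed sample HR records: person -> type, status, engagement end date.
PEOPLE = {
    "bob":   {"type": "employee",   "status": "terminated", "end": date(2007, 5, 31)},
    "alice": {"type": "employee",   "status": "active",     "end": None},
    "joe":   {"type": "contractor", "status": "active",     "end": date(2007, 12, 31)},
    "kim":   {"type": "contractor", "status": "active",     "end": date(2007, 3, 1)},
}

# Constructed sample entitlements: account, who sponsored it, what it reaches, last login.
ENTITLEMENTS = [
    {"account": "joe",   "sponsor": "bob",   "systems": ["crm", "card-vault"], "last_login": date(2007, 7, 10)},
    {"account": "kim",   "sponsor": "alice", "systems": ["crm"],               "last_login": date(2007, 2, 20)},
    {"account": "alice", "sponsor": None,    "systems": ["hr"],                "last_login": date(2007, 7, 14)},
    {"account": "ghost", "sponsor": "bob",   "systems": ["card-vault"],        "last_login": date(2007, 1, 2)},
]

TODAY = date(2007, 7, 15)  # hypothetical review date


def review_access(people, entitlements, today, stale_days=60):
    """Return a list of (account, reason, systems) findings for a reviewer to act on."""
    findings = []
    for ent in entitlements:
        acct, sponsor = ent["account"], ent["sponsor"]
        person = people.get(acct)
        if person is None:
            # Access with no owner in HR at all: nobody will ever revoke it.
            findings.append((acct, "account has no HR record", ent["systems"]))
            continue
        if person["type"] == "contractor":
            # "Only Bob knows what access Joe has": if Bob is gone, Joe's access is orphaned.
            sponsor_status = people.get(sponsor, {}).get("status") if sponsor else None
            if sponsor_status != "active":
                findings.append((acct, f"sponsor {sponsor!r} is not an active employee", ent["systems"]))
            if person["end"] and person["end"] < today:
                findings.append((acct, f"engagement ended {person['end']}", ent["systems"]))
        # Access activity, not just access rights: unused accounts are attacker footholds.
        idle = (today - ent["last_login"]).days
        if idle > stale_days:
            findings.append((acct, f"no login for {idle} days", ent["systems"]))
    return findings


def run_review():
    """Run the review over the constructed data."""
    return review_access(PEOPLE, ENTITLEMENTS, TODAY)


if __name__ == "__main__":
    for acct, reason, systems in run_review():
        print(f"{acct:6} {reason:40} {','.join(systems)}")
```

In practice the HR feed and the entitlement list come from different systems, and the review is only as good as the join between them; an account that appears in the entitlement list but not in HR (the "ghost" row above) is the case McClain's "ad hoc" hiring produces.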
"The old mind-set was that data breaches were the result of nefarious outside hackers, while the latest industry rhetoric blames insider attacks," Enterprise Strategy Group analyst Jon Oltsik says in his June 2007 report, "The Case for Data Leakage Prevention Solutions." However, the report states, breaches can be caused by either internal or external attacks, as well as logical hacking, physical theft and accidents. To reduce this wide variety of risks, he says, "large organizations need layered and extremely flexible defenses."
Just finding where sensitive data sits within the organization and where it's most vulnerable is a daunting task, says Scott Crawford, a research director at Enterprise Management Associates. Customer credit card information, purchase histories and other information might be stored anywhere, from a user's notebook computer to a Fibre Channel storage array at headquarters. "The data may move wirelessly; it may move through public links on the Internet; it may or may not be encrypted within the business and may be encrypted [only] part of the way," he says.
Retailers also often overlook vulnerabilities in devices such as point-of-sale (POS) systems that store data read from magnetic stripes on credit cards and can be accessed from the Internet, and printers that store data on hard drives as part of the printing process, says Gartner in a December 2006 report. The report predicts that by 2008, more than half of attacks against retailers will be directed at POS systems and that by 2009, less than one-third of POS software will comply with prevailing security standards.
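The first step in both Crawford's data-discovery problem and Gartner's POS warning is locating card data that should not be on disk at all. The following is an added example, not code from the article, Gartner or any vendor: it scans text for runs of digits that pass the Luhn check (which filters out order numbers and phone numbers) and for magnetic-stripe Track 2 layouts, which PCI DSS prohibits storing after authorization. The file names and contents are constructed, and the card number is the standard 4111... test number.

```python
"""Find stored card data in logs, spool files and POS dumps (added example).

Sample files below are constructed; the PAN is the standard test number.
"""
import re

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer number.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2: PAN, '=' field separator, expiry YYMM, 3-digit service code, discretionary data.
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})(\d{3})\d*")

SAMPLE_FILES = {  # constructed
    "pos/receipt.log": "2007-07-01 12:03 sale 41.20 card 4111 1111 1111 1111 exp 0908 auth ok\n",
    "pos/swipe.dat":   ";4111111111111111=09081011234567890?\n",
    "printer/spool.txt": "order #1234567890123 ship to 555-867-5309\n",
}


def luhn_ok(digits):
    """Luhn mod-10 check: rejects most non-card digit runs of card-like length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Report only first six and last four, so the scan output is not itself a leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text, source):
    findings = []
    track_spans = []
    for m in TRACK2_RE.finditer(text):
        pan, expiry = m.group(1), m.group(2)
        if luhn_ok(pan):
            track_spans.append(m.span())
            findings.append({"source": source, "kind": "track2", "pan": mask(pan), "expiry": expiry})
    for m in PAN_RE.finditer(text):
        if any(s <= m.start() < e for s, e in track_spans):
            continue  # already reported as part of a track-2 record
        pan = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(pan):
            findings.append({"source": source, "kind": "pan", "pan": mask(pan), "expiry": None})
    return findings


def run_scan(files=SAMPLE_FILES):
    """Scan every constructed file; on a real host, read from disk instead."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(text, name))
    return findings


if __name__ == "__main__":
    for f in run_scan():
        print(f"{f['source']:20} {f['kind']:7} {f['pan']} exp={f['expiry']}")
```

A Track 2 hit is the more serious finding: it means the full stripe contents needed to produce a counterfeit card were written to disk, which is the kind of POS exposure the Gartner report is pointing at. The Luhn filter is what keeps the scan usable; without it the 13-digit order number in the spool file would be reported too.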
While retailers are always reluctant to spend money on security that could otherwise be spent to drive sales, they might be convinced by the news from TJX that a large data breach disclosed in January will cost the company $118 million, says Litan.
Industry regulations such as the Payment Card Industry data security standard are forcing many companies to strengthen their security processes as well as the security tools they use, says Crawford. Visa U.S.A. Inc. says that about 40 percent of its 327 Level 1 merchants -- those that process more than 6 million transactions a year -- have demonstrated their compliance with the standard, up from 36 percent of the 230 Level 1 retailers counted at the end of 2006.
To counter a big spike in the use of counterfeit credit cards, Litan says card issuers, for a cost of about $5 per card, could add strong authentication mechanisms such as a unique password that would be downloaded to the card each time the owner tried to use it. Because the user would need the physical card (and not just the card number, expiration date and security code) to make a purchase, "it wouldn't matter" if companies lost credit card information through data breaches, she says.
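The property Litan describes is that static card data, even a complete stolen record, is useless without the physical card. The following is an added example, not code from the article or a description of Litan's proposal: it realises that property with a card-generated per-transaction code (a chip holding a secret key and a counter, in the style of an EMV cryptogram) rather than a password downloaded from the issuer, and shows the issuer approving a genuine purchase, rejecting a replayed one, rejecting a request built from stolen static data, and rejecting a request whose amount was altered in transit. The key, account number and merchant IDs are constructed.

```python
"""Per-transaction card authentication code (added example, not from the article).

The card holds a secret key and a counter that the issuer also holds. For each
purchase the card computes a short code over the counter and transaction details;
the issuer recomputes it and refuses counters it has already seen. Key, PAN and
merchant IDs below are constructed.
"""
import hashlib
import hmac


def auth_code(key, ctr, amount_cents, merchant):
    """Truncated HMAC over the transaction; only a holder of `key` can produce it."""
    msg = f"{ctr}|{amount_cents}|{merchant}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class Card:
    """What the chip on the physical card would do."""

    def __init__(self, pan, key):
        self.pan, self.key, self.counter = pan, key, 0

    def authorize(self, amount_cents, merchant):
        self.counter += 1  # fresh counter per use, so each code is single-use
        return {"pan": self.pan, "ctr": self.counter, "amount": amount_cents,
                "merchant": merchant,
                "code": auth_code(self.key, self.counter, amount_cents, merchant)}


class Issuer:
    def __init__(self):
        self.cards = {}  # pan -> {"key": bytes, "last_ctr": int}

    def enroll(self, card):
        self.cards[card.pan] = {"key": card.key, "last_ctr": 0}

    def verify(self, req):
        rec = self.cards.get(req["pan"])
        if rec is None:
            return "unknown card"
        if req["ctr"] <= rec["last_ctr"]:
            return "replay"  # a captured code cannot be presented twice
        expected = auth_code(rec["key"], req["ctr"], req["amount"], req["merchant"])
        if not hmac.compare_digest(expected, req["code"]):
            return "bad code"  # wrong key, or the transaction was altered
        rec["last_ctr"] = req["ctr"]
        return "approved"


def demo():
    """Run the four scenarios; returns a dict of outcomes."""
    key = b"constructed-card-key-0000000000"
    card = Card("4111111111111111", key)
    issuer = Issuer()
    issuer.enroll(card)

    genuine = card.authorize(4120, "M1")
    results = {"genuine": issuer.verify(genuine)}
    results["replay"] = issuer.verify(genuine)

    # A thief with PAN, expiry and CVC from a breach, but no key: must guess the code.
    stolen = {"pan": card.pan, "ctr": 2, "amount": 9999, "merchant": "M2", "code": "deadbeef"}
    results["stolen_static_data"] = issuer.verify(stolen)

    # A genuine code bound to 500 cents, altered to 50000 cents in transit.
    tampered = card.authorize(500, "M3")
    tampered["amount"] = 50000
    results["tampered_amount"] = issuer.verify(tampered)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:20} {outcome}")
```

Two design points carry the security argument: the code is bound to the counter, the amount and the merchant, so it cannot be reused or redirected, and the issuer's stored key never leaves the card or the issuer, so a merchant or processor breach yields nothing that can be replayed. The cost Litan cites is the per-card key storage and the crypto on the chip; the issuer side is a key store and a counter per account.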
Even as companies try to tighten their existing systems, Web 2.0 sites -- such as social networking services where much or all of the content is generated by users -- have become a handy way to distribute malware as well as yet another innocent-sounding business to impersonate in a phishing scheme, says Bransford. "You tend to trust these social networking sites because you belong to them and wind up with malware on your PC."
In the second half of the year, Cyveillance predicts another 10 percent to 20 percent growth in the number of traditional phishing attacks, with more than 80 percent of the attacks aimed at customers of financial services companies.
So what's an IT manager to do to protect sensitive data? "Don't store [information] if you don't need it, encrypt it if you can, and put strong access controls around it -- and then monitor the access," says Litan.
And when you get home, check your own bank statement for any odd-looking transactions.
Tips for avoiding identity theft
-- Just as you did for Sarbanes-Oxley, identify and secure the applications and devices most vulnerable to attack.
-- Track access rights (and access activity) for contractors as tightly as you do for employees.
-- Don't store data if you don't need to; encrypt it if you must store it.
-- Educate and remind all your employees about the need for data security.
Tips for consumers:
-- Monitor bank statements, credit card bills and credit reports for signs of ID fraud.
-- Use up-to-date firewalls and antivirus/antispyware software on all computers.
-- Be wary of performing transactions or spending time on unknown Web sites.
-- Be alert for changes in the look or wording of e-mails from banks or other institutions, which might signal a phishing attack.