(c/o DK)

http://www.dallasnews.com/sharedcontent/dws/bus/stories/062305dnbusdatatheft.36c17608.html

Stolen data demand puts risk in every swipe
Breaches show you have more to fear than just hackers


04:49 PM CDT on Friday, June 24, 2005

By IEVA M. AUGSTUMS / The Dallas Morning News


As consumers, companies, policy-makers and security experts grapple with
the increasingly high-profile problem of mass data thefts, the question
isn't where consumer information is vulnerable, but where it isn't.

Data breaches occur nearly every day, from a variety of institutions in a
variety of ways. In the last four months, 45 cases of exposed data have had
the potential to affect about 50 million consumers, according to the
Privacy Rights Clearinghouse.

For many people, the stereotype is of a hacker sneaking account information
from the computer network of a financial services company. That's what
happened recently when someone penetrated CardSystems Solutions, a
transaction processor, and exposed more than 40 million credit card
accounts to potential fraud.

But an analysis of the 44 other breaches since Feb. 15 shows that usually
isn't the case. 

Of the 10 million other accounts exposed in that time:

• One-third came from nonfinancial institutions, including 18 colleges,
seven government agencies, six businesses and two medical organizations.

• Two-thirds came as a result of lost or stolen hardware or backup tapes.

• Less than a third were caused by hacking.

"Data theft is the currency choice of cybercrime out there right now, and
it's not just happening online," said Christopher Faulkner, chief executive
of Bedford-based CI Host, a Web hosting company. "Any time companies are
physically moving data from Point A to Point B, they need to know who's
moving it and assess any vulnerabilities."

"What unfortunately happens, time and time again, is employee error," said
Kimberly Elting, a privacy and health care lawyer at Jones Day in Dallas.
"Laptops get lost, computers stolen out of Dumpsters. Even packages go
missing in the mail."

Some experts have called for reasonable industrywide standards of security.
Others have called for fines based on the number of consumers affected.

"Data encryption is key," Mr. Faulkner said. "Yes, it adds another step and
cost, but we're talking about very sensitive, very mobile data."

The issue has come to the forefront thanks to a California law requiring
companies with customers there to disclose data breaches.

The first big case occurred in February, when ChoicePoint, a Georgia-based
data broker, reported that it was infiltrated by identity thieves posing as
legitimate customers.

Since then, numerous others have come forward, including Citigroup, Bank of
America, LexisNexis, shoe retailer DSW, Time Warner, Wachovia and dozens of
universities. 

But Friday's CardSystems hacking case was the largest yet. The data of 40
million account holders were exposed, with 200,000 known to have been
copied from the system.

CardSystems is one of hundreds of processors that help merchants and banks
process millions of transactions a day. With a swipe of a credit card,
cardholders' names, account numbers and security codes are electronically
relayed so that a sale can be authorized, the merchant paid and customer
billed. 

"People who are doing credit card fraud right now are looking at these
types of companies to see if they have any loopholes," said Michael
Gibbons, vice president for federal security services at Unisys and the
former chief of computer investigations for the FBI. "That's why you have
to have a continuous cycle of looking at your company's security
requirements." 

Out of your hands? 
Infiltrators have stolen codes to get into data networks worldwide for
decades. 

"Mass identity theft isn't new," said Mr. Gibbons, who also supervised the
Dallas FBI computer and economic crime squad in the late 1990s. "What's
changed is technology. We've opened ourselves up to the world where it's
easy to do new business anywhere with clients, but we've also made it very
easy to access our data."

Experts have plenty of advice to keep consumers from turning their data
over to an identity thief themselves, such as shredding sensitive documents
and not falling for Internet scams.

But once you've given your information to a legitimate organization, it's
out of your control.

In the CardSystems case, the company said it shouldn't have been holding
onto the account information but had intended to study the transactions to
improve its operations. In a Citigroup case earlier this month, information
on 3.9 million customers disappeared when computer tapes were lost by a
courier in transit to a credit bureau.

"All your information is very fluid," said Chris Voice, vice president for
technology at Addison-based Entrust Inc., which provides security software
and services to companies. "It is moving from one organization to the next.
Data is in motion at all times."

Market for stolen data
The boom in data collection has created a marketplace of valuable
information stored on thousands of computers nationwide. Retailers, credit
card companies, and both financial and nonfinancial organizations all share
and sell your data.

"When consumers open up a credit card, they know they will be able to buy
stuff in a store," said Federal Trade Commission spokeswoman Claudia Bourne
Farrell. "What they didn't realize was that the store was going to get
something of value from them."

Consumers can try to stay out of it by paying cash, but that greatly
reduces their ability to get credit and participate in the global economic
system. 

"We all live and breathe by our credit cards," said Beth Givens, founder
and director of the Privacy Rights Clearinghouse. "When you open an
account, your privacy is out there for everyone."

Data thieves find the information valuable as well. But there are no firm
numbers on how many cases of fraud have stemmed from the exposure of 50
million consumers' information in the last four months.

"If it happened the day after a data breach, there's great question of how
soon consumers will realize it," Ms. Farrell said. "Sometimes you don't
know until somebody contacts you or you stumble across something on your
credit report." 

In 2004, the Federal Trade Commission received 246,570 identity-theft
complaints, up 15 percent from the previous year. Of those, 26,454 were
from Texans. But those numbers include only individuals who complained.
Often cases are resolved when a credit card company contacts an affected
customer. 

Will Congress act? 
A recent study of Washington opinion leaders showed that many feel that
Congress has not done enough to protect consumer data.

The Identity Theft and Assumption Deterrence Act of 1998 makes identity
theft a federal crime, and many states have passed similar laws and
regulations that provide help in recovery from identity theft.

But eight of 10 senior-level professionals in government, policy,
consulting, media and technology said Congress should do more to protect
Social Security numbers, according to the report commissioned by Adobe
Systems and RSA Security, two companies that sell data protection products.

Three-quarters of the 400 people polled say the same for financial data and
credit card numbers.

"Legislation is definitely a driver toward change," said Mr. Gibbons of
Unisys. "If we are trying to make it so it's not acceptable to cover up
data theft that could impact consumers, creating a behavior change, then
legislation is a way to go."

But only 8 percent believe it is "very likely" Congress will pass
legislation increasing security requirements for companies that collect
consumer data. Such legislation is "somewhat likely," according to 47
percent of the respondents.

It's too early to tell whether anything will come to fruition, but almost
everyone agrees that the situation must be improved.

"No one is particularly safe out there, but it's not like it's the wild,
wild west either," Mr. Faulkner said. "If you are a data aggregator, you
just don't want to be caught with your head in the sand." 


