I resisted writing about the British tax authorities’ blunder disclosed last week, when they lost two CDs full of sensitive information (bank account and social benefits details) on 25 million UK families. The story received enough mainstream press attention, and I was afraid that many of our readers were starting to suffer from "breach fatigue" - hearing all too often about security breaches and missing personal information.
The fundamental reason why the breach occurred is all too common these days - e-mails released by the U.K.’s National Audit Office have confirmed that officials at Revenue and Customs did not want to remove sensitive information from the child benefit data sent to the auditors because doing so would cost extra (although some experts have said that "sanitizing" the data would have cost less than the equivalent of $10,000).
Anyway, I could not resist writing about the recent development from the UK for a different reason. As a response to the initial breach, the Revenue & Customs decided that it owed an apology to the families affected by the breach. So it decided to mail them a personalized apology letter. The letter, however, was too personalized - it included name, address, national insurance and child benefit numbers. The information contained in this letter is all that is needed by identity thieves to open bank accounts, claim benefits or even apply for passports on behalf of somebody else.
The UK authorities urge people who received the letters to destroy them once they have read them. But a large number of families will never receive theirs, either because they moved or because somebody ‘conveniently’ picked the letter out of their mailbox on their behalf.
So what follows next? A second apology letter, apologizing for the loss of the CDs and for the first apology letter? No; instead the Revenue & Customs authorities are shifting the blame to the citizens concerned who did not receive the letter, saying that they should have updated their mailing address.
Many businesses run their own wireless infrastructures, and many know to protect them well. But how do you know when it is time to use a stronger encryption algorithm to protect the data sent wirelessly?
Generally, there are two possibilities. One is to wait until hackers break into your network by exploiting the easy-to-break WEP encryption you have on your wireless network and, as a result, steal millions of customers’ credit card numbers and personal data. Example: the TJX story.
The second, and the better possibility, is to do it before your (or your client’s) organization is prominently featured in the Wall Street Journal. Example: the TJX story.
Here’s a short excerpt of what should make every IT director think about switching from WEP to WPA or better.
Investigators found that TJX was using a weak encryption protocol to protect its consumer data in July 2005, when hackers first broke into its computer system. The protocol, known as Wired Equivalent Privacy, or WEP, isn’t recommended by security experts even for wireless home networks because it is so vulnerable to hackers.
TJX decided to upgrade to a more secure Wi-Fi Protected Access encryption protocol at the end of September 2005, Canadian officials said. By then, however, hackers had been able to access the company’s internal transaction database. They did so initially from outside two stores in Miami, the probe found.
- TJX’s Security System Faulted in Canada Probe, Wall Street Journal, September 26, 2007.
This happened to me very recently. I applied to join a certain credit union. The credit union has a wonderful website and, as it should, it has an online application which seems secure enough. I filled out the necessary personal information and submitted my application over the SSL connection. Among the standard questions were a few security questions such as mother’s maiden name, favorite teacher, and others. In response to my completed application, I received an email which also seemed to meet adequate financial institution information security and privacy requirements (e.g. no account numbers, login names, passwords, etc. being sent in plain text over email).
Everything seemed fine. Until the next day, when I received a phone call from an "unknown name/unknown number" phone. The lady on the other end identified herself very politely as X from the credit union, welcomed me to the union, and asked me whether I would be willing to talk with her briefly about my financial needs and how the credit union might be able to help. This was nice customer service, I thought, and I agreed to talk with her for a "couple of minutes." The next thing she asked me was whether I could verify the security information on my account, and she proceeded to ask me about my mother’s maiden name. The call ended shortly after this question, after I calmly tried to explain to X that asking such questions during an outbound phone call is not a good idea because anybody could, in theory, make this phone call and obtain my security information.
I went to the credit union’s website and was impressed by the thorough explanations they have on Internet security and by the effort they make to "teach" their customers not to respond to phishing emails asking for personal login or financial information. I am sure the credit union has a policy prohibiting outgoing emails from soliciting customers’ security information. But did anyone at the credit union think to put the same security policy in place for outgoing phone calls to customers? Apparently not.
Many information security professionals find it difficult to put a number on the cost of a breach and thus justify requesting more funds in their budget. Here’s a useful piece of information for them - the TJX companies reported that in the first quarter of FY08 (Feb - Apr 2007) the breach cost them $17 million. The main components of the price tag were investigating the incident, upgrading the company’s network security, communicating with its customers, and legal fees.
Note that this cost covers only the three months of the reporting quarter and excludes lost goodwill, which is very hard to estimate, but the damage to TJX’s reputation is surely significant. The company estimates that the costs for the next quarter will be similar. But this is not all. In a statement TJX said,
Beyond these costs, TJX does not yet have enough information to reasonably estimate the losses it may incur arising from this intrusion, including exposure to payment card companies and banks, exposure in various legal proceedings that are pending or may arise, and related fees and expenses, and other potential liabilities and other costs and expenses.
With the increasing number of lawsuits against TJX the cost will surely increase.
A man in the U.K. was sentenced to 32 months in prison for using an MP3 player to capture credit card details from an automatic teller machine.
What he did was use the MP3 player to capture recordings of modem data traffic from what the Crown Prosecution Service described as a "standalone ATM machine," such as those found in a convenience store or at another location not directly connected with a bank. He then used a computer program to convert the sound files back into text data, including card numbers, and subsequently used that information to re-encode counterfeit or stolen cards.
According to the prosecution, the defendant used the stolen credit cards to spend approximately £200,000 ($400,000). Not a bad payout for a small investment in an MP3 player and a carefully staked-out remote ATM. The man was arrested in October 2004, more than two years ago, and we can only hope that banks have taken this threat seriously and have put in place ways to encrypt the information transmitted to and from remote ATMs.
According to documents obtained by WTOP through a Freedom of Information Act request, between 2002 and 2006 the IRS had 478 laptops either stolen or lost.
Of those, 112 computers contained sensitive data, including personal information, such as social security numbers, for U.S. taxpayers. It is unclear how many people could be at risk of identity theft.
We will be installing an automatic encryption system that will encrypt all information on the hard drives, so that the employee does not specifically need to choose individual files to encrypt. This will start in January. A physical security locking cable is also being provided to all employees with laptops, so that they can physically secure their laptops and help prevent the laptops from being stolen.
Also, the IRS has focused on providing security education, training, and awareness of our employees to ensure they recognize the need to protect sensitive information, and how to use the current encryption capabilities that are available on all IRS computers.
Let’s hope they don’t lose many laptops between now and January, assuming they will get the encryption plan working by then.
Not from the Bible of Information Security, but very useful nonetheless. Comments in italics added by yours truly.
Original ideas by Business 2.0.
Is it just me, or are these results scary (pardon the Halloween-themed lead)? A study commissioned by Cisco Systems on the habits of workers who telecommute (and thus access company systems remotely) interviewed 1,000 teleworkers in 10 countries and produced some interesting results. My favorite,
One in 10 users noted that they have used, without permission, their neighbor’s wireless Internet connection when working remotely.
Ten percent of telecommuters putting their company accounts, and most likely extremely sensitive company information, out in the open in plain text for anybody to see? This is troubling, especially for IT managers who support a growing number of telecommuters. Although the survey doesn’t detail how many users use secondary encryption such as a VPN tunnel or a secure proxy, my feeling is that this number is close to zero. Thus, after spending millions to secure your corporate network from intruders, your company information is flowing in a distant neighborhood’s airwaves for anybody to see in plain text. Scary.
Other results from the survey,
Scary stuff. Happy Halloween!
This should make you think twice.
According to a study, disclosed breaches affect stock price (negatively) for up to a year. The study, conducted by an Australian analyst company and a US research company, found that disclosure of data security breaches can have a significant impact on the share prices of publicly traded companies. It looked at six companies that admitted security breaches and found that their stock prices fell an average of 5% within the first month following disclosure, and remained between 2.4 and 8.5 percent below after eight months.
These results should not be news. However, they illustrate the need for improved data security, especially when large amounts of sensitive information are stored. In light of pending legislation requiring disclosure of data breaches, companies should think hard about leaving sensitive data unprotected. Although the study does not conduct full-scale (and more scientifically defensible) research with control groups and the like, it suggests that companies (and their officers) may even be liable for breach of corporate duties in failing to prevent breaches and for shareholders’ losses.
Interesting read. More here.
In late June, the Office of Management and Budget (OMB) issued a mandate to federal agencies to take certain measures to protect the privacy and security of personally identifiable information stored on removable devices. The deadline for implementing the OMB’s security mandate was Monday, August 7, 2006. The mandate guidelines were based on National Institute of Standards and Technology (NIST) requirements, and inspectors general at several agencies have already begun reviewing compliance with the OMB checklist mandate.
The 45-day deadline imposes requirements that cannot be executed in such a short period of time. Brett Bobley, CIO of the National Endowment for the Humanities, says that he does not think any agency can say it meets every requirement in the OMB memo,
Within the [past] 45 days your goal is to show your IG that you have thoroughly looked through [the] guidelines and determined where you meet it and where you don’t. Once you know the areas where your policies and procedures fall short, you can start to take corrective action.
While Mr. Bobley is correct that full compliance is impossible, the OMB should be proud even if agencies merely take a serious, hard look at their information privacy and security policies and chart plans to improve how data is handled.