Recent transgressions include the TJX Companies, Inc. breach, which is reckoned to be the largest ever. TJX, the parent of retail chains including TJ Maxx, announced the computer incursion in January 2007 and later disclosed in an SEC (Securities and Exchange Commission) filing that the incident involved data from more than 45 million payment cards.Brad Johnson, vice president at SystemExperts, said he views TJX as an anomaly, suggesting most breaches stem from human error rather than an attacker’s ingenuity. He cited organizations that fail to encrypt data on portable devices, which become lost or stolen.“The fundamental problem is a lack of security awareness,” Johnson said. “Employees weren’t aware of the risk involved, so they didn’t take the appropriate precautions.”The case of HM Revenue & Customs, the United Kingdom"s tax department, fits the human-error category. In late 2007, HM Revenue & Customs acknowledged the loss of two computer disks containing personal information for 25 million people. In a similar scenario, a laptop containing data on 26 million veterans was stolen in 2006 from the home of a U.S. Department of Veterans Affairs data analyst.
As for active theft, some security analysts report a rise in organized, profit-motivated attacks. Sumit Pal, executive vice president of WithumSmith+Brown Global Assurance, LLC, a security and compliance consulting firm, noted increasing activity among what he termed criminal gangs that steal personal data and sell it for $1 to $10 per record.Marty Lindner, a senior member of the technical staff at Carnegie Mellon University’s Software Engineering Institute, said attacks will continue as long as they are profitable.“There’s no indication that it is becoming less profitable,” he said. The lure of a profitable hit has motivated network assailants to take an unrelenting approach. In the TJX case, for instance, the first unauthorized access took place in July 2005, with subsequent intrusions in 2005 and between mid-May 2006 and mid-January 2007, according to the company’s SEC filing.“One of the things we are seeing with the TJX model is the attacker is persistent,” Gossels said. “In the past … somebody was joyriding. Now, more and more, we are seeing persistent, subtle attacks.”Security Measures
Protecting data from loss or theft starts with an organization understanding what sensitive data it has and where it resides, according to security consultants. “A lot of customers don’t really have a good grip on where all their sensitive data is,” Johnson said. Pal also suggested that organizations classify their data according to sensitivity and educate employees on the policies and procedures for handling various kinds of data.Another mechanism for improving security is to handle only the data that is essential to a given task. According to Johnson, organizations commonly extract data sets for processing that contain much more information than necessary. A company may take a whole Excel file rather than the relevant portions, for example. “Few organizations have policies and procedures in place to scrub the data before it is downloaded or processed,” Johnson said.
Lindner pointed out that an attacker bent on identity theft needs more than a credit card number. The more personal data an enterprise collects, the more conditions become ripe for identity theft. “Don’t record things you don’t actually need,” he said.But while businesses should take care to follow best practices in security, consumers should also share some of the burden.“Consumers are putting a lot more trust in the companies they do business with than I think is a good idea,” Lindner said. “The user/consumer is not spending a whole lot of time understanding the risk they are putting themselves into when they give any kind of personal information to a third party.”Lindner offered the example of a Web-site registration process in which a user is asked to provide his or her mother’s maiden name as the answer to a “secret question.” A truthful answer could help an identity thief. He recommended making up an answer and storing it in a secure manner.“It’s a balancing act,” Lindner said. “Companies need to do more and consumers need to do more.”