The Biggest Information Security Incidents of 2007

The year started with jaw-dropping news of the TJX data breach – as many as 96 million customers impacted. And it ended with the quieter (but no less disturbing) announcement of a possible insider breach at Commerce Bancorp. In between, we had stops in Asia, where the Bank of India was hacked, and the U.K., where a government bureau lost discs containing 25 million personal records. It was a banner year for information security incidents, which proved to be indiscriminate. No national boundary, employee group or trusted service provider is exempt. And no breach is worth its cost in damages, reparations and loss of reputation. From these incidents, we draw 10 lessons learned to guide financial institutions in 2008:

That said, here are the eight biggest information security incidents of 2007 . . . .

No. 8. Monster.com's Summer of Stolen Data.

Being unemployed is bad enough, but imagine having your identity attacked while looking for a job. That's what happened to several hundred thousand job seekers who posted their resumes on Monster.com this past summer. A Trojan horse called Infostealer.Monstres was found by information security experts to have stolen more than 1.6 million records belonging to several hundred thousand people from Monster's website and job search service. The stolen data was then used to target the Monster.com users with credible phishing e-mails that planted more malware on their machines. What was unnerving to the experts was the sophistication of the attack on such a well-known web brand.

No. 7. U.K. Government Department Loses 25 Million Juvenile Records.

In November the U.K. government arm of Revenue and Customs disclosed it had lost records on 25 million juvenile benefit claimants. The department head resigned after learning that the computer disks containing personal information were sent in the regular mail. The disks, which were not encrypted, disappeared while in transit to the country's National Audit Office. The disks included bank details and national ID numbers. Analyst firm Gartner Inc. predicts the processes of closing accounts and establishing new ones to protect against potential fraud resulting from the breach could end up costing British banks upward of $500 million. Financial institutions should also note that the cost of breaches is nearing $200 per record. The potential for fraud resulting from this data loss could take years to uncover, say experts.

No. 6. Midwest Bank Hacked.

Commerce Bank N.A., a regional bank with more than $15 billion in assets operating in five Midwest states, was lucky that when it stopped a criminal hack into one of its customer databases in October, only 20 customer records were taken. Sophisticated fraud detection software at the bank detected the hacking. Many times hackers will attempt to get into networks through web vulnerabilities on bank websites that then allow them access into the network and bank databases. Undetected, the damage could have been far worse.

No. 5. TD Ameritrade Holding Corporation.

The brokerage company disclosed in September that someone had broken into one of its systems and stolen contact information such as names, addresses, and phone numbers belonging to its more than 6.2 million retail and institutional customers. However, Social Security numbers and account numbers that were also stored in the same database appeared to have been left untouched. The stolen data was apparently used for the purposes of sending stock-related spam.

No. 4. Commerce Bancorp Employee Releases Customer Data.

The New Jersey-based Commerce Bancorp notified some of its customers in November that their identities may have been compromised. The bank said that only a small segment of its 3 million customers were affected when an employee gave out confidential customer information, including names, addresses, account numbers, and Social Security numbers.

No. 3. Bank of India.

When Bank of India's website was compromised in August 2007, as one of the largest banks on the Indian subcontinent, it demonstrated that every institution offering transactions via a website can be prone to a similar attack. One security expert called the attack "a shot across the bow" for U.S. financial institutions. Geographical boundaries don't present any barrier to attackers, and state- or country-specific banking regulations don't come into play. Bank of India's website became a bot machine for anyone visiting its official website.

No. 2. Fidelity National Information Services.

Personal information on more than 8.5 million consumers was compromised when a senior database administrator working at Certegy Check Services Inc., a subsidiary of Fidelity National, illegally downloaded the data and sold it to a broker for $500,000. Fidelity National, which is separate from the better known Fidelity Investments, first announced in July that only 2.5 million records were taken when it divulged the breach. Less than a month later, that number grew to 8.5 million, according to Securities and Exchange Commission filings. The data was apparently resold to a direct marketing company—not to ID thieves or other fraudsters. The Certegy employee caught pilfering the data has since pleaded guilty.

No. 1. The TJX Breach.

It was one of the first data breach stories of 2007, and to date it still is the record-holder. The story line: Massachusetts-based retailer TJX revealed that more than 46 million credit and debit card accounts were hacked in a data breach, possibly going back as far as 2003. Later, court documents revealed that number may be more than 96 million customers affected. The bottom line: Industry analysts predict the price tag of the breach could go as high as $1 billion when all the settlements are paid. By TJX's own estimates, the company has already spent or set aside close to $250 million for costs stemming from the incident. Certain banks have settled with the retailer, and TJX has strengthened its network security and overall security posture.

Linda McGlasson is managing editor for www.CUInfoSecurity.com, an online educational portal dedicated to educating the credit union information security community. Reprinted with permission.