The next wave of terrorism would be crimes perpetrated by breaking into the
data security network, say many experts on international terrorism. Going by
the way American corporations are handling data, it would not be too difficult
a task for the terrorists.
This year, American citizens were stunned to the core by a spate of
revelations that demonstrated how easily their confidential data could be
compromised. The deluge of reports involving data theft has brought to light a
chilling fact: confidential data are no longer safe with any agency.
What is far more shocking is that the data compromises were not the work of
sophisticated or organized hackers funded by some terrorist network. It was as
ordinary as a careless employee storing customer information on a laptop that
was later stolen, or banks misplacing back-up tapes containing sensitive
customer information in transit. These incidents question the very fundamentals
of the networked world and point out some shocking truths. First, technology
penetration is woefully poor, with banks, supposed to be at the forefront of
technology adoption, still depending on back-up tapes and storing them at
different locations.
Identity theft is one of the fastest growing crimes in the United States,
affecting about 10 million people. With the recent spate of theft incidents,
this fact has now come out in the open.
Second, banks, financial institutions and other public agencies have still
not taken the importance of ensuring information security seriously. Why else
would an MCI financial analyst or a Motorola employee carry sensitive customer
or employee information around on a laptop?
The revelations that have come back to back have shocked the country and the
world community keenly watching the unfolding drama. The incidents have
captured center-stage not because such compromises never happened before, but
because of the frequency and the magnitude of data compromise. (In fact, frauds
resulting from data compromise constitute an estimated $4-6 billion annually.)
Identity theft is one of the fastest growing crimes in the country, affecting
10 million people annually according to federal officials. There was always
the nagging doubt about data compromise, but it was never out in the open like
this.
And it is not that suddenly there has been a rash of illicit activity, it is
just that last year the state of California passed a law requiring companies to
inform their customers about theft of data. In most cases banks have not
actually gone public about their data compromises but have merely informed
customers according to the law.
TIP OF THE ICEBERG
Data theft/loss in the US over the last few months

Wachovia Bank, Bank of America, Commerce Bancorp, PNC Financial Services
Group: Account information on customers was illegally sold by bank employees
to a man identified as Orazio Lembo, who posed illegally as a collection
agency. 700,000 affected. New Jersey police arrested and charged nine people,
including seven bank employees and Lembo, who operated DRL Associates, the
bogus collection agency.

City National Bank: Third-party data storage firm Iron Mountain lost tapes in
transit containing social security numbers and bank account numbers. Under
investigation by the US Secret Service.

Time Warner: Third-party data storage company, Boston-based Iron Mountain
Inc., lost the tapes during transport. 600,000 people affected. The US Secret
Service is investigating.

LexisNexis: Unauthorized users breached the system 59 times using stolen
passwords and grabbed data. 310,000 people affected. The company has notified
individuals whose information may have been accessed and will provide them
with credit-monitoring services.

Visa Card, MasterCard: A hacker gained access to the database of CardSystems
Solutions, a third-party processor of payment card transactions, and installed
a script that acts like a virus, searching out certain types of card
transaction data. 40 million people affected. The FBI has opened a criminal
investigation, and the Federal Financial Institutions Examination Council
(FFIEC), a group composed of five federal banking regulators, has launched a
probe into the CardSystems Solutions incident. Visa is to review its
CardSystems contract. MasterCard is giving CardSystems a limited amount of
time to demonstrate compliance with its security requirements.

Motorola: A routine smash-and-grab burglary at the office of third-party
service provider ACS. The stolen computers housed data on at least some of
Motorola's 30,000 employees, including their social security numbers and hire
dates.

ChoicePoint: It was plain fraud. Someone fraudulently provided authentication
to the system. 00,000 people affected.

CitiGroup: Account and payment history data was lost in transit by United
Parcel Service Inc. The tapes, which also contained social security numbers,
covered CitiFinancial Branch Network customers and about 50,000 customers with
closed accounts. 3.9 million people affected. Citigroup mailed letters to
customers about the problem and said it had received no reports of
unauthorised activity, and that there was little risk of the accounts being
compromised.

Bank of America: Loss of back-up tapes in transit. 1.2 million people
affected. Federal law enforcement officials are investigating.

MCI Inc: Social Security numbers that were on a laptop taken from a car in
Colorado Springs. 16,500 current and past employees affected.

University of California, Berkeley: An individual stole a computer from the
offices of the school's Graduate Division. One-third of the files on the
laptop contained names, dates of birth, addresses and Social Security numbers
of graduate students or graduate-school applicants. 98,369 people affected.

U.S. Dept. of Justice workers: Laptop containing names and credit card numbers
of employees. The credit cards were issued by JP Morgan Chase and Bank One
Corp. 80,000 people affected.
DSW Shoe Warehouse: Customer credit/debit-card, checking account and driver's
license numbers stolen/lost due to hacking. 1.4 million people affected.

Polo Ralph Lauren: Data on customers who hold GM-branded MasterCards
stolen/lost due to hacking. 80,000 people affected.

San Jose Medical School: Two computers stolen, resulting in the loss of
names, addresses, social security numbers and billing codes. 185,000 people
affected. A former branch manager at San Jose medical group, Joseph Nathaniel
Harris, has been charged with the theft.

Oklahoma State University: Alumni addresses and Social Security numbers
stolen/lost due to a missing computer. 20,000 affected.

PayMaxx: Social security numbers and credit card information stolen/lost due
to hacking. 25,000 affected.

Ameritrade Holding Corp.: A backup computer tape with personal information was
lost. Details of 200,000 current and former customers lost.

Nevada Dept of Motor Vehicles: Driver records stolen/lost due to a stolen
computer. 8,900 affected.

Northwest University: Alumni addresses, social security and other information
stolen/lost due to hacking. 21,000 people affected.

Boston College: Alumni addresses and social security numbers stolen/lost due
to hacking. 120,000 people affected.

Colorado Health Dept: Medical information lost/stolen due to a stolen laptop.
1,600 people affected.

Carnegie Mellon University: Alumni addresses and Social Security numbers
stolen/lost due to hacking. 19,000 affected.
Meanwhile, the months of headlines announcing the theft, misplacement or
hacking of customer data have shaken the confidence of the public at large,
triggering a spate of legislation. As a result, eighteen states have adopted
disclosure laws, most of them patterned after the California state law. While
California is the only state to have a law requiring companies to inform
customers of data theft, that law has now been amended to require companies to
inform consumers if paper records or a back-up tape containing personal
information are compromised or lost.
There is also a recent bill by two senators, Senators Patrick Leahy, D-Vt.,
and Arlen Specter, R-Pa., which mandates data-security management steps for
many businesses and a nationwide standard for notifying consumers of security
breaches.
Legislation can be expected to bring some order to this chaos. But it would be
too simplistic to think that legislation by itself would bring about changes
in ensuring customer ID security. It calls for a fundamental change in
attitude, and a commitment from the various institutions that safeguarding
the personal information of customers is sacred.
Self-regulation is the key
During the same period, another set of incidents hogged the media headlines
for an entirely different set of reasons. This related to a couple of cases of
ID theft and fraud committed by some employees in Indian BPOs. The media hype
and propaganda were not so much about the actual crime itself as about the
opportunity it gave the anti-offshoring lobby to feel smug about its "I told
you so" attitude.
The recent data compromises have not been the work of organized hackers, but
instances as ordinary as a careless employee storing consumer information on a
laptop that later got stolen.
Compared to the rampant data theft in the US, the incidents that took place in
India were really insignificant by any measure. There were exactly three
incidents. One involved a call center agent in Noida (a satellite town) who
had misused a customer's credit card number to shop online. The agent was
subsequently arrested and convicted. The second was the fraud at Mphasis, in
which the authorities reacted swiftly and arrested the employees. The third
case was a sting operation by The Sun.
While the first case escaped media attention, the other two were widely
covered by both the domestic and international media. Certain sections of the
media and analysts had jumped the gun and spelled doomsday for the offshoring
industry.
But the Indian service providers came out in the open and took a stand on the
issue rather than sweep it under the carpet. And that is the most important
lesson corporate America can learn. Unless there is recognition of the issue
at hand, there can be no rectification. The Indian offshoring industry today
acknowledges that any lapse in protecting customers' data is not an individual
failure but smears the reputation of the entire industry.
This imperative results in a tremendous sense of self-regulation. That is why,
immediately after the incidents, the industry, law enforcement and the
government swung into action, and the guilty were traced and arrested. The
commitment of the authorities is evident from the fact that there is concern
at the highest level. Soon after the Sun sting operation, the Prime Minister
convened a meeting on his own initiative with all the concerned parties to
decide on the course of action. Among other things, the discussions
recommended tightening the laws related to data security in the IT Act of
2000. Even in the north Indian state of Haryana (near New Delhi), where the
alleged incident took place, the Chief Minister, not known to be particularly
IT savvy, stepped in to order a preliminary probe.
Comparatively in the US, although some arrests have been made, there is
still absolute chaos in most cases. Over a period of time, many companies have
acknowledged that the gravity of the crime/negligence may have been far larger
than they first calculated. In some cases, company officials are still clueless
about the crisis on hand.
The most important difference in the attitude of Indian service providers is
that they recognize the concern for the security of customer data. That
recognition has led the industry to institute rules and processes that would
largely ensure data security. Most top-tier BPO companies hold security
certifications such as BS7799. The BPO industry has taken several precautions,
from very obvious measures like PCs in call centers having no memory drives or
printers, and not allowing mobile phones, pens or paper at the workplace, to
electronic surveillance and even checking purses. Many CEOs feel that some
security measures, like body checks and checking of purses, would not even be
tolerated among Western employees.
Finally, even though these cases are isolated, they were enough to get the
industry together to review existing measures and find ways to plug loopholes.
At the same time there is the realization that, despite the best measures,
there is no way to stop an individual determined to break through the system.
The Sun sting operation was a deliberate temptation of an employee to prove a
point. Although there is no excuse for what took place thereafter, it was not
a regular incident triggered by negligence or a casual attitude on the part of
the service provider.