Friday, August 20, 2010

Privacy and Data Breaches

Why are data breaches a concern?

Any breach of the secure storage of customers’ personal information can result in the release of personal, identifying information of an individual. That personal information may be sufficient to allow an unauthorised person to assume the identity of the victim and use that illicit identity to open, for example, new accounts in the victim’s name.

Why don't organizations take data security seriously?

Last year’s Heartland Payment Systems’ spectacular data breach stemmed from errors that allowed hackers to break into the payment processor’s networks and steal data on approximately 130 million credit and debit cards over several months.

But most data breaches do not involve sophisticated hackers. They usually result from not following simple procedures.

In 2009, the UK Financial Services Authority (FSA) fined three HSBC firms over £3 million for not having adequate systems and controls in place to protect their customers’ confidential details from being lost or stolen. These failings contributed to customer data being lost in the post on two occasions.

During its investigation into the firms’ data security systems and controls, the FSA found that large amounts of unencrypted customer details had been sent via post or courier to third parties. Confidential information about customers was also left on open shelves or in unlocked cabinets and could have been lost or stolen. In addition, staff were not given sufficient training on how to identify and manage risks like identity theft.

In April 2007, HSBC Actuaries lost an unencrypted floppy disk in the post, containing the personal information of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers.

In February 2008 HSBC Life lost an unencrypted CD containing the details of 180,000 policy holders in the post. The confidential information on both disks could have helped criminals to steal customers’ identities and commit financial crime.

The firms have taken a number of remedial actions to address the concerns raised, including contacting the customers concerned, improving their staff training and requiring that all electronic data in transit is encrypted.

In the last four years, the FSA has also fined Capita Financial Administrators £300,000; Nationwide £980,000; BNP Paribas Private Bank £350,000; Norwich Union £1,260,000; and Merchant Securities £77,000 for failings relating to data security lapses and fraud.

Avoiding breaches

We can learn from an analysis of breaches notified in the US. Verizon’s 2009 Data Breach Investigations Report concluded:
  • 74 per cent were caused externally, 20 per cent internally;
  • 67 per cent were aided by errors, 22 per cent involved privilege misuse;
  • 69 per cent were discovered by a third party, 87 per cent were considered avoidable through simple controls.
The five recommendations were:
  • Ensure essential controls are met
  • Have data retention policies: find, track, and assess data
  • Collect and monitor event logs
  • Audit user accounts and credentials
  • Test and review web applications.
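Two of these recommendations, auditing user accounts and credentials and monitoring event logs, are easy to start on with very little tooling. The script below is an added example, not code from the original post or from Verizon's report; the account inventory and the sshd-style log lines are constructed sample data, and the 90-day staleness window and the three-failure threshold are assumed values that a real deployment would tune.

```python
"""Added example (not from the original post): a minimal account audit and
auth-log monitor illustrating two of the listed controls. All records and
log lines are constructed sample data."""
from datetime import datetime, timedelta
import re

# Constructed account inventory: who they are, when they last logged in,
# whether the account is privileged, and whether several people share it.
ACCOUNTS = [
    {"user": "alice", "last_login": "2010-08-18", "privileged": False, "shared": False},
    {"user": "bob", "last_login": "2010-02-01", "privileged": True, "shared": False},
    {"user": "svc_backup", "last_login": "2010-08-19", "privileged": True, "shared": True},
    {"user": "temp_contractor", "last_login": None, "privileged": False, "shared": False},
]

# Constructed auth log lines in an sshd-like format.
LOG_LINES = """\
Aug 19 09:01:12 host sshd[100]: Failed password for bob from 10.0.0.5 port 5000 ssh2
Aug 19 09:01:15 host sshd[101]: Failed password for bob from 10.0.0.5 port 5001 ssh2
Aug 19 09:01:18 host sshd[102]: Failed password for bob from 10.0.0.5 port 5002 ssh2
Aug 19 09:01:21 host sshd[103]: Failed password for bob from 10.0.0.5 port 5003 ssh2
Aug 19 09:02:00 host sshd[104]: Accepted password for bob from 10.0.0.5 port 5004 ssh2
Aug 19 10:15:00 host sshd[105]: Accepted publickey for alice from 10.0.0.7 port 6000 ssh2
""".splitlines()


def audit_accounts(accounts, today, stale_days=90):
    """Return {user: [findings]} for accounts that need review.

    Flags accounts never used, accounts idle longer than stale_days, and
    privileged accounts shared between people (no individual accountability).
    """
    findings = {}
    for acct in accounts:
        issues = []
        if acct["last_login"] is None:
            issues.append("never used")
        else:
            last = datetime.strptime(acct["last_login"], "%Y-%m-%d")
            if today - last > timedelta(days=stale_days):
                issues.append("stale")
        if acct["shared"] and acct["privileged"]:
            issues.append("shared privileged account")
        if issues:
            findings[acct["user"]] = issues
    return findings


FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+)")


def monitor_auth_log(lines, threshold=3):
    """Alert on a (user, source) pair that succeeds after >= threshold failures.

    A burst of failures followed by a success is a classic signal that a
    credential was guessed, and is only visible if logs are collected at all.
    """
    failures = {}
    alerts = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            failures[key] = failures.get(key, 0) + 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            if failures.get(key, 0) >= threshold:
                alerts.append({"user": key[0], "source": key[1], "failures": failures[key]})
    return alerts


if __name__ == "__main__":
    for user, issues in audit_accounts(ACCOUNTS, datetime(2010, 8, 20)).items():
        print(f"account {user}: {', '.join(issues)}")
    for alert in monitor_auth_log(LOG_LINES):
        print(f"ALERT: {alert['user']} from {alert['source']} "
              f"succeeded after {alert['failures']} failures")
```

Run against the constructed data, the audit flags bob's privileged account as idle for six months, the shared backup account as lacking individual accountability, and the contractor account as never used; the log monitor raises one alert for bob's login after four failed attempts from the same address. The same two functions work unchanged on a real account export and a real auth log if the field names and line format match.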
