Reid-Elsevier's Seisint unit which, as part of its LexisNexis operation, gathers and stores personal data on millions of people and then sells it on to police and legal professionals as well as private organisations, recently suffered a major identity-theft incident. Identity thieves, using a stolen identity and password, had gained personal details about 32,000 individuals. Disturbingly, this was only discovered when a customer complained about a billing problem, which led to an internal check of accounts.
In mid-February, ChoicePoint, a Seisint competitor, announced that identity thieves had accessed the data of at least 145,000 people. In the wake of the incident, the company was investigated, and announced that it would limit the sale of personal data. It has now hired a chief privacy officer.
Last year, a man in Florida was charged with 144 charges of conspiracy, unauthorised access to a protected computer, device fraud, money laundering and obstruction of justice, after hacking into the database of another high-profile data-management and marketing company, Acxiom. It is believed that the hacker intended to use the 8Mb of user data he obtained for his own spamming company. Estimates of the damage caused exceed $7m.
The list goes on. Hackers gained personal information on 59,000 people affiliated to California State University; last April, hackers broke into the computer system of the University of California San Diego compromising confidential information on about 380,000 students, teachers, employees, alumni and applicants; earlier this year 145,000 people were exposed by a breach at ChoicePoint Inc, which collects consumer data. Even at the retail end, DSW Shoe Warehouse, officials acknowledged stolen credit information at 103 of its 175 stores.
Last year more than 9.9m Americans were victims of identity theft. As trends which originate in the UK usually cross the Atlantic quickly, we need to be sure that we learn from these recent highly publicised, embarrassing and costly incidents and protect our data accordingly. It is only a matter of time before it happens here. Clearly, criminals see this as a growth industry, and of course they will target data brokers. Why rob the shop when you can raid the warehouse?
It has been estimated that identity fraud in all its forms will cost governments, businesses and individuals world-wide $2trn by the end of 2005(1).
So, how will the identity thief go about stealing this data, and what can data brokers and other holders of personal information do about it?
The softest point of attack
First, and perhaps most importantly, organisations need to protect against the enemy within. In the case of at least one of the above cases, investigations centred around employees rather than outsiders. Remember, you can have the most sophisticated external perimeter defences available, but they mean nothing if rogue employees can walk out of the door with a £14.99 USB device in their pocket containing valuable confidential data. Our consultants often talk about companies' information security provision being 'like an egg - having a hard perimeter but soft and squishy inside.'
It is also important to remember that the threat may not just come from rogue employees - it may come from careless employees, or those who have not received adequate training and who do not have an appropriate level of awareness. The identity thief will target them using tactics such as:
- SOCIAL ENGINEERING - a phone call to an unaware employee can often yield the logon IDs and the passwords needed to give the bad guy access to the systems and the data
- PHISHING - much publicised recently, another type of social engineering where the user may think that they are responding to a valid e-mail as part of their job, but in fact are supplying the bad guys with the information they need
- PHARMING - a new and sinister tactic in the information security arms race. This is where a user thinks that they are entering data onto a valid web site, but are in fact entering data onto a very similar, or identical site, which could be anywhere in the world.
- TROJANS AND KEY LOGGERS - these obtain logon IDs and passwords and send them to the bad guys. Can you be sure that your staff are sufficiently aware not to introduce trojans into their systems?
- GOOD, OLD-FASHIONED THEFT - keep your eye on that laptop!
The message here is to make sure that your policies, procedures and controls are appropriate, and that your staff are well briefed and security aware.
Do not just rely on your firewalls and intrusion detection devices.
Protecting the perimeter
The hacker will look for access points into the data. These may include (and this list is not exhaustive):
- WEB ACCESS - usually the first point of call for any hacker, who will try to break their way through the web pages, into the web server, and eventually to the main database. Sometimes they may achieve this by attacking the web page itself; at other times by attacking the infrastructure that hosts the web pages. Remember, even though the web-server does not hold the main database, it will certainly be linked somewhere, and this is a potential way in
- PHONE LINES - often called 'war dialling'. Our penetration testing consultants recently (ethically) found their way into an investment bank's data simply by dialling every number in the building
- WI-FI - if you see a strange person driving around pointing a cylindrical box from a famous brand of crisps at your building, the chances are that they are 'war driving' - a practice which involves trying to find a way into any inappropriately configured wi-fi networks that you might have.
Why the snack box? Some bright spark realised that as their insides are made of foil, they make great directional aerials.
Where is the perimeter?
In the old days a factory would enclose itself with a perimeter fence and a security guard would patrol it from time to time, perhaps even giving the gates a good rattle to check that they had not been opened. But what if the product of the factory is information? What sort of fence do you need and how do you rattle the gates? Data companies, such as data brokers, will install firewalls, which are analogous to the chain-link fence; they will install intrusion detection systems, which are analogous to the the security guard peering at the CCTV screen, and they will carry out penetration testing, which is analogous to rattling the gates.
But the question for data brokers is, where is the perimeter? Data brokers have customers, and those customers are connected by electronic means.
Do those customers have the appropriate information security arrangements in place?
Also, what about the mobile workforce? The perimeter now could extend to the local coffee shop, where one of your people is using the wi-fi to catch up on their e-mail. It can extend to the train, where they are using their PDA, and, most worryingly, it can be extended to the home, where the worker is sharing the use of the home PC. A serious concern is maintaining adequate levels of security in a mobile world.
Implications of getting it wrong
The implications of security breaches for data brokers are serious. They could include loss of reputation, loss of income, loss of confidence and cost. In the US, in some cases the biggest impact has been on reputation, but, in at least one case, the financial impact ran into millions.
A data broker's reason for existence is to collect, maintain, and make available information. If that information is compromised or unavailable to clients, it strikes right at the heart of the trust relationship. A debate is raging within the US on whether the data broker should be forced to tell individuals when their data has been compromised. Imagine, getting a call or a letter from a company you have never heard of, to tell you that your personal information has been compromised. Imagine having to make those calls!
Identity theft in its own right is not yet a crime in the UK. However, CIFAS, (the UK's not-for-profit Credit Information Fraud Avoidance System) reports that, as long ago as 2002 (when identity theft was not as high on the agenda), false identity fraud was up 59% and impersonation fraud was up 25%. These are the most rapidly growing types of fraud in the UK.
According to a Cabinet Office report, the British economy suffers a loss of £1.3bn per year as a result of identity fraud.
Scotland Yard's Assistant Commissioner in charge of crime operations said recently, 'It is now comparatively easy to assume the identity of another person and live in the UK without fear of exposure.' He said that identity theft was an integral part of 30-40% of all white-collar crime.
As an individual, I am personally worried that there are faceless organisations out there who hold my personal data for their own commercial ends and who may not have the appropriate information security arrangements in place to protect it. They may well be meeting legislative requirements, including the provisions of the Data Protection Act, - but is that enough?
At some point, government will need to get more involved. This is already happening in the USA. We can no longer rely upon the best intentions of the data brokers.
I predict that there will be at least one highly-publicised case involving a UK data broker within the next year. Perhaps this will give a much-needed wake-up call. Remember that the national identity card database will be with us soon - and this must be a hugely tempting proposition for the identity thieves.
1) The Aberdeen Group Identity Theft: A $2 Trillion Criminal Industry in 2005)
- John Redeyoff is director of information security, NCC Group, Tel: 0161 2095200, www.nccgroup.com PROTECTION AGAINST IDENTITY THEFT CHECKLIST
Executives of all organisations should ask:
- Have we carried out a risk analysis which ensures that we understand the data assets that we hold, the risk of compromise to those assets, the impact of any such compromise and our appetite for risk?
- Are our internal policies, procedures and controls adequate and appropriate to the findings of our risk analysis?
- Are we guarded against malicious internal threats from our staff and our contractors?
- Are our staff adequately trained and briefed in the area of information security? Do we have a security aware culture?
- Are we deploying the appropriate technology to protect us from external attack? Have we protected our perimeter? Do we understand our perimeter?
- Do our partners, suppliers and clients pose a threat to our information security? Are they a back door into our data?
- Are we carrying out regular penetration tests to check our defence technology?
- Do we regularly refresh our risk analysis, policies and procedures to reflect the changing world?
NEW BSIA AUDIT PROCEDURE
The British Security Industry Association (BSIA) has produced a new audit procedure designed to encourage businesses to assess the risk of identity fraud and other information crimes.
"With identity theft on the rise, many companies are unaware of the risks that their businesses face," comments BSIA information destruction section chairman, Simon Pearce. "Disposing of confidential data securely is the key to the reduction of this risk, and the BSIA's Security Waste Audit is designed to make companies think twice about their current attitudes to confidential waste disposal."
A lot of businesses do not realise that the destruction of confidential documents is covered by the Data Protection Act, and that using a conventional waste or recycling company is unlikely to provide the level of security necessary to ensure documents don't fall into the wrong hands."
The 'Security Waste Audit' provides information on shredding standards, the Data Protection Act and the environmental benefits of shredding. For more information on confidential data destruction, or to download a copy of the Security Waste Audit visit