Lee Coppack says that the information that companies hold is as valuable as money for hackers and criminals. The consequences for businesses can be embarrassing and expensive.
In September this year, US hacker Albert Gonzalez pleaded guilty to the first of many charges against him for the theft of more than 130 million credit and debit card numbers from retailers and restaurant chains. In January 2009, a Turkish court had sentenced another hacker to 30 years in prison for his role in the theft of 45 million identities from credit card transactions by nine US retailers.
The threat to data is sufficient that the Global Risk Report, compiled annually for the World Economic Forum meeting in Davos in January, included it among global risks for the first time in 2009. Yet, thousands of corporate data breaches every year apparently go unremarked and even unnoticed.
In a survey by PwC, 35% of the 7,000 senior executives interviewed in 119 countries admitted they didn’t know how many security incidents had occurred. KPMG’s Data Loss Barometer, published in September 2009, recorded almost 2,300 data loss incidents affecting more than 700 million people in one calendar year, but said that the majority of breaches went unreported.
‘Having someone hack into your customers’ details could be very expensive, running into tens of millions of pounds for a company doing business in the United States, and the exposure is growing in Europe,’ states Dawn Simmons, Jardine Lloyd Thompson partner. ‘The brand damage could also be horrific.’
Tom Ilube is CEO of information security consultancy Garlik, and former chief information officer of the online bank Egg. He explains that hacking into corporate databases is a business. ‘There are people who collect personal information for a living and then they trade it for others to exploit.’
Stealing, selling and using stolen data to get new credit cards, mobile phones, cars and property has become an industry in its own right. A report by the internet security company Symantec, The Underground Economy, published in November 2008, provides a fascinating and detailed look at what is now a highly developed market. It says there are 70-100 websites that deal in huge volumes of personal data for sale. Also on offer are new programs to exploit the weaknesses in company IT security or websites to access even more data.
Ilube says, ‘With a retail company, the hackers are not trying to get into their financial systems, where the risk management has tended to focus, but into their customer information systems and get a copy of their databases. They've been doing this for the last couple of years in a very determined way.’
Outsourcing IT increases vulnerability. An independent survey of 180 businesses across various sectors, carried out on behalf of Veracode, a provider of an application risk management platform, and published in April 2009, found that more than 62% had suffered a security breach in the previous 12 months as a result of vulnerabilities in important software applications. It blamed the vulnerabilities on a lack of control during software development, especially for open source and third-party supplied programs.
‘Considering that 50% of companies are using custom-off-the-shelf software or outsourced code to handle sensitive data, this indicates why the risk and resultant fallout from breaches is so great,’ stated the findings by Forrester Consulting, which carried out the survey.
Not surprisingly, given the amount of sales through the internet, hackers are also trying to get at customer databases through company websites. Ilube explains that the initial testing for weaknesses is automated: bots (short for robots) probe corporate site security, and the attackers then complete the job manually for particularly promising sites.
Dawn Simmons explains there are many ways that a breach of data security can cost a business dearly, including:
• Notification of the breach to every affected customer, now required under US law and possible in future in the EU
• Reissue of all credit and debit cards
• Forensic investigation and repair of weaknesses in IT security
• Defence costs for investigation by statutory and credit card regulatory authorities and possible fines and penalties
• Loss of future revenue from damage to reputation
• Public relations activities to restore reputation
• Class action against directors and officers if the value of the company fails to recover.
One of the companies caught up in Albert Gonzalez’s scam, the US TJX Companies, owner of the discount stores TJ Maxx and TK Maxx, in June 2009 announced a settlement of the investigation by the attorneys general of 41 states into criminal intrusions into TJX’s computer system in 2005-6. TJX agreed to pay:
• $2.5m to establish a new data security fund for the states to use to advance effective data security and technology
• $7.25m in settlement and states’ expenses.
Although the company hadn’t been found guilty of breaking consumer or data protection laws, it settled the case to avoid the continuing distraction it was causing the business. TJX had already settled consumer class actions in 2007 after the stolen information was resold and used to fuel various frauds. In total, TJX Companies took a $107m after-tax charge for the costs of dealing with the intrusion and a $21m non-cash charge.
Simmons advises, ‘Cyber insurance is geared to such a catastrophic loss. It will include cover for most of the heads of loss, including fines where legally possible, most of which aren’t covered under other policies such as general liability.’
She says limits of up to $100m are available in the London market, an amount which does not seem so extraordinary in light of the TJX case, and of the $32m that a very large breach of its data cost the US Heartland Payment Systems in the first half of 2009 alone, according to a company statement.
Ilube argues that the most effective risk management for large companies is a change of focus. ‘Putting the breach right is not so much a technical difficulty as the shift of mind to what is valuable.’
There is a tendency, Ilube says, for banks and other holders of blocks of client information to think of it as theirs to hold and exploit. ‘They think of it as belonging to them. It will take a shift to realise that personal information isn’t ours but belongs to our customers, and that we are holding it in trust and that it has intrinsic value.’
He advises that companies do not necessarily need more sophisticated technology, but should use what is available effectively to make it more difficult for the data fishermen to access their systems, so that they will go elsewhere ‘because they will go after the easiest target’.
Paul Howard, head of insurance and group risk management at the supermarket chain Sainsbury’s, challenges the view that big retailers may not pay enough attention to the value of the customer data they hold. ‘It’s something any organisation with customer information has to be aware of. The risk to reputation is very important.’
Yet, in a report published in April 2009, the specialist insurer Hiscox revealed that 38% of Fortune 500 companies failed to acknowledge the threat of a data breach in the risk factors section of their annual SEC filing. Of the companies that did include the risk of a data breach in their report, 26% failed to mention the consequential financial impact, while a further 49% failed to identify the reputational impact. The research concentrated on 250 companies within the Fortune 500 in industry sectors such as air travel, banking, healthcare, retail and utilities that would be expected to handle significant amounts of personal data.
Theft of customer data may be the most common threat, but customers are not the only potential victims of identity theft; directors and senior executives figure highly among criminals’ targets. Ilube warns that criminals specifically target directors and executives to use their identities in phishing or corporate frauds, as the names of real people are more credible than made-up ones. ‘If you are managing the risk, you need to think how the names of the executive team might be used in the online world. If not today, then it is pretty sure they will be in the next few years, and you need to consider how to protect the reputation of senior and perhaps second and third tier executives.’
One reason directors are especially at risk, at least in the UK, is the amount of personal information provided in annual reports and statutory filings with Companies House. Thanks to changes in the Companies Act 2006, companies can now provide a service address for directors which is not their home address, but they must complete a new form to notify Companies House.
Another protective measure for directors is to file for protective registration with CIFAS, the UK fraud protection body to which the major banks and credit card issuers belong. Protective registration is intended for people who are at particular risk of identity fraud. It means there will be a flag against the person’s entry on the CIFAS database, and any applications for credit, insurance or other products will be subject to additional verification.
Besides conventional criminals, says Ilube, there is evidence of states being interested in what companies in other countries are doing, especially if they are active in military or critical infrastructure. PwC’s E-espionage report, published in August 2009, confirms this danger.
It warns: ‘E-espionage now poses a threat not just to a business’s reputation, but to its very existence. And the onset of the global economic downturn is now magnifying this threat still further.’
In a knowledge-driven business environment, the report states, a company’s intellectual property is often core to its value, and is increasingly stored in digital form or on enterprise-wide systems. E-espionage raises the risk of a company losing its assets and market share in a few key strokes. ‘Preventing this from happening by ensuring intellectual property is well protected is clearly a board level duty,’ said PwC.
Data losses increase
The global recession has led to an increase in intellectual property theft, says Malcolm Marshall, partner, information protection and business resilience, KPMG in the UK, in the latest issue of the firm’s Data Loss Barometer.
The report's findings include:
• More than 110 million people were affected by data loss during the first six months of 2009 (a large portion of this figure relates to the breach at Heartland Payment Systems, where more than 100 million credit/debit card details were allegedly accessed by hackers)
• Theft of laptops is the most common of all data security breaches. But the total number of incidents has almost halved since 2008 (or fewer are being reported because they have become commonplace)
• It is likely that many national governments may mandate the public notification of data loss incidents in Europe, where the e-Privacy directive has introduced a data breach notification requirement.
Lee Coppack is a risk management and insurance writer and researcher.