- The Washington Times - Monday, May 23, 2005

NEW YORK - Stealing Social Security numbers and other sensitive data isn’t always a cloak-and-dagger, ultrasophisticated operation: It’s often a low-tech job made easier by carelessness and flimsy safeguards.

Plenty of inexpensive measures can protect data from the large-scale theft that big banks, data merchants and other companies have recently disclosed.

But “security and privacy, for a lot of large organizations, are an afterthought, not a priority,” said Evan Hendricks, who publishes the newsletter Privacy Times.

Consider the latest headache for some large banks:

Wachovia Corp. and Bank of America Corp. say they have notified more than 100,000 customers that their accounts and personal information may be at risk after former bank employees purportedly sold account numbers and balances to a man who then sold them to data-collection agencies. Nine persons have been arrested in New Jersey in the case.

Or consider MCI Inc.’s privacy problem:

An MCI laptop containing the names and Social Security numbers of 16,500 current and former MCI Inc. employees was stolen last month from the car of an MCI financial analyst in Colorado. The car was parked in the analyst’s home garage. The computer was password-protected; the company would not comment on whether the data was encrypted.

Encryption, which is relatively inexpensive, would make those records all but impossible to access.

After a previous embarrassment, Bank of America Corp. is testing different encryption methods. It lost backup tapes in December containing the Social Security numbers and account information for 1.2 million federal workers, including senators and 900,000 Defense Department employees.

Time Warner Inc. also could have avoided a black eye had it encrypted backup tapes that contained the names and Social Security numbers of 600,000 current and former employees lost after the tapes were misplaced by Iron Mountain Inc. The storage-service company had been transporting the tapes by van.

After disclosing its loss, Time Warner said it would begin encrypting its employee data. (Iron Mountain, in a press release encouraging encryption, said it performs more than 5 million pickups and deliveries annually and has lost backup tapes only four times this year.)

Such losses go to the heart of information-technology security, whose importance is magnified as more data is concentrated in ever smaller packages.

That the backup tapes in the Bank of America case were shipped as commercial air cargo shows the bank didn’t understand their worth, said Jim Harper, director of information-policy studies at the Cato Institute think tank.

Companies should also clean up their data before sending it to an outside party, said Jim Stickley, chief technology officer at TraceSecurity Inc., a Louisiana security company. Credit unions in San Diego sent their customer databases, including Social Security numbers, to a marketing firm. When the marketing firm was robbed, the numbers were stolen, he said.

Investments in security measures must be weighed against the potential payoff for an attacker, said Dan Geer, chief scientist at Verdasys Inc., a computer-security company based in Waltham, Mass.

After a data theft by an insider that cost it millions, data broker Acxiom Corp. added a chief security officer, reconfigured its electronic files, added more encryption and increased both internal and customer audits, said Jennifer Barrett, the company’s privacy leader.

The insider, contract employee Daniel J. Baas, was sentenced to 45 months in prison in March for stealing encrypted password files. Acxiom said the theft cost it $5.8 million, including employees’ time and travel expenses, security audits and encryption software.

After ChoicePoint Inc. said in February that thieves using stolen identities had created 50 dummy businesses that pulled data including names, addresses and Social Security numbers on as many as 145,000 people, its stock dropped precipitously from $48 a share the day before the announcement to the current price of about $39.

A simple Google search on some of those company names came up empty but ChoicePoint “never had a system in place for really checking them,” Mr. Hendricks said.

The company should have verified its clients’ identities by visiting their offices and looking at their books, said Avivah Litan, vice president for payments and fraud research at Gartner Inc.

ChoicePoint said it has hired a retired Secret Service agent to help revamp its verification process. The data broker has also said it would limit access to Social Security numbers, birth dates and driver’s license numbers.
