Information on Merchant Accounts,
Ecommerce and Credit Card Processing

May 24th, 2007 by Jamie Estep

How many data security breaches will it take?

Filed in: Fraud, Merchant Accounts | 8 comments

I was checking out this chronology of data security breaches this last weekend, and I realized that the amount of breaches that have occurred is absolutely amazing. Over 150 Million records have been compromised in the past two and a half years, and this number doesn’t take into account the fact that the number of compromised records for about 1/3 of the total number of breaches is unknown.

From looking at this we can observe a few solid facts about data security breaches in general. First, the three most common reasons for data to be compromised are lost and stolen laptops and storage devices, disgruntled employees, and hacking.

The Top five data security breaches are:
TJ Max (45.7M) – Massive long-term hack
CardSystems (40M) – Hacking of unencrypted data
U.S. Dept. of Veteran’s Affairs (28.6M) – Stolen laptop (No data has been used to date)
iBill (17.7M) – Inside
Georgia Dept. of Community Health (2.9M) – lost disk

These are breaches relating to banks and financial institutions:
CardSystems (40M) – Hacking of unencrypted data
iBill (17.7M) – Inside
CitiFinancial (3.9M) – Lost backup tapes
Bank of America (1.2M) – Lost backup tape
Wachovia, Bank of America (676,000) – Inside
Providence Home Services (365,000) – Stolen backup tapes
Mortgage Lenders Network USA (321,000) – Inside
Ameriprise Financial Inc. (260,000) – Stolen laptop
Ameritrade (200,000) – Lost backup tape
Fidelity Investments (196,000) – Stolen laptop
Iowa Student Loan (165,000) – Lost laptop while being shipped
Firstrust Bank (100,000) – Stolen laptop
People’s Bank (90,000) – Lost computer tape
MoneyGram International (79,000) – Hacking
Mercantile Potomac Bank (48,000) – Stolen laptop
J.P. Morgan (47,000) – Tape drive missing
PayMaxx (25,000) – Accidentally exposed online
Bank of America (18,000) – Stolen laptop
Premier Bank (18,000) – Stolen data
KeyCorp (9,300) – Stolen computer
North Fork Bank, NY (9,000) – Stolen laptop
Univ. of Michigan Credit Union (5,000) – Stolen documents
Chase Bank and the former Bank One (4,100) – Documents left in desk that was sold
TransUnion (3,623) – Stolen computer
AllState Insurance (2,700) – Stolen computer
Equifax (2,500) – Stolen laptop
Sovereign Bank (Thousands) – Stolen laptops
West Shore Bank (1,000) – Security break
Westborough Bank (750) – Inside
Ceridian Corp (150) – accidentally posted personal data on website
City National Bank (Unknown) – Lost backup tapes
J.P. Morgan Chase & Co. (Unknown) – Stolen laptop
J.P. Morgan (Unknown) – Information found in trash
Bank of America (Undisclosed) – Stolen Laptop
Bank of America (Unknown) – Internet by former contractor
Bank of America (Limited Number) – Stolen laptop
La Salle Bank, ABN AMRO Mortgage Group (2M) – DHL lost but later found backup tape
Wells Fargo (Unknown) – Stolen computer
M&T Bank (Unknown) – Stolen laptop
Matrix Bancorp Inc.(Unknown) – Stolen laptops
U.S. Bank (Small Amount) – Stolen briefcase
VISA/FirstBank (Unknown) – Visa card processor’s compromised data
Home Finance Mortgage, Inc. (Unknown) – Accidentally discarded files
Columbia Bank (Unknown) – Hacking

How we can stop all of this:
The current focus on data security seems to resolve around PCI / CISP compliance and keeping data protected and properly stored. In truth, not storing sensitive data on portable devices would do far more good. The biggest reason of data compromise is stolen or lost laptops containing sensitive information on them. Many of the stolen incidents were from a personal vehicle or their home. Five data loss incidents by a single company (Bank of America) is completely unacceptable. Companies, especially ones where trust is a huge factor (Banks) need to take a much more serious approach to securing information. Only three of these data losses at financial institutions were due to hacking. There really is no excuse for the rest of them.

The next thing that I find particularly upsetting is that a huge overall percentage of the laptops and portable storage related losses were from government agencies, and the majority of all losses happened at universities or other educational institutions. Our government and educational institutions are obviously not being cautious enough with personal information. I wont list all of these because it would take about 10 pages to get them all in.

The bottom line is that everyone needs to take some common sense precautions to data security. The newest two million bit encryption, and all the security in the world isn’t going to help when an employee looses a laptop with sensitive information on it.

8 Responses to “How many data security breaches will it take?”

  1. Bjorn Snorrason May 24, 2007 at 9:35 am

    >How we can stop all of this:
    >The current focus on data security seems to resolve around PCI / CISP
    >compliance and keeping data protected and properly stored. In truth, not
    >storing sensitive data on portable devices would do far more good. The
    >biggest reason of data compromise is stolen or lost laptops containing
    >sensitive information on them.

    The facts we have got to know of recent breaches certainly bear that out. Of course we can never be sure all are reported, although in certain US states there are now statutes requiring disclosure with breaches.

    One of the aspects of encouraging responsible data storage practices is financial liability for those who were negligent. This was recently discussed at techdirt:

    Will TJ Maxx Lose 77% Of Its Customers Over Data Breach?
    http://techdirt.com/article.php?sid=20070412/181810&threaded=true

    In that article, Jim Harper of The Cato Institute states that, “the average person, victim of the average data breach, suffers essentially no harm whatsoever.”

    This is true but it ignores the real victims of this kind of theft – completely innocent online merchants.

    They are the true victims of breaches such as these because unlike card holders or brick and mortar stores, online merchants are entirely liable for card not present transactions even if they are not at fault.

    Without help to protect themselves, merchants are completely vulnerable, and liable.

    As my colleague Thorsten says, the problem is that the costs of such breaches to online merchants is an externality to the card associations such as Visa and MasterCard, to the issuing banks and payment gateways.

    Until they are help liable in the courts for the true costs to all of the parties related to data breaches (not just reissuing of cards), it seems doubtful that we will stop seeing these kinds of data breaches occurring.

    Sad, but I think true.

  2. Jennifer May 24, 2007 at 11:56 am

    One way to reduce the risk of data loss is by backing data online.

    One excellent resource site for online backup and storage is:

    http://www.BackupReview.info

    Here, you will find the top 25 online backup companies along with 400 companies, daily news releases, articles and interviews.

    Cheers,

  3. Chance May 25, 2007 at 1:11 pm

    I’ll be the first to admit I don’t know much about regulatory compliance for banks and other financial institutions, but you think BoA would suffer some sort of penalty 5 incidents in 2 1/2 years?

    It must be nice to have enough money to ignore laws because paying the fines is cheaper and/or easier than correcting the problem 🙂

  4. Pasi May 28, 2007 at 3:28 am

    >The newest two million bit >encryption, and all the security in
    >the world isn’t going to help when
    >an employee looses a laptop with
    >sensitive information on it.

    This is not quite so. The data loss in the cases above where a laptop was stolen could have been quite easily prevented by using modern full-disk encryption solutions.

    If password security is not enough then use two factor authentication to provide even better level of security. Here are a couple of good software providers:
    -Pointsec
    -Utimaco
    -Safeboot
    -Others…

  5. bad credit remortgage February 10, 2008 at 6:27 am

    150m is about half the adult US population. That’s a scary number.

    You’re right about laptops too. It’s not only financial, but look at how many laptops the military loses each year with all sorts of juicy technical information on. And why does no-one ever encrypt their laptops?

    – Gary Webber

  6. Bad Credit Remortgages April 25, 2008 at 10:49 am

    You think you have iy bad in the USA? Here in the UK the amount of security breaches have steadily increased this year. With 2 CDs going missing this year with 100,000’s of of personal details. And then the Ministry of Defence had more information stolen from a briefcase at a fast food outlet. In the second case it was a stolen laptop and hopefully the MoD were using some encryption.

  7. Janni April 30, 2008 at 4:06 pm

    The most devastating data security breaches are those involving organizations that maintain or transmit large numbers files of individual personal identities, such as names, addresses, dates of birth, social security numbers, credit card and other financial account numbers.

  8. Dave Brown July 9, 2008 at 3:56 pm

    I agree with the laptop encryption. I am very fluent with PointSec and know about Safeboot and both are good products.
    I cant say anything about Utimaco since I never worked with it.

    I would not go with a M1cr0$oft full disk encryption because it has been easy to get around it.

    If I worked for bank I would not trust online backup systems. One reason is you dont know the history of employees or the admins of the systems that have physical access to these systems. You cant say for sure that data is wiped above DOD standards or the drives are destroyed after they fail. Way to many things you would not be able to validate.

    Lost or stolen tape backups, come on I know Veritas has a tape backup system that can be configured to encrypt the information written to the tape.

    As for the amount of government agencies that have lost information…..That disappoints me and has for years. The government has been telling Health care and Financial institutions to secure the data and it turns out a majority of the agencies for the government don’t even practice what is being preached. Hmmm, do as they say but not as they do?

    I’m done because I know I could go on for another hour but I don’t currently have the time. I’m busy protecting customer information.