RealTime IT News

How Much is Too Much Data Loss?

Congress returned this week to a burgeoning issue likely to concern the financial health of millions of Americans: What can be done about skyrocketing incidents of identity theft and data loss?

But even before representatives could haul the first Fortune 500 executive in front of a microphone on Thursday, media conglomerate Time Warner announced the mysterious disappearance of 600,000 names and Social Security numbers of workers dating back to 1986.

And the list of companies reporting breaches reads like a "Who's Who" of industry. The most notable of the recent mishaps includes the disappearance of backup tapes containing the credit card information of 1.2 million federal workers by Bank of America, the theft of more than 300,000 customers' personal information at Reed Elsevier, a subsidiary of data broker LexisNexis, and the loss of transaction data belonging to around 180,000 customers of fashion house Polo Ralph Lauren.

A string of universities also has fallen victim to breakdowns in the past few months.

At best, these occurrences appear to have increased because of recent "full disclosure" laws, security experts say.

At worst, experts believe criminals consider identity theft an easy mark: a way to make a lot of money by taking advantage of an imperfect system, one in which no one ever thought there was a problem.

Now, thieves continue to snatch Social Security numbers at will and are becoming more aware of the enticing targets.

"That seems beyond comprehension to me that that happened with one of the biggest banks in the country," said Senator Jim Bunning (R-Ky.).

His comments came in mid-March and, as reported by internetnews.com, he was grilling Barbara Desoer, a Bank of America executive vice president, in a Senate Banking Committee hearing.

"Five, maybe 10, but 1.2 million [accounts]?"

Maureen Kelly, director of product marketing at data-loss prevention firm Vontu, believes a combination of actions has created this perfect storm, setting forth an unprecedented amount of theft and media coverage and creating an image of the business community in disarray.

"The black market for this type of information is there and continues to grow," she said, "and criminals are realizing what they can do quickly with the information."

The breach disclosure bill making its way through the House and Senate is based on California's legislation, which requires a business or government agency to notify an individual in writing or by e-mail when it is believed that unencrypted personal information has been compromised.

And those numbers are huge. Nearly 10 million Americans were victims of ID theft last year, according to the Better Business Bureau.

Marcie D Terman, director of business development at DataFort, says that is just the tip of the iceberg, and warns that more SMBs are failing to cope with this issue. And it isn't just on a technological level.

The approximately 40 backup tapes lost by Time Warner went missing while on the back of a truck in transit to a storage facility.

This type of information has a way of going missing in numerous ways, said Kelly. Either hackers try to steal it, employees pilfer the information or companies simply don't have the appropriate standards in place to deal with the important information.

According to the Gartner Group, 70 percent of security incidents that occur are inside jobs, making the insider threat arguably the most critical one facing enterprises.

"One out of every 500 e-mail messages contains confidential information, customer data, employee data, financial information, intellectual property or competitive information," said Kelly. She offered another way to look at it: a company with 50,000 employees, each sending 10 e-mail messages outside the company per day, would incur nearly 1,000 potential data security violations per day.

The Ponemon Institute, a private research company, recently released its 2004 Data Security Tracking Study with alarming results. Of the 163 companies participating, 75 percent, or 122 companies, reported a data-security breach within the past 12 months. The majority of the companies were Fortune 1000.

A recent survey by the FBI and Computer Security Institute found that between 2000 and 2003, about 40 percent of all companies confronted an attempted information snatch each year.