Another week, another data breach. One of the latest to hit the headlines was Wells Fargo, which recently revealed that personal information on thousands of consumers was stolen.
Then there was the New York-based educational and test preparation provider The Princeton Review, which apparently exposed information on its Web site about 100,000 students based in Florida and Virginia. Another case in the news is InterActive Financial Marketing Group (IFMG), which may have exposed the personal information of more than 92,000 applicants for credit.
The breach cases are becoming frequent enough that Premier Management Services of Charlotte, N.C., recently began offering data privacy and network risk liability insurance to its healthcare facilities clients.
Why have data breach cases become so routine? Experts often see the same problems that lead to these incidents.
Take The Princeton Review. The sensitive data that was accidentally available on its Web site was not password protected; it was reportedly available for seven weeks until a competitor discovered the flaw and reported it to The New York Times.
“They didn’t do one of the most absolute minimum things to do — implement password protection,” Rob Sadowski, senior manager of technology solutions at RSA Security, told InternetNews.com. Experts stress that users should install password protection, even for wireless networks.
“If they’d been thinking of this information as an asset and were considering the risks around it, they would’ve applied that minimum level of protection and probably quite a bit more,” Sadowski added.
According to The Princeton Review, the problem occurred after it had changed internet service providers (ISPs).
In a statement to InternetNews.com, the Review said:
“We devote a lot of attention to the security of our data, and have extensive procedures in place to manage this process. On Monday, we were advised that some information which had been kept safe and secure may have inadvertently been accessible to highly sophisticated computer users.
“A preliminary investigation, launched as soon as we were made aware of this problem, suggests that this occurred due to a breakdown in our normal data security protocols when web hosting was recently migrated to a new provider. The investigation will include the retention of a forensic accounting and security team to review the incident and evaluate our security policy and procedures.
“At this point it does not appear the data was ever widely available. Nonetheless, we have apologized to our customers for this situation, and assured them that access to the information has been closed, and that we are working diligently to put in place any needed remedies to make certain this problem does not recur.”
Richard Gorman, CEO of data security and encryption key management solution provider Vormetric, told InternetNews.com that the data should have been encrypted. “We see this time and time again in universities, colleges and corporations,” he added.
“If you have data in a regular file and it’s not encrypted, which protects you against this type of error, it’s just a matter of time before you get an error like this where large amounts of data are exposed to people who are not supposed to have access to it,” Gorman added.
The lack of encryption and password protection was bad enough, but the exposure of the data for seven weeks took the cake. “They should have monitored their network and their access logs,” Slavik Markovich, chief technology officer of database software security vendor Sentrigo, told InternetNews.com.
“If they had, this problem would have been caught after one or two days. It certainly shouldn’t have gone on for seven weeks,” Markovich said.
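The kind of access-log check Markovich describes can be automated. The following is an added example, written for this article and not code from The Princeton Review, Sentrigo or any other party named here. It assumes web-server logs in the common "combined" format, that the exported records live under an assumed `/students/` path, and that a successful (2xx) response to that path with no authenticated user in the log line is the condition worth alerting on. The log lines are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample lines in combined log format (not from the article);
# the hosts and the /students/ path are illustrative assumptions.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2008:09:14:02 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2008:09:14:10 -0400] "GET /students/records.csv HTTP/1.1" 200 8421337 "-" "Mozilla/5.0"
198.51.100.23 - - [13/Aug/2008:22:01:44 -0400] "GET /students/records.csv HTTP/1.1" 200 8421337 "-" "curl/7.18"
192.0.2.10 - admin [13/Aug/2008:23:05:01 -0400] "GET /students/records.csv HTTP/1.1" 200 8421337 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Aug/2008:03:12:19 -0400] "GET /students/ HTTP/1.1" 200 2210 "-" "curl/7.18"
198.51.100.23 - - [14/Aug/2008:03:12:25 -0400] "GET /students/records.csv HTTP/1.1" 401 512 "-" "curl/7.18"
"""

# Assumption: the directories that hold exported customer records.
SENSITIVE_PREFIXES = ("/students/",)

# Combined log format: client, ident, authenticated user, timestamp,
# request line, status, response size (referrer and agent are not needed here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_sensitive(path):
    """True if the requested path falls under a directory we consider sensitive."""
    return any(path.startswith(p) for p in SENSITIVE_PREFIXES)


def find_unauthenticated_sensitive_hits(log_text):
    """Return successful (2xx) requests to sensitive paths that carried no authenticated user."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_sensitive(rec["path"]) and 200 <= rec["status"] < 300 and rec["user"] == "-":
            hits.append(rec)
    return hits


def exposure_summary(hits):
    """Summarise how long and how widely sensitive paths were served without authentication."""
    if not hits:
        return {"hits": 0, "unique_clients": 0, "days_exposed": 0}
    first = min(h["ts"] for h in hits)
    last = max(h["ts"] for h in hits)
    return {
        "hits": len(hits),
        "unique_clients": len({h["ip"] for h in hits}),
        "first_seen": first.isoformat(),
        "last_seen": last.isoformat(),
        # Calendar days from first to last unauthenticated hit, inclusive.
        "days_exposed": (last.date() - first.date()).days + 1,
    }


if __name__ == "__main__":
    hits = find_unauthenticated_sensitive_hits(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts'].isoformat()} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print(exposure_summary(hits))
```

Run daily against the previous day's log and page someone when `hits` is non-zero; the first unauthenticated 200 would have surfaced the exposure on day one rather than week seven. One caveat: the `user` field is only populated by HTTP authentication. A site that authenticates through application sessions logs `-` for everyone, so there the same rule has to be fed from the application's own audit log instead of the web server's access log.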
The real root of the problem is that, like all organizations, public or private, The Princeton Review needs to communicate data. “Data is as critical to business as water is to humans,” Faizel Lakhani, vice president of products for Reconnex-McAfee, told InternetNews.com.
Given that imperative, it’s important that the IT staff know what data should be communicated and whom it can be communicated to, Lakhani said. “Most organizations don’t know what data they can and cannot expose and to whom,” he added. “So asking IT to protect that is like asking a security guard to look out for somebody without specifying who.”
At the other data breach victim, IFMG, which is a division of Dominion Enterprises in Richmond, Va., a server was hacked into and illegally accessed by “an unknown and unauthorized third party between November 2007 and February 2008,” Dominion said in a press release.
Once Dominion learned of the breach, it “secured all our systems, implemented enhanced Website and database security measures, contacted law enforcement and notified all the individuals who may have been affected,” Dominion public relations manager Jennifer Butsch told InternetNews.com.
She declined to give more details about the breach for fear “we might further endanger our computer systems.”
Like many companies whose systems have been breached, Dominion implemented a tactical solution. While that might work temporarily, organizations “must think strategically about security and how it is critical to their business and how it relates to their core business functions” or brace themselves for further attacks, RSA’s Sadowski said.
“The Princeton Review were probably following conventional wisdom around security and weren’t focused on this information or aware of the acute risks they faced if it was exposed,” Sadowski added.
“You have to know what’s important, know where it is, understand the risks it poses, deploy the right security and technology to prevent the risks, and monitor the data and the technology,” Sadowski said.