Data Theft Versus Hardware

By Matt Hines  |  Posted 2007-01-18

The network intrusion highlights the continued effort of hackers and malware code writers to target massive databases of consumer information which can be sold to other parties to carry out identity fraud and other crimes.

While a majority of the high-profile data incidents reported over the last several years have involved lost or stolen laptop computers, or misplaced backup storage tapes, there has also been a string of incidents that reflect criminal attempts to steal valuable corporate information.

While the event that touched off the current attention on data thefts employed more traditional means of scheming, as scammers merely duped workers at consumer database broker ChoicePoint into giving them access to sensitive records over the phone in Feb. 2005, there have been several other high-profile incidents through which technological means have been used to steal the data.

In April 2005, retailer DSW Shoe Warehouse reported that hackers broke into a company database and stole the names and credit card numbers of approximately 1.4 million individuals, along with checking account information of an additional 96,000 customers. The event led the company to settle charges levied against it by the U.S. Federal Trade Commission that it had not properly protected the information, and in its financial earnings the firm reported costs between $6.5 million and $9.5 million related to responding to the event.

During the same month, officials at banking giant HSBC North America notified an estimated 180,000 individuals that their General Motors-branded MasterCard account information may have been stolen from point-of-sale terminals at retailer Polo Ralph Lauren.

One of the major catalysts behind the wave of data theft incidents reported over the last several years has been the adoption by at least 33 U.S. states of legislation similar to the California Security Breach Information Act, passed in 2003, which requires businesses to disclose potential data exposure to customers and regulators. There are currently at least four bills pending on Capitol Hill which seek to establish national data protection measures that have requirements similar to the California bill, known widely by its numeric designation, 1386.

Experts observed that data theft incidents such as the one reported by TJX are far more dangerous to the consumers than the rash of lost or stolen laptops that have also been reported over the last several years.

Dr. David Taylor, vice president of data security strategies at security software maker Protegrity Corp in Stamford, Conn., said there is little doubt that the information stolen directly from computer databases will be utilized in criminal activity more often, and more quickly, than data residing on misplaced equipment.

"The hardware thieves just want to steal the box and sell it in a majority of the cases I've seen, whereas with the information theft there's a far greater risk of identity fraud, because the criminals have set out to find the valuable data itself," Taylor said. "We're seeing that there is also increasingly fast turnaround on the use of the stolen data as thieves know that more companies are keeping a closer eye on their networks and reporting suspicious activity to customers and law enforcement sooner than in the past."

Despite the growing awareness, and threat, of the data break-ins, Taylor said that many companies that have not directly experienced information thefts remain less likely to improve their defenses. He also believes that many IT security professionals won't recommend additional data protection technologies to their employers because of fears that it will reflect poorly on their previous recommendations.

"Companies that haven't had a breach still take the ostrich approach when budgeting for data protection, burying their heads in the sand, and often spend only one-tenth of what we see companies allocating to data security after a breach," said Taylor. "Security pros are afraid that pushing hard for additional tools will make their existing work and the technologies they've purchased look flawed, which is a shame because these people who best understand the technology side of the equation are trying to distance themselves from the problem."
