Protegrity Report Finds Citigroup, Epsilon, Sony Data Breaches Preventable

Protegrity's report contends that recent high-level breaches could have been avoided and suggested tokenization as an effective line of defense.

In an analysis of recent data breachs at Epsilon, Sony and Citigroup, Protegrity observed that cyber-criminals have shifted their focus from targeting financial information to stealing personally identifiable information, the company said in its report released Aug. 17.

The personal information includes names, email addresses, home addresses, health data, passwords and even sensitive corporate information.
Entitled "It's Not Just About Credit Card Numbers Anymore," the Protegrity report took a detailed look at the data breaches and concluded that personal information was "highly valuable" to cyber-criminals but "vastly underprotected." The shift in targeted data is also a reflection of the improved security measures in place to protect financial information, Protegrity said. The report also found "clear evidence" that the same level of attention towards protecting the personal information of employees, and customers is not present in organizations.
"Data breaches are spiraling out of control, and companies such as Sony, Citi and Epsilon are finding out just how expensive it is not protect customer data properly," said Suni Munshani, CEO of Protegrity and author of the report.
Protegrity looked at the malicious attacks to "dissect" each breach to determine how they occurred, how they could have been prevented and what victimized organizations should do next, Munshani said. Approximately 92 percent of all data breaches in 2010 were "relatively unsophisticated" external attacks, and nearly all of them could have been prevented or mitigated relatively easily, according to Verizon's recent 2011 Data Breach report.
"That is a stunning indictment of the data protection methods used by corporations today, even in the face of strict regulatory requirements," Munshani said.
While Epsilon has not revealed details of how the breach occurred, the Protegrity report quoted Jonathan Zittrain, a professor of law at Harvard Law School and co-founder of the Berkman Center for Internet & Society, who said implementing "the right security controls" such as a password, could have prevented the theft.
Epsilon has improved its cloud security, implemented stringent access control rules through two-factor authentication and worked with Internet service providers to "build an unprecedented anti-phishing" tool, Munshani wrote in the report.
Sony had deployed a robust perimeter prior to the breach, but neglected to secure the data in case malicious attackers managed to get a foothold into the network and become trusted insiders, according to Protegrity. The entertainment giant also did not receive an alert about the breach because it wasn't running a full forensic audit system, but discovered it as part of a routine security scan, Munshani said. Citigroup likely was a victim of phishing or some other social engineering attack.
Organizations should treat personal information as sensitive as if it was financial data, and keep careful eye on where the data is going at all times, Protegrity said.
"Data security solutions like tokenization and consistent security policies would have prevented all of the three data breaches mentioned in the report and saved those companies tens of millions of dollars in damages and litigation." Munshani said.
The PCI Security Standards Council supports using tokenization to secure data for the payments industry. The council released its Tokenization Guidelines Supplement on Aug. 12 to outline what merchants can do to protect their data to meet PCI compliance rules, Ulf Mattson, CTO of Protegrity told eWEEK. Storing tokens can help reduce the amount of cardholder data in the environment, which would reduce the effort required to implement PCI DSS requirements, Mattson said.
Under the rules published in the supplement, merchants considering tokenization should perform a thorough evaluation and risk analysis to identify the unique characteristics of their particular implementation, Mattson said.