A Review of the Types and Trends of Data Breaches Involving Financial Institutions
August 28, 2009 - Linda McGlasson, Managing Editor
http://www.bankinfosecurity.com/articles.php?art_id=1730&pg=1
There have been 356 data breaches so far in 2009, according to the Identity Theft Resource Center (ITRC). And 46 of those breaches have involved financial institutions - up from 34 at this same time last year.
In reviewing these 46 incidents (see the interactive timeline with details of each breach), one finds good news and bad, according to ITRC executive director Linda Foley.
The good news, Foley says, is that financial institutions consistently account for a lower percentage of data breaches than other kinds of organizations. "This means they're doing a better job of controlling and protecting their data," she says.
The bad news is that when financial institutions - or their third-party service providers - are breached, it's big. Example: the Heartland Payment Systems breach, which resulted in the compromise of 130 million credit and debit cards. Financial data - bank account numbers, Social Security numbers and other personal identifying information - is invaluable to hackers, and its loss is costly to consumers.
Granted, there aren't any other breaches on the Heartland scale, but there still have been some significant ones: Namely, an incident in February, when a defunct payments gateway was found to hold roughly 19,000 active credit card numbers. And then in May, a Countrywide insider breach resulted in potential compromise to 4,000 account numbers. And then there are the many breaches where the number of records exposed is unknown.
What happens when organizations are breached? Opening new lines of credit is the most frequent financial crime, with 67 percent of identity theft victims reporting this happened to them in 2008, Foley says. Last year, fraud cost consumers $1.8 billion, according to the Federal Trade Commission, and 26 percent of consumer complaints were related to identity theft.
Types, Timeline of Breaches

Including Heartland - the poster child for 2009 data breaches - the 46 financial services-related breaches tracked by the ITRC this year fall into seven types, plus a group whose cause is unknown:
Insider theft: 12;
Skimming: 8;
Missing paper documents: 10;
Exposure of data on the Internet: 4;
Accidental breaches: 2;
Stolen or missing hard drives/laptops: 5;
Outside network intrusions: 2;
Unknown cause: 3.
A review of the breaches shows that May has been the busiest month of 2009, with 10 reported breaches. March is the second-busiest month, with 8 reports, while August so far has seen 7.
Breach data is collected by the ITRC through multiple ways, including from state attorneys general offices, news media and other data breach reporting entities. To see the ITRC's entire analysis of data breaches across industry, visit the nonprofit organization's website.
Examples of Breaches

Each of the 46 breaches involving financial institutions is detailed in the accompanying timeline and listing. Here is just a sampling of the types of incidents the ITRC has collected:
Insider Theft - A man who posed as an Air Force reservist obtained 4,000 account numbers from Countrywide Financial in Fort Worth, TX and used them to steal $500,000 over a two-year period. Investigators tracked the case to his accomplice, a female customer service rep at Countrywide. Along with the account numbers being used, personal identities were compromised in the scheme, say investigators, who arrested Isaac McCrumby, 29, an unemployed R&B singer, in April. McCrumby used a fake Air Force ID to cash the bogus checks and pass bad credit cards.
Skimming - A band of thieves rigged Sovereign Bank ATMs in Staten Island, NY in May with skimmers so that they could steal account and PIN information from bank customers. The thieves also placed hidden cameras to film victims typing in their PINs.
Paper Documents Missing/Found - On Aug. 4, a Holiday Inn in Wichita, KS reported finding client records from a defunct local mortgage-brokerage firm, Morrison Financial Corp., in its dumpster. Information included Social Security numbers, bank accounts and photocopies of drivers' licenses and checks. The mortgage company shared parking with the hotel.
Accidental Exposure - In January, AES, the service provider for Student Loan Xpress, said it "inadvertently transmitted names, addresses, SSNs and dates of birth to another student loan lender" with which AES contracts. The other lender said it destroyed all information mistakenly received.
Exposure Via Internet - A major credit card company, CompuCredit/Aspire, is investigating how 120 customer credit card statements were made available online on May 11. Account information, including SSNs, was involved. Further information from CompuCredit indicates that a computer processing error created a single image file containing 120 account statements.
Hardware Stolen/Missing - Two desktop computers were stolen from the office of Sullivan and Schlieman Wealth Management, LLC, a financial advisor in Alpharetta, GA, on March 27. In a letter informing the New Hampshire Attorney General's office of the breach, the company says that personal information of LPL Financial clients, including names, addresses, financial account information and Social Security numbers, "may have been breached." LPL Financial in Westlake, OH, was not notified of the theft and exposure until April 29. Affected clients were notified in May.
Unknown Cause - Bank of America Corp. and Citigroup Inc. have issued new credit and debit cards to Massachusetts customers after running into data-safety concerns. Charlotte-based BofA and Citigroup each issued replacement cards in August, telling customers in letters that their account numbers may have been compromised at an undisclosed third party.
How to Handle a Breach

For financial institutions, a breach can be devastating to reputation and customer trust, so communication is key, says David Chamberlin, director of issues and crisis management for MLSWorldwide, a public relations firm that has handled data breach communications for large breaches, including the recent Radisson Hotels & Resorts incident.
"In any crisis, it is natural to want to avoid criticism and blame," Chamberlin says. "However, communicating in a timely and honest manner will ease fear and suspicion among customers, and help reduce the odds of escalation in news media and online."
This communication will also help demonstrate one of today's most important tenets of business: transparency. "One of the easiest ways to lose customers in a crisis is to fail to acknowledge the situation at hand," Chamberlin says. "Consumers will forgive mistakes, but rarely will they absolve an organization that does not act responsibly."
Even if an institution is not to blame for the breach, it still has a responsibility to protect its customers. "As such, demonstrating responsible behavior can help manage the crisis - and is a necessary first step to rebuilding reputation following a crisis," he says.