Fraudsters’ slick olive oil switch
Read Time: 13 mins
Written By:
Donn LeVie, Jr., CFE
Corporations are deathly afraid of data breaches, but they need to proactively protect themselves and be frank with consumers when they are attacked. Here is help for counseling your organizations or clients.
In a relatively recent data breach case, The Associated Press informed a young college student from Suwanee, Ga., that his personal data, including his Social Security number, were stolen from Metro City Bank when hackers breached the bank's security system. The student, Yoon-Kee Kong, had opened an account with the bank about a month earlier.
The AP got Yoon's name from Prevx, a U.K.-based security firm that successfully had infiltrated a hacker's website operating out of the Ukraine. The website had been serving as a trove, or a stash house, that hackers use to retrieve stolen personal data. This particular trove held personal data from 160,000 infected computers and was adding data from 5,000 newly infected computers every day. What is even more alarming is that it took the Internet service provider nearly a month to shut down the hacker's website.
Reluctant to talk with media, the bank released a statement that it was going to notify its customers and investigate the breach, according to the March 16, 2009, USA Today article, "Cybercrooks' website spotlights extent of identity theft."
Corporations often fail to disclose data breaches or try to minimize their impact. Unfortunately, this unethical behavior often fuels even more breaches.
TYPES OF DATA (SECURITY) BREACHES
In this article, I will use "data" and "security" interchangeably when referring to breaches. Although various definitions of a breach are similar, I will use the one developed by the Identity Theft Resource Center (ITRC), which has been tracking security breaches since 2005. The group defines a breach as "an event in which an individual name plus Social Security Number (SSN), driver's license number, medical record or a financial record/credit/debit card is potentially put at risk — either in electronic or paper format."
Not all data breaches result in identity theft. Even when they do, the cause-and-effect relationship is sometimes difficult to measure. However, based on numerous major data-breach cases the media has reported in the past six years, it is obvious that the loss of personal information via data breaches, especially external breaches, has driven identity theft to new heights and created attractive and lucrative profit centers for fraudsters.
Data breaches can be classified by internal and external causes or negligence by a related third party. I selected the following breach cases from the Privacy Rights Clearinghouse website's "A Chronology of Data Breaches."
Internal Data Breaches
Types of internal data breaches include: 1) the improper disposal or protection of personal information, 2) theft of personal information or hardware containing personal information by a current or former employee with the intention to commit fraud, 3) theft of personal information or hardware containing personal information by a current or former employee in which the intention was not to commit fraud, 4) hacking into a network by a former or current employee in which the intent may or may not be to use personal information for fraudulent purposes and 5) internal loss of personal information or hardware containing personal information.
Following are illustrations of each type of data breach:
External Data Breaches
Types of external data breaches include: 1) theft of personal information or hardware containing personal information by a non-employee with the intention to commit fraud, 2) theft of personal information or hardware containing personal information by a non-employee in which the intention was not to commit fraud and 3) hacking into a network by a non-employee in which the intent might or might not be to use personal information for fraudulent purposes.
Here are cases to illustrate these types of data breaches:
Third Party/Partner Data Breaches
This type of data breach would include the improper disposal or protection of data by a third party or partner (i.e., a vendor or contractor). In North Carolina in July 2010 the Center for Development and Rehabilitation reported that cleaning personnel threw into a recycling bin hundreds of medical records containing medical histories, pictures of patients and Social Security numbers.
HOW SERIOUS IS THE PROBLEM?
The magnitude of the data breach problem is reflected in the number of consumer records that have been compromised. The Privacy Rights Clearinghouse (PRCH), a nonprofit consumer information and advocacy organization, has verified these statistics. PRCH has tabulated a chronology of hundreds of known data breaches in the U.S. since January 2005. Through June 9, 2011, PRCH has estimated that 533 million records containing sensitive personal information have been compromised because of these breaches.
According to the PRCH, "The data breaches noted have been reported because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers and driver's license numbers. Some breaches that do NOT expose such sensitive information have been included in order to underscore the variety and frequency of data breaches. However, we have not included the number of records involved in such breaches in the total, because we want this compilation to reflect breaches that expose individuals to identity theft as well as breaches that qualify for disclosure under state laws."
The PRCH said that its numbers for identity theft breaches are understated for many reasons. It stated, "Some individuals may be the victims of more than one breach, which would affect the totals. In reality, the number given … should be much larger. For many of the breaches listed, the number of records is unknown. … The list is a useful indication of the types of breaches that occur, the categories of entities that experience breaches, and the size of such breaches. But the list is not a comprehensive listing. ... Most of the information is derived from the Open Security Foundation list-serve ... which is in turn derived from verifiable media stories, government web sites/pages, or blog posts with information pertinent to the breach in question." Many breaches (particularly smaller ones) may not be reported. "If a breached entity has failed to notify its customers or a government agency of a breach, then it is unlikely that the breach will be reported anywhere."
This lengthy explanation illustrates how difficult it is to quantify any type of fraudulent behavior. Nevertheless, the statistics are a reliable source in establishing a baseline and measuring trends from year to year. This is extremely important to those who study criminal behavior and especially to law enforcement agencies that develop strategies to control it.
The ITRC supports the PRCH regarding the understatement of security breaches. It mentions that "As an authority on data breach exposures, the ITRC is frequently asked if there are more security breaches now than ever before. This question is hard to answer. More companies are revealing that they have had a data breach, either due to laws or public pressure. It is the opinion of the ITRC that the criminal population is stealing more data from companies, AND data breaches are being more frequently publicized. ITRC is aware that many breaches go unreported, and we are certain that our ITRC Breach List underreports the problem. One thing we can say with certainty is that this is NOT a new problem," according to the ITRC's website.
RELUCTANCE TO FIND OR REPORT BREACHES
The opening case in this article hits at the heart of a global problem plaguing consumers, businesses and nations. Many organizations are reluctant to notify their victimized customers in a timely manner or at all.
Ben Worthen writes in his Jan. 19, 2010, article in The Wall Street Journal, "Private Sector Keeps Mum on Cyber Attacks," that "Despite repeated efforts by the U.S. government to get the private sector to share information about threats, many companies have long kept such incidents confidential." In the article, Larry Ponemon, a security and private consultant with the Ponemon Institute, said, "There is a culture of secrecy around any bad news, and data breaches are always bad news."
Worthen wrote that "businesses have gone public with 37 percent of the 6,998 data breaches they suffered over the last 12 months [2009], according to a survey of more than 1,000 companies by the Ponemon Institute. Almost all of these were breaches involving customers' personal information, which recent state laws have required companies to report. Only 10% of the breaches involving sensitive business information were ever disclosed, according to the survey."
The main reason for the poor disclosure rate is that the majority of the state laws give organizations too much discretion in judging whether a security breach should be reported and, as a result, many do not.
Most organizations are reluctant to disclose data breaches because of four major reasons: fear of bad publicity, the effect on stock price if investors bail out, loss of revenue and profits if customers go to competitors and costs to notify customers.
Some of these fears might come to light with the recent unfolding of a massive security breach within Sony Corp. On April 26, Sony disclosed that hackers infiltrated its PlayStation Network and Qriocity online service and gained access to personal data of approximately 100 million customer accounts, including billing addresses, passwords, user-provided names, emails, birth dates, login information, personal histories and possibly 10 million credit card accounts.
Well, as they say, when it rains, it pours. Less than a week after Sony reported that security breach, it announced that hackers infiltrated its network again. To its credit, Sony, a company known for high-quality products, took the high road and reported the breaches and offered customers $1 million worth of identity theft insurance, credit card protection service to affected customers, and 30 days of free access to its Qriocity music-streaming service and its PlayStation Plus online game service.
Even so, Sony has come under heavy criticism. For example, according to the article, "Sony online gaming unit shut down in second attack" by Shan Li in the May 2 edition of the Los Angeles Times, "A congressional subcommittee last week demanded answers to a detailed list of questions regarding security concerns, including when the breach occurred, how much data was stolen and why Sony waited a week before it notified customers."
Daisuke Wakabayashi also reported in a May 18 article in The Wall Street Journal, "Sony CEO Warns of Bad New World," that Sony CEO Howard Stringer defended the delay in reporting the breach. He claims the intrusion occurred on April 20, but he waited until he knew conclusively that personal information had been compromised, which was determined on April 25. Compared with most companies that report breaches, Sony reported it relatively quickly.
Because of the breach, Sony's reputation has taken a big hit. In a recent Game Hunters poll about Sony's breaches that was published in the USA Today article, "Reputations of Sony, PlayStation Brands Take a Massive Pounding," three out of 10 respondents said they "don't trust Sony to protect their personal data." The polled consumers also complained that "Sony should have let them know sooner about the possible compromise of personal and financial data." Another poll on the video game website Kotaku.com reported that "more than half (51%) out of the more than 11,000 who responded said they had a negative opinion of Sony in light of the hack, and 49% said the incident made them like the Sony brand less," according to the USA Today article.
These responses are, no doubt, emotional to a certain degree. The true effect on Sony's business from the bad publicity will have to be measured over a longer period of time.
The Wall Street Journal reporters Ian Sherr and Juro Osawa reported in their May 16 article, "Sony Hits Restart on Games Network," that "Sony not only has to take technological steps to fix its security, but also has to communicate what it has done," according to Marc Rudov, a branding consultant in Silicon Valley. Sony has responded by saying that it plans to bolster its network security by improving its encryption and adding firewalls.
Cleaning up a security breach can be expensive. For example, Sony reported that it expected to lose about 14 billion yen (U.S. $173 million) from the security breach, according to the May 23 article, "Sony Swings to Big Loss After Natural Disasters" in The New York Times. Ponemon Institute reported in its "2010 Annual Study: U.S. Cost of Data Breach" that the average cost per compromised record was approximately $214 in 2010, including direct costs of $73 and indirect costs of $141. The direct cost to notify a breach victim was $15. Direct costs "represent measurable accounting line items organizations have for specific data breach response activities" including the price to create and send notifications and legal defense costs. Indirect costs included customer acquisition, indirect opportunity costs of direct costs (disruption to normal business operations) and lost customer business due to abnormal churn.
Ponemon invited 400 organizations that experienced loss of customer/consumer data in 2010 to participate. Because the purpose of the study was "descriptive inquiry rather than normative inference," Ponemon considered its sample to be non-statistical. Because the study's response rate was relatively low — only 51 organizations participated — there is a non-response bias problem that was not addressed, i.e., Ponemon did not attempt to contact the companies that refused to take part in the study to get them to share information. This also creates a sampling bias problem.
The Ponemon study compared 2010 data breach costs to costs in previous years and reported an increase. This conclusion might not be valid if the companies that reported in 2010 were different than the ones that reported in previous years. Companies have different cost structures and revenue sources, which would make it difficult to compare data breach costs.
Because of these methodological and statistical limitations, the validity and reliability of the results can be questioned and should be interpreted carefully. Nevertheless, Ponemon's annual descriptive study of security breaches is informative and is a valuable and excellent benchmark. Ponemon might consider a follow-up study of the breached companies included in its survey to determine if any of the costs can be recouped - i.e., a return of abandoned customers.
LACK OF AGGRESSIVENESS IN DISCOVERING DATA BREACHES
The above discouraging news is compounded by the fact that most organizations are not aggressive in finding security breaches. A recent analysis of 500 security breaches by the Verizon Business Risk team (VBRT) in its "2008 Data Breach Investigations Report" concluded that "... it takes much longer for organizations to discover a compromise. Months or years transpired before this realization dawned on the majority of those in our case load. … What factors contributed to this discouraging state of affairs? Firstly, and perhaps most obviously, criminals do not want to be discovered. They have great financial incentive to retain access to corporate systems for as long as possible and will go to great lengths to ensure their activities remain under the radar. Secondly, and perhaps most importantly, organizations are simply not watching. Most breaches [75 percent] are discovered by a third party rather than the victim. … Often, this involves the third party detecting suspicious activity or fraudulent use of compromised data that was later traced back to the victim."
The VBRT study also concluded that "Once data compromise is finally discovered, results show that organizations are rather slow to respond. Containment often takes weeks or months and is rarely accomplished within hours of discovery."
This helps to explain why, even in cases when a breached organization notifies its consumers, it can sometimes be too late for the consumers to avoid becoming identity theft victims. The extended time lag from when the personal information was compromised to when an organization notifies its consumers allows the fraudster plenty of time to turn the stolen information into fraudulent transactions and identity theft.
Victimized consumers sometimes become aware of a security breach when they find charges on their credit card statements they cannot account for, when checks bounce because of hijacked debit cards or when they read about it in newspaper articles or hear it mentioned on news programs. Nevertheless, organizations that incur high-risk data security breaches obviously should be required to notify victims as soon as possible to help reduce the potential and real occurrence of identity theft. Even then it may be too late.
COST TO THE CONSUMER
Since 2005, the situation has improved, as reported by Michelle Singletary, a nationally syndicated columnist. In a Feb. 9, 2011, article in The Washington Post, "Identity-theft statistics look better, but you still don't want to be one," she wrote, "The good news is that last year [2010] the number of people victimized decreased 28 percent, to 8.1 million, according to a report by Javelin Strategy & Research. [Javelin tracks trends in identity theft and reports them annually.] Although that's still a huge number, it's 3 million fewer victims than in 2009. Overall losses from identity fraud also fell last year, to $37 billion, from $56 billion in 2009."
On the bad side of the news, "The average out-of-pocket expense for victims increased 63 percent, from $387 per incident in 2009 to $631 in 2010."
She also reported that you are eight times more likely to become a victim of fraud if you are involved in a data breach, according to James Van Dyke, president and founder of Javelin.
As we can see, the security breach problem is gaining speed every day with no end in sight. Consumers are taken for wild rides, especially when they are not notified in a timely manner - or at all - that their personal data has been compromised. The data breach notification problem is enormous in its current and potential effect on identity theft throughout the world.
In Part 2 of this article, which will be published in the November/December issue, I will provide a more extensive and critical analysis of the strengths and weaknesses of the data breach notification laws at the state level in the U.S.
I will also take a look at the current federal legislation possibilities and three relatively strong U.S. federal bills that did not become law in previous sessions of Congress. I will recommend how these bills can be improved and eventually become law. Keep in mind that when a comprehensive data breach notification law is passed at the federal level, it normally supersedes all similar current state laws. That is why it is so important that any new federal data breach notification law be as strong as - if not stronger than - any state law.
Part 3 of this series in the January/February 2012 issue will provide a comprehensive analysis and a new model to classify the security breaches tabulated by the Privacy Rights Clearinghouse since 2005.
Robert E. Holtfreter, Ph.D., CFE, CICA, is a distinguished university professor of accounting and research at a large state university.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.