Industry View

What I Learned From the Top Five Security Events of 2007

Prat Moghe of Tizor Systems draws five key lessons from five data breaches.

By Prat Moghe

Page 2

July 5, 2007: Certegy / Fidelity National Information Services – FNIS, a trusted financial brand, learns that a Certegy employee has stolen account information and sold it to direct marketers. Although the fiscal pain was minimal, this malfeasance underscores the importance of protecting data no matter where it is being used, inside or outside the business. In the reality of today’s multi-partnered, highly distributed business networks, enterprises need to find new ways to secure their data, keeping in mind that these updated data security best practices must keep the data secure while still enabling the access needed to stay competitive.

August 20, 2007: Monster.com – Hackers used stolen login credentials to access this popular online job site. Once in, they captured names and email addresses, then used that information to execute a ‘spear phishing’ campaign designed to extract financial information and spread scams. The data that was stolen, although personal, would not typically be considered sensitive. The creative thieves used it in conjunction with other data, including Monster’s brand name, to obtain more sensitive data and/or wreak other forms of havoc on unsuspecting job seekers.

September 17, 2007: TD Ameritrade – A hacker (reported as a “compromised computer”), possibly an insider, steals the email addresses of 6.3 million online brokerage customers, then targets the victims with spam attacks. Accountholders receive pump-and-dump messages. To make matters worse, Ameritrade purportedly knew about the problem months before customers were notified. Another example of spear phishing, this breach points out the growing popularity of the approach as a means to extract personal data from consumers. It also makes one question the sanity of withholding breach information from customers—especially for a business that relies on trust to attract and retain customers.

What Does it All Mean?

Well-publicized and large in terms of the number of records compromised, these breaches still represent only a small percentage of the breaches that happened in 2007. However, they do represent a large percentage of the important lessons to be learned when it comes to core data security. The following are a few of my top lessons learned:

1. There is no crystal ball for data security.
Data thieves will go to great and very creative lengths to get at high-value data, and we may not be able to anticipate exactly what shape threats to data will take. The Monster breach taught us that just when we think we have a handle on how data thieves are going to behave (and which kinds of data they’re after), they will change the game. So don’t rely solely on a best guess of what the bad guys are going to do next. That data security strategy worked relatively well for a while; it doesn’t work any longer. Which brings us to lesson 2.
