What I Learned From the Top Five Security Events of 2007

By Prat Moghe, CTO and Founder, Tizor Systems

2007 has been a Blockbuster year in terms of data security breaches.  The scope and sheer volume of the data breaches that have dominated the headlines in the past 12 months mark a new era of data insecurity.  From brand names like TJX and DuPont to the inside threat and the professional data thief, breaches have materialized in every shape and color. In the hopes that history will not repeat itself, let’s analyze these breach events to understand how to better secure data in the future.  Here’s a recap of some of the more memorable breaches: 

January 25, 2007: TJX – This popular off-price retailer now carries the distinction of the largest data breach on record. At last count, 94 million records were affected. To put this into perspective, 94 million is nearly one third of the US population. This event punctuated the efforts of the credit card industry and it’s PCI Data Security Standard. As the number of breached records kept growing (reported estimates were revised three or four times, most recently in October), it became painfully obvious that TJX did not know what was going on with customer data even over a year after the initial breach.  The breached data was eventually linked to fraudulent charges which also intensified the debate over who is ultimately responsible for the financial repercussions of breached data.  The book is far from closed on this one as several state and federal cases are still pending. The incident and fall out has put retailers on notice about inadequate data security measures.

Febuary, 14, 2007: Dupont  –   An insider pilfered the Intellectual Property belonging to this leading chemical firm  in an attempt to take it to a competitor. In addition to highlighting the insider risk in a rather Hollywood way, this breach proves that data breaches are not just about credit card data and financials; chemical formulas and virtually any other proprietary, internal corporate document could cause serious damage in the wrong hands. It also demonstrated the efficacy of monitoring data access to determine if trusted insiders are actually untrustworthy. The details are still a bit fuzzy, but Dupont somehow determined that an unusually large volume of data was downloaded, alerted federal officials and caught the employee before damage was done. In Dupont’s case the outcome was positive, others haven’t fared as well.

July 5, 2007: Certegy / Fidelity National Information Services – FNIS , a trusted financial brand, learns that a Certegy employee, has stolen account information and sold it to direct marketers. Although the fiscal pain was minimal, this malfeasance underscores the importance of protecting data no matter where, inside or outside of the business, it is being used.  In the reality of today’s multi-partnered, highly distributed business networks, enterprises need to find new ways to secure their data, keeping in mind that these updated data security best practices must keep the data secure while enabling the access needed to stay competitive. 

August 20, 2007: Monster.com –  Hackers used stolen login credentials to access this popular online job site. Once in, they captured names and email addresses then used that information to execute a ‘spear phishing’ campaign designed to extract financial information and spread scams. The data that was stolen, although personal, would not  typically be considered sensitive. The creative thieves used it in conjunction with other data, including Monster’s brand name, to obtain more sensitive data and/or wreak other forms of havoc on unsuspecting job seekers.

September 17, 2007: TD Ameritrade –  A hacker (reported as a “compromised computer”), possibly an insider, steals the email addresses of  6.3 million online brokerage customers then targets victims with spam attacks.  Accountholders receive pump-and-dump messages.  To make matters worse, Ameritrade purportedly knew about the problem months before customers were notified. Another example of spear phishing  this breach points out the growing popularity of the approach as a means to extract personal data from consumers. It also makes one question the sanity of withholding breach information from customers—especially for a business that relies on trust to attract and retain customers.

What Does it All Mean?

Well-publicized and large, in terms of number records compromised, these breaches still represent only a small percentage of the breaches that happened in 2007. However, they do represent a large percentage of the important lessons to be learned when it comes to core data security. The following are a few of my top lessons learned:

 1. There is no crystal ball for data security.

Data thieves will go to great and very creative lengths to get at data with a high value and we may not be able to anticipate exactly what shape threats to data will take. The Monster breach taught us that just when we think we have a handle on how data thieves are going to behave (and which kinds of data they’re after) they will change the game. So don’t rely solely on a best guess of what the bad guys are going to do next. This data security strategy worked relatively well for a while. It doesn’t work any longer. Which brings us to lesson 2.

 2. Think inside of the box. 

Assume that your proactive, perimeter defensives will be compromised at some point and have something in place that let’s you know when data is being (or about to be) compromised.  In other words, put a security camera in the vault, in case the locks, guards and security badges fail. Once the TJX (or Ameritrade or DuPont or…) data thieves had access credentials, they pretty much had free run of the data. If any of these organizations had the ability to “see” what was actually happening to the data at the core data servers, there’s a good chance that they would have been alerted to suspicious behavior.

 3. Watch for the signs of information theft.

The insider threat is still a tough and open problem. It’s even tougher now that data thieves are finding more and better ways to masquerade as authorized users.  The Dupont breach helped illustrate that there are information theft signals–unusually large downloads of corporate information is one example. It’s likely that, if we had a window into the TJX breach, we would have seen signs of potential data theft. For instance, data being accessed: at unusual times, data being accessed by users who don’t typically access it or access from unusual IPs.  The same is most likely true of the Ameritrade incident.

 4. What you don’t know can hurt you.

What is universal among the breaches discussed above is the fact that theses organizations did not know what was going on with their data–they didn’t know who was actually accessing it when, from where, etc.  If they had, it could have potentially stopped any one of the aforementioned incidents before major damage was done. Worst case, if the thief/hacker/malicious insider had made away with some (definitely not the large amounts of data loss reported in these breaches) sensitive data; knowing which data was touched, would have allowed, for example, Ameritrade to notify the potential victims immediately and in a meaningful way—and look like they had control over their customer data environment.  The sub-lesson here is: think very carefully about your breach disclosure strategy.

 5. Data paralysis is not data security.

In response to data security threats, data jail is one option. This sounds funny, but one way to secure sensitive data assets is to severely limit access to them. Unfortunately, for most companies, this would be the fast track to business failure. Access to data by the employees or partners who need it when they need it adds up to competitive advantage in today’s business environment. You can’t fault a company that wants to maximize the use of data assets for all stakeholders—availability is one of the main benefits of electronic data. Data security needs to be viewed as an ‘assets in motion’ issue, a balance of access and oversight. It’s a tough problem, but solvable.

This list certainly does not cover all of the lessons to be learned in an active data breach year like 2007. It does highlight what I believe to be the lessons that can be scratched off of the 2008 list–because they are addressable without a major overhaul of enterprise security strategies or data center environments. Also, by mentioning them as examples, I don’t want to give the impression that the companies cited have much worse data security than every other company, because, in reality, it’s likely that these breaches could have happened to many different brand name organizations. But fortunately for the rest of us, we can learn from other companies’ mistakes.

https://blog.tizor.com. With a strong technical background starting at Bell Labs Research, he holds a PhD from UCLA, is a TiE Charter Member, a member of the IBM Data Governance Council and the Vice-Chair of the PCI Security Vendor Alliance. Moghe can be reached at prat.moghe@tizor.com.

Prat Moghe is founder and CTO of Tizor Systems where he leads the technology and market strategy and vision. Prat authors the first data auditing blog at