The Treasury Department is pushing companies in the financial sector to beef up their data security.

A few recent security breaches, including one last year at Morgan Stanley, have proven once again just how critical it is for national banks and their technology service providers “to perform periodic risk assessments of their information security programs” to prevent and detect security problems, said the Office of the Comptroller of the Currency in an alert last month.

“Most security-related incidents occur because of the lack or failures of basic controls that allow attackers to gain entry into a target environment,” the OCC said in the release. The increasing sophistication of attackers' techniques means that detecting them is becoming more difficult, the agency said. Among the techniques it identified are phishing, which often involves using a fake Website to trick users into providing sensitive data, and the use of malware, where users are conned into downloading software that can be used to spy on them.

“The alert is important because it is further recognition by the federal regulators of some trends that are occurring broadly in the financial industry that are increasingly important to financial institutions,” says Edward Powers, a principal at Deloitte & Touche who leads their security and privacy practice for the financial services industry. “The regulators have been increasingly active around these issues, especially in their interactions with financial institutions.”

The OCC also released advisories in March on best practices for companies in assuring data security. In the releases, the agency recommended authentication measures to minimize the chance that a hacker could steal or guess passwords. Suggestions include increasing login restrictions such as limiting access to working hours or requiring an employee to phone in before login is possible, regular audits of login activities, and policies to ensure stronger passwords. “Coming out with alerts and advisories broadly around these subjects is further indication of the seriousness with which regulators are taking data security issues,” Powers says.

The financial services sector, of course, is not the only one that is exposed to attacks on corporate data. All companies that manage accounting or bills online are increasingly vulnerable to hacking, says Nick Fillippi, director of product management at Sendmail. “The need for some kind of an anti-phishing technology is growing exponentially, because for any domain that sends out any type of e-billing statement or account management information, an attacker could spoof the company's e-mail address and request customers' passwords or other credentials,” he says.

Companies got a vivid reminder of just how vulnerable they are when Sony announced last week that an illegal network intruder had stolen account information of as many as 77 million users, including credit card data, from its popular PlayStation Network gaming site. The company was forced to temporarily shut down the site and is now facing a lawsuit over the data breach.

Such a significant violation of data security, which sent shockwaves through the corporate community, raises tough questions for companies about how to protect sensitive data against highly sophisticated hackers, as well as what the hair-raising consequences of failure to keep data private can do to a company's business and reputation.

“Any time there is a data breach it can bring harm to the business by causing an interruption: It's not just that they're stealing your money or stealing your trade secrets, they can disrupt your entire business for days,” says Heather Egan Sussman, a partner in the law firm of McDermott Will & Emery. “The lesson learned is that there are some major costs and risks to companies that can flow from these criminal attacks.”


If anything, [data breach] cases should raise the awareness among compliance officers about what steps companies should take to protect themselves from these kinds of attacks, says Sussman. “Addressing the human element is critical as part of that defense strategy,” she says.

For example, it's important to train employees about how these threats are getting in the door. Sophisticated hackers use information that is available about employees through their social networks to piece together their profile and use it against them, by sending infected e-mail attachments that the employees are “virtually guaranteed” to open, says Sussman.

Another dimension of the human element that companies should address in data security is the mobile workforce. “You have people on their blackberries, on their iPhones, using their laptops, and as they are traveling around the world, some executives don't even know that they need to turn off their WiFi on their laptop or their mobile devices, because while they could be sitting idly somewhere in a coffee shop, a sophisticated criminal could access their portable device and immediately infiltrate the company system,” says Sussman.

Equally troubling, Sussman says, is hackers “camping out” in a network, either committing a prolonged theft or “waiting for the big hit” of a specific database. “This is no longer just the smash-and-grab, where someone is just after one or two credit card numbers,” she says.

Data security controls are crucial to ensure that customer and company information is protected, says Mary Ellen Presnell, executive vice president of enterprise information management for Wells Fargo. “Sound risk-management programs should generally focus on ‘defense in depth,’ relying on appropriately hardened and configured operating environments, robust authentication practices including multi-factor authentication strategies and appropriately complex password requirements,” she says.

Furthermore, third parties and service providers introduce additional dependencies and control requirements and must be included in an effective overall risk-management approach, Presnell says. “Compliance and risk managers should consider controls around user access, appropriate separation of system infrastructure and administration activities, restrictions around remote access, and proactive system monitoring,” she says.

SONY ON DATA BREACH

Below is an excerpt from Sony's announcement of the data breach:

We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:

1. Temporarily turned off PlayStation Network and Qriocity services;

2. Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and

3. Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.

We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

Source: Sony Announcement.

In general, law enforcement says the criminal threats are emanating from places outside of the United States, with particular concentrations in Eastern Europe and China. Another area of increasing concern, however, is the notion of ‘insider threat’—that is, the risks associated with people who are either employed by the organization or who work for business partners and have access to data and systems. For example, Sergey Aleynikov stole proprietary software from his employer, Goldman Sachs, and Jérôme Kerviel fraudulently introduced data into an automated processing system of his employer, Société Générale.

The insider track is also an avenue of attack for criminal elements, Powers says. “It's not just about disgruntled employees, anymore; now it's about employees who have privileged access within your environment who are susceptible to compromise by these external perpetrators—knowingly or unknowingly,” says Powers.

In addition to periodic training of their employees, companies should also consider the development of written data security procedures, says Bruce Colbath, a partner in the law firm Weil Gotshal & Manges. The trend toward increasing regulation of data security at the state level, and the lack of unified federal rulemaking, are creating new compliance burdens for companies, he says. “Companies should keep up-to-date on regulatory developments, so that they can create and maintain a plan that's compliant with all of the applicable jurisdictions,” Colbath says. “Usually, best practices would be to pick the lowest common denominator, so that you only have one privacy or data security regime in place and that maintains compliance at all levels.”

“The trouble with the data security area is that it is so rapidly evolving—it's difficult for us who practice in the area to stay up to speed with everything that's going on, so I can just imagine the difficulty at the business level,” Colbath says. Industries most affected by potential data security breaches are those that deal in online transactions or obtain a consumer's personally identifiable information, since that is the information most readily used in a nefarious way for economic gain, he says.

Of course, for companies within the Gramm-Leach-Bliley Act regulatory structure, which includes a safeguard rule requiring financial services companies to put a written data security plan in place, it's not a matter of best practices, but rather, it's a matter of required practices, Colbath says.