Losing Money? Watch Your Data Too…
By Anthony M. Freed, Information-Security-Resources.com Managing Editor
Yesterday another story emerged that has created some buzz regarding the current threats to our nation’s information security, leading off with a recent case of information and identity theft by a company insider at a major financial institution. With the number of layoffs on the rise in the financial field, how safe is anyone’s personal financial information anymore?
According to the reports of FBI officials who arrested him in August, 36-year-old Rene Rebollo spent his Sunday nights last summer copying a total of more than 2 million of Countrywide’s customer records to a flash drive and selling the data to identity thieves.
Rebollo’s case isn’t as unique as banks would like to believe. If the wounded financial industry and its confused customers weren’t suffering enough, add another crisis to the list: Cybersecurity and privacy analysts say American banks and financial services organizations are facing a major spike in data breaches, many of which are caused by company insiders siphoning sensitive data for profit.
More shocking yet is that the black-market value of personal data has produced a healthy trade in people’s personal information, and this is increasing the instances of data theft by employees and staff within these supposedly secure and trusted institutions.
The record unemployment levels in the financial industries, the threat of further bank closures, government-sponsored takeovers, and outright buyouts by the competition create an environment rich in the temptation to misuse private information for personal gain.
Aside from the obvious damage to the folks whose data is sold and possibly used for illicit purposes, there is growing concern amongst the corporate executives, boards of directors, and legal departments of these organizations that they also may be exposed to tremendous risk and potential professional liability from these breaches of security.
The threat of criminal liability as well as civil and class-action litigation is greater than ever before.
Then there are also the losses borne by the equity stakeholders in these organizations: the devaluation of their portfolio holdings, the risk of diminished returns, and ultimately insolvency. The losses could begin to reach levels that exceed investors’ tolerance for risk, and access to much-needed capital may dry up.
I am pleased to announce our new website, Information Security Resources, which will examine these issues from both a financial and a technical perspective, looking at areas of lax governance and inadequate security protocols. More importantly, we will be offering solutions and best-practices advice from some of the leading players in information security and financial analysis in the nation.
Our goal is to help financial industry stakeholders, government regulators, and the public better understand and address the mounting information security threats inherent in the current financial crisis.
Our concern is centered around the failure of organizations to adequately protect regulated systems and data. Our current focus is on the exposure of private information and sensitive systems during the financial meltdown, including identity theft, privacy breaches, stolen information, credit card fraud, and other enormous liabilities.
In addition to the obvious threat to market stability, the financial debacle has the added element of national and global security concerns. We believe we are among the very first working to highlight this national security problem.
We believe this is the next national security, shareholder derivative, D&O liability, regulatory, consumer product safety, and class-action issue. We teach you how to find this problem, and fix it.
Our team lead is Kevin M. Nixon, a Master Security Architect (MSA); Certified Information Systems Security Professional (CISSP); Certified Information Security Manager (CISM); Certified US Domestic and International Regulatory Professional; and Licensed Private Security Consultant.
Kevin has over 25 years of experience in MIS design and development, Information Security, Business Continuity and Disaster Recovery, US and European Regulatory Compliance, and has testified as an expert witness before the Congressional High Tech Task Force, the Chairman of the Senate Armed Services Committee, and the Chairman of the House Ways and Means Committee.
Kevin has served on infrastructure security boards and committees including:
♦ Disaster Recovery Work group for the Office of Homeland Security (which developed the National Strategy to Secure Cyberspace)
♦ Executive Board of Directors, Internet Security Alliance (ISA)
♦ Chairman, Best Practices Information Security Management Committee, ISA
♦ Executive Board Member of the Accredited Standards Committee, X9, Inc. (the not-for-profit that develops technical standards, certified by the American National Standards Institute, for the financial services industry)
♦ US Voting Delegate to the International Standards Organization (ISO), Financial Data Protection, Privacy and Security Standards TC68-SC2 & US TC68-SC6
♦ Consultant to the Federal Trade Commission (FTC), on the administration and roll out of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) Web Portal, AnnualCreditReport.com.
Kevin’s other contributions include:
♦ Consultant to VISA in 2002 to develop the Cardholder Information Security Program (CISP), the basis for the Payment Card Industry Data Security Standards (PCI DSS).
♦ Co-Author of a 3-Part Series of “Common Sense Security Guides”, including THE COMMON SENSE GUIDE FOR SENIOR MANAGERS - Top Ten Recommended Information Security Practices, 1st Edition - July 2002, Internet Security Alliance, which is now used by the US Department of Homeland Security, National Association of Manufacturers, American Bankers Association, The National Federation of Independent Businesses, The National Cyber Security Alliance, Financial Services Coordinating Sector, TechNet, and US-India Business Council.
♦ The Cyber Security Guide for Executives & Senior Managers
♦ The Cyber Security Guide for Small Businesses
♦ The Cyber Security Guide for Virtual Employees & Mobile Executives
♦ Appeared as Cyber-terrorism Expert on CNBC’s Squawk Box with Mark Haines
♦ Appeared as Identity Privacy Protection Expert on KUCI Radio’s Privacy Piracy with Mari Frank
Kevin’s business experience includes serving as the Banking Security Officer of World Financial Network National Bank. Kevin has held positions of oversight of all regulatory compliance, data security, and data privacy issues, compliance with FFIEC Banking Regulations, and direction of OCC and SAS 70 Audits for his clients.
Comments
6 Comments on Losing Money? Watch Your Data Too…

Stocks and Bonds » Blog Archive » Worried About Losing Dollars? You Better Watch Your Data Too … on Wed, 10th Dec 2008 3:57 am
[...] Rebollo’s case isn’t as unique as banks would like to believe. If the wounded financial industry and its confused customers weren’t suffering enough, add another crisis to the list: Cybersecurity and privacy analysts say American banks …[Continue Reading] [...]

Odds ‘n Sods: | Islamic Alert - Islamic Alert: Islam and Terrorism In The Daily News. Islamic Jihad, Islamic Terrorism, Islamic Blogs, The True Nature of Islam. on Fri, 12th Dec 2008 6:12 pm
[...] From Sean M.: Money is not the only thing you can lose in a failing bank [...]

Harry Tran on Sun, 14th Dec 2008 12:21 am
I saw an episode of Manswers, and it might hold some truths: if you were to rob a person with a deadly weapon for $100 you’ll end up getting tossed into prison for a felony. But if you were to steal a few hundred credit card accounts from your company’s database, then you’ll lose your job and then get tossed into Club Med.
There is a large disconnect between white-collar crimes and real crimes and their punishment, even though the damage done to others is just as great.

Nick Maceus on Sun, 21st Dec 2008 5:45 am
Information security of business data and trade secrets makes encryption indispensable.
- Nick Maceus
maceus.com

Nick Maceus on Sun, 21st Dec 2008 5:48 am
PGP is standard for industry to encrypt the contents of business information database systems.
- Nick Maceus
maceus.com

Derek on Wed, 24th Dec 2008 10:59 am
Good article, Anthony. You are speaking plain ol’ common sense; it’s amazing really how much common sense and basic controls over information are thrown out the window in many of our (supposedly) more trusted institutions. The problem of insider theft of information is definitely on the rise as a result of the huge layoffs going on, and many of these companies are the same ones that have been saying all along that they did not need controls to monitor and audit insider access to data… guess they are seeing the light now, eh? Too bad budgets are being slashed and the purchase and management of the needed controls are being postponed. I wonder how long we can afford to let that happen?