Some years ago, I was given the job of covering information security for a weekly IT newspaper. Excited by the challenge, and hearing repeated rumours of a multi-million pound computer fraud, I set about calling police, banks, security experts, systems integrators, and investigators. Over a period of several months, I diligently spoke to them all.
In the process, I came across another case involving an inside security breach that actually came to court, and resulted in a tearful and quite unjustified acquittal. But only about £20,000 was lost.
Dozens of security technology providers took me to lunch, promising to reveal all, but ultimately all they talked about was their products. Consultants whispered darkly about the “big heist”, which had involved city banks, Russians and tens of millions. But none could name even one victim let alone a perpetrator.
Reporting on computer security breaches, if not always crime, is altogether more interesting today. Let’s take, for example, just the last quarter:
• In April, the personal records, including addresses, telephone numbers, criminal convictions, sexual orientation and religion of some 35,000 junior doctors were accidentally posted on an NHS web site.
• Also in April, an employee of Halifax Bank filled his or her briefcase with a printout containing details of 13,000 customers. The briefcase was stolen.
• In March, TK Maxx, the retailer, admitted that details from 45.7 million credit cards had been stolen from its data centres in the US and UK.
• In February, Nationwide Building Society was fined nearly £1 million after a laptop containing large quantities of sensitive customer data was stolen.
These are just the most recent (publicly disclosed) cases. Over the past 18 months, Information Age has reported on the accidental exposure of 40 million bank account records by payment card processing company CardSystems; 145,000 records lost by Choicepoint, a data broker; and the accidental publication of 800,000 records by the University of California. It goes on: Bank of America, Citigroup, Time Warner, MCI, LexisNexis: all were made to issue humiliating apologies when data was compromised.
As we have pointed out before, the news of all these breaches is not the result of a dramatic deterioration in security defences, nor of an upsurge in crime (although there is some evidence of that). Rather, it can be put down to two factors. First, technology is much more widely used, and more centralised, than it was five, ten or fifteen years ago. And second, organisations find it much harder to keep things quiet.
This second fact, of course, makes life more interesting for a reporter, but that is a side issue. Widespread coverage of breaches is important because it will ultimately make the company (and its employees and customers) more security aware.
In the wake of recent security breaches, analysts such as the Butler Group have called for UK laws that force companies to publicise news of such breaches.
They are right to do so. Consider how most of the big, recent breaches came to light. In the US, there are two laws which force organisations to publish details of security breaches. One is the California Breach Law (SB1386), which requires organisations doing business in California to tell customers about possible security breaches. Similar laws are planned for other states. The second is Sarbanes-Oxley, which obliges executives to keep informed about material aspects of their business, including security breaches.
In this environment, more businesses are reporting security breaches. But it is not watertight: TK Maxx does business in California, but it kept quiet for a couple of months, perhaps because adverse publicity might have hurt Christmas and January sales.
In the UK, the NHS breach was reported, not to Parliament by a contrite junior minister, but by Channel 4 News; while the Nationwide and Halifax breaches might not have come to light if they had not been required to report the thefts to the police.
There is, incidentally, a remarkable pattern about all these thefts: in almost every case, including TK Maxx, executives have said that no real damage was done. They even seem to make light of the problem: Nationwide never explained why an employee had details of so many customers at home on a laptop; the NHS incident was described as “a teething problem”.
Analysts believe that, in spite of the changing sentiment and harsher laws, two thirds of security breaches still go unreported. When it comes to it, many executives take the path of least resistance. That is why those analysts and security groups calling for mandatory disclosure are right.