Fighting data theft on new fronts

Miller (Kroll Fraud Solutions photo)

Beneath the quiet hum of hard drives, the battle continues for control of digital treasure. Companies fight to protect data coveted by increasingly sophisticated information pirates. According to some experts, the war has entered a new phase of complexity.

Jeremiah Miller, director of operations for Kroll Fraud Solutions, said even small bits of data can be exploited by cyber thieves. Kroll Fraud Solutions, in Nashville, Tenn., is a provider of identity fraud solutions. “There are things you can do with a couple of pieces of information to build a more complete profile about somebody,” Miller said. That can include matching names to information left public on social networks such as Facebook, he said.

Cyber criminals armed with customer names and e-mails, for example, can engage in spear phishing. Disguised as communications from a retailer or bank the target uses, these electronic attacks attempt to trick consumers into revealing sensitive information such as account numbers. Miller said information in the health care world is also being targeted.

Larry Ponemon, chairman of the Ponemon Institute, concurs and said cyber thieves may attempt to charge medical care and prescriptions to victims of identity theft. The Ponemon Institute, in Traverse City, Mich., is a research center for data protection and information security policy.

Ponemon said regardless of the depth of a breach, word must be given of such incidents. “The company is still required to give notification and identify the cause,” he said. “They also have to deal with disgruntled and unhappy customers.”

He said there is a growing trend in cyber theft to seek business data. Marketing information, details about members of the board of directors and other internal material can be valuable to thieves. In spite of this shift, Ponemon said regulators thus far have been more concerned with safeguarding consumer information.

“This has been a sleeping giant situation,” he said. “You can make more money focusing on stealing confidential business information.”

Ponemon said thieves are also streamlining their efforts to target higher-value data.

For example, he said malware may be tailored to search only for documents that include such terms as top secret or confidential. Those labels may be used to prevent exposure within a company but they can also point the bad guys to sensitive information. “If I can get trade secrets, a list of high-wealth customers at a bank, that information becomes more valuable,” Ponemon said.

Data thieves have been busy this season. Epsilon Data Management LLC, in Irving, Texas, alerted its clients on April 1 of an unauthorized entry to its e-mail system. Epsilon provides e-mail marketing services to more than 2,500 clients including retailers such as Target Corp. and Best Buy Co. Inc. as well as financial institutions such as JPMorgan Chase & Co. and Citigroup Inc. Customer names and e-mail addresses for two percent of Epsilon’s total clients were affected according to the company. Epsilon said no other personal information was compromised.

Epsilon declined to comment further when contacted but said in a statement it was working with federal authorities and forensic experts to investigate the matter. The company also said it was taking measures to prevent future incidents.

Epsilon is not alone in grappling with data thieves. On April 13, word came from WordPress.com’s owner Automattic Inc. that a “low-level” break-in occurred exposing some of its servers.

OpenBandwidth is hosted on WordPress.com’s servers.

San Francisco-based Automattic did not immediately respond to direct questions regarding the breach. However, Matt Mullenweg, president, issued an alert regarding the incident.

Miller said, in some cases, third-party hosts might not shoulder full responsibility if data breaches occur. “It all depends on what those parties agree upon,” he said. “It is a good idea for companies to handle this contractually.”

As a preventive measure, Miller said companies should carefully weigh how long they retain information gathered from customers. “You have much more risk the longer you have it,” he said. He also suggests clearly disclosing to customers how their information will be used to avoid surprises on both sides. “You don’t want to not have the proper consent,” he said.

Some breaches can be slip-ups by employees unaware they left the barn door ajar. Portable hard drives may be misplaced or stolen and passwords written on pieces of paper might be left in public places. Photos shot in the workplace may capture information from screens in the background. “Things like that can happen very easily,” Miller said. “It is almost impossible for employers to prevent that.” He recommends instituting company policies to educate employees about such issues.

Ponemon said increased vigilance is necessary as more information channels can be turned into methods of infiltrating data systems. “Any connected device, smartphone, iPad, laptop or USB memory stick has the potential to create two-way havoc,” he said.

About Joao-Pierre S. Ruth
New York tech correspondent for Xconomy, tech writer for Investor Uprising, and aspiring urban fantasy writer. I also make brownies and crème brulee.
