For data minders, 2007 was a year of living dangerously

As the number of compromised records pushed past 217 million, experts spoke less about preventing a data breach and more about responding properly after discovering one.

It used to be that industry experts would talk about ways for companies to prevent a data security breach. But by the end of 2007, with the Privacy Rights Clearinghouse tally of exposed records blowing past 217 million, most were instead talking about how to survive one.

"Events point clearly to the fact that no company is immune to the threat of data breach."
Larry Ponemon, founder and chairman, Ponemon Institute

Indeed, data breaches have become such a common occurrence that some believe it's futile to even entertain the notion that a company could achieve 100% protection. A lot of the pessimism has centered around the massive breach retail giant TJX first disclosed in January.

The TJX story continued to unravel throughout the year, exposing weaknesses in the company's wireless security, its failure to meet the basic requirements of the Payment Card Industry Data Security Standard (PCI DSS), and what many saw as a shaky PR response on the company's part.

The biggest lesson of the breaches at TJX and elsewhere is that no company is immune from the threat and businesses need to develop better response plans.

"One of the big missing pieces is the plan for external communications in the event of a data breach," Jim Maloney, former global head of information security at Amazon.com and current CEO of Cyber Risk Strategies, said during one panel discussion on the topic in Boston last fall. "When a data breach happens, you don't want to be scrambling and trying to decide who to talk to and how to restore confidence. You can't just try to wing it."

Data breach news of '07:
Data security breach at Pfizer affects thousands: A Pfizer employee removed files exposing 34,000 people to potential identity fraud, according to the company. It was the third data breach at the company in three months.

Gap security breach exposes data on 800,000: The latest retailer to suffer a security breach is Gap Inc., which blames the exposure of data on 800,000 job applicants on a third-party vendor that manages the information.

Did TJX take the right steps after data breach? Security experts are mixed on whether TJX acted properly following a massive data breach last month. One expert says potential victims should have been notified sooner.

New database forensics tool could aid data breach cases: Database security researcher David Litchfield of UK-based NGS Software will release a free Forensic Examiners Database Scalpel, which he says could aid data breach investigations.

Banks agree to settle lawsuits against TJX: Several banking associations have agreed to settle lawsuits connected to the TJX data breach. Specific details of the deal are being kept under wraps.

When TJX first disclosed its data breach in January, the retailer came under heavy criticism for what many considered a sloppy response. The company didn't disclose the breach until a month after it was first discovered, and few accepted its explanation that investigators recommended the period of silence. TJX also seemed to have trouble getting an accurate assessment of the damage. For example, the company initially said that attackers had access to its network between May 2006 and January 2007. Later it admitted that thieves were inside the network several other times, beginning in July 2005. Then came word that the stolen data covered transactions dating all the way back to December 2002.

One of the first considerations for a company that may have had a data breach is when, and whether, to disclose the incident. Of course, doing so is the law in many states. But at the CSI 2007 security conference in Arlington, Va., the first week of November, experts urged companies not to move too quickly, since a poorly executed notification can make matters worse.

In a nutshell, Burton Group analyst Eric Maiwald said, the best bet for any IT shop is to store as little data as possible; examine the risk of what the company does need to store; install and use the necessary controls; and "put plans in place so that you know what to do when you have a breach."

Larry Ponemon, founder and chairman of the Ponemon Institute, said each security breach is different but that it all amounts to the loss of confidence and trust, which in turn means a loss of money. Asked about the common failure among data breach victims, he described the "it can't happen here" mentality.

"The attitude is epidemic, but events point clearly to the fact that no company is immune to the threat of data breach," he said. "Failure to take sufficient preventative measures is widespread, and … following a data breach, most companies will invest in the very preventative technologies and programs that might have helped avoid the incident in the first place."

While industry experts agree companies need to start assuming they will someday suffer a breach and must have a plan in place to soften the blow, they note that it's still possible to prevent a breach with some common-sense technological measures. The best example reflects the growing trend of laptops getting stolen or lost. If companies automatically used full-disk encryption on the devices, the loss of one would become a much smaller issue.

"If you allow sensitive information to be stored on mobile computers of any type, encryption is a good idea because it can get you out of having to disclose that the computer was stolen," Maiwald said.
