
Gartner: IT departments lack finances to protect data

By Bill Brenner, Senior News Writer
06 Mar 2007 | SearchSecurity.com

Data breaches like the one TJX recently disclosed are starting to take a heavy toll on consumers, according to the newly-released results of a Gartner Inc. survey.

The Stamford, Conn.-based research firm said in a report released Tuesday that 15 million Americans suffered from identity theft between mid-2005 and mid-2006. That's a 50% increase since 2003, when the Federal Trade Commission (FTC) reported 9.9 million American identity theft victims. The people Gartner surveyed weren't affected by the more recent TJX breach, but that company's mistakes mirror the failures of other merchants to protect customer data, said Avivah Litan, a vice president at Gartner.

"This survey shows that the efforts of IT professionals to protect customer data aren't working very well," she said. "It has taken a lot of work to get companies compliant with the PCI Data Security Standard (PCI DSS) and in many cases IT departments aren't getting the necessary financial support from upper management."

Litan's research included an online survey of 5,000 U.S. adults. Based on feedback from those respondents, she found that:

  • The average victim lost $3,257 in 2006, up from $1,408 in 2005.
  • The percentage of funds consumers managed to recover dropped from 87% in 2005 to 61% in 2006.
  • The average loss on new account fraud more than doubled from $2,678 in 2005 to $5,962 in 2006.
  • Unauthorized charges to credit cards rose nearly fourfold from an average of $734 in 2005 to $2,550 in 2006.

"Hackers are exploiting Internet auctions, non-regulated money transmittal systems, the ability to impersonate lottery and sweepstake contests, and other types of imaginative scams," Litan said. "The thieves have also discovered the weakest links in the U.S. payments systems. Typically the weak links are found among the five or more million businesses that accept electronic payments from consumers, and the consumers themselves."

Electronic theft of sensitive information is a leading cause of credit card, debit/ATM card and bank account transfer fraud, she said.

Using the TJX breach as an example, she said one of the retail giant's biggest mistakes was storing credit card data it didn't need to store. Several auditors who check companies for violations of the PCI Data Security Standard (PCI DSS) made the same observation last week, and said TJX will almost certainly pay a heavy financial price for its PCI DSS violations.

Framingham, Mass.-based TJX acknowledged in January that an attacker exploited a flaw in a portion of its computer network that handles credit card, debit card, check and merchandise return transactions.

The breach was worse than first thought, TJX officials admitted two weeks ago. The company initially believed that attackers had access to its network between May 2006 and January 2007. However, the ongoing investigation uncovered evidence that the thieves also were inside the network several other times, beginning in July 2005.

Of course, TJX is only one of many companies to have disclosed a serious data breach. According to a list tallied by the Privacy Rights Clearinghouse (PRC), more than 104 million records containing sensitive personal information have been involved in security breaches since early 2005.

Regardless of the method used to steal data to commit new account fraud, Litan said this kind of fraud can be largely prevented if companies use identity verification and scoring services.
