Data breaches that cause huge financial and reputational
damage are rising at an alarming pace with, in many instances,
slack data storage security the primary cause. Robin Arnfield spoke
to security expert Sergio Pedro at PricewaterhouseCoopers who had
harsh words for many payments industry players.
Retail and commercial banks, electronic trading networks and
brokerage houses are all vulnerable to data breaches, which result
not just in financial losses but also in lost customer confidence
and seriously damaged reputation. This warning comes through
clearly in a new study undertaken by professional services firm
PricewaterhouseCoopers (PwC) titled Show me the money: Are cyber
attacks damaging client trust to the breaking point?
Indicative of the damage caused by data breaches, shares in US
processor Heartland Payment Systems plummeted earlier this year
when news broke that it had fallen victim to what the federal
Department of Justice called the “single largest reported data
breach in US history”. A total of 130 million card numbers were
stolen by hackers in the Heartland breach, which affected five
retailers including 7-Eleven and Hannaford.
According to the US Identity Theft Resource Center (ITRC), the
number of breaches in the US credit, banking, and financial
services industries increased by 150 percent between 2007 and 2008
from 31 to 78. The number of breached records increased by 112
percent from 8.8 million to 18.7 million during the same period,
the ITRC says.
Criminals are using sophisticated tools to break into their
victims’ IT systems, Sergio Pedro, a managing director at PwC, who
legitimately hacks into client systems as part of his job, told
On the prowl for loopholes
Advanced IT skills, significant customisation of what is
effectively commercially available cyberfraud software, and/or
extensive resources are used in obtaining 95 percent of compromised
records, according to the “2009 Data Breach Investigations Report”
by US telecoms company Verizon Business’s security consulting arm.
Organised criminal groups account for 91 percent of records
compromised, Verizon noted.
These criminals search for any electronic ‘doorway’ which would
allow them to gather customer personal and account information,
Pedro said. Such potential entry points have increased with the
growth of electronic transactions, the global operating model of
financial institutions, and the outsourcing of processing
Potential access points include databases and applications that may
not be considered part of the direct financial transaction chain –
for example, informational websites and other systems which are
connected to, and managed via, the internet. Pedro explained that
stolen customer data is collected systematically by criminal
cartels based in Asia and Eastern Europe which have the ability to
analyse the data, piece together false identities and use these
identities for fraud.
“For example, a criminal might find a phone number and address from
one source and social security number from another,” Pedro said.
“Eventually, he will be able to get enough information to raise a
mortgage. Or a criminal might be able to use stolen brokerage
accounts to manipulate penny shares and make a profit.”
Slack data storage security
According to PwC, the reason that criminals are having so much
success in accessing customer data is the porous way in which
financial institutions store the data.
“When you give your data to an online merchant, the data goes from
place to place, and may be stored in many places,” said Pedro. “If
you place an order online, the data doesn’t necessarily sit on the
Web server that you supplied it to. The data first goes to the
application (system) that services the online site. Then it might
be sent to the distribution company, for example the warehouse
which ships the product. There will be a database for printing
labels, a billing company which bills credit cards, and the data
could also be sent to the merchant’s marketing arm.”
A further weakness in the system lies in data back-up and storage
procedures, he continued. The financial services industry is a
mature industry, with systems that have been developed over the
past 20 to 30 years. Many firms rely on backing up data onto tapes,
which are moved to a storage location either within the firm or to
a facility belonging to another company.
Although the majority of firms, including most credit card
processors, retailers and retail banks, use tape back-up, most do
not spend the necessary money to encrypt their data, Pedro noted.
Furthermore, while large companies use secure transport to move
their back-up tapes, small firms might use an ordinary pickup truck
or car and staff might even take tapes home.
Customer data is further endangered because most companies do not
have an inventory of where data is stored. Fifty-four percent of
financial services organisations do not have an accurate inventory
of where personal data for employees and customers is collected,
transmitted, and stored, according to PwC’s 2008 Global State of
Information Security Survey.
The lax attitude to data storage means that when a breach is
reported, the firm does not know where the data came from.
Updating security after a breach is a significant cost to financial
institutions. After a breach, Pedro puts the cost of locking down
data and restoring the reputation of a firm in the $10 million to
$15 million region.
“If we did the same type of work on a scheduled basis (as part of
an IT security audit), the cost would be considerably lower,” Pedro
noted. PwC starts an IT security audit by mapping the data held by
a company. “We look at the life cycle of data from creation,
through processing, storage and archiving, through to destruction.
We map out who is responsible for the data, and we do this
geographically across borders.”
Once the data has been mapped, PwC offers a two-fold strategy. The
first is encryption of back-up tapes. “If the company loses data
and has to put out a press release to say that it has lost data
that looks very bad,” Pedro said. “But if it says that it has lost
data, but that the data was encrypted, that doesn’t look so
The second strategy is to change the location where back-up data is
stored. For example, PwC might recommend using a strategy such as
peer-to-peer back-up within the organisation. “This involves using
a second set of hardware known as SANs (storage array networks) for
backing up data, thereby eliminating the middle man who is
transporting taped data to a second location,” Pedro said.