Despite the hundreds of millions of dollars that organizations have invested in information security technology to secure their critical business-technology infrastructures, the bad news keeps breaking. In the past year, dozens of companies have had to inform their customers that the exposure of their personally-identifiable financial information had placed them at great risk of identity theft. The incidents range from fraudsters successfully establishing bogus access accounts to steal legitimate consumer information to hacked networks to lost backup tapes containing the financial information of millions of consumers.
It’s not just the widely-publicized cases that count. In the past several years the federal government has prosecuted individuals for criminally abusing their insider access. In February of 2005, federal prosecutors indicted an IT manager for gaining unauthorized access to his former employer’s network to read e-mail and causing damage to its systems. Federal prosecutors have also prosecuted and found employees guilty of password trafficking, selling customer financial information —including detailed credit reports -- to organized crime.
Recently, IT managers and even customer service representatives, have been prosecuted and convicted for using their privileged access rights to destroy or steal their company’s information and selling customer financial data to organized crime. High-tech companies aren’t immune, as even network equipment and software manufacturers have had their proprietary source code stolen and made accessible on the Internet.
The sheer scope of the impact is mind-boggling. A recent security breach at a major credit card processor reportedly exposed more than 40 million card-holder names and account numbers. In February, a well-known information-broker revealed that criminals had managed to steal the names, addresses, and Social Security numbers of as many as 145,000 individuals by using previously stolen identities to create 50 fake businesses to access the company’s information stores. In another widely-publicized breach, one of the country’s largest information services providers announced that hackers managed to gain access a database to seize the names, social security and driver’s license numbers, and addresses of more than 300,000 individuals. According to Gartner, 9.4 million U.S. adults were identity theft victims between May 2003 and April 2004. Their financial losses totaled $11.7 billion.
Such data breaches have been announced by some of the country’s well known banks, entertainment companies, telecommunications providers, and universities. And this proves that such breaches can occur at even the most security conscious and diligent companies. The public is learning about security breaches today largely due to California’s Breach Disclosure Law (SB 1386), which went into effect July 2003 and requires companies, with customers who live in California, to make notification if their personally identifiable financial information may have been accessed without authorization. Expect more security breach disclosures when a federal law similar to SB 1386 becomes law.
The human-toll of identity theft on individuals is severe. According to the Identity Theft Resource Center it takes the average victim about 600 hours to prove their identity was stolen and clean their credit reports. And it can be years before most victims attain their financial health. Many victims of identity theft run into trouble getting mortgages, car loans, credit lines, and even employment with a tarnished credit report. In 2003, the Identity Theft Resource Center surveyed 173 identity-theft victims and learned that 4 percent of victims discovered their identities where stolen when they were arrested for crimes committed in their “name.”