Five data leak nightmares
- 08 January, 2008 10:20
Data breaches cost companies an average of US$197 per record in 2007, according to a study by the Ponemon Institute. The average cost of a data breach was US$6.3 million, up from US$4.8 million in 2006.
And that just covers direct costs. A well-publicized data breach can also translate into lost business opportunity to the tune of US$128 per leaked customer record, according to the Ponemon study. No wonder companies are rushing to shore up their defenses against data leakage.
In this package of stories, we will describe the five worst data leak nightmares, chronicle the rapid consolidation in the data leak market, profile five key data leak companies and interview a leading expert in data loss prevention.
Nightmare 1: Film at 11A high-profile data breach can cost your company millions. Just ask TJX.
When The Home Depot lost a laptop containing personal information on 10,000 employees, it was just the latest in a string of high-profile data-leak incidents. The Veterans Administration, TJX, Monster.com, Fidelity National Information Services, Pfizer, AOL, Ameritrade -- the list goes on and on.
This nightmare gets much worse if you are at fault and not simply a victim of hackers. Consider one of the most publicized data-leak victims: TJX. The attack was certainly the fault of hackers, but according to Carol Baroudi, research director, security technologies for Aberdeen Group, TJX must shoulder some responsibility.
"TJX should never have stored magnetic stripe information in their databases," Baroudi says. "It was a flawed storage policy. They didn't even realize they were putting personal information at risk."
Worse still, TJX didn't discover the breach. Visa did. The TJX breach has gone from a bad dream to a recurring nightmare, with the company hit by lawsuit after lawsuit, the latest one being an October court filing by credit card companies alleging that the breach hit 94 million credit cards, twice as many as TJX has acknowledged.
Another example is AOL. The AOL data leak wasn't the result of bad policy, but rather of good (albeit misguided) intentions. At the time of the leak, AOL had a nascent research site to which it posted users' search histories to spur further research. This move inadvertently exposed the Web surfing habits of many users.
Yes, AOL kept its users' identities secret, but anyone who bothered to dig into the nitty-gritty details of those searches could figure out who was browsing for what, since people often search for themselves, close friends, their hobbies, organizations they belong to, and businesses near them.
AOL employees didn't intend to harm the organization, but these unintentional incidents can be just as bad -- if not worse -- as malicious ones.
Nightmare two: Messaging misfires
Not protecting e-mail can lead to serious data leak problems
George Washington University (GWU) Hospital came close to a data leak that could have had national security implications. Vice President Dick Cheney was scheduled to visit the hospital, and the Secret Service attempted to send a risky unencrypted e-mail that could have compromised his safety.
"The Secret Service sent an e-mail to those coordinating the visit to inform us about which route they would take through the building, including which elevators," says Amy Hennings Butler, assistant director, security systems operations at George Washington University. "In our opinion, that kind of sensitive information should not be sent through the Internet -- especially as a clear-text e-mail."
GWU dodged this data-leak bullet because it had previously installed a data-leak prevention (DLP) product from Reconnex, which triggered an alarm. The DLP system responded to some of the text, as well as the lack of encryption, which allowed IT administrators to block the message. The agent who sent the e-mail most likely violated the Secret Service's own data security policies, but it was the university's security that caught it.
"E-mail is still the biggest problem, by far," says G. Oliver Young, an analyst with Forrester Research. "It's ubiquitous, huge amounts of information travel over it, and it's easy to forward documents, without even thinking, that contain sensitive information."
Certain industries, such as healthcare and financial, are ahead of the curve when it comes to e-mail security because of regulations like Health Insurance Portability and Accountability Act and Gramm-Leach-Bliley Act. Because of this, they've moved beyond the Band-Aid approach of creating policies and trusting the training employees.
"Even with strong policies, people may not realize they are sending out sensitive data," says John Vander Velde an officer and manager of IT for Lake Michigan Financial Corporation, a holding company for community banks in northern Michigan.
"We put a risk matrix together, Vander Velde says, "and we quickly realized that our biggest risk is e-mail. Even a well-trained employee could inadvertently send out information that could be captured or sniffed."
A July 2007 survey by Forrester's consulting arm, for instance, found that of those surveyed (308 IT professionals at U.S. enterprises with more than 1,000 employees) a third had investigated e-mails that they believed had leaked confidential data in the past year.
Commissioned by Proofpoint, the survey also found that respondents estimated that approximately 20% of outbound e-mails contain "content that poses a legal, financial or regulatory risk." Meanwhile, more than a quarter of the companies surveyed had terminated an employee for violating corporate e-mail policies in the past year, while 45% had disciplined employees for violating policies.
Lake Michigan Financial concluded that it needed technology as a line of defense beyond policy and training. The company eventually turned to a DLP product, in this case from Proofpoint. "Solutions like this should benefit the financial industry as a whole," Vander Velde argues. "Even if they're rolled out on an institution-by-institution basis, the benefits should be far-reaching. Accenture found that the biggest risk to mobile workers isn't poor Wi-Fi security or war driving -- which is what most mobile security plans focus on -- rather it's employees who simply forget their laptops, PDAs and mobile phones in taxis.
Nightmare three: Taxi cab confessions- Losing a laptop, cell phone or USB drive is more common than you think
Lake Michigan Financial's second-leading worry is portable data. Using GFI EndPointSecurity, Lake Michigan Financial prevents users from downloading sensitive data to USB drives or CDs.
"Vista was not up to par to control things at a granular level," Vander Velde says. "We had some departments that used portable storage for backups or so they could work from home." Vander Velde noted that employees did complain at first, because it interrupted their workflows. By offering alternative, secure storage and remote-access options, Lake Michigan Financial made most of them happy.
According to Baroudi at Aberdeen, most organizations are just getting around to the risks associated with lost laptops and haven't even begun thinking about removable storage. The risks, though, tend to be different.
"The difference between a laptop and a USB drive is that with a USB you're intentionally moving data," she says. Thus, the risks tend to be with insider attacks and IP theft. The hope is that training and policies will at least give workers pause before they download sensitive data. "With a laptop, you may not intend to move data to a less secure place," she says.
In fact, according to Accenture's mobility practice, that less secure place is often a taxi. Accenture found that the biggest risk to mobile workers isn't poor Wi-Fi security or war driving - which is what most mobile security plans focus on - rather it's employees who simply forget their laptops, PDAs and mobile phones in taxis.
USB drives, old hard drives and the laptop left in the front seat of a car all pose huge risks. Home Depot, Pfizer and the VA all ran into trouble when laptops holding confidential information were stolen. Without preventing sensitive data from ever getting on these portable devices in the first place, it's nearly impossible to secure against an opportunistic thief or simple forgetfulness.
Nightmare four: Blabber-blogs - Internal blogs are great, unless employees start spilling company secrets
Web 2.0, VoIP, and other new technologies are driving security pros crazy - at least at those organizations on the ball enough to pay attention to them. Take something as simple as blogging.
At Microsoft, the blog Mini-Microsoft has stirred up a bunch of controversy. According to the blog's author, a Microsoft employee who wishes to remain anonymous, the blog was started as a forum for "exposing lunch-time conversations of a lot of people going over the issues and concerns they had about Microsoft."
In our e-mail interview with Mini-Microsoft's author, he says, "You see a lot of deep, well-thought-out, constructive criticism from the inside. I can't say this goes anywhere, even today. . . Two years ago, when a lot of the concerns became public, something got done. Would it have happened without the blog? Maybe. Probably not, though."
Aberdeen's Baroudi has a problem with anonymous corporate blogs. "Anonymous blogs are irresponsible. If you feel that strongly and you're unwilling to put your name to it, it loses credibility. If you put your name to it, there's a dialogue."
Could Mini-Microsoft be as effective minus the cloak of anonymity? "Absolutely not," Mini-Microsoft wrote. "If I had started this blog under my real name then I would be shut down quickly by people who would just question how a person working on XYZ could possibly have a say about [an unrelated] project.
"There'd be more criticism for who I was and what my responsibilities are. 'Hey, why don't you blog about how your feature bar is broken?' That's human nature. The mystery allows an assumption of knowledge and provides permission to ponder. And I can't say it would be seen as career empowerment for the leadership up the chain from me."
Advocate blogs pose a serious dilemma for IT security. The anonymous soul-of-the-company ones like Mini-Microsoft are highly valued by employees. Whistle-blower blogs like those from Los Alamos National Labs are even more valuable because they exposed the dysfunctional practices that threatened national security.
However, these blogs do pose risks. If confidential data is leaked, for instance, management has a valid reason to worry. PR and marketing executives tear their hair out figuring out how to respond to the bad press that often accompanies these blogs.
Most organizations, though, simply have no idea how to handle these blogs, and, as a result, most either ignore them or make the mistake of trying to shut them down - which usually worsens morale and generates more bad press.
Other new technologies present equal quandaries. Take IBM's Many Eyes, which is essentially a mashup application for visualizing data. "There is a lot of data there that probably shouldn't be," said Forrester's Young. "You can find sales forecasts and corporate income statements." Many Eyes doesn't always show where the data is coming from, but much of it isn't hard to figure out.
There is even data from government agencies, including the CIA. If the Secret Service can't be trusted not to send out unencrypted itineraries, it's not a stretch to worry about what it's posting on Many Eyes.
Nightmare five: Downsizing disasters - Data theft increases during mergers, layoffs and reorganizations
When a company announces a merger - or worse, downsizing - employee loyalty can be undermined. "The amount of data offloading during these events is huge," says Robert Yonowitz, a partner with Fisher & Phillips, a law firm that specializes in labor and employment law.
Often, organizations plan poorly for these events, worsening the problem. For example, if a company announces a 10% staff reduction but doesn't say who is safe and who isn't, then the risk of data theft goes up significantly.
If your company isn't expecting to downsize or reorganize anytime soon, don't think that you can rest easy. The same dynamics are in place, albeit on a much smaller scale, any time key employees change jobs. When an employee leaves the company, that person has usually been planning for a month or two prior, which is when most data theft occurs.
According to Yonowitz, 90% of the data loss cases he sees involve customer lists. For instance, when marketing or sales representatives move to competitors, they often promise to bring business with them.
Business relationships fall into a nebulous area. Legally, the company owns the business relationship and the key information the employee gleaned while on the job, but the employee certainly has the right to maintain and update the personal relationships that underpin those larger business relationships.
It's OK, then, for an employee to announce a job change to key contacts. That person could very well be violating a non-compete clause, though, if the announcement is more like a solicitation.
The instances that companies lose sleep over, though, usually go well beyond relationship gray areas. "These cases aren't just about people taking names and addresses, but what I call the 'customer playbook,'" Yonowitz says. "These are things like buying habits, contract terms, expiration dates on those contracts, and the status of potential deals that haven't yet closed."
Time is of the essence in these cases. Yonowitz estimates that 90% of the damage is done within two weeks after the employee's departure. If you don't catch the data loss quickly and respond right away, the damage will already be done.