You’d be forgiven for muttering an exasperated “enough” after hearing about the latest large-scale data security breach to hit the financial services industry.
It has, after all, become a sad routine, differentiated only by the number of victims and the size of the financial damages. The Identity Theft Resource Center (ITRC) reported a nearly 50 percent increase in data theft in 2008 over the previous year. As a result, 35.7 million Americans had their personal records exposed. And these numbers are likely underestimates, because many cases are never reported.
Because the alarm bells have been strangely silent, allow me to take this opportunity to ring them — loudly. It’s time for corporate America to get serious about protection.
As the size and scope of successful attacks continue to increase, we apparently will need all the protection we can get. In fact, the latest breach could end up being the biggest one yet. The New York Times reported hackers planted malware inside Heartland Payment Systems possibly as early as May of last year, and it took until December before the company became aware of it.
Heartland typically processes 100 million transactions per month on behalf of 250,000 U.S. businesses. It doesn’t take a math genius to conclude that the potential loss of data easily can exceed the previous champ, TJX, which lost 45 million credit and debit card numbers about two years ago.
Although the Heartland incident — in which hackers apparently used rogue code to steal card numbers, expiration dates and bank codes to facilitate card duplication — once again victimized a financial services organization, the true impact is much broader. That’s because confidential data in any form is currency. Robbers no longer need to knock off armored cars in broad daylight. They simply have to inject malware into victims’ networks and buy enough storage to hold the data — our data — as it piles in.
When news of another data theft breaks, the response pattern usually is the same. The victimized companies vow to tighten their security to prevent a recurrence. Account holders and other clients whose data is now floating out there receive assurances that they won’t be liable for any losses that result. Everyone else breathes a sigh of relief. They shouldn’t.
In many ways, the ho-hum response to large-scale cybercrime cases is our own fault. After all, unless we were in the headlines, it simply didn’t concern us. Or did it? The sad truth is we’re going to have to change our collective attitude because, even if we’re not directly victimized, we are all already paying the price. One case of co-opted data ripples throughout the industry and touches victims everywhere, where we often least expect them to be. Heartland supports a quarter of a million businesses, mostly in retail. The level of interconnectedness in today’s economy means there’s hardly a supply chain out there that isn’t going to be affected in some way.
Burgeoning security costs and reduced inter- and intra-organizational flexibility only serve to hamper our collective ability to freely engage in trade and commerce. If e-commerce greases the skids of commerce, large-scale data theft has the opposite effect — it’s like spilling glue. And we’d all be better off if the glue wasn’t spilled in the first place.
It costs infinitely more to respond reactively to an incursion than to invest up-front in tools and processes that match the scope of the technology being deployed. Security best practices have evolved in a haphazard manner, and we’ve left it up to individual institutions to decide to what degree they want to buy in. We regulate the color of butter more closely than we do financial security standards. All the while, we’re building the systems equivalent of high-performance cars without sufficient brakes, air bags and other safety systems.
To his credit, Robert Carr, Heartland’s CEO and founder, is trying to turn a negative into a positive. Since the news broke, he’s reached out to industry leaders to discuss ways of working together to build more comprehensive protections against cybercrime. Even before his company was victimized, he had been advocating for industry-wide, end-to-end encryption of all customer-related data to further boost payment security.
He gets it. The question remains whether everyone else gets it, too, and whether we’re all willing to invest the resources necessary to get ahead of this growing threat. The answer? We have no other choice.
Carmi Levy is a technology journalist and analyst with experience launching help desks and managing projects for major financial services institutions. He offers consulting advice on enterprise infrastructure, mobility and emerging social media. He can be reached at editor (at) certmag (dot) com.