When Christina Guilbert got a call from her bank in March about an attempt to steal money from her account, she was alarmed -- and suspicious. How could someone access her account from an automated teller machine in England when her ATM card was in her home in Boston? Was the caller really a bank representative or a thief fabricating a story in an attempt to get account information from her? "With all of the scams on the Internet, I knew they could try the same thing using the phone," Guilbert says.
Guilbert had the bank rep confirm his identity by providing information on a recent transaction on her account. The bank blocked the attempted withdrawal, but Guilbert, who works at a public relations firm, still doesn't know how the overseas thief got her account information. Guilbert's faith in doing any kind of business online has been destroyed. "I was concerned about shopping online before -- now I won't shop online at all," she says.
The shift to Internet-based customer transactions and electronic storage of customer data provides huge improvements in speed and convenience for consumers and efficiency for retailers and service providers. But it's also creating new opportunities for criminals. With so many ways for personal data to leak out, from a hacker attack to a stolen company laptop, and with identity thieves increasingly effective at quickly exploiting any breach, companies are struggling to hang on to their most precious asset: customer trust.
A scan of news headlines in recent months illustrates the problem, and they represent only the breaches the public learns about. On March 12, GMAC Insurance, a division of GMAC Financial Services, informed about 200,000 customers that personal data, such as Social Security numbers, home addresses and credit scores, was contained on two laptops stolen from an employee's car near Atlanta. One GMAC customer, who requested anonymity, says he placed a credit alert on his credit file with three reporting agencies so he'll know of any suspicious activity. But GMAC has already lost his trust. "I'm moving my business and requesting my information be purged from their database," he says via e-mail.
Also in March, more than 1,400 Canadians were notified by credit-reporting agency Equifax Canada that a data-security breach had exposed their personal information. In November, computer systems containing customer information were stolen from the offices of a consultant doing work for Wells Fargo & Co.
The problem isn't unique to financial companies. San Diego State University officials in March informed more than 178,000 students and employees that their names and Social Security numbers were exposed when hackers accessed a server in the Office of Financial Aid Scholarships. In April, Indiana State University discovered that hackers accessed a backup server that held files containing personal information of students who attended the university from 1991 through 2001 and faculty who worked there from 1995 through 2002.
The Federal Trade Commission reports that the number of identity-theft complaints rose from 86,212 in 2001 to 214,905 in 2003, partly because of data vulnerabilities associated with an increased number of purchases and transactions on the Internet.
The rise in hacker- and criminal-activity related to customer data puts tremendous pressure on business-technology executives who need to create safeguards that prevent such incidents. "The potential black eye that a company could receive is measurable in hard dollars, especially when you tally lost customer business, goodwill with customers, as well as lost future business," says Eric Beasley, senior network administrator at Baker Hill Corp., an application services company that provides hosted loan processing to more than 150 banks. To improve the security of banks' data, Baker Hill installed a Web-application firewall from Teros Inc., software that studies what an application is doing and blocks suspicious behavior -- like a request for thousands of account numbers when the typical request is for two or three at a time -- making it possible to thwart attacks even if hackers use previously unknown techniques or vulnerabilities.
Despite growing concern over identity theft, it appears that companies aren't doing all they can to protect customer data. Only 30 percent of companies use the type of firewall software Baker Hill employs, according to InformationWeek Research's 2003 U.S. Information Security Survey of 815 companies. More than 80 percent use antivirus and network-firewall software, but just 23 percent use vulnerability-scanning tools that detect the security holes used by hackers. Also, only 43 percent of respondents use intrusion-detection systems to spot attacks, and just 40 percent say they've reviewed their information-security policies and measured their effectiveness. Yet new software vulnerabilities surfaced at a rate of more than seven per day last year, for a total of 2,636 documented vulnerabilities, according to Internet security vendor Symantec. What's more, Symantec's Internet Security Threat Report, published in March, says software vulnerabilities are getting easier to exploit, and hackers are attacking them more quickly.
To slow the rising threat of customer-data breaches, companies must become more diligent about security basics: Lock down networks with firewalls and application-security and intrusion-detection systems, and patch newfound vulnerabilities before hackers develop exploits. Sloppy business practices, such as cramming hard drives and notebooks with unencrypted customer data, could be prevented through updated, stringently enforced security policies.
Companies need to review and stringently enforce policies for customer-data security to help thwart hackers who attack application vulnerabilities before companies have had time to patch them or to protect against the possibility of a "zero-day" vulnerability -- a flaw hackers discover before a software vendor knows about it and can issue a patch -- some businesses install application firewalls and intrusion-prevention systems from companies such as Kavado, NetContinuum, Network Associates, Sanctum, Teros and TippingPoint Technologies.
Another threat comes from viruses and worms specifically designed to steal financial or personal information. Many virus writers are no longer satisfied with ego boosts from causing problems with malicious code -- many now want to make money. For example, a version of the BugBear virus surfaced last June that targeted about 1,200 financial institutions around the globe. When the virus penetrated a bank, it attempted to install a backdoor application to allow intruders access. BugBear reportedly infected hundreds of thousands of systems.