Breach Erosion
Private data about customers, such as their Social Security numbers and credit and debit card numbers, is among the most valuable assets a retailer has.
Yet, despite the publicity surrounding data theft incidents, studies and reports indicate that too many retailers remain vulnerable to loss — through theft or negligence — of sensitive data.

In a 2010 enterprise database security report, Forrester Research estimated that only 21 percent of companies were pursuing advanced data security measures. The others, the report says, “remain soft targets for hackers.”
San Diego-based Privacy Rights Clearinghouse has been tracking data breaches since 2005; as of mid-July it had chronicled breaches exposing nearly 500 million records across all types of organizations.
The average cost to a business dealing with private data loss is more than $6.6 million, according to the Traverse City, Mich.-based Ponemon Institute. That estimate takes into consideration a wide range of business costs, including outlays for detection, notifications and other after-the-fact responses, as well as the economic impact of lost or diminished consumer trust and confidence.
“Given that the industry has relatively low margins, many retailers tend to under-invest in IT infrastructure and security,” says Phil Neray, vice president of security strategy for Guardium, an IBM subsidiary that provides data protection solutions. “Many assume that if they have implemented basic defenses such as firewalls they are protected. But they don’t realize that the basic safeguards only protect the perimeter and [not] against malicious insiders … [or] cybercriminals who penetrate the firewall through a web application.”
Michelle Dickman, president and CEO of Post Falls, Idaho-based TriGeo Network Security, stresses that “security is a process, not a product.
“You can invest heavily in security devices, policies and procedures, but they’re all susceptible to a knowledgeable insider, human error or determined hackers,” she says. “The key is continuous monitoring of those products and procedures to ensure that they’re effective — and to become alert and respond immediately when they’re not.”

Retailers also may not realize that being certified PCI compliant by an auditor doesn’t guarantee them protection from data theft. The Hannaford Bros. supermarket chain was certified PCI compliant while a breach was already underway. More than four million credit and debit card numbers were stolen between December 2007 and the breach’s discovery in March 2008; Hannaford subsequently faced a class action lawsuit for failing to have adequate data protection procedures in place.
“Compliance is just a snapshot of one point in time,” Neray says. “If anyone makes any change to your system, it can make you non-compliant. So unless you are monitoring in real-time all access to your sensitive data, you are not really protected.”
Avoiding inside jobs
Vulnerability is intensified by the fact that the majority of data breaches are initiated by insiders – roughly 70 percent, according to a 2009 Forrester Research study.
A March survey of more than 100 IT and chief security officers conducted by the file transfer division of IpswitchFT found that:
• 83 percent lacked visibility into files moving internally and externally throughout their organization, and more than 70 percent had absolutely no visibility into files moving out of their organizations.
• 66 percent had used personal e-mail to send work-related files, resulting in zero security, no audit trail and no visibility.
• More than 25 percent had sent proprietary files to their personal e-mail accounts, with the intent of using that information at their next place of employment.
• Nearly half of the IT executives surveyed said that their companies do not provide employees with a fast-and-effective way to securely send files.
• Only 49 percent of companies have established policies for sending files internally, and only 53 percent for transferring files externally.
Any employee can bring a personal computer with Internet access into a store and use an external drive like a small USB device to download information from the POS about inventory, backfill, upcoming sales and the like, says Frank Kenney, vice president of global strategy for IpswitchFT. He recalls a breach several years ago in which an associate at a retailer’s help desk data center stole store brand credit card and personal customer information by copying it out of the POS system and pasting it into corporate e-mails that he sent to fraudsters. He was being paid $50 for each piece of information and was only caught when the company’s IT security system created an alert based on the high number of e-mails he was sending. His thefts, Kenney says, ran into the high six figures.
Large breaches often happen because the data management security measures that a retailer is using aren’t designed to recognize when an attack is taking place. Forrester Research reports interviewing “a large retail firm’s database administrator [DBA] who claimed that someone broke into the company’s critical database system and stole private data, and that the breach went undiscovered for 45 days” – virtually the same scenario as the Hannaford Bros. breach.
But a retailer with the right data security tools in place does not have to wait months, weeks or even days to recognize that a breach is under way. These tools combine real-time log management, event correlation and endpoint security with active responses: automated alerts sent to IT security personnel, and automated actions that can quarantine, block, route and control services, processes, accounts and privileges.
Some applications also block unauthorized connections, like the insertion of a USB device into a company computer or POS terminal. In one instance, TriGeo SIM detected a salesman trying to probe for information on his employer’s network. The SIM software disconnected that person from the network and sent an automated message to the cell phone of the head of security, who instantly started an investigation. In another instance, a contractor with access to a retailer’s network tried to run PWSweep, a program hackers use to steal passwords. Again, TriGeo SIM alerted management.
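The three detections described above (an insider flagged by an unusual volume of outbound e-mail, a USB storage device plugged into a POS terminal, and a contractor launching a password-stealing tool) all reduce to the same pattern: normalize log events, correlate them against a rule, and trigger an automated response. The following Python script is an added example that is not code from TriGeo, Guardium, Ipswitch or the article. The log format, host naming, thresholds, tool watchlist and response names are all assumptions chosen for illustration, and the log lines are constructed, not captured from any real system.

```python
"""
Minimal event correlation over constructed log lines: a sliding-window
threshold for outbound e-mail bursts, a USB mass-storage rule for POS hosts,
and a process watchlist, each mapped to an automated ("active") response.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical key=value syslog style.
# The users, hosts and device IDs are invented for this example.
SAMPLE_LOGS = """
2010-07-12T09:01:10 host=HELPDESK-04 user=rlee event=email_sent dest=external attach=1
2010-07-12T09:02:30 host=HELPDESK-04 user=rlee event=email_sent dest=external attach=1
2010-07-12T09:03:05 host=HELPDESK-04 user=rlee event=email_sent dest=external attach=1
2010-07-12T09:03:50 host=HELPDESK-04 user=rlee event=email_sent dest=external attach=1
2010-07-12T09:04:20 host=HELPDESK-04 user=rlee event=email_sent dest=external attach=1
2010-07-12T09:04:55 host=HELPDESK-04 user=rlee event=email_sent dest=external attach=1
2010-07-12T09:10:00 host=WS-201 user=mgarcia event=email_sent dest=internal attach=1
2010-07-12T09:12:00 host=POS-117 user=svc_pos event=usb_connect class=mass_storage vid=0781 pid=5567
2010-07-12T09:15:00 host=WS-310 user=contractor7 event=process_start image=C:\\tools\\pwsweep.exe
2010-07-12T10:30:00 host=WS-201 user=mgarcia event=email_sent dest=external attach=1
""".strip().splitlines()

# Hypothetical tuning values; a real deployment would baseline these per role.
EMAIL_THRESHOLD = 5                  # alert on the 6th external e-mail in the window
EMAIL_WINDOW = timedelta(minutes=10)
POS_HOST_PREFIX = "POS-"             # assumed naming convention for POS terminals
TOOL_WATCHLIST = {"pwsweep.exe"}     # the tool named in the article; list is an assumption


def parse(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *kvs = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for kv in kvs:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def correlate(lines):
    """Return (rule, subject, response) tuples in the order the rules fire."""
    alerts = []
    windows = defaultdict(deque)   # user -> timestamps of recent external e-mails
    already_fired = set()          # alert once per user, so a burst is not re-reported
    for event in map(parse, lines):
        kind = event.get("event")
        if kind == "email_sent" and event.get("dest") == "external" and event.get("attach") == "1":
            recent = windows[event["user"]]
            recent.append(event["ts"])
            while recent and event["ts"] - recent[0] > EMAIL_WINDOW:
                recent.popleft()   # drop timestamps that fell out of the sliding window
            if len(recent) > EMAIL_THRESHOLD and event["user"] not in already_fired:
                already_fired.add(event["user"])
                alerts.append(("email_burst", event["user"], "quarantine_account"))
        elif (kind == "usb_connect" and event.get("class") == "mass_storage"
              and event.get("host", "").startswith(POS_HOST_PREFIX)):
            alerts.append(("usb_on_pos", event["host"], "block_device"))
        elif kind == "process_start":
            # Normalize the image path so the watchlist match is on the file name only.
            image = event.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
            if image in TOOL_WATCHLIST:
                alerts.append(("watchlisted_tool", event["user"], "disconnect_host"))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Run against the constructed lines, the script fires once for the help-desk user after the sixth external e-mail in ten minutes, once for the mass-storage device on POS-117, and once for the watchlisted process, while the user who sent two ordinary e-mails an hour apart generates nothing. The response names are placeholders for whatever the SIM product actually does (disable the account, push a firewall rule, disconnect the port); the point is that the decision is made by correlation over a window of events, not by any single event in isolation.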
To most effectively minimize breaches of data as it’s being transferred from one exchange to another, companies need more than technology. They also must “articulate to employees the way data is to be transferred as well as stored,” Kenney says, “and they need to explain why data security is an issue and spell out the ramifications of not complying with the data transfer and storage policies and procedures that they have in place.”

