Tuesday, April 17, 2007

 

Invasion of the identity snatchers

American companies are getting proactive in the identity-theft battle
By Steve Alexander - McClatchy Newspapers
Updated: 04/16/07 7:26 AM


MINNEAPOLIS — In February, Hank and Roma Gerbus received an odd phone call. Last year, the Cincinnati couple had had their computer hard drive replaced at a local Best Buy store and were assured that the old drive would be destroyed. But in February, the couple heard from a Chicago man who said that he had bought their old hard drive at a flea market and that their Social Security numbers were still intact.

Such corporate and government security breakdowns that could lead to identity theft have become almost routine. Since early last year, personal information has been put at risk by 138 security breaches at private companies and government agencies, according to the Privacy Rights Clearinghouse, a San Diego nonprofit. Recently, in the largest known threat to date, a Department of Veterans Affairs laptop computer was stolen, exposing 28.6 million current and former military personnel to potential identity theft.

While consumers obviously worry about such breaches, corporations are probably even more concerned. Richfield, Minn.-based Best Buy Co., which admits that the Gerbus incident occurred but says it is still investigating, is beefing up security spending by $15.5 million this year, the first of a two-year effort to tighten computer security.

It also is in the third year of training employees at its stores about data security under the slogan, “Customer privacy: Know it, respect it, protect it.” The company hires pseudo-hackers to try to break into its networks before real hackers might. Last year, it gave its government relations director an additional title: director of privacy.

Other corporations also are taking action, beefing up computer security budgets and hiring outside specialists to test just how secure their systems are, said Avivah Litan, a computer security analyst at Gartner Research in Stamford, Conn. “Corporations are in a state of panic,” Litan said. “It’s a public relations nightmare.”

Best Buy describes a sweeping computer security project that touches nearly every aspect of data-handling by hundreds of computer systems. And it described 50 “control points” where Best Buy has appointed “data stewards” to strictly monitor which employees can access credit card and other sensitive personal information about the company’s customers.

These efforts come at a time when the potential threat of identity theft looms larger than the reality. A survey last year by Javelin Strategy and Research of Pleasanton, Calif., found that the number of identity-theft victims didn’t increase in 2005, despite a growing list of corporate security breaches that could create future victims.

An American citizen has about a 4 percent chance of being an identity-theft victim, said James Van Dyke, Javelin’s president. The total cost of identity theft in the United States was $56.6 billion in 2005.

“Identity theft is like terrorism — you have to plan for the worst case, because there are so many different attempts being made,” Van Dyke said. “If anything, corporations need to invest more in security all the time.”

Enforcement has fallen mostly on the states. Most have enacted laws that require corporations to disclose security breaches of consumers’ personal information.

The Federal Trade Commission can’t require companies to disclose breaches, but it can recommend federal lawsuits against corporations that have violated consumers’ privacy rights, spokeswoman Claudia Bourne Farrell said. The FTC itself became a victim when two laptops containing personal information on about 110 people were stolen from an employee’s car.

The impact of identity theft on consumer behavior is hard to measure. A Gartner survey last year found that 42 percent of online shoppers worried about security, causing them to spend less.

Best Buy and other big retailers are trying to comply with demanding new credit card security standards backed by Visa and MasterCard. One of the toughest provisions requires corporations to encrypt credit card data at all times, which slows computer systems.

For a corporation as large as Best Buy — the nation’s largest consumer electronics retailer, with 120,000 employees — overhauling computer security is an immense task because of the network’s complexity. One computer system tracks daily sales, while another logs cash-register transactions for later auditing. One system handles credit card transactions, while another keeps track of extended product warranties.

“Our network architecture contains hundreds of computer systems, 50 of which contain customer information for some period of time,” said Brian Martin, Best Buy’s director of system strategy. The latter systems are the focus of a continual review of who can access the information they contain.

Employee laptops pose another challenge. Besides encrypting data on the laptops — which is designed to keep data from being read if the computer is stolen — Best Buy limits how much customer information an employee can carry out of the company on a laptop by making the downloading process laborious.

“You might be able to download 1,000 customer transactions,” Martin said. “You couldn’t download 100,000 transactions.”

Best Buy also is increasing security at the store level, from training employees not to print out a credit card application and leave it on the printer to getting credit card information quickly out of the store.

Best Buy’s stores haven’t always been so security-conscious. In a highly publicized 2002 incident, a computer security firm intercepted non-encrypted Wi-Fi signals from its electronic cash registers, revealing customer information involved in purchases.

Best Buy hired external experts to review security at its stores, which now use encrypted wireless signals, and for greater security use separate wireless networks for sales and inventory data.




