Fintech, August 3 2008

Plugging the leak

The banking industry has suffered a number of huge data breaches. Michelle Price finds out where the weak points are.

The UK’s Data Protection Act celebrated its 10th anniversary in July. The occasion has prompted heated debate among privacy rights campaigners and government lobbyists, many of whom feel its provisions are now inadequate. This issue and the wider systemic problems surrounding data security have been thrown into sharp relief by a catalogue of breaches in which data has been lost through carelessness, by accident or, more worryingly, through theft.

The problem is now endemic throughout both the public and private sectors. Privacy Rights Clearinghouse, a non-profit US-based consumer organisation, reports that the number of consumer records containing sensitive personal information involved in security breaches in the US alone since January 2005 now totals 233 million.

Many banks and financial services firms feature on Privacy Rights Clearinghouse’s extensive list of such incidents. The past six months alone have seen a number of such cases, with both Prudential and card issuer GE Money disclosing incidents in January. These were followed in April by HSBC and Bank of Ireland, both of whom admitted losing information relating to thousands of customers.

These episodes were soon eclipsed by Bank of New York Mellon, however, which went on to announce in May that back-up tapes containing details on 4.5 million customers had been lost.

Perhaps most notably, however, July saw the UK FSA issue its first fine to a stockbroker for poor data security controls. The watchdog’s actions in this case reflect its ever-hardening resolve to pursue and punish those firms failing in their obligation to protect customer data. Such firms are not hard to find.

Serious and widespread

In its first and extremely lengthy report on the state of data security in UK financial markets, published in April, the FSA registered its dissatisfaction with the “serious and widespread” lack of security controls, policy and practice encountered when conducting its research. These poor controls explain, in part, why data breaches accounted for one-third of cases dealt with by the FSA’s newly created Financial Crime and Intelligence Division during 2007.

Nevertheless, there is little evidence to suggest that the banking community is more culpable than any other industry when it comes to data security breaches. However, because banks are trusted custodians of high volumes of personally identifiable customer information and extremely valuable financial data, the risk associated with data breaches is far higher than in other industries.

Research from privacy think tank Ponemon Institute finds, for example, that the overall cost of a data breach for a financial services firm, including detection of the breach, lost business, technology changes and other associated costs, is 17% higher than in other industries, totalling an eye-watering £55 ($110) for every record. Evidently, institutions in which customers place high expectations of trust have more to lose, both in terms of reputation and long-term costs.

For watchdogs such as the FSA and the UK’s Information Commissioner’s Office, independent guardian of consumer information, the cost to business is a lesser concern than the cost to clients and customers. This cost grows in line with the increasing incidence and variety of financial fraud and identity theft, the profitability of which has given rise to a highly sophisticated international black market devoted to the theft and trade in personally identifiable information.

Much like stolen appliances and electrical goods, data is now bought and sold in public houses and clubs, as well as online and through sophisticated criminal distribution networks. But with the average market value of a record estimated at £30, trading in stolen data is far more profitable: the FBI estimates that the global trade in personal information is now worth more than the international drugs trade. Nor is it distinct from such activities.

Increasingly, governments are uncovering the links between global data theft and other criminal activity, in particular global terrorism, according to Phil Dunkelberger, CEO of data protection specialist PGP Corporation and a founder of the US-based Cyber Security Industry Alliance.

A commodity for criminals

Not all financial organisations, however, understand the true value of data as a commodity for criminals, says the FSA. This may be leading them to overlook major points of vulnerability within their organisations, in particular the threat of malicious insider activity. The UK’s fraud prevention service, CIFAS, believes that fraudsters often solicit the help of existing employees in their attempt to procure valuable data. Urs Fischer, vice-president and head of IT governance and risk management at pension and life insurer Swiss Life, says the internal threat is his number one concern. “For me, the danger is coming from the inside,” he says.

There is a range of perimeter controls that organisations can use to protect against threats from external intruders, such as hackers. But organised criminals directly targeting certain institutions will likely operate through someone internal holding legitimate access to the data, says Mr Fischer. The tactics deployed in such instances might include social engineering, a tried and tested method in which fraudsters effectively ‘trick’ employees into revealing information, or financial inducement. “Incompetence is one thing, but you can build awareness. I think [the threat] is more malicious,” he says.

For retail banks, the vulnerabilities in this regard are frequently found in third-party relationships, including outsourcers, contractors, consultants and business partners. Such instances account for almost 40% of data breaches.

“Every data breach we have ever experienced has involved a third party,” says one head of security at a major bank. Such breaches are found to be the most expensive kind, costing £59 a record, says the Ponemon Institute.

Third-party breaches

The most well-publicised instances of third-party breaches have occurred in call centres, in which workers have privileged access to databases containing huge swathes of information. In such environments, the combination of low-income work and high staff turnover is found to make staff more vulnerable to recruitment by organised criminals. Paul Davie, founder and COO of Secerno, a software company that specialises in protecting database information, says that police believe more than one in 10 call centres in Glasgow have been infiltrated by organised gangs.

The same phenomenon is found elsewhere. The most in-depth research into it has been conducted by Carnegie Mellon University’s Computer Emergency Response Team (CERT). In its recent Crimewatch survey conducted for the US Secret Service, it found that two-thirds of insider-enabled data theft involved an external colluder to whom the information was sold. In half of these cases, says Dawn Capelli, a senior researcher at CERT, the individual was actively recruited for the task.

Ms Capelli cites multiple cases in which outsourcers or subcontractors are involved. In one such case, a credit card company experienced a data breach that actually occurred within an entity that was two parties removed: in this instance, the perpetrator was employed by a company to which the credit card organisation’s chosen outsourcer subcontracted data analysis work. This devolution of responsibility is not uncommon: as such, says one banking security chief, banks frequently “have no control” over the parties through whom vast volumes of data are passed on a regular basis.

Elisabeth Antonsson, head of IT security risk management at Nordea Bank, and member of the Information Systems Audit Control Association Membership Board, says this issue has become a focus for bank security teams.

“It is very important to be in control. You can’t outsource IT security responsibility,” she says. “I have seen cases in which the move to outsource a function happens too fast. When you enter into a contract that fast you seem to lose control of the security.”

The growth of such relationships reflects what commentators frequently refer to as the ‘de-perimeterisation’ of organisations, in which both technological and cultural changes are pushing data towards the periphery.

This trend is also having a hugely adverse impact on firms’ operational capacity to control the whereabouts of their data. Remote working and mobility, in particular, have put paid to the notion that an organisation operates a pre-determined boundary within which data can be contained: nowhere is this more amply demonstrated than in the number of cases in which laptops containing data have been lost.

Likewise, small storage devices such as USB sticks capable of holding entire databases full of information have only emerged during the past two years, meaning that employees are now able to physically walk away with volumes of information with a level of ease never before possible.

These rapid technological developments have fostered dysfunctional IT estates in which “compliance around data security is shambolic”, says Peter Barrett, responsible for business development of financial services at Fujitsu. Banks have “servers in cupboards all over the country: they have no idea what’s on them and, some of them, they don’t even know exist”, he says.

This problem is compounded by the way in which banks are building out their business lines. In an attempt to more effectively cross- and up-sell products, banks are collecting far more personal data about customers than ever before. Regulatory requirements, such as Know Your Customer and Treating Customers Fairly, also demand that banks procure and retain detailed information about their customers and clients.

Meanwhile, many organisations are increasingly acting as lead-generators for products provided by third parties, meaning the exchange of data between numerous parties continues to increase. “A lot of these deals come from the marketing guys and they can happen very quickly,” says one source. “The technology doesn’t catch up and so therefore the process can go awry very quickly.”

An extremely active and lucrative market in personal data, combined with technological and cultural developments that disrupt data management, makes for a tremendous challenge. This is not aided by the lack of a clear regulatory framework in many countries, particularly in the UK, where notification of a data breach is not legally mandatory. This inhibits the ability of the banks to undertake thorough and meaningful risk assessment of the problem. It also means that many security chiefs are not able to procure the proper funding for necessary IT projects, according to one banker.

Full disclosure

Moreover, a lack of accountability means that some banks are not being fully transparent. The FSA and other security experts believe that many banks are not disclosing their data breaches – assuming, that is, the bank is even aware of those that have occurred.

Professor John Walker, former chief security officer at Experian and a director at security association, the ISSA, says that decisions regarding disclosure are being made by self-interested parties who are not acting according to the FSA best practice guidelines.

“I know of several banks that have lost data, but internal reviews tend to downgrade it and then suppress it,” he says. “When breaches occur, the firms are not thinking about the impact on the customer: it is a public relations issue.”

The FSA is growing restive, however. One source says the watchdog is looking to make an example of a bank on the subject of data security, and “hang them out to dry”. But following the past year’s tribulations, Downing Street is pressurising the FSA to go easy on the banking community, says the source.

But movements at other government levels are threatening to shake things up. The House of Lords Science and Technology Select Committee has been particularly vocal on this point, calling for a notification law similar to that found in the US. Cross-bench peer Lord Merlin Erroll, a member of the Committee, says the Lords called for the law in order to cast much-needed light upon the issue.

“The real reason we recommended the data breach disclosure law was because we wanted to know the scale of the problem, because right now we don’t know how big it is,” says Lord Erroll.

Many parties, including bankers, feel that a more stringent regulatory line is long overdue. Ghassan Youssef, corporate information security and business continuity manager at Banque Audi, SAL, is unequivocal on the point of disclosure. He believes that it is a matter of corporate social responsibility to inform all stakeholders when a data breach has occurred. “We are the custodian for our clients’ information. The ultimate owner remains the client,” he says. “Therefore, he should be informed immediately on anything that happens to him, his account, his information, anything.”

Whether the public, regulators and banks are fully prepared for such disclosure, however, is another question. But the pressure is now on to become fully transparent regarding data breaches. This may yet provide the first critical step in addressing this ever-pressing problem.
