A group of security professional peers and I gathered for our yearly casual dinner in downtown Washington D.C. Over the years the discussions reflected the current state of affairs in the security industry. Very quickly, something about this years conversation struck a chord.
A few short years back, we sat at the same table and argued about which device sucked up packets the quickest, however, on this night the conversation was much different. The discussion focused around the fact that security has now reached deep into the pockets of billion-dollar companies and in doing so, has impacted Wall Street and legislation as well.
As I sat there, I wondered if this could be true and if so, how did it progress to this point so quickly? For a moment I pondered back over the course of this year.
On a chilly February morning, I remember the first major data security incident. The big news was that a ring of ”identity thieves” conned ChoicePoint into providing them with access to its databases containing personal information on tens of millions of individuals. Full names, Social Security numbers, and addresses. You name it, ChoicePoint has it — and has sold it.
In the spring of this year, I remember hearing that LexisNexis, a $2.1 billion information services concern, became center stage when news of an information leak hit the public news wires. This particular saga began in February when a group of young hackers sent out a blast of junk e-mail promising an attached file of pornographic images. According to published reports, someone in a police department in Port Orange, Fla., and someone in a constable’s office in Denton County, Tex., took the bait.
By clicking on the link, the two victims downloaded key-logging software onto their computers that recorded every keystroke and every click of their mouse. And when they later logged into their LexisNexis accounts, which police use to obtain background information on criminal suspects, their passwords and user names were captured by hackers.
As spring drew to a close and summer began, CardSystems Solutions became the next to fall victim to a data security breach. The latest and the largest database hack at a credit card processing company had affected 40 million accounts for Visa and MasterCard, while 200,000 records had been stolen, according to one report.
A MasterCard International spokesman said the data security breach at the Tucson-based credit card processing company could have happened because of software security vulnerabilities that were cleverly exploited by the intruders who had managed to install a rogue program to capture credit data on its network.
Are individuals, corporations and the government taking lax security practices seriously?
Just ask John Perry, CEO of CardSystems Solutions, the credit card transaction processing company from whom 40 million credit card records were stolen in June. He told Congress that because of the security breach, his company faced ”imminent extinction” — the result of its two biggest customers, Visa and American Express, having canceled their contracts with the Atlanta-based company. ”CardSystems is being driven out of business,” he said.
According to an independent survey of almost 10,000 adults by the Ponemon Institute, almost 20 percent of those surveyed have stopped using a company because of a security breach that exposed their personal data. The survey also found that 40 percent of the group is thinking of terminating their relationship with such a company and 5 percent had hired a lawyer when they discovered their personal information might have been compromised.
The government has also taken notice.
It’s not every day that Kurt Sanford has the uncomfortable experience of testifying before Congress, defending an industry that has flown well beneath the radar and, thus far, been loosely regulated. But the heat is being turned up on ChoicePoint, LexisNexis and the data-aggregating industry in general.