Apply today for a FREE subscription to CIO Magazine!
Thu, Feb 1, 2007 16:34 EST
|
Posted by: Information Col... Topic: InfrastructureBlog: Information Collective
Current Rating: |
If you haven’t noticed, there is something different about the security breach disclosed last month by TJX Cos. Some Massachusetts banks have linked fraudulent credit card purchases to the security breach at TJX, during which hackers nabbed possibly millions of credit card numbers.
Not such a big deal, you say? Well, as far as most security experts I have talked to in the past couple of years have said, matching a specific incident of credit card fraud to a specific security breach incident is unprecedented. Has any bank ever been able to prove that a significant number of fraudulent credit card purchases came from a specific corporate security breach? So far, no. But it is exactly this kind of “connecting the dots” that security experts say needs to happen for companies to begin to take information security more seriously.
The Massachusetts Bankers Association (TJX is based in Framingham, Mass.) claims it has connected the dots. A small bank that is an MBA member linked a spike in fraudulent credit card purchases last month to the TJX break in. How did they do it? MBA execs won’t give details and won’t release the name of the bank, but MBA spokesman Bruce Spitzer says that last month that small undisclosed bank noticed 22 incidents of fraudulent credit card purchases on an undisclosed number of their customers’ accounts. That may not sound like a lot, but for the small bank, it represented a big spike in fraudulent purchases. Bank officials contacted the customers and asked if they had shopped at a TJX store. All said they had. Spitzer says the MBA, which has 250 member banks, intends to pursue the recovery of any costs from the fraudulent purchases and says it can directly link the credit card misuse to the TJX breach.
If so, that’d be huge. Until now, there has been no smoking gun, and it remains to be seen whether the MBA, or a bank acting on its own, or Visa or Mastercard can make such a connection. It will be difficult to do. To date, more than 100 million identities have been stolen or exposed since February 2005. That's when the Privacy Rights Clearinghouse began tracking security breaches after data collector ChoicePoint announced that 145,000 accounts had been stolen from its databases. Defense attorneys can make the argument that the card numbers could have come from other breaches.
Until Feb. 1, Wall Street hadn’t viewed security breaches as a big financial threat. On Jan. 18, the day the Wall Street Journal reported TJX’s security breach, TJX’s stock price dropped from a little less than $30 a share to a close of about $29.50. By the next day, the stock price had recovered its losses and climbed beyond $30 a share. A week later, another Wall Street Journal article followed by an article in the Boston Globe the next day (both reporting on the widening credit card fraud and possible link to the TJX breach) drove TJX stock back down below $29.50, where it closed Jan. 30.
That 1.7 percent decrease in TJX’s stock price is in line with the percentage price drops for other companies that have announced similar security breaches. A study by Emory University and the Ponemon Institute found that when a company announces a security breach, its stock price drops between 0.6 percent and 2.1 percent. Not a heavy hit.
But on Feb. 1, TJX stock closed down more than $1 – another 3.6 percent – to $28.49 a share, on volume that was three times the daily average. The drop was attributed to a class action lawsuit filed the day before by AmeriFirst Bank in Union Springs, Ala., against TJX, and to a call by U.S. Rep. Ed Markey (D-Mass.) for the Federal Trade Commission to investigate any negligence by TJX. Over a five day period, TJX fell more than 5 percent. Now we’re talking about some serious money. Are investors starting to connect the dots, too? Are they beginning to worry that the damage to TJX’s reputation may be hard to recover from? And are banks no longer willing to shoulder the costs?
If so, that will signal a big shift in past thinking about security breaches. In the past, investors (and company executives) knew banks and credit card companies would cover fraudulent purchases, not the company that experienced the security breach. More important, they knew that law enforcement had yet to pin a specific credit card crime to an individual security breach, making it difficult to bring criminal charges. The cost just has not been there. No wonder that some companies delay announcing a breach, although many company executives explain that they are doing so because law enforcement requested they keep the breach silent until they can investigate.
But the big secret is that a large portion of companies choose not to announce a breach, security experts and lawyers say, because the chance of getting caught is so slim. That fact may help explain why about one in six companies admit to not complying with California’s 4-year-old security breach notification law even if they are require to do so, according to the Global State of Information Security survey conducted by CIO Magazine and PriceWaterhouseCoopers. And why many companies do not adequately protect private data.
The banking industry is becoming exasperated by being the one left holding financial bag, and TJX may be the first to feel the industry’s wrath. We’ll have to wait and see. But without a higher likelihood that a company could get caught for not notifying customers of a security breach or for not following standard, industry-accepted security procedures to protect personal information, the breaches will continue to occur.
Do you view the risk of not notifying customers in case of a data breach, or not deploying strong security measures, worth taking? Or is the tide beginning to turn and you feel you need to bolster your security measures?
-- Allan Holmes
Connecting the dots and linking them to a particular security breach is important as it will lead to making the custodians of data accountable for its security and breaches.
It is an irony that the banking industry currently pays for the sins of other businesses. It is similar to asking the auto industry to pay up for road accidents.
I worked there for three years. During that time it was made clear to me, more than once and by Paul Butka (now CIO), among others, that while TJX was writing policies regarding data security, the policies were not to interfere with the speed of any software rollouts. Repeated suggestions that we hire QA people to test our security were ignored.