

1/26/2007
03:55 AM

Shivering in Their Breaches

Afraid of bad publicity, large organizations delay in warning customers of major security failures

1:55 PM -- UPI yesterday reported that the personal information of more than 28,000 Nationwide Health Plans customers has been stolen. Medical claim data, health information, and Social Security numbers were stolen from the Weymouth, Mass. office of Concentra Preferred Systems, a Nationwide subcontractor.

The theft occurred Oct. 26. Nationwide learned of it two weeks later. It sent letters notifying customers last week.

My question is: What took them so long?

In the past week, major security breaches have been disclosed at TJX Co., Moneygram, Canada's CIBC bank, and the Swedish bank Nordea. (See TJX Breach Skewers Customers, Banks and Data Losses Strike Three More Firms.) Even the IRS seems to have misplaced 26 data tapes containing personal information of thousands of Kansas City residents. (See 26 IRS Computer Tapes Missing.)

In all of these cases, the organizations involved took three weeks or more to inform customers of the danger. Nationwide's data has been gone for almost three months. The IRS data was lost in August, but the agency still hasn't informed the individuals whose information was on the lost tapes. Nordea estimates that 250 of its customers have been attacked over the past 15 months, but warnings are only just now going out.

All of these breaches are different, and perhaps in some cases, there were extenuating circumstances. But no matter what the situation, or whose fault it may have been, customers need faster notification when a breach occurs. In cases such as TJX and Nordea, some customers weren't informed of a potential problem until after their accounts had been violated. That's too late in anybody's book.

The fact is that most large organizations are afraid to disclose potential losses of personal information, and they have every right to be. Some experts estimate that a company loses as many as 30 percent of its online and credit card customers after disclosing a security breach. In a study published earlier this month, the Ponemon Institute estimated that each lost customer record costs a company about $182 following disclosure. Clearly, the risks of making such a revelation are incredibly high.

But isn't it just as dangerous to discover a breach and say nothing to customers? If a company notifies customers in time, perhaps some of them will be able to secure their accounts so the thieves cannot use their information against them. At the very least, a prompt disclosure would seem a prudent measure against potential lawsuits alleging negligence by the company that lost the data.

The harsh reality is that many of us have already had our personal data stolen, and have never been told about it. In fact, TrustID earlier this week unveiled a free service that will let users find out if their information is among the two million bits of credit card and Social Security number data reported compromised in recent months. (See Scientific Atlanta Intros USRM.)

There are state laws that require swift disclosure of security breaches, and there should be a national law as well. But even with such laws in place, many companies continue to sweep their breaches under the rug, aware that the business losses associated with disclosure are usually greater than the fines that might be levied against companies that break those laws.

It's a dangerous game, and the stakes could be our personal information. We can only hope that companies will think of their customers' welfare first rather than their own bottom line.

— Tim Wilson, Site Editor, Dark Reading
