
Shivering in Their Breaches

Afraid of bad publicity, large organizations delay in warning customers of major security failures

1:55 PM -- UPI yesterday reported that the personal information of more than 28,000 Nationwide Health Plans customers has been stolen. Medical claim data, health information, and Social Security numbers were stolen from the Weymouth, Mass. office of Concentra Preferred Systems, a Nationwide subcontractor.

The theft occurred Oct. 26. Nationwide learned of it two weeks later. It sent letters notifying customers last week.

My question is: What took them so long?

In the past week, major security breaches have been disclosed at TJX Co., Moneygram, Canada's CIBC bank, and the Swedish bank Nordea. (See TJX Breach Skewers Customers, Banks and Data Losses Strike Three More Firms.) Even the IRS seems to have misplaced 26 data tapes containing personal information of thousands of Kansas City residents. (See 26 IRS Computer Tapes Missing.)

In all of these cases, the organizations involved took three weeks or more to inform customers of the danger. Nationwide's data has been gone for almost three months. The IRS data was lost in August, but the agency still hasn't informed the individuals whose information was on the lost tapes. Nordea estimates that 250 of its customers have been attacked over the past 15 months, but warnings are only just now going out.

All of these breaches are different, and perhaps in some cases, there were extenuating circumstances. But no matter what the situation, or whose fault it may have been, customers need faster notification when a breach occurs. In cases such as TJX and Nordea, some customers weren't informed of a potential problem until after their accounts had been violated. That's too late in anybody's book.

The fact is that most large organizations are afraid to disclose potential losses of personal information, and they have every right to be. Some experts estimate that a company loses as many as 30 percent of its online and credit card customers after disclosing a security breach. In a study published earlier this month, the Ponemon Institute estimated that each lost customer record costs a company about $182 following disclosure. Clearly, the risks of making such a revelation are incredibly high.

But isn't it just as dangerous to discover a breach and say nothing to customers? If a company notifies customers in time, perhaps some of them will be able to secure their accounts so the thieves cannot use their information against them. At the very least, a prompt disclosure would seem a prudent measure against potential lawsuits alleging negligence by the company that lost the data.

The harsh reality is that many of us have already had our personal data stolen, and have never been told about it. In fact, TrustID earlier this week unveiled a free service that will let users find out if their information is among the two million bits of credit card and Social Security number data reported compromised in recent months. (See Scientific Atlanta Intros USRM.)

There are state laws that require swift disclosure of security breaches, and there should be a national law as well. But even with such laws in place, many companies continue to sweep their breaches under the rug, aware that the business losses associated with disclosure are usually greater than the fines that might be levied against companies that break those laws.

It's a dangerous game, and the stakes could be our personal information. We can only hope that companies will think of their customers' welfare first rather than their own bottom line.

— Tim Wilson, Site Editor, Dark Reading
