Last year was an embarrassing one for business in terms of safeguarding personal data, and companies, including retailers, are bracing for another rocky year in 2008.
“My guess is that it will be worse,” said Paul Stephens, director of policy and advocacy for Privacy Rights Clearinghouse, a San Diego-based nonprofit organization that tracks data breaches. More than 67 million records containing sensitive information on customers and employees were put at risk for fraud through theft, improper disposal or just lax security in the United States last year, according to Privacy Rights Clearinghouse.
The organization has not yet finalized its data breach count, but it’s clear 2007 will go on record as the worst 12 months since it began tracking incidents following the ChoicePoint debacle in 2005. (ChoicePoint Inc., a national provider of identification and credential verification, was the victim of criminals posing as legitimate businesses who obtained personal information on some 140,000 of ChoicePoint’s consumers.) And, added Stephens, retailers that discovered breaches late last year may choose to wait until after the holidays to disclose them, as TJX Cos. Inc. did in January 2007, when it revealed that up to 45.7 million customer accounts were put at risk.
One industry source said another major retailer, which he declined to identify, is currently dealing with a significant data breach and had not yet announced it.
“I am pessimistic because 85 percent of all retail locations are not secure,” said one retail chief information officer, who requested anonymity.
Stephens said a growing vulnerability he’s observed involves credit and debit card swipe terminals at the cash register, which can be easily removed, modified and returned to transact business without anyone’s notice, all the while capturing PIN, or personal identification numbers, for data thieves. The technique is called “skimming” and while it does not constitute an intrusion to a retailer’s central database, it does yield data that can be sold for identity theft, often to organized crime outfits overseas.
Another growing threat to data security is increased use of mobile devices like memory sticks, laptops, cell phones and personal data assistants, according to a survey by Ponemon Institute released last month.
Although 87 percent of technology employees surveyed said they know company policy prohibits copying data to a memory stick, 51 percent of them admit doing it anyway. Some 39 percent of respondents said they lost a mobile device containing corporate data and most — 72 percent — failed to report it immediately.
More than half of respondents, 56 percent, believe their employer could never determine the type of data that was stored on a lost device. The survey was conducted on behalf of RedCannon Security.
The costs of recovering from a data breach are on the rise, up 8 percent in 2007, and that follows a 43 percent surge the previous year, according to a separate Ponemon survey. This second survey polled companies in 15 business sectors that lost confidential data in 2007, and asked them to quantify their breach-related costs. Broken out as a group, retailers said their cost was $145 for each record or credit card account exposed to risk and that covers legal, technology and administrative expenses as well as lost business. Lost business accounts for 65 percent of the total cost and respondents said customer churn rates blamed on a breach event were 2.67 percent in 2007, up from 2.01 percent in 2006.
Also on the rise are breaches blamed on third-party companies, which are typically more costly than lapses that are self-inflicted. In 2007, 40 percent of breaches were traced to outside parties versus only 29 percent of incidents blamed on outsiders in 2006, according to the survey, which was released in November and sponsored by security software companies PGP Corp. and Vontu.