When hackers break into social networking sites, medical records databases or entertainment companies, experts say it’s consumers who often end up paying the price.
Systems such as Sony’s gaming network, which was breached this year, have become increasingly attractive for cyber criminals, especially now that video gaming accounts contain such valuable personal details, says Adam Levin, chairman and founder of Identity Theft 911, an identity and data risk management company. “The Sony breach last April merely underscores something obvious: Gaming networks and similar sites are delicious targets.”
Breaches cost organizations millions of dollars, and those costs tend to trickle down to consumers, says Evan Brown, an associate at law firm Hinshaw & Culbertson. “It is inevitable that the costs will be passed on,” he says. Apart from investigative costs, he says, many companies that are the target or victim of a data breach offer credit monitoring services to affected individuals.
The number of personal records being compromised is also on the rise, even though the number of reported breaches this year is lower than last year. Some 30.4 million records were compromised in 2011 in 535 separate breaches, according to the Privacy Rights Clearinghouse. That’s up from 12.3 million in 2010.
Not all breaches involved sophisticated hackers. Those at Sutter Physicians Services in October and military healthcare program Tricare Management Activity in September were the result of the theft of hardware and software, respectively. They underscore the importance of not forgetting low-tech protections like encrypting files and not leaving backup disks unattended, Brown says.
Others didn’t involve Social Security numbers, but did have implications for password security. “Capturing a customer list containing thousands of email/password combinations represents a potential threat to online bank accounts and other web-based services,” says Steve Fox, senior security auditor at IT security business Coalfire.
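Fox’s point is that a stolen list of email/password pairs is dangerous twice over: once because the site stored passwords in recoverable form, and again because the same pairs usually work at other services. The example below is added here and is not code from the article or from any company it mentions. It shows the hardened alternative (salted PBKDF2 hashes, constant-time comparison) and a defender-side check that a second site can run against a leaked list to find which of its own users reused a leaked password. All names and credentials are constructed sample data, not from any real breach.

```python
import hashlib
import hmac
import os

# Constructed sample of the kind of list the quote describes: plaintext
# email/password pairs, which is exactly what an attacker walks away with
# when a site stores credentials unhashed. Not from any real breach.
PLAINTEXT_LIST = [
    ("alice@example.org", "correct horse battery staple"),
    ("bob@example.org", "hunter2"),
]

# PBKDF2-HMAC-SHA256 work factor; 600,000 follows current OWASP guidance.
ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$hash.

    A fresh random salt per password means two users with the same
    password get different records, so a leaked table cannot be attacked
    with a single precomputed lookup.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    got = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(got, bytes.fromhex(digest_hex))


def build_credential_store(pairs):
    """What the breached site should have stored instead of PLAINTEXT_LIST."""
    return {email: hash_password(pw) for email, pw in pairs}


def find_reused_credentials(leaked_pairs, store):
    """Defender-side credential-stuffing check for a second site.

    Given a third-party leak (email, plaintext password) and this site's
    own hashed store, return the emails whose leaked password also unlocks
    the account here. Those users need a forced reset before attackers
    replay the list.
    """
    hits = []
    for email, leaked_pw in leaked_pairs:
        record = store.get(email)
        if record is not None and verify_password(leaked_pw, record):
            hits.append(email)
    return hits


if __name__ == "__main__":
    store = build_credential_store(PLAINTEXT_LIST)
    # Constructed leak from "another site": bob reused his password there.
    leak = [("bob@example.org", "hunter2"), ("alice@example.org", "letmein")]
    print("users exposed by the third-party leak:", find_reused_credentials(leak, store))
```

The reuse check only works because the defender can verify a candidate password against its own hashes; it never needs, and should never keep, the plaintext list beyond the duration of the sweep.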
Pay Dirt asked a range of security experts for the worst breaches of the year. Here they are in no particular order:
Brokerage Morgan Stanley Smith Barney has warned 34,000 accountholders of a data breach that exposed Social Security numbers, account information and addresses, among other data.
The information, stored on two password-protected CDs, was lost en route to the New York State Department of Taxation and Finance in early June, says Jim Wiggins, a spokesman for Morgan Stanley. The package arrived but the CDs did not, and subsequent searches by the department, brokerage and U.S. Postal Service failed to locate them. “We’ve seen no evidence of criminal intent or actual misuse of this information,” Wiggins says. The breach affected less than 1% of the brokerage’s accounts. Account holders whose Social Security numbers were exposed in the breach will receive a year of credit monitoring from credit bureau Experian.
So much for a blasé data breach. Last month’s breach of Citigroup credit card numbers didn’t include the cards’ expiration dates and security codes, which should have prevented the hackers from using the cards. Even so, this week Citi announced that some 3,400 of those credit cards (about 1% of the total compromised) were fraudulently used to the tune of $2.7 million.
None of the cardholders are held responsible for those charges, says a Citi spokesman. But how did it happen? Citi could not confirm, but suggested that some of the customers may have been involved in breaches at other companies that gave the hackers the full suite of information they needed. “I suspect what you’re going to find is this was a very sophisticated hack by a group that’s done more than this,” says Jay Foley, executive director at the Identity Theft Resource Center.
Citi’s is among the latest in a series of breaches so far this year. There have been 216 year-to-date, according to the Identity Theft Resource Center, down from 333 in the same period last year. In many cases, fraudsters have grown more sophisticated and are better able to access customer information and remain undetected than in the past, says Phil Blank, managing director of security, risk and fraud for Javelin Strategy and Research. A report out today by Javelin shows that among roughly two dozen of Visa and MasterCard’s largest credit card issuers, the bigger institutions including Bank of America and U.S. Bank are among the best equipped to prevent, detect and resolve fraud. The relatively smaller banks on the list came in at the bottom, including State Farm, Associated Bank and SunTrust. The annual study, which was conducted before reports of Citi’s breach surfaced, ranked Citi in ninth place.
Citigroup late last night announced that a data breach, which exposed customers’ credit card information, impacted around 360,000 cardholders, or about 1.5% of its roughly 23.5 million North American credit card customers. The hackers accessed customers’ names, account numbers and contact information including email addresses.
A Citi spokesman says the company is contacting customers whose information was impacted. In the meantime, Deal Journal suggests several ways cardholders can protect themselves: Request a new card, report problems immediately, that sort of thing.
And while yes, Citi cardholders should do all that, they can also take a deep breath: consumers are well-protected against fraudulent credit card purchases. In general, credit card companies hold customers liable for up to $50 of unauthorized credit card transactions, and often they waive those $50 as well, says a spokeswoman for the American Bankers Association.
The letter begins politely as all letters do delivering bad news. Sony’s came with those three little words at the top: “Customer Service Notification.” That’s when you should sit down. It’s usually all downhill from there. Announcements like these informing you that your data has been breached are becoming all too common.
Sony’s letter addresses customers thus: “Dear Valued Sony Online Entertainment Customer.” That’s humble, polite, dignified: 10/10 for a good start. In short, the letter says that the data breach of 77 million PlayStation users now extends to 24.6 million Sony Online Entertainment customers.
Jonathan Bernstein, president of Bernstein Crisis Management, was put off by the technical and sometimes confusing “corporate-speak” in Sony’s letter. “The theft itself undermines Sony’s perceived competency,” he says, “but I think they did a good job, overall, of factually communicating how they were getting back on top of the situation.”
Pay Dirt has already given some rules of thumb for customers whose information was breached. There will be an increasing number of letters like these from other companies in the months and years to come, so here are the top 5 tips on how best to translate them.
Pay Dirt examines the millions of consumer decisions Americans make every day: What to buy, how much to pay, whether to rave or complain. Lead written by Quentin Fottrell, the blog examines these interactions, providing readers with news, insight and tips on shopping, spending, customer service, and companies that do right – and wrong – by their customers. Send items, questions and comments to firstname.lastname@example.org or tweet @SMPayDirt.