Earlier this month an anonymous hacker posted files containing personal data on 6 million residents of Chile on Fayerwayer.com, a popular Chilean technology blog. The three compressed files posted by the hacker, who calls himself “Anonymous Coward,” were apparently stolen from a Chilean government agency and included names, addresses, telephone numbers and taxpayer identification numbers, everything a cybercriminal needs to steal their identities.
At the same time, the Hannaford Bros. supermarket chain, located in the Northeast United States, announced that a data breach may have revealed 4 million customer credit and debit card numbers to criminals.
These are just the latest in a long list of data breaches that have exposed customers and taxpayers to identity theft . While businesses would rather keep such incidents private, in the United States and many other nations they are required to publicly disclose data security breaches.
These breaches are much more than an embarrassment. Last October the Ponemon Institute in Tucson, Ariz., found that data theft cost companies $5 million to $50 million per breach. The average total recovery costs were $140 per lost customer record. And this does not include possible lost business due to the damage to the organization’s reputation, which are very hard to quantify. Nor does it include the impact on stock performance. Researchers at Emory University’s Zymand School of Brand Science found that the average stock value fell 0.63% to 2.1% when a company announced a breach.
Addressing the issue
Despite these high costs, many organizations are not taking adequate precautions to address this issue. A survey conducted by Forrester Consulting for the RSA entitled “The State of Data Security in North America” reveals that many businesses are still in a ‘reactive mode’ when deploying data security measures and often struggle with the challenge of creating and implementing planned strategies for data loss prevention. Many businesses still fail to understand the extent, possible impact, and danger of this mammoth problem. IT organizations focused on “putting out fires” and on other threats are not allocating budgets to solve it. For instance, according to blogger-in-chief John Soat, it is still not in the CIO – Top Ten list to do. And often the attitude is that data security is strong in the organization, so it can’t happen here. What they miss is that the organizations that are reporting data theft also had strong firewalls, modern encryption, and updated digital intrusion detection.
So if those organizations had strong security, where is the breach happening? First, the bulk of the confidential information stolen — customer data, employee data, financial information, intellectual property or competitive information – is stored in ERP applications (e.g., Oracle, SAP, Peoplesoft, JD Edwards). These production applications have very strong built-in security, and they are seldom the source of the problem. Too often the problem lies in lax test data management processes that support application development, QA, and test. Test Data Management copies typically are full copies of a production database with no masking of sensitive personal data. They are accessed legitimately by internal developers, consultants, and outsourced developers. All the hacker has to do is get a job in development, carry a key chain USB memory device to work, and walk out the door with a copy of the development database. He doesn’t care if the database is the latest version, even if some data has changed, there is often enough good information to make him rich. And because he has legitimate access, the company may not even know that a breach has taken place until customers start seeing their bank and credit card accounts being drained.
So what can companies do to protect themselves from this major open door in their organizations? Fortunately, Secure Test and Development allow masks sensitive customer data in development databases without destroying their usefulness. Further controls can be realized by monitoring the cloning log via active data auditing, with real-time alerts being sent when suspicious activity is detected.
Securing test and development copies is a vital first step in building data security for the enterprise. Installing a Secure Cloning solution, along with strong personnel policies, can greatly decrease the organization’s exposure and, if a data breach does occur, can demonstrate that the company did make good faith best efforts to secure the data of its customers should it end up in a lawsuit like TJX.