Thanksgiving bargains are over. Now we have new deals for the eager Christmas and New Year shoppers. I wanted to buy a laptop but gave Black Friday a miss (no way was I going to line up for over a day). I turned up at the Fry’s store on Saturday morning about 90 minutes before store opening hours. I really should have known better. There was already a long queue. I returned home and bought it online.
And then an interesting article popped up on my screen: tips to avoid ruining your Thanksgiving and Holiday season through identity theft. The mantra: don’t fall prey to shoulder-surfing or to phishing. Just adopt best security practices when shopping.
Actually, it’s no longer petty theft. Over the years it has become organized crime, so much so that “according to prosecutors, tens of millions of credit and debit card numbers were stolen by the ring, at a combined cost to (retail) companies, banks and insurers of almost US$200m”.
Best security practices also need to be adopted by the corporate sector where the problem of data theft has been going on for years. Earlier this month in a court ruling, TD Ameritrade was asked to make a settlement to its customers who lost their PII data in a data theft case three years ago.
I have written in these columns and elsewhere about this. Data theft is big business. The irony is that data security technologies are fairly well proven. It’s not because the hackers are outsmarting technology; it’s because most companies in industries like retail and personal banking, which are vulnerable to attacks for PII data, have not put sufficient measures in place to prevent such attacks. Proof of that: an auto-generated acknowledgement email confirming the purchase once came with the full 16-digit credit card number (and the CVV) intact in raw form!
Of course, we as retail customers – whether online or in a brick-and-mortar shop – need to adopt standard operating procedures for shopping when using a credit card or supplying PII data. Equally, all retail and financial companies need to implement a comprehensive data security policy. Some have; it’s the “rest of world” business outfits that scare me. Here’s a simple suggestion: start with Data Masking and protect your customers’ PII data. Test environments are a big source of data thefts.
One would think, given the attention it has been getting for nearly a decade, that by this time every large IT Department would have done thorough due diligence of its security systems and would have instituted the necessary controls. Apparently not, judging by the continuing regularity of security breaches. Take the example from a few weeks back of an insider’s flagrant abuse of his employer’s computer systems. This news of hijacking is even more frightening than the occasional data theft by insiders.
The good news is that both can be stopped. The bad news is the “ostrich-like” approach that most organizations take – it can’t happen to me, till it actually happens. A CD with sensitive data left in the airline seat pocket is deemed extreme carelessness and the person is reprimanded for it. What’s glossed over is the fact that he should not have been allowed to have that data on his CD, thumb drive or laptop in the first place. It should never have left the security of the server.
Secure thy network and your data. It’s been said so many times before that it now sounds hackneyed, except for the lurking fear that tomorrow you or I could be victims with our personal data in the hands of a felon.
Think now about this hijacking incident. If he had not been arrested, he could have deleted some data and added some, depending on his prevailing state of mind (if he was momentarily insane), or done all of the above and modified data for criminal purposes, if he was truly malevolent. Imagine if this hijacker was also part of a sinister network and you get the picture!
Of course, a home can be robbed even after locking all doors and windows and installing alarm systems that are kept in working condition. But at least we know that the probability is minimized. I could say with 99% statistical confidence that security breaches are happening to those organizations that have not undertaken any form of due diligence of access, operational and IT security and consequently have failed to implement a comprehensive security system.
As an IT vendor focused on data management, we are deeply concerned and have decided to do something about this. This week we are introducing a package configured to mask up to 39 columns of sensitive data in non-production systems of Oracle E-Business Suite. It’s a pre-built, out-of-the-box solution. If you want to secure corporate and personnel data in your Oracle E-Business Suite non-production environments in a week, call us now.