How Do Compromises Happen?

Have you ever received a letter or an e-mail informing you that your personal information may have gotten into the wrong hands?   Or perhaps a media report alerted you to a security breach at a company you do business with.  Here are just a few ways that security breaches have occurred:

  • School computer files containing personal information, including Social Insurance Numbers, are hacked.
  • An email containing too much information is inadvertently sent out to a third-party service provider.
  • A bank’s computer back-up tape with customer account data has been lost while being shipped to a storage facility.
  • A dishonest healthcare employee has sold computer files containing patients’ records, including SIN and DoB.
  • An overworked IT Analyst takes shortcuts around Change and Configuration Management processes in the server room in order to save time and money.
  • End users click on links or open attachments that appear to come from someone known and trusted.
  • Imposters have established accounts with a large information broker enabling members of an international crime ring to obtain thousands of comprehensive consumer profiles, including SIN and DoB.
  • A company laptop is stolen from the back seat of an employee’s car. It contains account data on thousands of customers.
  • An employee, trying to offer good customer service, helps a caller who claims to be having trouble with their account, without verifying who the caller really is.
  • Advertising space is sold to a malicious software distributor.  The malware-laced ads are carried by legitimate and popular websites.

There are certainly more potential security breaches out there than those listed here.  Compromise can occur in so many ways.  A compromise can even occur just by surfing the web to a reputable and legitimate website that serves up ads.  The list goes on.  It can happen to anyone, and it is happening all the time.  Even I (security aware as I am) am guilty of at least one of these examples myself.

Your information can be inadvertently compromised without your involvement or knowledge.  Chief of Security at Symantec’s Australian offices, Craig Scroggie learned this lesson recently.  His credit card data was leaked via email when a restaurant attempted to send out its summer menu to its registered clients.  Instead of attaching the menu, it sent out the entire client database, unencrypted.  Scroggie found out about the breach after a follow-up email was sent informing him of the incident.  He had deleted the original email because he did not want to read the menu.  After being informed, he recovered it to see what details were exposed.

If the business that leaks your information is not regulated and mandated to advise you of when that takes place, do you think that they will risk the embarrassment, liability and potential costs of telling you about it?  Most are unfortunately going to keep mum, and ignore the issue, unless it is somehow traced back to them.  Oh, and it eventually will be, so you company owners who put off the added expense of good security, or hide a breach when it happens, be ready.  It’s really just a matter of time before your business gets a visit from the cops.

If enough people are compromised, you just have to look for common transactions.  If 100 people have records showing that transactions took place at one store or restaurant on all of their credit cards, and shortly afterwards all of those cards were used illegally, there is an interesting clue to follow up on.  You are better off preparing a breach notification policy now, just in case you need it later on.  That way, the decision about what to do, and who to call, has already been made.  No one needs to make a bad decision to save their job or to deflect reputational damage from the company.  Better to be upfront and honest than to be considered incompetent or complicit.
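The common-transaction clue described above, as an added example that is not part of the original post: a small Python routine, run over constructed card data, that finds the merchant shared by the compromised cards in the window before each card was first misused (the card ids, merchant names and dates are made up for the example).

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample data: per card, a list of (date, merchant) purchases,
# and the date on which each card was first used fraudulently.
TRANSACTIONS = {
    "card-1": [(date(2024, 3, 2), "Harbour Bistro"), (date(2024, 3, 5), "Grocery Mart"),
               (date(2024, 3, 9), "Fuel Stop")],
    "card-2": [(date(2024, 3, 3), "Harbour Bistro"), (date(2024, 3, 6), "Grocery Mart")],
    "card-3": [(date(2024, 3, 4), "Harbour Bistro"), (date(2024, 3, 4), "Harbour Bistro"),
               (date(2024, 3, 10), "Grocery Mart")],
    # card-4's Grocery Mart visit is old enough to fall outside a 30-day window
    "card-4": [(date(2024, 1, 20), "Grocery Mart"), (date(2024, 3, 7), "Harbour Bistro")],
}
FRAUD_DATES = {
    "card-1": date(2024, 3, 20), "card-2": date(2024, 3, 21),
    "card-3": date(2024, 3, 22), "card-4": date(2024, 3, 23),
}


def common_point_of_purchase(transactions, fraud_dates, window_days=30, min_share=0.8):
    """Return (merchant, card_count) pairs for merchants that at least
    `min_share` of the compromised cards visited in the `window_days`
    before that card's fraud began, most widely shared first."""
    if not fraud_dates:
        return []
    hits = Counter()
    for card, fraud_day in fraud_dates.items():
        start = fraud_day - timedelta(days=window_days)
        # A set so that repeat visits by one card count that card only once.
        merchants = {m for d, m in transactions.get(card, []) if start <= d < fraud_day}
        hits.update(merchants)
    total = len(fraud_dates)
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(m, c) for m, c in ranked if c / total >= min_share]


if __name__ == "__main__":
    for merchant, count in common_point_of_purchase(TRANSACTIONS, FRAUD_DATES):
        print(f"{merchant}: seen on {count} of {len(FRAUD_DATES)} compromised cards")
```

Widening the window or lowering the share threshold surfaces weaker candidates such as the grocery store, which is why both parameters need to be chosen against the normal purchasing overlap of the card population.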

Here are some useful resources: