Security plagues retailers

CHICAGO - Within 24 hours of telling the public about a data leak earlier this year, ChoicePoint lost Wall Street's confidence and gained unwanted attention from would-be hackers and thieves.

ChoicePoint's market capitalization plummeted $300 million, and the number of exploratory pings aimed at its servers jumped from 100,000 to a couple of million overnight, said Marty Smith, the company's business information officer and chief architect. The company is still under federal investigation about the breach and is battling financially. Smith laid out his company's landscape to an audience of IT executives at the Retail Data Security Forum, held last week at Marshall Field's department store in Chicago.

Data broker ChoicePoint handles more than 17 billion consumer records. Its services include providing data for identity verification, pre-employment screening, insurance underwriting and asset location. The Alpharetta, Ga., company estimates that about 145,000 consumers may have had their personal information exposed when scammers fraudulently obtained access to its data.

ChoicePoint publicly disclosed the data breach in February. Criminals had set up dozens of fraudulent accounts with ChoicePoint by posing as legitimate businesses needing consumer data.

To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

CHICAGO - Within 24 hours of telling the public about a data leak earlier this year, ChoicePoint lost Wall Street's confidence and gained unwanted attention from would-be hackers and thieves.

ChoicePoint's market capitalization plummeted $300 million, and the number of exploratory pings aimed at its servers jumped from 100,000 to a couple of million overnight, said Marty Smith, the company's business information officer and chief architect. The company is still under federal investigation about the breach and is battling financially. Smith laid out his company's landscape to an audience of IT executives at the Retail Data Security Forum, held last week at Marshall Field's department store in Chicago.

Data broker ChoicePoint handles more than 17 billion consumer records. Its services include providing data for identity verification, pre-employment screening, insurance underwriting and asset location. The Alpharetta, Ga., company estimates that about 145,000 consumers may have had their personal information exposed when scammers fraudulently obtained access to its data.

ChoicePoint publicly disclosed the data breach in February. Criminals had set up dozens of fraudulent accounts with ChoicePoint by posing as legitimate businesses needing consumer data.

In Chicago, Smith talked about the costs and risks associated with security breaches, and the types of data-fraud schemes perpetrated by organized-crime rings and individuals. Data criminals are after any record that associates the name of a party with another identifier, such as a home address, work address, telephone number, Social Security number, place of birth or a description of the person. "It's amazing to me what little information these people need to commit fraud," he said.

There are technology-related ways to mitigate and control data breaches - from multi-factor authentication and real-time monitoring to honeypots and audit controls, Smith said. In addition, education and awareness are important. Retailers should use technology to track patterns of access and behavior. They also should share information about known or suspected misuse, and get involved with local and national legislative efforts.

Vigilance required

Erik Goldoff, IT systems manager at the HoneyBaked Ham Co., stressed the need for companies to regularly peruse system data, such as server logs and bandwidth histograms, to better understand typical usage trends.

"When a purse gets stolen, it's gone. But when someone steals your data, everything looks the same as it did before, only someone else has a copy of it."

Goldoff's company has hardened its IT assets against internal and external threats by locking down desktops. HoneyBaked Ham requires periodic password changes and doesn't allow users to receive Zip files or install unauthorized software.