
Don't be a data loss victim

Disclosure laws provide a goldmine of information on the causes of data breaches and ways to avoid a costly incident

By Linda Musthaler, Network World
February 09, 2009 12:06 AM ET

Somebody was siphoning customer financial data from a chain of gas station/convenience stores.


The perpetrator covered his tracks so well that the company that owned the stores didn't even know it had a data breach until customers began complaining about experiencing fraud just days after using a credit card or writing a check at one of the stores.

Verizon's Business Investigative Response team was called in to try to unravel the mystery and track down the hacker. The team, led by managing principal Bryan Sartin, took forensic images of the systems at several store locations and did an in-depth analysis of the information.

Subtle clues in the data pointed toward the point-of-sale vendor that processed payments. In fact, the thief turned out to be an employee of the POS vendor. The hacker had cleverly devised a way to capture a customer's personal financial data at the time of a sale, remove the data from the server, cover his tracks, and then sell the information to other criminals.

He didn't cover his tracks well enough, and ultimately was apprehended and convicted for his crimes.

This sophisticated hack required a high level of technical expertise. But in many cases, the contributing causes of data breaches are so simple that you wonder how the incident could even happen.

For example, in early December 2008, paperwork containing personal and financial information of customers of a mortgage company was found in an office recycling bin in Florida. There were more than 200 file folders containing data that could lead to identity theft. Rather than shred the documents, someone opted to toss them in the bin, showing a complete and stunning lack of common sense.

And the state of New Hampshire's Department of Health and Human Services accidentally exposed the personal health information (PHI) of more than 9,000 people in December when someone mistakenly attached a file containing the data to an e-mail sent to 61 healthcare providers and other organizations.

The attachment contained names, addresses, Medicare Part D plan information, Social Security numbers and the amount of each person's monthly premiums — all data supposedly protected under the Health Insurance Portability and Accountability Act (HIPAA) regulations.

Breach blog bonanza

Until about six years ago, we rarely heard anything about harmful data breaches. And that wasn't because there weren't any. It was simply that organizations that were hit with embarrassing data losses kept them secret, or tried to.

That all changed in 2003, when California enacted a disclosure law that requires entities that suffer a data breach to notify the individuals whose information may have been exposed or compromised. Since then, 42 more states have adopted similar legislation.

The fear of public humiliation clearly has not resulted in a decrease in data breaches. Quite the opposite. More than 162 million records were reported lost or stolen in 2007 — a 330% increase over the reported 49 million records of 2006.
