By Matt Lidestri
Hackers seem to be everywhere these days – most recently the Epsilon breach, and then the Sony PlayStation Network. Millions of records have been exposed, and the affected organizations are notifying consumers and apologizing as fast as they can. Hasn't the banking community seen all this before?
Generally speaking, we haven't. The break-ins at the Sony PlayStation Network and Sony's other online network represent a higher level of cybercrime, one that could produce greater losses than anything we have seen before. Here's why:
The handful of large breaches of the last few years – TJX, Hannaford and Heartland Payment Systems, to name a few – had less impact on businesses and consumers from an identity standpoint: what was stolen was mostly payment card data, and a compromised card can be cancelled and reissued. Even the much-publicized Epsilon breach is limited in immediate impact, although the exposed names and e-mail addresses could be used to seed future attacks such as targeted phishing (Epsilon maintains customer e-mail records for Best Buy and JPMorgan Chase, among others).
The PlayStation Network attack is different because the stolen personal records were more complete: names, postal and e-mail addresses, dates of birth and account credentials, not just card numbers, which means they can be used far more easily for identity theft. The attack was also carried out in about two days, rather than over the weeks or years the earlier card-harvesting intrusions ran, so the information is both fresh and immediately usable.
The criminals now know where 77 million PlayStation Network users reside, and they hold enough about each of them to impersonate the user, apply for credit in his or her name and collect a bigger payday. According to an attorney leading a class action suit against Sony, the hackers involved in the breach are already offering 2.2 million credit card numbers, the corresponding three-digit security verification codes and other personal information for sale on underground Internet sites.
Sony may not have paid enough attention to security and risk while building its PlayStation and online networks. Non-banks do not face the onsite safety and soundness examinations that regulators conduct at financial institutions. Many have nonetheless accumulated astounding amounts of customer information, and in doing so have put us all at risk.
Apple and Google recently admitted to The Wall Street Journal that they keep records of smartphone calling data, messaging activity, search requests and online activity. Add the data that iPhone and Android handsets themselves collect, which can pinpoint location, movement, direction and proximity to other phones. Put that information into immense commercial databases that also contain names, addresses and the like, and you begin to see the compounding danger.
The promise of handing customer data to retailers, who can then push advertising at those customers as they walk past the store, is too sweet to pass up – especially when smartphones and other mobile devices become our wallets in another 12 to 18 months.
Criminals are busily engineering their next round of attacks. Will the pain and mistakes of the Sony PlayStation Network breach be enough to inspire non-bank holders of customer information to harden their sites and services, and to be more responsible about what data they collect, how they store it and who can access it? The news answers that question every day. Meanwhile, many financial institutions are keeping our data safer. They should promote that fact every chance they get, and continue to learn and adapt as events unfold.
Matt Lidestri, CISSP, manages internet security and products for Avon, Conn.-based COCC, Inc.