Caught by detection, but too late to stop thieves from accessing the credit card data of over 200,000 customers. Citi is a big company under strict federal security guidelines, and compliant as far as we know, at least up until this latest discovery. As I read these reports, I recognize that compliance is needed: companies don't take action just because there's a threat. But having worked for one of this country's largest banks years ago, I know security is taken seriously at firms like Citi. The problem is, you can't really keep every door closed and locked, every day, especially when insiders can be paid off. In this case there is no report of insider cooperation (which doesn't mean there wasn't any), but we've seen this before: a website used as the open door to sensitive data. The world demands access to its "stuff" through portals, VPNs, and personal computing devices that now include smart phones and iPads. Can companies really keep data safe? It's almost impossible to lock down every access point and still provide that access. Software has bugs, and bugs are holes to be exploited. Foreseeing every one of them is just not reasonable.
What can we expect going forward?
According to experts, “The expertise behind the attack … is a sign of what is likely to be a wave of more and more sophisticated breaches by high-tech thieves hungry for credit card numbers and other confidential information.”
The “… demand for the data is on the rise. In 2008, the underground market for the data was flooded with more than 360 million stolen personal records, most of them credit and debit files. That compared with 3.8 million records stolen in 2010, according to a report by Verizon and the Secret Service, which investigates credit card fraud along with other law enforcement agencies like the Federal Bureau of Investigation.” (New York Times…)
It has been some time since Albert Gonzalez made his way into large companies, including the historic breach at TJX. Recent news has focused more on politically motivated attacks by Anonymous and LulzSec, attacks that didn't target financial information and seemed to be motivated by something other than identity theft. This article brings us back to the bigger issue that has plagued companies for over a decade: tens of thousands of hackers and hacker groups targeting financial information that is then sold online for billions, and, according to recent reports, over a trillion dollars in revenue.
It would seem that, while companies can do a lot to beef up security, it is simply not true that some IT group out there has its company covered. Technology companies must be equipped to address this, either internally or through partners. Application providers can greatly increase their value by having security experts on staff, and managed services providers should be approaching their offerings from a security point of view. Data center experts, unified communications providers, SMB resellers, and larger enterprise consulting groups: everyone should be thinking about security.
© 2011, David Stelzl