[ISN] Database culture ripe for ID theft

[InfoSec News]

http://www.oaklandtribune.com/Stories/0,1413,82~10834~2325047,00.html

By Mark Jewell
Associated Press
August 10, 2004

BOSTON -- BJ's Wholesale Club Inc. attracts shoppers to its stores by
putting thousands of discounted products under one roof. It wasn't
hard to attract cyberthieves either, with databases that amass credit
card numbers in huge numbers.

The theft earlier this year of thousands of credit card records from
the nation's third-largest warehouse club illustrates the potential
for massive-scale identity theft whenever so much purchase-enabling
information is stored in one place. It also illustrates how difficult
the cleanup can be.

The Secret Service still doesn't know whether the breach was an inside
job or the work of hackers, but it has made some arrests, said Tim
Buckley, a Secret Service agent investigating the case.

The suspects arrested recently in the United States and abroad may
have ties to a large international identity theft ring, Buckley said.  
He declined to say how many arrests have been made or provide further
details.

Meanwhile, financial institutions are still smarting. They've had to
reissue hundreds of thousands of credit cards belonging to BJ's
customers as a precaution against further fraud.

The BJ's case may be the largest retail fraud of its kind based on the
amount of cards reissued, experts say.

Hundreds of thousands of replacements were sent to customers across
the 16 states where BJ's operates, though BJ's says the breach
affected only "a small fraction" of its 8 million members.

Philadelphia-based Sovereign Bank covered about 700 fraudulent
transactions from the BJ's theft and had to reissue 81,000 cards
twice, at a cost of about $1 million, once in May and again in June,
after a glitch occurred with the first batch, said spokeswoman Ellen
Molle said.

"There are some pretty heavy losses out there," said Greg Smith,
president of the Pennsylvania State Employees Credit Union, which
reissued cards to 14,000 of its members at a cost of $100,000.

Visa and MasterCard issuers in the United States, most of them banks,
lost an estimated $820 million from fraud in 2003, up 6 percent from
the previous year, according to a study by Credit Card Management, an
industry magazine.

When BJ's disclosed the breach in a March 12 news release, it said it
had altered its security systems and was confident customers'
information was secure. BJ's, which has 150 clubs and 78 gas stations,
has said the theft would have no material effect on its finances.  
Consumer advocacy organizations say they've received few consumer
complaints.

But the Natick, Mass.-based company now faces claims from some of the
10 to 15 banks that had to replace cards or reimburse consumers for
fraudulent transactions. Investigators and bank officials have
declined to disclose the monetary losses.

As sensitive data about consumers -- not just credit card numbers but
also buying habits and other personal information -- are recorded in
databases, the potential for identity theft on a massive scale is
increasing.

Last week, three men pleaded guilty in North Carolina to charges they
conspired to hack into the Lowe's home improvement chain's data
network to steal credit card information. Lowe's officials said the
men failed to get into the company's national database.

In another case involving a mother lode of data, a Florida man was
charged last month with stealing large amounts of consumer information
from database aggregator Acxiom Corp. -- the second such hack of
Acxiom files revealed in the past year. Prosecutors say the stolen
data was not used for identity fraud but to distribute ads via an
e-mail business the man runs. Such thefts raise costs for credit card
issuers, which typically cover most losses from fraudulent
transactions and limit liability to merchants. The problem is a moving
target because thieves are creating increasingly sophisticated
criminal networks with global reach.

"However they find the numbers, they end up on some computer bulletin
board and are sold," said Buckley.

Lawmakers are responding. A federal law signed July 15 increases
criminal penalties and eases the burden of proof prosecutors must meet
to win convictions in identity theft cases.

The law also establishes a new crime of aggravated identity theft and
sets stiffer punishment guidelines for cases originating from
information stolen in a workplace.

A Michigan State University study to be published later this year
found as many as 70 percent of all identity theft cases originate with
information stolen in a workplace, rather than through hacker
intrusions, home robberies or mail fraud.

The study's author, Judith Collins, an MSU criminal justice professor,
said the tougher sentencing the new federal law requires is a move in
the right direction.

"But it does nothing to pre-empt identity theft," she said.

A California law that took effect last year holds merchants more
accountable for safeguarding customers' card data, but analysts say
few such protections exist elsewhere. Under the California law, banks
and other companies must notify customers when a breach of their
personal information is suspected.

The law requires businesses to limit how and when they display
consumers' Social Security numbers, including a ban on printing a
customer's number on cards needed to access services. Some health
insurers use Social Security numbers as members' ID numbers and stamp
it on membership cards, creating a risk if a card is stolen.

The credit industry "has been relatively slow in taking more security
steps than they already have in place because they sort of felt they
could tolerate the loss," said Robert Richardson of the Computer
Security Institute, an organization for security professionals. New
steps could include employing identification technologies such as
fingerprint scans.

More merchants will disclose security breaches like the one at BJ's if
other states follow California's lead, Richardson said.

Carol Baroudi, a retail and computer security analyst with the
research firm Baroudi Bloor, believes most such cases escape public
scrutiny.

"I don't think this case was that much of an anomaly," Baroudi said.  
"I think the fact that we've actually heard about it is different ...  
BJ's had the guts to come forward. They took the risk that people
would stigmatize them for this."