[ISN] Despite breaches, companies seen as lax on protecting data

InfoSec News isn at c4i.org
Wed Jun 7 01:07:30 EDT 2006


By Aman Batheja
Fort Worth Star Telegram
Jun. 06, 2006

FORT WORTH, Texas - Another week, another huge breach of personal

Dallas-based Hotels.com announced last week that credit-card numbers
and other personal information on about 243,000 of its customers were
on a laptop computer stolen from a car in February.

Last month, the Veterans Affairs Department announced that personal
information of 26.5 million veterans was compromised after a laptop
and disks were stolen from the home of a data analyst. Information on
1.3 million more people who borrowed money through the Texas
Guaranteed Student Loan Corp. was lost in May while in possession of a

Despite the growing list of blunders, most companies still aren't
doing enough to protect their customers' data, according to security
experts. The reasons are largely the prohibitive costs of securing
mobile devices and a lack of public concern.

``Until businesses are held accountable ... legally, financially and
by customer demand for protecting that information, they're not in any
strong hurry to make it happen,'' said Rick Fleming, chief technology
officer with Digital Defense, a San Antonio-based network security

The Hotels.com data breach stems from an audit of the company's
transactions performed by Ernst & Young. The laptop was stolen from
the car of an analyst with the accounting firm. Hotels.com spokesman
Paul Kranhold said the incident occurred in Texas but would not say
where. He would not confirm nor deny news reports that indicated that
the theft occurred in the Dallas area.

The laptop required a password to use it. A file on the computer has
information mostly on customer transactions from 2004, although some
are from 2003 and 2002. The information on the file may have included
customers' names, addresses and some credit- or debit-card
information, according to a statement released by Ernst & Young.

Hotels.com is sending letters to every customer whose data may have
been on the laptop. Ernst & Young has set up a call center to address
questions or concerns involving the incident. The accounting firm has
also arranged for those affected to sign up for a credit-monitoring
service for a full year for free.

The information on the laptop was not encrypted, a practice of
protecting information by transforming it into an unreadable code.  
Ernst & Young spokesman Charlie Perkins said the company had begun
installing encryption systems on all of the company's laptops earlier
this year, but the one with the Hotels.com data did not have the
system yet.

Ernst & Young has promised Hotels.com that it will take extra steps to
protect the company's data in the future, including encrypting
sensitive information. It has set up a toll-free phone number to help
those who may be in danger of identity theft: 866-387-2242.

Encryption is one of the most effective and efficient ways of securing
information on a laptop, said Mike Stute, chief technology officer for
Global DataGuard, a security risk-management company in Dallas.

Companies, especially larger ones, are hesitant to spend up to several
hundred dollars per laptop to encrypt data, Stute said.

``The truth is, the $1,000 laptop is trivial compared to the data on
the machine,'' Fleming said. ``I don't understand why every company
doesn't do it.''

Even a good encryption program is only as safe as the person operating
it. A hacker can easily overcome an encryption system that's protected
by a password if the user picked an easy one to guess, Fleming said.

A more secure system includes an encryption token, a small object that
must be plugged into the laptop's USB port to decrypt the information.  
That type of system can be extremely effective -- as long as the
laptop and the token are kept apart.

Fleming recalled seeing a man in an airport with an encryption token
taped to his laptop, thereby defeating the purpose of having the token
at all.

A slew of large data breaches have surfaced in the past year mainly
because laws passed in several states now require companies to report
these embarrassing mistakes.

California started the trend of data-breach laws in 2003. The Texas
Breach of Computer Security Statute went into effect in September.  
``There's no question that the states are taking the lead on identity
theft,'' said Ed Mierzwinski, consumer program director for the Texas
Public Interest Research Group.

A handful of bills working their way through Congress would make
data-breach notification a national law. Depending on which bill
passes, companies may be required to report any data breaches where
there's a chance for identity theft or fraud, or only when there's a
good chance of misuse of the data.

No matter what laws are passed, Stute doubts that companies will get
more serious about protecting sensitive data until the technology
becomes cheaper and easier to use. He noted that they have little
motivation, considering that most of the major data breaches over the
last year have not appeared to impose any lasting damage to the image
of the company at fault.

``It never seems to stop consumers anyway,'' Stute said. ``It's bad
press, but it doesn't seem to hit home with anybody.''

More information about the ISN mailing list