March 3, 2014

The long reach of the data breach

It happened more than 1,500 times in 2013. Someone in a firm's IT department found an odd piece of malware on a server, or a bank got a call from a major retailer warning that some debit card records had been compromised, or a laptop computer containing a list of social security numbers went missing. Data breaches at Target, Michaels and Neiman Marcus made headlines in 2013, but those big retailers aren't the only ones that have suffered from information insecurity.

Preliminary numbers from the Massachusetts Office of Consumer Affairs and Business Regulation show that 1,555 data breaches in 2013 affected more than 1.1 million Bay State residents. The number of incidents has grown consistently since the state started tracking the numbers in 2007, although the number of residents affected has bounced up and down.

Not all the breaches involved Massachusetts-based companies, but there were 145 that affected Central Massachusetts businesses.

“From a consumer standpoint, the reason it's serious is the big fear when your credit card information or social security number or name are stolen (and) that sometime in the future somebody is going to take out credit in your name, take out loans, mortgages,” said Barbara Anthony, undersecretary of the Office of Consumer Affairs. “Unraveling the financial chaos that an identity theft can result in is just a nightmare.”

After Framingham-based TJX Cos. Inc. suffered a major data breach in 2006, the state passed a law requiring extra security measures for companies that hold onto that kind of personal data. Since then, Anthony said, there's been progress in keeping information secure. For example, she said, the number of laptops and other portable devices with sensitive information reported stolen dropped from 147 in 2008 to 40 in 2012.

“It does seem like there is some greater due diligence taking place on the commercial end of things,” she said.

But she said some companies don't take requirements like encryption of personal data seriously until they're victimized by data thieves.

Even businesses' best efforts can't always keep personal information safe. Of the Central Massachusetts breaches in 2013, the vast majority, 134, were reported by banks, almost always because of an incident at a partner company. Banks that issue debit cards are vulnerable whenever a merchant or card processor's records are stolen.

For example, Natick-based Middlesex Savings Bank reported seven breaches, all involving information stolen from merchants that processed its customers' debit cards. Chuck Bauer, the bank's executive vice president and chief technology officer, said every time such an incident occurs, the bank evaluates it and decides whether it needs to issue new debit cards to customers who may have been affected. It can be tough on banks, he said, because those that issue cards are ultimately liable for any fraud that could take place when data is stolen. And, beyond that, there's a question of trust.

“Our issue really gets down to trying to convey to the cardholder that the data breach didn't happen at the bank,” he said. “We are reissuing the cards because the breach happened somewhere else.”

Aside from the incidents that hit financial groups, the breaches Central Massachusetts businesses faced in 2013 ranged from simple error — patient data faxed to the wrong office or employee information mistakenly included in an email — to clearly malicious acts, such as malware installed on a company system or unauthorized use of an employee's email to view a firm's data.

Even the smallest and least technologically active businesses can be at risk.

Last February, someone broke into records at Anderson's Statewide Driving School in Framingham and swiped a stack of 5-x-8-inch cards with student information. Co-owner Janet Anderson said the cards only held the names of the school's teenage students, not social security numbers or financial information. But, under state law, the school still had to send letters describing the situation to the more than 400 affected families. Employees of the tiny business worked several weekends to get all the letters out, then had to handle hundreds of calls from concerned parents.

“It was a nightmare,” Anderson said. “It was an absolute nightmare. We thought we were going to lose our minds.”

When it comes to the big retail breaches of credit and debit cards, the U.S. is now following other parts of the world in shifting from cards that use magnetic strips to a design with a microchip. Visa and Mastercard are set to begin using the so-called “chip and pin” systems next year.

For other businesses, there are simple steps to help keep data secure. Michelle Drolet, founder of Framingham data services provider Towerwall, said key moves include enforcing strong password policies, keeping patches and virus pattern files up to date, and ensuring IT workers sign in with individual user names, not with generic “admin” names and passwords. When working with third-party companies like IT firms, Drolet said, companies should be sure the provider is one they can trust, and follow that up by limiting its access to company systems.

“If I'm only supposed to be working on the SQL server, then only let me go there — not to the file or exchange servers,” she said. “Segment me and put me into that one area.”

Drolet said employee education on technology matters is also important. “It doesn't matter if you have two people or 2,000 people,” she said. “Every employee needs to be part of your security program.”
