Security Hall of Shame
The big question is: What can entice companies to beef up security? At this point, it’s unclear. But shame can be a good motivator. So, herewith, the first inductees into the Baseline Security Hall of Shame. The running list will be compiled as needed and will run in full in our special year-end issue, “The Year of Living Dangerously.”
Lowlight of the Month
The credit records of 3.9 million Citigroup customers disappeared after United Parcel Service lost a box of backup tapes. The card numbers of 40 million MasterCard, Visa, American Express and Discover account holders were exposed to hackers because a Tucson, Ariz.-based transaction processor stored information longer than it should have. The Federal Deposit Insurance Corp., the federal agency responsible for protecting bank accounts, informed 6,000 present and former employees that their personal data had been stolen in 2004.
CardSystems Solutions Inc. of Tucson, Ariz., loses 40 million credit card numbers after an unauthorized individual infiltrates the company’s network and takes customer data. Details about the theft are sketchy. MasterCard International Inc., Visa International Service Association and CardSystems aren’t commenting beyond their statements.
CardSystems says it discovered the breach on May 22 and called the Federal Bureau of Investigation the following day.
The folly of not following procedure: MasterCard and Visa noted that CardSystems stored more data than it should have and violated security protocols. Why was CardSystems allowed to operate if it wasn’t in compliance with card issuer security standards? Apparently, CardSystems was secure at this time last year. Baseline has learned that CardSystems was verified as meeting Visa’s security standards in June 2004, but began storing more data than it should have shortly thereafter.
Now that it has been hacked, CardSystems is “completing the installation of enhanced/additional security procedures.”
What to do next time: Verify transaction processor security more often. Just because a processor is in compliance with Visa and MasterCard security requirements on Tuesday doesn’t mean it will be on Thursday.
Be proactive: If CardSystems truly believes its June 17 statement, in which it said that “our customers and their customers are our lifeblood,” maybe it should have beefed up security before a breach occurred.
Other Hall of Shame Inductees
Bank of America Corp.
The bank loses backup tapes containing 1.2 million federal employee records.
ChoicePoint Inc.
Allows 145,000 Social Security numbers and credit histories to be stolen by crooks posing as businessmen.
Citigroup
Loses backup tapes containing 3.9 million credit records. Company says it will now encrypt data.
DSW Shoe Warehouse (DSW Inc.)
Reports that between mid-November 2004 and mid-February 2005, transaction data on 1.4 million credit card accounts and 96,000 checks was stolen.
LexisNexis, a division of Reed Elsevier Inc.
Suffers 59 different intrusions that result in a haul of 310,000 customer Social Security numbers, driver’s license numbers and addresses.
Polo of Ralph Lauren Media LLC
Fashion vendor hangs on to credit card information too long in its point-of-sale systems and loses the personal data of 180,000 HSBC North America customers.
Wachovia Corp.
Edina, Minn., man receives the 1099 forms of 73 individuals who held escrow accounts with the bank. Company launches interactive identity-theft quiz on its Web site.