What follows is my podcast with Don Ulsch, Privacy Subject Matter Expert for Jefferson Wells. Don has more than 25 years of diverse experience in risk management and privacy and recently published the book, "Threat, Managing Risk in a Hostile World," and in this podcast we go into detail the recent explosion of ID thefts.
Listen to or download the 9:18 minute podcast below:
--------- TRANSCRIPT ---------
Now, can you just give me a quick overview of what exactly happens so that 40 million personal records were just recently compromised?
Yeah, absolutely. We don't know a tremendous amount because those details will be released at different points during the trial. But we do know that approximately 11 criminals, and that's really what they are, I mean these were real criminals, around the world, Eastern Europe, Asia, and the U.S., are accused of the theft and sale of approximately 40 million credit and debit card numbers, conspiracy to commit these frauds, and then there were the actual theft-related crimes.
There are a series of computer-related crimes that they could also be charged under, fraud and identity theft. And basically, what they did was that they were able to penetrate into the wireless computer networks of a lot of companies: TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, a restaurant, Barnes and Noble, the bookstore, Sports Authority, Forever 21, and DSW.
So they actually were able to install sniffer programs that were used to capture these credit and debit card numbers as well as the passwords, and then they were able to process that, sell those cards, and people who would buy those cards could simply go to ATMs or wherever and receive cash in return for the transaction.
That's a big number of companies, sort of a mis-Fortune 500, I guess. Now, I can imagine a lot of companies are thinking, I've been spending a lot of money on security but why in the world does this keep happening to us?
It's a good question and it's a question that a lot of companies do ask, because a lot of them, as you say, they say, hey, we're spending a sizeable piece of our budget. And there are a number of reasons that it is not working as well and that they're not as well defended as they believe would be justified by the amount of the expenditures in security. And the reasons are these:
This is a very complex set of crimes and I believe that it will be proven during this trial that we're going to see the emergence and the overtones of things like organized crime, narcotics trafficking, possibly terrorist financing, which are all elements of money laundering. And so it's globally distributed, there are multiple legal and adjudication jurisdictions. There are multiple compliance requirements that often create conflict, so there are lots of people involved across a lot of countries.
Many of these crimes take place beneath the traditional radar screen. Companies have a false sense of security, and so if they keep doing one thing and they think it's working, a lot of times they don't look at what else might be happening in that environment. So all of a sudden they get hit with this big crime, it goes on for several years potentially, like these went on, I think, for approximately three years, and it could be very devastating for these companies.
But the process of laundering money is multilayered and that really is part of this complexity. There are levels of anonymity when these people are doing these transactions so it's very hard sometimes to actually see who's doing what to be able to identify them immediately and to go out and stop them from doing it.
So a lot of companies spend money on treating elements of the problem but we don't see a lot of companies treating this as holistically as they might and that is part of the problem. It's sort of like if you take a patient that is ill and you treat them for pneumonia when they actually have cancer but that you haven't identified and that's part of the problem.
That's interesting. So then what would you say companies need to do to start addressing the whole problem to stop this from happening?
Well, the key thing, Peter, is really this. The number one issue is you've got to get a certain level of recognition that this is a problem, number one, and that you can be impacted by it. So you've got to get the attention of the board of directors, either the audit or the risk committee, or the CEO, and get them to acknowledge that this is a problem.
So it requires examining the condition and the situation, looking at these crimes, what is the business impact of that where it's happened before, and then translating that into what is the potential business impact for your organization? And you need to look at that potential impact in four different ways. What is the financial impact, the regulatory or statutory impact, the reputational impact, and the legal impact?
Because when these things occur, those are the four areas that are going to translate into what is the business impact on your organization. If you take, for example, that there is a certain cost per compromised file, numbers vary but let's say it's between $200 and $300 per file, and you start looking at multiplying that number by 40 million cards, that's a big number, it's in the $200 to $300 million dollar plus range, and that's before you start looking at any of the civil litigation costs and settlements that may occur, and we know that those are occurring as a result of these crimes.
The other thing is that it requires a transition. In my view, it requires a transition from a regulatory-based privacy program to a risk-based privacy program. And what I mean by that is that good compliance doesn't necessarily make for good security. But good security will usually make for good compliance, plus give you the additional benefit of providing improved integrity in your information environment.
So if you are working to provide a strict regulatory environment that may be good when the regulators come in, but it's not good enough to prevent or reduce the likelihood that these crimes are going to occur in your environment.
Gotcha. That actually makes a lot of sense. Now, are there other key risks out there that companies are looking the wrong way on, or just simply aren't addressing, that they need to know about now?
Well, I'll tell you what seems to be attracting a lot of interest when I go around the country and speak at a number of different private and public forums, and that is the concern over intellectual property and trade secret theft. And there's actually linkage between identity theft and intellectual property and trade secret theft.
And here's the linkage. Both personal information and intellectual property and trade secrets have value when it comes to money laundering. So organized crime views these things, personal identification, and intellectual property, and trade secrets, as legal tender, or actually illegal tender. So it doesn't matter to them what the actual product is, or the element, or the component.
All they know is that if they take that and sell it illicitly after they've stolen it, it provides revenue for them. So if we look at what happens to personally identifiable information that is acquired through identity theft, and we look at the theft of intellectual property and trade secrets, it does often involve organized crime, international narcotics trafficking, which provides a lot of the terrorist financing around the world.
And the linkage here is clear. There's approximately $1.5 trillion of annual drug profits produced every year. Those drug profits need to be turned into clean money. And identity theft and the theft of intellectual property and trade secrets is just simply one way in which to do that. Now, what's also driving intellectual property and trade secret theft is the demand for countries to join the engaged, join global electronic commerce, join the developed nations, and move from developing nation status to developed nation status, and that puts information at risk.
So if you look at, for example, China's Program 863, it is literally a blueprint of all the technology, the engineering, and energy products and designs that are required to move to that next economic level in a developed nation. So I am looking at the rise of economic espionage as being the next great threat.
So now, you've already sort of given us an idea of the future, but will there ever be a time when these attacks will be done, or through, or over?
No, I don't think so. I mean the history of conflict and crime is very long and it dates to the beginning of history and that's why we're not going to see an end to this. We may find a change in tactics, which are driven by technology and culture. We may see a change in the actual targeting of the certain types of information but as long as information has value, then we are going to see a risk to that information. That's very clear to me.