Most companies strongly protect their crown jewels: internal sales figures, product development plans, account numbers and customer-transaction information. Typically lower down the priority list are customer-relationship-management systems and databases of clients' contact information.
Hackers' hauls in several recent data breaches, including those launched against Anthem, Morgan Stanley and JPMorgan Chase, primarily involved that supposedly lower-level information: emails, street addresses and phone numbers. (Social Security numbers were stolen from Anthem, too).
Sometimes targeted companies announce the loss of such data as though it should be a comfort — nothing to worry about, folks, your credit card data and account details are safe. And it sounds rational on the surface: most people's contact information exists in the public domain and can be easily found through a Google search.
But they (and perhaps the customers) may be underestimating the threat of that data in the wrong hands, especially if it is used in combination with other ill-gotten information.
"[Financial institutions] are protecting what they regard as sensitive, but in many breaches, somebody else valued the information differently than you did and therefore they were able to get at something you're not protecting strongly because either you don't realize it or to you it's not that important," said Steven Bellovin, a professor in the Computer Science department at Columbia University.
Sensitive consumer data is bought and sold every day and used for phishing, identity theft and online and mobile banking fraud. Using Big Data tools, hackers can pull information from different sources and combine it to create a full consumer record that can be used for social engineering. The fact that a breach is limited to consumer data should be cold comfort.
But fully protecting consumer data is tricky, because so many people in a financial organization need access to it. A Canadian bank, for instance, is said to have once found that many employees were looking up the account information of a famous hockey player out of curiosity. But restricting access to that data was nearly impossible — everyone from the tellers to wealth management advisers needed to be able to call it up. The bank ended up resorting to shaming — publishing lists of all those who had looked up the hockey player's information, for their managers to follow up on, according to a former employee.
"In an era in which customer experience is preeminent for a lot of businesses, there's a fine line and difficult balance between security and convenience," said Joram Borenstein, a vice president at NICE Actimize, which makes fraud-detection software.
Building strong walls around customer databases (and, some say, within them) so that information is accessible to those who really need it and to no one else is a huge challenge.
A common myth is that encryption (encoding data so that it can be read only by someone holding the decryption key) is the answer to protecting such data. Many state laws governing personally identifiable information either require such data to be encrypted or exempt properly encrypted data from breach-notification duties.
Yet many recent hacking attacks in the financial services industry have been carried out with stolen or purchased log-in credentials. Encryption doesn't help when an attacker can log in as a legitimate user: the system dutifully decrypts all the data that user is entitled to access.
In the Anthem breach, for example, hackers allegedly used administrators' login credentials obtained through spear-phishing, noted Claus Kotasek, CEO at SMS Passcode, a provider of multifactor authentication.
"Too many employees are working remotely to still be relying on passwords alone," he said. "It doesn't make sense. Malicious actors are doing everything in their power to circumvent security, so organizations have to lock down remote access to business apps and cloud services with approaches like multifactor authentication."
Encryption is a piece of the answer. Customer information also needs to be partitioned to fully protect the most sensitive data elements, according to Bellovin.
"The issue here is that a lot of places don't understand how to build a high-assurance database of this type while still preserving its utility," Bellovin said. "You need to structurally separate important parts of your information and have fairly strong walls between them."
This is difficult because some data needs to be commonly shared and available to everyone, he noted. "Many companies, including many financial companies, do all sorts of Big Data analysis," he said. "'Where are my depositors broken down by zip+4 [codes]?' 'Do I see a particular trend?' And so forth."
But there are alternatives. Amazon, for instance, is able to let customers see trends in what others like them are buying without sharing information about those individuals.
A roles-based approach to data access helps, Bellovin said. "The analytic engine doesn't need to know account numbers and personal names; it needs to be able to get at transactional amount and so on."
The person who sends out 1099 forms by necessity has access to everybody's name, Social Security number, balance, interest and so on. "That global permission has to exist someplace or you can't send out 1099s," Bellovin said. "The challenge is how do we divide things up, then how do we build strong walls between the pieces, and how do we build strong doors to get through each of these walls? It's a very complex challenge."
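As an added illustration of Bellovin's "walls and doors" (not code from the article or from any institution), the Python below splits each customer record into an identity partition and a transaction partition, links them only by a keyed pseudonym, and lets a role cross the wall only for the columns it is entitled to. The record layout, the roles, the field sets and the coarsening of zip+4 to a five-digit ZIP for the analytics role are assumptions made for this example; the customers are fictional.

```python
"""Added example: partitioning customer records behind role-based 'doors'.
Illustrative code written for this article; not any institution's design."""
import hashlib
import hmac
from collections import Counter

# Assumed secret for deriving the join token between partitions. In a real
# deployment it would be held by a tokenisation service or HSM, not in source.
TOKEN_KEY = b"example-only-tokenisation-key"

# Constructed sample records: fictional customers, not real data.
RAW_CUSTOMERS = [
    {"name": "Ada Lovelace", "ssn": "123-45-6789", "account": "0001-1111",
     "zip4": "10001-0001", "balance": 12000.00, "interest": 120.50},
    {"name": "Alan Turing", "ssn": "987-65-4321", "account": "0001-2222",
     "zip4": "10001-0042", "balance": 3400.00, "interest": 34.00},
    {"name": "Grace Hopper", "ssn": "555-66-7777", "account": "0001-3333",
     "zip4": "22203-1000", "balance": 98000.00, "interest": 980.25},
]

# What each role may see. The analytic role gets amounts, a coarsened
# 5-digit ZIP and an opaque token; it never touches the identity partition.
ROLE_FIELDS = {
    "analytics":     {"token", "zip5", "balance", "interest"},
    "teller":        {"name", "account", "balance"},
    "tax_reporting": {"name", "ssn", "account", "balance", "interest"},
}
IDENTITY_FIELDS = {"name", "ssn", "account", "zip4"}


def join_token(account: str) -> str:
    """Keyed pseudonym linking the partitions; not reversible without TOKEN_KEY."""
    return hmac.new(TOKEN_KEY, account.encode(), hashlib.sha256).hexdigest()[:16]


def partition(records):
    """Split records into an identity partition (PII) and a transaction partition."""
    identity, transactions = {}, []
    for r in records:
        t = join_token(r["account"])
        identity[t] = {k: r[k] for k in IDENTITY_FIELDS}
        transactions.append({"token": t, "zip5": r["zip4"][:5],
                             "balance": r["balance"], "interest": r["interest"]})
    return identity, transactions


class AccessDenied(PermissionError):
    pass


def view(role, identity, transactions):
    """The 'door' in the wall: join only the columns the role is allowed to see."""
    if role not in ROLE_FIELDS:
        raise AccessDenied(f"unknown role {role!r}")
    allowed = ROLE_FIELDS[role]
    rows = []
    for tx in transactions:
        row = {k: v for k, v in tx.items() if k in allowed}
        if allowed & IDENTITY_FIELDS:  # only roles that need PII cross the wall
            row.update({k: v for k, v in identity[tx["token"]].items() if k in allowed})
        rows.append(row)
    return rows


def depositors_by_zip(identity, transactions):
    """The analytics question, answered without names or account numbers."""
    return Counter(r["zip5"] for r in view("analytics", identity, transactions))


def tax_forms(identity, transactions):
    """The 1099 role legitimately needs the global join across both partitions."""
    return [(r["name"], r["ssn"], r["interest"])
            for r in view("tax_reporting", identity, transactions)]


if __name__ == "__main__":
    ident, txs = partition(RAW_CUSTOMERS)
    print("depositors by ZIP:", dict(depositors_by_zip(ident, txs)))
    print("analytics sees:", view("analytics", ident, txs)[0])
    print("1099 rows:", tax_forms(ident, txs))
```

The point of the keyed token is that a compromise of the analytics store alone yields amounts and coarse geography but no way back to an account number; only the tax-reporting door, which should be the most tightly controlled and audited, joins the two partitions.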
The Morgan Stanley breach is a good illustration of this. A junior financial adviser had legitimate access to the account data of 350,000 wealthy customers but used a reporting tool in a way it was not intended and downloaded all of the information at once. Some of it later showed up on Pastebin, to the great embarrassment of the company and its clients.
One answer to situations like these is to not try to restrict access to records up front, but monitor data access and catch inappropriate activity right away, Bellovin suggested. "You have to look at this as part of your system design," he said.
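As an added example of the monitoring Bellovin describes (written for this article, not taken from it or from any bank), the Python below runs two simple detectors over constructed access-log lines: one that flags a user whose retrieved record count inside a sliding window jumps far above normal, the pattern of the Morgan Stanley bulk export, and one that flags an account looked up by an unusual number of distinct staff, the pattern of the Canadian bank's hockey-player lookups. The log format, field names, user names and thresholds are all assumptions made for the example.

```python
"""Added example: monitoring data access to catch misuse promptly.
Illustrative code written for this article, run over constructed log lines;
the log format, field names and thresholds are assumptions, not any bank's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access log. Staff make single-record lookups; three of them
# look up the same high-profile account; one adviser pulls the whole book
# through a report export that each of them is technically permitted to run.
SAMPLE_LOG = """\
2015-01-05T09:12:01Z user=teller01 action=lookup account=ACC-1001 records=1
2015-01-05T09:13:40Z user=teller01 action=lookup account=ACC-9999 records=1
2015-01-05T09:15:22Z user=teller02 action=lookup account=ACC-1002 records=1
2015-01-05T09:16:05Z user=teller02 action=lookup account=ACC-9999 records=1
2015-01-05T09:20:11Z user=wm_adviser03 action=lookup account=ACC-9999 records=1
2015-01-05T09:22:47Z user=wm_adviser03 action=lookup account=ACC-2045 records=1
2015-01-05T09:30:00Z user=adviser17 action=lookup account=ACC-3001 records=1
2015-01-05T09:31:15Z user=adviser17 action=report_export account=ALL records=350000
2015-01-05T10:02:33Z user=teller01 action=lookup account=ACC-1003 records=1
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"account=(?P<account>\S+) records=(?P<records>\d+)$"
)


def parse(lines):
    """Parse log lines into events sorted by time; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["records"] = int(e["records"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def bulk_access_alerts(events, window=timedelta(hours=1), threshold=50):
    """Users whose records retrieved inside any sliding window exceed threshold.

    Returns {user: peak_records_in_window}. A bulk export through a legitimate
    reporting path shows up here even though every call was authorised.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        start, total = 0, 0
        for i, e in enumerate(evs):
            total += e["records"]
            while evs[i]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["records"]
                start += 1
            if total > threshold:
                alerts[user] = max(alerts.get(user, 0), total)
    return alerts


def curiosity_alerts(events, min_distinct_users=3):
    """Accounts looked up by an unusually large number of distinct users."""
    users_by_account = defaultdict(set)
    for e in events:
        if e["action"] == "lookup":
            users_by_account[e["account"]].add(e["user"])
    return {acct: sorted(users) for acct, users in users_by_account.items()
            if len(users) >= min_distinct_users}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    print("bulk access:", bulk_access_alerts(evs))
    print("many-eyes accounts:", curiosity_alerts(evs))
```

Both detectors are only as good as the log feeding them, which is why Bellovin's advice to treat monitoring as part of the system design matters: the reporting path has to emit a record count per call, and the thresholds need to be tuned against what normal use actually looks like for each role, or the alerts will be either silent or ignored.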
Financial institutions also need to push their security practices to the vendors and partners they work with, noted Borenstein.
"The bottom line is security practices of institutions themselves are not always extended to third parties," he said. "We'll start to see in the not-so-distant future a greater emphasis on third-party sharing."
Another myth is that customer data in a cloud service (e.g. Salesforce, which happens to be used by JPMorgan Chase, Morgan Stanley and many other institutions) is riskier than customer data tucked away on a company's own on-premises servers. (Salesforce representatives did not immediately respond to a request for an interview.)
"For big financial services firms that are very sophisticated, it's probably a wash," Bellovin said. "For small companies with less expertise of their own, they're probably going to get better security by going with a cloud provider."
Cloud providers tend to do a better job at basic system administration chores such as patching, he noted.
Credit Card Lesson
Richard Moulds, vice president of product strategy for Thales e-Security, suggests more companies should consider adopting the credit card industry's PCI DSS standard, which covers many aspects of security including access policies, user authentication, network segmentation, encryption and antivirus efforts.
"It has made a major impact on the level of security for credit cards," Moulds said. "What we've seen is a gulf steadily emerging between credit card information and everything else. There's no mandate for other sensitive data other than credit card numbers."
He acknowledged that protecting credit card numbers is an easier problem to solve than other types of personal data. Credit card data only includes small chunks of tightly formatted information. And PCI DSS is obviously not infallible.
"Some people might ruffle their eyebrows if you say we should all use PCI to protect sensitive customer data," Moulds said, given the many large-scale card breaches of the past 18 months (e.g. Target, Home Depot, Neiman Marcus). "It's not that the credit card providers and merchants have a waterproof system, but it's ahead of other things. PCI is not perfect, but it's a good starting point for other industries."