By Brian McGinley
In the spirit of the Olympic Games under way this summer in London, we’ve opted to award gold, silver and bronze medals to companies and government institutions for their performance in the 2012 (In)Security Games.
Find out which organizations experienced the thrill of a well-designed privacy plan and which ones endured the agony of an easily prevented data breach. The goal is simple. We want organizations to get smarter about data security to better protect consumers’ personally identifiable information.
We’ll spotlight medalists in a number of events, including the Consumer Protection Decathlon and the 100-meter Privacy Dash. But the first event is Data Vulnerability. The year 2011 was a big one for world records in this category. Remember the Sony or Epsilon breaches, to name but a few? Preparing for this year’s games, we wondered about the level of competition.
There were a lot of strong contenders. Corporate America gave it a good effort with a significant number of data breaches. Hackers and digital con men bent on stealing consumers’ personal information seemed to make gains this year, too. Nearly 400 breaches already have been reported this year, with about 19 million customer records affected, according to Privacy Rights Clearinghouse.
So without further ado, the medals go to:
Gold: Global Payments Inc.
Global Payments, which processes card transactions for merchants, exposed more than 7 million consumer records, although the company claims only 1.5 million credit cards were exposed. The breach happened when records were wrongfully exported from its North American processing system. Security violations were so rampant here that the major credit card companies removed Global Payments from their list of third-party vendors that meet their joint security standards. A gold-medal-worthy performance, indeed.
Silver: LinkedIn
Everybody’s favorite professional social networking site came out swinging this summer. Some 6.5 million user passwords were stolen, and the corporate response was tepid at best. The password dump, as it’s called, was made freely available in an online hacker forum, and it took third-party security wonks to figure out it belonged to LinkedIn. It’s unclear how much damage this information will cause users. But the breach warrants a silver medal because prevention was so darn easy. LinkedIn used a run-of-the-mill weak encryption process and should have known better.
Bronze: Zappos
A hacker snuck into the popular discount shoe site’s servers in January and left with 24 million records. Despite the big loss, Zappos clearly had a response plan on the books—and used it following the breach. Their reaction gained favorable coverage in the security press and probably mitigated some of the damage. Thus, what could have been a gold medal performance took only the bronze.
I've said it before, and I'll say it again. Security isn't a path taken; it's a destination reached. Learn more about how to build smarter security into your management practices with my three-part series on 21 Steps to Smarter Security.
With more than 30 years of experience in risk management, security, loss management and compliance within financial institutions, Brian has held senior positions at Wachovia Corp. and Citigroup. He served as board chairman of the Financial Services Roundtable/BITS Identity Theft Assistance Center.