Personally identifiable information (PII), or sensitive personal information (SPI), is a class of information that can be used on its own or together with other information to identify, contact or locate a single person, or to identify or impersonate an individual.
Hardly a week goes by without a report of an industrial-scale theft of customer identity data.
How does it happen? Why would anyone waste time stealing identity data? How can it be sold without the seller getting caught?
The largest case of identity theft in the US was committed by Philip Cummings, a help desk employee of Teledata Communications of Long Island, New York. Teledata provided a third-party credit score download service used by the major American banks.
As an administrator, Cummings had access to the systems and databases used to generate credit scores and to view the resulting reports, which contained personal information. He also had access to bank login credentials, including passwords.
Cummings hoovered up the identity data and sold it to an identity theft syndicate.
The syndicate had the details it needed to:
- Change a cardholder’s address.
- Apply for a new credit card to replace a “missing” card. The new card was shipped to a syndicate address.
- Steal no more than $5,000 from the victim’s credit card, to reduce the chance of prosecution.
Some 30,000 people in the US and Canada were affected, with damages running into the millions of dollars.
There were a number of failings in the way personal information was managed and accessed, and in how it was defined who could do what.
The basic best practices for managing PII data include:
- Design the internal network, databases and access applications under the assumption that hackers will try to steal personal information.
- Controls are in place to ensure that a specific user can be enabled or disabled from performing specific functions.
- For third-party support, the support engineers never have direct access to the enterprise production systems. The only exception is where a contract with a third party for production infrastructure and systems support grants a specific person the right to deploy a specific release into production.
- Third parties are provided with logs to support monitoring of their application. All PI data is scrubbed from those logs.
- A separate system is available on which the third-party system can be reviewed and modified. Once bugs are fixed, the changes are published to the production system by the corporate systems deployment team after validation of the change.
- All data containing personal information, whether at rest in a database or in transit (for example, exchange of data with a business partner or online customer access), is encrypted.
- Production data is never used in test systems.
- Each system generates reports detailing who accessed which system, what type of data was accessed and how it was distributed.
- Filter potential malware out of email and block phishing attempts.
- Limit the size of emails and attachments.
- Train staff never to open emails from unknown senders.
- Set daily withdrawal limits. Notify the account holder of account activity and give them a way to report fraudulent transactions.
- If PII data is accessed from the internet, the person whose data is being accessed is notified by email. The email should never contain PI data.
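One way to apply the log-scrubbing practice above (PI data removed from logs before a third-party support team sees them), as an added example that is not from the original article: a small Python scrubber that redacts SSNs, card numbers (confirmed with a Luhn check so that order ids and timestamps are not redacted by mistake), email addresses and phone numbers from a constructed sample log. The log format, field names and sample lines are assumptions.

```python
import re

# Patterns for personal information that must not reach a third party.
# SSN and CARD run before PHONE so the phone pattern cannot match a
# fragment of them; CARD matches are confirmed with a Luhn checksum.
_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("CARD", re.compile(r"\b(?:\d[ -]?){13,18}\d\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("PHONE", re.compile(r"(?<![\w-])(?:\+?1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b")),
]

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scrub_line(line: str) -> str:
    """Replace each piece of personal information in one log line with a typed tag."""
    for label, pattern in _PATTERNS:
        def redact(match, label=label):
            if label == "CARD":
                digits = re.sub(r"\D", "", match.group(0))
                if not luhn_ok(digits):
                    return match.group(0)  # plain number, not a card: keep it
            return f"[{label} REDACTED]"
        line = pattern.sub(redact, line)
    return line

def scrub_log(lines):
    """Scrub a whole log before it is handed to a third party."""
    return [scrub_line(line) for line in lines]

# Constructed sample of a credit-score service log (not real data).
SAMPLE_LOG = [
    "2024-05-01 10:22:13 INFO login user=j.doe@example.com ip=203.0.113.7",
    "2024-05-01 10:22:40 INFO score_request ssn=123-45-6789 card=4111 1111 1111 1111 order=20240501001",
    "2024-05-01 10:23:02 WARN callback phone=(555) 123-4567 status=retry",
    "2024-05-01 10:23:05 INFO score_ready order=20240501001 latency_ms=4125",
]

if __name__ == "__main__":
    for scrubbed in scrub_log(SAMPLE_LOG):
        print(scrubbed)
```

Regular expressions alone over-match (timestamps, order ids) and under-match (free-text fields), so the scrubber is a last line of defence; the stronger control is not writing PI data into the log in the first place.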
There are a number of reasons why these measures are not implemented:
- They are not a corporate priority.
- The potential impacts on business operations, reputation and future business in the event of an identity theft incident are not appreciated, or the risk is “managed” with no mitigation.
- The high cost of remedying existing databases, networks and applications so that they manage PI data securely.
Had these policies been in place, Cummings would never have gained access to the production systems that managed PI data.
It should be noted that Cummings sold the credit reports to a group of hackers. One hacker stole $1,000 through a fraudulent credit card charge. The cardholder was caught in a situation where fraud cases under $5,000 in Florida are not investigated. Only when the FBI realised that the complainant was part of a much larger fraud case was the complaint taken seriously.
On a final note, bank customers should regularly check their statements for unexplained purchases.