Enterprise data systems are proving to be porous, as a number of breaches over the past few months have affected not only large banks, but major organizations outside of financial services as well.
An August breach at Citigroup's Japanese card unit was followed by another one in the same month, which was caused by leaks at retailers that the bank did not identify. Bank of America, which was affected by the same breach, responded by issuing new debit cards.
To a certain extent, Citi lucked out in Japan, since the compromised data included names, addresses, birth dates and gender. That's certainly not information a bank wants in the hands of crooks, but they can do much more damage with personal identification numbers and card security codes, which the bank was able to protect from the hackers in Japan.
In another breach at Citi, in May, more than 360,000 accounts were affected and almost 220,000 cards were replaced. As with the Japan breach, hackers were able to access names of consumers and other contact information, but they did not obtain card security codes, which are usually necessary to commit crime.
Citigroup, of course, isn't alone. A former Bank of America employee was arrested in California and charged with selling customer data the employee allegedly stole in May, including driver's licenses, Social Security numbers, PINs and maiden names. One victim told the Los Angeles Times that crooks had used information to order new checks and execute money transfers.
At the online marketing company Epsilon, a subsidiary of Alliance Data Systems, someone hacked into the files of clients including Capital One Financial, JPMorgan Chase and the supermarket chain Kroger. Another retailer, Michaels Stores, suffered a data leak after PIN-pad tampering allowed hackers to gain access to personal ID numbers, impacting dozens of stores across the country.
Credit unions have also been struck. In June, dozens of credit unions replaced debit cards after holders reported fraudulent use, including Century FCU, First Class CU, Firefighters CU, and PSE CU, as well as banks such as KeyBank and First Merit. In this case, stolen card information was used to create fake debit cards.
Sony's PlayStation Network temporarily shut down after a breach affected as many as 77 million users, and even the U.S. Senate was targeted by hackers after a breach this spring.
Beyond the stresses on IT and business units, the breaches have also led to political pressure, as a couple of bills that failed to become law in the past have resurfaced in the current Congress for consideration. Sen. Patrick Leahy, D-Vt., and Rep. Mary Bono Mack, R-Calif., have pushed legislation that would require timely disclosure of breaches-Citi was criticized for a gap of several weeks in its public announcement of the May breach-as well as disclosures about how inaccuracies in enterprise databases are corrected.
While there are lots of software and strategies in play to combat breaches, security experts generally agree that beyond making security a centralized focus that stretches across the entire enterprise, there's no best practice or single tech play that can protect an institution-requiring the mix of strategies such as the ones discussed in our poll.
"No one possesses that one silver bullet that will make us more secure. Data breach prevention is an ecosystem with lots of players," says Murray Walton, chief risk officer at Fiserv. "Understanding the problem is a full-time job."