Another Day, Another BreachMass. Incident is Latest Blow to Banks
Today's headline is about the Commonwealth of Massachusetts, which announced Tuesday that thousands of unemployed residents' names, Social Security and bank account numbers may have been exposed to hackers.
According to a statement from the Executive Office of Labor and Workforce Development, the culprit is a newly identified strain of the computer worm W32.Qakbot, which since April 20 has been infecting networks and computers at the departments of Unemployment Assistance and Career Services, as well as computers at the state's One Stop Career Centers.
How many more of these incidents can any of us read about before our eyes just roll back in our heads?
Add this incident to a staggering string of recent news items, including:
- The Michaels breach - which involves payment card terminals being swapped out at scores of retail stores in at least 20 states.
- The Sony PlayStation hack - which exposed the personal information of up to 77 million users of Sony's PlayStation Network and Qriocity online service.
- The Epsilon e-mail breach - which announced in April that its clients' customer data were exposed by an unauthorized entry into Epsilon's e-mail system - an exposure that impacts the customers of major banks and retailers, including Citi, Chase, Walgreens and LL Bean.
I'll stop there because three is a good number. Unfortunately, I could double that list easily. And we're only talking about recent breaches.
So, what do all of these incidents have in common? Two things: 1) Not one of them involves a breach of a banking institution. Yet, 2) every one of them ends up with banks having to help customers whose accounts might be compromised.
It always comes back to the banks, doesn't it? In every major information security incident we've discussed in recent years - whether it's the Heartland Payment Systems breach or the latest example of corporate account takeover, we're talking about non-banking entities being hacked, and then banking institutions stepping in to help their customers pick up the financial pieces.
There are a couple of concerns that need to be addressed here. For one, these incidents place a huge burden on banking institutions in terms of resources, where the people who have to be assigned to monitor and service the potentially impacted accounts are concerned. And for two, fraud incidents damage consumer confidence in an institution. The average banking customer doesn't know what a Heartland or a Michaels is - but they know their bank. And that's whom they hold accountable when a payment card is replaced for the second time in three years.
Another issue relates to one Tracy Kitten addressed a week or so ago: the notion of "Breach Fatigue." How many more of these incidents can any of us read about before our eyes just roll back in our heads?
This is a delicate balance that we all have to attempt to achieve. We need to make people aware of the incidents, the risks, the potential exposures ... but not make them so scared that they quit banking online or grow so numb that they stop paying attention. The bad guys hope we'll all just turn our heads while they proceed to pick our electronic pockets.
Frankly, I think it's a good time for institutions to initiate some proactive discussion with their customers. Acknowledge these recent incidents - explain them - and then take the opportunity to educate customers about safe practices in the cyberworld. Talk about what banking institutions are doing to ensure security, as well as what customers (corporate and consumer) can do to protect themselves in their own electronic transactions and interactions. Talk about phishing and how to avoid being a victim after your contact information has been hijacked, ala Epsilon.
At the same time, if you've not done so already, get familiar with the components of the FFIEC's pending update to the 2005 online authentication guidance. We don't know exactly when this update will be issued, but we know it's coming, and customer awareness is a huge element of what regulators will demand of institutions.
It's tough, I know. You read a story like this latest one from Massachusetts and your instinct is to just say, "Here we go again." But resist that urge. Stop here, get the news, understand its potential impact, and then put the incident in proper context for your customers.
To paraphrase a quote often attributed to 18th century philosopher Edmund Burke: All that's necessary for the fraudsters to succeed is for good institutions to do nothing.
This is a good time to do something - before we read about the next incident.