Viewpoint: U.K. Breach a Precautionary Tale for U.S.

Just before Thanksgiving, the U.K.'s department of revenue and customs announced it had lost personal records of 25 million citizens with information including names, addresses, insurance account numbers, and bank accounts. That's right, bank accounts for nearly half the British citizenry.

In the aftermath, outraged customers are flocking to their banks to change account numbers or close accounts altogether. Not only is this a personal nightmare for British citizens, banks are experiencing a corporate nightmare dealing with the results of a government agency's data breach — not a bank's breach.

In a note responding to the incident, the research firm Gartner Inc. said that bank account numbers typically sell on the U.S. black market for as much as $400 and proposed that the criminals in this case are likely to pursue the lost data as vigorously as the authorities.

Gartner also proposed that U.K. banks will be affected only if the lost data does, in fact, fall into criminal hands. Unfortunately, U.K. banks are already feeling the brunt of the panic, which will result in costs that could easily climb to over $500 million. Perception is reality in this case.

Instead of simply watching in horror, U.S. financial institutions should view this incident as a precautionary tale and take action.

First of all, they should put additional pressure on the federal government to implement proper security measures here.

Secondly, they should encourage a national data breach bill currently held up in congressional committee. This bill would standardize the sea of fragmented data breach laws currently on the books in 36 states, making it less costly for all organizations to do business.

Another measure U.S. financial institutions should take is to shore up their own security measures. Nearly all banks are now compliant with the authentication requirements of the Federal Financial Institutions Examination Council, but a logical next step is to implement a real-time, online fraud detection system.

These systems help defend customers against online fraud even if their second authentication factor has been compromised. Because the U.K. incident involved such rich data, many of the fields used in a typical knowledge-based authentication scheme could be answered from the same lost file, so knowledge-based authentication on its own would offer little protection. A real-time fraud detection solution that monitors all transaction data for anomalous behavior without modifying the back-end applications is extremely valuable in these cases.
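As an added illustration (not code from this article or from any vendor product), here is a toy version of the behavioral scoring such a system performs: it consumes a copy of the online-banking event stream, compares each event with the customer's own history, and raises an alert when the accumulated deviation crosses a threshold, without touching the application that executed the transaction. The customer id, device ids, country codes, amounts, rule weights and the alert threshold are all constructed assumptions; a real deployment would tune them from labelled history.

```python
# Added illustration: a toy real-time behavioural fraud scorer. It reads a copy
# of online-banking events (login, add_payee, transfer) and flags sessions whose
# behaviour deviates from the customer's own baseline, even when the credentials
# and knowledge-based answers presented were all "correct".
# Every customer, device, country, amount and weight below is constructed.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple


@dataclass
class Baseline:
    """What 'normal' looks like for one customer, learned from past sessions."""
    devices: Set[str]
    countries: Set[str]
    payees: Set[str]
    transfer_amounts: List[float]


@dataclass
class Event:
    ts: int            # seconds since the start of the observation window
    customer: str
    device: str        # device fingerprint or persistent cookie id
    country: str       # geolocation of the client IP
    action: str        # "login", "add_payee" or "transfer"
    payee: str = ""
    amount: float = 0.0


ALERT_THRESHOLD = 50    # assumption: tuned per institution from labelled history
VELOCITY_WINDOW = 300   # seconds between adding a payee and paying it (assumption)


def score_event(ev: Event, base: Baseline, history: List[Event]) -> Tuple[int, List[str]]:
    """Return (risk score, reasons) for one event; higher means more anomalous."""
    score, reasons = 0, []
    if ev.device not in base.devices:
        score += 30
        reasons.append("unrecognised device")
    if ev.country not in base.countries:
        score += 25
        reasons.append("country never seen for this customer")
    if ev.action == "transfer":
        if ev.payee not in base.payees:
            score += 20
            reasons.append("payee not in customer's history")
        if len(base.transfer_amounts) >= 3:
            mu = mean(base.transfer_amounts)
            sd = pstdev(base.transfer_amounts) or 1.0
            if ev.amount > mu + 3 * sd:
                score += 25
                reasons.append(f"amount {ev.amount:.0f} is more than 3 sd above usual {mu:.0f}")
        # velocity rule: paying a payee that was created moments earlier in the session
        if any(e.action == "add_payee" and e.payee == ev.payee
               and ev.ts - e.ts <= VELOCITY_WINDOW for e in history):
            score += 20
            reasons.append("transfer to a payee added within the last 5 minutes")
    return score, reasons


def run(events: List[Event], baselines: Dict[str, Baseline]) -> List[dict]:
    """Process events in time order and return every alert at or above the threshold."""
    history: Dict[str, List[Event]] = defaultdict(list)
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        score, reasons = score_event(ev, baselines[ev.customer], history[ev.customer])
        history[ev.customer].append(ev)   # the scorer only observes; it never blocks or rewrites
        if score >= ALERT_THRESHOLD:
            alerts.append({"ts": ev.ts, "customer": ev.customer, "action": ev.action,
                           "score": score, "reasons": reasons})
    return alerts


def demo() -> List[dict]:
    """Constructed sample: routine activity, then a session that passed authentication
    but looks nothing like the customer."""
    baselines = {
        "cust-001": Baseline(devices={"dev-home"}, countries={"US"},
                             payees={"electric-co", "landlord"},
                             transfer_amounts=[100, 120, 90, 110, 95]),
    }
    events = [
        Event(0, "cust-001", "dev-home", "US", "login"),
        Event(60, "cust-001", "dev-home", "US", "transfer", payee="landlord", amount=105),
        # same credentials, but device, location, payee, amount and pacing all differ
        Event(3600, "cust-001", "dev-unknown", "XX", "login"),
        Event(3660, "cust-001", "dev-unknown", "XX", "add_payee", payee="new-acct-9"),
        Event(3700, "cust-001", "dev-unknown", "XX", "transfer", payee="new-acct-9", amount=4800),
    ]
    return run(events, baselines)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The two routine events score zero, while the takeover-style session produces three alerts (the login and payee creation at 55 each, the transfer at 120), which is the point of the approach: the second factor and knowledge-based answers may have been defeated, but the behavior still differs from the customer's own history, and the scorer needs only an event feed, not a change to the banking application.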

In addition, financial institutions can take steps to shore up their own internal data security. A layered approach that includes strong authentication, internal data handling procedures, and encryption at all points is a good place to start. In the end, laptops, USB drives, and disks holding sensitive information will likely go missing at some point, so it is critical to build security that holds up regardless of what "accidents" or employee errors occur.

When a large-scale data breach like this one occurs, it is always good to check your security plans and capabilities to see if they are adequate, even if the breach is not necessarily your own.
