Recent breaches at Epsilon and Citibank are evidence that criminals are no longer going after financial information alone; they are increasingly profiting from stealing all kinds of customer data, especially email addresses. By accessing personally identifiable information (PII) such as email addresses or social security numbers, thieves can sell the information on the black market or run highly lucrative phishing and other scams themselves. In fact, according to analyst firm Frost & Sullivan, the global black market for email addresses and national ID numbers is now worth about $5 billion.
A big reason for this growing problem is that security investments in the financial industry are largely driven by regulations. Understandably, banks tend to shy away from making an investment unless it is a requirement. Regulations like PCI-DSS and guidelines from the FFIEC ensure that financial institutions invest in strategies to protect financial information like credit card and account numbers, but there is no industry standard for protecting PII. There should be.
The criminal fraternity knows that most of the data security focus at financial institutions is on protecting credit card and account numbers, so it has shifted its strategy to the low-hanging fruit of less-protected email addresses. In the past, an email address in a hacker's hands mostly meant a great deal of spam, which is hardly dangerous compared with a hacker holding your account number and siphoning money out of your account. Now, once a criminal has an email address, he can write to that person directly with a very convincing message that impersonates their bank and persuade them to hand over their account number and password.
The hackers responsible for the Epsilon breach were particularly savvy because they stole names and email addresses from a company that they knew held data from specific banks, including Citibank, JP Morgan Chase and Barclays Bank. So when account holders at these banks receive a nicely formatted email that is not only personalized but appears to come from a site they are registered with, there is a good chance they will click links and answer questions they would not have answered had the request arrived in a less familiar form.
Bottom line: these breaches and others involving email addresses could all have been prevented had the banks treated their PII data as carefully as they treat financial information. Since there are fewer available guidelines on protecting PII data, institutions should look to more established regulations and apply their guidelines for securing sensitive data. By protecting PII as you would financial information, you ensure that you have the best security measures in place to mitigate the next breach. Publicly available guidelines like PCI DSS 2.0 are a good place to start when establishing an internal PII data security policy run by the corporate security office.
At the technical level, another big reason these breaches continue to plague us is that most institutions still focus their data protection strategies on securing the network where the data is stored rather than protecting the data itself. At a minimum, PII should be protected with up-to-date encryption techniques; however, tokenization is now touted by industry analysts and security experts as providing the strongest data security available today. This is because it replaces the data with a completely random token that cannot be decoded through an algorithm. So even if a cybercriminal gets access to the token, he cannot unscramble it to make any use of it.
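To make the tokenization argument concrete, here is a small vault-based tokenizer written as an added example for this article; it is not Protegrity's code or any vendor's product. Unlike encryption, where anyone holding the key can recover every value, the token here is drawn from a secure random source and the only link back to the PII is the lookup table inside the vault, so a dumped customer table of tokens yields nothing on its own. The records, the `token.invalid` domain and the `TokenVault` class are constructed assumptions for the demonstration. The caveat a practitioner would add is that the vault itself is now the crown jewel and needs the access control, logging and isolation the article asks for elsewhere.

```python
import secrets
import string


class TokenVault:
    """Vault-based tokenization (hypothetical, for illustration).

    Each PII value is replaced by a surrogate drawn from a cryptographically
    secure random source. There is no algorithm that maps token back to
    value; the only link is the table held inside the vault, so a dump of
    tokenized records carries no recoverable PII.
    """

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    @staticmethod
    def _random_token(value: str) -> str:
        # Tokens are format-preserving so downstream systems keep working,
        # but no character of the original value is carried over.
        if "@" in value:
            alphabet = string.ascii_lowercase + string.digits
            local = "".join(secrets.choice(alphabet) for _ in range(16))
            # ".invalid" is a reserved TLD, so a token can never be a real mailbox.
            return f"{local}@token.invalid"
        if value.isdigit():
            # e.g. a national ID number: same length, all random digits
            return "".join(secrets.choice(string.digits) for _ in value)
        return secrets.token_hex(len(value))

    def tokenize(self, value: str) -> str:
        """Return the token for value, minting a new one on first sight.

        The same value always maps to the same token within one vault so
        that joins and de-duplication on tokenized columns still work.
        """
        token = self._value_to_token.get(value)
        if token is None:
            token = self._random_token(value)
            while token in self._token_to_value:  # guard against collisions
                token = self._random_token(value)
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Recover the value; only a caller with vault access can do this."""
        return self._token_to_value[token]


# Constructed sample records for the demonstration, not real customer data.
SAMPLE_RECORDS = [
    {"name": "A. Example", "email": "a.example@bank.example", "ssn": "123456789"},
    {"name": "B. Example", "email": "b.example@bank.example", "ssn": "987654321"},
    {"name": "A. Example", "email": "a.example@bank.example", "ssn": "123456789"},  # duplicate
]


def tokenize_records(vault: TokenVault, records: list[dict]) -> list[dict]:
    """Replace the PII columns of each record with vault tokens."""
    return [
        {
            "name": rec["name"],
            "email": vault.tokenize(rec["email"]),
            "ssn": vault.tokenize(rec["ssn"]),
        }
        for rec in records
    ]


def leaked_pii(tokenized: list[dict], original_values: set[str]) -> int:
    """Count how many original PII values appear anywhere in a tokenized dump.

    This models what an attacker who steals only the tokenized table learns.
    """
    dumped = {r["email"] for r in tokenized} | {r["ssn"] for r in tokenized}
    return len(dumped & original_values)


if __name__ == "__main__":
    vault = TokenVault()
    tokenized = tokenize_records(vault, SAMPLE_RECORDS)
    for rec in tokenized:
        print(rec)
    originals = {r["email"] for r in SAMPLE_RECORDS} | {r["ssn"] for r in SAMPLE_RECORDS}
    print("PII values recoverable from the dump alone:", leaked_pii(tokenized, originals))
    # Round trip is only possible through the vault.
    print(vault.detokenize(tokenized[0]["email"]))
```

Running the block prints the tokenized table, a leak count of 0 for the table alone, and the original address recovered only through the vault. Two independent vaults produce unrelated tokens for the same address, which is the property the article contrasts with an encryption algorithm.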
Cybercriminals will continue to have a field day with PII data until banks fight back by putting the same energy into protecting PII that they put into protecting account numbers and other financial information. With no regulations to protect PII in sight, financial institutions and their vendors need to take the initiative on their own to avoid data breaches that are not only costly but damaging to brand reputation. Fortunately, the situation is entirely within their power to address, using available guidelines and technologies that are proven to work with financial data.
Suni Munshani is the chief executive of Protegrity, a data security solutions provider.