Thread in Data-Safety Lapses Was Failure to Follow Policy
Vartanian, Thomas P., Fajfar, Mark, American Banker
On Nov. 1, as the business world awaited U.S. District Judge Colleen Kollar-Kotelly's decision on the proposed settlement of the antitrust cases against Microsoft Corp., trading in Microsoft's shares intensified and the price began to rise. Though the judge had said that her decision would be publicly available on the court's Web site 30 minutes after the markets closed, links to the decision were anonymously posted on Slashdot.org at 3:33 p.m.
Another example of malicious hacking? Apparently not. Instead, it seems that the court's Web administrator had not anticipated that someone would try to guess the Internet address of the files containing the decision, which were uploaded to the Web site about 90 minutes early in a directory named "Opinions/2002/Kotelly." Since these files were not encrypted or protected by password, a user of any Web browser could search for files that appeared to contain the decision.
Financial companies are not immune from even the simplest of these errors. A few days after the Microsoft opinion incident, BancWest Corp.'s Bank of the West (BancWest is owned by BNP Paribas) broadcast an e-mail to about 3,500 of its customers in a format that revealed all the e-mail addresses to every recipient. Though no other personal or financial information was released, the company apologized (by e-mail) and pledged to implement controls.
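The bank's lapse is the classic bulk-mail mistake: every customer address was placed in a visible header, so each recipient received the whole list. The following Python example, added here and not drawn from the article or from any bank's systems, builds the same broadcast both ways and shows what actually leaves the mail server. The recipient addresses, sender address and message text are constructed placeholders. The `wire_view` helper reproduces the behaviour of the standard library's `smtplib.SMTP.send_message`, which takes the envelope recipients from the To, Cc and Bcc headers and then strips Bcc from the transmitted headers; a control that checks the transmitted message for recipient addresses before release would have caught the exposure.

```python
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list (placeholders, not real customer data).
CUSTOMERS = ["alice@example.com", "bob@example.net", "carol@example.org"]


def build_broadcast(recipients, leak=False):
    """Build one notice addressed to many customers.

    leak=True reproduces the lapse: every address in the visible To header.
    leak=False is the hardened form: an empty group in To, the real list in Bcc.
    """
    msg = EmailMessage()
    msg["From"] = "notices@bank.example"        # constructed sender
    msg["Subject"] = "Account notice"
    if leak:
        msg["To"] = ", ".join(recipients)        # visible to every recipient
    else:
        msg["To"] = "undisclosed-recipients:;"   # RFC 5322 group with no members
        msg["Bcc"] = ", ".join(recipients)       # used for delivery, never transmitted
    msg.set_content("Your statement is ready.")  # constructed body
    return msg


def wire_view(msg):
    """Mimic smtplib.SMTP.send_message: return (envelope recipients, transmitted text).

    The envelope list comes from To, Cc and Bcc; the Bcc header itself is removed
    from the copy of the message that is sent over the wire.
    """
    envelope = []
    for header in ("To", "Cc", "Bcc"):
        for _, addr in getaddresses(msg.get_all(header, [])):
            if addr:                              # skip the empty group address
                envelope.append(addr)
    transmitted = copy.deepcopy(msg)
    del transmitted["Bcc"]
    return envelope, transmitted.as_string()


def addresses_exposed(recipients, leak):
    """Release-time control: which recipient addresses appear in the transmitted message?"""
    _, transmitted = wire_view(build_broadcast(recipients, leak))
    return [r for r in recipients if r in transmitted]


if __name__ == "__main__":
    for leak in (True, False):
        envelope, _ = wire_view(build_broadcast(CUSTOMERS, leak))
        print(f"leak={leak}: delivered to {len(envelope)}, "
              f"exposed {addresses_exposed(CUSTOMERS, leak)}")
```

Both variants deliver to the same three envelope recipients; only the leaking variant carries the full list in the text each customer sees. Running `addresses_exposed` against the outbound message as a pre-send gate is the kind of control a written procedure can name, and the kind an e-mail tool's default "To" field quietly bypasses.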
Crafting appropriate Internet security procedures is only the first step in compliance for financial services companies. Written procedures are not always followed, so financial companies must provide training, maintain records, and identify new risks.
Regulators have taken notice of these vulnerabilities. In late September the Federal Trade Commission announced an initiative designed to create a "culture of security" among users and providers of Internet services, and publicized a number of ways consumers and businesses could preserve Internet security, such as installing virus protection and guarding passwords.
The importance of maintaining security on the Internet is exemplified by the vigorous reaction to recent, relatively minor, security lapses. Each of these incidents provides useful lessons to banks and other financial outfits that rely on the Internet to reach and serve their customers.
Ziff Davis Media Inc. recently agreed to pay $100,000 to three states and $25,000 in compensation to 50 customers over an online subscription offer. It turned out that names, addresses, and credit card numbers submitted by consumers in response to the offer were stored, in unencrypted format, in a publicly accessible file.
Apparently, one reason for the breach was that Ziff Davis enlarged the information it collected without being sure to implement more robust security procedures. …