The indictment of an alleged master hacker in massive data thefts underscores the role that risk managers play in information technology security, experts say.
Risk managers need to recognize the risk and encourage coordination among various departments involved in dealing with corporate data breaches. Risk managers are key in considering what risk transfer options are best in an IT-related loss, experts say.
An indictment last week by a Newark, New Jersey, federal grand jury accused U.S. citizen Albert Gonzalez, two unnamed accomplices believed to have “resided in or near Russia” and an unindicted U.S.-based co-conspirator of hacking into the computer networks of five U.S. companies in 2007 and 2008.
According to the indictment, the conspirators stole about 130 million credit and debit card numbers and other data from Princeton, New Jersey-based Heartland Payment Systems Inc., which its Web site says processes about 4 billion transactions a year.
They also are accused of stealing an undisclosed number of credit and debit card numbers from Dallas-based 7-Eleven Inc. and 4.2 million numbers from Portland, Maine-based supermarket chain Hannaford Bros. Co. The hackers also hit two other unnamed companies.
The defendants allegedly used so-called “SQL injection attacks” to achieve their ends. Structured query language is designed to retrieve and manage data on computer databases, according to the indictment. The injection attacks plant malicious software, or malware, that sends personal data to unauthorized parties.
Since then, Heartland and Hannaford have upgraded their security systems, spokesmen for the companies said in e-mails. These steps included enhanced data encryption.
A spokeswoman said 7-Eleven's security had been enhanced after the breach, but declined to give details.
In a report filed with the Securities and Exchange Commission, Heartland, the only known publicly traded company in the group, said the cyber attack has been costly.
The case should be of concern to risk managers, observers say.
“The existence of the incident certainly gives rise to risk managers looking into what type of insurance protection they have and to double-check the IT practices and procedures in place to protect against this type of incident,” said Matt Raffner, senior risk analyst at Walt Disney Co. in Burbank, California.
“The first thing is recognizing the risk,” said Jim Whetstone, senior VP technology and privacy at Hiscox USA in Chicago. “It’s a business issue.”
“We encourage companies to have a defensive, in-depth security system. The more layers they have of security, the more of a deterrent it is,” he said.
Risk managers should pre-negotiate rates with forensics firms and law firms so the company is prepared in the event of a breach, he said.
“From a financial statement standpoint, they have to determine how these data breaches will affect their company’s financial statement,” said Kevin Kalinich, a national managing director at Aon Risk Services Central Inc. in Chicago.
Risk managers have to consider the risk financing alternatives, including insurance, and “how they’re going to pay if an incident like this should actually occur,” said Nicholas Economidis, an underwriter with Beazley USA’s technology, media and business service team in Philadelphia.
In addition, the risk manager has to coordinate with each management silo that might be involved, including IT, human resources, financial and legal, “to make them most efficient,” said Aon’s Kalinich.
IT security experts say a constantly improving defense is essential.
“I’m a big fan of what I call security assurance, or hacking yourself,” said Mike Rothman, senior vice president of strategy with Acton, Massachusetts-based eIQnetworks Inc., a provider of security and compliance management software. “The bad guys are testing your defenses every day, and the worst thing for a security professional is to be surprised.”
Companies should use penetration-testing techniques to check vulnerabilities, said Fred Pinkett, vice president of product management at Core Security Technologies in Boston.
Another lesson is that data need to be encrypted even when moved internally, said Richard Wang, manager at SophosLabs U.S. in Burlington, Massachusetts.
“If it’s encrypted, then the criminals can’t do much with it,” he said.
Yet Whetstone noted that a Hiscox review of 60 U.S. companies found only 7 percent implemented end-to-end encryption of sensitive data. Forty-two percent of the companies had suffered a data breach.
Several experts noted that sophisticated criminal organizations, including those from Russia, have gotten into data thefts.
“The real troubling thing is as long as there’s a profit motive, this kind of thing is not going to go away,” said Beazley’s Economidis.