Identity Theft Case Underscores IT Security Flaw in Financial Services Sector

Security expert offers perspective on largest credit information theft case in history

On November 25, federal investigators arrested a former employee of financial software provider Teledata Communications Inc. for allegedly stealing the credit files of 30,000 people. The scam, which is believed to be the largest of its kind, raises concerns about the security of information systems in the financial services sector.

Using inside access to the computer systems of three major credit bureaus—Experian, Equifax and TransUnion LLC—Philip Cummings, 33, was able to download credit information, which he sold to individuals who used it to buy merchandise, order credit cards, and take money out of bank accounts. Currently, losses are estimated at about $2.7 million, a figure that is expected to rise as the credit information continues to circulate.

From a technology standpoint, the breach occurred because Cummings, working in help desk support, was able to obtain the passwords of Teledata’s clients, which in turn let him log into the computer systems of the credit bureaus named above.

For companies that have, or are considering, a working relationship with a financial services firm, the scheme raises the question: How secure are information systems in the financial services sector?

Pretty secure, according to Leo Cole, director of security market management for IBM Tivoli. “In general, security practices in the financial sector are among the best in the commercial market.”

However, he notes, security holes do exist, and companies need to be careful not to assume that because information security is strictly regulated in the financial services community, they needn’t be as thorough in their evaluation of potential partners as they would typically be in other industries. “[Companies] need to be diligent about understanding their service providers' practices for security and privacy and take those practices into account when selecting a provider.”

Currently, national and international regulations govern security in the financial services sector. So far, though, no charges have been brought against any of the companies involved in the Teledata case, which may signal stronger regulations to come.

Ultimately, though, Cole feels it is the demands of customers, not new regulations, that will ensure the security of financial data going forward. “Just as important as regulatory pressures, the financial sector is held to high security and trust standards by their customers.”

Currently, financial institutions are required to undergo a formal security audit as part of their annual financial audit. However, given the insider nature of the Teledata incident, existing security audit procedures were unable to prevent the theft. Cole suggests additional auditing may be required by companies operating in the financial services community to limit insider threats in the future. “The most effective way to prevent insider misconduct is to audit employees' security-sensitive actions and review the audit records frequently to detect suspicious activity.”
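The kind of review Cole describes can be automated over the audit trail itself. The script below is an added illustration, not code from the article or from Teledata, IBM Tivoli or any credit bureau; the log format, account names, workstation identifiers, the two-hour window and the daily pull limit are all constructed assumptions. It applies two checks that follow directly from the pattern in this case: a client account being used from the same workstation where a help desk user had just viewed that client's credentials, and a single account pulling far more credit files in a day than its baseline.

```python
"""Review an audit trail for help-desk misuse of client credentials.

Added illustration: the log format, account names, workstation ids, the
two-hour window and the daily pull limit are all constructed assumptions,
not the logging of Teledata or of any credit bureau.
Record layout (whitespace separated):
    <ISO timestamp> <actor> <source workstation> <action> <key>=<value>
"""
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)   # assumed: reuse this soon after a credential view is suspicious
DAILY_PULL_LIMIT = 20         # assumed per-account baseline of credit-file pulls per day


def build_sample_log():
    """Constructed sample audit trail (not real data)."""
    base = datetime(2002, 2, 1, 9, 0, 0)
    lines = [
        # Routine support: a credential view, after which the client uses its
        # account from its own site, not from the help-desk workstation.
        f"{base.isoformat()} helpdesk04 ws-110 CLIENT_CREDENTIAL_VIEW client=LENDER_A",
        f"{(base + timedelta(minutes=30)).isoformat()} LENDER_A ext-lender-a CREDIT_FILE_PULL consumer=C10001",
        # Insider pattern: a help-desk user views a client's credentials and,
        # minutes later, that client account pulls files from the same workstation.
        f"{(base + timedelta(hours=1)).isoformat()} helpdesk17 ws-201 CLIENT_CREDENTIAL_VIEW client=LENDER_B",
    ]
    for i in range(30):
        ts = base + timedelta(hours=1, minutes=3 + i)
        lines.append(f"{ts.isoformat()} LENDER_B ws-201 CREDIT_FILE_PULL consumer=C{20000 + i}")
    return "\n".join(lines)


def parse_log(text):
    """Parse audit lines into dicts; the key=value field becomes its own entry."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, actor, source, action, subject = line.split()
        key, value = subject.split("=", 1)
        records.append({"ts": datetime.fromisoformat(ts), "actor": actor,
                        "source": source, "action": action, key: value})
    return records


def credential_reuse_alerts(records, window=WINDOW):
    """Flag credit-file pulls made under a client account, from the workstation
    where a help-desk user viewed that client's credentials, within `window`.

    Returns (help-desk actor, client account, workstation, consumer id) tuples.
    A nested scan is fine for a daily review; index pulls by source for volume."""
    alerts = []
    views = [r for r in records if r["action"] == "CLIENT_CREDENTIAL_VIEW"]
    pulls = [r for r in records if r["action"] == "CREDIT_FILE_PULL"]
    for v in views:
        for p in pulls:
            if (p["actor"] == v["client"] and p["source"] == v["source"]
                    and v["ts"] <= p["ts"] <= v["ts"] + window):
                alerts.append((v["actor"], v["client"], p["source"], p["consumer"]))
    return alerts


def volume_alerts(records, limit=DAILY_PULL_LIMIT):
    """Flag accounts whose credit-file pulls on one day exceed the baseline.

    Returns {(actor, 'YYYY-MM-DD'): count} for every account over the limit."""
    pulls = Counter()
    for r in records:
        if r["action"] == "CREDIT_FILE_PULL":
            pulls[(r["actor"], r["ts"].date().isoformat())] += 1
    return {key: n for key, n in pulls.items() if n > limit}


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    for actor, client, ws, consumer in credential_reuse_alerts(recs):
        print(f"credential reuse: {actor} viewed {client}; {client} pulled {consumer} from {ws}")
    for (actor, day), n in volume_alerts(recs).items():
        print(f"volume: {actor} pulled {n} files on {day} (limit {DAILY_PULL_LIMIT})")
```

The first check matters more than the second: a help desk account viewing a credential is legitimate work, and a client account pulling files is legitimate work, so neither event alone stands out; only correlating the two across actor, workstation and time exposes the misuse. The volume check catches the same behaviour later and more coarsely, which is why both belong in a frequent review rather than an annual audit.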

Still, Cole believes security in the financial services sector is strong, comparatively speaking. “Security practices tend to be stronger in the financial sector than most other sectors due to the high trust requirement of their customers. Stronger regulations would not necessarily improve the security of financial organizations more effectively, for example, than customer requirements and market competition.”

For the enterprise considering a working relationship with a financial organization, Cole recommends enlisting the help of a knowledgeable professional services firm to help with best practices, if the enterprise is unsure of the financial services provider’s level of information security.

About the Author

Matt Migliore is a regular contributor. He focuses particularly on Microsoft .NET and other Web services technologies. Matt was the editor of several technology-related Web publications and electronic newsletters, including Web Services Report, ASP insights and MIDRANGE Systems.