Not a week goes by without another incident hitting the media about confidential consumer information having been hacked or brought out into the public domain. Why are these incidents so common?
The answer is that sensitive personal information, like names, addresses, dates of birth and bank details, is highly prized by the criminal community - it’s proverbial gold dust. Just a limited subset of this information will provide enough detail for criminals to commit a wide range of financial crimes, from out-and-out fraud (e.g., bogus loan applications) to sophisticated money laundering operations.
Such is the availability and demand for this information that within the dark and murky corners of the web there are forums and marketplaces that specialise in the sale of this data, often at relatively modest prices.
How the hackers work
So, how do these data breaches occur? Through a variety of means, some very sophisticated, others less so. At the larger end of the scale were the 2013/14 hacking incidents involving a well-known US email provider, when 1.5 billion email addresses were compromised in the largest breach ever seen; the figure alone illustrates the scale of the problem. This provided the criminal network behind the hack with enough sensitive customer information to commit fraud on an industrial scale. Just think about how much information flows through a typical person’s email account(s) and how key this is to the running of their everyday life. It may contain details of who they bank with, who they shop with, and details of their friends, family and associates.
Other methods employed include the use of malicious computer programs (malware), specifically designed to steal or copy confidential information, such as online banking credentials. We have also seen a rise in the use of phishing emails, which direct consumers to bogus websites designed to trick them into disclosing sensitive information. Phishing is just one form of social engineering, in which fraudsters psychologically manipulate consumers, or staff within organisations, into releasing confidential information.
When it comes to cyber-crime, this is low-risk, high-reward territory for the organised gangs involved, which is why this type of crime has seen a surge in recent years. The challenge for law enforcement agencies is the speed and size of these attacks and the complexities of bringing to justice organised criminal groups who may be spread across a number of different legal jurisdictions. What’s more, there is also evidence to suggest that some of these attacks are actually state-sponsored.
The digital age has brought about great changes in how the world operates and allows customers much greater flexibility in how they communicate and interact with their bank or service provider. However, advances in technology have also exacerbated risks in that vast amounts of data can be easily stored, but also easily compromised. The price of data storage has dropped significantly in recent years and portable storage devices, like USB sticks, are now commonplace.
Additionally, the rise of cloud computing has offered both businesses and consumers an easier and more flexible method of storing significant amounts of data using remote servers, all of which are at risk unless access is sufficiently controlled. It’s a real challenge for firms to adequately control and protect all of their digital assets, some of which are held across multiple sites within different geographies.
But, remember, while computer-aided crime has seen exponential growth over the last few years, data lost through more routine, low-tech methods can be just as damaging. A method still favoured by criminals is the interception of post, whether by setting up a fraudulent mail redirection facility or direct theft from letter and post boxes. It may be that a single up-to-date bank statement and utility bill is all that is required to assume another person’s identity to go on to commit all manner of other crimes.
It’s also worth noting that the risk of data loss is not just consigned to external groups. There is a significant fraud risk associated with individuals within an organisation, whether employed on a full-time basis or perhaps as contractors. These staff members may have access to significant amounts of sensitive consumer data and may be tempted to commit fraud due to external pressures like money worries, high levels of debt, gambling addiction and more.
Both data protection and industry regulators have long understood the link between poor data security and financial crime. The FCA, in its most recent Financial Crime Guides, spells out in detail what it expects of firms in this area and what constitutes best practice. This is laid down in overarching requirements under the heading of “Systems and controls”, which require firms to have adequate safeguards in place to counter the risk that the firm might be used to further financial crime. Senior management within firms is under a specific obligation to mitigate these risks.
So, bringing these threats together, how can firms control and protect sensitive customer information? There are probably too many potential solutions to go into detail for the purposes of this article, however, a robust information security framework should be established to include the following elements:
These are challenging times for regulated firms when it comes to data security and minimising financial crime - often it’s an arms race between organisations and the criminal gangs looking to steal customer information. One thing is for sure, it’s a challenge that is not going away and is subject to continual change. Get it wrong and the consequences for firms could be far-reaching.
David is ID and fraud consultant at Equifax and can be contacted via firstname.lastname@example.org