Data Breach: The New Old Bogeyman
The digital storage of client, customer, and employee personal information has helped countless industries improve their services, enabling them to offer convenient features to speed up transactions, tend to a customer's needs, and have quick access to an employee's vital information.
It should be a win-win situation, but high-profile security breaches make such efforts risky business.
International Intrigue and Suspense
The story line had it all: surreptitious installation of a Trojan program; a single compromised low-level account giving access to millions of records with names, addresses, and credit card information; attempts to sell the acquired data on underground criminal-linked websites. Best Western seemingly had a huge problem on its hands, according to Scotland's The Sunday Herald.
A data leak of 8 million records would have ranked it among the largest ever recorded and would certainly have cost the company financially, not to mention leaving it a severely damaged reputation to contend with. The story painted a grim picture, noting that anyone who stayed in a Best Western-affiliated hotel in Europe over the past two years may have had their information compromised.
It would seem, if Best Western is to be believed, that the story has been overblown. A company statement claims that a reservation system was compromised by a Trojan horse, but the system only had access to one hotel in Berlin, Germany, and the total number of people whose information was likely compromised is not in the staggering millions range but likely many fewer.
All's Well that Ends Well?
The company's policy of limiting how long it keeps records in its reservation systems may have saved it from more leaked data. It's a sensible balance between convenience for everyone and the risk you'd run keeping your customers' data on a machine that has a direct connection to the web at large. How such a Trojan got on their system is anyone's guess, but the fact that it could be reached at all is disconcerting.
The larger problem is that the number of data breaches, along with the general loss of data stored on portable drives, is growing and likely to continue to make news. Privacy Rights Clearinghouse maintains a sizable list of data breaches, both large and small, that have occurred in the US over the past three years. Hacking, stolen laptops, and the good old inadvertent posting of information seem to be the most popular methods for data to get out in the wild.
A good number of these breaches wouldn't be of much worry if a simple encryption scheme were a part of the security procedure when dealing with portable drives. Another good chunk could have been prevented if there were proper firewall setups and promptly patched software to stop unauthorized access from remote connections. Hindsight is always 20/20, but some breaches are so blatantly obvious that you have to question how so many people fouled things up so badly.
There is, of course, the problem of people having too much privilege. Proper controls on the amount and types of information specific accounts can access are a good thing to have when so many workers and contractors need information to perform their duties. Insiders absconding with data is just as damaging to a company's reputation as foolishly hosting it on a web server for the world to see.
But Wait, There's More
The simple fact is that a data breach is an expensive event. A recent study found that last year each compromised customer record cost a company $197, mostly from lost business. And that figure is up from the cost of a leaked record in 2006, so the cost of a failure to maintain control over customer records is likely to rise further.
It's now far cheaper, and prudent, to hire a security consultancy firm to make sure all of your ducks are in a row, as any breach can have a far more costly effect. A thorough security audit by outsiders is more likely to point out what your organization is doing wrong when dealing with records and your security procedures in general.
It's either that or deal with the costs of notifying those affected, loss of reputation, and gearing up a team of lawyers should your former customers decide you're a target ripe for a lawsuit.
With the amount of personal data stored these days, some basic measures can keep information safe from prying eyes. Securing data should be of top concern for anyone handling someone else's information. And while putting in measures to make sure it's all squared away nicely does add some cost to the price of doing business, not keeping tabs on who is granted access and not keeping that data safeguarded will likely end up costing far more than you bargained for.
This article was first published on EnterpriseITPlanet.com.