Data Theft by Partner Companies on the Rise

28 August 2008—If you’re the owner of a retail-store chain or a financial-services company, it is your responsibility to keep your customer’s credit card number or social security number safe. But how can you control what goes on outside your company’s doors? Your credit card machine’s vendor could overlook a software vulnerability. Or an employee at the call center handling your customer-service calls could turn sour on his employer.

Data breaches involving trusted third parties—business partners, vendors, suppliers, and contractors—are alarmingly on the rise, according to a recent investigation by the security team at Verizon Business. While studying about 500 incidents worldwide between 2004 and 2007, the RISK Team found that cases involving partner organizations, willing or unwitting, went up fivefold, reaching 44 percent in 2007. Hackers and other outsiders, meanwhile, were directly responsible for close to 80 percent of the breaches. (There was some overlap among the cases.)

The market for stolen data has exploded in recent years, says Bryan Sartin, director of the investigative response team at Verizon Business. In early August, the U.S. Federal Bureau of Investigation cracked down on one of the largest identity-theft cases involving an organized international ring of criminals. This ”information black market” is fueling the increase in partner breaches, Sartin says.

For example, he says, criminals can find out the make and model of the cash registers used by a restaurant chain. With this information they can hunt down the company that supports the software system for that cash register model. They could then try to hack into the software system or bribe disgruntled employees at that support company’s call centers.

The Verizon investigators found that in about 57 percent of partner breach cases, the partner organization was an unwitting accomplice. In these cases, an outsider exploited the partner’s connections or information assets. In 21 percent of the cases, the team could not identify specific culprits. A disturbing 16 percent of the cases led back to the deliberate malice of the victim company’s own IT administrators. The other 6 percent were traced to employees who worked remotely or from an off-site facility owned by the victim company.

The upward trend in partner-based breaches is worrisome for more than one reason. The victim company usually finds out about the compromise late because a trusted party logging into its computer system does not set off alarms. Also, partner-side breaches can cause more damage than a random hacker because partners have higher levels of access to the victim organization’s systems and servers, which puts large amounts of data at risk. The Verizon report shows that most partner incidents compromised 187 500 records, compared with 30 000 for external breaches.

Partner breaches seem inevitable in the information age. ”More companies are sharing more information with more partners, which means a higher probability of breaches,” says Sasha Romanosky, a graduate student at Carnegie Mellon University who is studying data breaches.

A few simple measures, however, could prevent partner breaches. Sartin says that a portion of the cases could be avoided if companies simply put some basic constraints on their partner’s access to their computer systems, such as how often they can connect or for how long.

Keeping track of data is also important. In two-thirds of the 500 cases studied by the RISK Team, the victim company had no idea that the data compromised had existed on their system. ”You have to know what information you have before you can start to protect it,” Romanosky says.

These recommendations might work, but there are serious problems that remain, says Peter Neumann, a computer scientist at SRI International, a nonprofit based in Menlo Park, Calif. Among other things, he points out, ”the computer systems themselves are inadequately trustworthy; the burdens on organizations, users, and administrators are enormous; educational and training processes are inadequate; governmental attention to and recognition of the deeper problems is inadequate.”

Finally, organized crime and the information black market, the two big drivers of partner breaches, show no sign of retreating anytime soon. In fact, cybercriminals are always evolving and trying to stay one step ahead of investigators. If things stay the way they are, says Sartin, ”by the end of 2009, partner breaches might exceed external breaches.”