Data Theft Paper

Data Theft Paper
Data theft is when information is unlawfully copied or taken from a business or individual. This information is user information such as passwords, social security numbers, credit card information, other personal information, and confidential corporate information. Within this paper several examples will be giving as, I explore how data theft has affected individuals and organizations. What can organizations and individuals do to protect them from becoming victims of this type of fraud. When stolen data happens such as people’s identities or an organization’s information the potential harm is huge with major economic and legal implications. The worst thing about the data theft is that it can remain undetected. It is devastating when you find out as a boss that an ex-employee has stolen the company information for personal gain, profit, or to ruining the company completely. A survey released by Information Week (informationweek.com) and Accenture in July 2007 showed that 89 percent of 1,010 U.S. companies still felt vulnerable to data theft (McNurlin, Sprague, & Bui, 2009). For example the Boeing Company had an ex-employee who illegally downloaded thousands of pages of significant business documents to his computer. It was anticipated if any of those documents had gotten into the wrong hands of Boeing’s competitors it could have cost them $5 to $14 billion dollars (McNurlin, Sprague, & Bui, 2009). In 2008, a data theft survey was done and more than 60 percent of U.S. workers who left their employers took some data with them. According to a February 24 article in The Economist. In the recession, many laid-off employees who feel like they have nothing to lose by walking off with data they no longer have any rights to use (Crews & Wiseman, 2009). Nearly all healthcare organizations responding to a survey -- 96% -- reported that patient or related information has been lost, stolen, or otherwise compromised within the last two years. The number of data breaches involving protected health information rose by 32% from 2010, according to interview data published online by the independent privacy and data protection group the Ponemon Institute. Three out of 10 respondents (29%) said a data breach resulted in medical identity theft -- up 26%. And two out of five respondents (41%) blamed data breaches on employee negligence -- not following data-handling procedures, sloppy mistakes, and using unsecure electronic devices -- and 49% reported lost or stolen devices. Third-party errors were responsible for 46% of breaches (Medpagetoday, 2010). The issues of insider attackers are becoming quite a test. According to Greenemeier, criminals inside the organization are not the most common security problem (McNurlin, Sprague, & Bui, 2009). Attacks by insiders of a company can be expensive and tremendously damaging to the company’s reputation. Some examples of possible criminal acts from inside a company: * An employee illegally accesses employees’ emails to steal information that could be used for malicious intent. * An employee who is angry about the low bonus he received and tries to ruin the entire company’s computer system by deleting delegate data records. * A system administrator is not happy with his life and decides to change the code of legacy systems, creating bad data. * A marketing salesperson steals sensitive data and sells them to a competitor (McNurlin, Sprague, & Bui, 2009).
Inside criminals may have certain warning signs an organization should be aware of like mental health disorders, personalities that conflicts with authority, history of behavioral violations in the workplace, or personal financial problems.
Personal individuals’ data theft has gotten outrageous. In recent weeks the news reported two big data collectors companies that collect people’s personal information and has sold detailed personal information on nearly 500,000 people to buyers who have absolutely no business getting it. As early as 2003, the U.S. Census Bureau reported that two-thirds of American households have at least one computer, with about one-third of adults using computers to manage household finances and make online purchases [U.S. Census Bureau2005]. These statistics suggest that many computers store data on personal finances and online transactions, not to mention other confidential data such as tax records, passwords for bank accounts, and email. We can estimate that these figures have risen dramatically since the 2003 survey. Sensitive information stored in an insecure manner is vulnerable to theft. According to the most recent CSI Computer Crime and Security Survey [Richardson 2007], 50 percent of the respondents have been victims of laptop and mobile theft in the last 12 months (Diesburg & Wang, 2010). In October 2009, FBI arrested 33 people in “Operation Phish Phry” an international investigation of suspects’ who allegedly stole around 2 million from bank accounts in the United States over a two year period. The suspect allegedly use sham websites with Bank of America and Wells Fargo logos to trick customers of those banks into entering their usernames and passwords (Calman & Feigelson, 2010). According to Javelin Strategies( Identity-theft), a research firm that reports on identity theft, incidences of the crime increased by 11% from 2008 to 2009 changing the lives of 11 million Americans(2010). 1 in every 20 Americans are victim to this crime. The odds go up if you are a young adult or a small business owner. This is because people in these groups tend to engage in riskier activities that can lead to them being victimized. Especially young adults who are away in college that uses library computers or share computers in their dorm rooms with roommates and others who they do not know well. Small business owners, who tend to complete a large amount of financial transactions by mail or over the Internet, will sometimes use their personal accounts and home address to aid in processing these transactions. The Federal Trade (FTC), which is responsible for taking complaints from victims and sharing them with law enforcement agencies, has noted that identity theft is a major problem. Millions of Americans are being affected each year, and victims may face substantial costs and time to repair the damage to their good name and credit record. It is estimated that the record of 3.3 million people from the guarantor of US student loans have been victims. The information that the victims’ loss was names, addresses, social security numbers and dates of birth, this data was confirmed by the Educational Credit Management Corporation (ECMC), which stated data theft from their headquarters in Minnesota.
Some of the biggest data theft in the last five years:
2007-
1. T.J. Maxx - In a carefully planned and long drawn out operation, Albert Gonzalez stole sensitive information belonging to more than 100 million customers of T.J. Maxx, an American departmental stores chain. The hack was carried out over a period of 18 months, ending in 2007. As many as 45.6 million credit and debit card numbers were stolen. Unlike other entries in this list, this wasn’t an entirely remote operation. Instead, poorly secured in-store computer kiosks were exploited to gain access to company’s networks.

2008- 2. Hannaford Bros. Supermarket chain - In March 2007, another supermarket chain was compromised. Hannaford lost credit and debit card numbers, expiration dates and PIN numbers of 4.2 million customers. The leak has led to over 1,800 reported incidents of fraud. The culprit was once again Albert Gonzalez. This time around he broke in by using SQL-injection attack.
2009-
3. Check Free Corporation - Check Free, an online bill payment service, fell victim to a DNS hijacking scheme in December, 2008. However, the incident didn’t come to light until January 2009. The company’s website was redirected to a Ukrainian website that hosted Trojan horses that were designed to steal data from customers. Since, Check Free lost control of its website, the exact extent of the damage couldn’t be calculated. However, an estimated 5 million consumers might have been affected.
2010-
4. Gawker – In December 2010, Gawker Media blogs were hacked by a group called Gnosis. Not only did this group go on to give interviews to competitors of Gawker Media, but it also uploaded the entire database of 1.3 million registered users (with usernames and hashed passwords), and confidential staff conversations to a torrent website. The breach prompted many other web services (like Twitter and LinkedIn) to carry out forced password resets for affected members.
2011-
5. Epsilon - Epsilon is a leading email marketing service provider that has dozens of tier-1 companies as its client. On March 30, a hacker succeeded in gaining access to a subset of Epsilon clients’ customer data. Data stolen included names and email addresses. Epsilon maintains that only 2% of its customers were affected, and hasn’t disclosed exactly how many records were breached. However, given that the affected clients include big names like CitiGroup, Best Buy, and JPMorgan Chase, this breach might turn out to be the biggest ever ( Techie-buzz, 2011).. Different ways organizations can provide data security, so they will not be affected by insiders are, IT security staff needs to work closely with other organizational departments like the HR department, promoting the use of encryption, and enforcing the most rigorous audit policy for mission-critical data. Personnel security should have a policy in place that identify who has authorization to enter a physical room and access data. Application security needs to be provided for software, hardware, and firmware applications to be secured from unauthorized access. Operating system security for IT staff to make available to all users a security guide for every operating system used in the organization. Network security need to add communication devices like network bridges which will serve as a gateway to the organization’s platform to restricted hackers. Middleware and Web Services security, IT security should review the middleware blueprints and define a cohesive view of security across diverse middleware systems, and provide a starting point to spread out the policy for middleware security. Facility security there would be a physical room where the information systems are installed should be fully protected with entry locks, security guards and cameras. Egress security should be enforced for a policy to be in place to take out vulnerable documents which should be given to personnel. Any vulnerable documents printed on paper should be stored in a secure place, unused documents should be shredded. Different ways to protect individuals from identity theft are to think like a thief. Before you throw anything away, look to see whether it has any valuable identifying information that could be used by someone to steal your identity.
Shred it- Think twice before you let bills, receipts, statements and solicitations leave your house in one piece. Shred financial and medical statements, pre-approved credit card offers and other solicitations, preferably with a cross-cut shredder.
Stash it- Rather than throw away receipts and other documents at the airport, shopping center or at work, bring them home and shred them.
Lock it up- To avoid thieves who steal credit card offers from your mailbox or, worse, take bills waiting for the postal carrier and then doctor the checks, get a locking mailbox. If you're home a lot, you can instead get a device lets you know when your mailbox has been opened.
Financial diligence- Protecting your credit and your banking and brokerage accounts is particularly important and worthy of special effort. Among other things, keep your checkbook out of sight and keep blank checks in a secure place.
Checkups- You needs to monitor all your financial accounts on a regular basis, looking for any unusual transactions. You need to report any improper charges or withdrawals to your bank account immediately. In addition, sign up for email alerts for your bank and credit card accounts, so that you'll get a text message or email if large or unusual transfers are made or your balance is unusually low (Smart money, 2011).

Conclusion For organizations it can be very difficult to deal with insiders’ threats especially when it can cost them millions of dollars. While as identity theft is becoming the fastest growing crime in the United States, with over a million victims each year. I have given you examples of both an organization and individual data theft. How miserable ex-employees have taking their employer’s data for personal gain. How hackers and ordinary day-by-day people are stealing other individual personal information making them victims of identity theft. I have given you ways to how an organization can secure their data from being stolen and saving the organization millions of dollars from these discontent people. I have given you ways for individuals to protect them from becoming victims of identity theft. It is becoming a big issue for data theft and the best ways to avoid becoming a victim is to make sure all your Is’ are dotted and all your Ts’ are crossed in the organization’s IT security and as an individual making sure you protect your personal information.

Reference
Crew, A. & Wiseman, D.D. (2009, October). To catch a data thief. Hrmagazine, 54(11), 1-70. Retrieve from EBSCOhost.
Diesburg, S.M, & Wang, A. (2010, November 3). A survey of confidential data storage and deletion methods, ACM computing surveys, 43(1) 2-37. Retrieved from EBSCOhost.
Feigelson, J., & Calman, C. (2010, April 1). Liability for the costs of phishing and information theft. Journal of Internet law, 13(10), 1-26. Retrieved from EBSCOhost.
How to protect yourself from identity theft. (2011, August). Retrieved by http://www.smartmoney.com .
McNurlin, B., Sprague, R. & Bui, T. (2009). Information systems management in practice (8th, ed.), Upper Saddle River, New Jersey: Prentice Hall
Petrochko, C., (2011, December). Ponemon Institute. Retrieved by http://medpagetoday.com
The biggest data theft in the past five years. (2011, November). Retrieved by http://techie-buzz.com .