Data loss can almost always be traced back to inadequate security measures at the organizational level. In some cases, employees are responsible for stealing information, which was the case for Fidelity National. Other times, data is lost because a contractor didn’t follow adequate security practices. Regardless of the different reasons for major data leaks, companies can protect themselves. This article explores the three biggest data leaks for 2007 and how they could have been prevented.
T.J. Maxx Hack Exposes 45.7 Million Credit and Debit Cards
A hacker or group of hackers was successful in stealing 45.7 million credit and debit card numbers belonging to T.J. Maxx and Marshalls customers. The company didn’t announce the breach until January 17, 2007, even though they first learned about suspicious software on their computer systems a month earlier.
The real tragedy is that the hackers had been stealing credit and debit card information since July of 2005. At that point, hackers were able to retrieve information about transactions dating back to January 2003. Some customers who returned goods without a receipt also had their driver’s license number compromised as a result of this breach.
Even though T.J. Maxx hired private investigators to get to the bottom of the problem, it remains unclear how much data was compromised. Part of the reason is that much of the transaction data had been deleted during the normal course of business before the theft was discovered.
The only arrests made in this case were of a group of 10 people believed to have purchased data from the hackers. They used the credit card numbers to purchase Wal-Mart gift cards in Florida. According to the local police, they attempted to buy $1 million worth of electronics with those gift cards.
Fidelity National Employee Steals Records of 2.3 Million Customers
In 2007, Fidelity National was reminded that the best security systems don’t count for much when the employees with access to the data can’t be trusted. One of its subsidiaries, Certegy Check Services, terminated the responsible employee, William Sullivan, in May of 2007.
According to the investigation, Sullivan had copied the information onto an external device and removed it from the building earlier that year. The records included the names, addresses, phone numbers, bank account information, and credit card information of Certegy customers. Sullivan is alleged to have sold the data to an undisclosed data broker. From there, the information was sold to various marketing firms.
Certegy took legal action to compel these marketing firms to stop using the information. There was no evidence that any of the stolen information was used for identity theft. Nevertheless, Certegy notified all 2.3 million affected customers and placed them on a fraud watch. Certegy also notified all three of the major credit reporting agencies in addition to VISA and MasterCard.
Later reports show that 8.3 million customers were affected instead of the 2.3 million originally reported. Sullivan, the employee who stole and sold the information, pled guilty to federal fraud charges and was sentenced to four years and nine months in prison. He was also ordered to pay a fine of $3.2 million.
Gap Contractor Loses Data for 800,000 Applicants
Using your credit card isn’t the only time your personal information is exposed. In this case of data loss, the people who were affected by the security breach were job applicants for Gap, Old Navy, Banana Republic, and outlet stores in the United States, Puerto Rico, and Canada. People who applied at any of these places between July 2006 and June 2007 may have been affected by the security breach.
One of Gap’s third-party contractors that managed the company’s data reported a stolen laptop in 2007. Contrary to the contractor’s agreement with Gap, none of the information stored on the laptop was encrypted. This means that all of the data was accessible to anyone in possession of the computer.
How You Can Prevent Data Loss with eFileCabinet
It’s important to understand that data loss is not inevitable; while your company may become the target of hackers, that doesn’t mean the hackers will succeed. The first step to protecting your information is to store every file in an encrypted document management system like eFileCabinet.
Next, your company needs to control the information your employees have access to. This can be done by setting up role-based user accounts. Keep in mind that your managers don’t have to have access to all of the data just because they’re managers. The less access your employees have, the less likely it is that there will be a leak. If your employees handle sensitive information, it’s imperative that they undergo and pass a background check beforehand.
Last but not least, your company needs to put in place and adhere to sound document management principles. Your employees should know how documents are created, stored, and transferred. Then it’s your manager’s job to make sure this gets done properly by following the audit trail.
At eFileCabinet, we take cybersecurity seriously. If you have any questions about how we keep your documents safe and secure, please don’t hesitate to call or chat with us.