List of Data Breach Notices Lengthening

Computerworld - The steady stream of data compromises continued unabated last week, with several more companies disclosing security breaches.

One of the biggest snafus involved AT&T Inc., which said that malicious hackers had made off with credit card information and other personal data belonging to about 19,000 customers of the company's online store for Digital Subscriber Line equipment.

In a statement, AT&T said "unauthorized persons" had illegally hacked into one of its computer systems and accessed the customer data. The intrusion, which took place on the weekend of Aug. 26 and 27, was discovered "within hours," and the online DSL store was immediately shut down, according to AT&T.

If there's a continuing lesson to be learned from such incidents, it's that companies need to pay more attention to data security, not just network security, said Ron Ben-Natan, chief technology officer at Guardium Inc., a security tools vendor in Waltham, Mass.

"The bottom line is that the data is leaking and is not being contained in the way it should be," he said. Companies must pay more attention to measures such as activity monitoring and auditing, encryption, data classification and policy enforcement, he added.

Corporate users also need to adopt more "systemic security management" approaches, said Doug Graham, a partner at BusinessEdge Solutions Inc., an IT consulting firm in East Brunswick, N.J. "People want things to be secure, but too often they tend to see security as a problem for the security guys," he said. Instead, the goal should be to make security an integral part of all business processes, Graham said.

Among the companies reporting breaches last week was Philadelphia-based Sovereign Bancorp Inc., which said that three laptop PCs containing confidential information about bank customers had been stolen in two separate incidents in early August. Sovereign spokesman Carl Brown declined to disclose how many people were affected by the thefts, saying only that the number amounts to about 1% of the bank's customer base.

None of the data on the stolen laptops was encrypted, although the systems were password-protected, Brown said. That met corporate security policies, he added.

Mobile network operator Verizon Wireless disclosed that on Aug. 21, an employee accidentally sent an e-mail with an attachment containing the names, cell phone numbers, e-mail addresses and phone models of nearly 5,000 customers to about 1,800 other subscribers. The attachment was supposed to have been an electronic order form.

In an e-mailed comment, a spokesman for Verizon Wireless said the affected customers were informed of the breach but also were advised that the compromised data was unlikely to be of much use to identity thieves.

On Aug. 22, a laptop belonging to the Federal Motor Carrier Safety Administration was stolen. The FMCSA, which is part of the U.S. Department of Transportation, said last week that the laptop is believed to have contained the names, dates of birth, Social Security numbers and other personal data of about 193 people who hold commercial driver's licenses across 14 states.

An FMCSA spokesman said the agency isn't 100% sure that the laptop contained the personal information and only made that assumption based on the system's last interactions with its network.

Security Count

Number of data breaches disclosed by U.S. companies and government agencies in 2006 JANUARY 12 FEBRUARY 12 MARCH 20 APRIL 15 MAY 18 JUNE 41 JULY 31 AUGUST 34 Source: Privacy Rights Clearinghouse, San Diego

Read more about security in Computerworld's Security Knowledge Center.