Via MSNBC RedTape -
It's being called the worst data leak of the information age. Earlier this month, U.K. officials had to admit they'd lost computer disks containing personal information on almost half the country's population, including nearly all families with children. If that's not bad enough, the databases included the worst kind of information to lose -- consumer bank account numbers.
It's a data scandal fit for tabloids. The price tag put on the loss is already $500 million. Prime Minister Gordon Brown had to issue a public apology, and the head of Britain's Revenue and Customs office was forced to resign. The U.S. audience might have missed the initial news because the story broke during the Thanksgiving holiday. But the obvious question floating across the Pond is this: Could something that dramatic happen in the United States?
Yes, most experts say. And the consequences here would be even worse.
The computer disks lost by British officials contained intimate details on every family in the United Kingdom that claims the child benefit -- a government subsidy payment that goes to every household with children. The disks were lost while being sent between government agencies. The information on them included the names, addresses, dates of birth, insurance numbers and banking details. In all, data on 25 million of Britain’s 60 million citizens were on the disks.
That amount of the data loss is staggering -- just shy of half the nation's population.
"We've never had anything like this," said Avivah Litan, a bank security analyst with consulting firm Gartner. The stolen Veterans Administration laptop may sound comparable in number (26 million), but the type of data lost in that incident -- Social Security Numbers -- pales in comparison to the lost U.K. tapes, Litan says.
...
To really understand the importance of the U.K. leak, it's important to understand how valuable raw bank account information is. In a report written soon after the U.K. incident, Litan said Social Security numbers sell for as little as $5 on the ID theft black market. But live bank account information can sell for as much as $400.
Why? It actually takes some effort to turn Social Security numbers and even credit card numbers into cash. Social Security numbers are only a building block that can be used to apply for credit. Card companies have sophisticated tools designed to catch fraud as it happens, including software that spots unusual purchases and stops criminals in their tracks.
But banks have no such protections on checking account transactions, Litan says. In fact, anyone with a bank account number and routing number can print up fake checks and start draining consumer accounts. Banks don't even process checking account transactions in real time.
Instead, they are batch-processed, generally once each day, through a system called ACH, or Automated Clearing House. So there really is little defense against a large-scale checking account theft. Millions of checking account numbers falling into criminals’ hands would be difficult to combat.
"ACH is an accident waiting to happen," Litan said. "It's the 'not-talked about-network,' but it has a lot of vulnerabilities. ... Big banks are more worried about check fraud than anything else."
But even if lost bank account numbers never fell into criminal hands, the hassle and cost of such an incident would be enormous for both banks and consumers.
Whenever a large-scale theft of credit card numbers is revealed -- such as the theft of nearly 90 million account numbers from TJ Maxx -- card-issuing banks generally adopt a wait-and-see attitude. Sophisticated systems allow them to flag potentially stolen card numbers and watch carefully for signs of fraud.
There is simply no parallel system for bank account numbers, Litan said. So a similar incident in the United States might force banks to close and re-issue millions of checking accounts, at enormous expense.
"The impact on people's personal lives would just be untold. If you've ever had to change your credit card number you know it's a pain in the butt. When you talk about bank account numbers you multiply that tenfold," Weiss said. Consumers might spend days, or even weeks, unable to pay their bills or reliably access cash, he said. "It's a lot harder to issue someone new bank account numbers than new credit card numbers. ... It's safe to say this kind of thing (could cause) a recession."
No comments:
Post a Comment