Most companies strongly protect their crown jewels: internal sales figures, product development plans, account numbers and customer transaction information. Typically lower down the priority list are customer relationship management systems and databases of clients' contact information.
Hackers' hauls in several recent data breaches, including those launched against Anthem, Morgan Stanley and JPMorgan Chase, primarily involved that supposedly lower-level information: emails, street addresses and phone numbers. (Social Security numbers were stolen from Anthem, too.)
Sometimes targeted companies announce the loss of such data as though it should be a comfort. And it sounds rational on the surface: most people's contact information exists in the public domain and can be easily found through a Google search.
But they (and perhaps the customers) may be underestimating the threat of that data in the wrong hands, especially if it is used in combination with other ill-gotten information.
"In many breaches, somebody else valued the information differently than you did and therefore they were able to get at something you're not protecting strongly because either you don't realize it or to you it's not that important," said Steven Bellovin, a professor in the Computer Science department at Columbia University.
Sensitive consumer data is bought and sold every day and used for phishing, identity theft and online and mobile banking fraud. Using Big Data tools, hackers can pull information from different sources and combine it to create a full customer record that can be used for social engineering.
But fully protecting customer data is tricky, because so many people in a financial organization need access to it.
"In an era in which customer experience is preeminent for a lot of businesses, there's a fine line and difficult balance between security and convenience," said Joram Borenstein, a vice president at NICE Actimize, which makes fraud-detection software.
Building strong walls around and, some say, within customer databases that make information accessible to those who really need it and no one else is a huge challenge.
A common myth is that encryption (scrambling stored customer data so that it can be read only by someone holding the decryption key) is the whole answer to protecting customer data. Most state laws governing personally identifiable information either require such data to be encrypted or exempt encrypted data from breach-notification duties.
Yet many recent hacking attacks in the financial services industry have been carried out with stolen or purchased log-in credentials. Encryption at rest doesn't matter when a hacker can log in as a legitimate user: the application holds the key, and it dutifully decrypts the data for anyone it has authenticated.
In the Anthem breach, for example, hackers allegedly used administrators' login credentials obtained through spear-phishing, noted Claus Kotasek, CEO at SMS Passcode, a provider of multifactor authentication.
"Too many employees are working remotely to still be relying on passwords alone," he said. "It doesn't make sense. Malicious actors are doing everything in their power to circumvent security, so organizations have to lock down remote access to business apps and cloud services with approaches like multifactor authentication."
Encryption is a piece of the answer. Customer information also needs to be partitioned to fully protect the most sensitive data elements, according to Bellovin.
"The issue here is that a lot of places don't understand how to build a high-assurance database of this type while still preserving its utility," Bellovin said. "You need to structurally separate important parts of your information and have fairly strong walls between them." This is difficult because some data needs to be commonly shared and available to everyone, he noted. "Many companies, including many financial companies, do all sorts of Big Data analysis," he said. "'Where are my depositors broken down by zip+4 [codes]?' 'Do I see a particular trend?' And so forth."
But there are alternatives. Amazon, for instance, is able to let customers see trends in what others like them are buying without sharing information about those individuals.
A role-based approach to data access helps, Bellovin said. "The analytic engine doesn't need to know account numbers and personal names; it needs to be able to get at transactional amount and so on."
The person who sends out 1099 forms by necessity has access to everybody's name, Social Security number, balance, interest and so on. "That global permission has to exist someplace or you can't send out 1099s," Bellovin said. "The challenge is how do we divide things up, then how do we build strong walls between the pieces, and how do we build strong doors to get through each of these walls? It's a very complex challenge."
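The "walls and doors" Bellovin describes can be built into the data layer rather than trusted to application code. The following is an added example, not code from the article or any of the companies it mentions, and it uses constructed records: an analytics role that can reach only an opaque id, geography and amounts, a 1099 role that holds the global permission, and a column wall enforced by SQLite's authorizer hook so that it also holds for ad-hoc SQL. The trend query answers the zip+4 question from the text and suppresses groups smaller than an assumed minimum size (K_MIN), the kind of aggregate-only access the Amazon comparison alludes to. The role names, column policy and threshold are assumptions.

```python
import sqlite3

# Constructed sample records (fake names, SSNs and account numbers),
# not real customer data.
CUSTOMERS = [
    (1, "Ada Lovelace", "123-45-6789", "ACCT-0001", "10001-1234", 1500.00, 12.50),
    (2, "Brian Kernighan", "987-65-4321", "ACCT-0002", "10001-1234", 2200.00, 18.75),
    (3, "Carol Shannon", "555-12-3456", "ACCT-0003", "10001-1234", 800.00, 6.10),
    (4, "Dan Ritchie", "111-22-3333", "ACCT-0004", "94016-5678", 5000.00, 41.00),
    (5, "Eve Mallory", "222-33-4444", "ACCT-0005", "94016-5678", 300.00, 2.40),
]

# Assumed policy: which columns of `customer` each role may read.
ROLE_COLUMNS = {
    # The analytic engine gets an opaque id, geography and amounts, never identities.
    "analytics": {"id", "zip4", "balance", "interest"},
    # The 1099 job is the one place that holds the global permission.
    "tax_1099": {"id", "name", "ssn", "account_no", "zip4", "balance", "interest"},
}
WRITE_ACTIONS = {sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE,
                 sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_DROP_VIEW, sqlite3.SQLITE_ALTER_TABLE}
K_MIN = 3  # assumed minimum group size before a zip+4 aggregate is released


class PartitionedStore:
    """One table behind two doors: a per-role column wall enforced by SQLite's
    authorizer hook, plus a PII-free view that is all the analytics path sees."""

    def __init__(self):
        self.role = None  # None only while the schema is being built
        self.con = sqlite3.connect(":memory:")
        self.con.execute("""CREATE TABLE customer (
            id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, account_no TEXT,
            zip4 TEXT, balance REAL, interest REAL)""")
        self.con.executemany("INSERT INTO customer VALUES (?,?,?,?,?,?,?)", CUSTOMERS)
        self.con.execute("""CREATE VIEW analytics_txn AS
            SELECT id AS opaque_id, zip4, balance, interest FROM customer""")
        self.con.commit()
        self.con.set_authorizer(self._authorize)

    def _authorize(self, action, arg1, arg2, dbname, source):
        # SQLite calls this while compiling each statement, before any row is read.
        if self.role is None:
            return sqlite3.SQLITE_OK
        if action in WRITE_ACTIONS:
            return sqlite3.SQLITE_DENY  # every role in this example is read-only
        if (action == sqlite3.SQLITE_READ and arg1 == "customer"
                and arg2 and arg2 not in ROLE_COLUMNS[self.role]):
            return sqlite3.SQLITE_DENY  # the column wall
        return sqlite3.SQLITE_OK

    def query_as(self, role, sql, params=()):
        """Run `sql` as `role`; raises sqlite3.DatabaseError ("not authorized")
        when the statement touches a column outside the role's wall."""
        self.role = role
        try:
            return self.con.execute(sql, params).fetchall()
        finally:
            self.role = None


def zip4_trends(store):
    """The zip+4 question from the text, answered from the PII-free view,
    with groups smaller than K_MIN suppressed so a trend never points at one person."""
    return store.query_as("analytics",
        "SELECT zip4, COUNT(*), ROUND(SUM(balance), 2) FROM analytics_txn "
        "GROUP BY zip4 HAVING COUNT(*) >= ? ORDER BY zip4", (K_MIN,))


def analytics_can_read_pii(store):
    """True only if the wall fails: the analytic role asking for identities."""
    try:
        store.query_as("analytics", "SELECT name, ssn FROM customer")
        return True
    except sqlite3.DatabaseError:
        return False


def tax_1099_rows(store):
    """The global-permission path: everything the 1099 mailing needs."""
    return store.query_as("tax_1099",
        "SELECT name, ssn, balance, interest FROM customer ORDER BY id")


if __name__ == "__main__":
    store = PartitionedStore()
    print(zip4_trends(store))             # [('10001-1234', 3, 4500.0)]
    print(analytics_can_read_pii(store))  # False
    print(len(tax_1099_rows(store)))      # 5
```

Two points of design worth noting. The wall is checked when a statement is compiled, so the same SQL text must not be shared between roles through a statement cache; here each role issues its own statements. And the second zip+4 group (two depositors) is dropped rather than returned, because a "trend" over two people is a lookup of two people.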
The Morgan Stanley breach was a good illustration of this. A junior financial adviser had legitimate access to the account data of 350,000 wealthy customers but used a reporting mechanism in a way he wasn't supposed to and downloaded all of it at once. Some of it later showed up on Pastebin, to the company's and clients' great embarrassment.
One answer to situations like these is to not try to restrict access to records up front, but monitor data access and catch inappropriate activity right away, Bellovin suggested. "You have to look at this as part of your system design."
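Monitoring of the kind Bellovin suggests is only useful if it catches the Morgan Stanley pattern: a user whose access is legitimate, whose volume is not. The following is an added example, not code from the article, running a simple volume rule over a constructed audit log (one line per report run: timestamp, user, report name, records returned). A day is flagged when it exceeds either an absolute cap or a multiple of the user's own median over prior days; flagged days are kept out of the baseline so a spike cannot raise its own threshold; and a service account whose job genuinely needs everything (the 1099 run) is allowlisted for that one report only. The thresholds, account names and log format are assumptions.

```python
from collections import defaultdict
from statistics import median

ABS_CAP = 1_000      # assumed: no individual pulls more than this in a day, ever
BASELINE_MULT = 20   # assumed: flag a day that is 20x the user's own median
MIN_HISTORY = 3      # assumed: days of history before a personal baseline counts
# Assumed allowlist: (account, report) pairs whose job needs the whole table.
BULK_ALLOWED = {("svc_1099", "tax_forms")}

# Constructed audit log, not real data: "timestamp user report records_returned".
AUDIT_LOG = """\
2014-12-01T09:12:03 jdoe client_report 28
2014-12-02T10:01:44 jdoe client_report 35
2014-12-03T11:30:12 jdoe client_report 22
2014-12-04T14:05:51 jdoe client_report 41
2014-12-05T09:47:19 jdoe client_report 30
2014-12-06T02:13:08 jdoe client_report 350000
2014-12-01T09:30:00 asmith client_report 15
2014-12-02T09:31:00 asmith client_report 18
2014-12-06T09:32:00 asmith client_report 17
2014-12-06T03:00:00 newhire client_report 5000
2014-12-31T23:00:00 svc_1099 tax_forms 350000
"""


def parse_log(text):
    """Yield (day, user, report, records) from 'timestamp user report n' lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, report, n = line.split()
        yield ts[:10], user, report, int(n)


def daily_totals(events):
    """{user: {day: records}} summed per day, skipping allowlisted bulk jobs."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, report, n in events:
        if (user, report) in BULK_ALLOWED:
            continue
        totals[user][day] += n
    return totals


def find_bulk_pulls(text):
    """Return alerts (day, user, records, baseline, reason) for days on which a
    user pulled more than the absolute cap or far more than their own history."""
    alerts = []
    for user, by_day in daily_totals(parse_log(text)).items():
        history = []  # prior, unflagged daily totals for this user
        for day in sorted(by_day):
            total = by_day[day]
            if len(history) >= MIN_HISTORY:
                baseline = median(history)
                limit = max(ABS_CAP, BASELINE_MULT * baseline)
                reason = f"{total} records vs. personal median {baseline:g}"
            else:
                baseline = None
                limit = ABS_CAP
                reason = f"{total} records with no baseline (cap {ABS_CAP})"
            if total > limit:
                alerts.append((day, user, total, baseline, reason))
            else:
                history.append(total)  # only normal days feed the baseline
    return sorted(alerts, key=lambda a: (a[0], a[1]))


if __name__ == "__main__":
    for alert in find_bulk_pulls(AUDIT_LOG):
        print(alert)
    # ('2014-12-06', 'jdoe', 350000, 30, '350000 records vs. personal median 30')
    # ('2014-12-06', 'newhire', 5000, None, '5000 records with no baseline (cap 1000)')
```

The adviser's day is flagged against a personal median of 30 records, and a new account with no history is caught by the absolute cap alone; the colleague with normal volume and the allowlisted 1099 job produce nothing. In practice the record count has to come from the reporting layer itself, since a user who is "supposed to" see one client at a time generates the same log line whether they view one record or export all of them.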