58 Banking Breaches in 2010
2011 Outlook: 'We're Going to See a Lot More Scams'
Of the 58 breaches tracked by the ITRC:
- 9 are related to insider theft;
- 6 are related to missing paper documents;
- 8 were linked to card skimming attacks;
- 5 resulted from stolen or missing hardware;
- 8 are blamed on cyberattacks or outside network intrusions;
- 4 are related to the exposure of data on the Web;
- 6 are linked to an accidental breach;
- 3 were of unknown origin.
'That's Where the Money is'
While some breaches were accidental or related to sloppy security, such as the improper disposal of paper files and documents, many involved a malicious or criminal element. Whether linked to an insider, a cyberattack or an ATM skimming device, the incidents prove criminals continue to target financial institutions -- and for good reason.
"It comes down to the old Willie Sutton line, 'Why do you rob banks? Well, that's where the money is,'" says Steve Kenneally, vice president of the Center for Regulatory Compliance within the Financial Policy and Regulatory Affairs division of the American Bankers Association. "I think that was illustrated with all those recent reports in corporate account takeover."
Beyond corporate account takeovers and breaches, whether perpetrated via ACH or card skimming, for instance, is identity theft -- a crime that continues to pay for fraudsters, says Jay Foley, executive director of the ITRC.
"First and foremost, we are going to see a lot more scams," he says. "If I were going to categorize the most sensitive industries, the first one I would go at would be the payment industry -- the payment-services industry -- and that is the companies that process credit card and debit card transactions. Why? Because that is where the money is right at the moment. If a thief can get into your software and can get into your data, they have ready cash right there at their fingertips."
Identity theft is a challenge, and a number of trends are expected to drive its growth in 2011, says Linda Foley, co-founder of the ITRC. "It's escalating and transforming so quickly, I can only make educated predictions," she says. The good news: Overlap between identity theft prevention and database protection should make combating some of these attacks somewhat streamlined, if financial institutions put the right feet forward.
Breach Trends to Watch in 2011
Trends that are expected to drive data breaches and identity theft in 2011:
Crime Rings. Global, organized crime gangs will expand their abilities to gather and sell personal information. Often associated with rings involved in drug and human trafficking, counterfeiting, the movement of stolen goods and selling stolen information, these gangs place big dollar amounts on stolen identities. The global nature of these crimes makes them not only hard to fight, but easy for fraudsters to carry out. In the fall, police scored a goal when international law-enforcement collaboration led to the arrest of money mules in the United States and Europe, but those arrests account for just a handful of the suspects sought by international policing agencies.
Corporate Account Takeover. Criminals will continue to focus on the deep pockets of small and large businesses, educational facilities and school districts and governmental agencies. A recent Fraud Advisory Report for Businesses examined corporate account takeover techniques in which cyberattackers empty business accounts via ACH fraud in mere minutes. Employees and insiders, knowingly and unknowingly, are expected to play increasing roles in these crimes.
Socially Engineered Scams. More sophisticated phishing, vishing and smishing attempts are expected, as well as traditional social engineering schemes. Operation Broken Trust, a global law enforcement operation, resulted in actions against 532 defendants for fraud schemes that harmed more than 120,000 victims throughout the U.S. and involved more than $10.4 billion in estimated losses. Ponzi schemes and investment scams made up the bulk of those cases.
Cybertheft. Cybercrime and hacking will increase, despite active defensive measures. Perpetrators will continue to hack into systems between point-of-sale terminals and network servers, and to use wireless technology such as Bluetooth and card skimmers that are attached to POS devices and ATMs. Jeremy King, head of European initiatives for the PCI Security Standards Council, says card-skimming techniques are increasing, "posing challenges for detection and law enforcement."
Managing Editor Tracy Kitten contributed to this report.