When news broke earlier this week that some Citibank Japan customers’ information leaked, many of the bank’s customers probably thought, “Again!?!” But this is not a rare occurrence these days. This time around, it wasn’t even Citibank’s fault; one of the companies it outsources some services to was at fault.
This is the second data breach involving Citigroup, both of which led to the exposure of a great deal of user information. The key difference between the two incidents, however, is the attacker. Someone who wasn’t associated in any way to Citigroup was responsible for the first incident while someone from within an organization Citigroup outsources certain operations to was responsible for the second one.
After a past history of breaches, the 92,400 credit card holders whose data was stolen have a right to be mad. But mad at whom? Past history or not, it’s difficult to be mad at Citibank. It wasn’t the one who lost the data this time after all. At the hackers who stole the data? Maybe. But there are too many of them with a variety of motivation, not all of which are financial. At the outsourcing company? Well, that’s something certainly worth considering.
Too Many Sheep in Different Farms
A big problem for corporations with regard to data leakage has to do with the number of data repositories they need to look at and the different departments within their organizations that are in charge of the said data. In a global company, different security and IT departments, along with several outsourcing companies, have access to data. Therefore, the amount of coordination required to secure the whole thing is huge. Monitoring also becomes as critical as it is difficult. This is where security gaps begin to show. You just can’t keep an eye out on your sheep when you have too many spread out over different farms.
Japan’s track record in terms of data breaches disproves the assumption that most data breaches are done through hacking. According to my colleague Hayashi Noriaki, “The most common cause of information leakage in Japan is loss of documents or devices that contain critical information such as work laptops.” Japanese employees normally bring their work—therefore, their documents and laptops—outside their offices, making losing the aforementioned items fairly common. Information leakage due to hacking, he explains, is very limited.
The fact that externally driven attacks are limited, however, does not mean that there are fewer risks. A data breach caused by someone from inside an organization going rogue is a much bigger concern than one done by someone from outside. An organization can come up with many ways to defend from an externally driven attack. But a member of the organization itself abusing the access he has to certain kinds of information for self gain is something that is certainly harder to solve, avoid, or prepare for.
“The increase in the number of reported breaches may not necessarily be a sign of an increase in the number of breaches,” Hayashi says. The Protection of Personal Information Act, which was implemented in 2005, requires organizations to disclose information of any data leakage to the public. Thus, the increase in the number of reports may not necessarily mean an increase in the number of instances. It could just be that past leakages were not publicly reported.
What to Do?
The advice that follows is valid for any company holding personal data but is especially relevant to those that need to give access to their data to multiple departmental organizations and even to third parties. First, keep a single repository with multiple levels of data access. Also, allow offsite access only to the data from applications that have been vetted from a central auditing organization. In other words, only one department should be responsible for:
- Storing precious data
- Restricting access to it
- Auditing the security of all applications that access the data
I know this is a big challenge when your Tokyo office collects the customer information while your Alabama agency emails prospects. But, when you’re under attack, the weakest link will fall and the more links you have, the higher the chance of some of them weakening. And guess what? Organizations are constantly under hacker attacks these days with attackers consistently pulling at their links, waiting for something to break.
At this point, there is no room for excuses; data security should be a priority.
In 1973, a publishing company filed a damage suit to the Tokyo District Court. This incident involved an outsourced employee assigned as the administrator of the data center of a certain company. The said employee illegally copied the company’s customer list and sold it to the company’s competitor. To this, Hayashi comments, “We can easily say that though the technology may have drastically changed since 1973, the (cyber)criminal’s psychology obviously hasn’t.”