Personal and corporate data are walking out the door inside laptops. The situation is as much physical security as it is logical security.
Forget those office supplies or the designer shirts; thieves seem to have an easier time stealing data.
And forget about security video, card access controls, biometrics and burglar alarms; multi-millions of personal files and multi-millions of dollars of reputations are draining from business and government organizations through online and laptop theft.
There’s TJX Cos., the Framingham, Mass. retailer, which may have let loose 45 million credit and debit card files during a period of time now disputed. While the initial data breach is being investigated, so is the timeline of reporting the break-ins.
TJX, which owns TJ Maxx and Marshalls, among other retail operations, told the SEC that it found out about the data theft in mid-December 2006. That firm says it delayed public notification at the direction of the U.S. Secret Service until January 2007. However, investigations in Florida, Massachusetts and Connecticut are ongoing and some investigators have reported that, in Florida at least, there may have been data break-in evidence as soon as March 2006.
Arrests Already Made
There have been arrests in Florida of a handful of people traced to millions of dollars of merchandise losses linked to TJX. The retailer stands by its timeline. However, the number of records stolen has grown and there’s no doubt that the harm to the business has also grown.Fortunately or unfortunately, the TJX breach – while covering what possibly is the largest number of impacted people – is nothing new.
Just in late March, for example, a laptop computer assigned to the U.S. Army Training and Doctrine Command and containing the names, Social Security numbers and payroll information of roughly 16,000 civilian employees was lifted from an employee’s vehicle parked outside her home.
Uniquely, this theft included potential protection from a “new-age” security scheme using a password linked to a CAC or common access card. Army officials have assured people in the database that a thief cannot access the information with both the CAC and password, but security experts contacted by Security Magazine disagree.
The Army took it on the chin before this recent incident when, in November, a laptop with data on about 4,600 high school seniors was stolen.
Then in early April, in Chicago, two laptop computers were taken from the Chicago Public Schools’ central office. They contained the names and Social Security numbers of about 40,000 teachers and district officials.
What’s happening and what is harming enterprises and government/military agencies is identity theft. This new kind of crime grabs headlines but is fairly complex compared to petty theft, bank robberies or even conventional business fraud.
Reluctant to Report
Two out of three identity theft victims are over age 40, according to analysis of more than 11,000 verified cases of identity theft processed by the Identity Theft Assistance Center (ITAC). The analysis shows only one out of three victims are ages 18 to 39. “Our data – which represents verified cases of identity theft – shows older than recent data from the Federal Trade Commission complaint database, which shows only two out of five victims are over age 40,” said Anne Wallace, ITAC executive director. “It could be that younger people are more likely than older people to file a complaint with the FTC.”She added that older consumers have a larger “identity footprint,” both online and offline, through transactions and the accumulation of goods, products and services.
Of course, concerning retail security, database theft is not the only threat. There is a growing involvement of organized and often offshore gangs centering on retailers.
So retailers, especially the largest firms, have caught the gang crime drift. Last month, the National Retail Federation (NRF) and the Retail Industry Leaders Association teamed up with the FBI to combat the alarming rise in organized retail crime. The collaboration has produced the Law Enforcement Retail Partnership Network (LERPnet), a secure national database that launched in early April to allow retailers to more easily share retail crime information with each other and with law enforcement.
According to the NRF's 2006 Organized Retail Crime survey, 81 percent of retailers said they have been a victim of organized retail crime, and nearly half (48 percent) said they had also seen an increase in organized crime in their stores.
What LERPnet allows retailers to do is to share information with law enforcement agencies nationwide, so that detectives have the opportunity to research crimes in neighboring cities, counties and states. By accessing the system’s Web interface, retailers can report incidents of theft and alert other retailers to them as well, in what the NRF says is a secure and confidential manner.
What is the Security Advisory Board?
Flip to the back of the magazine and you’ll find a list of names with prestigious titles after them. The Security Advisory Board allows the editors of Security Magazine to dig deeper into issues and find out what the experts think. They are our sounding board for trends in the industry and allow us to offer our readers credible information.Security Magazine has just acquired three additional sources. Security Magazine is pleased to announce these new exceptional additions to the Security Executive Council (SEC) and Security Magazine’s Security Advisory Board.
SEC Member Advisor:
Jeffrey J. Berkin
Deputy Assistant Director
Federal Bureau of Investigation
Security Executive Council Member
Jeffrey J. Berkin is a deputy assistant director of the Federal Bureau of Investigation, assigned to the Security Division at FBIHQ, in Washington, D.C. He is responsible for 1,000 staff employees and several thousand contractors, dedicated to assuring physical, personnel and information systems security for the FBI’s 30,000 employees and 700 facilities worldwide.
Entering on duty with the FBI in January 1983, Berkin was first assigned to the Minneapolis Field Office, where he investigated violent crimes and was a SWAT Team sniper. Following a transfer to Los Angeles, Berkin was promoted and transferred to FBIHQ, where he served in the Office of the General Counsel, in the Counterintelligence Division and the Inspection Division. In 1997, he was selected to supervise a counterespionage squad at the Washington Field Office, and in that capacity served concurrently as a deputy branch chief in the Central Intelligence Agency. Prior to his appointment to the Senior Executive Service in mid-2002 as deputy assistant director, Berkin served as the assistant special agent in charge of the FBI’s Milwaukee Field Office, where he was responsible for all FBI operations throughout the state of Wisconsin.
As deputy assistant director, Berkin has executive oversight responsibility for the FBI police, consisting of nearly 300 uniformed officers. He is also responsible for the development of policies, plans and programs for critical mission assurance and continuity of operations for the FBI. Other business areas within Berkin’s purview include force protection, physical security, executive protection, security clearance matters, the polygraph program, security training and awareness activities, the security certification and accreditation of information systems and the FBI’s Enterprise Security Operations Center, which provides real-time security monitoring of the entire FBI information system infrastructure.
After receiving his preparatory education at the International School of Geneva, Switzerland, Berkin attended the College of William and Mary, where he obtained his A.B. in philosophy. He also holds the degree of Juris Doctor from American University, and is admitted to practice law before the Supreme Courts of the United States and Virginia. He is a member of the International Association of Chiefs of Police, ASIS International and is a life member and former assistant chief of Company
14 of the Fairfax County, Va., Fire and Rescue Department. Berkin is now also a member of the Security Executive Council, a cross-industry organization of security professionals devoted to advancing strategic security practices.
SEC Staff Advisor:
Elizabeth Lancaster Carver
Member Services and Projects Mgr.
Security Executive Council
Liz Lancaster Carver is manager of member services and projects for the Security Executive Council. Carver’s primary role is to help members quickly maximize the value of Council membership – first by gaining in-depth understanding of individual member priorities, goals, interests and expertise. As members’ direct communication link to development of Council strategic initiatives, she is key to the process of helping members make an impact in the areas of security that are important to them, their business and industry.
Carver brings 18 years of combined security and business experience in investigation, access control system consulting, design and project management, security server finance, sales and administration, commonwealth and public/private corporation emergency response planning, uniform guard services and corporate security staff training and development, executive travel safety and risk assessments. Carver has held positions with the Massachusetts Department of Correction; assigned to the Office of Investigations institutional internal affairs division; Applied Risk Management LLP as a senior technical consultant; Boston Scientific Corporation as manager of security integration; Astra Pharmaceuticals LP as security project leader; and Stratus Computer Inc. in continuous availability server sales and finance.
Carver holds a master of arts, 1995, and a bachelor of science, 1992, in Criminal Justice Administration from the University of Massachusetts, Lowell. She is a member of Women in Criminal Justice Organization, Mass.; Risk Analysis Group Integrated Risk Solutions, Boston, N.Y.; Balanced Scorecard Collaborative, Lincoln, Mass.; ASIS International, Boston Chapter.
SEC Faculty Advisor:
Richard A. Lefler
Security Executive Council Emeritus Faculty Member
Richard A. Lefler is a Security Executive Council Emeritus Faculty member and the managing partner of the Business Security Advisory Group. He previously held positions with American Express as a vice president for investigations, vice president for worldwide security, and chief security officer. His responsibilities included program development and management for the security of employees, facility protection, investigation of attacks on financial products, coordination with federal, state and various foreign police agencies and areas in which security concerns existed.
As a member of the SEC Emeritus Faculty, Lefler helps design strategic security programs, solutions and tools utilized by security executives from leading companies and government agencies who are members of the Security Executive Council. Recent projects include several Board of Directors and executive leadership presentations:Communicating the Business Value of Corporate Security, The Business Case for Unified Risk Oversight, and The Strategic Plan and Process for Corporate Security.
Lefler continues to consult with companies on several areas of security and financial product fraud protection as well as security program design and alignment with business objectives. He is a past president of the International Security Management Association and served for several years on the board of directors. He is a member and served on the Advisory Board for the International Association of Financial Crime Investigators and is a former member of the US State Department Overseas Advisory Committee.
