A New Age in Corporate Accountability for Data Breaches

Why corporations owe it to you and society as a whole to stop data breaches and fraud

There isn’t an industry safe from data breaches. From banks and credit organizations to hotel and restaurant chains, academic institutions and more, hundreds of millions of individuals have had their personal information stolen – all via the companies with whom they do business.

And although the case for why companies should protect consumer data is clear—companies lose less money and consumer information is safe from predators—what’s not often addressed are some of the more disconcerting aspects of data breaches. What ultimately happens to the stolen data and money? What are companies doing to stop the broader implications of fraud – beyond their bottom lines and brand perceptions? And, do companies have a corporate social responsibility to protect their customers and society as a whole from fraud?

The Stolen Data Lifecycle: From the Cybercriminal Underground to Funding Terrorism and Other Crimes

There’s a large market for personally identifiable information (PII) on the dark web. The most popular stolen record type, PII, includes information such as name, date of birth, Social Security number, member identification number, mailing address, telephone number, bank account number, etc. Over the years, fraudsters have become more sophisticated in their ability to acquire more than just a single PII item about a victim.

In fact, the 2017 Equifax data breach revealed not just the names, but the Social Security numbers, birth dates and addresses of almost half of the total U.S. population (143 million individuals): critical personal information that is gold to fraudsters. And although, according to The Identity Theft Resource Center, the overall number of U.S. data breaches tracked decreased the following year by 23 percent, from 1,632 data breaches in 2017 to 1,244 in 2018, the reported number of exposed records containing sensitive PII jumped an alarming 126 percent, from 197,612,748 records exposed in 2017 to 446,515,334 in 2018.

While the stolen data is often used to drain financial accounts directly (the most obvious use of stolen credentials), the lion’s share of stolen credentials is made available to the highest bidder on the dark web, and these stolen data dumps are “publicized” to fraudsters via a number of web sites, ranging from social media networks to the comment sections of popular gaming sites.

This cybercriminal underground is the marketplace where PII or stolen account numbers can sell for anywhere from a couple of dollars apiece to bulk pricing for credit card numbers, for example. Add to the mix the illegal acquisition of user-generated passwords and PINs, and there’s an even larger draw for this personal information on the dark web.

So, why seek out and buy this data from the dark web? Bottom line: criminals can make significant financial ROI to fund some of the most heinous crimes, giving money to terrorist organizations, organized crime rings, drug and human trafficking operations and more.

Fraud and Corporate Social Responsibility

No law-abiding citizen wants to find out that her personal information is being used to fund terrorism–all because the bank that she trusted to put her money in, the store she shopped at, or the wireless service provider she used didn’t have the right tools in place to protect her and her personal data from fraud.

While consumers definitely need to take it upon themselves to use the available tools designed to protect them, such as multi-factor authentication or biometrics in place of user-generated PINs and passwords, corporations also need to step up to the plate big time to ensure that they are doing what is needed to protect not only themselves, but more importantly their customers. Businesses cannot idly stand by while they provide a gateway to these criminal acts.

Companies have a corporate social responsibility to their customers and society as a whole to make this right. Some businesses and politicians are already recognizing this fact.

The global, voluntary International Standard ISO 26000, guidance for organizations in the public and private sectors that want to operate in a socially responsible manner, identifies “consumer data protection and privacy” as a key consumer issue that corporations should be addressing. A handful of U.S. lawmakers are working to enact legislation to prosecute companies and their executives who fail to protect consumer privacy, while in Canada, measures have already been taken to remedy this issue.

For instance, the Personal Information Protection and Electronic Documents Act (PIPEDA) requires Canadian businesses to report any breach of privacy (any loss or mishandling of PII that might lead to a real risk of significant harm such as financial loss or identity theft) to the Office of the Privacy Commissioner of Canada. According to PIPEDA, “Failure to report the potential for significant harm could expose private-sector organizations to fines of up to $100,000 for each time an individual is affected by a security breach, if the federal government decides to prosecute a case.”

In the U.S., the Corporate Executive Accountability Act, proposed in early April by Sen. Elizabeth Warren (D-Massachusetts), would impose jail time on corporate executives who "negligently permit or fail to prevent" a "violation of the law" that "affects the health, safety, finances or personal data" of one percent of the population of any state. While in spirit this proposal is a nice attempt to address this massive growing issue, it only applies to companies that generate more than $1 billion in annual revenue, and to companies that are either convicted of violating the law or settle claims with state or federal regulators. This ultimately does not address most data breaches given their size and scope. A slightly more aggressive data privacy law proposed by Sen. Ron Wyden (D-Oregon) would give executives up to 20 years in prison for violations of their customers' privacy.

While it is too early to tell whether either proposed piece of legislation will pass, companies themselves should be taking the extra step of working with authorities to identify and prosecute the fraudsters infiltrating their systems.

For instance, in 2016, Muhammad Sohail Qasmani admitted to laundering over $19.6 million on behalf of the perpetrators of a massive international computer hacking and telecommunications fraud scheme. The scheme included hijacking the telephone networks of U.S. companies and then running up millions in bogus charges. These illicit proceeds were moved across 10 countries, ensuring that the dialers and hackers who perpetrated the scheme received their cut.

Similarly, in the U.K., Lee Chisholm was sentenced to two and a half years in jail for repeatedly making calls in which he pretended to be the customer and gathered the personal information that allowed him to take control of accounts. He then used the cards to make a variety of purchases, which he would sell on for a profit. In Chisholm’s case, voice biometrics was used to track his exploits, preventing £370,000 of financial loss.

Without this level of diligence on the part of the affected companies, working in conjunction with local authorities, these individuals would likely still be committing these crimes today. Unfortunately, the Qasmani and Chisholm cases are in the minority when it comes to pursuing, stopping and prosecuting fraudsters. Oftentimes fraudsters continue to commit their crimes because companies either lack the resources to identify and catch them, or they categorize their fraud losses alongside other normal cost-of-doing-business line-item expenses such as bad debt. Not only is this accounting norm costly for businesses and their investors, it’s socially irresponsible.

So how do businesses get a handle on this issue?

For starters, they need to understand the fraudulent entry points into their businesses. Fraudsters do not approach account access in a siloed manner. Instead, they take advantage of the growing range of channels and devices (mobile apps, contact centers, smart speakers, etc.) that present new entry points for perpetrators. Organizations also need to understand that new and repeat career criminals attempt to steal from institutions every day. If they find a weakness in a channel, they will keep going back to that channel, and pivot to another one when the initial channel stops working.

Second, in order to truly combat fraud, businesses need a cross-channel security approach that stops fraudsters wherever and however they attack. This means investing in the right tools to protect themselves, and making sure that these technologies are capable of fraud detection and fraud prevention as well as authentication. Taking a layered, multi-method authentication approach is critical. Proven technologies such as voice biometrics, behavioral biometrics, device prints, face prints and technologies that can detect social engineering are key to identifying and stopping this fraud.

Third, companies must be socially responsible. They need to stop categorizing fraud as a normal cost of doing business. It is not. They also need to understand that turning a blind eye to this crime is fostering other crimes. As such, organizations must report criminal activity and pursue putting these fraudsters behind bars. Not only is it better for business—it’s the right thing to do.

And finally, this is where biometric technologies such as voice come into play. By using voice biometrics, anti-fraud teams can link seemingly unrelated cases to a small number of individuals. Doing so allows them to build solid cases with strong evidence that can then lead to prosecution. In this way, corporations start having a real, concrete impact in the fight against fraud, putting in place measures that are not only obstacles or deterrents, but also tools that attack the fraud problem at its root.
