Companies That Can't Keep Your Secrets

In the 1990s, Kevin Mitnick was the most wanted cyber-criminal in the world.  These days, Mitnick is wanted for another reason — his expertise.

Demand for Mitnick’s services as security consultant  — a legitimate one — is on the rise because corporate America is growing concerned about the recent rash of cyber attacks on high-profile targets such as Citigroup Inc. (NYSE: C), Sony Corp. (NYSE: SNE),  Lockheed Martin (NYSE: LMT) and RSA.   Their concerns are understandable, as is their interest in the man who was at one time dubbed the world’s best computer hacker.   He spent 2 years on the lam before being arrested by the FBI in 1995.  His exploits were described at length in a book “Takedown: The Pursuit and Capture of Kevin Mitnick, America’s Most Wanted Computer Outlaw-By the Man Who Did It.”  It was later made into a movie.  After being released from prison in 2000, he was forbidden from owning a computer during the three years he was on supervised release.  Authorities also made him delay telling his story.

Mitnick , whose autobiography “Ghost in the Wires” is due to be published in two months, tells 24/7 Wall St. that defending corporate networks from sophisticated attacks from hackers is “extremely difficult to do” because companies need to interact with the outside world through technology such as email.  The ability of a company to fend off cyber-criminals will depend on the sophistication of their security systems.  Since no network can be made totally hack proof, companies are finding it useful to turn to a reformed criminal to gain an edge against active crooks.

“We have  had companies contact us who were quite concerned about their own security,” since the Sony hack, he says, adding that they are worried about having the same thing happen to them.  He declined to divulge the names of his clients.

The timing of the most recent data breaches  may help his book sales, an irony that was not lost on Mitnick, who in his youth wreaked havoc on the phone system. An excerpt from “Takedown” paints a very unflattering picture of Mitnick as a depressed loner who was obsessed with making his mark on the world. “Mastery of a local telephone company switch offered more than just free calls: it opened a window into the lives of other people to eavesdrop on the rich and powerful, or on his own enemies,” the book says.

Those days are long gone, he says.  Though he understands the adrenaline rush that some hackers get for their deeds, Mitnick’s sympathies are clearly with the network owners. “I don’t like to see them get hacked,” he says.

Mitnick’s book, by the way, has gotten a rave review from Frank Abagnale, whose criminal exploits served as the basis for the movie “Catch Me If You Can.”  Like Mitnick, Abagnale has gone straight and is now an industry consultant.

Some companies are also too willing to part with confidential customer information, essentially hacking themselves.   Apple’s willingness to allow developers to create an app to track a users’ location comes to mind. Facebook got into hot water with privacy activists for developing software that recognizes peoples’ faces in photographs so they can be tacked   Chinese hackers have targeted Google’s Gmail system.

Some hackers do it for an intellectual thrill or for political reasons.  Many, though, are thieves.  The game of cat-and-mouse between hackers and computer security teams continues as it did in Mitnick’s heyday.

The stakes are much higher since the amount of personal information stored in computers that is valuable to thieves has mushroomed over the last few decades.  A poll of computer security experts done a few years ago found that 61% didn’t think the data in their control was safe from computer hackers.

An analysis by 24/7 Wall St.  shows that these fears were warranted.

TJX Cos (NYSE:TJX), parent company of  discount retailer TJ Maxx, was a wake-up call for the public about the vulnerability of their personal information online.   Hackers broke into the company’s network during 2005-2006,  and gained access to more than 45 million credit and debit cards numbers.  At the time, the data breach was considered to be unprecedented for both its size and what many consider to be the botched manner in which the incident was handled.  One commentator likened the TJX security team, which reported the incursion in 2007, to the “Keystone Cops,” referring to a band of bugling policemen featured in a series of silent movies from the 1920s.

The metaphor also could apply to Sony Corp. (NYSE:SNE).  CEO Howard Stringer, whose company’s PlayStation Network was hacked earlier this year, made the confidence-shattering declaration that “It’s not a brave new world; it’s a bad new world” and that he was not “100% sure” if anyone was safe online.

And you know what? He was right. Sony, which saw more than 70 million accounts compromised on April 27 from its PlayStation Network and Qriocity services, got hacked again on May 2.  This time the personal information from nearly 25 million Sony Online Entertainment users was stolen.

Sony is far from alone.  Hackers have targeted Lockeed Martin Co. (NYSE:LMT), the world’s largest defense contractor, and Citigroup Inc., one of the biggest banks on Wall Street. EMC Corp. (NYSE:EMC) yesterday named Edward Schwartz as Chief Security Officer of its RSA unit, as it tries to repair the damage hackers caused to its reputation.  RSA’s SecureIDs are widely used by Fortune 500 companies to prevent unauthorized access to their computer networks.  Now the company’s “once-sterling reputation lies in tatters,” according to Reuters.

When people read the 24/7 Wall St. list of companies that can’t keep data secure online, they might be tempted to start hiding their personal information in a hole in their backyards.  That’s ridiculous, of course. Common sense precautions such as changing passwords can mitigate your risk.  Unfortunately, just as a motivated thief can bypass the most expensive security system to enter a house in the real world, hackers are able to evade cyber security systems.

These are 24/7 Wall St.’s list of Companies That Can’t Keep Your Secrets.