Companies That Can't Keep Your Secrets

In the 1990s, Kevin Mitnick was the most wanted cyber-criminal in the world.  These days, Mitnick is wanted for another reason — his expertise.

Demand for Mitnick’s services as security consultant  — a legitimate one — is on the rise because corporate America is growing concerned about the recent rash of cyber attacks on high-profile targets such as Citigroup Inc. (NYSE: C), Sony Corp. (NYSE: SNE),  Lockheed Martin (NYSE: LMT) and RSA.   Their concerns are understandable, as is their interest in the man who was at one time dubbed the world’s best computer hacker.   He spent 2 years on the lam before being arrested by the FBI in 1995.  His exploits were described at length in a book “Takedown: The Pursuit and Capture of Kevin Mitnick, America’s Most Wanted Computer Outlaw-By the Man Who Did It.”  It was later made into a movie.  After being released from prison in 2000, he was forbidden from owning a computer during the three years he was on supervised release.  Authorities also made him delay telling his story.

• Click Here To Skip To The Nine Companies That Can’t Keep Your Secrets

Mitnick , whose autobiography “Ghost in the Wires” is due to be published in two months, tells 24/7 Wall St. that defending corporate networks from sophisticated attacks from hackers is “extremely difficult to do” because companies need to interact with the outside world through technology such as email.  The ability of a company to fend off cyber-criminals will depend on the sophistication of their security systems.  Since no network can be made totally hack proof, companies are finding it useful to turn to a reformed criminal to gain an edge against active crooks.

“We have  had companies contact us who were quite concerned about their own security,” since the Sony hack, he says, adding that they are worried about having the same thing happen to them.  He declined to divulge the names of his clients.

The timing of the most recent data breaches  may help his book sales, an irony that was not lost on Mitnick, who in his youth wreaked havoc on the phone system. An excerpt from “Takedown” paints a very unflattering picture of Mitnick as a depressed loner who was obsessed with making his mark on the world. “Mastery of a local telephone company switch offered more than just free calls: it opened a window into the lives of other people to eavesdrop on the rich and powerful, or on his own enemies,” the book says.

Those days are long gone, he says.  Though he understands the adrenaline rush that some hackers get for their deeds, Mitnick’s sympathies are clearly with the network owners. “I don’t like to see them get hacked,” he says.

Mitnick’s book, by the way, has gotten a rave review from Frank Abagnale, whose criminal exploits served as the basis for the movie “Catch Me If You Can.”  Like Mitnick, Abagnale has gone straight and is now an industry consultant.

Some companies are also too willing to part with confidential customer information, essentially hacking themselves.   Apple’s willingness to allow developers to create an app to track a users’ location comes to mind. Facebook got into hot water with privacy activists for developing software that recognizes peoples’ faces in photographs so they can be tacked   Chinese hackers have targeted Google’s Gmail system.

Some hackers do it for an intellectual thrill or for political reasons.  Many, though, are thieves.  The game of cat-and-mouse between hackers and computer security teams continues as it did in Mitnick’s heyday.

The stakes are much higher since the amount of personal information stored in computers that is valuable to thieves has mushroomed over the last few decades.  A poll of computer security experts done a few years ago found that 61% didn’t think the data in their control was safe from computer hackers.

An analysis by 24/7 Wall St.  shows that these fears were warranted.

TJX Cos (NYSE:TJX), parent company of  discount retailer TJ Maxx, was a wake-up call for the public about the vulnerability of their personal information online.   Hackers broke into the company’s network during 2005-2006,  and gained access to more than 45 million credit and debit cards numbers.  At the time, the data breach was considered to be unprecedented for both its size and what many consider to be the botched manner in which the incident was handled.  One commentator likened the TJX security team, which reported the incursion in 2007, to the “Keystone Cops,” referring to a band of bugling policemen featured in a series of silent movies from the 1920s.

The metaphor also could apply to Sony Corp. (NYSE:SNE).  CEO Howard Stringer, whose company’s PlayStation Network was hacked earlier this year, made the confidence-shattering declaration that “It’s not a brave new world; it’s a bad new world” and that he was not “100% sure” if anyone was safe online.

And you know what? He was right. Sony, which saw more than 70 million accounts compromised on April 27 from its PlayStation Network and Qriocity services, got hacked again on May 2.  This time the personal information from nearly 25 million Sony Online Entertainment users was stolen.

Sony is far from alone.  Hackers have targeted Lockeed Martin Co. (NYSE:LMT), the world’s largest defense contractor, and Citigroup Inc., one of the biggest banks on Wall Street. EMC Corp. (NYSE:EMC) yesterday named Edward Schwartz as Chief Security Officer of its RSA unit, as it tries to repair the damage hackers caused to its reputation.  RSA’s SecureIDs are widely used by Fortune 500 companies to prevent unauthorized access to their computer networks.  Now the company’s “once-sterling reputation lies in tatters,” according to Reuters.

When people read the 24/7 Wall St. list of companies that can’t keep data secure online, they might be tempted to start hiding their personal information in a hole in their backyards.  That’s ridiculous, of course. Common sense precautions such as changing passwords can mitigate your risk.  Unfortunately, just as a motivated thief can bypass the most expensive security system to enter a house in the real world, hackers are able to evade cyber security systems.

These are 24/7 Wall St.’s list of Companies That Can’t Keep Your Secrets.

1. Google
> Security breach: Gmail
> Date: December 2009
> People affected: undisclosed

In January 2010, Google announced that its email  system had come under attack by hackers located in China. According to the company, the primary target of these attacks were Chinese human rights activists. Additionally, intellectual property, such as source code, was obtained by the hackers. Following the event, Google quit providing censored search results in China. In June, 2011, Google detected another series of attacks originating from Jinan, China, according to Reuters. These attacks targeted a number of Gmail accounts, including those of U.S. government officials, Chinese activists, and journalists. The campaign was “disrupted,” however, according to the company.

2. Citigroup
> Security breach: credit cards
> Date of breach: May 2011
> People affected: 200,000

On June 9, Citigroup, one of the world’s largest financial services companies, said that it had been hacked in early May. The data of about 200,000 North American bank card holders was accessed, including names, account numbers, email addresses, and contact information. Customers who were at risk were subsequently contacted by the company. “Experts estimate the cost of replacing credit cards is as high as $20 apiece,” according to the Wall Street Journal.

3. TJX
> Security breach: Retail store’s insecure wireless router
> Date of breach: December 2006
> People affected: 45 to 94 million

On January 17, 2007, US retail leader TJX announced that its computer system had been hacked. Credit card, debit card, and checking information, was accessed by the hackers, as well as social security numbers and driver license information for some. More than 90 million credit card numbers were stolen, according to Wired, and companies, banks, and insurers lost close to $200 million. Eleven men have since been charged for the crimes committed, with “ringleader” Albert Gonzales sentenced to 20 years in prison.

4. Apple, Inc.
> Security breach: iPhone “Location Services”
> Date of breach: ongoing
> People affected: 100 million

Apple’s respect for iPhone users’ privacy was proven lacking after two developers, Alasdair Allan and Pete Warden, created a program which would map out all of the locations that person has traveled with their phone. The point of this program being that the device could be used to monitor the location of users.  The company claims that this feature can be disabled by turning off “Location Services” on the iPhone. According to a Wall Street Journal article published on April 25, however, the phone collects the data even when these services are turned off. A number of politicians have voiced concern over the matter, including  Rep. Edward Markey of Massachusetts, who called for a congressional investigation.

5. EMC
> Security breach: RSA security division
> Date: March 17, 2011
> People affected: millions of people

On March 17, information storage company EMC announced that its RSA security division had been hacked. It was not until June that the company, which had been downplaying the severity of the hack, admitted that the attack appeared to be an attempt to infiltrate military contractors using RSA’s security system and the company’s SecurID tokens had become vulnerable. This means that digital “keys” used to grant access to locked computer systems were copied, giving unauthorized people the opportunity to gain access to those systems. The company’s SecurID product is used by millions of companies, including major companies in the financial services sector.

6. Sony
> Security breach: PlayStation Network
> Date of breach: April 20, 2011
> People affected: Up to 77 million

In April,  Sony’s PlayStation Network, for which there are 77 million user accounts, was hacked by a group called LulzSec. As a result, the personal information of millions of users was exposed. This included names, addresses, phone numbers, network user names, birth dates, email addresses, and passwords for the online gaming network. Sony was hacked again on May 2, and feared that users’ credit card information had been stolen. PlayStation Network services were down until May 15, 2011 as a result of the attacks.

7. Lockheed Martin
> Security breach: phony security keys
> Date of breach: May 21, 2011
> People affected: N/A

Defense contractor Lockheed Martin announced in May that it had been hacked, though the company managed to prevent any critical data from being stolen. The security system was breached by hackers duplicating security keys made by RSA. Rick Moy, president of NSS Labs, an information security company, said in Reuters, “Given the military targets, and that millions of compromised keys are in circulation, this is not over.”

• Also Read: Job Concerns Race Ahead Of Government Trouble Fears

8. Alliance Data
> Security breach: Epsilon
> Date of breach: March 30, 2011
> People affected: 235 million

On April 4, marketing firm Epsilon announced that it had experienced a security breach, exposing the email addresses, and in some cases names, of millions of customers at some of the country’s largest companies, such as JPMorgan Chase, Citibank, Walgreens and Target. Epsilon, a subsidiary of Alliance Data, said the leak of information “could lead to a surge in phishing attacks — e-mails that purport to be from a legitimate business but are intended to steal information like account numbers or passwords,” according to the New York Times. The exact number of those affected is unknown, but according to Reuters the breach could be “one of the biggest such breaches in U.S. history.”

9. Facebook
> Security breach: photo “tagging”
> Date of breach: began December 15, 2010
> People affected: 500 million

Facebook has recently come under fire for its facial recognition software, which attempts to identify users’ faces in photos without them being “tagged.” The feature, which was introduced without permission from users, has been questioned by authorities in Germany, the UK, and Ireland. In the US, a number of privacy groups have been asked to support a complaint to the Federal Trade Commission, according to the Financial Times. The issue is a larger concern for Facebook then it would most likely be for other companies implementing similar features due to the size of Facebook’s user base.

Jonathan Berr and Charles B. Stockdale