Surprise! You're exposed

How companies increasingly -- but inadvertently -- reveal data that could compromise your personal and financial well-being

By Bob Sullivan
Technology correspondent
msnbc.com
updated 12:49 p.m. ET Oct. 13, 2005

For years, companies have spent millions of dollars trying to keep hackers outside their computer networks.

But the real danger, some say, is not outsiders. It's not even criminals working inside companies. The real danger is a few innocent clicks of the "send" button. 

Companies hemorrhage personal data every day as part of normal business practices, says Kim Getgen, director of marketing of Reconnex Corp., which makes technology to monitor the bits and bytes leaving companies' networks and destined for the Internet.

Word documents, Excel spreadsheets, and e-mails full of Social Security Numbers, credit card numbers, and other personal information are carelessly slung around the Internet, Getgen said.

Rob Douglas, a banking consultant who operates PrivacyToday.com, says he's seen widespread problems with such accidental leakage for years.

"At every company that I have ever interacted with, this is a problem," he said. "When I go into private sector client, I'll say to them at the beginning, I'll bet you my fee that if you let me see the information leaving your network I can find either customer information or human resources information that could be used by ID thieves ... and nobody ever takes the bet."

Screw-ups not rare
The classic case of accidental data disclosure occurred in 2001, when Eli Lilly inadvertently exposed the identities of hundreds of consumers who were taking the anti-depressant Prozac. They had signed up for e-mail-based reminders, and in one e-mail, all subscribers were accidentally listed in the "to:" line instead of the hidden "bcc:" line.

Similar mistakes are not rare, Getgen said. She described tests Reconnex ran for five large financial services companies in July. The company wouldn't disclose the clients' names, citing confidentiality. During the tests, the firm claims it found over 5,500 instances of a spreadsheet or word processing document sent out of the company with Social Security numbers in plain view. On 6,400 occasions, credit card numbers were sent out, she said. 

The results are typical, she said.  Reconnex technology is used by 60 companies, she said, and nearly 100 percent of the time, they find either credit card numbers or Social Security numbers sent out of the network. "It's rare not to see it," she said. 

There is no hard data on how many companies have unhealthy data practices.  But Howard Schmidt, a former White House cyberczar, who also ran Internet security at Microsoft, eBay, and other firms, said consumers should be aware that many companies don't take good care of their information.

"It depends on the company," he said. "People post things to their Web site so they can work at home. People lose laptops or PDAs with critical data on them. Once I even got a call about a bunch of CDs someone found at a bus stop that were full of customer data."
