September 24, 2009 7:18 AM PDT

Survey: Half of businesses don't secure personal data

by Lance Whitney

The personal information you give to businesses may not be as secure as you hope, according to a new survey.

Around 55 percent of all businesses acknowledge that they secure credit card information but not Social Security numbers, bank account details, and other personal data, according to a survey of more than 500 companies released Wednesday by Imperva and Ponemon Institute.

The survey was conducted to determine how many companies are complying with PCI DSS, the Payment Card Industry's Data Security Standard. PCI DSS tries to ensure that businesses take specific measures to secure their Web sites, databases, and other systems that process and store credit card information.

Of the companies surveyed, 71 percent acknowledged not making data security a top initiative, despite the fact that 79 percent of them said they've been hit by one or more data breaches. In fact, Ponemon and Imperva noted that since the PCI DSS standard was enacted in 2005, the number of breaches and cases of credit card fraud has actually risen.

(Credit: Imperva)

Cost and lack of resources were the biggest factors cited for not focusing on PCI DSS compliance. For those reasons, larger firms fared better than smaller ones. Only 28 percent of businesses with 501 to 1,000 employees were compliant as opposed to 70 percent of companies with 75,000 or more employees.

"Companies devote 35 percent of their IT security budgets to PCI compliance on average, making cost a significant obstacle, especially for smaller companies," Amichai Shulman, Imperva's chief technology officer, said in a statement. "This is why Imperva is recommending that the PCI DSS Council modify the requirements for larger and smaller companies to take into account different environments and security needs."

Another problem stems from the priorities of the organization itself. Of those questioned, 55 percent didn't feel their CEO strongly supports PCI DSS compliance, while 52 percent said their company is not proactive in managing privacy or security risks.

On the positive side, PCI DSS compliance has found a certain measure of success. Around 75 percent of those surveyed said their company has achieved some level of compliance, with 28 percent compliant for most of their applications and databases and 25 percent compliant for some apps and databases. Only 22 percent reported being fully compliant.

(Credit: Imperva)

Conducted by Ponemon and sponsored by Imperva, the survey questioned 517 U.S. and multinational IT security professionals who work on PCI compliance efforts for their companies.

Over the past few years, data breaches at large organizations such as T.J. Maxx and Marshalls parent company TJX and Maine-based Hannaford Supermarkets have highlighted the need for better security for credit card and customer records.

Lance Whitney wears a few different technology hats--journalist, Web developer, and software trainer. He's a contributing editor for Microsoft TechNet Magazine and writes for other computer publications and Web sites. You can follow Lance on Twitter at @lancewhit. Lance is a member of the CNET Blog Network, and he is not an employee of CNET.
by umbrae September 24, 2009 7:40 AM PDT
Disgusting... And people wonder why I am so privacy focused and don't trust people with my information.
Reply to this comment
by n3td3v September 24, 2009 7:55 AM PDT
These companies have no idea about information security, that's why they keep having data breaches.
Reply to this comment
by tektaktyks September 24, 2009 8:06 AM PDT
Wow, what a surprise... (sarcasm). Does anybody honestly believe the corporations care about anybody but those who profit from it?
Reply to this comment
by magicmaster September 24, 2009 9:29 AM PDT
Since selling personal data to other businesses is commonplace, and privacy policies are farces, do people honestly believe those firms are going to secure your personal data?
Reply to this comment
by SergeM256 September 24, 2009 2:35 PM PDT
There are different levels of personal data. Companies do sell some data to be used for marketing purposes, like name and address; it's relatively harmless and only creates extra junk mail. Companies do not sell credit card or bank account numbers that may be used to steal money from your account.
by screamapillar September 24, 2009 4:51 PM PDT
@sergeM

In theory they don't... or perhaps the correct wording is, companies 'shouldn't' sell your credit card details... but there are many cases to the contrary. It is why banks introduced the extra security digits on the credit cards (on the back of most but on the front of AMEX but not raised text). It is a constant uphill battle to deal with this.

All that being said, there are very strong laws (as in laws with real teeth unlike the cruddy penalty points in most privacy legislation) relating to disclosure of banking details.
by September 24, 2009 10:12 AM PDT
I worked for a design engineering firm that did only Fire & Security. I was a Construction Superintendent for them...one of my jobs was site safety and we had all the construction personnel SS#'s on our computers...when we first went on site we were given new computers with anti-virus and firewall software...the problem was it expired a year later. My boss the Project Construction Manager would not renew our antivirus or firewall software when they expired. Found out he got a 10% bonus for all the funds that he did not spend...one day he jumped on me for making a decision for spending some money...he said, "You're stealing money from me as I get a 10% bonus on funds that I do not spend on the project." I asked him, "Why don't I get a bonus?" He would not answer that question, just walked away! Two weeks later he was asked in a meeting why he did something...cutting cost by not following the specifications. I spoke up and told him to tell them what he told me. He avoided the question and talked his way out of it but in the process said a few things about me. After the meeting we had it out and I informed him to never question my honesty or integrity ever again! Needless to say after that he just bypassed me in a lot of decisions. I ended up buying software for my work computer out of my own pocket to protect the data...but after that I refused to take anyone's SS#...I would only use their state driver's license number. I ended up leaving the company before the project was completed over what I considered security breaches, as not only did we have workers' SS#'s on our computer systems but also Fire & Security design information for our customer. In some cases it just comes to companies or people within the companies not wanting to spend money for something they know is valid, for personal reasons. In my old boss's case it was for his personal gain...gee, why does that not surprise me!
Reply to this comment
by screamapillar September 24, 2009 4:54 PM PDT
That is an awful story of clear conflict of interest between best practice and personal gain for that manager. Very sad but I dare say all too common - and again, the legislation is just too pathetic to enforce this. It is slap on the wrist style infringements.

This is what makes me really mad about the RIAA and MPAA massive lawsuits. How can we justify these massively disproportionate penalties for sharing a couple songs while having no repercussions to acts like your boss where the very integrity of data as sensitive as social security numbers are not protected? It is very frustrating from a legal stand point.
by telluride September 24, 2009 10:50 AM PDT
Solutions:
http://www.pikewerks.com
Reply to this comment
by Setithefirst September 24, 2009 10:59 AM PDT
In a day when many dolts go on Oprah, Jerry Springer, etc. and give all the details of their sordid little lives including their bizarre sexual proclivities and criminal record; there are still some of us who highly value our privacy. Someone recently stole my social security number by stealing a computer at my HMO. I think they never considered burglary in their privacy policy.
Reply to this comment
by bvdon September 24, 2009 12:16 PM PDT
I run a few websites, and I use one way encryption for passwords, and two way encryption for credit cards... and the encryption key is off site. This took about an hour to code/test.

It blows my mind that all these major corps seem to NOT encrypt credit card and other sensitive info. All a hacker needs to do is get access to the drive with the data and their mission is complete. It is astoundingly stupid. I have personally had money taken out of my bank account because my bank card was not encrypted by a major corp.

There needs to be regulation on how personal information is stored.
Reply to this comment
by screamapillar September 24, 2009 4:56 PM PDT
Agreed. It boggles the mind that companies will still ask you to email your credit card details to them and then be surprised when I refuse! As if I'm being paranoid - but I'm like, do you have ANY idea how irresponsible it is to email credit details around?
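bvdon's design above (a one-way derivation for passwords, reversible encryption for card numbers, and the encryption key kept off site) can be made concrete. The following is an added example, not code from the commenter or from the article: passwords are stored as a salted PBKDF2-HMAC-SHA256 hash and checked in constant time, while card numbers are sealed with AES-256-GCM under a key that the code receives at runtime and never stores beside the records. The work factor, the 32-byte key and the card number `4111111111111111` are constructed values; the PBKDF2 routine is written out here only so the example runs on the Go standard library alone.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// StoredPassword is all the database keeps for a login: a per-user salt and a
// slow one-way derivation of the password. Nothing here can be reversed.
type StoredPassword struct {
	Salt       []byte
	Iterations int
	Hash       []byte
}

const pbkdf2Iterations = 100000 // constructed work factor; tune to your hardware

// pbkdf2 implements PBKDF2 with HMAC-SHA256 (RFC 8018) using only the standard library.
func pbkdf2(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	var ctr [4]byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(ctr[:], block)
		prf.Write(ctr[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...) // T_i = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// HashPassword picks a fresh random salt and derives the stored hash.
func HashPassword(password string) (StoredPassword, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredPassword{}, err
	}
	hash := pbkdf2([]byte(password), salt, pbkdf2Iterations, 32)
	return StoredPassword{Salt: salt, Iterations: pbkdf2Iterations, Hash: hash}, nil
}

// VerifyPassword re-derives from the stored salt and compares in constant time.
func VerifyPassword(stored StoredPassword, attempt string) bool {
	candidate := pbkdf2([]byte(attempt), stored.Salt, stored.Iterations, len(stored.Hash))
	return subtle.ConstantTimeCompare(candidate, stored.Hash) == 1
}

// EncryptPAN seals a card number with AES-256-GCM. The key is handed in by the
// caller (fetched from the off-site key service) and is never part of the record.
// The returned value, nonce || ciphertext || tag, is what the database stores.
func EncryptPAN(key []byte, pan string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// DecryptPAN recovers the card number; it fails on a wrong key or any tampering.
func DecryptPAN(key, sealed []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("sealed value too short")
	}
	pan, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pan), nil
}

func main() {
	stored, _ := HashPassword("correct horse battery")
	fmt.Println("right password accepted:", VerifyPassword(stored, "correct horse battery"))
	fmt.Println("wrong password accepted:", VerifyPassword(stored, "Tr0ub4dor&3"))

	key := make([]byte, 32) // stands in for the key fetched from the off-site service
	rand.Read(key)
	sealed, _ := EncryptPAN(key, "4111111111111111") // constructed test card number
	pan, err := DecryptPAN(key, sealed)
	fmt.Println("with the key:", pan, err)
	_, err = DecryptPAN(make([]byte, 32), sealed) // what a stolen disk alone yields
	fmt.Println("without the key:", err)
}
```

The point of the split is in the last two lines of `main`: a copy of the database (salts, hashes, sealed card numbers) gives an attacker nothing to read directly, and the GCM tag makes a wrong key or an altered record fail loudly rather than decrypt to garbage. In production the PBKDF2 helper would be replaced by a vetted library and the key would come from an HSM or key-management service rather than a local variable.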
by krosafcheg September 24, 2009 12:35 PM PDT
www.Qualys.com
Reply to this comment
by pd2care September 24, 2009 12:46 PM PDT
I totally agree with the above comment. There should be regulations on mandating how companies hold their sensitive data. I've had funds stolen from my account too and it is not a pleasant experience.

You'd think some people would be morally obligated to enforce some sort of security measure to ensure valuable info does not get leaked. I guess it just goes to show where some people's morals are fixated now-a-days. (Morals, what?.... I don't understand)
Reply to this comment
by askgees September 24, 2009 12:49 PM PDT
Well why would they. It's not in their interest to spend money securing YOUR DATA. Not to mention in doing so would threaten another business sector. The one created to follow problems with credit. The US is constantly creating industries that have no real viable use other than to create jobs. Building a business that is based on surviving through poor corporate management is guaranteed to fail. This is one of the biggest reasons the fall out from the housing market nearly destroyed the US. Because our structure is nothing more than a house of cards. Billions are spent by consumers every year on trying to protect themselves from ID theft etc. The problem is places like freecreditreport.com are owned by the same id10ts that failed to secure the (YOUR) data in the first place. It's time for congress to act. Pass laws holding the ones that fail to secure the data accountable for the damages. 3 strikes and you're out. The Gov. closes you down. As it stands, the Gov. has failed miserably to regulate ANY BUSINESS and simply expects the citizens to bear the cost. We still have major credit card companies sending monthly statements out in which the credit card number is listed 15 times. Making it very easy to get the number. It doesn't get any simpler than this. Hold businesses accountable, don't build companies built on BS and poor standards. Failure is waiting around the corner.
Reply to this comment
by screamapillar September 24, 2009 4:57 PM PDT
Again the conflict of interest is rife.
by Jeleniaho September 24, 2009 2:59 PM PDT
Well, it's always a matter of people who're in charge of security there.
Not much to do for any administrator when the executives say: "Blah, we won't buy any professional data encryption software, we won't enforce any data protection mechanisms, we've got other things to spend the company's money on". It's simple - as long as there's no fear of compromising the internal data flow of the company, they don't care or attempt to look like they care for the customers' security. The way some of these companies handle personal data and sensitive information is just atrocious.
But that doesn't surprise me in the slightest - they'll slip on this security banana peel sooner or later.
Reply to this comment
by Vegaman_Dan September 25, 2009 10:54 AM PDT
Unfortunately a lot of people here are only thinking about electronic records online in databases. This isn't really where places like Marshall's and other retail box stores had issues. Instead it's the physical access to records that are the problem.

An example- one company (nameless here for a very real reason) is a big box home improvement chain. They keep records of all the transactions done at the store in the store's server which syncs with corporate at different times of the day. The network jacks for this store are scattered throughout the store and not secured. Anyone can plug in and peruse the network without any issue. SSIDs for the wireless were broadcast and not secured. You had access to do whatever you wanted- including accessing that server.

Paper records for transactions, merchant accounts, etc- the backroom office was too small to hold that, so instead they get put on a pallet and stored wherever they can- in one case covered with a tarp, put out on the main sales floor and covered with sales merchandise. People buying fluorescent lightbulbs on display may not be aware that customer records and personal information are simply in boxes underneath that tarp.

Another area of concern is the POS or point of sale systems. Most of these are running Windows or Linux and not secured. The backs of the machines are not secured and typically point right at the customer. It doesn't take long to insert a USB key into an open port and have it upload your payload of bots or whatever. There's apps out there that will yank data off the system's hard drive in key areas in just a minute or so if you have physical access.

Take a look at the cash register the next time you visit the grocery store. You'll probably see that it has USB ports on there exposed. Plug in your USB key, install the key logger or intercept bot and now you could have a bot installed on that system that keeps a record of every transaction made including your credit card number, PIN, etc, all then sent to a remote system without the owner ever knowing about it. Yes, those ports *should* be disabled, but we're talking about a retail environment here where staff aren't allowed to do anything to the machines and have to call a third party for tech support.

That's the sort of thing PCI compliance is really going for these days. Unfortunately, there's all sorts of ways to game the system. :/
Reply to this comment