Cyber theft

Rough Notes, Feb 2003 by Zinkewicz, Phil

MARKETING

Insurers provide products for growing exposures, but more client education is needed

In today's rapidly evolving world of e-business, a major area of concern is the frequency and severity of corporate information system breaches. Despite the efforts by companies to protect proprietary and sensitive information, system breaches continue to rise. And, when those violations occur, millions of dollars can be lost, stolen or otherwise unaccounted for. For that reason, independent agents and brokers have a responsibility to inform their clients of the exposures that exist and the coverages that the insurance industry is offering to protect them.

One case of e-fraud began after September 11, when the building that housed District Council 37 Union's credit union (Municipal Credit Union) computers was damaged, severing the credit union's computer link to the core database for several days. As a result, ATMs had no electronic safeguards to monitor ATM activity, allowing a reported 4,000 government and health workers to overdraw their accounts and stiff the credit union about $15 million.

Here are some other examples: In Ohio, a woman was convicted and sentenced to a year and a day for computer fraud. According to court documents in the case, she and an accomplice admitted attempting to defraud Chase Manhattan Bank and Chase Financial Corp. by accessing one or more of those institutions' computer systems without authorization, thereby obtaining credit card numbers and other customer information. Then, they transmitted that information to individuals in Georgia, who used the information to obtain goods and services valued at close to $100,000. The pair admitted that the aggregate credit limits for the targeted accounts totaled approximately $580,700.

In another case, the former chief technology officer of a Manhattanbased computer consulting company was arrested for transmitting threats via the Internet to his former employer. The man charged was allegedly disgruntled over severance terms at the time he left employment. After his termination from the company, the firm began experiencing computer and telephone voice mail disruptions. Certain customers of the company were directed to pornographic telephone services. Finally, the firm's chief executive began receiving e-greeting cards displaying voodoo dolls with skeleton-like figures.

In yet another case in California, a Sacramento man was sentenced to 27 months in prison in connection with an Internet fraud case to defraud Priceline.com and others with credit card information unlawfully obtained from a credit union employee. In addition to his jail time, the miscreant was ordered to pay $116,869.30 in restitution. There are a great many more similar cases such as those, all involving invasion of corporate computer systems.

The Computer Security Institute (CSI), established in 1974, is a San Francisco-based association of information security professionals that boasts thousands of members worldwide. Recently, the CSI released the results of its seventh annual study titled Computer Crime and Security Survey. Following are highlights of the survey, which was conducted with the participation of the San Francisco FBI's Computer Intrusion Squad and which surveyed 503 computer security practitioners in U.S. corporations:

* Ninety percent of respondents (primarily large corporations and government agencies) detected computer security breaches within the last 12 months;

* Eighty percent acknowledged financial losses due to computer breaches;

* Forty-four percent (223 companies) were willing and/or able to quantify their financial losses. These 223 respondents reported close to $456 million in financial losses;

* As in previous years, the most serious financial losses occurred through theft of proprietary information (26 respondents reported nearly $171 million) and financial fraud (25 respondents reported nearly $116 million);

* For the fifth year in a row, more respondents (74%) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (33%).

Respondents detected a wide range of attacks and abuses. Here are some examples of attacks and abuses:

* Forty percent detected system penetration from the outside;

* Forty percent detected denial of service attacks;

* Seventy-eight percent detected employee abuse of Internet access privileges (for example, downloading pornography or pirated software, or inappropriate use of e-mail systems);

* Eighty-five percent detected computer viruses.

Patrice Rapalus, CSI director, says that this study should be a "reality check" for both industry and government. "Over its seven-year span, the survey has told a compelling story," says Rapalus. "It has underscored some of the verities of the information security profession, for example, that technology alone cannot thwart cyber attacks and that there is a need for greater cooperation between the private sector and the government. It has also challenged some of the profession's conventional wisdom, for example, that the threat from inside the organization is far greater than the threat from outside the organization and that most hack attacks are perpetrated by juveniles on joy rides in cyberspace.