By Kim Zetter
February 19, 2009
Days before Heartland Payment Systems admitted to a computer intrusion that likely exposed hundreds of thousands of consumers to fraud, a group of volunteer security professionals sniffed out the truth on their own.

For years, researchers with the nonprofit Open Security Foundation have been scouring press reports, bank websites and other sources for information on consumer data spills, tallying more than 394 million records lost or compromised in 1,700 incidents since 2000.

In January, acting on a tip, David Shettler and his fellow foundation volunteers started looking for customer breach notifications coming from regional banks around the United States, and quickly found a pattern.

A Jan. 17 story out of Maine indicated that Kennebec Savings Bank was informing 1,500 customers that their debit cards may have been compromised on a third party's system. Just two days later, a Kentucky newspaper reported that the local Forcht Bank had canceled 8,500 of its 22,000 customer debit cards because of an unspecified breach. The more the volunteers looked, the more cases they found, ultimately discovering notifications in five states.

"They were issuing a bunch of cards, which suggested this was pretty big," says Shettler, who is also senior technical services engineer at the College of the Holy Cross in Massachusetts. "We knew we had kind of fallen on something."

The foundation is accustomed to reading breach-disclosure tea leaves. The group is one of a handful of citizen and nonprofit groups that collect breach data from around the United States and serve as watchdogs to ensure that poor security practices are exposed and fixed. The group's work, posted on its DataLossDB website, is used by the Government Accountability Office and other U.S. agencies, as well as by identity-theft organizations, consumer rights groups, security firms and academics. Last year alone DataLoss cataloged 551 separate breaches of