The possibility of identity theft has become a reality for tens of millions of credit and debit cardholders. Yesterday, Heartland Payment Systems, a major payment processing company, revealed that its secure systems had been hacked and that the private data of millions of individuals may have been stolen. This is said to be the largest data breach ever.
The N.Y. Times reports that those responsible for the massive theft could be part of an “international ring of hackers that are introducing breaches at a number of financial institutions.” With an operation of this magnitude, it seems likely that this is the case–that the breach was a result of highly organized criminal entities. But, more commonly, the theft of personal data is not as far-reaching or as complex. And, often, it is the result of actions by an insider–an employee–who leaks the data for revenge or for money, or both.
For example, in December of 2008, an employee of Certegy Check Services physically removed 2.3 million consumer data records to resell. The former employee sold consumer information to a data broker, who then sold it to a number of direct marketing companies.
Another example occurred in September of 2008, when Countrywide Mortgage notified the FBI that a former employee had sold customers’ personal information to a third party, including names, addresses, social security numbers and application information. The FBI arrested the employee and reported that as many as two million people may have had their data stolen.
Then there was the case of the unauthorized sale of Britney Spears’ sealed psychiatric information to the National Enquirer by an employee of the UCLA Medical Centre. The employee was later prosecuted for the breach, which is believed to have been a series of disclosures over a period of several months.
Employers who’ve not yet implemented an effective procedure for responding to the unauthorized access of employees’ personal data should consider the Heartland story a real wake-up call about the realities of identity theft. No one is immune from a potential security breach. But everyone should know what to do if one does occur.