The Toronto Star
Saturday, January 23, 1999

Air Miles breach not unique

Only a handful of security lapses are ever reported, experts argue

by Robert Cribb

It's one of the corporate world's darkest secrets.

Computer security breaches not only cost companies billions of dollars a year, but sometimes they also threaten our personal privacy.

Even a simple data leak on a corporate Web site exposing basic customer information can provide unscrupulous Net surfers with more than enough information to create false identities, said Kevin Bousquet, a Toronto private investigator and president of The Corpa Group.

"You can own a person. With a name and address I can do a $12 vehicle search which gives me a date of birth. With that, you can get into the credit bureau and then you've got everything - a social insurance number, balance on credit cards, loans, where you're currently banking - the sky's the limit. You can go around to stores and start applying for credit cards under that identity."

It's the kind of science fiction nightmare that's become a reality in the information age as companies rush to join the interlaced network of computers that make up the Internet, say computer security experts.


"Not many (lapses) become public because companies want to cover them up for obvious reasons."
- Ernst and Young's Cam Johnston

If you haven't heard much about the thousands of computer security breaches that happen every year, don't be surprised. Less than 5 per cent of incidents make the headlines, experts say.

"There are serious security problems out there with many Web sites", says Cam Johnston, principal in information security services with Ernst and Young.

"But not many become public because companies want to cover them up for obvious reasons."

On Thursday, that corporate code of silence was broken by a Toronto software developer who uncovered customer data sitting unprotected on the Air Miles Web site (http://www.airmiles.ca), including the names, card numbers, home phone numbers, E-mail addresses and home or business addresses of 30,000 Air Miles members.

Air Miles is a rewards program in which cardholders receive points for purchases that can be redeemed for travel and merchandise.

"For a large site dealing in financial issues, it's sheer incompetence on their part", said Terry Hamilton, who unearthed the information during a visit to the site Wednesday.

John Wright, a spokesperson for The Loyalty Group, which operates the Air Miles Program, said the unsecured data prompted the company to shut down the site indefinitely and assign a team of information technology specialists to close the hole and investigate the breach.

Computer security experts say Air-Miles-style breaches are like fleas on elephants - numerous and relatively benign.

Bill Malik, vice-president of U.S.-based research firm The Gartner Group, says there's a vibrant computer crime underbelly made up of electronic spies who crack code in order to rob companies of corporate secrets, proprietary data and money.

And they're usually not techno-savvy teens breaking in from the outside.

"The vast majority of cases we deal with come from a disgruntled employee on the inside who got passed over for a promotion or got snubbed by the secretary he was flirting with."

"I personally know of well over $1 billion (U.S.) worth of computer breaches last year alone", Malik said.

The Gartner Group said the average company with networked computers spends between 5 and 8 per cent of its information technology budget on computer security.

While that's triple the amount companies were spending a few years ago, it would have to triple again - to between 15 and 25 per cent - to make Internet-linked systems virtually air-tight, he said. And few companies can afford that kind of investment.

That's especially true these days when the Year 2000 computer problem has gripped company technology departments with fear.

As they furiously rush to fix broken computer code that threatens to shut down vital systems on Jan. 1, their attention - and their budgets - are being diverted from security concerns, said Ernst & Young's Johnston.

"We are seeing people telling us they can't do anything about security until six months from now when the Y2K problem is handled.

"That's been happening for 18 months. And it's a big problem."


Copyright © 1999 by The Toronto Star. All Rights Reserved. Reprinted with permission.