Nov. 30, 2007 at 8:15 AM ET
It's being called the worst data leak of the information age. Earlier this month, U.K. officials had to admit they'd lost computer disks containing personal information on almost half the country's population, including nearly all families with children. If that's not bad enough, the databases included the worst kind of information to lose -- consumer bank account numbers.
It's a data scandal fit for tabloids. The price tag put on the loss is already $500 million. Prime Minister Gordon Brown had to issue a public apology, and the head of Britain's Revenue and Customs office was forced to resign. The U.S. audience might have missed the initial news because the story broke during the Thanksgiving holiday. But the obvious question floating across the Pond is this: Could something that dramatic happen in the United States?
Yes, most experts say. And the consequences here would be even worse.
The computer disks lost by British officials contained intimate details on every family in the United Kingdom that claims the child benefit -- a government subsidy payment that goes to every household with children. The disks were lost while being sent between government agencies. The information on them included the names, addresses, dates of birth, insurance numbers and banking details. In all, data on 25 million of Britain's 60 million citizens were on the disks.
That amount of the data loss is staggering -- just shy of half the nation's population.
"We've never had anything like this," said Avivah Litan, a bank security analyst with consulting firm Gartner. The stolen Veterans Administration laptop may sound comparable in number (26 million), but the type of data lost in that incident -- Social Security Numbers -- pales in comparison to the lost U.K. tapes, Litan says.
Toby Weiss, president and CEO of Application Security Inc., says consumers may have grown a bit numb to large-scale data losses now, with their spectacular multi-million-long lists of victims.
"Wow, when you're talking about names of children and their addresses, and bank account information, this is a whole different kettle of fish," he said. "The fact that it's so much important information in one shot, we've never had anything to compare with that."
Hot items on the black market
To really understand the importance of the U.K. leak, it's important to understand how valuable raw bank account information is. In a report written soon after the U.K. incident, Litan said Social Security numbers sell for as little as $5 on the ID theft black market. But live bank account information can sell for as much as $400.
Why? It actually takes some effort to turn Social Security numbers and even credit card numbers into cash. Social Security numbers are only a building block that can be used to apply for credit. Card companies have sophisticated tools designed to catch fraud as it happens, including software that spots unusual purchases and stops criminals in their tracks.
But banks have no such protections on checking account transactions, Litan says. In fact, anyone with a bank account number and routing number can print up fake checks and start draining consumer accounts. Banks don't even process checking account transactions in real time. Instead, they are batch-processed, generally once each day, through a system called ACH, or Automated Clearing House. So there really is little defense against a large-scale checking account theft. Millions of checking account numbers falling into criminals' hands would be difficult to combat.
"ACH is an accident waiting to happen," Litan said. "It's the 'not-talked about-network,' but it has a lot of vulnerabilities. ... Big banks are more worried about check fraud than anything else."
But even if lost bank account numbers never fell into criminal hands, the hassle and cost of such an incident would be enormous for both banks and consumers.
Whenever a large-scale theft of credit card numbers is revealed -- such as the theft of nearly 90 million account numbers from TJ Maxx -- card-issuing banks generally adopt a wait-and-see attitude. Sophisticated systems allow them to flag potentially stolen card numbers and watch carefully for signs of fraud.
There is simply no parallel system for bank account numbers, Litan said. So a similar incident in the United States might force banks to close and re-issue millions of checking accounts, at enormous expense.
"The impact on people's personal lives would just be untold. If you've ever had to change your credit card number you know it's a pain in the butt. When you talk about bank account numbers you multiply that tenfold," Weiss said. Consumers might spend days, or even weeks, unable to pay their bills or reliably access cash, he said. "It's a lot harder to issue someone new bank account numbers than new credit card numbers. ... It's safe to say this kind of thing (could cause) a recession."
New tools being tested
Richard Oliver, executive vice president with the Federal Reserve Bank in Atlanta, has spent the last 10 years studying electronics payments and hosting conferences on payment security. He said the bank electronics payment association, called NACHA, is currently testing tools that would allow improve bank check fraud prevention tools.
"There are efforts under way to make ... these transactions more secure," he said. While not as alarmed about the prospect of large-scale fraud as some others, he added "obviously, there's a problem."
Still, cleanup from even a relatively benign data loss -- where fraud was very unlikely -- would be very costly for banks, he said.
"It's certainly $10 to $20 per account," he said. "And it could go higher."
One saving grace for the United Kingdom in light of the data leak is the concentration of the banking industry there. Five banks control about 90 percent of all accounts in England, making it quite a bit easier for banks to collaborate on fraud prevention. In the United States, where there are 10,000 banks, regulations prevent any institution from controlling more than 10 percent of all depositors, Litan said.
"It's much easier for crooks to get by in the U.S., where there's 10,000 targets," she said.
That means a data loss such as the U.K. incident would be even more dire here in the states.
While there's no U.S. government program that's analogous to the U.K. child benefit program, plenty of federal agencies hold vast amounts of personal information, including bank account numbers, said Larry Ponemon, a privacy researcher who runs The Ponemon Institute. The IRS, for one, controls data every bit as rich as that lost in the United Kingdom. So does the Social Security Administration, which has millions of bank account numbers for direct deposit payments.
"Absolutely, it's possible," for a similar event to occur in the here, Ponemon said. In fact, it may have already happened, he said.
Despite aggressive disclosure laws requiring companies and agencies to admit to consumers when data is lost or stolen, Ponemon believes the vast majority of such incidents still go unreported.
"My gut says 80 percent," he said. "Actually, it's more than my gut, that's based on four years of research." In his studies, three-fourths of all companies admit to some kind of data leak. If all of them disclosed the leaks, the stream of press releases would be never-ending.
Exact threat is hard to determine
Still, despite spectacular news stories involving lost data and isolated stories of bank account thefts, clearly there has not been any large-scale raiding of consumer bank deposits by criminals. That leaves most analysts, and event the Federal Reserve, at a loss to describe how real the threat is.
"The issue nobody has their hands around is, 'How big a problem is this, actually?' Oliver said. "We see dramatic instances of theft. But the Fed has tried to do studies on check fraud, and it's very hard to get financial institutions to be forthcoming, and to get our hands on how big a problem this is."
Weiss, the security firm CEO, is concerned that if the U.S. banking system doesn't take the chance to learn from Britain's incident, we may all find out when it's too late. In his mind, the incident proves even the largest organizations are still far too cavalier with personal information.
"This is a continuation of a trend we are seeing in the market. … The big question is: How did so much data wind up on a portable medium?" he said. "How could someone pull down that much data without alarm bells going off? Whatever we're doing obviously isn't working. There is too much data moving around way too much."