
BATON ROUGE, La. – (Sept 9, 2008) – TraceSecurity, the leading provider of comprehensive IT risk assessment and security compliance solutions, today released five-year statistics from its social engineering and penetration testing engagements. The statistics show that 95% of U.S. financial institutions' sensitive data, including bank account records and Social Security numbers, could have been stolen, on average in 30 minutes or less.
Between 2003 and 2008, TraceSecurity's engineering team, headed by co-founder and CTO Jim Stickley, compromised the security of more than 1,000 financial institution branches. As an independent auditor for regulated industries including the financial services sector, TraceSecurity estimates that tens of millions of consumers' personal identities could have been stolen if the attempts had been real attacks rather than authorized tests.
The statistics were drawn from a core group of TraceSecurity's more than 800 U.S. customers, located in 48 states, with asset sizes of up to $2.7 billion and an average of four or more branch locations each.
“Personally, I've been able to bypass security policies, procedures and technology of any bank or credit union where I've performed social engineering engagements 100% of the time,” said Stickley, co-founder and CTO of TraceSecurity and author of the newly released book The Truth about Identity Theft. “My job is to help companies understand and improve their security, and that’s exactly what happens with the tests we performed on financial services firms.”
The tests from which the statistics were drawn focused on three best-practice services: Penetration Testing, Remote Social Engineering and Onsite Social Engineering. Penetration Testing attempts to break into the company's network over the Internet to find vulnerabilities that may exist, whereas Social Engineering tests include phishing, pharming, pretext calling and onsite impersonation of a trusted third party.
TraceSecurity engineers often disguise themselves as a fire marshal or pest inspector as part of their onsite Social Engineering engagements. They are able to gain entry 95% of the time into bank areas that often contain sensitive data, which can then be easily compromised.
Backup tapes storing sensitive data were cited as the easiest target to steal without being detected by bank employees. Other items stolen in the test heists included loan applications; miscellaneous hardware such as laptops, cell phones and PDAs; keyboard data; and more, containing common information such as Social Security numbers, bank account numbers, addresses and contact information, mothers' maiden names, driver's license numbers and credit card numbers.
“When in disguise, TraceSecurity engineers were only questioned on a couple of occasions,” said Stickley, referencing the five-year statistics. “One example included a situation where an engineer posing as a fire marshal was questioned by a bank employee married to a fire marshal; another example was an engineer who was busted when he showed up dressed as a pest inspector in a uniform similar to the one I was wearing on the front cover of a recent industry magazine.”
While government regulators and regulations such as the FFIEC, NCUA, HIPAA, SOX, FCA and others recommend social engineering engagements, they are not mandatory, unlike testing for vulnerabilities and adherence to the Information Security Program.
“Financial institutions are often under attack via physical breaches or the Internet,” said Stickley. “That’s why it’s important to take a proactive approach like more companies are doing today, and hire experts who understand the nuances of cyber crime and data heists. It takes only one branch location for all customers’ sensitive data to be at risk, and recent data breaches have shown these losses can amount to billions of dollars – a huge cost for what’s usually a small, avoidable error.”
About TraceSecurity
TraceSecurity is a leading provider of security compliance and risk management solutions. The company helps organizations of all sizes to achieve, maintain and demonstrate security compliance while significantly improving their security posture. Key to TraceSecurity's success is the company's comprehensive patent-pending methodology that helps clients address all of the critical components of a successful security compliance program: people, process and technology.
TraceSecurity delivers its solutions through an integrated software-as-a-service platform backed by expert professional services and comprehensive security awareness programs. The company's flagship offering, TraceCompliance Manager, is the first comprehensive solution to automate regulatory compliance audits, board-level reporting, policy management, vulnerability assessment, and employee education and testing. The company's expert professional services include onsite security audits and social engineering. The security awareness programs include an exhaustive set of standard offerings as well as custom-designed courses. With over 800 clients, TraceSecurity supports the risk management and security compliance efforts of organizations in financial services, healthcare, insurance, government and other regulated sectors. For more information, please visit www.tracesecurity.com.
# # #
Note: TraceSecurity is a trademark of TraceSecurity, Inc.
FOR IMMEDIATE RELEASE:
Wendy Parish
Freestyle Public Relations
515-223-4343
wendy@freestylepr.com