The recent theft of data from some 40 million credit-card accounts in the United States is another reminder of the insecurities of the digital world. Electronic commerce continues to rise in volume but consumers, retailers, financial institutions and other parts of the business chain have not yet adjusted to the demands of this new environment. Foolproof security is impossible — just as in the bricks-and-mortar world. Maximizing protection requires efforts by all parties involved in a transaction — customers, businesses and every participant in between.
Rising numbers of Japanese are online: Japan’s Information and Communications White Paper reported that there were about 79 million Internet users at the end of 2004, an increase of nearly 100 percent in five years. They like to shop. According to a government survey, Japan’s business-to-business e-commerce grew 33 percent in 2004 from the previous year to reach 102.7 trillion yen. Business-to-consumer e-commerce expanded 28 percent to 5.6 trillion, yen and the consumer-to-consumer e-commerce market for Internet auctions last year reached 784 billion yen. Nearly two-thirds of Internet users use credit cards to settle transactions. But the exploding use of credit cards is not restricted to the online world: According to the Japan Consumer Credit Industry Association, by the end of fiscal 2003, 263.6 million credits cards had been issued in Japan, more than two for every citizen.
Vulnerabilities are growing. In mid-June, it was reported that hackers had breached the security of CardSystems Solutions, Inc., a U.S. company that processes credit-card transactions, and gained access to more than 40 million credit-card numbers. This revelation followed the admission in February by ChoicePoint Inc., a data broker, that identity thieves posing as legitimate customers had cracked its defenses and made off with consumer data. Since the beginning of the year, more than 15 large-scale data breaches have been reported in the U.S.: Nearly 50 million accounts in total have been compromised.
The impact of the CardSystems theft has already rippled through Japan. It is thought that information on more than 140,000 holders of credit cards issued in Japan may have been included in the theft. Some Japanese credit-card companies have reported that the stolen data was used to produce counterfeit cards, which have resulted in purchases of a number of items: The Ministry of Economy, Trade and Industry estimates the losses have already reached 110 million yen.
Of course, most fraud does not cost the consumer anything; they do not have to pay false charges made to their account. But identity theft can take years to untangle.
Data theft is not new. Every few months there seems to be a report of some incident. In February, NTT DoCoMo announced data leaks on 24,600 of its clients. In August of last year, high-speed Internet provider ACCA Networks revealed that it had lost data on some 340,000 customers. In June, Cosmo Oil Co. said it feared personal data on 923,000 of its 2.2 million registered credit-card users had been leaked.
According to a survey last year, nearly one in 10 major Japanese firms said it or its group of companies had experienced leaks or losses of data featuring customers’ personal information in the past two years.
Sometimes hackers are to blame; other times it is misrepresentation by thieves — asking for data by claiming to be someone else, as occurred in the ChoicePoint case. Other times, disgruntled employees may be stealing or selling data. And sometimes, pure carelessness can be the problem, as when briefcases are left on trains, laptops are stolen from cars or data tapes are lost in the mail. Each problem represents a different weakness in the security chain; all have to be strengthened.
Some solutions are easier than others. Businesses and individuals should be encrypting data more often. Individuals need to change passwords regularly and stop using easily discovered ones. Using the same password for multiple accounts is courting trouble. Most important, companies need to treat data like a precious commodity. Three years ago, a survey of Internet users at Japanese companies showed that one-fifth used software that left them vulnerable to hackers.
Management must recognize the serious consequences of lax security. Companies should be required to notify consumers immediately when data is lost. That will put consumers on notice that they are vulnerable and encourage them to pressure data providers and managers to be more careful.
Preventing theft will become increasingly difficult as data becomes more deeply integrated into our daily lives. It is the infrastructure of modern society. Thus far, though, individuals, businesses and governments are lagging in their appreciation of this building block of 21st-century life.
In a time of both misinformation and too much information, quality journalism is more crucial than ever.
By subscribing, you can help us get the story right.