Last week, federal authorities announced the arrest of 19 individual associated with a data and identity theft ring.  This group, associated with an online forum at carders.su, specialized in stealing personally identifiable information and then offering it for resale.  The group, which was based in Las Vegas, also offered counterfeit cards for sale.  The arrests are part of a long-term operation called Operation Open Market, which targeted fraudsters and data thieves that were selling information.  While these 19 arrests are the most recent, the federal authorities report that there have been 50 individuals indicted during the course of the operation, which took place across several states.  The 19 arrested last week were described as employees or associates of the Carder.su identity theft ring.

“The actions of computer hackers and identity thieves not only harm countless innocent Americans, but the threat they pose to our financial system and global commerce cannot be understated,” said James Dinkins, executive associate director of ICE Homeland Security Investigations. “The criminals involved in such schemes may think they can escape detection by hiding behind their computer screens here and overseas, but as this case shows, cyberspace is not a refuge from justice.”

These arrests serve as an important reminder that identity thieves and so-called “carders” are not slowing their work.  While the media may have turned its attention to issues of hacktivism and state-sponsored corporate espionage, the carders continue to infiltrate companies and steal individual credit card details in order to counterfeit and resale the information.  If anything, the increased attention on the more sensational types of attacks have offered cover to carders to continue their “more mundane” crimes with little scrutiny.

The arrests highlight the need for companies to maintain their vigilance with respect to the protection of their customers’ data.  While the threat landscape has changed quite a bit, the threat posed by carders and identity thieves has not abated.   According to the Verizon 2011 Investigative Response (IR) Caseload Review,  personally identifiable information and financial information were the top targets of data thieves, followed by trade secrets and authentication credentials.  Clearly, the need to protect sensitive data of all kinds is still of paramount importance.

How can companies help mitigate their risk of exposure?  One of the most important steps that companies can take is to take inventory of the data currently being stored and make a business decision as to whether the company really needs to maintain that data.  If you don’t need it, don’t store it.  Often, companies continue to store data “just in case.”  Storing this data, though, can increase the liability associated with a compromise of customer information.  Additionally, there are a number of services, including ProPay’s ProtectPay®, that allow companies to process payments without processing, storing, or transmitting sensitive payment data.   Understanding the data that is being stored, and working to minimize the sensitive data kept onsite can help to reduce the consequences of a data breach, not to mention can significantly reduce the burden of complying with the PCI DSS.

Dr. Heather Mark, PhD. SVP Market Strategy