Yet another hack, yet another delay in reporting itJune 9, 2011: 3:57 PM ET
Citigroup is the latest to report a security breach, but the hack occurred more than a month ago. It's time for companies to open up about exposures to its systems.
FORTUNE -- Given the number of recent, high-profile network security breaches, it might be tempting to call 2011 the Year of the Hack. The danger is that there's a good chance 2012 might be even worse.
The underlying reason for this is the "lax security posture of many large-scale global companies," the malware expert Tim Armstrong told Security News Daily. It has, he added, "now become almost trivial for a motivated group or individual to find a way in."
The latest known hack, which occurred more than a month ago, was announced this morning: Citigroup (C) said information for about 210,000 customers, or 1% of its credit-card holders in North America, was stolen. The information included card numbers and contact information including email addresses. The bank said other data, such as Social Security numbers, birth date, expiration dates and card verification numbers were not compromised.
In what is becoming a disturbingly familiar pattern, Citi decided not to issue any warnings about the breach when it occurred, or for several weeks following. In fact, it might still be mum if the Financial Times had not broken the story late last night, prompting Citi to confirm it. The company issued a statement to the media, but as of Thursday afternoon, there is no obvious mention on Citigroup's website of the attack, including on its press-release page.
Likewise, Sony (SNY) decided to wait a week to inform its customers in April when its PlayStation Network was breached, reportedly by the "hacktivist" group Anonymous. Earlier this week, RSA Security, a division of EMC (EMC), offered to replace millions of customer secure ID tokens after it became known that a hack into its system back in March exposed its customer, Lockheed Martin (LMT), to a security breach.
Lawmakers are becoming frustrated. U.S. Sen. Patrick Leahy (D-Vt.) this week introduced the Personal Data Privacy and Security Act, which would make it a crime for companies to conceal data breaches, and would create a national standard for reporting hacks, replacing the many disparate state laws now in place.
It's hard to cite any particular reason why there have been so many high-profile hacks recently. Partly, it could be that in the endless cat-and-mouse game between hackers and security teams, the hackers have jumped ahead.
But it's also no doubt partly trendmongering. The Citi hackers are apparently pure criminals, motivated by financial gain. Many of the other recent hacks are so-called "grey-hat" attacks. That is, they're done for publicity, for thrills, just to show off, or to reveal how bad an organization's computer security is. Often they're ostensibly done in support of a cause, as when LulzSec claimed it hacked PBS's Web servers to protest Frontline's coverage of the Bradley Manning/Wikileaks case. That group is apparently responsible for several other recent hacks as well, including on Fox News and Sony.
LulzSec has claimed credit for several hacks on Sony's systems in the wake of the PlayStation breach. The latest came just this morning, when the group reportedly claimed to have lifted 54 megabytes of source code from the Sony Developer Network, along with maps of Sony BMG's internal network. The data was posted to Pirate Bay, the Bittorrent tracker site.
The PlayStation hack likely motivated the subsequent attacks – the company's systems clearly are woefully insecure, making them a tempting target.
Whatever the motivations though, it seems clear that organizations including private companies and governments going to have to invest more in security, and they're going to have to start being more forthcoming when their systems are breached.