The Green Sheet, Inc


FTC Orders Financial Institutions To Attack Hacking

Two subcommittees of the House Financial Services Committee met recently to heed concerns of corporations, law enforcement officials and the Federal Trade Commission on the growing vulnerability of consumers' financial information. According to the latest data, hacker attacks are increasing and companies must act in order to protect customer information and themselves.

Congress ordered the subcommittee hearings based on three recent cases of major account data theft in which millions of consumers' information was compromised. One of those cases involved the credit card accounts of more than 10 million customers of Omaha, Neb.-based Data Processors International, a third-party processor for direct mail and Internet retailers ("Hacker Attack Threatens to Cut Consumer Credit Confidence," The Green Sheet, March 10, 2003, issue 03:03:01). A hacker broke into DPI's computer system in early February 2003, in what was the largest credit card security breach reported to date.

Attacks on computers and Internet security such as those by hackers, computer viruses or worms have increased 36.6% from the fourth quarter of 2002, according to Internet Security Systems, Inc.'s (ISS) Q1 2003 Internet Risk Impact Summary Report. So far in 2003, 35% of the attacks have targeted retail Web sites and servers and 12% have targeted financial services companies. And the FTC says we should expect these numbers to rise.

The ISS report states that because of the increasing number of connections and interconnections between standard networks and wireless networks, the number of access points to companies' systems will continue to increase, causing them to become vulnerable and thereby creating new and hard-to-trace paths for attack.

Convicted computer hacker Kevin Mitnick, who served five years in federal prison and now runs Defensive Thinking, LLC, a consulting company that helps businesses guard against hacker attacks, was among the people who testified before the committees.

Mitnick said that assaults on companies holding consumer financial data often go undetected because of poor security, and that businesses must strengthen their computers' defenses against newly discovered security vulnerabilities and train employees to spot the tricks of identity thieves. He said thieves look for the weakest link in the security chain.

James Farnan, Deputy Assistant Director of the FBI's Cyber Division, said many intrusions are never reported because companies fear lawsuits or loss of business based on the perception that their security is not adequate, The Associated Press reported.

The FTC presented lawmakers with its latest efforts in combating attacks on corporate computers and theft of personal data. Beginning May 23, 2003, when the recently finalized Gramm-Leach-Bliley Financial Privacy Act - Safeguards Rule goes into effect, the FTC will require financial institutions under its jurisdiction to "develop and implement appropriate physical, technical and procedural safeguards to protect customer information."

Companies must have documented security plans and must train employees on how to protect sensitive data. The FTC said it would watch companies to make sure they are in compliance with the new rule.

It plans to publish a self-audit guide to aid all businesses, especially financial institutions, credit issuers, universities and retailers, in their efforts to improve security and increase awareness of how to handle account data and sensitive customer information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
© 2003, The Green Sheet, Inc.