Corporate e-mail privacy still a concern
July 2, 2001
The e-mail system at one of the nation's leading money managers operated on the Internet for months with little security, giving outsiders access to messages containing confidential financial data, passwords and employees' personal information.
The communications at Wilshire Associates Inc. of Santa Monica, Calif., which manages about $10 billion of investor money, dated to early last year and included numerous notes to company chief executive Dennis Tito, his banker and his lawyers. They also included information about bank transactions Tito made to pay for becoming the first tourist in space.
Wilshire officials said in interviews that they mistakenly set up their e-mail system outside the security firewalls protecting their computer networks. They blamed a software bug for the error and shut off access to the mail server -- and began notifying users -- after the Washington Post brought the problem to their attention.
Company officials said they have no evidence that anyone misused any of the e-mail. But security specialists said the lapse illustrates that many companies -- not just those that have fallen victim to well-publicized hacker attacks -- are failing to do enough to protect networks containing sensitive business or consumer information.
Officials at a Carnegie Mellon University clearinghouse for security problems said the number of reports it has received about computer intrusions rose from 2,412 in 1995 to 21,756 last year.
Recently, Microsoft Corp. warned that millions of Internet computer servers could be vulnerable to attack and be controlled by hackers because of a flaw in its server software. Microsoft then sent out 150,000 e-mail alerts, released a software patch and dispatched account managers to assist its largest customers.
In recent months, a hacker downloaded thousands of personal medical files from an unprotected university hospital computer, Chinese hackers vandalized hundreds of commercial and government Web sites to protest the loss of a Chinese pilot in a collision with an American spy plane, and two Russians were indicted for allegedly stealing 16,000 credit card numbers from Western Union. Authorities said most attacks never come to light.
"It's a chronic problem," said Kevin Poulsen, editorial director of SecurityFocus.com. "We can extrapolate that we're seeing just a tiny little tip of a pyramid of vulnerabilities."
A recent survey of more than 500 companies and government agencies by the FBI and the Computer Security Institute concluded that breaches "have the potential to do serious damage to U.S. economic competitiveness."
"The risk is substantial, particularly for those companies that don't take security seriously," said Ron Dick, director of the FBI's National Infrastructure Protection Center. Dick said the problem is caused in part by a shortage of experienced computer systems administrators and to the unwillingness of companies to spend enough time and money to protect databases and networks linked to the Internet.
"You have to protect the integrity of the information on your systems," Dick said. "And many, many companies are not doing that."
In part to measure the extent of the problem, federal authorities last year began requiring banks, credit unions and other financial institutions to routinely report electronic break-ins. About 65 incidents have been reported so far.
Financial industry officials said they are taking new steps on their own to protect systems containing sensitive commercial and consumer data. And they are sharing information with one another about suspicious computer activity in an early-warning system.
Washington Post, Monday, July 2, 2001. Copyright © 2001 Star Tribune