BATON ROUGE, La. (9/10/08)--About 95% of U.S. financial institutions’ sensitive data, including account records and social security numbers, could have been robbed in 30 minutes or less on average, said TraceSecurity, a CUNA Strategic Services provider. Between 2003 and 2008, TraceSecurity’s engineering team compromised the security of 1,000 financial institutions. Had the attempts been legitimate, the personal identity of tens of millions of consumers could have been stolen, the company said. The statistics are based on a group of TraceSecurity’s clients, including credit unions, with asset sizes ranging up to $2.7 billion in 48 states. “I’ve been able to bypass security policies, procedures and technology of any bank or credit union where I’ve performed social engineering engagements 100% of the time,” said Jim Stickley, TraceSecurity co-founder and chief technology officer. The tests were based on penetration testing, remote social engineering and onsite social engineering. Penetration testing employs hacking into a company’s network through the Internet to check for vulnerabilities. Social Engineering tests include phishing, pharming, pre-text calling and onsite impersonation of a third party. For onsite social engineering tests, TraceSecurity engineers disguise themselves as fire marshals or pest inspectors. They gain entry 95% of the time to areas in financial institutions with sensitive data, the company said. Backup tapes storing sensitive data were the easiest target to steal while being undetected by employees. Other items stolen in the test heists include loan applications, laptops, cell phones, personal digital assistants, and keyboard data. “It takes only one branch location for all [members’] sensitive data to be at risk, and recent data breaches have shown these losses can amount to billions of dollars--a huge cost for what’s usually a small, avoidable error,” Stickley said. TraceSecurity provides security risk and compliance solutions.