158 Million Records Exposed (And Counting)

Lucas123 writes "According to the The Privacy Rights Clearing House 158 million records have been exposed over the past two years as a result of inadequate security. Data's less secure today because as fast as banks, merchants and consumers add new layers of security to their storage systems and networks, new technologies — or simply careless users — create new security holes, according to Bob Scheier at Computerworld."

Fixed?

Nothing for you to see here, please move along

Phew, at least they fixed the problem quickly!

Re:Fixed?

Yeah, it's all fixed. What the summary failed to mention is that those 158 million records were 158 million individual breakins for 1 record each. It actually was the same guy's record each time. So, it's not that bad. Sucks to be that guy, though.

i read it somewhere else

but all you would have to do is pass a law making the financial institutions responsible for all of the costs and hassles involved with identity theft, and it would never happen again. but as long as consumers shoulder that burden, or even a part of it, it will continue, as the consumer is not the one in a position to fix any of the problems that lead to identity theft

Re:i read it somewhere else

I agree to an extent, you also have to take some personal responsibility when dealing online. Your birthday or dogs name is not a 'secure' password.

Re:i read it somewhere else

So who is "responsible" then if a phisher puts up a fake website that looks like YourBank.com? Is YourBank responsible for your stupidity at falling for the phish?

What about a DNS attack, where legitimate customers going to the legitimate YourBank.com site are redirected to a man-in-the-middle site? Everything looks legit (albeit slow) and it's a near-picture-perfect real-time clone of the bank's site and the user's account info. Who has to pony up in this case? Linksys/Cisco for making a router susceptible to DNS hijacking? IE or Firefox for somehow not recognizing the MITM? Verisign for legitimately issuing a certificate to a hacker that he then later misused?

At some point a lot of these fall into the category of technological failings. Are we suddenly going to see disclaimers on routers and ethernet switches claiming "Not suitable for secure financial transaction data"?

The only way to truly end this is to remove the ability to use the data online, and require face-to-face authentication. Shut down commercial use of the internet. Not a likely scenario.

The next best solution would be to train employees and end-users how to safely transact business over the internet. Joe Sixpack can't even identify every button on his TV remote control -- what are the chances he can learn how to check certificates for authenticity? Even if he could be trained, would you then shoulder the responsibility for training him how to spot hacks just in time to have a new hack come out and steal his account information anyway? "Mr. Trainer, I followed your instructions exactly and I still got hacked. Here's a lawsuit for damages due to your incompetence."

And before you place too much faith in IPV6 to solve all these problems, you should take a look at every other piece of technology claiming to solve security problems. They're all flawed -- some more than others. It's just that we don't know IPV6's vulnerabilities yet.

Re:i read it somewhere else

"The only way to truly end this is to remove the ability to use the data online, and require face-to-face authentication."

Because, as we all know, fraud and identity theft did not exist before the advent of the internet.

Re:i read it somewhere else

They can't make companies that consume financial information responsible for it 100%, because the big huge wide open hole is the consumer themselves. They can type their password into a fake website faster than you can say 'anbesol' and what fault of the bank's is that? None. Consumers need to be smarter, BUT banks or merchants SHOULD be liable for any data exposure due to negligence. Which is something else entirely. If it's bad security practice on behalf of the institution, or someone accidentally left the firewall open, then they should eat the cost of cleaning up their spill. But, if someone misuses a login because you were dumb enough to phish out your password, or you got keylogged, sucks to be you.

Re:i read it somewhere else

"all you have to do is pass a law...and it would never happen again"?

Oh, if it were that easy. Pass a law and Windows bugs are fixed. Pass a law and dishonest employees will never steal again. Pass a law and a hard drive will never be misplaced, or a delivery service will never lose a tape en route, or a destruction service will never hire a corporate spy.

California (and a few other states) has a law requiring notification. Minnesota has almost exactly the law you would like requiring the leaking parties to be responsible for the costs, yet continues to have breaches.

Laws aren't like some magical "wand of protection +5". Sure, they give people incentive to do something, but they can't actually stop the dishonest people, nor do they protect us from the incompetent until after the damage is done.

Re:i read it somewhere else

Laws aren't like some magical "wand of protection +5". Sure, they give people incentive to do something, but they can't actually stop the dishonest people, nor do they protect us from the incompetent until after the damage is done.

You're missing the point.

Right now, the companies whose data is stolen have no financial incentive to beef up their security, but they have plenty of PR incentive to cover up breaches. If such breaches were to hurt their bottom line, the shareholders would make them take their security seriously.

As for the effectiveness of laws, look at Sarbanes-Oxley: corporations have created whole departments just to manage compliance. Sure, they bitch and moan abotu the hassle, but they comply because it's the law. Why can't they be obligated to put the same effort into customer data security?

Re:i read it somewhere else

As many people will point out, at some point you have to take responsibility for your own information. It's not the data breaches themselves that are really the issue, but the fact that once your data gets into the wild, it can be used for nefarious and often illegal purposes, and that's there is no easy way to deal with the problem. Anyone who gets their identity stolen literally spends years writing letters and making calls to various companies to indicate that in fact their identity was stolen and they are not responsible for the misuse of it. When it comes to clearing things up with the major credit monitoring services, it can be downright frustrating to get them to make necessary and factual changes to your credit report in order to get the matter cleared up.

We don't just need laws to make companies liable, we need a system in place to make sure that when data breaches do occur, that those affected can restore some semblance of normalcy to their lives with the minimum of fuss. And we need laws in place to define just what data any particular company can collect (remember: your SS# is not supposed to be used as any kind of identifier except for tax purposes) and more importantly, how that data should be stored (mandatory encryption).

Re:i read it somewhere else

By making something more than the knowledge of 16 digits required for a loan (which is what they're doing when they authorize a credit transaction). Or even deducting the money directly from my account. Or, God forbid, knowing 9 measly digits from my SSN, as if that somehow were a secret.

It continually baffles me that credit card numbers are assumed to be somehow secret, despite the fact that you hand a waiter making $2.15 an hour a little piece of plastic with that number written on it without a thought.

The customer is in no position to create a new technology that ends this "open secret" way of verifying identities. There are much better mechanisms available, using public-key cryptography and some combination of passwords (entered into a smart card, not passed over the Internet), biometrics, and physical identity tokens.

That's up to the credit card companies. The reason people steal the numbers is that all they have to do is steal the number. Make it harder to steal and they'll stop stealing it. Until then it will continue to shock me that mere knowledge of a password which is regularly transmitted all over the place, and can be stolen from my wallet or my mail, is used as an identifier.

They blame it on the customer because they can, not because it's the customer's fault.

Solution is simple...

At a state level (We could never get our Fed legislative critter to do something for the people) have a 'data protection' right. Bottom line: You lose data: you pay the people who's data you had. You fail to notify the people you pay double. If the information is actually used, damages are double plus ACTUAL / ON GOING losses.

Bottom line: Lock up your data!. We learned this back in the days of the wild west. Now we must - relearn; reinvent the safe for the 21st century data.

Sucks

My own information, including bank account numbers, has been stolen and sold. I received a letter from a company I've never done business with, explaining how it wasn't their fault that they lost information I didn't give them, and trying to reassure me that nothing bad would happen.

The people running these companies should be considered criminally negligent. Maybe then they'll start to take security seriously.

At least you knew!

Well, at least you knew who and where the information was leaked.

In my case, I got a letter from my credit card saying that a merchant whom I had transacted with, was the source of a breach. No more information on when this occurred, who the merchant was, how many people were impacted or how long they knew of the situation, before they informed me. Instead, the Credit Card company re-issued me a new credit card, at 'my request' prior to me doing or asking for anything.

The letter in fact was so unsettling, it was written to evoke a feeling that I had somehow reported fradulent activity... I called the company and spent 45 minutes before realizing that there was one of me and a seemingly unending supply of pod-people who kept repeating the same line to me. I obtained my own credit report a few weeks after and guess what, the aforementioned account was "closed at the customer's request".

The outrage in me continues, and I wonder what kind of risk I'm exposed to, but I don't know what to do against an army of droid? May be a letter will do some good? How much time should I invest in all of this without the faintest glimmer that anything will happen?

I second your thoughts on higher penalties. With credit cards being an increasing singular means of carrying out transactions, I would certainly modify my business behaviors with people who are not careful with my information!

stats on what the breaches were

http://www.privacyrights.org/ar/DataBreaches2006-A nalysis.htm [privacyrights.org] human/software incompetence took up 44% in the public sector, hackers 52% in higher education and theft(s) were 55 and 57% for private and medical respectively

Numbers

I'm guessing that's a global number (RTFA? who has time... besides me), but if that was just America, that would be more than half [cia.gov] of the population... wonder how many of those numbers are dupes.

Always going to be a problem

Data breaches are always going to exist.
The big question is: What can be done to minimize the impact of the breaches.
The short answer - make it harder to get credit cards, loans, etc.

Once you change the way that money is handed out by financial institutions, all that stolen data becomes worthless.

But... that will never happen. Easy access to credit is the lifeblood of the debt driven American economy. So really, no matter how much moaning goes on about fraud, they still want a system that allows everyone to easily have access to debt at the drop of a hat.

Hum...

Did I do the math wrong or does that add up to just over 200,000 a day give or take.

2 years = 365*2 = 730
158,000,000/730 = 216,438.36

wow thats a lot of data to be "compromised." I think some of these people should have had better measures in place to prevent this type of thing. Others just shouldn't piss off there staff to the point that they sell company information to the highest bidder. Especially when that information is mine.

I am getting spam to my gmail account

and NOBODY knows about the account because I have NEVER used it to send mail to ANYONE not referred to it in any other email or web communication.

This is REALLY sad.

And there are potentially 22 million more

That they've counted and not included in the total. What I've learned from reading over the list, is that I shouldn't trust and government agency with sensitive data. Ever. Private industries seem to be fairing better (or not uniformly reporting their issues). My data has been exposed thanks to the VA theft a while back, my wife's was recently compromised by a third party check clearing service that we weren't knowingly doing business with.

And to top it all off, there's talk in some areas about sending private data over sees to cut the costs of processing it locally. I bet that won't get screwed up at all.

Don't use personal info for identification!

Your date of birth, your mother's maiden name, and miscellaneous other personal facts should be of no value to criminals. Identity theft should not be a serious problem. It is easy and cheap to construct systems that do not directly rely on personal information.

As long as brain-dead morons at financial institutions and in government insist on using personal information for identification we will have issues. This is such a flawed approach that it really is negligent.

Security is an illusion

When it comes to your personal information there is no thing as security once it has left your control. None of it is really protected. Companies engage in "security theater" to give the appearance of protection but that is a sham. Why? THERE IS NO PENALTY FOR BREACHES.

Genuine security costs companies millions of dollars. Insecurity costs them NOTHING. They could expose every single piece of every person's information and it would have no penalty. None.

The government and corporations have no interest in protecting your information. So much is in the wild already that it makes no difference to them. 158 million people? What's 50 million more? 100 million more?

Stop complaining about this. The horse was out of the barn a long time ago. Security and privacy are illusions. They are gone and they are NEVER coming back. Your security and privacy have no value to the government or corporations.

TJX

One thing I'm surprised I haven't seen here is the TJX breach http://it.slashdot.org/article.pl?sid=07/08/16/207 215&from=rss [slashdot.org] caused by insecure terminals for job applications. The data that was stolen was not given online, but by giving a credit card to a clerk in a store. 45 million credit card numbers were stolen in this breach, which is nearly one third of the 158 million reported here. This is not a case of a consumer being duped by a phishing scam or DNS attack, this was a corporation not taking security seriously. In the end, it was the trusting consumers that were harmed.

Need a New form of ID

A lot of the problems are based n antiquated systems still out there storing (then) not so sensive data loosely. The problem created itself when institutions used this old passive ID (name, SSN) as THE ID.

If I were "king 'o the world" I would get some international org together to develop an ID standard, then require all employers, agencies, and lenders and such to convert over (say in five years) to use that for all transactions, etc. Also set up laws and education curriculum about "your ID" and punish those who abuse them.

Kludging together christian names, birthdates and social security numbers may have been a neat hack in the 60s but it's a bit outdated now. The only way to get past it is if we can reinvent a better wheel (Yeah, Im a programmer).

Pay the customers who get hurt

I've said it before [slashdot.org] and I'll say it again, there's a great opportunity here for an enterprising business to make money by providing insurance against ID theft, IF THEY PAY THE AFFECTED CUSTOMERS!

Summary: Leverage best practices and reward for it AND involve the customer to demand better protection.

Imagine if insurance companies offered a policy that would:

• clean up the customer's credit,
• reimburse for losses,
• AND pay an "inconvenience fee" TO THE CUSTOMER whenever data is lost.

This might play out as follows:

Mary: "Hey Joe! Why are you still dealing with "OldFoo, Inc." after they lost your data? You spent so much time and money trying to get it cleaned up! I just heard that "NewFoo, Inc." has insurance that not only will clean up from any mistake they make, but it will also pay me $100.00 for my inconvenience! Why don't you check it out?"

Joe: Calls up NewFoo, Inc. and gets the scoop on the protection plan.

Mary: "So, did you call?"

Joe: "Sure did, and I'm sure glad I did, too! I just found out that NewFoo underwent a comprehensive security review and got a 3-star rating! Because they put new security measures in place, they will now pay ME up to $1,000.00 if they lose my data!"

Mary: "That's great news! I wonder what the ratings are for the other companies I do business with?"

Joe: "That's easy, all you have to do is go to ID-Theft-Star-Rating.com and look them up!"

Now, insurance companies are not around to lose money. They provide all kinds of risk coverage. They have developed means to assess risk, provide varying amounts of coverage, and charge appropriate premiums to cover those costs. Many will even come out to your site(s), perform a risk assessment, provide recommendations for how to mitigate them, and would offer lower insurance premiums or better coverage (payments) as a result.

For example: I can pay *higher* premiums on my car insurance to increase my coverage. I can pay *lower* premiums if I install a car alarm. Or, I could combine the two to end up with more protection for the same money.

IANAIG (I Am Not An Insurance Guy) so this is surely over-simplified, but I believe it could form a good starting point for discussion. Comments?

weakest link

security is only as good as the weakest link. unfortunately, this means, in general, as the number of people in the chain grows, the number of vunerabilities increase... seemingly exponentially.

Could this be for another reason?

Tracking the numerous laptops left with huge databases of personal information out of various government agencies,... one is left to wonder why anyone is surprised by all this data theft. Didn't someone send out a memo?

Could it be, that the Total Information Awareness project (TIMA), run by federal criminal John Poindexter, just went privatized? Could it be that he and other people are doing an end-run around spying on citizens, and creating a massive database for this purpose and subsidizing the costs with taxpayer money and sales of information to private companies?

Is there anything in the current law to stop them -- other than catching them red handed with grabbing the laptops out of someone's car?

Reporting agency

Is there a reporting agency that we can contact regarding blatent disregard for personal data? A friend works for a foot doctor (podiatrist,sp). The dosctor forces a different nurse to take the laptop home with them, and return it to the office the next day. The doctor has multiple office locations, so he cannot leave it locked in the current office.

Glass walls

So how long until all of it is stolen ? There are only 300 million people in the US.

Gartner says identity theft is up 50% since 2003

According to TFA, "approximately 15 million Americans were victims of identity-theft related fraud in the 12 months ending in the middle of 2006. According to Gartner, that's a 50% increase since 2003, and the average loss per incident was $3,257, more than twice the level for the same period a year earlier, according to the survey."

So at least at first impression, the routine leaks of personal information correlate with increased identity theft. Of course it might just be coincidence ...

jon

Not THE Bob Scheier?

It sucks to be Bob Scheier, saddled with a cheap copy of Bruce Schneier's name and writing about security. Scheier's like the Chery to Scheneier's Chevy.

Coincidentally...

I just started reading The Art of Deception by K. Mitnick today. Good read.