100 Million Victims of Data Theft
jcatcw writes "With the latest significant data breach — theft of a Boeing laptop with unencrypted personal information on 382,000 employees — the Privacy Rights Clearinghouse estimates that the total number of data breach victims has passed 100 million since they started tracking in February 2005. The director, Beth Givens, admits 'the number 100 million is largely a fictional number,' but it surely errs on the low side. Since California is still the only state with disclosure laws, incidents are difficult to analyze fully. However, Congress this week passed a bill requiring that the Department of Veterans Affairs report breaches."
I was counted twice! (Score:5, Interesting)
Re:I wonder... (Score:3, Interesting)
I never read of anyone having suffered consequences as a result of someone losing their data. Why is that?
Doesn't it seem as if there would be a few major class action lawsuits, at the very least? You'd think every time data loss occurs on this large a scale, it would be followed by droves of people suffering from identity theft or fraud
You're correct: theft or loss of a machine doesn't automatically mean identity theft.
First, the machine should be in a working state which is sometimes not the case.
Then, the criminal should realize there may be interesting info on the laptop (most would just format the drive and reinstall OS).
Then he should find it on the disk.
Then know what to do with it or who would be interested in buying it.
As you may suspect, this quickly limits the potential damage from such mishaps.
But there's the other side of the coin: the fact you don't hear of consequences may be a result of too delayed or still undiscovered frauds.
It's like bad food additives (like aspartame): they are deemed safe, simply because by the time damage occurs, no one can link the damage to the cause.
It's possible that people suffered but they either didn't know their data was stolen, how it was stolen, or that their problems are caused by identity theft.
It's also possible that the info is collected somewhere, ready to be abused, but the would-be-criminals are waiting for things to "settle" so they have greater chances of success with their activities.
So it's all very complex, but one thing is simple: keeping unencrypted critical info on portable machines you can easily lose possession of is terribly bad. It's pure laziness and ignorance, and the solutions to this very basic layer of data protection are simple and "there", ready for someone to realize they are needed.
I'm not very happy to see the government trying to react in "pieces" by demanding that veteran info breaches are reported. Why just veteran breaches? I'm not a veteran of any war; is theft of my data less critical? It can be the place where I work, the site I shopped from or my bank: it really should be approached with a generic solution and not a bunch of untimely exceptions to an absurd status quo.
"Identity theft" is a meaningless term (Score:4, Interesting)
This is the basic scenario: A criminal poses as you to borrow money (usually with a credit card), and then whoever lent that person the money asks you to repay it.
Then there are generally 2 consequences for you: debt and reputation damage. The debt itself is usually the lesser of the two problems, since you're not legally obligated to repay money that someone else borrowed in your name. Reputation damage, on the other hand, is incredibly hard to repair. This usually takes the form of erroneous information on your credit report.
Private agencies (Equifax [equifax.com], Experian [experiangroup.com] and TransUnion [truecredit.com] are the majors in the USA) maintain this information of your past financial transactions, and sell it to potential lenders in the form of a credit report. Lenders then use this information to decide how risky it would be to lend you money. These credit reporting agencies err on the side of over-reporting negative information, because a defaulted loan from an under-qualified borrower costs banks and lenders much more than a qualified applicant being turned away. Additional services (like providing reportees an easy way to correct errors) would cost credit reporting agencies much more than their client lenders would be willing to pay for the increased accuracy, so they don't bother implementing them.
The short version is that banks and other lenders knowingly rely on imperfect information about potential borrowers, because it is the most economically sensible thing to do. It's not profitable for them to pay for more accurate information. If they decide not to lend you money, even based on erroneous information, it will likely be very hard to change their minds.
Re:reporting on this subject (Score:2, Interesting)
kill me, Slashdot, for I haven't the nerve myself (Score:0, Interesting)
"Steven?"
Even after 7 years, I recognized her immediately. Julia. Julia McGurren. We had a platonic relationship in our senior year of high school. We shared a few classes and were both on the yearbook team. At first it was a mutual friendship. She got someone who knew the school's esoteric layout software, I got female companionship. If it wasn't for the fact that I had been thinking about her almost every day for the past 7 years, I probably wouldn't have been able to tell it was her. What little fat she had carried in high school was gone, accentuating her full breasts and long legs. Her acne was gone, leaving only soft, smooth cheeks. Judging from the Lexus she was stepping out of, her post-high-school plan of entering into the medical sciences field had paid off.
The reason she had never left my mind over so many years stemmed from our prom. I was sitting in the yearbook lab, playing Snood, when she asked if I had a date for the prom. I said that I didn't, and she responded that she didn't either. Since I was, and still am, an idiot about girls, I went back to playing Snood, completely oblivious to the fact that she wanted me to take her to the prom. Completely oblivious to the fact that my silent crush didn't go unnoticed.
Knowing that I didn't owe her money, nor had I ever slipped my tube steak into her (or into any woman for that matter), I realized that the reason she was here wasn't to collect a debt or inform me that I'm a father. She wanted to rekindle our friendship.
I had made the mistake of looking at myself in the mirror before leaving work today. My steady bachelor diet of fast food had given me an ample gut. The grease had only inflamed my acne. My quickly diminishing hairline stood on the crossroads of "hey he's got a big forehead" and "hey look at that bald fuck". My eyes were red from a previous night of playing Kingdom Hearts II and attempting to create memes on
I looked into her eyes. She wasn't addressing me. She was asking if I was me. I made a tough choice.
"Sorry lady, you must be looking for the previous owner. The real estate agent said he was gone long before I ever moved in."
It only hurt a little bit when her face showed relief.
"That's... that's alright. I figured he probably would have moved by now. Thanks anyway."
"No problem, lady. I hope you find who you're looking for," I said as I shut the door on her.
Trust me, Julie. The Steven in your memory is far superior to this broken shell of a man who pours his heart out on Slashdot tonight.
I found out last week I might be a victim. (Score:3, Interesting)
Their idea of taking care of the problem? Wanting me to register online (!!) or over the phone to be told if I was one of the victims, and also to get a free credit report or get credit monitoring, though they don't seem to think they should pay for that or for any fees I might get if I have been victimized...
Oh, and I only found out because it was in the local news.
Re:We need to think how transactions are processed (Score:5, Interesting)
I solved this problem ages ago. Some guy, actually two of them, invented something called the Diffie-Hellman Public Key Encryption Algorithm. Since then we've had dozens of these show up and now have RSA and DSA/ElGamal out there. Pretty much, with huge (1024 byte!) challenges and hardware devices with your key in them, as well as transferable One Time Pads (so you can let someone else use your credit card once, twice, for $5, for $10...), you can make it so everyone along the way can verify your identity and nobody along the way can pretend to be you.
The system drawn out isn't that complex. It's lazy distributed too; anyone can cache your public key, so anyone can independently verify you over and over again. This means that the store can verify your card isn't a spoofer and not pester the credit card company with it if it is; and if it's not, then the credit card company can also verify your card isn't a spoofer (and that the store isn't sliding in extra charges after you've signed for the price) and not pester the national PKI network with it.
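The verify-at-every-hop exchange sketched above, as an added example that is not part of the original thread and not the commenter's own code. It uses Go's standard-library ECDSA on P-256 as a stand-in for the RSA/DSA schemes the comment names, a constructed merchant name and price, and leaves out the transferable one-time-pad part. The store issues a fresh challenge, the card signs the challenge together with the price it was shown, and anyone holding the cached public key (store or issuer) can check the result independently: a raised amount, a signature from someone else's key, or a replayed authorization all fail.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Card stands in for the hardware token holding the cardholder's private key.
// The key is generated inside the device and never leaves it.
type Card struct {
	priv *ecdsa.PrivateKey
}

// NewCard creates a token with a fresh P-256 keypair (ECDSA is an assumption
// here, substituting for the RSA/DSA schemes named in the comment).
func NewCard() (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv}, nil
}

// PublicKey is the value any verifier (store, issuer) may cache and reuse.
func (c *Card) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// Authorization is what the card hands back: the agreed terms plus a signature over them.
type Authorization struct {
	Merchant    string
	AmountCents uint64
	Nonce       [16]byte
	Sig         []byte
}

// NewNonce is the verifier's fresh challenge; one per transaction, so an old
// authorization cannot be presented again.
func NewNonce() ([16]byte, error) {
	var n [16]byte
	_, err := rand.Read(n[:])
	return n, err
}

// transcript hashes merchant, amount and nonce into the bytes that get signed,
// with a separator byte so different field layouts cannot collide.
func transcript(merchant string, amountCents uint64, nonce [16]byte) []byte {
	h := sha256.New()
	h.Write([]byte(merchant))
	h.Write([]byte{0})
	var amt [8]byte
	binary.BigEndian.PutUint64(amt[:], amountCents)
	h.Write(amt[:])
	h.Write(nonce[:])
	return h.Sum(nil)
}

// Authorize is the card's side: it signs the challenge together with the price it was shown.
func (c *Card) Authorize(merchant string, amountCents uint64, nonce [16]byte) (Authorization, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, c.priv, transcript(merchant, amountCents, nonce))
	if err != nil {
		return Authorization{}, err
	}
	return Authorization{Merchant: merchant, AmountCents: amountCents, Nonce: nonce, Sig: sig}, nil
}

// Verify is the check any party with the cached public key runs on its own: the nonce
// must be the one this verifier issued, and the signature must cover exactly the
// merchant and amount being charged.
func Verify(pub *ecdsa.PublicKey, issued [16]byte, a Authorization) bool {
	if a.Nonce != issued {
		return false
	}
	return ecdsa.VerifyASN1(pub, transcript(a.Merchant, a.AmountCents, a.Nonce), a.Sig)
}

// Outcome records whether the verifier accepted each of four cases.
type Outcome struct {
	Genuine  bool // honest authorization
	Tampered bool // store raised the amount after the card signed
	Forged   bool // a different key signed in this cardholder's name
	Replayed bool // old authorization presented against a new challenge
}

func firstErr(errs ...error) error {
	for _, e := range errs {
		if e != nil {
			return e
		}
	}
	return nil
}

// Demo runs the exchange with a constructed merchant ("Example Grocer") and price ($5.00).
func Demo() (Outcome, error) {
	card, e1 := NewCard()
	impostor, e2 := NewCard()
	nonce, e3 := NewNonce()
	later, e4 := NewNonce()
	if err := firstErr(e1, e2, e3, e4); err != nil {
		return Outcome{}, err
	}
	auth, e5 := card.Authorize("Example Grocer", 500, nonce)
	forged, e6 := impostor.Authorize("Example Grocer", 500, nonce)
	if err := firstErr(e5, e6); err != nil {
		return Outcome{}, err
	}
	tampered := auth
	tampered.AmountCents = 50000 // extra charges slid in after signing
	pub := card.PublicKey()
	return Outcome{
		Genuine:  Verify(pub, nonce, auth),
		Tampered: Verify(pub, nonce, tampered),
		Forged:   Verify(pub, nonce, forged),
		Replayed: Verify(pub, later, auth),
	}, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Because the signature binds the price, the issuer can run the same Verify against the amount the store submits and detect a mismatch without trusting the store, which is the "verify your card isn't a spoofer" step at each hop without pestering the next one.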
Stupidity (Score:3, Interesting)
You can enforce encryption on every file, strong passwords, etc., but sooner or later some schmuck will print it out and forget to shred the printout when done. So it ends up on some dump available to anyone crawling around looking for something usable.
Designers of company security forget the most obvious and most dangerous threat: stupidity! My personal favorite quote used to illustrate exactly that is the following:
help "them" to want to change (Score:3, Interesting)
THE PROBLEM: It is currently financially worthwhile for some companies to play loose with personal information. The perceived costs of the consequences of poor protection are not sufficient to warrant a change in their way of doing business.
Many merchants / agencies / whatever don't seem to want to provide us additional protections. All it would take is for a few companies who already take security very seriously to sign up for the best star rating listed below, chalk it up to advertising expense, and put the pressure on the other merchants who do not sign up. "Hey! *WE* take your security seriously, and we put our money where our mouth is. If *WE* mess up, we clean it up and pay *YOU* for your inconvenience. Why would you want to deal with anyone else?"
There is a financial opportunity for an enterprising group to make a fortune here. Existing insurance companies provide graduated coverages and fees depending on certain items. I can select how much liability insurance I want for my car. I can pay the insurance company a larger premium for a greater amount of coverage. Alternatively, if I have certain protective measures in place, then my premiums can be reduced. I choose the level of coverage that works for me.
Whenever there is a security breach, make a payment to each CONSUMER! Get the consumer to be your best ally in getting merchants to sign up for the protection. So, if a merchant compromises the security of MY information, then the insurance company sends ME a check. I'll leave it as an exercise for the reader on how this could be extended to cover other organizations that have access to personal info such as hospitals or government agencies.
Also, and VERY important: advertise this feature like crazy - get the consumers to push the merchants to get the coverage along with an easy-to-remember grading scale for consumers to use to assess the degree of protection they are provided by a merchant. It took a few years, but now US car companies are advertising the NHTSA crash test ratings. [dot.gov] I expect the same could work for credit protection.
NOTE: All dollar amounts are pulled out of a hat. I'm just trying to put something concrete out there to use as a starting point for discussion. Obviously, the size of the covered merchant would affect the premiums and payouts, and I have NOT worked those into these numbers. Please offer improvements! The examples listed here might be appropriate for a moderate to large merchant.
Have a graduated scale of costs and coverages that depends on what level of security measures were in place at the time of the loss / theft.
If a merchant takes no security precautions then the insurance company would:
The consumer gets some benefits, even if the merchant makes no great effort to protect the user. It's still better than anything that the consumer is now getting. After a few payouts, word-of-mouth will boost interest by consumers in seeking out at least this minimal coverage. CEOs and CIOs will start to take notice.
If a merchant takes certain, documented, security precautions (encrypted DBMSs, firewalls) then the insurance company would:
Re:makes me wonder... (Score:2, Interesting)
I have worked in one of the European national telecoms, where I had access to the full personal data of millions of our clients. Our computers were locked down so we couldn't copy the data to floppy/CD/USB. The network was tightly separated from the rest of the company intranet, not to mention the Internet. Our office was monitored.
Before even touching the keyboard for the first time we had two full days of lectures about the relevant personal data protection bill, internal company rules, how to behave in case of security breach and so on.
Yes, personal data security is taken very seriously here. It always amazes me why you don't have a similar set of laws in the US.