Lifelock Worries After Employee Data Leaked To Web 145
itwbennett writes "Last week, Phoenix New Times reporter Ray Stein revealed that LifeLock CEO Todd Davis (who famously published his Social Security number in LifeLock ads) had been the victim of identity theft at least 13 times. This week, LifeLock made it clear that it's not so cavalier with its employees' personal data. The company asked the New Times to remove from its website a police report containing a redacted Social Security number, date of birth, address, and phone number of Lifelock employee Tamika Jones. In an interview, Stein said that the fact that LifeLock had to call and ask for the document to be removed reflected badly on Lifelock's service. 'I think this shows clearly that they know that it's got potential problems.'"
Fraud Alert != Fraud Immunity (Score:5, Informative)
Not everyone reviews a credit report before issuing any type of credit.
ID thieves can potentially abuse personal information, no matter how many types of fraud alerts you put, there is no guarantee that it will be seen by every third party.
Or the ID thief may employee social engineering and even defeat the 'fraud alert'
Todd Davis' publishing his social security number is a gimmick, and he should understand the risks, and chose to do so anyway, clearly as a publicity stunt.
As CEO and well-known media figure he can probably more easily deal with any ills that result than the average joe, and rely on his company to pay all the money and take all the hassle haggling with creditors of ID thief.
Minor cost well worth the publicity.
His SSN is also more likely to be recognized by banks, and (I suspect) he has little need to himself apply for credit, personally, otherwise he would not do it.
As for other employees of the company.... they have not agreed to this, not agreed to the hassle, and are in a much poorer position to defend themselves against ID theft. They have every right to their privacy, and to not have media organizations publish redacted/legally sealed or legally witheld info.
Re:Fraud Alert != Fraud Immunity (Score:5, Informative)
no matter how many types of fraud alerts you put
Better than a fraud alert is the security freeze [experian.com]. They won't open a new account if they can't see your credit report. The security freeze shouldn't even be a major inconvenience, unless you are one of the champs that applies for every new credit and store card under the sun.
Cringely... (Score:4, Informative)
http://www.cringely.com/2010/05/lifeblocked/
Re:If you really want protection (Score:5, Informative)
Freezing often costs money. And each of those credit bureau charges separately. Could cost one upwards of $30 to place a freeze at all three.
The hassles of "freezing" along with the fees to do so, is another illustration of the financial system being crooked; not designed to protect people, but rather to make credit as easy to obtain as possible with little regard to security.
Ron
Re:Fraud Alert != Fraud Immunity (Score:2, Informative)
I'll agree a security freeze is better.
But a Credit card or Loan isn't the only type of account an ID thief can try to open fraudulently in a victim's name.
They might try to open a checking account instead, which does not involve a CRA inquiry. Instead, the inquiry would go to CheXsystems or similar, which do not provide a 'security freeze' option
The ID thief may also create a bogus instrument, such as a 'checkbook' of fake checks in victim's name.
If the ID thief is up to title fraud, they also may be able to take out certain type of mortgages on the victim's property, without a credit check.
Or "rent" out certain items in their name and not return them. In any case the bad checks /non-returned items will result in probably nastygrams for the victim, telephone calls, threats, possibly attempts at legal action.
Police fail to properly redact data (Score:5, Informative)
Re:Really now? (Score:1, Informative)
No. Actually it went more like this:
Police fucked up redacting a public record when they made it public. The Lifelock employee was made aware of the screw up via a web site which reported the fuck up (and NOT by Lifelock), otherwise, the employee would still be clueless as to why she was getting her identity anally raped hundreds of times a day, despite the (hopefully free) Lifelock "protection" she has signed up for. The Lifelock employee made her superiors aware of this, and probably asked what they could do to have the document removed. The situation was sent up the chain, probably all the way to the CEO, who then sent their corporate lawyers after the web site in question.
Now, had this been a regular customer of Lifelock and not an employee, does anyone REALLY believe Lifelock would have lifted a finger to help this person? There is nothing in the Lifelock service agreement that states they have to scan the web for PDF files which might have accidentally revealing information about their customers. The services that Livelock offer are clearly spelled out, and do not include actively scanning the internet for all possible customer identity leaks occurring in any possible web site or downloadable document.
Here is my guess as to the thought processes of the higher-up's at Lifelock: "Oh shit, one of our own employees has their personal info being broadcasted world wide! When (not if) they get their identity stolen, it will make all the headlines. Quick, lets call the lawyers and try to get this under control before we suffer yet another public relations black eye."
Lifelock is pure snake oil. It sounds great, till you drink it. Then, you suddenly realize it doesn't work, and you are worse off for having tried it, and not only did you lose the money you spent on the snake oil, but now you also have to pay for a doctor to cure you of the poison you just drank.
Re:If you really want protection (Score:2, Informative)
Re:Really now? (Score:3, Informative)
That's what we have in Finland at least. First you have to physically go to the bank to identify yourself and then you get a login/password and a physical list of key-value pairs for online banking. When you start to run out of said keys you go get another list from the bank or order one through mail. Then you change the list using a value from the previous list and input the number of the new key list.
In order to compromise in this system someone would have to have access both to my specific key list and my login/password combination.
Of course that doesn't help at all if someone compromises the bank's systems, but in that case it wouldn't make a difference whether I used online banking or not.
It baffles me that something as simple as (or similar to) this is not being used as I do believe it makes online banking a whole lot more secure.
Re:No different than the DNC registery (Score:5, Informative)
It puts a "fraud alert" on your accounts and renews it every 90 days or however long they last for. Something you can easily do yourself for free. Basically having a fraud alert makes banks, lenders, etc. actually do SOME amount of work to verify your identity rather than blindly allowing anyone with a social security number to get a loan in the owner of that number's name.
Re:No different than the DNC registery (Score:4, Informative)
Not entirely true. It theoretically requires banks, lenders, etc do some work before opening a new account. In practice, they usually skip this step. Trust me, I know from experience. I opened a new bank account while I had a fraud alert on my files, yet I was never contacted to confirm that I indeed opened that account. When I pressed the credit reporting agencies on it, I was told that the fraud alert system is more of a "best practice" type of thing, and that companies were in no way obligated to actually follow the guidelines.
Re:Really now? (Score:3, Informative)
You sir, are incorrect. The original PDF [wired.com] from the police department (which was copied by and is still being hosted on Wired.com's website with their follow-up article [wired.com]) has a layer of black 'redaction' blocks, but all the personal data is still there and can be cut-and-pasted.
The reporter sanitized the PDF for the cops by printing it, scanning it, and making another PDF (I would have just raster printed it direct to another PDF file), and replaced the original on the web site with the new one.