100 Million Victims of Data Theft

jcatcw writes "With the latest significant data breach — theft of a Boeing laptop with unencrypted personal information on 382,000 employees — the Privacy Rights Clearinghouse estimates that the total number of data breach victims has passed 100 million since they started tracking in February 2005. The director, Beth Givens, admits 'the number 100 million is largely a fictional number,' but it surely errs on the low side. Since California is still the only state with disclosure laws, incidents are difficult to analyze fully. However, Congress this week passed a bill requiring that the Department of Veterans Affairs report breaches."

I don't trust the article

[BadAnalogyGuy]

How can you trust the article when they make the outlandish claim that Boeing makes laptops. They make airplanes, silly.

Yeah, But when they do...

[Anonymous Coward]

....They'll really fly!

I dunno

[BadAnalogyGuy]

Do you really think they'll take off?

Re:

[MarkRose]

I predict they'll be a flying success!

Re:

[extern_void]

Nah Nah Nah they make notebooks, those airplanes are just for undercovering!

We need to think how transactions are processed

[rolfwind]

Right now, it's becoming clear to me that the problem is that the weak chain in the link is that the creditors/banks/etcetera consistently rely on a few lines of data to complete transactions and identify the parties involved, 95% of which is publicly available, the other 5% easily stolen.

I don't know what to do to solve this, any suggestions?

(Way back when, my friend who worked at a Sam Goody used to actually check credit cards when customers bought something on his first day on the job. After the manager caught wind that he denied someone using their friend's mom's credit card, supposedly with permission, he got yelled at and told not to do it again. I can't help but think that the laws are too lax in this area and the industry has little interest fixing it.)

Re:We need to think how transactions are processed

[AoT]

Yeah, there's that problem; and also the fact that it is 100M known victims of identity theft.

On a side note, why is it that I get all these credit card offers from companies whom already have my SSN, I know you got it guys, and they tell me I'm "pre-approved" for credit, and yet I have to send all this info in?

Come on big brother! If'n you're going to know everything about me please dont make me fill out all the damn forms in triplicate!

From TFA

[AlanS2002]

Yeah, there's that problem; and also the fact that it is 100M known victims of identity theft.

From the article: "A stolen laptop at The Boeing Co. has pushed a widely watched tally of U.S. data breach victims past the 100 million mark". Saying that the 100M people are thought to have had data disclosed about them is not the same as saying that 100M people are known victims of identity theft.

I was counted twice!

[Aphoric]

I have been counted at least twice though. I am a veteran and got a letter from the VA with a previous theft, and that was just a few months after I got a letter from Boeing telling me that my info was stolen. Have not heard anything about this latest one, I do appreciate the free credit monitoring I get now, but I am not convinced it would do me any good if someone was really using my info. Plus it is only for one year, that is a relatively short period of time, the info has an unlimited life.

They don't know actually

[Sycraft-fu]

The people who send you preapproved offers have very little info on you, pretty much just name and address. Basically they ask one of the credit reporting agencies for a list of people falling within a given set of criteria. They then send offers to those people. IF you want to take them up you have to give them more info and they get a full rundown of your credit and decide if they still want to give you credit, and if so on what terms (you can be turned down for preapproved cards).

You can opt out of this if you want, you have to contact the credit bureaus and tell them to quit giving out your info for this and they will.

Re:

[marcello_dl]

Come on big brother! If'n you're going to know everything about me please dont make me fill out all the damn forms in triplicate!

many things in life acquire a logic explanation using this axiom: banks want your property, bureaucracy wants your time.

Re:

[FooAtWFU]

many things in life acquire a logic explanation using this axiom: banks want your property, bureaucracy wants your time.

WTF does a bank want with my property? Don't let's be silly. Banks want your money, not your property. They are, in fact, willing to pay you for your money (this is called "interest" on your savings account or CD). They're also willing to sell you money, at a slight markup, so as to obtain more money; this is known as a "loan".

But your property? If you've got a foreclosure on your mortgag

Re:

[marcello_dl]

Federal reserve, BCE... all owned by a network of private banks. They print the money. Normal banks lend each other money, use fractional reserve, (from wikipedia: "Fractional-reserve banking refers to the common banking practice of issuing more money than the bank holds as reserves. Banks in modern economies typically loan their customers many times the sum of all deposits they hold.")

And money is not backed by gold. Money is essentially paper which is trusted to have value, and those who print this paper

Re:

[Anonymous Coward]

I don't know what to do to solve this, any suggestions?

Do it the same way that you make companies care about any other type of public safety issue. Make it very painful for them if they fail to protect the data. If they lose privacy data they should be completely liable for any damages that occur. A couple of major class action lawsuits and we can make it so that companies won't want to collect privacy data except when absolutely needed.

Re:

[TheRaven64]

Companies really need to start learning about security. My date of birth is not a good way of identifying me, because it's on the electoral register next to my name, and is publicly available (Gillette did some good marketing with this, sending a free razor to every male as soon as they appeared on it). Similarly, asking my for my mother's maiden name is not secure. Anyone who knows my name and date of birth can get this quite easily.

One of my banks has quite a sensible system; I select a password, bu

Re:

[Anonymous Brave Guy]

Yep, absolutely. This is the way forward, and it's long overdue. Awards of 100% of real damages plus statutory punitive damages of $100 per victim per incident if negligence is demonstrated would do the trick real quick, I'd imagine.

Re:

[radtea]

Awards of 100% of real damages plus statutory punitive damages of $100 per victim per incident if negligence is demonstrated would do the trick real quick, I'd imagine.

Unfortunately, your imagination does not conform to reality. Punitive measures rarely have a dramatic effect on human behaviour.

This can easily be seen in actual data. Consider the death penalty.

North Dakota has one of the lowest homocide rates in the U.S. [disastercenter.com] and has not had the death penatly since the 1930's [usask.ca]. The homocide rate in Texas is te [disastercenter.com]

Re:

[Anonymous Brave Guy]

For someone so keen on hard evidence, you're making a mighty big jump from what affects individuals who are screwed up enough to kill someone with a firearm and what affects a profit-making business. If you make something painful enough in financial terms, businesses will tend not to do it. Short of making the executives personally liable -- which would be no more constructive anyway by your own argument -- what better incentive would you suggest?

Re:We need to think how transactions are processed

[Ajehals]

This is an old problem - the banks / merchants etc... want to make it easy enough for you to spend your money or to get credit that you do it on a regular basis. If banks decided to make it harder - in order to increase their / your security / privacy then it means that they lose business, especially if they are the first to do it. Basically they don't mind losing a bit of money to make a lot of money.

Of course as long as its easy to get hold of your cash or get credit, someone will want to exploit that to get hold of cash or credit in your name. So making it harder to commit fraud or identity theft is really only beneficial to the customer, which in turn means that the only path to making it harder to commit fraud or identity theft is to introduce legislation or regulation to make it happen. That of course is opposed by the banks and merchants (as they lose out) and opposed by the majority of customers as they don't see that there is a problem until it happens to them.

So yeah, apart from not seeing an easy solution for the banks and merchants, I also don't really see a will to implement any solution which decreases the amount of spending or credit applications, or one that will cost money to roll out (after all most organisations are looking at short term profit not long term strategy's).

Re:kill me, Slashdot, for I haven't the nerve myse

[poopdeville]

I realize this is probably a troll, but I'm responding in case it isn't.

It isn't too late. But you have a tough choice to make. You can either choose to make your life better, or choose to let life push you around. Changing is not easy.

Read Sartre, Camus, Nietzsche.

Pull your ethernet cable, unplug your wireless router. Take some time off of the /b/ scene. Get out of town for a while if you can.

Think about your goals -- both the failed and incomplete. Ask yourself why the failed ones failed. Resolve to fix the problems that caused them to fail. Evaluate your incomplete goals. Make plans to finish them. Commit to your plans.

Exercise is good for you. I don't mean to make fun of your belly. But you obviously need to become stronger to become the man you want to be.

Don't sweat being bald.

You've wasted a lot of time, but you're still young. There's no point wasting any more.

Re:kill me, Slashdot, for I haven't the nerve myse

[Broken scope]

Ahh what the hell.



Well dumbfuck, congratulations. You wasted your god damn life. You ate the fast food. You fucked up. Take your sob story and shove it. Plenty of people have gone through worse shit than you and succeeded. Do yourself a favor. Buy food at the grocery store. Cook food yourself.

You have no excuse for dropping out of college except your own god damn laziness. You want a solution, go stand in front of that mirror again. Look into your eyes, and ask yourself this "Why did I do this to m

Re:We need to think how transactions are processed

[bluefoxlucid]

I solved this problem ages ago. Some guy, actually two of them, invented something called the Diffie-Hellman Public Key Encryption Algorithm. Since then we've had dozens of these show up and now have RSA and DSA/ElGamal out there. Pretty much, with huge (1024 byte!) challenges and hardware devices with your key in them, as well as transferable One Time Pads (so you can let someone else use your credit card once, twice, for $5, for $10...), you can make it so everyone along the way can verify your identity and nobody along the way can pretend to be you.

The system drawn out isn't that complex. It's lazy distributed too; anyone can cache your public key, so anyone can independently verify you over and over again. This means that the store can verify your card isn't a spoofer and not pester the credit card company with it if it is; and if it's not, then the credit card company can also verify your card isn't a spoofer (and that the store isn't sliding in extra charges after you've signed for the price) and not pester the national PKI network with it.

Re:

[CodeBuster]

The technical merits of public key cryptography are not in question, but rather the understanding of the public with regard to the proper use of these methods is and that is the real difficulty. If you cannot make the system completely workable without any knowledge or understanding on the part of the public then your efforts will fail because average people do not, will not, or cannot understand the basis for public key cryptography enough to be informed users of the system. I have personal experience with

Re:

[bluefoxlucid]

you cannot make the system completely workable without any knowledge or understanding on the part of the public then your efforts will fail because average people do not, will not, or cannot understand the basis for public key cryptography enough to be informed users of the system.

Lock the PubKey in a hardware device (a USB device, really). All transactions have to ping the device. The easiest way to do this would be to embed a small OS (Minix? You could do it in all of 12,000 lines of code probab

Re:

[Jessta]

In Australia the shop is liable for credit card fraud. So it is in the shops best interest to make sure that the person making purchases on a credit card are who they say they are.

The real problem is that the information that identifies you as you is the same information that you give to people to prove that you are you.
Giving anyone you need to prove your identity to all the information they need to pretend to be you.
What is needed is something on long the lines of public-private key cryptography.

Re:

[dbc001]

This is a great point - I get annoyed every time a credit card transaction goes through and I don't have to sign anything. Don't they realize that without a signature there's no way to prove whether the transaction was me or someone else?

Re:

[planetmn]

Yes, they do realize that. The merchant has decided that the convenience of swipe and go will bring in more money than they will lose from reversed charges. For instance, I don't go to gas stations that don't accept credit cards at the pump. I don't want to wait in line to pay behind the idiot buying cigs and the idiot buying lottery tickets when I can go across the street, pay the same amount, and be out in much less time.

-dave

Re:

[Anonymous Brave Guy]

They realise it, they just don't care.

Typically, the vendor is responsible for the loss if they permit a card transaction and it gets challenged successfully by the card holder. If the vendor doesn't check the signature or PIN properly, it's not going to be the card company's loss.

The only major exception is if the vendor has correctly followed procedures laid down by the card companies to verify ID (e.g., collecting a signature and checking it against the card, or using the Chip and PIN machine). In th

Re:

[newt0311]

Mod parent up for a very insightful post on the cost and gains of security. too bad I don't have mod points right now.

Re:

[bl8n8r]

> I don't know what to do to solve this, any suggestions?

1) Address the ignorance factor first. Make sure people are aware of the issue of data security and the seriousness of it. Don't assume they automatically know. Explain it to them in a way that is informative and not condescending.

2) Use a platform designed to keep users in userland.

3) Setup laptops with encrypted filesystems [0] and encrypted connections [1]. Do not give users administrative access. Re-image [2] system partitions for extra fr

Re:

[garwain]

My cards have no signature, but a clearly printed "Check Identification" on the back. I use my VISA almost everywhere, and estimate that I am asked for my licence maybe once a month at the most. A lot of people hang onto the card until I sign the slip, then pretend to look at both, then hand over the card. Then there is the occasional person who has neve heard of doing that. One guy told me that it was illegal to do that, and another refused to process the sale, until I called VISA on my cellphone, to ask i

Personal Information

[Barkmullz]

I wish I was the copyright holder, and protected by the applicable laws, of my own personal information.

Re:

[JoshJ]

This actually seems like an interesting idea and potentially a real benefit that could come of the bullshit draconian copyright laws in existence right now. Any lawyers know what's up with this?

That said I can see the downside, it "legitimizes" even more draconian copyright legislation- instead of relying on "Think of the artists!" they could rely on "Think of the identity thieves!"

Re:

[IpSo_]

I actually have an uncle who copyrighted his name and also became his own "sovereign nation" (or something along those lines) which actually enabled him to skirt many laws in Canada at least. I can't remember the exact name of the "program" he got the information from, something like "In The Truth", but its pretty interesting stuff. The stories he tells are hilarious.

Stories like fining judges large amounts of money for using his name without permission (it was copyrighted after all) and they ACTUALLY PAID,

Re:

[poopdeville]

Hi.

This must sounds silly, but does your uncle have an email address? If so, could you email it to sollaa@vfemail.net? I would really like to ask him some questions. In particular, I would like more information about this, and intend to contact a Canadian lawyer regarding the legitimacy of such claims. If all this works out, I want to move to Canada.

I could make a mint on my name, especially in a long, drawn out trial. :-)

Re:

[cakefool]

I am interested in your ideas, and wish to subscribe to your newsletter?

I smell BS

[mangu]

I actually have an uncle who copyrighted his name and also became his own "sovereign nation"

I've heard many stories about your uncle, he's the Baron Munchausen [imdb.com], right?

By obtaining a drivers license you are agreeing to abide by the motor vehicle laws. If you don't have a drivers license and you know what you are doing, they can't touch you for breaking any of the laws

Your story would go well as a light comedy movie script, but it doesn't stand the hard test of reality. That's not how democracy, or any othe

Re:

[IpSo_]

I figured it was all BS too... Until my uncle started actually doing it.

Keep in mind I get this information 2nd/3rd hand usually... Take a look at this site explaining how it is done with regards to income tax in both US and Canada:

http://www.detaxcanada.org/ [detaxcanada.org]

I just heard another story of my uncle latest adventures... The last three times he has been in court (he defends a bunch of other people as well) he just takes a color laminated photocopy (intended as a copy) of his (or the defendants) birth certificat

Re:

[drsmithy]

I wish I was the copyright holder, and protected by the applicable laws, of my own personal information.

Copyright is fucked up enough already. I shudder to think how legislation trying to do this would make it worse.

Re:

[jamstar7]

This could be the way to bring it crashing down.

Worth a shot, isn't it? What could possibly make it worse?

100 million.. six months ago!

[anilg]

That according to http://attrition.org/dataloss/rant/100million.html [attrition.org]

The Data Loss Database - Open Source has almost 510 events and over 143 MILLION compromised records as of this writing. 100 million? Dudes and dudettes, we had that over six months ago.

reporting on this subject

[AlanS2002]

I have a feeling that more and more reporting on this subject is going to make thieves take a closer look at what they are stealing in future, thus making identity theft a greater possibility.

Re:

[AlanS2002]

I think perhaps some restraint is justified on the part of Journalist's. Reporting the possible discloser of 382,000 peoples private information is one thing. Telling the world that there is a laptop floating around somewhere in Chicago with that information on it is another.

Why go with a guesstimate?

[zuiraM]

It would seem more logical to just sum up the known figures, and present them along with information about what areas they cover, making it clear they are minimum values. I'm pretty sure those totals would ring the alarm bells just as effectively for those who actually care about it.

How much of the information is...

[Crasoum]

How much of the information is redundant however? Is it 158 million American's, 158 Million people across the globe, or 30 Million people 5 times over?

another announcement

[ILuvRamen]

the strangely named "Privacy Rights Clearinghouse" has just announced that they'll be showing up at one lucky person's house with a giant check with all 100 million pieces of personal data written on it in a really, really small font. I hope I win it!

Re:

[teutonic_leech]

Actually your joke gave me an idea. What they should do is to print out all 100 Million names (not the rest of the info of course ;-) on paper in 12 point type and present it to the new Congress in January. It's easy to quote these huge numbers - 100 Million or a Billion - nobody can really imagine how many that is. Print it out to get an idea how much potential damage we're looking at in the years to come.

The way things are going, it's just a matter of time until the personal info of anyone connected to th

I wonder...

[e-scetic]

I never read of anyone having suffered consequences as a result of someone losing their data. Why is that?

Doesn't it seem as if there would be a few major class action lawsuits, at the very least? You'd think every time data loss occurs on this large a scale, it would be followed by droves of people suffering from identity theft or fraud

Re:

[suv4x4]

I never read of anyone having suffered consequences as a result of someone losing their data. Why is that?

Doesn't it seem as if there would be a few major class action lawsuits, at the very least? You'd think every time data loss occurs on this large a scale, it would be followed by droves of people suffering from identity theft or fraud


You're correct: theft or loss of a machine doesn't automatically mean identity theft.

First, the machine should be in a working state which is sometimes not the case.
Then, th

Re:

[scdeimos]

I never read of anyone having suffered consequences as a result of someone losing their data. Why is that?

Because not many media outlets are interested in reporting on individuals who lose a few hundred dollars when they can throw around figures like 100,000+ victims in a single crime.

Well, the guess isn't that bad, really

[rockout]

The director, Beth Givens, admits 'the number 100 million is largely a fictional number,

I suppose that's better than just tossing out a large, fictional number.

Re:

[Nymz]

IANAG (I am not a grammerian) but I think the point of the sentance isn't the size of the number, but it's value or state, and therefore the adverb form was used appropriately.

Protect yo'self

[jomama717]

A buddy of mine was recently affected by the UCLA breach and was lamenting about all of the precautions and protections he was required to put into place now that his SS# was likely in some scumbag's hands, and it dawned on me that he may have actually gotten lucky. He was awakened to the reality of identity theft without having to experience any tangible loss, and is now motivated to take the proper precautions. It then occurred to me that to not assume that my information was in the wrong people's hands didn't make any sense and I have taken the same precautions my friend did:

1. Access to my credit report/score
2. Big 3 credit bureau monitoring - notification of any new accounts or loans in my name
3. Personal case officer (through the bank) if something happens

These services can be purchased for anywhere from $5 to $12 a month depending on the bank. I suppose I could still get burned but I can't imagine any of it could hurt, well worth the money at any rate in my mind.

Re:

[tgd]

It doesn't feel to you like you're paying protection money to the mob buying those services from your bank? A bank that is part of the problem because like every bank, they'll gladly loan money in your name with little or no verification?

If they wanted to protect your identity, they'd make it harder to steal. Companies losing personal information aren't the problem, companies who casually take action based on very little information that will impact you when that information is lost is the real problem.

"Identity theft" is a meaningless term

[Jonboy X]

First off, the term "identity theft" is completely ridiculous. No one is taking away who you are. Your friends and family won't suddenly forget who you are. A better term would be "credit fraud".

This is the basic scenario: A criminal poses as you to borrow money (usually with a credit card), and then whoever lent that person the money asks you to repay it.

Then there are generally 2 consequences for you: debt and reputation damage. The debt itself is usually the lesser of the two problems, since you're not legally obligated to repay money that someone else borrowed in your name. Reputation damage, on the other hand, is incredibly hard to repair. This usually takes the form of erroneous information on your credit report.

Private agencies (Equifax [equifax.com], Experian [experiangroup.com] and TransUnion [truecredit.com] are the majors in the USA) maintain this information of your past financial transactions, and sell it to potential lenders in the form of a credit report. Lenders then use this information to decide how risky it would be to lend you money. These credit reporting agencies err on the side of over-reporting negative information, because a defaulted loan from an under-qualified borrower costs banks and lenders much more than a qualified applicant being turned away. Additional services (like providing reportees an easy way to correct errors) would cost credit reporting agencies much more than their client lenders would be willing to pay for the increased accuracy, so they don't bother implementing them.

The short version is that banks and other lenders knowingly rely on imperfect information about potential borrowers, because it is the most economically sensible thing to do. It's not profitable for them to pay for more accurate information. If they decide not to lend you money, even based on erroneous information, it will likely be very hard to change their minds.

Re:

[Fulcrum of Evil]

Yeah, every time this comes up, someone posts to object to the terminology. Face it, ID theft is what we call it even though it isn't literally true. They are, however, eroding your identity with various banks, so it's more accurate that you may think. Anyway, have fun tilting at windmills.

Re:

[britneys 9th husband]

"ID theft" is even worse. It makes it sound like someone stole your drivers license so they could buy beer. At least "identity theft" vaguely relates to what's going on.

Re:

[rastos1]

First off, the term "identity theft" is completely ridiculous. No one is taking away who you are....

If you are not the only one "Jonboy X" that can prove that he is "Jonboy X" than you don't have identity. You are left with plurality at best ;-) You had identity before and now you don't have it anymore. Sounds pretty much like theft to me. Of course it is not only about the name. If someone can succesfully pretend to be you - including your debt history, providing correct address, SSN, CC # and your /.

Re:

[Jonboy X]

If you are not the only one "Jonboy X" that can prove that he is "Jonboy X" than you don't have identity. You are left with plurality at best ;-) You had identity before and now you don't have it anymore. Sounds pretty much like theft to me. Of course it is not only about the name. If someone can succesfully pretend to be you - including your debt history, providing correct address, SSN, CC # and your /. account ... - how do we know it is you? We don't. You lost your identification.

It's not so much the "identity" part that strikes me as odd; it's the "theft" part. When someone steals your television, they have it and you don't. When someone "steals" your identity, you still have it because you're still you. It's just that now, someone else has some information that can be used to impersonate you to people who don't check too closely.

Maybe everyone should periodically be able to buy a public/private cryptographic key pair that can be used to authenticate you. The higher your net w

Identity is not abstract data

[mangu]

When someone steals your television, they have it and you don't. When someone "steals" your identity, you still have it because you're still you. It's just that now, someone else has some information that can be used to impersonate you to people who don't check too closely.

I would agree with you if it was about copying data such as software, music, films, etc. But if someone has all the data that identifies you, he can effectively take it away from you. He can change your address so that all your mail goes

Re:

[berzerke]

When someone steals your television, they have it and you don't. When someone "steals" your identity, you still have it because you're still you.

Except the damage they do de-values you being you. Say you had a great credit score and were about to buy a home. Oops, now you can't get approved for the home loan because of all the black marks on your credit score. Can you honestly say that doesn't make you less valuable?

People have spent thousands of dollars and years trying to clean up after an identity

Re:

[jimmichie]

First off, the term "identity theft" is completely ridiculous.

Yeah, it should be Identity Sharing.

Re:

[raynet]

Or how about Identity Infringement? I googled for Copyright Infringement and got this:

Copyright infringement occurs when a person copies someone else's copyrighted items without permission. This would also include public display of a copy of copyrighted work.

After small modification it actually sounds quite ok to me:

Identity infringement occurs when a person copies someone else's identity without permission. This would also include public display of a copy of identity.

Ofcourse using that copied identity to

Re:

[jimmichie]

Or how about Identity Infringement?

Or better, Identity Cloning, as in phone cloning. Identity Infringement could be an effect of Identity Cloning, but it isn't the act itself.

Also the word "cloning" has that nicely sinister sound to it - crazy scientists and their two-headed cows, the word "Attack", etc.

Re:

[bky1701]

"A better term would be 'credit fraud'."

I much perfer "some-moron-is-buying-stuff-with-my-money-and-i-am -going-to-get-blamed-all-because-some-stupid-compa ny-can't-use-blowfish-i-hate-this".

Its Bigger than just Credit Fraud

[HighOrbit]

I agree that "identity theft" is an over-used term when "credit fraud" might be a better description in most situations. However, I've heard of "identity theft" that didn't involve credit fraud. During the immigration debate that was going on last summer, I read a story in the newspaper (sorry, don't have a link) about a woman on the east coast who applied for unemployment benefits, but was denied because records showed that she was currently employed somewhere in the midwest. Except, she wasn't working in

Re:

[Vengeance2001]

I work in the financial services industry and I totally agree with the parent post. Banks and credit reporting agencies are doing what is most financially efficient for themselves, which is not reducing errors to zero, but reducing them to a number they can absorb the risk on, while foisting some of that risk on to consumers as well.

In reality though, 99% of that risk is still on the banks. Most credit card fraud isn't using your personal info to get a mortgage in another state, but simply making some

I found out last week I might be a victim.

[artifex2004]

The university I graduated from reported someone had hacked in and gotten access to about 6K student and faculty records, including payroll info.
Their idea of taking care of the problem? Wanting me to register online (!!) or over the phone to be told if I was one of the victims, and also to get a free credit report or get credit monitoring, though they don't seem to think they should pay for that or for any fees I might get if I have been victimized...

Oh, and I only found out because it was in the local news.

Re:

[aplusjimages]

Man they are really taking care of business. Is there no liability on their end for not taking the proper measures to at least inform all the victims of the problem?

Re:

[davaguco]

On Europe we have a common Directive (that means its the same for all countries and it sets common guidelines that must be made into law by each nation) that establishes some measures that must be taken to protect all the personal information. On my country, companies are not allowed to store customer's personal information on a laptop, for example.

Re:

[R2.0]

And of course, all European companies follow the laws scrupulously. So no one EVER puts such data on laptops. So if a company laptop goes missing, there's no reason to worry (or report it), because there couldn't POSSIBLY be personal data on it - why, that would be illegal!

Re:

[ytm]

Yes, they follow the law. Otherwise they face fines (companies) and jail (people responsible for personal data security or lack of it).

I have worked in one of European national telecoms, I had access to full personal data of millions of our clients. Our computers were locked down so we couldn't copy the data on floppy/cd/usb. The network was tightly separated from the rest of the company intranet not to mention the Internet. Our office was monitored.

Before even touching the keyboard for the first time we ha

Re:

[Skidge]

It was probably some schmuck trying to make an unreasonable deadline for some reports, trying to put in a few extra hours of work at home so he doesn't get yelled at by his PHB, who didn't give said schmuck the approval needed to get a secure remote connect because it would have cost his department a few extra dollars.

Re:

[Dunbal]

why the hell is our information on something as portable as a laptop? Where the hell does it need to go?

      Obligatory: Information wants to be free? It was trying to break free?

Now the new scam email line will read.

[Overkill Nbuta]

Your User number 100,000,000 Claim your prize by sending in your credit card info as well as full name!!!! Be quick this is a limited time deal!!!!

in other news...

[fedork]

estimated 347 million people are victims of made-up statistics.

Stolen from Car

[brajesh]

"...was stolen from an employee's car earlier this month"

Seriously, who carries around a Laptop with "Personal Information" of 382 Gazillion living, dead and zombie employees in a fscking Laptop and leaves it in a car unattended.

You would think they would store this information in a so-called safe server somewhere and have policies on not taking them around in Laptops. Why would you need that information on a laptop anyway ? For fsck sake - We're talking about serious personal information!

I say hire stewie

Re:

[B4D BE4T]

For what it's worth, the data wasn't supposed to be on the laptop and the guy was fired for going against company policy.

Re:

[B4D BE4T]

Oh and in case anyone is interested in reading the full response from Jim McNerney (Boeing's CEO), here it is [nwsource.com].

Possession is nine points of the law

[shanen]

In this case, we should possess our own personal data, and unauthorized possession should be theft, just like someone broke into your house and stole your computer. I have about 300 GB of storage at home, and I'm quite sure that all the personal information that companies 'own' about me could easily be stored on MY premises.

hmm

[Falladir]

Soon everyone will have been victimized, yes?

Stupidity

[Lavene]

A laptop containing the personal information on 382,000 current and retired workers of Chicago-based Boeing Co. was stolen from an employee's car earlier this month, according to Boeing spokesman Tim Neale. He declined to say exactly where the laptop was stolen.

That really sums it up. You will never ever have better security than what the stupidest person with access to sensitive data can muster. Leaving a laptop with such data unattended in a car??

You can enforce encryption on every file, strong passwords etc but sooner or later some smuck will print it out and forget to schred the printout when done. So it ends up on some dump available to anyone crawling around looking for something usable.

Designers of company security forget the most obvious and most dangerous threat: stupidity! My personal favorite quote used to illustrate exactly that is the following:

When the infamous "ILOVEYOU" email virus hit, I saw TV news coverage that included an interview with some bubblebrained company secretary. At one point she said, "Oh, I saw we had dozens of these emails coming in, and of course I was suspicious, but I had to open just one of them because, you know, 'I Love You!' *giggle* I had to just see what it was about, you know?"

You can't foolproof a system, you simply need to get rid of the idiots. Which sadly is easier said than done...

Fines?

[kosmosik]

What are the fines in such situations? This is clearly they fault - the've taken personal data and haven't took enough care of it (in fact they were stupid enough to feed that data into laptop and get it stollen). What does US law says about it? In Poland (European Union) they would face severe consequences.

How many people here have had or know personally..

[b.burl]

...their identity stolen? This computer fear thing smacks of the whole terrorism scam. How many people here inside the US have been or know personally someone who has been the victim of terrorism? The media, for whatever reason, seems to want to amp up the fear quotient of this nation. I bet that stolen wallets/physical mail account for ten thousand times more id fraud than any computer activities, yet that doesn't get headlines. Nor does the fact you are more likely to die from an accident in your bat

Re:

[jorghis]

I know several people who have had their credit card numbers stolen. Its actually fairly common and by far the most common form of identity fraud. Why do you think you see so many ads on TV about protection from having your credit card numbers stolen? Its because that shit happens all the time and smart people care a great deal about being protected from it.

Re:

[b.burl]

Seriously? By so called hackers? Or was their mail stolen? And where is the hard data on numbers of police investigations resulting from credit fraud vs numbers of police investigations resulting from credit fraud caused by computer malfeasance? As to why you see it on tv, you see a lot of terrorism stuff (only talking about the US here) and that is virtually unheard of. Paranoia is the life blood of our media.

Re:

[jorghis]

Not hackers so much as Phishers. (I assume you are familiar with this) Huge amounts of money is lost every year by people who submitted their credit card info or paypal password to authentic looking websites. I (and prettymuch everyone I know) routinely get emails from "paypal administrators" or "bank of america customer service" asking for info.

I have always tried to impress that paranoia you are looking down on onto people I know when it comes to stuff like this. Trusting these spam emails or giving any

For the love of God...

[RulerOf]

Two words: Terminal Server.

I know it has been asked before, but WHY in the name of GOD does this kind of information need to be on a fucking laptop?!

My mother works at a VA hospitol and as such, has access to read and modify all the personal information necessary to commit identity theft on thousands of patients, and of course, she has a laptop computer issued by the hospitol so that she can work from afar. When she originally received it, it was nothing more than a Win2k box with VPN software, MS terminal services. All of the sensitive data was/is stored on the servers on their intranet. After a small "upgrade," the laptop was returned, only this time it came back with a full encryption setup. The interesting thing is that there is STILL no sensitive data stored on the laptop. It is, however, just as easily accessible. The point is, if someone stole that laptop, no sensitive data would be compromised, even if the encryption was broken (which probably wouldn't happen).

I don't fucking understand, why when we have the technology READILY available to completely prevent this kind of crap, that it isn't used. A shout out to all the companies on this planet: Centralize your damned security. Laptops cost $500. This kind of shit publicity and potential lawsuits cost a hell of a lot more.

Just a thought.

[Toreo asesino]

This case would make an excellent case-study for the Vista Bitlocker [wikipedia.org] facility. The cynic in me wonders whether Microsoft may play on this convenient timing.

CA isn't the only state with disclosure laws

[vox_gabrieli]

The poster says, "Since California is still the only state with disclosure laws..."

Been in a cave for the last few years? See http://infosec.uga.edu/policymanagement/breachnoti ficationlaws.php [uga.edu] for information on 34 state breach notification/disclosure laws.

Real World

[blacknblu]

The article pertaining directly to Boeing stated the following:

Although the laptop was turned off and was password protected, Neale said the data on it was not encrypted.

My point is that how many people know how to access this information, or better yet, know to even look for this type of data on a stolen computer? I can see some kid trying to get into the laptop for a couple of days, and subsequently reformatting the hard drive. I don't want to imply that this information can't easily be compromi

Yes, But...

[Nom du Keyboard]

number of data breach victims has passed 100 million

Yes, but, how many are dupes?

Not Just California Has Notification Laws

[idsfa]

As of last July, 34 states [pirg.org] had laws requiring consumer notification. Some are triggered directly immediately upon the loss, others only if the data is considered "at-risk". It's hard to take TFA seriously when it can't even get basic facts correct that can be found in less time than it took to write this comment ...

help "them" to want to change

[martyb]

THE PROBLEM: It is currently financially worthwhile for some companies to play loose with personal information. The perceived costs of the consequences of poor protection are not sufficient to warrant a change in their way of doing business.

Many merchants / agencies / whatever don't seem to want to provide us additional protections. All it would take is for a few companies who already take security very seriously to sign up for the best star rating listed below, chalk it up to advertising expense, and put the pressure on the other merchants who do not sign up. "Hey! *WE* take your security seriously, and we put our money where our mouth is. If *WE* mess up, we clean it up and pay *YOU* for your inconvenience. Why would you want to deal with anyone else?"

There is a financial opportunity for an enterprising group to make a fortune here. Existing insurance companies provided graduated coverages and fees depending on certain items. I can select how much liability insurance I want for my car. I can pay the insurance company a larger premium for a greater amount of coverage. Alternatively, if I have certain protective measures in place, then my premiums can be reduced. I choose the level of coverage that works for me.

whenever there is a security breach, make a payment to each CONSUMER! Get the consumer to be your best ally in getting merchants to sign up for the protection. So, if a merchant compromises the security of MY information, then the insurance company sends ME a check. I'll leave it as an exercise for the reader on how this could be extended to cover other organizations that have access to personal info such as hospitals or government agencies.)

Also, and VERY important: advertise this feature like crazy - get the consumers to push the merchants to get the coverage along with an easy-to-remember grading scale for consumers to use to assess the degree of protection they are provided by a merchant. It took a few years, but now US car companies are advertising the NHTSA crash test ratings. [dot.gov] I expect the same could work for credit protection.

NOTE: All dollar amounts are pulled out of a hat. I'm just trying to put something concrete out there to use as a starting point for discussion. Obviously, the size of the covered merchant would affect the premiums and payouts, and I have NOT worked those into these numbers. Please offer improvements! The examples listed here might be appropriate for a moderate to large merchant.

Have a graduated scale of costs and coverages that depended on what level of security measures were in place at the time of the loss / theft.

• PROTECTION LEVEL: ONE STAR:
  If a merchant takes no security precautions then the insurance company would:
  • charge high premiums: $10M per year, plus $10 per covered client.
  • require high deductible: $5M deductible (in escrow).
  • provide low payment to each consumer: $100.00 to each consumer.
  • provide limited credit monitoring protection: 6 months of credit reporting agency monitoring.

  The consumer gets some benefits, even if the merchant makes no great effort to protect the user. It's still better than anything that the consumer is now getting. After a few payouts, word-of-mouth will boost interest by consumers in seeking out at lest this minimal coverage. CEOs and CIOs will start to take notice.

• PROTECTION LEVEL: TWO STAR:
  If a merchant takes certain, documented, security precautions ( encrypted DBMSs, firewalls) then the insurance company would:
  • charge moderate premiums: $5M per year, plus $10 per covered client.
  • require moderate deductible: $1M deductible (in escrow).
  • provide better payment to each consumer: $500.00 to each consumer.
  • provide better credit monitoring protection: 1 year of credit reporting age