Hackers get the rap for breached records in the popular press. But most of the time the villain in the piece turns out to be lousy security opening the door for identity theft and stolen records.

If Phil Howard’s calculations prove true, by year’s end the 2 billionth personal record — some American’s social-security or credit-card number, academic grades or medical history — will become compromised, and it’s corporate America, not rogue hackers, who are primarily to blame. By his reckoning, electronic records in the United States are bleeding at the rate of 6 million a month in 2007, up some 200,000 a month from last year.

Malicious intrusions by hackers make up a minority (31 percent) of 550 confirmed incidents between 1980 and 2006; 60 percent were attributable to organizational mismanagement such as missing or stolen hardware; the balance of 9 percent was due to unspecified breaches.

The education sector, primarily colleges and universities, amounted to less than 1 percent of all lost records, but accounted for 30 percent of all reported incidents.

When the past quarter century is viewed in terms of the number of reported incidents, three out of five point to organizational malfeasance of some variety: missing or stolen hardware, insider abuse or theft, administrative error, or accidentally exposing data online.

Even the simplest procedures get overlooked. IT should be the first to know when someone is going to be fired, so they can pull passwords and access before a pissed-off soon-to-be ex-employee can screw with the system.
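The offboarding step above sounds simple but is exactly where access gets missed, because a departing user's credentials are rarely all in one place. The Python below is an added example written for this page, not code from the post or from Howard's study: given a hypothetical snapshot of one host's credential stores (the Host class and all of the sample /etc/passwd, /etc/group, sudoers, authorized_keys and token data are constructed), it lists every path a named user still holds, revokes them, and re-runs the sweep so that an empty result proves nothing was left behind.

```python
"""Offboarding access sweep: added example, not code from the post; all data is constructed.
Find every path a departing user holds, revoke them, re-run the sweep: empty means nothing was missed."""
import re
from dataclasses import dataclass

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")  # token that opens an SSH public key

@dataclass(frozen=True)
class Host:  # hypothetical layout: the text of each credential store on one host
    passwd: str            # /etc/passwd
    group: str             # /etc/group
    sudoers: str           # /etc/sudoers
    authorized_keys: dict  # account -> ~/.ssh/authorized_keys text
    api_tokens: tuple      # (token_id, owner) pairs

def parse_authorized_keys(text):
    """(options, keytype, keydata, comment) per key line; blanks and comments skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # A line may open with options such as from="10.0.0.5": locate the key type first.
        idx = next((i for i, t in enumerate(tokens) if KEY_TYPE.match(t)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # no key type or no key data: not a usable entry
        entries.append((" ".join(tokens[:idx]), tokens[idx],
                        tokens[idx + 1], " ".join(tokens[idx + 2:])))
    return entries

def names_user(user, comment):  # the comment is the only hint about who holds the private key
    return re.search(rf"\b{re.escape(user)}\b", comment) is not None

def find_access(user, host):
    """Every access path `user` still has on `host`, as tuples."""
    found = []
    for line in host.passwd.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[0] == user and f[6] not in ("/usr/sbin/nologin", "/bin/false"):
            found.append(("account", user))
    grps = {f[0] for f in (row.split(":") for row in host.group.splitlines())
            if len(f) == 4 and user in f[3].split(",")}
    for line in host.sudoers.splitlines():
        tok = line.split()
        if tok and (tok[0] == user or (tok[0].startswith("%") and tok[0][1:] in grps)):
            found.append(("sudo", line.strip()))
    for account, text in host.authorized_keys.items():  # every account, not just the user's own
        for _opts, _ktype, key, comment in parse_authorized_keys(text):
            if names_user(user, comment):
                found.append(("ssh-key", account, key))
    found += [("api-token", tid) for tid, owner in host.api_tokens if owner == user]
    return found

def revoke(user, host):
    """Return (host_after, actions): the snapshot with every path removed, and what was done."""
    actions, passwd, group, keys = [], [], [], {}
    for line in host.passwd.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[0] == user:
            f[6] = "/usr/sbin/nologin"  # on a real host: usermod -L, chage -E 0, pkill -KILL -u
            actions.append(f"disable account {user}")
        passwd.append(":".join(f))
    for line in host.group.splitlines():
        f = line.split(":")
        if len(f) == 4 and user in f[3].split(","):
            f[3] = ",".join(m for m in f[3].split(",") if m != user)
            actions.append(f"remove {user} from group {f[0]}")
        group.append(":".join(f))
    rules = host.sudoers.splitlines()  # group rules lapse with the membership; drop direct ones
    actions += [f"drop sudoers rule: {r.strip()}" for r in rules if r.split()[:1] == [user]]
    sudoers = [r for r in rules if r.split()[:1] != [user]]
    for account, text in host.authorized_keys.items():
        lines = text.splitlines()
        gone = [row for row in lines if (p := parse_authorized_keys(row)) and names_user(user, p[0][3])]
        actions += [f"remove key from {account}: {parse_authorized_keys(row)[0][3]}" for row in gone]
        keys[account] = "\n".join(row for row in lines if row not in gone) + "\n"
    actions += [f"revoke token {tid}" for tid, owner in host.api_tokens if owner == user]
    after = Host("\n".join(passwd) + "\n", "\n".join(group) + "\n", "\n".join(sudoers) + "\n",
                 keys, tuple(t for t in host.api_tokens if t[1] != user))
    return after, actions

# Constructed snapshot: mallory is leaving, and one of her keys sits in the shared deploy account.
SAMPLE_HOST = Host(
    passwd=("root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
            "mallory:x:1001:1001:Mallory:/home/mallory:/bin/bash\n"
            "deploy:x:1002:1002:Deploy:/srv/deploy:/bin/bash\n"),
    group="wheel:x:10:alice,mallory\nadmins:x:11:alice\n",
    sudoers="root ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\nmallory ALL=(root) NOPASSWD: /usr/bin/systemctl\n",
    authorized_keys={"mallory": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyOne mallory@laptop\n",
                     "deploy": ('from="10.0.0.5" ssh-rsa AAAAB3NzaC1yc2EFakeKeyTwo ci@build\n'
                                "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyThree mallory@laptop\n")},
    api_tokens=(("tok_a1", "alice"), ("tok_m9", "mallory")),
)

if __name__ == "__main__":
    after, actions = revoke("mallory", SAMPLE_HOST)
    print("\n".join(actions), "\nresidual access:", find_access("mallory", after))  # expect []
```

The part worth copying is the second sweep after revocation, and the fact that it reads every account's authorized_keys rather than only the departing user's: a key dropped into a shared deploy or backup account, or sudo inherited through a group, survives a plain "disable the login" unless something goes looking for it. On a real host the account step is usermod -L with chage -E 0 rather than a shell swap, and an already-open session is unaffected by either, so killing it (pkill -KILL -u) belongs in the same change.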



  1. Greg Allen says:

    1) Someone needs to start slapping these corporations with huge class action suits every time our private data gets out.

    2) Congress needs to pass a privacy bill of rights — including a regulation of how our private data may be used and stored.

    (for example, a company should not be allowed to keep our credit card number on record just because we shopped there once.)

    3) The credit card companies must be FORCED to make credit cards fraud-resistant.

  2. gquaglia says:

    Greg – right on all points.

  3. Mr. Fusion says:

    BULL SHIT !!!

    What the hell is this guy saying??? The thief isn’t to blame??? The hacker broke into the database and helped themselves to the information. That is theft no matter how you view it. Don’t blame the victim, blame the criminal.

    Sure you can call the data banks stupid for their security, but that doesn’t excuse the fact that they are victims, hackers are thieves, and Phil Howard is a troll.

  4. OhForTheLoveOf says:

    #3 – Hacker is not synonymous with thief. Hackers are not thieves. Dude, you know that.

    If a woman picked your pocket and made off with your wallet, would it be logical to conclude that women are pickpockets?

  5. TJGeezer says:

    3 – If you leave the key in the ignition of an unlocked high-value car or SUV while you pop into the Minimart and chat with the clerk for 20 minutes, it’ll be a thief who takes the vehicle. But you won’t get much sympathy and you might even get a ticket.

    Corporations have IT departments for a reason, and IT departments are usually concerned with security these days. It has been a LONG time since a friend of mine used to just wander into corporate web sites and leave “Yah-yah-yah” messages telling them to fix their firewalls.

    Eideard is right – simply telling the IT guys BEFORE the employee gets the ax would do a lot. And Greg Allen is right, too. Companies that violate user trust and “leave the key in the ignition” risk bringing harm to people. Companies that allow simple, easily avoided security holes should be penalized. When they hold people’s data, it needs to be treated like a fiduciary trust, subject to more than just PR penalties if improperly handled.

  6. Mr. Fusion says:

    #4,
    Malicious intrusions by hackers make up a minority (31 percent) of 550 confirmed incidents between 1980 and 2006; 60 percent were attributable to organizational mismanagement such as missing or stolen hardware; the balance of 9 percent was due to unspecified breaches.

    #5,
    If you leave the key in the ignition … it’ll be a thief who takes the vehicle.

    I am not suggesting that keys should be left in the ignition or firewalls left open. The point is why blame the victim when a thief is the one who steals the information. Would you blame the victim for the rape? If there is no intrusion then how did the data get stolen?

    TJ, you make a very good point about entrusting someone with our personal information. And I agree with that point. But don’t lose focus and forget about the criminal.

    What is needed is stronger police action against ID and credit information thieves. Our local 16-man Sheriff’s office doesn’t have the resources to track down an identity thief halfway across the country, let alone internationally. THAT is what should be addressed first. That it takes months and thousands of dollars to clear your name afterwards is the second problem.

  7. mike cannali says:

    For all that they should do to shield private information from outsiders – these corporations do even less to protect the information from snoopers inside the enterprise. The firewalls are all aimed outside.

  8. TJGeezer says:

    6 – Maybe some kind of legislated immunity to damage caused by identity theft? Requirements that companies take effective steps to help people recover from the damage to the credit etc. if stolen data causes harm? Trying to take active steps to solve the problem for the victims would be a real can of worms but that is where the final damage is done. Reducing the harm might require action on a lot of fronts, some of them either politically very difficult or vulnerable to abuses of their own. Messy.

    7 – You’re right, security violations from inside the shop have always been harder to deal with than intrusions from outside. At some point, somebody’s got to hold the keys. If you’ve been bitten by the evil worm (nod to a movie called “Glory Road”) and the guy in the cubicle across the way keeps his password on a postit note on the monitor – or a pissed off IT guy steals an entire password file – I don’t think anyone has ever solved that problem. Maybe damages can be limited, is all.

  9. Mr. Fusion says:

    #8, Inside information is a greater threat than you might think. I just had a test done at the hospital. On the chart that followed me is my SS, address, height and weight, age, next of kin and health information. I can only guess at the number of people that had access to that information: every nurse and tech who saw me and some who didn’t, the Hospital’s billing and records department, the Physician and his billing agent, and the insurance companies (mine and my wife’s). Anyone in that group could make a new identity just using that information.

    While it is easy to be upset with those who keep the door open, they are not the ones who steal the information. Get angry with the thieves.

    And yes, there should be better methods of clearing one’s name from a stolen ID. Credit agencies have no interest in clearing bad information.

    And since this is a national problem, there should be a national police force protecting, investigating, and pursuing those who steal our identities. If the Federal Government has jurisdiction over marijuana because it might cross state lines, surely they have jurisdiction over interstate crime and should go after the criminals.

