Tuesday, September 16, 2008
Microsoft Seeks End To Identity Theft
This was in yesterday's InformationWeek magazine.
Microsoft is calling for the adoption of an Information Card system that provides end users with direct control of their digital identities.
By Thomas Claburn, InformationWeek Sept. 15, 2008
"In a bid to curtail online identity-theft fraud and to broaden adoption of its digital identity system, Microsoft is urging individuals, companies, and governments to work together to implement technology, initiatives, and policy that support the secure management of online identities.
In a white paper to be released on Monday, Microsoft calls for the adoption of an Information Card system that uses an interoperable vendor-neutral framework for identity management and provides end users with direct control of their digital identities.
"Personal information is becoming the new currency of crime," said Brendon Lynch, director of privacy strategy for Microsoft's Trustworthy Computing Group. "We need to look at the root causes of identity theft and see what we can do to change the game."
Key to this vision is the Information Card Foundation (ICF), an industry group that includes Equifax, Google, Deutsche Telecom, Intel, Microsoft, Novell, Oracle, and PayPal. The ICF, which debuted in June, aims to promote the adoption of Information Cards, a form of digital identification designed for secure, real-time e-commerce transactions. Information Cards bring a third-party ID provider into two-party transactions. This allows authentication to be done without the transmission of user names and passwords, and it allows the ID provider to present only the necessary personal information.
The group's goal is to develop open, trusted, vendor-neutral identity infrastructure for the Internet. "Information Cards are designed to prevent data that is shared in one context from being reused in a different context," the paper explains. "This is accomplished through creating a unique set of keys for each combination of Information Card and relying party." Microsoft has already implemented its version of Information Cards, CardSpace, in its Windows Vista operating system. CardSpace can also be downloaded for Windows XP. Lynch estimates that there are already about 200 million CardSpace clients installed."
Does anyone need any more proof that the corporations responsible for safekeeping your personal information are simply not interested in your identity theft issues? This consortium of companies has found yet another way to create a product to trade on identity theft without ever addressing the issue of identity theft itself.
While it is important to look at the future of database security, one cannot ignore the existing tens of thousands of databases that are vulnerable to theft and misuse. One cannot ignore the current and potential victims of identity theft resulting from theft from these existing databases.
Making a broad statement like "Microsoft Seeks To End Identity Theft" is a bit over the top. Microsoft cannot end identity theft. When we see that a lawyer in Texas has tossed into a dumpster dozens of bankers' boxes containing hundreds of files of personal client information, reading about Microsoft's latest security product loses something in the reading. It is up to the public to protect itself from the ravages of identity theft.
Friday, September 12, 2008
Personal Point of View
The opinions in this column are just that, my opinions. As my work takes me into the field of speaking with employee groups, I see what most people perceive as identity theft based on the information they get mostly from the media. The perspective I have come away with stems largely from what I learn from the experts, but also from what I see and hear in those employee meetings. You see, identity theft is a personal crime with individual victims. In preparing to speak with these groups my research often involves a lot of statistics. There are huge losses to business ranging in the billions of dollars each year, staggering figures of information loss and theft in the hundreds of millions of records, and the millions of cases of victims and their nightmarish experiences. I don't think I have met anyone in the past three years or so who doesn't know about identity theft or doesn't have a personal story about it. I am also a victim of identity theft.
One thing I have observed since I began my interest in identity theft: the companies and organizations that are entrusted to safeguard the data they have simply do not care about the persons who could become victims. I can say with certainty that almost without exception this is true. There is a mentality of separation where a company takes it for granted that the "victims" are someone else, nameless and anonymous. Company officers don't think in terms of themselves being victims, or their families or employees. It is always in the abstract. The businesses that are involved in privacy and who market "solutions" for data loss are only concerned with the bottom line of the company, its corporate data, and the public image of the business. No one seems to be interested in talking about the thousands of places where existing data lists are ripe for the taking. As I have tried to point out in previous columns, the information is in lots of places, not just in big repositories. Doctors' offices, personnel files, accountancies, points of sale, and county records are examples of the smaller and much easier to steal records. I have not met among the professional privacy community one single person whose primary concern is with the crime of identity theft. Businesses are engaged in protecting themselves, and some make money by providing protection services for other companies, but they are not tackling the question of identity theft. I also have never met any individual identity theft victim who really cared which database was the source of their identity theft.
Nearly every U.S. state has enacted breach reporting laws designed in part to notify potential victims that their information may have been compromised. In the vast majority of data breach cases the potential victims are not notified due to loopholes in the statutes, and when they are notified the letters are often misleading, promising that no real danger exists but to check their bank statements anyway. On occasion they will offer simple credit monitoring, again misleading the public that monitoring alone is a safeguard.
Laws will not prevent identity theft any more than any other crime. Federal legislation and now state legislation have completely failed to stem the tide, and most predictions are for a sharp upswing in identity theft activity. The solution can only be found in arming the public with the correct information about the crimes we call identity theft and giving each one the tools to protect themselves. There cannot be any other solution. As long as there is value in the data thieves will continue to steal it, sell it, and profit from it.
Tuesday, September 2, 2008
Why Train Employees?
September 02, 2008
Mandatory Training, Fines for ID Theft Exposure
In the wake of identity theft scandals, two Texas employers, a health care provider and a retailer, have now entered agreements with Texas Attorney General Greg Abbott which require them to undertake mandatory employee training annually for the next 5 years.
Employees of Radio Shack and Select Medical Texas L.P. will learn about identity theft, its costs to patients/customers, and the importance of complying with new document disposal procedures, which were implemented as part of the agreements. To further ensure compliance with the new procedures, the two employers must post, at each of their locations, signs describing the record storage and disposal requirements and maintain certification records showing each employee's compliance with the training requirements. Additionally, Radio Shack has also agreed to conduct unannounced compliance audits at all of its Texas stores at least twice a year.
Select Medical came to the attorney general's attention after the Levelland Police Department reported that more than 4,000 documents containing customers' sensitive information were found in garbage containers behind the Levelland office of Select Physical Therapy Texas Limited Partnership. The state's enforcement action against Radio Shack began when state investigators learned that the retailer's Portland location exposed thousands of customers' personal identifying information by dumping sensitive records into a publicly accessible trash can.
Abbott's office prosecuted the two employers under the state's Identity Theft Enforcement and Protection Act. As a result of the prosecution, in addition to the mandatory training, Select Medical agreed to pay the state $990,000 and Radio Shack, $630,000. After the deduction of attorney's fees, the remaining sums will be appropriated for the investigation and prosecution of future identity theft cases.
Training is the single most basic and effective step any organization can take to stem the loss or theft of sensitive materials. Had these two employers initiated proactive employee identity theft training, these cases, resulting in over $1.5 million in fines, might have been avoided.
Friday, August 29, 2008
"Because the computer said so."
In the last couple of posts I made reference to the Data-Based You graphic on this blog. This wasn't my invention but rather that of a friend and colleague, Mr. John Gardner, a trial lawyer and author from South Carolina. John has an uncanny ability to grasp the big picture, often when a lot of us are struggling with the information in front of us.
In the Data-Based You, John shows by way of a simple graphic that the world sees all of us as a series of reports and scores. No matter how we dress, change our hair color, or try to distinguish ourselves in any number of ways, we are judged, that's right, judged by our data when we deal with the world at large.
- Want a loan? Credit history.
- Rent an apartment? Credit score.
- Get on an airplane? TSA checks your driver's license against federal watchlists and for warrants.
- Open a new bank account or purchase a car? Credit reports, SSA, IRS. Your records are compared to those and other databases for inconsistencies.
- Get some health insurance? MIB, doctor health records.
- Home, income loss, medical, or auto insurance claims? C.L.U.E., MIB, etc.
- Want a new job? How about the credit bureaus, your credit score, social networking sites, college records, criminal records, and more. You say you don't have a criminal record? Prove it.
That's just a sketch. The reality is that no matter what we do our records are checked to verify and to validate what we say and claim to be. We all rely on the record keepers to not let the information they have fall into the wrong hands. Let someone get hold of your info and commit crimes. They give your identifying info to the police and your records are altered. If you think it is easy to correct that, I hope you're sitting down. Often it takes 5 to 10 years to correct criminal record mistakes, sometimes never. What does the victim do in the meantime? Getting or maintaining a good job is not going to be easy. There are literally thousands of cases where wrongful criminal activity is tied to completely innocent people who were victims of identity theft. When the computer says you're guilty try explaining that to authorities. You can't limit a discussion on identity theft to illegal credit card use and credit reports. When personal records are altered by identity theft it can actually require an act of Congress to correct them. Refer to the bottom of this blog page for the Data-Based You graphic.
The Data-Based You shows us a window into how we are perceived, real or not.
Thursday, August 28, 2008
More data breaches so far than in all '07
Article by Brian Krebs, Washington Post
In a previous post titled "Where does all that stolen information come from?" I wrote that data breaches are on the rise. In spite of the federal regulations and state laws enacted over the last 5 years, data breach is on a steep rise. And it should be no surprise that the reported cases of identity theft in all its many forms are also increasing.
According to the article, "More data breaches so far than in all '07": "The Identity Theft Resource Center of San Diego found that 449 U.S. businesses, government agencies and universities have reported a loss or theft of consumer data this year. Last year, the center tallied 446 breaches involving 127 million consumer records. About 90 million of those records were attributed to a single retail chain, TJX, which operates T.J. Maxx, Marshalls and HomeGoods stores."
It is unclear how accurate a gauge these numbers are: "Officials said they do not know whether there have been more breaches this year or there is better reporting of the incidents."
What is not in dispute is the inescapable fact that the frequency of these events has been increasing for the past several years.
Again, back to the article: "So far this year, at least 22 million consumer records have been the target of data breaches, according to the report. But resource center founder Linda Foley cautioned that the true number of records affected is probably far higher, noting that in 41 percent of the cases, the number of consumer records affected was not disclosed. What's more, Foley said, many businesses are not reporting data breaches or are not aware of them.
In addition, she said, a single breach report often involves data belonging to multiple businesses."
In order for me to make my case for lowering data value it is important to establish certain facts.
So far we have established that:
- Every statistic and bit of information about us is in databases.
- Wherever data is held there is a significant risk of loss or theft that can and often does result in identity theft.
- There are over 10 million domestic victims of identity theft per year.
- Identity theft complaints that relate to our credit card and banking accounts comprise only about 30% of all identity theft cases. The other 70% involves our Social Security, drivers license, medical, criminal, and other records.
- In everything we do from seeking employment, loans, insurance, renting or buying a home, our very freedom, etc., our database information plays a huge role in determining the outcome. Often we are seen by others as a sum of our reports and records.
- The incidents of data theft are increasing steadily each year, with no end in sight.
Wednesday, August 20, 2008
Chapter Two, data use
Sadly, another form of identity theft is at home, or more specifically by family members. Family passions can run high sometimes and retribution can take many forms. One of those forms is stealing personal information of someone in the family and using it as a weapon to cash in on their bank accounts, medical insurance, or to commit criminal acts. This is happening at an alarming rate, and often goes unreported since people are usually reluctant to prosecute family members. Once again, for as long as the data has value it will be stolen for a number of reasons. Now, on to the subject of this column.
In contrast to all the overwhelming statistics on the subject the majority still believes that this is a financial crime and that somehow identity theft is inextricably tied to their credit report. Although this is not true it is a good place to start.
Often thieves are a local ring, petty opportunists, and increasingly drug users who need a constant supply of cash. They figure that they can get away with raiding a victim's bank accounts and credit accounts rapidly and moving on to other victims before they are caught. Far less than 10% of them are ever caught, making it a pretty safe bet that they will get away with it. About half of those criminals also use the information they steal to perpetrate other acts, such as filing false insurance claims, for example, or receiving medical treatments using the victim's insurance information. As to the financial side of this type of theft, you can see just how important it is to look closely at bank statements immediately and to report anything that looks out of place or unknown charges to the bank or credit card companies. Consumer protections in place can limit your liability.
There are approximately 10 million victims of identity theft in this country each year, and according to FTC complaint records less than 30% of them are related to banking or credit issues. The vast majority relate to all the other forms of illegal data use I mentioned previously.
This brings me to the ubiquitous international crime rings that work in various ways to traffic in data theft and resale. Most often they are not the end users but mostly broker data for profit. The end users run the gamut from immigrants to terrorists and scam artists. Once your information is in their hands it is sold, resold, and re-aggregated, so that your Social Security number might be used by hundreds of immigrants while your driver's license might be forged by 20 different criminals. There can be an exponential spread of your information that, once it is out there and used, will no longer be recognizable as yours until you discover that you are wanted by police or that the IRS is receiving notices from a hundred companies that you have applied for work. I should point out that the lack of international agreements on the trade of stolen personal information makes the capture and prosecution of these identity thieves nearly impossible. There was a story very recently of a soldier who, upon returning from the war zone in the Middle East, found that he had been victimized criminally and financially, was wanted by police to pay child support, and had a myriad of cell phone contracts opened in his name, all while he was away on assignment. All of this was the result of identity theft.
Another group are the data miners who, after quietly depositing routines in your computer, can record your computer usage from anywhere in the world. From that information not only can they monitor what you do but also gather enough information to scam you into giving them more by posing as legitimate online businesses. Once that information is gathered up it is sold on another black market that deals in "cyber crime". A classic example of that is the infamous Nigerian scams that solicit capital by posing as attorneys who ask your help to regain fortunes lost in a civil war or some other similar story.
Also, as I wrote in my last column a lot of theft happens in the workplace. Employees who have access to information can be solicited by thieves to trade data for cash. This is especially lucrative for drug addicts who can quickly convert information into cash by draining credit and bank accounts, and opening new accounts in the name of their victim. There have also been many cases of people who get (mostly temp) jobs specifically to steal data from their employers. Others simply steal for their own use.
As you can see not only can your information be stolen from almost any source, it can also be used for any number of reasons. My mantra has become, "As long as your information has value it will be stolen". Again the graphic Data Based You at the bottom of this column will give you an idea of how many sources there are for getting to our personal information.
Tuesday, August 12, 2008
Chapter One, where does all that stolen info come from?
First, and the most familiar to most consumers, is personal theft. The theft of wallets and purses can result in a thief getting your credit cards, your Social Security card, driver's license, checkbook, and so forth. Perhaps you have an unpaid bill or other document that has banking information, SSN, or other useful information in your car that can be stolen in an instant. Another easy place for this kind of theft is outgoing mail left unattended, or at the receptionist's desk at work.
This kind of theft often results in quick attacks on your bank accounts, and new accounts being opened. The long-term effect is having the stuff sold on the open data market, which results in many forms of ID theft, often over the course of several years.
The next most familiar but least understood forms of identity theft take place over the internet. What generally comes to mind is scams like "phishing" and "pretexting" which take the form of legitimate websites but in reality are simply gathering your personal information for illegal use. Internet ID theft however is a much larger subject and involves your very right to privacy.
Workplace theft. That's right, another big source of data is company records of employee and customer data. There was a statistic out last year that said that over 65% of all lost personal data from businesses was the result of an employee spiriting the data out for profit or even for retribution. Nearly every day errors in judgment occur that compromise your personal information at work. Mistakes such as e-mails, internet postings, and un-shredded trash containing employee and customer sensitive info happen daily due to lack of training. Another source of workplace theft is the loss of laptop computers or flash drives containing important information.
Your college or university and local school districts. This has become a major issue within the past several years. About once a week in the U.S. there are notices of schools being hacked of tens of thousands of student, former student, and faculty records containing personal and financial information, or losing the information altogether.
Hospitals and clinics. Medical records and especially health insurance information are a goldmine for thieves. One source is underpaid medical clerks that establish a source of revenue from stealing records for profit. Medical and insurance records can be used to create a new identity, file false insurance claims, and receive medical services, for example.
Public records (city, county, and state). We have seen in the first six months of 2008 alone the loss of nearly 100,000 data records by way of theft and the wrongful posting of personal information by local governments across the country.
Retail databases. TJX, need I say more about that? The single biggest known theft of personal information in U.S. history. Just recently an international ring of thieves was charged in that case with stealing over 41 million identities. And that is only one of hundreds of similar cases since these records have been tracked, starting in 2005.
Public databases like ChoicePoint, Lexis Nexis, the credit bureaus, etc. Called Specialty Databases these comprise the largest databases in the world and to date in total have been compromised to the tune of 50 to 60 million records in the past 3 years. In 2005 ChoicePoint accidentally sold personal data to thieves posing as a legitimate business.
Tax and financial planners. I heard a story recently of a financial planner who had the server containing all of his clients’ records literally stolen from the rack in his office. I believe he had just installed anti-hacking software prior to the server theft. A lot of good that does when the thieves have the hardware.
War driving is a provocative scheme where ID thieves drive by businesses, hospitals, and other sources of data and simply log onto unsecured networks from the comfort of their car. I am amazed at the number of unsecured networks in industrial parks and office buildings everywhere. Thieves can pull into a parking lot, and in just a few minutes find an unsecured network, and download personal and company data.
This list is far from complete and could go on. Look at the Data Based You graphic at the bottom of this column for more sources. The point I’m trying to make here is that everywhere records are kept, from our desk at home to our workplace to everything we have ever done that leaves a record is a potential source for stolen data. It is important for each of us to fully understand this fundamental and inescapable fact, and that this is the real price of data convenience. Nothing about the above is theoretical. I am talking about losses that have already occurred. Where is the trend going? One thing is certain, it is on the increase. Just how much is the subject of speculation. On the low side some say as little as 10% per year nationally. On the high side estimates are as much as a 20 fold increase within the next 24 months! No matter how you look at it there is no end in sight to data theft. As long as there is a market, there will be data theft.