Over the past couple of months we have been hit by a wave of data scandals, blunders and thefts which will have seriously undermined many people's confidence in the increased digitalisation of our lives and our identities.
It came to a head this weekend as MasterCard revealed the full extent of a massive loss of data which may have seen as many as 40 million credit card accounts compromised by an intruder gaining access to a cardholder database.
This latest incident is the most headline grabbing, largely due to the size of the problem and the global profile of the company involved. It will hopefully prove a catalyst for serious discussion and, more importantly action, on the issue of data loss from within organisations.
Certainly it is a catalyst for change which is most definitely required - though not the ideal way to learn the lesson. Last week Citigroup lost almost four million account details. Prior to that we saw Bank of America lose more than one million customer accounts when backup tapes went astray. Japanese bank Mizuho also lost data from more than a quarter of a million customer accounts following a botched systems migration.
On a smaller scale, though no less worrying for those affected, UBS lost a hard disk containing thousands of customer account details.
And it's not just financial institutions. A California medical company lost data on 185,000 patients, while Time Warner admitted it too had seen backup tapes get 'lost in the post', compromising the personal data of as many as 600,000 employees past and present.
Meanwhile the University of Berkeley warned 98,000 people that the theft of a laptop from its Graduate Division had compromised their names, addresses, dates of birth and social security numbers. And Motorola admitted stolen PCs taken from one of its premises could also betray sensitive personal data.
And all this in the past couple of months - pushing the phrase 'it never rains but it pours' to the very limits of its potential. It's an issue which almost needs no further comment.
Whether it's lost backup tapes, a failed system migration, a stolen laptop, a stolen PC or an intruder gaining physical access to a database, the underlying and unifying fact is simple: it is not good enough.
Identities and credit card data are sought-after commodities among the criminal fraternity. Given that, it is inevitable they will be targeted and in the arms race of security there may be times when the criminals manage to gain an advantage. But too many of the above blunders appear to be evidence of companies failing to acknowledge the full extent of their responsibility and the full threat posed to their data.
All companies need to start quizzing themselves with such worst case scenarios in mind.
If PCs contain sensitive data, how can those PCs be picked up and walked off with? If that data is sensitive why not encrypt it? If that facility contains credit cardholder databases how can it be broken into?
If those laptops contain employee or student records, what are they doing going missing? And if they do - and you can sadly never plan for human error - what are they doing going missing with that data in a readable and accessible format?
If backup tapes can get lost so easily - and the evidence suggests they can - why is such a system still in use?
These organisations, particularly the banks, are making a great deal of money out of claims they can look after our money and be trusted to process highly sensitive transactions where security is essential.
It could easily be argued they are clearly not spending enough of that money on backing up such claims of security and integrity.
Comments
There are 3 comments. Join the discussion
1. anonymous
Never say never.
On websites where the frequently used statement "we (or company name) will never give your information to a third party" the phrase "unless of course the information is stolen" should be added.
2. anonymous
Data/Computer Theft Is Nothing New. What's New Is the REPORTING of Theft.
News of these thefts are front cover stories in the US trade press and US news outlets.
Judging by the headlines, these data breaches appear to be an epidemic, and lurid media reports suggest that companies are battling a 'new' data security problem.
But there’s nothing 'new' about the thefts of the past several months.
The fact that breaches are now being reported is the news.
This fact can be attributed entirely to California’s Data Breach Notification law, commonly called SB 1386. Before SB 1386 was passed into law July 2003, neither companies nor government agencies were required to report security breaches or theft of sensitive financial records. Now they MUST -- or face financial and criminal penalties.
Data theft is not new. It’s been a serious problem that has been going unreported for years. For confirmation, see: http://www.consumeraffairs.com/news04/2005/choicepoint_congress.html
The recent spate of thefts has angered members of the US Congress and other politicians, including those in the State of Illinois, which passed a security breach-reporting law similar to California's on 20 June 2005.
But there remain two elements of these events that puzzle me:
First:
In every case, harm from these ugly incidents could have been prevented had the data on the stolen computers and storage devices been encrypted.
Encryption is THE technology for protecting electronic information. That's why the military and intelligence communities relied on it so heavily.
Why isn't encryption being used?
Second:
These incidents are not unique to the US. Wherever computers and data are located, thefts of this type occur. For instance, similar data breaches were recently reported in Canada and Japan (the companies in Japan, Motorola and Ricoh, each publicly apologized to their customers!).
There is no law outside the USA requiring companies or government agencies to report data security breaches. People in nations around the world are suffering ID thefts at equally record rates -- but local news agencies seem to be happy to keep their audiences ignorant.
Why aren't there similar laws around the world, and why aren't more news agencies around the world reporting this problem?
3. Rob Lewis
Why isn't encryption being used?
Core security on the host where the data is, is the only way to protect it, but it isn't easy or cheap to use encryption around the board. Might be fine for the military where defense of a nation does not have a bottom line.
The only effective solution is access controls, not just its cheaper, easier cousin identity management.