Slashdot Mirror

← Back to Stories (view on slashdot.org)

600,000 More Social Security Numbers Compromised

Posted by timothy on from the social-security-simply-isn't dept.

DoubleWhopper writes "This time it's Time Warner Inc. According to this CNN article, an 'outside storage company' is to blame for the latest significant loss of personal information. From the article: '...the tapes contained names and Social Security information on current and former Time Warner employees and some of their dependents and beneficiaries dating back to 1986.' Fortunately, the tapes are said to have no customer information, at least."

34 comments

  1. Tired old excuse.... by Psmylie · · Score: 4, Insightful
    I think its funny that they always make sure to note that it's an outside company... in my opinion, it doesn't really matter if it's an outside vendor or not, the company who owns the data is still responsible for the security of that information. Are the vendor's procedures inadequate? Well, it was your company's job to find that out before contracting with them. Were they not following procedures? Well, it's your company's job to check up on them and make sure they're following them.

    Honestly, I'd like to see all of the victims of ID theft get together and start filing class-actions against the companies that allow this sort of thing to happen. Maybe if we start hitting them in the pocketbook, these companies will start taking data security seriously.

    --

    psmylie's dictionary: Godzillion (noun) Any number large enough to destroy Tokyo

    1. Re:Tired old excuse.... by slughead · · Score: 1

      I think its funny that they always make sure to note that it's an outside company.

      You do know that time warner owns CNN, right?

      --
      Latewire
    2. Re:Tired old excuse.... by anthony_dipierro · · Score: 1

      Honestly, I'd like to see all of the victims of ID theft get together and start filing class-actions against the companies that allow this sort of thing to happen.

      Please no. If you're dumb enough to lend someone money because they know a number, you deserve to be robbed.

    3. Re:Tired old excuse.... by Seumas · · Score: 1

      Unfortunately, the person robbed is the individual whos ID was stolen and then a loan was given fraudulently in their name. The lender or creditor isn't robbed, because they're going to get their blood out of you, whether you're the actual initiator or not.

    4. Re:Tired old excuse.... by anthony_dipierro · · Score: 1

      Unfortunately, the person robbed is the individual whos ID was stolen and then a loan was given fraudulently in their name. The lender or creditor isn't robbed, because they're going to get their blood out of you, whether you're the actual initiator or not.

      Apparently you know nothing about the law. No judge in the world would make you pay back a loan that was taken out by someone else just because that person knew a number which was related to you.

      Regardless, you seem to have your sense of responsibility completely screwed up. An idiot lends money to a thief and refuses to pay back, and you think some person who happened to tell the thief a number should be responsible.

    5. Re:Tired old excuse.... by Seumas · · Score: 2, Interesting

      Apparently you know nothing about having your identity stolen. Very often, when someone has their identity stolen, they are treated like the criminal and not the victim. At the worst, the corporate entity that extended credit to "them" can write it off, get a tax break and just up their fees annually to cover for it. The victim, however, will have their credit ruined at the least.

      When your identity is stolen, there is very little you can do about it. A lot of people have been left in total financial ruin by just such unfortunate means. And when all of my identity was stolen five years ago (from my office, no less), the local police didn't offer any hope or information. Their only comment was "well, we've got this in the record which might help you, but chances are you're now the victim of identity theft, so keep an eye on things".

      I asked them "and if I find problems arising out of this?".

      They didn't really have much to offer. They said to just contact them again so they could make a record of whatever additional complaints arose - but they seemed to feel I was essentially screwed. I'm only lucky that the person was apparently too stupid to know what data they had (they had my social security card, state photo identification card, birth certificate, pay stub, bank account and checking numbers)...

    6. Re:Tired old excuse.... by unitron · · Score: 1
      I think its funny that they always make sure to note that it's an outside company.

      You do know that time warner owns CNN, right?

      I fear that I fail to see your point. You do understand that Iron Mountain, the data storage company which lost the tapes, is not owned by Time-Warner, don't you?

      --

      I see even classic Slashdot is now pretty much unusable on dial up anymore.

    7. Re:Tired old excuse.... by anthony_dipierro · · Score: 1

      Very often, when someone has their identity stolen, they are treated like the criminal and not the victim.

      Like I said, they may be harrassed, but that doesn't mean the law isn't on their side.

      At the worst, the corporate entity that extended credit to "them" can write it off, get a tax break and just up their fees annually to cover for it.

      Huh? At the worst? What are you talking about?

      The victim, however, will have their credit ruined at the least.

      It may be temporarily ruined with false information, but credit reporting agencies are required by law to remove that false information.

      When your identity is stolen, there is very little you can do about it.

      Actually there is a lot you can do about it, and if you catch it quickly you won't have many problems at all.

      And when all of my identity was stolen five years ago (from my office, no less), the local police didn't offer any hope or information.

      I'm not sure what you expected the local police to do. If you wanted something forcibly removed from your credit report, you'd need to go to a judge, not the police.

      I'm only lucky that the person was apparently too stupid to know what data they had (they had my social security card, state photo identification card, birth certificate, pay stub, bank account and checking numbers)...

      Huh? So wait a second... What do you mean that you had your "identity stolen"? Just that someone knew your private information?

    8. Re:Tired old excuse.... by CaptainZapp · · Score: 2, Interesting
      And when all of my identity was stolen five years ago

      Well, first of all: Sorry for that. From all I know it sucks and I hope you could rectify the situation.

      Even though I believe your co-debator has a slightly simplified view of life, the universe and all, nevertheless I agree with what he says in spirit.

      If a financial institution is so friggin' greedy to provide everybody presenting a valid SSN with actual money they deserve to be hit and hit hard!

      There's such a thing called due diligence.

      This applies to me as the owner of a small data management consultancy. For example: When I take on a new customer I look at the customer. I might even run a financial check on that customer. If my customer is - say - a global company or the national Postbank I wouldn't do that, since I consider them well known, reliable entities. If Joe Blows Cheap PC Support wants to engage me, I try to make sure that JB is not at the verge of bankrupcy. I might even ask for a part of my fees up-front. If I did my homework and are nevertheless stiffed, well that's the risk of running a business. But the point is: I try to mitigate that risk

      This should not be different for a financial institution. If they provide every smooth talking Jasper presenting an SSN with actual credit, then it should be the responsibility of the finance bozos to clean up their act and recuperate their money.

      Now - and this is probably what your fellow debator fails to grasp: In the real world you're the one with the mess, it can take years to clean up and it will fuck up your credit history left right and central.

      In most of Europe laws seem to favour the consumer. A business that fails to check out a loan applicant would be laughed out of court and made aware in no uncertain words that they cannot tamper with the victims credit history at their discretion. There are pretty strong data protection laws in place which provide fairly stringent tools to fight offenders.

      Unfortunately the US seems to take a directly opposite approach. Business must be efficient, cost effective, streamlined and if there's collatoral damage, well that's just tough shit.

      --
      ich bin der musikant

      mit taschenrechner in der hand

      kraftwerk

    9. Re:Tired old excuse.... by Monkelectric · · Score: 1

      You are right about everything you said ... but the credit companies make the rules, and they've structured them in such a way that their mistakes are YOUR problem.

      --

      Religion is a gateway psychosis. -- Dave Foley

    10. Re:Tired old excuse.... by CaptainZapp · · Score: 1
      but the credit companies make the rules

      This is true, of course. But then again contractual rules are only valid to the participants of a contract.

      Say American Express - with whom I never had a business relationship else then purchasing travellers cheques - suddenly demands $ 20'000.00 from me, since they claim I ordered and used one of their credit cards, they still can't apply their rules, because I never ordered a credit card. If somebody has fraudulently ordered one in my name, then it's their fucking problem. They'd be hard pushed to prove in court that we engaged into a contract, since we actually never did.

      In addition, and if they do sue me, they pay all legal costs (including my attourney), which should give them some pause, before (ab)using the legal system to harrass me. This rule is applicable (to the best of my knowledge) in all European judical systems.

      That said, you're right of course. If you do enter a contractual business with a credit card company then their rules are certainly not geared towards my interests as a customer. This is the reason why I refrain from doing my banking stuff electronically. That's probably one of the reasons why finance companies have an image somewhere between a used car dealer and a time share salesman.

      --
      ich bin der musikant

      mit taschenrechner in der hand

      kraftwerk

  2. Alway's Compromised by Seumas · · Score: 4, Insightful

    Hell, I consider my social security number compromised every time I'm forced to give it to a $8/hr customer service person over the phone to get my Cable, Internet, Telephone, Gas, Electricity services, rent a car, get a loan, get a bank account, apply for a job.

    Even when it's acceptable to request a social security number (an employer), you aren't promised that someone in the chain won't take your information for their own use. *shrug*

    1. Re:Alway's Compromised by real+gumby · · Score: 2, Informative
      I'm forced to give it to a $8/hr customer service person over the phone to get my Cable, Internet, Telephone, Gas, Electricity services, rent a car, get a loan, get a bank account, apply for a job.
      For most of those cases you can get away without doing this. When people ask for my SSN I just tell 'em "I'm a foreigner" and they just assume that that means "....and so I don't have one." And since they generally do want to do business with me, they find a way around the problem.

      The really really nice thing about this is that the poor clerk taking my order doesn't need to get harshed about SSN politics, or even have to listen to a pointless rant. They just cast about and figure a way around the problem -- perfect! In fact they don't even see it as me causing a problem. It's just some faceless bureaucratic hassle that both of us are dealing with.

      (As it turns out I am a foreigner, but telling people that is about as useful as telling 'em "I have brown hair" since most foreigners in the USA for more than a brief holiday end up needing an SSN anyway. But most people don't realise that).
  3. Just goes to show by Anonymous Coward · · Score: 0

    As long as companies in-source and provide the jobs for minimum-wage Americans, shit like this will happen.

    They need to out-source of all this to happy Indians who will bust their asses for $100 a month to ensure the data security is at the expert level.

    Minimum-wage Americans are always on the lookout for some scheme they can pull off, and companies who engage in in-sourcing and such hiring practices as having US offices will realize their mistakes very soon.

    1. Re:Just goes to show by Anonymous Coward · · Score: 0

      yeah, outsourcing solves everything. I'm real sure some Indian living in India gives a rats ass about some random American. Yeah, they really care.

      dumbass

    2. Re:Just goes to show by Flendon · · Score: 2, Insightful

      That will definatly solve the problem. Outsourcing to India is a great idea. They would never steal our money over there.

      If your going to post something like this you should really make your meaning clear. Are you being sarcastic and mean that the outsourcing is NOT the answer? Or as the fact you posted AC implies you are serious? If you had used your name I would have immeadiatly taken this for sarcasm as mine was, but since you are signed AC it makes you seem as if you are serious and an idiot.

      --
      chown -R us ./base
  4. If you want to avoid a similar situation, by Clockwurk · · Score: 1, Flamebait

    don't use Iron Mountain

    besides, would you really trust critical stuff to someone who uses .asp?

  5. Re:If you want to avoid a similar situation, by superpulpsicle · · Score: 1

    I have seen first hand how credit card companies use contractors/consulting firms to deal with your data. I don't know if anyone's surprised, but up till the year 2002 some of the BIGGEST credit card companies still struggle to backup their data nightly. It's horrifying the number of hands the data go thru. If we are that paranoid, we should just all use cash.

  6. Re:If you want to avoid a similar situation, by Amouth · · Score: 1

    asp isn't as bad as it seems if done right "if done right" - Applies to all languages

    --
    '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  7. What sucks is... by digerata · · Score: 2, Interesting
    There is enough compromised data out there to keep theives busy for years and years.

    While companies say they will cover the costs of what happens to your identity, what if it doesn't happen right away? What if its 5 or 6 years from now? What is your recorse? How do you prove after that much time has passed that your identity was compromised by a particular company? Hell, in that much time, I would probably forget any of this happened.

    --

    1;
    1. Re:What sucks is... by qwijibo · · Score: 1

      Sue all of them.

      Choicepoint requested my credit report. I have a copy of my credit report that has this listed. If I ever run into a problem, I think I can make a case that it's because of them.

      The beauty of our horribly flawed legal system is that justice is available for the right price.

  8. Wanna know something? by flawedgeek · · Score: 1

    Wanna know why there's so few comments on this so far? All the /.ers are busy either closing their accounts or working to open new ones with "their" SSNs.

    --
    My other Sig is .40 caliber.
  9. As a former Time Warner Employee,, by Anonymous Coward · · Score: 0

    Honestly, I'd like to see all of the victims of ID theft get together and start filing class-actions against the companies that allow this sort of thing to happen. Maybe if we start hitting them in the pocketbook, these companies will start taking data security seriously.

    Where do I sign up. If we compared notes, we might come up with more actions than the one.

  10. Social security numbers... by breakbeatninja · · Score: 3, Interesting

    Are very flawed forms of identification. With them you can find the associated name, birth date, bank accounts, loans, credit cards, properties, etc. They are extremely exploitable and yet the security that surrounds them is minimal. What a lot of people may not know is you ARE NOT required to give your social security number to utilities, banks, creditors, etc. Sure, it helps your standing with them and they can probably find them on their own, but I personally think with the amount of abuse of this central identification number there needs to be a new, more secure system with safe guards to prevent this sort of rampent abuse. The first step is for financial institutions to limit the customer's liability for identity theft related fraud, because they're insured by the FDIC. After that, perhaps a biometric or RFID identification system could eventually be implemented. I know it sounds very big brotherish, but the current system is horrible.

    --
    shop.envescent.com - Computer hardware and more.
    1. Re:Social security numbers... by anthony_dipierro · · Score: 2, Interesting

      What a lot of people may not know is you ARE NOT required to give your social security number to utilities, banks, creditors, etc.

      Required by what? By law? Yes, there isn't a law saying you have to give your social security number to any of those people. But you are required to give your social security number to most of those people, by those people (in other words, if you want to do business with them).

      Sure, it helps your standing with them and they can probably find them on their own, but I personally think with the amount of abuse of this central identification number there needs to be a new, more secure system with safe guards to prevent this sort of rampent abuse.

      The vast majority of businesses know this. And the ones that don't will find it out really quickly. Knowing a social security number doesn't prove you are who you say you are.

      The first step is for financial institutions to limit the customer's liability for identity theft related fraud, because they're insured by the FDIC.

      Limit liability? You have no liability whatsoever for identity theft related fraud. The law is already firmly on your side on that. You're never going to be required by a court to pay back a loan that you didn't take out just because someone knew your social security number. That would be ludicrous.

      After that, perhaps a biometric or RFID identification system could eventually be implemented. I know it sounds very big brotherish, but the current system is horrible.

      No, the current system is (pretty much) already fine. A business who wishes to extend credit to someone can use whatever means they wish to identify that person. If they screw up and misidentify the person, and that person never pays back, that's their problem. We don't need the government to step in and mandate what form of identification you need to check in order to extend credit to someone. Yes, that would be very big brotherish, and it would be a terrible idea.

      RFID? I'm not sure what that would help. RFID is utterly insecure, the benefit of it is convenience, not security. Yes, biometrics are a help, and we've already got a fairly good biometric system set up - the photo ID. Beyond that, for places making significant loans or needing to check your credit which can't verify your address, there's another biometric system commonly used - the fingerprint. Many banks require fingerprints when you cash a check there without having an account, and almost all check cashing places do. In order to get an account, you almost always have to verify that you receive mail at your address and receive phone calls at your non-mobile telephone number.

    2. Re:Social security numbers... by Vila,+Bob · · Score: 1

      I'm hoping that it won't be long before the days of biometric security measures are more commonplace in everyday life. You're right, social security numbers aren't exactly protected information. I'd be willing to jump through a few more hoops next time I open a checking account or apply for a line of credit, if it means that I can worry less about identity theft.

      --
      Yes, *that* Bob Vila.
    3. Re:Social security numbers... by Vila,+Bob · · Score: 1
      No, the current system is (pretty much) already fine. A business who wishes to extend credit to someone can use whatever means they wish to identify that person. If they screw up and misidentify the person, and that person never pays back, that's their problem.

      Except when it becomes the impersonated individual's problem as well. If someone is granted a line of credit in my name and don't make payments, the bank comes knocking at my proverbial door, right?

      --
      Yes, *that* Bob Vila.
    4. Re:Social security numbers... by anthony_dipierro · · Score: 1

      Except when it becomes the impersonated individual's problem as well.

      Well, I don't think it's really the job of the government to assign liability for such incidental damages as the time spent contacting your credit reporting agency to get everything straightened out. But if you want to assign liability, I think there are at least two people to look at before you look at the person who leaked the number. 1) the thief herself, and (in the likely case that the thief cannot afford to pay for the liability) 2) the idiot who gave a loan to the thief and slandered your name by reporting the loan to the credit reporting agency.

      If someone is granted a line of credit in my name and don't make payments, the bank comes knocking at my proverbial door, right?

      They might knock at your door, but that still doesn't mean you owe them any money.

  11. Oh no, not again. by Anonymous Coward · · Score: 0

    Man I just can't catch a break... first SAIC has my information stolen earlier this year and now this. I'm screwed. :)

  12. A solution to the ID crisis... by Dark+Coder · · Score: 3, Interesting

    To reduce the identity theft immensely, one or more of the following MUST be legislated:

    1. Replace the SSN with SecureID card with challenge keypad (none of those biometric foo-foo crap, bio is non-revokable)

    2. Make data aggregation illegal (ooooh, sorry credit bureaus)

    3. Make IRS the focal point of multi-keyed 2nd-generation SSN registration centre (sorry SSA, you screwed up, big-time!)

    4. Customer "optionally" generate a NEW SSN for each business or financial institutions. (remember, data aggregation should be illegal)

    5. Credit Bureau would function just fine (just a bit laggard with aggregation effort).

    Once imposed, identity theft would (I guarantee this) be reduced to insignificant amount.

    UNTIL THEN, nothing is currently being done to reduce the water flow from the Dutch Boy's leaking dikes.

    It doesn't take much brain to resolve this crisis, just time and money. The Congress has absolutely no clue on how to fix this mess... Write your congressman today with these suggestions.

    1. Re:A solution to the ID crisis... by Seumas · · Score: 1

      1. Replace the SSN with SecureID card with challenge keypad (none of those biometric foo-foo crap, bio is non-revokable)

      There is a significant portion of the population that would be completely baffled by a SecureID card/fob and would never be able to comprehend how to use them. But I agree that there should be a non-biometrical solution.

      What sucks is that you can't be required to provide a social security number to a company. Only your employer, financial institution, a hospital and the social security administration are allowed to require your social security number. However, in the real world, any utility service (and many other businesses and services) will not even look at you without providing them a social security number. Want electricity in your apartment or house? You need to give the electric company your social security number so they can run a credit check. Same with cable, telephone, paypal and so forth.

      What I really hate is that they consider the CCV number on the back of your credit card to be strong proof that it's really you using the card. Well, since I have to give that three digit number out to every site I order something from and many businesses in meat-space require you to write the CCV number on an authorization form - there are countless people out there with access to your credit card number, full name, expiration date - and CCV! Fucking retarded.

    2. Re:A solution to the ID crisis... by FLEB · · Score: 1

      How hard do you suppose it would be to embed something like a SecurID into credit cards, having another display that would act as the "Confirmation" code.

      Of course, this is all contingent upon the CC companies actually caring enough. As it stands now (IIRC, I may be wrong, correct me if I am) a significant amount of the fraud liability is borne by the defrauded vendors, and a lot of the enforcement is done by public police, making it a lot less critical for CC companies to get their security act together.

      --
      Information wants to be free.
      Entertainment wants to be paid.
      You just want to be cheap.
    3. Re:A solution to the ID crisis... by Dark+Coder · · Score: 1

      If I'm not mistaken, there are a couple of European countries that makes uses of SecureID card with challenege 0-9 keypad.

      How hard is that?

  13. Re:If you want to avoid a similar situation, by jkmiecik · · Score: 1

    "who uses .asp?"

    Yes, that's a great reason to rule them out.

    Provide some REAL information about why I shouldn't use them. Thanks.