Slashdot Mirror
Marriott Discloses Missing Data Files
An anonymous reader writes "Marriott International has admitted that it is missing backup computer tapes containing credit card account information and the Social Security numbers of about 206,000 time-share owners and customers, as well as employees of the company." From the Washington Post story: "Officials at Marriott Vacation Club International said it is not clear whether the tapes, missing since mid-November, were stolen from the company's Orlando headquarters or whether they were simply lost. An internal investigation produced no clear answer. The company notified the Secret Service over the past two weeks, and has also told credit card companies and other financial institutions about the loss of the tapes."
Why is the job of Homeland Security to secure the data storage of a random company? Start putting out heavy fines on companies who fail to securely store customer data and the problem will go away. Right now there is no "incentive" for companies to keep personal data stored safely. A little PR can take care of a hack.
Companies need to be held liable for the safety and security of their customer's data. The problem then will go away.
Companies need to be held liable for the safety and security of their customer's data. The problem then will go away.
I'm hearing you. I think the way the SSN system works with the financial system is horribly inefficient, insecure, and pront to abuse. But you need to cover both ends. Security on the front end, and proper policing on the back end. Cutting the DHS budget certainly isn't going to help-- especially when hundreds of millions are allocated for projects like the bridge to nowhere.
The theory of relativity doesn't work right in Arkansas.
Let me ask a simple question: Why don't they encrypt this stuff?
Given the lack of competence of DHS, eliminating their funding can only be a good thing. They only seem to make things worse, and haven't really shown any evidence of being effective at doing anything other that waste money and erode civil liberties.
... and then they built the supercollider.
I'm glad to read Marriot is offering credit fraud monitoring to the affected people like how Ford offered to its employees when they recently lost 70,000 employee/retiree SSNs. Unless it is lifetime monitoring I fail to see the long term value.
Wait a second, why don't the credit bureaus offer free lifetime credit fraud monitoring to everyone in the first place?
Speak truth to power.
that if these large corporations can't be trusted to play with their computers safely, maybe they should have them taken away. At the very least, I think some adult supervision should be required by law. And if that doesn't work, send them back to using typewriters and filing cabinets.
The higher the technology, the sharper that two-edged sword.
A report (with pretty graphs) from a recent financial engineering class. Data was from Feb to Sep 2005...
The 83 recorded loss events were categorized by loss event type and by industry sector. The data is relevant over 232 days. This yields a probability of a loss event occurring in any sector on any given day 35.7%. If only events affecting financial services institutions are counted, the probability is 7.5%.
http://privacydata.michaelaiello.com/paper.pdf
Bring forth the math corrections
I think that you're asking the wrong question here. Shouldn't you be asking "why does it matter if they keep your SSN?" Our whole system of using SSNs to identify people is broken, and if Congress would get off their lazy duffs and fix the problem then maybe it wouldn't matter if someone had my SSN number or not. A simple change to credit reporting laws that would require a second level of verification of the identity of a consumer before granting credit, like what happens when you put a fraud alert on your credit report, would go a long way toward fixing this problem. But those who issue credit are afraid that if you got rid of easy credit then their market would collapse. I'll agree that some people would be inconvenienced by such a system (like those who move around a lot), but it sure would reduce fraud. At the very least, I should have the option of making a fraud alert permanent, and to have complete control over who can view my credit history. Then maybe it wouldn't make such a difference if someone got my personal information.
If you don't want crime to pay, let the government run it.
I've argued with my boss several times that we should dump the SSN and just keep a few hashes instead (md5/sh1/whatever). He doesn't like that idea for valid reasons (mainly compatibility with other systems that don't know shit about a hashed SSN).
I could be wrong about this, but here's another reason to think of. Hashing the SSN's in the database doesn't raise the bar much for ID thieves. There are 1G possible SSN's. According to my calculations (and the output of "openssl speed md5"), calculating and storing the MD5 of all of them would take my computer about 30 minutes and would take up about 20GB of drive space. After which, looking up an ssn from the hash would be fairly easy.
My first thought was "add some salt", but SSN's aren't passwords (although they're used like passwords fairly often), they're indexes. So if I've got info on my John Doe, and want to see what info you have on that same John Doe, unless we happened to use the same salt we're screwed.
The only solution I can see would be to use deterministic salt. store the MD5 of, for instance, the person's SSN.DOB. That would make it so that the problem for the attacker is (assuming he only cares about people 18-65 years old) 17,155 times harder. So now the database is over 300 TB, and it takes a year to calculate (on my machine). But it means that everyone has to start collecting DOB (which they mostly do anyway - but it would now be necessary) and would have to agree to use MD5(SSN.DOB) as a person's identifier. Thinking about it, that might not be so bad... But it'll still take an act of God or congress to get everyone to start doing it. And I'm guessing God might be more likely.
Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?