Slashdot Mirror
100 Million Victims of Data Theft
jcatcw writes "With the latest significant data breach — theft of a Boeing laptop with unencrypted personal information on 382,000 employees — the Privacy Rights Clearinghouse estimates that the total number of data breach victims has passed 100 million since they started tracking in February 2005. The director, Beth Givens, admits 'the number 100 million is largely a fictional number,' but it surely errs on the low side. Since California is still the only state with disclosure laws, incidents are difficult to analyze fully. However, Congress this week passed a bill requiring that the Department of Veterans Affairs report breaches."
How can you trust the article when they make the outlandish claim that Boeing makes laptops. They make airplanes, silly.
Right now, it's becoming clear to me that the problem is that the weak chain in the link is that the creditors/banks/etcetera consistently rely on a few lines of data to complete transactions and identify the parties involved, 95% of which is publicly available, the other 5% easily stolen.
I don't know what to do to solve this, any suggestions?
(Way back when, my friend who worked at a Sam Goody used to actually check credit cards when customers bought something on his first day on the job. After the manager caught wind that he denied someone using their friend's mom's credit card, supposedly with permission, he got yelled at and told not to do it again. I can't help but think that the laws are too lax in this area and the industry has little interest fixing it.)
I wish I was the copyright holder, and protected by the applicable laws, of my own personal information.
Ronald said nothing. He flung himself from the room, flung himself upon his horse, and rode madly off in all directions.
http://dilemma.gulecha.org - My philospohical short film.
I have a feeling that more and more reporting on this subject is going to make thieves take a closer look at what they are stealing in future, thus making identity theft a greater possibility.
Not all conservatives are stupid,
but it is true that most stupid people are conservative.
- Hume
Yeah, there's that problem; and also the fact that it is 100M known victims of identity theft.
From the article: "A stolen laptop at The Boeing Co. has pushed a widely watched tally of U.S. data breach victims past the 100 million mark". Saying that the 100M people are thought to have had data disclosed about them is not the same as saying that 100M people are known victims of identity theft.
Not all conservatives are stupid,
but it is true that most stupid people are conservative.
- Hume
It would seem more logical to just sum up the known figures, and present them along with information about what areas they cover, making it clear they are minimum values. I'm pretty sure those totals would ring the alarm bells just as effectively for those who actually care about it.
How much of the information is redundant however? Is it 158 million American's, 158 Million people across the globe, or 30 Million people 5 times over?
I have been counted at least twice though. I am a veteran and got a letter from the VA with a previous theft, and that was just a few months after I got a letter from Boeing telling me that my info was stolen. Have not heard anything about this latest one, I do appreciate the free credit monitoring I get now, but I am not convinced it would do me any good if someone was really using my info. Plus it is only for one year, that is a relatively short period of time, the info has an unlimited life.
People sleep peaceably in their beds at night only because rough men stand ready to do violence on their behalf.
the strangely named "Privacy Rights Clearinghouse" has just announced that they'll be showing up at one lucky person's house with a giant check with all 100 million pieces of personal data written on it in a really, really small font. I hope I win it!
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
I never read of anyone having suffered consequences as a result of someone losing their data. Why is that?
Doesn't it seem as if there would be a few major class action lawsuits, at the very least? You'd think every time data loss occurs on this large a scale, it would be followed by droves of people suffering from identity theft or fraud
I've learned that they're worthless, so I don't read AC comments anymore.
- Access to my credit report/score
- Big 3 credit bureau monitoring - notification of any new accounts or loans in my name
- Personal case officer (through the bank) if something happens
These services can be purchased for anywhere from $5 to $12 a month depending on the bank. I suppose I could still get burned but I can't imagine any of it could hurt, well worth the money at any rate in my mind.while [ 1 ]; do echo -n -e "\xe2\x95\xb$((($RANDOM&1)+1))"; done
First off, the term "identity theft" is completely ridiculous. No one is taking away who you are. Your friends and family won't suddenly forget who you are. A better term would be "credit fraud".
This is the basic scenario: A criminal poses as you to borrow money (usually with a credit card), and then whoever lent that person the money asks you to repay it.
Then there are generally 2 consequences for you: debt and reputation damage. The debt itself is usually the lesser of the two problems, since you're not legally obligated to repay money that someone else borrowed in your name. Reputation damage, on the other hand, is incredibly hard to repair. This usually takes the form of erroneous information on your credit report.
Private agencies (Equifax, Experian and TransUnion are the majors in the USA) maintain this information of your past financial transactions, and sell it to potential lenders in the form of a credit report. Lenders then use this information to decide how risky it would be to lend you money. These credit reporting agencies err on the side of over-reporting negative information, because a defaulted loan from an under-qualified borrower costs banks and lenders much more than a qualified applicant being turned away. Additional services (like providing reportees an easy way to correct errors) would cost credit reporting agencies much more than their client lenders would be willing to pay for the increased accuracy, so they don't bother implementing them.
The short version is that banks and other lenders knowingly rely on imperfect information about potential borrowers, because it is the most economically sensible thing to do. It's not profitable for them to pay for more accurate information. If they decide not to lend you money, even based on erroneous information, it will likely be very hard to change their minds.
"In a 32-bit world, you're a 2-bit user. You've got your own newsgroup, alt.total.loser." -Weird Al
I was fumbling to get my housekey into the lock when I heard her.
/b/. I was someone who had hit middle age at 25 without ever leaving puberty. Community college dropout, 4 year veteran of Cingular customer service phone support.
"Steven?"
Even after 7 years, I recognized her immediately. Julia. Julia McGurren. We had a platonic relationship in our senior year of high school. We shared a few classes and were both on the yearbook team. At first it was a mutual friendship. She got someone who knew the school esoteric layout software, I got female companionship. If it wasn't for the fact that I had been thinking about her almost every day for the past 7 years, I probably wouldn't of been able to tell it was her. What little fat she had carried in high school was gone, accentuating her full breasts and long legs. Her acne was gone, leaving only soft, smooth cheeks. Judging from the lexus she was stepping out of, her post-highschool plan of entering into the medical sciences field had paid off.
The reason she had never left my mind over so many years stemmed from our prom. I was sitting in the yearbook lab, playing snood, when she asked if I had a date for the prom. I said that I didn't, and she responded that she didn't either. Since I was, and still am, and idiot about girls, I went back to playing snood, completely oblivious to the fact that she wanted me to take her to the prom. Completely oblivious to the fact that my silent crush didn't go unnoticed.
Knowing that I didn't owe her money, nor had I ever slipped my tube steak into her (or into any woman for that matter), I realized that the reason she was here wasn't to collect a debt or inform me that I'm a father. She wanted to rekindle our friendship.
I had made the mistake of looking at myself in the mirror before leaving work today. My steady bachelor diet of fast food had given me an ample gut. The grease had only inflamed my acne. My quickly diminishing hairline stood on the crossroads of "hey he's got a big forehead" and "hey look at that bald fuck". my eyes were red from a previous night of playing kingdom hearts II and attempting to create memes on
I looked into her eyes. She wasn't addressing me. She was asking if I was me. I made a tough choice.
"Sorry lady, you must be looking for the previous owner. The real estate agent said he was gone long before I ever moved in."
It only hurt a little bit when her face showed relief.
"That's... that's alright. I figured he probably would of moved by now. Thanks anyways."
"No problem, lady. I hope you find who you're looking for." I said as I shut the door on her.
Trust me, Julie. The Steven in your memory is far superior to this broken shell of a man who pours his heart out on Slashdot tonight.
The university I graduated from reported someone had hacked in and gotten access to about 6K student and faculty records, including payroll info.
Their idea of taking care of the problem? Wanting me to register online (!!) or over the phone to be told if I was one of the victims, and also to get a free credit report or get credit monitoring, though they don't seem to think they should pay for that or for any fees I might get if I have been victimized...
Oh, and I only found out because it was in the local news.
why the hell is our information on something as portable as a laptop? Where the hell does it need to go? One should expect that information to be safe and under guard at all times. Just big corporations trying to spend the least amount of money so they can get their execs. more bonus money. Weak sauce people...weak sauce. Shouldn't would be smacking these places with huge lawsuits for negligence? We keep setting the bar too low for these companies who we are suppose to trust with our personal information. I guess it is wishful thinking.
Your User number 100,000,000 Claim your prize by sending in your credit card info as well as full name!!!! Be quick this is a limited time deal!!!!
estimated 347 million people are victims of made-up statistics.
...remember good 'ol times when IP used to mean Internet Protocol....
"...was stolen from an employee's car earlier this month"
Seriously, who carries around a Laptop with "Personal Information" of 382 Gazillion living, dead and zombie employees in a fscking Laptop and leaves it in a car unattended.
You would think they would store this information in a so-called safe server somewhere and have policies on not taking them around in Laptops. Why would you need that information on a laptop anyway ? For fsck sake - We're talking about serious personal information!
I say hire stewie to shoot this guy.
In other news - why no mention of India in this whole game of data theft ?
95% of all sigs are made up.
In this case, we should possess our own personal data, and unauthorized possession should be theft, just like someone broke into your house and stole your computer. I have about 300 GB of storage at home, and I'm quite sure that all the personal information that companies 'own' about me could easily be stored on MY premises.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
Soon everyone will have been victimized, yes?
You can enforce encryption on every file, strong passwords etc but sooner or later some smuck will print it out and forget to schred the printout when done. So it ends up on some dump available to anyone crawling around looking for something usable.
Designers of company security forget the most obvious and most dangerous threat: stupidity! My personal favorite quote used to illustrate exactly that is the following:
When the infamous "ILOVEYOU" email virus hit, I saw TV news coverage that included an interview with some bubblebrained company secretary. At one point she said, "Oh, I saw we had dozens of these emails coming in, and of course I was suspicious, but I had to open just one of them because, you know, 'I Love You!' *giggle* I had to just see what it was about, you know?" You can't foolproof a system, you simply need to get rid of the idiots. Which sadly is easier said than done.......They'll really fly!
What are the fines in such situations? This is clearly they fault - the've taken personal data and haven't took enough care of it (in fact they were stupid enough to feed that data into laptop and get it stollen). What does US law says about it? In Poland (European Union) they would face severe consequences.
...their identity stolen? This computer fear thing smacks of the whole terrorism scam. How many people here inside the US have been or know personally someone who has been the victim of terrorism? The media, for whatever reason, seems to want to amp up the fear quotient of this nation. I bet that stolen wallets/physical mail account for ten thousand times more id fraud than any computer activities, yet that doesn't get headlines. Nor does the fact you are more likely to die from an accident in your bathtub then you are from a terrorist attack. "300 000 000 Million Potential Victims of Wallet Theft!" or "Your Bathtub: Friend or Insturment of Terror!" are a couple of headlines I'd like to see.
I realize this is probably a troll, but I'm responding in case it isn't.
/b/ scene. Get out of town for a while if you can.
It isn't too late. But you have a tough choice to make. You can either choose to make your life better, or choose to let life push you around. Changing is not easy.
Read Sartre, Camus, Nietzsche.
Pull your ethernet cable, unplug your wireless router. Take some time off of the
Think about your goals -- both the failed and incomplete. Ask yourself why the failed ones failed. Resolve to fix the problems that caused them to fail. Evaluate your incomplete goals. Make plans to finish them. Commit to your plans.
Exercise is good for you. I don't mean to make fun of your belly. But you obviously need to become stronger to become the man you want to be.
Don't sweat being bald.
You've wasted a lot of time, but you're still young. There's no point wasting any more.
After all, I am strangely colored.
Two words: Terminal Server.
I know it has been asked before, but WHY in the name of GOD does this kind of information need to be on a fucking laptop?!
My mother works at a VA hospitol and as such, has access to read and modify all the personal information necessary to commit identity theft on thousands of patients, and of course, she has a laptop computer issued by the hospitol so that she can work from afar. When she originally received it, it was nothing more than a Win2k box with VPN software, MS terminal services. All of the sensitive data was/is stored on the servers on their intranet. After a small "upgrade," the laptop was returned, only this time it came back with a full encryption setup. The interesting thing is that there is STILL no sensitive data stored on the laptop. It is, however, just as easily accessible. The point is, if someone stole that laptop, no sensitive data would be compromised, even if the encryption was broken (which probably wouldn't happen).
I don't fucking understand, why when we have the technology READILY available to completely prevent this kind of crap, that it isn't used. A shout out to all the companies on this planet: Centralize your damned security. Laptops cost $500. This kind of shit publicity and potential lawsuits cost a hell of a lot more.
Boot Windows, Linux, and ESX over the network for free.
I thought this was going to give me the 100 million victims' data. Guess not :(
If Bush wants to kill the terrorists, he should jump off a cliff.
Do you really think they'll take off?
This case would make an excellent case-study for the Vista Bitlocker facility. The cynic in me wonders whether Microsoft may play on this convenient timing.
throw new NoSignatureException();
The people who send you preapproved offers have very little info on you, pretty much just name and address. Basically they ask one of the credit reporting agencies for a list of people falling within a given set of criteria. They then send offers to those people. IF you want to take them up you have to give them more info and they get a full rundown of your credit and decide if they still want to give you credit, and if so on what terms (you can be turned down for preapproved cards).
You can opt out of this if you want, you have to contact the credit bureaus and tell them to quit giving out your info for this and they will.
I've heard many stories about your uncle, he's the Baron Munchausen, right?
By obtaining a drivers license you are agreeing to abide by the motor vehicle laws. If you don't have a drivers license and you know what you are doing, they can't touch you for breaking any of the laws
Your story would go well as a light comedy movie script, but it doesn't stand the hard test of reality. That's not how democracy, or any other form of government works. Laws exist to be obeyed by everyone, you cannot claim that you don't agree to abide by them. In the case you mention, driving a vehicle in a public road is a privilege, not a right. You are granted that privilege under certain circumstances and that privilege can be revoked.
I would agree with you if it was about copying data such as software, music, films, etc. But if someone has all the data that identifies you, he can effectively take it away from you. He can change your address so that all your mail goes to him and not to you. He can have a new driver's licence issued so that the picture in the DMV will be his and not yours. Without too much effort, he can make it so that *you* will be the fake.
Of course, if all you have are debts, that will not matter too much, but what if he uses your identity to sell your assets? What if he takes a mortgage on your property? Or what if he sells your real estate, he could even sell your home and disappear with the money.
Yes, I believe that, differently from intellectual "property", an identity is something that can be stolen.
Notice the massive serial thefts of electronic data since 9/11? Its been payed for and collected. Dont expect this aspect to be discussed in Congress.
Ahh what the hell.
Well dumbfuck, congratulations. You wasted your god damn life. You ate the fast food. You fucked up. Take your sob story and shove it. Plenty of people have gone through worse shit than you and succeeded. Do yourself a favor. Buy food at the grocery store. Cook food yourself.
You have no excuse for dropping out of college except your own god damn laziness. You want a solution, go stand in front of that mirror again. Look into your eyes, and ask yourself this "Why did I do this to myself?". Then do something about it. Don't expect us to do something for you.
You mad
I agree that "identity theft" is an over-used term when "credit fraud" might be a better description in most situations. However, I've heard of "identity theft" that didn't involve credit fraud. During the immigration debate that was going on last summer, I read a story in the newspaper (sorry, don't have a link) about a woman on the east coast who applied for unemployment benefits, but was denied because records showed that she was currently employed somewhere in the midwest. Except, she wasn't working in the midwest; some illegal alien was using her SSN. There have also been cases where the IRS has audited people because their tax returns do not match the income reported for their SSNs (again, probably illegal aliens using stolen SSNs).
So even if an "identity thief" doesn't apply for credit in you name, they can still cause you major problems.
Well this is simply not true, there are 33 states currently with disclosure laws, and at least 7 other states have disclosure laws in the works.. True not all laws are the same, but to claim that California is the only state that has a disclosure law related to data theft is just wrong..
http://www.pirg.org/consumer/credit/statelaws.htm
The poster says, "Since California is still the only state with disclosure laws..."
i ficationlaws.php for information on 34 state breach notification/disclosure laws.
Been in a cave for the last few years? See http://infosec.uga.edu/policymanagement/breachnot
My point is that how many people know how to access this information, or better yet, know to even look for this type of data on a stolen computer? I can see some kid trying to get into the laptop for a couple of days, and subsequently reformatting the hard drive. I don't want to imply that this information can't easily be compromised, and exploited, merely that I don't think this is very likely. Boeing's primary concern should probably be the other confidential information that was on the laptop. Don't they contract with the government?
"Does this wine taste funny to you?" -- Socrates
By definition, the info you provide to prove your identity (credit application, bank loan, etc.) can be used by anyone with access to it to impersonate you to someone else. Every time to apply for a loan or fill out a rental agreement, you are required to provide adequate proof of who you are ... which can then be reused by someone else to hijack your identity. The people/companies that should prevent the problem don't, because they can make a higher profit by not preventing it. The solution is fairly simple, but it will take someone like Google to step in and implement a free solution to allow the individual consumer to protect themsleves.
I'd argue that in such a case they'd definitely be "taking away who you are".
I told someone I know that 100 million people died in a typhoon and they said "See, I told ya!"
Yes, but, how many are dupes?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
As of last July, 34 states had laws requiring consumer notification. Some are triggered directly immediately upon the loss, others only if the data is considered "at-risk". It's hard to take TFA seriously when it can't even get basic facts correct that can be found in less time than it took to write this comment ...
THE PROBLEM: It is currently financially worthwhile for some companies to play loose with personal information. The perceived costs of the consequences of poor protection are not sufficient to warrant a change in their way of doing business.
Many merchants / agencies / whatever don't seem to want to provide us additional protections. All it would take is for a few companies who already take security very seriously to sign up for the best star rating listed below, chalk it up to advertising expense, and put the pressure on the other merchants who do not sign up. "Hey! *WE* take your security seriously, and we put our money where our mouth is. If *WE* mess up, we clean it up and pay *YOU* for your inconvenience. Why would you want to deal with anyone else?"
There is a financial opportunity for an enterprising group to make a fortune here. Existing insurance companies provided graduated coverages and fees depending on certain items. I can select how much liability insurance I want for my car. I can pay the insurance company a larger premium for a greater amount of coverage. Alternatively, if I have certain protective measures in place, then my premiums can be reduced. I choose the level of coverage that works for me.
whenever there is a security breach, make a payment to each CONSUMER! Get the consumer to be your best ally in getting merchants to sign up for the protection. So, if a merchant compromises the security of MY information, then the insurance company sends ME a check. I'll leave it as an exercise for the reader on how this could be extended to cover other organizations that have access to personal info such as hospitals or government agencies.)
Also, and VERY important: advertise this feature like crazy - get the consumers to push the merchants to get the coverage along with an easy-to-remember grading scale for consumers to use to assess the degree of protection they are provided by a merchant. It took a few years, but now US car companies are advertising the NHTSA crash test ratings. I expect the same could work for credit protection.
NOTE: All dollar amounts are pulled out of a hat. I'm just trying to put something concrete out there to use as a starting point for discussion. Obviously, the size of the covered merchant would affect the premiums and payouts, and I have NOT worked those into these numbers. Please offer improvements! The examples listed here might be appropriate for a moderate to large merchant.
Have a graduated scale of costs and coverages that depended on what level of security measures were in place at the time of the loss / theft.
If a merchant takes no security precautions then the insurance company would:
The consumer gets some benefits, even if the merchant makes no great effort to protect the user. It's still better than anything that the consumer is now getting. After a few payouts, word-of-mouth will boost interest by consumers in seeking out at lest this minimal coverage. CEOs and CIOs will start to take notice.
If a merchant takes certain, documented, security precautions ( encrypted DBMSs, firewalls) then the insurance company would:
This sort of data is everywhere. Home systems, work systems, servers, you name it. The incidental leakage is phenomenal.
Universities have taken such a black-eye in recent years that they've launched various cleanup efforts. But, the work is slow. There are hundreds of thousands of systems, most dirty, and simply finding the data is a chore. Tools like SNEF or Spider (http://www.cit.cornell.edu/security/tools) help, but a typical sys admin is left with hundreds of files to sort through for each system.
The key to this problem is find it, delete what you can, encrypt what you can't, and start a mass migration to IDs that aren't so easily used to defraud.
The Canadians laugh at our efforts, as SINs just don't have the power SSNs do.
I don't know if you have student loans or not, but, Jesus Christ!, ALL of the information to steal my identity is on their correspondance. WTF!
I don't know why schools insist on using SSNs as the student ID. If you want to steal a student's id, hang out in front of the burser's office during enrollemnt.
You'll hear, as these poors kids have to YELL, so that the clerk on the other side of the thick glass can hear, their: SSN, name, DOB, and address!! Idiotic!!!
Dude, make a stink!
Sue if you can. DON'T LISTEN TO THE SCHOOL - GET AN ATTOURNEY!
Because, if your identity is stolen, YOU will have to spend the rest of your life proving, in effect, that you're innocent and it'll cost you a shit load of $$$$$$$$$$$$! I know, you did nothing, but that's the way it works!!!
Here's an identity theft guide:
here
I hate this litigious as much as anyone, but sometimes, the only way these people will change is to cause them pain!
I know several people who have had their credit card numbers stolen. Its actually fairly common and by far the most common form of identity fraud. Why do you think you see so many ads on TV about protection from having your credit card numbers stolen? Its because that shit happens all the time and smart people care a great deal about being protected from it.
Thanks. -anon
Seriously? By so called hackers? Or was their mail stolen? And where is the hard data on numbers of police investigations resulting from credit fraud vs numbers of police investigations resulting from credit fraud caused by computer malfeasance? As to why you see it on tv, you see a lot of terrorism stuff (only talking about the US here) and that is virtually unheard of. Paranoia is the life blood of our media.
Not hackers so much as Phishers. (I assume you are familiar with this) Huge amounts of money is lost every year by people who submitted their credit card info or paypal password to authentic looking websites. I (and prettymuch everyone I know) routinely get emails from "paypal administrators" or "bank of america customer service" asking for info.
I have always tried to impress that paranoia you are looking down on onto people I know when it comes to stuff like this. Trusting these spam emails or giving any sensitive information to sites you arent damn sure are legit is prettymuch gauranteed to make you a victim of identity theft in short order. My grandfather was a victim of phishing when he got spyware on his computer and a popup appeared offering to sell him software to get rid of it for $30.
That being said, I am not sure what the ratio is of theft like this versus theft from the waiter at dennys writing everything down on a napkin when he goes to run your card. I think it is a safe assumption that neither is nontrivial however.
If you are telling people who are highly computer illiterate to trust that noone is going to steal from them on the internet and everyone else is just being paranoid then you are doing your friends/family a great disservice.