100 Million Victims of Data Theft

jcatcw writes "With the latest significant data breach — theft of a Boeing laptop with unencrypted personal information on 382,000 employees — the Privacy Rights Clearinghouse estimates that the total number of data breach victims has passed 100 million since they started tracking in February 2005. The director, Beth Givens, admits 'the number 100 million is largely a fictional number,' but it surely errs on the low side. Since California is still the only state with disclosure laws, incidents are difficult to analyze fully. However, Congress this week passed a bill requiring that the Department of Veterans Affairs report breaches."

I don't trust the article

[BadAnalogyGuy]

How can you trust the article when they make the outlandish claim that Boeing makes laptops. They make airplanes, silly.

We need to think how transactions are processed

[rolfwind]

Right now, it's becoming clear to me that the problem is that the weak chain in the link is that the creditors/banks/etcetera consistently rely on a few lines of data to complete transactions and identify the parties involved, 95% of which is publicly available, the other 5% easily stolen.

I don't know what to do to solve this, any suggestions?

(Way back when, my friend who worked at a Sam Goody used to actually check credit cards when customers bought something on his first day on the job. After the manager caught wind that he denied someone using their friend's mom's credit card, supposedly with permission, he got yelled at and told not to do it again. I can't help but think that the laws are too lax in this area and the industry has little interest fixing it.)

Re:We need to think how transactions are processed

[AoT]

Yeah, there's that problem; and also the fact that it is 100M known victims of identity theft.

On a side note, why is it that I get all these credit card offers from companies whom already have my SSN, I know you got it guys, and they tell me I'm "pre-approved" for credit, and yet I have to send all this info in?

Come on big brother! If'n you're going to know everything about me please dont make me fill out all the damn forms in triplicate!

Re:We need to think how transactions are processed

I don't know what to do to solve this, any suggestions?

Do it the same way that you make companies care about any other type of public safety issue. Make it very painful for them if they fail to protect the data. If they lose privacy data they should be completely liable for any damages that occur. A couple of major class action lawsuits and we can make it so that companies won't want to collect privacy data except when absolutely needed.

Re:We need to think how transactions are processed

[Ajehals]

This is an old problem - the banks / merchants etc... want to make it easy enough for you to spend your money or to get credit that you do it on a regular basis. If banks decided to make it harder - in order to increase their / your security / privacy then it means that they lose business, especially if they are the first to do it. Basically they don't mind losing a bit of money to make a lot of money.

Of course as long as its easy to get hold of your cash or get credit, someone will want to exploit that to get hold of cash or credit in your name. So making it harder to commit fraud or identity theft is really only beneficial to the customer, which in turn means that the only path to making it harder to commit fraud or identity theft is to introduce legislation or regulation to make it happen. That of course is opposed by the banks and merchants (as they lose out) and opposed by the majority of customers as they don't see that there is a problem until it happens to them.

So yeah, apart from not seeing an easy solution for the banks and merchants, I also don't really see a will to implement any solution which decreases the amount of spending or credit applications, or one that will cost money to roll out (after all most organisations are looking at short term profit not long term strategy's).

Re:We need to think how transactions are processed

[bluefoxlucid]

I solved this problem ages ago. Some guy, actually two of them, invented something called the Diffie-Hellman Public Key Encryption Algorithm. Since then we've had dozens of these show up and now have RSA and DSA/ElGamal out there. Pretty much, with huge (1024 byte!) challenges and hardware devices with your key in them, as well as transferable One Time Pads (so you can let someone else use your credit card once, twice, for $5, for $10...), you can make it so everyone along the way can verify your identity and nobody along the way can pretend to be you.

The system drawn out isn't that complex. It's lazy distributed too; anyone can cache your public key, so anyone can independently verify you over and over again. This means that the store can verify your card isn't a spoofer and not pester the credit card company with it if it is; and if it's not, then the credit card company can also verify your card isn't a spoofer (and that the store isn't sliding in extra charges after you've signed for the price) and not pester the national PKI network with it.

100 million.. six months ago!

[anilg]

That according to http://attrition.org/dataloss/rant/100million.html

The Data Loss Database - Open Source has almost 510 events and over 143 MILLION compromised records as of this writing. 100 million? Dudes and dudettes, we had that over six months ago.

From TFA

[AlanS2002]

Yeah, there's that problem; and also the fact that it is 100M known victims of identity theft.

From the article: "A stolen laptop at The Boeing Co. has pushed a widely watched tally of U.S. data breach victims past the 100 million mark". Saying that the 100M people are thought to have had data disclosed about them is not the same as saying that 100M people are known victims of identity theft.

I was counted twice!

[Aphoric]

I have been counted at least twice though. I am a veteran and got a letter from the VA with a previous theft, and that was just a few months after I got a letter from Boeing telling me that my info was stolen. Have not heard anything about this latest one, I do appreciate the free credit monitoring I get now, but I am not convinced it would do me any good if someone was really using my info. Plus it is only for one year, that is a relatively short period of time, the info has an unlimited life.

Protect yo'self

[jomama717]

A buddy of mine was recently affected by the UCLA breach and was lamenting about all of the precautions and protections he was required to put into place now that his SS# was likely in some scumbag's hands, and it dawned on me that he may have actually gotten lucky. He was awakened to the reality of identity theft without having to experience any tangible loss, and is now motivated to take the proper precautions. It then occurred to me that to not assume that my information was in the wrong people's hands didn't make any sense and I have taken the same precautions my friend did:

1. Access to my credit report/score
2. Big 3 credit bureau monitoring - notification of any new accounts or loans in my name
3. Personal case officer (through the bank) if something happens

These services can be purchased for anywhere from $5 to $12 a month depending on the bank. I suppose I could still get burned but I can't imagine any of it could hurt, well worth the money at any rate in my mind.

"Identity theft" is a meaningless term

[Jonboy+X]

First off, the term "identity theft" is completely ridiculous. No one is taking away who you are. Your friends and family won't suddenly forget who you are. A better term would be "credit fraud".

This is the basic scenario: A criminal poses as you to borrow money (usually with a credit card), and then whoever lent that person the money asks you to repay it.

Then there are generally 2 consequences for you: debt and reputation damage. The debt itself is usually the lesser of the two problems, since you're not legally obligated to repay money that someone else borrowed in your name. Reputation damage, on the other hand, is incredibly hard to repair. This usually takes the form of erroneous information on your credit report.

Private agencies (Equifax, Experian and TransUnion are the majors in the USA) maintain this information of your past financial transactions, and sell it to potential lenders in the form of a credit report. Lenders then use this information to decide how risky it would be to lend you money. These credit reporting agencies err on the side of over-reporting negative information, because a defaulted loan from an under-qualified borrower costs banks and lenders much more than a qualified applicant being turned away. Additional services (like providing reportees an easy way to correct errors) would cost credit reporting agencies much more than their client lenders would be willing to pay for the increased accuracy, so they don't bother implementing them.

The short version is that banks and other lenders knowingly rely on imperfect information about potential borrowers, because it is the most economically sensible thing to do. It's not profitable for them to pay for more accurate information. If they decide not to lend you money, even based on erroneous information, it will likely be very hard to change their minds.

Re:makes me wonder...

[davaguco]

On Europe we have a common Directive (that means its the same for all countries and it sets common guidelines that must be made into law by each nation) that establishes some measures that must be taken to protect all the personal information. On my country, companies are not allowed to store customer's personal information on a laptop, for example.

Stupidity

[Lavene]

A laptop containing the personal information on 382,000 current and retired workers of Chicago-based Boeing Co. was stolen from an employee's car earlier this month, according to Boeing spokesman Tim Neale. He declined to say exactly where the laptop was stolen. That really sums it up. You will never ever have better security than what the stupidest person with access to sensitive data can muster. Leaving a laptop with such data unattended in a car??

You can enforce encryption on every file, strong passwords etc but sooner or later some smuck will print it out and forget to schred the printout when done. So it ends up on some dump available to anyone crawling around looking for something usable.

Designers of company security forget the most obvious and most dangerous threat: stupidity! My personal favorite quote used to illustrate exactly that is the following:

When the infamous "ILOVEYOU" email virus hit, I saw TV news coverage that included an interview with some bubblebrained company secretary. At one point she said, "Oh, I saw we had dozens of these emails coming in, and of course I was suspicious, but I had to open just one of them because, you know, 'I Love You!' *giggle* I had to just see what it was about, you know?" You can't foolproof a system, you simply need to get rid of the idiots. Which sadly is easier said than done...

Re:kill me, Slashdot, for I haven't the nerve myse

[poopdeville]

I realize this is probably a troll, but I'm responding in case it isn't.

It isn't too late. But you have a tough choice to make. You can either choose to make your life better, or choose to let life push you around. Changing is not easy.

Read Sartre, Camus, Nietzsche.

Pull your ethernet cable, unplug your wireless router. Take some time off of the /b/ scene. Get out of town for a while if you can.

Think about your goals -- both the failed and incomplete. Ask yourself why the failed ones failed. Resolve to fix the problems that caused them to fail. Evaluate your incomplete goals. Make plans to finish them. Commit to your plans.

Exercise is good for you. I don't mean to make fun of your belly. But you obviously need to become stronger to become the man you want to be.

Don't sweat being bald.

You've wasted a lot of time, but you're still young. There's no point wasting any more.

For the love of God...

[RulerOf]

Two words: Terminal Server.

I know it has been asked before, but WHY in the name of GOD does this kind of information need to be on a fucking laptop?!

My mother works at a VA hospitol and as such, has access to read and modify all the personal information necessary to commit identity theft on thousands of patients, and of course, she has a laptop computer issued by the hospitol so that she can work from afar. When she originally received it, it was nothing more than a Win2k box with VPN software, MS terminal services. All of the sensitive data was/is stored on the servers on their intranet. After a small "upgrade," the laptop was returned, only this time it came back with a full encryption setup. The interesting thing is that there is STILL no sensitive data stored on the laptop. It is, however, just as easily accessible. The point is, if someone stole that laptop, no sensitive data would be compromised, even if the encryption was broken (which probably wouldn't happen).

I don't fucking understand, why when we have the technology READILY available to completely prevent this kind of crap, that it isn't used. A shout out to all the companies on this planet: Centralize your damned security. Laptops cost $500. This kind of shit publicity and potential lawsuits cost a hell of a lot more.

I dunno

[BadAnalogyGuy]

Do you really think they'll take off?

They don't know actually

[Sycraft-fu]

The people who send you preapproved offers have very little info on you, pretty much just name and address. Basically they ask one of the credit reporting agencies for a list of people falling within a given set of criteria. They then send offers to those people. IF you want to take them up you have to give them more info and they get a full rundown of your credit and decide if they still want to give you credit, and if so on what terms (you can be turned down for preapproved cards).

You can opt out of this if you want, you have to contact the credit bureaus and tell them to quit giving out your info for this and they will.