Slashdot Mirror


158 Million Records Exposed (And Counting)

Lucas123 writes "According to the Privacy Rights Clearing House, 158 million records have been exposed over the past two years as a result of inadequate security. Data's less secure today because as fast as banks, merchants and consumers add new layers of security to their storage systems and networks, new technologies — or simply careless users — create new security holes, according to Bob Scheier at Computerworld."

16 of 106 comments

  1. i read it somewhere else by circletimessquare · Score: 4, Insightful

    but all you would have to do is pass a law making the financial institutions responsible for all of the costs and hassles involved with identity theft, and it would never happen again. but as long as consumers shoulder that burden, or even a part of it, it will continue, as the consumer is not the one in a position to fix any of the problems that lead to identity theft

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:i read it somewhere else by amccaf1 · Score: 3, Insightful

      The problem then would be that the responsible companies would suddenly stop reporting when their records were stolen / went missing. When person X's identity is stolen the burden would be on that person to prove that the information came via company Y...

      --
      "Flag on the moon. How did it get there?"
    2. Re:i read it somewhere else by aldousd666 · Score: 4, Insightful

      They can't make companies that consume financial information responsible for it 100%, because the big huge wide open hole is the consumer themselves. They can type their password into a fake website faster than you can say 'anbesol' and what fault of the bank's is that? None. Consumers need to be smarter, BUT banks or merchants SHOULD be liable for any data exposure due to negligence. Which is something else entirely. If it's bad security practice on behalf of the institution, or someone accidentally left the firewall open, then they should eat the cost of cleaning up their spill. But, if someone misuses a login because you were dumb enough to phish out your password, or you got keylogged, sucks to be you.

      --
      Speak for yourself.
    3. Re:i read it somewhere else by plover · Score: 4, Insightful

      "all you have to do is pass a law...and it would never happen again"?

      Oh, if it were that easy. Pass a law and Windows bugs are fixed. Pass a law and dishonest employees will never steal again. Pass a law and a hard drive will never be misplaced, or a delivery service will never lose a tape en route, or a destruction service will never hire a corporate spy.

      California (and a few other states) has a law requiring notification. Minnesota has almost exactly the law you would like requiring the leaking parties to be responsible for the costs, yet continues to have breaches.

      Laws aren't like some magical "wand of protection +5". Sure, they give people incentive to do something, but they can't actually stop the dishonest people, nor do they protect us from the incompetent until after the damage is done.

      --
      John
    4. Re:i read it somewhere else by Billosaur · Score: 5, Insightful

      As many people will point out, at some point you have to take responsibility for your own information. It's not the data breaches themselves that are really the issue, but the fact that once your data gets into the wild, it can be used for nefarious and often illegal purposes, and there is no easy way to deal with the problem. Anyone who gets their identity stolen literally spends years writing letters and making calls to various companies to indicate that in fact their identity was stolen and they are not responsible for the misuse of it. When it comes to clearing things up with the major credit monitoring services, it can be downright frustrating to get them to make necessary and factual changes to your credit report in order to get the matter cleared up.

      We don't just need laws to make companies liable, we need a system in place to make sure that when data breaches do occur, that those affected can restore some semblance of normalcy to their lives with the minimum of fuss. And we need laws in place to define just what data any particular company can collect (remember: your SS# is not supposed to be used as any kind of identifier except for tax purposes) and more importantly, how that data should be stored (mandatory encryption).

      --
      GetOuttaMySpace - The Anti-Social Network
    5. Re:i read it somewhere else by Anonymous Brave Guy · Score: 2, Insightful

      "We don't just need laws to make companies liable, we need a system in place to make sure that when data breaches do occur, that those affected can restore some semblance of normalcy to their lives with the minimum of fuss. And we need laws in place to define just what data any particular company can collect"

      Yes and yes. I've been arguing the same way ever since a probably inadvertent mistake by a minimum wage local government staffer screwed up my tax record by linking me to someone else. The mistake itself wasn't too damaging, fortunately, but the really nasty things were the fact that the first I knew about it was when my paycheque was well short one month because of over-charged tax, and that it took me several months contacting several different tax offices to get it fixed. (Hint to tax offices: if I'm complaining that my tax records have been corrupted, possibly by cross-linking with someone else's given the context, then it's not very sensible to stonewall me completely because the address and employer details I'm giving you aren't what's in my tax record. If I'm not currently working for that employer, why are you deducting tax on my wages from them?)

      I believe we are long overdue for things like robust privacy/anti-collection of personal data laws, and that such laws should also require that anyone dealing with any sensitive personal information must provide a fast, low-cost, effective mechanism for fixing screw-ups or face unlimited fines in court for any damage resulting and to compensate for any distress and wasted time for the victim. And this should go double for any organisations that you are legally compelled to supply with personal information.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    6. Re:i read it somewhere else by JonXP · Score: 5, Insightful

      "The only way to truly end this is to remove the ability to use the data online, and require face-to-face authentication."

      Because, as we all know, fraud and identity theft did not exist before the advent of the internet.

    7. Re:i read it somewhere else by aztektum · Score: 2, Insightful

      At some point a lot of these fall into the category of technological failings. Did you scan the list? I saw far more data loss because of shoddy management than average Joes being scammed via a technical exploit. Dumpsters filled with paper records of employee SSNs and DLs. Backups being lost on non-encrypted media. Systems containing data that are stolen. Some people got scammed via e-mail, but most of this was because of shoddy physical security.

      Put in place real penalties for these corporations (Kaiser fined 200k for putting patient info online? Their whole legal department probably costs them 10 times that easy to operate!) and I bet phishing attacks as a whole would barely make a newsworthy headline.

      --
      :: aztek ::
      No sig for you!!
    8. Re:i read it somewhere else by Lally Singh · Score: 2, Insightful

      I think that when they let their employees have laptops full of my (unencrypted) personal data, which subsequently gets lost or stolen, that they should bear the responsibility.

      For phishing sites, etc., there are technological solutions to this sort of problem. Just require better verification than 'the domain name matches the SSL certificate'.

      --
      Care about electronic freedom? Consider donating to the EFF!
    9. Re:i read it somewhere else by WGR · Score: 2, Insightful

      Phishers can't operate as readily if the banking site can be identified by proper two-way TLS certificates. That is, the banking certificate is given to the user by the bank branch directly so that all transactions with the bank are encrypted with the bank's public key and a shared key that only the bank knows. The user's password only unlocks the PKI certificate, so even if the phishers get the password, they will not have the actual certificate to be able to transact business with the bank.

      The problem is that banks would rather lose a few dollars to phishers than pay for proper security for online transactions.

      In the late 90s my bank required a separate Entrust certificate process to run to be able to do business. But they lost business to banks that used the simpler (and less secure) one way SSL connection with a password that they changed to SSL themselves. As long as banks don't suffer the consequences of inadequate security and consumers don't require good security, we will still have problems.

  2. Numbers by ArcadeX · Score: 2, Insightful

    I'm guessing that's a global number (RTFA? who has time... besides me), but if that was just America, that would be more than half of the population... wonder how many of those numbers are dupes.

    --
    An I.T. motto in the hands of an idiot is a dangerous thing...
  3. Always going to be a problem by TubeSteak · Score: 4, Insightful

    Data breaches are always going to exist.
    The big question is: What can be done to minimize the impact of the breaches.
    The short answer - make it harder to get credit cards, loans, etc.

    Once you change the way that money is handed out by financial institutions, all that stolen data becomes worthless.

    But... that will never happen. Easy access to credit is the lifeblood of the debt driven American economy. So really, no matter how much moaning goes on about fraud, they still want a system that allows everyone to easily have access to debt at the drop of a hat.

    --
    [Fuck Beta]
    o0t!
    1. Re:Always going to be a problem by Watson Ladd · Score: 2, Insightful

      Your logic is wrong. If a bank waits five weeks to grant credit to do a criminal background check it won't help a bit if the guy they are giving the cash to is not the guy who they checked out.

      --
      Inventions have long since reached their limit, and I see no hope for further development. -- Frontinus, 1st cent. AD
  4. Hum... by GodCandy · Score: 3, Insightful

    Did I do the math wrong, or does that add up to just over 200,000 a day, give or take?

    2 years = 365 * 2 = 730 days
    158,000,000 / 730 = 216,438.36 per day

    Wow, that's a lot of data to be "compromised." I think some of these people should have had better measures in place to prevent this type of thing. Others just shouldn't piss off their staff to the point that they sell company information to the highest bidder. Especially when that information is mine.

  5. Security is an illusion by rbanzai · Score: 2, Insightful

    When it comes to your personal information there is no such thing as security once it has left your control. None of it is really protected. Companies engage in "security theater" to give the appearance of protection but that is a sham. Why? THERE IS NO PENALTY FOR BREACHES.

    Genuine security costs companies millions of dollars. Insecurity costs them NOTHING. They could expose every single piece of every person's information and it would have no penalty. None.

    The government and corporations have no interest in protecting your information. So much is in the wild already that it makes no difference to them. 158 million people? What's 50 million more? 100 million more?

    Stop complaining about this. The horse was out of the barn a long time ago. Security and privacy are illusions. They are gone and they are NEVER coming back. Your security and privacy have no value to the government or corporations.

  6. Re:I am getting spam to my gmail account by jafiwam · Score: 2, Insightful

    Dictionary attack.

    "aaaaaaaaa@gmail.com"
    "aaaaaaaab@gmail.com"
    "aaaaaaaac@gmail.com"

    If you dig through your SMTP logs every once in a while, you see that stuff. Usually coming from a compromised home machine in short bursts of fifteen or thirty tries.

    A few minutes later, another block is tried from another IP on the other side of the planet.

    Plus, did you read the fine print on your Gmail account agreement? Did they SAY they wouldn't sell the address? Or did they SAY they wouldn't sell delivery of email to accounts? (Without releasing the list, they can do anything they want with the headers; it's their server after all.)
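As an added illustration of spotting the address-guessing bursts jafiwam describes in SMTP logs (example code written for this page, not from the comment or from any mail server project), the script below parses constructed Postfix-style "User unknown" rejections and flags any client IP that tries several distinct nonexistent recipients within a short window. The log lines, IP addresses and the year are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Postfix smtpd "User unknown" rejections; the year is assumed (syslog omits it).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+?\[(?P<ip>[\d.]+)\]: 550 [\d.]+ <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)

def parse(log_text):
    """Yield (timestamp, client_ip, rejected_recipient) for matching lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["rcpt"].lower()

def find_bursts(log_text, min_tries=5, window_s=60):
    """Map client IP -> sorted recipients for IPs that tried at least
    min_tries distinct unknown recipients within window_s seconds."""
    by_ip = defaultdict(list)
    for ts, ip, rcpt in parse(log_text):
        by_ip[ip].append((ts, rcpt))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {r for t, r in events[i:] if (t - start).total_seconds() <= window_s}
            if len(seen) >= min_tries:
                flagged[ip] = sorted(seen)
                break
    return flagged

def _line(ts, ip, rcpt):
    # Constructed Postfix-style rejection line (not a real log).
    return (f"{ts} mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local "
            f"recipient table; from=<x@example.net> to=<{rcpt}> proto=ESMTP helo=<m>")

# Constructed sample: a 6-try burst, one innocent typo, then a 5-try burst
# from a second IP a few minutes later.
SAMPLE_LOG = "\n".join(
    [_line("Mar 12 10:01:%02d" % s, "203.0.113.7", f"aaaaaaaa{c}@example.com")
     for s, c in zip(range(2, 20, 3), "abcdef")]
    + [_line("Mar 12 10:05:30", "198.51.100.4", "bob.smtih@example.com")]
    + [_line("Mar 12 10:09:%02d" % s, "192.0.2.99", f"aaaaaaab{c}@example.com")
       for s, c in zip(range(0, 50, 10), "ghijk")]
)
```

The single mistyped recipient from 198.51.100.4 is never flagged, while both short bursts are, which is the distinction a rate-limit or blocklist rule built on this output should preserve.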