Slashdot Mirror


158 Million Records Exposed (And Counting)

Lucas123 writes "According to the Privacy Rights Clearing House 158 million records have been exposed over the past two years as a result of inadequate security. Data's less secure today because as fast as banks, merchants and consumers add new layers of security to their storage systems and networks, new technologies — or simply careless users — create new security holes, according to Bob Scheier at Computerworld."

33 of 106 comments

  1. Fixed? by Anonymous Coward · · Score: 2, Funny

    Nothing for you to see here, please move along Phew, at least they fixed the problem quickly!
    1. Re:Fixed? by SilentChris · · Score: 3, Funny

      Yeah, it's all fixed. What the summary failed to mention is that those 158 million records were 158 million individual breakins for 1 record each. It actually was the same guy's record each time. So, it's not that bad. Sucks to be that guy, though.

  2. i read it somewhere else by circletimessquare · · Score: 4, Insightful

    but all you would have to do is pass a law making the financial institutions responsible for all of the costs and hassles involved with identity theft, and it would never happen again. but as long as consumers shoulder that burden, or even a part of it, it will continue, as the consumer is not the one in a position to fix any of the problems that lead to identity theft

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:i read it somewhere else by krakelohm · · Score: 4, Interesting

      I agree to an extent, you also have to take some personal responsibility when dealing online. Your birthday or dogs name is not a 'secure' password.

      --
      You are all a bunch of idots.
    2. Re:i read it somewhere else by amccaf1 · · Score: 3, Insightful

      The problem then would be that the responsible companies would suddenly stop reporting when their records were stolen / went missing. When person X's identity is stolen the burden would be on that person to prove that the information came via company Y...

      --
      "Flag on the moon. How did it get there?"
    3. Re:i read it somewhere else by aldousd666 · · Score: 4, Insightful

      They can't make companies that consume financial information responsible for it 100%, because the big huge wide open hole is the consumer themselves. They can type their password into a fake website faster than you can say 'anbesol' and what fault of the bank's is that? None. Consumers need to be smarter, BUT banks or merchants SHOULD be liable for any data exposure due to negligence. Which is something else entirely. If it's bad security practice on behalf of the institution, or someone accidentally left the firewall open, then they should eat the cost of cleaning up their spill. But, if someone misuses a login because you were dumb enough to phish out your password, or you got keylogged, sucks to be you.

      --
      Speak for yourself.
    4. Re:i read it somewhere else by plover · · Score: 4, Insightful

      "all you have to do is pass a law...and it would never happen again"?

      Oh, if it were that easy. Pass a law and Windows bugs are fixed. Pass a law and dishonest employees will never steal again. Pass a law and a hard drive will never be misplaced, or a delivery service will never lose a tape en route, or a destruction service will never hire a corporate spy.

      California (and a few other states) has a law requiring notification. Minnesota has almost exactly the law you would like requiring the leaking parties to be responsible for the costs, yet continues to have breaches.

      Laws aren't like some magical "wand of protection +5". Sure, they give people incentive to do something, but they can't actually stop the dishonest people, nor do they protect us from the incompetent until after the damage is done.

      --
      John
    5. Re:i read it somewhere else by Billosaur · · Score: 5, Insightful

      As many people will point out, at some point you have to take responsibility for your own information. It's not the data breaches themselves that are really the issue, but the fact that once your data gets into the wild, it can be used for nefarious and often illegal purposes, and there is no easy way to deal with the problem. Anyone who gets their identity stolen literally spends years writing letters and making calls to various companies to indicate that in fact their identity was stolen and they are not responsible for the misuse of it. When it comes to clearing things up with the major credit monitoring services, it can be downright frustrating to get them to make necessary and factual changes to your credit report in order to get the matter cleared up.

      We don't just need laws to make companies liable, we need a system in place to make sure that when data breaches do occur, that those affected can restore some semblance of normalcy to their lives with the minimum of fuss. And we need laws in place to define just what data any particular company can collect (remember: your SS# is not supposed to be used as any kind of identifier except for tax purposes) and more importantly, how that data should be stored (mandatory encryption).

      --
      GetOuttaMySpace - The Anti-Social Network
    6. Re:i read it somewhere else by jfengel · · Score: 4, Interesting

      By making something more than the knowledge of 16 digits required for a loan (which is what they're doing when they authorize a credit transaction). Or even deducting the money directly from my account. Or, God forbid, knowing 9 measly digits from my SSN, as if that somehow were a secret.

      It continually baffles me that credit card numbers are assumed to be somehow secret, despite the fact that you hand a waiter making $2.15 an hour a little piece of plastic with that number written on it without a thought.

      The customer is in no position to create a new technology that ends this "open secret" way of verifying identities. There are much better mechanisms available, using public-key cryptography and some combination of passwords (entered into a smart card, not passed over the Internet), biometrics, and physical identity tokens.

      That's up to the credit card companies. The reason people steal the numbers is that all they have to do is steal the number. Make it harder to steal and they'll stop stealing it. Until then it will continue to shock me that mere knowledge of a password which is regularly transmitted all over the place, and can be stolen from my wallet or my mail, is used as an identifier.

      They blame it on the customer because they can, not because it's the customer's fault.

    7. Re:i read it somewhere else by natebarney · · Score: 2, Interesting

      I think you missed the point. The point circletimessquare seems to be making is that if the financial institutions were held liable, they would more actively address the problem of identity theft, and that they have a much greater capability in this regard than does the consumer. Whether this is correct or not, your response arguing that passing laws doesn't eliminate crime doesn't really seem relevant.

    8. Re:i read it somewhere else by plover · · Score: 4, Interesting
      So who is "responsible" then if a phisher puts up a fake website that looks like YourBank.com? Is YourBank responsible for your stupidity at falling for the phish?

      What about a DNS attack, where legitimate customers going to the legitimate YourBank.com site are redirected to a man-in-the-middle site? Everything looks legit (albeit slow) and it's a near-picture-perfect real-time clone of the bank's site and the user's account info. Who has to pony up in this case? Linksys/Cisco for making a router susceptible to DNS hijacking? IE or Firefox for somehow not recognizing the MITM? Verisign for legitimately issuing a certificate to a hacker that he then later misused?

      At some point a lot of these fall into the category of technological failings. Are we suddenly going to see disclaimers on routers and ethernet switches claiming "Not suitable for secure financial transaction data"?

      The only way to truly end this is to remove the ability to use the data online, and require face-to-face authentication. Shut down commercial use of the internet. Not a likely scenario.

      The next best solution would be to train employees and end-users how to safely transact business over the internet. Joe Sixpack can't even identify every button on his TV remote control -- what are the chances he can learn how to check certificates for authenticity? Even if he could be trained, would you then shoulder the responsibility for training him how to spot hacks just in time to have a new hack come out and steal his account information anyway? "Mr. Trainer, I followed your instructions exactly and I still got hacked. Here's a lawsuit for damages due to your incompetence."

      And before you place too much faith in IPV6 to solve all these problems, you should take a look at every other piece of technology claiming to solve security problems. They're all flawed -- some more than others. It's just that we don't know IPV6's vulnerabilities yet.

      --
      John
    9. Re:i read it somewhere else by Anonymous+Brave+Guy · · Score: 2, Insightful

      We don't just need laws to make companies liable, we need a system in place to make sure that when data breaches do occur, that those affected can restore some semblance of normalcy to their lives with the minimum of fuss. And we need laws in place to define just what data any particular company can collect

      Yes and yes. I've been arguing the same way ever since a probably inadvertent mistake by a minimum wage local government staffer screwed up my tax record by linking me to someone else. The mistake itself wasn't too damaging, fortunately, but the really nasty things were the fact that the first I knew about it was when my paycheque was well short one month because of over-charged tax, and that it took me several months contacting several different tax offices to get it fixed. (Hint to tax offices: if I'm complaining that my tax records have been corrupted, possibly by cross-linking with someone else's given the context, then it's not very sensible to stonewall me completely because the address and employer details I'm giving you aren't what's in my tax record. If I'm not currently working for that employer, why are you deducting tax on my wages from them?)

      I believe we are long overdue for things like robust privacy/anti-collection of personal data laws, and that such laws should also require that anyone dealing with any sensitive personal information must provide a fast, low-cost, effective mechanism for fixing screw-ups or face unlimited fines in court for any damage resulting and to compensate for any distress and wasted time for the victim. And this should go double for any organisations that you are legally compelled to supply with personal information.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    10. Re:i read it somewhere else by JonXP · · Score: 5, Insightful

      "The only way to truly end this is to remove the ability to use the data online, and require face-to-face authentication."

      Because, as we all know, fraud and identity theft did not exist before the advent of the internet.

    11. Re:i read it somewhere else by cowplex · · Score: 3, Interesting

      Very true. Technology, as it stands now, is very open to phishing, etc. You're entirely right - the technology needs to change.

      However, such failings of technology are only a part of the problem. It seems like every time I visit /. there's a new article about how some company or another just lost the SSN, bank account numbers, passwords, identification numbers, DNA signatures and biometric iris scans of another 40 million people. It seems like these companies are actually at fault for this lost data, so where do we draw the line? If you get phished you're not liable, but if you lose the laptop the personal information of everyone in the state is on, you are? What about a weak implementation of security?

    12. Re:i read it somewhere else by Gryffin · · Score: 4, Interesting

      Laws aren't like some magical "wand of protection +5". Sure, they give people incentive to do something, but they can't actually stop the dishonest people, nor do they protect us from the incompetent until after the damage is done.

      You're missing the point.

      Right now, the companies whose data is stolen have no financial incentive to beef up their security, but they have plenty of PR incentive to cover up breaches. If such breaches were to hurt their bottom line, the shareholders would make them take their security seriously.

      As for the effectiveness of laws, look at Sarbanes-Oxley: corporations have created whole departments just to manage compliance. Sure, they bitch and moan about the hassle, but they comply because it's the law. Why can't they be obligated to put the same effort into customer data security?

      --
      Learn from the mistakes of others. You won't live long enough to make them all yourself.
    13. Re:i read it somewhere else by bxbaser · · Score: 2, Funny

      it is if my dog's name is kjGO6375nto87TONkj35jv25jh235

    14. Re:i read it somewhere else by aztektum · · Score: 2, Insightful

      At some point a lot of these fall into the category of technological failings. Did you scan the list? I saw far more data loss because of shoddy management than average Joe's being scammed via a technical exploit. Dumpsters filled with paper records of employee SSN's and DL's. Backups being lost on non-encrypted media. Systems containing data that are stolen. Some people got scammed via e-mail, but most of this was because of shoddy physical security.

      Put in place real penalties for these corporations (Kaiser fined 200k for putting patient info online? Their whole legal department probably costs them 10 times that easy to operate!) and I bet phishing attacks as a whole would barely make a newsworthy headline.
      --
      :: aztek ::
      No sig for you!!
    15. Re:i read it somewhere else by Lally+Singh · · Score: 2, Insightful

      I think that when they let their employees have laptops full of my (unencrypted) personal data, which subsequently gets lost or stolen, that they should bear the responsibility.

      For phishing sites, etc. There are technological solutions to this sort of problem. Just require better verification than 'the domain name matches the SSL certificate'.

      --
      Care about electronic freedom? Consider donating to the EFF!
    16. Re:i read it somewhere else by WGR · · Score: 2, Insightful

      Phishers can't operate as readily if the banking site can be identified by proper two-way TLS certificates. That is, the banking certificate is given to the user by the bank branch directly so that all transactions with the bank are encrypted with the bank's public key and a shared key that only the bank knows. The user's password only unlocks the PKI certificate, so even if the phishers get the password, they will not have the actual certificate to be able to transact business with the bank.

      The problem is that banks would rather lose a few dollars to phishers than pay for proper security for online transactions.

      In the late 90s my bank required a separate Entrust certificate process to run to be able to do business. But they lost business to banks that used the simpler (and less secure) one way SSL connection with a password that they changed to SSL themselves. As long as banks don't suffer the consequences of inadequate security and consumers don't require good security, we will still have problems.

    17. Re:i read it somewhere else by tekrat · · Score: 2, Interesting

      at some point you have to take responsibility for your own information.

      And how exactly am *I* supposed to do that? There are hundreds, perhaps thousands of companies who are continuously buying and selling information about *me*. And you can bet that when these companies sell someone else information they have collected about me, I am the last person on the notification list.

      Furthermore, these companies actively resist you being able to contact them. Thanks to modern voice-mail trees, it's pretty much impossible to speak to a human at any of these companies, and assuming that you can make contact with some of the smaller ones, you can bet the first question they ask is "What's your social security number?", which, is information you're not supposed to give out over the phone if you want to protect your identity!

      So far, the only way I have ever seen to have these companies take you seriously is to sue them. But you can't sue them if you're not sure they even have information about you. And it's very difficult to find out if they have information about you unless you sue them.

      I once received a letter from a collection agency I never heard of claiming I owed $28 for an AOL account, and unless I sent them a check, it would go into my credit report that I was delinquent. I called the company, and the first thing I was asked by the rude person over the phone was to give them my social security number. I refused to give this person a number since I felt this was a scam - I've never been and never will be an AOL customer. They hung up on me. So I called back, asking to speak to a supervisor. Again, I was asked for my social. I refused. They hung up.

      So, I contacted AOL. AOL claimed I had an account that was unpaid. I told them I've never been an AOL customer. They said I had to fill out a form claiming that, and they needed my address. I pointed out that they should already have my address, since they were able to give that info to the collection agency.

      In the end, I wound up sending complaints to AOL, the State Attorney General and the Better Business Bureau, but, as far as I know, it did get resolved. But the point is, I have no idea how AOL got my information, and I only found out I had an AOL account after I was asked by a collection agency for money. AOL never once contacted me.

      So exactly how am I supposed to "secure" and be responsible for my information, when I can't even tell who's got what about me?

      What's worse is the amount of time I spent on this, because two dumbass companies can't even get their information about me straight. If AOL had contacted me FIRST, for example, it could have been resolved with one phone call. Instead, they just shuffled it off to a collection agency, which made the whole thing much more complicated.

      --
      If telephones are outlawed, then only outlaws will have telephones.
    18. Re:i read it somewhere else by NMerriam · · Score: 2, Informative

      The essential thing in the US is that the banking system has become quite enamored of easy credit in the last few decades -- the policy of extending credit to essentially anyone for any reason, based on nothing more than an application and a promise to pay it back at some later date. In a fight to get more customers for such credit, lenders competed with each other to make it as convenient as possible to apply, and therefore as convenient as possible to commit fraud. Simply knowing some easily available information about someone is enough to get you credit in their name.

      So long as the creditors themselves don't suffer too much financially from fraud (which they don't, thanks to their generous campaign contributions and strict avoidance of responsibility through their merchant contracts) it's a winning business strategy because it also brings in more legitimate customers.

      The fundamental problem is that we benefit from the convenience of easy credit, the banks profit from it, but when anything goes wrong all of a sudden the customer and the merchant (but not the bank) are left with all the costs of fraud. Any solution would inherently restrict the convenient availability of credit to some degree, and the American economy purrs along quite well in large part due to consumer spending that is largely tied to credit.

      --
      Recursive: Adj. See Recursive.
  3. Solution is simple... by Bomarc · · Score: 5, Interesting

    At a state level (We could never get our Fed legislative critter to do something for the people) have a 'data protection' right. Bottom line: You lose data: you pay the people whose data you had. You fail to notify the people: you pay double. If the information is actually used, damages are double plus ACTUAL / ON GOING losses.

    Bottom line: Lock up your data! We learned this back in the days of the wild west. Now we must relearn; reinvent the safe for 21st century data.

  4. Sucks by Poppler · · Score: 4, Interesting

    My own information, including bank account numbers, has been stolen and sold. I received a letter from a company I've never done business with, explaining how it wasn't their fault that they lost information I didn't give them, and trying to reassure me that nothing bad would happen.

    The people running these companies should be considered criminally negligent. Maybe then they'll start to take security seriously.

    --
    What's the ugliest part of your body? Some say your nose, some say your toes, but I think it's your mind. -Zappa
  5. stats on what the breaches were by wizardforce · · Score: 3, Informative

    http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm
    Human/software incompetence took up 44% in the public sector, hackers 52% in higher education, and theft(s) were 55% and 57% for private and medical respectively.

    --
    Sigs are too short to say anything truly profound so read the above post instead.
  6. Numbers by ArcadeX · · Score: 2, Insightful

    I'm guessing that's a global number (RTFA? who has time... besides me), but if that was just America, that would be more than half of the population... wonder how many of those numbers are dupes.

    --
    An I.T. motto in the hands of an idiot is a dangerous thing...
  7. Always going to be a problem by TubeSteak · · Score: 4, Insightful

    Data breaches are always going to exist.
    The big question is: What can be done to minimize the impact of the breaches.
    The short answer - make it harder to get credit cards, loans, etc.

    Once you change the way that money is handed out by financial institutions, all that stolen data becomes worthless.

    But... that will never happen. Easy access to credit is the lifeblood of the debt driven American economy. So really, no matter how much moaning goes on about fraud, they still want a system that allows everyone to easily have access to debt at the drop of a hat.

    --
    [Fuck Beta]
    o0t!
    1. Re:Always going to be a problem by Watson+Ladd · · Score: 2, Insightful

      Your logic is wrong. If a bank waits five weeks to grant credit to do a criminal background check it won't help a bit if the guy they are giving the cash to is not the guy who they checked out.

      --
      Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
  8. Hum... by GodCandy · · Score: 3, Insightful

    Did I do the math wrong, or does that add up to just over 200,000 a day, give or take?

    2 years = 365*2 = 730
    158,000,000/730 = 216,438.36

    Wow, that's a lot of data to be "compromised." I think some of these people should have had better measures in place to prevent this type of thing. Others just shouldn't piss off their staff to the point that they sell company information to the highest bidder. Especially when that information is mine.

  9. That's only partly true by MikeRT · · Score: 2, Interesting

    Why should the banks be liable for phishing? That is the failure of the user to remember proper security and/or make a good decision. However, the banks should be 100% responsible for all fraudulent credit issues and such.

    One thing we need is a new court order from each state government that allows a citizen or legal immigrant to simply walk up to a credit institution, post identity theft, and say "purge those records, NOW!" at the penalty of fines and being liable for libel and slander if not acted upon in a reasonable time period.

  10. But it has to be reasonable for Joe Sixpack by Anonymous+Brave+Guy · · Score: 2, Interesting

    Yes, that will motivate banks to use better security but in the end it all comes down to the fact that people need to do their part to uphold the security that is already there.

    The problem with that is that current mechanisms are far too much of a burden for the average member of the public to avoid carelessness and/or social engineering attacks.

    It simply isn't reasonable to expect people to create and remember a different, properly secure password for each of numerous services, some of which will only be accessed occasionally, perhaps as little as once per year or less. Nor is it reasonable to expect average people using typical software on typical computers to understand all the dangers of phishing attacks, the need to patch immediately against cross-site scripting vulnerabilities, and other geeky gobbledegook.

    Since large organisations only tend to understand responsibilities in terms of the bottom line impact if they fail to live up to them — and that includes the responsibility to obey the law — the law needs to impose a sufficient burden on those handling sensitive personal information improperly that it becomes more economic for them to invest in proper security, both on their own side and in terms of what they expect of their clients. With sufficient pushing in the right direction, we could have not only much better security in terms of software and protocols, but also practically effective means of identifying people more reliably and with less susceptibility to casual crime.

    This doesn't need to be rocket science, either: consider that switching from using signatures to using PINs to authenticate card transactions has reduced card fraud by something like 80% in several European countries. The new PIN-based systems are simple enough for almost everyone to understand, were well advertised prior to their takeover, are backed by software and equipment that work pretty well, and are based on the tried-and-tested security policy of combining a physical token with some information known only to the legitimate user. Just like that, you've removed a common mechanism for card fraud, saving businesses billions and saving hassle for thousands of would-have-been victims every year.

    We have the technology to do this. A simple card and public key cryptography suffice for most purposes, after all. We just need the will to do it more widely, so the complexity is dealt with by the system and not by the user.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  11. At least you knew! by ChilyWily · · Score: 3, Interesting

    Well, at least you knew who and where the information was leaked.

    In my case, I got a letter from my credit card saying that a merchant whom I had transacted with, was the source of a breach. No more information on when this occurred, who the merchant was, how many people were impacted or how long they knew of the situation, before they informed me. Instead, the Credit Card company re-issued me a new credit card, at 'my request' prior to me doing or asking for anything.

    The letter in fact was so unsettling, it was written to evoke a feeling that I had somehow reported fraudulent activity... I called the company and spent 45 minutes before realizing that there was one of me and a seemingly unending supply of pod-people who kept repeating the same line to me. I obtained my own credit report a few weeks after and guess what, the aforementioned account was "closed at the customer's request".

    The outrage in me continues, and I wonder what kind of risk I'm exposed to, but I don't know what to do against an army of droids? Maybe a letter will do some good? How much time should I invest in all of this without the faintest glimmer that anything will happen?

    I second your thoughts on higher penalties. With credit cards being an increasing singular means of carrying out transactions, I would certainly modify my business behaviors with people who are not careful with my information!

  12. Security is an illusion by rbanzai · · Score: 2, Insightful

    When it comes to your personal information there is no such thing as security once it has left your control. None of it is really protected. Companies engage in "security theater" to give the appearance of protection but that is a sham. Why? THERE IS NO PENALTY FOR BREACHES.

    Genuine security costs companies millions of dollars. Insecurity costs them NOTHING. They could expose every single piece of every person's information and it would have no penalty. None.

    The government and corporations have no interest in protecting your information. So much is in the wild already that it makes no difference to them. 158 million people? What's 50 million more? 100 million more?

    Stop complaining about this. The horse was out of the barn a long time ago. Security and privacy are illusions. They are gone and they are NEVER coming back. Your security and privacy have no value to the government or corporations.

  13. Re:I am getting spam to my gmail account by jafiwam · · Score: 2, Insightful

    Dictionary attack.

    "aaaaaaaaa@gmail.com"
    "aaaaaaaab@gmail.com"
    "aaaaaaaac@gmail.com"

    If you dig through your SMTP logs every once in a while, you see that stuff. Usually coming from a compromised home machine in short bursts of fifteen or thirty tries.

    A few minutes later, another block is tried from another IP on the other side of the planet.

    Plus, did you read the fine print on your Gmail account agreement? Did they SAY they wouldn't sell the address? Or did they SAY they wouldn't sell delivery of email to accounts? (Without releasing the list, they can do anything they want with the headers, it's their server after all.)
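The "aaaaaaaaa, aaaaaaaab, aaaaaaaac" pattern jafiwam describes is easy to pick out of an MTA's reject log once you group "user unknown" rejects per client and look for short bursts of near-identical recipients. The script below is an added example, not code from the thread or from any mail product; it assumes Postfix-style smtpd reject lines, a constructed sample log, and a burst threshold of 10 unknown recipients within 5 minutes from one client.

```python
"""Detect recipient-harvesting bursts ("dictionary attacks") in SMTP reject logs.

Added example, not from the thread. Assumes Postfix-style smtpd reject lines;
the burst threshold and time window are chosen here, not quoted from the page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix-like "Recipient address rejected" line. The exact format is an
# assumption; adapt the regex to your MTA.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 [^<]*<(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected"
)
LOG_YEAR = 2007  # syslog timestamps carry no year; assumed for the sample


def parse_reject(line):
    """Return (timestamp, client_ip, recipient) for a reject line, else None."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["rcpt"].lower()


def looks_sequential(rcpts):
    """Heuristic for aaaaaaaaa, aaaaaaaab, ...: most neighbouring local parts
    (after sorting) have equal length and differ in at most one character."""
    local = sorted({r.split("@", 1)[0] for r in rcpts})
    if len(local) < 3:
        return False
    close = sum(
        1 for a, b in zip(local, local[1:])
        if len(a) == len(b) and sum(x != y for x, y in zip(a, b)) <= 1
    )
    return close >= 0.8 * (len(local) - 1)


def find_harvest_bursts(lines, threshold=10, window=timedelta(minutes=5)):
    """Group 'user unknown' rejects per client IP and report every run of at
    least `threshold` distinct unknown recipients inside `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_reject(line)
        if rec:
            by_ip[rec[1]].append((rec[0], rec[2]))
    bursts = []
    for ip, events in by_ip.items():
        events.sort()
        i = 0
        while i < len(events):
            j = i
            while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window:
                j += 1
            rcpts = {r for _, r in events[i:j + 1]}
            if len(rcpts) >= threshold:
                bursts.append({
                    "ip": ip, "first": events[i][0], "last": events[j][0],
                    "unknown_rcpts": len(rcpts), "sequential": looks_sequential(rcpts),
                })
                i = j + 1
            else:
                i += 1
    return bursts


# --- Constructed sample log (not real traffic) ---------------------------------
def _reject_line(hhmmss, ip, rcpt):
    return (f"Mar 12 {hhmmss} mx1 postfix/smtpd[4242]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
            f"User unknown in local recipient table; from=<spam@example.org> "
            f"to=<{rcpt}> proto=ESMTP helo=<dsl-host>")

SAMPLE_LOG = (
    # one compromised host probing aaaaaaaaa, aaaaaaaab, ... in a short burst
    [_reject_line(f"10:01:{2 * n:02d}", "203.0.113.7", f"aaaaaaaa{chr(97 + n)}@example.com")
     for n in range(12)]
    # two ordinary typo bounces from another client, hours apart: not a burst
    + [_reject_line("11:30:00", "198.51.100.5", "jon.smith@example.com"),
       _reject_line("16:05:00", "198.51.100.5", "jonsmith@example.com"),
       # unrelated connection line; the parser ignores it
       "Mar 12 11:31:00 mx1 postfix/smtpd[4243]: connect from mail.example.net[198.51.100.9]"]
)

if __name__ == "__main__":
    for b in find_harvest_bursts(SAMPLE_LOG):
        print(f"{b['ip']}: {b['unknown_rcpts']} unknown recipients "
              f"{b['first']:%H:%M:%S}-{b['last']:%H:%M:%S} sequential={b['sequential']}")
```

On the sample it reports the single burst from 203.0.113.7 and ignores the two isolated bounces; a flagged client is a candidate for rate limiting or a temporary block, and the `sequential` flag separates address enumeration from a plain misdirected mailing.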