Slashdot Mirror

← Back to Stories (view on slashdot.org)

Good: Companies Care About Data Privacy Bad: No Idea How To Protect It

Posted by samzenpus on from the we've-tried-everything-that-doesn't-cost-us-money dept.

Esther Schindler writes: Research performed by Dimensional Research demonstrated something most of us know: Just about every business cares about data privacy, and intends to do something to protect sensitive information. But when you cross-tabulate the results to look more closely at what organizations are actually doing to ensure that private data stays private, the results are sadly predictable: While smaller companies care about data privacy just as much as big ones do, they're ill-equipped to respond. What's different is not the perceived urgency of data privacy and other privacy/security matters. It's what companies are prepared (and funded) to do about it. For instance: "When it comes to training employees on data privacy, 82% of the largest organizations do tell the people who work for them the right way to handle personally identifiable data and other sensitive information. Similarly, 71% of the businesses with 1,000-5,000 employees offer such training. However, even though smaller companies are equally concerned about the subject, that concern does not trickle down to the employees quite so effectively. Half of the midsize businesses offer no such training; just 39% of organizations with under 100 employees regularly train employees on data privacy."

54 of 77 comments (clear)

  1. We care.... by Anonymous Coward · · Score: 1

    "We care about your privacy."

    "Oh, by the way, we have TBs of data stolen 3 months ago, but we forgot to tell you until today."

  2. Fairly easy way to protect data. by SuperKendall · · Score: 5, Insightful

    Never collect it to begin with.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Fairly easy way to protect data. by dgatwood · · Score: 1

      Well, that's not always possible, but it's a good start. I'd suggest a more nuanced/layered approach:

      • To the maximum extent possible, don't collect it.
      • If you must collect it, don't retain it.
      • If you must retain it, use end-to-end encryption, so that you cannot access the data yourself.
      • If you must retain it and must be able to access it, use encryption correctly, use access controls to limit access as narrowly as possible, and audit the heck out of your code.
      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Fairly easy way to protect data. by Tool+Man · · Score: 1

      I'm in the security industry, and this approach pretty much sums up what I try to instruct my clients to do. It differs of course from the piles of unprotected, unaudited, unmanaged fluff that some management wanker thought might be handy to keep around. Even restricted to such a constrained, specific scope as credit card data makes them blanche, I can't imagine them making the leap to more loosely guarded information without a business case.

    3. Re:Fairly easy way to protect data. by jellomizer · · Score: 2

      All sounds good however... For a large organization such rules become impractical. To get full security there will be so much administrative overhead of approving access to a given area for so much time and back, that if you played by the rules you wouldn't get your job done timely. So you end up with "black market" IT where people will store backups of the data in say an access or excel files, and keep them hidden from the official system. Not because they have nefarious use of them, but because they will need to get their job done, and the official secure way is too impractical.

      So let's say you were tasked to figure out if it was worth it it accept American Express, as AE charges a lot for its transaction. So you may need to figure out some numbers.
      %of customers with AE
      Average spending with AE
      Average spending in total
      Standard dev of spending with AE
      Standard dev of spending total

      Now because someone dropped the ball you will need this data quickly.
      Putting a request to get this data may take days.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:Fairly easy way to protect data. by clark0r · · Score: 1

      "but we might need this stuff later, so i took a copy on my personal usb device and kept it in my glovebox because nobody would find it there"

    5. Re:Fairly easy way to protect data. by jellomizer · · Score: 1

      What are you a yuppie from the 1980s or something!
      For most cases unless the person was being malicious these problems happen due to a failure of the whole system not just one person.
      The best of us probably had made a mistake or at lest was really close to one.
      Human error is part of the game. If there is a problem you can act like adults and fix it, or act like kids and try to point to the person who can point any further.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    6. Re:Fairly easy way to protect data. by clark0r · · Score: 1

      Sometimes it's a good idea to have an incident management process that overrides controls to achieve aims within agreed timeframes. Triggering of the process has to match defined criteria, eg "we got compromised".

    7. Re:Fairly easy way to protect data. by Dutch+Gun · · Score: 1

      Ha! It's not like they don't actually want all that delicious, valuable customer data. That stuff is pure gold. They just want to be able to use it themselves, such as selling access to "interested third parties".

      My summation / interpretation of the article's premise: "We don't want a huge security breach that will embarrass us, but we don't actually want to spend a lot of money on the problem."

      --
      Irony: Agile development has too much intertia to be abandoned now.
    8. Re:Fairly easy way to protect data. by peragrin · · Score: 2

      The problem is step 4 is the issue.

      using encryption correctly with access controls, is all but impossible with current OS's.

      Very few OS's have the access control setup to properly limit. Most current forms of Access control assume a greater and greater level of access with each level. That still creates accounts which can access everything. You don't want that.

      What is needed is an access level system that lets you install updates, maybe move files, but not read them. This way the system admin can't access your secure data period. He can move it, but he can't actually read the file itself. That way upper level executives who demand access to everything can get access to the data but not install malware. Even then there needs to be access level to restrict data from all but certain levels. So Accounting department can access your credit card information but the executives above them can't.

      So a Mandatory/need to access form of Access control, not the pyramid type system used in place today where each person is a on a level, and a few at the top get everything.

      --
      i thought once I was found, but it was only a dream.
    9. Re:Fairly easy way to protect data. by Anonymous Coward · · Score: 2, Informative

      1) Stop using cloud-infrastructure for storage.
      Essentially the reason stuff gets stolen in the first place is because someone's client is compromised, which is a lot easier to do than hacking into the cloud storage itself.
      2) Stop using virtual machines on "the real network", because it's a lot easier to just pull a virtual machine image, and run it on a "hostile" machine, all the well impersonating the hypervisor of the real machine. Why bruteforce over the network when you can just patch the login process to accept any password or key by accessing the storage itself.

      Those are the most important "painting ourselves into a corner" we are doing to ourselves right now for both privacy and security. The average data leak right now is a result of using off-the-shelf open-source software like Wordpress, and not keeping on top of security updates to the entire *AMP stack. Nobody has time for this, and letting the computer update itself is an even WORSE prospect as it will restart itself and open itself to MiM attacks in the process, it doesn't matter if an update is signed if you can just hijack the entire update process to change the expected checksums.

      Like right now, the weakest thing I have to deal with in linux is the auto-update process that doesn't work at all. Why does the yum have to take up 500MB of ram just to stay resident checking for updates. That is ass-backwards wrong and needs to stop. Someone please figure out how to make an auto-update process not grind the machine to a halt why they are at it.

      So how do we protect privacy?
      1) Stop outsourcing. This includes both "clouding" information, and hiring people outside the organization, or outside the country that need access to that data to do their job. Your phone company should not be outsourcing customer service to a third party, let alone a third party in India. The Indians in this case don't value privacy and will sell your private information for a nickel just because they can and can't be held responsible for it since they aren't in the US.
      2) Make US Privacy laws explicitly prohibit the "clouding" or "outsourcing" of customer information. That information needs to be stored on company-owned-and-maintained hardware that has the safegaurds. There is no reason why a customer at Target should have their privacy information available to the check-out clerk by indexing their credit card number. That's beyond stupid. Every time we make things more convienent to a customer, we are putting their private information at risk. De-centralize data storage so that data acquired at one location isn't shared with other locations unless that customer opt's in to connecting it. That's how banks work. Banks somehow are less stupid on this front, but are still stupid about verification.
      3) Social engineering... quit hiring morons. Instead of pushing down wages by constantly trying to poach smart people from other businesses to avoid training people to not be morons. Actually have internal security audits from "customers" that are really security people check that the representatives are doing their job properly and not just blindly believing every stupid thing someone says.

    10. Re:Fairly easy way to protect data. by schwit1 · · Score: 1

      How am I supposed to know it's you unless I use your SSN as an ID number? But how are we supposed to send you targeted advertizing if we don't know everything about you?

    11. Re:Fairly easy way to protect data. by turbidostato · · Score: 1

      "Not because they have nefarious use of them, but because they will need to get their job done, and the official secure way is too impractical."

      And by finding and using workarounds you are just making the problem bigger since an undetected problem is a problem that won't get solved anytime.

      If the policy in place is dumb, make it obviously so. This way it can be solved, if you don't do it, you are part of the problem.

    12. Re:Fairly easy way to protect data. by turbidostato · · Score: 1

      "Most current forms of Access control assume a greater and greater level of access with each level. That still creates accounts which can access everything."

      Hey! we could put a name to that. I suggest, hummm... "discretionary access control". What about that?

      "What is needed is an access level system that lets you install updates, maybe move files, but not read them. This way the system admin can't access your secure data period."

      If only someone invented something we could call, say, "mandatory access controls"...

      But then, let's imagine a world where you already could choose between implementing either "discretionary access controls" or "mandatory access controls", what do you think would be bussiness' choice?

    13. Re:Fairly easy way to protect data. by Jawnn · · Score: 2

      I can't imagine them making the leap to more loosely guarded information without a business case.

      The business case is already there, unless you do business only in one of the few remaining states without a law that makes it truly painful to suffer a breach. But I get what you mean, even the reality of ruinous penalties, lawsuits, and bad PR is just theoretical to many decision makers. They won't part with a dime to mitigate security issues without at least a good scare or two.

    14. Re:Fairly easy way to protect data. by BVis · · Score: 1

      And sometimes not even then. I was at a company when they had a breach involving financial info. It cost them hundreds of thousands of dollars to purchase credit protection for thousands of our customers. However, they just kept on operating the same way, storing credit card information in the clear because that's the way they've always done it, and upgrading the back-office accounting system to allow tokenization of transactions would have cost money. Nobody in upper management had the balls to go to the CFO and say "You will fix this, and you will fix it now. I don't want any excuses. Get it done."

      So, as far as I know, they're still doing it. At least they're not storing CVV numbers anymore...

      --
      Never underestimate the power of stupid people in large groups.
    15. Re:Fairly easy way to protect data. by BVis · · Score: 1

      If the policy in place is dumb, make it obviously so. This way it can be solved, if you don't do it, you are part of the problem.

      In my experience, the dumbness of the policy is directly proportional to the difficulty in making anyone understand how dumb it is. It's also directly proportional to the likelihood that someone whose job title starts with "Chief" wrote the policy and will not change it, no matter what.

      It's also dumb to allow the CEO to have a non-expiring password that is the name of the company. But good luck telling the CEO he can't have it. I'll see you at the unemployment office.

      --
      Never underestimate the power of stupid people in large groups.
    16. Re:Fairly easy way to protect data. by turbidostato · · Score: 1

      "In my experience, the dumbness of the policy is directly proportional to the difficulty in making anyone understand how dumb it is."

      Well, that's not exactly what we were talking about. If a policy is "just" dumb, or insecure, it's probably not your role to change it but, at most, to share your opinions with whomever is nominally responsible for that.

      Here we are talking about subverting the policies in order to be able to get your job done. No need to explain anything here, just follow the policies and let others see why no work is done. By subverting the policy, you are not only not allowing the problem to surface -so it won't get corrected, but offering yourself as a scapegoat when shit hits the fan: not the policy's fault, but yours, since you didn't follow it.

      "It's also dumb to allow the CEO to have a non-expiring password that is the name of the company. But good luck telling the CEO he can't have it"

      Well, it's a problem if the CEO already has such a password. If that's not the case, sorry, sir, I can't change your password's policy, neither technically nor by authority. Now, if you are technically able to change it and your supervisor commands it -ideally in written, why not doing it? It's not your problem.

    17. Re:Fairly easy way to protect data. by BVis · · Score: 1

      It's certainly your problem when they fire you for not doing it.

      --
      Never underestimate the power of stupid people in large groups.
    18. Re:Fairly easy way to protect data. by Tool+Man · · Score: 1

      I find that's one of the more useful bits about PCI, is that at some point, somebody tells the company to get their house in order. Maybe not the whole thing, but there's some value to moving all of the CC data tot he closet and locking THAT.
      My general security side says they should apply that principle elsewhere, but it's a harder sell when the rest isn't directly tied to cash flow.

    19. Re:Fairly easy way to protect data. by LessThanObvious · · Score: 1

      Sure, but then how are they going to put all our medical records online and use big data to analyze treatments and outcomes. Oh, you don't want that? No, sorry there isn't an opt out for that. I guess even though we know businesses are incapable of protecting privacy we'll just have to be understanding that it's for our own good.

      Myself, I'm preparing certified letters for my pharmacy, insurer and doctor's office to let them no they do not have my consent to do any of that and that I'd like all eligible records destroyed. Yes, I am bored, so what.

    20. Re:Fairly easy way to protect data. by dgatwood · · Score: 1

      And sometimes not even then. I was at a company when they had a breach involving financial info. It cost them hundreds of thousands of dollars to purchase credit protection for thousands of our customers. However, they just kept on operating the same way, storing credit card information in the clear because that's the way they've always done it, and upgrading the back-office accounting system to allow tokenization of transactions would have cost money. Nobody in upper management had the balls to go to the CFO and say "You will fix this, and you will fix it now. I don't want any excuses. Get it done."

      Don't worry. The second time it happens, the army of lawyers climbing all over each other to file a class action lawsuit against the company for gross negligence will almost certainly be successful at obtaining an injunction to shut down the business until they fix it.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    21. Re:Fairly easy way to protect data. by turbidostato · · Score: 1

      "It's certainly your problem when they fire you for not doing it."

      Nobody is going to fire you for not doing something known not to be possible.

      See... machines cause that effect. People get angry with people not doing as commanded -even if it is a silly command, but they won't take it personally if it is a machine the one saying "no". That means the CEO cannot have a four letter password, because it is not me disallowing it, but a policy in a machine stating that everybody will have an 8 letter password, and I can do nothing to change it.

    22. Re:Fairly easy way to protect data. by BVis · · Score: 1

      Don't know about that, and don't care. I left that shithole a year and a half ago.

      --
      Never underestimate the power of stupid people in large groups.
    23. Re:Fairly easy way to protect data. by BVis · · Score: 1

      "Change it or you're fired."

      He got his non-compliant password.

      Executives are immune from inconvenient policy.

      --
      Never underestimate the power of stupid people in large groups.
  3. Vested interest by ArhcAngel · · Score: 2

    You can't train an employee to care about someone else's data. If you make them take the course they will. They might even retain some of the message but when it comes time to put it into action it better not be more complex than pressing a button cause something else more important is calling their names.

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  4. Lots of tools, not a lot of experience by mlts · · Score: 2

    Elaborating on the concept, the good thing is that businesses have a lot of security tools that are not too expensive:

    IDS/IPS.

    AD's innate protection and logging.

    Management and Alerting software like SolarWinds, SCOM/SCVMM/SCCM, or Splunk/Puppet/Chef/Webmin.

    Encapsulating network segments by offering access to data without the ability to fetch the raw items, which can be done with App-V, Remote Desktop, or Citrix.

    Disk encryption is in virtually every OS.

    Basic routing/firewalling/segmenting either via dedicated appliances or a general purpose PC with a routing OS.

    Virtualization/containers to separate applications from each other as well as completely revert the damage done to malware by snapshots.

    Backup servers. Even a SMB can buy an edition of Windows Server 2012R2, enable the Essentials package, and back up a number of clients via a pull mechanism which prevents malware on the target clients from being able to tamper with or modify stored data on the server. For larger installs, MS's SCDPM is one alternative, NetBackup, TSM, and other enterprise tier utilities are another.

    Now the bad news:

    The tools we have are decent. However, it takes not just putting them together to make a cohesive security structure, but also putting policies, procedures, and dealing with the human element. Piss the employees off, and no amount of glued USB ports and Draconian policies will keep them from slurping data offsite out of spite. This is where the expenses come in. It takes people who know what the heck they are doing and know each tools uses and what they can't do (for example, not think that BitLocker to protect against threats over the network.)

    A whitehat's job is hard. It requires a broad spectrum of knowledge of products, as well as being able to configure things in a failsafe manner [1] so if one item with security fails, all isn't lost.

    Another problem is that there has been such a disincentive for so long for people interested in computer security. I have been told by managers at different companies, "Security has no ROI and if we do get hacked, Tata/Infosys/Geek Squad can fix the problem with a phone call." Because security has been hind teat in the IT world for so long, finding experienced people is hard, and can be expensive.

    Maybe this will change, and if companies want security people, more people will start going that route, creating a positive feedback loop. However, I fear this is going to take a major event that causes loss of life before this ever will happen [2].

    It may not have to be that expensive a fix... if Sony had an alerting system to notify their SOC that someone was brute-forcing AD, the attack against them likely would have been far less widespread.

    [1]: For example, an anonymous FTP site would have the /pub directory NFS mounted read-only with permissions squashing root, but allowing everyone to read that directory. That way, if the FTP server gets compromised, the data offered for public FTP can't be tampered with. Of course, the intruder can dismount /pub and put their own Trojaned downloads in its place, but security is about mitigation about attacks as well as prevention, and cleaning up a hacked FTP server can just be as easy as rolling back to an earlier VMWare snapshot.

    [2]: Before the term "cyber 9/11" was coined, it was termed the "Warhol event".

    1. Re:Lots of tools, not a lot of experience by DraconPern · · Score: 1

      That's like.. a few hundred thousand dollars of software and hardware to support all that software.

    2. Re:Lots of tools, not a lot of experience by Tool+Man · · Score: 1

      These companies seem convinced there is financial reason to keep everyone else's data, and maybe there is. If so, it behooves them to do so correctly, according to the value of what they hold. If they think the data is worth less, a painful lawsuit judgement may change their minds. (See Ford, and Pinto gas tanks.)

    3. Re:Lots of tools, not a lot of experience by mjwx · · Score: 1
      The big cost isn't in the software itself, but in the cost of the operation.

      Even a free tool has huge costs if it requires specialist knowledge. What stops a lot of companies from being more secure isn't that they dont have the tools, its rather they dont have the know how.

      AD's innate protection and logging.

      Could you elaborate on this, specifically how to configure and use? Any link would be appreciated.

      Although it wont be of much use in my current role (we have another system that does everything to do with user accounts that manipulates AD) but it would be good for future roles.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    4. Re:Lots of tools, not a lot of experience by clark0r · · Score: 1

      AD is useful for providing policy control over objects (eg for rolling out configurations to a particular set of devices), providing a directory with nested groups for granular access to network resources (file shares, web based systems, desktops, networks, anything that integrates with AD). AD also provides a lot of logs so you can see wtf happened after an event, or when performing regular auditing. If you're running a Windows shop you can't deny that AD is your most powerful tool, I've not yet come across anything else that can do what it does. I inherited Samba4 domain controllers and while they worked, switching to AD brought with it increased stability and a full integration with the clients that we could have only hoped for under S4.

  5. Job hunting by Anonymous Coward · · Score: 1

    If anybody has looked for a job lately, you know most companies are using some form of applicant tracking system. IE: you don't send your info to the company, you enter it into a 3rd party web form. Mosey on down and read the privacy statement, they all say the same thing: We value your privacy.... we will share all of your data with our "trusted" partners. Who are they? What are they doing with my data? Who are they sharing it with? What is their privacy policy? What control do we have? None obviously. I guess we need more laws.

  6. Training employees for security? by DougPaulson · · Score: 3, Interesting

    How about encrypting the data and using PKI over VPN with a full irrevocable audit trail. The keys being stored on a portable hardware token.

    1. Re:Training employees for security? by DougPaulson · · Score: 1

      "then all it takes for ana ttacker to compromise your system is access to the keys in the portable hardware token and you see yourself looking into a deep pit then my friend"

      If the hardware device is lost then all you have to do is revoke the keys. Remember all security resides in the key ..

  7. Reality by sublayer · · Score: 4, Insightful
    TFA: Just about every business cares about data privacy

    Reality: Just about every business says they care about data privacy

    The first line of the typical company privacy policy is "we value your privacy", but the next ten pages list all the ways they are going to violate it.

    1. Re:Reality by Anonymous Coward · · Score: 1

      Exactly. And we all know many examples of even the largest companies flat out rejecting, often with the highest arrogance, to do anything about even the simplest security/privacy holes... We have personal examples, and there are many articles about this on Slashdot too...

      Most *never* care in the least. Even when it is exposed in mass media, and they lose/spend millions or more because of it. They *never* care. These people at the top have all the money they want for many lives. At best they care about even more money, but we all know full well that in most cases, their pay will not be affected by a cent, even amidst the most major scandals (they may even get some bullshit golden parachute in the end, and be freed to infect another part of society). Even if they wanted to suck up as much money as possible, they would not care one little bit about security and privacy. They would only care about sucking up as much money as possible. It would just be a very tight calculation, without one bit of rationality.

  8. The Ugly: What 'Data Privacy' means. by Anonymous Coward · · Score: 1

    Of course it means their data privacy, not yours.

  9. as much as big companies? by Gravis+Zero · · Score: 4, Insightful

    smaller companies care about data privacy just as much as big ones do

    so they care deeply until you ask them to spend money at which point they will do the minimum needed to avoid being sued. gotcha, they're directed by sociopath.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:as much as big companies? by coofercat · · Score: 1

      ...or the small ones only hire people who believe the same things as the company. That is, if you're small (and you believe in privacy), you can only afford to hire people that also believe in privacy, have integrity and can keep a secret. Big companies cast their net much wider, and by the miracle of crap middle-management ensure that those people only do as they're told and don't think for themselves. Thus, those people need to be told to observe privacy through training courses.

      Ultimately, privacy is either a feature your company bakes into what it does or else it's not. If it's not, then it only makes an appearance if people are told to do it (which won't happen unless someone sees some 'bottom line' in it).

    2. Re:as much as big companies? by turbidostato · · Score: 1

      "by the miracle of crap middle-management ensure that those people only do as they're told and don't think for themselves."

      Is not "crap middle-management" but "crap companies". In such companies, the moment middle-management start thinking for themselves, they are fired.

    3. Re:as much as big companies? by Duckman5 · · Score: 1

      smaller companies care about data privacy just as much as big ones do

      so they care deeply until you ask them to spend money at which point they will do the minimum needed to avoid being sued. gotcha, they're directed by sociopath.

      I think you spelled MBA wrong.

  10. How much do the companies care about it? by Time_Ngler · · Score: 1

    They care about it bad, man, bad!

  11. But how to proceed? by John+Da'+Baddest · · Score: 1

    Suppose a smaller company does care, and wants to implement measures? These tools sound good, but like an auto parts store when you want a whole car, the integration is non-trivial. I guess the current solution is to hire a specialist, if you can find one appropriate. Maybe the industry has to evolve a bit more.

  12. Cutting to the chase by SuperKendall · · Score: 2

    I like all those layers.

    A simpler approach: All system developers dealing with personal data must place alongside any stored person data, their own personal SSN and login details for all of their banking and investment account, along with one embarrassing JPG.

    Then just let them do whatever comes naturally.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  13. Encryption? by darkain · · Score: 1

    Most everyone is commenting about better security software, firewalls, VPNs, encryption, and all that shit. Isn't the article about employee training?

    For example: call up a bank. Try to get the balance on someone's account. This is a task well within reason for the person on the other end of the phone, ASSUMING it is your account, right? That's the point of employee training. The human element is the weakest element of any security system. What training do these employees need in order to not leak out your private information to any random person who calls in? Is simply stating your name on the account enough? Is there more verification steps required?

    An example of social engineering security policies at various companies to the extreme that can happen:
    http://www.wired.com/2012/08/a...

  14. Robust Enterprise Security Management Strategy by deeps86 · · Score: 1

    Enterprise security management is an ongoing process. The underlying trick is in understanding those vulnerable points that are exploitable, and in identifying the impact on end users and the business. With data infiltration and breaches taking place at an alarming rate, organizations need to build robust enterprise security management strategies. Read: 5 Key Aspects for a Robust Enterprise Security Management Strategy

  15. Good: punctuation Bad: no punctuation by pr100 · · Score: 2

    :/

  16. Training thats the ticket by silas_moeckel · · Score: 1

    Big companies spend time training so they can point to it when something happens? Training is mostly a CYA not a real protection.

    Firing that helps a lot you would be amassed at the amount of stupid and lazy, implemented simple ssn email filters. Watch how many people send things with full ssn's outside the company (something that should never happen) everything from not redacting after idiot customer puts full ssn in an email to automated reports getting sent to outside vendors without so much as requiring TLS. It's not a one time thing they will continue to do so after being trained retrained.

    Something like a SSN should be sitting in a well secure table that only verifies if it's a match since no human should ever need to do a customer to SSN lookup. You can catch a lot of secondary exposures through good filtering and auditing.

    --
    No sir I dont like it.
    1. Re:Training thats the ticket by turbidostato · · Score: 1

      "Something like a SSN should be sitting in a well secure table that only verifies if it's a match since no human should ever need to do a customer to SSN lookup"

      And this, sir, shows where the problem lies: even basic understandment of what security is about.

      Why the hell should be an IDENTIFICATOR be taken for a SECURITY TOKEN???

      SSNs should be damn public because they are and should be nothing but a way for you to tell me who you are, just as it is your name. Do you imagine your name being secret? Well, an SSN is just a more cumbersome version of you name: it states who you say you are, just like your real name, but says nothing about why I should believe you are who you say you are, just like your real name.

    2. Re:Training thats the ticket by silas_moeckel · · Score: 1

      Unfortunately the government tends to require that it's used. The credit industry got allowed to use it as an identifier. At this point it's out of industry's hands it would require an act of congress to change things.

      --
      No sir I dont like it.
    3. Re:Training thats the ticket by turbidostato · · Score: 1

      "The credit industry got allowed to use it as an identifier"

      That's good, since it *is* an identifier, a better one that the first name/surname combination since it offers less collisions. What it is not is an authenticity token.

      The problem is not the industry using SSNs as an identification means, that should be OK, but that they are using them as passwords.

      Since they are private companies, it really doesn't take "an act of congress" to change things but people voting with their wallets. Would you put your money on a bank that obviously has no security guards and with their vaults wide open to the public?

  17. Grammar by duke_cheetah2003 · · Score: 1

    A comma between 'privacy' and 'bad' would have done wonders for clarifying the headline. It's kind of confusing.

  18. It's always about money isn't it by fluffernutter · · Score: 1

    If anyone knows that money solves all ills, it is an independent corporation. They just have to decide the right way to solve their ills with it.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  19. They only care about *appearing* to care by blivit42 · · Score: 1

    If companies actually cared about data privacy, then they would know how to protect it. If they don't know how to protect it, then they only care about *appearing* to care about data privacy.