http://www.rockymountainnews.com/news/2008/mar/17/holes-grow-in-net-safety/
By Jeff Smith
Rocky Mountain News
March 17, 2008
Thieves steal a car that has boxes of documents in it. A law office
staff dumps papers into a dumpster. A hacker breaks into university
computers.
Each of these real-life examples from last year had two things in
common: They occurred in Colorado, and they involved the compromise of
confidential information - such as names and Social Security numbers.
Breaches of personal data are a growing problem nationwide, as society
handles more information electronically, and it becomes more common to
transport that information on laptops and other mobile devices.
The San Diego-based Identity Theft Resource Center reported that more
than 127 million records were exposed in 448 separate incidents
nationwide in 2007 alone. That represented a huge jump over the 315
incidents and 20 million compromised records in 2006.
The group, which in part compiles its information from news reports, has
tracked more than 130 data breaches this year - making 2008 even more
active so far.
"We're seeing more breaches in the news than in the past," said Linda
Foley, founder of the center.
Another group that tracks the activity, Attrition.org, reported an even
greater number of records compromised in 2007: 162.5 million, although
its 2008 numbers are down slightly compared with last year.
In Colorado, one of the most publicized data breaches last year involved
an attack on a computer server at the University of Colorado. A weak
spot in anti-virus software led to a breach that exposed the names and
Social Security numbers of almost 45,000 students dating back several
years.
It's impossible to get a precise handle on the problem. But studies
indicate data breaches and other forms of identity theft affect millions
of Americans and cost billions of dollars a year.
It can take months, if not years, for victims to straighten out their
credit records. And, in the process, they likely face the time-consuming
hassle of closing accounts and opening new ones.
Part of the increase in data-breach reports could be due to laws
requiring companies to disclose the events to the public and victims.
Nearly 40 states, including Colorado, have disclosure laws.
But there is no federal disclosure rule or standard. It's unclear how
many incidents go unreported.
"I think there's a serious question whether we're even hearing about
(the small ones)," said Rob Douglas, a Steamboat Springs-based security
consultant and privacy expert. "Even in states where laws have been put
in place, (many) businesses themselves probably are not well-informed
about those laws and probably don't even know they have a legal
responsibility to report."
Douglas noted that most laws allow companies to delay disclosure if
requested to do so by law enforcement officials investigating the
incident. He said he believes that "at times, companies have used that
as a crutch."
Brian Martin, a Denver-based Internet security contractor who co-founded
Attrition.org, said he finds a lot of companies don't conduct the
forensic investigation necessary to fully understand the implications of
a possible breach.
But experts generally agree large companies are doing a better job of
reporting incidents, in part because they realize the lack of disclosure
can come back to haunt them in terms of lawsuits, customer losses and
business costs.
TJX, the parent company of retailers T.J. Maxx and Marshalls, found that
out after it disclosed a massive data breach in early 2007. Lawsuits
were filed almost immediately, and TJX took a charge against earnings.
It was reported recently that the company would hold a one-day, 15
percent-off sale as part of a class-action settlement.
Foley founded the Identity Theft Resource Center after being victimized
herself. She said her employer at a small business in the mid-1990s
stole her identity and tried to get credit cards and cell phones in
Foley's name.
Foley would rather not talk in detail about the incident.
"She was caught and arrested and punished," Foley said. "I am a victim
and a survivor. I was able to figure out what was going on, and (police)
stopped her fairly fast."
Douglas said that while more attention is being paid to the problem, he
has serious doubts about the effectiveness of apprehending and
prosecuting criminals.
He said he was in Washington, D.C., recently for a Federal Trade
Commission event and heard a prosecutor acknowledge that he wouldn't
even touch a case unless victim losses exceeded $40,000.
"I was aghast," Douglas said. "Most losses are smaller than that. Unless
you have a very serious crime, the odds of prosecution are very low."
Douglas said the escalation of data breaches in the past few years can't
be ignored and goes beyond people simply not doing a good job protecting
data.
"The numbers of lost and stolen laptops are just staggering," he said.
"Thieves are not stupid. They are looking for these things."
Foley said companies need to do a better job evaluating whether it's
necessary for employees to leave the workplace with certain
information.
But she also noted positive developments, such as industry groups
working to establish data-breach standards.
Don't get soaked
Tips for consumers who have been the victim of a data breach or believe
they may have been a victim of identity theft:
1. Place a fraud alert by calling the credit reporting agencies. You're
entitled to receive a free credit report, which you should carefully
review for irregularities.
* Equifax: 1-800-525-6285
* Experian: 1-888-Experian (397-3742)
* TransUnion: 1-800-680-7289
2. Close accounts you believe have been used fraudulently. When doing
so, talk to someone in the security or fraud department of the
company. Follow up in writing. Send your letters by certified mail
with a return receipt requested so you can document what the company
received and when. When you open new accounts, use new personal
identification numbers and passwords.
3. File a complaint with the Federal Trade Commission. You can use the
agency's online complaint form or call its Identity Theft hotline at
1-877-ID-THEFT (438-4338). Complaints help the agency track down
identity thieves.
4. File a report with the local police where the theft took place.
Include a printed copy of your FTC ID theft complaint.
Plug the holes before they leak
* Take advantage of your right under federal law to obtain a free credit
report each year from the three main credit reporting agencies:
Equifax, Experian, TransUnion.
* Experts advise staggering those reports by ordering one every four
months. The centralized service set up by the three firms is
AnnualCreditReport.com or 1-877-322-8228.
* Warning: This is the only service to obtain your annual free credit
reports. There are dozens of other monitoring services, but they cost
money.