Forget the NSA. Here's another very scary list. Are you included?

TOPICS: Security

Every time a massive data theft or breach happens, I keep kicking myself for not starting that list of all such compromises that I promised myself I would start (and maintain here on ZDNet). The last one of these, which I think is also the largest, involved 26.5 million records containing the personal information of U.S. veterans. I don't think most people realize how bad the situation is, which is why I thought a list would have more impact. The problem is compounded in some cases by the failure to report the theft or breach on a timely basis. In the case of the U.S. veteran data, the Veterans Administration (VA) didn't report the theft for nearly three weeks.

Whereas public disclosure requirements exist in some states, like California, they don't in others. Things are less organized at the federal level, where at least two separate bills are under consideration by the Senate and at least another two are under consideration by the House. In the House, the two pieces of relevant legislation at varying stages of development are the Financial Data Protection Act of 2006 (House Commerce Committee) and the Cyber Security Enhancement and Consumer Data Protection Act (House Committee on the Judiciary). The former is considered a joke by some because disclosure is only triggered in the event that a breach is "reasonably likely to result in substantial harm or inconvenience" to consumers whose personal information was included in the breach. Similar "toothless bills" are being considered in states like Arizona. Not surprisingly (some lobby is obviously at work here), in a case of the foxes watching the henhouse, the highly subjective measurement of harm is left to the data custodian to conduct.

According to Wired Magazine, Microsoft is on record as favoring the low threshold:

In 2002, the Federal Trade Commission charged Microsoft with falsely claiming that consumer data held in its Passport electronic wallet service was highly secure. The company settled, agreeing to bolster Passport's security ... Speaking to a roomful of privacy advocates, [Microsoft lawyer Michael] Hintze outlined a detailed plan for a federal law that he said would protect consumers while clarifying the responsibilities of corporate America ... Microsoft prefers that customers be notified only when a company determines there's a "reasonable risk of a material harm happening to a consumer," said Hintze. "If the trigger is too low ... people will get notice fatigue. People will get notices all the time."

To that I say, fatigue me. Notify me. Immediately. I don't know about you, but when I find out that someone I've entrusted my personal information to loses track of that information, I want to know so I can take my business elsewhere. And there's nothing like the risk of a consumer-inflicted financial penalty to scare the daylights out of any business.

What does any of this have to do with my headline? Well, I'm not going to bother making that list. That's because the Privacy Rights Clearinghouse already has one that lists the breaches that have been reported. There's no telling which ones haven't been reported, but I'll venture a guess that the list of unreported incidents far outnumbers the list of reported ones. Based on the size and frequency of these breaches (as well as the brand names involved -- brand names we assumed we could trust), theft of your identity doesn't appear to be an "if" question. If it hasn't happened already, it's just a question of when. A very sad state of the state, if you ask me.

  • Ridiculous! When do these people get sued?

    That list basically says everyone has been compromised and they don't know it. I also read somewhere that the Social Security Administration has a "secondary" list of SSNs because so many have duplicate owners.

    Feh! Bah!
  • Add Wells Fargo to your list...

    ...of slow responders.

    Computer goes missing in early May, we get notified that our information was on the computer three days ago. Happened to one of the BusinessWeek TechBeat guys too...
  • leaks!

    Why can't they store all the information in a secure fashion?

    These agencies will not take this up as a top priority until it hits their bottom line.
    Either a leak of this sort should make them liable to be sued, or it should be made mandatory for them to maintain information security above certain standards.
    • secure fashion?

      >>why can't they store all the information in a secure fashion?<<
      Because (pick your favorite answer):
      a) they believed they had done so
      b) they had no idea of how to test the security
      c) they didn't understand the security issues
      d) they believed that no one else on the planet was smart enough to find a way into their systems
      e) the cost of security was not justified according to the latest insurance risk data
      f) they had no idea what types of data had been amassed since version 1.0 of their application
      g) they didn't care
      h) all of the above
  • Two problems

    We have two inter-related problems with data security. First, like the VA's lost computer, there are a lot of places that maintain a lot of sensitive data because they have to, but either fail or refuse to take security seriously; and second, we've all become spoiled by companies that keep sensitive data so we can do business on the 'net with less hassle. As an example, how many shopping websites do you allow to keep your personal information, including credit card info, so you can log on and finish shopping quicker? And for the truly paranoid, how many of those sites keep your sensitive info even if you don't authorize them to?

    Both need to be addressed.
    • Question about data at rest

      Should all data at rest be encrypted... only openable with the right, hardware-enforced credentials. Theoretically, a stolen notebook would be of no use to the crooks if the data was encrypted and required three factor security to uncork.
      • Answer: Yes. It's

        now easy:

        Full Disc Encryption (FDE): Best-in-Class Data Protection
      • without question

        Yes. Uncategorically, yes. Encryption has been an option for years. But will you pay for it? Remember that it must also be periodically updated and presents significant backward compatibility obstacles.

        "Hey, Joe! I've got to pull data off backup. Do you remember the key we used last year?"

        After the laughter subsides, Joe replies: "Key? Dog, I don't even know if we still have a system to read it. We upgraded to a new billing system last year!"
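    The key-management worry in the exchange above (a backup sealed under last year's key, and nobody sure which key that was) is what a versioned keyring addresses. The following is an added example, not code from any commenter or from ZDNet; it assumes records at rest are protected with AES-256-GCM, that every key version ever used is kept until no backup references it, and that the version number is stored in front of each record so the right key can be found later.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Keyring keeps every key version ever used at rest; version n is keys[n-1].
type Keyring struct{ keys []cipher.AEAD }

// Rotate installs a fresh random AES-256-GCM key as the new current version.
func (k *Keyring) Rotate() error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	block, _ := aes.NewCipher(key)  // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	k.keys = append(k.keys, aead)
	return nil
}

// Seal encrypts under the current key; layout [version][nonce][ciphertext+tag], version bound as AAD.
func (k *Keyring) Seal(plaintext []byte) ([]byte, error) {
	if len(k.keys) == 0 || len(k.keys) > 255 {
		return nil, fmt.Errorf("keyring has no usable current key")
	}
	aead := k.keys[len(k.keys)-1]
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := append([]byte{byte(len(k.keys))}, nonce...)
	return aead.Seal(blob, nonce, plaintext, blob[:1]), nil
}

// Open selects the key by the stored version, so last year's records still decrypt after rotation.
func (k *Keyring) Open(blob []byte) ([]byte, error) {
	if len(blob) == 0 || blob[0] == 0 || int(blob[0]) > len(k.keys) {
		return nil, fmt.Errorf("record is empty or needs a key version not in the keyring")
	}
	aead := k.keys[blob[0]-1]
	ns := aead.NonceSize()
	if len(blob) < 1+ns {
		return nil, fmt.Errorf("record too short")
	}
	return aead.Open(nil, blob[1:1+ns], blob[1+ns:], blob[:1])
}
```

    Because the version byte is authenticated along with the ciphertext, a record whose version has been altered, or whose key was discarded, fails to open rather than decrypting to garbage.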
  • Another question, this one about national security

    Does the theft of this data represent any risk to national security? Would it include information about ex-intelligence personnel or politicians that shouldn't fall into the wrong hands?

    • Are you kidding?

      Our information is flowing so freely, it's like water running downhill. You see, there are costs involved in better security. And it's always about the money. The response to this, both public and private, is to hush things up.
    • Politicians

      The only thing they would get from politicians' information is "mis-information".
    • some animals are more equal than others.

      Who cares if some of the ID thefts are pigs, politicians, or spooks. My data is what is important to me, and if a few privileged people get burned - badly - maybe they will take the steps to curb this outrage that will benefit all of us.

      National security is a red herring. Those people are either vetted to be sure there is nothing to blackmail them on, or they don't factor into security on this ID level.
  • Yes, We're All Included

    Based on my 35 years as a broker of mailing lists (recently turned privacy activist) I can assure you we are all included in the massive databases of names and personal data. That's database(s)...plural. ChoicePoint and LexisNexis are just the tip of the iceberg. There's Acxiom, Experian, TransUnion (also credit reporting cos.), Lifestyle Selector, Behaviorbank, and the list goes on and on.

    My gut tells me we're also all represented somewhere in that Privacy Rights Clearinghouse list of 82 million breaches. The ID thief just hasn't gotten around to some of us yet. And it won't do any good to jump from merchant to merchant because the list business is one huge conspiracy to collect maximum data on each American individual and sell it as many times as there are buyers. Current take on selling your name and private information is $4 billion annually.

    There is only one way to protect the use of consumers' names and personal data. Pass federal legislation to give the individual control over their name and personal data, and, while we're at it, pay them when it is sold. You can read about it in my blog, The Dunning Letter at:

    Jack E. Dunning
    Cave Creek, AZ
    Nasty Jack
    • All of us?

      Some of us just can't take care of ourselves... we depend on security by others...please identify me before taking my money.
  • Amazon too

    It was a few years back, but one of my credit card numbers was one of those stolen by a hacker who breached Amazon security. As a result, I no longer allow online merchants to store my credit card information.
    • Amazon?

      Amazon should have verified who you were and not just accepted a credit card number as payment. It wasn't your fault, probably, and they should eat the loss or your credit card co. should.
  • Demand it!

    I read somewhere that a majority of businesses are thinking about implementing better security less due to compliance issues and more because they don't want to lose customer trust. So, as a customer, you need to make it known to your banks, real estate broker, etc. that your trust depends on their level of security. Ultimately, that's how you'll force them to invest. Waiting for the first lawsuit to land is like hoping you'll get hit by a company truck and survive the damage to get some payback.

    More security stats:
  • this is not that big of a problem

    It should be federally mandated that all such databases be destroyed. What has been destroyed cannot be leaked or stolen.
    • Not that big of a problem?

      How do you suggest that the Veterans Administration hold records that are vital for vets to receive payments, medical treatment, and pensions, then?
  • Stolen data

    People who steal identities should be executed! Period, no excuse.