Saturday, October 28, 2006

Living the "Groundhog Day"

One of our readers asked for our opinion in response to an article that was written by the Associated Press, “Operator of 12 hospitals informs of lost data” on October 24, 2006.

Let me give you a little background first. The Sisters of St. Francis Health Service, which operates 12 hospitals within Indiana and Illinois, or their medical billing contractor, lost control of several computer discs IN JULY 2006. These discs contained Social Security numbers and other personal information of their 260,000 patients.

The article says, “However, officials said they do not believe any of the 260,000 patients’ information was improperly accessed.” Does that mean it will never be improperly used? If I were one of the victims (oops) “patients” I would be furious!

Questions that Potential Victims should Ask:

1. How can this affect me?
2. What should I or what could I do to sleep well at night?
3. Why did The Sisters of St. Francis Health Service wait four months to notify the VICTIMS of their criminal behavior that this data was “misplaced”?
4. Why do they feel so confident that this data has not been improperly accessed and will not be accessed in the future?
5. Who is the “medical billing contractor” that they blame for losing the data?
6. Why do they suggest that the “patient” spend their valuable time requesting credit reports when the hospital system lost the data?

If I were one of the “patients” I would have demanded that the contractor or the hospital pay for my credit report to be checked. Also, I would demand that the hospital system purchase a monitoring service to cover me and my family against identity theft for at least one year.

Have you ever watched the movie “Groundhog Day?”

WHERE DOES IT END? WE MUST DO SOMETHING!

What do you think needs to happen for this level of irresponsibility to come to an end?


Thursday, October 26, 2006

From Across the Pond: Corporations Fall Victim to Identity Theft as Well

According to new research by CPP Group, a leading UK life assistance organization, one in five companies have fallen victim, or know a company that has fallen victim, to company identity theft, yet 64% of companies admit to not being adequately protected against it.

This research should be an eye-opener to corporations around the world. Identity theft criminals do not discriminate by race, gender, age, or even corporate or individual status. In the mind of the criminal we are all potential targets whether we live in Japan, Australia, Canada, United States, or the United Kingdom and regardless of our corporate, marriage, or financial status.

It is true these figures come from the UK, but I would venture to guess that they are similar to the figures that would come from a similar research project in the United States or any other developed country around the world.

I was asked this past week at a seminar if I thought there would be a solution to identity theft in the near future. My answer was blunt and honest: NO! You cannot stop the crime of identity theft; you can only educate the public and the corporations on the best practices to reduce their losses and exposures.

You can contact me by adding a comment.


Sunday, October 15, 2006

"The Government Screws Up." AGAIN?!

October 15, 2006.

It's raining.

Cold winds whipping from the North.

There are snow flakes.

All is grey and depressing.

I'm sipping dark rum on the rocks.

No, this is not Ernest Hemingway! It's Ernest Schmidway, depressed that the headlines never change!

The AP wire story today: "Government Losses of Personal Data Cited"

Really!?
  • "Federal workers at 19 agencies have lost personal information affecting thousands of employees and the public, according to a report released Friday by the House Government Reform Committee. Most of the data was lost or stolen. In a few cases, it was accessed by computer hackers, the report said. Government contractors were responsible for many of the security breaches."


According to the AP, the committee reported 788 incidents involving "... loss or compromise of sensitive personal information since Jan. 1, 2003. That was in addition to 'hundreds of security and privacy incidents' at the Department of Veterans Affairs, the report said."

Seven Hundred and Eighty Eight INCIDENTS!

What the heck does that mean?!

How many millions of sensitive pieces of personal information were compromised?!

How many Americans are now vulnerable to all kinds of identity intrusions: financial, religious, full identity theft?

And you know what burns the hell out of me?

The story was a small, almost invisible piece on page 22 of the New York Times. Of course, it failed to make it into most newspapers and was nowhere on any TV programs.

On page one of the Times we have a story about how electricity markets have failed to deliver savings, and another story about how the Duke lacrosse team's outta-control behavior re the exotic dancer, alleged rape, etc. is a bigger problem with athletes all over American colleges and universities! Oh yeah, there was also a story about how salmon find an ally in Russia's Far East, an urgent late-breaking story for sure!

So, even the New York Times editors don't get it!

Saturday, October 14, 2006

Your Brokers are Brokering Your Identity!

My co-author sent me an e-mail early today asking "have you blogged yet?"

Oops! I've been remiss!

So what to blog?

No worries, mate! Let's quickly see what incompetent boobs have put thousands (maybe millions) at risk this week. I can count on many, MANY inept data guardians to have screwed up.

Aha! Here is a good one.

The headline: "Online Brokerage Account Scams Worry SEC"


  • "WASHINGTON (Reuters) - High-tech crooks are hijacking online brokerage accounts using spyware and operating from remote locations, sometimes in Eastern Europe, U.S. market regulators said on Friday.
    The computer 'incursions' are a growing problem, said Walter Ricciardi, deputy enforcement director at the U.S. Securities and Exchange Commission."


Now this should NOT be happening! Over 25% of US (retail) stock trades are online. There are, according to the news, somewhere around 10 million online accounts. So we are talking about a lot of investors and a Schmidt-load of money that is sitting in cyberspace waiting to earn (or lose) value, return on investment, pay for college, or fund those "golden years".

So how does this scam work? The article goes on to 'splain.

  • "Crooks will load a victim's computer or a public PC with a spy program to monitor a user's activities and capture vital information, such as account numbers and passwords. The program then e-mails the stolen information back to the thief, who can use it to open victim accounts. Once inside, the thief may sell off an account's portfolio and take the proceeds. Or electronically hijacked accounts may be used for 'pump-and-dump' schemes to manipulate stock prices for profit."


Public computers in Internet cafes and hotel rooms are particularly nasty entry points for the gangstas, who are often in Eastern Europe (is there actually still such a place?), Russia, and other far-flung locations. The article went on to say that American banks are working on online banking security technologies because "identity theft via online banking is a fast-growing crime".

No kidding! And yet, every time I go to my bank they ask, "Are you using our on-line banking services?"

No, I am NOT, because you fools just want to cut costs and bank tellers, but you have not done diddly to secure and armor those on-line sites!

Be careful when you bank online. VERY careful!


Friday, October 13, 2006

The University of Iowa Data Breach. Identity Theft?????

My frustrations grow. On September 29, 2006 my wife was one of the potentially thousands of individuals that received a letter from The University of Iowa notifying her of a data breach that involved her name and social security number.

When will corporations, government agencies and educational institutions like The University of Iowa take IT security seriously? It is time that we not only blame the criminal but also prosecute and hold liable those that lose our personal data. Many times we have personally entrusted them with our data; other times they have taken the responsibility on themselves. It is time those that are storing private data on citizens act responsibly or face severe penalties.

Below are pieces of the notification (not even one page) that The University of Iowa gave my wife.

The University of Iowa has recently learned that a computer used by our research group was the target of a computer intrusion. Although there is no evidence that any information was obtained from the computer during this incident, we are writing to inform you that information about your participation in one of our research studies, including your social security number, was obtained on the computer.


They then go on to say:

We apologize for any inconvenience or concern this situation may cause, but we believe you should be fully informed about this incident.

Great, now what? Is the University of Iowa offering any monitoring service? Are they going to follow up with the people that they have let down? Certainly the envelope my wife received in the mail was missing the several other sheets of information that would have answered all those questions.


Wednesday, October 04, 2006

Landfill ID Losses! How Lame is That?!

Here is the story that caught my eye and gave me indigestion!

The story in Network World (09/08/06) was titled "Chase Card Services dumps customer details in landfill". Chris Mellor, a TechWorld writer, reported that

  • "In an amazing display of incompetence, Chase Card Services has dumped tapes containing millions of customers' details in a landfill site. The company will now have to tell 2.6 million current and former credit card customers of Circuit City that tapes containing their details were tossed out when they were mistaken for rubbish. Chase is apparently working with both local and national authorities to find out what happened but thinks they were in a locked box that was crushed and dumped in the landfill hole." (Network World at http://www.networkworld.com/news/2006/090806-chase-card-services-dumps-customer.html)

I don't know about you, but I am ready for a class action lawsuit against these incompetent and irresponsible morons!

As I said in a recent keynote address to an audience at an international conference on security education, neither the government nor the private sector will take ID security seriously until the people responsible for ID information losses go to jail and institutions are seriously fined! (By the way, CNN is reporting, as I sit here writing this blog, that millions of medical records are at risk of ID theft because the federal government has a system full of security holes.)

For months now my co-author Mike McCoy and I have been preaching, apparently to deaf government officials and politicians, that ID theft is a very dangerous, serious threat not just to the personal security of Americans but also to national security. After all, the September 11 terrorists had fake identities!

Chase Card Services losing computer tapes and having them end up in a landfill is unacceptable. It shows that Chase Card Services does not consider this highly personal information to be valuable or at risk. Moreover, it shows that they don't consider themselves to be the stewards of your most personal and intimate information.

A hefty fine and a robust response by their upper management team would help to get the attention of those (usually low level, minimum wage employees) who are given the responsibility of managing and disposing of such incredibly sensitive information.

Also, maybe a consumer boycott of companies that mishandle your data would send a good message!

Sunday, October 01, 2006

Data Breaches Approach 100,000,000 in the Past Two Years

According to Privacy Rights Clearinghouse, the total number of records containing sensitive personal information involved in security breaches over the past two years now stands at 93,754,333.

My concerns with these numbers are many, but the most concerning is the number of unaccounted-for or undisclosed lost data files. The real number could easily be nearing 500 million rather than 100 million.
I have included parts of a press release to demonstrate my point. For a copy of the September press release in its entirety, visit http://www.commerce.gov

FOR IMMEDIATE RELEASE
Thursday, September 21, 2006

Commerce Department Announces Information From Reviews of Missing Department Laptops and Potential Breaches of Personal Identity Data

WASHINGTON - The Department of Commerce today announced information from its recent Department-wide reviews of missing, lost or stolen laptops and potential breaches of personal identity data. The Department continues its review and is not aware of any data being improperly accessed or used. The information gathered from the reviews indicates that the Census Bureau had the disproportionate share of missing equipment and data. The reviews were in response to broad, government-wide Congressional and public inquiries.

Based on the review in response to the public inquiry, the Department determined that within its 15 operating units for the years 2001 to the present, out of over 30,000 laptops within the Department's inventory over that time period, 1,138* were either lost, stolen or missing. Of these laptops, 249 contained personally identifiable information (PII), although access passwords, complex database software, systemic safeguards and/or encryption technology significantly limit the potential for misuse of data on the laptops.

A separate review in response to a request for information from the House Committee on Government Reform Chairman Tom Davis (R-VA) regarding the loss or compromise of any sensitive personal information from 2003 to the present found that there were 297 instances. These included: 217 laptops; 15 handheld devices; 46 thumbdrives; and the rest involved documents or other materials.

Information on the two agencies within the Department that have missing laptops with personal data follows:

Bureau of the Census
Most of the missing laptops were assigned to the Census Bureau, which during the last five years has used over 20,000 laptops. Every year, thousands of Census field representatives fan out around the country to compile survey data, using laptops in their work. Much of the field workforce is comprised of temporary, hourly employees paid to gather data door-to-door. Given the unique nature of the Census workforce and method of data collection, the Bureau has long had technological and procedural mechanisms in place that limit any potential breach of information.

Regarding the unique nature of the Census laptops, the Bureau indicated that they contained the following:

Technological Protections:

  • every Census laptop from 2001 on requires a password to access;
  • systemic safeguards ensure that once a survey is completed, the data is automatically stored on a laptop and cannot be retrieved or accessed in the field, even by the Census field representative;
  • and each laptop contains information on an estimated 20-30 households, and rarely more than 100;
  • field offices report that typical laptops would contain zero-to-two incomplete surveys.


Procedural Protections:

  • the survey data is contained in complex database formats requiring specialized applications to access;
  • each laptop contains survey data that is regularly transmitted at the end of each day, and such data is fully removed from the laptops at the end of each survey period;
  • and since 2001, the Census Bureau has been adding encryption technology on a rolling basis for extra protection, and today, all new laptops have encryption protection.

The Census Bureau reported:

  • 672 missing laptops, of which 246 contained some degree of personal data;
  • 107 of these laptops were fully encrypted;
  • 139 were either partially encrypted or had no encryption;
  • of the missing laptops involving PII, almost half of the unaccounted laptops were stolen (104), often from employees' vehicles, and another 113 were not returned from former employees;
  • and 46 thumbdrives, all of which were fully encrypted and protected by systemic safeguards.

In addition to laptops, Census began evaluating the use of handheld devices to record survey data for testing processes in preparation for the 2010 Census. Of the approximately 2,400 in use since 2004, 15 have been lost, stolen or are missing with PII on them. All of these had encryption and required an initial password to operate the unit, and a second password to access the data that was only available to employees at Census headquarters. Unlike the laptops, it is possible for us to determine the potentially affected households, and we are in the process of contacting those 558 households even though the risk of misuse of data is extremely low.


In addition to those instances of potential breaches, the Census Bureau also reported 16 instances of non-electronic potential breaches of personal information, ranging from employee time and attendance records being lost in an office move to retirement information packages sent to the National Finance Center during Hurricane Katrina not being received. Where these potentially affected people can be identified, we are also in the process of contacting them.

Other Department of Commerce Bureaus and Offices
The following bureaus of the Commerce Department had the following number of laptops lost or stolen in the last 5 years: Bureau of Industry and Security, 9; Economic Development Administration, 6; Bureau of Economic Analysis, 4; International Trade Administration, 42; Technology Administration, 17; National Institute of Standards and Technology, 35; U.S. Patent and Trademark Office, 9; Office of the Inspector General, 2; and the Office of the Secretary, 17. None of these contained personally identifiable information.

This leaves me with a very uncomfortable feeling: if the government is doing as poorly as "Corporate America" in regards to protecting our personal data, who should be passing laws and regulations?



  • All Material is Copyright © 2009 Michael McCoy and SEAS, L.L.C
  • Deter. Detect. Defend. Avoid ID Theft - www.ftc.gov/idtheft