Wednesday, August 20, 2008

You Cannot Protect Your Identity Information Against This Sort of Stupidity!

The New York Times reported yesterday that:
The Princeton Review, the test-preparatory firm, accidentally published the personal data and standardized test scores of tens of thousands of Florida students on its Web site, where they were available for seven weeks.

A flaw in configuring the site allowed anyone to type in a relatively simple Web address and have unfettered access to hundreds of files on the company’s computer network, including educational materials and internal communications.
I will not make you sick with the details - you can go read the story for yourself. I will pick a couple of lines from the article that nail to the wall exactly what went wrong.
The Web error indicates that the Princeton Review neglected several accepted online security practices. In addition to failing to properly restrict access to the student information, the company combined confidential and innocuous files on the same computers — which security researchers say is never a good idea.
When you have a bunch of incompetent people owning your private data, you are completely exposed to data and privacy losses such as this. These are a bunch of people making a ton of money off manipulating, analyzing, and sharing your private data (in this case test score and performance data) for profit!

One of my colleagues in Washington, DC believes that the Princeton Review should be hit with a severe punitive class-action lawsuit on behalf of the almost 100 K students whose information was breached. Remember, we don't know who accessed this information or what they have done with the data they gleaned from these records. It could already be off in cyberspace, being prepared for sale on one of the many criminal identity and private-data sites that abound all over the world for just this purpose.

My colleague and friend also believes that Congress needs to pass serious legislation that puts a much more protective wall around the cavalier, commercial use of people's private data.

  • All Material is Copyright © 2009 Michael McCoy and SEAS, L.L.C