Identity Data Loss by Organizations
By Michael Ross
This article was published by ComputorEdge, issue #2510, 2007-03-09, as a feature article, in both their print edition (on pages 18-19) and their website.
If any Internet user ever feels that the online world is ignoring them, that cyberspace is one cold place where no one takes an interest in who they are, then they only need to consider the countless commercial firms and other organizations that are keenly interested in the individual's identity. Businesses, medical groups, government agencies, and even your local movie rental shop are seemingly trying to gather as much of your personal information as they can.
In fact, they apparently care so much about your online popularity, that they will happily share your personal information with others, including anyone who stumbles upon databases of customer information on the organizations' websites, or walks away with an employee's laptop that is loaded with identity data for you and millions of other people.
Perhaps what is most infuriating is that not only are these organizations losing so much critical data accidentally, but in some cases, it turns out that they deliberately sold it to list makers and other organizations who promise to only use it for "legitimate" purposes — such as flooding your e-mail inbox and snail mailbox with junk.
With all this unrequested sharing of our personal information online, is it any wonder that identity theft is currently the fastest-growing crime in the United States? Why would identity thieves and organized crime syndicates ever need to employ crackers to break into protected databases of customer data, when so many organizations who have collected our sensitive information release tremendous amounts of it out into the open, through their security-clueless bumbling or unconscionable venality?
Given how relatively little criminal and civil action is taken against these firms, one might conclude that the identity data loss up to now has been insignificant. But the number of records compromised, and the frequency of such incidents, tell a different story — one that becomes more alarming when we consider how reticent these organizations often are to admit their blunders and wrongdoings, and how many of them prefer to simply hush up any internal security breaches or other mistakes, when revealed.
Private Sector, Public Data
One would think that, by now, most if not all commercial firms would have long ago implemented strict security controls for all of their sensitive information, including customer's identities. Unfortunately, some of these companies do not bother encrypting the data that we have entrusted with them — despite the vacuous privacy policies posted on their websites, and the letters we receive in the mail, informing us as to how important our privacy is to these firms.
To gauge the true extent of identity data loss within the private sector, consider some of the events in a single month, June 2006, which got off to a lamentable start: On 1 June, the Texas Guaranteed Student Loan company revealed that the records of 1.3 million customers, containing sensitive identity data, were compromised when a contractor lost some computer equipment.
Not even a week had passed after that incident, when the Buckeye Community Health Plan, located in Ohio, announced on 6 June that four computers had been stolen from their office in Columbus, containing 72,000 Medicaid subscribers' personal data. Just two days later, the YMCA admitted that a laptop stolen from an office in Providence, Rhode Island, contained the names, addresses, medical information, Social Security numbers, credit card numbers, and checking account numbers for about 65,000 parents whose children participated in day-care programs run by the YMCA ("Your MasterCard Announcer"?).
On 18 June, American International Group (AIG), a major insurance company, revealed that it had lost the identity data for approximately 970,000 clients, as a result of a burglary at one of their Midwest offices. The company chose not to disclose which office it was, possibly for security reasons — as if the Midwest customers hurt by this have never heard the expression about closing the barn door after the horse has escaped.
Public Sector, Public Data
With commercial enterprises being less than enterprising when it comes to securing our ID information, surely the law enforcement arms of the federal government would be ever vigilant about not revealing people's Social Security numbers, and would act swiftly to completely rectify any data security problem brought to their attention. That might be true for some law enforcement groups, but not the Justice Department.
In December 2005, InformationWeek confirmed that the website for the Justice Department made publicly accessible the names and Social Security numbers of several people. It was later learned that the Justice Department had been informed of the security breach as early as 12 November of that year, yet had done nothing about it.
The US Department of Veterans Affairs likely have on staff people who would not be characterized as "security veterans", which was well illustrated on 22 May 2006, when they admitted having lost the personal information of more than 26.5 million veterans and 2.2 million active-duty, National Guard, and Reserve troops — totaling more than half of all US military personnel. All that sensitive data was located on a laptop, stolen from an employee's home. What was that employee thinking, taking that unprotected data out of the VA building? Apparently, not much.
State governments may be no better than the federal government, if Minnesota is any example. In our favorite month, June 2006, three laptops containing sensitive employee data were stolen from the state auditor's office. Perhaps they need a security audit.
Keeping It More Private
Given the track record so far of private and public organizations, in "protecting" your sensitive information, it is becoming painfully clear that these data breaches will likely continue. As a customer and citizen, what can you do to minimize the chances that your personal identity information will end up becoming one of the identities lost in the future?
There are innumerable worthy security practices one could follow, but at least adhere to the basics: When instructed to provide your Social Security number, ask why it is needed, and if a substitute number can be used instead. When opening a new account, specify that you do not want any of your information shared with any other organization, or even other branches of the requesting organization.
Even better, don't open the account in the first place, if possible. Having a multitude of bank and credit card accounts confers few benefits, but often many headaches. Consolidate your financial affairs with a minimum number of reputable firms that do not show up in the "hall of shame" of organizations that have lost people's identity data.
When it comes to your personal data, the more "unpopular" you are, the better.
Copyright © 2007 Michael J. Ross. All rights reserved.