Entries Tagged "data breaches"

Breach Notification Laws

There are three reasons for breach notification laws. One, it’s common politeness that when you lose something of someone else’s, you tell him. The prevailing corporate attitude before the law—“They won’t notice, and if they do notice they won’t know it’s us, so we are better off keeping quiet about the whole thing”—is just wrong. Two, it provides statistics to security researchers as to how pervasive the problem really is. And three, it forces companies to improve their security.

That last point needs a bit of explanation. The problem with companies protecting your data is that it isn’t in their financial best interest to do so. That is, the companies are responsible for protecting your data, but bear none of the costs if your data is compromised. You suffer the harm, but you have no control—or even knowledge—of the company’s security practices. The idea behind such laws, and how they were sold to legislators, is that they would increase the cost—both in bad publicity and the actual notification—of security breaches, motivating companies to spend more to prevent them. In economic terms, the law reduces the externalities and forces companies to deal with the true costs of these data breaches.

So how has it worked?

Earlier this year, three researchers at the Heinz School of Public Policy and Management at Carnegie Mellon University—Sasha Romanosky, Rahul Telang and Alessandro Acquisti—tried to answer that question. They looked at reported data breaches and rates of identity theft from 2002 to 2007, comparing states with a law to states without one. If these laws had their desired effects, people in states with notification laws should experience fewer incidences of identity theft. The result: not so much. The researchers found data breach notification laws reduced identity theft by just 2 percent on average.

I think there’s a combination of things going on. Identity theft is being reported far more today than five years ago, so it’s difficult to compare identity theft rates before and after the state laws were enacted. Most identity theft occurs when someone’s home or work computer is compromised, not from theft of large corporate databases, so the effect of these laws is small. Most of the security improvements companies made didn’t make much of a difference, reducing the effect of these laws.

The laws rely on public shaming. It’s embarrassing to have to admit to a data breach, and companies should be willing to spend to avoid this PR expense. The problem is, in order for this to work well, public shaming needs the cooperation of the press. And there’s an attenuation effect going on. The first major breach after the first state disclosure law was in February 2005 in California, when ChoicePoint sold personal data on 145,000 people to criminals. The event was big news, ChoicePoint’s stock tanked, and it was shamed into improving its security.

Next, LexisNexis exposed personal data on 300,000 individuals, and then Citigroup lost data on 3.9 million. The law worked; the only reason we knew about these security breaches was because of the law. But the breaches came in increasing numbers, and in larger quantities. Data breach stories felt more like “crying wolf” and soon, data breaches were no longer news.

Today, the remaining cost is that of the direct mail campaign to notify customers, which often turns into a marketing opportunity.

I’m still a fan of these laws, if only for the first two reasons I listed. Disclosure is important, but it’s not going to solve identity theft. As I’ve written previously, the reason theft of personal information is common is that the data is valuable once stolen. The way to mitigate the risk of fraud due to impersonation is not to make personal information difficult to steal, it’s to make it difficult to use.

Disclosure laws only deal with the economic externality of data owners protecting your personal information. What we really need are laws prohibiting financial institutions from granting credit to someone using your name with only a minimum of authentication.

This is the second half of a point/counterpoint with Marcus Ranum. Marcus’s essay is here.

Posted on January 21, 2009 at 6:59 AM

BNP Database Leaked

This is a big deal.

British National Party (BNP, a far-right nationalist party) membership and contacts list. 12,801 individuals are represented. Contains contact details and notes on selected party members and (possibly) other individuals. The list has been independently verified by Wikileaks staff as predominantly containing current or ex-BNP members; however, other individuals who have donated to the BNP or who have had other contact (not necessarily supportive) with the BNP or one of its fronts may also be represented.

Says BBC:

Occupations ascribed to the listed names include teachers, a doctor, nurse, vicar and members of the armed forces.

While there is no ban on many of those professions joining the BNP, its right-wing political stance and whites-only membership policy are seen by many as incompatible with frontline public service.

Police officers, on the other hand, are formally banned from joining, a policy which is recognised in the list.

Alongside the name of a serving officer, the document states that there is “Discretion required re. employment concerns”.

Seems that the BNP database wasn’t hacked from the outside, but that someone on the inside leaked the list.

There are a lot more leaked BNP documents on the Wikileaks website.

Posted on November 24, 2008 at 6:26 AM

UK Ministry of Defense Loses Memory Stick with Military Secrets

Oops:

The USB stick, outlining training for 70 soldiers from the 3rd Battalion, Yorkshire Regiment, was found on the floor of The Beach in Newquay in May.

Times, locations and travel and accommodation details for the troops were included in files on the device.

It’s not the first time:

More than 120 USB memory sticks, some containing secret information, have been lost or stolen from the Ministry of Defence since 2004, it was reported earlier this year.

Some 26 of those disappeared this year—including three which contained information classified as “secret”, and 19 which were “restricted”.

I’ve written about this general problem before: we’re storing ever more data in ever smaller devices.

The point is that it’s now amazingly easy to lose an enormous amount of information. Twenty years ago, someone could break into my office and copy every customer file, every piece of correspondence, everything about my professional life. Today, all he has to do is steal my computer. Or my portable backup drive. Or my small stack of DVD backups. Furthermore, he could sneak into my office and copy all this data, and I’d never know it.

The solution? Encrypt them.

Posted on September 16, 2008 at 6:21 AM

Laptop with Trusted Traveler Identities Stolen

Oops. A laptop with the names of 33,000 people enrolled in the Clear program—the most popular airport “trusted traveler” program—has been stolen at SFO. The TSA is unhappy.

Stealing databases of personal information is never good, but this doesn’t make a bit of difference to airport security. I’ve already written about the Clear program: it’s a $100-a-year program that lets you cut the security line, and nothing more. Clear members are no more trusted than anyone else.

Anyway, it’s easy to fly without an ID, as long as you claim to have lost it. And it’s also easy to get through airport security without being an actual airplane passenger.

None of this is security. Absolutely none of it.

EDITED TO ADD (8/7): The laptop has been found. Turns out it was never stolen:

The laptop was found Tuesday morning in the same company office where it supposedly had gone missing, said spokeswoman Allison Beer.

“It was not in an obvious location,” said Beer, who said an investigation was under way to determine whether the computer was actually stolen or had just been misplaced.

Why in the world do these people not use full-disk encryption?

Posted on August 5, 2008 at 12:09 PM

Encrypting Disks

The UK is learning:

The Scottish Ambulance Service confirmed today that a package containing contact information from its Paisley Emergency Medical Dispatch Centre (EMDC) has been lost by the courier, TNT, while in transit to one of its IT suppliers.

The portable data disk contained a copy of records of 894,629 calls to the ambulance service’s Paisley EMDC since February 2006. It was fully encrypted and password protected and includes the addresses of incidents, some phone numbers and some patient names. Given the security measures and the complex structure of the database it would be extremely difficult to gain access to any meaningful information.

News story here.

That’s what you want to do. There is no problem if encrypted disks are lost; you could mail them directly to your worst enemy. Well, assuming you’ve implemented the encryption properly and chosen a good key.

This is much better than what the HM Revenue & Customs office did in November.

I wrote about disk and laptop encryption previously.

Posted on July 4, 2008 at 1:10 PM

IT Attacks: Insiders vs. Outsiders

A new study claims that insiders aren’t the main threat to network security:

Verizon’s 2008 Data Breach Investigations Report, which looked at 500 breach incidents over the last four years, contradicts the growing orthodoxy that insiders, rather than external agents, represent the most serious threat to network security at most organizations.

Seventy-three percent of the breaches involved outsiders, 18 percent resulted from the actions of insiders, with business partners blamed for 39 percent—the percentages exceed 100 percent due to the fact that some involve multiple breaches, with varying degrees of internal or external involvement.

“The relative infrequency of data breaches attributed to insiders may be surprising to some. It is widely believed and commonly reported that insider incidents outnumber those caused by other sources,” the report states.

The whole insiders vs. outsiders debate has always been one of semantics more than anything else. If you count by attacks, there are a lot more outsider attacks, simply because there are orders of magnitude more outsider attackers. If you count incidents, the numbers tend to get closer: 75% vs. 18% in this case. And if you count damages, insiders generally come out on top—mostly because they have a lot more detailed information and can target their attacks better.

Both insiders and outsiders are security risks, and you have to defend against them both. Trying to rank them isn’t all that useful.

Posted on June 24, 2008 at 6:55 AM

Oklahoma Data Leak

Usually I don’t bother blogging about these, but this one is particularly bad. Anyone with basic SQL knowledge could have registered anyone he wanted as a sex offender.

One of the cardinal rules of computer programming is to never trust your input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Apparently, the developers at Oklahoma’s Department of Corrections slept through that day in computer science class, and even managed to skip all of Common Sense 101. You see, not only did they trust anonymous user input on their public-facing website, but they blindly executed it and displayed whatever came back.

The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years. Up until yesterday, April 13, 2008, anyone with a web browser and the knowledge from Chapter One of SQL For Dummies could have easily accessed—and possibly, changed—any data within the DOC’s databases. It took me all of a minute to figure out how to download 10,597 records—SSNs and all—from their website.

Posted on April 18, 2008 at 6:16 AM
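As an added illustration of the “never trust your input” rule the quoted write-up invokes, here is the coding mistake it describes beside the fix. This is example code written for this page, not the Oklahoma DOC application or the original blogger’s code: a lookup that splices user input into the SQL text, next to the same lookup with a bound parameter, both run against a constructed in-memory SQLite table. The `registry` table, its invented rows, the city values and the function names are all assumptions made for the demo.

```python
import sqlite3

# Constructed sample data: a small registry-style table with invented rows.
# None of these names or cities correspond to real records.
SAMPLE_ROWS = [
    (1, "Alice Example", "Tulsa"),
    (2, "Bob Sample", "Norman"),
    (3, "Carol Demo", "Tulsa"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE registry (id INTEGER PRIMARY KEY, name TEXT, city TEXT)"
    )
    conn.executemany("INSERT INTO registry VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, city):
    """The mistake: the caller-supplied string becomes part of the SQL text.

    Whatever the user types is parsed by the database as SQL, so a value
    containing quotes and operators changes the meaning of the statement
    instead of being compared against the column.
    """
    sql = "SELECT id, name, city FROM registry WHERE city = '" + city + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, city):
    """The fix: the value travels separately from the statement.

    The statement text is fixed at write time; the driver binds `city` as a
    value, so it can only ever be compared with the column, never executed.
    """
    sql = "SELECT id, name, city FROM registry WHERE city = ?"
    return conn.execute(sql, (city,)).fetchall()


def demo():
    """Run both lookups with an honest value and a crafted one.

    Returns row counts so the difference is visible: the concatenated
    version returns every row for the crafted input, the bound version
    returns none because no city literally equals the crafted string.
    """
    conn = make_db()
    honest = "Tulsa"
    crafted = "Tulsa' OR '1'='1"  # constructed input that rewrites the WHERE clause
    return {
        "vuln_honest": len(lookup_vulnerable(conn, honest)),
        "vuln_crafted": len(lookup_vulnerable(conn, crafted)),
        "param_honest": len(lookup_parameterized(conn, honest)),
        "param_crafted": len(lookup_parameterized(conn, crafted)),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count} rows")
```

The lesson the numbers show is that the fix is not escaping or filtering the input but never letting it reach the SQL parser as code; every database driver in common use offers the bound-parameter form, and a code review that flags any query assembled with `+` or string formatting is the cheapest check for this class of bug.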

Fraud Due to a Credit Card Breach

This sort of story is nothing new:

Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed.

But it’s rare that we see statistics about the actual risk of fraud:

The company is aware of about 1,800 cases of fraud reported so far relating to the breach.

And this is interesting:

“Visa and MasterCard have stipulated in their contracts with retailers that they will not divulge who the source is when a data breach occurs,” Spitzer said. “We’ve been engaged in a dialogue for a couple years now about changing this rule…. Without knowing who the retailer is that caused the breach, it’s hard for banks to conduct a good investigation on behalf of their consumers. And it’s a problem for consumers as well, because if they know which retailer is responsible, they can rule themselves out for being at risk if they don’t shop at that retailer.”

Posted on March 21, 2008 at 6:39 AM

Foreign Hackers Stealing American Health Care Records

What in the world is going on here?

Foreign hackers, primarily from Russia and China, are increasingly seeking to steal Americans’ health care records, according to a Department of Homeland Security analyst.

Mark Walker, who works in DHS’ Critical Infrastructure Protection Division, told a workshop audience at the National Institute of Standards and Technology that the hackers’ primary motive seems to be espionage.

Espionage? Um, how?

Walker said the hackers are seeking to exfiltrate health care data. “We don’t know why,” he added. “We want to know why.” At the same time, he said, it’s clear that “medical information can be used against us from a national security standpoint.”

How? It’s not at all clear to me.

Any health problems among the nation’s leaders would be of interest to potential enemies, he said.

This just has to be another joke.

EDITED TO ADD (3/13): More.

Posted on February 20, 2008 at 12:30 PM
