Saturday, January 14, 2006

Federal Government Web Site Vulnerabilities Revealed in Recent News Reports Lay Bare the Sad State of Data Security

Security vulnerabilities that recent reports have revealed about federal government Web sites are unacceptable. The news, combined with ongoing corporate greed and negligence, bodes ill for the state of data security in a computer environment teeming with identity thieves.

Negligence and ignorance, not to mention greed on the part of industry, are horrible excuses for identity theft. We are seeing outrageous, unnecessary levels of incompetence and inattention.

On Jan. 13, The New York Times reported a security hole discovered at the General Services Administration (GSA). Government contractors’ financial information was found to be viewable and modifiable at the GSA’s Web site. The story followed news last week in Wall Street & Technology reporting Social Security numbers had been displayed at the U.S. Department of Justice’s Web site.

I have appeared on CNBC’s “On the Money” multiple times over the past two weeks to discuss identity theft. The rampant, out-of-control use of the Social Security number as a primary identifier and multipurpose account ID is unnecessary. The situation these practices breed makes the identity thief’s job easy.

A recent article in titled “Hijacking your Social Security number” provides a history explaining how the Social Security number has evolved to become a universal, all-purpose identifier. According to the Wall Street & Technology report, the Privacy Act aims to block the kind of Social Security number breach seen at the DOJ’s site but “is frustratingly fuzzy and comes with a dozen exceptions.”

Obviously, the Privacy Act is often misinterpreted or not enforced. If we want to stop identity theft, we need to make sense and use common sense. We need to make our own rules and tactics clear-cut.

We have no choice but to give large organizations our personal identifying and financial information. In return, the least that government and industry could do is to safeguard our information. And yet, despite all the high-profile breaches we’ve seen, we also see a continuing failure to implement simple measures that would curb the problem.

Credit Monitoring and Similar Services that Protect Small Business Owners and Others Deserve More Attention

Identity theft can be a catastrophe for small business owners, but credit monitoring and other solutions can ward off the crime or minimize the fallout that follows. The new year has already seen reports that larger companies recognize the potential such services pose in helping small businesses and profit margins at the same time.

Credit monitoring and other services protect the small business owner when thieves compromise her identity. Other products can help civilians to track their identities and thwart beginning-stage thefts. These services all deserve attention.

A report in the Jan. 1 issue of the Orlando Business Journal indicated that at least one company now sees the value in publicizing and offering identity theft protection services. According to the article, The Hartford Financial Services Group Inc. has made identity theft insurance available on “all its new or renewed small business policies."

I appeared on CNBC’s “On the Money” on Jan. 3 with representatives from Allstate Insurance to discuss credit monitoring and identity theft insurance. It’s time for industry to revisit its efforts to promote credit monitoring and similar services. For a long time, I’ve informed those who attend my identity theft workshops of the many products available to them. These services have existed for years. Many people are unaware of this, but I always encounter huge demand.

Other, similar services, which I offer through my Web site, have been available for a while:

=>MyPublicInfo, an Arlington, VA–based identity management company, provides the Public Information Profile (PIP), a tool that can be very useful in tracing the public “threads” that run through our lives. Anyone who obtains a PIP can view public records connected to his or her name and also see information accessible to other people performing background checks. Citizens can use their PIP to make sure their identities are in order.

=>Kroll Background America, the world’s leading risk-consulting company, provides the Identity Theft ShieldSM. The product includes continuous credit monitoring; access to Pre-Paid Legal Services®, Inc., an affordable attorney service; and identity restoration assistance should the customer’s ever be stolen.

=>MyPrivateLine (MPL) is a service offered by PrivateTel and available through An identity thief can learn a great deal from little information. This information could be as simple as a phone number. MPL ensures the last bit of privacy protecting a phone user’s identity. A single person can use MPL when communicating via phone through online social sites. Business owners can use MPL, too, when they want to list untraceable toll-free phone numbers for classified ads.

News reports about the suspected theft of millions of identities last year gave the impression that consumers were helpless. Yet the best bulwark against identity theft is indeed the consumer. We need to educate consumers on what’s available to them to stop this crime where the rubber meets the road.

A Data Tape Fumble and Major Computer Hack Job Cap off a Year Fraught with Large-scale Security Breaches and Whispers of Massive Identity Thefts

Reports in December described the loss of customer data tapes from a large mortgage company and revealed that hackers had managed to infiltrate the database of a company that itself investigates computer hacking incidents. The developments were fitting ways to cap off a year that was swimming in security breaches and identity theft. I see little improvement in the ways industry protects our data.

News of the ChoicePoint breaches broke in February of last year. Then we heard about the scare with Bank of America tapes, Social Security numbers of Boeing employees, everything in between, and now the latest. It’s like nobody has learned anything.

MSNBC and others ran articles late that month piecing together the apparent loss by delivery firm DHL and subsequent retrieval by the proprietor, a mortgage company, of computer tape containing data on 2 million mortgage customers. According to accounts, Dutch-owned ABN Amro Mortgage Group Inc. later reported the retrieval of lost computer tape that had entered transit via DHL on Nov. 18, more than a month earlier.

These companies should treat this data as if it were money to be transported in an armored vehicle. Imagine if millions of dollars were transported via a run-of-the-mill delivery truck.

Companies are cutting corners. It costs money to expand the capabilities of in-house server backup. Taking chances with the transit of consumers’ data costs industry less to low-tech warehouses is less expensive.

And people should be asking why the credit bureaus aren’t providing transport vehicles. Credit bureaus require the tapes but don’t seem to chip in with transportation costs.

The Washington Post then reported that hackers had compromised the database of Guidance Software, a Pasadena, Calif.–based company whose purpose, ironically, is to diagnose hacked computer systems. According to the article, Guidance’s database contained sensitive identifying information on thousands of those working in law enforcement and network security.

To Guidance’s credit, the company was prompt in notifying customers of their compromised identities. This is more than can be said for most other companies this year plagued by security breaches. Beyond the irony behind Guidance’s problems, we see just how perilous computer security really is. Everyone’s identity is on a computer, somewhere, and it seems like the information is fair game if you’re a smart enough hacker.

Industry needs to be in crisis mode, but doesn’t seem to be. Companies continue to handle our data just as they have for years despite the obvious threat exemplified by multiple high-profile breaches this year. How many second chances are we going to give them?

This page is powered by Blogger. Isn't yours?