http://www.mercurynews.com/mld/mercurynews/business/technology/14754071.htm

By Aman Batheja
Fort Worth Star-Telegram
Jun. 06, 2006

FORT WORTH, Texas - Another week, another huge breach of personal data.

Dallas-based Hotels.com announced last week that credit-card numbers and other personal information on about 243,000 of its customers were on a laptop computer stolen from a car in February.

Last month, the Veterans Affairs Department announced that personal information of 26.5 million veterans was compromised after a laptop and disks were stolen from the home of a data analyst.

Information on 1.3 million more people who borrowed money through the Texas Guaranteed Student Loan Corp. was lost in May while in possession of a contractor.

Despite the growing list of blunders, most companies still aren't doing enough to protect their customers' data, according to security experts. The reasons are largely the prohibitive costs of securing mobile devices and a lack of public concern.

"Until businesses are held accountable ... legally, financially and by customer demand for protecting that information, they're not in any strong hurry to make it happen," said Rick Fleming, chief technology officer with Digital Defense, a San Antonio-based network security firm.

The Hotels.com data breach stems from an audit of the company's transactions performed by Ernst & Young. The laptop was stolen from the car of an analyst with the accounting firm.

Hotels.com spokesman Paul Kranhold said the incident occurred in Texas but would not say where. He would not confirm nor deny news reports that indicated that the theft occurred in the Dallas area.

The laptop required a password to use it. A file on the computer has information mostly on customer transactions from 2004, although some are from 2003 and 2002. The information on the file may have included customers' names, addresses and some credit- or debit-card information, according to a statement released by Ernst & Young.
Hotels.com is sending letters to every customer whose data may have been on the laptop. Ernst & Young has set up a call center to address questions or concerns involving the incident. The accounting firm has also arranged for those affected to sign up for a credit-monitoring service for a full year for free.

The information on the laptop was not encrypted, that is, it had not been transformed into a form that cannot be read without the corresponding key. Ernst & Young spokesman Charlie Perkins said the company had begun installing encryption systems on all of the company's laptops earlier this year, but the one with the Hotels.com data did not have the system yet.

Ernst & Young has promised Hotels.com that it will take extra steps to protect the company's data in the future, including encrypting sensitive information. It has set up a toll-free phone number to help those who may be in danger of identity theft: 866-387-2242.

Encryption is one of the most effective and efficient ways of securing information on a laptop, said Mike Stute, chief technology officer for Global DataGuard, a security risk-management company in Dallas. Companies, especially larger ones, are hesitant to spend up to several hundred dollars per laptop to encrypt data, Stute said.

"The truth is, the $1,000 laptop is trivial compared to the data on the machine," Fleming said. "I don't understand why every company doesn't do it."

Even a good encryption program is only as safe as the person operating it. A hacker can easily overcome an encryption system that's protected by a password if the user picked an easy one to guess, Fleming said. A more secure system includes an encryption token, a small object that must be plugged into the laptop's USB port to decrypt the information. That type of system can be extremely effective -- as long as the laptop and the token are kept apart.
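The two failure modes described above, a guessable password and a key held on a separate token, as an added worked example. This is not code from the article, from Ernst & Young, or from any product named in it; the file format (salt || nonce || ciphertext || tag), the PBKDF2 parameters, the sample records and the wordlist are all constructed for illustration, and HMAC-SHA256 in counter mode stands in for a real cipher such as AES-GCM. With a password-protected file the salt travels with the stolen laptop, so the thief can run an offline dictionary attack and a failed tag check tells him to try the next word; with a random 256-bit key that lives on the token, there is no password to guess and random key trials get nowhere.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for the stolen transaction file; not real customer data.
SAMPLE_RECORDS = (
    b"2004-03-11,J. Example,123 Main St,4111111111111111\n"
    b"2004-07-02,A. Sample,9 High Rd,5500000000000004\n"
)

# Constructed short wordlist: the first guesses any offline cracker tries.
WORDLIST = ["password", "123456", "hotels", "letmein", "Summer2004", "qwerty"]

PBKDF2_ITERATIONS = 20_000   # assumed cost parameter; real settings vary
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> 256-bit key. The effective key space is the password space."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (demo only;
    a real product would use AES-GCM or similar)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Returns plaintext, or None when the tag does not verify (wrong key)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def encrypt_with_password(password: str, plaintext: bytes) -> bytes:
    """Password-protected file: salt || encrypt(KDF(password, salt), data)."""
    salt = os.urandom(SALT_LEN)
    return salt + encrypt(derive_key(password, salt), plaintext)


def guess_password(blob: bytes, wordlist):
    """Offline attack on a stolen password-protected file. The salt is stored in
    the file, so each guess costs one KDF run plus one tag check, and a failed
    tag check tells the attacker to move on to the next word."""
    salt, body = blob[:SALT_LEN], blob[SALT_LEN:]
    for guess in wordlist:
        plaintext = decrypt(derive_key(guess, salt), body)
        if plaintext is not None:
            return guess, plaintext
    return None


def weak_password_scenario():
    """Analyst picks a dictionary word; the thief needs only the laptop."""
    stolen_file = encrypt_with_password("hotels", SAMPLE_RECORDS)
    return guess_password(stolen_file, WORDLIST)


def token_key_scenario(attacker_attempts: int = 1000):
    """Key generated at random and held on a separate USB token: there is no
    password to guess, so the thief can only try random 256-bit keys.
    Returns (what the token holder recovers, whether any attacker trial worked)."""
    token_key = secrets.token_bytes(32)       # stays on the token, never on disk
    stolen_file = encrypt(token_key, SAMPLE_RECORDS)
    attacker_hits = sum(
        decrypt(secrets.token_bytes(32), stolen_file) is not None
        for _ in range(attacker_attempts)
    )
    return decrypt(token_key, stolen_file), attacker_hits > 0


if __name__ == "__main__":
    print("weak password:", weak_password_scenario())
    print("token key:", token_key_scenario())
```

Running the block recovers the password "hotels" and the records from the password-protected file after three guesses, while the token-protected file yields nothing to the attacker and decrypts only for the holder of the token key. The slow KDF raises the per-guess cost but cannot help when the password itself is on a wordlist; keeping the key off the laptop, as the token does, is what removes the guessing path, which is exactly why taping the token to the laptop throws the benefit away.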
Fleming recalled seeing a man in an airport with an encryption token taped to his laptop, thereby defeating the purpose of having the token at all.

A slew of large data breaches has surfaced in the past year mainly because laws passed in several states now require companies to report these embarrassing mistakes. California started the trend of data-breach laws in 2003. The Texas Breach of Computer Security Statute went into effect in September.

"There's no question that the states are taking the lead on identity theft," said Ed Mierzwinski, consumer program director for the Texas Public Interest Research Group.

A handful of bills working their way through Congress would make data-breach notification a national law. Depending on which bill passes, companies may be required to report any data breach where there is a chance of identity theft or fraud, or only those where misuse of the data is likely.

No matter what laws are passed, Stute doubts that companies will get more serious about protecting sensitive data until the technology becomes cheaper and easier to use. He noted that they have little motivation, considering that most of the major data breaches over the last year have not appeared to impose any lasting damage to the image of the company at fault.

"It never seems to stop consumers anyway," Stute said. "It's bad press, but it doesn't seem to hit home with anybody."

_________________________________
Attend the Black Hat Briefings and Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations, 10 tracks, no vendor pitches.
www.blackhat.com
This archive was generated by hypermail 2.1.3 : Tue Jun 06 2006 - 22:23:55 PDT