http://www.rockymountainnews.com/news/2008/mar/17/holes-grow-in-net-safety/

By Jeff Smith
Rocky Mountain News
March 17, 2008

Thieves steal a car that has boxes of documents in it. A law office staff dumps papers into a dumpster. A hacker breaks into university computers.

Each of these real-life examples from last year had two things in common: They occurred in Colorado, and they involved the compromise of confidential information - such as names and Social Security numbers.

Breaches of personal data are a growing problem nationwide, as society handles more information electronically, and it becomes more common to transport that information on laptops and other mobile devices.

The San Diego-based Identity Theft Resource Center reported that more than 127 million records were exposed in 448 separate incidents nationwide in 2007 alone. That represented a huge jump over the 315 incidents and 20 million compromised records in 2006.

The group, which in part compiles its information from news reports, has tracked more than 130 data breaches this year - making 2008 even more active so far.

"We're seeing more breaches in the news than in the past," said Linda Foley, founder of the center.

Another group that tracks the activity, Attrition.org, reported an even greater number of records compromised in 2007: 162.5 million, although its 2008 numbers are down slightly compared with last year.

In Colorado, one of the most publicized data breaches last year involved an attack on a computer server at the University of Colorado. A weak spot in anti-virus software led to a breach that exposed the names and Social Security numbers of almost 45,000 students dating back several years.

It's impossible to get a precise handle on the problem. But studies indicate data breaches and other forms of identity theft affect millions of Americans and cost billions of dollars a year.

It can take months, if not years, for victims to straighten out their credit records.
And, in the process, they likely face the time-consuming hassle of closing accounts and opening new ones.

Part of the increase in data-breach reports could be due to laws requiring companies to disclose the events to the public and victims. Nearly 40 states, including Colorado, have disclosure laws. But there is no federal disclosure rule or standard.

It's unclear how many incidents go unreported.

"I think there's a serious question whether we're even hearing about (the small ones)," said Rob Douglas, a Steamboat Springs-based security consultant and privacy expert. "Even in states where laws have been put in place, (many) businesses themselves probably are not well-informed about those laws and probably don't even know they have a legal responsibility to report."

Douglas noted that most laws allow companies to delay disclosure if requested to do so by law enforcement officials investigating the incident. He said he believes that "at times, companies have used that as a crutch."

Brian Martin, a Denver-based Internet security contractor who co-founded Attrition.org, said he finds a lot of companies don't conduct the forensic investigation necessary to fully understand the implications of a possible breach.

But experts generally agree large companies are doing a better job of reporting incidents, in part because they realize the lack of disclosure can come back to haunt them in terms of lawsuits, customer losses and business costs.

TJX, the parent company of retailers T.J. Maxx and Marshalls, found that out after it disclosed a massive data breach in early 2007. Lawsuits were filed almost immediately, and TJX took a charge against earnings. It was reported recently that the company would hold a one-day, 15 percent-off sale as part of a class-action settlement.

Foley founded the Identity Theft Resource Center after being victimized herself.
She said her employer at a small business in the mid-1990s stole her identity and tried to get credit cards and cell phones in Foley's name. Foley would rather not talk in detail about the incident.

"She was caught and arrested and punished," Foley said. "I am a victim and a survivor. I was able to figure out what was going on, and (police) stopped her fairly fast."

Douglas said that while more attention is being paid to the problem, he has serious doubts about the effectiveness of apprehending and prosecuting criminals.

He said he was in Washington, D.C., recently for a Federal Trade Commission event and heard a prosecutor acknowledge that he wouldn't even touch a case unless victim losses exceeded $40,000.

"I was aghast," Douglas said. "Most losses are smaller than that. Unless you have a very serious crime, the odds of prosecution are very low."

Douglas said the escalation of data breaches in the past few years can't be ignored and goes beyond people simply not doing a good job protecting data.

"The numbers of lost and stolen laptops are just staggering," he said. "Thieves are not stupid. They are looking for these things."

Foley said companies need to do a better job evaluating whether it's necessary for employees to leave the work place with certain information.

But she also noted positive developments, such as industry groups working to establish data-breach standards.

Don't get soaked

Tips for consumers who have been the victim of a data breach or believe they may have been a victim of identity theft:

1. Place a fraud alert by calling the credit reporting agencies. You're entitled to receive a free credit report, which you should carefully review for irregularities.

   * Equifax: 1-800-525-6285
   * Experian: 1-888-Experian (397-3742)
   * TransUnion: 1-800-680-7289

2. Close accounts you believe have been used fraudulently. When doing so, talk to someone in the security or fraud department of the company. Follow up in writing.
Send your letters by certified mail with a return receipt requested so you can document what the company received and when. When you open new accounts, use new personal identification numbers and passwords.

3. File a complaint with the Federal Trade Commission. You can use the agency's online complaint form or call its Identity Theft hotline at 1-877-ID-THEFT (438-4338). Complaints help the agency track down identity thieves.

4. File a report with the local police where the theft took place. Include a printed copy of your FTC ID theft complaint.

Plug the holes before they leak

* Take advantage of your right under federal law to obtain a free credit report each year from the three main credit reporting agencies: Equifax, Experian, TransUnion.

* Experts advise staggering those reports by ordering one every four months. The centralized service set up by the three firms is AnnualCreditReport.com or 1-877-322-8228.

* Warning: This is the only service to obtain your annual free credit reports. There are dozens of other monitoring services, but they cost money.