[ISN] Holes grow in Net safety

From: InfoSec News (alerts@private)
Date: Tue Mar 18 2008 - 00:45:02 PST


http://www.rockymountainnews.com/news/2008/mar/17/holes-grow-in-net-safety/

By Jeff Smith
Rocky Mountain News
March 17, 2008

Thieves steal a car that has boxes of documents in it. A law office 
staff dumps papers into a dumpster. A hacker breaks into university 
computers.

Each of these real-life examples from last year had two things in 
common: They occurred in Colorado, and they involved the compromise of 
confidential information - such as names and Social Security numbers.

Breaches of personal data are a growing problem nationwide, as society 
handles more information electronically, and it becomes more common to 
transport that information on laptops and other mobile devices.

The San Diego-based Identity Theft Resource Center reported that more 
than 127 million records were exposed in 448 separate incidents 
nationwide in 2007 alone. That represented a huge jump over the 315 
incidents and 20 million compromised records in 2006.

The group, which in part compiles its information from news reports, has 
tracked more than 130 data breaches this year - making 2008 even more 
active so far.

"We're seeing more breaches in the news than in the past," said Linda 
Foley, founder of the center.

Another group that tracks the activity, Attrition.org, reported an even 
greater number of records compromised in 2007: 162.5 million, although 
its 2008 numbers are down slightly compared with last year.

In Colorado, one of the most publicized data breaches last year involved 
an attack on a computer server at the University of Colorado. A weak 
spot in anti-virus software led to a breach that exposed the names and 
Social Security numbers of almost 45,000 students dating back several 
years.

It's impossible to get a precise handle on the problem. But studies 
indicate data breaches and other forms of identity theft affect millions 
of Americans and cost billions of dollars a year.

It can take months, if not years, for victims to straighten out their 
credit records. And, in the process, they likely face the time-consuming 
hassle of closing accounts and opening new ones.

Part of the increase in data-breach reports could be due to laws 
requiring companies to disclose the events to the public and victims. 
Nearly 40 states, including Colorado, have disclosure laws.

But there is no federal disclosure rule or standard. It's unclear how 
many incidents go unreported.

"I think there's a serious question whether we're even hearing about 
(the small ones)," said Rob Douglas, a Steamboat Springs-based security 
consultant and privacy expert. "Even in states where laws have been put 
in place, (many) businesses themselves probably are not well-informed 
about those laws and probably don't even know they have a legal 
responsibility to report."

Douglas noted that most laws allow companies to delay disclosure if 
requested to do so by law enforcement officials investigating the 
incident. He said he believes that "at times, companies have used that 
as a crutch."

Brian Martin, a Denver-based Internet security contractor who co-founded 
Attrition.org, said he finds a lot of companies don't conduct the 
forensic investigation necessary to fully understand the implications of 
a possible breach.

But experts generally agree large companies are doing a better job of 
reporting incidents, in part because they realize the lack of disclosure 
can come back to haunt them in terms of lawsuits, customer losses and 
business costs.

TJX, the parent company of retailers T.J. Maxx and Marshalls, found that 
out after it disclosed a massive data breach in early 2007. Lawsuits 
were filed almost immediately, and TJX took a charge against earnings. 
It was reported recently that the company would hold a one-day, 15 
percent-off sale as part of a class-action settlement.

Foley founded the Identity Theft Resource Center after being victimized 
herself. She said her employer at a small business in the mid-1990s 
stole her identity and tried to get credit cards and cell phones in 
Foley's name.

Foley would rather not talk in detail about the incident.

"She was caught and arrested and punished," Foley said. "I am a victim 
and a survivor. I was able to figure out what was going on, and (police) 
stopped her fairly fast."

Douglas said that while more attention is being paid to the problem, he 
has serious doubts about the effectiveness of apprehending and 
prosecuting criminals.

He said he was in Washington, D.C., recently for a Federal Trade 
Commission event and heard a prosecutor acknowledge that he wouldn't 
even touch a case unless victim losses exceeded $40,000.

"I was aghast," Douglas said. "Most losses are smaller than that. Unless 
you have a very serious crime, the odds of prosecution are very low."

Douglas said the escalation of data breaches in the past few years can't 
be ignored and goes beyond people simply not doing a good job protecting 
data.

"The numbers of lost and stolen laptops are just staggering," he said. 
"Thieves are not stupid. They are looking for these things."

Foley said companies need to do a better job evaluating whether it's 
necessary for employees to leave the workplace with certain 
information.

But she also noted positive developments, such as industry groups 
working to establish data-breach standards.


Don't get soaked

Tips for consumers who have been the victim of a data breach or believe 
they may have been a victim of identity theft:

1. Place a fraud alert by calling the credit reporting agencies. You're 
   entitled to receive a free credit report, which you should carefully 
   review for irregularities.

* Equifax: 1-800-525-6285

* Experian: 1-888-Experian (397-3742)

* TransUnion: 1-800-680-7289

2. Close accounts you believe have been used fraudulently. When doing 
   so, talk to someone in the security or fraud department of the 
   company. Follow up in writing. Send your letters by certified mail 
   with a return receipt requested so you can document what the company 
   received and when. When you open new accounts, use new personal 
   identification numbers and passwords.

3. File a complaint with the Federal Trade Commission. You can use the 
   agency's online complaint form or call its Identity Theft hotline at 
   1-877-ID-THEFT (438-4338). Complaints help the agency track down 
   identity thieves.

4. File a report with the local police where the theft took place. 
   Include a printed copy of your FTC ID theft complaint.


Plug the holes before they leak

* Take advantage of your right under federal law to obtain a free credit 
  report each year from the three main credit reporting agencies: 
  Equifax, Experian, TransUnion.

* Experts advise staggering those reports by ordering one every four 
  months. The centralized service set up by the three firms is 
  AnnualCreditReport.com or 1-877-322-8228.

* Warning: This is the only service to obtain your annual free credit 
  reports. There are dozens of other monitoring services, but they cost 
  money.

