finethen wrote: Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel were among the data stolen from the home of a Department of Veterans Affairs analyst last month, federal officials said yesterday, raising concerns about national security as well as identity theft.
Hotel.com had info stolen too in the last few days. Is there some fancy new trick to stealing info or are these just flukes?
Neither. These kinds of databases have been around a long time, but 20 years ago they'd require serious computing centers that couldn't be easily lost or stolen. They did get hacked into from time to time, but you can't take an IBM mainframe with you in your carry-on luggage. Today three things have occurred:

1. Technology has advanced. The entire Veterans Affairs database can run off of someone's laptop. That makes it easier for it to leave the building.

2. Technology has become more widespread. In the 80s these things were the exclusive domain of large businesses and government agencies. Now there are hundreds of thousands of dot-com companies with customer databases that are directly connected to the internet, any one of which could get hacked into.

3. A larger criminal market has arrived. In the 80s very little actual theft occurred as the result of computer crime. Today organized criminal groups have cropped up, largely situated in the anarcho-capitalism that exists in Russia and the Eastern Bloc as they struggle to build real, sustainable economies. These groups target the wide array of potentially insecure information sources, collect identity data, and convert it into cash. Distributed international networks of operatives coordinated through the internet monetize the results of these thefts and funnel money back to central coordinators.

There are three things that need to be done:

1. Organizations that deal in personal information need to continue to take computer security seriously. In particular, the credit card companies, and other organizations that deal with money, need to build better systems for determining whether or not you are you before they'll authorize a financial transaction with your money.

2. Organizations that deal in personal information need to have strict internal policies for access to information. People shouldn't have the database floating around on CD.

3. Some amount of regulation may be needed.
However, IMHO the feds are 0 for 2 with SOX and HIPAA, so I'm not sure they've proved that they can regulate in an effective way. Real computer security is hard, because you have to prevent bad stuff without being noticed as the good guys go about their jobs. When you get noticed, you've done something wrong, either because there has been a breach or because someone can't do their job because your security system stopped them. There is a certain art to finding the balance, and it depends greatly on the specific requirements of the people you are working for and your wisdom in being judicious about what you control. Things like SOX and HIPAA micromanage the problem with one-size-fits-all policies that inevitably fail in the real world. Congress should operate on the level of incentivization and not on the level of specific requirements. For example, one of the reasons credit card fraud is so easy is that credit card companies don't bear the costs associated with fraud (the merchants do), and so they don't have any economic incentive to deploy technologies that are harder to subvert. In fact, credit card companies are making money on fraud by selling useless identity theft protection and credit report monitoring services. This is a problem lawyers can fix. They should focus on who is liable and leave computer security to the computer security professionals.