Slashdot: News for Nerds

Medicaid Hack Update: 500,000 Records and 280,000 SSNs Stolen

timothy posted more than 2 years ago | from the needs-more-government-regulation dept.

Security 64

An anonymous reader writes "Utah's Medicaid hack estimate has grown a second time. This time we have gone from over 180,000 Medicaid and Children's Health Insurance Plan (CHIP) recipients having their personal information stolen to a grand total of 780,000. More specifically, the state now says approximately 500,000 victims had sensitive personal information stolen and 280,000 victims had their Social Security numbers (SSNs) compromised."

64 comments

Not to be rude about it, but (0, Interesting)

Anonymous Coward | more than 2 years ago | (#39629891)

Don't the darknets where these SSN's and identities trade put a certain value on the credit history and wealth of the individuals involved? Realistically, who is going to want SSN's of a bunch of poor people on Medicaid? That's not to say that this excuses Utah from data security, of course, or makes this any less of a lesson in the need for said security. But I don't think too many of these things are going to end up resulting in actual identity thefts, not if the people who buy them have any clue what they're buying.

Although it does present an amusing image of a bunch of Ukrainian hackers trying to get credit cards in the names of people who have no income and wondering why none of them are going through.

Re:Not to be rude about it, but (0)

Anonymous Coward | more than 2 years ago | (#39629945)

Not just poor people are on Medicaid. Just about every US citizen over the age of 65 is on it. What benefits they get may be based upon need, but they are still registered and on the list.

Re:Not to be rude about it, but (5, Informative)

hrvatska (790627) | more than 2 years ago | (#39630097)

Almost all US citizens over 65 are on Medicare, which is not the same as Medicaid. Some elderly are on both Medicare and Medicaid, but most are not.

Re:Not to be rude about it, but (0)

Anonymous Coward | more than 2 years ago | (#39630125)

You're thinking of Medicare. Medicaid really is for the poor.

Re:Not to be rude about it, but (1)

Stormy Dragon (800799) | more than 2 years ago | (#39630287)

No, seniors are on Medicare, which is a completely different program.

Re:Not to be rude about it, but (1)

anotheryak (1823894) | more than 2 years ago | (#39630517)

You mean Medicare, not Medicaid, which is for the very poor or terminally ill.

The big prize here would be any Children's SSN's. Those are valuable for identity fraud [sltrib.com] because children have clean credit histories, and it takes months-to-years for the parents to figure it out.

I suspect "Anonymous" may be at work here, they've attacked Utah government and police sites before [sltrib.com]. They seem to support free speech, unless it's free speech they don't like, then it should be destroyed. Ironically, not only did they attack the wrong police department (Salt Lake City, not West Valley City), but they took down the site that allows the public to talk to the police. But I guess as long as you destroy something and screw up people's lives, that's good news for them.

Re:Not to be rude about it, but (1)

gnick (1211984) | more than 2 years ago | (#39630697)

They seem to support free speech, unless it's free speech they don't like, then it should be destroyed.

You're giving them too much credit. Most of them do it for the lulz. Seriously.

Re:Not to be rude about it, but (0)

Anonymous Coward | more than 2 years ago | (#39632555)

Honestly, not just 65 and over and poor people are on medicaid. Where I live you can only get medicaid if you have children (and primary guardianship) and you made less than $120 in the month (I kid you not) or of legal retirement age, or permanently disabled (unable to work). However, once accepted it's there for a year no matter what. So I spent 4 months unemployed and forgot to file for unemployment for a month. After 3 months I finally applied for food stamps and medicaid. The only reason I got approved was because the first month of me being unemployed I had no income. When I accepted it, I was struggling to get my kids to the doctor and they needed their shots. Next month I picked up a job (that doesn't offer Health Insurance) that pays 6 figures. I also can't get private health insurance myself, so that's why we're still on.

So yeah, there's a case where stealing an SSN would hurt, I'm sure I'm more of a minority. Something else I'd like to point out, my mother has been unemployed for almost 7 years, hasn't had _any_ money (legally) coming in over the last 7 years and yet she can't get medicaid (because she can work, she doesn't have children, and she isn't 65+, though getting close).

Re:Not to be rude about it, but (0)

Anonymous Coward | more than 2 years ago | (#39632595)

Err Medicare is for the old and disabled, medicaid is for the poor. Note above is what I was told by the medicaid people while I was being accepted for it.

Re:Not to be rude about it, but (1)

SJHillman (1966756) | more than 2 years ago | (#39629959)

Poor people are probably less likely to keep an eye on their credit reports so they're actually better targets. Stealing identities to get 100 fraudulent cards with a $1000 limit each is much more useful than a single card with a $100,000 limit... especially since the person whose identity allowed you to get the $100,000 card is more likely to catch it and know how to deal with it before it's too late.

Re:Not to be rude about it, but (0)

Anonymous Coward | more than 2 years ago | (#39630459)

I would guess a significant portion of the people on Medicaid cannot get any credit of any kind. In most states, the Medicaid asset limit is $2k. Nobody is going to give $1k in credit to a person with only $2k in assets. These are literally people living well below the poverty line, with little to no income. They don't have credit and they can't get it.

Re:Not to be rude about it, but (0)

Anonymous Coward | more than 2 years ago | (#39630749)

I would guess a significant portion of the people on Medicaid cannot get any credit of any kind

Then you would guess wrong.

Besides, the big prize is, as someone upthread said, children's SSNs.

Re:Not to be rude about it, but (0)

Anonymous Coward | more than 2 years ago | (#39630059)

Why does it always have to be Ukrainian hackers... just bash the Russians man, leave Ukrainians alone :) We suffered enough with Chernobyl and sh!t...

Re:Not to be rude about it, but (1)

firex726 (1188453) | more than 2 years ago | (#39630321)

Hey Stalker!

Illegal aliens (0)

Anonymous Coward | more than 2 years ago | (#39630067)

Realistically, who is going to want SSN's of a bunch of poor people on Medicaid?

Illegal aliens for one. Allows them to get a job.

Also, the victims may be poor, but if they have a clean credit record that's more than adequate to open a line of credit. Identity thieves can use this.

Then there's an SSN for getting medical treatment. Go to a hospital's emergency room, get treated, give them the SSN and name, and tada! Free medical treatments. Then the hospital tries to collect from the real person, real person says it's not them, hospital eats the cost - well, passes it on to people who can pay. (And Fox News says that "ObamaCare" will cost us more!)

This wouldn't be a problem if businesses weren't so beholden to the credit bureaus and Choicepoint to gather data - they think those companies are actually accurate.

Re:Illegal aliens (2)

leonardluen (211265) | more than 2 years ago | (#39630299)

Illegal aliens for one. Allows them to get a job.

it would be somewhat amusing if this helped the credit score for some of these people...though it would suck if it disqualifies them for medicaid

government agent: well it appears you are working 11 jobs in 3 states making a total of $123k per year. i am sorry but you don't fall under the minimum wage requirements to remain on medicaid...however we can offer you a heck of a deal on a new mortgage!

Re:Illegal aliens (1)

firex726 (1188453) | more than 2 years ago | (#39630361)

Don't they check the SSN against the listed name, DOB, gender, etc...?

Sure I would have something to put on a paper, but wouldn't it raise a red flag when the paper says it's a 23 year old Juan Gomez; and the SSN is for a 78 year old Martha Hicks on the other side of the country?

I once typo'd my SSN on a leasing agreement and the apt company asked me to redo it as the information did not match up.

Re:Illegal aliens (2)

Jason Levine (196982) | more than 2 years ago | (#39630581)

One would hope so, but as I learned the hard way, companies don't always check or pay attention to red flags. My identity was stolen. The thieves used my name, address, SSN, and DOB to open a credit card in my name. They got my mother's maiden name wrong. You know, that "security" question that's supposed to help prevent fraud? They got it completely wrong. (Red Flag #1) Then, they paid for rush delivery of the card and changed the address to another state entirely. (Red Flag #2) Then, they tried to get a $5,000 cash advance before the card was even activated. (Red Flag #3)

The only reason I found out about any of this was because the card company shipped the card out FIRST and THEN changed the address on their records. So the card wound up on my doorstep. Of course, once alerted to the fraud, the credit card company stonewalled me. (I was actually told "We can't tell you what the address is on the file they created under your name because if you go there and shoot them we're liable for damages.") They also stonewalled the police officers by not responding to calls. (They had a special "police call here" line which seemed to go straight to an unanswered voice mail system.)

The end result is that my ID thief got away and likely stole other people's identities and the credit card company (*cough* Capital One *cough*) is likely still approving sketchy applications.

Re:Illegal aliens (1)

firex726 (1188453) | more than 2 years ago | (#39630653)

So is there no recourse in such a case?

If the CC company won't allow you or the police to pursue the matter.

Re:Illegal aliens (1)

Jason Levine (196982) | more than 2 years ago | (#39631435)

It all depends on how much you want to pursue the matter and how forceful your police department is. My police department kept insisting that investigating these cases was useless because chances are the thief was in a different jurisdiction. They would not update me for awhile and, when I got insistent, they would reveal there was no progress at all. They honestly didn't seem to care much because I didn't "lose" anything of much value. (We caught it in time so immediate monetary loss was zero.) They also were completely technologically clueless. When they mentioned they had the IP address of the person who submitted the application form, I had to show them how to tracert to find info on the IP and alerted them to the fact that the ISP could tell them who was signed on then given the IP and date/time. After the credit card company's delays and the police delays got to be too much, I just dropped it and concentrated on securing my credit against future attacks.

Re:Illegal aliens (1)

gnick (1211984) | more than 2 years ago | (#39630827)

The end result is that my ID thief got away and likely stole other people's identities and the credit card company (*cough* Capital One *cough*) is likely still approving sketchy applications.

Coincidentally, I was on the phone for a good while with them yesterday and will be heading to the bank once they open today. Somebody grabbed those "balance transfer" (or whatever) checks that they send you out of my mailbox, wrote an enormous check out to "cash", put a signature on it that kind of looks like my name (if not my signature), and pulled out the cash before Capital One had a chance to tell the bank that the check was beyond my credit limit. Fun... Even the most basic heuristics should tell them that I don't make a habit out of borrowing $10k in cash against a credit card...

Re:Illegal aliens (1)

Jason Levine (196982) | more than 2 years ago | (#39631475)

Sadly, companies like this seem to consider basic fraud checks to be a needless expense. They just approve any credit/transfers and if they make a mistake.... oops! Well, it's only your money/credit. They'll write off any losses they incur and move on. Not every company is like this, but enough big companies are to make real problems for people like us.

Re:Illegal aliens (-1)

Anonymous Coward | more than 2 years ago | (#39630417)

No one has any damned idea what "Obamacare" will cost- that's the real problem. Experts on the issue are scratching their heads, so I know damned well some filthy geek on /. has no fucking clue.

But you stick to your little zero thought ideological talking points and "FoxNews" bogeyman bullshit. That's working out so fucking well, geek trash.

Re:Not to be rude about it, but (4, Interesting)

vlm (69642) | more than 2 years ago | (#39630315)

who is going to want SSN's of a bunch of poor people on Medicaid?

If you can fog a mirror you can get a car loan. A car can be driven across the border, to a chop shop, etc. If you're poor the interest rate will be 15% but if you stole the info and intend to never make a payment, no one cares. My mom had zero income, and someone with her info bought a pickup truck in Texas and disappeared into Mexico. She had no problem removing it from her credit history as it was beyond ridiculous, but if she were not so lucky, then it could have been a problem.

You don't need any money for an illegal to use your information to hold a job (IRS etc) or get free medical care. Actually a poor person has much better medical coverage than I do... so their info is more valuable than mine. The IRS thing with stolen SS numbers is no problem unless the illegal claims 15 exemptions and pays no tax.. then you have to pay their tax for them, or prove you're not working both as a sysadmin and a restaurant dishwasher simultaneously.

You don't need any money or credit record to visit a "check cashing place / payday loan joint" with a fake check, walk out with cash, and leave the victim to figure it all out.

Re:Not to be rude about it, but (1)

deciduousness (755695) | more than 2 years ago | (#39634227)

Ha! 15%, I wish. The cheapest rate I got for my first car loan was 20%, and they made it clear that they were doing me a favor while they were gouging me.

Re:Not to be rude about it, but (2)

LoverOfJoy (820058) | more than 2 years ago | (#39631459)

Not everyone on Medicaid stays poor for the rest of their lives. Utah in particular has a lot of young married students with young children who qualify for CHIP while in college but later go on to lucrative careers.

It might have something to do with the fact that (1)

Eightbitgnosis (1571875) | more than 2 years ago | (#39632277)

It's amazing how many social security checks go out to dead people

Re:Not to be rude about it, but (1)

mxbradley (1925686) | more than 2 years ago | (#39640357)

It also allows criminals to fraudulently bill Medicaid for services, prescriptions, and equipment that were never delivered. See news stories like this [journalgazette.net] and this [cbsnews.com].

What a scam (0)

hesaigo999ca (786966) | more than 2 years ago | (#39629943)

How could this happen?
Why is it happening, the information is supposed to be properly secured, and the company is supposed to follow ISO standards, no?
Unless they outsourced to a company that did not need to do the same, and then went and used their services/softwares....
otherwise, I am without any ideas how this could happen.

ooops (-1, Offtopic)

hesaigo999ca (786966) | more than 2 years ago | (#39629949)

And... oh yeah.....first post!

outsourcing and contractors / sub contractors (1)

Joe_Dragon (2206452) | more than 2 years ago | (#39630251)

Using outsourcing and contractors / sub contractors not only adds overhead, it also lets people play the pass-the-blame game that most of the time ends in one sub contractor getting changed (with all the cost that comes with it) without fixing the real issues up front.

Now why should the techs take the blame for stuff outside of their control, like having older software that they don't have the funds or control to update? Don't have the power to make changes to the config without having to go through levels of contractors to get it done. Having to deal with non-tech managers running the shop who do have control but buy stuff at golf course meetings with no input from the tech people.

Re:What a scam (3, Insightful)

kestasjk (933987) | more than 2 years ago | (#39630357)

Why is it happening, the information is supposed to be properly secured, and the company is supposed to follow ISO standards, no?
Unless they outsourced to a company [...] I am without any ideas how this could happen.

Oh I envy your naivety.. I work for an ISO9001 company and it is terrifyingly insecure.

ISO9001 compliance has nothing to do with security, and frankly ISO9001 compliance doesn't even have very much to do with ISO9001 certification..

Re:What a scam (1)

jedinite (33877) | more than 2 years ago | (#39632729)

The reference to ISO compliance here isn't to the ISO9001 quality standard, but the ISO 27001 and ISO 27002 best practices standards for information security.

see: http://en.wikipedia.org/wiki/ISO/IEC_27001 [wikipedia.org]

Re:What a scam (2)

Quiet_Desperation (858215) | more than 2 years ago | (#39630441)

How could this happen?

The people in charge don't give a shit.

Next silly question.

ID (3, Insightful)

Anonymous Coward | more than 2 years ago | (#39629993)

Good thing these are only numbers which would require some sort of modern photo ID to actually use in a context where serious harm could be caused through fraudulent use.

Right?

Re:ID (1)

anotheryak (1823894) | more than 2 years ago | (#39630555)

Good thing these are only numbers which would require some sort of modern photo ID to actually use in a context where serious harm could be caused through fraudulent use.

Someone modded this up to "Insightful"? Really? Are you from Planet Quendor?

If you needed real government-issued photo ID to commit identity theft, then most of the criminals would be out of business.

So that's only... (-1)

Anonymous Coward | more than 2 years ago | (#39630069)

So that would only be 5 Mormon families...

Simple solution: (1)

ArsenneLupin (766289) | more than 2 years ago | (#39630107)

do it like they do in Luxembourg: arrest anybody who talks about the breach [news.rtl.lu]. After a while there will be nobody left that knows about it. Case closed!

Re:Simple solution: (1, Funny)

Nidi62 (1525137) | more than 2 years ago | (#39630167)

do it like they do in Luxembourg: arrest anybody who talks about the breach [news.rtl.lu]. After a while there will be nobody left that knows about it. Case closed!

Yeah, but that's Luxembourg. Arrest like 5 people and you've arrested almost a quarter of the population. A lot harder to do that in the US.

Re:Simple solution: (3, Informative)

mrvan (973822) | more than 2 years ago | (#39630253)

Yeah, but that's Luxembourg. Arrest like 5 people and you've arrested almost a quarter of the population. A lot harder to do that in the US.

You seem to be doing a good job, though... [wikipedia.org]

Re:Simple solution: (0)

vlm (69642) | more than 2 years ago | (#39630339)

Arrest like 5 people ... almost a quarter of the population. A lot harder to do that in the US.

We'll git er done... Americuh, F yeah!

Re:Simple solution: (0)

Anonymous Coward | more than 2 years ago | (#39630523)

Aw, that's cute. I bet you think you're *so* above it all, don't you? I just wish I could be there to watch at the moment the real truth becomes known to you.

Pffffft..... (1)

AmiMoJo (196126) | more than 2 years ago | (#39630223)

The UK government lost 25 MILLION records on one disc. 500k is nothing.

Seriously, how bad does it have to get before people figure this out?

Re:Pffffft..... (1)

Ogi_UnixNut (916982) | more than 2 years ago | (#39632709)

Yeah, but when you lose sooo many records, nobody can use them as authoritative identity anymore, and as such they become rather useless for ID Fraud. Ironically the UK loses so many records that the records themselves are probably of very little use to ID thieves on their own. Everybody knows not to trust them due to all the leaks :)

Re:Pffffft..... (0)

Anonymous Coward | more than 2 years ago | (#39658437)

The UK government lost 25 MILLION records on one disc. 500k is nothing.

Seriously, how bad does it have to get before people figure this out?

The total population of the state of Utah is slightly less than 3 million. (Source:Wikipedia) So, yeah, 500k is a pretty big deal. The fact that the state even had this many records to be stolen is what boggles my mind. Why would the state even have any medical records for such a large percentage of the population?

So, how did they discover the leakage? (4, Insightful)

SCHecklerX (229973) | more than 2 years ago | (#39630319)

I always wonder about these stories. They are obviously so ate up with their infrastructure that they don't know how to properly configure, maintain, and secure it. So how, then, do they detect the breach, which is usually far more difficult than protecting the stuff in the first place.

This! (2, Informative)

Anonymous Coward | more than 2 years ago | (#39630497)

So how, then, do they detect the breach, which is usually far more difficult than protecting the stuff in the first place.

This is the right question.

It so often sounds like these organizations lack high-end intrusion detection systems. It's usually a case of someone stumbling across the "open door" and sounding the alarm. Organizations that lack good IPS are unlikely to have good network auditing systems that record who accesses what and when for every file or network recorders that record every packet on the network. In fairness, that stuff is expensive, complex to install, maintain and use, and introduces storage issues. So, it is not unreasonable for a network to lack this stuff, even a government network with sensitive data.

But, the announcements of precise numbers of compromised accounts and so forth are hard to believe. I think it's more a case of; 'we think this Excel file was copied and it had 150,000 numbers in it'. Oh wait; 'this other Excel file might have been read and it has 250,000 numbers in it'.

These guys are guessing. They don't have a clue what went missing or when. But, the scary thing is that the truly skilled intruders get in, siphon off everything, and move on without anyone ever knowing. Some may even lurk for months/years without ever being discovered.

Re:This! (0)

Anonymous Coward | more than 2 years ago | (#39630831)

That's exactly right. The news said it was due to an employee error which means they didn't change the admin password. There is no way they know what was stolen and who is compromised, just that the server was accessed by a foreign ip and some data was transmitted. They can only guess what data might have been transmitted and notify people. Utah has centralized their IT department to a central internal group, but with hundreds (if not thousands) of servers to manage I'm sure there are many more servers still needing to be secured.

Re:So, how did they discover the leakage? (0)

Anonymous Coward | more than 2 years ago | (#39630507)

Gonna go with attackers flaunting it at their faces.

Re:So, how did they discover the leakage? (0)

Anonymous Coward | more than 2 years ago | (#39630935)

Well, it probably went something like:
  we have 100000 users in system A and some users of system A come to us and tell us we lost their data. So we had a breach and 100000 users were compromised.

A while later someone comes in and says you lost my data, hm wait a minute he's not from system A but from system B which has 250000 users. Ok, we have lost 350000 user details.

And so it continues ...

Re:So, how did they discover the leakage? (2)

dachshund (300733) | more than 2 years ago | (#39634611)

So how, then, do they detect the breach, which is usually far more difficult than protecting the stuff in the first place.

A common approach is to insert 'canaries' into the datasets. These are wholly-invented users whose credentials should never show up in any system, anywhere. If they do start showing up in significant numbers, you have a breach. By measuring which, and how many of these fake users turn up, you get a read on how many records you lost.

Not that this necessarily has anything to do with this case. It's also possible that the thieves were openly advertising their haul on the 'net, and some law enforcement agent happened to be listening in.
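The canary approach from the comment above, as an added example that is not part of the original thread: planted member IDs are derived from a secret key, matched against IDs seen in a suspected dump, and the fraction of canaries recovered per dataset is scaled up to an estimate of records lost. `CANARY_KEY`, `PLAN`, the dataset names and sizes, and the ID format are constructed for illustration, and the estimate assumes canaries were scattered uniformly among the real rows.

```python
import hashlib
import hmac

# Assumption: this key is stored outside the monitored systems, so someone who
# copies the data cannot tell planted rows from real ones.
CANARY_KEY = b"constructed-demo-key"

# Constructed inventory: dataset name -> (real record count, canaries planted).
PLAN = {
    "claims": (500_000, 50),
    "enrollment": (280_000, 28),
}


def canary_id(dataset, index, key=CANARY_KEY):
    """Derive the member ID of the index-th canary planted in a dataset."""
    mac = hmac.new(key, f"{dataset}:{index}".encode(), hashlib.sha256).hexdigest()
    # Shape it like an ordinary (hypothetical) 12-digit member ID.
    return "M" + str(int(mac, 16) % 10**12).zfill(12)


def build_index(plan, key=CANARY_KEY):
    """Map every planted canary ID back to the dataset it was planted in."""
    index = {}
    for dataset, (_size, planted) in plan.items():
        for i in range(planted):
            index[canary_id(dataset, i, key)] = dataset
    return index


def assess_leak(observed_ids, plan, key=CANARY_KEY, min_hits=2):
    """Report, per dataset, how many canaries surfaced and what that implies.

    min_hits guards against a single chance collision with a real ID: a
    dataset is only flagged once several distinct canaries have turned up.
    """
    index = build_index(plan, key)
    hits = {dataset: set() for dataset in plan}
    for member_id in set(observed_ids):          # duplicates count once
        dataset = index.get(member_id)
        if dataset is not None:
            hits[dataset].add(member_id)

    report = {}
    for dataset, (size, planted) in plan.items():
        seen = len(hits[dataset])
        breached = seen >= min_hits
        report[dataset] = {
            "canaries_seen": seen,
            "canaries_planted": planted,
            "breached": breached,
            # Fraction of canaries recovered, scaled to the dataset size.
            "estimated_records": seen * size // planted if breached else 0,
        }
    return report


def sample_leak():
    """Constructed dump: all of 'claims', a quarter of 'enrollment', plus noise."""
    ids = [canary_id("claims", i) for i in range(50)]
    ids += [canary_id("enrollment", i) for i in range(7)]
    ids += ["M000000000001", "M000000000002", "M000000000001"]  # real-looking rows
    return ids


if __name__ == "__main__":
    for name, row in assess_leak(sample_leak(), PLAN).items():
        print(name, row)
```
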

We want this (0)

ebonum (830686) | more than 2 years ago | (#39630335)

Aren't we pushing for centralizing medical records in big databases? This means we have to provide easy access to 10's of thousands of doctors and hospitals and healthcare providers. Easy to access and impossible to hack only exist in RFP's chasing dumb government money. This is the trade off for the convenience. You no longer have to break in and steal a truckload of files from 1000 different doctor's offices. You hit one database that has everything nicely prepared to be downloaded by the bad guys in Eastern Europe.

What part of "central database = one stop shop for data thieves" is hard to understand? If you say "I never thought THAT would happen" you should be fired.

Re:We want this (1)

anotheryak (1823894) | more than 2 years ago | (#39630785)

Exactly! What we need is a giant database that can be compromised by one overworked medical resident who has no real concept of data security.

I know of two cases where residents had a shared database of passwords to various medical systems at multiple hospitals stored on insecure public "document" sites. In one case, they all had a common password, and different groups of students/residents used it year after year (not even ever changing the username or password). When the IT people found out and blew a large gasket, the medical people honestly did not see what the problem was.

Re:We want this (0)

Anonymous Coward | more than 2 years ago | (#39631757)

Of course, what you're not thinking of is the ten thousand insecure sites where more than enough data is aggregated to cause problems and exploit weaknesses.

If I can go to one place and see who is accessing my records, it's far better for my security than if I can only find out when somebody comes to me months later about some bill.

I'll take convenience over a piece-meal system that ends up costing me more.

Re:We want this (0)

Anonymous Coward | more than 2 years ago | (#39635303)

If you say "I never thought THAT would happen" you should be fired.

Nope. shot...

This is possible with many non-profits. (1)

Anonymous Coward | more than 2 years ago | (#39630659)

I work for another major, similar non-profit organization in another site. I've been involved with IT and various areas of the organization's business-side functions; including Electronic Medical Record systems. I will just say that if you really believe these companies are secure, you're naive. These are non-profit corporations with the majority of the people being very untechnologically savvy. Even a decent IT department only has so much control over what is going on - most of the time, the security of the EMR systems has nothing to do with IT to begin with. Instead they simply host them and leave control of the EMR systems to other leaders in the organization as IT shouldn't be involved with medical record access to begin with.

Non-Profits have very high turnover rates and employ hundreds, if not thousands (depending on agency size) of part-time workers. These people range from 3-30 hours a week. You have employees in rural areas of the state who barely know what a computer is - but are required to log into various systems with multiple username/passwords. You have employees sharing username/passwords which is impossible for IT or Leadership to always be aware of. The means of information getting out is enormous and uncontrollable depending on how their EMR system is used. And you have to remember that in non-profit, you are dealing with 'comfortable' employees. These are not the cutting edge employees you will find in corporate America. That's not how this business works. So you can only imagine how insecure most of these agencies are.

I could really get into detail but I won't. Just letting you know that this stuff is easy to access if someone really wants to.

What to do (4, Informative)

Jason Levine (196982) | more than 2 years ago | (#39630699)

My advice for anyone whose identity was stolen:

Step 1: Report it to all 3 credit agencies (Experian, TransUnion, and Equifax) and put fraud alerts on your credit files.

Step 2: Get your free annual credit report from all 3 agencies (not just 1 agency) and go over it with a fine toothed comb. Make sure *EVERYTHING* on there is legit. Contact the agencies about any non-legit items to get them removed.

Step 3: Freeze your credit file.

About the latter, fraud alerts last for 90 days and are only a warning sign to be on the lookout for fraud. Companies can (and do) ignore them from time to time. They aren't a guarantee that your credit won't be misused again. Freezing your file, however, means that nobody can add items to your credit unless you thaw it first. Yes, it means you can't get a loan or open up a store credit card on a whim, but that's the trade-off for peace of mind knowing that the thieves could have all of your personal info and still won't be able to do anything with it credit-wise.

Of course, freezing isn't a cure-all. ID thieves could still use your identity if they are arrested for a crime and you could find yourself with a criminal record you didn't "earn." Still, it's a very handy tool to use.

Re:What to do (3, Informative)

RobertLTux (260313) | more than 2 years ago | (#39631249)

"Step 2: Get your free annual credit report from all 3 agencies (not just 1 agency) and go over it with a fine toothed comb. Make sure *EVERYTHING* on there is legit. Contact the agencies about any non-legit items to get them removed."

regarding that bit http://www.annualcreditreport.com/ [annualcreditreport.com] is the address you need

or hit https://www.annualcreditreport.com/cra/order?mail [annualcreditreport.com] for details on how to get this done (if you do the USPS method photocopy your DL and SS card and enclose that with the form)

Re:What to do (1)

Jason Levine (196982) | more than 2 years ago | (#39631487)

Thanks for adding that link.

Re:What to do (0)

Anonymous Coward | more than 2 years ago | (#39633969)

Alternately, just send a copy of your driver's license, social security card, and a signed, notarized letter requesting the service to me and I'll take care of everything for you, for free! (Well, almost free. A small service charge may appear on a future credit card.)

Accountability...... (2)

who_stole_my_kidneys (1956012) | more than 2 years ago | (#39632117)

Until institutions are held accountable for this type of data breach it will continue to happen. If the fine was let's say $1 million paid to each compromised SSN, then 2 things would happen: 1. they would spend more money on qualified individuals to protect their data 2. this would not be reported as much as they would cover it up.

Important Observation (1)

whydavid (2593831) | more than 2 years ago | (#39637295)

It is important to note where the primary concern of most of the commenters is: the stolen SSNs. We don't have effective health information exchange because politicians and their constituents are scared to death of their all-important "private health data" being stolen. When it actually happens, people stop and realize that no one could possibly have any use for Joe Average's health information, whereas your SSN/personal information can quickly compromise your financial livelihood. In order to get some use out of stolen health data, you'd have to sell it to some marketer (who would be outing themselves just by using it....) or you'd have to blackmail the person whose data you have (a felony/they probably don't have enough money to make it worth it/they are certain to be caught if they try to do this at any scale). To get some use out of stolen SSNs/personal information, you need to fill out a few online forms and start ordering. Of course, there are thousands (if not millions) of organizations storing SSN/Credit Card Numbers/Driver License or Passport Numbers/Addresses/etc... on tons of people. For some reason, we are OK with that risk, but up in arms when we talk about storing potentially life-saving health data. I fully expect many to agree with this post....and I fully expect the usual flame response when I post anywhere online that your health data is not sacred, no one who could feasibly use the stolen data can legally do so, and unless you are a high-priority target (celebrity, political figure, etc...) you really don't have any risk from having your health data stolen (although it should certainly still be secured unless you really want to make it public data).

Security instead through openness? (0)

Anonymous Coward | more than 2 years ago | (#39640639)

Perhaps the government should publish ALL SSN's, making them unreliable as a security or identification token without positive identification of the individual concerned in person. If no one were permitted to do any of the things normally requiring an SSN unless the individual is able to prove his or her identity, the information will become basically useless.

It's time to end this security through obscurity, because as leak after leak, theft after theft, and breach after breach have proven, there is NO obscurity, really, and hence, NO SECURITY.

Our government and private organizations that grant credit, etc., put us all at risk. The rules that allow them to offer credit, etc., over the phone or internet without any actual proof serve to enhance their bottom lines by making it easier for people to get credit, services, etc., but it jeopardizes the financial safety and security of us all.

Reform is needed NOW. Actually, it's long overdue.

What's dts.utah.gov & health.utah.gov run? (0)

Anonymous Coward | more than 2 years ago | (#39681403)

LINUX (and yes, it got HACKED, chumps) -> http://uptime.netcraft.com/up/graph?site=dts.utah.gov [netcraft.com]

AND

YOU GUESSED IT FOOLS: LINUX AGAIN -> http://uptime.netcraft.com/up/graph?site=health.utah.gov [netcraft.com]

* Ah, yes - see the YEARS OF /. BULLSHIT CRUMBLING AROUND THE PENGUINS EARS HERE & 2012's starting out just like 2011 did below!

===

2011:

KERNEL.ORG COMPROMISED - The Cracking of Kernel.org: (very bad - do you trust it now?)

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised [slashdot.org]

---

Linux.com pwned in fresh round of cyber break-ins: (lol)

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/ [theregister.co.uk]

---

Mysql.com Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware [slashdot.org]

What's that site running? You guessed it - Linux -> http://uptime.netcraft.com/up/graph?site=mysql.com [netcraft.com]

---

London Stock Exchange serving malware:

http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware [slashdot.org]

(I mean hey - NOT ONLY DID LINUX FALL FLAT ON ITS FACE less than a few minutes into the job http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch [slashdot.org] , & crash not only ONCE, but TWICE there? You see "Linux 'fine security'" in motion @ the LSE too!)

---

DUQU ROOTKIT/BOTNET BEING SERVED FROM LINUX SERVERS: (very recent):

http://it.slashdot.org/story/11/11/30/1610228/duqu-attackers-managed-to-wipe-cc-servers [slashdot.org]

---

Linux Foundation, Linux.com Sites Down To Fix Security Breach: (lol)

http://linux.slashdot.org/story/11/09/11/1325212/linux-foundation-linuxcom-sites-down-to-fix-security-breach [slashdot.org]

---

Linux's showing in CA's breached recently too? Ok: (very, Very, VERY BAD for ecommerce, online shopping, banking, etc./et al)

http://uptime.netcraft.com/up/graph?site=StartCom.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=GlobalSign.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=Comodo.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=DigiCert.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=www.gemnet.nl [netcraft.com]

The list of CA Servers BREACHED that RUN LINUX (StartCom, GlobalSign, DigiCert, Comodo, GemNet)... per these articles verifying that:

http://itproafrica.com/technology/security/cas-hacked/ [itproafrica.com]

&

http://threatpost.com/en_us/blogs/site-dutch-ca-gemnet-offline-after-web-server-attack-120811 [threatpost.com]

---

The Stratfor SECURITY hack: (can't blame it on poor setup, this IS a security firm that uses Linux)

http://yro.slashdot.org/story/11/12/28/1743201/data-exposed-in-stratfor-compromise-analyzed [slashdot.org]

What's that domain run? Yes kids - you guessed it: LINUX -> http://uptime.netcraft.com/up/graph?site=www.stratfor.com [netcraft.com]

---

Phishers/Spammers FAVOR attacking LAMP: (Linux, Apache, mySQL, PHP)

http://www.theregister.co.uk/2011/06/10/domains_lamped/ [theregister.co.uk]

PERTINENT QUOTE/EXCERPT:

"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey. Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers"

---

Toss ANDROID (yes, a Linux since it uses a Linux kernel) in also, since it's being "shredded" on the mobile phone security-front rampantly for years now?

* You get the picture...

APK

P.S.=> Linux Security Blunders DOMINATE in 2011, despite all /. "FUD" for years saying "Linux = SECURE" (what a crock of shit that's turning out to be, especially on ANDROID where it can't hide by "security-by-obscurity" anymore & is in the hands of non-tech users galore - & EXPLOITS ARE EXPLODING ON ANDROID, nearly daily)

... apk/b
