100 Million Victims of Data Theft

kdawson posted more than 7 years ago | from the and-counting dept.

Security 115

jcatcw writes "With the latest significant data breach — theft of a Boeing laptop with unencrypted personal information on 382,000 employees — the Privacy Rights Clearinghouse estimates that the total number of data breach victims has passed 100 million since they started tracking in February 2005. The director, Beth Givens, admits 'the number 100 million is largely a fictional number,' but it surely errs on the low side. Since California is still the only state with disclosure laws, incidents are difficult to analyze fully. However, Congress this week passed a bill requiring that the Department of Veterans Affairs report breaches."

FRIST PIST!! (0, Troll)

Asshat_Nazi (946431) | more than 7 years ago | (#17283230)

fuck off fishtits.

I don't trust the article (5, Funny)

BadAnalogyGuy (945258) | more than 7 years ago | (#17283246)

How can you trust the article when they make the outlandish claim that Boeing makes laptops? They make airplanes, silly.

Yeah, But when they do... (1, Funny)

Anonymous Coward | more than 7 years ago | (#17283892)

....They'll really fly!

I dunno (3, Funny)

BadAnalogyGuy (945258) | more than 7 years ago | (#17284162)

Do you really think they'll take off?

Re:I dunno (2, Funny)

MarkRose (820682) | more than 7 years ago | (#17285032)

I predict they'll be a flying success!

Re:I don't trust the article (1)

extern_void (1041264) | more than 7 years ago | (#17286758)

Nah Nah Nah they make notebooks, those airplanes are just for undercovering!

We need to think how transactions are processed (4, Insightful)

rolfwind (528248) | more than 7 years ago | (#17283280)

Right now, it's becoming clear to me that the problem is that the weak chain in the link is that the creditors/banks/etcetera consistently rely on a few lines of data to complete transactions and identify the parties involved, 95% of which is publicly available, the other 5% easily stolen.

I don't know what to do to solve this, any suggestions?

(Way back when, my friend who worked at a Sam Goody used to actually check credit cards when customers bought something on his first day on the job. After the manager caught wind that he denied someone using their friend's mom's credit card, supposedly with permission, he got yelled at and told not to do it again. I can't help but think that the laws are too lax in this area and the industry has little interest fixing it.)

Re:We need to think how transactions are processed (3, Funny)

AoT (107216) | more than 7 years ago | (#17283300)

Yeah, there's that problem; and also the fact that it is 100M known victims of identity theft.

On a side note, why is it that I get all these credit card offers from companies who already have my SSN, I know you got it guys, and they tell me I'm "pre-approved" for credit, and yet I have to send all this info in?

Come on big brother! If'n you're going to know everything about me please don't make me fill out all the damn forms in triplicate!

From TFA (4, Insightful)

AlanS2002 (580378) | more than 7 years ago | (#17283374)

> Yeah, there's that problem; and also the fact that it is 100M known victims of identity theft.

From the article: "A stolen laptop at The Boeing Co. has pushed a widely watched tally of U.S. data breach victims past the 100 million mark". Saying that the 100M people are thought to have had data disclosed about them is not the same as saying that 100M people are known victims of identity theft.

I was counted twice! (5, Interesting)

Aphoric (808093) | more than 7 years ago | (#17283422)

I have been counted at least twice though. I am a veteran and got a letter from the VA with a previous theft, and that was just a few months after I got a letter from Boeing telling me that my info was stolen. Have not heard anything about this latest one, I do appreciate the free credit monitoring I get now, but I am not convinced it would do me any good if someone was really using my info. Plus it is only for one year, that is a relatively short period of time, the info has an unlimited life.

Re:We need to think how transactions are processed (0)

Anonymous Coward | more than 7 years ago | (#17283528)

I can answer that.

Yes, they already have your SSN. But you have not given it to them.

When (if) you fill out the application for the credit card, you will dutifully provide them (again) with your SSN. At that time you will legally hand over a large chunk of control over your private data.
 

They don't know actually (3, Informative)

Sycraft-fu (314770) | more than 7 years ago | (#17284284)

The people who send you preapproved offers have very little info on you, pretty much just name and address. Basically they ask one of the credit reporting agencies for a list of people falling within a given set of criteria. They then send offers to those people. If you want to take them up you have to give them more info and they get a full rundown of your credit and decide if they still want to give you credit, and if so on what terms (you can be turned down for preapproved cards).

You can opt out of this if you want, you have to contact the credit bureaus and tell them to quit giving out your info for this and they will.

Re:We need to think how transactions are processed (2)

marcello_dl (667940) | more than 7 years ago | (#17284294)

> Come on big brother! If'n you're going to know everything about me please don't make me fill out all the damn forms in triplicate!

many things in life acquire a logic explanation using this axiom: banks want your property, bureaucracy wants your time.

Re:We need to think how transactions are processed (1)

FooAtWFU (699187) | more than 7 years ago | (#17286054)

> many things in life acquire a logic explanation using this axiom: banks want your property, bureaucracy wants your time.

WTF does a bank want with my property? Don't let's be silly. Banks want your money, not your property. They are, in fact, willing to pay you for your money (this is called "interest" on your savings account or CD). They're also willing to sell you money, at a slight markup, so as to obtain more money; this is known as a "loan".

But your property? If you've got a foreclosure on your mortgage, the bank isn't going to be too happy about it. They don't want this big old lump of property sitting around- a house that needs maintenance, property taxes to pay, stuff like that - and it isn't earning them that much income just sitting there. A loan, now, that earns them income. So how are they going to turn property into money? They're probably going to sell it for a sizeable amount less than its market value, and get back some of their money so they can loan it out again.

Re:We need to think how transactions are processed (3, Insightful)

Anonymous Coward | more than 7 years ago | (#17283324)

> I don't know what to do to solve this, any suggestions?

Do it the same way that you make companies care about any other type of public safety issue. Make it very painful for them if they fail to protect the data. If they lose privacy data they should be completely liable for any damages that occur. A couple of major class action lawsuits and we can make it so that companies won't want to collect privacy data except when absolutely needed.

Re:We need to think how transactions are processed (1)

TheRaven64 (641858) | more than 7 years ago | (#17284956)

Companies really need to start learning about security. My date of birth is not a good way of identifying me, because it's on the electoral register next to my name, and is publicly available (Gillette did some good marketing with this, sending a free razor to every male as soon as they appeared on it). Similarly, asking me for my mother's maiden name is not secure. Anyone who knows my name and date of birth can get this quite easily.

One of my banks has quite a sensible system; I select a password, but they only ever ask me for two letters from it (as well as asking for a five-digit pin every time). Someone passively intercepting this is not likely to be able to use the information they get. Unfortunately, their system is flawed because if you don't get it right, they ask you for the same two letters until you do, meaning that it only takes 676 attempts at maximum, and 338 on average (assuming no heuristics are used) to brute-force it. Of course, to do this, they would have to have got my 5-digit pin (which is not used anywhere else), so it's not a bad system overall.

My US bank, however, is useless. In order to get my web password, I had to phone them and tell them the size of the last payment into the account. I couldn't - I wanted access to the web interface so I could find that out - but they were happy to tell me what it was if I told them my address (not exactly a secret). Once they had told me the size of the last payment, they wouldn't let me tell them that to get the web password; they had to transfer me to another operator who then asked me the size of the last payment. Once I told the second operator the information that the first one had given me, I had full access to everything.

Re:We need to think how transactions are processed (1)

Anonymous Brave Guy (457657) | more than 7 years ago | (#17285082)

Yep, absolutely. This is the way forward, and it's long overdue. Awards of 100% of real damages plus statutory punitive damages of $100 per victim per incident if negligence is demonstrated would do the trick real quick, I'd imagine.

Re:We need to think how transactions are processed (1)

radtea (464814) | more than 7 years ago | (#17286120)

> Awards of 100% of real damages plus statutory punitive damages of $100 per victim per incident if negligence is demonstrated would do the trick real quick, I'd imagine.

Unfortunately, your imagination does not conform to reality. Punitive measures rarely have a dramatic effect on human behaviour.

This can easily be seen in actual data. Consider the death penalty.

North Dakota has one of the lowest homicide rates in the U.S. [disastercenter.com] and has not had the death penalty since the 1930's [usask.ca]. The homicide rate in Texas is ten times higher [disastercenter.com], and yet Texas executes people on a regular basis. [state.tx.us]

The rate of executions in Texas jumped from about 5 per year in the 80's to over 20 per year in the 90's, and this four-fold increase seems correlated with a ~20% drop in the homicide rate over the next decade, but no one who is arguing from the data, rather than from their imagination, would suggest that increasing punitive measures is the best way to alter human behaviour. If a five-fold increase in killing convicted murderers brings about only a 20% drop in the murder rate, and yet making Texas more like North Dakota (but warmer!) brings about a ten-fold drop in the murder rate, an objective observer might suggest that we spend our resources figuring out what it is about North Dakota (or other north-central states, or Japan, or Canada, or Switzerland) that results in fewer people killing each other.

The data suggest that neither firearms ownership nor cultural diversity (Canada is one of the most culturally diverse nations on Earth, with criminal gangs drawn from the four corners of the globe all trying to set up shop here) nor punitive penalties are the most important differentiating factor.

And when one moves from the realm of individual to corporate malfeasance and negligence, it is more than clear that companies are willing to take enormous risks in the name of short-term profits as Merck did with Vioxx [nytimes.com].

Ergo, whatever you might want to believe, the facts are pretty clearly in favour of punitive measures being a very poor way to influence human behaviour. They are sometimes necessary, but should be the last tool of social control that we reach for, not the first.

Re:We need to think how transactions are processed (1)

Anonymous Brave Guy (457657) | more than 7 years ago | (#17288750)

For someone so keen on hard evidence, you're making a mighty big jump from what affects individuals who are screwed up enough to kill someone with a firearm and what affects a profit-making business. If you make something painful enough in financial terms, businesses will tend not to do it. Short of making the executives personally liable -- which would be no more constructive anyway by your own argument -- what better incentive would you suggest?

Re:We need to think how transactions are processed (5, Insightful)

Ajehals (947354) | more than 7 years ago | (#17283372)

This is an old problem - the banks / merchants etc... want to make it easy enough for you to spend your money or to get credit that you do it on a regular basis. If banks decided to make it harder - in order to increase their / your security / privacy then it means that they lose business, especially if they are the first to do it. Basically they don't mind losing a bit of money to make a lot of money.

Of course as long as it's easy to get hold of your cash or get credit, someone will want to exploit that to get hold of cash or credit in your name. So making it harder to commit fraud or identity theft is really only beneficial to the customer, which in turn means that the only path to making it harder to commit fraud or identity theft is to introduce legislation or regulation to make it happen. That of course is opposed by the banks and merchants (as they lose out) and opposed by the majority of customers as they don't see that there is a problem until it happens to them.

So yeah, apart from not seeing an easy solution for the banks and merchants, I also don't really see a will to implement any solution which decreases the amount of spending or credit applications, or one that will cost money to roll out (after all most organisations are looking at short term profit not long term strategies).

Re:We need to think how transactions are processed (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17283552)

I just heard some sad news on talk radio - Horror/Sci Fi writer Stephen King was found dead in his Maine home this morning. There weren't any more details. I'm sure everyone in the Slashdot community will miss him - even if you didn't enjoy his work, there's no denying his contributions to popular culture. Truly an American icon.

kill me, Slashdot, for I haven't the nerve myself (0, Interesting)

Anonymous Coward | more than 7 years ago | (#17283578)

I was fumbling to get my housekey into the lock when I heard her.

"Steven?"

Even after 7 years, I recognized her immediately. Julia. Julia McGurren. We had a platonic relationship in our senior year of high school. We shared a few classes and were both on the yearbook team. At first it was a mutual friendship. She got someone who knew the school esoteric layout software, I got female companionship. If it wasn't for the fact that I had been thinking about her almost every day for the past 7 years, I probably wouldn't have been able to tell it was her. What little fat she had carried in high school was gone, accentuating her full breasts and long legs. Her acne was gone, leaving only soft, smooth cheeks. Judging from the Lexus she was stepping out of, her post-highschool plan of entering into the medical sciences field had paid off.

The reason she had never left my mind over so many years stemmed from our prom. I was sitting in the yearbook lab, playing snood, when she asked if I had a date for the prom. I said that I didn't, and she responded that she didn't either. Since I was, and still am, an idiot about girls, I went back to playing snood, completely oblivious to the fact that she wanted me to take her to the prom. Completely oblivious to the fact that my silent crush didn't go unnoticed.

Knowing that I didn't owe her money, nor had I ever slipped my tube steak into her (or into any woman for that matter), I realized that the reason she was here wasn't to collect a debt or inform me that I'm a father. She wanted to rekindle our friendship.

I had made the mistake of looking at myself in the mirror before leaving work today. My steady bachelor diet of fast food had given me an ample gut. The grease had only inflamed my acne. My quickly diminishing hairline stood on the crossroads of "hey he's got a big forehead" and "hey look at that bald fuck". My eyes were red from a previous night of playing kingdom hearts II and attempting to create memes on /b/. I was someone who had hit middle age at 25 without ever leaving puberty. Community college dropout, 4 year veteran of Cingular customer service phone support.

I looked into her eyes. She wasn't addressing me. She was asking if I was me. I made a tough choice.

"Sorry lady, you must be looking for the previous owner. The real estate agent said he was gone long before I ever moved in."

It only hurt a little bit when her face showed relief.

"That's... that's alright. I figured he probably would of moved by now. Thanks anyways."

"No problem, lady. I hope you find who you're looking for." I said as I shut the door on her.

Trust me, Julie. The Steven in your memory is far superior to this broken shell of a man who pours his heart out on Slashdot tonight.

Re:kill me, Slashdot, for I haven't the nerve myse (5, Insightful)

poopdeville (841677) | more than 7 years ago | (#17284100)

I realize this is probably a troll, but I'm responding in case it isn't.

It isn't too late. But you have a tough choice to make. You can either choose to make your life better, or choose to let life push you around. Changing is not easy.

Read Sartre, Camus, Nietzsche.

Pull your ethernet cable, unplug your wireless router. Take some time off of the /b/ scene. Get out of town for a while if you can.

Think about your goals -- both the failed and incomplete. Ask yourself why the failed ones failed. Resolve to fix the problems that caused them to fail. Evaluate your incomplete goals. Make plans to finish them. Commit to your plans.

Exercise is good for you. I don't mean to make fun of your belly. But you obviously need to become stronger to become the man you want to be.

Don't sweat being bald.

You've wasted a lot of time, but you're still young. There's no point wasting any more.

Re:kill me, Slashdot, for I haven't the nerve myse (0, Flamebait)

Broken scope (973885) | more than 7 years ago | (#17285368)

Ahh what the hell.



Well dumbfuck, congratulations. You wasted your god damn life. You ate the fast food. You fucked up. Take your sob story and shove it. Plenty of people have gone through worse shit than you and succeeded. Do yourself a favor. Buy food at the grocery store. Cook food yourself.

You have no excuse for dropping out of college except your own god damn laziness. You want a solution, go stand in front of that mirror again. Look into your eyes, and ask yourself this "Why did I do this to myself?". Then do something about it. Don't expect us to do something for you.

Re:We need to think how transactions are processed (4, Interesting)

bluefoxlucid (723572) | more than 7 years ago | (#17283656)

I solved this problem ages ago. Some guy, actually two of them, invented something called the Diffie-Hellman Public Key Encryption Algorithm. Since then we've had dozens of these show up and now have RSA and DSA/ElGamal out there. Pretty much, with huge (1024 byte!) challenges and hardware devices with your key in them, as well as transferable One Time Pads (so you can let someone else use your credit card once, twice, for $5, for $10...), you can make it so everyone along the way can verify your identity and nobody along the way can pretend to be you.

The system drawn out isn't that complex. It's lazy distributed too; anyone can cache your public key, so anyone can independently verify you over and over again. This means that the store can verify your card isn't a spoofer and not pester the credit card company with it if it is; and if it's not, then the credit card company can also verify your card isn't a spoofer (and that the store isn't sliding in extra charges after you've signed for the price) and not pester the national PKI network with it.
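The challenge-and-sign flow described in the comment above, as an added example that is not part of the original post: a card signs the merchant, amount and a fresh challenge, the store checks it against a cached public key, and the issuer repeats the check at settlement to catch a changed amount or a replay. Ed25519 from Node's built-in `crypto` stands in for the RSA/DSA keys the comment names, and every identifier and the message layout are assumptions made for this sketch.

```javascript
// Added illustration (not from the thread). All names, the message layout and
// the sample identifiers below are assumptions constructed for this sketch.
const crypto = require("crypto");

// One canonical byte encoding of what the cardholder approves, so the card,
// the store and the issuer all sign or verify exactly the same bytes.
function encodeCharge({ cardId, merchantId, amountCents, nonce }) {
  return Buffer.from(JSON.stringify([cardId, merchantId, amountCents, nonce]), "utf8");
}

// The "hardware device": the private key exists only inside this closure.
function makeCard(cardId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  return {
    cardId,
    publicKey, // public half: anyone may cache it
    approve(merchantId, amountCents, nonce) {
      const charge = { cardId, merchantId, amountCents, nonce };
      return { charge, signature: crypto.sign(null, encodeCharge(charge), privateKey) };
    },
  };
}

// Shared check, run by the store (cached key) and again by the issuer.
function verifyApproval(publicKey, approval, expected) {
  const { charge, signature } = approval;
  if (charge.merchantId !== expected.merchantId) return "wrong-merchant";
  if (charge.amountCents !== expected.amountCents) return "wrong-amount";
  if (charge.nonce !== expected.nonce) return "stale-challenge";
  const ok = crypto.verify(null, encodeCharge(charge), publicKey, signature);
  return ok ? "ok" : "bad-signature";
}

// Issuer: holds the registered keys and remembers which challenges were settled.
function makeIssuer() {
  const keys = new Map();
  const settled = new Set();
  return {
    register(cardId, publicKey) { keys.set(cardId, publicKey); },
    settle(approval, merchantId, claimedCents) {
      const key = keys.get(approval.charge.cardId);
      if (!key) return "unknown-card";
      const verdict = verifyApproval(key, approval, {
        merchantId, amountCents: claimedCents, nonce: approval.charge.nonce,
      });
      if (verdict !== "ok") return verdict;
      const tag = approval.charge.cardId + ":" + approval.charge.nonce;
      if (settled.has(tag)) return "replayed"; // same signed charge submitted twice
      settled.add(tag);
      return "ok";
    },
  };
}

function runDemo() {
  const card = makeCard("card-0001");
  const issuer = makeIssuer();
  issuer.register(card.cardId, card.publicKey);
  const storeCache = new Map([[card.cardId, card.publicKey]]);

  // Store issues a fresh challenge; the card signs merchant + amount + challenge.
  const nonce = crypto.randomBytes(16).toString("hex");
  const expected = { merchantId: "shop-42", amountCents: 1999, nonce };
  const approval = card.approve("shop-42", 1999, nonce);
  const atStore = verifyApproval(storeCache.get("card-0001"), approval, expected);

  // A device that only copied the card number holds a different key.
  const clone = makeCard("card-0001");
  const spoofed = verifyApproval(
    storeCache.get("card-0001"), clone.approve("shop-42", 1999, nonce), expected);

  const firstSettle = issuer.settle(approval, "shop-42", 1999);
  const replayed = issuer.settle(approval, "shop-42", 1999);

  // Store tries to bill more than was signed, with and without editing the record.
  const approval2 = card.approve("shop-42", 1999, crypto.randomBytes(16).toString("hex"));
  const padded = issuer.settle(approval2, "shop-42", 2999);
  const edited = issuer.settle(
    { charge: { ...approval2.charge, amountCents: 2999 }, signature: approval2.signature },
    "shop-42", 2999);

  return { atStore, spoofed, firstSettle, replayed, padded, edited };
}

console.log(runDemo());
```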

Re:We need to think how transactions are processed (1)

CodeBuster (516420) | more than 7 years ago | (#17289308)

The technical merits of public key cryptography are not in question, but rather the understanding of the public with regard to the proper use of these methods is and that is the real difficulty. If you cannot make the system completely workable without any knowledge or understanding on the part of the public then your efforts will fail because average people do not, will not, or cannot understand the basis for public key cryptography enough to be informed users of the system. I have personal experience with the glazed over looks that I get from the corporate top brass when I try and explain these things to them and these guys are smarter than the average Joe on the street (although just barely it seems).

The problem with the specific system that you describe is that it is based upon access to the physical credit card, but many credit card transactions are processed each day without sliding the actual card (i.e. Internet and phone transactions with just the numbers keyed in). How are you going to fix that loophole without making it such a hassle for the user that they just go to the physical store instead? How about trying to explain to the average guy in the event of a failure (and there WILL be failures because no implementation is perfect) why he cannot buy airline tickets to his grandmother's funeral because his card did not validate with the public key of his credit card company for whatever reason (i.e. maybe the data on the stripe got corrupted or something else went wrong)? These are real problems and they are difficult to solve without compromising either security or convenience or both.

Re:We need to think how transactions are processed (1)

Jessta (666101) | more than 7 years ago | (#17283854)

In Australia the shop is liable for credit card fraud. So it is in the shop's best interest to make sure that the person making purchases on a credit card is who they say they are.

The real problem is that the information that identifies you as you is the same information that you give to people to prove that you are you.
Giving anyone you need to prove your identity to all the information they need to pretend to be you.
What is needed is something along the lines of public-private key cryptography.

Re:We need to think how transactions are processed (2, Insightful)

dbc001 (541033) | more than 7 years ago | (#17284580)

This is a great point - I get annoyed every time a credit card transaction goes through and I don't have to sign anything. Don't they realize that without a signature there's no way to prove whether the transaction was me or someone else?

Re:We need to think how transactions are processed (1)

planetmn (724378) | more than 7 years ago | (#17284970)

Yes, they do realize that. The merchant has decided that the convenience of swipe and go will bring in more money than they will lose from reversed charges. For instance, I don't go to gas stations that don't accept credit cards at the pump. I don't want to wait in line to pay behind the idiot buying cigs and the idiot buying lottery tickets when I can go across the street, pay the same amount, and be out in much less time.

-dave

Re:We need to think how transactions are processed (1)

Anonymous Brave Guy (457657) | more than 7 years ago | (#17285232)

They realise it, they just don't care.

Typically, the vendor is responsible for the loss if they permit a card transaction and it gets challenged successfully by the card holder. If the vendor doesn't check the signature or PIN properly, it's not going to be the card company's loss.

The only major exception is if the vendor has correctly followed procedures laid down by the card companies to verify ID (e.g., collecting a signature and checking it against the card, or using the Chip and PIN machine). In this case, card companies typically limit how much a card can be used -- and particularly how much it can be used in different circumstances to the historical pattern -- before alarm bells start going off and the card holder gets a call asking them to confirm that the transactions are legit. I got such a call once just for using a credit card to buy a tank of petrol: I'd had the card for a couple of years, and usually used it only for on-line purchases of tech stuff, and according to the card company guy who called me, the sudden change to a use that's a favourite for casual card thieves was enough to trigger a confirmation call.

The upshot of all of this is that while a certain amount of money may be lost to serious fraudsters, it's a drop in the ocean compared to the total volume of transactions these companies deal with. Relative to reducing the number of card transactions in favour of either something less secure or just not doing the business, both of which would cost the card companies a fortune, the level of loss is considered acceptable. Whether you really signed for your shopping doesn't matter to them, because if you make what appears on a simple examination to be a legitimate complaint, then it's cheaper to pay you back your $15 or whatever than to investigate more fully.

Re:We need to think how transactions are processed (1)

bl8n8r (649187) | more than 7 years ago | (#17284628)

> I don't know what to do to solve this, any suggestions?

1) Address the ignorance factor first. Make sure people are aware of the issue of data security and the seriousness of it. Don't assume they automatically know. Explain it to them in a way that is informative and not condescending.

2) Use a platform designed to keep users in userland.

3) Set up laptops with encrypted filesystems [0] and encrypted connections [1]. Do not give users administrative access. Re-image [2] system partitions for extra freshness. Stop using WEP.

[0] http://rubyforge.org/projects/fusefs/ [rubyforge.org]
[1] http://www.oreillynet.com/pub/a/wireless/2001/02/23/wep.html [oreillynet.com]
[2] http://www.feyrer.de/g4u/ [feyrer.de]
      http://sourceforge.net/projects/g4l [sourceforge.net]

Personal Information (2, Insightful)

Barkmullz (594479) | more than 7 years ago | (#17283334)


I wish I was the copyright holder, and protected by the applicable laws, of my own personal information.

Re:Personal Information (1)

JoshJ (1009085) | more than 7 years ago | (#17283386)

This actually seems like an interesting idea and potentially a real benefit that could come of the bullshit draconian copyright laws in existence right now. Any lawyers know what's up with this?

That said I can see the downside, it "legitimizes" even more draconian copyright legislation- instead of relying on "Think of the artists!" they could rely on "Think of the identity thieves!"

Re:Personal Information (0, Troll)

IpSo_ (21711) | more than 7 years ago | (#17283756)

I actually have an uncle who copyrighted his name and also became his own "sovereign nation" (or something along those lines) which actually enabled him to skirt many laws in Canada at least. I can't remember the exact name of the "program" he got the information from, something like "In The Truth", but it's pretty interesting stuff. The stories he tells are hilarious.

Stories like fining judges large amounts of money for using his name without permission (it was copyrighted after all) and they ACTUALLY PAID, not to mention the charges were dropped.

Laws are apparently designed to screw over anyone who isn't in the "know". Ever wonder what a birth certificate is REALLY for? Look on the back of a Canadian birth certificate and you'll notice that it is actually a BANK NOTE. When you are born and your parents obtain a birth certificate for you, you are essentially agreeing to pay back your portion of the Canadian debt. No birth certificate? No debt obligations, no obligation to pay taxes, etc... etc...

Drivers licenses are apparently similar. By obtaining a drivers license you are agreeing to abide by the motor vehicle laws. If you don't have a drivers license and you know what you are doing, they can't touch you for breaking any of the laws. My uncle didn't renew his license, and was hauled off to court one day after being pulled over by the police. After a short trial where he basically told the judge (in the proper words) to go to hell, the charges were dropped and he was released. The police in his town know him pretty well and seem to stay clear.

It's crazy what people are doing with this sort of thing.

Re:Personal Information (1)

poopdeville (841677) | more than 7 years ago | (#17284140)

Hi.

This must sound silly, but does your uncle have an email address? If so, could you email it to sollaa@vfemail.net? I would really like to ask him some questions. In particular, I would like more information about this, and intend to contact a Canadian lawyer regarding the legitimacy of such claims. If all this works out, I want to move to Canada.

I could make a mint on my name, especially in a long, drawn out trial. :-)

Re:Personal Information (1)

cakefool (801210) | more than 7 years ago | (#17284212)

I am interested in your ideas, and wish to subscribe to your newsletter?

I smell BS (1)

mangu (126918) | more than 7 years ago | (#17284300)

> I actually have an uncle who copyrighted his name and also became his own "sovereign nation"

I've heard many stories about your uncle, he's the Baron Munchausen [imdb.com], right?

> By obtaining a drivers license you are agreeing to abide by the motor vehicle laws. If you don't have a drivers license and you know what you are doing, they can't touch you for breaking any of the laws

Your story would go well as a light comedy movie script, but it doesn't stand the hard test of reality. That's not how democracy, or any other form of government works. Laws exist to be obeyed by everyone, you cannot claim that you don't agree to abide by them. In the case you mention, driving a vehicle in a public road is a privilege, not a right. You are granted that privilege under certain circumstances and that privilege can be revoked.

Re:I smell BS (1)

IpSo_ (21711) | more than 7 years ago | (#17289814)

I figured it was all BS too... Until my uncle started actually doing it.

Keep in mind I get this information 2nd/3rd hand usually... Take a look at this site explaining how it is done with regards to income tax in both US and Canada:

http://www.detaxcanada.org/ [detaxcanada.org]

I just heard another story of my uncle's latest adventures... The last three times he has been in court (he defends a bunch of other people as well) he just takes a color laminated photocopy (intended as a copy) of his (or the defendant's) birth certificate, walks into court, when called upon goes up and hands it to the judge and walks out of the court room. That's the last he hears from them.

The reason for this that I understand is that the vast majority of laws only apply to "fictional entities", essentially a birth certificate. By handing over your birth certificate to the judge, they can prosecute the fictional entity all they want, it has no consequence on a "person in the truth".

Again, call BS all you like, thousands of people do this sort of thing every day, and it just keeps growing. It works in both Canada and the US. But you NEED to know exactly what you are doing. Any Joe Blow can't just do this, they need to study law for several years usually first.

Re:Personal Information (1)

drsmithy (35869) | more than 7 years ago | (#17284048)

I wish I was the copyright holder, and protected by the applicable laws, of my own personal information.

Copyright is fucked up enough already. I shudder to think how legislation trying to do this would make it worse.

Re:Personal Information (1)

jamstar7 (694492) | more than 7 years ago | (#17289436)

This could be the way to bring it crashing down.

Worth a shot, isn't it? What could possibly make it worse?

Re:Personal Information (0)

Anonymous Coward | more than 7 years ago | (#17285710)

Maybe we should all sing/rap our personal info as part of a lyric out next time. That would be $100,000 per copyright for each violation please...

100 million.. six months ago! (4, Informative)

anilg (961244) | more than 7 years ago | (#17283344)

That according to http://attrition.org/dataloss/rant/100million.html [attrition.org]
The Data Loss Database - Open Source has almost 510 events and over 143 MILLION compromised records as of this writing. 100 million? Dudes and dudettes, we had that over six months ago.

reporting on this subject (1)

AlanS2002 (580378) | more than 7 years ago | (#17283354)

I have a feeling that more and more reporting on this subject is going to make thieves take a closer look at what they are stealing in future, thus making identity theft a greater possibility.

Re:reporting on this subject (0)

Anonymous Coward | more than 7 years ago | (#17283514)

You're right, we should just keep it quiet and pretend nothing is wrong. It's been working so far, identity theft didn't happen 5 or 10 years ago. Plus, laptops weren't a popular target for theft before it was widely known about possible personal information on corporate machines. We'd all be better off if the media would just keep quiet and quit raising crime.

Re:reporting on this subject (2, Interesting)

AlanS2002 (580378) | more than 7 years ago | (#17283572)

I think perhaps some restraint is justified on the part of journalists. Reporting the possible disclosure of 382,000 people's private information is one thing. Telling the world that there is a laptop floating around somewhere in Chicago with that information on it is another.

Why go with a guesstimate? (1)

zuiraM (1027890) | more than 7 years ago | (#17283376)

It would seem more logical to just sum up the known figures, and present them along with information about what areas they cover, making it clear they are minimum values. I'm pretty sure those totals would ring the alarm bells just as effectively for those who actually care about it.

How much of the information is... (1)

Crasoum (618885) | more than 7 years ago | (#17283406)

How much of the information is redundant however? Is it 158 million Americans, 158 Million people across the globe, or 30 Million people 5 times over?

another announcement (2, Funny)

ILuvRamen (1026668) | more than 7 years ago | (#17283444)

the strangely named "Privacy Rights Clearinghouse" has just announced that they'll be showing up at one lucky person's house with a giant check with all 100 million pieces of personal data written on it in a really, really small font. I hope I win it!

I wonder... (2, Insightful)

e-scetic (1003976) | more than 7 years ago | (#17283480)

I never read of anyone having suffered consequences as a result of someone losing their data. Why is that?

Doesn't it seem as if there would be a few major class action lawsuits, at the very least? You'd think every time data loss occurs on this large a scale, it would be followed by droves of people suffering from identity theft or fraud

Re:I wonder... (2, Interesting)

suv4x4 (956391) | more than 7 years ago | (#17283550)


I never read of anyone having suffered consequences as a result of someone losing their data. Why is that?

Doesn't it seem as if there would be a few major class action lawsuits, at the very least? You'd think every time data loss occurs on this large a scale, it would be followed by droves of people suffering from identity theft or fraud


You're correct: theft or loss of a machine doesn't automatically mean identity theft.

First, the machine should be in a working state which is sometimes not the case.
Then, the criminal should realize there may be interesting info on the laptop (most would just format the drive and reinstall OS).
Then he should find it on the disk.
Then know what to do with it or who would be interested in buying it.

As you may suspect, this quickly limits the potential damage from such mishaps.

But there's the other side of the coin: the fact you don't hear of consequences may be a result of too delayed or still undiscovered frauds.

It's like bad food additives (like aspartame): they are deemed safe, simply because by the time damage occurs, no one can link the damage to the cause.

It's possible that people suffered but they either didn't know their data was stolen, how it was stolen, or that their problems are caused by identity theft.

It's also possible that the info is collected somewhere, ready to be abused, but the would-be-criminals are waiting for things to "settle" so they have greater chances of success with their activities.

So it's all very complex, but one thing is simple: keeping unencrypted critical info on portable machines you can easily lose possession of, is terribly bad. It's pure laziness and ignorance, and the solutions to this very basic layer of data protection, are simple and "there", ready for someone to realize they are needed.

I'm not very happy to see the government trying to react in "pieces" by demanding that veteran info breaches are reported.. Why just veteran breaches? I'm not a veteran from any war, is theft of my data less critical? It can be the place where I work, the site I shopped from or my bank: it really should be approached with a generic solution and not a bunch of untimely exceptions to an absurd status quo.

Re:I wonder... (2, Insightful)

scdeimos (632778) | more than 7 years ago | (#17283650)

I never read of anyone having suffered consequences as a result of someone losing their data. Why is that?

Because not many media outlets are interested in reporting on individuals who lose a few hundred dollars when they can throw around figures like 100,000+ victims in a single crime.

Well, the guess isn't that bad, really (1)

rockout (1039072) | more than 7 years ago | (#17283506)

The director, Beth Givens, admits 'the number 100 million is largely a fictional number,
I suppose that's better than just tossing out a large, fictional number.

Re:Well, the guess isn't that bad, really (1)

Nymz (905908) | more than 7 years ago | (#17283816)

IANAG (I am not a grammarian) but I think the point of the sentence isn't the size of the number, but its value or state, and therefore the adverb form was used appropriately.

Protect yo'self (3, Informative)

jomama717 (779243) | more than 7 years ago | (#17283522)

A buddy of mine was recently affected by the UCLA breach and was lamenting about all of the precautions and protections he was required to put into place now that his SS# was likely in some scumbag's hands, and it dawned on me that he may have actually gotten lucky. He was awakened to the reality of identity theft without having to experience any tangible loss, and is now motivated to take the proper precautions. It then occurred to me that to not assume that my information was in the wrong people's hands didn't make any sense and I have taken the same precautions my friend did:
  1. Access to my credit report/score
  2. Big 3 credit bureau monitoring - notification of any new accounts or loans in my name
  3. Personal case officer (through the bank) if something happens
These services can be purchased for anywhere from $5 to $12 a month depending on the bank. I suppose I could still get burned but I can't imagine any of it could hurt, well worth the money at any rate in my mind.

Re:Protect yo'self (1)

tgd (2822) | more than 7 years ago | (#17284886)

It doesn't feel to you like you're paying protection money to the mob buying those services from your bank? A bank that is part of the problem because like every bank, they'll gladly loan money in your name with little or no verification?

If they wanted to protect your identity, they'd make it harder to steal. Companies losing personal information aren't the problem, companies who casually take action based on very little information that will impact you when that information is lost is the real problem.

"Identity theft" is a meaningless term (3, Interesting)

Jonboy X (319895) | more than 7 years ago | (#17283564)

First off, the term "identity theft" is completely ridiculous. No one is taking away who you are. Your friends and family won't suddenly forget who you are. A better term would be "credit fraud".

This is the basic scenario: A criminal poses as you to borrow money (usually with a credit card), and then whoever lent that person the money asks you to repay it.

Then there are generally 2 consequences for you: debt and reputation damage. The debt itself is usually the lesser of the two problems, since you're not legally obligated to repay money that someone else borrowed in your name. Reputation damage, on the other hand, is incredibly hard to repair. This usually takes the form of erroneous information on your credit report.

Private agencies (Equifax [equifax.com] , Experian [experiangroup.com] and TransUnion [truecredit.com] are the majors in the USA) maintain this information of your past financial transactions, and sell it to potential lenders in the form of a credit report. Lenders then use this information to decide how risky it would be to lend you money. These credit reporting agencies err on the side of over-reporting negative information, because a defaulted loan from an under-qualified borrower costs banks and lenders much more than a qualified applicant being turned away. Additional services (like providing reportees an easy way to correct errors) would cost credit reporting agencies much more than their client lenders would be willing to pay for the increased accuracy, so they don't bother implementing them.

The short version is that banks and other lenders knowingly rely on imperfect information about potential borrowers, because it is the most economically sensible thing to do. It's not profitable for them to pay for more accurate information. If they decide not to lend you money, even based on erroneous information, it will likely be very hard to change their minds.

Re:"Identity theft" is a meaningless term (1)

Fulcrum of Evil (560260) | more than 7 years ago | (#17283582)

Yeah, every time this comes up, someone posts to object to the terminology. Face it, ID theft is what we call it even though it isn't literally true. They are, however, eroding your identity with various banks, so it's more accurate than you may think. Anyway, have fun tilting at windmills.

Re:"Identity theft" is a meaningless term (1)

britneys 9th husband (741556) | more than 7 years ago | (#17283762)

"ID theft" is even worse. It makes it sound like someone stole your driver's license so they could buy beer. At least "identity theft" vaguely relates to what's going on.

Re:"Identity theft" is a meaningless term (0)

Anonymous Coward | more than 7 years ago | (#17283612)

First off, the term "identity theft" is completely ridiculous. No one is taking away who you are. Your friends and family won't suddenly forget who you are. A better term would be "credit fraud".

I personally prefer to call it identity infringement.

Re:"Identity theft" is a meaningless term (1)

rastos1 (601318) | more than 7 years ago | (#17283890)

First off, the term "identity theft" is completely ridiculous. No one is taking away who you are....

If you are not the only one "Jonboy X" that can prove that he is "Jonboy X" then you don't have identity. You are left with plurality at best ;-) You had identity before and now you don't have it anymore. Sounds pretty much like theft to me. Of course it is not only about the name. If someone can successfully pretend to be you - including your debt history, providing correct address, SSN, CC # and your /. account ... - how do we know it is you? We don't. You lost your identification.

Re:"Identity theft" is a meaningless term (1)

Jonboy X (319895) | more than 7 years ago | (#17284040)

If you are not the only one "Jonboy X" that can prove that he is "Jonboy X" then you don't have identity. You are left with plurality at best ;-) You had identity before and now you don't have it anymore. Sounds pretty much like theft to me. Of course it is not only about the name. If someone can successfully pretend to be you - including your debt history, providing correct address, SSN, CC # and your /. account ... - how do we know it is you? We don't. You lost your identification.
It's not so much the "identity" part that strikes me as odd; it's the "theft" part. When someone steals your television, they have it and you don't. When someone "steals" your identity, you still have it because you're still you. It's just that now, someone else has some information that can be used to impersonate you to people who don't check too closely.

Maybe everyone should periodically be able to buy a public/private cryptographic key pair that can be used to authenticate you. The higher your net worth, the longer (and more expensive) key you buy. To buy something, you just encrypt the message "I bought a book from Jimbo Jones on November 19th, so please give him 20 bucks" and give it to the vendor. The vendor can decrypt the message with your public key to make sure it's really from you, and your bank can do the same when Jimbo shows up for his money.
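The signed purchase message proposed in the comment above, as an added Go example that is not part of the original thread: "encrypting" with your own key so that anyone can check it with the public key is what a digital signature does. The sketch assumes Ed25519 and adds a per-order nonce so a copied message cannot be cashed twice; `PaymentOrder`, `Bank` and every name and value are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PaymentOrder is the statement the buyer signs (hypothetical format).
// Nonce makes each order unique so the bank can refuse a second presentation.
type PaymentOrder struct {
	Payer       string `json:"payer"`
	Payee       string `json:"payee"`
	AmountCents int64  `json:"amount_cents"`
	Date        string `json:"date"`
	Memo        string `json:"memo"`
	Nonce       string `json:"nonce"`
}

var (
	ErrUnknownPayer = errors.New("no public key on file for payer")
	ErrBadSignature = errors.New("signature does not match order")
	ErrReplay       = errors.New("order already settled")
)

// encode returns the exact bytes that are signed and verified. Struct fields
// marshal in declaration order, so signer and verifier derive identical bytes.
func encode(o PaymentOrder) []byte {
	b, err := json.Marshal(o)
	if err != nil {
		panic(err) // cannot happen for this plain struct
	}
	return b
}

// SignOrder is run by the buyer, who alone holds the private key.
func SignOrder(priv ed25519.PrivateKey, o PaymentOrder) []byte {
	return ed25519.Sign(priv, encode(o))
}

// Bank holds only public keys, so a breach of its records yields nothing
// that can be used to sign new orders.
type Bank struct {
	keys    map[string]ed25519.PublicKey
	settled map[string]bool
}

func NewBank() *Bank {
	return &Bank{keys: map[string]ed25519.PublicKey{}, settled: map[string]bool{}}
}

func (b *Bank) Register(payer string, pub ed25519.PublicKey) { b.keys[payer] = pub }

// Settle pays out only for a correctly signed order that was not seen before.
func (b *Bank) Settle(o PaymentOrder, sig []byte) error {
	pub, ok := b.keys[o.Payer]
	if !ok {
		return ErrUnknownPayer
	}
	if !ed25519.Verify(pub, encode(o), sig) {
		return ErrBadSignature
	}
	id := fmt.Sprintf("%s/%s", o.Payer, o.Nonce)
	if b.settled[id] {
		return ErrReplay
	}
	b.settled[id] = true
	return nil
}

// Demo runs four constructed cases: a genuine order, the same signature on an
// inflated amount, the genuine order presented twice, and an order signed by
// someone who knows the payer's personal data but not the private key.
func Demo() (first, tampered, replayed, forged error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	bank := NewBank()
	bank.Register("buyer-001", pub)

	order := PaymentOrder{"buyer-001", "Jimbo Jones", 2000, "November 19th", "book", "constructed-nonce-0001"}
	sig := SignOrder(priv, order)
	first = bank.Settle(order, sig)

	inflated := order
	inflated.AmountCents = 200000
	tampered = bank.Settle(inflated, sig)

	replayed = bank.Settle(order, sig)

	fresh := order
	fresh.Nonce = "constructed-nonce-0002"
	forged = bank.Settle(fresh, SignOrder(otherPriv, fresh))
	return
}

func main() {
	first, tampered, replayed, forged := Demo()
	fmt.Println("genuine:", first)
	fmt.Println("tampered:", tampered)
	fmt.Println("replayed:", replayed)
	fmt.Println("forged:", forged)
}
```

Knowing a name, address or SSN does not help here, because the bank accepts only what the registered key signed.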

Identity is not abstract data (1)

mangu (126918) | more than 7 years ago | (#17284338)

When someone steals your television, they have it and you don't. When someone "steals" your identity, you still have it because you're still you. It's just that now, someone else has some information that can be used to impersonate you to people who don't check too closely.


I would agree with you if it was about copying data such as software, music, films, etc. But if someone has all the data that identifies you, he can effectively take it away from you. He can change your address so that all your mail goes to him and not to you. He can have a new driver's licence issued so that the picture in the DMV will be his and not yours. Without too much effort, he can make it so that *you* will be the fake.


Of course, if all you have are debts, that will not matter too much, but what if he uses your identity to sell your assets? What if he takes a mortgage on your property? Or what if he sells your real estate, he could even sell your home and disappear with the money.


Yes, I believe that, differently from intellectual "property", an identity is something that can be stolen.

Re:"Identity theft" is a meaningless term (1)

berzerke (319205) | more than 7 years ago | (#17286130)

When someone steals your television, they have it and you don't. When someone "steals" your identity, you still have it because you're still you.

Except the damage they do de-values you being you. Say you had a great credit score and were about to buy a home. Oops, now you can't get approved for the home loan because of all the black marks on your credit score. Can you honestly say that doesn't make you less valuable?

People have spent thousands of dollars and years trying to clean up after an identity theft. Is that de-valuing you? That money and time could have easily been put to better use. That's value you have lost.

Re:"Identity theft" is a meaningless term (1)

jimmichie (993747) | more than 7 years ago | (#17284558)

First off, the term "identity theft" is completely ridiculous.
Yeah, it should be Identity Sharing.

Re:"Identity theft" is a meaningless term (1)

raynet (51803) | more than 7 years ago | (#17285236)

Or how about Identity Infringement? I googled for Copyright Infringement and got this:

Copyright infringement occurs when a person copies someone else's copyrighted items without permission. This would also include public display of a copy of copyrighted work.

After small modification it actually sounds quite ok to me:

Identity infringement occurs when a person copies someone else's identity without permission. This would also include public display of a copy of identity.

Of course using that copied identity to get a loan/buy something/etc wouldn't be Identity Infringement but a fraud.

Re:"Identity theft" is a meaningless term (1)

bky1701 (979071) | more than 7 years ago | (#17284618)

"A better term would be 'credit fraud'."

I much prefer "some-moron-is-buying-stuff-with-my-money-and-i-am-going-to-get-blamed-all-because-some-stupid-company-can't-use-blowfish-i-hate-this".

It's Bigger than just Credit Fraud (1)

HighOrbit (631451) | more than 7 years ago | (#17285614)

I agree that "identity theft" is an over-used term when "credit fraud" might be a better description in most situations. However, I've heard of "identity theft" that didn't involve credit fraud. During the immigration debate that was going on last summer, I read a story in the newspaper (sorry, don't have a link) about a woman on the east coast who applied for unemployment benefits, but was denied because records showed that she was currently employed somewhere in the midwest. Except, she wasn't working in the midwest; some illegal alien was using her SSN. There have also been cases where the IRS has audited people because their tax returns do not match the income reported for their SSNs (again, probably illegal aliens using stolen SSNs).

So even if an "identity thief" doesn't apply for credit in your name, they can still cause you major problems.

you missed an important one (0)

Anonymous Coward | more than 7 years ago | (#17286634)

First off, the term "identity theft" is completely ridiculous. No one is taking away who you are.
How about if that "identity thief" were to take out a life insurance policy on a target?

I'd argue that in such a case they'd definitely be "taking away who you are".

Re:"Identity theft" is a meaningless term (1)

Vengeance2001 (843563) | more than 7 years ago | (#17289680)

I work in the financial services industry and I totally agree with the parent post. Banks and credit reporting agencies are doing what is most financially efficient for themselves, which is not reducing errors to zero, but reducing them to a number they can absorb the risk on, while foisting some of that risk on to consumers as well.

In reality though, 99% of that risk is still on the banks. Most credit card fraud isn't using your personal info to get a mortgage in another state, but simply making some charges for tennis shoes or trades of gasoline for cash at a truck stop. The issuing bank of your credit card eats this cost when you call them and dispute the charges. It is off your bill in seconds. The reason they can eat the cost is because they are getting half of all the interchange charged on your card, which is usually 1.5% to 2% of your charges. Trust me, they make a fortune. They can afford to eat the fraudulent charges.

What they have done now is brilliant marketing. They have convinced a large portion of the general public, including much of /. it seems, that this large scale mortgage/loan fraud which ruins your credit is a very likely occurrence. Of the 100 million+ victims of identity theft, how many actually had enough happen to hit their credit report, or had additional loans and foreclosures happen? I bet less than 1000. Perhaps less than 100.

But instead, the banks hype this as a huge issue and get you to what... pay a monthly fee to "protect yourself". Now instead of them offsetting their lost transactions from fraud with interchange from your purchases, they are making $120/yr off of you for THEIR failure to authenticate you properly, selling you on the "service" to outsource to YOU their job in detecting the .01% case someone takes out a loan in your name.

This is a huge scam and I'm surprised /. people haven't seen through this by now.

I found out last week I might be a victim. (2, Interesting)

artifex2004 (766107) | more than 7 years ago | (#17283584)

The university I graduated from reported someone had hacked in and gotten access to about 6K student and faculty records, including payroll info.
Their idea of taking care of the problem? Wanting me to register online (!!) or over the phone to be told if I was one of the victims, and also to get a free credit report or get credit monitoring, though they don't seem to think they should pay for that or for any fees I might get if I have been victimized...

Oh, and I only found out because it was in the local news.

Re:I found out last week I might be a victim. (2)

aplusjimages (939458) | more than 7 years ago | (#17285396)

Man they are really taking care of business. Is there no liability on their end for not taking the proper measures to at least inform all the victims of the problem?

makes me wonder... (1)

lordvalrole (886029) | more than 7 years ago | (#17283602)

why the hell is our information on something as portable as a laptop? Where the hell does it need to go? One should expect that information to be safe and under guard at all times. Just big corporations trying to spend the least amount of money so they can get their execs more bonus money. Weak sauce people...weak sauce. Shouldn't we be smacking these places with huge lawsuits for negligence? We keep setting the bar too low for these companies who we are supposed to trust with our personal information. I guess it is wishful thinking.

Re:makes me wonder... (3, Informative)

davaguco (771514) | more than 7 years ago | (#17283632)

In Europe we have a common Directive (that means it's the same for all countries and it sets common guidelines that must be made into law by each nation) that establishes some measures that must be taken to protect all the personal information. In my country, companies are not allowed to store customers' personal information on a laptop, for example.

Re:makes me wonder... (1)

R2.0 (532027) | more than 7 years ago | (#17284292)

And of course, all European companies follow the laws scrupulously. So no one EVER puts such data on laptops. So if a company laptop goes missing, there's no reason to worry (or report it), because there couldn't POSSIBLY be personal data on it - why, that would be illegal!

Re:makes me wonder... (2, Insightful)

Skidge (316075) | more than 7 years ago | (#17283702)

It was probably some schmuck trying to make an unreasonable deadline for some reports, trying to put in a few extra hours of work at home so he doesn't get yelled at by his PHB, who didn't give said schmuck the approval needed to get a secure remote connect because it would have cost his department a few extra dollars.

Re:makes me wonder... (1)

Dunbal (464142) | more than 7 years ago | (#17284454)

why the hell is our information on something as portable as a laptop? Where the hell does it need to go?

      Obligatory: Information wants to be free? It was trying to break free?

Now the new scam email line will read. (1)

Overkill Nbuta (1035654) | more than 7 years ago | (#17283630)

Your User number 100,000,000 Claim your prize by sending in your credit card info as well as full name!!!! Be quick this is a limited time deal!!!!

in other news... (1)

fedork (186985) | more than 7 years ago | (#17283648)

estimated 347 million people are victims of made-up statistics.

Stolen from Car (1)

brajesh (847246) | more than 7 years ago | (#17283668)

"...was stolen from an employee's car earlier this month"

Seriously, who carries around a Laptop with "Personal Information" of 382 Gazillion living, dead and zombie employees in a fscking Laptop and leaves it in a car unattended.

You would think they would store this information in a so-called safe server somewhere and have policies on not taking them around in Laptops. Why would you need that information on a laptop anyway ? For fsck sake - We're talking about serious personal information!

I say hire stewie to shoot this guy.

In other news - why no mention of India in this whole game of data theft ?

Re:Stolen from Car (1)

B4D BE4T (879239) | more than 7 years ago | (#17284158)

For what it's worth, the data wasn't supposed to be on the laptop and the guy was fired for going against company policy.

Re:Stolen from Car (2, Informative)

B4D BE4T (879239) | more than 7 years ago | (#17284198)

Oh and in case anyone is interested in reading the full response from Jim McNerney (Boeing's CEO), here it is [nwsource.com] .

Possession is nine points of the law (1)

shanen (462549) | more than 7 years ago | (#17283684)

In this case, we should possess our own personal data, and unauthorized possession should be theft, just like someone broke into your house and stole your computer. I have about 300 GB of storage at home, and I'm quite sure that all the personal information that companies 'own' about me could easily be stored on MY premises.

hmm (1)

Falladir (1026636) | more than 7 years ago | (#17283694)

Soon everyone will have been victimized, yes?

Stupidity (3, Interesting)

Lavene (1025400) | more than 7 years ago | (#17283734)

A laptop containing the personal information on 382,000 current and retired workers of Chicago-based Boeing Co. was stolen from an employee's car earlier this month, according to Boeing spokesman Tim Neale. He declined to say exactly where the laptop was stolen.
That really sums it up. You will never ever have better security than what the stupidest person with access to sensitive data can muster. Leaving a laptop with such data unattended in a car??

You can enforce encryption on every file, strong passwords etc but sooner or later some schmuck will print it out and forget to shred the printout when done. So it ends up on some dump available to anyone crawling around looking for something usable.

Designers of company security forget the most obvious and most dangerous threat: stupidity! My personal favorite quote used to illustrate exactly that is the following:

When the infamous "ILOVEYOU" email virus hit, I saw TV news coverage that included an interview with some bubblebrained company secretary. At one point she said, "Oh, I saw we had dozens of these emails coming in, and of course I was suspicious, but I had to open just one of them because, you know, 'I Love You!' *giggle* I had to just see what it was about, you know?"
You can't foolproof a system, you simply need to get rid of the idiots. Which sadly is easier said than done...

Re:Stupidity (0)

Anonymous Coward | more than 7 years ago | (#17284014)

All of this identity theft stuff is twaddle. There is no problem, there never has been a problem, and if there was a problem it would be sorted out by the banks.

The banks have made a quite reasonable decision that they do not care about low levels of fraud.

We the users don't care, or shouldn't. We get a simple easy to use system without excessive checking and if occasionally someone abuses our data we get compensated a few weeks later.

There is of course a industry out there trying to spread FUD and panic you into wasting your valuable time protecting your data.

Remember all of the salient information about you is not private.
This includes your SSN, your address, your date of birth, your mother's maiden name. How could they be private? Thousands of people know them.

Fines? (1)

kosmosik (654958) | more than 7 years ago | (#17284016)

What are the fines in such situations? This is clearly their fault - they've taken personal data and haven't taken enough care of it (in fact they were stupid enough to feed that data into laptop and get it stolen). What does US law say about it? In Poland (European Union) they would face severe consequences.

How many people here have had or know personally.. (1)

b.burl (1034274) | more than 7 years ago | (#17284078)

...their identity stolen? This computer fear thing smacks of the whole terrorism scam. How many people here inside the US have been or know personally someone who has been the victim of terrorism? The media, for whatever reason, seems to want to amp up the fear quotient of this nation. I bet that stolen wallets/physical mail account for ten thousand times more id fraud than any computer activities, yet that doesn't get headlines. Nor does the fact you are more likely to die from an accident in your bathtub than you are from a terrorist attack. "300 000 000 Million Potential Victims of Wallet Theft!" or "Your Bathtub: Friend or Instrument of Terror!" are a couple of headlines I'd like to see.

For the love of God... (5, Insightful)

RulerOf (975607) | more than 7 years ago | (#17284112)

Two words: Terminal Server.

I know it has been asked before, but WHY in the name of GOD does this kind of information need to be on a fucking laptop?!

My mother works at a VA hospital and as such, has access to read and modify all the personal information necessary to commit identity theft on thousands of patients, and of course, she has a laptop computer issued by the hospital so that she can work from afar. When she originally received it, it was nothing more than a Win2k box with VPN software, MS terminal services. All of the sensitive data was/is stored on the servers on their intranet. After a small "upgrade," the laptop was returned, only this time it came back with a full encryption setup. The interesting thing is that there is STILL no sensitive data stored on the laptop. It is, however, just as easily accessible. The point is, if someone stole that laptop, no sensitive data would be compromised, even if the encryption was broken (which probably wouldn't happen).

I don't fucking understand, why when we have the technology READILY available to completely prevent this kind of crap, that it isn't used. A shout out to all the companies on this planet: Centralize your damned security. Laptops cost $500. This kind of shit publicity and potential lawsuits cost a hell of a lot more.

Oh... darn, looks like I got my hopes up too soon (1)

lavid (1020121) | more than 7 years ago | (#17284124)

I thought this was going to give me the 100 million victims' data. Guess not :(

Just a thought. (1)

Toreo asesino (951231) | more than 7 years ago | (#17284266)

This case would make an excellent case-study for the Vista Bitlocker [wikipedia.org] facility. The cynic in me wonders whether Microsoft may play on this convenient timing.

Total Information Awareness (0)

Anonymous Coward | more than 7 years ago | (#17284692)

Notice the massive serial thefts of electronic data since 9/11? It's been paid for and collected. Don't expect this aspect to be discussed in Congress.

Re:Total Information Awareness (0)

Anonymous Coward | more than 7 years ago | (#17284756)

data theft chart: http://www.waynemadsenreport.com/Datathefts.php [waynemadsenreport.com]

California is NOT the only state with disclosure. (0)

Anonymous Coward | more than 7 years ago | (#17285794)

Since California is still the only state with disclosure laws, incidents are difficult to analyze fully.


Well this is simply not true, there are 33 states currently with disclosure laws, and at least 7 other states have disclosure laws in the works.. True not all laws are the same, but to claim that California is the only state that has a disclosure law related to data theft is just wrong..

http://www.pirg.org/consumer/credit/statelaws.htm [pirg.org]

CA isn't the only state with disclosure laws (1)

vox_gabrieli (250873) | more than 7 years ago | (#17285942)

The poster says, "Since California is still the only state with disclosure laws..."

Been in a cave for the last few years? See http://infosec.uga.edu/policymanagement/breachnotificationlaws.php [uga.edu] for information on 34 state breach notification/disclosure laws.

Real World (1)

blacknblu (988181) | more than 7 years ago | (#17286182)

The article pertaining directly to Boeing stated the following:
Although the laptop was turned off and was password protected, Neale said the data on it was not encrypted.

My point is: how many people know how to access this information, or better yet, know to even look for this type of data on a stolen computer? I can see some kid trying to get into the laptop for a couple of days, and subsequently reformatting the hard drive. I don't want to imply that this information can't easily be compromised, and exploited, merely that I don't think this is very likely. Boeing's primary concern should probably be the other confidential information that was on the laptop. Don't they contract with the government?

Catch-22 (0)

Anonymous Coward | more than 7 years ago | (#17286230)

By definition, the info you provide to prove your identity (credit application, bank loan, etc.) can be used by anyone with access to it to impersonate you to someone else. Every time you apply for a loan or fill out a rental agreement, you are required to provide adequate proof of who you are ... which can then be reused by someone else to hijack your identity. The people/companies that should prevent the problem don't, because they can make a higher profit by not preventing it. The solution is fairly simple, but it will take someone like Google to step in and implement a free solution to allow the individual consumer to protect themselves.

hehe. (0)

Anonymous Coward | more than 7 years ago | (#17287696)

I told someone I know that 100 million people died in a typhoon and they said "See, I told ya!"

Yes, But... (1)

Nom du Keyboard (633989) | more than 7 years ago | (#17288212)

number of data breach victims has passed 100 million

Yes, but, how many are dupes?

Not Just California Has Notification Laws (1)

idsfa (58684) | more than 7 years ago | (#17288246)

As of last July, 34 states [pirg.org] had laws requiring consumer notification. Some are triggered directly immediately upon the loss, others only if the data is considered "at-risk". It's hard to take TFA seriously when it can't even get basic facts correct that can be found in less time than it took to write this comment ...

help "them" to want to change (2, Interesting)

martyb (196687) | more than 7 years ago | (#17289248)

THE PROBLEM: It is currently financially worthwhile for some companies to play loose with personal information. The perceived costs of the consequences of poor protection are not sufficient to warrant a change in their way of doing business.

Many merchants / agencies / whatever don't seem to want to provide us additional protections. All it would take is for a few companies who already take security very seriously to sign up for the best star rating listed below, chalk it up to advertising expense, and put the pressure on the other merchants who do not sign up. "Hey! *WE* take your security seriously, and we put our money where our mouth is. If *WE* mess up, we clean it up and pay *YOU* for your inconvenience. Why would you want to deal with anyone else?"

There is a financial opportunity for an enterprising group to make a fortune here. Existing insurance companies provided graduated coverages and fees depending on certain items. I can select how much liability insurance I want for my car. I can pay the insurance company a larger premium for a greater amount of coverage. Alternatively, if I have certain protective measures in place, then my premiums can be reduced. I choose the level of coverage that works for me.

Whenever there is a security breach, make a payment to each CONSUMER! Get the consumer to be your best ally in getting merchants to sign up for the protection. So, if a merchant compromises the security of MY information, then the insurance company sends ME a check. (I'll leave it as an exercise for the reader on how this could be extended to cover other organizations that have access to personal info such as hospitals or government agencies.)

Also, and VERY important: advertise this feature like crazy - get the consumers to push the merchants to get the coverage along with an easy-to-remember grading scale for consumers to use to assess the degree of protection they are provided by a merchant. It took a few years, but now US car companies are advertising the NHTSA crash test ratings. [dot.gov] I expect the same could work for credit protection.

NOTE: All dollar amounts are pulled out of a hat. I'm just trying to put something concrete out there to use as a starting point for discussion. Obviously, the size of the covered merchant would affect the premiums and payouts, and I have NOT worked those into these numbers. Please offer improvements! The examples listed here might be appropriate for a moderate to large merchant.

Have a graduated scale of costs and coverages that depended on what level of security measures were in place at the time of the loss / theft.

  • PROTECTION LEVEL: ONE STAR:
    If a merchant takes no security precautions then the insurance company would:
    • charge high premiums: $10M per year, plus $10 per covered client.
    • require high deductible: $5M deductible (in escrow).
    • provide low payment to each consumer: $100.00 to each consumer.
    • provide limited credit monitoring protection: 6 months of credit reporting agency monitoring.
    The consumer gets some benefits, even if the merchant makes no great effort to protect the user. It's still better than anything that the consumer is now getting. After a few payouts, word-of-mouth will boost interest by consumers in seeking out at least this minimal coverage. CEOs and CIOs will start to take notice.

  • PROTECTION LEVEL: TWO STAR:
    If a merchant takes certain, documented, security precautions (encrypted DBMSs, firewalls) then the insurance company would:
    • charge moderate premiums: $5M per year, plus $10 per covered client.
    • require moderate deductible: $1M deductible (in escrow).
    • provide better payment to each consumer: $500.00 to each consumer.
    • provide better credit monitoring protection: 1 year of credit reporting agency monitoring.
    The consumer gets better benefits, so a consumer would prefer to see their merchant provide this higher level of protection. Better benefits to consumer - better word of mouth advertising (Sure, it was a hassle, but I got a new Wii and some Games with it!) CEOs and CIOs start talking to marketing.

  • PROTECTION LEVEL: THREE STAR:
    If a merchant undertakes rigorous security precautions (i.e. encryption throughout (DBMS, comms, POS terminal), firewalls, user-supplied challenges/responses, etc.) then the insurance company would:
    • charge low premiums: $1M per year, plus $1 per covered client.
    • require low deductible: $500K deductible (in escrow).
    • provide best payment to each consumer: $1000.00 to each consumer.
    • provide better credit monitoring protection: 5 years of credit reporting agency monitoring.
    The consumer gets even better benefits, so consumers push merchants to upgrade, or take their business elsewhere. Marketing departments start to demand this from CEOs and CIOs.

And, yes, I am aware that the consumer ultimately pays for the implementation of these protections and for the insurance premiums. We're already paying for the LACK of protections because of chargebacks and the like, and I only see it getting worse before it gets better.

Please suggest improvements, oversights, and changes.
