Updated: 7/8/2011 7:09 PM ET
Tales of dingbat data breaches
Evil geniuses aren't to blame for most breaches of personal data. Usually, the information is all but handed out, thanks to carelessness or stupid decisions.
Most people imagine that sophisticated hackers pose the biggest threat to ID security, but the majority of data breaches are accidental. In 2008, the nonprofit Identity Theft Resource Center tracked 231 human-error cases involving 21 million records.
The stories are depressingly banal. Over and over, it's a matter of hasty emails, goofy printer errors and flash drives lost at conferences. "The most stupid and ridiculous is the most common," says consultant Robert Siciliano, the CEO of IDTheftSecurity.com.
One common blunder is best referred to by the technical nomenclature "records dumped in the trash." If only they'd stayed there. News accounts describe troves of private data washing up on the banks of the Pennamaquan River in Maine, blowing through Manhattan's Upper West Side and swirling around a parking lot near a Babies R Us store in Richmond, Va.
Then there are the meth addicts who thrive on Dumpster data diving. Although the surplus in ill-gotten credit card information has sunk the street price from $10 to 50 cents per account, some identity files still can fetch $25.
Next we encounter the phenomenon known as "forgetting your stuff." The Ponemon Institute, a data security research firm, says business travelers lose half a million laptops in airports every year, and nearly half those computers hold customer data.
I left my MacBook at a Phoenix hotel once, so I shouldn't point fingers. But it's harder to excuse security professionals. In June 2009, a veteran driver for Perpetual Storage in Salt Lake City was asked to transport billing records for 2.2 million hospital patients to his company's fireproof vault inside a granite mountain protected by steel doors and armed guards. Instead, he left the box overnight in his car. As Murphy's Law would have it, a random burglar took the box.
Experts say many companies don't enforce simple procedures that would prevent a leak. In 2008, when Verizon Business' investigative response team was called in to investigate breaches involving several major retailers, it discovered the obvious problem: They were all using the same supplier to maintain their system, and that supplier was using the same default password to protect each retailer's database.
"Not an incredibly good decision," Verizon security expert Wade Baker says.
Some incidents are so absurd it seems that all the foresight in the world couldn't have prevented them. My favorite: a Norfolk, Va., gas station attendant who refilled the receipt printer with a used roll that had prior customers' credit card data printed on the back. Then there's Broome Community College in upstate New York, which mailed 14,000 alumni magazines with the recipients' Social Security numbers printed on the back. And the state of Louisiana, which mailed 150 tax-bill reminders with a second taxpayer's data -- yes -- printed on the back.
But look at the bright side: Ponemon researcher Mike Spinney says just 2% of all data breaches result in identity fraud. So cluelessness works both ways. Just as it takes human stupidity to produce a leak, even accidental recipients with criminal tendencies are usually too dense to realize what they've received.
Copyright © 2014 Microsoft. All rights reserved.