Has the Data Security Problem Become an Epidemic?

telstar asks: "Lately, it seems like an almost weekly occurrence: confidential customer data is exposed online, despite the assurance that security measures were in place to prevent such a problem. ChoicePoint Inc., LexisNexis, and DSW Inc. were all victims of online security breaches. Ameritrade and Bank of America both admitted lost physical data tapes containing confidential client account information. Recently, Carnegie Mellon notified 19,000 students, alumni, faculty and staff that their confidential information may have been compromised. An April 2005 GAO report found that though the IRS is making progress fixing security holes in systems that it operates, they aren't keeping pace with new vulnerabilities, risking exposure of sensitive financial data of the taxpaying population of the country. To top things off, these are only the cases that we're aware of, which begs the question of how many security breaches have gone unnoticed, or unannounced. What about companies like Google? As they expand their service offerings with GMail and Google Search History, where they are increasingly responsible for retaining client data, will they become a bigger target for attackers? This is the problem. What is the solution? Are there any tips for people to help protect their identity and confidential financial information? What firms go above and beyond the call of duty to ensure that their client data is secure?"
  • by justanyone ( 308934 ) on Thursday May 05, 2005 @06:38PM (#12446499) Homepage Journal
    Write your state senators and legislators and urge adoption of california style laws that require companies to notify their customers if any private data is compromised.

    Illinois does not have a law, and it should.

    From what I understand, the main reason we're hearing more about these data intrusions is the California law now mandates such disclosures.

    • I really wouldn't be surprised if it turned out to be some sort of black ops CIA unit doing it...heh. [pentagonstrike.co.uk]
      • [pentagonstrike.co.uk]

        I hate that stupid site. It screams "Liberal Crackpot" like few other sites, and makes the Left look pretty fucking stupid.

        Did it ever occur to the authors that if they want to be taken seriously, perhaps they shouldn't use the 'Cheap MTV video' format. Maybe that shit works to get 13-year olds to buy more bling-bling, but it doesn't work for the rest of us.

        Oh, and maybe remove some of the moronic logical fallacies of their argument. "It sounded like a missile". Gee, how convincing.
        • It may not be the best, but it certainly grabs peoples attention...I see it as a kind of gateway tool to getting people interested in the truth.
          • I'm just not a big fan of this conspiracy theory. The arguments are pretty outdated, and ignore a lot of evidence that has been published since.

            Honestly, they're suggesting a massive conspiracy amongst the hundreds of investigators and support staff. Pretty far fetched.
        • I hate that stupid site. It screams "Liberal Crackpot" like few other sites, and makes the Left look pretty fucking stupid.

          ..says the guy who uses "EnronHaliburton2004" as his /. nick.

          Thanks, dude, that totally made my day. :) +5, Funny.

  • by MerlynEmrys67 ( 583469 ) on Thursday May 05, 2005 @06:38PM (#12446505)
    Companies are now legally required to publicly disclose breaches... 5 years ago there was no such requirement - so they didn't bother.

    That said - the cracker population is getting significantly more sophisticated with more resources available to them (think a zombie network for solving distributed problems rather than simply launching a DDoS).

    Online is a scary place to be isn't it ?

    • But it's still not so obvious.

      1.) Flaw found by QA
      2.) Flaw goes in internal database
      3.) Fix attempt by developers
      4.) Patch compiling by release eng
      5.) Now you hear about it in public

    • In California they are required to do so, but you should note that one iteration of thought that ChoicePoint reportedly went through was to consider notifying only CA residents.

      As far as I've read, there is no US Federal law requiring company disclosures of security breaches.

  • by Otter ( 3800 )
    Stuff still catches fire, tens of thousands of years after the technology came into use. (Or whenever the hell it was -- I'm not a freaking archeologist.) You try to be careful, and fire safety has certainly improved over that time, but ultimately there's a background level that will always have to be dealt with, by insurance and by just sucking it up.

    There's always going to be data compromise. One should be careful, and precautions should be kept in place but the long-term answer is that consumers will be pro

    • There's always going to be data compromise. One should be careful, and precautions should be kept in place but the long-term answer is that consumers will be protected like they are with credit card theft, the losses will become another background cost and you're going to have to live with the possibility that someone will know what movies you rent.

      The problem is that one can't be careful. Before Choicepoint's data compromise went public, I don't think I'd ever heard of them before. I certainly didn't kno


    • Possessing the data is a good part of the problem. Companies are allowed to collect and aggregate information about us, without our knowledge or permission, and then use that data in promoting their interests, which, as we've seen, can easily compromise our interests. When I say compromise, I'm not talking about a minor inconvenience- I'm talking about a life-changing event that can take years to resolve, with no guarantee that it will be resolved.

      The question I think we should be asking is this: why are ot
  • No (Score:5, Insightful)

    by Safety Cap ( 253500 ) on Thursday May 05, 2005 @06:45PM (#12446579) Homepage Journal
    Data security is no more an epidemic than "terrorism" is. You're just hearing about it more, thanks to the disclosure laws in Cali, et al.

    Compare with people who watch Faux News: they're convinced that Osama is on the verge of attacking BFE, ND, and we're also winning the war in Iraq.

    • by js7a ( 579872 )
      It hasn't "become" an epidemic, it always "has been" one. Thank goodness for California, or most people would never know.
  • The word we were looking for was pandemic. Pandemic.
    • Or maybe just boring. I'm tired of all these fear-inciting stories that mean nothing... You think you actually had any privacy in the first place? Ha! If someone wants to do something with your personal information, getting it is a lot easier than doing something with it.

      When I used to work retail, people would always freak out if I looked anywhere near their hand while they typed in their pin numbers....like I could remember a hundred pin numbers a day? I hate how paranoid everyone has gotten with this s
    • The word we were looking for was pandemic.

      Doesn't look so clear-cut to me re choice of words -- from m-w.com [m-w.com]:

      1. pandemic [m-w.com]: occurring over a wide geographic area and affecting an exceptionally high proportion of the population
      2. epidemic [m-w.com]: an outbreak or product of sudden rapid spread, growth, or development; specifically : a natural population suddenly and greatly enlarged
      • Actually, this is a very clear-cut case. Pandemic is the proper term. If it were an epidemic, you would need to show that this isn't an all-encompassing problem. The nature of the write-up indicates that it is indeed a pandemic. To help you, think of it in terms of AIDS. To say that there is an AIDS epidemic is incorrect, since there are no places in the world that do not have the AIDS problem to deal with. If you are referring to any one single location, you can refer to it as an epidemic in that context.
  • by Anonymous Coward
    I imagine there will be some laws passed about this real-soon-now. Stuff like this doesn't happen overnight, but as high profile cases hit the news with greater frequency it is only a matter of time before an influential senator or congressman gets inconvenienced by it and champions a bill.

    I'm surprised the Homeland Security folks haven't done it themselves on the grounds terrorists will steal identities of US citizens to sneak in and get around.

    As for a technological fix... unplug.
    • Who would want to hack a Congressman's Blackberry, when they can access Paris Hilton's?

    • Pass a law for what? What makes you think that more laws/rules/restrictions will in any way help the problem? How about making people aware of what is happening and what could possibly happen. Then maybe give them a shove in the right direction to find something to help them with their issue. Homeland Security? If it's "homeland" security shouldn't they have some kind of office in the "homeland"?
  • by vandezuma ( 875570 ) on Thursday May 05, 2005 @06:49PM (#12446619) Homepage
    As I read in some article a few weeks ago (not sure if it was /. or not), if companies made their authentication processes more stringent, data like SSNs and names and addresses wouldn't be so valuable any more. The problem is that you can get access to so many things with just basic contact info and a SSN.
  • California (Score:1, Interesting)

    Whoops, posted anonymously...

    This is just speculation, but I believe a lot of these new warnings are the result of California's new law forcing disclosure of these events. I'd venture that it was probably happening before, but they just kept quiet about it. And if someone doesn't conduct business in California, you still won't know until it's too late.

    On the other hand, some of these may be cases where the *potential* exists that someone accessed your data, but really didn't, but the company is covering
  • This was in the Boston Globe as well as The Washington Times today. The governor of the state and many celebrities' driving records were publicly available, such as Jay Leno's. Massachusetts closes personal data hole [washingtontimes.com]
  • SA Article on Web Accelerator Flaw [somethingawful.com]

    I love Google as much as anyone else here, but this definitely points out that even the geniuses at Google can make mistakes, and this is just a tiny look at what can happen with those mistakes.

    I hope Google is able to fix this or pulls the web accelerator.

    ~Rebecca
    • Ugh.. can't... resist.... troll... bait...

      Apparently neither Rich "Lowtax" Kyanka nor yourself actually *read* the Google Accelerator information page.
      http://webaccelerator.google.com/support.html [google.com]

      Rich's lack of understanding leads him to make several false statements:
      "Well here's the problem, folks: everything you view is now owned by Google. Do you read email? Well now Google reads your email, and now the entire world can read your email. Do you use private messages through a website?"
      First and foremos
      • First of all, just because Google isn't portrayed as a deity, doesn't make it troll bait.

        Second, I read the Google page yesterday, and it doesn't say "If you log in to gmail through the accelerator, someone else might get your cached copy." Also, your link now is dead, Google took it down. As of 5:10p AZ time the page reads "The requested URL was not found on this server." and nothing else.

        I believe it is a valid issue considering gmail itself uses http not httpS for the actual reading of your mail.
        • I stand by the troll critique.
          I called troll because the problems Rich points to are a non-issue with regards to the web accelerator.

          Now, if you had expounded upon his page with some of your own thoughts, like you just did, then I wouldn't have called troll.

          The actual security issue, as you just pointed out, is that *gmail* doesn't use HTTPS. Unfortunately for you, this has nothing to do with the web accelerator (which, I must reiterate, was the sole topic of your original post)

          BTW: The link is not dead,
          • The actual security issue, as you just pointed out, is that *gmail* doesn't use HTTPS. Unfortunately for you, this has nothing to do with the web accelerator (which, I must reiterate, was the sole topic of your original post)

            If http truly is the cause and has nothing to do with GWA, I challenge you to get my gmail since I have not used GWA (not available for linux). If you decide to take my challenge, it's the same as my slashdot ID.

            While gmail not using https may be a problem in itself, the problem
            • If http truly is the cause and has nothing to do with GWA, I challenge you to get my gmail since I have not used GWA (not available for linux). If you decide to take my challenge, it's the same as my slashdot ID.

              I think you are getting ahead of yourself here. I took the liberty of looking at gmail after the last post, it (like all other webmail services I'm familiar with) does indeed use HTTPS - although only for logins. (unlike, for instance, my ISP's webmail access, which is entirely HTTPS)

              If it can't

      • Lowtax is pretty strange, and extremely lazy. He's into music in his spare time, and posts on SA asking about how to work a certain synth, well I own the yahoo group for this synth, I tell him go to my group and pose the question and I'm sure someone will answer you. Anyways he acted like it was a big deal to do that and couldn't I just do it all for him... he's probably still futzing with it
  • "begs the question" (Score:5, Informative)

    by venomkid ( 624425 ) on Thursday May 05, 2005 @07:11PM (#12446801)
    Look, I know this is OT, but I see this so often it's starting to cause me physical pain.

    To top things off, these are only the cases that we're aware of, which begs the question of how many security breaches have gone unnoticed, or unannounced.

    The circumstances may "raise" or "prompt" a question, but it doesn't "beg" a question. "Begging the question" is a logically fallacious practice in which one assumes one's conclusion, making a circular logic. (e.g., claiming the Bible is the inerrant word of God because it says so) It has nothing to do with speculation.
    • This isn't strictly true. "Begging the question" has a very specific meaning in the world of logical fallacies, but it also has a very different meaning in the world of conversational English. Something may "beg a question" if there is an obvious and relevant follow-up question.

      "Are you still beating your wife?"

      "No!"

      "That begs the question--when did you stop?"
      • However, "begging the question" did not have this conversational meaning, as you call it, before this latest generation started using it that way without understanding its history. Until recently, no educated speaker of English would have used it that way - and it still makes many of us cringe.
        • Until recently, no educated speaker of English would have allowed a sentence to end with a preposition or to start with a conjunction. Today, educated speakers of English agree that these are unnecessary pseudo-remnants of the past. (The "don't end sentences with prepositions" rule isn't even English grammar; it was an attempt to dress English up by incorporating Latin grammatical elements.)

          The language changes. Deal with it. It doesn't make you educated to avoid ending sentences with prepositions, nor
          • Hi, rjh; always a pleasure to encounter someone who is familiar with the history of English usage. You should, perhaps, be a little careful about assuming ignorance on the part of those who might disagree with you. "The language changes. Deal with it," is simply rude.

            I am quite familiar with the attempt, especially in the 17th and 18th centuries, to make written English correspond with the formal structure of Latin grammar (that is, at least, Latin grammar as taught in English public schools). My area of p
            • A marker as to the language the user learned, yes; a marker as to the sophistication of the user, never.

              Languages change over time. One way to assess the power of a language is to measure the rate at which it changes and evolves. This process of evolution is natural and should neither be feared nor welcomed. It's a natural state of affairs. Hence my remark of "deal with it". You may think it's rude, but I think you should deal with it, the same way I think you should deal with gravity, the sun rising
  • The biggest reason that these releases of confidential data cause harm is that practically every piece of information that exists in a corporate database about an american citizen or resident alien is keyed to the SSN, and the SSN is used as an authenticator. If it weren't for this, the mere fact that someone got a copy of your bank records would be annoying, but not particularly worrisome.

    I don't particularly *want* a copy of my college transcripts roaming the Internet, but the main problem with them ro
  • When you have 100 times more servers and users, you'll probably have ~100 times more problems and security breaches.
  • Please actually read the linked articles before replying

    1) Our Data : an appeal - a "Plimsoll line" for computer security [google.com]:

    Set up baseline expectations for all aspects of computer security

    2) Twelve Step TrustABLE IT : VLSBs in VDNZs From TBAs [blogspot.com]:

    Move to virtualized sandboxed environments. Make provision for auditable builds from third party Trusted Build Agents ( read the article ).

    3) Do you want the Good or Bad news first? [blogspot.com]

    Because security mechanisms are fallible, you need a secured secondary channel

  • One thing I don't understand is why our personal information has to be accessible to the entire world...ie, exposed to the Internet. It should be treated as any other item of high value and locked up or kept away from the public. A company doesn't keep their stock certificates or other valuables in the lobbies of their branch offices, so why should our data be "available" to the public? Why not just keep the computers that hold all this information on a separate network...one that is not connected to the ou
    • Dedicated private networks cost money. Money that most companies will not spend unless someone is holding a gun to their head. The problem with security is that often the risks and costs of improper disclosures are dumped on third parties, not the people who were responsible for the security breach.
      • It's true that the added infrastructure does cost more money for said companies. But how many companies have to be compromised? How many millions of identities have to be stolen before the government (or even companies with a concern for the people) puts some sort of regulations in place? We now have SOX compliance to deal with which will supposedly protect investors thanks to the Enron debacle. I would think that all this personal information would actually be a higher priority...but maybe I'm wrong.
  • To reduce the identity theft immensely, one or more of the following MUST be legislated:

    1. Replace the SSN with SecureID card with challenge keypad (none of those biometric foo-foo crap, bio is non-revokable)

    2. Make data aggregation illegal (ooooh, sorry credit bureaus)

    3. Make IRS the focal point of multi-keyed 2nd-generation SSN registration centre (sorry SSA, you screwed up, big-time!)

    4. Customer "optionally" generate a NEW SSN for each business or financial institutions. (remember, data aggregation
  • by Klowner ( 145731 ) on Thursday May 05, 2005 @10:55PM (#12448174) Homepage
    The other day, the wonderful community college which I acquired my near worthless associates degree from, sent an email to just about all the people in my graduating class. Not a problem you may think, but consider this..

    THEY PUT EVERYONE'S EMAIL, IN THE TO: LINE.

    I (as well as every other fellow student) now have a full listing of all my fellow students' names and email addresses..

    Oddly enough, this school has a "networking" course, hello security.
    • Expecting your email address to not be public is as stupid as expecting your real address not to be public. Anyone in your real community could probably find out your address, phone number, and the school you attended using no more tools/knowledge than a half an hour of time, your name, and a phone book. Why should you expect MORE privacy from an online community?!?! I agree that individual mails are more polite on mailing lists than massive TO: blocks, but the whole idea that your email address is privat
  • I just went to a very interesting panel discussion [americanprogress.org] about just this very subject, hosted by the Center for American Progress (http://www.americanprogress.org [americanprogress.org]). It featured some very insightful comments from the very knowledgeable James X. Dempsey [cdt.org] of the Center for Democracy and Technology [cdt.org].

    Video transcripts are also available (here [americanprogress.org])
  • According to an article [windowsecurity.com] I remember reading on WindowsSecurity.com [windowsecurity.com], only 0.1% of companies are spending the appropriate budget on Intrusion Detection Systems.
  • Does anyone need to keep your data, such as credit card number etc., after payment has been accepted?

    Which is worse: losing 3 months of customer data, or 3 years?
  • What about employee data loss. Iron Mountain lost the backup tapes of Time Warner and data on every employee for the last 15 years, including SSN!!! Employees should have the same protections/requirements to be informed as customers. They are offering credit monitoring for a year, because everyone's SSN changes after a year of course (sarcasm included). Not that /. would care, tried submitting it and it gets rejected!
  • Why do you think Symantec made the move to buy/merge with Veritas? At face value, it seems to be an odd pairing. The end goal of computer security is to protect data. The end goal of backup solutions is to protect data.
