Saturday, MasterCard blamed a vendor of ALL credit card
providers called CardSystems Solutions, Inc., a third-party
processor of payment card data, as the source of loss of 40
million consumers credit card information.
As is pointed out by several newspaper and web articles over
the last few weeks, each recapping long lists of financial
information data breaches, something's gotta give before we
entirely lose trust in financial institutions, data brokers
and credit bureaus. How much privacy loss can we take
These types of data loss were very likely common and have
very probably been going on for a very long time. The
difference is that now, THEY ARE REQUIRED BY LAW TO DISCLOSE
THOSE LOSSES - not just in California, but in many states.
National disclosure laws on data security breaches are being
considered in Congress.
I suggest that these breaches of data security all came to
light due to the California law requiring disclosure from
companies suffering hacking loss or leaks or social
engineering or crooked employees or organized crime rings
posing as "legitimate" customers. All of the above have been
given as reasons for security lapses or poor security
About three years ago, a friend told me his paycheck deposit
to Bank of America went missing from account records after
he took his check to the bank on Friday. By Monday, Bank of
America was in the news claiming a computer glitch had
disappeared the entire day's deposits. I mumbled to myself,
"I'll bet that was a hack and that hacker just made a huge
offshore banking deposit with B of A depositors' money."
But we didn't find out why it happened in that particular
case because there was no disclosure law in place at the
time. Now we have disclosure laws that mandate notice of
security breaches. Now suddenly - huge financial services
hacks and devious criminal social engineering outfits posing
as legitimate customers and apparently "innocent" losses by
transport companies of backup tapes begin to come to light.
This spate of data loss incidents is proof of the need for
corporate "sunshine laws" that make public notice mandatory
of those data losses that threaten customer information.
Who is going to lose here - the public, the corporations,
the criminals, or the government? I'd prefer that the bad
guys get the shaft and take down crooked company insiders
that either facilitate data loss by underfunding security
and encryption or participate in data theft or loss in any
form - even if that participation is security negligence.
Financial companies and data brokers have been covering up
the losses and keeping quiet about hacks so as not to worry
or frighten their customers. But that practice is
essentially ended now that they must notify the public and
disclose those losses instead of hushing them up.
Keeping the breaches hidden from public view is bad practice
as it maintains the status quo. Disclosure will facilitate
internal corporate lockdowns on the data and all access to
it. Disclosure will educate the public to the lack of
security and danger to the sensitive information we all
provide rather casually and routinely to businesses.
As the following link to a silicon.com story suggests, we
cannot take much more of this lack of regard to privacy and
must lock down financially sensitive data securely and must
begin to hold data brokers, bureaus and handlers VERY
Insist to your elected representatives that your financial
data be locked down, encrypted and guarded by those
entrusted with storing, transporting and using it. Since our
financial, medical and legal lives are increasingly being
housed in digital form and transmitted between data centers
of multiple handlers - we need to know it is secure. We also
need to know when that security has been breached and our
data compromised or lost.
Thieves are becoming more aware of the ease with which they
can find and access financial data. Hacking is not the
source of the greatest losses.
Organized crime has easily found their way into our
financial records by simply paying for it by posing as
"legitimate" business customers of information brokers such
as ChoicePoint and Lexis/Nexis. Any business can buy
financial and credit information from those information
bureaus and credit reporting agencies by meeting rather lax
requirements for "need to know" that data.
As long as it is possible to purchase our sensitive data
from brokers and bureaus, organized crime will
"legitimately" buy it from those sources, then ruin our
credit by selling that information at a higher price in
identity theft schemes.
Since disclosure laws have come into effect, those breaches
have been made public, credit cards cancelled before losses
can occur and credit reports monitored to watch for
suspicious activity. The bad guys activities are squelched
because we are made aware of the possibility our information
has been compromised.
Not all blame can go to financial institutions and data
brokers. Protect your own private data by protecting your
computer records at home, in the office, on your laptop and
in your PDA by using basic keyword security and locking down
files. Use built in encryption on your operating system and
your home network to keep data secure. Then be certain to
clear that sensitive data off the computer when you sell it
or throw it away.
Data security is something we all need to take seriously and
the corporate breaches are dramatic illustrations of how
important it has become to build digital fortresses around
our critical financial, legal and medical information.
Mike Banks Valentine is a privacy advocate and blogs about
privacy issues at PrivacyNotes.com
You can read more about identity theft issues at:
Contact MikeValentine for Search Engine Optimization