Identity Theft Blog Entry

Where is the outrage? Security incompetence is putting millions of people at risk for identity theft and there seems to be no accountability at all.

Week after week we see major companies losing control of their customers’ and employees’ private data. This past few weeks saw AT&T notifying present and past employees (I’m aware of one notified person who hasn’t been an employee for eight years!) that a laptop containing their Social Security Numbers, compensation, and home addresses was stolen. Administaff, an HR outsourcing firm, announced virtually the same thing. These instances demonstrate how vulnerable each of us is to identity theft, even though as security professionals we take appropriate measures to safeguard our private data.

I raise these two examples because they share several common characteristics.

In both cases, the company allowed a poorly configured laptop, one that did not enforce the company’s nominal security policy of encrypting confidential data, to be used for processing a large volume of confidential personnel data..

It’s a sad fact that given their size and portability, laptops are often lost and stolen. We can’t prevent that but we can manage how we configure these systems (e.g., requiring encryption if the system handles any sensitive data) and what we prohibit as unacceptable use to reduce these inherent risks.

It is all too common for organizations to extract data sets that contain more sensitive information than is actually needed to accomplish a particular goal. Few organizations have policies and procedures in place to ensure that this unnecessary data is scrubbed before the data set is downloaded or processed. It is far easier to prevent data leakage at the source, rather than the endpoint.

In both cases, the companies failed to keep physical control over laptops that they knew contained extensive confidential information. This is a red flag for poor security awareness and training. The concentrated personal data should have been removed after its use and the laptops should have been properly locked up when not in use.

The final similarity is that both companies acknowledged that they had put employees at a substantial risk of having their identities stolen. Both chose to ameliorate employee/customer concerns about Identity Theft by providing affected people with one year of an Equifax credit monitoring service. Interestingly, the second page of both the AT&T and Administaff letter to employees and customers is identical. That raises an interesting inference; the frequency of these types of breaches is so high that Equifax has standard form letters ready to go and is making a business out of closing the barn door.