In the last few weeks, we have heard about both the ChoicePoint and Bank of America "hacks." As hopefully most of you know, these cases aren't hacks per se. Unfortunately, I have to be clear about which Bank of America hack I mean, and that is the loss of personal information of 1.2 million people, including that sacred group, U.S. senators. Of course they will now hold Congressional hearings on the matter.
In the ChoicePoint case, there was no hacking; instead, authorized clients using false identities accessed the computer records of 145,000 individuals. The Bank of America incident supposedly involves airline baggage handlers stealing copies of backup tapes on their way to safe storage. The media and everyone else love to jump all over the computer angles and ignore the basic security issues. It took several days before the media started portraying this as a case of flat-out business fraud.
Sadly, the ChoicePoint case demonstrated the ignorance within the security media, as even an Information Security Magazine article described ChoicePoint as a business that specializes in protecting personal information. That is incorrect and misleading. ChoicePoint is a business that specializes in compiling and selling personal information. Its business mandate is to put "sufficient" effort into protecting the information that it stores and sells.
I am honestly bewildered as to why the outrage about the "Bank of America incident" is being directed at Bank of America. From all indications, it was doing everything right.
The indications are that tapes were in the process of being shipped to a backup facility, which is a good demonstration of proper security procedures. All reports and tracking indicate that the tapes were stolen by an airline baggage handler. This is an infinitely greater concern than the fact that "senators'" information was stolen.
In a post-9/11 world, with all of the supposed focus on aircraft security, it is baffling that people aren't outraged by the criminal behavior of people who can put hundreds of lives in direct danger. It appears that nobody has an immediate, accurate read as to who the baggage handlers were, and how regularly they exhibit criminal behavior.
This is the most important aspect of the entire story that the media and the outraged senators just don't appear to get. In the process of performing good computer security, poor airline security has caused a massive violation of personal privacy. It is easy to point the finger at a bank as it theoretically owned the information. However, it is inexcusable that this loss is the result of a failing in the security of an aspect of a critical homeland security area of focus.
Personally, I don't want a hearing parading Bank of America executives in front of Congress. I want to know the name of the airline and the individual baggage handlers with responsibility for the flights in question. I want to see airline executives tell Congress why their employees can walk in and out with contraband, which could include bombs.
It is also an outrage that Congress now wants to know why Bank of America waited two months to tell potential victims about the incident. Why didn't these concerned senators care that losses like this have been going on for years, and we don't have to get any notice unless we live in California or two other states? Why don't they care that it takes months, maybe years, to clear your credit reports, and it only takes a couple of days to sign up to get legitimate access to the data to enable people to ruin someone's credit? Oh, I forgot, their data is involved now.
It is comforting to know that after this incident, the value of ChoicePoint stock dropped 10%, and legislation is being threatened for the relevant industries. While I sympathize on one level, these are the types of effects that will get the industry to make drastic improvements in their operational security procedures.
At the same time, we need to do what we can to make sure that the media and the legislature address the underlying issues. They have clearly demonstrated an interest in sensationalizing the issues, without looking at the underlying causes. Chances are that very little will happen until the next time a senator's information is at risk.
About the author
Ira Winkler, CISSP, CISM, has almost 20 years of experience in the intelligence and security fields and has consulted to many of the largest corporations in the world. He is also author of the forthcoming book, Spies Among Us.