Privacy breaches: Knowing the facts and asking the right questions

Recent high-profile data compromises are only the tip of the iceberg; there's much more to be concerned about than what the media is telling you.

In the last few weeks, we have heard about both the ChoicePoint and Bank of America "hacks." As hopefully most of you know, these cases aren't hacks per se. Unfortunately, I have to be clear about which Bank of America hack I mean, and that is the loss of personal information of 1.2 million people, including that sacred group, U.S. senators. Of course they will now hold Congressional hearings on the matter.

In the ChoicePoint case, there was no hacking; instead, authorized clients using false identities accessed the computer records of 145,000 individuals. The Bank of America incident supposedly involves airline baggage handlers stealing copies of backup tapes on their way to safe storage. The media and everyone else love to jump all over the computer angles and ignore the basic security issues. It took several days before the media started portraying this as a case of flat-out business fraud.

Sadly, the ChoicePoint case demonstrated the ignorance within the security media, as even an Information Security Magazine article described ChoicePoint as a business that specializes in protecting personal information. That is incorrect and misleading. ChoicePoint is a business that specializes in compiling and selling personal information. Its business mandate is to put "sufficient" effort into protecting the information that it stores and sells.

I am honestly bewildered as to why the outrage about the "Bank of America incident" is being directed at Bank of America. From all indications, it was doing everything right.

It has one of the most extensive corporate information security programs in the industry. And its CISO is considered one of the nation's most competent, and given the overall scope of the threat facing banks, they have very few problems.

The indications are that tapes were in the process of being shipped to a backup facility, which is a good demonstration of proper security procedures. All reports and tracking indicate that the tapes were stolen by an airline baggage handler. This is an infinitely greater concern than the fact that "senators'" information was stolen.

In a post-9/11 world, with all of the supposed focus on aircraft security, it is baffling that people aren't outraged by the criminal behavior of people who can put hundreds of lives in direct danger. It appears that nobody has an immediate accurate read as to who the baggage handlers were, and how regularly they exhibit criminal behavior.

This is the most important aspect of the entire story that the media and the outraged senators just don't appear to get. In the process of performing good computer security, poor airline security has caused a massive violation of personal privacy. It is easy to point the finger at a bank as it theoretically owned the information. However, it is inexcusable that this loss is the result of a failing in the security of an aspect of a critical homeland security area of focus.

Personally, I don't want a hearing parading Bank of America executives in front of Congress. I want to know the name of the airline and the individual baggage handlers with responsibility for the flights in question. I want to see airline executives tell Congress why their employees can walk in and out with contraband, which could include bombs.

It is also an outrage that Congress now wants to know why Bank of America waited two months to tell potential victims about the incident. Why didn't these concerned Senators care that losses like this have been going on for years, and we don't have to get any notice unless we live in California or two other states? Why don't they care that it takes months, maybe years, to clear your credit reports, and it only takes a couple of days to sign up to get legitimate access to the data to enable people to ruin someone's credit? Oh, I forgot, their data is involved now.

It is comforting to know that after this incident, the value of ChoicePoint stock dropped 10%, and legislation is being threatened for the relevant industries. While I sympathize on one level, these are the types of effects that will get the industry to make drastic improvements in their operational security procedures.

At the same time, we need to do what we can to make sure that the media and the legislature address the underlying issues. They have clearly demonstrated an interest in sensationalizing the issues, without looking at the underlying causes. Chances are that very little will happen until the next time a senator's information is at risk.

About the author
Ira Winkler, CISSP, CISM, has almost 20 years of experience in the intelligence and security fields and has consulted to many of the largest corporations in the world. He is also author of the forthcoming book, Spies Among Us.
