FIRST PERSON: Waiting for the other shoe to drop

DSW's admission this week that 1.4 million customers had their credit card data stolen left one potential victim at a loss, but not for words.

This Content Component encountered an error

A couple of months ago I bought a pair of sneakers that now may cost me a king's ransom. I made the $40 purchase at one of the 108 Discount Shoe Warehouse [DSW] stores compromised by database thieves who stole three months' worth of credit card transactions.

My first thought when I heard the news this week: Not again.

This will be the third time in two years that I've had to contact credit agencies and issue a fraud alert. The last freeze, far I as know, is still in effect if recent difficulties getting a new cell phone plan is any indication.

In case you missed it, the national discount shoe chain on Monday announced it now believes "external" hackers swiped the data on 1.4 million credit card transactions and another 96,000

More on ID theft

Who should be on (and off) the hook for ID theft?
An influential cryptographer and a panel of technologists debate how best to fight false authentication and fraudulent transactions.

Washington panel weighs how best to tackle identity theft
To defeat the scourge of identity theft, consumers, Congress and corporate America need to team up.

processed checks between mid-November and mid-February at stores in 25 states. That's up from the 100,000 estimate initially reported last month. The Columbus, Ohio-based company says the stolen information doesn't include home addresses or PINs.

I'm sure people are crediting California's breach notification act for this latest disclosure, much as they did when data brokers ChoicePoint and LexisNexis were forced to come clean. This praise is worthy only if DSW announced the breaches in a truly timely manner. According to a company statement, within 24 hours of finding the theft, the company called federal authorities, hired a computer forensics company and notified cardholder associations. It then says it also "promptly issued" a customer alert posted on its Web site. The news media took over from there.

Once again, private companies with deep pockets and fuzzy math have the press to do their dirty work.

The biggest loophole in California's SB 1386, and from the looks of it all the legislation being made in its image, is the huge lag time between when companies find a breach and when they must let victims in on it. During the lapse, designed to allow law enforcement time to investigate, unwitting individuals are at risk of identity theft and fraud. I'm not against investigators getting a lead on catching culprits, but the notification window needs to be narrowed.

I used to moonlight as a college professor and a year ago my employer publicly announced a server holding financial information on students, staff and faculty had been compromised. The attack took place in October 2003; the press announcement was issued the following March -- during spring break, when campus was closed.

For the 10 people who caught the newscast, the school said it would be notifying impacted individuals, which in my case

Sound Off!

Should companies be given wide latitude in when and how they notify victims of data theft? Share your thoughts by clicking on the link at the top of the page.

came six months later. And nowhere in that form letter did it mention the attack had occurred a full year before. I had to call for that information. And notify the credit bureaus, again. I also was one of thousands of state employees whose payroll data was swiped from a server the previous year. That's the attack that ticked off state legislators to the point of creating SB 1386.

I think we're nearing a tipping point. The rash of widely publicized data thefts in the past few months is creating mounting consumer pressure that I hope finally closes clauses in data theft disclosure laws that still benefit big business. And by all means, let's keep the news media in the loop. Until change arrives, we'll still rely almost exclusively on diligent journalists, and not compromised companies, to help us decided how to handle the latest data thefts. That means altering the way and with whom we do business -- if criminals haven't already done it for us.

Dig deeper on Security Resources

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close