
Security Blog Log: The bright side of the VA data theft

By Bill Brenner
02 Jun 2006 | SearchSecurity.com


For the 26.5 million U.S. veterans whose personal information was stolen last week, it's probably hard to see a silver lining in the cloud of uncertainty now hanging over them. But according to some security bloggers, there really is a bright side.

The U.S. Department of Veterans Affairs confirmed May 22 that records for every veteran discharged from the military since 1975 were stolen from the home of an agency employee. The records contained the names, Social Security numbers and dates of birth of the veterans and some spouses.

But Pete Lindstrom, research director of Spire Security LLC in Malvern, Penn., suggested in his Spire Security Viewpoint blog that there's a "finite limitation" to the number of Social Security numbers that may actually be used for fraud. For one thing, he said, it takes considerable work to "monetize" Social Security numbers. He added that credit card numbers, on the other hand, are more likely to be used for quick-hit acts of fraud.

About Security Blog Log

Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

Given all the work required to convert Social Security numbers into financial gains, Lindstrom said it's best for each individual involved to be one of many.

"The larger the number of SSNs stolen, the less likely any individual is to be a victim," he said, since there's no way the thieves can process all 26.5 million records. "So 26.5 million is better than, say, five …"

Lindstrom also took blogs like Emergent Chaos to task for suggesting that 8.9% of Americans are at increased risk for ID theft due to "that fellow" at the VA.

"Sure, the 13% at risk for account takeover from CardSystems was bad, but that was just credit cards. This is about the databases that control our lives," Adam Shostack wrote in the Emergent Chaos blog. "This is horrendous."

Lindstrom said Emergent Chaos and other blogs have engaged in a "baroque and convoluted publicity stunt to create FUD" around the VA data loss. He then offered some perspective, borrowing from a 2003 study conducted by Aegis Group plc's Synovate marketing research group on behalf of the Federal Trade Commission (FTC).

The study concluded that 100% of all Social Security numbers are at risk of use in identity fraud. That being the case, Lindstrom suggested that the latest incident means the affected veterans probably aren't any more likely to be ID theft victims than they already were.

"What I am suggesting is that the absolute level of increased risk is likely very, very, low," he said. "That is, if a typical account has 150,000 people with access and now there are 150,005 (or even 150,100 for that matter), even having an extra 100 people with access is not going to change the risk equation that much."

While it's unfortunate the VA theft happened, he said it's not the end of the world -- yet.

Some other bloggers agreed with Lindstrom's overall assessment, including Mike Rothman, president and principal analyst of Security Incite, an industry analyst firm in Atlanta.

"To be clear, the theft was terrible and I feel for all of the veterans out there that are now at an increased risk," Rothman said in his blog. "But [Lindstrom's blog] correctly indicates that a SSN requires a considerable amount of extra work to 'monetize' it. And there is no way the bad guys can get to all 26 million records."

Rothman added, "I know it seems a bit strange (and certainly wouldn't make a veteran feel any better), but Pete's thinking is correct."

Tags: Identity Theft and Data Security Breaches; Security Industry Market Trends, Predictions and Forecasts; Enterprise Risk Management: Metrics and Assessments
