What Are You Doing With 25 Million Social Security Numbers On Your Laptop?

from the seemed-like-a-good-idea-at-the-time dept

In the never-ending barrage of stories about customer data leaks, one question is never answered: why are people carrying around laptops with so much personal information anyway? As you might expect, the answer’s got more to do with laziness and stupidity than anything else. There’s really no good reason for people to be carrying all this data on their laptops when it can be more securely held (in theory, anyway) in a central location, and accessed as needed over a network. Of course, all that requires a lot of effort, as does ensuring employees’ computers are using encryption and other security techniques, and as long as companies have no incentive to protect customer data, there’s little reason for them to go to the trouble, and cost, of actually securing data.

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “What Are You Doing With 25 Million Social Security Numbers On Your Laptop?”

Subscribe: RSS Leave a comment
Jim Grey (profile) says:

Keeping data centralized

I used to work for a contractor who provided claims-processing services to Medicare. I had access to gobs of private health information. It was company policy that no data or work product of any sort was to be stored on your local PC — everything was to be stored on heavily-protected servers. It was also made very difficult to do things such as export large quantities of social security numbers from mainframes to PCs. We didn’t allow VPN access to our servers for laptop users either — when you were working remotely, all you could do was dial in to check your e-mail. All of this frequently slowed down my work and was frustrating and annoying — but we didn’t have problems with data walking out of the building, either.

Dam says:

Re: Keeping data centralized

All of this frequently slowed down my work and was frustrating and annoying — but we didn’t have problems with data walking out of the building, either.

Dealing in information is no different than physical inventory. An employer would fire anyone walking out of the building with selling inventory, no matter what it is. There’s no plausible reason for it, unless movement of that inventory has been recorded with the appropriate paperwork. So why is data treated any differently? I can’t take home a couple of carons of product to complete my work, why should a guy/gal with a laptop be able to move sensitive data?

Your employer was on top of things – mostly because they had to be. When other businesses have to be, under penalty of huge fines, this problem will be mitigated.

SomeUser says:

Annonomize the data

What I still can’t understand is in lieu of the public flogging of this type of news, why institutions still give out this information. Much of this work is outsourced to another firm, so this will happen more and more. Even if the workers sit at the company, the work was still farmed out.

Much of this information is so easy to anonomize (e.g. Addresses, phone numbers, SSN, etc.). The structure of data is the important thing, not necessarily the content. Take a representative sample of the structure and then put in bogus data. As the OP stated, this is complete laziness and stupidity. It is NOT that hard.

Dude says:

The next big screw up

I think that this is an issue at all levels of data storage, but government is one of the worst offenders. Even when notified they are reluctant to make changes. Just shows the amount of huberis and laziness that they have for being good stewards of private data. It won’t be resolved until there are heavy fines that get paid out to the victims.

Wiley says:

Fat, bloated and cumbersome

Not that any of this is new news…I am a Fed, I know the process to implement these security measures take not only and act of God, there is mounds of red tape and every system manager asking who gets their budget cut. Even if they wanted to implement a security measure now, it would have to go through the process (bidding, due diligence, etc.) which makes it available sometime in 2010. The Government is slow and cumbersome, not to mention a bloated pig. Follow the money as the rest of these bean counters do…It is easier to ask forgiveness than to get permission.

SPR (profile) says:

Re: Fat, bloated and cumbersome

This is why Congress needs to pass a Feredal law adding jail time as a penalty for inept AND corrupt disclosure of sensitive data they are entrusted to hold by the American people. I am tired of excuses. We need some decisive action on the part of the people we elect to these positions. They are elected to lead. It is about time they started leading!!

111-22-3333 says:

"Silly" status quo is hard to change

I am still amazed by all of the organizations that require one to give their SSN – when it is clearly not necessary. Utah driver’s license, Idaho fishing license, are two examples. The reasons given include; “because”, or “it’s necessary to properly identify you”. My social secirity card clearly states “for social security and tax purposes-not for identification”.

I can often get away with making one up. Until organizations change these “just because” default identifiers, I think we will experience more such breaches of information.

Anonymous Coward says:

Re: "Silly" status quo is hard to change

States do not require you to use a SSN on your license. My UT license very clearly states “Not Required” under the SSN field. Massachusetts used to allow people to use their SSN, but again, it was never mandated.

Also, the topic asks why this question of the data being carried on personal laptopts never comes up. I don’t understand this – it appears to be a major front story every single day. This topic itself looks like it was recycled from yesterday’s Wired post (http://www.wired.com/news/wireservice/0,71348-0.html)

Prescott says:

Re: "Silly" status quo is hard to change

“I am still amazed by all of the organizations that require one to give their SSN – when it is clearly not necessary. Utah driver’s license”

Nitpicking, but Utah doesn’t demand you put in on. They can leave the field blank. As I did.

Back to the topic, I think we need a new social number, one that is for the federal government and a citizen only. That could be, you know, secure.

When my healthcare account number is my social security number, it proves we have lost focus of what a social security number is.

Anonymous Coward says:

Re: "Silly" status quo is hard to change

“I can often get away with making one up.”

Well, thats great, but while you managed to provide yourself a modicum of security, you did it while committing a felony.

Providing a FALSE Soc Sec Num is a felony. Do not do that. Simply refuse to provide it.

Haywood says:

Here’s a twist for you; I recently received a letter form an insurance co. that I haven’t dealt with in over 2 years. They claimed a laptop had been stolen with my info in it. They also were trying to sell me a subscription to a credit reporting service. I personally believe this is just a scam to sell credit reporting services.

anonymous coward says:

i’m going to patent and start a company that has one product: massive lists of generic, randomized non-real data that can be used for corporate computer system testing.

all i have to do is read the paper each day for the ‘fuck up du jour”, call that company’s IT executive (or his new replacement), ask them how many millions of names they need at 1/10 cent per name, and profit…

Indelible1 says:

Haven’t any of these companies heard about encrypting sensitive customer and employee information?

It boggles the mind that the public sector can encrypt and send data on a daily basis that complies with or exceeds DOD standards, but the folks that are entrusted with our most sensitive personal information keep it in a completely insecure database on their laptop with no consideration of those that it will negatively effect.

Why not just put in an archive, encrypt it, and be done? It would be just as easy to access for the end user, but the common thugs that abscond with the laptop that was carelessly left in a vehicle wouldn’t be able to access it with ease, due to lack of knowledge.

Jose says:

Not hard to get at all

People forget all of the people that the data goes through before it finally reaches the *secure* servers. I have a data entry friend that pays almost minimum wage and handle claims for blue cross blue shield and others with all the information they could ever want. Also to get that job or a copy of those documents is not hard at all…. it’s like brining gold to a super secure place and first driving it in a donkey with the gold wrap around plastic bags…

The Truth Is Out There says:

Look in the mirror, sys admins

A few years back, I worked at a big manufacturing company, and data my department needed every day was stored in a big dumb mainframe, with a big dumb UI, managed by big dumb programmers. A co-worker wanted a couple minor changes to the db schema, and argued with the Deniers of Information Services for months with no help. Finally, he bought a copy of MS Access, loaded it on his desktop, did a big dump off the mainframe, and in a couple of days built an app that worked waaaaaaay better than anything the “pros” ever provided. So, this wasn’t personal data, and it wasn’t a laptop, but if you tie your users up in red tape instead of helping them do their work, don’t be surprised if they try to find a way around you. Unfortunately, that might lead to these kinds of security breaches.

jdw242 says:

what am I doing?

apparently I am not working at a company with an IT manager that has a G.D. brain!

No, really, it comes down to laziness. If I didn’t fight and prove that the potential losses would close the business I work for we wouldn’t have SafeBoot on our laptops right now. Everyone wants to have the security, but IT is supposed to take care of that. They don’t understand it starts with the user being responsible.

Of course, enter the obligatory IT Staff are not responsible for your own stupid carrying of said laptop into areas that are potentially dangerous, such as pool areas, bars, hot tubs, saunas, roof tops, crashing planes, etc., though our users probably think that we are…

the IT Manager says:

Shrugged Off

I wrote an email to the IT department head once to write a simple script to get data for me and many co-workers that needed it. It would have saved the company tons of employee time, digging and searching. When I sent the email it was 10:35. By 10:37 I got a reply, “It can’t be done.” I responded. “Yes it can, attached here is the script. Please review and launch.” BAM! Instant time saving, and I wasn’t even in the IT dept. I copied the plant manager that time. Needless to say about 6 mo’s later he wasn’t working here anymore. WOOHOO!

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...