Laptop With Data Stolen? Announce It, Give 1-Year Free Credit Monitoring And Move On
from the yawn dept
We’ve noted in the past that it’s become somewhat standard for any company that has lost the private data of its customers/employees/partners/etc. to agonize for a little while and then offer one year of free credit monitoring as an apology. Apparently that formula has reached such a point that companies are doing it automatically. This way, the press can simply combine two stories into one. Horizon Blue Cross Blue Shield of New Jersey loses a laptop with data on 30,000 members? No big deal. With the announcement they immediately offer a year of free credit monitoring and everyone can forget about it and move on. At this point, you have to assume that anyone storing personal data is starting to mentally price in the cost of a single year’s free credit monitoring as a cost of doing business. It’s certainly cheaper than actually securing your data.
Filed Under: credit monitoring, data leaks, security
Comments on “Laptop With Data Stolen? Announce It, Give 1-Year Free Credit Monitoring And Move On”
If all these years of free credit monitoring are additive we may never need to pay for credit monitoring again.
CT's response to lost data
I’d like to give some credit to the State of Connecticut when it comes to handling lost data. About a year ago I received a letter that they had lost an encrypted laptop with my data in it, the usual story. Except, I hadn’t heard about this from the news at all. They took the initiative and contacted me.
They offered the free protection for one year. They also picked up an insurance plan to cover any losses. This wasn’t the end of it though. They continued to update me about the situation. Eventually they upped the protection to two years free and made sure that the debt protection company could not auto-renew our accounts.
Overall, the entire situation hasn’t really been a problem for me. The data was protected, the offer of coverage was generous and quick, and I wasn’t tied into future services. Go CT.
weird
Why is it that every laptop out there seems to come pre-loaded with everybody in America’s social security number? I bet it’s part of that bloatware that comes with a new Dell.
I fail to see what’s so important that some employee needs to be walking around with my SSN 24/7
Has anybody heard of a VPN?
Security Still a Priority
Maybe it is cheaper, but recently, the company I work for was transferring from a SQL-based payroll system to an Oracle-based payroll, and the engineer doing it left the payroll database on his laptop, on the front seat of his car, which was promptly stolen.
After that, our company implemented many costly security measures to prevent this from happening again. We got the free credit monitoring software, all that stuff. But they certainly didn’t ignore the security problem. Of course, like all solutions, it relies on the employees following these new procedures outside of the office. Which is by no means guaranteed, but at least they have an excuse to fire the people without question now.
How is irony spelled again?
LifeLock CEO was a victim of id theft too…
http://idtheft.about.com/b/2007/07/27/256753.htm
Remember the TV ads, and billboards with his SSN on it?
Sure
They just sign everyone up for freecreditreport.com
They should have seen this comin at them like an atom bomb.
And that
1. Have you read the stories of people who’ve found errors in their credit reports (whether due to disclosure or just the ordinary bureaucratic malfunctions) and have tried to get them fixed?
2. Knowing that your credit report is unaltered doesn’t tell you who has your data or how they’re using it.
3. Not all data lost is financial in nature: how does monitoring your credit deal with loss of medical records?
4. Since whoever has the data will see the same announcement of free credit monitoring for 1 year (or 2 years, or whatever) as everyone else, they know that if they sit on the data and do nothing for 1 year (or 2 years etc.) then it’s much less likely anyone will be watching then.
5. These problems follow the 1/10th of 1/10th rule that applies to any security disclosures: the number they know about is 10X the number they announce; the number that have actually happened is 10X the number they know about.
Not that any of this will change anything, of course. Nobody gets fired, nobody gets fined, no business gets shut down, not even in cases like TJX — where the executives are busy arranging golden parachutes for each other.
Laptops stolen - recovered - still no love.
We just had this happen in Nashville, TN with two election commission computers with our name/address/SSN on them. Yes we are now getting the free credit report but the local paper reports that the person who uses the laptop was told that there was no need to carry the entire SSN; all she really needed was the last four digits. She was also told by Metro IT that the data should be encrypted. She never did any of this because no one could make her.
This turns out to be more of an organizational problem than an IT or Security problem.
I would like to know everyone’s opinion on whether it is possible for the police to determine if the laptops were in fact not accessed.
Why would anyone think that one year of free credi
Once the SSN is out there, it’s out there. You can ask for a credit watch for 30 days at the three reporting agencies if you think you’ve been compromised. What happens here is that if you apply for credit somewhere, it will come back as “call agency” or something like that. It won’t be approved until you the consumer actually talk to someone at the credit agency. Since you’re in the presence of the merchant, then I guess that’s good enough for the agency. Not sure what will happen with online credit apps. I guess the premise here is that if your identity is good enough for the merchant, it’s good enough for the credit agency.
So, why don’t the credit agencies just permanently do this? It’s somewhat a hassle for the consumer, but I’ll take that over getting my id stolen.
I see a market for “creditreportpal.com”. Everyone sets up an account and if a company you deal with loses data with your private info, the company deposits a year of free credit reporting to your creditreportpal account!
The Free Service Come-on
We received one of these notices; we didn’t subscribe. The reason: too many “free” offers that silently metamorphose into a paying obligation that you don’t realize until the bill arrives.
Out of curiosity, has anyone subscribed to one of these offers, and what happened when the free period expired?
Pow! Now you've go' it!
Keep em coming junior- good job!
Laptops stolen - recovered
It’s impossible to prove that the data was not accessed. A minimally-competent person seeking to extract the data won’t boot the system from its own disk drive(s) — which would likely leave a trail (e.g., timestamp modifications). They’ll boot it from either an external disk, or a CDROM/DVD, or a USB key, and simply vacuum all the data off the disk(s).
Alternatively, they may take it apart and remove the disk(s), reading them elsewhere, then replacing them. (This latter method has the advantage that it’s not necessary to power the laptop up at all — just in case there’s a counter in there that tracks minutes-of-operation.)
So the only prudent assumption is to make is that ALL data has been read by parties unknown and may soon become available on the open market. Of course that’s not what we hear most of the time: what we hear is “there’s no proof it’s been accessed”. That statement is worthless.
Re: Laptops stolen - recovered
Only thing you can really do is to seed the database with bogus entries.
You’ll only know when the whole database has hit the open market.
A silly idea. If the database is for personal information, seed the database with the personal information of the executive staff, IT staff and anyone who handles/accesses the data…
The whole thing needs to be re-defined.
This is criminal negligence, IMO, and should be treated as such. There is no valid reason for this amount of information being taken from secure systems. These days, VPN (as mentioned above) and other forms of accessing the information from home are readily available.
EtG
The whole thing needs to be re-defined...
You’re correct, Eric — and the use of reasonably strong encryption, as we’ve had available for free for many years would help as well.
So would the seeding of data with known-bogus, known-trackable entries that would at least provide some hope of detecting a breach, possibly even identifying its method and giving some indication of how the data’s propagating.
But all of these are just band-aids. The same problem underlies this symptom as underlies others (spam, DDoS attacks, phishing, etc.): miserably poor security. Because that’s so systemic, even the countermeasures suggested here won’t truly address the issue. For example, suppose VPNs were used: any attacker in control of the VPN’s termination point, e.g., the laptop of the person working with the data, has full access to the VPN connection and thus whatever’s on the other end of it.
The problem isn’t that far better security isn’t available: it is. The problem is that people/companies won’t invest the time/effort/money to use it. After all, why should they? It’s not their data; why should they care?
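The seeding idea raised in the two comments above (bogus, trackable entries that reveal a breach and which copy of the data leaked), worked through as an added example that is not from this thread. It assumes a constructed secret, per-copy labels and sample rows; real deployments would keep the secret outside the protected database.

```python
"""Honeytoken seeding: append a known-bogus, trackable record to each
distributed copy of a personal-data table, then check a suspected leaked
dump for those records.  Constructed sample data throughout."""
import csv
import hashlib
import hmac
import io

SECRET = b"constructed-demo-secret"  # assumption: stored apart from the data
FIRST = ["Avery", "Blake", "Casey", "Drew", "Emery", "Finley", "Harper", "Jordan"]
LAST = ["Halvorsen", "Ikeda", "Juarez", "Kowalski", "Lindqvist", "Mbeki", "Novak", "Okoro"]
MEMBERS = [  # constructed "real" rows
    {"id": "1001", "name": "Ana Ruiz", "ssn": "123-45-6789"},
    {"id": "1002", "name": "Ben Okafor", "ssn": "987-65-4321"},
]

def canary_record(secret: bytes, label: str) -> dict:
    """Derive a deterministic bogus record for one copy; regenerated at check
    time, so no canary list needs to be stored next to the protected data."""
    tag = hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()
    digits = f"{int(tag[4:20], 16) % 10**8:08d}"
    return {
        "id": str(900000 + int(tag[20:24], 16)),
        "name": f"{FIRST[int(tag[:2], 16) % len(FIRST)]} {LAST[int(tag[2:4], 16) % len(LAST)]}",
        # A leading 9 is never issued as an SSN (that prefix is used for ITINs),
        # so the value is format-plausible but cannot belong to a real member.
        "ssn": f"9{digits[:2]}-{digits[2:4]}-{digits[4:]}",
    }

def seed(rows: list, secret: bytes, label: str) -> list:
    """Rows for one distributed copy, with that copy's canary appended."""
    return rows + [canary_record(secret, label)]

def to_csv(rows: list) -> str:
    """Serialize rows the way a leaked export might look (constructed)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["id", "name", "ssn"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def find_leaked_copies(dump_csv: str, secret: bytes, labels: list) -> list:
    """Labels of the copies whose canary appears in the dump; [] if none."""
    index = {canary_record(secret, lbl)["ssn"]: lbl for lbl in labels}
    rows = csv.DictReader(io.StringIO(dump_csv))
    return sorted({index[r["ssn"]] for r in rows if r.get("ssn") in index})

if __name__ == "__main__":
    copies = ["contractor-a", "field-laptop-b"]
    dump = to_csv(seed(MEMBERS, SECRET, "field-laptop-b"))  # constructed "leak"
    print(find_leaked_copies(dump, SECRET, copies))  # ['field-laptop-b']
```

A real-looking canary also gives a monitored hook (a mailbox or phone number nobody else uses) so that attempted use of the record, not only its appearance in a dump, raises an alert.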
Keep the data secret for a year, sell it?
What’s to stop someone from waiting until the company publishes the free credit monitoring, pad that out a little, and sell the data for use after that point. Sure there will be some changed data, but anyone with real cash is still living in the same places with the same profile numbers, right?
Oh, and further stupidity
One of the best sites to track this ongoing parade is Pogo Was Right.
And one of the numerous incidents covered there today mentions a set of four desktops that were stolen — and which contain information on several thousand people. Their former owners point out that “the desktops were password protected”, either (a) unaware or (b) cynically refusing to admit that when an attacker has physical possession of the disk drives that password protection is irrelevant.
Privacy Statement
Consumers should begin handing out “Privacy Statement” documents when asked to give out their SSN or other private credentials.
The statement should be worded so that the party requesting the data is held responsible for the loss of said data in the event of theft, or any other type of data loss.
I’ve actually done this in one instance (a car rental agency) where they wanted to make a copy of my driver license. They signed my statement in return for my allowing them to make a copy of the license.
The idea behind this is simple. You’re forcing the data requester to hold themselves legally accountable and responsible for your data. The best part of this is that you don’t need the backing of any state or federal law to do this.