by Mike Masnick

Filed Under:
credit monitoring, data leaks, security

Laptop With Data Stolen? Announce It, Give 1-Year Free Credit Monitoring And Move On

from the yawn dept

We've noted in the past that it's become somewhat standard for any company who has lost the private data of its customers/employees/partners/etc. to agonize for a little while and then offer one year of free credit monitoring as an apology. Apparently that formula has reached such a point that companies are doing it automatically. This way, the press can simply combine two stories into one. Horizon Blue Cross Blue Shield of New Jersey loses a laptop with data on 30,000 members? No big deal. With the announcement they immediately offer a year of free credit monitoring and everyone can forget about it and move on. At this point, you have to assume that anyone storing personal data is starting to mentally price in the cost of a single year's free credit monitoring as a cost of doing business. It's certainly cheaper than actually securing your data.

Reader Comments (rss)

(Flattened / Threaded)

  1. identicon
    John Duncan Yoyo, Feb 1st, 2008 @ 10:51am

    If all these years of free credit monitoring are additive we may never need to pay for credit monitoring again.

    reply to this | link to this | view in thread ]

  2. identicon
    Garrett, Feb 1st, 2008 @ 11:08am

    CT's response to lost data

    I'd like to give some credit to the State of Connecticut when it comes to handling lost data. About a year ago I received a letter that they had lost an encrypted laptop with my data in it, the usual story. Except, I hadn't heard about this from the news at all. They took the initiative and contacted me.

    They offered the free protection for one year. They also picked up an insurance plan to cover and losses. This wasn't the end of it though. They continued to update me about the situation. Eventually they upped the protection to two years free and made sure that the debt protection company could not auto-renew our accounts.

    Overall, the entire situation hasn't really been a problem for me. The data was protected, the offer of coverage was generous and quick, and I wasn't tied into future services. Go CT.

    reply to this | link to this | view in thread ]

  3. identicon
    Ryan, Feb 1st, 2008 @ 11:08am


    Why is it that every laptop out there seems to come pre-loaded with everybody in America's social security number. I bet it's part of that bloatware that coms with a new Dell.

    I fail to see what's so important that some employee needs to be walking around with my SSN 24/7

    Has anybody heard of a VPN?

    reply to this | link to this | view in thread ]

  4. identicon
    NSMike, Feb 1st, 2008 @ 11:12am

    Security Still a Priority

    Maybe it is cheaper, but recently, the company I work for was transferring from a SQL-based payroll system to an Oracle-based payroll, and the engineer doing it left the payroll database on his laptop, on the front seat of his car, which was promptly stolen.

    After that, our company implemented many costly security measures to prevent this from happening again. We got the free credit monitoring software, all that stuff. But they certainly didn't ignore the security problem. Of course, like all solutions, however, it relies on the employees following these new procedures outside of the office. Which is by no means guaranteed, but at least they have an excuse to fire the people without question now.

    reply to this | link to this | view in thread ]

  5. identicon
    Kate Jackson, Feb 1st, 2008 @ 11:19am

    How is irony spelled again?

    LifeLock CEO was a victim of id theft too...

    Remember the TV ads, and billboards with his SSN on it?

    reply to this | link to this | view in thread ]

  6. identicon
    BillGod, Feb 1st, 2008 @ 11:45am


    They just sign everyone up for

    reply to this | link to this | view in thread ]

  7. identicon
    I Watch Too Much TV, Feb 1st, 2008 @ 12:03pm

    They should have seen this comin at them like an atom bomb.

    reply to this | link to this | view in thread ]

  8. identicon
    Rich Kulawiec, Feb 1st, 2008 @ 12:08pm

    And that

    1. Have you read the stories of people who've found errors in their credit reports (whether due to disclosure or just the ordinary bureaucratic malfunctions) and have tried to get them fixed?

    2. Knowing that your credit report is unaltered doesn't tell you who has your data or how they're using it.

    3. Not all data lost is financial in nature: how does monitoring your credit deal with loss of medical records?

    4. Since whoever has the data will see the same announcement of free credit monitoring for 1 year (or 2 years, or whatever) as everyone else, they know that if they sit on the data and do nothing for 1 year (or 2 years etc.) then it's much less likely anyone will be watching then.

    5. These problems follow the 1/10th of 1/10th rule that applies to any security disclosures: the number they know about is 10X the number they announce; the number that have actually happened is 10X the number they know about.

    Not that any of this will change anything, of course. Nobody gets fired, nobody gets fined, no business gets shut down, not even in cases like TJX -- where the executives are busy arranging golden parachutes for each other.

    reply to this | link to this | view in thread ]

  9. icon
    Jim (profile), Feb 1st, 2008 @ 12:19pm

    Laptops stolen - recovered - still no love.

    We just had this happen in Nashville, TN with two election commission computers with our name/address/SSN on them. Yes we are now getting the free credit report but the local paper reports that the person who uses the laptop was told that there was no need to carry the entire SSN; all she really needed was the last four digits. She was also told by Metro IT that the data should be encrypted. She never did any of this because no one could make her.
    This turns out to be more of an organizational problem than an IT or Security problem.

    I would like to know everyone’s opinion on whether it is possible for the police to determine if the laptops were in fact not accessed.

    reply to this | link to this | view in thread ]

  10. identicon
    Jack Bmg, Feb 1st, 2008 @ 12:41pm

    Why would anyone think that one year of free credi

    Once the ssn is out there, it's out there. You can ask for a credit watch for 30 days at the three reporting agencies if you think you've been compromised. What happens here is that if you apply for credit somewhere, it will be come back as "call agency" or something like that. It won't be approved until you the consumer actually talk to someone at the credit agency. Since you're in the presense of the merchant, then I guess that's good enough for the agency. Not sure what will happen with online credit apps. I guess the premise here is that if your identity is good enough for the merchant, it's good enough for the credit agency.
    So, why don't the credit agencies just permanently do this? It's somewhat a hassle for the consumer, but I'll take that over getting my id stolen.

    reply to this | link to this | view in thread ]

  11. identicon
    Anonymous Coward, Feb 1st, 2008 @ 12:54pm

    I see a market for "". Everyone sets up an account and if a company you deal with loses data with your private info, the company deposits a year of free credit reporting to your creditreportpal account!

    reply to this | link to this | view in thread ]

  12. icon
    Steve R. (profile), Feb 1st, 2008 @ 1:18pm

    The Free Service Come-on

    We received one of these notices, we didn't subscribe. The reason, too many "free" offers that silently metamorphize into a paying obligation that you don't realize until the bill arrives.

    Out of curiosity, has anyone subscribed to one of these offers and what happened when the free period expired?????????

    reply to this | link to this | view in thread ]

  13. identicon
    Amanya Wannahearfrom, Feb 1st, 2008 @ 2:46pm

    Pow! Now you've go' it!

    Keep em coming junior- good job!

    reply to this | link to this | view in thread ]

  14. identicon
    Rich Kulawiec, Feb 1st, 2008 @ 2:49pm

    Re: Laptops stolen - recovered

    It's impossible to prove that the data was not accessed. A minimally-competent person seeking to extract the data won't boot the system from its own disk drive(s) -- which would likely leave a trail (e.g., timestamp modifications). They'll boot it from either an external disk, or a CDROM/DVD, or a USB key, and simply vacuum all the data off the disk(s). Alternatively, they may take it apart and remove the disk(s), reading them elsewhere, then replacing them. (This latter method has the advantage that it's not necessary to power the laptop up at all -- just in case there's a counter in there that tracks minutes-of-operation.)

    So the only prudent assumption is to make is that ALL data has been read by parties unknown and may soon become available on the open market. Of course that's not what we hear most of the time: what we hear is "there's no proof it's been accessed". That statement is worthless.

    reply to this | link to this | view in thread ]

  15. identicon
    Anonymous Coward, Feb 1st, 2008 @ 5:17pm

    Re: Re: Laptops stolen - recovered

    Only thing you can really do is to seed the database with bogus entries.
    You'll only know when the whole database has hit the open market.

    A silly idea. If the database is for personal information, seed the database
    with the personal information of the executive staff, IT staff and anyone who
    handles/access the data...

    reply to this | link to this | view in thread ]

  16. identicon
    Eric the Grey, Feb 1st, 2008 @ 6:43pm

    The whole thing needs to be re-defined.

    This is criminal negligence, IMO and should be treated as such. There is no valid reason fro this amount of information being taken from secure systems. These days, VPN (as mentioned above) and other forms of accessing the information from home are readily available.


    reply to this | link to this | view in thread ]

  17. identicon
    Rich Kulawiec, Feb 2nd, 2008 @ 4:03am

    Re: The whole thing needs to be re-defined...

    You're correct, Eric -- and the use of reasonably strong encryption, as we've had available for free for many years would help as well.

    So would the seeding of data with known-bogus, known-trackable entries that would at least provide some hope of detecting a breach, possibly even identifying its method and giving some indication of how the data's propagating.

    But all of these are just band-aids. The same problem underlies this symptom as underlies others (spam, DDoS attacks, phishing, etc.): miserably poor security. Because that's so systemic, even the countermeasures suggested here won't truly address the issue. For example, suppose VPNs were used: any attacker in control of the VPN's termination point, e.g., the laptop of the person working with the data, has full access to the VPN connection and thus whatever's on the other end of it.

    The problem isn't that far better security isn't available: it is. The problem is that people/companies won't invest the time/effort/money to use it. After all, why should they? It's not their data; why should they care?

    reply to this | link to this | view in thread ]

  18. identicon
    Michael Evans, Feb 2nd, 2008 @ 5:23am

    Keep the data secret for a year, sell it?

    What's to stop someone from waiting until the company publishes the free credit monitoring, pad that out a little, and sell the data for use after that point. Sure there will be some changed data, but anyone with real cash is still living in the same places with the same profile numbers, right?

    reply to this | link to this | view in thread ]

  19. identicon
    Rich Kulawiec, Feb 2nd, 2008 @ 7:50am

    Oh, and further stupidity

    One of the best sites to track this ongoing parade is Pogo Was Right.

    And one of the numerous incidents covered there today mentions a set of four desktops that were stolen -- and which contain information on several thousand people. Their former owners point out that "the desktops were password protected", either (a) unaware or (b) cynically refusing to admit that when an attacker has physical possession of the disk drives that password protection is irrelevant.

    reply to this | link to this | view in thread ]

  20. identicon
    Private, Feb 2nd, 2008 @ 8:34am

    Privacy Statement

    Consumers should begin handing out "Privacy Statement" documents when asked to give out their SSN or other private credentials.

    The statement should be worded so that the party requesting the data is held responsible for the loss of said data in the event of theft, or any other type of data loss.

    I've actually done this in one instance (a car rental agency) where they wanted to make a copy of my driver license. They signed my statement in return for my allowing them to make a copy of the license.

    The idea behind this is simple. You're forcing the data requester to hold themselves legally accountable and responsible for your data. The best part of this is that you don't need the backing of any state or federal law to do this.

    reply to this | link to this | view in thread ]

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Insider Shop - Show Your Support!

Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.