Identity-fraud rates are at their highest level in five years. But while most people imagine that sophisticated hackers pose the biggest threat to ID security, the majority of data breaches are accidental. Last year the Identity Theft Resource Center tracked 231 human-error cases involving 21 million records.
The stories are depressingly banal. Over and over, it’s a matter of hasty e-mails, goofy printer errors and flash drives lost at conferences. "The most stupid and ridiculous is the most common," says consultant Robert Siciliano, chief executive of IDTheftSecurity.com.
One common blunder is best referred to by the technical nomenclature "records dumped in the trash." If only they’d stayed there. Recent news accounts describe troves of private data washing up on the banks of Maine’s Pennamaquan River, blowing through Manhattan’s Upper West Side and swirling around a parking lot near the Richmond, Va., Babies "R" Us. Then there are the meth addicts who thrive on Dumpster data diving. While the surplus in ill-gotten credit card information recently sank the street price from $10 to 50 cents per account, some ID files can still fetch $25.
Next we encounter the phenomenon known as "forgetting your stuff." Data-security research firm the Ponemon Institute says business travelers lose half a million laptops in airports every year, and nearly half those computers hold customer data. I left my MacBook at a Phoenix hotel last summer – I shouldn’t point fingers. But it’s harder to excuse security professionals. Last June a veteran driver for Salt Lake City’s Perpetual Storage was asked to transport billing records for 2.2 million hospital patients to his company’s fireproof vault inside a granite mountain protected by steel doors and armed guards. Instead, he left the box overnight in his car. As Murphy’s Law would have it, a random burglar took the box.
Experts say many companies don’t enforce simple procedures that would prevent a leak. Last year, when Verizon Business’s Investigative Response Team was called in to investigate breaches involving several major retailers, it discovered the obvious problem: They were all using the same supplier to maintain their system, who was using the same default password to protect each retailer’s database. "Not an incredibly good decision," says Verizon security expert Wade Baker.
But some incidents are so absurd it seems all the foresight in the world couldn’t prevent them. My favorite: the Norfolk, Va., gas station attendant who refilled the receipt printer with a used roll that had prior customers’ credit card data printed on the back. Then there’s Broome Community College in upstate New York, which mailed 14,000 alumni magazines with the recipients’ Social Security numbers printed on the back. And the State of Louisiana, which mailed 150 tax-bill reminders with a second taxpayer’s data – yes – printed on the back.
But look at the bright side. Ponemon researcher Mike Spinney says just 2 percent of all data breaches result in ID fraud. So cluelessness works both ways. Just as it takes human stupidity to produce a leak, even accidental recipients with criminal tendencies are usually too dense to realize what they’ve received.
2009 Copyright The New York Times Syndicate