100 Million exposed identities, but who is counting?

December 15th, 2006

PrivacyRights.org actually is counting, but no one seems to care. If the current rate of large-scale identity theft is sustained, we stand a good chance of having every US resident’s identity exposed within the next 12-24 months.

Within the last 24 hours alone we learned about almost 1.2 million exposed identities at the following organizations:

  • 800,000 - Hackers infiltrate UCLA
  • 382,000 - Stolen Laptop at Boeing
  • 6,000 - Hackers get into University of Texas at Dallas

If we take a closer look at the list PrivacyRights.org is compiling, we can break it down into three different risks that cause the exposure or theft of identity data:

    1. Insider Threat
      Caused by disgruntled employees who want to get back at their current or former company, or by people who are in it for financial gain. There are a variety of solutions that can at least limit this risk. So-called data loss prevention technology can now selectively block confidential information that contains identity information.
    2. Hackers
      Criminals are now increasingly targeting identity data. They are shifting their attacks almost exclusively towards theft and exploitation of personal information such as SSNs, credit card data and other private data. Keeping systems up to date and using the latest system and network security technology can decrease the chances of hackers gaining access to sensitive information.
    3. Theft or misplaced devices (such as laptops)
      This is usually a combination of carelessness, lack of policy enforcement and insufficient use of technology. For example, why would you leave your laptop in your car when you know it has 300,000 SSNs on it? Why did the company allow them to put those 300,000 SSNs on the laptop? And if you must have them on your laptop, why didn’t you buy some full-disk encryption software for it?

    At the same time, new government regulations are now forcing organizations to disclose the loss or exposure of identity information. In the past, prior to these new regulations, these kinds of breaches were simply not reported and people would never know that their personal information had been exposed.

    What can we do?
    We can take the usual approach and throw money, technology, new policies and some user training classes at the problem and hope it’ll go away. Especially for No. 1 and 2 there are some fairly good solutions available to limit the risk. However, when it comes to stolen or lost devices, it gets a bit more complicated.

    Individual accountability as the holy grail?
    We need to take a look at whether it makes sense to hold the individual accountable for the loss or exposure of identity information. If you are caught drinking and driving, you know the consequences. You knew it was against the law, and you’re going to spend a night downtown combined with using public transport for a while. But if you expose thousands of people’s identities due to your lack of responsibility, nothing happens. Sure, you might get fired and your company has to pay a fine, but no one will prevent you from taking up another job and doing the same thing again.

    But what if the individual can be held responsible? Now all of a sudden you’ll think twice about whether you leave that laptop in your car; maybe you’ll ask your boss, “Do we really have enough security on that thing?” or, better yet, not even carry anything around that might leave you exposed.

    Regulation across all industries
    Granted, this can only work if there’s a fair balance between the employer’s and the employee’s amount of accountability. That means the employer has to make sure that every possible safeguard is available, primarily the right technology and policies, and the employee has to be made aware that he or she is working with personal information and needs to protect it accordingly. This kind of regulation has to apply across all industries, whether it’s a public, private or non-profit organization; frankly, any organization that creates, stores or transmits personal information.

