Browse archive

Latest news

Targeted data stealing attacks using fake attachments

A look into the EC Council hack

New Mac spyware signed with legitimate Apple Developer ID

Ransomware adds password stealing to its arsenal

"Get free followers" scam targets Instagram users

Thoughts on the need for anonymity

Four LulzSec hackers handed prison sentences

The New Yorker launches anonymous dead-drop tool

Researchers reveal OpUSA attackers' MO

Info-stealing Dorkbot worm spreading on Facebook

Review: The Hacker's Guide to OS X

Private messages of Bloomberg clients end up online

IT security jobs: What's in demand and how to meet it

Hacking charge stations for electric cars

When identity theft is not your fault

Posted on 12 July 2010.

Not a month goes by that we don't hear of a theft of a laptop, external hard drive, USB stick or CD belonging to a company and containing sensitive personal information of customers, present or former employees, or business associates. And not to mention the even more frequent - but often kept secret - breaches into the company networks and databases.

It is definitely true that you should be responsible for the security of your information when you handle it, but what happens when the theft of your information is not your fault? You have handed over this information to a company or organization and trusted them to keep is secure, but they failed.

They might notify you of the breach or theft, and they might even set up a credit monitoring service for you for a year or two, but the problem is that this information may be used years from now. Is it fair that you have to worry for decades and pay for further credit monitoring when they are to blame for your information ending up in the wrong hands? And why, oh why, isn't encryption of this information mandated by law?

Individuals whose information has been stolen have probably asked these questions over and over again. Take Jake McCoy as an example. As many a student before him, he has applied for loans in order to pay for his education, and is still paying them back.

Two years ago, he was notified by his Alma Mater that a laptop containing his account information has gone missing. According to CNN, they apologized and arranged for a one-year long credit monitoring service, which has since expired.

"For me, it's not a one-year ordeal," says McCoy. "If I had ruined my credit, it would have taken me forever to get back on track. One year was a nice gesture, but I definitely wish it would have been more than just a year."

Unfortunately for him - and the 350 million people whose personal records have been compromised by data privacy breaches since 2005 - there is not much he can do apart from paying for the credit monitoring service in the years to come.

Companies are encouraged to use encryption to secure this and other kinds of sensitive data, but they often don't do it. Encryption slows down their day-to-day operation and that means extra cost.

But the Data Accountability and Trust Act that will soon be voted on by the U.S. Senate may change the situation for the affected customers for the better. If the Act is confirmed, the companies will be compelled to take "reasonable measures" to protect data containing personal information. Let's hope that these reasonable measures will include the use of encryption.