Big companies stumble with high profile security breaches that make your local WiFi coffee shop look secure.
You can imagine my disappointment early last week when I swung by one of my favorite haunts, grabbed a latte, opened up a terminal and watched my SSH attempt fail. Shoot -- their Internet connection must be down. I quickly fired up tcpdump and was surprised to see the screen light up with packets flowing back and forth. That's odd, I thought, so I opened a browser. But instead of my usual homepage I was greeted with a stern, legal warning. My wireless coffee shop was now all grown up.
At some point since my last visit, they had implemented a rather slick wireless authentication system. The homepage explained that people had been abusing the free access, doing all sorts of nefarious things. To combat this and to protect their customers, the owners were now requiring a username and password authentication that could be obtained from a barista. Hah -- I thought, they must be handing out the same name and password to everyone. I was shocked again as the gentleman behind the counter confidently explained that they had implemented randomly generated combinations "for better security."
I wandered back to my seat, a little stunned and a little proud. People, businesses, even small coffee shops -- they were finally starting to understand the value of security. I entered my randomly generated name and password, fired up my browser and began to catch up with the geek news I had fallen behind on.
With a tinge of irony, I read about a couple of recent security breaches at large organizations who, at first glance, appear to be less secure than my neighborhood coffee shop.
Choicepoint, one of the nation's largest information aggregators, had mistakenly allowed criminals to access the private identity and credit information of thousands of individuals. Approximately 50 "fake" companies had a crack at the billions of records the company stores on almost every citizen in the US.
Bank of America announced that it had "lost" tapes containing information on over 1.2 million federal employee credit cards -- exposing the individuals involved and the government to fraud and misuse.
The irony of the situation has everything to do with size and resources. Here I sat in a small, local coffee shop that had just shelled out a decent chunk of change for someone to implement a relatively sophisticated authentication system that protects both themselves and their customers. Then I read about these massive companies, with almost endless resources and many years of security experience completely dropping the ball.
Both incidents are troubling for different reasons. In the case of Choicepoint, their business is quite literally in information. Yet they have continually failed to protect our personal information, as this is certainly not their first security breach. Two things about this situation terrify me. First, we have no choice in our involvement with Choicepoint. If you have a credit card, have filled out credit forms and applied for credit, or bought something on credit -- you're in their system. We're not customers to them, we are merely bits of information and records in their massive database. What incentive do they have to protect us? Secondly, the only reason Choicepoint was obligated to release this information on the security breach is due to a California law that requires a company to inform California residents that their identity might have been compromised. If that law did not exist would we have ever heard about this? It's doubtful.
Bank of America's data loss is alarming too. Certainly, as a bank they have experience in fraud and obviously understand how costly it can be. Perhaps this was a logistical error and the tapes will turn up in a few weeks. But look at it like this: let's assume someone did get hold of this information, say, 10% of it. And of that 10% (120k records), 10% of those records get used in some sort of scam for a mere thousand dollars each, a very conservative estimate. That's 1.2 million dollars in fraud. Let's compare this story to one where armed robbers intercepted a bank truck and made off with more than a million dollars. You can bet it would be headline news across the nation. Now, let's factor in the manpower and time lost for the individuals and companies involved -- such a sum is nothing to scoff at. Identity theft is quickly becoming the modern criminal activity, with low risk and high reward. I can confirm first hand how devastating this can be for the individuals involved. Time, money and reputations are lost or put on hold indefinitely. And in this case we have a major company that accidentally loses 1.2 million credit profiles. That is simply unacceptable.
Both companies above have an obligation to protect our information while it is in their possession, but too many seem to be failing. What will it take for them to resolve their security issues? Drops in revenue, class action lawsuits or congressional regulation? Security, both for a company and its customers, is a necessity and a selling point in today's economy. We see normal people taking this into account every day. I have neighbors calling me about spyware protection, relatives recognizing what SSL-enabled web sites are, clients requesting more security layers, and friends shredding their private mail. Why then is it so hard for the big companies to take security seriously? When will these companies "get it"?