People often share their credit card anxiety with me. They’re afraid their cards will be lost or stolen and huge bills will be run up by a thief, and that their identities will be cloned. “Is it better to just carry cash?” they ask. “Should I follow the waiter when I pay my restaurant bill?” “How safe is it to use a credit card on the internet? Will my identity be stolen?”
So let’s put these questions to rest. Then we can move on to the real risk.
First, yes. Your credit card can be lost or stolen and big debts can be incurred by others. You won’t be responsible—your financial institution takes the hit. But in the grand scheme of things, the odds are not high that your credit card will disappear and be compromised. The risk is higher in some places than in others, and for some people more than for others. But that’s life. Get over it and live.
No. It’s not better to carry cash. Keep some cash for small (or secret) purchases, and use credit cards for the rest.
Yes, shop on the internet with your credit card. If it makes you feel better, get one of those temporary credit card numbers on your account, good for a single transaction or a limited amount. Without internet and a credit card, you’re crippled.
The real risk of identity theft and credit card fraud
It’s big business. The hotels and hospitals we go to, the stores, banks, schools, airlines, doctors, utilities, and credit unions we use, and even government organizations: all of these and more store information about us. They all comply with information security regulations to some extent. But how much and how well? Our identities are in the hands of those who store our details.
Database data loss
If our PII (personally identifiable information) is set free, it will most likely be due to an electronic data breach of some sort, in a (probably-large) batch with others’ information.
We used to be concerned that manila folders containing our records were physically locked up. Who had access to them? How were they discarded? Shredded or dumped in a Dumpster? There’s so much more to worry about now, and so much more than a single set of paperwork. Our most sensitive secrets and deepest dirt are stored electronically on hard drives, on servers, in the cloud, backed up, on laptops, mobile phones, and even on thumbdrives.
Laptops and thumbdrives are lost and stolen every day. Databases are breached every day. This is where the risk is, and it’s out of our hands.
The advantage goes to data thieves like Rogelio Hackett who, until a little slip-up, broke into the computer networks of businesses, downloaded credit card information, and sold it for profit. Big profit.
“The bad news is that banks and businesses have not made great progress in the fight against account takeover fraud,” says The Information Security Media Group in its 2011 Business Banking Trust Study. Bringing institutions to compliance has been a painful process.
Security vulnerabilities are uncovered daily in computer networks everywhere, from the Australian Parliament House to the Pentagon to our water supplies. In the 3/28/11 Los Angeles Times, Ken Dilanian wrote that “Impeding the move toward bolstering U.S. infrastructure is the government’s lack of authority to coerce industry to secure its networks and industry’s lack of an incentive to implement such protections.” He was referring to the threat of terrorist cyberattacks, but our personal security is at risk as well.
Read this for the state of cybersecurity:
A new survey reveals that roughly three-quarters of energy companies and utilities experienced at least one data breach in the past 12 months. … Seventy-one percent of respondents said that “the management team in their organization does not understand or appreciate the value of IT security.” Moreover, only 39 percent of organizations were found to be actively watching for advanced persistent threats, 67 percent were not using “state of the art” technology to stop attacks against SCADA (supervisory control and data acquisition) systems, and 41 percent said their strategy for SCADA security was not proactive. The survey also concluded that the leading threat for energy utilities was not external attackers, but rather inside ones—43 percent of utilities cited “negligent or malicious insiders” as causing the highest number of data breaches. …
To get a fuller grasp of the number of electronic records lost or stolen, take a peek at the DataLoss DataBase project, which “documents known and reported data loss incidents world-wide.” You can search by type of data lost (Social Security numbers, financial information, credit card numbers, etc.) and by industry sector (business, government, educational institution, etc.). You can see if the breach was by an insider or an outside attacker, and whether it was malicious or accidental. And you can search by many types of breach: improper disposal, a hacked or lost computer, a stolen drive, a web attack, etc. I’m especially fond of the datalossdb Twitter feed, for minute-by-minute reports of data losses, with links to known details. For example:
http://bit.ly/eDcD2s – Blockbuster Video – Employee and applicants’ records containing names, contact details, Social Security and personnel matters found discarded
http://bit.ly/gW2WYs – AllianceBernstein Holding LP – Employee downloaded client files and transactions before resigning
http://bit.ly/dTAmUX – Qdoba Mexican Grill – Customers’ card numbers acquired and misused
http://bit.ly/hdmt25 – Hyundai Capital – Personal credit rating information of 420,000 vehicle loan customers plus 13,000 security passwords acquired by hackers
And on and on. The feed may shock you daily, as it does me. Why is our vital information handled so carelessly?
Well-known and trusted companies like Brookstone, AbeBooks, Ralphs Grocery, Ritz-Carlton, Smith’s Food & Drug, Best Buy, Verizon, etc., assure us they store our information responsibly. Then they farm it out to Epsilon online marketing, a company they do not control. Epsilon got hacked.
More than 65 companies have been impacted, to the great risk and inconvenience of their customers. I got emails after the breach from three of the businesses, warning that data on me had been among the stolen records. Security experts now expect a massive increase in “spear phishing,” in which individuals are personally targeted and tricked by spoofs of companies they have a legitimate relationship with. I get plenty of phishing email already, and some of them look damn believable. Expect them to look even better now, addressed to us by name.
I’m not going to address every risk and precaution here. There is much, and it’s all to be read elsewhere on and off this blog. My points are two:
1. Our ordinary everyday activities may expose us to a little risk of credit card fraud and identity theft, but the big risk is out of our hands.
2. Do look at DataLoss DataBase or at least skim its Twitter feed to get an idea of how much information is lost daily.
4 Comments
You are right Bambi. Like I tried to point out, personal practices like password selection have no impact on the security of corporate databases.
But think of database attacks like a bank robbery and individual attacks on passwords like pickpocketing. Obviously all criminals would prefer the bounty from robbing banks but most are willing to settle for the scraps of picking pockets.
I just didn’t want your readers to give up on good personal security practices because they can’t take turns guarding the ‘bank vaults’.
You wouldn’t be a customer of any of these, would you? Updated list of companies whose client databases were compromised in the great Epsilon hack:
Kroger
JPMorgan Chase
Capital One
Citi
New York & Company
US Bank
Barclays Bank of Delaware
Barclay’s L.L. Bean Visa card
Brookstone
McKinsey Quarterly
TiVo
Walgreens
Ameriprise
Marriott Rewards
Ritz-Carlton Rewards
Disney Destinations (The Walt Disney Travel Company)
Benefit Cosmetics
Home Shoppers Network (HSN)
AbeBook
Best Buy
Best Buy Canada Reward Zone
Borders
City Market
Dillons
Food 4 Less
Fred Meyer
Fry’s
Hilton Honors
Jay C
King Soopers
QFC
Ralphs
Verizon
Visa
AIR MILES Reward Program (Canada)
Beachbody
bebe
College Board
Eileen Fisher
Ethan Allen
Lacoste
Red Roof Inn
Target
1-800-FLOWERS
Ann Taylor
Viking River Cruises
BJ’s Visa
World Financial Network National Bank
Victoria’s Secret card
Express card
Catherine’s card
TripAdvisor.com
TIAA-CREF
TD Ameritrade
Smith Brands
Scottrade
Robert Half International
MoneyGram
Marks & Spencer
Eurosport Soccer
Eddie Bauer Friends
Dell Australia
Charter Communications
ExxonMobil card
Home Depot card
NTB card
The Place
Crucial
Stonebridge Life Insurance
Tastefully Simple
Chadwick’s
Dressbarn
Fashion Bug
Giant Eagle
J.Crew
Lane Bryant
Maurice’s
PotteryBarn
RadioShack
Sears
Smile Generation Financial
The Limited
United Retail Group
Avenue
Jessica London
OneStopPlus
Value City Furniture
GlaxoSmithKline Consumer Healthcare
Woman Within
Stage
Trek
Sportsman’s Guide
Shell
Reeds Jewelers
Radio Shack
QualityHealth
Quality Food Centers
PotterBarnKids
PacSun
Palais Royal
Polo Ralph Lauren
MyPoints Reward Visa
KingSize Direct
Justice
J.Jill
Gander Mountain
Giant Eagle Fuelperks
Domestications
David’s Bridal
Crate & Barrel
AshleyStewart
Abercrombie & Fitch
Hi there, Bruce! I think most of us are scared into being careful with our credit cards and ATM behavior. My point above is that we as individuals and card-users can be extremely careful, but we can’t control how securely our data is kept by businesses. Our security is in their hands and mostly out of our control.
The most important things you can do as a card holder are to use good passwords/PINs/secret question answers and be very careful about who you share them with or where you type them in.
It’s true that this won’t have any impact on databases being stolen from the merchants or processing companies, but individuals are still targeted quite often with ‘phishing’ in emails, web pages, and even phone calls.