I heard on the local news last night that the North Carolina Department of Revenue has lost a laptop that had ~30,000 state taxpayers information on it. Social Security numbers/etc… The report I saw that the state has setup a hotline to “teach citizens about identity theft” and have sent letters to those affected. Thanks… lose a laptop with 30,000 and then teach US about identity theft. How about teaching employees with sensitive information about encryption? ……. so I looked into it a bit further this morning.

According to this article the laptop was stolen from a car in the Raleigh area in DECEMBER. North Carolina has a “victims toolkit” at this address which is geared towards giving people the tools to request a freeze on their credit, notifying the three major credit bureaus, etc. (The report was from mid-January).

Also, people are encouraged to act quickly if they are notified that their information has been compromised.

It’s amazing to me that such large volumes of sensitive data are carried around and assumably NOT kept in an encrypted loop-back or some other protected store. Let’s face it, there ARE many tools for making a file relatively unreadable without a good passphrase. There is no indication in the reporting that I’ve seen that any steps were taken to encrypt the data for just such a possibility.

This get’s me back to something I’ve said many times to folks that say they won’t make a purchase online because they’re concerned about identity theft. These days, we are at the mercy of EVERY company that we do business with (including the state/federal and local governments). There is risk EVERY time you give someone your social security number or let the credit card swipe because more often than not it goes into a database somewhere. If the companies that are keeping the data have lax security or make poor choices, then you’re out of luck.

From the Charlotte observer’s report….

The employee’s car was locked, and she had followed department policies about securing the computer, Brooks told the Observer. The computer contained security features, but Brooks said officials are examining additional software safeguards.

So… I will assume they at least had a login password as part of their policy… I’m afraid that may have been all.

Chase Card services mistakenly threw out backup tapes that contained the card information of around 2.6 million customers (according to the article Circuit City card holders (former and current.)) 5 data tapes were mistakenly trashed in July. Fortunately, they think the tapes were destroyed at the landfill, and are 1)notifying the affect, 2)working with authorities. So, it may be that no data in this case was actually leaked… it does underscore one thing….

Identity theft is NOT just a risk of those that do transactions online. I heard a report on the radio this evening. They talked about a woman who had discovered a large number of credit card purchases that she was not responsible for. The official advice that was given “don’t give out your card number to others and don’t shop online.” I was a bit agitated at that advice because of stories like the above…. stories like that of the VA and their stolen laptop, stories that I could go on ticking off where a company lost the data and it was NOT THE CUSTOMERS FAULT.

Sure, shopping online can increase your risk, so can shopping in the real world. Card readers are small enough for someone to hold in the palm of the hand when they take your card to run it at the register. In fact, I know of a local story where JUST THAT happened at a restaurant in the area. Many people discovered credit card charges in Mexico on their statements… the restaurant was the common theme and a few individuals, it turned out, would swipe the cards on the way back to the register to retrieve the card information, then process the transaction as normal.

Let’s face it, it’s NOT the customers fault for many cases of identity theft and we should give advice to businesses on how to deal with it as well as consumers.

Brian Krebs highlights a study on data theft/breaches. There are some interesting results (just 1/3 of data breaches were from criminal hacking, 29% from stolen laptops or storage media, 23% from improper disclosure of information (oops I published all our customers information on the website.) and 7% from inside sources – employees taking/selling data, just 2% from lost backup tapes (wouldn’t that fall under storage media?)

The leaders in data loss seem to be Colleges and Universities, followed by the Government and then businesses.

Unfortunately, I don’t think Colleges and Universities have done everything possible to protect their computer systems and keep them updated. This is not the first study that’s suggested that College and University PCs are a part of the problem online.

Yet another bit of proof that you can never make a single transaction online and still have your private data stolen.

AT&T has had a breach of data that revealed information on as many as 19,000 individuals that had used their online store. It appears that credit card data is what was stolen, it happened over the weekend and AT&T says they detected the breach “within hours”.

I’ve added yet another category for “data leaks”. This is where I’ll put news along the lines of X company leaked data on yyyyy customers. It’s unfortunate that this is something that likely happens daily. There is no way that I can keep up with EVERYTHING, but I’ll try to post the bigger events in this category. I have many customers that say they’re concerned about people getting their credit card or bank numbers and for that reason they don’t do ANY transactions online or have any of that data on their computers. Well, I hate to break it to you, but the genie is already out of the bottle, because the companies that we do business with (ON OR OFFLINE) have all your data on computers and prohibiting yourself from online transactions is NO guarantee that you won’t have your data stolen or be a victim of Identity theft.

Verizon Wireless accidentally attached the wrong file to an email and wound up broadcasting an Excel spreadsheet with the details of some 5210 customers to about 1800 people. Apparently, they were sending out a promotional email to some of their customers and instead of the electronic order form they intended to send. The promotional email was for a bluetooth headset.

According to the article above all of the customers whose information was leaked have Motorola Razr phones – so… if you have a Razr with Verizon wireless, there are likely about 1800 + more people out there that know you’re name, cell phone number, phone model and email addresses. (This is all that the article stated was leaked. Hopefully that’s the limit of it, however any data disclosure like this is bad.)