Is It About Time We Got Upset?

Over the past couple of weeks, the media has treated us to an especially
large number of news items that can impact our basic rights, strike fear into
average consumers, and cause companies of all sizes to sit up and take
notice. In the biggest computer hacking breach of its kind, MasterCard
just warned the public about the theft of 40 MILLION credit card numbers
taken from one of its card processing firms, CardSystems Solutions of
Tucson, Arizona. MasterCard was quick to point out that only some 70,000
of the company’s 13.9M compromised cards were at “higher levels of risk.”
Whatever that means. The rest of the 40M numbers reportedly belong to
the other credit card companies. Details are scarce because the FBI is
still investigating the case. Indeed, the breach occurred late last year
(meaning that it spanned the holiday spending season) and the firms
only reported it to the public two weeks ago. Is that fair to consumers?
Does it represent an ethical code of conduct? I think not.

According to VISA, 5 cents out of every $100 in credit card transactions
is fraudulent. What’s the chance that 40M newly compromised cards will
significantly impact those statistics?

In other news, one of the handful of credit reporting agencies has just
announced that it, too, has had a few hundred accounts compromised, all
Canadian and mostly in British Columbia. Equifax: you’ve heard the name
before. The company was publicly embarrassed a little over a year ago
when private information files on “1400 Canadians” were stolen. The files
contained social insurance numbers, bank account numbers, credit
histories, home addresses, and job descriptions. At the time, the company
worked with the RCMP to investigate the issue and subsequently failed
to release any further information.

Does the public have a right to know how these investigations progress?
Is it too much to ask of these companies to adequately preserve our
private data – or at least to let us know when they’ve actually lost it?

Do you get a sense that many companies that ‘touch’ sensitive
information have little control or insight into what they’re doing? That’s
probably because it’s true. Many firms have internal departments that
manage the network, help users get work done, and go home at the end of
the day. The lack of security management is obvious, so we should all be
amazed that some companies even manage to ever detect security breaches.
The vast majority do not, I guarantee it.

I had the privilege of speaking at the InfoSecurity Canada conference
last week and presented contrasting mid-year snapshots of the state of
the world, as seen through a security lens. Perhaps the only wholly
positive view of 2005 was provided by AusCERT, the Australian research
group responsible for the “2005 Australian Computer Crime and Security
Survey.” The report paints a rosy picture of security within
corporations, with some improvements ranging between 15% and 25% in
areas such as virus infections, the use of security standards and
overall employee awareness. Even more surprising, in most cases, the
trend has seen a complete reversal from 2003-2004; for example, only 35%
of organizations experienced security attacks this year compared to 49%
last year and 42% in 2003.

Does that mean things are improving? Perhaps, but apparently that’s only
happening in Australia. Over here, we have seen major university
networks, banks, large Web sites, and retailers hit with increasingly
significant attacks and in every single instance customers and consumers
were the helpless victims. Further supporting this point, Informatica
Research dug up another new study: the 2005 E-Crime Watch Survey by CSO
Magazine and the US Secret Service. This document points to evidence of
increased criminal activity in corporate environments, including zombie
machines, extortion, sabotage, identity theft, and theft of intellectual
property. The study mentions even more significant elements such as
terrorism and espionage and quantifies the threat posed by ‘foreign
entities’ (6%). Perhaps most significant is the fact that its findings
were exactly opposed to those of the AusCERT survey as indicated by one
critical question: “has the number of security attacks on your
organization increased or decreased (not changed or don’t know were also
options) in the past year?”

In 35% of cases, that number has increased, and that’s more like it. And
there you have it. We’re halfway through the year, security seems to
have become a marketing buzzword that really doesn’t translate into a
benefit for anyone, and we’re finding out – six months after the fact –
that our credit card numbers have been compromised by the very companies
we have entrusted them with. I think that entitles us to get upset.
That, and to start thinking about ways to hold companies responsible for
the way they treat our most valuable assets: our identities, our
digital records, and the rest of our private information.

The Privacy Commissioner of Canada offers Fact Sheets and suggestions for action.