Thursday, August 10, 2006

Identity Theft of Transportation Dept


There was a time, in popular movies, where the
criminal would be rescued by his gang members.
Now, however, we have lived to see a laptop
liberated (stolen) from a government vehicle
by the bad guys instead.

The stolen laptop, belonging to the federal
Department of Transportation inspector general's
office, contained the highly sensitive personal
information of over 100,000 (133,000) residents
of Florida.


Once again, unencrypted personal data prized by
identity thieves was not only placed on a portable
laptop computer, but it was transported in a vehicle
far less secure than just about any
corporate data center.

That laptop data involved in the identity theft
included:

  • Names
  • Social Security Numbers (ssn)
  • Dates of Birth
  • Addresses
  • Pilot's Licenses
  • Driver's License

Any reasonably capable identity thief or credit fraudster
will be able to easily use this rich bounty of personal
information to quickly open up new accounts and charge
illegal purchases while leaving their unsuspecting
victims' financial futures in ruins.

As part of the typical pattern of "after the fact" spin,
the Transportation Department issued the usual
apologies and press releases promising to do better.

"We regret this matter and take our
responsibilities seriously," Zinser wrote.
"We have taken action and will continue
to take steps necessary to prevent this
from happening again."


Excuse me, but had the Department of Transportation put
even half of that energy into these two simple preventative
steps, the lives of over 100,000 individuals would not be
in sudden peril:

  1. No unencrypted personal data leaves secure data centers ever
  2. No laptops are left in an unattended vehicle ever

However, just like Ernst & Young and other organizations we've
helped to expose this year as having sloppy data handling
practices, the Transportation Department is now the latest
in what is highly likely to be a continued sad string of "stolen"
laptops containing consumer information.

How much do you want to bet some of these "stolen"
laptops may very well be inside jobs?

Want to gain back some degree of protection
against these data mishaps which needlessly
put you or your family members at risk?


Our tip for today, then, is twofold. First, for the innocent
victims of identity theft caused by the Transportation Dept.,
contact any of the three major credit bureaus to get your
free fraud alert placed immediately. Secondly, you
can also contact the Transportation Department's toll-free
phone hotline to get any assistance you will require
for the mountain of legal paperwork, hassles from debt
collectors, and phone calls you'll make to creditors.

That hot line number is 800-424-9071.

Know someone else who you can share this episode with?

5 Comments:

At 12:03 AM, Anonymous Anonymous said...

Could we take your suggestions a step further?

1. Strictly limit the circumstances under which identity files can be removed from a secure data center by any government employee or government contractor.

2. If identity data files have to be put on a laptop, use a numeric identifier -- not name and SSN -- to identify the record. That number could be linked to the name and SSN at the data center.

3. Make the unauthorized removal of data containing personal identity information cause for immediate dismissal.

4. Computers containing sensitive personal data should require biometric authentication in addition to password protection AND files should be encrypted.

 
At 6:52 AM, Anonymous Anonymous said...

But, why do companies and government agencies keep doing this to us?
(unencrypted data on laptops)

You would think with all of the press about identity theft and the causes, someone would by now at least figure it out to not do those obviously dumb things like unencrypted data.

 
At 7:05 AM, Blogger agent99 said...

If data needs to be absolutely removed from the data center, a simple solution would be to minimally strip out the SSN and encrypt the data file.

Unfortunately, many organizations' computer databases are set up to utilize the SSN as their primary key and re-programming costs and time have always been seen as an insurmountable hurdle to mandate this.

It appears legislation will be required to help incentivize SSN removal as a primary identifier.

On the "cause for dismissal" & removal of PII, absolutely - take a look at the recent case of the Navy sailor who took a laptop containing classified information. He's now in jail & will most certainly be facing treason charges.

Somewhere between treason and the slap on the hands approach now used, there's the appropriate punitive solution.
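
Added example, not part of the original post or of any commenter's reply: a sketch of the identifier substitution suggested in the comments above, where the laptop copy carries only a numeric record identifier and the link to name and SSN stays at the data center. The field names and sample records are constructed for illustration, and the exported file would still need to be encrypted, which this sketch does not do.

```python
import secrets

# Constructed sample records; the names and SSNs are made up for this example.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "ssn": "000-12-3456", "dob": "1970-01-01",
     "license_class": "E"},
    {"name": "Bob Sample", "ssn": "000-65-4321", "dob": "1982-06-15",
     "license_class": "A"},
]

# Assumed set of fields that identify a person directly.
DIRECT_IDENTIFIERS = ("name", "ssn", "dob")


def split_for_field_use(records, identifiers=DIRECT_IDENTIFIERS):
    """Return (export, vault).

    export: rows that may leave the data center, keyed by a random record_id.
    vault:  record_id -> stripped identifiers; never leaves the data center.
    """
    export, vault = [], {}
    for rec in records:
        # Random, not derived from the SSN: a hash of a 9-digit SSN can be
        # reversed by trying every possible value.
        record_id = f"{secrets.randbelow(10**12):012d}"
        while record_id in vault:
            record_id = f"{secrets.randbelow(10**12):012d}"
        vault[record_id] = {k: rec[k] for k in identifiers if k in rec}
        row = {k: v for k, v in rec.items() if k not in identifiers}
        row["record_id"] = record_id
        export.append(row)
    return export, vault


def reidentify(row, vault):
    """Data-center side only: rejoin a field row with its identifiers."""
    rest = {k: v for k, v in row.items() if k != "record_id"}
    return {**vault[row["record_id"]], **rest}


def leaked_values(export, records, identifiers=DIRECT_IDENTIFIERS):
    """Pre-export check: identifier values that still appear in the export."""
    sensitive = {str(r[k]) for r in records for k in identifiers if k in r}
    carried = {str(v) for row in export for v in row.values()}
    return sensitive & carried


if __name__ == "__main__":
    export, vault = split_for_field_use(SAMPLE_RECORDS)
    print(export)
    print("leaked:", leaked_values(export, SAMPLE_RECORDS))
```
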

 
At 10:13 AM, Blogger Nathan said...

I'm not buying this "we will continue to take steps necessary to prevent this from happening again" BS that has been thrown around these days. The VA supposedly upped its security after it lost so much data and then BAM, they let it happen again.

I am so sick of this "we'll get to it later" attitude. The time is now and unless these organizations act real soon people will start losing all faith in government agencies.

 
At 2:16 AM, Anonymous Anonymous said...

I don't understand - how can they NOT at least encrypt the data?

I mean like you get PGP for next to nothing straight off the internet to encrypt your data.

What am I missing on why this happened?

 
