Based on data supplied by Google Analytics, during 2009 the most-read I've Been Mugged blog posts were:
A quick scan of this list indicates that readers are most interested in credit monitoring service reviews, security issues about banks and financial institutions, and recent breaches. By contrast, the top posts of 2008 were:
During 2010, I will continue to review credit monitoring services, especially those I haven't reviewed yet. I will continue to cover corporate data breaches, medical identity theft, and new sources of privacy threats to consumers' sensitive personal information. I will continue to report on announcements by government agencies like the U.S. Federal Trade Commission, which proposes guidelines that affect consumers and the companies that store consumers' sensitive personal information.
If there are topics you'd like to see covered, feel free to share them below, by e-mail or via Twitter. On the Internet, things change quickly. Thanks for reading I've Been Mugged!
From The New York Times:
"A German computer engineer said Monday that he had deciphered and published the secret code used to encrypt most of the world's digital mobile phone calls, in what he called an attempt to expose weaknesses in the security of the world’s wireless systems. The action by the encryption expert Karsten Nohl aimed to question the effectiveness of the 21-year-old GSM algorithm, a code developed in 1988 and still used to protect the privacy of 80 percent of the world's mobile calls.
Mr. Nohl disclosed his efforts at the Chaos Communication Congress, a four-day computer hacker’s conference.
"The GSM Association, the industry group based in London that devised the algorithm and represents wireless operators, called Mr. Nohl’s efforts illegal and said they overstated the security threat to wireless calls."
Who knew that the code to encrypt wireless phone calls was 21 years old? You'd think that the cellular communications companies would use something more recent and more robust.
This month, Network World magazine released its list of the 2009 Data Breach Hall of Shame. This list includes companies and government agencies that really effed up... they didn't protect consumers' sensitive personal information as they should have. All of these breaches were preventable. Here's who made the list:
I agree with Network World. The companies and agencies on this list deserved to be on this list. Their executives were sound asleep when they should have been awake and actively protecting the sensitive information they were entrusted with. In honor of these executives, I'd like to present them with the Data Breach Analysis Flow below, which was first published in this blog in September 2007:
On Monday, Reuters news service reported that credit card processor Heartland Payment Systems Inc. has agreed to settle its consumer cardholder class action lawsuits related to the company's data breach. Heartland has agreed to:
"... pay up to $2.4 million to class members submitting valid claims. Heartland agreed to pay a minimum of $1 million to class members and take up settlement-related administration costs, including up to $1.5 million for the cost of notice to the settling class. The company will pay up to $760,000 of the costs of attorneys representing the class members. Heartland said it could terminate the deal if costs of notice exceeded $1.5 million, or if it received more than 2,500 requests for exclusion from the settlement class."
The settlement deal includes consumers whose credit and debit cards were compromised between Dec. 6, 2007 and Dec. 31, 2008, plus consumers who have alleged that they have suffered fraud losses.
I like the Netflix service. It's a convenient, inexpensive method to watch movies. I have been a happy customer for several years. I was distressed to read this in the MediaPost Daily Examiner:
"When Netflix released a trove of "anonymized" information about consumers as part of a contest for a better recommendation tool, it only took a few weeks for researchers at the University of Texas at Austin to show how easily the data could be de-anonymized... If Netflix was chagrined by this development, you'd never know it. Not only did the company continue with the contest, but proudly declared it intends to hold a second one -- for which it will release even more information than last time. For the new contest, Netflix will make available customers' gender, ages, ZIP codes and previously rented movies in hopes of gleaning insight into users' tastes... Researchers have known for more than a decade that gender plus ZIP code plus birthdate uniquely identifies a significant percentage of Americans... "
Last week, Wired magazine reported on the Doe v. Netflix class-action lawsuit filed in Federal Court in California (PDF document), in which Netflix's release of insufficiently anonymized data allegedly outed a lesbian customer.
When will corporate executives learn that they don't own consumers' sensitive personal data? When will corporate executives learn that consumers have entrusted them with their sensitive personal data, and that this trust can easily be broken, hurting their brands?
Maybe Netflix executives ignored the Facebook-Beacon privacy fiasco. Maybe Netflix executives were hoping that during the holiday season we consumers wouldn't be paying attention. And the coming lawsuits should get the attention of these executives.
Well, we consumers are paying attention. If Netflix continues with activities like the above contest, then I will probably switch to a different service to view movies.
Last week, PC World reported:
"Heartland Payment Systems will pay American Express US$3.6 million to settle charges relating to the 2008 hacking of its payment system network. This is the first settlement Heartland has reached with a card brand since disclosing the incident in January of this year."
Heartland processes credit card and debit card transactions. Typically, after a breach, banks and credit card issuers incur expenses to delete the compromised credit card accounts and issue new credit/debit cards to consumers. So, it is appropriate for Heartland to reimburse the credit card brands and credit card issuers.
"Heartland has also had to pay out fines assessed by other brands such as Visa and MasterCard. Typically, these card brands levy fines against those responsible for data breaches."
Earlier this year, the company set aside over $12 million to cover fines and other breach-related expenses. In February of 2009, at least two class-action lawsuits were filed against Heartland. By June, about 31 lawsuits had been filed.
I found this video interesting:
After watching the video, I visited the ID Watchdog web site to learn more about their service. My first interaction with the site was a positive one. I found it easy to read and easy to understand the identity protection services it provides. ID Watchdog seems to be moving towards the comprehensive detection I look for in a service, since it monitors a dozen different databases that store consumers' sensitive personal data. ID Watchdog has a data-sharing agreement with Acxiom.
My experiences with other identity protection services haven't been so positive. You can access reviews of other identity protection services on the Reviews page in this blog.
I hadn't heard of InComm before. They seem to make and distribute cards that have stored value... like the gift cards you'd buy in a big-box retail store chain or grocery store chain. I am sure that this blog will cover during the coming months reviews of products by InComm and ID Watchdog.
At Law Technology News, David Bender has compiled a good list of reasons why it is profitable for companies to focus on good data security and privacy during tough economic times:
This list is also applicable to law firms, since attorneys have received an exemption from the FTC Red Flag Rules. To read the full list of Bender's reasons, read the Law Technology News article.
I've worked in Corporate America for more than 30 years. That has ranged from large, multinational Fortune 500 corporations to small 40-person firms. I have found that the language in the video below is consistent throughout.
And, you'll find much of the same language in corporate breach notification letters. Enjoy!
eMarketer summarized the results of a recent study by Technorati of bloggers worldwide. I found these results particularly interesting:
"... most are men, ages 18 to 44, affluent and well-educated. About one-quarter work for a traditional media outlet in addition to blogging, and most still don’t make any money from their self-publishing activities... 70% of bloggers polled by Technorati said they talked about products or brands on their blog. The most common activity was to post about brands they loved—or hated—as well as to write reviews or post about experiences with stores or customer service. Nearly six in 10 of all the bloggers surveyed said they were better known in their industry because of their blog..."
Those findings dovetail with what this blog is about... consumers' experiences with companies regarding identity theft and data breaches. This blog also provides reviews of various credit monitoring services. To browse available reviews, just click on the Reviews link in the horizontal navigation bar at the top of this page. You will find plenty of readers' comments underneath each review. In some instances, a vendor's representative has also submitted comments.
Yet, there's more from the Technorati study. Perhaps, most importantly:
"... bloggers who post for a business reported even higher levels of success: 71% had increased visibility for their company, 63% had converted prospects into purchasers through their blog, and 56% have seen their blog bring their company recognition as a thought leader in the industry."
This is one of those times when I must deviate from the usual identity-theft content and discuss something more important.
I encourage you to read the Matter of Life, Death article in the St. Petersburg Times newspaper. The author is a close friend of mine who I have known since freshman year of college:
"I am scheduled to begin dying on Feb. 1, 2010. Although I have been an insulin-dependent Type 1 diabetic for 22 years, my health has always been very good. My condition has never impaired my enjoyment of life; I've never had a diabetic emergency. Luck, of course, has played a part, as has educating myself about diabetes management. By far, though, the single most critical element of my vitality has been excellent health insurance coverage. That will end on Jan. 31, the day my COBRA insurance benefits run out."
For those who are unfamiliar with the financial issues many consumers face with health care insurance, Robert does an excellent job of highlighting the numbers:
"I continued my insurance coverage under COBRA, paying the entire $579 monthly premium... I wear a $5,000 insulin pump — the third one insurance has paid for since 1999. The pump's insulin-delivery kits, which must be changed every three days, cost $199 a month at market rates; insurance pays the full cost now. The insulin itself costs $338 a month (my current co-payment is $54). The test strips used in my blood-glucose testing monitor cost more than $200 a month over the counter (my current co-payment is $48)."
Please read the entire article. It's easy to be an opponent of health care reform when your life isn't at risk. We Americans tend to forget that people are dying due to a lack of or inadequate health care insurance.
The conversation needs to get personal.
Tell your elected officials that people are dying and will keep dying while they diddle. And send them the link to the above article.
Last week, SC Magazine reported:
"A federal judge has dismissed a Missouri man's lawsuit against pharmacy benefit management firm Express Scripts, which suffered a data breach that exposed sensitive customer data. John Amburgy alleged that Express Scripts was negligent because it did not secure its database, leaving the system vulnerable to hackers who stole customer data, including names, Social Security numbers, birth dates and prescription information... Amburgy contended that he and other victims faced an increased risk of becoming the victims of identity theft. He sought damages for the time and money he spent protecting his identity after the breach. The case was dismissed last week by U.S. Magistrate Judge Frederick Buckles because Amburgy could not prove that his information was actually used fraudulently."
You may recall that Express Scripts received an extortion letter demanding money, or the thieves would expose the stolen personal information: either use it fraudulently or resell it to other identity criminals. More than 700,000 consumers were affected.
The judge's decision seemed very consumer-unfriendly to me. I guess that a consumer has to actually experience theft of their money or a financial account takeover (or drainage of funds) in order to prove negligence.
"Attorney General Richard Blumenthal says a missing disk containing confidential data on almost 450,000 Health Net patients in Connecticut may have been stolen, rather than lost. Blumenthal said today he is notifying federal criminal investigators, asking that they take a closer look into the matter... Blumenthal said Health Net lost the information in May, but never informed consumers, the police or his office about the loss of information. He said the six-month delay in giving notice to consumers and the state could be a violation of the law. Meanwhile, Blumenthal also is probing Health Net's proposed deal to sell its northeastern licensed subsidiaries..."
While the breach has been bad news for consumers, these actions by local government are good news for consumers and breach victims. I wish Connecticut Attorney General Blumenthal continued success.
An important notice for consumers so you do not get "mugged" during the flu season. The Centers For Disease Control published an advisory for consumers:
"CDC has received reports of fraudulent emails (phishing) referencing a CDC sponsored State Vaccination Program. The messages request that users must create a personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The message then states that anyone that has reached the age of 18 has to have his/her personal Vaccination Profile on the cdc.gov site. The CDC has NOT implemented a state vaccination program requiring registration on www.cdc.gov. Users that click on the email are at risk of having malicious code installed on their system."
While flying between Boston and Los Angeles last week on business, I had the opportunity to use the in-flight WiFi service offered on Virgin America. The WiFi service is GoGo, which turns the entire plane into a flying hot-spot.
This seemed unfriendly to consumers and unnecessary.
GoGo is no small operation. According to a company press release, GoGo already has one million customers. GoGo is produced by Aircell LLC. It should be easy to provide access to both policies before sign-up.
In my opinion, to ignore and not read a Web site's Terms of Service and Privacy policies is like surfing the Internet with your eyes shut. You may get where you are going, but you'll probably encounter plenty of difficulty along the way.
While I doubt there were any side-jacking thieves on board my flights, consumers should have access to both the Terms of Service and Privacy policies before signing up... especially with in-flight services like GoGo, which will become more commonplace.
When I returned from my business trip, there was an e-mail message in my in-box from GoGo asking me to provide feedback about their WiFi service. That survey and this blog post should be adequate feedback.