U.K. Council Implements Encrypted USB Sticks To Prevent Breaches

Computer Business Review magazine reported that to prevent future data breaches, a United Kingdom organization has:

"... moved to prevent the leakage of any data from its network of 4,100 fixed and mobile desktops by issuing 900 tamper-proof and encrypted USB memory sticks to its workforce. IT staffs at Caerphilly County Borough Council, which is the fourth largest local authority in Wales employing around 9,000 people, have taken the precautionary steps to minimise the operational risk of a security breach..."

The council took this action to require employees to use only approved USB memory sticks and to protect the organization computer viruses. The council offered an amnesty program, where employees could swap any current un-approved USB memory sticks for the standard, approved devices. A company representative said that their computer system also provides a complete audit trail of USB memory device usage by each employee.

How Much Is A Stolen Credit Card Worth On The Black Market?

The news media has covered very well the Gonzalez- led theft of 130 million credit card numbers. What is this information worth to criminals? In other words, what does this stolen information sell for?

According to a post on VirusList.com dated Aug. 17, 2009, U.S. consumers' Visa credit cards are worth about $2 each. While analyzing virus software, Kaspersky Lab virus analyst Dmitry Bestuzhev found a Web site with pricing information for stolen credit cards. German credit cards, at $6 (USD) each, fetch the highest price at piece. With technical support and a sliding scale of prices, this appears to be organized business.

It appears that the price also varies by order size. CBC News Canada reported:

"Stolen credit card numbers now go for as little as six cents each, if they're bought 10,000 at a time. The price can be $30 US per card for smaller orders. Access to hijacked email accounts can cost 10 cents to $100, while bank account credentials range from $10 to $1,000. Scammers can hire people to "cash out" compromised bank accounts for between eight per cent and 50 per cent of the amount they're stealing. Hosting for scam websites ranges from $3 to $40 per week."

That implies that the 130 million credit card numbers stolen by the Glonzalez-led theft ring are worth about $7.8 million (USD) on the black market, if purchased in bulk.

The Credit Card Industry Struggles With Keeping Consumers' Data Secure

The last few weeks have included a huge increase in identity-theft news. First, we consumers heard on August 17 about the indictment of three hackers -- a Miami man and two Russian accomplices -- in what is probably the largest data breach and theft in the USA. More than 130 million debit and credit card numbers were stolen.

This latest theft of 130 million card numbers covered data breaches from 2006 to 2008 for companies including Heartland Payment Systems, a card payment processor, and retail chains 7-Eleven Inc and Hannaford Brothers. The Heartland breach has affected dozens of banks nationwide.

Second, we learned that this the Miami man, Albert Gonzalez, was also a former government informant for the U.S. Secret Service since 2003 and was already known to government officials, and already in prison for a series of eight retail hacks affecting and additional 40 million credit cards. The thefts of those 40 million additional cards included retail companies such as BJ's Wholesale Club and TJX Companies/T.J.Maxx. So one man (with help from some friends) stole more than 170 million debit/credit cards.

How do three people steal 130 (or 170) million credit cards? Third, we started hearing technical terms like the "SQL injection" technique the criminals used to exploit weaknesses in the way computer system developers write code for credit card databases. According to InternetNews:

"For his crimes, if Gonzalez is convicted in the Heartland incident, he'll face a fine of at least $250,00, and up to 25 years in prison. Gonzalez had servers in California, Illinois, Latvia, the Netherlands and Ukraine..."

Sounds to me like far more than three people are involved. You don't simply set up servers in multiple countries without some help. This theft smells like an organized business. I want law enforcement to capture and prosecute other criminals worldwide (e.g., Hacker-1 and Hacker-2 who are in or near Russia) who aided the thefts and/or resold the stolen data.

Fourth, details then began to emerge about the breaches at specific companies:

"... Dallas-based 7-Eleven, while confirming security breaches, said that only ATMs at some stores were affected... Moreover, the Dallas chain would not say where the affected stores were.... A 7-Eleven statement said the chain became aware of attacks in late 2007, saying they had occurred Oct. 28 through Nov. 8. The indictment said the chain’s network was breached from August 2007... Each card-issuing company made its own decision on what action to take, including replacing cards or putting card numbers on an alert for fraud..."

Like a bad screenplay, we further learned that Gonzalez went by the "soupnazi" online alias and he:

"... reportedly became an informant for the Secret Service in 2003, helping in a sting of a cybercrime syndicate, known as Shadowcrew.com. But afterward, Gonzalez re-established his own hacking group, called "Operation Get Rich or Die Tryin," according to Threat Level..."

Perhaps most troubling:

"Accomplices to the crimes are believed to be on the loose in Russia or other countries where U.S. authorities are less likely to get them. And the underlying security holes mined by the hackers still exist in many payment networks."

Most of this was summarized nicely in the New York Times:

"The financial stakes are getting higher. Fraud involving credit and debit cards reached $22 billion last year, up from $19 billion in 2007, according to California consulting firm Javelin Strategy & Research."

You may remember that the breaches at Heartland and Hannaford occurred while both companies were supposedly within compliance to security requirements. Again, from the New York Times:

"Those standards were set by a council that includes the world's two largest credit card networks, Visa and MasterCard Inc; fast-food leader McDonald's Corp; oil major Exxon Mobil Corp; and big banks Bank of America Corp and Royal Bank of Scotland Plc... Yet some 5 percent of the largest retailers and restaurants still have not met compliance deadlines set in 2007, according to Visa."

Clearly, the security standards are insufficient and need to be strengthened. Then, we learned that J.C. Penny, Target, Boston Market, DSW, Office Max, Barnes & Noble, and Sports Authority were affected by the Gonzalez-led breaches. By the end of the week, Gonzalez pled guilty to several charges about the breaches, and would get a maximum of 25 years in prison.

Meanwhile, the banks, credit card networks, and retailers argue about the appropriate security standards and who should pay. What should consumers do?

We consumers can't control the squabbles between the banks, credit card networks, and retailers. We can control which cards we use and when. My advice is this:

1. Shop online with your credit card, since that gives you more protection than a debit card.
2. If you can, use cash for in-store purchases, or use a credit card. Why? Retailers are not honest and transparent about informing consumers of breaches or about which stores in their chain are problematic. (Remember, not all states have data breach notification laws.) And, the credit card industry still hasn't solved its security problems. See this blog post above.
3. Use your debit card at your bank's ATM machines. Regardless of those entertaining Visa and MasterCard advertisements on television, the system isn't as secure as it should be. I avoid ATM machines in convenience stores, and try to use ATM machines only in my bank's branches.
4. Review your monthly credit card statements, since some fraud shows up as tiny charges first (e.g., 25 cents) and since you may spot fraud first. Don't rely on your bank spotting it first. If you spot fraudulent charges, report it quickly to your bank or credit card issuer.

Investigators Uncover a New Source of Data Breaches: Home Workers

The Irish Times recently reported:

"Forensics experts at the Dublin office of consultancy Ernst & Young have found evidence that prominent companies in Ireland are allowing home-based employees to download sensitive company and client data to their personal computers. Second-hand computer hard drives containing sensitive information - including hundreds of customer bank, Laser and credit-card account details, car registration information, staff PPS numbers, internal corporate information and e-mail details - were purchased on Irish auction website eBay.ie from owners who, in most cases, had not even bothered to erase the drives."

Some countries call home-based workers "teleworkers." In some instances, it is employees who work both at home and at the office. Regardless, there's every reason to expect that data breaches via home-based workers happens in the USA, too:

"In addition to exposing their employers to litigation, and customers and employees to potential fraudulent use of their data, the failure of employees to protect such data is a violation of European data protection legislation... We found very sensitive corporate information about customers, transaction levels and volumes, company and personal e-mails, customer lists and, in one case, a plan for the technical architecture of the company's network... For the investigation, several drives were bought on eBay's Irish website from random individual owners for as little as €5. The purpose was to analyse what type of documents might be found on second-hand computers..."

Experts caution that a simple reformat of a hard drive is not enough. Forensics tools can recover files through that. Companies often use stronger erasure techniques that consumers don't have access to. Some experts advise companies to encrypt files that are made available to employees' home computers. Is employee training relevant? Absolutely.

I shudder to think what sensitive personal data is stored on the laptops of human resource department employees.

Now that investigators know that there is plenty of sensitive company information and sensitive consumer personal data on used computers and hard drives sold via auction sites, one should expect identity criminals to capitalize on this opportunity, too.

Are Facebook And Twitter Really Changing Data Privacy Rules?

There's a pretty good commentary by Michael Fitzgerald in ComputerWorld Norway:

"CIOs generally don't care about privacy," says Peter Milla, former CIO and chief privacy officer at Survey Sampling International (SSI). Milla says most CIOs either focus on technology, or regard privacy as outside their domain, the province of a chief privacy or chief security officer. He finds both attitudes wrongheaded."

I agree with Milla. It seems stupid for a CIO to focus on information and ignore data security. They go hand-in-hand. One is wholly dependent upon the other.

"Milla says he recently worked to modify a request from a big-box retailer who wanted information about the people surveyed by his company on their behalf. 'They were bewildered and frustrated that we wouldn't give it to them,' says Milla. The retailer already collects plenty of data on its customers and didn't see what the problem was with a bit more. But Milla saw a breach of privacy, a contractual violation. If it leaked out that SSI shared personal data about its panelists, it could devastate its business. Milla says the big-box retailer's attitude is endemic. Companies think the data they gather belongs to them."

To me, this episode demonstrates an arrogance and entitlement about the consumer and customer data their company archives. Without customers, their company wouldn't exist. Fitzgerald points to one historical example of this arrogance:

"Ten years ago, then-Sun Microsystems CEO Scott McNealy told us, 'You have zero privacy anyway. Get over it.' "

Given the recent rise in use of social networking sites by consumers, Fitzgerald listed some of the companies, behavioral advertising efforts, and lawsuits about bungled consumer privacy. Fitzgerald highlighted one episode:

"In the wake of its privacy faux pas with Beacon, Facebook has moved to asking its users their opinions on its privacy policies. It has also created more ways for its users to control who sees their data. To Fenwick's CTO, Matt Kesner, this creates an expectation about control over data that will ripple through the IT world."

Yes, Facebook has made some changes. In my opinion, more changes by Facebook are needed. The site still doesn't disclose how and with home customers' personal data is shared by those popular Facebook applications. And, browsers still don't provide options for consumers to block Web beacons.

Yes indeed. I, the consumer, have an expectation about control over my personal data -- all of it, not just some of it. Fitzgerald highlighted a behavioral advertising example:

"one of the British ISPs, BT, acknowledged piloting the program using actual consumer data, without asking for permission. That has landed BT in hot water. The European Commission has initiated legal action against the United Kingdom over its refusal to stop companies like BT from using live customer data without permission. Meanwhile, Amazon and Wikimedia have said they will block Phorm from accessing traffic on their sites, and in late April, the U.S. Congress began holding hearings on deep-packet inspection."

While some executives (and some consumers) maintain the myopic position that there is no privacy for consumers, these folks entirely miss the point.

First, it is about choice. Consumers choose whether or not to disclose their personal data when doing business with these companies. Second, control matters. Just because consumers choose to disclose their personal data (at the cash register or at the company's web site) doesn't mean that consumers give up all rights to control their personal data. Third, legal compliance matters. In the USA there are existing laws that require companies to protect certain types of sensitive consumer personal data (e.g., financial data, medical data, etc.).Fourth, it's about notice. Consumers expect opt-in mechanisms and to be notified about when and how their personal data is used. Opt-out mechanisms are not enough.

For me, my awareness as a consumer has been raised about privacy and various Internet technologies. It is no longer acceptable for a company:

• Not to disclose in its online privacy policy how it uses browser cookies and web beacons,
• Not to disclose in its online privacy policy the exact names of vendors, advertising networks, and third-parties it shares consumer and customer data with, and the circumstances when consumer data is shared with these companies,
• To perform a behavioral advertising program without first notifying consumers and getting consumers' explicit permission via opt-in,
• Not to disclose in its web site policies the offshore outsource vendors it works with and which circumstances and when it shares consumer data with those offshore vendors,
• Not to disclose data breaches by the offshore vendors the company does business with,
• Not to provide a mechanism for customers to communicate directly and immediately to a company representative via the company's web site using e-mail, reply forms, or similar methods.

Company executives that don't understand this and the shifting landscape are setting up their companies to go out of business, and suffer class action lawsuits.

Phorm Raises Money

I've written extensively about behavioral advertising. It is important to track the actions of companies that promote and enable behavioral advertising, particularly the Deep packet Inspection (DPI) technology. Revolution Magazine reported:

"Phorm has raised £15 million through a stock sale to fund expansion plans in Britain and Korea. The company said the capital will be used ‘to continue the implementation of its service in the UK and Korean markets, and for general working capital purposes, as it continues partnership discussions with ISPs both in the UK and internationally."

Phorm developed DPI technology that allows Internet Service Providers (ISPs) to track everything their customers do online. The data is sold to media companies and advertisers so ISPs can supposedly serve up more relevant ads and make more money.

"Last year Phorm sold 1.61 million shares for £20 each - more than four times the value of the latest offering... Kent Ertugrul, chief executive of Phorm said the 3.3 million shares sold for £4.50 each, account for 19.4 per cent of the company, and were bought up by existing shareholders and new financial institute investors."

DPI goes far beyond the older tracking technologies, like Web browser cookies, which advertisers have traditionally used. Congress and consumers are right to take a long, hard look at firms using DPI. And, however favorable the FTC's proposed behavioral advertising guidelines are for corporations, those guidelines are not finalized.

My interest in this is not just the consumer privacy concerns, but the data security concerns due to the fact that company data breaches soared in 2008 compared to prior years. Too many companies don't take data security seriously enough.

Plus, ISPs play a key role in providing consumers with trustworthy access to the Internet. Even though NebuAd closed last month, Phorm is part of a larger situation where ISPs rush for advertising revenues and abuse consumer privacy.

U.K. Parliament Debates ISP-Based Targeted Advertising

This ClickZ news story caught my attention:

"... in the House of Commons, Members of Parliament, Lords, and industry experts met to discuss the privacy implications concerning ISP-level behavioral targeting from companies such as Phorm and NebuAd. The intention of the session, which was hosted by Liberal Democrat Home Affairs spokesperson, Baroness Sue Miller, was to "inform parliamentarians" on the issues surrounding the controversial practice... the majority of conversation focused on ad-targeting technology firm Phorm, which is currently the most advanced U.K. player in the ISP-based behavioral ad space. The company announced in February 2008 that it would partner with three of the U.K.'s largest ISPs in order to sell and target ads based on user's online interaction data. Although a number of Phorm executives were present at the event, the company was refused a place on the panel, according to CEO Kent Ertugrul."

This has implications for the USA. If targeted advertising (a/k/a behavioral advertising) gains acceptance in the United Kingdom, it could make acceptance more likely here in the USA. I have written extensively about behavioral advertising, including the role of ISPs, abuses by ISPs of consumers' privacy, the class-action lawsuit against NebuAd, and AT&T's promise to do behavioral advertising "the right way."

Can ISPs be trusted to do behavioral advertising the right way? In my opinion, no. A few might, but the industry as a whole: no. In the USA, their collective historical actions speak far louder than their collective words and promises.

My position: ISPs should not be allowed to perform behavioral advertising. Period. Why? Behavioral advertising would allow ISPs to collect (and potentially share with vendors) massive amounts of the most sensitive consumer data: every site and web page a consumer visits on the Internet, the amount of time spent at that site and at each page, keywords entered at search engine sites, instant message contents, email contents, and so forth.

The monthly tsunami of data breaches proves that corporations, including ISPs, don't take data security seriously. It seems foolish to allow ISPs to collect and archive more personal data, only for them to later lose it or have it stolen, while consumers bare the credit monitoring and recovery costs. ISPs claim that they will anonymize the data to protect consumers' privacy, but don't offer any guarantees or methods for independent verification. There is no oversight planned, so there is no way for consumers to verify that ISPs would actually live up to their promises. And, there are no penalties for abuses.

ISP-based behavioral advertising would be a train wreck.

Sir Tim Berners-Lee, director of the World Wide Web Consortium, said this about ISPs and behavioral advertising:

"There should be no snooping on the Internet; it's the equivalent of wire tapping, or opening a person's mail... I'm here today to defend the integrity of the Internet."

The article covered the comments by other experts:

"Richard Clayton, treasurer for the Foundation for Information Policy Research, agreed that ISPs had no business in intercepting user communications, stating, "Providing better ads is not the role of the ISP. It's not lawful." Meanwhile, Jim Killock, executive director of the Open Rights Group, argued the practice would "undermine our confidence in governments to preserve our basic human rights..."

According to PCPro News, Berners-Lee's comments drew this response from Phorm's CEO:

"There have been a number of things said that patently misrepresent what we do," he argued. "We have the strongest privacy protection of everyone on the internet." He then went on to claim that the media wouldn't survive without the increased targeted-advertising revenue provided by services such as Phorm... Ertugrul then accused Berners-Lee of speaking from a position of ignorance, claiming the company had invited him to inspect its technology on several occasions, which he had declined."

A position of ignorance? Pleeze! Berners-Lee invented the Internet, without which Ertugrul wouldn't have a company. Ertugrul's response to Berners-Lee was just plain rude. What's is insulting is Ertugrul's claim that the media can't survive without behavioral advertising. Where's the proof? If anything, it is ISPs clamoring for behavioral advertising, not media companies.

The strongest privacy protection? Better than banks? I doubt it. If Phorm's privacy protection is so great, they should sell it to banks and financial services companies; both of whom have already experienced numerous data breaches here in the USA.

If ISP-based behavioral advertising concerns you (and I surely hope that it does), I encourage you to write to your elected officials in the USA and tell them, "no behavioral advertising for ISPs." Plus, there is two global Facebook groups you should join:

• Stop ISPs From Breaching Customers' Privacy!
• Facebook: Tell Phorm to Eph Off and Leave My Facebook Data Alone

ISPs Charge UK Child Abuse Detectives For Data

Last year, I started to follow the corporate responsibility and consumer-data-privacy habits of ISPs (Internet Service Providers) after several ISPs secretly performed targeted advertising programs without notifying their subscribers and without providing their subscribers with an opt-out method. During the last year or two, both US and UK ISPs have arrangements with targeted advertising vendors.

Given this, an IT Pro Fit For Business news story caught my attention:

"The Child Exploitation and Online Protection Centre (CEOP) told the BBC following a freedom of information request that since April of 2006 it had made 9,400 requests for user information, at a total cost of £171,505.99... the CEOP centre’s chief executive Jim Gamble said the body expected to pay as much as £100,000 to ISPs to get the information they needed to find children who were being abused – and the criminals hurting them."

Do the math and that is about £18.25 per request or about US $36. You'd think that ISPs would not charge government child abuse detectives for data. The CEOP uses information from ISPs to track online predators:

"... essentially to put a name and location to IP addresses. Some ISPs charge to supply that data, while others do not."

I think that everyone will agree that protecting children from abuse, finding abused and abducted children, and prosecuting predators is a high-priority task. I wonder what distinguishes an ISP who charges abuse detectives for data versus an ISP that provides that data for free. Is one ISP simply better managed than the other? Or is one ISP more greedy than the other? Or, is the decision to charge detectives determined by company size?

I wonder why government detectives haven't negotiated a volume-discount arrangement with ISPs for IP data, since thy know they will make a certain number of requests each year. Do the math and the 9,400 requests since 2006 equal about 3,130 requests per year.

I wonder what UK citizens think of this. Are they curious to know which ISPs charge for supplying IP data to abuse detectives? You would think that they would want to know where their tax dollars are spent. Would UK citizens shift their subscriptions to ISPs that don't charge abuse detectives for the data?

What do you think?

Report: Cyber Criminals Selling Data About 21 Million German Consumers' Bank Accounts

What is your bank account data worth on the black market? This Germany data breach shows the value of sensitive consumer data. On Monday, IT World reported:

"Reporters for WirtschaftsWoche (Economic Week) managed to obtain a CD containing 1.2 million accounts after a November face-to-face meeting with criminals in a Hamburg hotel, according to the magazine. Posing as buyers working for a gambling business, the journalists were able to strike a price of €0.55 per record, or €12 million for all the data. They were given a CD containing the 1.2 million accounts when they asked for assurances that the information they would be buying was legitimate."

The cyber criminals offered to sell the sensitive consumer data (e.g., 21 million German bank accounts) for a reported 12 million Euros or about US $15 million. That's about US $ .70 per account, depending upon the exchange rate. Apparently, that is the low price:

"When sold in small quantities, full bank account details can fetch as much as $1,000 per record..."

That means, a criminal paying $1,000 for each consumer's stolen bank account data expects to steal at least that amount. What data was stolen, and how?

"That CD contained the names, addresses, phone numbers, birthdays, account numbers and bank routing numbers of the theft victims, they reported. In some cases, the victim's account balance was also provided. The data was most likely collected from call center employees, the magazine reports."

As I have written previously in this blog, there clearly are data security risks with offshore outsourcing and many U.S. companies, including the three national credit bureaus, outsource their call center operations. Also, even though the online passwords weren't included in the stolen data, the cyber criminals have enough personal data about the German bank account-holders to impersonate them, withdraw money from their bank accounts, and ultimately acquire (and/or change) the consumers' online passwords.

More Than Half of British Companies Have Lost Data

Shocking statistics last week. More shocking statistics today.

The ComputerWorld Storage Security blog reported:

"An astonishing 55% of British companies have lost data, according to a new report of 785 IT professionals in the U.K."

There's more bad news:

"Conducted by the Ponemon Institute LLC, the survey found that 49% of them have had over two breaches in the last two years."

That's almost half have suffered multiple data breaches. How many data breaches does it take before executives learn? Apparently some corporate executives are slow learners, if that. Yet, there's more:

"Around two-thirds of respondents said negligence, including that of outsourcers, was responsible for data breaches, compared with only 10% who said hackers were a major cause. A third said insiders were a threat."

And, the bad news continues:

"Many firms were unable to track data breaches and find the source of the problem. Some 44% said they were not confident they could even detect a breach in the first place, and over half take several weeks to notify any customers affected."

Let me summarize all of this. Over half of British companies have had data breaches. About half of those have had multiple data breaches. And, a large number can't detect data breaches when they occur. So, the actual data breach activity probably is worse than the above statistics.

Companies and executives unable to detect data breaches? That seems to mirror the incompetence found within a study of data breaches at American companies.

Several weeks before consumers are notified? That seems pretty good compared to US companies. Really? In 2007, it took IBM three months to notify me and other current and former employees about its data breach. And IBM supposedly specializes in the computing and data security business! It took the Bank of New York Mellon 3 months to notify some of its data-breach victims, and 6 months to notify the rest after the bank increased its count of data-breach victims from 4.5 to 12 million.

And, we won't discuss the 90+ million records exposed by the TJX Companies / TJ Maxx debacle.

Corporate executives are still proving that they won't take data security and data-breach notification seriously until there are stiff penalties -- like huge fines and/or jail time.

Identity Thieves Use Sinowal Computer Virus to Steal 500,000 Bank and Credit Card Accounts

If there ever was a compelling advertisement for consumers to maintain the anti-virus software on their computer, this Washington Post news article is it:

"A single cyber crime group has stolen more than a half million bank, credit and debit card accounts over the past two-and-a-half years using one of the most advanced strains of computer spyware in existence, according to research to be published today... Researchers at RSA's Fraud Action Research Lab unearthed the massive trove of purloined data while tracking the activities of a family of spyware known as the "Sinowal" Trojan, designed to steal data from Microsoft Windows PCs."

What was stolen:

"... more than 270,000 online banking account credentials, as well as roughly 240,000 credit and debit account numbers and associated personal information..."

So, the identity thieves had enough personal data -- bank account numbers, credit card numbers, ID and passwords -- to sign into consumers' bank accounts and/or to make fraudulent charges on consumers debit and credit cards. Yikes!!

Reportedly, the stolen consumer data was collected since 2006 by identity thieves most likely located in Russia. The Sinowal computer virus, also called "Torpig" and "Mebroot" by various anti-virus companies, is known for its ability to change its appearance to remain undetected by security software:

"On Oct. 21, a new Sinowal variant was submitted to Virustotal.com, which scans incoming files against nearly three dozen commercial anti-virus programs and maintains a historical record of those results. Only 10 out of 35 of those security programs - or 28.5 percent - identified it as such or even flagged it as suspicious. Another scan of a Sinowal variant sent to VirusTotal a week earlier yielded slightly better results, with just over half of the anti-virus tools detecting it as malicious."

You can read more about the Sinowal Trojan in the New York Times. A word to the wise: keep the anti-virus software on your computer up The protection is worth every penny.

Privacy Advocates Target U.K. ISP Working With Phorm

In Europe, consumer privacy advocates are starting to increase the public's awareness of the consequences of behavioral advertising. According to the MediaPost Daily Online Examiner blog, several consumer privacy advocates are calling for the public to picket the annual meeting of BT shareholders due to the Internet Service Provider's (ISP) arrangement with a behavioral targeting vendor:

"The purpose of the protest is to make BT shareholders aware of the past and planned use of allegedly illegal interception technologies to sell behavioral profiles to an ex-spyware company... according to a report today in the U.K. paper The Register... an anti-Phorm petition in the U.K. has drawn more than 13,000 signatories to date. The petition, stating that Phorm’s plan 'would result in the browsing habits of the majority of the UK population being sold to a third party for advertising purposes,' warns that the opt out system for this technology is vague and unproven."

I've Been Mugged readers are aware of the consequences of behavioral advertising, which includes plans by ISPs to install tracking software on their servers to monitor every Web site and page their subscribers use and all search terms they enter. ISPs and advertisers claim two reasons for behavioral advertising: a) convenience for consumers with relevant ads, and b) the continuation of free services by ISPs. The reality is that consumers forfeit privacy for benefits they may never see, and ISPs gain a larger, more valuable advertising revenue stream.

If behavioral advertising troubles you (and it should!), I encourage you to read more about it and then tell your elected government officials about your concerns.

Women More Likely Than Men To Give Passwords To Strangers For Chocolate

When I read this news story, at first I thought that it was a humorous hoax. But, it's no joke. This is serious. According to InformationWeek:

"Women are four times more likely than men to surrender their computer passwords for chocolate, according to a survey of 576 office workers conducted outside Liverpool Street Station in London by Infosecurity Europe. According to the survey, 45% of women revealed their passwords to strangers posing as market researchers for a chocolate bar, compared to 10% of men. Apparently the overall percentage of password-yielding respondents this year (21%) represents an improvement over 2007, when 64% of respondents traded their security for a few moments of chocolaty goodness."

I spent part of a summer in 2004 living and working in London. I found the people there very friendly and a wide variety of great pubs. I'd love to visit London again. In fact, my photo in the right column is from my London Tube pass.

Claire Sellick, Event Director of Infosecurity Europe, emphasized the consequences of a lax attitude towards the security of personal data:

"... that promise of a trip could cost you dear, as once a criminal has your date of birth, name and phone number they are well on the way to carrying out more sophisticated social engineering attacks on you, such as pretending to be from your bank or phone company and extracting more valuable information that can be used in ID theft or fraud."

Is Your IP Address Personal Data?

FYI... this news story caught my attention, since government policy and legislation affects how companies protect (or not) consumers' personal data:

"An official of the European Union has contradicted Google Inc. and said IP addresses should, for the most part, be regarded as personal information, according to reports Monday. When someone can be identified by an Internet protocol address "then it has to be regarded as personal data,"AP quoted Germany's data protection commissioner, Peter Scharr, as saying. Mountain View-based Google disagrees, AP reported, and says an IP address identifies the location of a computer but not the individual user."

To learn more, see this Associated Press (AP) news story.

Treat Consumers Personal Data Like "Nuclear Fuel"

Since I started this blog in July 2007, I've consistently argued that the risk period for consumers is very long after their personal data has been exposed, especially after a corporate data breach. This includes breaches of birthdate and SS#, not credit card accounts. According to an article in the Guardian Unlimited:

"We should treat personal electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back."

While this description sounds extreme, I have to agree with it. When IBM lost my personal data in February 2007, the personal data of mine and all of the other identity-theft victims is just as valuable today as it was a year ago. Identity thieves can open accounts, get loans, or get government identification with it. This is why I also lobby for far longer periods than one or two years of free credit monitoring services from companies that have a data breach. The risk period is long.

In the article, Corey Doctorow write not just about the descriptive data (name, birthdate, SSN), but all of the usage data attached to it:

"Data is acquired at all times, everywhere. For example, you now must buy an Oyster Card if you wish to buy a monthly travelcard for London Underground, and you are required to complete a form giving your name, home address, phone number, email and so on in order to do so. This means that Transport for London is amassing a radioactive mountain of data plutonium, personal information whose limited value is far outstripped by the potential risks from retaining it... All these people could potentially be identified, located and contacted through the LU data. We may say we've nothing to hide, but all of us have private details we'd prefer not to see on the cover of tomorrow's paper."

You're probably wondering how long entities should be allowed to keep this personal data private. When should it be destroyed? Given the increasing capacity for digital storage, that seems to be a worthwhile conversation to have in the USA, too. Regarding privacy, Doctorow, argues:

"A century is probably a good start, though if it's the kind of information that our immediate descendants would prefer to be kept secret, 150 years is more like it. Call it two centuries, just to be on the safe side. If we are going to contain every heap of data plutonium for 200 years, that means that every single person who will ever be in a position to see, copy, handle, store, or manipulate that data will have to be vetted and trained every bit as carefully as the folks in the rubber suits down at the local fast-breeder reactor... And what's worse is that we, as a society, are asked to shoulder the cost of the long-term care of business and government's personal data stockpiles. When a database melts down, we absorb the crime, the personal misery, the chaos and terror. The best answer is to make businesses and governments responsible for the total cost of their data collection."

The last sentence above is key. Entities, corporations or government agencies, decide to store personal data for long periods of time because it benefits them -- financially or otherwise. If they are going to enjoy those benefits, then it's fair for them to also accept the risks and costs. And the cost includes credit monitoring for consumers after their data has been exposed during a data breach.

Free credit monitoring for one year is not acceptance of the cost, in my view. Not even close. 15 or 20 years of free credit monitoring is far closer to the goal.

Twice Bitten: Acts of Stupidity Can Lead to Identity Theft

Chris Soghoian has an excellent post in his C/Net Surveillance State blog:

"A British TV presenter has learned the hard way that identity theft is serious, and in the process, become the joke of the moment for privacy bloggers. More importantly, this is the second time in just one year that such a thing has happened."

Soghoian wrote:

"Jeremy Clarkson, host of the BBC show Top Gear, recently wrote an article for the U.K.'s Sunday Times in which he ridiculed the uproar that had occurred after the British government admitted to losing two compact discs containing the personal information on 25 million people. To prove his point that there was no risk of financial fraud for those consumers, he published his bank account details, and instructions on how to locate his address."

Clarkson quickly changed his opinion of identity theft after an identity thief used Clarkson's data to create an automatic bank transfer to the Diabetes UK charity.

Recently, a friend in Oakland called to ask me about Lifelock. Soghoian has clearly "connected the dots," since he also wrote about Lifelock in the same post:

"Todd Davis is the CEO of LifeLock, a company that offers a mostly useless $10 per month identity theft protection service. In an effort to eat his own dogfood, and promote his company's service, Mr. Davis includes his social security number in all of the company's advertisements--see here. A full page ad in this week's USA Today had his SSN listed in big letters. Making a mockery of LifeLock's identity theft protections, a Texas man in 2006 was able to secure a $500 payday loan with Mr. Davis' social security number."

If you are considering Lifelock for a credit monitoring service, I also encourage you to read this Phoenix New Times article before making a decision.

Doctors May Be Fined For Not Protecting Patients' Data

From the ZDNet U.K. site:

"Doctors who lose confidential patient information should be held accountable for the loss, according to the Information Commissioner's Office. Information commissioner Richard Thomas, giving evidence at a House of Lords Constitution Committee inquiry into data collection and surveillance on Wednesday, proposed that a doctor who is found to be "flouting data-protection principles" should be fined £5,000 by magistrates, or alternatively face an unlimited fine in a Crown Court."

I agree 1,000 percent. Given the problems with identity theft in the healthcare industry, this should be the law here in the USA, too.

When Heads Must Roll (UK Data Breach)

Last week, and the BBC News reported:

"Two computer discs holding the personal details of all families in the UK with a child under 16 have gone missing. The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people."

Yes, you read that correctly. Not some families, but all families with children under 16. The missing (probably stolen) data covers sensitive details about 7.25 million families. The disks were lost during transport from HM Revenue and Customs (HMRC) to the National Audit Office (NAO). According to the New York Times:

"... the disks lost in Britain contained detailed personal information on 40 percent of the population: in addition to the bank account numbers, there were names, addresses and national insurance numbers, the British equivalent of Social Security numbers. They also held data on almost every child under 16."

While this data breach was not as big as the TJX/TJ Maxx breach, it was still a catastrophic data security lapse. The delivery package was not recorded nor registered. The data was password protected but not encrypted. The timeline reported by the BBC:

"The data was sent on 18 October and senior management at HMRC were told it was missing on 8 November and the chancellor on 10 November. Mr Darling said banks were adamant that they wanted as much time to prepare for his announcement as possible."

It would seem that both companies and government agencies in the United Kingdom are slow to inform their identity theft victims, just like in the United States. Gil Sever, the CEO of Safend, described clearly the HMRC data breach:

"This is a glaring and unfortunate example of what happens when organizational policy is not followed and enforced and adequate technological safeguards are not utilized...HMRCs data security issue was twofold: first the information was stored on a vulnerable medium with inadequate protection. Secondly, there was no monitoring procedure to track or record where the data was going or how it was being accessed.

Gee, that sounds a lot like IBM's data breach. Appropriately enough, heads began to roll at the HMRC:

"HMRC chairman Paul Gray resigned earlier after the latest incident came to light."

To my knowledge, nobody at IBM lost their job after IBM's data breach. Not even the delivery vendor that lost IBM's data tapes was fired. Where's the accountability? The consequences?

Data Security is Key to UK Consumers' Trust

Consumers' concerns about data security are growing in Europe just like in the USA. A recent ZDNet's UK Security Management Toolkit article reported:

"Safeguarding customer data should be a priority for UK companies — because consumers here place great store on how businesses treat their information, according to research."

The supporting statistics:

"Out of eight European nations, UK nationals stand out as the most concerned their data is kept safe. Eighty-one per cent of Britons polled by Unisys said an organisation's ability to keep their data safe is a key trust-building attribute. This compares to 42 percent of French respondents, 40 percent of Belgians and 35 percent of German consumers."

More importantly, consumers' trust is affected by how well companies protect consumers' personal data:

"The UK also leads the way in believing inadequate data privacy protection leads to an erosion of customer trust. Seventy-six percent of Brits feel this is the case, followed by 62 percent of consumers in Spain and 58 percent in France."

We Americans are not alone with our data security concerns. Safeguarding customer, employee, and former employee data should be a priority not only for UK companies, but also for multinational corporations and their partners/contractors. We live in a global economy. Money moves globally. Personal data moves globally, too.