The devil of identity theft is in the details that follow: Russ Jones tells a tale of woe that isn't particularly dramatic -- or rare -- and yet it's exactly the kind of story that worries me enough to ignore my better judgment and buy identity-theft protection from my insurance provider.
Jones sent me an e-mail after reading this post about the theft of a laptop containing personal information -- including payroll and bonuses -- belonging to an untold number of AT&T employees. AT&T insists there is no reason to believe that the information has been used for nefarious purposes, but Jones is of the opinion that such assurances should be of little comfort to those victimized.
That's because he's been there.
Here's what Jones had to say:
I have a lost laptop horror story for you.
I used to work for Boeing in Wichita. Boeing sold the Wichita division and all of the workers, including me, to another company. We still did the same work, but Boeing was just one customer of several.
Nearly a year after the sale, someone at Boeing lost a laptop that had the names, addresses and Social Security numbers of nearly all of the 12,000 Wichita ex-employees on it. They waited an unknown period of time before telling anyone, then another couple of weeks before they offered to pay for credit reporting subscriptions for us. They offered no compensation for people that had been actual identity-theft victims and they wouldn't pay for identity-theft insurance.
Almost immediately after the laptop went missing, someone used my SSN to apply for credit cards all over the country. The name they used was always close, but not exactly a match to my name/address. They used addresses of those private mail drop places.
Since I'd lived at my house for nearly 20 years at the time, all these bogus addresses made the credit card companies reject the applications, but those rejections showed up on my credit reports and lowered my rating.
The credit bureaus (I had to deal with all three of them separately) couldn't just remove those rejections; they said that the credit card companies that made the requests had to retract them. The bogus addresses also appeared on my credit report as alternate addresses for me, and I had to convince the credit agencies that I'd never lived in Minneapolis or Boca Raton or wherever.
I spent untold frustrating hours on the phone being transferred from one credit card company customer service representative to the next, listening to crappy on-hold music, often being disconnected, and having to tell my story over and over. It took several months to finally get everything cleared up, and I now have a fraud alert on my credit rating so nobody can request a report without my explicit permission.
That's really a double-edged sword. I recently tried to open a new bank account and when the bank found out that there was a fraud alert on my account, they assumed that I was a criminal. I eventually went to a different bank, one that didn't need a credit report to open a checking account. There have also been credit report requests in the last two or three years since the original laptop loss that didn't originate with anything I'd done. They were rejected, but there's someone out there that's still trying.
Like AT&T, Boeing wasn't particularly apologetic. They insisted that the information "probably hadn't been compromised," and they couldn't explain why someone was running around with the social security numbers of a bunch of people that didn't even work for Boeing.
You can read a news story about the Boeing incident here. You can read about similar incidents pretty much every day of the week, or so it seems.
Security guru Bruce Schneier had an interesting post recently that included the contention that identity theft isn't necessarily the financial drain or pain in the ass that worrywarts such as yours truly might fear. He wasn't saying it's a picnic, just not the catastrophe one might imagine ... and it's not worth paying any significant insurance premium to mitigate.
He's probably right, but as with so much surrounding the purchase of insurance, this isn't entirely a decision based on logic alone.
Here's my bottom line: Aside from the really serious worries in life -- health, kids, job security, etc. -- having to go through what Russ Jones went through is way up there on my list of fears. It would drive me absolutely bonkers to have to spend so much time -- time I don't have to spare -- undoing the damage to my financial reputation.
Especially since the exposure to that damage was someone else's fault.
When not blogging, I am a Network World news editor and write the 'Net Buzz column.
The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.
Data and Laptop Theft - An Answer: I.T. Wars
An excellent and timely article: It's amazing that breaches and thefts keep happening. There is something that is helping a lot of people, judging by the business blogs I’ve been reading. It’s a defined eCulture called "The Business-Technology Weave" - it helps to influence employee behaviour as regards security, use and integrity of data - as well as protection of hard assets (such as laptops). The book “I.T. Wars” is the leading voice, and concentrates on the solution – a proactive treatment and training of people, and reinforcements to their corresponding security awareness. This is particularly relevant: www.businessforum.com/DScott_02.html . Some good stuff here too: www.david-scott.net . We use his book at work - stupid mistakes like deleted and misplaced data have dropped tremendously. Our CEO even requires our vendors to read it.
Why on a laptop
Can anyone explain to me why in this day and age, ANY employee/customer data is kept on a laptop? Better to invest in secure remote access, than put data anywhere but the servers. What kind of company trade secrets/data is walking out the door at these places?
Take security out of the hands of the laptop user
I agree that it is amazing what is still stored on laptops in this day and age, but it is and will continue to be a fact of life. I say remove security concerns for the folks that carry the laptops, and start implementing policies and solutions that are always on to give peace of mind to both the CIO/CISO AND the end-user. If the right solution is in place, there is no need to erase. Check out this new product from Alcatel-Lucent - Nonstop Laptop Guardian. http://www.alcatel-lucent.com/nlg
One Word - Encryption
At our company, all the laptops use encryption, so the only thing a thief can use them for is a doorstop :)
It's a simple practice: anything that contains confidential data, and which leaves the premises (or could be taken out), needs to be encrypted.
Oh, and encryption is not as scary as it sounds, you are just logging in as you normally would, but at a prompt that comes up *before* the OS loads. All the heavy lifting (scrambling the data) occurs unseen to the users.
Seconded
We have a policy of full disk encryption on any laptop that will be removed from the premises. As the parent says, it's not scary to set up and use. It's not even expensive - we use the free encryption solution TrueCrypt.
It takes 5 minutes to set up, an hour or so to encrypt your disk (a one-time process) and provides peace of mind for the lifetime of your machine.
Like backing up, there's really no reason not to do it, and if the worst does happen, you'll be so glad you did.
truecrypt - laptops
I recently discovered TrueCrypt too. I've since made some TrueCrypt volumes on my work laptop and put my Outlook archive into one. I could not figure out how to have a properly encrypted pst/ost file so I archived all my emails - kept the original on the server and a copy in my encrypted volume for when I can't connect. Works good so far. Lucky I only have 360meg archive so far (4 mths in the new job) but I might need to manage archives better as time goes on.
I also use the TrueCrypt volume as a "temp" storage folder, so I can keep the data in there until I need to delete it. If the laptop got stolen, data would be unreadable.