Data breaches affect 2m in Mass. Firms increasingly targets for hackers, Coakley warns
By Hiawatha Bray Globe Staff / September 21, 2011
Personal information from nearly one out of three Massachusetts residents, from names and addresses to medical histories, has been compromised through data theft or loss since the beginning of 2010, according to statistics released yesterday by the office of Attorney General Martha Coakley.
A state law enacted in 2007 requires all companies doing business in Massachusetts to inform consumers and state regulators about security breaches that might result in identity theft. That could include leaks of individual names along with other sensitive information, such as Social Security numbers or bank account, credit card, and debit card numbers. The law was passed in 2007, after hackers stole 45 million credit card numbers from Framingham-based retailer TJX Cos.
Coakley said that her office is just beginning to analyze the reports to find out whether the law is helping to reduce data breaches. But she predicted the problem will get worse as more Americans store vital personal data on various computer networks. "There is going to be more room for employee error, for intentional hacking," Coakley said. "This is going to be an increasing target."
The attorney general's office has received 1,166 data breach notices since January 2010, including 480 between January and August of 2011. About 2.1 million residents were affected by the various incidents, though it's unknown whether any of them were actually defrauded as a result of the data leaks.
I've said it before, and I'll say it again: it is not security that enables online commerce, but ignorance. Bruce Schneier has argued that the $300 limit on credit-card losses is the enabling factor in the e-commerce boom, but I've come to a different conclusion, and I contend that it is the fact that those at risk are not even aware of the chances they are taking. To put no fine point on it, the public doesn't realize that the electronic banking world is an "overlay" on a banking security system which hasn't changed since banking was invented: a system which is based on face-to-face transactions and on locally-maintained paper records. It is a system that has broken down in the face of online account access based on nothing more stringent than password authentication.
Not only is the first line of defense compromised, but the chances of getting caught while conducting online fraud are vanishingly small: the only time I contacted the Electronic Crimes Task Force concerning a fraud attempt which had not succeeded, the Secret Service agent told me point-blank that they don't have the manpower to pursue any case with losses under $20,000.00. This isn't some pimple-faced geek in a basement anymore: organized criminal gangs are conducting every kind of attack they can while hiding behind foreign flags, using experts who are receiving part of the profit and international data connectivity that has, for practical purposes, no means of tracing a connection or verifying a face.
Although I think Schneier is off the mark on the enabling factor, he is spot-on about the change-agent that will drive better security: the insurance industry will, at some point, get tired of paying out claims, and it will demand a new and (hopefully) more resilient system that reduces online fraud to manageable levels.
Bill Horne Moderator