Data Breaches Booming

By nhunt at 7:02 pm on January 8, 2009 | 5 Comments

InformationWeek recently published an article based on data from the Identity
Theft Resource Center (a non-profit organization that works to understand and
prevent identity theft) showing a 47% increase in the number of reported data
breaches in 2008. The business sector reported the most breaches, followed by
the educational, government, health and financial sectors. It is interesting
to note that in 2007, government institutions were at the top of the list,
reporting the highest number of break-ins, but have since moved to third place.
This may suggest that government organizations are taking more proactive steps
to protect their information, although the figures count reported breaches, so
a drop can also reflect changes in what gets reported rather than in security.

When the Internet first came about, data security was not a concern; it was
built to enable collaborative work over long distances between parties who
trusted one another. On today's Internet it is no longer valid to assume that
everyone has good intentions. Despite this, many organizations still take no
measures to protect their data. The article states that encryption was in use
in only 2.8% of the breaches, and only 8.5% had any sort of password protection.
It is no wonder there were so many break-ins.

Organizations need to recognize that the Internet is a dangerous place. It is
no longer the friendly environment it was when it was first established.
Institutions should actively take steps to protect their data. That includes
requiring a password (or stronger authentication) on every account, and
encrypting sensitive data both where it is stored and where it travels over the
network, so that a stolen database or a lost disk is not immediately readable.
Further, users of these systems should be educated about general security
practices, such as what constitutes a “good” password, or why a company laptop
holding customer data should not be taken home unless its disk is encrypted.
Until actions such as these are taken, data breaches will continue to occur.

These sorts of incidents give rise to a number of privacy and safety concerns.
For instance, a data breach at an online retailer could leak customers' credit
card information; a break-in at the DMV could reveal names, photos and
addresses; private medical information could be gleaned from hospital
computers; or military secrets could be stolen from an insecure server.

These organizations need to be encouraged to be more conscious of security
issues. Individuals who were harmed by data breaches should hold the
institutions accountable. For example, if a business did not password-protect
its customer database, customers should refuse to buy its products until it
overhauls its security. Until they see repercussions for their lax attitude
towards security, institutions will have little incentive to change.

Filed under: Current Events

5 Comments

  • 1

    Comment by cxlt

    January 8, 2009 @ 7:15 pm

    The problem with your boycotting proposition is that as little as institutions and organizations care, the average consumer cares even less. Whether due to ignorance or due to sloth, security simply isn’t the foremost concern to most people.

    I’m not sure how true this is, but I saw a statistic a few days back in a semi-reputable source that 71% of people interviewed gave up their password to their work machine for a candy bar.

    Even tech-savvy people – who should know better – fall into the simplest of traps.

    Twitter is a prime example. The API they have is ridiculously laughable; calling it an API is pretty generous. Their third-party authentication scheme involves – no joke – handing the third party your password in cleartext, and trusting them not to do malice with it.

    Pause for dramatic effect.

    A month or so ago, there was a site that popped up, called Twitterank, which purported to provide aimfight-like ranking of how connected you are on twitter. It appears to actually generate your rank now, but when it first launched all it did was harvest login information, and give out what appeared to be a random number. Word got out several hours later, after most people on Twitter had given it a spin, and after about half a day’s worth of outrage, business returned to usual.

    Most people who use Twitter, especially the top users, are prominent figures in the tech (or at least tech-blogging) industry. Twitter itself is one of _the_ up-and-coming web 2.0 companies out there. When such an educated population completely fails to do anything about the problem from either end, I have little confidence that the public at large would care whatsoever.

  • 2

    Comment by Joseph Chen

    January 9, 2009 @ 1:26 pm

    It’s interesting to see the Educational sector near the top of the list of security breaches. There are definitely a lot of security holes due to bad practices, security through obscurity, etc.

    I worked a tech support position a couple years ago and every time a person requested a new account, we would create it and assign it the same (later on, nearly same) default password every time. Someone who knew the default password, knew new students who were getting accounts, and knew the username naming convention could have easily taken their account between account creation and the real user’s first login.

    Also, this may be a question of privacy and/or protecting information/assets, but a lot of University resources are not password protected in any way. Course sites with lectures, etc. are often open to anyone outside of the university. Whether this is considered sensitive or private information is up for discussion, but sometimes information such as test scores, student names, etc. are posted.

    Additionally, it’s university policy to not email grades to students, but it happens anyway in many cases. I think it’s pretty clear already, but one of the biggest reasons why security is so difficult is because few people think of all the vulnerabilities or even consider certain assets as anything anybody would pursue. However, an active malicious person just needs to find a single hole in the wall, but someone trying to protect their assets has to maintain vigilance and not only plug any holes they find but must actively look for and consider any potential holes.
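The provisioning race the comment above describes, shown as an added example that is not code from the original post or from any commenter: a weak `provision_weak` that gives every new account the same default password and never forces a change, beside a hardened `provision`/`login` pair that issues each account a random one-time initial password which expires unused and must be replaced at first login. The function names, the placeholder default password, the 48-hour window, the PBKDF2 work factor and the in-memory account records are all assumptions made for this demonstration.

```python
"""Account provisioning: the shared-default-password practice beside a hardened version.

Weak: every new account gets the same default password, and nothing forces the
owner to change it, so anyone who knows the default, the naming convention and
who is getting an account can log in before the real user does.

Hardened: each account gets a random one-time initial password that expires
quickly and cannot be used without setting a fresh password at first login.
Names, constants and the in-memory store are assumptions for the demo.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

ITERATIONS = 200_000            # PBKDF2 work factor (assumed value for the demo)
INITIAL_TTL = 48 * 3600         # one-time password lifetime in seconds (assumed)
DEFAULT_PASSWORD = "Welcome1"   # placeholder standing in for the help desk default


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate password against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# ---- the practice described in the comment --------------------------------
def provision_weak(username: str) -> dict:
    """Every account starts with the same default password and no forced change."""
    salt, digest = hash_password(DEFAULT_PASSWORD)
    return {"user": username, "salt": salt, "digest": digest}


def login_weak(account: dict, password: str) -> bool:
    """Anyone who knows DEFAULT_PASSWORD can claim an account before its owner does."""
    return verify_password(password, account["salt"], account["digest"])


# ---- hardened version ------------------------------------------------------
def provision(username: str, now: float) -> Tuple[dict, str]:
    """Create the account and return the one-time password to hand over out of band."""
    initial = secrets.token_urlsafe(12)          # random per account, not guessable
    salt, digest = hash_password(initial)
    account = {
        "user": username,
        "salt": salt,
        "digest": digest,
        "must_change": True,                     # initial credential is single-use
        "initial_expires": now + INITIAL_TTL,    # unused credential dies on its own
    }
    return account, initial


def login(account: dict, password: str, now: float,
          new_password: Optional[str] = None) -> bool:
    """Authenticate; on first login the caller must supply a fresh password."""
    if not verify_password(password, account["salt"], account["digest"]):
        return False
    if account["must_change"]:
        if now > account["initial_expires"]:
            return False                          # expired unused: re-provision instead
        if not new_password or new_password == password:
            return False                          # first login must set a new password
        account["salt"], account["digest"] = hash_password(new_password)
        account["must_change"] = False
    return True


if __name__ == "__main__":
    now = 0.0
    weak = [provision_weak(u) for u in ("student1", "student2")]
    print("weak: default password works for all:",
          all(login_weak(a, DEFAULT_PASSWORD) for a in weak))
    acct, initial = provision("student3", now)
    print("hardened: initial password alone:", login(acct, initial, now))
    print("hardened: initial + new password:",
          login(acct, initial, now, new_password="correct horse battery staple"))
    print("hardened: initial password reused:", login(acct, initial, now))
```

The point of the hardened path is that the window the comment describes closes in two ways at once: the initial credential is unique per account, so knowing the naming convention buys nothing, and it is single-use with an expiry, so an unclaimed account cannot be quietly taken over weeks later.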

  • 3

    Comment by Josh Goodwin

    January 9, 2009 @ 5:55 pm

    With the number of data breaches, it brings to mind how critical it is to keep tabs on what information you have entrusted to companies to keep safe for you. Even more subtle is the risk of a “secure” site being breached because of a breach in an “insecure” site: for example, someone gains access to your financial account because the login and password you chose was the same as , which was breached. This type of attack could even be targeted, by looking for the “weakest link” in a series of sites a user uses, and then hoping that information gleaned from breaking that site could assist in breaking into more secure sites the user uses. With this in mind, the security of every single site or service that has information about you must be evaluated, which can be difficult for most users to keep track of.

  • 4

    Comment by Josh Goodwin

    January 9, 2009 @ 5:57 pm

    Update to previous post: should read “password you chose was the same as *insert random social networking/picture/service site you use*, which was breached.” Originally surrounded it in carrots, made it disappear.

  • 5

    Comment by eyezac

    January 9, 2009 @ 11:08 pm

    Try parsnips.
