Archive for 'Identity Theft'

The (information) black market

Thursday, July 7th, 2005

In Russia, a country looking to join the World Trade Organization, there is still rampant piracy of music, movies, and software. A visit to the street markets in major cities quickly reveals an incredible selection of CDs and DVDs, being sold cheaply almost regardless of their specific content. For example, when I visited Russia in 1999, all CDs cost the equivalent of US $3, whether they contained the latest band’s music or a copy of a Windows OS.

These days, however, there is a scarier deal on the market. It appears as though the information being acquired by fraud artists, hackers, and phishers is reaching the street markets, as personal information is being sold in bulk. The examples given in this Globe and Mail article include Russia’s 2003 tax return records and a mobile phone company’s subscriber list.

It appears that in our day and age, the privacy of our PII is constantly under attack by the flow of information, whether such flow was intended or not. As long as those with criminal intent are able to so easily acquire PII, the aggregation and exploitation of that information will only continue to grow.

No One Is Immune

Saturday, July 2nd, 2005

Even being head of the Federal Trade Commission is no guarantee against identity theft. FTC chair Deborah Platt Majoras was recently notified by shoe retailer DSW that she was among 1.4 million people whose credit card numbers were in a database breached by thieves. The DSW breach, discovered in March, affected customers of 108 DSW retail stores nationwide. While the compromised data did not include social security numbers, it did include credit card numbers, checking account numbers, and driver’s license numbers. A suit has been filed by Ohio Attorney General Jim Petro seeking the notification of every individual affected by the breach.

Majoras could potentially join other high-profile victims of identity theft such as Bill Gates, Tiger Woods, and Ross Perot (among others).

(Personal) Information just wants to be free

Monday, June 20th, 2005

The epidemic of information theft, leakage, and loss continued this past weekend with the announcement by MasterCard that 40 million credit card accounts had been compromised. The breach - as always attributed to hackers first, although this may be later clarified - affected almost 14 million MasterCard accounts, with the rest belonging to Visa and other companies. The lapse in security was at a third-party processing facility (CardSystems Solutions Inc), not MasterCard itself.

The latest twist in this story, just being reported this morning, is that the third-party processing company is now admitting that they were breaking rules established by Visa and MasterCard regarding information storage. Consumer records were being stored for ‘research purposes’, according to the company’s CEO; the CEO explicitly states that “we should not have been doing that” (first reported by The New York Times). The same article also reports that CardSystems Solutions was storing the 3/4-digit verification codes that are supposed to heighten credit card security in online purchases. The presence of that information can “double or triple the black-market value of a cardholder’s account” - even more reason to question the company’s unnecessary data storage practices.


New state laws emerge to thwart identity theft

Monday, June 6th, 2005

The epidemic of stolen privacy-sensitive information, largely starting with the fraud committed against ChoicePoint that came to light this February, has spurred states to adopt disclosure measures similar to the California law that has existed since July 2003. The California law was the first of its kind in requiring companies to notify consumers if privacy-sensitive information has been lost or stolen. Many privacy advocates heralded the California law as the only reason that ChoicePoint’s fraud issues entered the public spotlight. To date, five states - Arkansas, Georgia, Montana, North Dakota, and Washington - have already passed similar laws, while two other states - Florida and Illinois - are simply awaiting the governor’s signature.

A recent article covering this legislative push by states can be found here.

Stolen laptops contain medical info on 185,000 patients

Tuesday, April 12th, 2005

Network World Fusion reports that a “medical group” in San Jose, California experienced a burglary in their offices in the middle of the night. Two laptops were stolen containing personal information for 185,000 patients. The patient information included social security numbers. Thanks to the California law known as SB1386, these news stories are becoming more and more common because it requires that organizations make a good faith effort at notifying people affected by identity theft.

UC Berkeley Laptop Theft Exposes 100K

Wednesday, April 6th, 2005

According to the Associated Press, a thief recently stole a laptop from the University of California at Berkeley, which contains personal information about nearly 100,000 alumni, graduate students and past applicants. Information contained on the laptop includes names and Social Security numbers dating back to 1976.

Recently there were several similar security breaches reported involving loss of a large amount of personal data, including ChoicePoint Inc., a consumer data firm duped into distributing personal information about 145,000 people; Lexis-Nexis, where computer hackers obtained access to the personal information of 32,000 people; and Chico State University, where a computer hacking job exposed 59,000 people to potential identity theft.

Massive Data Breach at University of California, Berkeley

Wednesday, October 20th, 2004

SecurityFocus News is reporting that data for about 1.4 million Californians was put at risk due to a security breach at a computer system that contained data for California’s In-Home Supportive Services program.

It’s interesting to note that investigators are not sure whether or not the personal information was actually extracted from the system. But California’s recently passed anti-identity theft law, SB1386, requires that all 1.4 million people whose data was on that system be notified so that they can take appropriate measures to protect their identity by calling the credit reporting agencies, etc.

Imagine, having to write a letter on your university letterhead to 1.4 million citizens of your state telling them that you were not protecting their information from theft and that an incident has occurred in which the citizen’s personal information, including social security number, has been downloaded by an unknown person.

Internet Scam: phishing

Tuesday, October 19th, 2004

It seems like Internet scamming is on the rise. Recently, many incidents of phishing have been observed causing loss of millions of dollars in the US. “Phishing is a scheme that uses e-mails appearing to come from a legitimate company and directing recipients to fake websites where they are asked for personal or financial information.” Consumers should only disclose personal information when they initiate a transaction themselves.
For more information please visit: 500 million dollars lost in Internet ‘phishing’ scams in US

jetBlue & Northwest Disclosures of Passenger Travel Records

Monday, September 20th, 2004

Last October, a few of us at ThePrivacyPlace.Org examined the JetBlue Airways’ policy in an attempt to better understand the revelation that JetBlue had violated its public privacy policy when it gave the travel records of five million JetBlue customers to Torch Concepts, a private contractor to the Department of Defense (DoD). This paper is scheduled to appear in IEEE Security & Privacy and is entitled, “The Complexity Underlying JetBlue’s Privacy Policy Violations.” If you don’t want to wait for the paper to appear in print, the technical report is currently available here: The Complexity Underlying JetBlue’s Privacy Policy Violations.

The Department of Homeland Security (DHS) Privacy Office investigated jetBlue to determine if the DoD had violated any laws. The DHS Privacy Office released a Report to the Public on Events Surrounding jetBlue Data Transfer on February 20, 2004. This report asserts that there is no evidence that jetBlue had provided the information directly to the Transportation Security Administration (TSA) or the U.S. Department of Transportation (DOT). Instead, it states that jetBlue had provided the information to Torch Concepts through its contractor (Acxiom). The objective of this investigation was to determine whether government agencies had played a role in the privacy violation. The report states that no TSA employee had violated the Privacy Act; however, TSA employees were involved in the data transfer and failed to consider privacy policy impacts of this transfer: “The TSA employees involved acted without appropriate regard for individual privacy interests or the spirit of the Privacy Act of 1974.” The DHS report makes specific recommendations, including the need for comprehensive privacy training for employees and the establishment of data sharing guidelines.

It was later revealed that Northwest Airlines had also disclosed the travel records of its customers. This privacy violation also prompted a number of complaints, including one by the Electronic Privacy Information Center (EPIC). See: Northwest Airlines’ Disclosure of Passenger Data to Federal Agencies.

On the 15th of September, the Transportation Administration dismissed the privacy complaint filed by EPIC against Northwest (see: Transportation Department dismisses privacy complaint against Northwest).

We at ThePrivacyPlace.Org will continue to investigate methods and tools that can be developed to help stop sensitive information from being disclosed when such disclosures are not in compliance with governing policies and laws. For a sample of some of our efforts, check out our reports that are available on our publications page.

– Annie Antón